| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
https://fedorahosted.org/sssd/ticket/1810
|
|
|
|
Fixes https://fedorahosted.org/sssd/ticket/1766
|
|
Remove code that tries to get the 'right' sysdb, as it is always going
to get the same answer anyway since the recent patches to rework the
domains/sysdb relationship.
|
|
- Use a double-linked list for domains and subdomains.
- Never remove a subdomain, simply mark it as disabled if it becomes
unused.
- Rework the way subdomains are refreshed.
Now sysdb_update_subdomains() actually updates the current subdomains
and marks as disabled the ones not found in the sysdb or add new ones
found. It never removes them.
Removal of missing domains from sysdb is deferred to the providers,
which will perform it at refresh time, for the ipa provider that is
done by ipa_subdomains_write_mappings() now.
sysdb_update_subdomains() is then used to update the memory hierarchy
of the subdomains.
- Removes sysdb_get_subdomains()
- Removes copy_subdomain()
- Add sysdb_subdomain_delete()
|
|
Use this function instead of explicitly calling domain->next
This function allows to get the next primary domain or to descend into the
subdomains and replaces also get_next_dom_or_subdom()
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1805
|
|
SSH requests.
This fixes CVE-2013-0220.
https://fedorahosted.org/sssd/ticket/1781
|
|
https://fedorahosted.org/sssd/ticket/1779
2^32 should be enough to store sudo rules. size_t type was causing
troubles on big endian architectures, because it wasn't used
correctly in combination with D-Bus.
|
|
Related to https://fedorahosted.org/sssd/ticket/1757
Previously we would optimize the mc invalidate code for cases where the
user was a member of some groups. But if the user was removed from the
server while being in memory cache, we would only invalidate the mc
record if he was a member of at least one supplementary group.
|
|
https://fedorahosted.org/sssd/ticket/1757
When the user entry was missing completely after initgroups, we would
never invalidate the user entry from cache. This led to dangling cache
entried in memory cache if the user was removed from the server while
still being in memory cache.
|
|
|
|
|
|
|
|
also fix sysdb_svc_add declarations
|
|
|
|
|
|
Also remove sysdb_delete_domuser()
|
|
Also changes sysdb_search_custom_by_name()
|
|
|
|
Also remove sysdb_store_domuser()
|
|
|
|
Also remove unused sysdb_search_domgroup_by_gid()
|
|
Also remove unused sysdb_search_domuser_by_uid()
|
|
|
|
|
|
|
|
|
|
|
|
Also allows us to remove sysdb_subdom_get<pw/gr>nam() wrappers and restore
fqnames proper value in subdomains, by testing for a parent domain being
present or not.
|
|
|
|
|
|
Change the way sysdbs are initialized. Make callers responsible for providing
the list of domains.
Remove the returned array of sysdb contexts, it was used only by sss_cache
and not really necessary there either as that tool can easily iterate the
domains.
Make sysdb ctx children of their respective domains.
Neither sysdb context nor domains are ever freed until a program is done so
there shouldn't be any memory hierarchy issue. As plus we simplify the code by
removing a destructor and a setter function.
|
|
Use the new authtok abstraction and interfaces throught the code.
|
|
Make it clear to the API users that we can not take arbitrary auth tokens.
We can only take a password for now so simplify and clarify the interface.
|
|
Instead of using a single array of gid-domain_pointer pairs, Simo
suggested to use a gid array for each domain an store it with a pointer
to the domain.
|
|
If some of the Posix attributes of an user existing in the cache differ
from the data given in the current PAC the old user entry is drop and a
new one is created with the data from the PAC.
|
|
To avoid duplicated entries in the group list all gids are added to a
hash table first.
Fixes: https://fedorahosted.org/sssd/ticket/1672
|
|
Read the group membership of the remote domain the user belongs to from
the PAC and add them to the cache.
Fixes: https://fedorahosted.org/sssd/ticket/1666
|
|
Groups from subdomains will not have an attribute holding the original
DN because in general it will not be available. This attribute is only
used by IPA HABC to improve performance and remote groups cannot be used
for access control.
|
|
Currently users from subdomains can only be members of groups from the
configured domain and to access those groups a pointer to the domain
struct of the configured domain is used. This patch sets the dom_grp
member of struct pac_grp to point to the domain struct of the configured
for groups from this domain. This is a first step to allow group
membership for groups from subdomains as well. For those groups a
pointer to the related subdomain structure will be saved.
|
|
Currently some user specific data from the PAC is only read when the
user is not already in the cache. Since some of this information is
needed later on, e.g. the domain SID the user belongs to, with this
patch the data is read always from the PAC.
|
|
Currently only the flat name of the configured domain is updated if it
is not already set. This patch updates the domain ID as well. This is
typically the case when trust support is enabled on the server side
while sssd is running.
|
|
Currently domains can only be searched by name in the global domain
list. To make it easier to find the domain for a given SID
find_domain_by_id() which returns a pointer to the domain or subdomain
entry in the global domain list if a matching id was found.
|
|
To be able to handle groupmemberships from other domains more data than
just the gid must be kept for groups given in the PAC.
|
|
|
|
If use_fully_qualified_names is used, we need to pass fqdn
to sss_mmap_cache_*_invalidate.
|
