Age | Commit message (Collapse) | Author | Files | Lines |
|
krb5 1.11 adds support for a new method for responding to
structured data queries. This method, called the responder,
provides an alternative to the prompter interface.
This patch adds support for this method. It takes the password
and provides it via a responder instead of the prompter. In the
case of OTP authentication, it also disables the caching of
credentials (since the credentials are one-time only).
|
|
* Protect the fd with a mutex when closing
* Set it to a safe value after closing
|
|
https://fedorahosted.org/sssd/ticket/1569
|
|
|
|
|
|
|
|
This adds support for parsing PAC and storing information contained
within. In particular the user and all his memberships are stored. In
case it is necessary, getgrgid() requests are sent to provider for group
resolution.
|
|
|
|
|
|
|
|
This is the library the autofs client is using. automounter dlopen()s
the library so there is no header file, no pkgconfig file and the
library is in the libsss_autofs package, not in -devel.
The library provides the following interface:
* _sss_setautomntent() - select the map for processing
* _sss_getautomntent_r() - iterates through key/value pairs in the
selected map. The key is usually the mount
point, the value is mount information
(server:/export)
* _sss_getautomntbyname_r() - returns value for a specific key.
* _sss_endautomntent() deselect a map, clean up
|
|
|
|
https://fedorahosted.org/sssd/ticket/1143
|
|
|
|
There were many places in the client code where we were
duplicating a loop to copy data in from the response buffer. This
patch turns those loops into a function for easier maintenance and
easier-to-read *readrep() routines.
|
|
Also fixes a return value bug where we were returning errno error
codes instead of nss_status codes.
Fixes https://fedorahosted.org/sssd/ticket/1135
|
|
|
|
|
|
|
|
Since memcpy() is used in sss_cli.h it should be declared here, too.
|
|
|
|
|
|
Add mutexes around nss operations and serialize them.
This is necessary because nss operations may have global state.
For pam it is sufficient to protect socket operations instead.
As pam functions use only the provided pam handler.
Fixes: https://fedorahosted.org/sssd/ticket/640
|
|
|
|
|
|
|
|
This is useful for guaranteeing the size of an input buffer.
|
|
|
|
This is the second attempt to let the PAM client and the PAM responder
exchange their credentials, i.e. uid, gid and pid. Because this approach
does not require any message interchange between the client and the
server the protocol version number is not changed.
On the client side the connection is terminated it the responder is not
run by root. On the server side the effective uid and gid and the pid of
the client are available for future use.
The following additional changes are made by this patch:
- the checks of the ownership and the permissions on the PAM sockets are
enhanced
- internal error codes are introduced on the client side to generate
more specific log messages if an error occurs
|
|
Display warnings about remaining grace logins and password
expiration to the user, when LDAP Password Policies are used.
Improved detection if LDAP Password policies are supported by
LDAP Server.
|
|
I fixed a handful of alignment problems in sss_client and nss responder.
Enumerating group and passwd with getgrent and getpwent now works correctly
on ARM.
Signed-off-by: George McCollister <georgem@novatech-llc.com>
|
|
So far we handled expired password during authentication. Other PAM
modules typically detect expired password during account management and
return PAM_NEW_AUTHTOK_REQD if the password is expired and should be
changed. The PAM library then calls the change password routines. To
meet these standards pam_sss is change accordingly.
As a result it is now possible to update an expired password via ssh if
sssd is running with PasswordAuthentication=yes. One drawback due to
limitations of PAM is that the user now has to type his current password
again before setting a new one.
|
|
|
|
|
|
Also update BUILD.txt
|