Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
Instead of multiple calls of sss_authtok_get_type, perform the call just
once and store into variable.
|
|
https://fedorahosted.org/sssd/ticket/1814
Return authentication error when empty password is passed.
|
|
https://fedorahosted.org/sssd/ticket/1814
When the authtok_length is zero, it shouldn't call
sss_authtok_set_password, because it tries to determine lenght of passed
string by itself and would read parts of DBus message behind boundaries
of authtok.
|
|
https://fedorahosted.org/sssd/ticket/2005
Some users were confused by our description of min_id/max_id and thought
the limits only applied to returning entries from the NSS responder.
However, the limits are actually enforced on the back end side, so the
entries are not even saved to cache.
|
|
https://fedorahosted.org/sssd/ticket/1998
Currently using IP address as value of ad_server is not supported, so
the man pages should not mention that as an option.
|
|
https://fedorahosted.org/sssd/ticket/1965
After we added a section that clarified what access_provider=ad did,
some users were confused and thought that "ad" was also the default
access provider if "id_provider=ad" was specified.
|
|
https://fedorahosted.org/sssd/ticket/1992
|
|
https://fedorahosted.org/sssd/ticket/1992
dyndns test will crash with this patch
|
|
Storing cyclic groups into sysdb can cause adding ghost members,
which has already been stored. Function ldb_modify will fail
with error [Attribute or value exists].
With permisive control, duplicated attributes will be skipped
as if it was never added.
https://fedorahosted.org/sssd/ticket/1846
|
|
https://fedorahosted.org/sssd/ticket/1827
|
|
https://fedorahosted.org/sssd/ticket/1997
Most of the time, the SIDs are resolved as a call coming from the PAC
responder during initgroups. In that case at least, it makes sense to
search for group matching that SID first, then users.
We may consider making this behaviour configurable ie for the server
mode where typically the users should be queried first.
|
|
|
|
|
|
Some krb5 functions needn't be available for retrieving ccache
with principal. Therefore ifdef is used to solve this situation with older
version of libkrb5. There were two functions with similar functionality
in krb5_child and krb5_utils. They were merged to one universal function, which
was moved to file src/util/sss_krb5.c
|
|
|
|
Dircache can be either file or directory. Wrong value was used
when dircache was itself directory.
https://fedorahosted.org/sssd/ticket/2002
|
|
We did not set port status for metaservers (srv servers)
in fo_reset_services().
Fixes:
https://fedorahosted.org/sssd/ticket/1933
|
|
The switch statement was dead code due to missing case/default.
|
|
Option -E/--everething was added to invalide all types of entries.
https://fedorahosted.org/sssd/ticket/1988
|
|
https://fedorahosted.org/sssd/ticket/1778
When trying to copy special file, only message is logged now.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1999
ldap_auth.c code which was added to SSSD for updating the
shadowLastChange when "ldap_chpass_update_last_change" option is
enabled updates shadowLastChange even when the PAM password change
status reports failure.
We should only update shadowLastChange on PAM password change success or
we open up a work around for users to avoid changing their passwords
periodically as required by policy. The user simply attempts to change
password, fails by trying to set new password which invalid (denied due
to password history check) yet shadowLastChange is updated, avoiding
their need to actually change the password they are using.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1962
If the ipa_server_mode is selected IPA subdomain user and group lookups
are not done with the help of the extdom plugin but directly against AD
using the AD ID code.
|
|
When IPA server mode is on, then this patch will create an ad_id_ctx for
each subdomain discovered in IPA provider. The ID context is needed to
perform direct lookups using the AD provider.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
|
Makes creating the sdap_domain structure for a subdomain reusable
outside AD subdomain code where it was created initially.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
|
This patch introduces a new structure that holds information about a
subdomain and its ad_id_ctx. This structure will be used only in server
mode to make it possible to search subdomains with a particular
ad_id_ctx.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
|
This is needed so we can initialize failover using IPA realm and
on-the-fly discovered DNS domain. The subdomains discovered on-thefly
will use the subdomain name for realm, domain and failover service to
avoid conflicts.
Subtaks of:
https://fedorahosted.org/sssd/ticket/1962
|
|
The IPA subdomain code will perform lookups on its own in the server
mode. For this, the AD provider must offer a way to initialize the
ad_id_ctx for external consumers.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
|
The AD subdomains will only use default options values. This patch
introduces a new utility function sdap_copy_map() that copies the
default options map.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
|
https://fedorahosted.org/sssd/ticket/1993
SSSD needs to know that it is running on an IPA server and should not
look up trusted users and groups with the help of the extdom plugin
but do the lookups on its own. For this a new boolean configuration
option, is introduced which defaults to false but is set to true during
ipa-server-install or during updates of the FreeIPA server if it is not
already set.
|
|
The mpg flag will be read from the cache for subdomains and the domain
object will be created accordingly.
|
|
The information of a subdomain will use magic private groups (mpg) or
not will be stored together with other information about the domain in
the cache.
|
|
Since FreIPA will start to support external mapping for trusted domains
as well the range type for the domain must be know before the domain
object is created. The reason is that external mapping will not use
magic private groups (mpg) while algorithmic mapping will use them.
|
|
new_subdomain() will create a new domain object and should not be used
anymore in the priovder code directly. Instead a reference to the domain
from the common domain object should be used.
|
|
Recent versions of FreeIPA support a range type attribute to allow
different type of ranges for sub/trusted-domains. If the attribute is
available it will be used, if not the right value is determined with the
help of the other idrange attributes.
Fixes https://fedorahosted.org/sssd/ticket/1961
|
|
Use the sdap_idmap context for the IPA provider as well.
https://fedorahosted.org/sssd/ticket/1961
|
|
Currently the decision if external or algorithmic mapping should be used
in the LDAP or AD provider was based on the value of the ldap_id_mapping
config option. Since now all information about ID mapping is handled by
libsss_idmap the check for this options can be replace with a call which
checks the state via libss_idmap.
https://fedorahosted.org/sssd/ticket/1961
|
|
This patch implements a wrapper for
sss_idmap_domain_has_algorithmic_mapping() for the sdap ID mapping.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
Currently the range management code is in the generic LDAP provider and
can be used by the LDAP and AD provider. New ranges are allocated with
the help of a hash value of the domain SID.
If the IPA provider cannot find a range for a given domain it cannot
allocate a new range on its own but has to look up the idrange objects
on the FreeIPA server and use them accordingly. To allow the LDAP, AD
and IPA provider to use as much common code as possible a plugin
interface, similar to the one used to find the DNS site, to find a
missing range would be useful. The default plugin will be used by the
LDAP and the AD provider and the IPA provider will implement a plugin to
read the data from the server.
Fixes https://fedorahosted.org/sssd/ticket/1961
|
|
To allow libsss_idmap to manage all id-ranges the id-ranges of the
domains configured in sssd.conf which are currently unmanaged must be
added to libsss_idmap.
|
|
Currently the range for Posix IDs stored in an LDAP server is unbound.
This might lead to conflicts in a setup with AD and trusts when the
configured domain uses IDs from LDAP. With the two noe options this
conflict can be avoided.
|
|
This patch implements some unit tests for the recent enhancements to
libsss_idmap.
|
|
With this call it can be checked if for a given domain algorithmic
mapping is available or if the ID must be read from an external source.
The default if an error occurs or no matching range was found is false,
i.e external mapping, to meet the requirements for simple LDAP based
domains where only external mapping is available.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
When ID are mapped externally it must be checked if the extern ID falls
into the right configured range to avoid ID conflicts.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
Since it is planned that the LDAP based ID providers (LDAP, AD, IPA)
will always use libsss_idmap to map ID or get information about how to
map it, it must be possible to add domains to libsss_idmap which do not
have a SID or where is SID is not known when external mapping is used.
Algorithmic mapping always requires a domain SID.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
The idea is that ranges for IDs from AD can be used in libsss_idmap as
well, but whenever a mapping is requested for this range a specific
error code IDMAP_EXTERNAL is returned to tell SSSD to do
an AD lookup. This way SSSD does not need to inspect the ranges itself
but all is done inside if libsss_idmap.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
To be able to detect configuration changes in idranges managed by
FreeIPA an identifier should be stored on the client together with the
other idrange related data.
Fixes https://fedorahosted.org/sssd/ticket/1979
|