summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)AuthorFilesLines
2011-02-03Gracefully handle permission errors in sss_obfuscateStephen Gallagher1-3/+15
2011-02-03Make the domain argument mandatory in sss_obfuscateStephen Gallagher1-2/+6
It doesn't make sense to set a "default" domain. We should require that the domain always be specified.
2011-02-03Add additional indexing for sysdbStephen Gallagher2-1/+117
Adds an index for dataExpireTimestamp This is used for determining which users need to be removed during the cleanup task. If enumeration is enabled (or huge numbers of users have been cached), the cleanup task runs very slowly due to the non-indexed search. Also adds an index for ONELEVEL lookups, to speed up situations where we would need to request all entries under a particular node in the LDB.
2011-02-03Wrap cleanup task in a sysdb transactionStephen Gallagher1-0/+20
2011-02-01Sanitize search filters for nested group lookupsStephen Gallagher1-3/+17
2011-01-31Remove LDAP_DEPRECATEDSumit Bose1-1/+0
2011-01-27Add option to disable TLS for LDAP authStephen Gallagher5-4/+25
Option is named to discourage use in production environments and is intentionally not listed in the SSSDConfig API.
2011-01-27Do not fail if attributes are emptySumit Bose1-16/+29
Currently we fail if attributes are empty. But there are some use cases where requested attributes are empty. E.g Active Directory uses an empty member attribute to indicate that a subset of the members are in a range sub-attribute.
2011-01-27Updating uk translationYuri Chornoivan1-88/+118
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2011-01-25Update man.stamp when the potfile or po4a.cfg is updatedStephen Gallagher1-1/+1
2011-01-24Update translation files for string freezeStephen Gallagher3-850/+1313
Earlier patch for strings was incomplete
2011-01-21Updating translation files for string freezeStephen Gallagher1-197/+212
2011-01-21Updating uk manpage translationYuri Chornoivan1-355/+496
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2011-01-21Delete attributes that are removed from LDAPStephen Gallagher7-13/+297
Sometimes, a value in LDAP will cease to exist (the classic example being shadowExpire). We need to make sure we purge that value from SSSD's sysdb as well. https://fedorahosted.org/sssd/ticket/750
2011-01-21Fix nested group handling during enumerationSumit Bose1-0/+14
Nested groups where not unrolled completely during the first enumeration run because not all where present in the cache.
2011-01-21Fix uninitialized value errorSumit Bose1-1/+1
2011-01-21Rename dns_domain to discovery domain for fo_add_srv_server()Stephen Gallagher2-8/+12
2011-01-21Allow fallback to SSSD domainStephen Gallagher3-7/+50
For backwards-compatibility with older versions of the SSSD (such as 1.2.x), we need to be able to have our DNS SRV record lookup be capable of falling back to using the SSSD domain name as the DNS discovery domain. This patch modifies our DNS lookups so that they behave as follows: If dns_discovery_domain is specified, it is considered authoritative. No other discovery domains will be attempted. If dns_discovery_domain is not specified, we first attempt to look up the SRV records using the domain portion of the machine's hostname. If this returns "NOTFOUND", we will try performing an SRV record query using the SSSD domain name as the DNS discovery domain. https://fedorahosted.org/sssd/ticket/754
2011-01-21Add missing include file to sdap_async_accounts.cStephen Gallagher1-0/+1
2011-01-21Perform initgroups lookup for PAMStephen Gallagher1-1/+3
Previously we were only looking up the user, but we need to make sure that all groups are available for use by access providers.
2011-01-21Add the user's primary group to the initgroups lookupStephen Gallagher3-14/+56
The user may not be a direct member of their primary group, but we still want to make sure that group is cached on the system.
2011-01-20NSS obfuscation code cleanupJakub Hrozek1-38/+97
https://fedorahosted.org/sssd/ticket/752
2011-01-20Add ldap_tls_{cert,key,cipher_suite} config optionsTyson Whitehead9-1/+87
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2011-01-19Fix return value checkSumit Bose1-2/+2
2011-01-19Fix incorrect example fileStephen Gallagher1-8/+7
The example sssd.conf still had entry_cache_timeout listed in the [nss] section, and did not have correct values for entry_cache_nowait_percentage (it was listed as entry_cache_nowait_timeout and gave a value in seconds)
2011-01-19Don't double-sanitize member DNsStephen Gallagher1-12/+4
After asking the cache for the list of member DNs for groups during an initgroups request, we were passing it through the sanitization function. Since this had already been done before they were saved to the cache, this meant that it was corrupting the results. It is safe to pass the returned DN directly into the sysdb_group_dn_name() function.
2011-01-19Use DEFAULT_PAM_VERBOSITY if config value cannot be retrievedSumit Bose1-1/+1
2011-01-19Add pam_pwd_expiration_warning config optionSumit Bose5-12/+68
2011-01-19Add ipa_hbac_search_base config optionSumit Bose7-54/+58
2011-01-19Add LDAP expire policy base RHDS/IPA attributeSumit Bose9-4/+76
The attribute nsAccountLock is used by RHDS, IPA and other directory servers to indicate that the account is locked.
2011-01-19Add LDAP expire policy based on AD attributesSumit Bose9-4/+141
The second bit of userAccountControl is used to determine if the account is enabled or disabled. accountExpires is checked to see if the account is expired.
2011-01-17Remove support for pre-1.1 netlinkStephen Gallagher3-61/+27
Netlink 1.0 and older is buggy and unreliable, occasionally causing tight-loops. We're no longer going to try to support it. https://fedorahosted.org/sssd/ticket/755
2011-01-17Clarify nscd warningStephen Gallagher1-4/+5
Removes the level-zero DEBUG message and modifies the syslog message to explain that NSCD is safe for maps that SSSD does not (yet) support.
2011-01-17Do not force a default for debug_levelStephen Gallagher2-4/+1
2011-01-17Fix usability of sss_obfuscate commandStephen Gallagher2-14/+23
2011-01-17Update manpage translations for ldap_enumeration_search_timeoutStephen Gallagher3-333/+391
2011-01-17Add ldap_search_enumeration_timeout config optionSumit Bose9-15/+38
2011-01-17Add timeout parameter to sdap_get_generic_send()Sumit Bose10-55/+111
2011-01-14Regenerate manpage po[t] filesStephen Gallagher3-2955/+5262
Fixed several typos
2011-01-14Fix manpage typosYuri Chornoivan4-9/+9
2011-01-14Add uk translation for manpagesYuri Chornoivan2-1/+4386
2011-01-14Fix missing hash table bugStephen Gallagher1-0/+1
When the automatic cleanup happened, if the netgroup had been created with no contents (to indicate an unknown netgroup), we weren't saving the hash table address and the talloc_free() was failing.
2011-01-14Do not throw a DP error when a netgroup is not foundStephen Gallagher2-6/+5
https://fedorahosted.org/sssd/ticket/775
2011-01-14Add missing sysdb transaction to group enumerationsStephen Gallagher1-12/+45
We were not enclosing group processing in a transaction, which was resulting in extremely high numbers of disk-writes. This patch adds a transaction around the sdap_process_group code to ensure that these actions take place within a transaction. This patch also adds a check around the missing member code for RFC2307bis so we don't go back to the LDAP server to look up entries that don't exist (since the enumeration first pass would already have guaranteed that we have all real users cached)
2011-01-14Work around libldb bugStephen Gallagher1-2/+10
Libldb performs non-indexed searches for ONELEVEL requests. We'll use SUBTREE instead to reduce the performance hit substantially
2011-01-11Add overflow check to SAFEALIGN_COPY_*_CHECK macrosSumit Bose1-3/+6
2011-01-11Validate user supplied size of data itemsSumit Bose3-76/+94
Specially crafted packages might lead to an integer overflow and the parsing of the input buffer might not continue as expected. This issue was identified by Sebastian Krahmer <krahmer@suse.de>.
2011-01-06Add syslog messages to authorized service access checkSumit Bose1-1/+31
2011-01-06Add syslog message to shadow access checkSumit Bose1-6/+14
2011-01-06Convert obfuscated password once at startupSumit Bose2-14/+41