Age | Commit message (Collapse) | Author | Files | Lines |
|
Add option to fallback to fetch local users if rfc2307is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.
Disabled by default as it violates identity domain separation.
Ticket:
https://fedorahosted.org/sssd/ticket/1020
|
|
Also simplify sdap_access_send to avoid completely fake _send() routines.
|
|
Changes the simple access provider's interface to be asynchronous. When
the simple access provider encounters a group that has gid, but no
meaningful name, it attempts to resolve the name using the
be_file_account_request function.
Some providers (like the AD provider) might perform initgroups
without resolving the group names. In order for the simple access
provider to work correctly, we need to resolve the groups before
performing the access check. In AD provider, the situation is
even more tricky b/c the groups HAVE name, but their name
attribute is set to SID and they are set as non-POSIX
|
|
The simple access provider unit tests now need to link against the Data
Provider when they start using the be_file_account_request() function.
But then we would start having conflicts as at least the main()
functions would clash.
If UNIT_TESTING is defined, then the data_provider_be.c module does not
contain the main() function and can be linked against directly from
another module that contains its own main() function
|
|
I realized that the current unit tests for the simple access provider
only tested the user directives. To have a baseline and be able to
detect new bugs in the upcoming patch, I implemented unit tests for the
group lists, too.
|
|
In order to resolve group names in the simple access provider we need to
contact the Data Provider in a generic fashion from the access provider.
We can't call any particular implementation (like sdap_generic_send())
because we have no idea what kind of provider is configured as the
id_provider.
This patch splits introduces the be_file_account_request() function into
the data_provider_be module and makes it public.
A future patch should make the be_get_account_info function use the
be_get_account_info_send function.
|
|
Option ipa_selinux_refresh is added to basic ipa options.
|
|
Reuse cached SELinux maps when they are requested
within time interval (in this patch it is hardcoded to
be 5 seconds).
https://fedorahosted.org/sssd/ticket/1744
|
|
The SELinux processing was distributed between provider and
pam responder which resulted in hard to maintain code. This
patch moves the logic to provider.
IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because
the provider also writes the content of selinux login
file to disk (which was done by responder before).
https://fedorahosted.org/sssd/ticket/1743
|
|
Variables dir_cc and file_cc are used in three
modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, therefore should be
declared with extern in krb5_utils.h.
|
|
Simplifies and consolidates error reporting for ldap authentication paths.
Adds 3 new error codes:
ERR_CHPASS_DENIED - Used when password constraints deny password changes
ERR_ACCOUNT_EXPIRED - Account is expired
ERR_PASSWORD_EXPIRED - Password is expired
|
|
https://fedorahosted.org/sssd/ticket/1738
|
|
|
|
Adding missing dependencies for linker. Missing dependency was
introduced by commit 22d381367c27910fe82f476a76b9f4ede555e35a
in changed file src/sss_client/nss_mc_common.c
All function declaration for io.c was moved from util.h to separate file io.h,
https://fedorahosted.org/sssd/ticket/1838
|
|
https://fedorahosted.org/sssd/ticket/1811
|
|
|
|
Header file "providers.h" is not included in any other
file and function "dp_process_init" declared in this header file
has no implementation.
Header file protos.h is not also included in any other file and even
hole content is commented out.
|
|
Function open_debug_file_ex() set flag FD_CLOEXEC to opened
file according to the value of third parameter.
Removed duplicity of unsetting FD_CLOEXEC after calling function
open_debug_file_ex()
|
|
Functions open_cloexec and openat_cloexec were renamed with prefix
"sss_" and moved to separete file. Replacing duplicated code of
function sss_open_cloexec everywhere in the source code.
https://fedorahosted.org/sssd/ticket/1794
|
|
This condition is invalid because different_realm is not set, when
EINVAL is returned. It can make the test fail sometimes.
|
|
https://fedorahosted.org/sssd/ticket/1833
state is expected to be a pointer
|
|
|
|
I think it logically belongs there and allows to better exercise the
responder commands from unit tests.
|
|
There was shared code for several unit tests that connected to their own
sysdb instance. This patch adds common code to run a generic request to
completion or connect to a test sysdb.
|
|
|
|
krb5 1.11 adds support for a new method for responding to
structured data queries. This method, called the responder,
provides an alternative to the prompter interface.
This patch adds support for this method. It takes the password
and provides it via a responder instead of the prompter. In the
case of OTP authentication, it also disables the caching of
credentials (since the credentials are one-time only).
|
|
This patch adds debug message for the case if sssd
fails to open old mc file for some other reason than
the file does not exist.
|
|
File descriptors leaked every time sss_mmap_cache_reinit was
called and also the old memory cache was still maped in memory
(munmap was not called). This patch adds destructor for memory
cache context to call close() and munmap() automaticly.
https://fedorahosted.org/sssd/ticket/1826
|
|
https://fedorahosted.org/sssd/ticket/1825
|
|
C compiler did not complain, because "index" is function defined
in header file <string.h>
|
|
https://fedorahosted.org/sssd/ticket/1819
|
|
We need to mask the first part with 0xFFFF or there is a slight chance an
unrelated error code would match even if the upper part is not exactly
equal to ERR_BASE but just has all it's bits and some more.
Also make the macro more reasable by adding another helper macro for filtering
the base.
Finally compare err and ERR_LAST directly w/o masking err, or the comparison
will always return true.
|
|
This parameter was never used.
https://fedorahosted.org/sssd/ticket/1765
|
|
|
|
We used different debug levels for messages informing
about negative cache hits (old levels 2,3,4). Now it is
only SSSDBG_TRACE_FUNC (same level is used in nsssrv_services.c
and proposed in the ticket bellow).
https://fedorahosted.org/sssd/ticket/1771
|
|
Use the new internal SSSD errors, to simplify error handling.
Instead of using up to 3 different error types (system, krb5 and
pam_status), collapse all error reporting into one error type mapped
on errno_t.
The returned error can contain either SSSD internal errors, kerberos
errors or system errors, they all use different number spaces so there
is no overlap and they can be safely merged.
This means that errors being sent from the child to the parent are not
pam status error messages anymore.
The callers have been changed to properly deal with that.
Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from
the krb5_child for kerberos errors as all it was doing was simply to
make the parent emit the same debug log already emitted by the child,
and the code is simpler if we do not do that.
|
|
EIO has always been an odd match, but was used as an error to indicate
that something had gone wrong internally before we had specific SSSD
errors available. Use ERR_INTERNAL instead going forward.
|
|
This prevents reportin false errors when internal functions return
a generic EINVAL or EACCES that should just be treated as internal
errors.
|
|
This code adds a new range of error codes specific to SSSD,
It also provides helper functions to print out error defintions
like you can do with system error messages and the strerror() function.
The sss_strerror() function can accept both the new sssd errors and
system errno_t errors falling back to the system strerror() if the error
code provide is not a valid SSSD error code.
|
|
https://fedorahosted.org/sssd/ticket/1812
|
|
ret was defined as integer, instead of errno_t, and was uninitialized
|
|
|
|
|
|
|
|
This reverts commit 30c76633788c498b7d34e7e5944a3d36f26ec2db.
|
|
https://fedorahosted.org/sssd/ticket/1739
Pointer to packet body may change while filling packet with autofs
mount points. As a consequence, we sometimes wrote the number of
entries into invalid body and we recieved an arbitrary number
on the client side.
If the number was 0, there were some skipped entries. If the number
was greater than 0, everything worked correctly, because we iterate
through the cached entries until we reach packet length - we don't
compare to the number.
|
|
|
|
The aim of this refactoring is to make the code readable and understandable.
This code has grown organically over time and has becomed confused and
baroque enough that understanding it's very simple flow had become very
complex for the uninitiated. Complex flows easily hide nasty bugs.
Improvements:
- Remove dead/unused data storage
- Fix and simplify talloc hierarchy, use a memory context (kr) for the
whole code and allocate kr->pd where it is filled up.
- Rename some functions to create a better name space (easier for
searching fucntions across the tree)
- Streamline setup function, by spliting out fast setup in a subroutine.
- Avoid confusing indirection in executng actual functions by not
using the krb5_req child_req member.
- Make main() flow s now simmetric, send abck data from the main function
instead of delegating a reply to every inner function that implements a
command.
Now the flow is evident from the main function:
1. read request
2. setup data
3. execute command
4. send reply back
|
|
Use the standard 'done' label for exceptions.
|
|
https://fedorahosted.org/sssd/ticket/1755
sdap_find_entry_by_origDN() may return ENOENT in these
non-error scenarios:
If a member is out of scope of configured nesting level, sssd
produces few noise lines indicating failure.
The worse case is when a member is outside of configured search
bases. In this case we save the group with incomplete membership,
|