summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)AuthorFilesLines
2013-04-10resolv: add resolv_discover_srv request to resolv utilsPavel Březina2-0/+194
2013-04-10resolv: add resolv_get_domain request to resolv utilsPavel Březina2-0/+168
2013-04-10cmocka unittest for io addedAbhishek Singh1-0/+157
2013-04-10cmocka unittest for find_uid addedAbhishek Singh1-0/+105
2013-04-10Allow using flatname for subdomain home dir templateJakub Hrozek6-9/+33
https://fedorahosted.org/sssd/ticket/1609
2013-04-10Put the override_homedir into an included xml fileJakub Hrozek3-141/+56
The description was duplicated on two places, leading to errors where one was amended but the other was not.
2013-04-09LDAP: Always fail if a map can't be foundJakub Hrozek1-4/+2
2013-04-08Allocate PAM DP request data on responder contextJakub Hrozek3-5/+54
https://fedorahosted.org/sssd/ticket/1869 Currently the private data passed to the PAM request is a structure allocated on the client context. But in the odd case where the back end would be stopped or stuck until the idle timeout hits, the DP callback would access data that were freed when the client timed out. This patch introduces a new structure allocated on responder context, whose only purpose is to live as long as the request is active.
2013-04-05Wrong condition after waitpid.Michal Zidek1-1/+1
On success, waitpid() returns pid of terminated child, not 0.
2013-04-05Check for waitpid failure at wrong place.Michal Zidek2-10/+9
Coverity bugs. https://fedorahosted.org/sssd/ticket/1865
2013-04-05Check for the correct variablesJakub Hrozek1-2/+2
https://fedorahosted.org/sssd/ticket/1864
2013-04-05Further restrict become_user drop of privileges.Simo Sorce1-15/+18
We never need to regain root after we call become_user() so tighten up even further our privilege drop. Add a setgroups() call to remove all secondary groups root may have been given for whateve reason. Then use the setres[ug]id function to also drop the saved uid/gid so the process cannot regain back root id. Capabilities are also implicitly dropped here, no more CAP_SETUID so this is a Point of No Return, once changed to non-root the process can't get back. Remove redefinition of sys/types.h and unistd.h, they are already defined in util.h and they need to be included after _GNU_SOURCE/_BSD_SOURCE is defined or the prototypes for setres[ug]id will not be found. Add grp.h after util.h for the same reason.
2013-04-04dyndns: Fix initializing sdap_id_ctxJakub Hrozek1-1/+1
2013-04-04LDAP: Fix value initialization warningsLukas Slebodnik2-2/+2
2013-04-03Centralize resolv_init, remove resolv context listJakub Hrozek5-43/+7
2013-04-03Init failover with be_res optionsJakub Hrozek8-131/+124
2013-04-03Allow setting krb5_renew_interval with a delimiterAriel Barria9-13/+59
https://fedorahosted.org/sssd/ticket/902 changed the data type the krb5_renew_interval to string. function krb5_string_to_deltat is used to convert and allow delimiters
2013-04-03Check for correct variable nameJakub Hrozek6-9/+5
https://fedorahosted.org/sssd/ticket/1864
2013-04-03Return errno, not -1 on failure in files.cJakub Hrozek1-0/+1
https://fedorahosted.org/sssd/ticket/1862
2013-04-03Fix potential out-of-bounds write in sss_idmap_sid_to_dom_sidJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/1861
2013-04-03pidfile(): Do not leak fd on errorJakub Hrozek1-0/+1
https://fedorahosted.org/sssd/ticket/1860
2013-04-03krb5 child: Use the correct type when processing OTPJakub Hrozek1-1/+1
2013-04-03Fix typos in man pagesYuri Chornoivan2-2/+2
2013-04-02Updating the translations for the 1.10 alpha releaseJakub Hrozek16-8900/+31591
2013-04-02Improve syslog message when configuration cannot be loadedAriel Barria1-1/+3
https://fedorahosted.org/sssd/ticket/1414 Error code was added and strerror(errno) to show cause in sss_log
2013-04-02Making the authtok structure really opaque.Lukas Slebodnik19-137/+186
Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830
2013-04-02Reusing create_pam_data() on the other places.Lukas Slebodnik5-4/+16
Function create_pam_data() should be only one way how to create new struct pam_data, because it also initialize destructor to created object.
2013-04-02refactor nested group processing: replace old codePavel Březina2-1721/+21
https://fedorahosted.org/sssd/ticket/1784
2013-04-02refactor nested group processing: add new codePavel Březina1-0/+2229
https://fedorahosted.org/sssd/ticket/1784 1. initialization (main-req), returns members of input group 2. evaluate group members (group) 3. perform individual search (no-deref) or dereference attribute (deref) 4a. no-deref 1. perform a lookup depending on the type of the member object 2. all direct members are evaluated first 3. then we step down in nesting level and evaluate nested groups 4b. deref 1. perform a dereference lookup on member attribute 2. all direct members are evaluated first 3. then we step down in nesting level and evaluate nested groups Tevent request flow: main-req | group |------------------------| no-deref deref | | |----|------|---------| | user group unknown recurse recurse / \ | | | ... | | | ... user group group group
2013-03-27Provide libnl3 supportOndrej Kos3-78/+201
https://fedorahosted.org/sssd/ticket/812 Update the monitor code to be using the new libnl3 API. Changed configure option --with-libnl By default, it tries to build with libnl3, if not found, then with libnl1, if this isn't found either, build proceeds without libnl, just with warning. Specifing --with-libnl=<libnl3|libnl1|no> checks for the specific given version, if not found, configure ends with error.
2013-03-27selinux: Remove unused parameterJakub Hrozek1-1/+0
https://fedorahosted.org/sssd/ticket/1848
2013-03-27LDAP: Fix value initializationOndrej Kos1-1/+1
2013-03-27filename in comment is correctedAbhishek Singh1-1/+1
2013-03-25Include config.h to build io.c on RHEL5Jakub Hrozek1-0/+2
2013-03-21Document what does access_provider=ad doJakub Hrozek1-0/+14
https://fedorahosted.org/sssd/ticket/1841
2013-03-21LDAP: If deref search fails, try again without derefJan Cholasta5-4/+50
https://fedorahosted.org/sssd/ticket/1660
2013-03-21Move signal.m4 from src/util to externalJakub Hrozek1-0/+0
2013-03-21Fixing duplicate constLukas Slebodnik1-3/+3
const char const * --> const char *const
2013-03-20Return error code from ipa_subdom_storeJakub Hrozek1-5/+13
2013-03-20coding style fixPavel Březina1-1/+1
2013-03-20change responder contexts hierarchyPavel Březina6-65/+94
https://fedorahosted.org/sssd/ticket/1575 The hierarchy is now: main_ctx -> responder_ctx -> specific_ctx where specific_ctx is one of sudo, pam, etc.
2013-03-20do not leak memory on failure in *_process_init()Pavel Březina7-35/+62
2013-03-20tests: Print warning if LDB_MODULES_PATH is not setMichal Zidek4-0/+21
Print warning if sysdb-tests or sysdb-ssh test are run individually and LDB_MODULES_PATH was not set. https://fedorahosted.org/sssd/ticket/1820
2013-03-20correct order in error_to_str tablePavel Březina1-1/+1
Also fixed typo.
2013-03-20Making the ldb check configurableLukas Slebodnik2-2/+17
It is possible to enable/disable checking in LDB memberof plugin whether it was built against the same version of LDB that is present on the system. This feature is turned off by default and enabled in Fedora/RHEL spec file. https://fedorahosted.org/sssd/ticket/1813
2013-03-20ldap: Fallback option for rfc2307 schemaSimo Sorce13-11/+227
Add option to fallback to fetch local users if rfc2307is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation. Ticket: https://fedorahosted.org/sssd/ticket/1020
2013-03-19Convert sdap_access to new error codesSimo Sorce7-480/+214
Also simplify sdap_access_send to avoid completely fake _send() routines.
2013-03-19Resolve GIDs in the simple access providerJakub Hrozek4-223/+915
Changes the simple access provider's interface to be asynchronous. When the simple access provider encounters a group that has gid, but no meaningful name, it attempts to resolve the name using the be_file_account_request function. Some providers (like the AD provider) might perform initgroups without resolving the group names. In order for the simple access provider to work correctly, we need to resolve the groups before performing the access check. In AD provider, the situation is even more tricky b/c the groups HAVE name, but their name attribute is set to SID and they are set as non-POSIX
2013-03-19Do not compile main() in DP if UNIT_TESTING is definedJakub Hrozek1-0/+2
The simple access provider unit tests now need to link against the Data Provider when they start using the be_file_account_request() function. But then we would start having conflicts as at least the main() functions would clash. If UNIT_TESTING is defined, then the data_provider_be.c module does not contain the main() function and can be linked against directly from another module that contains its own main() function
2013-03-19Add unit tests for simple access test by groupsJakub Hrozek1-31/+253
I realized that the current unit tests for the simple access provider only tested the user directives. To have a baseline and be able to detect new bugs in the upcoming patch, I implemented unit tests for the group lists, too.