| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
A test to cover this is added as well.
|
|
The samba ndr libraries use struct dom_sid to handle SIDs. Since there
is no public samba library which offers conversion from other
representations, e.g. as string, this is added to libsss_idmap.
To avoid compile-time or run-time dependency to any samba library or
header file the definition of the struct is copied here.
|
|
The block that upgraded the version was at a wrong indentation level, so
it never ran if there were no fake users to convert
|
|
|
|
|
|
missing
https://fedorahosted.org/sssd/ticket/1356
|
|
|
|
Previous patch added the possibility to exclude some attributes from a
map when building an attribute list to be sent to server. The original
reason for this functionality is the code handling LDAP initgroups. In
this code, there is no need to fetch members of groups in question. This
can save some performance since the list of members can be pretty long
in some cases. This case apllies only to RFC2307 and generic RFC2307bis,
it doesn't apply for IPA schema.
|
|
This patch adds support for filtering attributes when constructing
attribute list from a map for LDAP query.
|
|
Don't use GlobalKnownHostsFile2 in ssh_config, as it has been deprecated in
OpenSSH 5.9.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1008
|
|
We were polluting the primary Python space with several
dependencies. We will now install them their own directory/module.
|
|
|
|
|
|
This function is no longer necessary because we don't have fake user
entries any more. The original purpose of this function was to check if
there are fake user entries for particular user and, if yes, to update
its membership.
|
|
Since there are two attributes storing information about user
memberships of the group we have to include both of them in results.
This will apply only for objects that have ghost members (i.e. they
contain the SYSDB_GHOST attribute). If an object has this attribute,
values of this attribute are not projected to the memberuid attribute.
|
|
It is remotely possible to have sysdb in an inconsistent state that
might need upgrade. Consider scenario when user asks for group
information. Some fake users are added as a part of this operation.
Before users can be fully resolved and stored properly, SSSD is shut
down and upgrade is performed.
In this case we need to go over all fake user records (uidNumber=0) and
replace each of them with ghost record in all group objects that are stated in
its memberof attribute.
|
|
|
|
Deleted sysdb_add_fake_user():
This function is no longer used.
Modified sysdb_add_user():
When user object is added to sysdb, it is important to iterate over all
groups that might have its name or any of its aliases as ghost member
and replace this ghost membership by a real one. This will eliminate
duplicite memberships.
|
|
|
|
The original approach was to store name and original DN in an object in
sysdb. When later referenced as member of a group, it was retrieved by
its original DN and the correct information about its sysdb DN was
stored in the group object which referenced it.
The new approach doesn't use fake user objects, therefore this
information has to be reached differently when constructing group
memberships. The approach is to store all users to a hash table where
original DN is used as the key and username as value. When constructing
group memberships, the name is retrieved from this hash table instead of
sysdb. This hash table is constructed when retrieving user objects from
LDAP server - if the user is not present in sysdb, it is automatically
stored in the hash table.
Another situation is for rfc2307. Because there is no nesting there, we
can construct the SYSDB_GHOST attribute directly and therefore don't
need a hash table of ghost users.
|
|
|
|
|
|
When fixing an endianness bug, we changed the protocol unnecessarily.
|
|
https://fedorahosted.org/sssd/ticket/1348
|
|
|
|
There was an issue when IPA provider didn't set PAM_SUCCESS when
successfully finished loading SELinux user maps. This lead to the map
not being read in the responder.
|
|
structure
https://fedorahosted.org/sssd/ticket/1343
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1330
|
|
|
|
https://fedorahosted.org/sssd/ticket/1336
|
|
The fact that we were keeping it in memory for the full duration
of the cache timeout meant that we would never reap the benefits
of the midpoint cache refresh.
https://fedorahosted.org/sssd/ticket/1340
|
|
|
|
|
|
|
|
To avoid conflicts with struct dom_sid used by samba the sss_ prefix is
added to the struct used by libsss_idmap.
|
|
|
|
|
|
|
|
|
|
Fixes a regression in the local domain tools where sss_groupadd no longer
detected a GID duplicate. The check for EEXIST is moved one level up into
more high level function.
The patch also adds the same rename support for users. I found it odd that
we allowed a rename of groups but not users. There is a catch when storing
a user -- his cached password would be gone. I think that renaming a user
is such a rare operation that it's not severe, plus there is a warning in
the logs.
|
|
documentation-access_provider
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
https://fedorahosted.org/sssd/ticket/949
|
|
The subdomains back end request was sending replies in a format the
responder did not understand in case the request failed.
|
|
https://fedorahosted.org/sssd/ticket/1329
|
