path: root/src

Age | Commit message | Author | Files | Lines
2013-08-28 | NSS: Descend into subdomains if enumerate=true | Jakub Hrozek | 1 file | -12/+12
    Since we now store the enumerate flag in sysdb for subdomains, we can always descend to all available subdomains and if they do not allow enumeration, simply skip them.
2013-08-28 | IPA: enable enumeration if parent domain enumerates in server mode | Jakub Hrozek | 1 file | -12/+58
    https://fedorahosted.org/sssd/ticket/1963
2013-08-28 | Add a new option to control subdomain enumeration | Jakub Hrozek | 8 files | -1/+75
2013-08-28 | Read enumerate state for subdomains from cache | Jakub Hrozek | 4 files | -7/+23
    The enumerate flag will be read from the cache for subdomains and the domain object will be created accordingly.
2013-08-28 | SYSDB: Store enumerate flag for subdomain | Jakub Hrozek | 5 files | -11/+38
2013-08-28 | LDAP: Make sdap_id_setup_tasks reusable for subdomains | Jakub Hrozek | 5 files | -9/+21
    Instead of always performing the setup for the main domain, the setup can now be performed for subdomains as well.
2013-08-28 | LDAP: Make the cleanup task reusable for subdomains | Jakub Hrozek | 5 files | -42/+73
    Instead of always performing the cleanup on the main domain, the task now accepts a sdap_domain structure to perform the cleanup on. This change will make the cleanup task reusable for subdomains.
2013-08-28 | LDAP: Make cleanup synchronous | Jakub Hrozek | 3 files | -150/+34
    The LDAP cleanup request was asynchronous for no good reason, probably a leftover from the days of async sysdb. This patch makes it synchronous again, removing a lot of unneeded code.
2013-08-28 | LDAP: Convert enumeration to the ptask API | Jakub Hrozek | 4 files | -136/+132
    https://fedorahosted.org/sssd/ticket/1942
    Identity providers other than LDAP need to customize the enumeration in different ways while sharing the way the task is scheduled etc. The easiest way to accomplish it is to leverage the recently introduced ptask framework.
2013-08-28 | LDAP: Move the ldap enum request to its own reusable module | Jakub Hrozek | 6 files | -642/+741
    The LDAP enumeration was too closely tied to the LDAP identity provider. Because some providers might need special handling such as refreshing the master domain record before proceeding with the enumeration itself, this patch splits the request itself into a separate async request and lets the ldap_id_enum.c module only configure this new request. Also move the enum timestamp to sdap_domain to make the enum tracking per sdap domain. The cleanup timestamp will be moved in another patch.
2013-08-28 | LDAP: Remove unused constant | Jakub Hrozek | 1 file | -2/+0
    The constant was not used since Eugene came up with his reconnection logic.
2013-08-28 | LDAP: Add enum_{users,groups}_recv to follow the tevent_req style | Jakub Hrozek | 1 file | -24/+19
    The enum code was quite old and predated the tevent_req style. In particular, the enum code was checking tevent state directly and not using _recv functions or the helper macros we added later. As a consequence, it was not easy to read. This patch adds the standard _recv functions to read the status of the enum requests.
2013-08-28 | DB: remove unused realm parameter from sysdb_master_domain_add_info | Jakub Hrozek | 4 files | -24/+4
    The parameter was not used at all.
2013-08-28 | DB: Update sss_domain_info with new updated data | Jakub Hrozek | 1 file | -5/+5
2013-08-28 | ipa-server-mode: add IPA group memberships to AD users | Sumit Bose | 4 files | -8/+1005
    When IPA trusts an AD domain the AD users or groups can be placed into IPA groups, e.g. to put AD users under the control of HBAC. Since IPA groups can only have members from the IPA directory tree and the AD users and groups are not stored there, a special IPA object called external group was introduced. SIDs of users and groups can be added to the external group and since the external groups are in the IPA directory tree they can be members of IPA groups. To speed things up and to remove some load from the IPA servers SSSD reads all external groups and stores them in memory for some time before rereading the data.
    Enhances https://fedorahosted.org/sssd/ticket/1962
2013-08-28 | mmap_cache: Use stricter check for hash keys. | Lukas Slebodnik | 1 file | -4/+6
    ht_size is the size of hash_table in bytes, but hash keys have type uint32_t
2013-08-28 | mmap_cache: Skip records which don't have the same hash | Lukas Slebodnik | 1 file | -2/+34
    The code uses 2 hashes for each record, but only one hash table to index them both; furthermore each record has only one single 'next' pointer. This means that in certain conditions a record may end up being on a hash chain even though its hashes do not match the hash chain. This can happen when another record 'drags' it in from another hash chain where they both belong. If the record without matching hashes happens to be the second of the chain and the first record is removed, then the non-matching record is left on the wrong chain. On removal of the non-matching record the hash chain will not be updated and the hash chain will end up pointing to an invalid slot. This slot may be later reused for another record and may not be the first slot of this new record. In this case the hash chain will point to arbitrary data and may cause issues if the slot is interpreted as the head of a record. By skipping any block that has no matching hashes upon removing the first record in a chain we ensure that dangling references cannot be left in the hash table.
    Resolves: https://fedorahosted.org/sssd/ticket/2049
2013-08-28 | sss_packet_grow: correctly pad packet length to 512B | Pavel Březina | 1 file | -1/+1
    https://fedorahosted.org/sssd/ticket/2059
    If len % SSSSRV_PACKET_MEM_SIZE == 0 or some low number, we can end up with totlen < len and return EINVAL. It also does not pad the length, but usually allocates much more memory than is desired.

        len = 1024
        n = 1024 % 512 + 1 = 0 + 1 = 1
        totlen = 1 * 512 = 512 => totlen < len

        len = 511
        n = 511 % 512 + 1 = 511 + 1
        totlen = 512 * 512 = 262144
        totlen is way bigger than it was supposed to be
2013-08-28 | IPA: Enable AD sites when in server mode | Jakub Hrozek | 3 files | -2/+70
    https://fedorahosted.org/sssd/ticket/1964
    Currently the AD sites are enabled unconditionally
2013-08-28 | krb5: Fetch ccname template from krb5.conf | Stephen Gallagher | 10 files | -16/+182
    In order to use the same defaults in all system daemons that need to know how to generate or search for ccaches we introduce code here to take advantage of the new option called default_ccache_name provided by libkrb5. If this variable is set we establish the same default for all programs that source it out of krb5.conf, therefore providing a consistent experience across the system.
    Related: https://fedorahosted.org/sssd/ticket/2036
2013-08-28 | krb5_common: Refactor to use a talloc temp context | Simo Sorce | 1 file | -12/+28
    In preparation for handling some more allocations in the following patches; also fixes a current memleak on the opts struct.
    Related: https://fedorahosted.org/sssd/ticket/2036
2013-08-27 | KRB5: Add support for KEYRING cache type | Stephen Gallagher | 7 files | -6/+245
    https://fedorahosted.org/sssd/ticket/2036
2013-08-27 | KRB5: Remove unnecessary call to become_user() | Stephen Gallagher | 1 file | -6/+0
    By the time that the create_ccache_in_dir() routine is called, we are already guaranteed to have dropped privileges. This has either happened because we dropped them before the exec() in the normal operation case or because we dropped them explicitly after we completed the TGT validation step if that or FAST is configured.
2013-08-27 | KRB5: Add low-level debugging to sss_get_ccache_name_for_principal | Stephen Gallagher | 1 file | -0/+6
2013-08-26 | sudo: do not strdup usn on ENOENT | Pavel Březina | 1 file | -1/+1
    If the USN attribute is not present, we call strdup on an uninitialized variable. This may cause a segfault, or if we are lucky and usn is NULL it will return ENOMEM.
2013-08-26 | sudo: do not fail to store the rule if we can't read usn | Pavel Březina | 1 file | -3/+4
    Resolves: https://fedorahosted.org/sssd/ticket/2052
2013-08-26 | PAC: Skip SIDs that cannot be resolved to domain | Jakub Hrozek | 1 file | -2/+4
2013-08-26 | PAC: use SID instead of GID to search for groups | Sumit Bose | 1 file | -48/+41
    With the support of POSIX IDs managed on the AD side we may find non-POSIX groups, i.e. groups which do not have a GID assigned in AD, in the PAC. Since in this case all cached groups have a SID attribute it is more reliable to search the groups by SID instead of GID.
2013-08-26 | PAC: do not fail if a single group cannot be added/removed | Sumit Bose | 1 file | -18/+31
    When processing a list of groups we try to process as much as possible and not stop on the first error.
2013-08-26 | PAC: read user DN instead of constructing it | Sumit Bose | 1 file | -5/+17
    To avoid issues with case-sensitivity it is more reliable to search the user entry in the cache and use the returned DN instead of constructing it.
2013-08-26 | PAC: handle non-POSIX groups in cache | Sumit Bose | 2 files | -11/+9
    Since the DN of the group is used to remove a membership it is not necessary to check if the GID is valid.
2013-08-26 | PAC: do not create users with missing GID | Sumit Bose | 1 file | -0/+14
    If the user entry does not exist in the cache and a primary GID cannot be found it does not make sense to create a user entry.
2013-08-26 | PAC: if user entry already exists keep it | Sumit Bose | 3 files | -86/+10
    Currently the PAC responder deletes a user entry and recreates it if some attributes seem to be different. Two of the attributes were the home directory and the shell of the user. Those two attributes are not available from the PAC but were generated by the PAC responder. The corresponding ID provider might have better means to determine those attributes, e.g. read them from LDAP, so we shouldn't change them here. The third attribute is the user name. Since the PAC responder does lookups only based on the UID we can wait until the ID provider updates the entry.
    Fixes https://fedorahosted.org/sssd/ticket/1996
2013-08-24 | DP: Notify properly when removing PAC responder | Ondrej Kos | 2 files | -1/+5
    Adds pac_cli be_client structure pointer, to identify and log the PAC responder termination correctly.
2013-08-24 | MAN: AD provider only supports trusted domains from the same forest | Jakub Hrozek | 1 file | -0/+5
    Resolves: https://fedorahosted.org/sssd/ticket/2044
2013-08-24 | check_cc_validity: make sure _valid is always set | Sumit Bose | 1 file | -5/+7
    In the KRB5_FCC_NOFILE code path _valid is not set, leading to 'may be used uninitialized' compiler warnings.
2013-08-22 | pam: Bad debug message format and parameter. | Michal Zidek | 1 file | -1/+2
2013-08-22 | Fix memory leak in sss_krb5_get_error_message | Lukas Slebodnik | 1 file | -0/+1
    warning reported by cppcheck
2013-08-22 | Use brackets around macros. | Lukas Slebodnik | 2 files | -8/+8
    warnings reported by cppcheck.
2013-08-22 | Remove include recursion | Lukas Slebodnik | 2 files | -3/+0
    warning reported by coverity
    include_recursion: #include file "src/providers/dp_backend.h" includes itself: dp_backend.h -> dp_refresh.h -> dp_backend.h (other events go to each file)
    primary_file: During compilation of file 'src/krb5_plugin/sssd_krb5_locator_plugin.c
    include_recursion: #include file "src/providers/dp_backend.h" includes itself: dp_backend.h -> dp_refresh.h -> dp_ptask.h -> dp_backend.h (other events go to each file)
    primary_file: During compilation of file 'src/krb5_plugin/sssd_krb5_locator_plugin.c'
2013-08-22 | proxy: Allow initgroup to return NOTFOUND | Simo Sorce | 1 file | -0/+16
    When the user is only a member of its own primary group, initgroups_dyn may return NOTFOUND as, at least for the 'files' nss provider, the code skips the passed in group.
    Resolves: https://fedorahosted.org/sssd/ticket/2051
2013-08-22 | mmap_cache: Use sss_atomic_write_s instead of write. | Michal Zidek | 1 file | -2/+11
    Use sss_atomic_write_s() instead of write() in sss_mc_save_corrupted(). Also unlink() the file if no data were written. It is better to use sss_atomic_write_s instead of write.
2013-08-22 | KRB5: Only set active and valid on success | Stephen Gallagher | 1 file | -6/+5
    The FILE cache only sets the return values of _active and _bool if the entire function succeeds. The DIR cache was setting it even on failure. This patch makes both consistent. This will benefit static analysis tools which would be able to detect if the variable is ever used uninitialized anywhere.
2013-08-22 | KRB5: Refactor cc_*_check_existing | Stephen Gallagher | 1 file | -61/+59
    There was duplicated code in cc_file_check_existing() and in cc_dir_check_existing(). I pulled them into the same function. There are two changes made to the original code here:
    1) Fixes a use-after-free bug in cc_file_check_existing(). In the original code, we called krb5_free_context() and then used that context immediately after that in krb5_cc_close(). This patch corrects the ordering.
    2) The krb5_cc_resolve() call handles KRB5_FCC_NOFILE for all cache types. Previously, this was only handled for DIR caches.
2013-08-22 | KRB5: Add new #define for collection cache types | Stephen Gallagher | 8 files | -35/+35
    Kerberos now supports multiple types of collection caches, not just DIR: caches. We should add a macro for generic collection behavior and use that where appropriate.
2013-08-19 | sysdb_add_incomplete_group: store SID string if available | Sumit Bose | 5 files | -14/+72
    During the initgroups request we read the SID of a group from the server but do not save it to the cache. This patch fixes this and might help to avoid an additional lookup of the SID later.
2013-08-19 | save_rfc2307bis_user_memberships: use fq names for subdomains | Sumit Bose | 1 file | -0/+16
    For subdomains the group names must be expanded to fully qualified names to be able to find existing groups or properly add new ones.
2013-08-19 | sdap_add_incomplete_groups: use fully qualified name if needed | Sumit Bose | 1 file | -4/+14
    For subdomains the group names must be expanded to fully qualified names to be able to find existing groups or properly add new ones.
2013-08-19 | mmap_cache: Store corrupted mmap cache before reset | Michal Zidek | 1 file | -0/+66
    This patch adds a function to store the corrupted mmap cache file to disk for further analysis.
2013-08-19 | sudo: continue if we are unable to resolve fqdn | Pavel Březina | 1 file | -1/+0
    https://fedorahosted.org/sssd/ticket/2043