summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)AuthorFilesLines
2013-04-02Reusing create_pam_data() on the other places.Lukas Slebodnik5-4/+16
Function create_pam_data() should be only one way how to create new struct pam_data, because it also initialize destructor to created object.
2013-04-02refactor nested group processing: replace old codePavel Březina2-1721/+21
https://fedorahosted.org/sssd/ticket/1784
2013-04-02refactor nested group processing: add new codePavel Březina1-0/+2229
https://fedorahosted.org/sssd/ticket/1784 1. initialization (main-req), returns members of input group 2. evaluate group members (group) 3. perform individual search (no-deref) or dereference attribute (deref) 4a. no-deref 1. perform a lookup depending on the type of the member object 2. all direct members are evaluated first 3. then we step down in nesting level and evaluate nested groups 4b. deref 1. perform a dereference lookup on member attribute 2. all direct members are evaluated first 3. then we step down in nesting level and evaluate nested groups Tevent request flow: main-req | group |------------------------| no-deref deref | | |----|------|---------| | user group unknown recurse recurse / \ | | | ... | | | ... user group group group
2013-03-27Provide libnl3 supportOndrej Kos3-78/+201
https://fedorahosted.org/sssd/ticket/812 Update the monitor code to be using the new libnl3 API. Changed configure option --with-libnl By default, it tries to build with libnl3, if not found, then with libnl1, if this isn't found either, build proceeds without libnl, just with warning. Specifing --with-libnl=<libnl3|libnl1|no> checks for the specific given version, if not found, configure ends with error.
2013-03-27selinux: Remove unused parameterJakub Hrozek1-1/+0
https://fedorahosted.org/sssd/ticket/1848
2013-03-27LDAP: Fix value initializationOndrej Kos1-1/+1
2013-03-27filename in comment is correctedAbhishek Singh1-1/+1
2013-03-25Include config.h to build io.c on RHEL5Jakub Hrozek1-0/+2
2013-03-21Document what does access_provider=ad doJakub Hrozek1-0/+14
https://fedorahosted.org/sssd/ticket/1841
2013-03-21LDAP: If deref search fails, try again without derefJan Cholasta5-4/+50
https://fedorahosted.org/sssd/ticket/1660
2013-03-21Move signal.m4 from src/util to externalJakub Hrozek1-0/+0
2013-03-21Fixing duplicate constLukas Slebodnik1-3/+3
const char const * --> const char *const
2013-03-20Return error code from ipa_subdom_storeJakub Hrozek1-5/+13
2013-03-20coding style fixPavel Březina1-1/+1
2013-03-20change responder contexts hierarchyPavel Březina6-65/+94
https://fedorahosted.org/sssd/ticket/1575 The hierarchy is now: main_ctx -> responder_ctx -> specific_ctx where specific_ctx is one of sudo, pam, etc.
2013-03-20do not leak memory on failure in *_process_init()Pavel Březina7-35/+62
2013-03-20tests: Print warning if LDB_MODULES_PATH is not setMichal Zidek4-0/+21
Print warning if sysdb-tests or sysdb-ssh test are run individually and LDB_MODULES_PATH was not set. https://fedorahosted.org/sssd/ticket/1820
2013-03-20correct order in error_to_str tablePavel Březina1-1/+1
Also fixed typo.
2013-03-20Making the ldb check configurableLukas Slebodnik2-2/+17
It is possible to enable/disable checking in LDB memberof plugin whether it was built against the same version of LDB that is present on the system. This feature is turned off by default and enabled in Fedora/RHEL spec file. https://fedorahosted.org/sssd/ticket/1813
2013-03-20ldap: Fallback option for rfc2307 schemaSimo Sorce13-11/+227
Add option to fallback to fetch local users if rfc2307is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation. Ticket: https://fedorahosted.org/sssd/ticket/1020
2013-03-19Convert sdap_access to new error codesSimo Sorce7-480/+214
Also simplify sdap_access_send to avoid completely fake _send() routines.
2013-03-19Resolve GIDs in the simple access providerJakub Hrozek4-223/+915
Changes the simple access provider's interface to be asynchronous. When the simple access provider encounters a group that has gid, but no meaningful name, it attempts to resolve the name using the be_file_account_request function. Some providers (like the AD provider) might perform initgroups without resolving the group names. In order for the simple access provider to work correctly, we need to resolve the groups before performing the access check. In AD provider, the situation is even more tricky b/c the groups HAVE name, but their name attribute is set to SID and they are set as non-POSIX
2013-03-19Do not compile main() in DP if UNIT_TESTING is definedJakub Hrozek1-0/+2
The simple access provider unit tests now need to link against the Data Provider when they start using the be_file_account_request() function. But then we would start having conflicts as at least the main() functions would clash. If UNIT_TESTING is defined, then the data_provider_be.c module does not contain the main() function and can be linked against directly from another module that contains its own main() function
2013-03-19Add unit tests for simple access test by groupsJakub Hrozek1-31/+253
I realized that the current unit tests for the simple access provider only tested the user directives. To have a baseline and be able to detect new bugs in the upcoming patch, I implemented unit tests for the group lists, too.
2013-03-19Provide a be_get_account_info_send functionJakub Hrozek2-19/+144
In order to resolve group names in the simple access provider we need to contact the Data Provider in a generic fashion from the access provider. We can't call any particular implementation (like sdap_generic_send()) because we have no idea what kind of provider is configured as the id_provider. This patch splits introduces the be_file_account_request() function into the data_provider_be module and makes it public. A future patch should make the be_get_account_info function use the be_get_account_info_send function.
2013-03-19Make the SELinux refresh time configurable.Michal Zidek6-2/+24
Option ipa_selinux_refresh is added to basic ipa options.
2013-03-19Reuse cached SELinux mappings.Michal Zidek2-3/+29
Reuse cached SELinux maps when they are requested within time interval (in this patch it is hardcoded to be 5 seconds). https://fedorahosted.org/sssd/ticket/1744
2013-03-19Move SELinux processing to provider.Michal Zidek6-452/+393
The SELinux processing was distributed between provider and pam responder which resulted in hard to maintain code. This patch moves the logic to provider. IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because the provider also writes the content of selinux login file to disk (which was done by responder before). https://fedorahosted.org/sssd/ticket/1743
2013-03-19Removing unused declaration of functions and variable.Lukas Slebodnik4-15/+2
Variables dir_cc and file_cc are used in three modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, therefore should be declared with extern in krb5_utils.h.
2013-03-19Use common error facility instead of sdap_resultSimo Sorce11-355/+238
Simplifies and consolidates error reporting for ldap authentication paths. Adds 3 new error codes: ERR_CHPASS_DENIED - Used when password constraints deny password changes ERR_ACCOUNT_EXPIRED - Account is expired ERR_PASSWORD_EXPIRED - Password is expired
2013-03-18Decrease krb5_auth_timeout defaultOndrej Kos4-4/+4
https://fedorahosted.org/sssd/ticket/1738
2013-03-18Retry the correct service on krb5 child timeoutJakub Hrozek1-1/+1
2013-03-18Fix sss_client breakage.Lukas Slebodnik5-5/+50
Adding missing dependencies for linker. Missing dependency was introduced by commit 22d381367c27910fe82f476a76b9f4ede555e35a in changed file src/sss_client/nss_mc_common.c All function declaration for io.c was moved from util.h to separate file io.h, https://fedorahosted.org/sssd/ticket/1838
2013-03-18Fix coverity issue 13136Ondrej Kos1-0/+1
https://fedorahosted.org/sssd/ticket/1811
2013-03-13Fix initialization of multiple variablesOndrej Kos7-9/+8
2013-03-13Removing unused header file providers.hLukas Slebodnik2-175/+0
Header file "providers.h" is not included in any other file and function "dp_process_init" declared in this header file has no implementation. Header file protos.h is not also included in any other file and even hole content is commented out.
2013-03-13More generalized function open_debug_file_ex()Lukas Slebodnik4-15/+9
Function open_debug_file_ex() set flag FD_CLOEXEC to opened file according to the value of third parameter. Removed duplicity of unsetting FD_CLOEXEC after calling function open_debug_file_ex()
2013-03-13Reuse sss_open_cloexec at other places in code.Lukas Slebodnik4-83/+99
Functions open_cloexec and openat_cloexec were renamed with prefix "sss_" and moved to separete file. Replacing duplicated code of function sss_open_cloexec everywhere in the source code. https://fedorahosted.org/sssd/ticket/1794
2013-03-13krb5-utils-tests: remove invalid conditionPavel Březina1-2/+0
This condition is invalid because different_realm is not set, when EINVAL is returned. It can make the test fail sometimes.
2013-03-13fix segfault in nss responder unit testPavel Březina1-1/+1
https://fedorahosted.org/sssd/ticket/1833 state is expected to be a pointer
2013-03-08CMocka based test for the NSS responderJakub Hrozek4-0/+767
2013-03-08Move sss_cmd_execute from client to responder code.Jakub Hrozek3-7/+15
I think it logically belongs there and allows to better exercise the responder commands from unit tests.
2013-03-08Add utility functions for tests that use sysdb or tevent.Jakub Hrozek3-0/+267
There was shared code for several unit tests that connected to their own sysdb instance. This patch adds common code to run a generic request to completion or connect to a test sysdb.
2013-03-08Detect the presence of libcmocka during configureJakub Hrozek1-0/+19
2013-03-08Add support for krb5 1.11's responder callback.Nathaniel McCallum6-1/+236
krb5 1.11 adds support for a new method for responding to structured data queries. This method, called the responder, provides an alternative to the prompter interface. This patch adds support for this method. It takes the password and provides it via a responder instead of the prompter. In the case of OTP authentication, it also disables the caching of credentials (since the credentials are one-time only).
2013-03-07Debug message in sss_mc_create_file.Michal Zidek1-0/+5
This patch adds debug message for the case if sssd fails to open old mc file for some other reason than the file does not exist.
2013-03-07File descriptor leak in nss responder.Michal Zidek1-18/+43
File descriptors leaked every time sss_mmap_cache_reinit was called and also the old memory cache was still maped in memory (munmap was not called). This patch adds destructor for memory cache context to call close() and munmap() automaticly. https://fedorahosted.org/sssd/ticket/1826
2013-03-07Removing unused parameter type from sudosrv_get_sudorules_query_cache()Lukas Slebodnik1-6/+4
https://fedorahosted.org/sssd/ticket/1825
2013-03-07Fixed typo in debug message.Lukas Slebodnik1-3/+5
C compiler did not complain, because "index" is function defined in header file <string.h>
2013-03-06Updated Doxygen configuration to 1.8.1Thorsten Scherf4-536/+1912
https://fedorahosted.org/sssd/ticket/1819