Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
Previously, the option krb5_kpasswd was only available if
'chpass_provider = krb5' was specified explicitly. Now it will be
available also if 'auth_provider = krb5'.
This option was also missing from the IPA options, so I have added
it there as well
|
|
|
|
Also clean up some duplicated code into a single common routine
sdap_account_info_common_done()
|
|
|
|
Prevent freeing the sdap_handle by failing in the destructor if we
are trying to recurse.
|
|
Always just mark the sdap_handle as not connected and let later _send()
functions to take care of freeing the handle before reconnecting.
Introduce restart functions to avoid calling _send() functions in _done()
functions error paths as this would have the same effect as directly freeing
the sdap_handle and cause access to freed memory in sdap_handle_release()
By freeing sdap_handle only in the connection _recv() function we
guarantee it can never be done within sdap_handle_release() but only
in a following event.
|
|
|
|
We had a hard-coded timeout of five seconds for DNS lookups in the
async resolver. This patch adds an option 'dns_resolver_timeout'
to specify this value (Default: 5)
|
|
If there was a failure during a password change a wrong return value was
send back to the PAM stack.
|
|
|
|
Adds a new failover API call fo_add_srv_server that allows the caller
to specify a server that is later resolved into a list of specific
servers using SRV requests.
Also adds a new failover option that specifies how often should the
servers resolved from SRV query considered valid until we need a
refresh.
The "real" servers to connect to are returned to the user as usual,
using the fo_resolve_service_{send,recv} calls.
Make SRV resolution work with c-ares 1.6
|
|
|
|
RFC 2782 defines a way to sort replies to a SRV query. In short, the
algorithm sorts all replies by priority and then does a weight-based
selection for every priority level.
For details, please see the sections "Usage rules" for overview of the
algorithm and section "The 'Weight' field" for description on the weight
selection.
|
|
|
|
|
|
Depending on the version of the OpenLDAP libraries we use two different
schemes to find the file descriptor of the connection to the LDAP
server. This patch removes the related ifdefs from the main code and
introduces helper functions which can handle the specific cases.
|
|
|
|
|
|
If read() returns with errno set to EINTR -1 is added to total_len.
|
|
|
|
The correct memory deallocation sequence is:
- clear pointer to memory first
- then deallocate memory
|
|
Using sssm_*_init() as the name of the initialization function for
identity providers was a holdover from earlier development when we
thought we would only have a single "provider" entry in the config
file.
As we have now separated out the initialization functions for
auth, chpass and access, we should rename sssm_*_init() to
sssm_*_id_init() for a cleaner interface.
|
|
Resolves: https://fedorahosted.org/sssd/ticket/438
|
|
This is the second attempt to let the PAM client and the PAM responder
exchange their credentials, i.e. uid, gid and pid. Because this approach
does not require any message interchange between the client and the
server the protocol version number is not changed.
On the client side the connection is terminated it the responder is not
run by root. On the server side the effective uid and gid and the pid of
the client are available for future use.
The following additional changes are made by this patch:
- the checks of the ownership and the permissions on the PAM sockets are
enhanced
- internal error codes are introduced on the client side to generate
more specific log messages if an error occurs
|
|
This reverts commit 5a88e963744e5da453e88b5c36499f04712df097.
|
|
|
|
When we converted to the synchronous sysdb interface, the
synchronous-simulating function test_loop() became unnecessary,
but we forgot to remove it.
|
|
|
|
|
|
|
|
|
|
|
|
Since the sysdb is now synchronous and creates its own event context we
don't need an explicit event context anymore in the tools.
|
|
I tried to convert this code as mechanically as possible from the
previously existing code. I am not sure it works right, and it will
probably recurse infinetly as circular group memberships are
admitted in sysdb. The original code had the same issues.
This code should be probably discarded and redone from scratch.
|
|
This commit completes the migration to a synchronous sysdb
|
|
|
|
|
|
|
|
fill_pwent should return the number of users actually processed. Otherwise in
case of a recoverable error we may end up skipping a large chunk of users.
fill_grent doesn't need to distinguish between number of entries and number of
groups to process since we started adding memberuid. Remove remnants that are
not useful anymore.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Only functions that do multiple operations need explicit transactions
as ldb_add/ldb_modify/ldb_delete already start transactions automatically
intenrally.
|
|
not used anymore
|