summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)AuthorFilesLines
2012-06-13LDAP: Auto-detect support for the ldap match ruleStephen Gallagher7-6/+120
This patch extends the RootDSE lookup so that we will perform a second request to test whether the match rule syntax can be used. If both groups and initgroups are disabled in the configuration, this lookup request can be skipped.
2012-06-13LDAP: Add support for AD chain matching extension in initgroupsStephen Gallagher3-9/+325
2012-06-13LDAP: Add support for AD chain matching extension in group lookupsStephen Gallagher3-9/+417
2012-06-13LDAP: Add ldap_*_use_matching_rule_in_chain optionsStephen Gallagher8-0/+65
2012-06-13sss_names_init: Report correct error code if allocation failedJakub Hrozek1-1/+4
2012-06-12Clarify how comments work in sssd.confAriel Barria1-1/+2
2012-06-12Make re_expression and full_name_format per domain optionsStef Walter19-83/+252
* Allows different user/domain qualified names for different domains. For example Domain\User or user@domain. * The global re_expression and full_name_format options remain as defaults for the domains. * Subdomains get the re_expression and full_name_format of their parent domain. https://bugzilla.redhat.com/show_bug.cgi?id=811663
2012-06-12LDAP: Make sdap_initgr_common_store() non-staticStephen Gallagher2-7/+15
Move it to a private header so it can be reused by other initgroups C files.
2012-06-12LDAP: Add helper function to get list of a user's groups from sysdbStephen Gallagher2-33/+69
2012-06-12LDAP: Fix incorrect switch statement in sdap_get_initgr_done()Stephen Gallagher1-1/+1
SDAP_SCHEMA_AD needs to be calling sdap_initgr_rfc2307bis_recv(), not sdap_initgr_nested_recv(). By coincidence both recv functions happened to be identical, but if one or the other changed, this would break unexpectedly.
2012-06-12LDAP: Remove redundant checkStephen Gallagher1-11/+0
The same block appeared earlier in the function and neither variable could have changed values since.
2012-06-12SYSDB: Reduce noise level of debug messages in lookupsStephen Gallagher1-6/+8
2012-06-10Allow fast memcache timeout to be configurableJan Zeleny7-5/+30
https://fedorahosted.org/sssd/ticket/1318
2012-06-10IPA subdomains - ask for information about master domainJan Zeleny11-17/+358
The query is performed only if there is missing information in the cache. That means this should be done only once after restart when cache doesn't exist. All subsequent requests for subdomains won't include the request for master domain.
2012-06-10PAM: Better pam_reply messageStephen Gallagher1-1/+2
2012-06-08sss_idmap: fix typo which prevents sub auth larger then 2^31Sumit Bose2-3/+40
A test to cover this is added as well.
2012-06-08sss_idmap: add support for samba struct dom_sidSumit Bose4-2/+405
The samba ndr libraries use struct dom_sid to handle SIDs. Since there is no public samba library which offers conversion from other representations, e.g. as string, this is added to libsss_idmap. To avoid compile-time or run-time dependency to any samba library or header file the definition of the struct is copied here.
2012-06-05Fix the 0.11 sysdb upgradeJakub Hrozek1-26/+26
The block that upgraded the version was at a wrong indentation level, so it never ran if there were no fake users to convert
2012-06-05Fix the default sssd.conf pathJakub Hrozek1-1/+1
2012-06-04Fixed setting of debug level in test suiteJan Zeleny2-4/+2
2012-05-31SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are ↵Jan Cholasta1-36/+49
missing https://fedorahosted.org/sssd/ticket/1356
2012-05-31SSH: Supress error message output in sss_ssh_knownhostsproxyJan Cholasta2-15/+8
2012-05-31Utilize attribute exclusion in LDAP initgroupsJan Zeleny1-3/+33
Previous patch added the possibility to exclude some attributes from a map when building an attribute list to be sent to server. The original reason for this functionality is the code handling LDAP initgroups. In this code, there is no need to fetch members of groups in question. This can save some performance since the list of members can be pretty long in some cases. This case apllies only to RFC2307 and generic RFC2307bis, it doesn't apply for IPA schema.
2012-05-31Add support for filtering atributesJan Zeleny17-41/+70
This patch adds support for filtering attributes when constructing attribute list from a map for LDAP query.
2012-05-31SSH: Update sss_ssh_knownhostsproxy manual pageJan Cholasta1-1/+1
Don't use GlobalKnownHostsFile2 in ssh_config, as it has been deprecated in OpenSSH 5.9.
2012-05-31added DEBUG messages to krb5_child and ldap_childNick Guay2-3/+19
2012-05-31SSSDConfig: Make default config and schema file locations configurableStephen Gallagher2-7/+7
https://fedorahosted.org/sssd/ticket/1008
2012-05-31SSSDConfig: Make SSSDConfig a packageStephen Gallagher4-5/+1
We were polluting the primary Python space with several dependencies. We will now install them their own directory/module.
2012-05-31Ghost members - various small changesJan Zeleny3-3/+3
2012-05-31Ghost members - modified sss_groupshowJan Zeleny1-4/+40
2012-05-31Ghost members - removed sdap_check_aliases()Jan Zeleny4-127/+0
This function is no longer necessary because we don't have fake user entries any more. The original purpose of this function was to check if there are fake user entries for particular user and, if yes, to update its membership.
2012-05-31Ghost members - NSS responder changesJan Zeleny1-89/+147
Since there are two attributes storing information about user memberships of the group we have to include both of them in results. This will apply only for objects that have ghost members (i.e. they contain the SYSDB_GHOST attribute). If an object has this attribute, values of this attribute are not projected to the memberuid attribute.
2012-05-31Ghost members - sysdb upgrade routineJan Zeleny3-1/+157
It is remotely possible to have sysdb in an inconsistent state that might need upgrade. Consider scenario when user asks for group information. Some fake users are added as a part of this operation. Before users can be fully resolved and stored properly, SSSD is shut down and upgrade is performed. In this case we need to go over all fake user records (uidNumber=0) and replace each of them with ghost record in all group objects that are stated in its memberof attribute.
2012-05-31Ghost members - modifications in memberof pluginJan Zeleny1-6/+41
2012-05-31Ghost members - modifications in sysdbJan Zeleny2-80/+153
Deleted sysdb_add_fake_user(): This function is no longer used. Modified sysdb_add_user(): When user object is added to sysdb, it is important to iterate over all groups that might have its name or any of its aliases as ghost member and replace this ghost membership by a real one. This will eliminate duplicite memberships.
2012-05-31Ghost members - support in proxy providerJan Zeleny1-6/+8
2012-05-31Ghost members - support in LDAP providerJan Zeleny1-186/+286
The original approach was to store name and original DN in an object in sysdb. When later referenced as member of a group, it was retrieved by its original DN and the correct information about its sysdb DN was stored in the group object which referenced it. The new approach doesn't use fake user objects, therefore this information has to be reached differently when constructing group memberships. The approach is to store all users to a hash table where original DN is used as the key and username as value. When constructing group memberships, the name is retrieved from this hash table instead of sysdb. This hash table is constructed when retrieving user objects from LDAP server - if the user is not present in sysdb, it is automatically stored in the hash table. Another situation is for rfc2307. Because there is no nesting there, we can construct the SYSDB_GHOST attribute directly and therefore don't need a hash table of ghost users.
2012-05-31Ghost members - add the ghost attribute to sysdbJan Zeleny1-0/+2
2012-05-29Revert the client packet length, too, after reverting the packet protocolJakub Hrozek1-1/+1
2012-05-25NSS: Restore original protocol for getservbyportStephen Gallagher2-3/+4
When fixing an endianness bug, we changed the protocol unnecessarily.
2012-05-25Send 16bit protocol numbers from the sss_clientJakub Hrozek2-7/+8
https://fedorahosted.org/sssd/ticket/1348
2012-05-24NSS: Fix segfault when mmap cache cannot be initializedStephen Gallagher1-2/+2
2012-05-22Fixed issue in SELinux user mapsJan Zeleny1-0/+2
There was an issue when IPA provider didn't set PAM_SUCCESS when successfully finished loading SELinux user maps. This lead to the map not being read in the responder.
2012-05-22LDAP nested groups: Do not process callback with _post deep in the nested ↵Jakub Hrozek1-12/+10
structure https://fedorahosted.org/sssd/ticket/1343
2012-05-22Update translation sourcesStephen Gallagher10-41/+41
2012-05-22Warn to syslog when dereference requests failAriel Barria1-2/+2
2012-05-22KRB5: Avoid NULL-dereference with empty keytabStephen Gallagher1-7/+13
https://fedorahosted.org/sssd/ticket/1330
2012-05-22Simple implementation of Netscape password warning expiration controlJoshua Roys2-22/+82
2012-05-22Always use positional arguments in translatable stringsStephen Gallagher9-25/+25
https://fedorahosted.org/sssd/ticket/1336
2012-05-16NSS: Expire in-memory netgroup cache before the nowait timeoutStephen Gallagher1-1/+9
The fact that we were keeping it in memory for the full duration of the cache timeout meant that we would never reap the benefits of the midpoint cache refresh. https://fedorahosted.org/sssd/ticket/1340