summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)AuthorFilesLines
2010-04-08SELinux login managementJakub Hrozek11-0/+434
Adds a new option -Z to sss_useradd and sss_usermod. This option allows user to specify the SELinux login context for the user. On deleting the user with sss_userdel, the login mapping is deleted, so subsequent adding of the same user would result in the default login context unless -Z is specified again. MLS security is not supported as of this patch.
2010-04-08Move SELinux related functions into its own moduleJakub Hrozek4-60/+86
Fix whitespace errors
2010-04-07Adding Russion TranslationDmitry Drozdov2-0/+861
2010-04-06Protect against check-and-open race conditionsStephen Gallagher3-30/+79
There is a small window between running lstat() on a filename and opening it where it's possible for the file to have been modified. We were protecting against this by saving the stat data from the original file and verifying that it was the same file (by device and inode) when we opened it again, but this is an imperfect solution, as it is still possible for an attacker to modify the permissions during this window. It is much better to simply open the file and test on the active file descriptor. Resolves https://fedorahosted.org/sssd/ticket/425 incidentally, as without the initial lstat, we are implicitly accepting symlinks and only verifying the target file.
2010-04-06Make sss_userdel check for logged in usersJakub Hrozek3-3/+154
sss_userdel now warns if the deleted user was logged in at the time of deletion. Also adds a new parameter --kick to userdel that kills all user processes before actually deleting ther user. Fixes: #229
2010-04-06Add userdel_cmd paramJakub Hrozek6-0/+104
Fixes: #231
2010-03-31Do not revert options to defaults in SSSDConfig.get_domain()Stephen Gallagher1-1/+1
There was a faulty check in get_domain() that led to the *_provider options being re-added, sometimes after options related to them had already been set. If those options had a default value, they would be overwritten by the default. Fixes: https://fedorahosted.org/sssd/ticket/441
2010-03-31Add regression test for https://fedorahosted.org/sssd/ticket/441Stephen Gallagher2-0/+6
2010-03-31Fix typo in ldap_id_use_start_tls option descriptionStephen Gallagher1-1/+1
2010-03-25Allow arbitrary-length PAM messagesStephen Gallagher7-43/+55
The PAM standard allows for messages of any length to be returned to the client. We were discarding all messages of length greater than 255. This patch dynamically allocates the message buffers so we can pass the complete message. This resolves https://fedorahosted.org/sssd/ticket/432
2010-03-25Add a test for domain_to_basedn()Sumit Bose1-0/+47
2010-03-25Fix LDAP search paths for IPA HBACSumit Bose6-43/+84
- use domain_to_basedn() to construct LDAP search paths for IPA HBAC - move domain_to_basedn() to a separate file to simplify the build of a test
2010-03-25Add krb5_kpasswd to IPA providerEugene Indenbom2-2/+3
The krb5 options were out of sync, causing a runtime abort.
2010-03-25Regression test against RHBZ #576856Jakub Hrozek3-5/+7
2010-03-25Allow running with read only rootJakub Hrozek2-1/+2
Packages /etc/rwtab.d/sssd file that allows SSSD to run on a read-only root filesystem. Fixes: #428
2010-03-25Fix warnings from -Wmissing-field-initializersSumit Bose7-26/+28
This patch removes some tab-indentations from pamsrv.c, too.
2010-03-25Set LDAP_OPT_RESTART for ldap_sasl_interactive_bind_s()Sumit Bose1-0/+7
This option is needed for the rare case where a poll() call during ldap_sasl_interactive_bind_s() is interrupted by a signal. LDAP_OPT_RESTART enables the handling of the EINTR error instead of returning an error.
2010-03-25Fix kinit after password changeSumit Bose1-2/+6
In an environment with slave KDCs and a central server where password changes are allowed the request for a new TGT immediately after the password change should be made against this server, because the slave server might not know the new password. To achieve this the Kerberos localtor plugin now returns the address of the kpasswd server as master_kdc.
2010-03-22Update zh_TW translationCheng-Chia Tseng1-69/+101
2010-03-22Improvements for LDAP Password Policy supportRalf Haferkamp6-20/+201
Display warnings about remaining grace logins and password expiration to the user, when LDAP Password Policies are used. Improved detection if LDAP Password policies are supported by LDAP Server.
2010-03-22Ensure the SSSDConfig creates sssd.conf with the correct modeStephen Gallagher2-4/+87
2010-03-22Lower debug level of unexpected LDAP result codesSumit Bose1-0/+5
2010-03-22Add generic error messageJakub Hrozek1-0/+4
2010-03-22Fix config file error messageJakub Hrozek2-2/+2
2010-03-19Fix multiple errors with destructors.Simo Sorce1-2/+22
This commits cleans up 3 segfaults/valgrind errors due to access to freed memory. 1. The spy wasn't clearing conn_spy causing the svc_destructor to try to clear the spy destructor when the spy was already freed 2. get_config_service was not setting the svc_destrcutor on services depending on the orderof frees at exit this was causing the spy destructor to try to access freed memory because it was not neutralized when the service was freed. 3. at exit the mt_ctx could be freed before services causing the svc_destrcutor to try to access freed memory when removing the service from the service list in the monitor context.
2010-03-19Fix invalid read cause by premature free of tmpctxSimo Sorce1-13/+10
2010-03-18Add translated help text for ldap_tls_cacertdirStephen Gallagher1-1/+2
2010-03-18Add missing ldap_tls_cacertdir option to SSSDConfig APIStephen Gallagher1-0/+1
2010-03-18Update PT translationRui Gouveia1-8/+8
2010-03-18Fix error message for ldap_start_tlsStephen Gallagher1-1/+1
2010-03-17Fix a series of memory leaks in the SBUSStephen Gallagher5-17/+30
2010-03-17Add UK translationYuri Chornoivan2-0/+877
2010-03-17use logfiles for debug messagesRalf Haferkamp1-1/+1
2010-03-17Fixes for client communicationSumit Bose2-9/+17
- catch all errors of send() and recv(), not only EAGAIN - check if send() or recv() return EWOULDBLOCK or EINTR - remove unused parameter from client_send() and client_recv() - fix a debugging message
2010-03-15Fixed buffer alignment in exchange_credentials().George McCollister2-8/+16
buf needs to be 32 bit aligned on ARM. Also made the fix on the server side. Signed-off-by: George McCollister <George.McCollister@gmail.com>
2010-03-15Fix segfault in the locator pluginJakub Hrozek1-25/+26
2010-03-15Updating PT translation for 1.1.0Rui Gouveia1-0/+5
2010-03-15Updating ES translation for 1.1.0Héctor Daniel Cabrera1-2/+7
2010-03-15Updating PL translation for 1.1.0Piotr Drąg1-2/+6
2010-03-15Properly handle dbus send attempts on a closed connectionStephen Gallagher7-133/+109
dbus_connection_send_with_reply() will report success and return a NULL pending_reply when the connection is not open for communication. This patch creates a new wrapper around dbus_connection_send_with_reply() to properly detect this condition and report it as an error.
2010-03-15Updating translation files for string freeze.Stephen Gallagher12-24/+72
2010-03-15Prompt for old password even when running as rootRalf Haferkamp1-2/+4
When changing an expired password (during e.g. login) the PAM module needs to prompt for the old password even when running as root.
2010-03-15Warn user about an expired passwordRalf Haferkamp1-1/+6
2010-03-15Fixed authentication check for CHAUTHTOK_PRELIMRalf Haferkamp1-1/+1
When changing passwords, treat SDAP_AUTH_PW_EXPIRED as a successful authentication in SSS_PAM_CHAUTHTOK_PRELIM.
2010-03-15Fixed check for expired passwordsRalf Haferkamp1-2/+4
When the user's password is expired it might also be indicated by the bind operation returning "INVALID_CREDENTIALS" with the ppolicy control's errorcode set to "PP_passwordExpired".
2010-03-15Updating zh_TW translationCheng-Chia Tseng1-144/+165
2010-03-15Update translations for string freezeStephen Gallagher12-577/+697
2010-03-15Remove unused M4 codeJakub Hrozek1-14/+0
2010-03-15Flush NSCD cache after modifying local databaseJakub Hrozek9-1/+153
Fixes: #221
2010-03-12Add krb5_kpasswd optionSumit Bose12-71/+373