| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
https://fedorahosted.org/sssd/ticket/1689
Add a online callback if the first full refresh fails due to the
provider beeing offline so we can perform the refresh as soon as
possible.
|
|
https://fedorahosted.org/sssd/ticket/1689
If the first full refresh of sudo rules fails because the data provider
is offline, we will schedule another one in 2, 4, ... minutes.
|
|
https://fedorahosted.org/sssd/ticket/1689
|
|
Reduces amount of code duplication.
|
|
https://fedorahosted.org/sssd/ticket/1679
The problem is when we are about to reset the server status, we don't
get through the timeout (30 seconds) because the "switch to primary
server" task is scheduled 30 seconds after fall back to a backup
server. Thus the server status remains "not working" and is resetted
after another 30 seconds.
We need to make sure that the server status is tried after the
timeout period. retry_timeout is currently hardcoded to 30, thus
the change in man page.
|
|
https://fedorahosted.org/sssd/ticket/1706
|
|
https://fedorahosted.org/sssd/ticket/1708
The services kept the fd to /var/log/sssd/sssd.log open. I don't think
there's any point in keeping the logfiles open after exec-ing for the
child, so I set the CLOEXEC flag.
|
|
src/ldb_modules/memberof.c: In function ‘mbof_get_ghost_from_parent_cb’:
src/ldb_modules/memberof.c:3085: warning: declaration of ‘dup’ shadows a global declaration
/usr/include/unistd.h:528: warning: shadowed declaration is here
src/ldb_modules/memberof.c: In function ‘mbof_inherited_mod’:
src/ldb_modules/memberof.c:3253: warning: declaration of ‘dup’ shadows a global declaration
/usr/include/unistd.h:528: warning: shadowed declaration is here
src/ldb_modules/memberof.c: In function ‘mbof_fill_vals_array’:
src/ldb_modules/memberof.c:3786: warning: declaration of ‘index’ shadows a global declaration
/usr/include/string.h:489: warning: shadowed declaration is here
|
|
https://fedorahosted.org/sssd/ticket/1685
Properly react on deleting group which was not found in sysdb.
|
|
https://fedorahosted.org/sssd/ticket/1699
We want to continue with the next server on all errors, not only
on ETIMEDOUT.
This particullar ticket was dealing with ECONNREFUSED.
|
|
The pam responder was not properly configured to recover from a backend
disconnect. The connections that were in flight before the disconnection
were never freed and new requests for the same user would just pile up on
top of the now phantom requests.
Fixes: https://fedorahosted.org/sssd/ticket/1655
|
|
This is to allow to freely call mc functions even if initialization failed.
They will now gracefully fail instead of segfaulting.
|
|
https://fedorahosted.org/sssd/ticket/1710
|
|
https://fedorahosted.org/sssd/ticket/1712
The timestamp doesn't have to be in the form yyyymmddHHMMSSZ any
more. It can be in any form of generalized time format.
|
|
https://fedorahosted.org/sssd/ticket/1659
|
|
Functions nss_cmd_getXXnam remove entries from memory cache if
not found in sysdb cache of a local domain.
|
|
https://fedorahosted.org/sssd/ticket/1677
|
|
|
|
We have 2 places where we memcpy memory and need barriers protection.
Use a macro so we can consolidate code in one place.
Second fix for: https://fedorahosted.org/sssd/ticket/1694
|
|
We've been hitting situations where the sysdb conversion failed.
Unfortunately, the current code doesn't include enough debugging info to
pinpoint the failing entries. This patch adds more DEBUG statements for
each processed entry.
|
|
https://fedorahosted.org/sssd/ticket/1682
The problem was in following code:
if (ret != EOK || state->dp_error != DP_ERR_OK || state->error != EOK) {
tevent_req_error(req, ret);
return;
}
In situation when data provider error occurs (e.g. when offline),
ret == EOK but dp_error != DP_ERR_OK and we take the true branch.
This results in calling tevent_req_error(req, EOK).
Unfortunately, with EOK tevent_req_error only returns false, but
does not trigger callback and this tevent request hangs forever,
because no tevent_req_done(req) is called.
|
|
https://fedorahosted.org/sssd/ticket/1704
The function is short enough so that we can simply stick with return and
release resources before returning as appropriate.
|
|
expression
https://fedorahosted.org/sssd/ticket/1690
|
|
https://fedorahosted.org/sssd/ticket/1703
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1680
There were two errors:
1. kr->kpasswd_srv was never set
2. bad service name (KERBEROS) was provided when setting port status,
thus the port status never changed
|
|
https://fedorahosted.org/sssd/ticket/1687
|
|
https://fedorahosted.org/sssd/ticket/1685
The PROXY provider wasn't storing credentials to negative cache due to
bad return value. This was delegated from attempt to delete these
credentials from local cache. Therefore ENOENT is replaced as EOK.
|
|
https://fedorahosted.org/sssd/ticket/1701
|
|
...and if sudo_timed = true.
https://fedorahosted.org/sssd/ticket/1688
A comma was missing in attribute list. This caused concatenation
of the two attributes so we requested one attribute called
"objectClasscn". This doesn't affect functionality, only debug
messages.
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1652
It is possible to simply reset the list of ghost users to a different one
during a modify operation. It is also actually how we update entries that
are expired in the SSSD cache.
In this case, we must be careful and retain the ghost users that are not
native to the group we are processing but are rather inherited from child
groups. The intention of the replace operation after all is to set the
list of direct members of that group, not direct and indirect.
|
|
Similar to the add and delete operation, we also need to propagate the
changes of the ghost user attribute to the parent groups so that if a
nested group updates memberships, its parents also get the membership
updated.
|
|
This new function will be reused by the modify operation later
|
|
This new function is going to be reused by the modify operation
|
|
This will allow to process ghost users in a similar fashion
|
|
https://fedorahosted.org/sssd/ticket/1668
The memberof plugin did only expand the ghost users attribute to
parents when adding a nested group, but didn't implement the reverse
operation.
This bug resulted in users being reported as group members even
after the direct parent went away as the expanded ghost attributes were
never removed from the parent entry.
When a ghost entry is removed from a group, all its parent groups are
expired from the cache by setting the expire timestamp to 1. Doing so
would force the SSSD to re-read the group next time it is requested in
order to make sure its members are really up-to-date.
|
|
https://fedorahosted.org/sssd/ticket/1695
|
|
Fixes https://fedorahosted.org/sssd/ticket/1694
|
|
This is used for the new calls back from the data provider.
|
|
This is needed in order to assure the memcache is properly and promptly
cleaned up if a user memberships change on login.
The list of the current groups for the user is sourced before it is
updated and sent to the NSS provider to verify if it has changed after
the update call has been made.
|
|
This set of functions enumerate the user's groups and invalidate them all
if the list does not matches what we get from the caller.
|
|
This set of functions enumerate each user/group from all domains
and invalidate any mmap cache record that matches.
|
|
These functions can be called from the nss responder to invalidate
records that have ceased to exist or that need to be refreshed the
first time an application needs them.
|
|
Avoids hardcoding magic numbers everywhere and self documents why a
mask is being applied.
|
|
In particular note that we merge ipa_account_info_netgroups_done()
and ipa_account_info_users_done() into a single fucntion called
ipa_account_info_done() that handles both cases
We also remove the auxiliary function ipa_account_info_complete() that
unnecessarily violates the tevent_req style and instead use a new function
named ipa_account_info_error_text() to generate error text.
|
