summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)AuthorFilesLines
2013-03-20ldap: Fallback option for rfc2307 schemaSimo Sorce13-11/+227
Add option to fallback to fetch local users if rfc2307is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation. Ticket: https://fedorahosted.org/sssd/ticket/1020
2013-03-19Convert sdap_access to new error codesSimo Sorce7-480/+214
Also simplify sdap_access_send to avoid completely fake _send() routines.
2013-03-19Resolve GIDs in the simple access providerJakub Hrozek4-223/+915
Changes the simple access provider's interface to be asynchronous. When the simple access provider encounters a group that has gid, but no meaningful name, it attempts to resolve the name using the be_file_account_request function. Some providers (like the AD provider) might perform initgroups without resolving the group names. In order for the simple access provider to work correctly, we need to resolve the groups before performing the access check. In AD provider, the situation is even more tricky b/c the groups HAVE name, but their name attribute is set to SID and they are set as non-POSIX
2013-03-19Do not compile main() in DP if UNIT_TESTING is definedJakub Hrozek1-0/+2
The simple access provider unit tests now need to link against the Data Provider when they start using the be_file_account_request() function. But then we would start having conflicts as at least the main() functions would clash. If UNIT_TESTING is defined, then the data_provider_be.c module does not contain the main() function and can be linked against directly from another module that contains its own main() function
2013-03-19Add unit tests for simple access test by groupsJakub Hrozek1-31/+253
I realized that the current unit tests for the simple access provider only tested the user directives. To have a baseline and be able to detect new bugs in the upcoming patch, I implemented unit tests for the group lists, too.
2013-03-19Provide a be_get_account_info_send functionJakub Hrozek2-19/+144
In order to resolve group names in the simple access provider we need to contact the Data Provider in a generic fashion from the access provider. We can't call any particular implementation (like sdap_generic_send()) because we have no idea what kind of provider is configured as the id_provider. This patch splits introduces the be_file_account_request() function into the data_provider_be module and makes it public. A future patch should make the be_get_account_info function use the be_get_account_info_send function.
2013-03-19Make the SELinux refresh time configurable.Michal Zidek6-2/+24
Option ipa_selinux_refresh is added to basic ipa options.
2013-03-19Reuse cached SELinux mappings.Michal Zidek2-3/+29
Reuse cached SELinux maps when they are requested within time interval (in this patch it is hardcoded to be 5 seconds). https://fedorahosted.org/sssd/ticket/1744
2013-03-19Move SELinux processing to provider.Michal Zidek6-452/+393
The SELinux processing was distributed between provider and pam responder which resulted in hard to maintain code. This patch moves the logic to provider. IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because the provider also writes the content of selinux login file to disk (which was done by responder before). https://fedorahosted.org/sssd/ticket/1743
2013-03-19Removing unused declaration of functions and variable.Lukas Slebodnik4-15/+2
Variables dir_cc and file_cc are used in three modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, therefore should be declared with extern in krb5_utils.h.
2013-03-19Use common error facility instead of sdap_resultSimo Sorce11-355/+238
Simplifies and consolidates error reporting for ldap authentication paths. Adds 3 new error codes: ERR_CHPASS_DENIED - Used when password constraints deny password changes ERR_ACCOUNT_EXPIRED - Account is expired ERR_PASSWORD_EXPIRED - Password is expired
2013-03-18Decrease krb5_auth_timeout defaultOndrej Kos4-4/+4
https://fedorahosted.org/sssd/ticket/1738
2013-03-18Retry the correct service on krb5 child timeoutJakub Hrozek1-1/+1
2013-03-18Fix sss_client breakage.Lukas Slebodnik5-5/+50
Adding missing dependencies for linker. Missing dependency was introduced by commit 22d381367c27910fe82f476a76b9f4ede555e35a in changed file src/sss_client/nss_mc_common.c All function declaration for io.c was moved from util.h to separate file io.h, https://fedorahosted.org/sssd/ticket/1838
2013-03-18Fix coverity issue 13136Ondrej Kos1-0/+1
https://fedorahosted.org/sssd/ticket/1811
2013-03-13Fix initialization of multiple variablesOndrej Kos7-9/+8
2013-03-13Removing unused header file providers.hLukas Slebodnik2-175/+0
Header file "providers.h" is not included in any other file and function "dp_process_init" declared in this header file has no implementation. Header file protos.h is not also included in any other file and even hole content is commented out.
2013-03-13More generalized function open_debug_file_ex()Lukas Slebodnik4-15/+9
Function open_debug_file_ex() set flag FD_CLOEXEC to opened file according to the value of third parameter. Removed duplicity of unsetting FD_CLOEXEC after calling function open_debug_file_ex()
2013-03-13Reuse sss_open_cloexec at other places in code.Lukas Slebodnik4-83/+99
Functions open_cloexec and openat_cloexec were renamed with prefix "sss_" and moved to separete file. Replacing duplicated code of function sss_open_cloexec everywhere in the source code. https://fedorahosted.org/sssd/ticket/1794
2013-03-13krb5-utils-tests: remove invalid conditionPavel Březina1-2/+0
This condition is invalid because different_realm is not set, when EINVAL is returned. It can make the test fail sometimes.
2013-03-13fix segfault in nss responder unit testPavel Březina1-1/+1
https://fedorahosted.org/sssd/ticket/1833 state is expected to be a pointer
2013-03-08CMocka based test for the NSS responderJakub Hrozek4-0/+767
2013-03-08Move sss_cmd_execute from client to responder code.Jakub Hrozek3-7/+15
I think it logically belongs there and allows to better exercise the responder commands from unit tests.
2013-03-08Add utility functions for tests that use sysdb or tevent.Jakub Hrozek3-0/+267
There was shared code for several unit tests that connected to their own sysdb instance. This patch adds common code to run a generic request to completion or connect to a test sysdb.
2013-03-08Detect the presence of libcmocka during configureJakub Hrozek1-0/+19
2013-03-08Add support for krb5 1.11's responder callback.Nathaniel McCallum6-1/+236
krb5 1.11 adds support for a new method for responding to structured data queries. This method, called the responder, provides an alternative to the prompter interface. This patch adds support for this method. It takes the password and provides it via a responder instead of the prompter. In the case of OTP authentication, it also disables the caching of credentials (since the credentials are one-time only).
2013-03-07Debug message in sss_mc_create_file.Michal Zidek1-0/+5
This patch adds debug message for the case if sssd fails to open old mc file for some other reason than the file does not exist.
2013-03-07File descriptor leak in nss responder.Michal Zidek1-18/+43
File descriptors leaked every time sss_mmap_cache_reinit was called and also the old memory cache was still maped in memory (munmap was not called). This patch adds destructor for memory cache context to call close() and munmap() automaticly. https://fedorahosted.org/sssd/ticket/1826
2013-03-07Removing unused parameter type from sudosrv_get_sudorules_query_cache()Lukas Slebodnik1-6/+4
https://fedorahosted.org/sssd/ticket/1825
2013-03-07Fixed typo in debug message.Lukas Slebodnik1-3/+5
C compiler did not complain, because "index" is function defined in header file <string.h>
2013-03-06Updated Doxygen configuration to 1.8.1Thorsten Scherf4-536/+1912
https://fedorahosted.org/sssd/ticket/1819
2013-03-05Improve IS_SSSD_ERROR() macroSimo Sorce1-2/+2
We need to mask the first part with 0xFFFF or there is a slight chance an unrelated error code would match even if the upper part is not exactly equal to ERR_BASE but just has all it's bits and some more. Also make the macro more reasable by adding another helper macro for filtering the base. Finally compare err and ERR_LAST directly w/o masking err, or the comparison will always return true.
2013-03-05Remove the alt_db_path parameter of sysdb_initMichal Zidek5-14/+5
This parameter was never used. https://fedorahosted.org/sssd/ticket/1765
2013-03-05Check the return value of sysdb_search_servicesJakub Hrozek1-0/+6
2013-03-04Use the same dbg level for all ncache hits.Michal Zidek2-21/+28
We used different debug levels for messages informing about negative cache hits (old levels 2,3,4). Now it is only SSSDBG_TRACE_FUNC (same level is used in nsssrv_services.c and proposed in the ticket bellow). https://fedorahosted.org/sssd/ticket/1771
2013-03-04Cleanup error message handling for krb5 childSimo Sorce4-297/+251
Use the new internal SSSD errors, to simplify error handling. Instead of using up to 3 different error types (system, krb5 and pam_status), collapse all error reporting into one error type mapped on errno_t. The returned error can contain either SSSD internal errors, kerberos errors or system errors, they all use different number spaces so there is no overlap and they can be safely merged. This means that errors being sent from the child to the parent are not pam status error messages anymore. The callers have been changed to properly deal with that. Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from the krb5_child for kerberos errors as all it was doing was simply to make the parent emit the same debug log already emitted by the child, and the code is simpler if we do not do that.
2013-03-04Return ERR_INTERNAL instead of EIOSimo Sorce1-1/+1
EIO has always been an odd match, but was used as an error to indicate that something had gone wrong internally before we had specific SSSD errors available. Use ERR_INTERNAL instead going forward.
2013-03-04Use SSSD specific errors for offline authSimo Sorce6-25/+42
This prevents reportin false errors when internal functions return a generic EINVAL or EACCES that should just be treated as internal errors.
2013-03-04Add SSSD specific error codes and definitionsSimo Sorce3-7/+117
This code adds a new range of error codes specific to SSSD, It also provides helper functions to print out error defintions like you can do with system error messages and the strerror() function. The sss_strerror() function can accept both the new sssd errors and system errno_t errors falling back to the system strerror() if the error code provide is not a valid SSSD error code.
2013-03-04Improved readability of get_next_domain()Lukas Slebodnik1-2/+2
https://fedorahosted.org/sssd/ticket/1812
2013-03-04krb5_child: fix value type and initializationOndrej Kos1-1/+2
ret was defined as integer, instead of errno_t, and was uninitialized
2013-03-04Use the correct memory context in be_req_createJakub Hrozek1-1/+1
2013-03-04Remove unused functionsJakub Hrozek4-36/+0
2013-03-01Don't treat 0 as default for pam_pwd_expiration warningJakub Hrozek1-1/+2
2013-03-01Revert "Add debug message to autofs client"Jakub Hrozek1-3/+0
This reverts commit 30c76633788c498b7d34e7e5944a3d36f26ec2db.
2013-03-01autofs: fix invalid header 'number of entries' in packetPavel Březina1-1/+5
https://fedorahosted.org/sssd/ticket/1739 Pointer to packet body may change while filling packet with autofs mount points. As a consequence, we sometimes wrote the number of entries into invalid body and we recieved an arbitrary number on the client side. If the number was 0, there were some skipped entries. If the number was greater than 0, everything worked correctly, because we iterate through the cached entries until we reach packet length - we don't compare to the number.
2013-03-01Add debug message to autofs clientPavel Březina1-0/+3
2013-02-28Refactor krb5 childSimo Sorce1-288/+210
The aim of this refactoring is to make the code readable and understandable. This code has grown organically over time and has becomed confused and baroque enough that understanding it's very simple flow had become very complex for the uninitiated. Complex flows easily hide nasty bugs. Improvements: - Remove dead/unused data storage - Fix and simplify talloc hierarchy, use a memory context (kr) for the whole code and allocate kr->pd where it is filled up. - Rename some functions to create a better name space (easier for searching fucntions across the tree) - Streamline setup function, by spliting out fast setup in a subroutine. - Avoid confusing indirection in executng actual functions by not using the krb5_req child_req member. - Make main() flow s now simmetric, send abck data from the main function instead of delegating a reply to every inner function that implements a command. Now the flow is evident from the main function: 1. read request 2. setup data 3. execute command 4. send reply back
2013-02-28krb5_child style fixSimo Sorce1-11/+11
Use the standard 'done' label for exceptions.
2013-02-27sdap_fill_memberships: continue if a member is not foud in sysdbPavel Březina1-3/+7
https://fedorahosted.org/sssd/ticket/1755 sdap_find_entry_by_origDN() may return ENOENT in these non-error scenarios: If a member is out of scope of configured nesting level, sssd produces few noise lines indicating failure. The worse case is when a member is outside of configured search bases. In this case we save the group with incomplete membership,