| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
https://fedorahosted.org/sssd/ticket/1557
Some lookups should be performed from GC only -- for example trusted
users are only present in the Global Catalog, while some lookups should
be performed from LDAP only as not all objects or attributes are
replicated to Global Catalog.
This patch adds a generic failover mechanism for identity lookups in the
AD provider that allows to choose the appropriate source and even fail over
to the other source if available.
|
|
When fixed host names of AD servers are configured in the config file,
we can't know (unlike when service discovery is at play) if the servers
are Global Catalogs or not. This patch adds a private data to servers
read from the config file that denote whether the server can be tried
for contacting the Global Catalog port or just LDAP. The GC or LDAP URIs
are generated based on contents of this private data structure.
Because SSSD sticks to a working server, we don't have to disable or
remove the faulty GC servers from the list.
|
|
As the subdomains are MPG domains, we don't want to store a separate GID
for the subdomain users, but rather just create a UPG.
|
|
Move the part of sdap_save_user into a separate function so that it can
be special cased an only called for users in primary domains, not
subdomain users.
|
|
Because the NSS responder expects the name attribute to contain FQDN,
we must save the name as FQDN in the LDAP provider if the domain we save
to is a subdomain.
|
|
This function will be used later to fill the sdap_domain structures with
search bases.
|
|
Instead of copying a block of code that checks whether domain is a subdomain
and uses only name of FQDN as appropriate, wrap the logic into a function.
|
|
The utility function will be reused to guess search base from the base
DN of AD trusted domains.
|
|
By default, the LDAP searches delete the entry from cache if it wasn't
found during a search. But if a search wants to try both Global Catalog
and LDAP, for example, it might be beneficial to have an option to only
delete the entry from cache after the last operation fails to prevent
unnecessary memberof operations for example.
|
|
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain.
|
|
Instead of using the default connection from the sdap_id_ctx, allow the
caller to specify which connection shall be used for this particular
request. Again, no functional change is present in this patch, just
another parameter is added.
|
|
The sdap account handler was a function with its own private callback
that directly called the back end handlers. This patch refactors the
handler into a new tevent request that the current sdap handler calls.
This refactoring would allow the caller to specify a custom sdap
connection for use by the handler and optionally retry the same request
with another connection inside a single per-provider handler.
No functional changes are present in this patch.
|
|
With some LDAP server implementations, one server might provide
different "views" of the identites on different ports. One example is
the Active Directory Global catalog. The provider would contact
different view depending on which operation it is performing and against
which SSSD domain.
At the same time, these views run on the same server, which means the same
server options, enumeration, cleanup or Kerberos service should be used.
So instead of using several different failover ports or several
instances of sdap_id_ctx, this patch introduces a new "struct
sdap_id_conn_ctx" that contains the connection cache to the particular
view and an instance of "struct sdap_options" that contains the URI.
No functional changes are present in this patch, currently all providers
use a single connection. Multiple connections will be used later in the
upcoming patches.
|
|
Instead of using boolean variables to denote whether the call is adding
a primary or a secondary server, use a function wrapper that tells what
it's doing by its name.
|
|
|
|
Currently while doing a Kerberos based authentication the PAC was only
send to the PAC responder for principals from a different realm. This
reflects the FreeIPA use case of users from trusted domains.
This restriction does not make sense anymore when the data from the PAC
should be used for the AD provider as well. It also makes only limited
sense for the IPA use case, because when using GSSAPI the PAC of users
from the local IPA domain are already evaluated by the PAC responder.
|
|
users_get_recv() never returns ENOENT. In general it should return EOK
in the case no matching user was found. But since I forget to handle a
SID based filter properly in sdap_get_users_process() an error is
returned in this case which makes get_user_and_group_users_done() work
as expected with this patch.
There is an upcoming enhancement to users_get_recv() which I'm planning
to use for a full fix.
|
|
This patch modifies the PAC responder so that it can be used with the AD
provider as well. The main difference is that the POSIX UIDs and GIDs
are now lookup up with the help of the SID instead of being calculated
algorithmically. This was necessary because the AD provider allows
either algorithmic mapping or reading the value from attributes stored
in AD.
Fixes https://fedorahosted.org/sssd/ticket/1558
|
|
|
|
It does not make much sense to run multiple get_subdomains request in
parallel because all requests will load the same information from the
server. The IPA and AD provider already implement a short timeout to
avoid the multiple requests are running to fast after each other. But if
the timeout is over chances are that if two or more request come in fast
the first request cannot update the timeout and request will run in
parallel. To avoid this the requests are queued and send one after the
other to the provider.
|
|
For some backend targets it might be not desirable to run requests in
parallel but to serialize them. To avoid that each provider has to
implement a queue for this target this patch implements a generic queue
which collects incoming requests before they are send to the target.
|
|
To make sure that e.g. the short/NetBIOS domain name is available this
patch make sure that the responders send a get_domains request to their
backends at startup the collect the domain information or read it from
the cache if the backend is offline.
For completeness I added this to all responders even if they do not need
the information at the moment.
Fixes https://fedorahosted.org/sssd/ticket/1951
|
|
https://fedorahosted.org/sssd/ticket/1929
|
|
In contrast to MIT KDCs AD does not automatically canonicalize the
enterprise principal in an AS request but requires the canonicalize
flags to be set. To be on the safe side we always enable
canonicalization if enterprise principals are used.
|
|
https://fedorahosted.org/sssd/ticket/1950
|
|
https://fedorahosted.org/sssd/ticket/1924
|
|
|
|
https://fedorahosted.org/sssd/ticket/1648
Adds another expansion in the printf format that allows the user to use
the domain flat name in the format.
|
|
Adds a sanity check of the fqname pattern. Fails if the username pattern
is not specified at all and warns if the domain pattern is not
specified.
|
|
Instead of using printf-like functions directly, provide two wrappers
that would encapsulate formatting the fully-qualified names. No
functional change is present in this patch.
|
|
Empty directory tests_path is removed in function test_dom_suite_cleanup.
Function test_dom_suite_cleanup is reused in other tests.
|
|
--removed duplicated test-io
--reusing library libsss_test_common in other tests
--cmocka test sss_nss_idmap-tests was moved to cmocka dir
--moved leak_check.c to libsss_test_common
--moved common_tev.c,common_dom.c to libsss_test_common
(leak_check.c,common_tev.c,common_dom.c) are test framework independent
|
|
|
|
|
|
|
|
|
|
The dyndns init function was starting the timer even if the updates were
set to False. This patch splits the init of dynamic updates and the
timer into two functions so that the back end can start the updates
separately from reading the options.
|
|
https://fedorahosted.org/sssd/ticket/1930
On misconfigured id-mapping range variables, the provider should not
start. We were internally correctly setting error code for failure, but
interruption of startup was not performed.
Also raised the debug level of message for this misconfiguration.
|
|
The patch adds support for BE_REQ_BY_SECID and BE_REQ_USER_AND_GROUP to
the LDAP provider. Since the AD and the IPA provider use the same code
they support those request now as well.
Besides allowing that users and groups can be searched by the SID as
well the new request allows to search users and groups in one run, i.e.
if there is not user matching the search criteria groups are searched as
well.
|
|
To allow mapping of SIDs to names or POSIX IDs and back the related
attributes must be read from the FreeIPA directory server.
|
|
This patch add a basic check if the SID returned by the LDAP server is
in a string representation. If not it is assumed that a binary SID was
returned by the LDAP server which is converted into a string
representation which is returned to the caller.
|
|
Because we now always want to store SIDs in the IPA provider, we also need
to always initialize the ID mapping context.
|
|
realmd needs to be able to tag various domains with basic info
when it configures a domain.
|
|
It was mentioned in the manpages, but not accepted by the API
|
|
This commit adds new option ldap_disable_range_retrieval with default value
FALSE. If this option is enabled, large groups(>1500) will not be retrieved and
behaviour will be similar like was before commit ae8d047122c
"LDAP: Handle very large Active Directory groups"
https://fedorahosted.org/sssd/ticket/1823
|
|
This patch remove unused functions sdap_parse_user and sdap_parse_group
|
|
The current PySequence_Check() also catches single strings with the
effect that the string is split into characters which are send as
arguments to SSSD individually.
With this patch only tuples and lists are treated as sequences.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1785
nscd.conf file is now checked for the presence of caching settings for
databases controlled by SSSD. Syslog warning is now written only if NSCD
is running with interfering configuration or if configuration file
couldn't be loaded.
New configure option added to support non-standard locations
--with-nscd-conf=PATH (defaultly set to /etc/nscd.conf)
This is just a workaround until the following bugzilla is resolved:
https://bugzilla.redhat.com/show_bug.cgi?id=963908
|
|
Preparation for the following patch which will include the nscd.c in the
monitor code due to newly introduced function for checking the nscd
configuration file.
|
