Age | Commit message (Collapse) | Author | Files | Lines |
|
https://fedorahosted.org/sssd/ticket/1795
Only alpha-numeric chars, dashes and underscores are allowed in
krb5 include directory.
|
|
|
|
Otherwise dom may be set to NULL and we will segfault when
dereferencing dom.
|
|
https://fedorahosted.org/sssd/ticket/1804
|
|
The default authtok type in the LDAP provider (unlike the new IPA and AD
providers) is "password". This oddity dates back to when password was
the only supported authtok type in the SSSD, so configuration specifying
only the password and bind DN was valid.
We need to check the authtok validity as well before attempting to use
it.
|
|
krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11
includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info".
Do the same in the SSSD to allow compiling with both 1.10 and 1.11.
|
|
Fixes https://fedorahosted.org/sssd/ticket/1766
|
|
Remove code that tries to get the 'right' sysdb, as it is always going
to get the same answer anyway since the recent patches to rework the
domains/sysdb relationship.
|
|
- Use a double-linked list for domains and subdomains.
- Never remove a subdomain, simply mark it as disabled if it becomes
unused.
- Rework the way subdomains are refreshed.
Now sysdb_update_subdomains() actually updates the current subdomains
and marks as disabled the ones not found in the sysdb or add new ones
found. It never removes them.
Removal of missing domains from sysdb is deferred to the providers,
which will perform it at refresh time, for the ipa provider that is
done by ipa_subdomains_write_mappings() now.
sysdb_update_subdomains() is then used to update the memory hierarchy
of the subdomains.
- Removes sysdb_get_subdomains()
- Removes copy_subdomain()
- Add sysdb_subdomain_delete()
|
|
|
|
Use this function instead of explicitly calling domain->next
This function allows to get the next primary domain or to descend into the
subdomains and replaces also get_next_dom_or_subdom()
|
|
struct sss_domain_info is always used to represent domains now.
Adjust tests accordingly.
|
|
Replaces sysdb_add_subdomain_attributes and is a public sysdb interface.
|
|
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1805
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1512
If directory where a ccache file was stored was missing and user
was still logged in, we erroneously considered the ccache file
still active. Thus the ccache file was not recreated and user was
unable to login.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1763
|
|
Found by coverity.
https://fedorahosted.org/sssd/ticket/1791
|
|
https://fedorahosted.org/sssd/ticket/1783
When dn in member attribute is invalid (e.g. rdn instead of dn)
or it is outside of configured search bases, we might hit a situation
when tevent_req is marked as done before any callback could be
attached on it.
|
|
Provides compatible declarations for modern file management functions
such as futimens or opening with the O_CLOEXEC flag
|
|
intensive
https://fedorahosted.org/sssd/ticket/1732
|
|
Found by coverity.
https://fedorahosted.org/sssd/ticket/1790
|
|
|
|
|
|
When creating a home directory, the destination tree can be modified in
various ways while it is being constructed because directory permissions
are set before populating the directory. This can lead to file creation
and permission changes outside the target directory tree, using hard links.
This security problem was assigned CVE-2013-0219
https://fedorahosted.org/sssd/ticket/1782
|
|
The removal of a home directory is sensitive to concurrent modification
of the directory tree being removed and can unlink files outside the
directory tree.
This security issue was assigned CVE-2013-0219
https://fedorahosted.org/sssd/ticket/1782
|
|
SSH requests.
This fixes CVE-2013-0220.
https://fedorahosted.org/sssd/ticket/1781
|
|
https://fedorahosted.org/sssd/ticket/1779
2^32 should be enough to store sudo rules. size_t type was causing
troubles on big endian architectures, because it wasn't used
correctly in combination with D-Bus.
|
|
When read from the domain section, the pwd_expiration_warning was
properly converted to seconds from days, but not the
pam_pwd_expiration_warning set in the [pam] section.
https://fedorahosted.org/sssd/ticket/1773
|
|
https://fedorahosted.org/sssd/ticket/1776
Although cb->list got updated when the callback is removed,
this change did not propagate to be_ctx->*_cb_list which
caused dlist having invalid records.
|
|
|
|
|
|
In preparation for making struct be_req opaque.
|
|
In preparation for making be_req opaque
|
|
|
|
Call it everywhere instead of directly dereferencing be_req->fn
This is in preparation of making be_req opaque.
|
|
|
|
|
|
Need to split out the function or new additions to the handler funtion will not
allow simple access tests to compile anymore.
|
|
|
|
|
|
|
|
|