History log of /sssd-io/src/db/sysdb.h
Revision Date Author Comments
08db22b1b1a2e742edbca92e35087294d963adda 10-Apr-2018 Sumit Bose <sbose@redhat.com>

nss: add a netgroup counter to struct nss_enum_index Netgroups are not looked up with the help of a single request but by calling setnetgrent(), getnetgrent() and endnetgrent() where getnetgrent() might be called multiple times depending on the number of netgroup elements. Since the caller does not provide a state the state has to be maintained by the SSSD nss responder. Besides the netgroup name this is mainly the number of elements already returned. This number is used to select the next element to return and currently it is assumed that there are no changes to the netgroup while the client is requesting the individual elements. But if e.g. the 3 nss calls are not used correctly or the netgroup is modified while the client is sending getnetgrent() calls the stored number might be out of range. To be on the safe side the stored number should be always compared with the current number of netgroup elements. Related to https://pagure.io/SSSD/sssd/issue/3679 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

0e238c259c066cf997aaa940d33d6bda96c15925 27-Nov-2017 Sumit Bose <sbose@redhat.com>

sysdb: do not use objectClass for users and groups The majority of the objects in the SSSD cache are users and groups. If there are many users and groups in the cache the index objects of the objectclass attributes 'user' and 'group' become large because they must hold references to all objects of those object classes. As a result the management of these index objects becomes costly because they must be parsed and split apart quite often. Additionally they are mostly useless because users and groups are looked up by more specific attributes in general. Only when enumerating all users or groups this kind of index might be useful. There are two ways of removing this kind of index from the user and group objects. Either by removing objectClass from the list of indexes and adding a new attribute to all other types of objects we want an index for. Or by replacing objectClass with a different attribute for the user and group objects. After some testing I think the latter one is the more reliable one and implemented it in this patch. Related to https://pagure.io/SSSD/sssd/issue/3503 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sysdb.h sysdb_init.c sysdb_ops.c sysdb_search.c sysdb_upgrade.c /sssd-io/src/ldb_modules/memberof.c /sssd-io/src/providers/ad/ad_pac.c /sssd-io/src/providers/ipa/ipa_id.c /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd-io/src/providers/ipa/ipa_subdomains_id.c /sssd-io/src/providers/krb5/krb5_renew_tgt.c /sssd-io/src/providers/ldap/ldap_id_cleanup.c /sssd-io/src/providers/ldap/sdap_async_groups.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_async_initgroups_ad.c /sssd-io/src/providers/ldap/sdap_async_nested_groups.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_common.c /sssd-io/src/responder/ifp/ifp_cache.c /sssd-io/src/responder/ifp/ifp_groups.c /sssd-io/src/responder/ifp/ifp_users.c /sssd-io/src/responder/nss/nss_cmd.c /sssd-io/src/responder/nss/nss_protocol_grent.c /sssd-io/src/responder/nss/nss_protocol_sid.c /sssd-io/src/tests/cmocka/test_ad_common.c /sssd-io/src/tests/cmocka/test_ipa_subdomains_server.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tools/sssctl/sssctl_cache.c
e16539779668dacff868999bd59dbf33e3eab872 02-Nov-2017 Pavel Březina <pbrezina@redhat.com>

sysdb: add functions to get/set client site Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

f34a8330c1615511795847b0a1454249d782db2a 19-Oct-2017 Alexey Kamenskiy <alexey.kamenskiy@chinanetcloud.com>

LDAP: Add support for rhost access control This patch implements verification of pam_rhost against rules stored in LDAP entry of a user. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

e5c42c2630093d3020b3c4944cce1646325bc236 05-Sep-2017 Fabiano Fidêncio <fidencio@redhat.com>

SYSDB: Add sysdb_search_by_orig_dn() Three new methods have been added to sysdb's API in order to perform search by the orig dn (which is quite common in SSSD's code base). A common/base method called sysdb_search_by_orig_dn() is the most important one and then a few other helpers for searching users and groups directly. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

90fb7d3e61423ff1375e9f552f4b58e5173ad3d1 27-Jul-2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

SYSDB: Add sessionRecording attribute macro Add a macro for sessionRecording attribute to sysdb.h. To be used for storing a boolean attribute signifying if session recording is enabled for the user. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

77e5c3fc26085f18277a70ffbd6351a8130963e7 26-Jul-2017 Yuri Chornoivan <yurchor@ukr.net>

Fix minor typos Merges: https://pagure.io/SSSD/sssd/pull-request/3456 Reviewed-by: Michal Židek <mzidek@redhat.com>

41708e1e500e7cada3d3e606aa2b8b9869a5c734 15-Jun-2017 Fabiano Fidêncio <fidencio@redhat.com>

SYSDB: Introduce _search_{users,groups}_by_timestamp()

These new two sysdb methods are going to be used, at least for now, uniquely and exclusively in the cleanup task. The reason for adding those is that during the cleanup task a timestamp search is done in the persistent cache, which doesn't have the updated timestamps, returning then a wrong result that ends up in having all the users being removed from the cache. The persistent cache doesn't have its entries' timestamps updated because those are kept updated in the timestamp cache, therefore these new two methods end up doing:
- if the timestamp cache is present:
  - search for the entries solely in the timestamp cache;
  - get the needed attributes from these entries from the persistent cache;
- otherwise:
  - search for the entries in the persistent cache;
  - merge its results with timestamp cache's results;

Related: https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

fb81f337b68c85471c3f5140850dccf549a2d0ac 29-Mar-2017 Fabiano Fidêncio <fidencio@redhat.com>

IPA: Get ipaDomainsResolutionOrder from IPA ID View ipaDomainsResolutionOrder provides a list of domains that have to be looked up firstly during cache_req searches. This commit only fetches this list from the server and stores its value at sysdb so we can make use of it later on this patch series. There are no tests for newly introduced sysdb methods as those are basically only calling sysdb_update_domain_resolution_order(), sysdb_get_domain_resolution_order() and sysdb_get_use_domain_resolution_order() which have tests written for them. Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

3cbf0e7b63e8e6888917e9215bbdc5674c2fa852 29-Mar-2017 Fabiano Fidêncio <fidencio@redhat.com>

IPA: Get ipaDomainsResolutionOrder from ipaConfig ipaDomainsResolutionOrder provides a list of domains that have to be looked up firstly during cache_req searches. This commit only fetches this list from the server and stores its value at sysdb so we can make use of it later on this patch series. There are no tests for newly introduced sysdb methods as those are basically only calling sysdb_update_domain_resolution_order(), sysdb_get_domain_resolution_order() and sysdb_get_use_domain_resolution_order() which have tests written for them. Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

2e85b015d8dd231094a09eab69b86e8b6fcc8b2b 29-Mar-2017 Fabiano Fidêncio <fidencio@redhat.com>

SYSDB: Add methods to deal with the domain's resolution order In the following-up patches those newly introduced methods will be used to deal with the domainResolutionOrder attribute. The sysdb_update_domain_resolution_order() method is purposely not checking whether a value has changed or not before writing to sysdb and while it may not be optimal, the readability of the code has increased a lot by keeping it as simple as possible. Tests for these new methods are part of the next commit. Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

a63d74f65db2db7389cd373cb37adcdaaa2d56ea 29-Mar-2017 Michal Židek <mzidek@redhat.com>

SUBDOMAINS: Allow use_fully_qualified_names for subdomains Allow option use_fully_qualified_names in subdomain section. This option was recently added to subdomain_inherit. Resolves: https://pagure.io/SSSD/sssd/issue/3337 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

49f8ec8e0a3723a748bdb043d6dc1fb2a3977a8a 23-Mar-2017 Sumit Bose <sbose@redhat.com>

sysdb: add certmap related calls Add sysdb calls to write and read data for the certificate mapping library to the cache. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

81c564a0692aa4b719af2219f52894e6cd4bdf9f 23-Mar-2017 Sumit Bose <sbose@redhat.com>

LDAP: always store the certificate from the request Store the certificate used to lookup a user as mapped attribute in the cached user object. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

70c0648f021ded3d31313eb962e1ad140f242673 23-Mar-2017 Sumit Bose <sbose@redhat.com>

sdap_get_users_send(): new argument mapped_attrs mapped_attrs can be a list of sysdb_attrs which are not available on the server side but should be stored with the cached user entry. This is needed e.g. when the input to look up the user in LDAP is not an attribute which is stored in LDAP but some data where LDAP attributes are extracted from. The current use case is the certificate mapping library which can create LDAP search filters based on content of the certificate. To allow upcoming cache lookup to use the input directly it is stored in the user object in the cache. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

3994e8779d16db3e9fb30f03e5ecf5e811095ac2 23-Mar-2017 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_attrs_copy() Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

57a924e71230ea360b19a88e0d5818cf01017161 08-Mar-2017 Petr Čech <pcech@redhat.com>

sss_cache: User/groups invalidation in domain cache

When a group/users are invalidated from sss_cache, the group/user information in domain and timestamps cache are inconsistent with regard to dataExpireTimestamp attribute. This patch fixes the problem by explicitly invalidating the domain cache's entry when the timestamp cache entry is invalidated by sss_cache call.

There is one new function:
* sysdb_invalidate_cache_entry()
provided for this purpose and used only in sss_cache utility.

Resolves: https://fedorahosted.org/sssd/ticket/3164
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

afadeb1a530ff010a2f9a7552562576b843c874b 03-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: When searching for UPNs, search either the whole DB or only the given domain The search-by-UPN functions always searched for the whole domain. In some cases, the caller depends on the result coming from the domain specified by the 'domain' parameter. This is the case in the cache_req code at least. Even though it should be safe to just switch to always searching the whole domain, in order to allow us to examine the code carefully and test each codepath, let's introduce a boolean option to the search functions. Currently it defaults to false in all codepaths and as we test the individual ones, we can flip the option to true until we finally remove the option altogether. Reviewed-by: Sumit Bose <sbose@redhat.com>

3ee411625aee19afda7477bb10b52c3da378b6fb 08-Feb-2017 Petr Čech <pcech@redhat.com>

SYSDB: Removing of sysdb_try_to_find_expected_dn() Currently in order to match multiple LDAP search results we use two different functions - we have sysdb_try_to_find_expected_dn() but also sdap_object_in_domain(). This patch removes sysdb_try_to_find_expected_dn() and adds new sdap_search_initgr_user_in_batch() based on sdap_object_in_domain(). This function covers necessary logic. Resolves: https://fedorahosted.org/sssd/ticket/3230 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

8a4a2b87f51462ac22bf6db93927484841f098c6 23-Jan-2017 Lukas Slebodnik <lslebodn@redhat.com>

sysdb: Search also aliases in sysdb_search_object_by_name sysdb_search_object_by_name did not work well with a case insensitive domain. Resolves: https://fedorahosted.org/sssd/ticket/3284 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

2a2014d706478561e6f7dc938751bc224a93fee5 23-Jan-2017 Lukas Slebodnik <lslebodn@redhat.com>

SYSDB: Update filter for get object by id Resolves: https://fedorahosted.org/sssd/ticket/3283 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

3be2628d8aba6aeb99ac1484da990f1fad8169ec 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: add object by id This request returns either user or group object. Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

488518dde58724daa13b9216a0f1af6e0ba5401f 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: add object by name This request returns either user or group object. Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

24d8c85fae253f988165c112af208198cf48eef6 03-Nov-2016 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Augment sysdb_try_to_find_expected_dn to match search base as well

In cases where the domain name in sssd.conf does not match the AD domain, our previous matching process wouldn't match. This patch augments the matching as follows:
- the search base is known to sysdb_try_to_find_expected_dn and is expected to be non-NULL
- the existing matching is run first
- during the search base matching, all the non-DC components are stripped from the search base to 'canonicalize' the search base
- if only a single entry that matches with a non-DC DN component (matching with a DC component would mean the DN comes from a different domain) then this entry is a match and is returned

Resolves: https://fedorahosted.org/sssd/ticket/3199
Reviewed-by: Sumit Bose <sbose@redhat.com>

25699846bd1c9f8bb513b6271eb4366ab682fbd2 31-Oct-2016 Sumit Bose <sbose@redhat.com>

LDAP/AD: resolve domain local groups for remote users If a user from a trusted domain in the same forest is a direct or indirect member of domain local groups from the local domain those memberships must be resolved as well. Since those domain local groups are not valid in the trusted domain a DC from the trusted domain which is used to lookup the user data is not aware of them. As a consequence those memberships must be resolved against a local DC in a second step. Resolves https://fedorahosted.org/sssd/ticket/3206 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

3dd4c3eca80e9223a65f3318821bd0fb5b45aedd 31-Oct-2016 Sumit Bose <sbose@redhat.com>

sysdb: add parent_dom to sysdb_get_direct_parents() Currently sysdb_get_direct_parents() only returns direct parents from the same domain as the child object. In setups with sub-domains this might not be sufficient. A new option parent_dom is added which allows to specify a domain the direct parents should be looked up in. If it is NULL the whole cache is searched. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

e9a2e7afbd09c23dd8748246e09831ed7b17d7c5 22-Sep-2016 Thomas Equeter <firstname@lastname.com>

IFP: expose user and group unique IDs through DBus This adds a uniqueID property on User and Group InfoPipe objects. It has a useful value on AD- and IPA-backed domains. For Active Directory, this is the GUID. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

91767924bdf9b5a28e8902206a40348d6c83a139 29-Jul-2016 Sumit Bose <sbose@redhat.com>

NSS: add user email to fill_orig() The IPA server must send the email address of a user to the clients to allow login by email. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

78677495a7762469002b0976809fa20ac2196f42 29-Jul-2016 Sumit Bose <sbose@redhat.com>

sysdb: include email in UPN searches Email addresses and Kerberos user principal names (UPNs) do not only look similar, they also can be used to identify a user uniquely. In future this approach should be replaced by a more generic one where the attributes which can uniquely identify a user can be configured to support even a wider range of login names. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

83a796ec8de4bde65b11cc8032675406950641fa 29-Jul-2016 Sumit Bose <sbose@redhat.com>

LDAP: new attribute option ldap_user_email Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

1594701fbdc341069e11cff9a85e7a795e52db3d 29-Jul-2016 Sumit Bose <sbose@redhat.com>

views: properly override group member names Resolves https://fedorahosted.org/sssd/ticket/2948 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

17bfd9f69251781140e4b2b55ffeb649d7a79e86 29-Jul-2016 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_get_user_members_recursively() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d7b3c1d47f6a47c856187f2c52722e29c488d578 26-Jul-2016 Petr Cech <pcech@redhat.com>

SYSDB: Removing of duplication of sysdb_ts_cache_attrs Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>

20348a30feb4be619b3b691c24c9be8131507c46 18-Jul-2016 Sumit Bose <sbose@redhat.com>

sysdb: make subdomain calls aware of upn_suffixes sysdb_subdomain_store() and sysdb_update_subdomains() can now update upn_suffixes as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

132b31fd5fb74a7627896cdceaf29c7601ed4795 18-Jul-2016 Sumit Bose <sbose@redhat.com>

sysdb: add UPN suffix support for the master domain sysdb_master_domain_update() and sysdb_master_domain_add_info() are now aware of the UPN suffix attribute. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

8531bd4585f9135ffd4cbb9bb4c880dc77b5adc4 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Upgrade sysdb to use qualified names for users and groups, sudo rules and override objects Runs a sysdb upgrade that changes objects that represent users, groups, sudo rules and overrides to the new schema, which uses the fully qualified names. Reviewed-by: Sumit Bose <sbose@redhat.com>

6d66c2c465861ff2558f2574eddf8315628ccc6d 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Allow passing a context to sysdb upgrade functions We decide on whether to upgrade or not based on a pointer value, not a boolean. This pointer points to a structure that the upgrade invoker (typically the monitor) can use to fill auxiliary data the sysdb upgrade has no means of instantiating. Reviewed-by: Sumit Bose <sbose@redhat.com>

ebbeac5c6b8b87ab478ee5a04ec48fbbba0c9efc 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Remove useless parameter from sysdb_init() The function sysdb_init() is never used to allow upgrade, so the allow_upgrade parameter was pointless. Reviewed-by: Sumit Bose <sbose@redhat.com>

3931c6612fae5ad32ad81a59f77d77c2d896ebe1 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Add a utility function to return a list of qualified names Adds a utility function the LDAP provider can use. This is different from sss_create_internal_fqname_list in the sense that the LDAP provider passes in the attribute name that contains the name attribute value. Reviewed-by: Sumit Bose <sbose@redhat.com>

a257259b05d62ebe548b6c798a3aa03a97dbc0c2 23-Jun-2016 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: If modifyTimestamp is the same, only update the TS cache Resolves: https://fedorahosted.org/sssd/ticket/2602 If the entry being saved contains the original modifyTimestamp attribute and the modifyTimestamp attribute is the same as the one we already saved to the timestamp cache, only the expire timestamps in the asynchronous timestamp cache will be bumped and the sysdb code will avoid writes to the main cache completely. If the modifyTimestamp is either missing or differs, we assume the entry had changed and do a full write to the main cache. Also amends the generic sysdb_set_attrs* and similar functions so that their results are also reflected in the timestamps cache. Reviewed-by: Sumit Bose <sbose@redhat.com>

dd285415d7a8d8376207960cfa3e977524c3b98c 23-Jun-2016 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Search the timestamp caches in addition to the sysdb cache When a sysdb entry is searched, the sysdb cache is consulted first for users or groups. If an entry is found in the sysdb cache, the attributes from the timestamp cache are merged to return the full and up-to-date set of attributes. The merging is done with a single BASE search which is a direct lookup into the underlying key-value database, so it should be relatively fast. More complex merging is done only for enumeration by filter which is currently done only via the IFP back end and should be quite infrequent, so I hope we can justify a more complex merging there. Reviewed-by: Sumit Bose <sbose@redhat.com>

f983b400bf4f6fb14a2174d6f58071e06e9ec832 23-Jun-2016 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Open a timestamps cache for caching domains For all domain types, except the local domain, open a connection to a new ldb file located at /var/lib/sss/db named timestamps_$domain.ldb. Constructs the ldb file path manually in sysdb_check_upgrade_02() but that should be acceptable because nobody should be running such an old cache these days anyway. Reviewed-by: Sumit Bose <sbose@redhat.com>

e732d23f3ec986a463d757781a334040e03d1f59 23-Jun-2016 Jakub Hrozek <jhrozek@redhat.com>

UTIL: Add error codes for sysdb too old or too new We used really strange errno codes for detecting whether the database is too old or too new. We should use our sssd-specific error codes instead. Reviewed-by: Sumit Bose <sbose@redhat.com>

2f90ec2e16f0c14c789d9ed20e008e3103337210 09-Jun-2016 Sumit Bose <sbose@redhat.com>

sss_override: add certificate support Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

6cb34580ee6e9e2c9190b77b10db8a3c43e3c9c8 09-Jun-2016 Sumit Bose <sbose@redhat.com>

sysdb: add searches by certificate with overrides Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

6cdeb0923c16e3fafe21aaadca6dac1d71474c31 09-Jun-2016 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_attrs_add_base64_blob() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d0d7de66c9494621c1bc12384e41e5e38a77fbeb 13-Apr-2016 Sumit Bose <sbose@redhat.com>

PAC: only save PAC blob into the cache Resolves https://fedorahosted.org/sssd/ticket/2158 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

5ff7a765434ed0b4d37564ade26d7761d06f81c3 01-Mar-2016 Sumit Bose <sbose@redhat.com>

sdap: improve filtering of multiple results in GC lookups The Global Catalog of AD contains some information about all users and groups in an AD forest. Users from different domains in the forest can have the same name. The most obvious example is the Administrator user which is present in all domains. Although SSSD uses a domain specific search base for looking up users in the GC the search might still return multiple results if there is a user with the same name in one of the child (or grand-child ...) domains because of the hierarchic nature of the LDAP tree. Limiting the search depth would not help because users can be created in deeply nested OUs. Currently SSSD expects in this case that the user object is stored in CN=Users or below. This works for all default users like Administrator but in general users can be created anywhere in the directory tree. If a user is created outside of CN=Users and there is a user with the same name in a child domain the initgroups command to look up the group-memberships of the user fails because it is not clear which of the two results should be used (initgroups for the child domain user works fine). This patch adds an additional scheme to select the right result based on the domain component attribute name 'dc'. This attribute indicates an additional component in the domain name and hence a child domain. So as long as the result contains a dc component following our search base it cannot be the object we are looking for. This scheme includes the old CN=Users based one but since it is more expensive I kept the old scheme which so far worked all the time and only use the new one if the old one fails. Resolves https://fedorahosted.org/sssd/ticket/2961 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

659232f194f83ec7c450ce89c3fd41e4e74409f2 01-Mar-2016 Pavel Březina <pbrezina@redhat.com>

remove user certificate if not found on the server

If the user is not found by cert lookup when the user is already cached, two things may happen:
1) cert was removed from the user object
2) user was removed

Instead of issuing another cert lookup we will just remove cert attribute from the cache not touching the expiration timestamp so the user may be updated later when needed.

Resolves: https://fedorahosted.org/sssd/ticket/2934
Reviewed-by: Sumit Bose <sbose@redhat.com>

3cf7fdfcaedb986f42a6640e26aa057007b64045 24-Feb-2016 Jakub Hrozek <jhrozek@redhat.com>

Add a new option ldap_group_external_member Required for: https://fedorahosted.org/sssd/ticket/2522 Reviewed-by: Sumit Bose <sbose@redhat.com>

68abbe716bed7c8d6790d9bec168ef44469306a1 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

SUDO: make sudo sysdb interface more reusable Reviewed-by: Sumit Bose <sbose@redhat.com>

aedc71fe8360a51785933523f14bb5c4e7e2c38b 20-Nov-2015 Sumit Bose <sbose@redhat.com>

IPA: fix override with the same name If the user name of an AD user is overridden with the name itself in an IPA override object SSSD adds this name twice to the alias list causing an ldb error when trying to write the user object to the cache. As a result the user is not available. This patch makes sure that there are no duplicated alias names. Resolves https://fedorahosted.org/sssd/ticket/2874 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

28ebfa4373d1e7ce45b5d70a3619df1c074a661e 08-Oct-2015 Pavel Březina <pbrezina@redhat.com>

cache_req: add support for UPN Reviewed-by: Sumit Bose <sbose@redhat.com>

b0d6d14b5bcc137074383abcd2bf8039c3d74b02 03-Sep-2015 Michal Židek <mzidek@redhat.com>

SYSDB: Add function to expire entry Ticket: https://fedorahosted.org/sssd/ticket/2676 Added function to expire entry in sysdb using its DN. Reviewed-by: Pavel Reichl <preichl@redhat.com>

a8d31510d12af6ee39fb3e1e13f3a4f6bdef33c1 27-Jul-2015 Pavel Březina <pbrezina@redhat.com>

SYSDB: prepare for LOCAL view Objects don't have to have overrideDN specified when using LOCAL view. Since the view is not stored on the server we do not want to contact LDAP therefore we special case LOCAL view saying that it is OK that this attribute is missing. Preparation for: https://fedorahosted.org/sssd/ticket/2584 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

696c17580b49d6817f1dd33915e0e209dcfe4225 15-Jul-2015 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Add functions to look up multiple entries including name and custom filter

Related: https://fedorahosted.org/sssd/ticket/2553

Adds new sysdb function:
- sysdb_enumpwent_filter
- sysdb_enumpwent_filter_with_views
- sysdb_enumgrent_filter
- sysdb_enumgrent_filter_with_views

These are similar to enumeration functions, but optionally allow to specify a filter to be applied on user/group names. Also an additional custom filter can be applied.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

32cc237aa0f3c70a4e0bc0491ec0cba0016aaf5a 06-Jul-2015 Pavel Reichl <preichl@redhat.com>

sysdb: new attribute lastOnlineAuthWithCurrentToken Introduce new user attribute lastOnlineAuthWithCurrentToken. This attribute behaves similarly to lastOnlineAuth but is set to NULL after password is changed. This attribute is needed for use-case when cached authentication is used, to request online authentication after password is locally changed. Resolves: https://fedorahosted.org/sssd/ticket/1807 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

9ac2a33f4cdc4941fa63118dcffe8058854f33c4 02-Jul-2015 Michal Židek <mzidek@redhat.com>

views: Add is_default_view helper function Ticket: https://fedorahosted.org/sssd/ticket/2641 Reviewed-by: Pavel Reichl <preichl@redhat.com>

7d8b7d82f0a91ed656320577fc781f24a66db9f8 19-Jun-2015 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_search_user_by_cert() and sysdb_search_object_by_cert() Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

e22e04517b9f9d0c7759dc4768eedfd05908e9b6 19-Jun-2015 Sumit Bose <sbose@redhat.com>

LDAP: add ldap_user_certificate option Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

d3c82d0170d6d7407549afdadd08aa7e11aeb9a2 18-Jun-2015 Pavel Březina <pbrezina@redhat.com>

IFP: Implement org.freedesktop.sssd.infopipe.Cache[.Object]

Resolves: https://fedorahosted.org/sssd/ticket/2338

Example use:

    $ dbus-send --print-reply --system \
        --dest=org.freedesktop.sssd.infopipe \
        /org/freedesktop/sssd/infopipe/Users \
        org.freedesktop.sssd.infopipe.Users.FindByName \
        string:admin
    object path "/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000"

    $ dbus-send --print-reply --system \
        --dest=org.freedesktop.sssd.infopipe \
        /org/freedesktop/sssd/infopipe/Users \
        org.freedesktop.sssd.infopipe.Cache.List
    array [ ]

    $ dbus-send --print-reply --system \
        --dest=org.freedesktop.sssd.infopipe \
        /org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \
        org.freedesktop.sssd.infopipe.Cache.Object.Store
    boolean true

    $ dbus-send --print-reply --system \
        --dest=org.freedesktop.sssd.infopipe \
        /org/freedesktop/sssd/infopipe/Users \
        org.freedesktop.sssd.infopipe.Cache.List
    array [ object path "/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000" ]

    $ dbus-send --print-reply --system \
        --dest=org.freedesktop.sssd.infopipe \
        /org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \
        org.freedesktop.sssd.infopipe.Cache.Object.Remove
    boolean true

    $ dbus-send --print-reply --system \
        --dest=org.freedesktop.sssd.infopipe \
        /org/freedesktop/sssd/infopipe/Users \
        org.freedesktop.sssd.infopipe.Cache.List
    array [ ]

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

9af86b9c936d07cff9d0c2054acde908749ea522 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Add realm to sysdb_master_domain_add_info Adding realm to both master domain and subdomain will make it easier to set and select forest roots. Even master domains can be forest members, it's preferable to avoid special-casing as much as possible. Includes a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>

ea224c3813a537639778f91ac762732b3c289603 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Store trust direction for subdomains We need to store the subdomain trust direction in order to recover the structure after SSSD restart. The trust direction is a plain uint32_t to avoid leaking the knowledge about AD trust directions to sysdb while at the same time making it easy to compare values between sysdb and LDAP and avoid translating the values. Reviewed-by: Sumit Bose <sbose@redhat.com>

55b7fdd837a780ab0f71cbfaa2403f4626993922 08-May-2015 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_cache_password_ex() Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

1d93029624d708119bbf803e6647a2cbb271f001 20-Mar-2015 Sumit Bose <sbose@redhat.com>

sdap: properly handle binary objectGuid attribute Although in the initial processing SSSD treats the binary value right, at some point it mainly assumes that it is a string. Depending on the value this might end up with the correct binary value stored in the cache but in most cases there will be only a broken entry in the cache. This patch converts the binary value into a string representation which is described in [MS-DTYP] and stores the result in the cache. Resolves https://fedorahosted.org/sssd/ticket/2588 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

61c8d13e55ebafc28da1b0b5ad9ae578d687e288 08-Mar-2015 Pavel Březina <pbrezina@redhat.com>

be_refresh: support groups Resolves: https://fedorahosted.org/sssd/ticket/2346 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

e77d6366ff9e49dbbb607f1709f1ae4190b99489 08-Mar-2015 Pavel Březina <pbrezina@redhat.com>

be_refresh: support users Resolves: https://fedorahosted.org/sssd/ticket/2346 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

108db0e3b9e06e530364ef8228634f5e3f6bd3b5 30-Jan-2015 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Add UUID when saving incomplete groups Related to: https://fedorahosted.org/sssd/ticket/2571 Reviewed-by: Sumit Bose <sbose@redhat.com>

4f4d35e14b4dc35a8df0ba28d6bd26f9ce75f962 13-Jan-2015 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Reduce code duplication in sysdb_gpo.c Two places in sysdb_gpo.c were searching for the GPO result object while the only difference was the attributes searched for. Remove this duplication and make the search function static as it's not used outside the module. Reviewed-by: Pavel Reichl <preichl@redhat.com>

fbcdc08722aa8ed17c4b114e01fbb37c02cfb2fe 13-Jan-2015 Sumit Bose <sbose@redhat.com>

sysdb: fix group members with overridden names Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

4bbcc2d6d3f16b015796818746a45134861c93a4 17-Dec-2014 Pavel Reichl <preichl@redhat.com>

SYSDB: sysdb_search_object_by_sid returns ENOENT sysdb_search_object_by_sid returns ENOENT if no results are found. Part of solution for: https://fedorahosted.org/sssd/ticket/1991 Fixes: https://fedorahosted.org/sssd/ticket/2520 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

2d40bf0ad9f03e345228cba4563091c91eb02f5b 13-Dec-2014 Jakub Hrozek <jhrozek@redhat.com>

Skip CHAUTHTOK_PRELIM when using OTPs https://fedorahosted.org/sssd/ticket/2484 When OTPs are used, we can only use each authtoken at most once. When it comes to Kerberos password changes, this was only working previously by accident, because the old authtoken was first used to verify the old password is valid and not expired and then also to acquire a chpass principal. This patch looks at the user object in LDAP to check if the user has any OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped completely so that the OTP can be used to acquire the chpass ticket later. Reviewed-by: Sumit Bose <sbose@redhat.com>

6fac5e5f0c54a0f92872ce1450606cfcb577a920 13-Dec-2014 Pavel Reichl <preichl@redhat.com>

LDAP: retain external members When processing group membership check sysdb for group members from extern domain and include them in newly processed group membership as extern members are currently found only when initgroups() is called. Resolves: https://fedorahosted.org/sssd/ticket/2492 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>

2fe140d3a41e1ac66400069d35adc9379348c1e5 25-Nov-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_invalidate_overrides() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

fe2ab0d67fe8c66fb6352e9d8f845bb46d1848cb 25-Nov-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_delete_view_tree() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

907a7c626db407d19d4cae85c2db7d3561120349 20-Nov-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_search_object_by_uuid() Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

1a9f66352070d71a6b998c5afbc268ba6fddc51c 05-Nov-2014 Sumit Bose <sbose@redhat.com>

sysdb_add_overrides_to_object: add new parameter and multi-value support With the new parameter an attribute list other than the default one can be used. Override attributes with multiple values (e.g. SSH public keys) are now supported as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

0887c35bdb85adf0a4376dc8963294ea5a9d6da6 22-Oct-2014 Michal Zidek <mzidek@redhat.com>

SYSDB: Allow calling chown on the sysdb file from monitor Sysdb must be accessible for the nonroot sssd processes. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

cc5f7592e4d81f3a7336da20fc681b7e52c103b4 20-Oct-2014 Pavel Březina <pbrezina@redhat.com>

Add sysdb_get_user_attr_with_views Reviewed-by: Sumit Bose <sbose@redhat.com>

727d46f4dace666c809310b3f685eef387023f65 20-Oct-2014 Pavel Březina <pbrezina@redhat.com>

Add sysdb_search_[user|group]_override_attrs_by_name Reviewed-by: Sumit Bose <sbose@redhat.com>

4777af0b8f9a3f418a54f0d4bf7eb72b896dabb5 20-Oct-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_enumpw/grent_with_views() Reviewed-by: Pavel Březina <pbrezina@redhat.com>

d2f4551519698809e73a029c49599e1f67e6bdd4 20-Oct-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_getgrnam_with_views and sysdb_getgrgid_with_views Reviewed-by: Pavel Březina <pbrezina@redhat.com>

908ee7aa8f046ae7f066d80b787cd380d61af619 20-Oct-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_initgroups_with_views() Reviewed-by: Pavel Březina <pbrezina@redhat.com>

ba88f3617e5a56bba19a0d65d35069d8e4d0c89c 20-Oct-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sss_view_ldb_msg_find_element/attr_as_string/uint64 Override-aware replacements for the corresponding ldb_msg_find_* calls. First it is checked if an override value is available before the original value is returned. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

89b065cb85f57e80760ce4d4b1215b533e249e92 20-Oct-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_getpwnam/uid_with_views() View-aware drop-in replacements for sysdb_getpwnam() and sysdb_getpwuid(). Reviewed-by: Pavel Březina <pbrezina@redhat.com>

d70023a7fa95c8c12683de965a76ec38a6234ae5 20-Oct-2014 Sumit Bose <sbose@redhat.com>

sysdb: add override lookup calls sysdb_search_user_override_by_name() and sysdb_search_group_override_by_name() search for overrides in the given view. sysdb_add_overrides_to_object() adds the data from the override object to the original object and makes them available for further processing. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

9da27cbc7532f775afc411d809735760dd5294a7 16-Oct-2014 Sumit Bose <sbose@redhat.com>

sysdb: sysdb_apply_default_override The default view is special in the sense that it is the baseline for every other view and that it always applies even if there is no view defined. To avoid useless additional processing the default view overrides are written directly to the corresponding cached object. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

8a2a503fa5c01ea037d28b7c902b8821a11084bd 16-Oct-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_attrs_add_val_safe() and sysdb_attrs_add_string_safe() sysdb_attrs_add_val_safe() works like sysdb_attrs_add_val() but checks if the attribute value to add already exists. In this case the value list is not changed. This is useful if values are added from different sources at different times to avoid LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS errors from ldb_modify() later on. sysdb_attrs_add_string_safe() does the same for string arguments Reviewed-by: Pavel Březina <pbrezina@redhat.com>

ca49ae1eee321751681e99f3ebe2547211db3bf6 16-Oct-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_store_override Reviewed-by: Pavel Březina <pbrezina@redhat.com>

08ab0d4ede41a1749e0bc26f78a37a4d10c20db8 16-Oct-2014 Sumit Bose <sbose@redhat.com>

IPA: add view support and get view name Related to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

2ef62c64e7f07c8aced3f72850008ecb72860162 16-Oct-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_update_view_name() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

229c292143dcd4120acb022682b5b7d0aca622dd 14-Oct-2014 Sumit Bose <sbose@redhat.com>

nss: add SSS_NSS_GETORIGBYNAME request This patch adds a new request to the nss responder which follows the same flow as a SSS_NSSGETSIDBYNAME request but returns more data than just the SID. The data is returned as pairs of \0-terminated strings where the first string is the sysdb attribute name and the second the corresponding value. The main use case is on the FreeIPA server to make additional user and group data available to the extdom plugin which then sends this data to SSSD running on FreeIPA clients. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

adf9c23d663c308cfeeaa5ad0a33c399c85b27ec 12-Oct-2014 Pavel Reichl <preichl@redhat.com>

NSS: UPN as a template expansion for homedir mappings Fixes: https://fedorahosted.org/sssd/ticket/2340 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d7d3ee1b8ab7a05129c83da8a185351d7c751c1c 06-Oct-2014 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: move sysdb_get_real_name() from sysdb.c to sysdb_search.c The sysdb.c should be reserved for utility and setup functions. Search functions belong to sysdb_search.c Keeping functions in specialized modules helps to maintain nice dependencies and in overall makes unit testing easier. Moreover, the function was not unit tested, which needed fixing. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

4611802d41d8954a3040f39403590adb920ca521 02-Oct-2014 Yassir Elley <yelley@redhat.com>

AD-GPO resolve conflicting policy settings correctly Resolves: https://fedorahosted.org/sssd/ticket/2437 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

eb0cde4e6dfdbda08588860534f7ece5776ec3af 08-Sep-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: delete stale GPOs https://fedorahosted.org/sssd/ticket/2431 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

61602026ed8c91efd166000562899670449f1b50 05-Sep-2014 Pavel Reichl <preichl@redhat.com>

SYSDB: SSS_LDB_SEARCH - macro around ldb_search This patch amends previous patch 5153e8b9793dea1e212ca08af0f77ea1d023cbb7. Macro SSS_LDB_SEARCH is used instead of using function sss_ldb_search as a wrapper around ldb_search which could lead to premature expansion of variadic parameters. Part of solution for: https://fedorahosted.org/sssd/ticket/1991 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

9bda5ab39fc3429191e2272a8be62e230677ecb1 13-Aug-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: sysdb_gpo changes for offline gpo support Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ff4b603cc14ea6ea15caaf89a03e927920124af4 31-Jul-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: add ad_gpo_cache_timeout option Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

64074e584a56611d7563667e0fcdadd215b0c922 30-Jul-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: add sysdb_gpo support for caching gpo version Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

5153e8b9793dea1e212ca08af0f77ea1d023cbb7 25-Jun-2014 Pavel Reichl <preichl@redhat.com>

SYSDB: sss_ldb_search - wrapper around ldb_search Make sure that if no results were found ENOENT is returned rather than just empty list of results. Resolves: https://fedorahosted.org/sssd/ticket/1991 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

7420bdb0b76ab7ba6e20a0e9b080241bd8269e6b 23-Jun-2014 Lukas Slebodnik <lslebodn@redhat.com>

SYSDB: Modify declaration of sysdb_search_entry Type of parameter scope was changed s/int/enum ldb_scope/ This patch fixes warning from static analysers: src/db/sysdb_ops.c:228: mixed_enum_type: enumerated type mixed with another type Reviewed-by: Pavel Reichl <preichl@redhat.com>

7ecb5aea65cb1899f16e7a41bffa93d074defd4a 20-Jun-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_search_user_by_upn() with tests Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

09579ae252c181c7884defc0612c36108f6cf509 20-Jun-2014 Pavel Reichl <preichl@redhat.com>

SYSDB: sysdb_search_entry fix memory leak Allocate res on tmp_ctx instead of on mem_ctx. Also use '_' prefix convention for output parameters. Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

21fc2ea7d4a9944582ffd4d11500faf4bddae835 18-Jun-2014 Pavel Reichl <preichl@redhat.com>

SYSDB: utility call sysdb_attrs_add_lower_case_string Resolves: https://fedorahosted.org/sssd/ticket/2056 Reviewed-by: Sumit Bose <sbose@redhat.com>

cf2cc44d6293165379d6470b8bf6bb6a87d62b31 14-May-2014 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: return SYSDB_NAME from sysdb_initgroups For the GetGroupsList function it would be handy to get the user names as well with a single sysdb_initgroups() call. This patch adds SYSDB_NAME to the default attribute list. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

37171a92dc9c5e4fe1a0663901fc965b49a78151 29-Jan-2014 Jakub Hrozek <jhrozek@redhat.com>

DB: Add sss_ldb_el_to_string_list

17195241500e46272018d7897d6e87249870caf2 09-Jan-2014 Pavel Reichl <pavel.reichl@redhat.com>

responder: Set forest attribute in AD domains Resolves: https://fedorahosted.org/sssd/ticket/2160

fb4435785f92712840efb107700452598371ce77 19-Dec-2013 Sumit Bose <sbose@redhat.com>

Add sysdb_attrs_get_int32_t

022456e93c9b175ce3774afe524e3926f41ba80f 19-Dec-2013 Sumit Bose <sbose@redhat.com>

Add new option ldap_group_type

15a1519ec9c23f598716ffa89e533cd9bfb2a4f3 19-Dec-2013 Sumit Bose <sbose@redhat.com>

Use lower-case name for case-insensitive searches The patch makes sure that a completely lower-cased version of a fully qualified name is used for case insensitive searches. Currently there are code paths where the domain name was used as configured and was not lower-cased. To make sure this patch does not break with old entries in the cache or case sensitive domains a third template was added to the related filters templates which is either filled with a completely lower-cased version or with the old version. The other two template values are unchanged.

48eb2ca157f7cdc625d0eacdcdc085a3fe1a0fc8 19-Dec-2013 Sumit Bose <sbose@redhat.com>

Add sysdb_attrs_add_lc_name_alias

05bbf81c6b7e0c0ddb7a9d1c66ad2e19e9e3b6c9 27-Nov-2013 Michal Zidek <mzidek@redhat.com>

Fix parameter name. We use '_' as prefix for output parameters. In function sysdb_get_rdn we wrongly used this prefix for input parameter, which caused some confusion when reading the code.

7789ef33ab4c2745d46aa5c342b1d852a9593223 27-Nov-2013 Michal Zidek <mzidek@redhat.com>

Missing parameter name in declaration.

e2ac9be4f293b96f3c8992f1171e44bc1da5cfca 15-Nov-2013 Michal Zidek <mzidek@redhat.com>

SYSDB: Drop redundant sysdb_ctx parameter from sysdb.c

d115f40c7a3999e3cbe705a2ff9cf0fd493f80fb 15-Nov-2013 Michal Zidek <mzidek@redhat.com>

SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2)

sysdb.h sysdb_autofs.c sysdb_ops.c sysdb_services.c sysdb_ssh.c sysdb_sudo.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_hbac_common.c /sssd-io/src/providers/ipa/ipa_hbac_hosts.c /sssd-io/src/providers/ipa/ipa_hbac_services.c /sssd-io/src/providers/ipa/ipa_hbac_users.c /sssd-io/src/providers/ipa/ipa_id.c /sssd-io/src/providers/ipa/ipa_netgroups.c /sssd-io/src/providers/ipa/ipa_s2n_exop.c /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/ldap/ldap_auth.c /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/ldap_id_cleanup.c /sssd-io/src/providers/ldap/ldap_id_netgroup.c /sssd-io/src/providers/ldap/sdap_async_groups.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_async_initgroups_ad.c /sssd-io/src/providers/ldap/sdap_async_nested_groups.c /sssd-io/src/providers/ldap/sdap_async_netgroups.c /sssd-io/src/providers/ldap/sdap_async_users.c /sssd-io/src/providers/ldap/sdap_reinit.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_netgroup.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pac/pacsrv_utils.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/tests/cmocka/test_nss_srv.c /sssd-io/src/tests/simple_access-tests.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_seed.c /sssd-io/src/tools/sss_sync_ops.c

7d056853e4a5fe6daa5743e38d21b4493f4fca27 15-Nov-2013 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Drop the sysdb_ctx parameter from the sysdb_idmap module

4c08db0fb0dda3d27b1184248ca5c800d7ce23f0 15-Nov-2013 Michal Zidek <mzidek@redhat.com>

SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 1)

sysdb.h sysdb_ops.c sysdb_sudo.c /sssd-io/src/providers/ipa/ipa_auth.c /sssd-io/src/providers/ipa/ipa_hbac_common.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/ldap/sdap_access.c /sssd-io/src/providers/ldap/sdap_async_groups.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_async_initgroups_ad.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/tools_mc_util.c /sssd-io/src/util/sss_selinux.c

b3292840ebaa747a9fd596ff47cc5d18198361d0 15-Nov-2013 Michal Zidek <mzidek@redhat.com>

SYSDB: Drop the sysdb_ctx parameter from the sysdb_search module

sysdb.c sysdb.h sysdb_search.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd-io/src/providers/krb5/krb5_access.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_utils.c /sssd-io/src/providers/ldap/ldap_auth.c /sssd-io/src/providers/ldap/sdap_access.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/python/pysss.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/ssh/sshsrv_cmd.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/tests/cmocka/test_nss_srv.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_seed.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_sync_ops.h /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/tools/tools_util.c

8b64ca35eb73667a589067788a6f9fb1f7d281c1 25-Oct-2013 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Add sysdb_delete_by_sid

c5711b0279ea85d69fe3c77dfb194360c346e1d7 27-Sep-2013 Sumit Bose <sbose@redhat.com>

IPA: store forest name for forest member domains In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of the forest must be known for a member domain of the forest.

6ff294ac06863ea76463c3fa3549cc46a60b75ad 26-Sep-2013 Pavel Březina <pbrezina@redhat.com>

sysdb: sysdb_update_members can take either name or dn We need to work with distinguished names when processing cross-domain membership, because groups and users may be stored in different sysdb trees. Resolves: https://fedorahosted.org/sssd/ticket/2066

764aa04ee92dbbd0d1eca6703294135eb97fda6d 23-Sep-2013 Sumit Bose <sbose@redhat.com>

krb5: save canonical upn to sysdb If the returned TGT contains a different user principal name (upn) than used in the request, i.e. the upn was canonicalized, we currently save it to sysdb into the same attribute where the upn coming from an LDAP server is stored as well. This means the canonical upn might be overwritten when the user data is re-read from the LDAP server. To avoid this, this patch adds a new attribute to sysdb where the canonical upn is stored and makes sure it is used when available. Fixes https://fedorahosted.org/sssd/ticket/2060

abc398cba9d11d3da047636992ec14c2d4535161 10-Sep-2013 Ondrej Kos <okos@redhat.com>

DB: Add user/group lookup by SID

b3458bbb5315b05d7ac1abc58f1c380761756603 28-Aug-2013 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Store enumerate flag for subdomain

a4644da8f2bd25621ae159d753ffb66df9594dc8 28-Aug-2013 Jakub Hrozek <jhrozek@redhat.com>

DB: remove unused realm parameter from sysdb_master_domain_add_info The parameter was not used at all.

caee9828ee30609e9f433957dbb3d0163390a207 28-Aug-2013 Sumit Bose <sbose@redhat.com>

ipa-server-mode: add IPA group memberships to AD users When IPA trusts an AD domain the AD user or groups can be placed into IPA groups e.g. to put AD users under the control of HBAC. Since IPA group can only have members from the IPA directory tree and the AD users and groups are not stored there a special IPA object called external group was introduced. SIDs of users and groups can be added to the external group and since the external groups are in the IPA directory tree they can be member of IPA groups. To speed things up and to remove some load from the IPA servers SSSD reads all external groups and stores them in memory for some time before rereading the data. Enhances https://fedorahosted.org/sssd/ticket/1962

75dd4b05e1dacc76dc9d5f16be31978f84a71dc5 19-Aug-2013 Sumit Bose <sbose@redhat.com>

sysdb_add_incomplete_group: store SID string if available During initgroups request we read the SID of a group from the server but do not save it to the cache. This patch fixes this and might help to avoid an additional lookup of the SID later.

39f13b3bf5b3cf79f5f16575403f03b539300dc7 19-Aug-2013 Sumit Bose <sbose@redhat.com>

fill_initgr: add original primary GID if available In some cases when MPG domains are used the information about the original primary group of a user cannot be determined by looking at the explicit group memberships. In those cases the GID related to the original primary group is stored in a special attribute of the user object. This patch adds the GID of the original primary group when available and needed. Fixes https://fedorahosted.org/sssd/ticket/2027

8cdb9b9824d3fcc2448544d67544496f55b8d393 19-Aug-2013 Sumit Bose <sbose@redhat.com>

sdap_save_user: save original primary GID of subdomain users If ID mapping is enabled we use magic private groups (MPG) for subdomains, i.e. the UID and the primary GID of the user will have the same numerical value. As a consequence the information about the original primary group might get lost because neither in AD domains nor on a typical UNIX system the user is an explicit member of its primary group. With this patch the mapped GID or the original primary group is saved in the cached user object under a new attribute. Fixes https://fedorahosted.org/sssd/ticket/2027

09d7c105839bfc7447ea0f766413ed86675ca075 28-Jun-2013 Sumit Bose <sbose@redhat.com>

Save mpg state for subdomains The information whether a subdomain will use magic private groups (mpg) or not will be stored together with other information about the domain in the cache.

5e60c73cb91d1659755fb5ea829837db68d46163 28-Jun-2013 Sumit Bose <sbose@redhat.com>

Add support for new ipaRangeType attribute Recent versions of FreeIPA support a range type attribute to allow different types of ranges for sub/trusted-domains. If the attribute is available it will be used, if not the right value is determined with the help of the other idrange attributes. Fixes https://fedorahosted.org/sssd/ticket/1961

3680bb9c72ea5c60e6ac2fd2cf500b801341ca59 06-Jun-2013 Sumit Bose <sbose@redhat.com>

Read SIDs of groups with sysdb_initgroups() as well

1e72a17f6527d47968032fc928f489dad10705ea 02-May-2013 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_search_object_by_sid() The patch adds a new sysdb to find objects based on their SID. Currently only the basic attributes needed to map SIDs to POSIX IDs and names are requested, but this list can be extended for future use cases.

2ba16c5a5c4b6d3cd2a44179186ec60eda828bcd 05-Mar-2013 Michal Zidek <mzidek@redhat.com>

Remove the alt_db_path parameter of sysdb_init This parameter was never used. https://fedorahosted.org/sssd/ticket/1765

956309e24c32cd0886736bf065a27d5bdd200a77 26-Feb-2013 Jan Engelhardt <jengelh@inai.de>

sysdb: try dealing with binary-content attributes https://fedorahosted.org/sssd/ticket/1818 I have here a LDAP user entry which has this attribute loginAllowedTimeMap:: AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA In the function sysdb_attrs_add_string(), called from sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is the wrong thing to do. The result of strlen is then used to populate the .v_length member of a struct ldb_val - and this will set it to zero in this case. (There is also the problem that there may not be a '\0' at all in the blob.) Subsequently, .v_length being 0 makes ldb_modify(), called from sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End result is that users do not get stored in the sysdb, and programs like `id` or `getent ...` show incomplete information. The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave fine, but that may not mean that is the absolute lower boundary of introduction of the problem.

bba1a5fd62cffcae076d1351df5a83fbc4a6ec17 10-Feb-2013 Simo Sorce <simo@redhat.com>

Change the way domains are linked.

- Use a double-linked list for domains and subdomains.
- Never remove a subdomain, simply mark it as disabled if it becomes unused.
- Rework the way subdomains are refreshed. Now sysdb_update_subdomains() actually updates the current subdomains and marks as disabled the ones not found in the sysdb or add new ones found. It never removes them. Removal of missing domains from sysdb is deferred to the providers, which will perform it at refresh time, for the ipa provider that is done by ipa_subdomains_write_mappings() now. sysdb_update_subdomains() is then used to update the memory hierarchy of the subdomains.
- Removes sysdb_get_subdomains()
- Removes copy_subdomain()
- Add sysdb_subdomain_delete()

95e94691178297f2b8225a83d43ae388cab04b45 10-Feb-2013 Simo Sorce <simo@redhat.com>

Remove sysdb_subdom completely struct sss_domain_info is always used to represent domains now. Adjust tests accordingly.

1187a07ed4207c1c326fdf83915dddfe472b8620 10-Feb-2013 Simo Sorce <simo@redhat.com>

Add sysdb_subdomain_store() function Replaces sysdb_add_subdomain_attributes and is a public sysdb interface.

3912262270a6449ebe1d3e92c27c217b4044f894 10-Feb-2013 Simo Sorce <simo@redhat.com>

Refactor sysdb_master_domain_add_info()

65393a294e635822c1d7a15fe5853dc457ad8a2a 10-Feb-2013 Simo Sorce <simo@redhat.com>

Update main domain info in place

aab938c5975f0e3b85c7c79a5d718e5fefed7217 10-Feb-2013 Simo Sorce <simo@redhat.com>

Avoid sysdb_subdom in sysdb_get_subdomains()

b1ea4ec53e90bd2897abf47e7af02d157d89d7ae 23-Jan-2013 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: make the sss_ldb_modify_permissive function public

0b7be98ee0f8757428a45b22d1ace937e6bb7799 16-Jan-2013 Simo Sorce <simo@redhat.com>

Tidy up BASE dn macros

f91e4aacb78d33791efcd744000597d5254dac4b 15-Jan-2013 Simo Sorce <simo@redhat.com>

Stop creating fake sysdb contexts Now that the sysdb context does not contain anymore domain related data we can simply stop creating fake sysdb context and just reference the parent context.

0754ff886f909f0404038eb9c99dd61be1acf5b9 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain to some subdomain functions

043bda72889e9ef0c48b80b21c99e9e18c5f49d7 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_get_real_name()

9a7b6d3248c5aac460e164f2246b26131cfbc055 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_idmap_ functions

2ca23577d3a25aead24ba759a1f6f67ffc24decf 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_remove_attrs()

80c6afa474d8a1e0198832bddfe5da75a9818b29 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_has/set_enumerated()

84c986f9bb2767d8930b6f5d92d34b09b8fabe60 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain arg to sysdb_search/delete_netgroup()

a58ccee5afc802c7560624929614616aeefa9bd0 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_delete_group() Also remove sysdb_delete_domgroup()

2b7ee2a760e7fcc70f4970a3bbee6fbf8f2ccb9d 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_search_groups()

3412d14d65490c32414e72ac20fe21bad53ceb45 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_delete_user() Also remove sysdb_delete_domuser()

044868b388b4e47499f12a9105310b247bbe1ce2 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain arg to sysdb_search_users()

a703ed242523c145133f522085ee3180452b3743 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain to sysdb_delete_custom

770896b194b7b66b09c2a30545b4d091fd86b1f4 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_search_custom() Also changes sysdb_search_custom_by_name()

dd7192379e5fc5bb852863e60ad4b6a20c5da183 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_store_custom()

74ac1c2834cd8961ed9e7cadcfe28b113bffe4de 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_cache_auth()

777f5bc1fb5f2ba4267de83843beee51090eb8d5 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_cache_password()

363ce75bfe2f73198e1ae7feeed97b6009ae24b8 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain arg to sysdb group member functions

99c0cfdc5f065ba38f1ee91701d1d27f9e4fdb96 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_store_group() Also remove sysdb_store_domgroup()

6ac396bebb4cd3124711d26dce54263f6f9c7c45 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_store_user() Also remove sysdb_store_domuser()

b7427d63bd328be32991f9d437c4a3d46bcabe03 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain arguments to sysdb_add_inetgroup fns.

5c1135221ff3ea9132b6ebf073f2dcae88b73b3f 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain arguments to sysdb_add_group functions.

7c26e3568d0d789067feef945086dff367408a1c 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_add_user()

efc81d1b44169206a2e55bb8e900d3859375abe3 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_add_basic_user()

722c364c39bc0ed81e9577fb522f684c0104e26c 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_get_new_id()

3187afe4aafa562f2a6747846181ac06d0659dff 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_set_netgroup_attr()

20d2466dbce2bb950813e3f739bc40b511020efb 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_set_group_attr()

3f94d6718d44185137e13b6d326dfd63e8dc61c6 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_set_user_attr()

e6f266656ead48452673389835125db7a1a34baf 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain arg to sysdb_search_netgroup_by_name()

5d72a91a37273c8c874640906fd2f7a70e606812 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain to sysdb_search_group_by_gid() Also remove unused sysdb_search_domgroup_by_gid()

b23539e420b9962ad3bfd8f305b9d5acf47e7efb 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain to sysdb_search_group_by_name() Also remove unused sysdb_search_domgroup_by_name()

a5a4e5b4836fdd693bab6e1c7f9d633d1440447d 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain to sysdb_search_user_by_uid() Also remove unused sysdb_search_domuser_by_uid()

2ce00e0d3896bb42db169d1e79553a81ca837a22 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain to sysdb_search_user_by_name() Also remove unused sysdb_search_domuser_by_name()

5d78919c955c945e78865f322726aac075c71203 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_get_user_attr()

c3ca06c011a34997cd6ec5d1e5927fee12bf2464 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_initgroups()

1826891a4869450994ae82adb60215ca564f9f4d 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain option to sysdb_get/netgr/attrs() fns

a0593a02a5d2c7a8b4dda330a69fb1f10cc12cdb 15-Jan-2013 Simo Sorce <simo@redhat.com>

Pass domain to sysdb_enum<pw/gr>ebt() functions

2d66c2eee2e4364a52d5436b61759ef990108230 15-Jan-2013 Simo Sorce <simo@redhat.com>

Pass domain to sysdb_get<pwu/grg><id() functions

58fd3aa25c5292bc67432647ab7e5059439fcc6d 15-Jan-2013 Simo Sorce <simo@redhat.com>

Pass domain to sysdb_get<pw/gr>nam() functions Also allows us to remove sysdb_subdom_get<pw/gr>nam() wrappers and restore fqnames proper value in subdomains, by testing for a parent domain being present or not.

62dbfd0596aa15ddf0d9384f426814edcf627331 15-Jan-2013 Simo Sorce <simo@redhat.com>

Move range objects into their own top-level tree. Storing ranges for multiple domains under any specific domain is somewhat arbitrary and unnecessary. Put ranges under cn=ranges,cn=sysdb, without involving any specific domain subtree. This allows us to avoid using sysdb->domain in ranges functions. Also storing other subdomains data under the parent domain tree felt wrong, all other domain specific data is under their own subtree. Moving this data in its own place seems a better solution.

9675bccabff4e79d224f64611ad9ff3e073b488e 15-Jan-2013 Simo Sorce <simo@redhat.com>

Make sysdb_custom_subtree_dn() require a domain.

de526c8425886ca3bed8f07a0f092ba5ac325654 15-Jan-2013 Simo Sorce <simo@redhat.com>

Make sysdb_custom_dn() require a domain.

4b49384056874e7999d8338ce5288f3d5c27a7b8 15-Jan-2013 Simo Sorce <simo@redhat.com>

Make sysdb_domain_dn() require a domain.

2ee09a30b020916ee7bf2f61f993ce7844897c1f 15-Jan-2013 Simo Sorce <simo@redhat.com>

Make sysdb_netgroup_base_dn() require a domain.

7c974e792beef952ceb19a01775c6d0ee71a1253 15-Jan-2013 Simo Sorce <simo@redhat.com>

Make sysdb_netgroup_dn() require a domain explicitly.

52c72ae8587d8d47393a891ccd4ef06bd4bef856 15-Jan-2013 Simo Sorce <simo@redhat.com>

Make sysdb_group_dn() require a domain explicitly.

3613cc1eba1337256a2d06ba7a84532156139ccd 15-Jan-2013 Simo Sorce <simo@redhat.com>

Make sysdb_user_dn() require a domain explicitly.

1e6f2180724de4722a5218826c9401181168d9d4 15-Jan-2013 Simo Sorce <simo@redhat.com>

Remove the sysdb_ctx_get_domain() function. We are deprecating sysdb->domain so kill the function that gives access to this member as we should stop relying on it being available (or correct).

234958be042980242fff6da936af674da877c5ef 15-Jan-2013 Simo Sorce <simo@redhat.com>

Refactor single domain initialization Bring it out of sysdb, which will slowly remove internal dependencies on domains and instead will always require them to be passed by callers.

72aa8e7b1d234b6b68446d42efa1cff22b70c81b 15-Jan-2013 Simo Sorce <simo@redhat.com>

Refactor sysdb initialization Change the way sysdbs are initialized. Make callers responsible for providing the list of domains. Remove the returned array of sysdb contexts, it was used only by sss_cache and not really necessary there either as that tool can easily iterate the domains. Make sysdb ctx children of their respective domains. Neither sysdb context nor domains are ever freed until a program is done so there shouldn't be any memory hierarchy issue. As plus we simplify the code by removing a destructor and a setter function.

c83e409297711e6012a164cc929c758a3f38e9b9 10-Jan-2013 Simo Sorce <simo@redhat.com>

Code can only check for cached passwords Make it clear to the API users that we can not take arbitrary auth tokens. We can only take a password for now so simplify and clarify the interface.

849aa25d7511a44e8f755c6f0a79b2746007a539 08-Jan-2013 Simo Sorce <simo@redhat.com>

Remove dead netgroup functions

8338d6727eb33ccdc1c2b77e6b4d38220587b9d2 08-Jan-2013 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Remove duplicate selinux defines

5c95a8f77a37cd9ca4e2f6037bebade5284f415c 07-Jan-2013 Simo Sorce <simo@redhat.com>

Remove redundant definition. We had 2 defines for the same class. Consolidate and remove confusion.

8455d5ab61184e0d126fc074a9ce6e98391eb909 20-Nov-2012 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Only convert direct parents' ghost attribute to member https://fedorahosted.org/sssd/ticket/1612 This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents. As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback. The original member attributes are only saved if the LDAP schema supports nesting.

8d9e0547a864cee05ab36bc988300c0cfa986025 19-Nov-2012 Simo Sorce <simo@redhat.com>

Refactor the way subdomain accounts are saved The original sysdb code had a strong assumption that only users from one domain are saved in the database, with the subdomain feature, we have changed reality, but have not adjusted all the code around the sysdb calls to not rely on the original assumption. One of the side effects of this incongruence is that currently group memberships do not return fully qualified names for subdomain users as they should. In order to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By saving them fully qualified we do not risk aliasing local users and have group memberships or other name based matching code mistake a domain user with subdomain user or vice versa.

4c9a85ab708ec7debecad51e4240e04d8bc6ca4e 19-Nov-2012 Ondrej Kos <okos@redhat.com>

Display more information on DB version mismatch https://fedorahosted.org/sssd/ticket/1589 Added check for determining, whether database version is higher or lower than expected. To distinguish it from other errors it uses following return values (further used for appropriate error message): EMEDIUMTYPE for lower version than expected EUCLEAN for higher version than expected When SSSD or one of its tools fails on DB version mismatch, new error message is shown suggesting how to proceed.

6b216d9bf26e9dc333e2ebd0158a3952f51a08d4 19-Nov-2012 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Remove unused macros

6722c85cb59c2d6fc223966c2b83cc3ea0d9aceb 11-Nov-2012 Sumit Bose <sbose@redhat.com>

Add pac_user_get_grp_info() to read current group memberships To be able to efficiently store group memberships we need to know the current memberships of a user. sysdb_initgroups() is used to read the user entry together with all groups the user is a member of. Some of the group attributes are kept to avoid additional lookups and speed up further processing. Currently sysdb_initgroups() does not return the original DN of the group. Since it is needed to remove memberships later on it is added to the list of requested attributes

73550e4cc5abf4c639a65c7c65d68d9dd2ed64f7 26-Oct-2012 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_base_dn() Add a help function which returns the ldb_dn object for the base dn of the cache.

edd6630a969fcd6ee2f4e69ebf7576926f040e48 24-Sep-2012 Jakub Hrozek <jhrozek@redhat.com>

DB: Use TALLOC_CTX for talloc context A couple of sysdb functions used "void *" in place of a TALLOC_CTX.

95f5e7963a36b7b68859ce91ae4b232088bbaa09 24-Sep-2012 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Remove unnecessary domain parameter from several sysdb calls The domain can be read from the sysdb object. Removing the domain string makes the API more self-contained.

f17d26a8db285622a5cd5f21c7488b62eedc2cf8 24-Sep-2012 Jakub Hrozek <jhrozek@redhat.com>

AUTOFS: Add entry objects below map objects https://fedorahosted.org/sssd/ticket/1506 Changes how the new autofs entry objects are handled. Instead of creating the entry on the cn=autofs,cn=custom level, the entry is created below the map it belongs to.

74c85b07831edb520764bfb0f997576ff355c681 21-Aug-2012 Stephen Gallagher <sgallagh@redhat.com>

SYSDB: Make sysdb_attrs_get_el_int() public Also rename it to sysdb_attrs_get_el_ext()

97b0dd25b0b62e57fdb7750b398181f953b2fd37 07-Aug-2012 Pavel Březina <pbrezina@redhat.com>

Remove redefinition of some SYSDB_* macros

efea50efda58be66638e5d38c8e57fdf9992f204 01-Aug-2012 Simo Sorce <simo@redhat.com>

Change refreshing of subdomains This patch keeps a local copy of the subdomains in the ipa subdomains plugin context. This has 2 advantages: 1. allows to check if anything changed w/o always hitting the sysdb. 2. later will allow us to dump this information w/o having to retrieve it again. The timestamp also allows to avoid refreshing too often.

204cfc89a076fd32bf34f2abb3f809304aaa88ab 01-Aug-2012 Simo Sorce <simo@redhat.com>

Add realm parameter to subdomain list This will be used later for setting domain_realm mappings in krb5.conf

b58460076fe843c11d736ae244c1ac979a6473a4 01-Aug-2012 Simo Sorce <simo@redhat.com>

Change subdomain_info Rename the structure to use a standard name prefix so it is properly name-spaced, in preparation for changing the structure itself.

1a3e6221b38a7cae27d7e84a30bb8ea3c3900a47 18-Jul-2012 Jan Zeleny <jzeleny@redhat.com>

Modify priority evaluation in SELinux user maps The functionality now is following: When rule is being matched, its priority is determined as a combination of user and host specificity (host taking preference). After the rule is matched in provider, only its host priority is stored in sysdb for later usage. When rules are matched in the responder, their user priority is determined. After that their host priority is retrieved directly from sysdb and sum of both priorities is used to determine whether to use that rule or not. If more rules have the same priority, the order given in IPA config is used. https://fedorahosted.org/sssd/ticket/1360 https://fedorahosted.org/sssd/ticket/1395

266fd9834133e31c51b9e967307a793e5a49258e 18-Jul-2012 Jan Zeleny <jzeleny@redhat.com>

Add function sysdb_attrs_copy_values() This function copies all values from one sysdb_attrs structure to another

386a66b1aa18a176e6a06fa126556c9590c373b6 21-Jun-2012 Sumit Bose <sbose@redhat.com>

Add support for ID ranges

84c611c1b7c04cc7735ab54d4e5f48284b79e6fb 10-Jun-2012 Jan Zeleny <jzeleny@redhat.com>

IPA subdomains - ask for information about master domain The query is performed only if there is missing information in the cache. That means this should be done only once after restart when cache doesn't exist. All subsequent requests for subdomains won't include the request for master domain.

e4fb78b4507fe0c9ad55a3cff12b67b7b4976580 31-May-2012 Jan Zeleny <jzeleny@redhat.com>

Ghost members - modifications in sysdb Deleted sysdb_add_fake_user(): This function is no longer used. Modified sysdb_add_user(): When user object is added to sysdb, it is important to iterate over all groups that might have its name or any of its aliases as ghost member and replace this ghost membership by a real one. This will eliminate duplicate memberships.

15c4878ac7830d078ad1a948a08a79e8b93eab3f 31-May-2012 Jan Zeleny <jzeleny@redhat.com>

Ghost members - add the ghost attribute to sysdb

532eb49e129bedf57cdbd0a66f39ad228b8f2482 03-May-2012 Stephen Gallagher <sgallagh@redhat.com>

LDAP: Map the user's primaryGroupID

8538f3d5109c548049c344fa042684d9d40f04d6 03-May-2012 Stephen Gallagher <sgallagh@redhat.com>

LDAP: Enable looking up ID-mapped users by name

817b1bcafff27cc67630dd0cbd36df708c05fccc 03-May-2012 Stephen Gallagher <sgallagh@redhat.com>

SYSDB: Add sysdb routines for ID-mapping

4f07a5ba197b902afd3a785baf6bd9967f50dfd2 03-May-2012 Stephen Gallagher <sgallagh@redhat.com>

LDAP: Add objectSID config option

e76d78338026fa47dca32eaf7f5c15eabb1b951a 24-Apr-2012 Jan Zeleny <jzeleny@redhat.com>

Sysdb routines for subdomains

2c9d3ca604743df82f2f3a8a05829c2dee3d97d7 18-Apr-2012 Jan Zeleny <jzeleny@redhat.com>

Removed unused function sysdb_attrs_users_from_ldb_vals()

9729b24935f9b717234728b2d2cfb4ca49df307b 06-Mar-2012 Jakub Hrozek <jhrozek@redhat.com>

Search netgroups by alias, too https://fedorahosted.org/sssd/ticket/1228

b7b50b21d2254a079b1b1c299909483d23db1512 29-Feb-2012 Sumit Bose <sbose@redhat.com>

Remove sysdb_get_ctx_from_list()

d2d2d6ae0c436461bcc8f881df059eb036314c44 29-Feb-2012 Sumit Bose <sbose@redhat.com>

Keep sysdb context in domain info struct

277a0187190fd417696590b303a5d7a204ed0555 24-Feb-2012 Jan Zeleny <jzeleny@redhat.com>

Delete missing attributes from netgroups to be stored https://fedorahosted.org/sssd/ticket/1136

fdab7bbf8933351f6254438c30ff361cd748b15a 24-Feb-2012 Jan Zeleny <jzeleny@redhat.com>

IPA hosts refactoring

af5a58fc3811af8521721f731d8234d983042cea 07-Feb-2012 Jan Cholasta <jcholast@redhat.com>

LDAP: Add support for SSH user public keys

4c11f752e1f10cf5740d53a3206bb795e9e34fe8 06-Feb-2012 Jan Zeleny <jzeleny@redhat.com>

Added some SELinux-related sysdb routines

9674f0f018c65a9af6b18dd0a4e515f726803d27 06-Feb-2012 Jan Zeleny <jzeleny@redhat.com>

Renamed some sysdb constants for their wider usage

1f1e6cbc59868f06dee3ab4b3df660fcb77ce1c8 06-Feb-2012 Jakub Hrozek <jhrozek@redhat.com>

AUTOFS: sysdb interface

48b6eab1b369107af0d568e016a87637b7affc55 31-Jan-2012 Stephen Gallagher <sgallagh@redhat.com>

SYSDB: Add sysdb_attrs_get_uint16_t

e299638926171e0e92a36122aeff6611cd52418d 31-Jan-2012 Stephen Gallagher <sgallagh@redhat.com>

SYSDB: extend sysdb_store_service() to accept additional attributes

6961025be43141b1d1ca4a6a046ce8f3ac94f508 17-Jan-2012 Pavel Březina <pbrezina@redhat.com>

sysdb_get_bool() and sysdb_get_bool() functions

75a43c7f91fcb27dee75976cc7c094dd5fa589f6 16-Dec-2011 Jakub Hrozek <jhrozek@redhat.com>

Export the function to convert ldb_result to sysdb_attrs It will be reused later in the sudo responder

940e033c0c427d02a34347dbd2f4443fa625b111 16-Dec-2011 Jakub Hrozek <jhrozek@redhat.com>

Use the case sensitivity flag in the LDAP provider

a26ea060ec4001daf5614bd9afcc092d29174662 16-Dec-2011 Jakub Hrozek <jhrozek@redhat.com>

sysdb_get_real_name helper function

544de543ee88961272e9b9c5baa2c0d296162965 23-Nov-2011 Jan Zeleny <jzeleny@redhat.com>

Added and modified options for IPA netgroups

684d1b48b5582a1bf7812b8c3c663592dc6dfed9 13-Oct-2011 Pavel Březina <pbrezina@redhat.com>

SysDB commands that save lastUpdate allows this value to be passed in https://fedorahosted.org/sssd/ticket/836

c98298029c51fdbc727536fec7a27795184d04e4 28-Sep-2011 Jakub Hrozek <jhrozek@redhat.com>

Return users and groups based on alias https://fedorahosted.org/sssd/ticket/926

fd61c807554d5a3ff74f065eb0438fe2524f4ba2 28-Sep-2011 Jakub Hrozek <jhrozek@redhat.com>

Add a sysdb_get_direct_parents function

920b227ac810f1a1964bbecfdc4d871a1cfd07ac 28-Sep-2011 Jakub Hrozek <jhrozek@redhat.com>

Add sysdb interface to get name aliases

844015b85bb4e488161ee6c8912f3f4b4c4572c5 15-Aug-2011 Jan Zeleny <jzeleny@redhat.com>

Remaining memory context variables renamed memctx to mem_ctx tmpctx to tmp_ctx

e79d23932ef9d52cf4eb32ddec2d0a9b3af9a9eb 15-Aug-2011 Jan Zeleny <jzeleny@redhat.com>

sysdb refactoring: memory context deleted This patch deletes memory context parameter in those places in sysdb where it is not necessary. The code using modified functions has been updated. Tests updated as well.

8a1738f9379a1b8fb5c95c3df649e014ff5a1434 15-Aug-2011 Jan Zeleny <jzeleny@redhat.com>

sysdb refactoring: deleted domain variables in sysdb API The patch also updates code using modified functions. Tests have also been adjusted.

sysdb.c sysdb.h sysdb_ops.c sysdb_search.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_auth.c /sssd-io/src/providers/ipa/ipa_hbac_common.c /sssd-io/src/providers/ipa/ipa_hbac_hosts.c /sssd-io/src/providers/ipa/ipa_hbac_services.c /sssd-io/src/providers/ipa/ipa_hbac_users.c /sssd-io/src/providers/krb5/krb5_access.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_renew_tgt.c /sssd-io/src/providers/ldap/ldap_auth.c /sssd-io/src/providers/ldap/ldap_common.c /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/ldap_id_cleanup.c /sssd-io/src/providers/ldap/ldap_id_enum.c /sssd-io/src/providers/ldap/ldap_id_netgroup.c /sssd-io/src/providers/ldap/sdap_access.c /sssd-io/src/providers/ldap/sdap_async_accounts.c /sssd-io/src/providers/ldap/sdap_async_netgroups.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_netgroup.c /sssd-io/src/providers/simple/simple_access.c /sssd-io/src/python/pysss.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_sync_ops.h /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/tools/tools_util.c
237ade4114ae88f87c814d447dfd5aebdbdf72ef 15-Aug-2011 Jan Zeleny <jzeleny@redhat.com>

Added sysdb_ctx_get_domain function

82c3185b2ccc1e99ff6c6d63d09754cbd0705e6c 15-Aug-2011 Jan Zeleny <jzeleny@redhat.com>

sysdb refactoring: renamed ctx variable to sysdb

ace07a7d75c5a7c3f5613e5349fa8c1ffd05863a 02-Jun-2011 Jan Zeleny <jzeleny@redhat.com>

Non-posix group processing - sysdb changes

ba33be9b40ecbe6f98a52025348dbcff43273b40 02-Jun-2011 Jan Zeleny <jzeleny@redhat.com>

Added sysdb_attrs_get_bool() function

77bc3d93ddd41edee6046508884d7e95553ed5b7 20-May-2011 Jakub Hrozek <jhrozek@redhat.com>

Change sysdb_add_fake_user to add OriginalDN RFC2307bis code relies heavily on originalDN, so the fake users need to have an option to store it, too.

f62b9b41b0a29a0294d6e532e2bed2b4ce9012e4 04-May-2011 Jan Zeleny <jzeleny@redhat.com>

Add a function for searching netgroups with custom filter

9dfa22c3925792204b22962851dd44175e1b5735 04-May-2011 Jan Zeleny <jzeleny@redhat.com>

Make sysdb_ctx_list public structure Also create a routine to initialize it

3612c73e7957721bcbf31d0118e2ac210eb46b88 24-Mar-2011 Pierre Ossman <pierre@ossman.eu>

Add host access control support https://fedorahosted.org/sssd/ticket/746

24be43b38dc62de571636f04632f00f699112440 23-Mar-2011 Stephen Gallagher <sgallagh@redhat.com>

Add sysdb_attrs_primary_name_list() routine This routine will replace the use of sysdb_attrs_to_list() for any case where we're trying to get the name of the entry. It's a necessary precaution in case the name is multi-valued.

278e1768a158a73b7769bcfe17035a17e2b81f70 23-Mar-2011 Jakub Hrozek <jhrozek@redhat.com>

Add originalDN to fake groups

d86c2d2995933d61fc3c63f74ec260b5c8c75bf9 23-Mar-2011 Stephen Gallagher <sgallagh@redhat.com>

Add sysdb_attrs_primary_name() This function will check a sysdb_attrs struct for the primary name of the entity it represents. If there are multiple entries, it will pick the one that matches the RDN. If none match, it will throw an error.

42d8e67c26df2b7660507d26b9a50911bdd3cf18 23-Mar-2011 Stephen Gallagher <sgallagh@redhat.com>

Create sysdb_get_rdn() function This function takes a DN formatted string and returns the RDN value from it.

c6257286e9a31dfd42d28c99a22a69e2c4717a61 21-Jan-2011 Stephen Gallagher <sgallagh@redhat.com>

Delete attributes that are removed from LDAP Sometimes, a value in LDAP will cease to exist (the classic example being shadowExpire). We need to make sure we purge that value from SSSD's sysdb as well. https://fedorahosted.org/sssd/ticket/750

2a2f642aae37e3f41cbbda162a74c2b946a4521f 21-Dec-2010 Stephen Gallagher <sgallagh@redhat.com>

Add authorizedService support https://fedorahosted.org/sssd/ticket/670

84bb9ec1bba8e60d1d87febd48749edd18e16787 20-Dec-2010 Stephen Gallagher <sgallagh@redhat.com>

Add sysdb_has_enumerated and sysdb_set_enumerated helper functions Includes a unit test

f8a60e728780a8230ed4fa9c5350fa94534f0543 15-Nov-2010 Stephen Gallagher <sgallagh@redhat.com>

Fix const cast issue with sysdb_attrs_users_from_str_list

3fa7380908997eda5e45c5f4d6b512a954d3bc3c 15-Nov-2010 Stephen Gallagher <sgallagh@redhat.com>

Fix const cast warning for sysdb_update_members

aef2ac961abfe73c799354f5cfa0331ab44ac765 15-Nov-2010 Stephen Gallagher <sgallagh@redhat.com>

Add sysdb utility function for sanitizing DN

580374daba2ab2c6075a7d0de9512abff133e2e9 26-Oct-2010 Jakub Hrozek <jhrozek@redhat.com>

Always use uint32_t for UID/GID numbers

8059574092a96396dea64dae13696a7f95b423b1 18-Oct-2010 Stephen Gallagher <sgallagh@redhat.com>

Modify sysdb_[add|remove]_group_member to accept users and groups Previously, it assumed that all members were users. This changes the interface so that either a user or a group can be specified. Also, it eliminates the need for a memory context to be passed, since the internal memory should be self-contained.

c1d525a90f06a9414d0788857b271b80625a5858 15-Oct-2010 Jakub Hrozek <jhrozek@redhat.com>

sysdb interface for adding fake users

7e15d2ed3c01ab3c1f5f882fe8fa974058097bc6 15-Oct-2010 Jakub Hrozek <jhrozek@redhat.com>

sysdb interface for adding incomplete groups Useful for optimizing the initgroups operation.

8c08a5e11f19cfe39695ee80793b72e2034c5aa4 15-Oct-2010 Jakub Hrozek <jhrozek@redhat.com>

Add sysdb_attrs_get_ulong utility function

619bd403265ce0880989ba6f8324b010949851bc 13-Oct-2010 Sumit Bose <sbose@redhat.com>

Implement netgroup support for LDAP provider

8c64b46e923ec590984325beedb29fcd09aac0e4 13-Oct-2010 Sumit Bose <sbose@redhat.com>

Also return member groups to the client

517b5d79dd38b20f9e03dd0bd8bdc0f0a6f67198 13-Oct-2010 Sumit Bose <sbose@redhat.com>

Add sysdb_netgroup_base_dn()

1a3c4b9f378e3b04161e4f35b2efa5fae3d56a7b 13-Oct-2010 Stephen Gallagher <sgallagh@redhat.com>

Netgroups sysdb API

b0f08fe9d94f5bc6ec0c749f2b78d3f0d95cf5af 15-Sep-2010 Jakub Hrozek <jhrozek@redhat.com>

Define objectclass with a constant Use a #define instead of hardcoded string

d59e1d2397c92a2c9f43eb310d99d81cc835b37e 03-Aug-2010 Stephen Gallagher <sgallagh@redhat.com>

Add sysdb_update_members function This function will take a user, a list of groups that this user should be added to and a list of groups the user should be removed from and will recursively call sysdb_[add|remove]_group_member Includes a unit test

0228e28a3f07b5dc909cdc154dc89c4952f09280 03-Aug-2010 Stephen Gallagher <sgallagh@redhat.com>

Add sysdb_group_dn_name utility function

0286d59c82657abe96ccaa3eebea7240ac30ca81 03-Aug-2010 Stephen Gallagher <sgallagh@redhat.com>

Add sysdb_attrs_to_list() utility function

5fad9a3d700ba24783e66c6941f68f84459b4d61 02-Jun-2010 Sumit Bose <sbose@redhat.com>

Add sysdb_attrs_get_string_array()

35480afaefafb77b28d35b29039989ab888aafe9 27-May-2010 Stephen Gallagher <sgallagh@redhat.com>

Add ldap_access_filter option This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users by in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com

02e38eae1b9cb5df2036a707dafd86f6047c17de 26-May-2010 Sumit Bose <sbose@redhat.com>

Add support for delayed kinit if offline If the configuration option krb5_store_password_if_offline is set to true and the backend is offline the plain text user password is stored and used to request a TGT if the backend becomes online. If available the Linux kernel key retention service is used.

/sssd-io/contrib/sssd.spec.in /sssd-io/src/Makefile.am /sssd-io/src/config/SSSDConfig.py /sssd-io/src/config/SSSDConfigTest.py /sssd-io/src/config/etc/sssd.api.d/sssd-krb5.conf /sssd-io/src/configure.ac sysdb.h sysdb_ops.c /sssd-io/src/external/libkeyutils.m4 /sssd-io/src/man/sssd-krb5.5.xml /sssd-io/src/providers/data_provider.h /sssd-io/src/providers/dp_pam_data_util.c /sssd-io/src/providers/ipa/ipa_common.c /sssd-io/src/providers/ipa/ipa_common.h /sssd-io/src/providers/ipa/ipa_init.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_auth.h /sssd-io/src/providers/krb5/krb5_common.c /sssd-io/src/providers/krb5/krb5_common.h /sssd-io/src/providers/krb5/krb5_delayed_online_authentication.c /sssd-io/src/providers/krb5/krb5_init.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/tests/sysdb-tests.c
9db5a5140356479a58f2e7212fc5c4ad6135bb7f 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: Finally stop using a common event context This commit completes the migration to a synchronous sysdb

e5e32021c23f3726d68ee756e8e3de48b3214063 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: remove remaining traces of sysdb_handle

aacf8781c61e928c74fcc89f02225374b283b872 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: remove obsolete helpers from sysdb

aafa0393524bacc5ba48e79ab536f9deb3972e38 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_initgroups

88e7576d8bf00bfd0eaed8731b7eee1d6b6e05a1 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_enumgrent

fa362558a3f89644dab60debfbc423fe31a39f00 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_enumpwent

08d9d10747da6900971cdd8fced05ca66f5111e2 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_get_user_attr

ac660a221255b761615f6ecdb63b92a6391a58a2 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_getgrgid

25465215742b9c78566d44cd06a886c4a4e43ffa 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_getgrnam

a298e5b4050a69238593017ccc774336eb332e16 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_getpwuid

7ffaa2afb9e03a6f0b9c602c0f03b2074ea33eac 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_getpwnam

7db27a6090eafc8a4f76d25c464d1341b8dc5b8a 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: remove async transactions not used anymore

cc14edade621572cf4457d55d5b989029c5131ee 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: add synchronous transaction functions

c38706faa07a380c542cd1bda3ee54edfaf275d4 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_cache_auth

8a6449480e4be898248c1d35bbf5c24d91503e4e 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_search_groups

3b3dc1a8ad19100951d19abe4038791f01faa0b7 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: delete sysdb_delete_group

ed80c73efa51780a39dfc9c72821cf88e95d264c 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_delete_user

16ef1ec0d10d24703351d02bbd7d0c2255da4359 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_search_users

4c898e1bb31ccf2af4039a7c3c5fcd82fb5667ed 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_asq_search

a137f77b4ddff7f0651ffda710cec1f01618d7a9 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_store_custom

9def019030f844e429c067c7cca27ff99c921527 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_search_custom

bb0b6b4e39242577f60729fbcbd9e46e7a7af30d 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_cache_password

02a9d8a40dc3a5fd671ede0e4fa7dac5178fbc75 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_mod/add/remove_group_member

ace612f5998f619ba41828d2ba4b80d02a965162 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_store/add(_basic)_group

a6ecb562529430be5a4cd6e8cdd541a383c9a2e1 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_store/add(_basic)_user

c4a8b4169eea9661156d78dfe73a723fc5b61697 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_get_new_id

506d34d2e84268c6589f613de0cb3992b8fb87a6 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_set_entry/user/group_attr

5c69fd7c03e762a6fb08a7224eb1d6fd2967d09c 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_search_group_by_name/gid

1c733ece101ca43b84c59a8dc7953346312dbf64 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_search_user_by_name/uid

0995e4cc173577122bea5a1d4698262fd0e9c200 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_search_entry and sysdb_delete_recursive

79c090e8c25ac13454b9f12f4d6dc635029a0c9d 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_delete_custom

cae9c9fbdebc3f6a4c390a20e75447217439dff7 12-Apr-2010 Stephen Gallagher <sgallagh@redhat.com>

sysdb: convert sysdb_delete_entry

1c48b5a62f73234ed26bb20f0ab345ab61cda0ab 18-Feb-2010 Stephen Gallagher <sgallagh@redhat.com>

Rename server/ directory to src/ Also update BUILD.txt

/sssd-io/BUILD.txt /sssd-io/Makefile.am /sssd-io/configure.ac /sssd-io/contrib/sssd.spec.in /sssd-io/src/Makefile.am /sssd-io/src/build_macros.m4 /sssd-io/src/conf_macros.m4 /sssd-io/src/confdb/confdb.c /sssd-io/src/confdb/confdb.h /sssd-io/src/confdb/confdb_private.h /sssd-io/src/confdb/confdb_setup.c /sssd-io/src/confdb/confdb_setup.h /sssd-io/src/config/SSSDConfig.py /sssd-io/src/config/SSSDConfigTest.py /sssd-io/src/config/etc/sssd.api.conf /sssd-io/src/config/etc/sssd.api.d/sssd-ipa.conf /sssd-io/src/config/etc/sssd.api.d/sssd-krb5.conf /sssd-io/src/config/etc/sssd.api.d/sssd-ldap.conf /sssd-io/src/config/etc/sssd.api.d/sssd-local.conf /sssd-io/src/config/etc/sssd.api.d/sssd-proxy.conf /sssd-io/src/config/ipachangeconf.py /sssd-io/src/config/setup.py /sssd-io/src/config/testconfigs/noparse.api.conf /sssd-io/src/config/testconfigs/sssd-badversion.conf /sssd-io/src/config/testconfigs/sssd-invalid-badbool.conf /sssd-io/src/config/testconfigs/sssd-invalid.conf /sssd-io/src/config/testconfigs/sssd-noversion.conf /sssd-io/src/config/testconfigs/sssd-valid.conf /sssd-io/src/config/upgrade_config.py /sssd-io/src/configure.ac sysdb.c sysdb.h sysdb_ops.c sysdb_private.h sysdb_search.c /sssd-io/src/doxy.config.in /sssd-io/src/examples/sssd.conf /sssd-io/src/examples/sssdproxytest /sssd-io/src/examples/sudo /sssd-io/src/external/crypto.m4 /sssd-io/src/external/docbook.m4 /sssd-io/src/external/krb5.m4 /sssd-io/src/external/ldap.m4 /sssd-io/src/external/libcares.m4 /sssd-io/src/external/libcollection.m4 /sssd-io/src/external/libdhash.m4 /sssd-io/src/external/libini_config.m4 /sssd-io/src/external/libldb.m4 /sssd-io/src/external/libpcre.m4 /sssd-io/src/external/libpopt.m4 /sssd-io/src/external/libtalloc.m4 /sssd-io/src/external/libtdb.m4 /sssd-io/src/external/libtevent.m4 /sssd-io/src/external/pam.m4 /sssd-io/src/external/pkg.m4 /sssd-io/src/external/platform.m4 /sssd-io/src/external/python.m4 /sssd-io/src/external/selinux.m4 /sssd-io/src/external/sizes.m4 
/sssd-io/src/krb5_plugin/sssd_krb5_locator_plugin.c /sssd-io/src/ldb_modules/memberof.c /sssd-io/src/m4/.dir /sssd-io/src/man/include/failover.xml /sssd-io/src/man/include/param_help.xml /sssd-io/src/man/include/upstream.xml /sssd-io/src/man/sss_groupadd.8.xml /sssd-io/src/man/sss_groupdel.8.xml /sssd-io/src/man/sss_groupmod.8.xml /sssd-io/src/man/sss_groupshow.8.xml /sssd-io/src/man/sss_useradd.8.xml /sssd-io/src/man/sss_userdel.8.xml /sssd-io/src/man/sss_usermod.8.xml /sssd-io/src/man/sssd-ipa.5.xml /sssd-io/src/man/sssd-krb5.5.xml /sssd-io/src/man/sssd-ldap.5.xml /sssd-io/src/man/sssd.8.xml /sssd-io/src/man/sssd.conf.5.xml /sssd-io/src/man/sssd_krb5_locator_plugin.8.xml /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor.h /sssd-io/src/monitor/monitor_interfaces.h /sssd-io/src/monitor/monitor_sbus.c /sssd-io/src/po/LINGUAS /sssd-io/src/po/Makevars /sssd-io/src/po/POTFILES.in /sssd-io/src/po/de.po /sssd-io/src/po/es.po /sssd-io/src/po/fr.po /sssd-io/src/po/it.po /sssd-io/src/po/ja.po /sssd-io/src/po/nl.po /sssd-io/src/po/pl.po /sssd-io/src/po/pt.po /sssd-io/src/po/sss_daemon.pot /sssd-io/src/po/sv.po /sssd-io/src/providers/child_common.c /sssd-io/src/providers/child_common.h /sssd-io/src/providers/data_provider.h /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/data_provider_opts.c /sssd-io/src/providers/dp_auth_util.c /sssd-io/src/providers/dp_backend.h /sssd-io/src/providers/dp_sbus.c /sssd-io/src/providers/fail_over.c /sssd-io/src/providers/fail_over.h /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_access.h /sssd-io/src/providers/ipa/ipa_auth.c /sssd-io/src/providers/ipa/ipa_auth.h /sssd-io/src/providers/ipa/ipa_common.c /sssd-io/src/providers/ipa/ipa_common.h /sssd-io/src/providers/ipa/ipa_init.c /sssd-io/src/providers/ipa/ipa_timerules.c /sssd-io/src/providers/ipa/ipa_timerules.h /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_auth.h 
/sssd-io/src/providers/krb5/krb5_become_user.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_common.c /sssd-io/src/providers/krb5/krb5_common.h /sssd-io/src/providers/krb5/krb5_init.c /sssd-io/src/providers/krb5/krb5_utils.c /sssd-io/src/providers/krb5/krb5_utils.h /sssd-io/src/providers/ldap/ldap_auth.c /sssd-io/src/providers/ldap/ldap_child.c /sssd-io/src/providers/ldap/ldap_common.c /sssd-io/src/providers/ldap/ldap_common.h /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/ldap_id_cleanup.c /sssd-io/src/providers/ldap/ldap_id_enum.c /sssd-io/src/providers/ldap/ldap_init.c /sssd-io/src/providers/ldap/sdap.c /sssd-io/src/providers/ldap/sdap.h /sssd-io/src/providers/ldap/sdap_async.c /sssd-io/src/providers/ldap/sdap_async.h /sssd-io/src/providers/ldap/sdap_async_accounts.c /sssd-io/src/providers/ldap/sdap_async_connection.c /sssd-io/src/providers/ldap/sdap_async_private.h /sssd-io/src/providers/ldap/sdap_child_helpers.c /sssd-io/src/providers/providers.h /sssd-io/src/providers/proxy.c /sssd-io/src/providers/sssd_be.exports /sssd-io/src/python/pysss.c /sssd-io/src/resolv/ares/ares_data.c /sssd-io/src/resolv/ares/ares_data.h /sssd-io/src/resolv/ares/ares_dns.h /sssd-io/src/resolv/ares/ares_parse_srv_reply.c /sssd-io/src/resolv/ares/ares_parse_srv_reply.h /sssd-io/src/resolv/ares/ares_parse_txt_reply.c /sssd-io/src/resolv/ares/ares_parse_txt_reply.h /sssd-io/src/resolv/async_resolv.c /sssd-io/src/resolv/async_resolv.h /sssd-io/src/responder/common/responder.h /sssd-io/src/responder/common/responder_cmd.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/common/responder_packet.c /sssd-io/src/responder/common/responder_packet.h /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/responder/nss/nsssrv.h /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_nc.c /sssd-io/src/responder/nss/nsssrv_nc.h /sssd-io/src/responder/pam/pam_LOCAL_domain.c 
/sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/pam/pamsrv.h /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/pam/pamsrv_dp.c /sssd-io/src/sbus/sbus_client.c /sssd-io/src/sbus/sbus_client.h /sssd-io/src/sbus/sssd_dbus.h /sssd-io/src/sbus/sssd_dbus_common.c /sssd-io/src/sbus/sssd_dbus_connection.c /sssd-io/src/sbus/sssd_dbus_private.h /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/sss_client/common.c /sssd-io/src/sss_client/group.c /sssd-io/src/sss_client/man/pam_sss.8.xml /sssd-io/src/sss_client/pam_sss.c /sssd-io/src/sss_client/pam_test_client.c /sssd-io/src/sss_client/passwd.c /sssd-io/src/sss_client/protos.h /sssd-io/src/sss_client/sss_cli.h /sssd-io/src/sss_client/sss_nss.exports /sssd-io/src/sss_client/sss_pam.exports /sssd-io/src/sss_client/sss_pam_macros.h /sssd-io/src/sysv/SUSE/sssd /sssd-io/src/sysv/sssd /sssd-io/src/tests/auth-tests.c /sssd-io/src/tests/check_and_open-tests.c /sssd-io/src/tests/common.c /sssd-io/src/tests/common.h /sssd-io/src/tests/fail_over-tests.c /sssd-io/src/tests/files-tests.c /sssd-io/src/tests/find_uid-tests.c /sssd-io/src/tests/ipa_ldap_opt-tests.c /sssd-io/src/tests/ipa_timerules-tests.c /sssd-io/src/tests/krb5_utils-tests.c /sssd-io/src/tests/python-test.py /sssd-io/src/tests/refcount-tests.c /sssd-io/src/tests/resolv-tests.c /sssd-io/src/tests/stress-tests.c /sssd-io/src/tests/strtonum-tests.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tools/files.c /sssd-io/src/tools/sss_groupadd.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_sync_ops.h /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/tools/tools_util.c /sssd-io/src/tools/tools_util.h /sssd-io/src/util/backup_file.c /sssd-io/src/util/check_and_open.c /sssd-io/src/util/crypto_sha512crypt.c /sssd-io/src/util/debug.c /sssd-io/src/util/dlinklist.h 
/sssd-io/src/util/find_uid.c /sssd-io/src/util/find_uid.h /sssd-io/src/util/memory.c /sssd-io/src/util/nss_sha512crypt.c /sssd-io/src/util/refcount.c /sssd-io/src/util/refcount.h /sssd-io/src/util/server.c /sssd-io/src/util/sha512crypt.h /sssd-io/src/util/signal.c /sssd-io/src/util/signal.m4 /sssd-io/src/util/sss_krb5.c /sssd-io/src/util/sss_krb5.h /sssd-io/src/util/sss_ldap.c /sssd-io/src/util/sss_ldap.h /sssd-io/src/util/strtonum.c /sssd-io/src/util/strtonum.h /sssd-io/src/util/user_info_msg.c /sssd-io/src/util/user_info_msg.h /sssd-io/src/util/usertools.c /sssd-io/src/util/util.c /sssd-io/src/util/util.h