d2633d922eeed68f92be4248b9172b928c189920 |
|
25-Apr-2018 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Augment the sdap_opts structure with a data provider pointer
In order to be able to use the Data Provider methods from the SDAP code
to e.g. invalidate memcache when needed, add a new field to the
sdap_options structure with the data_provider structure pointer.
Fill the pointer value for all LDAP-based providers.
Related:
https://pagure.io/SSSD/sssd/issue/2653
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
e6ad16e05f42a1678a8c6cd14eb54ca75b8d775e |
|
21-Feb-2018 |
Sumit Bose <sbose@redhat.com> |
AD: do not allocate temporary data on long living context
Related to https://pagure.io/SSSD/sssd/issue/3639
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b4ca0da4d8d70bcfbd4f809f3b3b094d43d64cfc |
|
19-May-2017 |
Michal Židek <mzidek@redhat.com> |
AD: Add debug messages
Add debug messages when 1way or 2way trusts are created.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
4c49edbd8df651b1737c59459637962c117212c6 |
|
02-May-2017 |
Michal Židek <mzidek@redhat.com> |
SDAP: Fix handling of search bases
We were rewriting the sdap_domain's search bases for only the first
sdap_domain in the list, which does not work for subdomains.
Also when search bases were already initialized in sdap_domain_subdom_add,
we should only rewrite them when they were explicitly set in sssd.conf.
Resolves:
https://pagure.io/SSSD/sssd/issue/3351
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e0e038218580166648ac24f23180f0f4c2769d99 |
|
29-Mar-2017 |
Michal Židek <mzidek@redhat.com> |
UTIL: Introduce subdomain_create_conf_path()
This is a utility function that replaces the create_subdom_conf_path().
Differently than the latter, it only takes one parameter and is going to
be used in a few different places (thus adding it to util.h).
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukas Slebodnik <lslebodn@redhat.com> |
231bd1b34023daa3080cf461085e6e4aa7f4d733 |
|
15-Mar-2017 |
Michal Židek <mzidek@redhat.com> |
SUBDOMAINS: Configurable search bases
Added new trusted domain section in the
sssd.conf were the search bases for the
trusted domain can be specified.
Resolves:
https://pagure.io/SSSD/sssd/issue/2599
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e915f42093add45a11208e871c9abdf7ab2bfbdc |
|
16-Aug-2016 |
Justin Stephenson <jstephen@redhat.com> |
Warn if IP address is used as option for ipa_server/ad_server
GSSAPI is dependent on DNS with hostnames and we should warn about this.
Resolves:
https://fedorahosted.org/sssd/ticket/2789
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
892ddeb5190dd5c1ffa26a95142a10a0034fc5e3 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
Rename dp_dyndns.h to be_dyndns.h
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
cc4caf88344210ea9777d618f0f71935ca5e7f8b |
|
09-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
AD: use krb5_keytab for subdomain initialization
During the initialization of AD subdomains parameters like the SASL auth
id are determined. Since subdomains use a default set of the AD specific
configuration options the default keytab will be used. If krb5_keytab is
set in sssd.conf for the AD domain this keytab should be used for the
subdomains (domains of the same AD forest) as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
03b859510dc13a13a456ca4aa94c0561a0e9684c |
|
26-Nov-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Add autofs provider
https://fedorahosted.org/sssd/ticket/1632
Adds the possibility to configure:
autofs_provider = ad
The AD autofs provider uses the rfc2307 (nis*) attribute maps. This is
different (at the moment) from using autofs_provider=ldap with
ldap_schema=ad.
Reviewed-by: Ondrej Valousek <ondrejv2@fedoraproject.org>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
499b60f44ecf7124e1906157bd4fca141f48e8d9 |
|
12-Nov-2015 |
Pavel Březina <pbrezina@redhat.com> |
AD: remove annoying debug message
This debug message is mostly a left over from development and doesn't
give us any useful information. It is just annoying in the logs.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a3ade2e98d397d000f224ae80c6512c959cca18e |
|
11-Nov-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
AD: Remove unused memory context from ad_user_conn_list
Reviewed-by: Petr Cech <pcech@redhat.com> |
afb21fd06690a0bec288a7970abf74ed2ea7dfdc |
|
07-Oct-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Consolidate connection list construction on ad_common.c
Reviewed-by: Sumit Bose <sbose@redhat.com> |
309aa83d16b5919f727af04850bcd0799ba0962f |
|
07-Oct-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Provide common connection list construction functions
https://fedorahosted.org/sssd/ticket/2810
Provides a new AD common function ad_ldap_conn_list() that creates a
list of AD connection to use along with properties to avoid mistakes
when manually constructing these lists.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
12440d2acbeb7ea6e5c0e4182d00377c8d01185b |
|
02-Oct-2015 |
Pavel Reichl <preichl@redhat.com> |
AD: fix minor memory leak
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
30dd3f3e063dded0ec9f58bc2535a94727d8e96d |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Add ad_create_1way_trust_options
Related:
https://fedorahosted.org/sssd/ticket/2638
For one-way trusts we can assume that AD domain is the same as the
Kerberis realm. On the other hand, SASL realm and keytab path are
specified, unlike two-way trusts that use the system keytab.
Includes a unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
de2bad8ae08f09964834bda0f88db9de39f47c5c |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA/AD: Set up AD domain in ad_create_2way_trust_options
Related:
https://fedorahosted.org/sssd/ticket/2638
Removed code duplication. Amends unit test to make sure we don't
regress.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
933314e53fac878d1a9b126af216454172cb945a |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Split off ad_create_default_options
Related:
https://fedorahosted.org/sssd/ticket/2638
Make the function reusable and add a simple unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
51b5e1475b3e0b7acac34ed382cfaca8411883a4 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Rename ad_create_default_options to ad_create_2way_trust_options
Related:
https://fedorahosted.org/sssd/ticket/2638
Better reflects what's going on in the function. Also adds a unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
44ba573582072823d8760d0f18e5b3195cecc182 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Rename ad_set_ad_id_options to ad_set_sdap_options
Related:
https://fedorahosted.org/sssd/ticket/2638
The function sets SDAP related options based on the AD ID context
options. The name should reflect what the function does.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
e2bd4f8a41b72aea0712ad21ad02ccebb707f536 |
|
15-Apr-2015 |
Stephen Gallagher <sgallagh@redhat.com> |
AD: Always get domain-specific ID connection
ad_get_dom_ldap_conn() assumed that ad_ctx->ldap_ctx always points at
the LDAP connection for the primary domain, however it turns out that
this is not always the case. It's currently unclear why, but this
connection can sometimes be pointing at a subdomain. Since the value of
subdom_id_ctx->ldap_ctx always points to the correct domain (including
the primary domain case), there's no benefit to trying to shortcut to
the ad_ctx->ldap_ctx when performing this lookup.
This patch also makes a minor tweak to the tests so that the primary
domain passes the sdap_domain_get() check for validity (since it needs
to have a private member assigned).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 |
|
17-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Add missing new lines to debug messages
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
5b4c6f22cb576a11037c7fa940fe0ba09e643e77 |
|
28-Nov-2014 |
Michal Zidek <mzidek@redhat.com> |
AD: Never store case_sensitive as "true" to confdb
If case_sensitive was set 'true' for AD
backend, we ignore it and continue with AD
default (false). However we still set confdb
to whatever was set in sssd.conf for the
responders. We should store to confdb
the value that is used by the backend.
Also fixes some misleading DEBUG messages
in that code area.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
ff22e829fd73fc53027d1e6ca005a9ac334086dd |
|
29-Jul-2014 |
Michal Zidek <mzidek@redhat.com> |
case_sensitivity = preserving
If case_sensitivity is set to 'preserving', getXXnam
returns name attribute in the same format as
stored in LDAP.
Fixes:
https://fedorahosted.org/sssd/ticket/2367
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
35d420c5d4609b6e999920e38a9b2ec40a0e1ac4 |
|
22-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Initialize user_map_cnt in server mode
user_map_cnt was initialized when all the traditional back ends are
initialized. However, for the server mode, we simply copy the defaults
and the count was left zeroed, which led to crashes.
Down the road, we should consider tying the map and the attribute count
together (see ticket #2336)
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
d2969c6b23c722445bd699c830adb7601ba1cdc6 |
|
02-May-2014 |
Sumit Bose <sbose@redhat.com> |
Make LDAP extra attributes available to IPA and AD
https://fedorahosted.org/sssd/ticket/2073
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
4dd38025efda88f123eac672f87d3cda12f050c8 |
|
02-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Make it possible to extend an attribute map
https://fedorahosted.org/sssd/ticket/2073
This commit adds a new option ldap_user_extra_attrs that is unset by
default. When set, the option contains a list of LDAP attributes the LDAP
provider would download and store in addition to the usual set.
The list can either contain LDAP attribute names only, or colon-separated
tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP
attribute name is specified, the attribute is saved to the cache verbatim.
Using a custom SSSD attribute name might be required by environments that
configure several SSSD domains with different LDAP schemas.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
90afedb00608547ae1f32aa7aafd552c4b306909 |
|
26-Feb-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Provide separate dp_copy_defaults function
https://fedorahosted.org/sssd/ticket/2257
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
113debb7297f0c02b5be0dd404badeef78841a83 |
|
01-Feb-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
AD: Remove unused memory contexts
Memory context memctx was unused in functions _ad_servers_init
sdap_ad_tokengroups_update_members |
266110fa0f6eb086f8f88787bb167cea416fe108 |
|
19-Dec-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Enable fallback to LDAP of trusted domain
Since we have the LDAP port of a trusted AD GC always available now, we
can always perform a fallback. |
ba4a81e933deebb416603369b447ead6ebaa040d |
|
19-Dec-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Add a new option to turn off GC lookups
SSSD now defaults to using GC by default. For some environments, for
instance those that don't or can't replicate the POSIX attributes to
Global Catalog, this might not be desirable.
This patch introduces a new option ad_enable_gc, that is enabled by
default. Setting this option to false makes the SSSD contact only the
LDAP port of AD DCs. |
72ae534f5aef6d2e5d3f2f51299aede5abf9687e |
|
19-Dec-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Add a utility function to create list of connections
ad_id.c and ad_access.c used the same block of code. With the upcoming
option to disable GC lookups, we should unify the code in a function to
avoid breaking one of the code paths.
The same applies for the LDAP connection to the trusted AD DC.
Includes a unit test. |
3a3fd60043234038c6ff6584a5b92fb757c4afe1 |
|
25-Oct-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
AD: Prefer GC port from SRV record
We had a hard coded value of Global Catalog port (3268).
Informations from SRV record was ignored.
This patch prefer port number from SRV record and hard coded value is used only
as a fall back if port number was not initialized. |
9a9a813906472ffff3911b6006d023e1c6cbff8a |
|
04-Oct-2013 |
Sumit Bose <sbose@redhat.com> |
AD: properly intitialize GC from ad_server option |
59415636c92c6e9764ddc65a85ad61002310519d |
|
28-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: initialize failover with custom realm, domain and failover service
This is needed so we can initialize failover using IPA realm and
on-the-fly discovered DNS domain. The subdomains discovered on-thefly
will use the subdomain name for realm, domain and failover service to
avoid conflicts.
Subtaks of:
https://fedorahosted.org/sssd/ticket/1962 |
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9 |
|
28-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: decouple ad_id_ctx initialization
The IPA subdomain code will perform lookups on its own in the server
mode. For this, the AD provider must offer a way to initialize the
ad_id_ctx for external consumers.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962 |
ba95f1c434b430f0db7fddbd865af10488ecab17 |
|
26-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: kinit with the local DC even when talking to a GC
We tried to use the GC address even for kinit which gave us errors like:
"Realm not local to KDC while getting initial credentials".
This patch adds a new AD_GC service that is only used for ID lookups,
any sort of Kerberos operations are done against the local servers. |
bb4172259e04925ffc3a92e4450029634d295134 |
|
14-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Fix segfault in DEBUG message |
14452cd066b51e32ca0ebad6c45ae909a1debe57 |
|
10-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
A new option krb5_use_kdcinfo
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf |
55d80b1301fe969fb4ba2b9481027887b9462dbb |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Add additional service to support Global Catalog lookups
When fixed host names of AD servers are configured in the config file,
we can't know (unlike when service discovery is at play) if the servers
are Global Catalogs or not. This patch adds a private data to servers
read from the config file that denote whether the server can be tried
for contacting the Global Catalog port or just LDAP. The GC or LDAP URIs
are generated based on contents of this private data structure.
Because SSSD sticks to a working server, we don't have to disable or
remove the faulty GC servers from the list. |
749cfb5d3270b5daf389d51a0dbd3fd2aec6e05d |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: new SDAP domain structure
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain. |
7119f0c483049a8850d3075c0b1062f35200a538 |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Do not obfuscate calls with booleans
Instead of using boolean variables to denote whether the call is adding
a primary or a secondary server, use a function wrapper that tells what
it's doing by its name. |
3bd78eb2faf09635b8d307e4440ccb1420f80716 |
|
27-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix dyndns timer initialization
The dyndns init function was starting the timer even if the updates were
set to False. This patch splits the init of dynamic updates and the
timer into two functions so that the back end can start the updates
separately from reading the options. |
74e95cfd9d3939dfe9417d79d2f6fc79b361405f |
|
03-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Active Directory dynamic DNS updates
https://fedorahosted.org/sssd/ticket/1504
Implements dynamic DNS updates for the AD provider. By default, the
updates also update the reverse zone and run periodically every 24
hours. |
04759b59e71c78ab23b84d13dd29d9c6dd680adb |
|
02-Jan-2013 |
Michal Zidek <mzidek@redhat.com> |
failover: Protect against empty host names
Added new parameter to split_on_separator that allows to skip
empty values.
The whole function was rewritten. Unit test case was added to
check the new implementation.
https://fedorahosted.org/sssd/ticket/1484 |
e0d861963e10c5aba79ad87f8c48b0ce1bec06ca |
|
19-Nov-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Provide a common sdap_set_sasl_options init function
The AD and IPA initialization functions shared the same code. This patch
moves the code into a common initialization function. |
b1caacb098ae99ad65144120fdec4d0fd98ad9d5 |
|
17-Sep-2012 |
Pavel Březina <pbrezina@redhat.com> |
Failover: use _srv_ when no primary server is defined
https://fedorahosted.org/sssd/ticket/1521 |
b096321a5a02dda0b6b71ba0f9c4d8feacd979e4 |
|
23-Aug-2012 |
Michal Zidek <mzidek@redhat.com> |
Fix: IPv6 address with square brackets doesn't work.
https://fedorahosted.org/sssd/ticket/1365 |
0051296f67bd7d8e2e3094638ddff4e641324d04 |
|
23-Aug-2012 |
Michal Zidek <mzidek@redhat.com> |
Typo in debug message (SSSd -> SSSD).
https://fedorahosted.org/sssd/ticket/1434 |
e4c29d1f8e3b2c2b268105f169e5156a0a36aebf |
|
23-Aug-2012 |
Ondrej Kos <okos@redhat.com> |
Consolidation of functions that make realm upper-case |
9ab243b369ba317cc964080786dbcdebaf23d6be |
|
15-Aug-2012 |
Michal Zidek <mzidek@redhat.com> |
Duplicate detection in fail over did not work.
https://fedorahosted.org/sssd/ticket/1472 |
4a1e58d85409fbb7a12ac244c3dbef8c0c1b15df |
|
09-Aug-2012 |
Michal Zidek <mzidek@redhat.com> |
SRV resolution for backup servers should not be permitted.
https://fedorahosted.org/sssd/ticket/1463 |
016e0d7202ff965018e41869c5ab501f86b0d081 |
|
01-Aug-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Primary server support: AD adaptation
This patch adds support for the primary server functionality into AD
provider. No backup servers are added at the moment, just the basic
support is in place. |
346f41f1ede975cb2db0af570f5b454b9b306704 |
|
06-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
AD: Force case-insensitive operation in AD provider |
4e2d9fe30bf8b692972a9654c60d2d90ed355815 |
|
06-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
AD: use krb5_keytab for validation and GSSAPI
This simplifies configuration by eliminating the need to
specifiy both krb5_keytab and ldap_krb5_keytab if the keytab is
not located at /etc/krb5.keytab |
d92c50f6d75ae980b0d130134112a33e1584724c |
|
06-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
AD: Add AD auth and chpass providers
These new providers take advantage of existing code for the KRB5
provider, providing sensible defaults for operating against an
Active Directory 2008 R2 or later server. |
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30 |
|
06-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
AD: Add AD identity provider
This new identity provider takes advantage of existing code for
the LDAP provider, but provides sensible defaults for operating
against an Active Directory 2008 R2 or later server. |