e6ad16e05f42a1678a8c6cd14eb54ca75b8d775e |
|
21-Feb-2018 |
Sumit Bose <sbose@redhat.com> |
AD: do not allocate temporary data on long living context
Related to https://pagure.io/SSSD/sssd/issue/3639
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
095844d6b48aef483c33e5a369a405ae686e044d |
|
06-Dec-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Implement a real getAccountDomain handler for the AD provider
After this patch, the AD provider drops the default getAccountDomain
handler in favor of the handler added in this patch.
The handler first checks if the domain is eligible for locating
the domain of an ID with the help of the Global Catalog at all, which
only happens if:
- the Global Catalog is enabled
- POSIX IDs are used, not ID-mapping
- the Global catalog contains some POSIX IDs
If all these hold true, then the Global Catalog is searched with
an empty search base, which searches the whole GC. If a single entry
is returned, its original DN is converted to a domain name and returned.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
a406b52a0d20e0ec502f52d63dee293636d1443a |
|
25-Jul-2017 |
Sumit Bose <sbose@redhat.com> |
ad_account_can_shortcut: shortcut if ID is unknown
If sss_idmap_unix_to_sid() returns an error we can assume that the given
POSIX ID is not from the current domain and can be skipped. This is e.g.
the case in the IPA provider if a POSIX ID used in the IPA domain is
checked in a trusted id-mapped AD domain before the IPA domain is
checked.
Resolves https://pagure.io/SSSD/sssd/issue/3452
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
dfe05f505dcfea16e7d66ca1a44206aa2570e861 |
|
02-May-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Make ad_account_can_shortcut() reusable by SSSD on an IPA server
Resolves:
https://pagure.io/SSSD/sssd/issue/3318
The ad_account_can_shortcut() function is helpful to avoid unnecessary
searches when SSSD is configured with an Active Directory domain that
uses ID-mapping in the sense that if we find that an ID is outside our
range, we can just abort the search in this domain and carry on.
This function was only used in the AD provider functions which are used
when SSSD is enrolled directly with an AD server. This patch moves the
function to a codepath that is shared between directly enrolled SSSD and
SSSD running on an IPA server.
Apart from moving the code, there are some minor changes to the function
signature, namely the domain is passed as a struct (previously the
domain name from the DP input was passed).
Reviewed-by: Michal Židek <mzidek@redhat.com> |
2e505786d6d9d537f5b6631099862f6b93e2e687 |
|
01-Feb-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
Suppress implicit-fallthrough from gcc 7
Some kinds of comments are recognized by gcc 7, but they are ignored with
-Wimplicit-fallthrough=5 and only attributes disable the warning.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
132b31fd5fb74a7627896cdceaf29c7601ed4795 |
|
18-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
sysdb: add UPN suffix support for the master domain
sysdb_master_domain_update() and sysdb_master_domain_add_info() are now
aware of the UPN suffix attribute.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
3d29430867cf92b2d71afa95abb679711231117c |
|
15-Jul-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: rename be_acct_req to dp_id_data
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
dea636af4d1902a081ee891f1b19ee2f8729d759 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Switch to new interface
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4 |
|
13-Apr-2016 |
Sumit Bose <sbose@redhat.com> |
AD: process PAC during initgroups request
If there is a recently attached PAC blob in the cached user entry the
PAC data is used to update the group memberships data of the user. If
there is no PAC attached or if it is too old the other configured
methods will be used.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
0f1ca83d9a87953e6e44f94e5948f1675b4adda2 |
|
08-Jan-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
AD: Log SID in debug message
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
a3ade2e98d397d000f224ae80c6512c959cca18e |
|
11-Nov-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
AD: Remove unused memory context from ad_user_conn_list
Reviewed-by: Petr Cech <pcech@redhat.com> |
afb21fd06690a0bec288a7970abf74ed2ea7dfdc |
|
07-Oct-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Consolidate connection list construction on ad_common.c
Reviewed-by: Sumit Bose <sbose@redhat.com> |
309aa83d16b5919f727af04850bcd0799ba0962f |
|
07-Oct-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Provide common connection list construction functions
https://fedorahosted.org/sssd/ticket/2810
Provides a new AD common function ad_ldap_conn_list() that creates a
list of AD connections to use along with properties to avoid mistakes
when manually constructing these lists.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1c |
|
21-Sep-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Do not mark the whole back end as offline if subdomain lookup fails
Required for:
https://fedorahosted.org/sssd/ticket/2637
Rather mark the domain as inactive. It will be marked as active later;
in the meantime the main domain can continue to work online and
subdomain requests will be answered from cache.
The lookup request itself just returns a special error code and lets the
caller handle the error code as appropriate (normally by disabling the
subdomain temporarily).
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
7fc8692d49cdaa0368072f196433c07b475da679 |
|
21-Sep-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Only ignore errors from SDAP lookups if there's another connection to fallback to
Required for:
https://fedorahosted.org/sssd/ticket/2637
The AD lookup code honors the ignore_mark_offline flag in the sense that
if it's set, the sdap return code is not reported to the upper layer,
but EOK is returned as request status and the sdap return code is
returned separately.
This patch modifies the behaviour further to only apply if there is
another connection to fall back to.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
9af86b9c936d07cff9d0c2054acde908749ea522 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Add realm to sysdb_master_domain_add_info
Adding realm to both master domain and subdomain will make it easier to
set and select forest roots. Even master domains can be forest members;
it's preferable to avoid special-casing as much as possible.
Includes a unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
40bc389bc79bc41429b5a92d5ce75955f8eefaf5 |
|
01-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
Skip enumeration requests in IPA and AD providers as well
Checking the enum request in the underlying LDAP provider to skip it
might be too late as the richer IPA or AD providers depend on having a
useful result when the sdap request finishes.
Move the enumeration check earlier instead and allow directly in the IPA
or AD handler.
Related:
https://fedorahosted.org/sssd/ticket/2659
Reviewed-by: Sumit Bose <sbose@redhat.com> |
a849d848d53f305a90613a74c1767a42b250deda |
|
08-Mar-2015 |
Pavel Březina <pbrezina@redhat.com> |
sdap_handle_acct_req_send: remove be_req
be_req was used only as a talloc context for subreq. This memory context
was replaced by the state of the parent request, which is more suitable for
tevent coding style.
This change will allow us to use this function in be_refresh where
no be_req is available.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
42bc7cb28858f8affa5bc7586f8d39b3afe4c387 |
|
02-Dec-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
AD: Set dp_error if gc was not used
When the Global Catalog was not used in IPA server mode and the request
failed, dp_error was not set (default is zero). dp_error should not be OK
on a failed request.
[ipa_get_ad_acct_ad_part_done] (0x0040): AD lookup failed: 11
[ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 11
[sdap_id_op_destroy] (0x4000): releasing operation connection
[ipa_account_info_error_text] (0x0020): Bug: dp_error is OK on failed request
[acctinfo_callback] (0x0100): Request processed. Returned 3,11,Account info lookup failed
Reviewed-by: Sumit Bose <sbose@redhat.com> |
db18dda869bc6c52a41797b2066cf121cf10f49c |
|
22-Jul-2014 |
Pavel Reichl <preichl@redhat.com> |
UTIL: rename find_subdomain_by_name
The function was named "find_subdomain" yet it could find both main
domain and subdomain.
sed 's/find_subdomain_by_name/find_domain_by_name/' -i `find . -name "*.[ch]"`
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
9ca0071db0e226e4e65b2a80fdeddd5048ca8990 |
|
22-Jul-2014 |
Pavel Reichl <preichl@redhat.com> |
UTIL: rename find_subdomain_by_sid
The function was named "find_subdomain" yet it could find both main
domain and subdomain.
sed 's/find_subdomain_by_sid/find_domain_by_sid/' -i `find . -name "*.[ch]"`
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
594b76cd86e32164a22172e054750fe18d09b0d6 |
|
21-Jul-2014 |
Pavel Březina <pbrezina@redhat.com> |
ad_handle_acct_info_step: fix typo
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
60cab26b12df9a2153823972cde0c38ca86e01b9 |
|
13-May-2014 |
Yassir Elley <yelley@redhat.com> |
Implemented LDAP component of GPO-based access control
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
bad65473c4c28ecbf2b6bd374a7ae2d634d57d8d |
|
12-Mar-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
AD: Continue if sssd fails to check extra members
Reported by scan-build
for (mi = 0; group_only[mi]; mi++) {
^~~~~~~~~~
warning: Array access (from variable 'group_only') results in a null pointer
dereference
It can happen if the function ad_group_extra_members fails (ret != EOK).
Reviewed-by: Simo Sorce <simo@redhat.com> |
bb8a08118db0916bf8252a9481c16271ec20acd3 |
|
11-Mar-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Only connect to GC for subdomain users
https://fedorahosted.org/sssd/ticket/2251
By connecting to GC for users from both trusted domains and parent
domain, we lose the ability to download the shell and homedir if these
are used with ID mapping.
This patch changes the user lookups only. Changing the logic for all
lookups would break cross-domain group memberships, for example.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
4cde267bec52ae1723a125d19439a5c75b47ebb7 |
|
19-Feb-2014 |
Pavel Březina <pbrezina@redhat.com> |
ad_account_can_shortcut(): return bool instead of errno
Resolves:
https://fedorahosted.org/sssd/ticket/2210
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
d3436880c0ec1a7776698c739d4a3edc9a6ac57c |
|
12-Feb-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Remove dead code
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
957c55df7a7086166fb3c14cead6a0dab8f574c1 |
|
12-Feb-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Only download domains that are set to enumerate
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
e81deec535d11912b87954c81a1edd768c1386c9 |
|
12-Feb-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Detect the presence of POSIX attributes
When the schema is set to AD and ID mapping is not used, there is a one-time
check run when searching for users to detect the presence of POSIX
attributes in LDAP. If this check fails, the search fails as if no entry
was found and returns a special error code.
The sdap_server_opts structure is filled every time a client connects to
a server so the posix check boolean is reset to false again on connecting
to the server.
It might be better to move the check to where the rootDSE is retrieved,
but the check depends on several features that are not known to the code
that retrieves the rootDSE (or the connection code for example) such as what
the attribute mappings are or the authentication method that should be used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
b4ffa4d19e912740af6df3c1a4fabcea69729885 |
|
29-Jan-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Establish cross-domain memberships after enumeration finishes
Because domain enumeration currently works for each domain separately,
the code has to establish cross-domain memberships after all domains are
enumerated. The code works as follows:
1) check if any *sub*domains were enumerated. If not, do nothing
2) if any of the groups saved had more original members than
sysdb members, check if members of these groups can be linked now
that all users and groups are saved using the orig_member
attribute of the group matched against originalDN member of the
user.
Related:
https://fedorahosted.org/sssd/ticket/2142 |
dde2f0b4fcabc7093ddfcdda3dbacff00b82df46 |
|
29-Jan-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Enumerate users from GC, other entities from LDAP |
f8407faaeb6726bef6463d84f183f2b0ad1f99d4 |
|
29-Jan-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Pass a private context to enumeration ptask instead of hardcoded connection
Previously, the sdap-domain enumeration request used a single connection context to
download all the data. Now we'd like to use different connections to
download different objects, so the ID context is passed in and the
request itself decides which connection to use for the sdap-domain
enumeration. |
6095e82a99cc1c1fcac5e00f0a770302cc46eb2b |
|
24-Jan-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Don't abort request if no id mapping domain matches
If an ID was requested from the back end, but no ID mapping domain
matched, the request ended with a scary error message. It's better to
treat the request as if no such ID was found in the domain.
Related:
https://fedorahosted.org/sssd/ticket/2200 |
82234f3cc55b6faa954f2ad11968139ae0533f7d |
|
20-Jan-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Don't fail the request if ad_account_can_shortcut fails |
17195241500e46272018d7897d6e87249870caf2 |
|
09-Jan-2014 |
Pavel Reichl <pavel.reichl@redhat.com> |
responder: Set forest attribute in AD domains
Resolves:
https://fedorahosted.org/sssd/ticket/2160 |
72ae534f5aef6d2e5d3f2f51299aede5abf9687e |
|
19-Dec-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Add a utility function to create list of connections
ad_id.c and ad_access.c used the same block of code. With the upcoming
option to disable GC lookups, we should unify the code in a function to
avoid breaking one of the code paths.
The same applies for the LDAP connection to the trusted AD DC.
Includes a unit test. |
008e1ee835602023891ac45408483d87f41e4d5c |
|
19-Dec-2013 |
Sumit Bose <sbose@redhat.com> |
AD: cross-domain membership fix
A recent patch directed all calls related to group membership lookups to
the AD LDAP port to fix an issue related to missing group memberships in
the Global Catalog. As a side-effect it broke cross-domain
group-memberships because those cannot be resolved by the connection to
the LDAP port.
The patch tries to fix this by restoring the original behaviour in the
top-level lookup calls in the AD provider and switching to the LDAP port
only for the LDAP request which is expected to return the full group
membership.
Additionally this patch contains a related fix for the tokenGroups with
Posix attributes patch. The original connection, typically a Global
Catalog connection in the AD case is passed down the stack so that the
group lookup after the tokenGroups request can run over the same
connection. |
1101a3da9037f69a556935f2706b844accc468de |
|
18-Dec-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Don't mark domain as enumerated twice
The domain was already marked as enumerated using sysdb_set_enumerated
in the enumeration request itself. |
87a6f8fca5fb818d11b7702abb47faf2f3f00b79 |
|
13-Dec-2013 |
Sumit Bose <sbose@redhat.com> |
AD: use LDAP for group lookups
The group memberships cannot be reliably retrieved from the Global
Catalog. By default the memberOf attribute is not replicated to the GC
at all and the member attribute is copied from the local LDAP instance
to the GC running on the same host, but is only replicated to other GC
instances for groups with universal scope. Additionally the tokenGroups
attribute contains invalid SIDs when used with the GC for users from a
different domain than the one the GC belongs to.
As a result the requests which try to resolve group memberships of an
AD user have to go to an LDAP server from the domain of the user.
Fixes https://fedorahosted.org/sssd/ticket/2161 and
https://fedorahosted.org/sssd/ticket/2148 as a side-effect. |
e2ac9be4f293b96f3c8992f1171e44bc1da5cfca |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop redundant sysdb_ctx parameter from sysdb.c |
4537e95f6741ae05ec620e5b46ca1d4a3a1ceae5 |
|
07-Nov-2013 |
Pavel Březina <pbrezina@redhat.com> |
free idmapped SIDs correctly
Resolves:
https://fedorahosted.org/sssd/ticket/2133 |
76da70d5a5b5b05b926840d7692a31915d3ca8eb |
|
30-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
ad: shortcut if possible during get object by ID or SID
When getByID or getBySID comes from responder, the request doesn't
necessarily have to contain correct domain, since responder iterates
over all domains until it finds a match.
Every domain has its own ID range, so we can simply shortcut if
domain does not match and avoid LDAP round trip. Responder will
continue with next domain until it finds the correct one. |
d67a80baf0bdc888297d3587c98f8a12d4827ebc |
|
25-Oct-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
AD: fall back to LDAP if GC is not available.
AD provider went offline if the Global Catalog could not be connected although
there was also the LDAP port available. With this patch, AD provider will
fall back to the LDAP port before going offline.
New boolean flag ignore_mark_offline was added to structure sdap_id_conn_ctx.
If this flag is enabled, function be_mark_offline will not be called.
Resolves:
https://fedorahosted.org/sssd/ticket/2104 |
c2aeea38addda1a07e60adbc3451f11b640f7bf1 |
|
27-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: talk to GC first even for local domain objects
Related: https://fedorahosted.org/sssd/ticket/2070
Since we are recommending to configure the POSIX attributes so that they
are replicated to the Global Catalog, we can start connecting to the GC
by default even for local users. If the object is not matched in the GC,
there is a possibility to fall back to LDAP. |
09b915007009b3e7a0942630fae132a6c534e349 |
|
20-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Failure to get flat name is not fatal
https://fedorahosted.org/sssd/ticket/2067
Some AD or AD-like servers do not contain the netlogon attribute in the
master domain name. Instead of failing completely, we should just abort
the master domain request and carry on. The only functionality we miss
would be getting users by domain flat name. |
74802794554e0f87d1354b6788f1719cd7d80a6c |
|
18-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Download master domain info when enumerating
https://fedorahosted.org/sssd/ticket/2068
With the current design, downloading master domain data was tied to
subdomains refresh, triggered by responders. But because enumeration is
a background task that can't be triggered on its own, we can't rely on
responders to download the master domain data and we need to check the
master domain on each enumeration request. |
3d28e0e560b787b5c57ed7327d184310342a7e38 |
|
28-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Look up AD users directly if IPA server mode is on
https://fedorahosted.org/sssd/ticket/1962
If the ipa_server_mode is selected IPA subdomain user and group lookups
are not done with the help of the extdom plugin but directly against AD
using the AD ID code. |
5546876b121d674077e93fe908f3a602de8ec31f |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD ID lookups - choose GC or LDAP as appropriate
https://fedorahosted.org/sssd/ticket/1557
Some lookups should be performed from GC only -- for example trusted
users are only present in the Global Catalog, while some lookups should
be performed from LDAP only as not all objects or attributes are
replicated to Global Catalog.
This patch adds a generic failover mechanism for identity lookups in the
AD provider that allows choosing the appropriate source and even failing over
to the other source if available. |
9aa117a93e315f790a1922d9ac7bd484878b621e |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Pass in a connection to ID functions
Instead of using the default connection from the sdap_id_ctx, allow the
caller to specify which connection shall be used for this particular
request. Again, no functional change is present in this patch, just
another parameter is added. |
03abdaa21ecf562b714f204ca42379ff08626f75 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add be_req_get_be_ctx() helper.
In preparation for making be_req opaque |
e523233315f44b8f77ab9c5143a3d80364ebf955 |
|
23-Aug-2012 |
Ondrej Kos <okos@redhat.com> |
AD context was set to null due to type mismatch |
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30 |
|
06-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
AD: Add AD identity provider
This new identity provider takes advantage of existing code for
the LDAP provider, but provides sensible defaults for operating
against an Active Directory 2008 R2 or later server. |