d2633d922eeed68f92be4248b9172b928c189920 | 25-Apr-2018 | Jakub Hrozek <jhrozek@redhat.com>
LDAP: Augment the sdap_opts structure with a data provider pointer
In order to be able to use the Data Provider methods from the SDAP code
to e.g. invalidate memcache when needed, add a new field to the
sdap_options structure with the data_provider structure pointer.
Fill the pointer value for all LDAP-based providers.
Related:
https://pagure.io/SSSD/sssd/issue/2653
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

1b6965fd09e4e6a6b5ba76b8221ca3980bcc56b4 | 13-Feb-2018 | Lukas Slebodnik <lslebodn@redhat.com>
AD: Suppress warning Wincompatible-pointer-types with sasl callbacks
SASL uses different prototypes for callbacks based on id.
However, struct sasl_callback_t contains a generic callback int (*)(void)
which is not compatible with these callbacks, and gcc8 warns about it.
src/providers/ad/ad_init.c:116:23: warning: cast between incompatible
function types from ‘int (*)(void *, const char *, const char *,
const char **, unsigned int *)’
to ‘int (*)(void)’ [-Wcast-function-type]
{ SASL_CB_GETOPT, (sss_sasl_gen_cb_fn)ad_sasl_getopt, NULL },
^
src/providers/ad/ad_init.c:117:20: warning: cast between incompatible
function types from ‘int (*)(void *, int, const char *)’
to ‘int (*)(void)’ [-Wcast-function-type]
{ SASL_CB_LOG, (sss_sasl_gen_cb_fn)ad_sasl_log, NULL },
^
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

d380148b0a23dd1a04d1d0767ba41d3e76fb7d23 | 07-Feb-2018 | Lukas Slebodnik <lslebodn@redhat.com>
KRB5: Pass special flag to krb5_child
We will need to distinguish between the standard version
of krb5_get_init_creds_password and a custom one which can distinguish
the KERB-EXT-ERROR error code for expired and disabled AD users.
The flag is set only in case of auth provider ad.
Resolves:
https://pagure.io/SSSD/sssd/issue/3198
Reviewed-by: Sumit Bose <sbose@redhat.com>

095844d6b48aef483c33e5a369a405ae686e044d | 06-Dec-2017 | Jakub Hrozek <jhrozek@redhat.com>
AD: Implement a real getAccountDomain handler for the AD provider
After this patch, the AD provider drops the default getAccountDomain
handler in favor of the handler added in this patch.
The handler first checks if the domain is eligible for locating
the domain of an ID with the help of the Global Catalog at all, which
only happens if:
- the Global Catalog is enabled
- POSIX IDs are used, not ID-mapping
- the Global Catalog contains some POSIX IDs
If all these hold true, then the Global Catalog is searched with
an empty search base, which searches the whole GC. If a single entry
is returned, its original DN is converted to a domain name and returned.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>

c0f9f5a0f6d71a1596ee3cef549b4b02295313c3 | 06-Dec-2017 | Jakub Hrozek <jhrozek@redhat.com>
DP: Create a new handler function getAccountDomain()
Adds a new method getAccountDomain() which is a bit similar to
getAccountInfo, except it doesn't fetch, parse and store the entry, but
just returns the domain or a subdomain the entry was found in.
At the moment, the method only supports requests by ID.
A default handler is provided (and in this patch used by all the
domains) which returns ERR_GET_ACCT_DOM_NOT_SUPPORTED. This return
code should be evaluated by the responder so that this DP method is
not called again, because it's not supported by the back end type.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>

fb0431b13a9fcd8ac31e622503acbd10d2b73ac9 | 02-Nov-2017 | Pavel Březina <pbrezina@redhat.com>
AD: Remember last site discovered in sysdb
This can speed up sssd startup.
Resolves:
https://pagure.io/SSSD/sssd/issue/3265
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

3d29430867cf92b2d71afa95abb679711231117c | 15-Jul-2016 | Pavel Březina <pbrezina@redhat.com>
DP: rename be_acct_req to dp_id_data
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

dea636af4d1902a081ee891f1b19ee2f8729d759 | 20-Jun-2016 | Pavel Březina <pbrezina@redhat.com>
DP: Switch to new interface
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

892ddeb5190dd5c1ffa26a95142a10a0034fc5e3 | 20-Jun-2016 | Pavel Březina <pbrezina@redhat.com>
Rename dp_dyndns.h to be_dyndns.h
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

9a6ff0851fc707f21165818f66ae926fa14d7226 | 07-Jun-2016 | Petr Cech <pcech@redhat.com>
AD_PROVIDER: Fix constant char *
This patch fixes loading of the ad_domain option. It is declared as
const, so we should use dp_opt_get_cstring() instead of
dp_opt_get_string().
Reviewed-by: Sumit Bose <sbose@redhat.com>

5f7cd30c865046a7ea69944f7e07c85b4c43465a | 19-Jan-2016 | Sumit Bose <sbose@redhat.com>
AD: add task to renew the machine account password if needed
AD expects its clients to renew the machine account password on a
regular basis, by default every 30 days. Even if a client does not renew
the password it might not cause issues because AD does not enforce the
renewal. But the password age might be used to identify unused machine
accounts in large environments which might get disabled or deleted
automatically.
With this patch SSSD calls an external program to check the age of the
machine account password and renew it if needed. Currently 'adcli' is
used as the external program, which is able to renew the password since
version 0.8.0.
Resolves https://fedorahosted.org/sssd/ticket/1041
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

03b859510dc13a13a456ca4aa94c0561a0e9684c | 26-Nov-2015 | Jakub Hrozek <jhrozek@redhat.com>
AD: Add autofs provider
https://fedorahosted.org/sssd/ticket/1632
Adds the possibility to configure:
autofs_provider = ad
The AD autofs provider uses the rfc2307 (nis*) attribute maps. This is
different (at the moment) from using autofs_provider=ldap with
ldap_schema=ad.
Reviewed-by: Ondrej Valousek <ondrejv2@fedoraproject.org>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

bfa5e3869bb68213f08169efe55c45cb625e8fd0 | 01-Sep-2015 | Pavel Reichl <preichl@redhat.com>
AD: send less logs to syslog
Create a new callback that handles logging messages in the cyrus sasl library.
Resolves:
https://fedorahosted.org/sssd/ticket/2561
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 | 17-Mar-2015 | Lukas Slebodnik <lslebodn@redhat.com>
Add missing new lines to debug messages
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

17531a398cc9084036cb08d69fe876a8f12707bb | 08-Mar-2015 | Pavel Březina <pbrezina@redhat.com>
be_refresh: add sdap_refresh_init
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

e438fbf102c3d787902504bdae177e84230cbbc9 | 26-Jan-2015 | Pavel Reichl <preichl@redhat.com>
AD: support for AD site override
Override AD site found during DNS discovery.
Resolves:
https://fedorahosted.org/sssd/ticket/2486
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

a8356a0c98ee44e7256bb1c7767159c70e1fc218 | 08-Sep-2014 | Yassir Elley <yelley@redhat.com>
AD-GPO: processing changes for gpo_map_* options
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

ff4b603cc14ea6ea15caaf89a03e927920124af4 | 31-Jul-2014 | Yassir Elley <yelley@redhat.com>
AD-GPO: add ad_gpo_cache_timeout option
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

60cab26b12df9a2153823972cde0c38ca86e01b9 | 13-May-2014 | Yassir Elley <yelley@redhat.com>
Implemented LDAP component of GPO-based access control
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

61804568ce5ede3b1a699cda17c033dd6c23f0e3 | 02-Mar-2014 | Sumit Bose <sbose@redhat.com>
SUDO: AD provider
This patch adds the sudo target to the AD provider. The main reason is
to cover different default settings in the LDAP and AD provider. E.g.
the default for ldap_id_mapping is True in the AD provider and False
in the LDAP provider. If ldap_id_mapping was not set explicitly in the
config file, both components worked with different settings.
Fixes https://fedorahosted.org/sssd/ticket/2256
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

a3c8390d19593b1e5277d95bfb4ab206d4785150 | 12-Feb-2014 | Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
    mv "$f"{,.orig}
    perl -e \
        'use strict;
         use File::Slurp;
         my $text=read_file(\*STDIN);
         $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
         print $text;' < "$f.orig" > "$f"
    rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>

f8407faaeb6726bef6463d84f183f2b0ad1f99d4 | 29-Jan-2014 | Jakub Hrozek <jhrozek@redhat.com>
LDAP: Pass a private context to enumeration ptask instead of hardcoded connection
Previously, the sdap-domain enumeration request used a single connection context to
download all the data. Now we'd like to use different connections to
download different objects, so the ID context is passed in and the
request itself decides which connection to use for the sdap-domain
enumeration.

72ae534f5aef6d2e5d3f2f51299aede5abf9687e | 19-Dec-2013 | Jakub Hrozek <jhrozek@redhat.com>
AD: Add a utility function to create list of connections
ad_id.c and ad_access.c used the same block of code. With the upcoming
option to disable GC lookups, we should unify the code in a function to
avoid breaking one of the code paths.
The same applies for the LDAP connection to the trusted AD DC.
Includes a unit test.

008e1ee835602023891ac45408483d87f41e4d5c | 19-Dec-2013 | Sumit Bose <sbose@redhat.com>
AD: cross-domain membership fix
A recent patch directed all calls related to group membership lookups to
the AD LDAP port to fix an issue related to missing group memberships in
the Global Catalog. As a side-effect it broke cross-domain
group-memberships because those cannot be resolved by the connection to
the LDAP port.
The patch tries to fix this by restoring the original behaviour in the
top-level lookup calls in the AD provider and switching to the LDAP port
only for the LDAP request which is expected to return the full group
membership.
Additionally this patch contains a related fix for the tokenGroups with
Posix attributes patch. The original connection, typically a Global
Catalog connection in the AD case, is passed down the stack so that the
group lookup after the tokenGroups request can run over the same
connection.

1ce58f139699dd26b8888f4131c996263b6a80a5 | 25-Oct-2013 | Jakub Hrozek <jhrozek@redhat.com>
AD: Add extended access filter
https://fedorahosted.org/sssd/ticket/2082
Adds a new option that allows the admin to specify an LDAP access filter
that can be applied globally, per-domain or per-forest.

67b1fc914190e12ab014c0616b7f0a642fbe6356 | 25-Oct-2013 | Jakub Hrozek <jhrozek@redhat.com>
AD: Search GC by default during access control, fall back to LDAP
Resolves:
https://fedorahosted.org/sssd/ticket/2082
In order to allow the ad_access_filter option to work for subdomain
users as well, the Global Catalog must be searched. This patch adds a
wrapper request atop sdap_access_send that selects the right connection
(GC or LDAP) and optionally falls back to LDAP.

efe6b4a9d374339cac2528cdeb43720957c6b7c9 | 25-Oct-2013 | Jakub Hrozek <jhrozek@redhat.com>
AD: Use the ad_access_filter if it's set
Related:
https://fedorahosted.org/sssd/ticket/2082
Currently the AD access control only checks if an account has been
expired. This patch amends the logic so that if ad_access_filter is set,
it is used automatically.

74802794554e0f87d1354b6788f1719cd7d80a6c | 18-Sep-2013 | Jakub Hrozek <jhrozek@redhat.com>
AD: Download master domain info when enumerating
https://fedorahosted.org/sssd/ticket/2068
With the current design, downloading master domain data was tied to
subdomains refresh, triggered by responders. But because enumeration is
a background task that can't be triggered on its own, we can't rely on
responders to download the master domain data and we need to check the
master domain on each enumeration request.

31ad608192c24eb56cf7a8294f6bfc080893193c | 18-Sep-2013 | Jakub Hrozek <jhrozek@redhat.com>
AD: async request to retrieve master domain info
Adds a reusable async request to download the master domain info.

1c4144a6ce68dbd54c7c08a517d1f982ea57f19a | 28-Aug-2013 | Jakub Hrozek <jhrozek@redhat.com>
LDAP: Make sdap_id_setup_tasks reusable for subdomains
Instead of always performing the setup for the main domain, the setup
can now be performed for subdomains as well.

483728c1f9719e419830cce93b7e411370a5364b | 09-Aug-2013 | Ondrej Kos <okos@redhat.com>
AD: Cast SASL callbacks to proper type
The initialization of ad_sasl_callbacks raised an incompatible pointer
type warning. This was caused because the cyrus-sasl API has changed.
The callback function list needs to be cast now.

fb945a2cacc5506a2acb50349670f22078f1d4f5 | 06-Aug-2013 | Simo Sorce <simo@redhat.com>
sssd_ad: Add hackish workaround for sasl ad_compat
This tries to set the ad_compat option for sasl, by working around
the openldap/sasl initialization as openldap does not allow us to pass
down to sasl our own getopt callback.
Resolves:
https://fedorahosted.org/sssd/ticket/2040

48657b5de36a63b0c13ed5d53065871d59d8f10b | 23-Jul-2013 | Jakub Hrozek <jhrozek@redhat.com>
KRB5: Do not send PAC in server mode
The krb5 child contacts the PAC responder for any user except for the
IPA native users if the PAC is configured. This works fine for the
general case but the ipa_server_mode is a special one. The PAC responder
is there, but since in the server mode we should be operating as AD
provider default, the PAC shouldn't be analyzed either in this case.

59415636c92c6e9764ddc65a85ad61002310519d | 28-Jun-2013 | Jakub Hrozek <jhrozek@redhat.com>
AD: initialize failover with custom realm, domain and failover service
This is needed so we can initialize failover using IPA realm and
on-the-fly discovered DNS domain. The subdomains discovered on-the-fly
will use the subdomain name for realm, domain and failover service to
avoid conflicts.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962

ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9 | 28-Jun-2013 | Jakub Hrozek <jhrozek@redhat.com>
AD: decouple ad_id_ctx initialization
The IPA subdomain code will perform lookups on its own in the server
mode. For this, the AD provider must offer a way to initialize the
ad_id_ctx for external consumers.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962

e23f790d0e38a8dce04560e34c189208d146ddd8 | 17-Jun-2013 | Jakub Hrozek <jhrozek@redhat.com>
Fix allocation check

8d95aa1b58139002ace4b4418d5391ee7bfc78cb | 11-Jun-2013 | Jakub Hrozek <jhrozek@redhat.com>
Fix allocation check in the AD provider
https://fedorahosted.org/sssd/ticket/1976

7b5e7e539ae9312ab55d75aa94feaad549b2a708 | 10-Jun-2013 | Pavel Březina <pbrezina@redhat.com>
providers: refresh expired netgroups
https://fedorahosted.org/sssd/ticket/1713

55d80b1301fe969fb4ba2b9481027887b9462dbb | 07-Jun-2013 | Jakub Hrozek <jhrozek@redhat.com>
AD: Add additional service to support Global Catalog lookups
When fixed host names of AD servers are configured in the config file,
we can't know (unlike when service discovery is at play) if the servers
are Global Catalogs or not. This patch adds a private data to servers
read from the config file that denote whether the server can be tried
for contacting the Global Catalog port or just LDAP. The GC or LDAP URIs
are generated based on contents of this private data structure.
Because SSSD sticks to a working server, we don't have to disable or
remove the faulty GC servers from the list.

dcb44c39dda9699cdd6488fd116a51ced0687de3 | 07-Jun-2013 | Jakub Hrozek <jhrozek@redhat.com>
LDAP: sdap_id_ctx might contain several connections
With some LDAP server implementations, one server might provide
different "views" of the identities on different ports. One example is
the Active Directory Global Catalog. The provider would contact a
different view depending on which operation it is performing and against
which SSSD domain.
At the same time, these views run on the same server, which means the same
server options, enumeration, cleanup or Kerberos service should be used.
So instead of using several different failover ports or several
instances of sdap_id_ctx, this patch introduces a new "struct
sdap_id_conn_ctx" that contains the connection cache to the particular
view and an instance of "struct sdap_options" that contains the URI.
No functional changes are present in this patch, currently all providers
use a single connection. Multiple connections will be used later in the
upcoming patches.

eb64d3406c15dcc5cb42c94488737bdbb9a15655 | 20-May-2013 | Jakub Hrozek <jhrozek@redhat.com>
Remove unneeded parameter of setup_child and namespace it
setup_child() was accepting a parameter it didn't use. Also the function
name was too generic, so I added a sdap prefix.

4cdaf239d4504966bed8ecd5e3fa07def74c7302 | 07-May-2013 | Sumit Bose <sbose@redhat.com>
AD: read flat name and SID of the AD domain
For various features either the flat/short/NetBIOS domain name or the
domain SID is needed. Since the responders already try to do a subdomain
lookup when an unknown domain name is encountered, I added a subdomain
lookup to the AD provider which currently only reads the SID from the
base DN and the NetBIOS name from a reply of an LDAP ping. The results
are written to the cache to have them available even if SSSD is started
in offline mode. Looking up trusted domains can be added later.
Since all the needed responder code is already available from the
corresponding work for the IPA provider, this patch fixes
https://fedorahosted.org/sssd/ticket/1468

2e4f8db631a10224dac20e8a472f751fef0e3fcd | 03-May-2013 | Jakub Hrozek <jhrozek@redhat.com>
AD: Always initialize ID mapping
Because we now always store SIDs in the LDAP provider, we also need to
always initialize the ID mapping context even if ID mapping itself is
off.

74e95cfd9d3939dfe9417d79d2f6fc79b361405f | 03-May-2013 | Jakub Hrozek <jhrozek@redhat.com>
Active Directory dynamic DNS updates
https://fedorahosted.org/sssd/ticket/1504
Implements dynamic DNS updates for the AD provider. By default, the
updates also update the reverse zone and run periodically every 24
hours.

a679f0167b646cffdae86546ed77e105576991b0 | 02-May-2013 | Pavel Březina <pbrezina@redhat.com>
DNS sites support - add AD SRV plugin
https://fedorahosted.org/sssd/ticket/1032

1abdf56dcda5f6bed7b144e544c00dbdd501b3fc | 10-Apr-2013 | Pavel Březina <pbrezina@redhat.com>
DNS sites support - use SRV DNS lookup plugin in all providers
https://fedorahosted.org/sssd/ticket/1032
We set a plugin during the initialization of the ID provider, which
is the authoritative provider for the plugin choice. The plugin is
set only once. When another provider is initialized (e.g. id = IPA,
sudo = LDAP), we do not overwrite the plugin.
Since sssm_*_id_init() is called from all module constructors,
this patch relies on the fact that the ID provider is initialized
before all other providers.

e523233315f44b8f77ab9c5143a3d80364ebf955 | 23-Aug-2012 | Ondrej Kos <okos@redhat.com>
AD context was set to null due to type mismatch

294e9a5521d327c5cdc49beeb9cb9e703b3134f1 | 01-Aug-2012 | Jan Zeleny <jzeleny@redhat.com>
Primary server support: new option in AD provider
This patch adds support for the new config option ad_backup_server. The
description of this option's functionality is included in the man page in
one of the previous patches.

016e0d7202ff965018e41869c5ab501f86b0d081 | 01-Aug-2012 | Jan Zeleny <jzeleny@redhat.com>
Primary server support: AD adaptation
This patch adds support for the primary server functionality into the AD
provider. No backup servers are added at the moment, just the basic
support is in place.

a4cce2c98eedecb5d3b47da62104634cae268434 | 06-Jul-2012 | Stephen Gallagher <sgallagh@redhat.com>
AD: Add AD access-control provider
This patch adds support for checking whether a user is expired or
disabled in AD.

d92c50f6d75ae980b0d130134112a33e1584724c | 06-Jul-2012 | Stephen Gallagher <sgallagh@redhat.com>
AD: Add AD auth and chpass providers
These new providers take advantage of existing code for the KRB5
provider, providing sensible defaults for operating against an
Active Directory 2008 R2 or later server.

effcbdb12c7ef892f1fd92a745cb33a08ca4ba30 | 06-Jul-2012 | Stephen Gallagher <sgallagh@redhat.com>
AD: Add AD identity provider
This new identity provider takes advantage of existing code for
the LDAP provider, but provides sensible defaults for operating
against an Active Directory 2008 R2 or later server.