History log of /sssd-io/src/providers/ldap/sdap_access.c
Revision Date Author Comments
f34a8330c1615511795847b0a1454249d782db2a 19-Oct-2017 Alexey Kamenskiy <alexey.kamenskiy@chinanetcloud.com>

LDAP: Add support for rhost access control This patch implements verification of pam_rhost against rules stored in the LDAP entry of a user. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

709989b80b5d6112fc6b62db762570330b9e2eea 08-Jun-2017 Lukas Slebodnik <lslebodn@redhat.com>

Remove unnecessary sys/param.h They are mostly required for macros MAX/MIN which were not used in these modules. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

7a9f3fc59a2041e868fa9524d8351ec48ec8c158 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

LDAP: The access control filter just needs the plain username The LDAP access control code uses shortnames to construct an LDAP filter. Reviewed-by: Sumit Bose <sbose@redhat.com>

cc2d77d5218c188119fa954c856e858cbde76947 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

Rename dp_backend.h to backend.h Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

/sssd-io/Makefile.am /sssd-io/src/p11_child/p11_child_nss.c /sssd-io/src/providers/ad/ad_access.c /sssd-io/src/providers/ad/ad_gpo.c /sssd-io/src/providers/ad/ad_gpo_child.c /sssd-io/src/providers/ad/ad_srv.c /sssd-io/src/providers/ad/ad_subdomains.h /sssd-io/src/providers/backend.h /sssd-io/src/providers/be_dyndns.c /sssd-io/src/providers/be_ptask.c /sssd-io/src/providers/be_refresh.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_callbacks.c /sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/ipa/ipa_auth.h /sssd-io/src/providers/ipa/ipa_dyndns.h /sssd-io/src/providers/ipa/ipa_subdomains.h /sssd-io/src/providers/ipa/selinux_child.c /sssd-io/src/providers/krb5/krb5_auth.h /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_common.c /sssd-io/src/providers/krb5/krb5_common.h ldap_access.c ldap_child.c ldap_common.h sdap.h sdap_access.c sdap_access.h sdap_async.h sdap_async_sudo.c sdap_autofs.c sdap_dyndns.c sdap_dyndns.h sdap_sudo.c sdap_sudo.h sdap_sudo_shared.h /sssd-io/src/providers/proxy/proxy.h /sssd-io/src/providers/proxy/proxy_child.c /sssd-io/src/providers/simple/simple_access.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/tests/cmocka/test_be_ptask.c /sssd-io/src/tests/cmocka/test_data_provider_be.c
eedfc2cced329731c90317a5be3cd82a3749eb8a 03-Jun-2016 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Try also the AD access control for IPA users Resolves: https://fedorahosted.org/sssd/ticket/2927 If a user from an AD trusted domain is logging in, we should also check their AD lockout status. This helps cases where the user might have been disabled but is logging in with an SSH public key. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

108a49f0e816d95cf75a1e964f63b397e53c8b56 14-May-2015 Pavel Reichl <preichl@redhat.com>

LDAP: warn about lockout option being deprecated Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

871f340834f25ca92a481718939164e708a70e29 26-Mar-2015 Pavel Reichl <preichl@redhat.com>

LDAP: fix a typo in debug message Reviewed-by: Pavel Březina <pbrezina@redhat.com>

08f83281cf4b0f35e8569851fae7364e140371f9 23-Mar-2015 Pavel Reichl <preichl@redhat.com>

ldap: refactor nds_check_expired to use util func Refactor nds_check_expired() to use utility function sss_utc_to_time_t(). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

50b8a36b0932a510e825ed1ad8103f81ead2b7d8 23-Mar-2015 Pavel Reichl <preichl@redhat.com>

TESTS: test expiration Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

79ee5fbacd6ee4153fa59edf5b1ae55b4f020211 06-Mar-2015 Pavel Reichl <preichl@redhat.com>

SDAP: fix minor neglect in is_account_locked() It would be better to return an explicit error code, although access is still denied and an error message printed. Relates: https://fedorahosted.org/sssd/ticket/2534 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

13ec767e6ca3e435e119f1f07bda10eb213383f6 05-Mar-2015 Pavel Reichl <preichl@redhat.com>

SDAP: Lock out ssh keys when account naturally expires Resolves: https://fedorahosted.org/sssd/ticket/2534 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

c9b0071bfcb8eb8c71e40248de46d23aceecc0f3 03-Mar-2015 Pavel Reichl <preichl@redhat.com>

SDAP: enable change phase of pw expire policy check Implement a new option which checks the password expiration policy in the accounting phase. This allows SSSD to issue a shadow expiration warning even if an alternate authentication method is used. Resolves: https://fedorahosted.org/sssd/ticket/2167 Reviewed-by: Sumit Bose <sbose@redhat.com>

c820e6db26426c9f74a0e8f8ff9d9cf79d57406a 02-Mar-2015 Pavel Reichl <preichl@redhat.com>

SDAP: log expired accounts at lower severity level Attempts to log into expired accounts were logged as SSSDBG_CRIT_FAILURE which is misleading as no real failures were happening. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

b07a3b729892d2bc2ffa73d93de95e19003cc6c8 27-Jan-2015 Pavel Reichl <preichl@redhat.com>

add missing '\n' in debug messages Also reformat debug strings so that lines do not exceed 80 columns. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

4113389146cde7034bec7980a7fdf0d50f4c7bf7 10-Sep-2014 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Always free talloc_req On failure, the subreq wasn't freed, which was not a big deal given the parent request would free the subreq anyway, but it's better to follow the usual pattern. Reviewed-by: Simo Sorce <simo@redhat.com>

d80412010e18d1f48aa402bf7e31a909008edb24 08-Sep-2014 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Check return value Reported by Coverity Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

2a91d3dd0ce4387332db27bd1a0c0005c74f870e 27-Aug-2014 Pavel Reichl <preichl@redhat.com>

SDAP: account lockout to restrict access via ssh key Be able to configure sssd to honor openldap account lock to restrict access via ssh key. Introduce new ldap_access_order value ('lock') for enabling/disabling this feature. Account is considered locked if the pwdAccountLockedTime attribute has the value 000001010000Z.
------------------------------------------------------------------------
Quotation from man slapo-ppolicy:
pwdAccountLockedTime
This attribute contains the time that the user's account was locked. If the account has been locked, the password may no longer be used to authenticate the user to the directory. If pwdAccountLockedTime is set to 000001010000Z, the user's account has been permanently locked and may only be unlocked by an administrator. Note that account locking only takes effect when the pwdLockout password policy attribute is set to "TRUE".
------------------------------------------------------------------------
Also set default value for sdap_pwdlockout_dn to cn=ppolicy,ou=policies,${search_base} Resolves: https://fedorahosted.org/sssd/ticket/2364 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

1a357c873baa79c0b82ab1d084f942cfcc8ba1c0 27-Aug-2014 Pavel Reichl <preichl@redhat.com>

SDAP: refactor AC offline checks Prepare code for other access control checks. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

9956e720e7f055afdb6ada141b4ab892bfa0930b 17-Aug-2014 Pavel Reichl <preichl@redhat.com>

SDAP: don't log error on access denied Don't log error if access is denied in function sdap_access_done(). Reviewed-by: Pavel Březina <pbrezina@redhat.com>

ed2136eebe3fbffccb8a5c548afdb815a46d5d39 17-Aug-2014 Pavel Reichl <preichl@redhat.com>

SDAP: refactor sdap_access_filter_done As preparation for ticket #2364 move code from sdap_access_filter_done() into sdap_access_done() to make its reuse possible and thus avoid code duplication. Rename check_next_rule() to sdap_access_check_next_rule(). Update definition order of tevent-using functions by time of execution. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

46ebf4415306454e1d062b61a2495b7cdb821c0f 17-Aug-2014 Pavel Reichl <preichl@redhat.com>

SDAP: nitpicks in sdap_access_filter_get_access_done Fixed typo and replaced duplicated string by macro definition. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

719985a9e2aeaf2cba960f1525325ff125b7e19b 17-Aug-2014 Pavel Reichl <preichl@redhat.com>

SDAP: refactor sdap_access_filter_send As preparation for ticket #2364 separate code for parsing user basedn to a new function sdap_get_basedn_user_entry(). We actually do not need to call strdup on basedn, instead we can just point to address in user_entry as it's allocated on parent memory context. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

4c38ed71727a9668cec4d3bd1bf8f7e77ac5e6c0 17-Aug-2014 Pavel Reichl <preichl@redhat.com>

SDAP: split sdap_access_filter_get_access_done As a preparation for ticket #2364 separate code for storing user bool values into sysdb to a new function sdap_save_user_cache_bool(). Reviewed-by: Pavel Březina <pbrezina@redhat.com>

bf6f1b3d49e17b1adf0448c0b06e94b1e52ddffd 03-Jun-2014 Lukas Slebodnik <lslebodn@redhat.com>

Unify usage of function gethostname man gethostname says: NOTES SUSv2 guarantees that "Host names are limited to 255 bytes". POSIX.1-2001 guarantees that "Host names (not including the terminating null byte) are limited to HOST_NAME_MAX bytes". On Linux, HOST_NAME_MAX is defined with the value 64, which has been the limit since Linux 1.0 (earlier kernels imposed a limit of 8 bytes). Reviewed-by: Pavel Březina <pbrezina@redhat.com>

5389b3714be747f1a11ac51beb0c5988cfb6c240 27-May-2014 Lukas Slebodnik <lslebodn@redhat.com>

Don't use macro _XOPEN_SOURCE for function strptime We detect all necessary feature macros in configure script using AC_USE_SYSTEM_EXTENSIONS or AC_GNU_SOURCE. This patch replaces all definitions of macro _XOPEN_SOURCE with header file config.h Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

40dd828529cf01291daf0f075b850783409e8c05 18-Mar-2014 Pavel Reichl <preichl@redhat.com>

refactor calls of sss_parse_name sss_parse_name now supports NULL as output parameters so existing calls passing arguments which were never read were substituted by NULL. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

83bf46f4066e3d5e838a32357c201de9bd6ecdfd 12-Feb-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Update DEBUG* invocations to use new levels Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead:

    grep -rl --include '*.[hc]' DEBUG . |
    while read f; do
        mv "$f"{,.orig}
        perl -e 'use strict;
                 use File::Slurp;
                 my @map=qw"
                    SSSDBG_FATAL_FAILURE
                    SSSDBG_CRIT_FAILURE
                    SSSDBG_OP_FAILURE
                    SSSDBG_MINOR_FAILURE
                    SSSDBG_CONF_SETTINGS
                    SSSDBG_FUNC_DATA
                    SSSDBG_TRACE_FUNC
                    SSSDBG_TRACE_LIBS
                    SSSDBG_TRACE_INTERNAL
                    SSSDBG_TRACE_ALL
                 ";
                 my $text=read_file(\*STDIN);
                 my $repl;
                 $text=~s/
                            ^
                            ( .* \b (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM) \s* \(\s* )
                            ( [0-9] )
                            ( \s*, )
                            ( \s* )
                            ( .* )
                            $
                         /
                            $repl = $1.$map[$3].$4.$5.$6,
                            length($repl) <= 80
                            ? $repl
                            : $1.$map[$3].$4."\n".(" " x length($1)).$6
                         /xmge;
                 print $text;
                ' < "$f.orig" > "$f"
        rm "$f.orig"
    done

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

/sssd-io/src/confdb/confdb.c /sssd-io/src/confdb/confdb_setup.c /sssd-io/src/db/sysdb.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_ranges.c /sssd-io/src/db/sysdb_search.c /sssd-io/src/db/sysdb_upgrade.c /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor_netlink.c /sssd-io/src/monitor/monitor_sbus.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_callbacks.c /sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/data_provider_opts.c /sssd-io/src/providers/dp_auth_util.c /sssd-io/src/providers/dp_pam_data_util.c /sssd-io/src/providers/fail_over.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_auth.c /sssd-io/src/providers/ipa/ipa_common.c /sssd-io/src/providers/ipa/ipa_hbac_common.c /sssd-io/src/providers/ipa/ipa_hbac_hosts.c /sssd-io/src/providers/ipa/ipa_hbac_rules.c /sssd-io/src/providers/ipa/ipa_hbac_services.c /sssd-io/src/providers/ipa/ipa_hbac_users.c /sssd-io/src/providers/ipa/ipa_id.c /sssd-io/src/providers/ipa/ipa_init.c /sssd-io/src/providers/ipa/ipa_netgroups.c /sssd-io/src/providers/krb5/krb5_access.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_child_handler.c /sssd-io/src/providers/krb5/krb5_common.c /sssd-io/src/providers/krb5/krb5_delayed_online_authentication.c /sssd-io/src/providers/krb5/krb5_init.c /sssd-io/src/providers/krb5/krb5_init_shared.c /sssd-io/src/providers/krb5/krb5_renew_tgt.c /sssd-io/src/providers/krb5/krb5_utils.c /sssd-io/src/providers/krb5/krb5_wait_queue.c ldap_auth.c ldap_child.c ldap_common.c ldap_id.c ldap_id_cleanup.c ldap_id_netgroup.c ldap_init.c sdap.c sdap_access.c sdap_async.c sdap_async_connection.c sdap_async_enum.c sdap_async_groups.c sdap_async_initgroups.c sdap_async_initgroups_ad.c sdap_async_netgroups.c sdap_async_users.c sdap_child_helpers.c sdap_fd_events.c sdap_id_op.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_child.c 
/sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_init.c /sssd-io/src/providers/proxy/proxy_netgroup.c /sssd-io/src/resolv/async_resolv.c /sssd-io/src/responder/common/negcache.c /sssd-io/src/responder/common/responder_cmd.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/nss/nsssrv_private.h /sssd-io/src/responder/nss/nsssrv_services.c /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/pam/pamsrv_dp.c /sssd-io/src/sbus/sbus_client.c /sssd-io/src/sbus/sssd_dbus_common.c /sssd-io/src/sbus/sssd_dbus_connection.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/tests/auth-tests.c /sssd-io/src/tests/files-tests.c /sssd-io/src/tests/resolv-tests.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tests/sysdb_ssh-tests.c /sssd-io/src/tools/selinux.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_groupadd.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/tools/tools_util.c /sssd-io/src/tools/tools_util.h /sssd-io/src/util/check_and_open.c /sssd-io/src/util/child_common.c /sssd-io/src/util/crypto/nss/nss_obfuscate.c /sssd-io/src/util/crypto/nss/nss_util.c /sssd-io/src/util/debug.c /sssd-io/src/util/find_uid.c /sssd-io/src/util/nscd.c /sssd-io/src/util/signal.c /sssd-io/src/util/sss_krb5.c /sssd-io/src/util/sss_ldap.c /sssd-io/src/util/user_info_msg.c /sssd-io/src/util/usertools.c /sssd-io/src/util/util.c
a3c8390d19593b1e5277d95bfb4ab206d4785150 12-Feb-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code:

    grep -rwl --include '*.[hc]' DEBUG . |
    while read f; do
        mv "$f"{,.orig}
        perl -e \
          'use strict;
           use File::Slurp;
           my $text=read_file(\*STDIN);
           $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
           print $text;' < "$f.orig" > "$f"
        rm "$f.orig"
    done

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

/sssd-io/src/confdb/confdb.c /sssd-io/src/confdb/confdb_setup.c /sssd-io/src/db/sysdb.c /sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_idmap.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_ranges.c /sssd-io/src/db/sysdb_search.c /sssd-io/src/db/sysdb_selinux.c /sssd-io/src/db/sysdb_services.c /sssd-io/src/db/sysdb_ssh.c /sssd-io/src/db/sysdb_subdomains.c /sssd-io/src/db/sysdb_sudo.c /sssd-io/src/db/sysdb_upgrade.c /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor_netlink.c /sssd-io/src/monitor/monitor_sbus.c /sssd-io/src/providers/ad/ad_access.c /sssd-io/src/providers/ad/ad_common.c /sssd-io/src/providers/ad/ad_domain_info.c /sssd-io/src/providers/ad/ad_dyndns.c /sssd-io/src/providers/ad/ad_id.c /sssd-io/src/providers/ad/ad_init.c /sssd-io/src/providers/ad/ad_srv.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_callbacks.c /sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/data_provider_opts.c /sssd-io/src/providers/dp_auth_util.c /sssd-io/src/providers/dp_dyndns.c /sssd-io/src/providers/dp_pam_data_util.c /sssd-io/src/providers/dp_ptask.c /sssd-io/src/providers/dp_refresh.c /sssd-io/src/providers/fail_over.c /sssd-io/src/providers/fail_over_srv.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_auth.c /sssd-io/src/providers/ipa/ipa_autofs.c /sssd-io/src/providers/ipa/ipa_common.c /sssd-io/src/providers/ipa/ipa_config.c /sssd-io/src/providers/ipa/ipa_dyndns.c /sssd-io/src/providers/ipa/ipa_hbac_common.c /sssd-io/src/providers/ipa/ipa_hbac_hosts.c /sssd-io/src/providers/ipa/ipa_hbac_rules.c /sssd-io/src/providers/ipa/ipa_hbac_services.c /sssd-io/src/providers/ipa/ipa_hbac_users.c /sssd-io/src/providers/ipa/ipa_hostid.c /sssd-io/src/providers/ipa/ipa_hosts.c /sssd-io/src/providers/ipa/ipa_id.c /sssd-io/src/providers/ipa/ipa_idmap.c /sssd-io/src/providers/ipa/ipa_init.c /sssd-io/src/providers/ipa/ipa_netgroups.c 
/sssd-io/src/providers/ipa/ipa_s2n_exop.c /sssd-io/src/providers/ipa/ipa_selinux.c /sssd-io/src/providers/ipa/ipa_selinux_maps.c /sssd-io/src/providers/ipa/ipa_srv.c /sssd-io/src/providers/ipa/ipa_subdomains.c /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd-io/src/providers/ipa/ipa_subdomains_id.c /sssd-io/src/providers/ipa/ipa_sudo.c /sssd-io/src/providers/krb5/krb5_access.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_become_user.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_child_handler.c /sssd-io/src/providers/krb5/krb5_common.c /sssd-io/src/providers/krb5/krb5_delayed_online_authentication.c /sssd-io/src/providers/krb5/krb5_init.c /sssd-io/src/providers/krb5/krb5_init_shared.c /sssd-io/src/providers/krb5/krb5_renew_tgt.c /sssd-io/src/providers/krb5/krb5_utils.c /sssd-io/src/providers/krb5/krb5_wait_queue.c ldap_access.c ldap_auth.c ldap_child.c ldap_common.c ldap_id.c ldap_id_cleanup.c ldap_id_enum.c ldap_id_netgroup.c ldap_id_services.c ldap_init.c sdap.c sdap_access.c sdap_async.c sdap_async_autofs.c sdap_async_connection.c sdap_async_enum.c sdap_async_groups.c sdap_async_groups_ad.c sdap_async_initgroups.c sdap_async_initgroups_ad.c sdap_async_nested_groups.c sdap_async_netgroups.c sdap_async_services.c sdap_async_sudo.c sdap_async_sudo_hostinfo.c sdap_async_sudo_timer.c sdap_async_users.c sdap_autofs.c sdap_child_helpers.c sdap_dyndns.c sdap_fd_events.c sdap_id_op.c sdap_idmap.c sdap_range.c sdap_refresh.c sdap_reinit.c sdap_sudo.c sdap_sudo_cache.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_child.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_init.c /sssd-io/src/providers/proxy/proxy_netgroup.c /sssd-io/src/providers/proxy/proxy_services.c /sssd-io/src/providers/simple/simple_access.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/resolv/async_resolv.c /sssd-io/src/resolv/async_resolv_utils.c 
/sssd-io/src/responder/autofs/autofssrv.c /sssd-io/src/responder/autofs/autofssrv_cmd.c /sssd-io/src/responder/autofs/autofssrv_dp.c /sssd-io/src/responder/common/negcache.c /sssd-io/src/responder/common/responder_cmd.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/common/responder_get_domains.c /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_mmap_cache.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/nss/nsssrv_private.h /sssd-io/src/responder/nss/nsssrv_services.c /sssd-io/src/responder/pac/pacsrv.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pac/pacsrv_utils.c /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pam_helpers.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/pam/pamsrv_dp.c /sssd-io/src/responder/ssh/sshsrv.c /sssd-io/src/responder/ssh/sshsrv_cmd.c /sssd-io/src/responder/ssh/sshsrv_dp.c /sssd-io/src/responder/sudo/sudosrv.c /sssd-io/src/responder/sudo/sudosrv_cmd.c /sssd-io/src/responder/sudo/sudosrv_dp.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/responder/sudo/sudosrv_query.c /sssd-io/src/sbus/sbus_client.c /sssd-io/src/sbus/sssd_dbus_common.c /sssd-io/src/sbus/sssd_dbus_connection.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/sss_client/ssh/sss_ssh_authorizedkeys.c /sssd-io/src/sss_client/ssh/sss_ssh_knownhostsproxy.c /sssd-io/src/tests/auth-tests.c /sssd-io/src/tests/cmocka/test_dyndns.c /sssd-io/src/tests/cmocka/test_fqnames.c /sssd-io/src/tests/cmocka/test_nss_srv.c /sssd-io/src/tests/cmocka/test_utils.c /sssd-io/src/tests/common_dom.c /sssd-io/src/tests/common_tev.c /sssd-io/src/tests/debug-tests.c /sssd-io/src/tests/files-tests.c /sssd-io/src/tests/krb5_child-test.c /sssd-io/src/tests/resolv-tests.c /sssd-io/src/tests/simple_access-tests.c /sssd-io/src/tests/sysdb-tests.c 
/sssd-io/src/tests/sysdb_ssh-tests.c /sssd-io/src/tools/files.c /sssd-io/src/tools/selinux.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_debuglevel.c /sssd-io/src/tools/sss_groupadd.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_seed.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/tools/tools_mc_util.c /sssd-io/src/tools/tools_util.c /sssd-io/src/tools/tools_util.h /sssd-io/src/util/authtok.c /sssd-io/src/util/backup_file.c /sssd-io/src/util/check_and_open.c /sssd-io/src/util/child_common.c /sssd-io/src/util/crypto/libcrypto/crypto_base64.c /sssd-io/src/util/crypto/libcrypto/crypto_obfuscate.c /sssd-io/src/util/crypto/nss/nss_obfuscate.c /sssd-io/src/util/crypto/nss/nss_util.c /sssd-io/src/util/debug.c /sssd-io/src/util/domain_info_utils.c /sssd-io/src/util/find_uid.c /sssd-io/src/util/nscd.c /sssd-io/src/util/server.c /sssd-io/src/util/signal.c /sssd-io/src/util/sss_ini.c /sssd-io/src/util/sss_krb5.c /sssd-io/src/util/sss_krb5.h /sssd-io/src/util/sss_ldap.c /sssd-io/src/util/sss_nss.c /sssd-io/src/util/sss_selinux.c /sssd-io/src/util/sss_ssh.c /sssd-io/src/util/sss_tc_utf8.c /sssd-io/src/util/user_info_msg.c /sssd-io/src/util/usertools.c /sssd-io/src/util/util.c /sssd-io/src/util/util.h /sssd-io/src/util/util_lock.c /sssd-io/src/util/well_known_sids.c
2a96981a0ac781d01e5bba473409ed2bdf4cd4e0 09-Jan-2014 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Add a new error code for malformed access control filter https://fedorahosted.org/sssd/ticket/2164 The patch adds a new error code and special cases the new code so that access is denied and a nicer log message is shown.

17195241500e46272018d7897d6e87249870caf2 09-Jan-2014 Pavel Reichl <pavel.reichl@redhat.com>

responder: Set forest attribute in AD domains Resolves: https://fedorahosted.org/sssd/ticket/2160

4c08db0fb0dda3d27b1184248ca5c800d7ce23f0 15-Nov-2013 Michal Zidek <mzidek@redhat.com>

SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 1)

b3292840ebaa747a9fd596ff47cc5d18198361d0 15-Nov-2013 Michal Zidek <mzidek@redhat.com>

SYSDB: Drop the sysdb_ctx parameter from the sysdb_search module

/sssd-io/src/db/sysdb.c /sssd-io/src/db/sysdb.h /sssd-io/src/db/sysdb_search.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd-io/src/providers/krb5/krb5_access.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_utils.c ldap_auth.c sdap_access.c sdap_async_initgroups.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/python/pysss.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/ssh/sshsrv_cmd.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/tests/cmocka/test_nss_srv.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_seed.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_sync_ops.h /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/tools/tools_util.c
dd2f33603228005a44675f1484c294ea647dbce3 25-Oct-2013 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Parse FQDN into name/domain for subdomain users Related: https://fedorahosted.org/sssd/ticket/2082 When a subdomain user logs in, the username the account request receives is a FQDN. This hackish patch parses the FQDN and only uses the name to search the LDAP.

443eb8217741df57d9f58f2098487b91e3404e71 25-Oct-2013 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Amend sdap_access_check to allow any connection Related: https://fedorahosted.org/sssd/ticket/2082 Also move the check for subdomain to the handler. I think it is the job of the handler to decide which domain the request belongs to, not the request itself.

937928d1161a4f7bd894cb365ada97569ab0f78f 11-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fix formatting of variables with type: time_t

69c83119c0504fd1590299b8a4ecdabf86a8f18d 11-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fix formatting of variables with type defined in stdint.h

0e65abe5cf2abf5d4b431cf6bd161b419f07901d 11-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fix formatting of variables with type: size_t

/sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_search.c /sssd-io/src/providers/ad/ad_srv.c /sssd-io/src/providers/fail_over_srv.c /sssd-io/src/providers/ipa/ipa_config.c /sssd-io/src/providers/ipa/ipa_idmap.c /sssd-io/src/providers/ipa/ipa_netgroups.c /sssd-io/src/providers/ipa/ipa_selinux.c /sssd-io/src/providers/ipa/ipa_selinux_maps.c /sssd-io/src/providers/ipa/ipa_srv.c /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_child_handler.c /sssd-io/src/providers/krb5/krb5_renew_tgt.c ldap_child.c ldap_id_cleanup.c sdap_access.c sdap_async_autofs.c sdap_async_groups.c sdap_async_groups_ad.c sdap_async_initgroups.c sdap_async_initgroups_ad.c sdap_async_nested_groups.c sdap_async_netgroups.c sdap_async_services.c sdap_async_sudo.c sdap_async_users.c sdap_child_helpers.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/responder/nss/nsssrv_mmap_cache.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/util/child_common.c
57cd3443dcb7c073c5a00a9f2c3c3a3030ae2d3e 11-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fix formatting of variables with type: long

b8d703cf3aba81800cf1b8ccca64bb00ef0b30f7 28-Jun-2013 Sumit Bose <sbose@redhat.com>

Replace new_subdomain() with find_subdomain_by_name() new_subdomain() will create a new domain object and should not be used anymore in the provider code directly. Instead a reference to the domain from the common domain object should be used.

dcb44c39dda9699cdd6488fd116a51ced0687de3 07-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

LDAP: sdap_id_ctx might contain several connections With some LDAP server implementations, one server might provide different "views" of the identities on different ports. One example is the Active Directory Global Catalog. The provider would contact a different view depending on which operation it is performing and against which SSSD domain. At the same time, these views run on the same server, which means the same server options, enumeration, cleanup or Kerberos service should be used. So instead of using several different failover ports or several instances of sdap_id_ctx, this patch introduces a new "struct sdap_id_conn_ctx" that contains the connection cache to the particular view and an instance of "struct sdap_options" that contains the URI. No functional changes are present in this patch; currently all providers use a single connection. Multiple connections will be used later in the upcoming patches.

dfd71fc92db940b2892cc996911cec03d7b6c52b 19-Mar-2013 Simo Sorce <simo@redhat.com>

Convert sdap_access to new error codes Also simplify sdap_access_send to avoid completely fake _send() routines.

b8e6d0e6d6b9b56ef508578a2ae0078b5b7d22d0 07-Mar-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fixed typo in debug message. The C compiler did not complain, because "index" is a function defined in the header file <string.h>

b8dcd1216e5ea7065213c750a92dabfe01fa3b70 10-Feb-2013 Simo Sorce <simo@redhat.com>

Add realm info to sss_domain_info

249a28dbf31e11794c7f35d709c5561c1555898d 21-Jan-2013 Simo Sorce <simo@redhat.com>

Pass domain not be_req to access check functions

24b715f096613d18f182cf0fff537e1fc79647fa 21-Jan-2013 Simo Sorce <simo@redhat.com>

Remove sysdb as a be request structure member The sysdb context is already available through the 'domain' context.

7a468783159880f81f7cd9270ee94bf0954d6a56 21-Jan-2013 Simo Sorce <simo@redhat.com>

Move ldap provider access functions It was confusing to see the ldap provider own handler mixed with the generic ldap access code used also by the ipa and ad providers. So move the ldap provider handler code in its own file.

3f94d6718d44185137e13b6d326dfd63e8dc61c6 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_set_user_attr()

5d78919c955c945e78865f322726aac075c71203 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_get_user_attr()

94a66f84bd3c28fcabffeb84c682dccf89d89c2b 19-Nov-2012 Sumit Bose <sbose@redhat.com>

Do not save HBAC rules in subdomain subtree Currently the sysdb context is pointed to the subdomain subtree containing the user to be checked at the beginning of a HBAC request. As a result all HBAC rules and related data are saved in the subdomain tree as well. But since the HBAC rules of the configured domain apply to all users it is sufficient to save them once in the subtree of the configured domain. Since most of the sysdb operations during a HBAC request are related to the HBAC rules and related data, this patch does not change the default sysdb context but only creates a special context to look up subdomain users.

a0f186208e39a88b9e18d875121c5032531e7705 24-Apr-2012 Jan Zeleny <jzeleny@redhat.com>

Accept be_req instead of be_ctx in LDAP access provider

8372129f446e1558f1923a112f328a266144c3ce 09-Mar-2012 Stephen Gallagher <sgallagh@redhat.com>

LDAP: Make sdap_access_send/recv public We want to consume this in the IPA provider.

2f3ee3f49019f5b60adbe073070f31e6e2d7c7ab 24-Feb-2012 Stephen Gallagher <sgallagh@redhat.com>

LDAP: Only use paging control on requests for multiple entries The paging control can cause issues on servers that put limits on how many paging controls can be active at one time (on some servers, it is limited to one per connection). We need to reduce our usage so that we only activate the paging control when making a request that may return an arbitrary number of results. https://fedorahosted.org/sssd/ticket/1202 phase one

ac3a1f3da772cf101101c31675c63dc3549b21b5 22-Nov-2011 Jakub Hrozek <jhrozek@redhat.com>

Cleanup: Remove unused parameters

/sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_dyndns.c /sssd-io/src/providers/ipa/ipa_dyndns.h /sssd-io/src/providers/ipa/ipa_hbac_common.c /sssd-io/src/providers/ipa/ipa_hbac_hosts.c /sssd-io/src/providers/ipa/ipa_hbac_private.h /sssd-io/src/providers/ipa/ipa_hbac_rules.c /sssd-io/src/providers/ipa/ipa_hbac_services.c /sssd-io/src/providers/ipa/ipa_hbac_users.c /sssd-io/src/providers/ipa/ipa_init.c /sssd-io/src/providers/krb5/krb5_auth.c ldap_auth.c ldap_id_cleanup.c sdap.c sdap.h sdap_access.c sdap_async.c sdap_async_connection.c sdap_async_groups.c sdap_async_initgroups.c sdap_async_netgroups.c /sssd-io/src/providers/proxy/proxy.h /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_netgroup.c /sssd-io/src/python/pysss.c /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/sss_client/pam_sss.c /sssd-io/src/tools/nscd.c /sssd-io/src/tools/sss_groupadd.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_sync_ops.h /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/tools_util.c /sssd-io/src/tools/tools_util.h /sssd-io/src/util/crypto/nss/nss_obfuscate.c
e79d23932ef9d52cf4eb32ddec2d0a9b3af9a9eb 15-Aug-2011 Jan Zeleny <jzeleny@redhat.com>

sysdb refactoring: memory context deleted This patch deletes memory context parameter in those places in sysdb where it is not necessary. The code using modified functions has been updated. Tests updated as well.

8a1738f9379a1b8fb5c95c3df649e014ff5a1434 15-Aug-2011 Jan Zeleny <jzeleny@redhat.com>

sysdb refactoring: deleted domain variables in sysdb API The patch also updates code using modified functions. Tests have also been adjusted.

37e7e93f1996cf50677cf59fd8af6938dd5d85b2 08-Jul-2011 Sumit Bose <sbose@redhat.com>

Add LDAP access control based on NDS attributes

3612c73e7957721bcbf31d0118e2ac210eb46b88 24-Mar-2011 Pierre Ossman <pierre@ossman.eu>

Add host access control support https://fedorahosted.org/sssd/ticket/746

586793c2f95b574695c5520cf6f3ef019fb58519 04-Feb-2011 Stephen Gallagher <sgallagh@redhat.com>

Only print "no matching service rule" when appropriate

d73fcc5183a676aed4fd040714b87274248b784c 19-Jan-2011 Sumit Bose <sbose@redhat.com>

Add LDAP expire policy based on RHDS/IPA attribute The attribute nsAccountLock is used by RHDS, IPA and other directory servers to indicate that the account is locked.

22f4c1b86dcf5589e63f2ae043dc65a8f72f6f18 19-Jan-2011 Sumit Bose <sbose@redhat.com>

Add LDAP expire policy based on AD attributes The second bit of userAccountControl is used to determine if the account is enabled or disabled. accountExpires is checked to see if the account is expired.

a530a96721d8106a6839b6b643b0abc5d7a7b9e0 17-Jan-2011 Sumit Bose <sbose@redhat.com>

Add timeout parameter to sdap_get_generic_send()

e1522a568dac91499f5f2039ef978a0a4ceeb3b3 06-Jan-2011 Sumit Bose <sbose@redhat.com>

Add syslog messages to authorized service access check

6742203fd84e97822cdddc4065402c15f3c5703f 06-Jan-2011 Sumit Bose <sbose@redhat.com>

Add syslog message to shadow access check

2a2f642aae37e3f41cbbda162a74c2b946a4521f 21-Dec-2010 Stephen Gallagher <sgallagh@redhat.com>

Add authorizedService support https://fedorahosted.org/sssd/ticket/670

6ff6ccd3eec35217708870b0fe7a6362e97de95f 21-Dec-2010 Stephen Gallagher <sgallagh@redhat.com>

Pass all PAM data to the LDAP access provider Previously we were only passing the username.

32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a 06-Dec-2010 Sumit Bose <sbose@redhat.com>

Add new account expired rule to LDAP access provider Two new options are added to the LDAP access provider to allow a broader range of access control rules to be evaluated. 'ldap_access_order' makes it possible to run more than one rule. To keep compatibility with older versions the default is 'filter'. This patch adds a new rule 'expire'. 'ldap_account_expire_policy' specifies which LDAP attribute should be used to determine if an account is expired or not. Currently only 'shadow' is supported which evaluates the ldap_user_shadow_expire attribute.

85e8cbdd79359ae1f330c8b84f7b58d4fc6fda6e 15-Nov-2010 Stephen Gallagher <sgallagh@redhat.com>

Sanitize search filters in LDAP provider

f7fa22da5d865221f84371d6b522444e1591164c 28-Sep-2010 Sumit Bose <sbose@redhat.com>

Suppress some 'may be used uninitialized' warnings Additionally the handling of errno and the errno_t return value of functions is fixed in krb5_common.c.

87f2bb60510f31fec012d126411f09a99c72140e 08-Sep-2010 Jan Zeleny <jzeleny@redhat.com>

Dead assignments cleanup in providers code Dead assignments were deleted. Also prototype of function sdap_access_decide_offline() has been changed, since its return code was never used. Ticket: #586

ee3b4d1d0a6a438626e2dbbae3bf96d2d6faaf18 09-Jul-2010 eindenbom <eindenbom@gmail.com>

Use new LDAP connection framework in LDAP access backend.

a6dbe52dc824f8338d209ef5c56f9e345aeeb2fe 09-Jun-2010 Stephen Gallagher <sgallagh@redhat.com>

Allow ldap_access_filter values wrapped in parentheses

35480afaefafb77b28d35b29039989ab888aafe9 27-May-2010 Stephen Gallagher <sgallagh@redhat.com>

Add ldap_access_filter option This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com