2d43eaf43540c375d39c5e1c2482595e919fb4df |
|
18-Apr-2018 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Improve a DEBUG message about GC detection
It was not entirely clear what the message means. We should improve the
debug message to make it clear that all or none of the attributes should be
replicated to the Global Catalog.
This patch can be reverted once we fix
https://pagure.io/SSSD/sssd/issue/3538 and only use the GC to look up
the entry DN, not the entry itself.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
4a9c1047354dbe5a4ed41e5951ae623e3772e113 |
|
29-Jan-2018 |
René Genz <liebundartig@freenet.de> |
Fix minor spelling mistakes in providers/*
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
ba8a92bbd59f189bd1323dd0c4010cdfc694be35 |
|
06-Dec-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Rename sdap_posix_check to sdap_gc_posix_check
Because searching the LDAP port of an Active Directory server with a NULL
search base yields an error:
https://technet.microsoft.com/en-us/library/cc755809(v=ws.10).aspx
we changed the POSIX check request to only run against a GC connection
in a previous patch. To make it clearer to the caller that this request
should only be used with a GC connection, this patch renames the
request.
There are no functional changes in this patch.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
6ae22d9adc0b075361defc99b8f14480ba8e7b46 |
|
06-Dec-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Search with a NULL search base when looking up an ID in the Global Catalog
The posix_check request is used to determine whether domains in the forest
replicate the POSIX attributes into the Global Catalog. And since the
schema modification that replicates the attributes is not per-domain, but
per-forest, we don't need to iterate over search bases when checking for
the POSIX attribute presence. It is OK to just search with a NULL search
base (and it's what Windows clients do, too).
Additionally, searching over the whole GC will come in handy when implementing
the request that locates an account's domain.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
b9941359b3181c42f415530d5ccad0f4664d85fa |
|
21-Sep-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
Remove double semicolon at the end of line
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
3319d964721396c07daba383ded6aaaf33ed6e3b |
|
14-Sep-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Return partial results from adminlimit exceeded
Resolves:
https://fedorahosted.org/sssd/ticket/3185
Since commit c420ce830ac0b0b288a2a887ec2cfce5c748018c we try to move to
the next server on any error on the connection, which in case there is
only one server sends SSSD offline.
It's more graceful to try to process the results, same as we already do
with sizelimit exceeded.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
6c335dee38da943796710b5e336472a10cf641f2 |
|
13-Sep-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
SDAP: Fix setting paging attribute in sdap_get_generic_ext_send
We should set the paging flag in state and not in a local
variable which is not read anywhere in the function.
Found by clang static analyzer.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
07faf35960fafcff07ef588a851bde0066e88cd7 |
|
02-Aug-2016 |
Petr Cech <pcech@redhat.com> |
LDAP: Changing of confusing debug message
This debug message used to confuse our customer. So this patch changes it.
Resolves:
https://fedorahosted.org/sssd/ticket/3091
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> |
630f3ff08c1d17c7900b9bde814922f775ca2703 |
|
10-Jun-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Decorate the hot paths in the LDAP provider with systemtap probes
During performance analysis, the LDAP provider and especially its nested
group code proved to be the place where we spend the most time during
account requests. Therefore, I decorated the LDAP provider with
systemtap probes to be able to observe where the time is spent.
The code allows passing of search properties (base, filter, ...) from
marks to probes. Where applicable, the probes pass on these arguments to
functions and build a human-readable string representation.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
878237a89949f7456aaabe8ebee7831cb4fde336 |
|
27-Apr-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Print port in sdap_print_server
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
95c132e1a8c6bbab4be8b3a340333fadd8076122 |
|
19-Jan-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Make it possible to silence errors from dereference
https://fedorahosted.org/sssd/ticket/2791
When a modern IPA client is connected to an old (3.x) IPA server, the
attribute dereferenced during the ID views lookup does not exist, which
triggers an error during the dereference processing and also a confusing
syslog message.
This patch suppresses the syslog message.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
468495d91d536603a1c485424275b6dcf2bb83de |
|
15-Jan-2016 |
Pavel Březina <pbrezina@redhat.com> |
SDAP: do not fail if refs are found but not processed
It is possible to end up with not-processed referrals when
using AD provider and ldap_referrals=true.
Resolves:
https://fedorahosted.org/sssd/ticket/2906
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> |
de1131abe5ba7aaeb59f81fc3a9cd2a71c0b52dd |
|
14-Dec-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
DEBUG: Add missing new lines
Reviewed-by: Petr Cech <pcech@redhat.com> |
86ffb3db2a6e798aaa920a0b40e0c517db8c293f |
|
22-Oct-2015 |
Pavel Reichl <preichl@redhat.com> |
SDAP: pass params in sdap_get_and_parse_generic_send
Previously some arguments passed to sdap_get_and_parse_generic_send()
were ignored. This patch fixes that and passes 'attronly',
'serverctrls' and 'clientctrls' to sdap_get_generic_ext_send().
Reviewed-by: Sumit Bose <sbose@redhat.com> |
108af0012e016b464790478b8aa3ad60e712930f |
|
22-Oct-2015 |
Pavel Reichl <preichl@redhat.com> |
SDAP: change type of attrsonly in sdap_get_generic_ext_state
'attrsonly' parameter is directly passed to ldap_search_ext() and is
described as:
The attrsonly parameter should be set to a non-zero value if only
attribute descriptions are wanted. It should be set to zero (0) if both
attributes descriptions and attribute values are wanted.
Boolean type should be fine for the 'attrsonly' parameter especially
since the actual parameter was already set to false in function calls.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
45363a04548738ac99a5d173e3fe021c28b61aec |
|
22-Oct-2015 |
Pavel Reichl <preichl@redhat.com> |
SDAP: allow_paging in sdap_get_generic_ext_send()
Make allow_paging parameter a part of the flag parameter in
sdap_get_generic_ext_send().
Reviewed-by: Sumit Bose <sbose@redhat.com> |
1f1b41931d299d6356ac205b75b402adb2cc9234 |
|
22-Oct-2015 |
Pavel Reichl <preichl@redhat.com> |
SDAP: optional warning - sizelimit exceeded in POSIX check
Add new parameter 'flags' to sdap_get_generic_ext_send_ext() which can
be set to suppress warning about 'sizelimit exceeded'.
Resolves:
https://fedorahosted.org/sssd/ticket/2804
Reviewed-by: Sumit Bose <sbose@redhat.com> |
6735c0451d4e80d7cd4b480a8c1f7dafb2b536ea |
|
02-Oct-2015 |
Pavel Reichl <preichl@redhat.com> |
SDAP: Relax POSIX check
Relax the check on UID or GID just to check if at least one of them is
present but do not require them to be positive numbers.
Add requirement on objectclass attributes to be user or group to make
check more reliable.
Resolves:
https://fedorahosted.org/sssd/ticket/2800 |
06987186fb528271d6c208d2abf326049c0e168b |
|
19-Aug-2015 |
Michal Židek <mzidek@redhat.com> |
sdap_async: Use specific errmsg when available
Ticket:
https://fedorahosted.org/sssd/ticket/2762
Use specific errmsg when ldap returns
LDAP_CONSTRAINT_VIOLATION code if that specific
message is available.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
f4e643ed7df771f83e903a6309f7ff0917819d25 |
|
15-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Add sdap_get_and_parse_generic_send
Related:
https://fedorahosted.org/sssd/ticket/2553
So far we had a simple sdap_get_generic_send() request that uses the
right defaults around the low-level sdap_get_generic_ext_send() request
and calls the parser.
This patch adds also sdap_get_and_parse_generic_send() that exposes all
options that sdap_get_generic_ext_send() offers but also calls the
parser.
In this patch the function is not used at all.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
176244cb1e9df96ce36d36556de1fd766582b1dc |
|
01-Jun-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
SDAP: Check return value before using output arguments
==18139== Conditional jump or move depends on uninitialised value(s)
==18139== at 0x14400F1B: generic_ext_search_handler.isra.3 (sdap_async.c:1626)
==18139== by 0x879D7E3: tevent_common_loop_immediate (tevent_immediate.c:135)
==18139== by 0x87A20CD: epoll_event_loop_once (tevent_epoll.c:907)
==18139== by 0x87A07D6: std_event_loop_once (tevent_standard.c:114)
==18139== by 0x879CFBC: _tevent_loop_once (tevent.c:530)
==18139== by 0x879D15A: tevent_common_loop_wait (tevent.c:634)
==18139== by 0x87A0776: std_event_loop_wait (tevent_standard.c:140)
==18139== by 0x5293862: server_loop (server.c:668)
==18139== by 0x10EA41: main (data_provider_be.c:2909
Related tickets:
https://fedorahosted.org/sssd/ticket/2645
https://fedorahosted.org/sssd/ticket/2662
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
31bafc0d6384a30859aa18f3bd22275aec6ee2ed |
|
28-May-2015 |
Stephen Gallagher <sgallagh@redhat.com> |
AD GPO: Support processing referrals
For GPOs assigned to a site, it's possible that their definition
actually exists in another domain. To retrieve this information,
we need to follow the referral and perform a base search on
another domain controller.
Resolves:
https://fedorahosted.org/sssd/ticket/2645
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
c9db9d3e3d1a51117a64b366ec866bbeb009c57f |
|
28-May-2015 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Support returning referral information
Some callers may be interested in the raw referral values returned from
a lookup. This patch allows interested consumers to get these referrals
back and process them if they wish. It does not implement a generic
automatic following of referrals.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
331de115acab77ca4da12a56867b89de7afe263e |
|
23-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Decorate the sdap_op functions with DEBUG messages
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
f0072e2b102f3b553533402d4ae42b1989b0370e |
|
23-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Make password change timeout configurable with ldap_opt_timeout
Related:
https://fedorahosted.org/sssd/ticket/1501
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 |
|
17-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Add missing new lines to debug messages
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a859ef56cf6c0df732d022b66819caf4d401a0a2 |
|
27-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
sdap_print_server: use getpeername() to get server address
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
7d35c7e8c5d2684321be879f7ff67816d4b31f09 |
|
16-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
Add sdap_deref_search_with_filter_send()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
f3d4b3e03b1505a539977c86b59ff4aa967580d1 |
|
29-Sep-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Do not require a dereference control to be returned in a reply
When we attempt to request attributes that are not present in
the dereferenced links, some servers might not send the dereference
control back at all. Be permissive and treat the search as if
it didn't find anything.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
2284e50c801a53541016eb9a5af00d1250d36afb |
|
08-Sep-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Skip dereferenced entries that we are not permitted to read
https://fedorahosted.org/sssd/ticket/2421
In case we dereference an entry, for which we have /some/ permissions
for reading, but we only request attributes that we can't access, the
dereference control only returns the DN.
This is also the case with the current version of 389DS for cases where
no entries at all are readable. In this case, the server should not return
the DN at all, though. This DS bug was tracked as
https://fedorahosted.org/389/ticket/47885
Reviewed-by: Michal Židek <mzidek@redhat.com> |
7ec88ea204c0d1db40a93502c70c7bc0491ec262 |
|
05-Sep-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Don't reuse a single tevent callback for multiple requests
Several requests (deref, ASQ and SD) were using the same tevent
callback. This worked fine for quite some time, because the callback
only used the tevent_req variables. However, a recent patch changed the
shared sdap_get_generic_done so that it also uses the 'state'
variable.
At that point, all requests that re-used the sdap_get_generic_done
request started failing because the type of the state variable was
different.
This patch makes sure the callbacks only manipulate their own data
types.
Moreover, sdap_get_generic_ext_done() was renamed because it's not
really a tevent callback.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
a2ea3f5d9ef9f17efbb61e942c2bc6cff7d1ebf2 |
|
02-Sep-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Ignore returned referrals if referral support is disabled
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
25dfb62595f73d1ca3d1170abe5853c4253d7c42 |
|
19-Aug-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
Revert "SDAP: Deref needn't be treated as critical"
This reverts commit fc8d98c9f0bb26de7be732c3e542b85c8abdba53.
The reason why the control was marked critical is that we expect
to get it back on reply, or it should fail. We should rather leave
the criticality bit and handle the error (by downgrading to not use
deref controls) if the server fails.
In other words, we should not work around bugs in any LDAP server.
If a server claims it supports the deref control, it should work with the critical flag.
sh-4.2$ ldapsearch -LLL -h 172.17.0.9 -x -b "" -s base supportedControl
dn:
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
sh-4.2$ grep "1.3.6.1.4.1.4203.666.5.16" /usr/include/ldap.h
#define LDAP_CONTROL_X_DEREF "1.3.6.1.4.1.4203.666.5.16"
sh-4.2$ ldapsearch -x -LLL -h 172.17.0.9 -b 'dc=example,dc=com' \
-E '!deref=member:cn,uid' \
cn=ref_grp1 cn,uid
Critical extension is unavailable (12)
Additional information: critical control unavailable in context
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
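The revert above and the commit it reverts turn on one bit of the OpenLDAP dereference control: its criticality, the '!' in ldapsearch -E '!deref=...'. As an added illustration that is not SSSD code, the C below encodes the control from draft-masarati-ldap-deref by hand with a minimal BER writer, so the difference between a critical and a non-critical control is visible on the wire (a 01 01 FF element after the control OID; DER omits the DEFAULT FALSE), reads the bit back out, and models the retry decision the commits describe for resultCode 12 ("Critical extension is unavailable"). The OID and the result code are the ones quoted in the commit messages; the BER helper, the "derefAttr:attr1,attr2" spec format and all function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* OID of the OpenLDAP dereference control, as grepped from ldap.h above. */
#define DEREF_OID "1.3.6.1.4.1.4203.666.5.16"
/* resultCode shown by ldapsearch as "Critical extension is unavailable (12)". */
#define LDAP_UNAVAILABLE_CRITICAL_EXTENSION 12

/* Minimal BER writer: tag, definite length (up to two length octets), contents.
 * Returns bytes written, 0 if `cap` is too small. Example code, not libldap. */
static size_t ber_tlv(uint8_t *out, size_t cap, uint8_t tag,
                      const uint8_t *val, size_t len)
{
    uint8_t hdr[4];
    size_t h = 0;
    hdr[h++] = tag;
    if (len < 0x80)       { hdr[h++] = (uint8_t)len; }
    else if (len < 0x100) { hdr[h++] = 0x81; hdr[h++] = (uint8_t)len; }
    else { hdr[h++] = 0x82; hdr[h++] = (uint8_t)(len >> 8); hdr[h++] = (uint8_t)len; }
    if (h + len > cap) return 0;
    memcpy(out, hdr, h);
    memcpy(out + h, val, len);
    return h + len;
}

/* controlValue of draft-masarati-ldap-deref for one spec given the way
 * ldapsearch -E takes it, "derefAttr:attr1,attr2":
 *   SEQUENCE OF DerefSpec { derefAttr OCTET STRING, attributes SEQUENCE OF OCTET STRING } */
static size_t encode_deref_value(const char *spec, uint8_t *out, size_t cap)
{
    uint8_t attrs[256], dspec[512], seq[512];
    size_t alen = 0, dlen, n;
    const char *colon = strchr(spec, ':');
    if (colon == NULL || colon == spec) return 0;
    for (const char *p = colon + 1; *p != '\0'; ) {        /* AttributeList */
        const char *comma = strchr(p, ',');
        size_t l = comma ? (size_t)(comma - p) : strlen(p);
        if (l == 0) return 0;
        n = ber_tlv(attrs + alen, sizeof attrs - alen, 0x04, (const uint8_t *)p, l);
        if (n == 0) return 0;
        alen += n;
        p += l + (comma ? 1 : 0);
    }
    if (alen == 0) return 0;
    dlen = ber_tlv(dspec, sizeof dspec, 0x04, (const uint8_t *)spec, (size_t)(colon - spec));
    if (dlen == 0) return 0;
    n = ber_tlv(dspec + dlen, sizeof dspec - dlen, 0x30, attrs, alen);
    if (n == 0) return 0;
    dlen += n;
    n = ber_tlv(seq, sizeof seq, 0x30, dspec, dlen);       /* one DerefSpec */
    if (n == 0) return 0;
    return ber_tlv(out, cap, 0x30, seq, n);                /* SEQUENCE OF DerefSpec */
}

/* Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
 *                        controlValue OCTET STRING }
 * `critical` is the '!' of ldapsearch; a non-critical control has no BOOLEAN. */
size_t encode_deref_control(bool critical, const char *spec, uint8_t *out, size_t cap)
{
    static const uint8_t ber_true = 0xff;
    uint8_t value[512], body[1024];
    size_t vlen, blen, n;
    vlen = encode_deref_value(spec, value, sizeof value);
    if (vlen == 0) return 0;
    blen = ber_tlv(body, sizeof body, 0x04, (const uint8_t *)DEREF_OID, strlen(DEREF_OID));
    if (critical) {
        n = ber_tlv(body + blen, sizeof body - blen, 0x01, &ber_true, 1);
        if (n == 0) return 0;
        blen += n;
    }
    n = ber_tlv(body + blen, sizeof body - blen, 0x04, value, vlen);
    if (n == 0) return 0;
    blen += n;
    return ber_tlv(out, cap, 0x30, body, blen);
}

/* Read the criticality flag back out of an encoded Control (OID shorter than
 * 128 bytes assumed). Returns 1 critical, 0 not critical, -1 malformed. */
int control_is_critical(const uint8_t *ctrl, size_t len)
{
    size_t i = 0;
    if (len < 2 || ctrl[i++] != 0x30) return -1;
    i += (ctrl[i] & 0x80) ? (size_t)(ctrl[i] & 0x7f) + 1 : 1;   /* outer length */
    if (i + 1 >= len || ctrl[i] != 0x04) return -1;             /* controlType */
    i += 2 + ctrl[i + 1];
    if (i + 3 <= len && ctrl[i] == 0x01 && ctrl[i + 1] == 0x01) return ctrl[i + 2] != 0;
    return 0;                                                   /* absent: DEFAULT FALSE */
}

/* The handling the revert asks for: keep the control critical and, when the
 * server rejects it with resultCode 12, retry without dereferencing instead
 * of accepting a reply whose deref data may silently be missing. */
bool should_retry_without_deref(int result_code, bool sent_critical)
{
    return sent_critical && result_code == LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
}

/* Convenience wrappers: encode into a scratch buffer, report size / criticality. */
size_t deref_control_len(bool critical, const char *spec)
{
    uint8_t buf[1024];
    return encode_deref_control(critical, spec, buf, sizeof buf);
}
int deref_control_critical(bool critical, const char *spec)
{
    uint8_t buf[1024];
    size_t n = encode_deref_control(critical, spec, buf, sizeof buf);
    return n ? control_is_critical(buf, n) : -1;
}
```

For the spec "member:cn,uid" (the ldapsearch invocation quoted above) the critical control is 57 bytes and the non-critical one 54: the only difference is the three-byte BOOLEAN TRUE, which is exactly what an older server that does not honour the control trips over.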
fc8d98c9f0bb26de7be732c3e542b85c8abdba53 |
|
09-Aug-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
SDAP: Deref needn't be treated as critical
The command line utility ldapsearch does not set the option LDAP_CONTROL_X_DEREF as
critical.
sssd performs a similar ldap search as the following command:
sh-4.2$ ldapsearch -x -LLL -h 172.17.0.7 \
-b 'cn=ref_grp1,ou=qagroup,dc=example,dc=com' \
-E '!deref=member:objectClass,cn,userPassword,gidNumber,member,modifyTimestamp,modifyTimestamp,uid' \
objectClass,cn,userPassword,gidNumber,member,modifyTimestamp,modifyTimestamp,uid
Critical extension is unavailable (12)
Additional information: critical control unavailable in context
The most important part is the "exclamation mark" before the extension. It indicates
criticality. This caused a problem when the openldap server was older,
openldap-2.4.23-34.el6. Dereference is performed successfully if the extension is
not critical: -E 'deref=member:objectClass ...
Resolves:
https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
d5903e1982525d27cb135899c8827ec253599d8c |
|
05-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Dump LDAP server IP address with a high DEBUG level
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
f47a1a7add1bcf78f26e9be457ff1a771e7377df |
|
05-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Print referrals for debugging purposes
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
d8dc383c438fad9b3b5ce4ad9e5c67271b22bf3a |
|
22-Jul-2014 |
Pavel Reichl <preichl@redhat.com> |
SDAP: remove duplicated code
Body of functions sdap_x_deref_search_done(), sdap_asq_search_done(),
sdap_sd_search_done and sdap_get_generic_done() are the same. Remove
code duplication by calling sdap_get_generic_done() from
sdap_x_deref_search_done(), sdap_sd_search_done and from
sdap_asq_search_done() instead of having two more duplicate
implementations.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
34de8a00f5b480ef3f46d2516e072e4acf1ebf87 |
|
08-Jul-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Remove unused output parameter _dn from sdap_parse_entry
No caller directly accessed this parameter. Moreover, it seemed useless
since the same data is available as SYSDB_ORIGINAL_DN in the attributes.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
60cab26b12df9a2153823972cde0c38ca86e01b9 |
|
13-May-2014 |
Yassir Elley <yelley@redhat.com> |
Implemented LDAP component of GPO-based access control
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
25ac7bda643c8872b5a29bc856c374e76a7f8363 |
|
18-Feb-2014 |
Pavel Březina <pbrezina@redhat.com> |
sdap: move non async functions from sdap_async.c to sdap_utils.c
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
83bf46f4066e3d5e838a32357c201de9bd6ecdfd |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Update DEBUG* invocations to use new levels
Use a script to update DEBUG* macro invocations, which use literal
numbers for levels, to use bitmask macros instead:
grep -rl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e 'use strict;
use File::Slurp;
my @map=qw"
SSSDBG_FATAL_FAILURE
SSSDBG_CRIT_FAILURE
SSSDBG_OP_FAILURE
SSSDBG_MINOR_FAILURE
SSSDBG_CONF_SETTINGS
SSSDBG_FUNC_DATA
SSSDBG_TRACE_FUNC
SSSDBG_TRACE_LIBS
SSSDBG_TRACE_INTERNAL
SSSDBG_TRACE_ALL
";
my $text=read_file(\*STDIN);
my $repl;
$text=~s/
^
(
.*
\b
(DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
\s*
\(\s*
)(
[0-9]
)(
\s*,
)
(
\s*
)
(
.*
)
$
/
$repl = $1.$map[$3].$4.$5.$6,
length($repl) <= 80
? $repl
: $1.$map[$3].$4."\n".(" " x length($1)).$6
/xmge;
print $text;
' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
e81deec535d11912b87954c81a1edd768c1386c9 |
|
12-Feb-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Detect the presence of POSIX attributes
When the schema is set to AD and ID mapping is not used, there is a one-time
check run when searching for users to detect the presence of POSIX
attributes in LDAP. If this check fails, the search fails as if no entry
was found and returns a special error code.
The sdap_server_opts structure is filled every time a client connects to
a server so the posix check boolean is reset to false again on connecting
to the server.
It might be better to move the check to where the rootDSE is retrieved,
but the check depends on several features that are not known to the code
that retrieves the rootDSE (or the connection code for example) such as what
the attribute mappings are or the authentication method that should be used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
2a96981a0ac781d01e5bba473409ed2bdf4cd4e0 |
|
09-Jan-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Add a new error code for malformed access control filter
https://fedorahosted.org/sssd/ticket/2164
The patch adds a new error code and special cases the new code so that
access is denied and a nicer log message is shown. |
c9124effceb40890bc9dd157155618067a7b8d2f |
|
19-Dec-2013 |
Sumit Bose <sbose@redhat.com> |
Use sysdb_attrs_add_lc_name_alias to add case-insensitive alias |
5fe6ca5e339fd345119752e996c14edf8db57660 |
|
22-Oct-2013 |
Sumit Bose <sbose@redhat.com> |
sdap_get_generic_ext_send: check if we are still connected
At the beginning of an LDAP request we check if we are connected and have
a valid sdap handle. But for some requests more than one LDAP operation,
typically a search, is needed. Due to the asynchronous handling of LDAP
requests it might be possible that a second request detects a server
error and closes the connection while the first request has just finished one
LDAP search and wants to start a new LDAP search.
This patch tries to make sure that there is a valid sdap handle before
sending an LDAP search to the server.
Fixes https://fedorahosted.org/sssd/ticket/2126 |
37817cf318df48bf892da0d7cc21ef85b9b82484 |
|
11-Sep-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fix formatting of variables with ber_ type |
6f6e4408cedaebbfcef61e5adb78ba75abe5839d |
|
17-Jul-2013 |
Pavel Březina <pbrezina@redhat.com> |
print hint about password complexity when new password is rejected
https://fedorahosted.org/sssd/ticket/1827 |
3ca846cfb59dee6e20b94c4aee2716f1a20ebd3a |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: store FQDNs for trusted users and groups
Because the NSS responder expects the name attribute to contain FQDN,
we must save the name as FQDN in the LDAP provider if the domain we save
to is a subdomain. |
7c116e6b9c55cf08a8010a5919066207b82e3859 |
|
30-May-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Prevent segfault while processing ASQ request
https://fedorahosted.org/sssd/ticket/1950 |
6263578b03a52b3ec3a2e33e097554241780fc20 |
|
23-May-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Adding option to disable retrieving large AD groups.
This commit adds a new option ldap_disable_range_retrieval with default value
FALSE. If this option is enabled, large groups (>1500) will not be retrieved and
behaviour will be similar to what it was before commit ae8d047122c
"LDAP: Handle very large Active Directory groups"
https://fedorahosted.org/sssd/ticket/1823 |
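The 1500-member limit behind this option (and behind the earlier "LDAP: Handle very large Active Directory groups" commit further down) is Active Directory's range retrieval: when a multi-valued attribute exceeds the server's per-reply value limit, the values come back under an attribute description such as member;range=0-1499, the client asks for the remainder with member;range=1500-*, and the server marks the final slice with a trailing '*' (a small group is returned as plain member with no option at all). Added example, not SSSD code: a parser for the range option, the builder for the next request, and a constructed model of the server side driving a client loop so the round trips can be counted offline. The types, function names and the page size of the model are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed form of an attribute description carrying AD's range option,
 * e.g. "member;range=0-1499" or "member;range=1500-*". Hypothetical type. */
struct range_attr {
    char base[64];        /* attribute name without the option, "member" */
    unsigned long lo, hi; /* inclusive index bounds of the returned slice */
    bool is_last;         /* true for "lo-*": the server sent the final slice */
};

/* Returns true and fills *out if attr carries a well-formed range option,
 * false for a plain attribute ("member") or a malformed option. */
bool parse_range_attr(const char *attr, struct range_attr *out)
{
    const char *opt = strchr(attr, ';');
    if (opt == NULL || strncmp(opt, ";range=", 7) != 0) return false;
    size_t blen = (size_t)(opt - attr);
    if (blen == 0 || blen >= sizeof(out->base)) return false;
    memcpy(out->base, attr, blen);
    out->base[blen] = '\0';

    const char *p = opt + 7;
    char *end;
    out->lo = strtoul(p, &end, 10);
    if (end == p || *end != '-') return false;
    p = end + 1;
    if (strcmp(p, "*") == 0) {                 /* "lo-*": last slice */
        out->hi = out->lo;
        out->is_last = true;
        return true;
    }
    out->hi = strtoul(p, &end, 10);
    if (end == p || *end != '\0' || out->hi < out->lo) return false;
    out->is_last = false;
    return true;
}

/* Attribute description to request in the next search, or NULL when the
 * reply carried the last slice or no range option at all. A malformed
 * option also yields NULL and sets *err (if given); never loop on that. */
const char *next_range_request(const char *attr, bool *err)
{
    static char buf[96];
    struct range_attr r;
    if (err) *err = false;
    if (strchr(attr, ';') == NULL) return NULL;          /* untruncated */
    if (!parse_range_attr(attr, &r)) { if (err) *err = true; return NULL; }
    if (r.is_last) return NULL;
    snprintf(buf, sizeof buf, "%s;range=%lu-*", r.base, r.hi + 1);
    return buf;
}

bool range_attr_is_malformed(const char *attr)
{
    bool err;
    next_range_request(attr, &err);
    return err;
}

/* Constructed model of the server side (not SSSD code): for a group with
 * `total` members and `page` values per reply, write the attribute
 * description AD would return for a request starting at `lo` and return
 * how many values that reply carries. */
static unsigned long model_reply(unsigned long total, unsigned long page,
                                 unsigned long lo, char *attr, size_t n)
{
    if (lo == 0 && total <= page) { snprintf(attr, n, "%s", "member"); return total; }
    if (lo >= total) { snprintf(attr, n, "member;range=%lu-*", lo); return 0; }
    unsigned long left = total - lo;
    if (left <= page) { snprintf(attr, n, "member;range=%lu-*", lo); return left; }
    snprintf(attr, n, "member;range=%lu-%lu", lo, lo + page - 1);
    return page;
}

/* Client loop: keep asking for the next slice until the server marks the
 * last one. Returns the number of round trips (0 on a malformed reply) and,
 * via *members if non-NULL, how many values were collected in total. */
unsigned long fetch_all_members(unsigned long total, unsigned long page,
                                unsigned long *members)
{
    char attr[96];
    unsigned long lo = 0, trips = 0, got = 0;
    bool err;
    for (;;) {
        got += model_reply(total, page, lo, attr, sizeof attr);
        trips++;
        const char *next = next_range_request(attr, &err);
        if (err) return 0;
        if (next == NULL) break;
        lo = strtoul(strchr(next, '=') + 1, NULL, 10);   /* "<base>;range=<lo>-*" */
    }
    if (members) *members = got;
    return trips;
}

unsigned long members_fetched(unsigned long total, unsigned long page)
{
    unsigned long m = 0;
    return fetch_all_members(total, page, &m) ? m : 0;
}
```

With a 1500-value page a 3200-member group costs three searches (0-1499, 1500-2999, 3000-*); disabling range retrieval, as the option above does, means stopping after the first reply and keeping only the first slice.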
7486dea9f5f7b2a6fbbacc6db740a82140b6377c |
|
20-May-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fixing critical format string issues.
--missing arguments.
--format '%s', but argument is integer.
--wrong format string, example: '%\n' |
4709ff46db0dbe073aef061b796d2fd7adeaf18f |
|
21-Mar-2013 |
Jan Cholasta <jcholast@redhat.com> |
LDAP: If deref search fails, try again without deref
https://fedorahosted.org/sssd/ticket/1660 |
233a3c6c48972b177e60d6ef4cecfacd3cf31659 |
|
19-Mar-2013 |
Simo Sorce <simo@redhat.com> |
Use common error facility instead of sdap_result
Simplifies and consolidates error reporting for ldap authentication paths.
Adds 3 new error codes:
ERR_CHPASS_DENIED - Used when password constraints deny password changes
ERR_ACCOUNT_EXPIRED - Account is expired
ERR_PASSWORD_EXPIRED - Password is expired |
956309e24c32cd0886736bf065a27d5bdd200a77 |
|
26-Feb-2013 |
Jan Engelhardt <jengelh@inai.de> |
sysdb: try dealing with binary-content attributes
https://fedorahosted.org/sssd/ticket/1818
I have here a LDAP user entry which has this attribute
loginAllowedTimeMap::
AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA
In the function sysdb_attrs_add_string(), called from
sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is
the wrong thing to do. The result of strlen is then used to populate
the .v_length member of a struct ldb_val - and this will set it to
zero in this case. (There is also the problem that there may not be
a '\0' at all in the blob.)
Subsequently, .v_length being 0 makes ldb_modify(), called from
sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End
result is that users do not get stored in the sysdb, and programs like
`id` or `getent ...` show incomplete information.
The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave
fine, but that may not mean that is the absolute lower boundary of
introduction of the problem. |
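Added illustration of the defect this commit message describes, not SSSD code: the sample bytes are the first twelve bytes decoded from the base64 prefix "AAAAAAAAAP///38A" of the loginAllowedTimeMap value quoted above, and they begin with a NUL, so strlen() reports a length of zero and the resulting zero-length value is what the schema check then rejects. The example contrasts the C-string length with the explicit length that ldap_get_values_len()-style APIs carry alongside the data, adds the check a caller needs before treating a value as text, and stores the value with its full length. The attr_val type and the function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* What an LDAP client library hands back for a value: pointer plus explicit
 * length. Stand-in for this example, mirroring struct berval / struct ldb_val. */
struct attr_val {
    const unsigned char *data;
    size_t length;
};

/* Constructed sample input: first 12 bytes of the loginAllowedTimeMap value
 * quoted in the commit message (base64 "AAAAAAAAAP///38A" decoded). */
static const unsigned char TIME_MAP[12] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x00
};

struct attr_val sample_time_map(void)
{
    struct attr_val v = { TIME_MAP, sizeof TIME_MAP };
    return v;
}

/* An ordinary text value, e.g. a uid, for comparison. */
struct attr_val text_val(const char *s)
{
    struct attr_val v = { (const unsigned char *)s, strlen(s) };
    return v;
}

/* The defect: treating the value as a C string. strlen() stops at the first
 * NUL, which for the bitmap above is byte 0, so the "length" is 0. It may
 * also read past the end of a value that contains no NUL at all. */
size_t length_via_strlen(struct attr_val v)
{
    return strlen((const char *)v.data);
}

/* True only if the value can be handled as a NUL-terminated string, i.e. it
 * contains no embedded NUL within its declared length. */
bool value_is_text(struct attr_val v)
{
    return memchr(v.data, '\0', v.length) == NULL;
}

/* Copy the value into an owned buffer, preserving its full length, and
 * append a NUL so text consumers work as well. Caller frees *out_data.
 * Returns 0 on success, -1 on allocation failure. */
int store_value(struct attr_val v, unsigned char **out_data, size_t *out_len)
{
    unsigned char *copy = malloc(v.length + 1);
    if (copy == NULL) return -1;
    memcpy(copy, v.data, v.length);
    copy[v.length] = '\0';
    *out_data = copy;
    *out_len = v.length;
    return 0;
}

/* Length the stored copy ends up with (what v_length should be set from). */
size_t stored_length(struct attr_val v)
{
    unsigned char *data;
    size_t len;
    if (store_value(v, &data, &len) != 0) return 0;
    free(data);
    return len;
}
```

For the bitmap, length_via_strlen() returns 0 while stored_length() returns 12; for a plain text value such as "jdoe" both agree, which is why the bug only shows up on binary attributes.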
64af76e2bef2565caa9738f675c108a4b3789237 |
|
10-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Change pam data auth tokens.
Use the new authtok abstraction and interfaces throughout the code. |
e6ba224432bfcd64802222a3544bc38c179727cd |
|
24-Sep-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
AD: Detect domain controller compatibility version |
33988e421afa86892a732cc74c153fdc5be8703b |
|
16-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Fixed wrong number in shadowLastChange
The attribute is supposed to contain number of days since the epoch, not
the number of seconds. |
2c62da337e31217d03f5bf0f768b574d166bb2fe |
|
13-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Auto-detect support for the ldap match rule
This patch extends the RootDSE lookup so that we will perform a
second request to test whether the match rule syntax can be used.
If both groups and initgroups are disabled in the configuration,
this lookup request can be skipped. |
f56e704cf0b3b0e9e997e96221fa82d488ee8ca7 |
|
31-May-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Ghost members - removed sdap_check_aliases()
This function is no longer necessary because we don't have fake user
entries any more. The original purpose of this function was to check if
there are fake user entries for particular user and, if yes, to update
its membership. |
02837b3dda135680051067223b6b30a7e65d1740 |
|
22-May-2012 |
Ariel Barria <arielb@fedoraproject.org> |
Warn to syslog when dereference requests fail |
ae8d047122c7ba8123f72b2eac68944868ac37d4 |
|
10-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Handle very large Active Directory groups
Active Directory 2008R2 allows only 1500 group members to be
retrieved in a single lookup. However, when we hit such a
situation, we can take advantage of the ASQ lookups, which are not
similarly limited.
With this patch, we will add any members found by ASQ that were
not found by the initial lookup so we will end with a complete
group listing.
https://fedorahosted.org/sssd/ticket/783 |
4627cf4d8a949d1d7b4a9b24f9ad3b9a06d5b5bc |
|
07-May-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Special-case LDAP_SIZELIMIT_EXCEEDED
Previous version of the SSSD did not abort the async LDAP search
operation on errors. In cases where the request ended in progress, such
as when the paging was very strictly limited, the old versions at least
returned partial data.
This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a
user-visible regression.
https://fedorahosted.org/sssd/ticket/1322 |
dbdf6911688315515a36bb91786108a95d033128 |
|
03-May-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Read sysdb attribute name, not LDAP attribute map name
https://fedorahosted.org/sssd/ticket/1320 |
f34a9f4bd791d9ba7b4bb1df5011e68eb9f6d485 |
|
20-Apr-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
sdap_check_aliases must not error when detects the same user
https://fedorahosted.org/sssd/ticket/1307 |
bd09ead65cded3207cf228c44a31bbc87c2979bd |
|
18-Apr-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Prevent printing NULL from DEBUG messages |
da0da0419e96fef0e79469328b1dfe1c28913838 |
|
21-Mar-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add better error logging when ldap_result() fails |
2f3ee3f49019f5b60adbe073070f31e6e2d7c7ab |
|
24-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Only use paging control on requests for multiple entries
The paging control can cause issues on servers that put limits on
how many paging controls can be active at one time (on some
servers, it is limited to one per connection). We need to reduce
our usage so that we only activate the paging control when making
a request that may return an arbitrary number of results.
https://fedorahosted.org/sssd/ticket/1202 phase one |
4f2951e4d3b4470babd76dffff7ef89b1f7bd7d3 |
|
22-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
End request if ldap_parse_result fails |
c9750312bfb4196b49ba6f91b26489f630958452 |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Update shadowLastChanged attribute during LDAP password change
https://fedorahosted.org/sssd/ticket/1019 |
8270b1b8505e4bce5ec065daa8fcdf985e1fc9f5 |
|
18-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add option to disable paging control
Fixes https://fedorahosted.org/sssd/ticket/967 |
940e033c0c427d02a34347dbd2f4443fa625b111 |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use the case sensitivity flag in the LDAP provider |
70a33bdf7db34fe4d1ba194cf9ea28c758719b4b |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Refactor saving sdap entities
There was too much code duplication between
sdap_save_{user,group,netgroup}. This patch removes the most egregious ones. |
ac3a1f3da772cf101101c31675c63dc3549b21b5 |
|
22-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Cleanup: Remove unused parameters |
37a76cff2478d8be3d11ccb7ff42d9d863f1839e |
|
18-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Prevent printing NULL in several places of LDAP provider |
c9fd6c31a30644bee52fa30240e7101d15833c9a |
|
02-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Remove confusing do-while loop
The deref processing would return a single control back. The do-while
loop was harmless but confusing. |
f2b1b79d8acc2f6b401bf280dd34325d09011bdf |
|
02-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use LDAPDerefSpec properly
ldap_create_deref_control_value expects an array of LDAPDerefSpec structures
with LDAPDerefSpec.derefAttr == NULL as a sentinel. We were passing a
single instance of a LDAPDerefSpec structure.
https://fedorahosted.org/sssd/ticket/1050 |
033d1e3985288ec827db85882b052104485606ac |
|
28-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Store name aliases for users, groups
Also checks fake users for aliases when storing a real user so that
getgrnam for a RFC2307 group that references a user by his secondary
name followed by getpwnam for this user by his primary name works |
64caba9e680b72f6d7c174cb86275720389850d6 |
|
06-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Keep deref controls until the whole request is finished
https://fedorahosted.org/sssd/ticket/989
John Hodrien found out that when paging is used while dereferencing an
entry, sssd_be may segfault on the second page.
This was because paging returned the control to sdap_generic_search
multiple times but sssd was freeing the dereference control after the first
search invocation. The subsequent sdap searches accessed memory that was
already freed. |
cd5b718ebeab1c923af7a5c3c0a5c717c5659c7d |
|
06-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Improve error message for LDAP password constraint violation
https://fedorahosted.org/sssd/ticket/985 |
9b5c5f041e92802aa074037d283674cb6eca1a23 |
|
06-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Allow turning dereference off by setting the threshold to 0 |
54423ae32fa26aa7790a67ff0f9a93b96677e590 |
|
06-Sep-2011 |
Pavel Březina <pbrezina@redhat.com> |
sss_ldap_err2string() - ldap_err2string() to sss_ldap_err2string()
https://fedorahosted.org/sssd/ticket/986 |
99dd40a885ed3d42af4bbbde7ee2fc98830544d0 |
|
25-Aug-2011 |
Pavel Březina <pbrezina@redhat.com> |
New DEBUG facility - conversion
https://fedorahosted.org/sssd/ticket/925
Conversion of the old debug_level format to the new one.
(only where it was necessary)
Removed:
SSS_DEFAULT_DEBUG_LEVEL (completely replaced with SSSDBG_DEFAULT) |
621c0a33924a8b1a657b552dd609a551a79a7aea |
|
24-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix uninitialized pointer read in sdap_x_deref_parse_entry
https://fedorahosted.org/sssd/ticket/877 |
b0c83f802761ffd9098c76a4d87c64892d5a4813 |
|
24-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix bad comparison in sdap_has_deref_support
https://fedorahosted.org/sssd/ticket/876 |
d4bfba145e74aa8c0f9e7c36e548fc9965822a12 |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Generic dereference search
A generic wrapper around ASQ and OpenLDAP dereference searches.
https://fedorahosted.org/sssd/ticket/635 |
258d4b400f72e89f4428302d82c886f9c4c45c3e |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
OpenLDAP dereference searches
This dereference method is supported at least by OpenLDAP and
389DS/RHDS
For more details, see:
http://tools.ietf.org/html/draft-masarati-ldap-deref-00 |
2cc60b61c8d487221f88703b1784a92d9a1525e4 |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add support for Attribute Scoped Queries
For more details on ASQ, see:
http://msdn.microsoft.com/en-us/library/aa366976%28VS.85%29.aspx
http://msdn.microsoft.com/en-us/library/aa746418%28v=VS.85%29.aspx |
0a4b0580d8f5de1733ea065553992edfcb793de5 |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Generic dereference data structures and utilities
These will be shared by both dereference methods in a later patch. |
4dbc76b8784eed6dbf4d9b40c0f59fd0bceeeec7 |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
sdap_get_generic_ext
Add a private sdap_get_generic_ext_send()/_recv() request that
exposes more of ldap_search_ext options, in particular the server
controls. The existing sdap_generic_search_send()/_recv() request
is now a thin wrapper around the new _ext request.
The other important change is that entry parsing is a callback now.
That was done in order to allow custom parsing for results such as
OpenLDAP deref or Attribute Scoped Queries. |
8c7e6e71b435857802f12c8de09d34b052880eb6 |
|
28-Apr-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Do not leak LDAP paging controls |
b35da26911249aa48052655eef02f16e12930cf9 |
|
27-Apr-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add ldap_page_size configuration option |
5ed0e9f015a9948530292918dce7b8d46dcd0d6b |
|
27-Apr-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Enable paging support for LDAP |
3156735c3183fbd8c674d4605cf0d09bea54edd4 |
|
27-Apr-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Log the LDAP message type we're processing |
4a28fb10122bd74ba33607af46f028813de9161d |
|
08-Apr-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Don't pass NULL to printf for TLS errors
https://fedorahosted.org/sssd/ticket/643 |
d0d3497c10a02e8489198dc3e1edc621bfac0c6d |
|
09-Mar-2011 |
Sumit Bose <sbose@redhat.com> |
Release handle if not connected |
a530a96721d8106a6839b6b643b0abc5d7a7b9e0 |
|
17-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add timeout parameter to sdap_get_generic_send() |
1d9eec9e868fbc2d996f1030a43675be9a840133 |
|
07-Dec-2010 |
Simo Sorce <ssorce@redhat.com> |
ldap: add checks to determine if USN features are available. |
d64940d823b7d860ef65e000f084fd3f62b51d81 |
|
05-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Review comments for namingContexts patches |
e481c0f0f16bcb787debf05584a0550a7052dda4 |
|
04-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Use (default)namingContext to set empty search bases |
dc6fb2323c964456d4b22597b575e42f1fd79246 |
|
04-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Add defaultNamingContext to RootDSE attributes |
59cc610d3a4885c5d37185b9adad39168feb6b55 |
|
22-Oct-2010 |
Sumit Bose <sbose@redhat.com> |
Add some missing ldap_memfree() |
6c188d847dfcd2778d134d5a0f80ecbce53e7b57 |
|
15-Sep-2010 |
Simo Sorce <ssorce@redhat.com> |
Check if control is supported before using it. |
6480abbd1bba71efa8a834fada6505d1767fabfc |
|
15-Sep-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Revert "Make ldap bind asynchronous"
This reverts 56d8d19ac9d857580a233d8264e851883b883c67 |
56d8d19ac9d857580a233d8264e851883b883c67 |
|
02-Sep-2010 |
Martin Nagy <mnagy@redhat.com> |
Make ldap bind asynchronous
Every ldap function that could possibly create a new connection is now
wrapped in a tevent_req. If the connection is created, we will call the
function again after the socket is ready for writing. |
602fa2c3ef0d088b7b834e9d2ebb306d104a79ce |
|
02-Sep-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Properly handle errors from a password change operation |
2ee34809cb2d580ac7a3e1fd666b005543e3aa8d |
|
09-Jul-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Log TLS errors to syslog
Also adds support for detecting LDAPS errors by adding a check for
SDAP_DIAGNOSTIC_MESSAGE after ldap_search_ext() |
09c170c5b5cf0d62e7302ef284a1e35072ef1d95 |
|
09-Jul-2010 |
eindenbom <eindenbom@gmail.com> |
Remove remainder of now unused global LDAP connection handle. |
0daccb28ba9b40a20ac3494aea42ce68c7a92a31 |
|
28-Jun-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Make RootDSE optional
In violation of the standard, some LDAP servers control access to
the RootDSE, thus preventing us from being able to read it before
performing a bind.
This patch will allow us to continue on if the RootDSE was
inaccessible. All of the places that we use the return value of
the RootDSE after this are already checked for NULL and use sane
defaults if the RootDSE is unavailable |
b22c0449d1f4943944b8a4dd037f97a69192c6ca |
|
28-Jun-2010 |
Alexander Gordeev <lasaine@lvk.cs.msu.su> |
Add explicit requests for several operational attrs
Operational attributes are not returned in search requests unless
explicitly requested, according to RFC 4512 section 5.1. Therefore, to
get several standard attributes of the root DSE we have to request
them explicitly. The requested attrs are:
- altServer
- namingContexts
- supportedControl
- supportedExtension
- supportedFeatures
- supportedLDAPVersion
- supportedSASLMechanisms
Signed-off-by: Alexander Gordeev <lasaine@lvk.cs.msu.su> |
2d54b2a56b83315b3f89e082f8bf89fe8132a685 |
|
07-May-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Use all available servers in LDAP provider |
6c8223ed11b46e44187b7f2ff201d68393b8c32e |
|
03-May-2010 |
Simo Sorce <ssorce@redhat.com> |
Avoid freeing sdap_handle too early
Prevent freeing the sdap_handle by failing in the destructor if we
are trying to recurse. |
5b680ac8ef46fc1714f2ab59a07f68ac386ad89b |
|
26-Apr-2010 |
Sumit Bose <sbose@redhat.com> |
Make the handling of fd events opaque
Depending on the version of the OpenLDAP libraries we use two different
schemes to find the file descriptor of the connection to the LDAP
server. This patch removes the related ifdefs from the main code and
introduces helper functions which can handle the specific cases. |
b3f76cd4c5cacaad7580f953f3c17ab019d89330 |
|
22-Mar-2010 |
Sumit Bose <sbose@redhat.com> |
Lower debug level of unexpected LDAP result codes |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |