a537df2ea99acb0181dc360ddf9a60b69c16faf0 |
|
25-Apr-2018 |
Fabiano Fidêncio <fidencio@redhat.com> |
SDAP: Add sdap_handle_id_collision_for_incomplete_groups()
This newly added function is a helper to properly handle group
id-collisions when renaming incomplete groups and it does:
- Deletes the group from sysdb
- Adds the new incomplete group
- Notifies the NSS responder that the entry also has to be deleted from
the memory cache
This function will be called from
sdap_ad_save_group_membership_with_idmapping() and from
sdap_add_incomplete_groups().
Related:
https://pagure.io/SSSD/sssd/issue/2653
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
60a715a0dd79873d2d2607eab8fdfaf0ffd2e7d3 |
|
09-Feb-2018 |
Hristo Venev <hristo@venev.name> |
providers: Move hostid from ipa to sdap, v2
In the ldap provider, all option names are renamed to ldap_host_*. In
the ipa provider the names haven't been changed.
Host lookups for both ipa and ldap are handled in the ldap provider.
sss_ssh_knownhostsproxy works but hostgroups are still only available
in the ipa provider.
I've also added some documentation for the ldap provider.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ba8a92bbd59f189bd1323dd0c4010cdfc694be35 |
|
06-Dec-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Rename sdap_posix_check to sdap_gc_posix_check
Because searching the LDAP port of an Active Directory server with a NULL
search base yields an error:
https://technet.microsoft.com/en-us/library/cc755809(v=ws.10).aspx
we changed the POSIX check request to only run against a GC connection
in a previous patch. To make it clearer to the caller that this request
should only be used with a GC connection, this patch renames the
request.
There are no functional changes in this patch.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
6ae22d9adc0b075361defc99b8f14480ba8e7b46 |
|
06-Dec-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Search with a NULL search base when looking up an ID in the Global Catalog
The posix_check request is used to determine whether domains in the forest
replicate the POSIX attributes into the Global Catalog. And since the
schema modification that replicates the attributes is not per-domain, but
per-forest, we don't need to iterate over search bases when checking for
the POSIX attribute presence. It is OK to just search with a NULL search
base (and it's what Windows clients do, too).
Additionally, searching over the whole GC will come in handy when implementing
the request that locates an account's domain.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
70c0648f021ded3d31313eb962e1ad140f242673 |
|
23-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
sdap_get_users_send(): new argument mapped_attrs
mapped_attrs can be a list of sysdb_attrs which are not available on
the server side but should be stored with the cached user entry. This is
needed e.g. when the input to look up the user in LDAP is not an
attribute which is stored in LDAP but some data where LDAP attributes
are extracted from. The current use case is the certificate mapping
library which can create LDAP search filters based on content of the
certificate. To allow upcoming cache lookup to use the input directly it
is stored in the user object in the cache.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
9b29f86df7a29249ef8f485eedb8db515381c0de |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Rename DP filter value from name to filter_value
filter_value is a better name, because we don't look just by name, the
same variable is used to look up certificates etc.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
7cc19286547260350afed9ef7176712f8fc66652 |
|
07-Jul-2016 |
Michal Zidek <mzidek@redhat.com> |
SDAP: Save user and group aliases qualified
When saving users or groups, qualify their names. Otherwise (currently
netgroups), store a plain username.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
cc2d77d5218c188119fa954c856e858cbde76947 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
Rename dp_backend.h to backend.h
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
95c132e1a8c6bbab4be8b3a340333fadd8076122 |
|
19-Jan-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Make it possible to silence errors from dereference
https://fedorahosted.org/sssd/ticket/2791
When a modern IPA client is connected to an old (3.x) IPA server, the
attribute dereferenced during the ID views lookup does not exist, which
triggers an error during the dereference processing and also a confusing
syslog message.
This patch suppresses the syslog message.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
1f2fc55ecf7b5e170b2c0752304d1a2ecebc5259 |
|
15-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Add sdap_lookup_type enum
Related:
https://fedorahosted.org/sssd/ticket/2553
Change the boolean parameter of sdap_get_users_send and sdap_get_groups_send
to a tri-state that controls whether we expect only a single entry
(i.e. don't use the paging control), multiple entries with a search limit
(wildcard request) or multiple entries with no limit (enumeration).
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
f4e643ed7df771f83e903a6309f7ff0917819d25 |
|
15-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Add sdap_get_and_parse_generic_send
Related:
https://fedorahosted.org/sssd/ticket/2553
So far we had a simple sdap_get_generic_send() request that uses the
right defaults around the low-level sdap_get_generic_ext_send() request
and calls the parser.
This patch adds also sdap_get_and_parse_generic_send() that exposes all
options that sdap_get_generic_ext_send() offers but also calls the
parser.
In this patch the function is not used at all.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
31bafc0d6384a30859aa18f3bd22275aec6ee2ed |
|
28-May-2015 |
Stephen Gallagher <sgallagh@redhat.com> |
AD GPO: Support processing referrals
For GPOs assigned to a site, it's possible that their definition
actually exists in another domain. To retrieve this information,
we need to follow the referral and perform a base search on
another domain controller.
Resolves:
https://fedorahosted.org/sssd/ticket/2645
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
0f9c28eb52d2b45c8a97f709308dc11377831b8c |
|
06-May-2015 |
Sumit Bose <sbose@redhat.com> |
IPA: allow initgroups by UUID for FreeIPA users
If a FreeIPA user is searched with the help of an override name the UUID
from the override anchor is used to search the user. Currently the
initgroups request only allows searches by SID or name. With this patch
a UUID can be used as well.
Related to https://fedorahosted.org/sssd/ticket/2642
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f0072e2b102f3b553533402d4ae42b1989b0370e |
|
23-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Make password change timeout configurable with ldap_opt_timeout
Related:
https://fedorahosted.org/sssd/ticket/1501
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
b123a618dd8837f8a2db385542f0d7f3d7679d9b |
|
23-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Make simple bind timeout configurable
Resolves:
https://fedorahosted.org/sssd/ticket/1501
Reuse the value of sdap_opt_timeout to set a longer bind timeout for
user authentication, ID connection authentication and authentication
during IPA migration mode.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
d81d8d3dc151ebc95cd0e3f3b14c1cdaa48980f1 |
|
17-Mar-2015 |
Sumit Bose <sbose@redhat.com> |
LDAP/AD: do not resolve group members during tokenGroups request
During initgroups requests we try to avoid resolving the complete
member list of groups if possible, e.g. if there are no nested groups.
The tokenGroups LDAP lookup returns the complete list of memberships for
a user, hence it is not necessary to look up the other group members and
un-roll nested groups. With this patch only the group entry is looked up
and saved as an incomplete group to the cache.
This is achieved by adding a new boolean parameter no_members to
groups_get_send() and sdap_get_groups_send(). The difference to config
options like ldap_group_nesting_level = 0 or ignore_group_members is
that if no_members is set to true groups which are missing in the cache
are created as incomplete groups. As a result a request to look up this
group will trigger a new LDAP request to resolve the group completely.
This way no information is ignored but the time needed to read all data
is better distributed between different requests.
https://fedorahosted.org/sssd/ticket/2601
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
7d35c7e8c5d2684321be879f7ff67816d4b31f09 |
|
16-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
Add sdap_deref_search_with_filter_send()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
25a387c2e90c74b27a26ea207503df8e4b6a1a76 |
|
01-Sep-2014 |
Sumit Bose <sbose@redhat.com> |
LDAP: If extra_value is 'U' do a UPN search
Besides the name the responders always send an extra string attribute to
the backends which is so far mostly empty. Since the only difference in
the processing of a request for a user name or a user principal name is
a different search attribute in the LDAP provider this extra value can
be used to indicate the type of the name. Providers which do not support
UPN lookup can just ignore this attribute.
Related to https://fedorahosted.org/sssd/ticket/1749 |
ac67376a47ed52374641e7a4f6fd97712fe5171b |
|
19-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
Revert "IPA: new attribute map for non-posix groups"
This reverts commit 4c560e7b98e7ab71d22be24d2fbc468396cb634f. |
4c560e7b98e7ab71d22be24d2fbc468396cb634f |
|
19-Aug-2014 |
Pavel Reichl <preichl@redhat.com> |
IPA: new attribute map for non-posix groups
Create new set of attributes to be used when processing non-posix groups.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com> |
60cab26b12df9a2153823972cde0c38ca86e01b9 |
|
13-May-2014 |
Yassir Elley <yelley@redhat.com> |
Implemented LDAP component of GPO-based access control
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e81deec535d11912b87954c81a1edd768c1386c9 |
|
12-Feb-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Detect the presence of POSIX attributes
When the schema is set to AD and ID mapping is not used, there is a one-time
check run when searching for users to detect the presence of POSIX
attributes in LDAP. If this check fails, the search fails as if no entry
was found and returns a special error code.
The sdap_server_opts structure is filled every time a client connects to
a server so the posix check boolean is reset to false again on connecting
to the server.
It might be better to move the check to where the rootDSE is retrieved,
but the check depends on several features that are not known to the code
that retrieves the rootDSE (or the connection code for example) such as what
the attribute mappings are or the authentication method that should be used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
008e1ee835602023891ac45408483d87f41e4d5c |
|
19-Dec-2013 |
Sumit Bose <sbose@redhat.com> |
AD: cross-domain membership fix
A recent patch directed all calls related to group membership lookups to
the AD LDAP port to fix an issue related to missing group memberships in
the Global Catalog. As a side-effect it broke cross-domain
group-memberships because those cannot be resolved by the connection to
the LDAP port.
The patch tries to fix this by restoring the original behaviour in the
top-level lookup calls in the AD provider and switching to the LDAP port
only for the LDAP request which is expected to return the full group
membership.
Additionally this patch contains a related fix for the tokenGroups with
Posix attributes patch. The original connection, typically a Global
Catalog connection in the AD case is passed down the stack so that the
group lookup after the tokenGroups request can run over the same
connection. |
ed3e08e6ff267722c605141a0b57774efe4cb531 |
|
18-Dec-2013 |
Pavel Březina <pbrezina@redhat.com> |
ad: use tokengroups even when id mapping is disabled
https://fedorahosted.org/sssd/ticket/1568 |
29a61bce88147872b5086278d37b1e58726032d1 |
|
18-Dec-2013 |
Pavel Březina <pbrezina@redhat.com> |
ad: refactor tokengroups initgroups
sdap_get_ad_tokengroups_initgroups is split into more parts so
it can be reused later. |
5b83443dd252a3897feda134f224f6b09f283372 |
|
20-Nov-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Split out a request to search for a user w/o saving
Related:
https://fedorahosted.org/sssd/ticket/2077
Certain situations require that a user entry is downloaded for further
inspection, but not saved to the sysdb right away. This patch splits the
previously monolithic request into one that just downloads the data and
one that uses the new one to download and save the user. |
3ca846cfb59dee6e20b94c4aee2716f1a20ebd3a |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: store FQDNs for trusted users and groups
Because the NSS responder expects the name attribute to contain FQDN,
we must save the name as FQDN in the LDAP provider if the domain we save
to is a subdomain. |
749cfb5d3270b5daf389d51a0dbd3fd2aec6e05d |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: new SDAP domain structure
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain. |
9aa117a93e315f790a1922d9ac7bd484878b621e |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Pass in a connection to ID functions
Instead of using the default connection from the sdap_id_ctx, allow the
caller to specify which connection shall be used for this particular
request. Again, no functional change is present in this patch, just
another parameter is added. |
05c53cfcee72dcb9e6103de7877ede220369ccf4 |
|
02-May-2013 |
Pavel Březina <pbrezina@redhat.com> |
sdap: add sdap_connect_host request
Create connection to specified LDAP server without using any
failover stuff. |
233a3c6c48972b177e60d6ef4cecfacd3cf31659 |
|
19-Mar-2013 |
Simo Sorce <simo@redhat.com> |
Use common error facility instead of sdap_result
Simplifies and consolidates error reporting for ldap authentication paths.
Adds 3 new error codes:
ERR_CHPASS_DENIED - Used when password constraints deny password changes
ERR_ACCOUNT_EXPIRED - Account is expired
ERR_PASSWORD_EXPIRED - Password is expired |
2ce00e0d3896bb42db169d1e79553a81ca837a22 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_search_user_by_name()
Also remove unused sysdb_search_domuser_by_name() |
64af76e2bef2565caa9738f675c108a4b3789237 |
|
10-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Change pam data auth tokens.
Use the new authtok abstraction and interfaces throughout the code. |
d0e0e73e86f2afdb7f8fefbed70fda8d77b1c25a |
|
24-Sep-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
AD: Optimize initgroups lookups with tokenGroups
https://fedorahosted.org/sssd/ticket/1355 |
d42d371c00c83ae44b9d1c3e88ecbe0e01b112e6 |
|
13-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add support for AD chain matching extension in initgroups |
97ae45d61d921f07e812620e0156aee02b7b83a7 |
|
13-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add support for AD chain matching extension in group lookups |
3963d3fa9e3099bc02d612b5051d8b769d6e3a75 |
|
13-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add ldap_*_use_matching_rule_in_chain options |
f56e704cf0b3b0e9e997e96221fa82d488ee8ca7 |
|
31-May-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Ghost members - removed sdap_check_aliases()
This function is no longer necessary because we don't have fake user
entries any more. The original purpose of this function was to check if
there are fake user entries for particular user and, if yes, to update
its membership. |
2f3ee3f49019f5b60adbe073070f31e6e2d7c7ab |
|
24-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Only use paging control on requests for multiple entries
The paging control can cause issues on servers that put limits on
how many paging controls can be active at one time (on some
servers, it is limited to one per connection). We need to reduce
our usage so that we only activate the paging control when making
a request that may return an arbitrary number of results.
https://fedorahosted.org/sssd/ticket/1202 phase one |
c9750312bfb4196b49ba6f91b26489f630958452 |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Update shadowLastChanged attribute during LDAP password change
https://fedorahosted.org/sssd/ticket/1019 |
e2925c2d7d10cbb51098402233784044168f1a77 |
|
31-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add enumeration support for services |
796463906a54e259bd5b582ce84af4297a58eafc |
|
31-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add support for service lookups (non-enum) |
940e033c0c427d02a34347dbd2f4443fa625b111 |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use the case sensitivity flag in the LDAP provider |
70a33bdf7db34fe4d1ba194cf9ea28c758719b4b |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Refactor saving sdap entities
There was too much code duplication between
sdap_save_{user,group,netgroup}. This patch removes the most egregious ones. |
9b9c7f8caddf2b57adfbef8741651ee5063fa3bd |
|
29-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Provide means of forcing TLS and GSSAPI enabled/disabled for sdap connections |
ed80a7f8ff76089bdcfae7007dbdef42d05e2cc8 |
|
02-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Support to request canonicalization in LDAP/IPA provider
https://fedorahosted.org/sssd/ticket/957 |
1bbd4c57fc31cec302244725e698413623818d19 |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add support for multiple search bases for group enumeration |
f26b61dfe246c750a42f1f9fb28f9df5981bc841 |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add support for multiple search bases for user enumeration |
86e00b950eae9884702ad535e3030b238ec451e3 |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Support multiple group search bases (non-enumeration, RFC2307) |
fd94a375467ade9233e34513863571fc51fec2ed |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Support multiple netgroup search bases |
a0e406e5219068aec1a531e2b09ee30309b266cf |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Support multiple user search bases (non-enumeration) |
033d1e3985288ec827db85882b052104485606ac |
|
28-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Store name aliases for users, groups
Also checks fake users for aliases when storing a real user so that
getgrnam for a RFC2307 group that references a user by his secondary
name followed by getpwnam for this user by his primary name works |
9b5c5f041e92802aa074037d283674cb6eca1a23 |
|
06-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Allow turning dereference off by setting the threshold to 0 |
e96c468ed06c3378e2aee6992dabe926d79e1a2d |
|
30-Jun-2011 |
Sumit Bose <sbose@redhat.com> |
Use ldap_init_fd() instead of ldap_initialize() if available |
d4bfba145e74aa8c0f9e7c36e548fc9965822a12 |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Generic dereference search
A generic wrapper around ASQ and OpenLDAP dereference searches.
https://fedorahosted.org/sssd/ticket/635 |
3ad662a4d26c0d6ee4e382758ca7b3f0c2880d20 |
|
21-Jan-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add the user's primary group to the initgroups lookup
The user may not be a direct member of their primary group, but
we still want to make sure that group is cached on the system. |
a530a96721d8106a6839b6b643b0abc5d7a7b9e0 |
|
17-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add timeout parameter to sdap_get_generic_send() |
1d9eec9e868fbc2d996f1030a43675be9a840133 |
|
07-Dec-2010 |
Simo Sorce <ssorce@redhat.com> |
ldap: add checks to determine if USN features are available. |
619bd403265ce0880989ba6f8324b010949851bc |
|
13-Oct-2010 |
Sumit Bose <sbose@redhat.com> |
Implement netgroup support for LDAP provider |
93109c5f1d85c028ce5cf6e31e2249ca90a7f746 |
|
13-Oct-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Initialize kerberos service for GSSAPI |
71af2725e8f96b403af3f4aa140c413f751380c0 |
|
15-Sep-2010 |
Sumit Bose <sbose@redhat.com> |
Store rootdse supported features in sdap_handler |
2d7a7b0140a4d3fcef9148900276e24f82e33866 |
|
09-Jul-2010 |
eindenbom <eindenbom@gmail.com> |
LDAP connection usage tracking, sharing and failover retry framework. |
a2cabe1873c4d01c18ef6617b6b1f10a0ce3560e |
|
09-Jul-2010 |
eindenbom <eindenbom@gmail.com> |
GSSAPI ticket expiry time is returned from ldap_child and stored in sdap_handle for future reference. |
ebb6e30d687a4d6626c735234c85cbb5b06a26aa |
|
16-May-2010 |
Sumit Bose <sbose@redhat.com> |
Add ldap_krb5_ticket_lifetime option |
dfc511c1226786cebbda35990bb7149dea5577b5 |
|
22-Mar-2010 |
Ralf Haferkamp <rhafer@suse.de> |
Improvements for LDAP Password Policy support
Display warnings about remaining grace logins and password
expiration to the user, when LDAP Password Policies are used.
Improved detection if LDAP Password policies are supported by
LDAP Server. |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |