History log of /sssd-io/src/providers/ldap/sdap_async_connection.c
Revision Date Author Comments Expand
b54cd7caf6b73b36b68fcefc0cad39a626690398 29-Jun-2016 Lukas Slebodnik <lslebodn@redhat.com>

Downcast to errno_t after tevent_req_is_error Functions tevent_req_is_error and _tevent_req_error use type uint64_t for error code. SSSD uses errno_t which is an alias for int. Therefore complier assumes that macro TEVENT_REQ_RETURN_ON_ERROR can return 0 due to implicit down casting from uint64_t -> int. This patch makes down casting explicit and returns EINVAL if result of downcasting is 0. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
8eb4a1f773b6c2246b0a6c6e3c3b8ef4d79c9ca6 11-May-2016 Pavel Březina <pbrezina@redhat.com>

Inform about (un)successful connection Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
ff275f4c0b8cc1a098dbd0c5f6d52d6a93cda597 17-Feb-2016 Pavel Reichl <preichl@redhat.com>

SDAP: Add return code ERR_ACCOUNT_LOCKED Add code to distinquish state when account is locked in Active Directory server. Tested against Windows Server 2012 This patch is best effort only as decision whether account is actually locked is based on parsing error message returned by AD. The format and content of this error message might be subject of change in future releases and also can be modified by AD administrators. If account is locked bind operation is expected to return following error message: ----------------------------------------------------------------------- Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 775, v23f0 ----------------------------------------------------------------------- Where sub string 'data 775' implies that account is locked (ERROR_ACCOUNT_LOCKED_OUT) [1]. However the 80090308 (error code 0x80090308, SEC_E_INVALID_TOKEN) is the only guaranteed part of error string [2]. Error message is described in further detail as [3]: ----------------------------------------------------------------------- When the server fails an LDAP operation with an error, and the server has sufficient resources to compute a string value for the errorMessage field of the LDAPResult, it includes a string in the errorMessage field of the LDAPResult (see [RFC2251] section 4.1.10). The string contains further information about the error. The first eight characters of the errorMessage string are a 32-bit integer, expressed in hexadecimal. Where protocol specifies the extended error code "<unrestricted>" there is no restriction on the value of the 32-bit integer. It is recommended that implementations use a Windows error code for the 32-bit integer in this case in order to improve usability of the directory for clients. Where protocol specifies an extended error code which is a Windows error code, the 32-bit integer is the specified Windows error code. Any data after the eighth character is strictly informational and used only for debugging. Conformant implementations need not put any value beyond the eighth character of the errorMessage field. ----------------------------------------------------------------------- [1] https://msdn.microsoft.com/en-us/library/windows/desktop/ms681386%28v=vs.85%29.aspx [2] https://social.msdn.microsoft.com/Forums/en-US/e1d600c8-60b7-4ed0-94cb-20ddd6c1a1c6/msadts-user-locking-password-policies?forum=os_windowsprotocols [3] MS-ADTS 3.1.1.3.1.9 https://msdn.microsoft.com/en-us/library/cc223253.aspx Resolves: https://fedorahosted.org/sssd/ticket/2839 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
8bd9ec3a8885b01a34863d22aa784e221fc422fb 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

sdap_connect_send: fail if uri or sockaddr is NULL Resolves: https://fedorahosted.org/sssd/ticket/2904 Reviewed-by: Michal Židek <mzidek@redhat.com>
10c07e188323a2f9824b5e34379f3b1a9b37759e 23-Oct-2015 Jakub Hrozek <jhrozek@redhat.com>

FO: Use refcount to keep track of servers returned to callers Resolves: https://fedorahosted.org/sssd/ticket/2829 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
afa6ac75f97951ea5ea4b6e96c607acc3c5fafcc 07-Aug-2015 Pavel Reichl <preichl@redhat.com>

IPA: Improve messages about failures Reviewed-by: Pavel Březina <pbrezina@redhat.com>
7abec79ff6eeaff043c995bbb0a152ca3e0744e7 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Consolidate SDAP_SASL_REALM/SDAP_KRB5_REALM behaviour Reviewed-by: Sumit Bose <sbose@redhat.com>
3b9f34f653a610f63e88ee0f174a5c47e0d8fe0d 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Do not set keytab through environment variable Otherwise each connection would clobber the environment variable with its own. This is a temporary workaround until SSSD's ldap_child is able to store ccaches in a collection. Reviewed-by: Sumit Bose <sbose@redhat.com>
f1f5854566c1ee44320a1111a33c12bcc409f00a 11-May-2015 Jakub Hrozek <jhrozek@redhat.com>

LDAP: return after tevent_req_error Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
7a62712d6961d4afcb6b4a4fd7e92c6738f73b6e 23-Mar-2015 Jakub Hrozek <jhrozek@redhat.com>

SDAP: Make StartTLS bind configurable with ldap_opt_timeout Related: https://fedorahosted.org/sssd/ticket/1501 Reviewed-by: Pavel Reichl <preichl@redhat.com>
b123a618dd8837f8a2db385542f0d7f3d7679d9b 23-Mar-2015 Jakub Hrozek <jhrozek@redhat.com>

SDAP: Make simple bind timeout configurable Resolves: https://fedorahosted.org/sssd/ticket/1501 Reuse the value of sdap_opt_timeout to set a longer bind timeout for user authentication, ID connection authentication and authentication during IPA migration mode. Reviewed-by: Pavel Reichl <preichl@redhat.com>
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 17-Mar-2015 Lukas Slebodnik <lslebodn@redhat.com>

Add missing new lines to debug messages Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd-io/src/confdb/confdb_setup.c /sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_sudo.c /sssd-io/src/db/sysdb_views.c /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor_netlink.c /sssd-io/src/providers/ad/ad_common.c /sssd-io/src/providers/ad/ad_init.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/dp_dyndns.c /sssd-io/src/providers/dp_ptask.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_hbac_rules.c /sssd-io/src/providers/ipa/ipa_hostid.c /sssd-io/src/providers/ipa/ipa_selinux.c /sssd-io/src/providers/ipa/ipa_subdomains.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_wait_queue.c ldap_id.c sdap.c sdap_async.c sdap_async_connection.c sdap_async_initgroups.c sdap_utils.c /sssd-io/src/responder/autofs/autofssrv_cmd.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pac/pacsrv_utils.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/responder/sudo/sudosrv_query.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/tests/krb5_child-test.c /sssd-io/src/tools/files.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/util/debug.c /sssd-io/src/util/domain_info_utils.c /sssd-io/src/util/find_uid.c /sssd-io/src/util/server.c /sssd-io/src/util/sss_ini.c /sssd-io/src/util/sss_krb5.c /sssd-io/src/util/sss_semanage.c /sssd-io/src/util/usertools.c
daa3dd779fbaec36142d112f8a47c7b9f23177c1 12-Oct-2014 Pavel Reichl <preichl@redhat.com>

SDAP: check that connection is open before bind Tivoli server does not return an empty response when being asked for the rootDSE data but an error. In this case the rootDSE lookup in SSSD will terminate the connection to the server and return a error. But since errors except timeouts are ignored SSSD will try to continue with the bind, but since the connection is already terminated this will fail as well. And this will terminate the whole operation. Make sure the connection is open before performing bind operation. Resolves: https://fedorahosted.org/sssd/ticket/2435 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
28929b67fed17df3b7622bb48ed3700f944d91d0 12-Oct-2014 Pavel Reichl <preichl@redhat.com>

SDAP: move deciding of tls usage into new function Separate code for deciding tls usage from sdap_cli_connect_send() to new function decide_tls_usage(). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
6a3ec7ba6f99b027c4c15a360ef0116fe60a0705 16-Sep-2014 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Do not clobber return value when multiple controls are returned We loop over the array of returned controls and set 'ret' based on the control value. In case multiple controls were returned, the 'ret' variable might be clobbered with result of a string-to-int conversion. Reviewed-by: Pavel Reichl <preichl@redhat.com>
997d4bcd8e994932ac15c42524bb9f00055ee322 12-May-2014 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Check the LDAP handle before using it As the connection code is async-driven, the LDAP handle might be invalidated before SSSD attempts to use it. Similar to commit 5fe6ca5e339fd345119752e996c14edf8db57660, this patch adds a NULL check for the LDAP handle and aborts the request instead of crashing. Resolves: https://fedorahosted.org/sssd/ticket/2305
44d0fd9bfdcab991f00ba33c91f49527f8cce595 18-Feb-2014 Pavel Březina <pbrezina@redhat.com>

sdap: move non async functions from sdap_async_connection.c to sdap_utils.c Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
83bf46f4066e3d5e838a32357c201de9bd6ecdfd 12-Feb-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Update DEBUG* invocations to use new levels Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead: grep -rl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e 'use strict; use File::Slurp; my @map=qw" SSSDBG_FATAL_FAILURE SSSDBG_CRIT_FAILURE SSSDBG_OP_FAILURE SSSDBG_MINOR_FAILURE SSSDBG_CONF_SETTINGS SSSDBG_FUNC_DATA SSSDBG_TRACE_FUNC SSSDBG_TRACE_LIBS SSSDBG_TRACE_INTERNAL SSSDBG_TRACE_ALL "; my $text=read_file(\*STDIN); my $repl; $text=~s/ ^ ( .* \b (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM) \s* \(\s* )( [0-9] )( \s*, ) ( \s* ) ( .* ) $ / $repl = $1.$map[$3].$4.$5.$6, length($repl) <= 80 ? $repl : $1.$map[$3].$4."\n".(" " x length($1)).$6 /xmge; print $text; ' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

/sssd-io/src/confdb/confdb.c /sssd-io/src/confdb/confdb_setup.c /sssd-io/src/db/sysdb.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_ranges.c /sssd-io/src/db/sysdb_search.c /sssd-io/src/db/sysdb_upgrade.c /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor_netlink.c /sssd-io/src/monitor/monitor_sbus.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_callbacks.c /sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/data_provider_opts.c /sssd-io/src/providers/dp_auth_util.c /sssd-io/src/providers/dp_pam_data_util.c /sssd-io/src/providers/fail_over.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_auth.c /sssd-io/src/providers/ipa/ipa_common.c /sssd-io/src/providers/ipa/ipa_hbac_common.c /sssd-io/src/providers/ipa/ipa_hbac_hosts.c /sssd-io/src/providers/ipa/ipa_hbac_rules.c /sssd-io/src/providers/ipa/ipa_hbac_services.c /sssd-io/src/providers/ipa/ipa_hbac_users.c /sssd-io/src/providers/ipa/ipa_id.c /sssd-io/src/providers/ipa/ipa_init.c /sssd-io/src/providers/ipa/ipa_netgroups.c /sssd-io/src/providers/krb5/krb5_access.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_child_handler.c /sssd-io/src/providers/krb5/krb5_common.c /sssd-io/src/providers/krb5/krb5_delayed_online_authentication.c /sssd-io/src/providers/krb5/krb5_init.c /sssd-io/src/providers/krb5/krb5_init_shared.c /sssd-io/src/providers/krb5/krb5_renew_tgt.c /sssd-io/src/providers/krb5/krb5_utils.c /sssd-io/src/providers/krb5/krb5_wait_queue.c ldap_auth.c ldap_child.c ldap_common.c ldap_id.c ldap_id_cleanup.c ldap_id_netgroup.c ldap_init.c sdap.c sdap_access.c sdap_async.c sdap_async_connection.c sdap_async_enum.c sdap_async_groups.c sdap_async_initgroups.c sdap_async_initgroups_ad.c sdap_async_netgroups.c sdap_async_users.c sdap_child_helpers.c sdap_fd_events.c sdap_id_op.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_child.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_init.c /sssd-io/src/providers/proxy/proxy_netgroup.c /sssd-io/src/resolv/async_resolv.c /sssd-io/src/responder/common/negcache.c /sssd-io/src/responder/common/responder_cmd.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/nss/nsssrv_private.h /sssd-io/src/responder/nss/nsssrv_services.c /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/pam/pamsrv_dp.c /sssd-io/src/sbus/sbus_client.c /sssd-io/src/sbus/sssd_dbus_common.c /sssd-io/src/sbus/sssd_dbus_connection.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/tests/auth-tests.c /sssd-io/src/tests/files-tests.c /sssd-io/src/tests/resolv-tests.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tests/sysdb_ssh-tests.c /sssd-io/src/tools/selinux.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_groupadd.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/tools/tools_util.c /sssd-io/src/tools/tools_util.h /sssd-io/src/util/check_and_open.c /sssd-io/src/util/child_common.c /sssd-io/src/util/crypto/nss/nss_obfuscate.c /sssd-io/src/util/crypto/nss/nss_util.c /sssd-io/src/util/debug.c /sssd-io/src/util/find_uid.c /sssd-io/src/util/nscd.c /sssd-io/src/util/signal.c /sssd-io/src/util/sss_krb5.c /sssd-io/src/util/sss_ldap.c /sssd-io/src/util/user_info_msg.c /sssd-io/src/util/usertools.c /sssd-io/src/util/util.c
a3c8390d19593b1e5277d95bfb4ab206d4785150 12-Feb-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

/sssd-io/src/confdb/confdb.c /sssd-io/src/confdb/confdb_setup.c /sssd-io/src/db/sysdb.c /sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_idmap.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_ranges.c /sssd-io/src/db/sysdb_search.c /sssd-io/src/db/sysdb_selinux.c /sssd-io/src/db/sysdb_services.c /sssd-io/src/db/sysdb_ssh.c /sssd-io/src/db/sysdb_subdomains.c /sssd-io/src/db/sysdb_sudo.c /sssd-io/src/db/sysdb_upgrade.c /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor_netlink.c /sssd-io/src/monitor/monitor_sbus.c /sssd-io/src/providers/ad/ad_access.c /sssd-io/src/providers/ad/ad_common.c /sssd-io/src/providers/ad/ad_domain_info.c /sssd-io/src/providers/ad/ad_dyndns.c /sssd-io/src/providers/ad/ad_id.c /sssd-io/src/providers/ad/ad_init.c /sssd-io/src/providers/ad/ad_srv.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_callbacks.c /sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/data_provider_opts.c /sssd-io/src/providers/dp_auth_util.c /sssd-io/src/providers/dp_dyndns.c /sssd-io/src/providers/dp_pam_data_util.c /sssd-io/src/providers/dp_ptask.c /sssd-io/src/providers/dp_refresh.c /sssd-io/src/providers/fail_over.c /sssd-io/src/providers/fail_over_srv.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_auth.c /sssd-io/src/providers/ipa/ipa_autofs.c /sssd-io/src/providers/ipa/ipa_common.c /sssd-io/src/providers/ipa/ipa_config.c /sssd-io/src/providers/ipa/ipa_dyndns.c /sssd-io/src/providers/ipa/ipa_hbac_common.c /sssd-io/src/providers/ipa/ipa_hbac_hosts.c /sssd-io/src/providers/ipa/ipa_hbac_rules.c /sssd-io/src/providers/ipa/ipa_hbac_services.c /sssd-io/src/providers/ipa/ipa_hbac_users.c /sssd-io/src/providers/ipa/ipa_hostid.c /sssd-io/src/providers/ipa/ipa_hosts.c /sssd-io/src/providers/ipa/ipa_id.c /sssd-io/src/providers/ipa/ipa_idmap.c /sssd-io/src/providers/ipa/ipa_init.c /sssd-io/src/providers/ipa/ipa_netgroups.c /sssd-io/src/providers/ipa/ipa_s2n_exop.c /sssd-io/src/providers/ipa/ipa_selinux.c /sssd-io/src/providers/ipa/ipa_selinux_maps.c /sssd-io/src/providers/ipa/ipa_srv.c /sssd-io/src/providers/ipa/ipa_subdomains.c /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd-io/src/providers/ipa/ipa_subdomains_id.c /sssd-io/src/providers/ipa/ipa_sudo.c /sssd-io/src/providers/krb5/krb5_access.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_become_user.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_child_handler.c /sssd-io/src/providers/krb5/krb5_common.c /sssd-io/src/providers/krb5/krb5_delayed_online_authentication.c /sssd-io/src/providers/krb5/krb5_init.c /sssd-io/src/providers/krb5/krb5_init_shared.c /sssd-io/src/providers/krb5/krb5_renew_tgt.c /sssd-io/src/providers/krb5/krb5_utils.c /sssd-io/src/providers/krb5/krb5_wait_queue.c ldap_access.c ldap_auth.c ldap_child.c ldap_common.c ldap_id.c ldap_id_cleanup.c ldap_id_enum.c ldap_id_netgroup.c ldap_id_services.c ldap_init.c sdap.c sdap_access.c sdap_async.c sdap_async_autofs.c sdap_async_connection.c sdap_async_enum.c sdap_async_groups.c sdap_async_groups_ad.c sdap_async_initgroups.c sdap_async_initgroups_ad.c sdap_async_nested_groups.c sdap_async_netgroups.c sdap_async_services.c sdap_async_sudo.c sdap_async_sudo_hostinfo.c sdap_async_sudo_timer.c sdap_async_users.c sdap_autofs.c sdap_child_helpers.c sdap_dyndns.c sdap_fd_events.c sdap_id_op.c sdap_idmap.c sdap_range.c sdap_refresh.c sdap_reinit.c sdap_sudo.c sdap_sudo_cache.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_child.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_init.c /sssd-io/src/providers/proxy/proxy_netgroup.c /sssd-io/src/providers/proxy/proxy_services.c /sssd-io/src/providers/simple/simple_access.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/resolv/async_resolv.c /sssd-io/src/resolv/async_resolv_utils.c /sssd-io/src/responder/autofs/autofssrv.c /sssd-io/src/responder/autofs/autofssrv_cmd.c /sssd-io/src/responder/autofs/autofssrv_dp.c /sssd-io/src/responder/common/negcache.c /sssd-io/src/responder/common/responder_cmd.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/common/responder_get_domains.c /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_mmap_cache.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/nss/nsssrv_private.h /sssd-io/src/responder/nss/nsssrv_services.c /sssd-io/src/responder/pac/pacsrv.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pac/pacsrv_utils.c /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pam_helpers.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/pam/pamsrv_dp.c /sssd-io/src/responder/ssh/sshsrv.c /sssd-io/src/responder/ssh/sshsrv_cmd.c /sssd-io/src/responder/ssh/sshsrv_dp.c /sssd-io/src/responder/sudo/sudosrv.c /sssd-io/src/responder/sudo/sudosrv_cmd.c /sssd-io/src/responder/sudo/sudosrv_dp.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/responder/sudo/sudosrv_query.c /sssd-io/src/sbus/sbus_client.c /sssd-io/src/sbus/sssd_dbus_common.c /sssd-io/src/sbus/sssd_dbus_connection.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/sss_client/ssh/sss_ssh_authorizedkeys.c /sssd-io/src/sss_client/ssh/sss_ssh_knownhostsproxy.c /sssd-io/src/tests/auth-tests.c /sssd-io/src/tests/cmocka/test_dyndns.c /sssd-io/src/tests/cmocka/test_fqnames.c /sssd-io/src/tests/cmocka/test_nss_srv.c /sssd-io/src/tests/cmocka/test_utils.c /sssd-io/src/tests/common_dom.c /sssd-io/src/tests/common_tev.c /sssd-io/src/tests/debug-tests.c /sssd-io/src/tests/files-tests.c /sssd-io/src/tests/krb5_child-test.c /sssd-io/src/tests/resolv-tests.c /sssd-io/src/tests/simple_access-tests.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tests/sysdb_ssh-tests.c /sssd-io/src/tools/files.c /sssd-io/src/tools/selinux.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_debuglevel.c /sssd-io/src/tools/sss_groupadd.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_seed.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/tools/tools_mc_util.c /sssd-io/src/tools/tools_util.c /sssd-io/src/tools/tools_util.h /sssd-io/src/util/authtok.c /sssd-io/src/util/backup_file.c /sssd-io/src/util/check_and_open.c /sssd-io/src/util/child_common.c /sssd-io/src/util/crypto/libcrypto/crypto_base64.c /sssd-io/src/util/crypto/libcrypto/crypto_obfuscate.c /sssd-io/src/util/crypto/nss/nss_obfuscate.c /sssd-io/src/util/crypto/nss/nss_util.c /sssd-io/src/util/debug.c /sssd-io/src/util/domain_info_utils.c /sssd-io/src/util/find_uid.c /sssd-io/src/util/nscd.c /sssd-io/src/util/server.c /sssd-io/src/util/signal.c /sssd-io/src/util/sss_ini.c /sssd-io/src/util/sss_krb5.c /sssd-io/src/util/sss_krb5.h /sssd-io/src/util/sss_ldap.c /sssd-io/src/util/sss_nss.c /sssd-io/src/util/sss_selinux.c /sssd-io/src/util/sss_ssh.c /sssd-io/src/util/sss_tc_utf8.c /sssd-io/src/util/user_info_msg.c /sssd-io/src/util/usertools.c /sssd-io/src/util/util.c /sssd-io/src/util/util.h /sssd-io/src/util/util_lock.c /sssd-io/src/util/well_known_sids.c
37817cf318df48bf892da0d7cc21ef85b9b82484 11-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fix formating of variables with ber_ type
937928d1161a4f7bd894cb365ada97569ab0f78f 11-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fix formating of variables with type: time_t
795315c21d865a3060fc50bea79a758a7de7a956 11-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fix formating of variables with type: int
749cfb5d3270b5daf389d51a0dbd3fd2aec6e05d 07-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

LDAP: new SDAP domain structure Previously an sdap_id_ctx was always tied to one domain with a single set of search bases. But with the introduction of Global Catalog lookups, primary domain and subdomains might have different search bases. This patch introduces a new structure sdap_domain that contains an sssd domain or subdomain and a set of search bases. With this patch, there is only one sdap_domain that describes the primary domain.
7486dea9f5f7b2a6fbbacc6db740a82140b6377c 20-May-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fixing critical format string issues. --missing arguments. --format '%s', but argument is integer. --wrong format string, examle: '%\n'
05c53cfcee72dcb9e6103de7877ede220369ccf4 02-May-2013 Pavel Březina <pbrezina@redhat.com>

sdap: add sdap_connect_host request Create connection to specified LDAP server without using any failover stuff.
4ada3948dd888e7d95831a377bff3f8608cd778b 02-May-2013 Jakub Hrozek <jhrozek@redhat.com>

Display the last grace warning, too Due to a comparison error, the last warning when an LDAP password was in its grace period was never displayed. https://fedorahosted.org/sssd/ticket/1890
369626f19a9083be643c796691798e2debf2f07b 04-Apr-2013 Lukas Slebodnik <lslebodn@redhat.com>

LDAP: Fix value initialization warnings
9acfb09f7969a69f58bd45c856b01700541853ca 02-Apr-2013 Lukas Slebodnik <lslebodn@redhat.com>

Making the authtok structure really opaque. Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830
2d75dbbc6549acb1f749b5366b492ae087fdc0d8 27-Mar-2013 Ondrej Kos <okos@redhat.com>

LDAP: Fix value initialization
233a3c6c48972b177e60d6ef4cecfacd3cf31659 19-Mar-2013 Simo Sorce <simo@redhat.com>

Use common error facility instead of sdap_result Simplifies and consolidates error reporting for ldap authentication paths. Adds 3 new error codes: ERR_CHPASS_DENIED - Used when password constraints deny password changes ERR_ACCOUNT_EXPIRED - Account is expired ERR_PASSWORD_EXPIRED - Password is expired
4e9506ea508108c00a20f35756eb36b93ec2232d 11-Feb-2013 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Check for authtok validity The default authtok type in the LDAP provider (unlike the new IPA and AD providers) is "password". This oddity dates back to when password was the only supported authtok type in the SSSD, so configuration specifying only the password and bind DN was valid. We need to check the authtok validity as well before attempting to use it.
9c6e14c0d39f36085f11114e1f3155ee120558d5 14-Jan-2013 Pavel Březina <pbrezina@redhat.com>

Fix LDAP authentication - invalid password length sss_authtok_get_password() already returns length without terminating zero. This broke authentication over LDAP because we removed the last password character.
64af76e2bef2565caa9738f675c108a4b3789237 10-Jan-2013 Simo Sorce <simo@redhat.com>

Change pam data auth tokens. Use the new authtok abstraction and interfaces throught the code.
c96905018f6bb1c22a937bbcbea21cbd7e556743 18-Nov-2012 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Expire even non authenticated connections The connections request was terminated before setting the expiry timeout in case no authentication was set. https://fedorahosted.org/sssd/ticket/1649
d25e7c659361ebd794ef011dc9305543f266e8c4 13-Sep-2012 Jakub Hrozek <jhrozek@redhat.com>

FO: Check server validity before setting status The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server and keeps a pointer until the end of a request and only then gives feedback about the server based on the request result. This presents a big race condition in case the SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server until another request that holds a pointer to the original server is able to give a feedback. This patch simply checks if a server is in the list of servers maintained by a service before reading its status. https://fedorahosted.org/sssd/ticket/1364
6c7057667272d6297924a6ccbf68700e791da0a7 31-Jul-2012 Pavel Březina <pbrezina@redhat.com>

Unbreak SASL Patch bc76428246c4ce532abd0eadcd539069fc1d94a8 changed the data type of sasl_minssf from int to ber_len_t. Unfortunately, default value of ldap_sasl_minssf is -1 but ber_len_t is defined as unsigned long. This made SASL mechanism inoperative.
8bbf89c5ab798c112773fe23515c3a9df56dde71 18-Jul-2012 Nick Guay <nguay@redhat.com>

Fix uninitialized values https://fedorahosted.org/sssd/ticket/1379
bc76428246c4ce532abd0eadcd539069fc1d94a8 18-Jul-2012 Jan Vcelak <jvcelak@redhat.com>

LDAP: Properly cast type for MINSSF value
5c9292bc86788f21274e1480acd2bbcc8a221b06 02-Jul-2012 Stephen Gallagher <sgallagh@redhat.com>

LDAP: Print extended failure message for SASL bind
29418db014ba58093fe4b538ac569c35e5302af3 22-May-2012 Joshua Roys <roysjosh@gmail.com>

Simple implementation of Netscape password warning expiration control
163a17f00c42f2405d8fb0a2af3bc9d8b7309260 10-May-2012 Jakub Hrozek <jhrozek@redhat.com>

Try all KDCs when getting TGT for LDAP When the ldap child process is killed after a timeout, try the next KDC. When none of the ldap child processes succeed, just abort the connection because we wouldn't be able to authenticate to the LDAP server anyway. https://fedorahosted.org/sssd/ticket/1324
7070641527c4bf94f77a3756ba24824cf664b959 20-Apr-2012 Jakub Hrozek <jhrozek@redhat.com>

Get the RootDSE after binding if not successfull before https://fedorahosted.org/sssd/ticket/1258
cdf4599ba44a6b17818cb5e77f3a727491b7e85e 20-Apr-2012 Jakub Hrozek <jhrozek@redhat.com>

Free controls in sdap_rebind_proc
280a07e60639dfbcfa41c2626e5fe95870b9f473 18-Apr-2012 Jakub Hrozek <jhrozek@redhat.com>

Do not call sdap_auth if not needed
d7e3a3704d22e69f01214873a7207b4fc760d3f3 27-Mar-2012 Stephen Gallagher <sgallagh@redhat.com>

LDAP: Fix memory leaks in synchronous_tls_setup We were never freeing "result" if it was allocated by ldap_result(). We were also not freeing "errmsg" if it was allocated but ldap_parse_result() returned an error. Also disambiguate error messages from ldap_parse_result() and error messages from sss_ldap_get_diagnostic_msg() since they use differing memory-management functions.
f65143669a49b8394dbd99a2215392a36e7aef7a 16-Mar-2012 Stephen Gallagher <sgallagh@redhat.com>

LDAP: Errors retrieving the RootDSE should not be fatal If we can't reach the RootDSE, let's just proceed as if it's unavailable with reasonable defaults. If we fail later on, that's fine. Fixes https://fedorahosted.org/sssd/ticket/1257
606d2d03833903f00d40f9810d4dccd04a752e76 08-Mar-2012 Jakub Hrozek <jhrozek@redhat.com>

Detect cycle in the fail over on subsequent resolve requests only
b300bad539e9a9ad7f3a88dc91253afff0425cb6 06-Mar-2012 Jakub Hrozek <jhrozek@redhat.com>

Only do one cycle when resolving a server https://fedorahosted.org/sssd/ticket/1214
394f8a24f5794bced737cfb743fe038fb4d0f4a6 14-Jan-2012 Stephen Gallagher <sgallagh@redhat.com>

LDAP: Copy URI instead of pointing at failover service record In a heavy load environment, sometimes the failover service record would be updated and free the URI value. We need to guarantee that this URI string remains valid throughout the entire request. https://fedorahosted.org/sssd/ticket/1139
440d7fb430f83b3547f98f79c67a232ab2220296 12-Dec-2011 Stephen Gallagher <sgallagh@redhat.com>

Add sdap_connection_expire_timeout option https://fedorahosted.org/sssd/ticket/1036
b46635a151ca93b74a45bbaa3f782da43b3692f9 08-Dec-2011 Stephen Gallagher <sgallagh@redhat.com>

LDAP: Fix missing break statements in force_tls Also add a default case to protect against bad input
09b71830d7ff0ce10e16d39c750c04d20131cfa4 08-Dec-2011 Jakub Hrozek <jhrozek@redhat.com>

LDAP provider: Error while setting the nocanon option should not be fatal https://fedorahosted.org/sssd/ticket/1100
8c60644bd8f2d739ff7a58b3717929254d09dfbe 08-Dec-2011 Jan Zeleny <jzeleny@redhat.com>

Add ldap_sasl_minssf option https://fedorahosted.org/sssd/ticket/1075
9b9c7f8caddf2b57adfbef8741651ee5063fa3bd 29-Nov-2011 Jakub Hrozek <jhrozek@redhat.com>

Provide means of forcing TLS and GSSAPI enabled/disabled for sdap connections
0aaf73e328ce89fb7e690545234402e1b17dee36 29-Nov-2011 Stephen Gallagher <sgallagh@redhat.com>

LDAP: Try next failover server on any error
ac3a1f3da772cf101101c31675c63dc3549b21b5 22-Nov-2011 Jakub Hrozek <jhrozek@redhat.com>

Cleanup: Remove unused parameters

/sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_dyndns.c /sssd-io/src/providers/ipa/ipa_dyndns.h /sssd-io/src/providers/ipa/ipa_hbac_common.c /sssd-io/src/providers/ipa/ipa_hbac_hosts.c /sssd-io/src/providers/ipa/ipa_hbac_private.h /sssd-io/src/providers/ipa/ipa_hbac_rules.c /sssd-io/src/providers/ipa/ipa_hbac_services.c /sssd-io/src/providers/ipa/ipa_hbac_users.c /sssd-io/src/providers/ipa/ipa_init.c /sssd-io/src/providers/krb5/krb5_auth.c ldap_auth.c ldap_id_cleanup.c sdap.c sdap.h sdap_access.c sdap_async.c sdap_async_connection.c sdap_async_groups.c sdap_async_initgroups.c sdap_async_netgroups.c /sssd-io/src/providers/proxy/proxy.h /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_netgroup.c /sssd-io/src/python/pysss.c /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/sss_client/pam_sss.c /sssd-io/src/tools/nscd.c /sssd-io/src/tools/sss_groupadd.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_sync_ops.h /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/tools_util.c /sssd-io/src/tools/tools_util.h /sssd-io/src/util/crypto/nss/nss_obfuscate.c
37a76cff2478d8be3d11ccb7ff42d9d863f1839e 18-Nov-2011 Jakub Hrozek <jhrozek@redhat.com>

Prevent printing NULL in several places of LDAP provider
ed80a7f8ff76089bdcfae7007dbdef42d05e2cc8 02-Nov-2011 Jan Zeleny <jzeleny@redhat.com>

Support to request canonicalization in LDAP/IPA provider https://fedorahosted.org/sssd/ticket/957
54423ae32fa26aa7790a67ff0f9a93b96677e590 06-Sep-2011 Pavel Březina <pbrezina@redhat.com>

sss_ldap_err2string() - ldap_err2string() to sss_ldap_err2string() https://fedorahosted.org/sssd/ticket/986
3fff68f56b3c68897821c49ec7357a4f36bafa96 06-Sep-2011 Pavel Březina <pbrezina@redhat.com>

sss_ldap_err2string() - function created https://fedorahosted.org/sssd/ticket/986
a2e6bd6ed16c92799d435043450f6156a773a6dc 26-Aug-2011 Jakub Hrozek <jhrozek@redhat.com>

Add LDAP provider option to set LDAP_OPT_X_SASL_NOCANON https://fedorahosted.org/sssd/ticket/978
5bf2314b9f64099cd4e88b8f3498d986d97e1ac6 15-Aug-2011 Jakub Hrozek <jhrozek@redhat.com>

Handle timeout during sss_ldap_init_send In some cases, where there would be no response from the LDAP server, there would be no R/W events on the LDAP fd, so sdap_async_sys_connect_done would never be called. This patch adds a tevent timer that cancels the connection after SDAP_NETWORK_TIMEOUT seconds.
83a7d6767035a09099c58838a42fd10516c92063 01-Aug-2011 Jakub Hrozek <jhrozek@redhat.com>

Request password control unconditionally during bind https://fedorahosted.org/sssd/ticket/940
e96c468ed06c3378e2aee6992dabe926d79e1a2d 30-Jun-2011 Sumit Bose <sbose@redhat.com>

Use ldap_init_fd() instead of ldap_initialize() if available
b35da26911249aa48052655eef02f16e12930cf9 27-Apr-2011 Stephen Gallagher <sgallagh@redhat.com>

Add ldap_page_size configuration option
e81a816cddab4a62f263d1a0274d5d3f101e8e0f 25-Apr-2011 Jan Zeleny <jzeleny@redhat.com>

Modify principal selection for keytab authentication Currently we construct the principal as host/fqdn@REALM. The problem with this is that this principal doesn't have to be in the keytab. In that case the provider fails to start. It is better to scan the keytab and find the most suitable principal to use. Only in case no suitable principal is found the backend should fail to start. The second issue solved by this patch is that the realm we are authenticating the machine to can be in general different from the realm our users are part of (in case of cross Kerberos trust). The patch adds new configuration option SDAP_SASL_REALM. https://fedorahosted.org/sssd/ticket/781
41019c25edfef1b37e0ff6a9b505061a04fcff84 12-Apr-2011 Sumit Bose <sbose@redhat.com>

Initialise rootdse to NULL if not available
280ed6f992a3a3e661e618c77b64aff35a356c7e 11-Apr-2011 Sumit Bose <sbose@redhat.com>

Initialise srv_opts even if rootDSE is missing
18f3210e95bec4f23e5cac85813f54bab99cd41c 08-Apr-2011 Sumit Bose <sbose@redhat.com>

Read only rootDSE data if rootDSE is available
4a28fb10122bd74ba33607af46f028813de9161d 08-Apr-2011 Jakub Hrozek <jhrozek@redhat.com>

Don't pass NULL to printf for TLS errors https://fedorahosted.org/sssd/ticket/643
cc2b267e14db7073e7247b52cc9d82dfdf280076 16-Feb-2011 Stephen Gallagher <sgallagh@redhat.com>

Do not attempt to use START_TLS on SSL connections Not all LDAP servers are capable of handling dual-encryption with both TLS and SSL. https://fedorahosted.org/sssd/ticket/795
52b703a4c7cc43ae908300795569e27b64186ec8 06-Jan-2011 Sumit Bose <sbose@redhat.com>

Convert obfuscated password once at startup
a3ea95747b33de4b50485fb9b5c4e5c45338b3db 07-Dec-2010 Sumit Bose <sbose@redhat.com>

Mark unavailable Kerberos server as PORT_NOT_WORKING
1d9eec9e868fbc2d996f1030a43675be9a840133 07-Dec-2010 Simo Sorce <ssorce@redhat.com>

ldap: add checks to determine if USN features are available.
5de0dda3e3ee131000c5f2155416b98f22a86313 01-Dec-2010 Sumit Bose <sbose@redhat.com>

Fix offline detection in sdap_cli_connect request sdap_cli_connect_recv_ext() checks if the failover server is not set to determine if the backend is offline. To make this work properly if multiple servers are defined the failover server must be set to NULL if all servers are checked.
e481c0f0f16bcb787debf05584a0550a7052dda4 04-Nov-2010 Sumit Bose <sbose@redhat.com>

Use (default)namingContext to set empty search bases
bfb9e9c08d9cd830963fbf5e65a23ef673c82258 27-Oct-2010 Sumit Bose <sbose@redhat.com>

Allow authentication for referrals
59cc610d3a4885c5d37185b9adad39168feb6b55 22-Oct-2010 Sumit Bose <sbose@redhat.com>

Add some missing ldap_memfree()
4534c103b193b74452ea81bf12ffaceb1901728a 22-Oct-2010 Sumit Bose <sbose@redhat.com>

Add ldap_deref option
93109c5f1d85c028ce5cf6e31e2249ca90a7f746 13-Oct-2010 Jakub Hrozek <jhrozek@redhat.com>

Initialize kerberos service for GSSAPI
64783bdc0aff447a356c5169c027dadc05dfb312 13-Oct-2010 Jakub Hrozek <jhrozek@redhat.com>

Make ldap_child report kerberos return code to parent
6c188d847dfcd2778d134d5a0f80ecbce53e7b57 15-Sep-2010 Simo Sorce <ssorce@redhat.com>

Check if control is supported before using it.
6480abbd1bba71efa8a834fada6505d1767fabfc 15-Sep-2010 Jakub Hrozek <jhrozek@redhat.com>

Revert "Make ldap bind asynchronous" This reverts 56d8d19ac9d857580a233d8264e851883b883c67
71af2725e8f96b403af3f4aa140c413f751380c0 15-Sep-2010 Sumit Bose <sbose@redhat.com>

Store rootdse supported features in sdap_handler
88aeed9a31b734a92630d5e881c960c5f77ba0ce 08-Sep-2010 Jakub Hrozek <jhrozek@redhat.com>

Deobfuscate password in back ends When obfuscated password is used in config file, the LDAP backend converts it back to clear text and uses it to authenticate to the server.
56d8d19ac9d857580a233d8264e851883b883c67 02-Sep-2010 Martin Nagy <mnagy@redhat.com>

Make ldap bind asynchronous Every ldap function that could possibly create a new connection is now wrapped in a tevent_req. If the connection is created, we will call the function again after the socket is ready for writing.
2ee34809cb2d580ac7a3e1fd666b005543e3aa8d 09-Jul-2010 Stephen Gallagher <sgallagh@redhat.com>

Log TLS errors to syslog Also adds support for detecting LDAPS errors by adding a check for SDAP_DIAGNOSTIC_MESSAGE after ldap_search_ext()
801fcc63a9ec83d76d8d027758f9a0357b34890f 09-Jul-2010 eindenbom <eindenbom@gmail.com>

Eliminate delayed sdap_handle destruction after fail-over retry.
1639954090616f9e868a083f358c87e381b3fb78 09-Jul-2010 eindenbom <eindenbom@gmail.com>

Use new LDAP connection framework in IPA dynamic DNS forwarder.
2d7a7b0140a4d3fcef9148900276e24f82e33866 09-Jul-2010 eindenbom <eindenbom@gmail.com>

LDAP connection usage tracking, sharing and failover retry framework.
a2cabe1873c4d01c18ef6617b6b1f10a0ce3560e 09-Jul-2010 eindenbom <eindenbom@gmail.com>

GSSAPI ticket expiry time is returned from ldap_child and stored in sdap_handle for future reference.
0daccb28ba9b40a20ac3494aea42ce68c7a92a31 28-Jun-2010 Stephen Gallagher <sgallagh@redhat.com>

Make RootDSE optional In violation of the standard, some LDAP servers control access to the RootDSE, thus preventing us from being able to read it before performing a bind. This patch will allow us to continue on if the RootDSE was inaccessible. All of the places that we use the return value of the RootDSE after this are already checked for NULL and use sane defaults if the RootDSE is unavailable
b0249a8990feeb7e7b49da59fb1337a5f462bc64 28-Jun-2010 Sumit Bose <sbose@redhat.com>

Fix SASL authentication
242fc5b1eee793e3c2ced43eb845429f1a4599a0 06-Jun-2010 Stephen Gallagher <sgallagh@redhat.com>

Fix broken build against older versions of OpenLDAP OpenLDAP < 2.4 used LDAP_OPT_ERROR_STRING. It was changed to LDAP_OPT_DIAGNOSTIC_MESSAGE in 2.4. This patch will allow the TLS error messages to be displayed on either version.
88f059faa6742fa84750127fcc9307cd319c6f7d 20-May-2010 Stephen Gallagher <sgallagh@redhat.com>

Add a better error message for TLS failures
ebb6e30d687a4d6626c735234c85cbb5b06a26aa 16-May-2010 Sumit Bose <sbose@redhat.com>

Add ldap_krb5_ticket_lifetime option
dd025b4cbd501e2f34461f9d8359a829b81f5c2f 07-May-2010 Stephen Gallagher <sgallagh@redhat.com>

Add callback when the ID provider switches from offline to online Allow backends to set a callback in the be_ctx that should be invoked when the ID provider goes online. This can be used to perform regular maintenance tasks that are valid only when going online.
2d54b2a56b83315b3f89e082f8bf89fe8132a685 07-May-2010 Jakub Hrozek <jhrozek@redhat.com>

Use all available servers in LDAP provider
270a0a1b6182ef1fbff2a93af6731788cf954874 03-May-2010 Simo Sorce <ssorce@redhat.com>

Better handle sdap_handle memory from callers. Always just mark the sdap_handle as not connected and let later _send() functions to take care of freeing the handle before reconnecting. Introduce restart functions to avoid calling _send() functions in _done() functions error paths as this would have the same effect as directly freeing the sdap_handle and cause access to freed memory in sdap_handle_release() By freeing sdap_handle only in the connection _recv() function we guarantee it can never be done within sdap_handle_release() but only in a following event.
5b680ac8ef46fc1714f2ab59a07f68ac386ad89b 26-Apr-2010 Sumit Bose <sbose@redhat.com>

Make the handling of fd events opaque Depending on the version of the OpenLDAP libraries we use two different schemes to find the file descriptor of the connection to the LDAP server. This patch removes the related ifdefs from the main code and introduces helper functions which can handle the specific cases.
d1de8d73252e973018cb985e6aedffd76cddbbe4 26-Apr-2010 Sumit Bose <sbose@redhat.com>

Set LDAP_OPT_RESTART for all LDAP connections
541578ee21975ab008db2dcec69bd3c3f8283122 25-Mar-2010 Sumit Bose <sbose@redhat.com>

Set LDAP_OPT_RESTART for ldap_sasl_interactive_bind_s() This option is needed for the rare case where a poll() call during ldap_sasl_interactive_bind_s() is interrupted by a signal. LDAP_OPT_RESTART enables the handling of the EINTR error instead of returning an error.
dfc511c1226786cebbda35990bb7149dea5577b5 22-Mar-2010 Ralf Haferkamp <rhafer@suse.de>

Improvements for LDAP Password Policy support Display warnings about remaining grace logins and password expiration to the user, when LDAP Password Policies are used. Improved detection if LDAP Password policies are supported by LDAP Server.
9fc1d8b42b78765ab980943d468cfa7d2ae649ee 18-Mar-2010 Stephen Gallagher <sgallagh@redhat.com>

Fix error message for ldap_start_tls
71c4f9723d2f7ffd8450f4ec28d39dda1e3e42a3 15-Mar-2010 Ralf Haferkamp <rhafer@suse.de>

Fixed check for expired passwords When the user's password is expired it might also be indicated by the bind operation returning "INVALID_CREDENTIALS" with the ppolicy control's errorcode set to "PP_passwordExpired".
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab 18-Feb-2010 Stephen Gallagher <sgallagh@redhat.com>

Rename server/ directory to src/ Also update BUILD.txt

/sssd-io/BUILD.txt /sssd-io/Makefile.am /sssd-io/configure.ac /sssd-io/contrib/sssd.spec.in /sssd-io/src/Makefile.am /sssd-io/src/build_macros.m4 /sssd-io/src/conf_macros.m4 /sssd-io/src/confdb/confdb.c /sssd-io/src/confdb/confdb.h /sssd-io/src/confdb/confdb_private.h /sssd-io/src/confdb/confdb_setup.c /sssd-io/src/confdb/confdb_setup.h /sssd-io/src/config/SSSDConfig.py /sssd-io/src/config/SSSDConfigTest.py /sssd-io/src/config/etc/sssd.api.conf /sssd-io/src/config/etc/sssd.api.d/sssd-ipa.conf /sssd-io/src/config/etc/sssd.api.d/sssd-krb5.conf /sssd-io/src/config/etc/sssd.api.d/sssd-ldap.conf /sssd-io/src/config/etc/sssd.api.d/sssd-local.conf /sssd-io/src/config/etc/sssd.api.d/sssd-proxy.conf /sssd-io/src/config/ipachangeconf.py /sssd-io/src/config/setup.py /sssd-io/src/config/testconfigs/noparse.api.conf /sssd-io/src/config/testconfigs/sssd-badversion.conf /sssd-io/src/config/testconfigs/sssd-invalid-badbool.conf /sssd-io/src/config/testconfigs/sssd-invalid.conf /sssd-io/src/config/testconfigs/sssd-noversion.conf /sssd-io/src/config/testconfigs/sssd-valid.conf /sssd-io/src/config/upgrade_config.py /sssd-io/src/configure.ac /sssd-io/src/db/sysdb.c /sssd-io/src/db/sysdb.h /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_private.h /sssd-io/src/db/sysdb_search.c /sssd-io/src/doxy.config.in /sssd-io/src/examples/sssd.conf /sssd-io/src/examples/sssdproxytest /sssd-io/src/examples/sudo /sssd-io/src/external/crypto.m4 /sssd-io/src/external/docbook.m4 /sssd-io/src/external/krb5.m4 /sssd-io/src/external/ldap.m4 /sssd-io/src/external/libcares.m4 /sssd-io/src/external/libcollection.m4 /sssd-io/src/external/libdhash.m4 /sssd-io/src/external/libini_config.m4 /sssd-io/src/external/libldb.m4 /sssd-io/src/external/libpcre.m4 /sssd-io/src/external/libpopt.m4 /sssd-io/src/external/libtalloc.m4 /sssd-io/src/external/libtdb.m4 /sssd-io/src/external/libtevent.m4 /sssd-io/src/external/pam.m4 /sssd-io/src/external/pkg.m4 /sssd-io/src/external/platform.m4 /sssd-io/src/external/python.m4 /sssd-io/src/external/selinux.m4 /sssd-io/src/external/sizes.m4 /sssd-io/src/krb5_plugin/sssd_krb5_locator_plugin.c /sssd-io/src/ldb_modules/memberof.c /sssd-io/src/m4/.dir /sssd-io/src/man/include/failover.xml /sssd-io/src/man/include/param_help.xml /sssd-io/src/man/include/upstream.xml /sssd-io/src/man/sss_groupadd.8.xml /sssd-io/src/man/sss_groupdel.8.xml /sssd-io/src/man/sss_groupmod.8.xml /sssd-io/src/man/sss_groupshow.8.xml /sssd-io/src/man/sss_useradd.8.xml /sssd-io/src/man/sss_userdel.8.xml /sssd-io/src/man/sss_usermod.8.xml /sssd-io/src/man/sssd-ipa.5.xml /sssd-io/src/man/sssd-krb5.5.xml /sssd-io/src/man/sssd-ldap.5.xml /sssd-io/src/man/sssd.8.xml /sssd-io/src/man/sssd.conf.5.xml /sssd-io/src/man/sssd_krb5_locator_plugin.8.xml /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor.h /sssd-io/src/monitor/monitor_interfaces.h /sssd-io/src/monitor/monitor_sbus.c /sssd-io/src/po/LINGUAS /sssd-io/src/po/Makevars /sssd-io/src/po/POTFILES.in /sssd-io/src/po/de.po /sssd-io/src/po/es.po /sssd-io/src/po/fr.po /sssd-io/src/po/it.po /sssd-io/src/po/ja.po /sssd-io/src/po/nl.po /sssd-io/src/po/pl.po /sssd-io/src/po/pt.po /sssd-io/src/po/sss_daemon.pot /sssd-io/src/po/sv.po /sssd-io/src/providers/child_common.c /sssd-io/src/providers/child_common.h /sssd-io/src/providers/data_provider.h /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/data_provider_opts.c /sssd-io/src/providers/dp_auth_util.c /sssd-io/src/providers/dp_backend.h /sssd-io/src/providers/dp_sbus.c /sssd-io/src/providers/fail_over.c /sssd-io/src/providers/fail_over.h /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_access.h /sssd-io/src/providers/ipa/ipa_auth.c /sssd-io/src/providers/ipa/ipa_auth.h /sssd-io/src/providers/ipa/ipa_common.c /sssd-io/src/providers/ipa/ipa_common.h /sssd-io/src/providers/ipa/ipa_init.c /sssd-io/src/providers/ipa/ipa_timerules.c /sssd-io/src/providers/ipa/ipa_timerules.h /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_auth.h /sssd-io/src/providers/krb5/krb5_become_user.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_common.c /sssd-io/src/providers/krb5/krb5_common.h /sssd-io/src/providers/krb5/krb5_init.c /sssd-io/src/providers/krb5/krb5_utils.c /sssd-io/src/providers/krb5/krb5_utils.h ldap_auth.c ldap_child.c ldap_common.c ldap_common.h ldap_id.c ldap_id_cleanup.c ldap_id_enum.c ldap_init.c sdap.c sdap.h sdap_async.c sdap_async.h sdap_async_accounts.c sdap_async_connection.c sdap_async_private.h sdap_child_helpers.c /sssd-io/src/providers/providers.h /sssd-io/src/providers/proxy.c /sssd-io/src/providers/sssd_be.exports /sssd-io/src/python/pysss.c /sssd-io/src/resolv/ares/ares_data.c /sssd-io/src/resolv/ares/ares_data.h /sssd-io/src/resolv/ares/ares_dns.h /sssd-io/src/resolv/ares/ares_parse_srv_reply.c /sssd-io/src/resolv/ares/ares_parse_srv_reply.h /sssd-io/src/resolv/ares/ares_parse_txt_reply.c /sssd-io/src/resolv/ares/ares_parse_txt_reply.h /sssd-io/src/resolv/async_resolv.c /sssd-io/src/resolv/async_resolv.h /sssd-io/src/responder/common/responder.h /sssd-io/src/responder/common/responder_cmd.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/common/responder_packet.c /sssd-io/src/responder/common/responder_packet.h /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/responder/nss/nsssrv.h /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_nc.c /sssd-io/src/responder/nss/nsssrv_nc.h /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/pam/pamsrv.h /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/pam/pamsrv_dp.c /sssd-io/src/sbus/sbus_client.c /sssd-io/src/sbus/sbus_client.h /sssd-io/src/sbus/sssd_dbus.h /sssd-io/src/sbus/sssd_dbus_common.c /sssd-io/src/sbus/sssd_dbus_connection.c /sssd-io/src/sbus/sssd_dbus_private.h /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/sss_client/common.c /sssd-io/src/sss_client/group.c /sssd-io/src/sss_client/man/pam_sss.8.xml /sssd-io/src/sss_client/pam_sss.c /sssd-io/src/sss_client/pam_test_client.c /sssd-io/src/sss_client/passwd.c /sssd-io/src/sss_client/protos.h /sssd-io/src/sss_client/sss_cli.h /sssd-io/src/sss_client/sss_nss.exports /sssd-io/src/sss_client/sss_pam.exports /sssd-io/src/sss_client/sss_pam_macros.h /sssd-io/src/sysv/SUSE/sssd /sssd-io/src/sysv/sssd /sssd-io/src/tests/auth-tests.c /sssd-io/src/tests/check_and_open-tests.c /sssd-io/src/tests/common.c /sssd-io/src/tests/common.h /sssd-io/src/tests/fail_over-tests.c /sssd-io/src/tests/files-tests.c /sssd-io/src/tests/find_uid-tests.c /sssd-io/src/tests/ipa_ldap_opt-tests.c /sssd-io/src/tests/ipa_timerules-tests.c /sssd-io/src/tests/krb5_utils-tests.c /sssd-io/src/tests/python-test.py /sssd-io/src/tests/refcount-tests.c /sssd-io/src/tests/resolv-tests.c /sssd-io/src/tests/stress-tests.c /sssd-io/src/tests/strtonum-tests.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tools/files.c /sssd-io/src/tools/sss_groupadd.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_sync_ops.h /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/tools/tools_util.c /sssd-io/src/tools/tools_util.h /sssd-io/src/util/backup_file.c /sssd-io/src/util/check_and_open.c /sssd-io/src/util/crypto_sha512crypt.c /sssd-io/src/util/debug.c /sssd-io/src/util/dlinklist.h /sssd-io/src/util/find_uid.c /sssd-io/src/util/find_uid.h /sssd-io/src/util/memory.c /sssd-io/src/util/nss_sha512crypt.c /sssd-io/src/util/refcount.c /sssd-io/src/util/refcount.h /sssd-io/src/util/server.c /sssd-io/src/util/sha512crypt.h /sssd-io/src/util/signal.c /sssd-io/src/util/signal.m4 /sssd-io/src/util/sss_krb5.c /sssd-io/src/util/sss_krb5.h /sssd-io/src/util/sss_ldap.c /sssd-io/src/util/sss_ldap.h /sssd-io/src/util/strtonum.c /sssd-io/src/util/strtonum.h /sssd-io/src/util/user_info_msg.c /sssd-io/src/util/user_info_msg.h /sssd-io/src/util/usertools.c /sssd-io/src/util/util.c /sssd-io/src/util/util.h