History log of /sssd-io/src/providers/ldap/sdap_async_initgroups_ad.c
Revision Date Author Comments Expand
a2e743cd23e8e2033340612c77a8dbb8ef48c1e1 25-Apr-2018 Fabiano Fidêncio <fidencio@redhat.com>

SDAP: Properly handle group id-collision when renaming incomplete groups Resolves: https://pagure.io/SSSD/sssd/issue/2653 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
db52090e33b8f1747b7d77bab64ab8c9f9f5ecc2 21-Feb-2018 Sumit Bose <sbose@redhat.com>

AD: sdap_get_ad_tokengroups_done() allocate temporary data on state Related to https://pagure.io/SSSD/sssd/issue/3639 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
4a9c1047354dbe5a4ed41e5951ae623e3772e113 29-Jan-2018 René Genz <liebundartig@freenet.de>

Fix minor spelling mistakes in providers/* Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
1f2324abfbc69d95fe98a36216caa86a89cc6fb2 13-Dec-2017 Lukas Slebodnik <lslebodn@redhat.com>

SDAP: Fix typo in debug message Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
0e238c259c066cf997aaa940d33d6bda96c15925 27-Nov-2017 Sumit Bose <sbose@redhat.com>

sysdb: do not use objectClass for users and groups The majority of the object in the SSSD cache are users and groups. If there are many user and groups in the cache the index objects of the objectclass attributes 'user' and 'group' become large because the must hold references to all objects of those object classes. As a result the management of these index objects becomes costly because they must be parsed and split apart quite often. Additionally they are mostly useless because user and groups are lookup up by more specific attributes in general. Only when enumerating all user or groups this kind of index might be useful. There are two way of removing this kind of index from the user and group objects. Either by removing objectClass from the list of indexes and add a new attribute to all other type of object we want and index for. Or by replacing objectClass with a different attribute for the user and group objects. After some testing I think the latter one is the more reliable one and implemented it in this patch. Related to https://pagure.io/SSSD/sssd/issue/3503 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd-io/src/db/sysdb.h /sssd-io/src/db/sysdb_init.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_search.c /sssd-io/src/db/sysdb_upgrade.c /sssd-io/src/ldb_modules/memberof.c /sssd-io/src/providers/ad/ad_pac.c /sssd-io/src/providers/ipa/ipa_id.c /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd-io/src/providers/ipa/ipa_subdomains_id.c /sssd-io/src/providers/krb5/krb5_renew_tgt.c ldap_id_cleanup.c sdap_async_groups.c sdap_async_initgroups.c sdap_async_initgroups_ad.c sdap_async_nested_groups.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_common.c /sssd-io/src/responder/ifp/ifp_cache.c /sssd-io/src/responder/ifp/ifp_groups.c /sssd-io/src/responder/ifp/ifp_users.c /sssd-io/src/responder/nss/nss_cmd.c /sssd-io/src/responder/nss/nss_protocol_grent.c /sssd-io/src/responder/nss/nss_protocol_sid.c /sssd-io/src/tests/cmocka/test_ad_common.c /sssd-io/src/tests/cmocka/test_ipa_subdomains_server.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tools/sssctl/sssctl_cache.c
df4b24bed15f45bf286fb0102fd397218fdd4186 03-May-2017 Fabiano Fidêncio <fidencio@redhat.com>

LDAP/AD: Do not fail in case rfc2307bis_nested_groups_recv() returns ENOENT Commit 25699846 introduced a regression seen when an initgroup lookup is done and there's no nested groups involved. In this scenario the whole lookup fails due to an ENOENT returned by rfc2307bis_nested_groups_recv(), which leads to the user removal from sysdb causing some authentication issues. Resolves: https://pagure.io/SSSD/sssd/issue/3331 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>
823d8292c4658b51821514adf21939e04b7423ed 16-Jan-2017 Lukas Slebodnik <lslebodn@redhat.com>

LDAP: Remove unused parameter attr_type from groups_get_send Reviewed-by: Michal Židek <mzidek@redhat.com>
25699846bd1c9f8bb513b6271eb4366ab682fbd2 31-Oct-2016 Sumit Bose <sbose@redhat.com>

LDAP/AD: resolve domain local groups for remote users If a user from a trusted domain in the same forest is a direct or indirect member of domain local groups from the local domain those memberships must be resolved as well. Since those domain local groups are not valid in the trusted domain a DC from the trusted domain which is used to lookup the user data is not aware of them. As a consequence those memberships must be resolved against a local DC in a second step. Resolves https://fedorahosted.org/sssd/ticket/3206 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
a68e17d8fdc265d40e6f4a7d21a6d287a4bf23d5 07-Jul-2016 Michal Zidek <mzidek@redhat.com>

SDAP: Store SID members during AD initgroups with a qualified name This is to be consistent with how we name groups normally. We rename the groupnames when resolving the groups by ID anyway, but if we fail to do so, at least be consistent. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
28f336bdb32db0b89cb98174a3f8e308e4e928db 13-Apr-2016 Sumit Bose <sbose@redhat.com>

util: make concatenate_string_array() reusable Reviewed-by: Pavel Březina <pbrezina@redhat.com>
7cf0f78d832c7a09b59ee9f91cedc427c0253cd4 13-Apr-2016 Sumit Bose <sbose@redhat.com>

LDAP: refactor sdap_ad_tokengroups_initgr_mapping_done() The group-processing is moved out to make it reusable. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
cce3e8526176ce2fe9baa5bda1bb457b996b7bcf 13-Apr-2016 Sumit Bose <sbose@redhat.com>

SDAP: make some AD specific calls public Make sdap_ad_tokengroups_get_posix_members() and sdap_ad_resolve_sids_send() reusable. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
92ec40e6aa25f75903ffdb166a8ec56b67bfd77d 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

SDAP: rename sdap_get_id_specific_filter More generic name is used now since it is not used only for id filters. Probably all references will be deleted when the code uses sdap_search_in_bases istead of custom search base iterators. Reviewed-by: Sumit Bose <sbose@redhat.com>
f91029dd8d7dbc026a5c73e222926db957240cb4 23-Jul-2015 Yuri Chornoivan <yurchor@ukr.net>

Fix minor typos Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
ee44aac95e42c3cb634876286a2aa4960ac69a2b 31-May-2015 Jakub Hrozek <jhrozek@redhat.com>

Download complete groups if ignore_group_members is set with tokengroups Resolves: https://fedorahosted.org/sssd/ticket/2644 When tokenGroups are enabled, we save groups using their SID as the RDN attribute during initgroups() and later, if the groups is requested and saved again with the full name, remove the original and save the new group entry. Saving the new group entry would break if ignore_group_members is also set, because the new group entry would lack the "member" attribute, so the member/memberof links between the new group and the user entry wouldn't be established again. This patch changes the initgroups processing so that the full group object is fetched when initgroups is enabled but together with ignore_group_members. This solution imposes some performance impact, because instead of one search for tokenGroups we also need to resolve the groups. The more systematic solution would be to get rid of removing the group entry as described in https://fedorahosted.org/sssd/ticket/2656 To reproduce the bug, set: ignore_group_members = True with a backend that uses: id_provider = ad Then run: $ id aduser@ad_domain.com $ id aduser@ad_domain.com Reviewed-by: Sumit Bose <sbose@redhat.com>
d81d8d3dc151ebc95cd0e3f3b14c1cdaa48980f1 17-Mar-2015 Sumit Bose <sbose@redhat.com>

LDAP/AD: do not resolve group members during tokenGroups request During initgroups requests we try to avoid to resolve the complete member list of groups if possible, e.g. if there are no nested groups. The tokenGroups LDAP lookup return the complete list of memberships for a user hence it is not necessary lookup the other group member and un-roll nested groups. With this patch only the group entry is looked up and saved as incomplete group to the cache. This is achieved by adding a new boolean parameter no_members to groups_get_send() and sdap_get_groups_send(). The difference to config options like ldap_group_nesting_level = 0 or ignore_group_members is that if no_members is set to true groups which are missing in the cache are created a incomplete groups. As a result a request to lookup this group will trigger a new LDAP request to resolve the group completely. This way no information is ignored but the time needed to read all data is better distributed between different requests. https://fedorahosted.org/sssd/ticket/2601 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
108db0e3b9e06e530364ef8228634f5e3f6bd3b5 30-Jan-2015 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Add UUID when saving incomplete groups Related to: https://fedorahosted.org/sssd/ticket/2571 Reviewed-by: Sumit Bose <sbose@redhat.com>
6af2095e63f5f78804420fb61e66cb741c179b5d 12-Oct-2014 Lukas Slebodnik <lslebodn@redhat.com>

SDAP: Fix warning Value stored to is never read If function sdap_idmap_sid_to_unix return error code ENOTSUP then error message will be printed: "Skipping buit-in object" Processing of sids will continue an variable ret will be overridden with return code from function sdap_idmap_sid_to_unix, therefore storing EOK to variable is useless. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
7ba70236daccb48432350147d0560b3302518cee 15-Sep-2014 Michal Zidek <mzidek@redhat.com>

Use the alternative objectclass in group maps. Use the alternative group objectclass in queries. Fixes: https://fedorahosted.org/sssd/ticket/2436 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
4932db6258ccfb612a3a28eb6a618c2f042b9d58 08-Sep-2014 Pavel Reichl <preichl@redhat.com>

AD: process non-posix nested groups using tokenGroups When initgr is performed for AD supporting tokenGroups, do not skip non-posix groups. Resolves: https://fedorahosted.org/sssd/ticket/2343 Reviewed-by: Michal Židek <mzidek@redhat.com>
99f53d551a1db5d8023b4271eb691d554257624c 26-Aug-2014 Lukas Slebodnik <lslebodn@redhat.com>

SDAP: Update groups for user just once. The function sdap_ad_tokengroups_update_members finds the differences between list of groups from sysdb and list of groups from LDAP (input argument). For each new group, connections are created between user and group. The other connections are removed. The problem was that in some cases function sdap_ad_tokengroups_update_members was called twice (sdap_ad_tokengroups_initgr_posix_tg_done and sdap_ad_tokengroups_initgr_posix_sids_done). The first call created connection between user and groups resolved from tokengroups and the second call update groups from missing SIDs, but previously created connections were removed. The worst case was when there weren't any missing groups. This behaviour caused missing groups in some cases (for users in child ad domain) This patch join array of groups obtained from token group and array of groups obtained from missing SIDs. The function sdap_ad_tokengroups_update_members is called just once with single array. Resolves: https://fedorahosted.org/sssd/ticket/2407 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
174e9ec6f88d709b6e9481ed06a322c0fc495842 26-Aug-2014 Lukas Slebodnik <lslebodn@redhat.com>

SDAP: Use different talloc_context for array of names It will be easier to steal whole array to another talloc context Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
21f2821a4420291c8eb3ee9d427e9e1b0a1d9989 26-Aug-2014 Lukas Slebodnik <lslebodn@redhat.com>

SDAP: Immediately finish request for empty array If array of sids is empty we needn't try to resolve them and we can immediately finish request in function sdap_ad_resolve_sids_send This patch is just a small optimisation. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
983983dd1629ab33eab340a40d9ee83965a339c6 09-Aug-2014 Pavel Březina <pbrezina@redhat.com>

ad initgroups: continue if resolved SID is still missing https://fedorahosted.org/sssd/ticket/2389 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
ed346bcc84b8a326996e5550771773d8e63f17c2 22-Jul-2014 Pavel Březina <pbrezina@redhat.com>

ad: update membership after SIDs are resolved Resolves: https://fedorahosted.org/sssd/ticket/2385 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
e6fa71b990d7068d66b98015ae54aae399cc84f1 22-Jul-2014 Pavel Březina <pbrezina@redhat.com>

ad: comment ENOENT when id mapping is disabled Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
1614e1b25a98ff2f03648c4bf61d750fb688285a 21-Jul-2014 Pavel Reichl <preichl@redhat.com>

SDAP: Continue resolving SID even if some fail Resolving groups obtained via Token-Groups in case of disabled ID mapping may lead to failure as non-posix groups are not resolved. This patch amends sdap_ad_resolve_sids_done() not to abruptly finish request if ENOENT is returned. Resolves: https://fedorahosted.org/sssd/ticket/2345 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
b12e2500237f33c44807d7e5b377ec06007c7252 21-Jul-2014 Pavel Reichl <preichl@redhat.com>

LDAP: tokengroups do not work with id_provider=ldap With plain LDAP provider we already have a sdap_handle, so it should be possible that in the case where sdom->pvt == NULL sdap_id_op_connect_send() can be skipped and sdap_get_ad_tokengroups_send() can be already send with the sdap_handle passed to sdap_ad_tokengroups_initgr_mapping_send(). So we should only fail if sdom->pvt == NULL and sh == NULL. if find_subdomain_by_sid() failed we can check if there is only one domain in the domain list (state->domain) and in this case continue with this domain since the LDAP provider does not know about sub-domains and hence can only have one configured domain. Resolves: https://fedorahosted.org/sssd/ticket/2345 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
83bf46f4066e3d5e838a32357c201de9bd6ecdfd 12-Feb-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Update DEBUG* invocations to use new levels Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead: grep -rl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e 'use strict; use File::Slurp; my @map=qw" SSSDBG_FATAL_FAILURE SSSDBG_CRIT_FAILURE SSSDBG_OP_FAILURE SSSDBG_MINOR_FAILURE SSSDBG_CONF_SETTINGS SSSDBG_FUNC_DATA SSSDBG_TRACE_FUNC SSSDBG_TRACE_LIBS SSSDBG_TRACE_INTERNAL SSSDBG_TRACE_ALL "; my $text=read_file(\*STDIN); my $repl; $text=~s/ ^ ( .* \b (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM) \s* \(\s* )( [0-9] )( \s*, ) ( \s* ) ( .* ) $ / $repl = $1.$map[$3].$4.$5.$6, length($repl) <= 80 ? $repl : $1.$map[$3].$4."\n".(" " x length($1)).$6 /xmge; print $text; ' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

/sssd-io/src/confdb/confdb.c /sssd-io/src/confdb/confdb_setup.c /sssd-io/src/db/sysdb.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_ranges.c /sssd-io/src/db/sysdb_search.c /sssd-io/src/db/sysdb_upgrade.c /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor_netlink.c /sssd-io/src/monitor/monitor_sbus.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_callbacks.c /sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/data_provider_opts.c /sssd-io/src/providers/dp_auth_util.c /sssd-io/src/providers/dp_pam_data_util.c /sssd-io/src/providers/fail_over.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_auth.c /sssd-io/src/providers/ipa/ipa_common.c /sssd-io/src/providers/ipa/ipa_hbac_common.c /sssd-io/src/providers/ipa/ipa_hbac_hosts.c /sssd-io/src/providers/ipa/ipa_hbac_rules.c /sssd-io/src/providers/ipa/ipa_hbac_services.c /sssd-io/src/providers/ipa/ipa_hbac_users.c /sssd-io/src/providers/ipa/ipa_id.c /sssd-io/src/providers/ipa/ipa_init.c /sssd-io/src/providers/ipa/ipa_netgroups.c /sssd-io/src/providers/krb5/krb5_access.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_child_handler.c /sssd-io/src/providers/krb5/krb5_common.c /sssd-io/src/providers/krb5/krb5_delayed_online_authentication.c /sssd-io/src/providers/krb5/krb5_init.c /sssd-io/src/providers/krb5/krb5_init_shared.c /sssd-io/src/providers/krb5/krb5_renew_tgt.c /sssd-io/src/providers/krb5/krb5_utils.c /sssd-io/src/providers/krb5/krb5_wait_queue.c ldap_auth.c ldap_child.c ldap_common.c ldap_id.c ldap_id_cleanup.c ldap_id_netgroup.c ldap_init.c sdap.c sdap_access.c sdap_async.c sdap_async_connection.c sdap_async_enum.c sdap_async_groups.c sdap_async_initgroups.c sdap_async_initgroups_ad.c sdap_async_netgroups.c sdap_async_users.c sdap_child_helpers.c sdap_fd_events.c sdap_id_op.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_child.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_init.c /sssd-io/src/providers/proxy/proxy_netgroup.c /sssd-io/src/resolv/async_resolv.c /sssd-io/src/responder/common/negcache.c /sssd-io/src/responder/common/responder_cmd.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/nss/nsssrv_private.h /sssd-io/src/responder/nss/nsssrv_services.c /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/pam/pamsrv_dp.c /sssd-io/src/sbus/sbus_client.c /sssd-io/src/sbus/sssd_dbus_common.c /sssd-io/src/sbus/sssd_dbus_connection.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/tests/auth-tests.c /sssd-io/src/tests/files-tests.c /sssd-io/src/tests/resolv-tests.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tests/sysdb_ssh-tests.c /sssd-io/src/tools/selinux.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_groupadd.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/tools/tools_util.c /sssd-io/src/tools/tools_util.h /sssd-io/src/util/check_and_open.c /sssd-io/src/util/child_common.c /sssd-io/src/util/crypto/nss/nss_obfuscate.c /sssd-io/src/util/crypto/nss/nss_util.c /sssd-io/src/util/debug.c /sssd-io/src/util/find_uid.c /sssd-io/src/util/nscd.c /sssd-io/src/util/signal.c /sssd-io/src/util/sss_krb5.c /sssd-io/src/util/sss_ldap.c /sssd-io/src/util/user_info_msg.c /sssd-io/src/util/usertools.c /sssd-io/src/util/util.c
a3c8390d19593b1e5277d95bfb4ab206d4785150 12-Feb-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

/sssd-io/src/confdb/confdb.c /sssd-io/src/confdb/confdb_setup.c /sssd-io/src/db/sysdb.c /sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_idmap.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_ranges.c /sssd-io/src/db/sysdb_search.c /sssd-io/src/db/sysdb_selinux.c /sssd-io/src/db/sysdb_services.c /sssd-io/src/db/sysdb_ssh.c /sssd-io/src/db/sysdb_subdomains.c /sssd-io/src/db/sysdb_sudo.c /sssd-io/src/db/sysdb_upgrade.c /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor_netlink.c /sssd-io/src/monitor/monitor_sbus.c /sssd-io/src/providers/ad/ad_access.c /sssd-io/src/providers/ad/ad_common.c /sssd-io/src/providers/ad/ad_domain_info.c /sssd-io/src/providers/ad/ad_dyndns.c /sssd-io/src/providers/ad/ad_id.c /sssd-io/src/providers/ad/ad_init.c /sssd-io/src/providers/ad/ad_srv.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_callbacks.c /sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/data_provider_opts.c /sssd-io/src/providers/dp_auth_util.c /sssd-io/src/providers/dp_dyndns.c /sssd-io/src/providers/dp_pam_data_util.c /sssd-io/src/providers/dp_ptask.c /sssd-io/src/providers/dp_refresh.c /sssd-io/src/providers/fail_over.c /sssd-io/src/providers/fail_over_srv.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_auth.c /sssd-io/src/providers/ipa/ipa_autofs.c /sssd-io/src/providers/ipa/ipa_common.c /sssd-io/src/providers/ipa/ipa_config.c /sssd-io/src/providers/ipa/ipa_dyndns.c /sssd-io/src/providers/ipa/ipa_hbac_common.c /sssd-io/src/providers/ipa/ipa_hbac_hosts.c /sssd-io/src/providers/ipa/ipa_hbac_rules.c /sssd-io/src/providers/ipa/ipa_hbac_services.c /sssd-io/src/providers/ipa/ipa_hbac_users.c /sssd-io/src/providers/ipa/ipa_hostid.c /sssd-io/src/providers/ipa/ipa_hosts.c /sssd-io/src/providers/ipa/ipa_id.c /sssd-io/src/providers/ipa/ipa_idmap.c /sssd-io/src/providers/ipa/ipa_init.c /sssd-io/src/providers/ipa/ipa_netgroups.c /sssd-io/src/providers/ipa/ipa_s2n_exop.c /sssd-io/src/providers/ipa/ipa_selinux.c /sssd-io/src/providers/ipa/ipa_selinux_maps.c /sssd-io/src/providers/ipa/ipa_srv.c /sssd-io/src/providers/ipa/ipa_subdomains.c /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd-io/src/providers/ipa/ipa_subdomains_id.c /sssd-io/src/providers/ipa/ipa_sudo.c /sssd-io/src/providers/krb5/krb5_access.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_become_user.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_child_handler.c /sssd-io/src/providers/krb5/krb5_common.c /sssd-io/src/providers/krb5/krb5_delayed_online_authentication.c /sssd-io/src/providers/krb5/krb5_init.c /sssd-io/src/providers/krb5/krb5_init_shared.c /sssd-io/src/providers/krb5/krb5_renew_tgt.c /sssd-io/src/providers/krb5/krb5_utils.c /sssd-io/src/providers/krb5/krb5_wait_queue.c ldap_access.c ldap_auth.c ldap_child.c ldap_common.c ldap_id.c ldap_id_cleanup.c ldap_id_enum.c ldap_id_netgroup.c ldap_id_services.c ldap_init.c sdap.c sdap_access.c sdap_async.c sdap_async_autofs.c sdap_async_connection.c sdap_async_enum.c sdap_async_groups.c sdap_async_groups_ad.c sdap_async_initgroups.c sdap_async_initgroups_ad.c sdap_async_nested_groups.c sdap_async_netgroups.c sdap_async_services.c sdap_async_sudo.c sdap_async_sudo_hostinfo.c sdap_async_sudo_timer.c sdap_async_users.c sdap_autofs.c sdap_child_helpers.c sdap_dyndns.c sdap_fd_events.c sdap_id_op.c sdap_idmap.c sdap_range.c sdap_refresh.c sdap_reinit.c sdap_sudo.c sdap_sudo_cache.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_child.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_init.c /sssd-io/src/providers/proxy/proxy_netgroup.c /sssd-io/src/providers/proxy/proxy_services.c /sssd-io/src/providers/simple/simple_access.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/resolv/async_resolv.c /sssd-io/src/resolv/async_resolv_utils.c /sssd-io/src/responder/autofs/autofssrv.c /sssd-io/src/responder/autofs/autofssrv_cmd.c /sssd-io/src/responder/autofs/autofssrv_dp.c /sssd-io/src/responder/common/negcache.c /sssd-io/src/responder/common/responder_cmd.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/common/responder_get_domains.c /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_mmap_cache.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/nss/nsssrv_private.h /sssd-io/src/responder/nss/nsssrv_services.c /sssd-io/src/responder/pac/pacsrv.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pac/pacsrv_utils.c /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pam_helpers.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/pam/pamsrv_dp.c /sssd-io/src/responder/ssh/sshsrv.c /sssd-io/src/responder/ssh/sshsrv_cmd.c /sssd-io/src/responder/ssh/sshsrv_dp.c /sssd-io/src/responder/sudo/sudosrv.c /sssd-io/src/responder/sudo/sudosrv_cmd.c /sssd-io/src/responder/sudo/sudosrv_dp.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/responder/sudo/sudosrv_query.c /sssd-io/src/sbus/sbus_client.c /sssd-io/src/sbus/sssd_dbus_common.c /sssd-io/src/sbus/sssd_dbus_connection.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/sss_client/ssh/sss_ssh_authorizedkeys.c /sssd-io/src/sss_client/ssh/sss_ssh_knownhostsproxy.c /sssd-io/src/tests/auth-tests.c /sssd-io/src/tests/cmocka/test_dyndns.c /sssd-io/src/tests/cmocka/test_fqnames.c /sssd-io/src/tests/cmocka/test_nss_srv.c /sssd-io/src/tests/cmocka/test_utils.c /sssd-io/src/tests/common_dom.c /sssd-io/src/tests/common_tev.c /sssd-io/src/tests/debug-tests.c /sssd-io/src/tests/files-tests.c /sssd-io/src/tests/krb5_child-test.c /sssd-io/src/tests/resolv-tests.c /sssd-io/src/tests/simple_access-tests.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tests/sysdb_ssh-tests.c /sssd-io/src/tools/files.c /sssd-io/src/tools/selinux.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_debuglevel.c /sssd-io/src/tools/sss_groupadd.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_seed.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/tools/tools_mc_util.c /sssd-io/src/tools/tools_util.c /sssd-io/src/tools/tools_util.h /sssd-io/src/util/authtok.c /sssd-io/src/util/backup_file.c /sssd-io/src/util/check_and_open.c /sssd-io/src/util/child_common.c /sssd-io/src/util/crypto/libcrypto/crypto_base64.c /sssd-io/src/util/crypto/libcrypto/crypto_obfuscate.c /sssd-io/src/util/crypto/nss/nss_obfuscate.c /sssd-io/src/util/crypto/nss/nss_util.c /sssd-io/src/util/debug.c /sssd-io/src/util/domain_info_utils.c /sssd-io/src/util/find_uid.c /sssd-io/src/util/nscd.c /sssd-io/src/util/server.c /sssd-io/src/util/signal.c /sssd-io/src/util/sss_ini.c /sssd-io/src/util/sss_krb5.c /sssd-io/src/util/sss_krb5.h /sssd-io/src/util/sss_ldap.c /sssd-io/src/util/sss_nss.c /sssd-io/src/util/sss_selinux.c /sssd-io/src/util/sss_ssh.c /sssd-io/src/util/sss_tc_utf8.c /sssd-io/src/util/user_info_msg.c /sssd-io/src/util/usertools.c /sssd-io/src/util/util.c /sssd-io/src/util/util.h /sssd-io/src/util/util_lock.c /sssd-io/src/util/well_known_sids.c
113debb7297f0c02b5be0dd404badeef78841a83 01-Feb-2014 Lukas Slebodnik <lslebodn@redhat.com>

AD: Remove unused memory contexts Memory context memctx was unused in functions _ad_servers_init sdap_ad_tokengroups_update_members
2a96981a0ac781d01e5bba473409ed2bdf4cd4e0 09-Jan-2014 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Add a new error code for malformed access control filter https://fedorahosted.org/sssd/ticket/2164 The patch adds a new error code and special cases the new code so that access is denied and a nicer log message is shown.
008e1ee835602023891ac45408483d87f41e4d5c 19-Dec-2013 Sumit Bose <sbose@redhat.com>

AD: cross-domain membership fix A recent patch directed all call related to group membership lookups to the AD LDAP port to fix an issue related to missing group memberships in the Global Catalog. As a side-effect it broke cross-domain group-memberships because those cannot be resolved by the connection to the LDAP port. The patch tires to fix this by restoring the original behaviour in the top-level lookup calls in the AD provider and switching to the LDAP port only for the LDAP request which is expected to return the full group membership. Additionally this patch contains a related fix for the tokenGroups with Posix attributes patch. The original connection, typically a Global Catalog connection in the AD case is passed down the stack so that the group lookup after the tokenGroups request can run over the same connection.
8280c5213094a72fcaa499dda2f8647246185d45 19-Dec-2013 Sumit Bose <sbose@redhat.com>

AD: filter domain local groups for trusted/sub domains In Active Directory groups with a domain local scope should only be used inside of the specific domain. Since SSSD read the group memberships from LDAP server of the user's domain the domain local groups are included in the LDAP result. Those groups should be filtered out if the domain is a sub/trusted domain, i.e. is not the domain the client running SSSD is joined to. The groups will still be in the cache but marked as non-POSIX groups and no GID will be assigned. Fixes https://fedorahosted.org/sssd/ticket/2178
ed3e08e6ff267722c605141a0b57774efe4cb531 18-Dec-2013 Pavel Březina <pbrezina@redhat.com>

ad: use tokengroups even when id mapping is disabled https://fedorahosted.org/sssd/ticket/1568
29a61bce88147872b5086278d37b1e58726032d1 18-Dec-2013 Pavel Březina <pbrezina@redhat.com>

ad: refactor tokengroups initgroups sdap_get_ad_tokengroups_initgroups is split into more parts so it can be reused later.
e2ac9be4f293b96f3c8992f1171e44bc1da5cfca 15-Nov-2013 Michal Zidek <mzidek@redhat.com>

SYSDB: Drop redundant sysdb_ctx parameter from sysdb.c
d115f40c7a3999e3cbe705a2ff9cf0fd493f80fb 15-Nov-2013 Michal Zidek <mzidek@redhat.com>

SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2)

/sssd-io/src/db/sysdb.h /sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_services.c /sssd-io/src/db/sysdb_ssh.c /sssd-io/src/db/sysdb_sudo.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_hbac_common.c /sssd-io/src/providers/ipa/ipa_hbac_hosts.c /sssd-io/src/providers/ipa/ipa_hbac_services.c /sssd-io/src/providers/ipa/ipa_hbac_users.c /sssd-io/src/providers/ipa/ipa_id.c /sssd-io/src/providers/ipa/ipa_netgroups.c /sssd-io/src/providers/ipa/ipa_s2n_exop.c /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd-io/src/providers/krb5/krb5_auth.c ldap_auth.c ldap_id.c ldap_id_cleanup.c ldap_id_netgroup.c sdap_async_groups.c sdap_async_initgroups.c sdap_async_initgroups_ad.c sdap_async_nested_groups.c sdap_async_netgroups.c sdap_async_users.c sdap_reinit.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_netgroup.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pac/pacsrv_utils.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/tests/cmocka/test_nss_srv.c /sssd-io/src/tests/simple_access-tests.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_seed.c /sssd-io/src/tools/sss_sync_ops.c
4c08db0fb0dda3d27b1184248ca5c800d7ce23f0 15-Nov-2013 Michal Zidek <mzidek@redhat.com>

SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 1)
c56da2ccf852c403b21dd987de8bae451654e95a 08-Nov-2013 Jakub Hrozek <jhrozek@redhat.com>

Initialize sid_str to NULL to avoid freeing random data If any function before failed, sss_idmap_free_sid() might have been called with random data.
4537e95f6741ae05ec620e5b46ca1d4a3a1ceae5 07-Nov-2013 Pavel Březina <pbrezina@redhat.com>

free idmapped SIDs correctly Resolves: https://fedorahosted.org/sssd/ticket/2133
7d3b27b0b2137cbc26da20d93bdcf332b123be19 26-Sep-2013 Pavel Březina <pbrezina@redhat.com>

ad: store group in correct tree on initgroups via tokenGroups If tokenGroups contains group from different domain than user's, we stored it under the user's domain tree in sysdb. This patch changes it so we store it under group's domain tree. Resolves: https://fedorahosted.org/sssd/ticket/2066
a4bf85ccc902490c3b75b44532010fbb32169801 11-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fix formating of variables with type: gid_t
0e65abe5cf2abf5d4b431cf6bd161b419f07901d 11-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fix formating of variables with type: size_t

/sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_search.c /sssd-io/src/providers/ad/ad_srv.c /sssd-io/src/providers/fail_over_srv.c /sssd-io/src/providers/ipa/ipa_config.c /sssd-io/src/providers/ipa/ipa_idmap.c /sssd-io/src/providers/ipa/ipa_netgroups.c /sssd-io/src/providers/ipa/ipa_selinux.c /sssd-io/src/providers/ipa/ipa_selinux_maps.c /sssd-io/src/providers/ipa/ipa_srv.c /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_child_handler.c /sssd-io/src/providers/krb5/krb5_renew_tgt.c ldap_child.c ldap_id_cleanup.c sdap_access.c sdap_async_autofs.c sdap_async_groups.c sdap_async_groups_ad.c sdap_async_initgroups.c sdap_async_initgroups_ad.c sdap_async_nested_groups.c sdap_async_netgroups.c sdap_async_services.c sdap_async_sudo.c sdap_async_users.c sdap_child_helpers.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/responder/nss/nsssrv_mmap_cache.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/util/child_common.c
75dd4b05e1dacc76dc9d5f16be31978f84a71dc5 19-Aug-2013 Sumit Bose <sbose@redhat.com>

sysdb_add_incomplete_group: store SID string is available During initgroups request we read the SID of a group from the server but do not save it to the cache. This patch fixes this and might help to avoid an additional lookup of the SID later.
749cfb5d3270b5daf389d51a0dbd3fd2aec6e05d 07-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

LDAP: new SDAP domain structure Previously an sdap_id_ctx was always tied to one domain with a single set of search bases. But with the introduction of Global Catalog lookups, primary domain and subdomains might have different search bases. This patch introduces a new structure sdap_domain that contains an sssd domain or subdomain and a set of search bases. With this patch, there is only one sdap_domain that describes the primary domain.
7486dea9f5f7b2a6fbbacc6db740a82140b6377c 20-May-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fixing critical format string issues. --missing arguments. --format '%s', but argument is integer. --wrong format string, examle: '%\n'
363ce75bfe2f73198e1ae7feeed97b6009ae24b8 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain arg to sysdb group member functions
5c1135221ff3ea9132b6ebf073f2dcae88b73b3f 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain arguments to sysdb_add_group functions.
5d72a91a37273c8c874640906fd2f7a70e606812 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain to sysdb_search_group_by_gid() Also remove unused sysdb_search_domgroup_by_gid()
b23539e420b9962ad3bfd8f305b9d5acf47e7efb 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain to sysdb_search_group_by_name() Also remove unused sysdb_search_domgroup_by_name()
2ce00e0d3896bb42db169d1e79553a81ca837a22 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain to sysdb_search_user_by_name() Also remove unused sysdb_search_domuser_by_name()
d6f283302268520c1506fb3da4f2a22f5a741be5 28-Nov-2012 Michal Zidek <mzidek@redhat.com>

idmap: Silence DEBUG messages when dealing with built-in SIDs. When converting built-in SID to unix GID/UID a confusing debug message about the failed conversion was printed. This patch special cases these built-in objects. https://fedorahosted.org/sssd/ticket/1593
7ac513a054d76fa8b758fefbee5ba3467aeab48a 24-Sep-2012 Stephen Gallagher <sgallagh@redhat.com>

AD: Handle sysdb lookup failure during tokenGroups processing
d0e0e73e86f2afdb7f8fefbed70fda8d77b1c25a 24-Sep-2012 Stephen Gallagher <sgallagh@redhat.com>

AD: Optimize initgroups lookups with tokenGroups https://fedorahosted.org/sssd/ticket/1355
d42d371c00c83ae44b9d1c3e88ecbe0e01b112e6 13-Jun-2012 Stephen Gallagher <sgallagh@redhat.com>

LDAP: Add support for AD chain matching extension in initgroups