4a9c1047354dbe5a4ed41e5951ae623e3772e113
29-Jan-2018
René Genz <liebundartig@freenet.de>
Fix minor spelling mistakes in providers/*
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

0e238c259c066cf997aaa940d33d6bda96c15925
27-Nov-2017
Sumit Bose <sbose@redhat.com>
sysdb: do not use objectClass for users and groups
The majority of the objects in the SSSD cache are users and groups. If
there are many users and groups in the cache the index objects of the
objectclass attributes 'user' and 'group' become large because they
must hold references to all objects of those object classes.
As a result the management of these index objects becomes costly because
they must be parsed and split apart quite often. Additionally they are
mostly useless because users and groups are looked up by more specific
attributes in general.
Only when enumerating all users or groups might this kind of index be
useful.
There are two ways of removing this kind of index from the user and group
objects: either by removing objectClass from the list of indexes and adding
a new attribute to all other types of object we want an index for, or by
replacing objectClass with a different attribute for the user and group
objects. After some testing I think the latter one is the more reliable
one and implemented it in this patch.
Related to https://pagure.io/SSSD/sssd/issue/3503
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

4c508463be960682cf94b4e5a39be2f8f49067c8
05-Sep-2017
Fabiano Fidêncio <fidencio@redhat.com>
SDAP: Use sysdb_search_*_by_orig_dn() in sdap_async_nested_groups.c
Methods for searching the users, groups and entries by their orig dn
have been introduced in one of the previous commits.
Let's make use of those whenever it makes sense.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

beec1ee5799570f34a51ea57674c7291c15f7022
23-Jun-2016
Jakub Hrozek <jhrozek@redhat.com>
LDAP: Shortcut looking up for group members sooner
This patch is a performance enhancement. When looking for entries to
refresh, we always looked up all members in the cache, even if we ended
up dereferencing the whole group. If we are about to try to dereference, it
makes sense to shortcut the lookups after the dereference threshold is
reached. In that case, the split_members function returns a special
error code and the caller just dereferences the whole group.
Only if dereference fails, we fall back to looking up all members so
that we can look them up one-by-one.
Also adds an integration test to make sure the dereference code works.
Reviewed-by: Sumit Bose <sbose@redhat.com>

630f3ff08c1d17c7900b9bde814922f775ca2703
10-Jun-2016
Jakub Hrozek <jhrozek@redhat.com>
LDAP: Decorate the hot paths in the LDAP provider with systemtap probes
During performance analysis, the LDAP provider and especially its nested
group code proved to be the place where we spend the most time during
account requests. Therefore, I decorated the LDAP provider with
systemtap probes to be able to observe where the time is spent.
The code allows passing of search properties (base, filter, ...) from
marks to probes. Where applicable, the probes pass on these arguments to
functions and build a human-readable string representation.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

b5137d2fe9223f71740c2a9be35d7762f136c41a
05-Apr-2016
Lukas Slebodnik <lslebodn@redhat.com>
SDAP: Remove unused parameter talloc context
Parameter memctx was unused in sdap_nested_group_add_ext_members.
Reviewed-by: Pavel Reichl <preichl@redhat.com>

c6bda70d6131b5e8cd760ad690fae001d1765547
11-Mar-2016
Jakub Hrozek <jhrozek@redhat.com>
tests: Add a unit test for the external groups resolution
Adds a test that tests a complex nested group hierarchy. Also defines
the talloc chunk for group members to 1 to make sure the realloc branch
is always tested.
Unit test for: https://fedorahosted.org/sssd/ticket/2522
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

c32266e79f9d4bebd0c31eaa8d6fa26050e7fb3e
24-Feb-2016
Jakub Hrozek <jhrozek@redhat.com>
LDAP: Use the IPA provider interface to resolve external group members
Resolves:
https://fedorahosted.org/sssd/ticket/2522
Currently the approach is not optimized for performance, because each
external member is resolved in a full transaction to make sure even ID
views and similar information is processed.
In the future, once we implement https://fedorahosted.org/sssd/ticket/2943,
we will again be able to process all the data in a single transaction.
Reviewed-by: Sumit Bose <sbose@redhat.com>

a6dd4a6c55773e81490dcafd61d4b9782705e9bf
19-Jan-2016
Pavel Březina <pbrezina@redhat.com>
SDAP: use ipa_get_rdn() in nested groups
Reviewed-by: Sumit Bose <sbose@redhat.com>

92ec40e6aa25f75903ffdb166a8ec56b67bfd77d
19-Jan-2016
Pavel Březina <pbrezina@redhat.com>
SDAP: rename sdap_get_id_specific_filter
A more generic name is used now since it is not used only for id
filters. Probably all references will be deleted when the code
uses sdap_search_in_bases instead of custom search base iterators.
Reviewed-by: Sumit Bose <sbose@redhat.com>

bad2fc8133d941e5a6c8d8016c9689e039265c61
14-Apr-2015
Lukas Slebodnik <lslebodn@redhat.com>
SDAP: Extract filtering AD group to function
Patch removes code duplication.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

c683b8d730f4ec838244147d70a0275d53459aa5
29-Sep-2014
Pavel Reichl <preichl@redhat.com>
Fix debug messages - trailing '.'
Fix debug messages where '\n' was wrongly followed by '.'.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

7ba70236daccb48432350147d0560b3302518cee
15-Sep-2014
Michal Zidek <mzidek@redhat.com>
Use the alternative objectclass in group maps.
Use the alternative group objectclass in queries.
Fixes:
https://fedorahosted.org/sssd/ticket/2436
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

72db1f3ce67b0634f2843088f1198b3b350b72ab
26-Aug-2014
Lukas Slebodnik <lslebodn@redhat.com>
SDAP: Fix using of uninitialized variable
When the group was POSIX and id mapping was enabled, then the variable gid
was used uninitialized.
Valgrind error:
    Conditional jump or move depends on uninitialised value(s)
       at 0x13F1A1D7: sdap_nested_group_hash_group (sdap_async_nested_groups.c:279)
       by 0x13F1DAA1: sdap_nested_group_send (sdap_async_nested_groups.c:718)
       by 0x13F1998D: sdap_get_groups_process (sdap_async_groups.c:1847)
       by 0x13F0F9CE: sdap_get_generic_ext_done (sdap_async.c:1467)
       by 0x13F0EE9F: sdap_process_result (sdap_async.c:357)
       by 0x54ABFBE: tevent_common_loop_timer_delay (in /usr/lib64/libtevent.so.0.9.20)
       by 0x54ACFC9: ??? (in /usr/lib64/libtevent.so.0.9.20)
       by 0x54AB6B6: ??? (in /usr/lib64/libtevent.so.0.9.20)
       by 0x54A7F2C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.20)
       by 0x54A80CA: tevent_common_loop_wait (in /usr/lib64/libtevent.so.0.9.20)
       by 0x54AB656: ??? (in /usr/lib64/libtevent.so.0.9.20)
       by 0x5283872: server_loop (server.c:587)
Reviewed-by: Pavel Reichl <preichl@redhat.com>

24c3188e29df52d6df7070007e1c65d152b57fe9
19-Aug-2014
Jakub Hrozek <jhrozek@redhat.com>
Revert "IPA: try to resolve nested groups as poxix group"
This reverts commit 08145755f66e83c304e11228c2b610a09576dd81.

08145755f66e83c304e11228c2b610a09576dd81
19-Aug-2014
Pavel Reichl <preichl@redhat.com>
IPA: try to resolve nested groups as poxix group
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com>

e14cad512af789c78ab56c6f205f77a20a151316
06-Aug-2014
Jakub Hrozek <jhrozek@redhat.com>
LDAP: Avoid undefined ret value
If the LDAP schema was set to a different value than AD and ID mapping
was enabled, the value of ret was not defined.
Make sure we define ret for the condition below with the
default for ID mapping, which is 'no GID'.
Reviewed-by: Pavel Reichl <preichl@redhat.com>

8a8618717c99b7331125fa736b45d9155da797d3
23-Jul-2014
Jakub Hrozek <jhrozek@redhat.com>
Only check GID if ID-mapping
Reviewed-by: Sumit Bose <sbose@redhat.com>

e3c994b7b779e6d6d6d125ee28d30bd139590f49
23-Jul-2014
Jakub Hrozek <jhrozek@redhat.com>
No point in searching for gid if we already know the group should be filtered
Reviewed-by: Sumit Bose <sbose@redhat.com>

2efc26d6e54b68a079e8f11fa24d04867d432476
27-Jun-2014
Jakub Hrozek <jhrozek@redhat.com>
LDAP: Fix retrieving a group with no members
sysdb_attrs_get_el() cannot return ENOENT. Even if the requested member
doesn't exist, an empty element is created instead. This patch changes
the code to use sysdb_attrs_get_el_ext() which returns ENOENT.
The code only ever worked because we forgot to check the return value of
sdap_nested_group_split_members(). When the empty attribute reached
sdap_nested_group_split_members(), the function returned ENOMEM and
count == 0. The caller used to only check the value of count, not the
retval.
Reviewed-by: Pavel Reichl <preichl@redhat.com>

759fd29a597533a3f5489246c0d2b658d8bee417
27-Jun-2014
Pavel Reichl <preichl@redhat.com>
LDAP: group_split_members incorrectly returns ENOMEM
Don't fail if num_missing is 0.
Resolves:
https://fedorahosted.org/sssd/ticket/2369
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

0d47aef7577f8cf651255cf59df87b3847dbe1ad
27-Jun-2014
Pavel Reichl <preichl@redhat.com>
SDAP: return after tevent_req_error
Don't call tevent_req_done after tevent_req_error (for the same request).
Reviewed-by: Sumit Bose <sbose@redhat.com>

a47cb2e08e4004179d2a6b5f9a9340200270fbd0
23-Jun-2014
Pavel Březina <pbrezina@redhat.com>
nested groups: do not fail if we get one entry twice
https://fedorahosted.org/sssd/ticket/2341
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

4dd38025efda88f123eac672f87d3cda12f050c8
02-May-2014
Jakub Hrozek <jhrozek@redhat.com>
LDAP: Make it possible to extend an attribute map
https://fedorahosted.org/sssd/ticket/2073
This commit adds a new option ldap_user_extra_attrs that is unset by
default. When set, the option contains a list of LDAP attributes the LDAP
provider would download and store in addition to the usual set.
The list can either contain LDAP attribute names only, or colon-separated
tuples of LDAP attribute and SSSD cache attribute name. In case only the LDAP
attribute name is specified, the attribute is saved to the cache verbatim.
Using a custom SSSD attribute name might be required by environments that
configure several SSSD domains with different LDAP schemas.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

a3c8390d19593b1e5277d95bfb4ab206d4785150
12-Feb-2014
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
    grep -rwl --include '*.[hc]' DEBUG . |
    while read f; do
        mv "$f"{,.orig}
        perl -e \
            'use strict;
             use File::Slurp;
             my $text=read_file(\*STDIN);
             $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
             print $text;' < "$f.orig" > "$f"
        rm "$f.orig"
    done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>

8280c5213094a72fcaa499dda2f8647246185d45
19-Dec-2013
Sumit Bose <sbose@redhat.com>
AD: filter domain local groups for trusted/sub domains
In Active Directory groups with a domain local scope should only be used
inside of the specific domain. Since SSSD reads the group memberships
from the LDAP server of the user's domain the domain local groups are
included in the LDAP result. Those groups should be filtered out if the
domain is a sub/trusted domain, i.e. is not the domain the client
running SSSD is joined to.
The groups will still be in the cache but marked as non-POSIX groups and
no GID will be assigned.
Fixes https://fedorahosted.org/sssd/ticket/2178

d115f40c7a3999e3cbe705a2ff9cf0fd493f80fb
15-Nov-2013
Michal Zidek <mzidek@redhat.com>
SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2)

55206e06bcfa0322cd817d34457e330545d6b877
30-Oct-2013
Jakub Hrozek <jhrozek@redhat.com>
LDAP: Check all search bases during nested group processing

05f6866b89f790e25510b7eeca88ded617294011
30-Oct-2013
Pavel Březina <pbrezina@redhat.com>
nested groups: pick correct domain for cache lookups
Groups may contain members from different domains. We need
to make sure that we always choose the correct domain for subdomain
users when looking up in sysdb.
Resolves:
https://fedorahosted.org/sssd/ticket/2064

5cd4414fce1e0eb4133dfc6fc828bf25c8a959f9
24-Sep-2013
Lukas Slebodnik <lslebodn@redhat.com>
Include header file in implementation module.
Declarations of public functions were in header files,
but the header files were not included in the implementation file.

0e65abe5cf2abf5d4b431cf6bd161b419f07901d
11-Sep-2013
Lukas Slebodnik <lslebodn@redhat.com>
Fix formatting of variables with type: size_t

d98fdd80331e93cd698281341360a3ce3e30afbe
02-Sep-2013
Pavel Březina <pbrezina@redhat.com>
Fix Czech specific character in my name

fc0d76ac54c813c78380ab388f69c69c3620155d
18-Jun-2013
Pavel Březina <pbrezina@redhat.com>
nested groups: do not expect any particular number of groups

e6dee5182d07e3fdbcdfe5b1b3d36f1d26672223
18-Jun-2013
Pavel Březina <pbrezina@redhat.com>
nested groups: do not return ENOMEM if num_groups is 0
talloc_realloc(..., 0) calls talloc_free() and returns NULL.
If we process a group that contains only users, we erroneously
return ENOMEM.

d9a000b54a23fd4a58481b864175b88a8a3f7949
17-Jun-2013
Pavel Březina <pbrezina@redhat.com>
nested groups: allocate more space if deref returns more members
https://fedorahosted.org/sssd/ticket/1894

749cfb5d3270b5daf389d51a0dbd3fd2aec6e05d
07-Jun-2013
Jakub Hrozek <jhrozek@redhat.com>
LDAP: new SDAP domain structure
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain.

369626f19a9083be643c796691798e2debf2f07b
04-Apr-2013
Lukas Slebodnik <lslebodn@redhat.com>
LDAP: Fix value initialization warnings

02b2c042d0c2ace289583c8e5e4ead1eff481376
02-Apr-2013
Pavel Březina <pbrezina@redhat.com>
refactor nested group processing: add new code
https://fedorahosted.org/sssd/ticket/1784
1. initialization (main-req), returns members of input group
2. evaluate group members (group)
3. perform individual search (no-deref) or dereference attribute (deref)
4a. no-deref
1. perform a lookup depending on the type of the member object
2. all direct members are evaluated first
3. then we step down in nesting level and evaluate nested groups
4b. deref
1. perform a dereference lookup on member attribute
2. all direct members are evaluated first
3. then we step down in nesting level and evaluate nested groups
Tevent request flow:
main-req
|
group
|------------------------|
no-deref deref
| |
|----|------|---------| |
user group unknown recurse recurse
/ \ | | | ... | | | ...
user group group group |