History log of /sssd-io/src/responder/ifp/ifp_groups.c
Revision Date Author Comments Expand
0e238c259c066cf997aaa940d33d6bda96c15925 27-Nov-2017 Sumit Bose <sbose@redhat.com>

sysdb: do not use objectClass for users and groups The majority of the object in the SSSD cache are users and groups. If there are many user and groups in the cache the index objects of the objectclass attributes 'user' and 'group' become large because the must hold references to all objects of those object classes. As a result the management of these index objects becomes costly because they must be parsed and split apart quite often. Additionally they are mostly useless because user and groups are lookup up by more specific attributes in general. Only when enumerating all user or groups this kind of index might be useful. There are two way of removing this kind of index from the user and group objects. Either by removing objectClass from the list of indexes and add a new attribute to all other type of object we want and index for. Or by replacing objectClass with a different attribute for the user and group objects. After some testing I think the latter one is the more reliable one and implemented it in this patch. Related to https://pagure.io/SSSD/sssd/issue/3503 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd-io/src/db/sysdb.h /sssd-io/src/db/sysdb_init.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_search.c /sssd-io/src/db/sysdb_upgrade.c /sssd-io/src/ldb_modules/memberof.c /sssd-io/src/providers/ad/ad_pac.c /sssd-io/src/providers/ipa/ipa_id.c /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd-io/src/providers/ipa/ipa_subdomains_id.c /sssd-io/src/providers/krb5/krb5_renew_tgt.c /sssd-io/src/providers/ldap/ldap_id_cleanup.c /sssd-io/src/providers/ldap/sdap_async_groups.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_async_initgroups_ad.c /sssd-io/src/providers/ldap/sdap_async_nested_groups.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_common.c ifp_cache.c ifp_groups.c ifp_users.c /sssd-io/src/responder/nss/nss_cmd.c /sssd-io/src/responder/nss/nss_protocol_grent.c /sssd-io/src/responder/nss/nss_protocol_sid.c /sssd-io/src/tests/cmocka/test_ad_common.c /sssd-io/src/tests/cmocka/test_ipa_subdomains_server.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tools/sssctl/sssctl_cache.c
5d855b5d546eb995023d80d61433bbe91888dbdf 25-Aug-2017 Fabiano Fidêncio <fidencio@redhat.com>

IFP: Change ifp_list_ctx_remaining_capacity() return type Now ifp_list_ctx_remaining_capacity() returns an errno_t and receives the count as an output parameter. It allows better handling and error reporting in case something goes wrong internally in this function. Related: https://pagure.io/SSSD/sssd/issue/3306 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
5fe1e8ba91a1e2e95aadf94ecc5148bec804aa5a 25-Aug-2017 Petr Čech <pcech@redhat.com>

IFP: Filter with * in infopipe group methods This patch fixes asterisk in filter of the ListByName Groups' method, which ends up calling ifp_groups_list_copy() with a NULL pointer. Resolves: https://pagure.io/SSSD/sssd/issue/3305 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
d84e841ede0a372a879531b2b7df6905e363b4ee 03-Aug-2017 Petr Čech <pcech@redhat.com>

IFP: Do not fail when a GHOST group is not found Usually is okay that there are no ghost attributes for a group as it basically just means that the group either has no members or all members have been previously fully resolved. Resolves: https://pagure.io/SSSD/sssd/issue/3315 Reviewed-by: Michal Židek <mzidek@redhat.com>
35f0f5ff9dac790f6c947190fcdc00d01ae9077c 30-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

IFP: Search both POSIX and non-POSIX domains Related to: https://pagure.io/SSSD/sssd/issue/3310 Changes the behaviour of the InfoPipe responder so that both application and POSIX domains are searched. In general, the IFP responder uses the CACHE_REQ_ANY_DOM lookup type because we can't presume the intention of the caller. Therefore, deployments that combine both POSIX and non-POSIX domains must use fully qualified names or select the right domain order manually. There is one change between the POSIX and non-POSIX users or groups - the object path. For the POSIX users, the object path includes the UID or GID. Because we don't have that for the non-POSIX objects, the object name is used in the path instead. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
cee85e8fb9534ec997e5388fce59f392cf029573 30-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

CACHE_REQ: Domain type selection in cache_req Related to: https://pagure.io/SSSD/sssd/issue/3310 Adds a new enumeration cache_req_dom_type. It is a tri-state that allows the caller to select which domains can be contacted - either only POSIX, only application domains or any type. Not all plugins of cache_req have the new parameter added -- only those that are usable/useful in a non-POSIX environment. For example, it makes no sense to allow the selection for calls by ID because those are inherently POSIX-specific. Also, services or netgroups are supported only coming from POSIX domains. At the moment, the patch should not change any behaviour as all calls default to contacting POSIX domains only. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

/sssd-io/src/responder/common/cache_req/cache_req.c /sssd-io/src/responder/common/cache_req/cache_req.h /sssd-io/src/responder/common/cache_req/cache_req_private.h /sssd-io/src/responder/common/cache_req/plugins/cache_req_enum_groups.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_enum_svc.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_enum_users.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_group_by_id.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_group_by_name.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_host_by_name.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_object_by_id.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_object_by_name.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_user_by_id.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_user_by_name.c ifp_groups.c ifp_users.c ifpsrv_cmd.c /sssd-io/src/responder/nss/nss_enum.c /sssd-io/src/responder/nss/nss_get_object.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/tests/cmocka/test_responder_cache_req.c
b206e1abb7f6ea373d12537b3338552aed6b656d 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: encapsulate output data into structure In enumeration calls we want to get objects from all domains, not only from the first matched domain. We move the cache search result into a structure that contains combination of domain and ldb_result. This is preparation for enumeration support inside cache_req. Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
4169fb26ea2ff93c19ecdad6e09382732ea5deeb 20-Oct-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: switch to new code This patch switch the old switch-based cache req code to the new plugin-based. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
e9a2e7afbd09c23dd8748246e09831ed7b17d7c5 22-Sep-2016 Thomas Equeter <firstname@lastname.com>

IFP: expose user and group unique IDs through DBus This adds a uniqueID property on User and Group InfoPipe objects. It has a useful value on AD- and IPA-backed domains. For Active Directory, this is the GUID. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
d0faaf01fd24a935d9779032886d228b3861fa48 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

IFP: Amend the InfoPipe responder for fqdns Parses the internal sysdb names and puts them on the bus using the sss_output_name() helper. Previously, the raw sysdb names were used. Reviewed-by: Sumit Bose <sbose@redhat.com>
c02b8482375837b57cb618ed56d4bede0e006d9d 18-Jun-2016 Pavel Březina <pbrezina@redhat.com>

Remove braces from DEBUG statements Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
11a87c5f091d6c092b5dadd3d67f900213e280da 11-May-2016 Petr Cech <pcech@redhat.com>

RESPONDER: Removing ncache from ifp_ctx This patch switches ncache from ifp_ctx to resp_ctx. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
beb07d2f45856d4f3135f173cce551a2aa878f57 11-May-2016 Petr Cech <pcech@redhat.com>

RESPONDER: Removing neg_timeout from pam responder It removes neg_timeout parameter from struct pam_ctx. Timeout is handled by context of negative cache internally. This patch additioanlly removes neg_timeout from struct cache_req_state. Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
877b92e80bde510d5cd9f03dbf01e2bcf73ab072 23-Oct-2015 Michal Židek <mzidek@redhat.com>

util: Update get_next_domain's interface Update get next domain to be able to include disbled domains and change the interface to accept flags instead of multiple booleans. Ticket: https://fedorahosted.org/sssd/ticket/2673 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd-io/src/confdb/confdb.c /sssd-io/src/db/sysdb_subdomains.c /sssd-io/src/monitor/monitor.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/dp_refresh.c /sssd-io/src/providers/ipa/ipa_subdomains.c /sssd-io/src/providers/ipa/ipa_subdomains_server.c /sssd-io/src/providers/ldap/sdap_domain.c /sssd-io/src/responder/autofs/autofssrv_cmd.c /sssd-io/src/responder/common/negcache.c /sssd-io/src/responder/common/responder_cache_req.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/common/responder_get_domains.c ifp_cache.c ifp_domains.c ifp_groups.c ifp_users.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/nss/nsssrv_services.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/tests/cmocka/test_utils.c /sssd-io/src/tools/common/sss_tools.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_debuglevel.c /sssd-io/src/tools/sss_override.c /sssd-io/src/util/domain_info_utils.c /sssd-io/src/util/usertools.c /sssd-io/src/util/util.h
afdc0179af0ad8ddbedd67422193ef02dcd2bf84 26-Sep-2015 Lukas Slebodnik <lslebodn@redhat.com>

IFP: Suppress warning from static analyzer It seems that clang expected that errno can change to 0 in case of error. It might be a bug in static analyzer. But the workaround does not change the logic and the errno is read just once.
bdf32fbb3c947dd1b2c54d1c21d8028a1ddc80e6 15-Jul-2015 Jakub Hrozek <jhrozek@redhat.com>

IFP: Add wildcard requests Resolves: https://fedorahosted.org/sssd/ticket/2553 Can be used as: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.ListByName \ string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Groups \ org.freedesktop.sssd.infopipe.Groups.ListByName \ string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.ListByDomainAndName \ string:ipaldap string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Groups \ org.freedesktop.sssd.infopipe.Groups.ListByDomainAndName \ string:ipaldap string:r\* uint32:10 By default the wildcard_limit is unset, that is, the request will return all cached entries that match. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
d3c82d0170d6d7407549afdadd08aa7e11aeb9a2 18-Jun-2015 Pavel Březina <pbrezina@redhat.com>

IFP: Implement org.freedesktop.sssd.infopipe.Cache[.Object] Resolves: https://fedorahosted.org/sssd/ticket/2338 Example use: $ dbus-send --print-reply --system \ --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.FindByName \ string:admin object path "/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000" $ dbus-send --print-reply --system \ --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Cache.List array [ ] $ dbus-send --print-reply --system \ --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \ org.freedesktop.sssd.infopipe.Cache.Object.Store boolean true $ dbus-send --print-reply --system \ --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Cache.List array [ object path "/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000" ] $ dbus-send --print-reply --system \ --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \ org.freedesktop.sssd.infopipe.Cache.Object.Remove boolean true $ dbus-send --print-reply --system \ --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Cache.List array [ ] Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
8fe171bf5a7a570591418e6548105f1d5a0097b3 22-May-2015 Pavel Březina <pbrezina@redhat.com>

IFP: add org.freedesktop.sssd.infopipe.Groups.Group Example calls: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Groups/LDAP_2ePB/30001 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Groups.Group string:name method return sender=:1.159 -> dest=:1.168 reply_serial=2 variant string "group-1" dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Groups/LDAP/30002 org.freedesktop.sssd.infopipe.Groups.Group.UpdateMemberList method return sender=:1.934 -> dest=:1.937 reply_serial=2 Resolves: https://fedorahosted.org/sssd/ticket/2150 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
132e477d69e07e02fe6e4d668c0bb6226206474a 22-May-2015 Pavel Březina <pbrezina@redhat.com>

IFP: add org.freedesktop.sssd.infopipe.Groups Example calls: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Groups org.freedesktop.sssd.infopipe.Groups.FindByName string:group-1method return sender=:1.159 -> dest=:1.166 reply_serial=2 object path "/org/freedesktop/sssd/infopipe/Groups/LDAP_2ePB/30001" dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Groups org.freedesktop.sssd.infopipe.Groups.FindByID uint32:30001 method return sender=:1.159 -> dest=:1.167 reply_serial=2 object path "/org/freedesktop/sssd/infopipe/Groups/LDAP_2ePB/30001" Resolves: https://fedorahosted.org/sssd/ticket/2150 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
a1e4113a5388e34c08459c5b69679c82ac2bddc9 22-May-2015 Pavel Březina <pbrezina@redhat.com>

IFP: add org.freedesktop.sssd.infopipe.Users.User Example calls: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/LDAP_2ePB/10001 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:name method return sender=:1.159 -> dest=:1.165 reply_serial=2 variant string "user-1" Resolves: https://fedorahosted.org/sssd/ticket/2150 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>