8890a30f5d054187fd7d5b50503f82a49cd025f0 |
|
08-Jun-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
UTIL: Remove fcntl.h from util/util.h
fcntl.h is not used directly by util/util.h. The header file fcntl.h
must be included in 49 files, and after removing it from util.h it had to be
added only to the 7 missing files which were using either the fcntl syscall
or the open syscall directly.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
31459a01486cfb2c04759bc998ff0c3ed19df81e |
|
25-Jan-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
UTIL: Unset O_NONBLOCK for ldap connection
Before the commit 75e66c388862a4ba05afe0791c5503226395bad0,
the flag O_NONBLOCK was set only for the connect syscall
in request sssd_async_connect_send -> sssd_async_connect_send.
Such a change was done for the secrets provider.
However, if ldap is compiled with gnutls it caused problems with
start_tls and ldaps. There is no problem with libldap 2.5 + gnutls
because libldap is compiled with LDAP_USE_NON_BLOCKING_TLS.
OpenLDAP Server log:
5810cf2f connection_get(23): got connid=1042
5810cf2f connection_read(23): checking for input on id=1042
TLS: error: accept - force handshake failure: errno 11 - moznss error -12234
TLS: can't accept: TLS error -12234:SSL received an unexpected Application Data record..
5810cf2f connection_read(23): TLS accept failure error=-1 id=1042, closing
5810cf2f connection_close: conn=1042 sd=23
sssd domain log:
[simple_bind_send] (0x0100): Executing simple bind as: uid=user1,dc=example,dc=com
[simple_bind_send] (0x2000): ldap simple bind sent, msgid = 2
[sdap_op_add] (0x2000): New operation 2 timeout 6
[sdap_process_result] (0x2000): Trace: sh[0x151c240], connected[1], ops[0x1515700], ldap[0x1511bd0]
[sdap_process_result] (0x2000): Trace: end of ldap_result list
[sdap_process_result] (0x2000): Trace: sh[0x151c240], connected[1], ops[0x1515700], ldap[0x1511bd0]
[sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP server]
[sdap_handle_release] (0x2000): Trace: sh[0x151c240], connected[1], ops[0x1515700], ldap[0x1511bd0], destructor_lock[0], release_memory[0]
[remove_connection_callback] (0x4000): Successfully removed connection callback.
[sdap_op_destructor] (0x1000): Abandoning operation 2
[dp_req_done] (0x0400): DP Request [PAM Authenticate #3]: Request handler finished [0]: Success
[_dp_req_recv] (0x0400): DP Request [PAM Authenticate #3]: Receiving request data.
[dp_req_destructor] (0x0400): DP Request [PAM Authenticate #3]: Request removed.
[dp_req_destructor] (0x0400): Number of active DP request: 0
[dp_method_enabled] (0x0400): Target selinux is not configured
[dp_pam_reply] (0x1000): DP Request [PAM Authenticate #3]: Sending result [4][LDAP]
Resolves:
https://fedorahosted.org/sssd/ticket/3189
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
2bd410d0024cec9445c1aa1a4c28875b92ad74b2 |
|
16-Jun-2016 |
Graham Leggett <minfrin@sharp.fm> |
Add underlying diagnostic message for SSL errors.
Resolves:
https://fedorahosted.org/sssd/ticket/3005
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
5dbf360f2d6b0281c32f1bba6ebf5cc834c1716e |
|
09-Mar-2016 |
Simo Sorce <simo@redhat.com> |
Util: Move socket setup in a common utility file
Other components may need to connect sockets, and the code here is generic enough
that with minimal modifications it can be used for non-ldap connections too.
So create a sss_sockets.c/h utility file with all the non-ldap specific socket
setup functions and make them available for other uses.
Resolves:
https://fedorahosted.org/sssd/ticket/2968
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a10f67d4c64f3b1243de5d86a996475361adf0ac |
|
05-Nov-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Fix leak of file descriptors
The state "struct sss_ldap_init_state" contains the socket
created in the function sss_ldap_init_send. We register the callback
sdap_async_sys_connect_timeout for handling issues with the connection.
The tevent request "sss_ldap_init_send" is usually a (nested) subrequest
of the "struct resolve_service_state" related request created in the function
fo_resolve_service_send. The function fo_resolve_service_send also registers the
timeout callback fo_resolve_service_timeout on the state "struct
resolve_service_state".
It might happen that fo_resolve_service_timeout is called before the
sss_ldap_init_send timeout, and then we could not handle the timeout error
for the state "struct sss_ldap_init_state" and therefore the created socket
was not closed.
We tried to release resources in the function sdap_handle_release.
But the structure "struct sdap_handle" had not been initialized yet
with the LDAP handle and therefore the associated file descriptor could not be closed.
[fo_resolve_service_timeout] (0x0080): Service resolving timeout reached
[fo_resolve_service_recv] (0x0020): TEVENT_REQ_RETURN_ON_ERROR ret[110]
[sdap_handle_release] (0x2000): Trace: sh[0x7f6713410270], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory
[be_resolve_server_done] (0x1000): Server resolution failed: 14
[be_resolve_server_recv] (0x0020): TEVENT_REQ_RETURN_ON_ERROR ret[14]
[check_online_callback] (0x0100): Backend returned: (1, 0, <NULL>) [Provider is Offline (Success)]
Resolves:
https://fedorahosted.org/sssd/ticket/2792
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
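The ownership rule behind the leak fix above, as an added example (not sssd code): while a connection is being set up, the request state owns the socket, and only after a successful connect is the descriptor handed to the LDAP handle. If the request is torn down before that hand-off, for instance because an outer timeout fired first, the state's own release must close the socket or it leaks. A socketpair stands in for the network socket so the example runs offline; the struct and function names are this example's own, and the handle is a stub rather than a real LDAP handle.

```c
/* Added example, not sssd code: a connect-in-progress state owns its
 * socket until the fd is handed to the (stub) LDAP handle; teardown
 * before the hand-off must close it. Names are this example's own. */
#include <fcntl.h>
#include <sys/socket.h>
#include <unistd.h>

struct conn_state {
    int sock;        /* owned socket, -1 once closed or handed off */
    int handed_off;  /* 1 once the fd belongs to the handle */
};

struct ldap_handle_stub {
    int fd;          /* -1 until a connected socket is installed */
};

/* Close only a valid descriptor and forget it; never close(-1). */
static void safe_close(int *fd)
{
    if (*fd >= 0) {
        close(*fd);
        *fd = -1;
    }
}

/* Begin a "connection": create the socket the state will own. */
int conn_state_init(struct conn_state *st, int *peer)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    st->sock = sv[0];
    st->handed_off = 0;
    *peer = sv[1];
    return 0;
}

/* Connect finished: ownership of the fd moves to the handle. */
void conn_state_handoff(struct conn_state *st, struct ldap_handle_stub *lh)
{
    lh->fd = st->sock;
    st->sock = -1;
    st->handed_off = 1;
}

/* Tear down the state, whether it completed or was cancelled early.
 * Returns 1 if it had to close the socket itself, 0 otherwise. */
int conn_state_release(struct conn_state *st)
{
    if (!st->handed_off && st->sock >= 0) {
        safe_close(&st->sock);
        return 1;
    }
    return 0;
}

void ldap_handle_release(struct ldap_handle_stub *lh)
{
    safe_close(&lh->fd);
}

/* 1 if fd is an open descriptor, 0 if it is closed or invalid. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Outer timeout fires before the hand-off. Returns 1 if the socket was
 * closed by the state's release (no leak), 0 if it is still open. */
int demo_timeout_before_handoff(void)
{
    struct conn_state st;
    int peer, fd, closed;
    if (conn_state_init(&st, &peer) == -1) return -1;
    fd = st.sock;
    conn_state_release(&st);          /* hand-off never happened */
    closed = !fd_is_open(fd);
    close(peer);
    return closed;
}

/* Normal path: hand-off, then both releases. Returns 1 if the state's
 * release left the handed-off socket alone and the handle's release
 * closed it afterwards. */
int demo_handoff_then_release(void)
{
    struct conn_state st;
    struct ldap_handle_stub lh = { -1 };
    int peer, fd, ok;
    if (conn_state_init(&st, &peer) == -1) return -1;
    conn_state_handoff(&st, &lh);
    fd = lh.fd;
    ok = conn_state_release(&st) == 0 && fd_is_open(fd);
    ldap_handle_release(&lh);
    ok = ok && !fd_is_open(fd) && lh.fd == -1;
    close(peer);
    return ok;
}
```

The point to check in real code is the first branch of conn_state_release(): a state that is destroyed by a timer belonging to an outer request still runs its own cleanup, so that cleanup, not the outer handle's release, has to know whether the fd was ever handed over.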
afa6ac75f97951ea5ea4b6e96c607acc3c5fafcc |
|
07-Aug-2015 |
Pavel Reichl <preichl@redhat.com> |
IPA: Improve messages about failures
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
cf901f549abe18f32562cbe1ef7a1ef258edab1a |
|
03-Jun-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
SDAP: Use portable constant as level in setsockopt
The macros SOL_TCP and IPPROTO_TCP have the same value on linux,
but the first one is not portable.
man in.h says:
The <netinet/in.h> header shall define the following macros for use as
values of the level argument of getsockopt() and setsockopt():
IPPROTO_IP Internet protocol.
IPPROTO_IPV6 Internet Protocol Version 6.
IPPROTO_ICMP Control message protocol.
IPPROTO_RAW Raw IP Packets Protocol.
IPPROTO_TCP Transmission control protocol.
IPPROTO_UDP User datagram protocol.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
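Socket tuning written with the portable level constants only, as an added example (not sssd code): socket-level options use SOL_SOCKET and TCP-level options use IPPROTO_TCP from netinet/in.h, so SOL_TCP, the Linux-only alias, never appears. The keepalive interval option names differ between platforms and are therefore guarded. The function names and the chosen option values are this example's own; the socket is created but never connected.

```c
/* Added example, not sssd code: set socket options using only the
 * portable level constants (SOL_SOCKET, IPPROTO_TCP). No connection
 * is made; the socket is created, tuned, read back and closed. */
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 0 on success, -1 on the first failing setsockopt(). */
int tune_tcp_socket(int fd, int keep_idle, int keep_interval, int keep_count)
{
    int one = 1;

    /* Socket-level options: level is SOL_SOCKET. */
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &one, sizeof(one)) == -1)
        return -1;
    /* TCP-level options: level is IPPROTO_TCP, never the Linux-only SOL_TCP. */
    if (setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &one, sizeof(one)) == -1)
        return -1;
#ifdef TCP_KEEPIDLE   /* seconds idle before the first probe (Linux name) */
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &keep_idle, sizeof(keep_idle)) == -1)
        return -1;
#endif
#ifdef TCP_KEEPINTVL  /* seconds between probes */
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &keep_interval, sizeof(keep_interval)) == -1)
        return -1;
#endif
#ifdef TCP_KEEPCNT    /* probes before the connection is declared dead */
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &keep_count, sizeof(keep_count)) == -1)
        return -1;
#endif
    (void)keep_idle; (void)keep_interval; (void)keep_count;
    return 0;
}

/* Read back an integer option; returns its value or -1 on error. */
int get_int_sockopt(int fd, int level, int optname)
{
    int value = 0;
    socklen_t len = sizeof(value);
    if (getsockopt(fd, level, optname, &value, &len) == -1) return -1;
    return value;
}

/* Create an unconnected TCP socket, tune it and verify the options read
 * back as set. Returns 1 if they do, 0 if not, -1 on a system error. */
int demo_tune_and_verify(void)
{
    int ok;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd == -1) return -1;
    if (tune_tcp_socket(fd, 60, 10, 3) == -1) {
        close(fd);
        return -1;
    }
    ok = get_int_sockopt(fd, SOL_SOCKET, SO_KEEPALIVE) > 0
      && get_int_sockopt(fd, IPPROTO_TCP, TCP_NODELAY) > 0;
#ifdef TCP_KEEPIDLE
    ok = ok && get_int_sockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE) == 60;
#endif
#ifdef TCP_KEEPCNT
    ok = ok && get_int_sockopt(fd, IPPROTO_TCP, TCP_KEEPCNT) == 3;
#endif
    close(fd);
    return ok;
}
```

Reading the options back with getsockopt() is the cheap check that the level/option pair you passed is the one the kernel understood; a wrong level typically fails with ENOPROTOOPT, which is easy to miss when the return value of setsockopt() is ignored.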
83bf46f4066e3d5e838a32357c201de9bd6ecdfd |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Update DEBUG* invocations to use new levels
Use a script to update DEBUG* macro invocations, which use literal
numbers for levels, to use bitmask macros instead:
    grep -rl --include '*.[hc]' DEBUG . |
    while read f; do
        mv "$f"{,.orig}
        perl -e 'use strict;
                 use File::Slurp;
                 my @map=qw"
                     SSSDBG_FATAL_FAILURE
                     SSSDBG_CRIT_FAILURE
                     SSSDBG_OP_FAILURE
                     SSSDBG_MINOR_FAILURE
                     SSSDBG_CONF_SETTINGS
                     SSSDBG_FUNC_DATA
                     SSSDBG_TRACE_FUNC
                     SSSDBG_TRACE_LIBS
                     SSSDBG_TRACE_INTERNAL
                     SSSDBG_TRACE_ALL
                 ";
                 my $text=read_file(\*STDIN);
                 my $repl;
                 $text=~s/
                            ^
                            (
                                .*
                                \b
                                (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
                                \s*
                                \(\s*
                            )(
                                [0-9]
                            )(
                                \s*,
                            )
                            (
                                \s*
                            )
                            (
                                .*
                            )
                            $
                         /
                            $repl = $1.$map[$3].$4.$5.$6,
                            length($repl) <= 80
                            ? $repl
                            : $1.$map[$3].$4."\n".(" " x length($1)).$6
                         /xmge;
                 print $text;
                ' < "$f.orig" > "$f"
        rm "$f.orig"
    done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
    grep -rwl --include '*.[hc]' DEBUG . |
    while read f; do
        mv "$f"{,.orig}
        perl -e \
            'use strict;
             use File::Slurp;
             my $text=read_file(\*STDIN);
             $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
             print $text;' < "$f.orig" > "$f"
        rm "$f.orig"
    done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
2743db79b1d1f72ba7aaafde02e3f0b888e6dacd |
|
29-Nov-2013 |
Pavel Reichl <pavel.reichl@redhat.com> |
SSSD: Improved domain detection
A slightly more elegant way of detecting which domain the group member belongs to.
Resolves:
https://fedorahosted.org/sssd/ticket/2132 |
795315c21d865a3060fc50bea79a758a7de7a956 |
|
11-Sep-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fix formatting of variables with type: int |
5cc0b4ed2843ad093191f6dbe979a0afbe7c8619 |
|
02-May-2013 |
Pavel Březina <pbrezina@redhat.com> |
add sss_ldap_encode_ndr_uint32
Converts uint32 to a string value that is suitable for octet
string attributes. |
233a3c6c48972b177e60d6ef4cecfacd3cf31659 |
|
19-Mar-2013 |
Simo Sorce <simo@redhat.com> |
Use common error facility instead of sdap_result
Simplifies and consolidates error reporting for ldap authentication paths.
Adds 3 new error codes:
ERR_CHPASS_DENIED - Used when password constraints deny password changes
ERR_ACCOUNT_EXPIRED - Account is expired
ERR_PASSWORD_EXPIRED - Password is expired |
05eac5703ba2c93e693f7dfb0d5ed06d6a623682 |
|
21-Aug-2012 |
Pavel Březina <pbrezina@redhat.com> |
Unbreak build on RHEL5: replace ldap_destroy() with ldap_unbind_ext()
ldap_destroy() is not present in RHEL5 |
d8fbc520c632094055325a887b0346eae21f6002 |
|
21-Aug-2012 |
Pavel Březina <pbrezina@redhat.com> |
Close LDAP connection when unable to install TLS
We were not closing the LDAP connection when using SSL
with an invalid certificate.
https://fedorahosted.org/sssd/ticket/1490 |
23d17a0389386c09b72dba31bac5f586c904f113 |
|
14-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Log fixes for sdap_call_conn_cb |
273e5d2b64c02f5a264be52c3055f318ae800377 |
|
16-Dec-2011 |
Pavel Březina <pbrezina@redhat.com> |
Use of uninitialized value in sss_ldap_dn_in_search_bases
https://fedorahosted.org/sssd/ticket/1112 |
6ca8884a361e5369daca02078611e4ec3368403a |
|
14-Dec-2011 |
Pavel Březina <pbrezina@redhat.com> |
Added sss_ldap_dn_in_search_bases() |
81b69919e1755180280c215468b4368d13024ea5 |
|
07-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Always attempt to connect in sdap_async_sys_connect_done
This syncs up with Samba commit 50e30afa608dfdeae8a260730ead9761ed424dad |
54423ae32fa26aa7790a67ff0f9a93b96677e590 |
|
06-Sep-2011 |
Pavel Březina <pbrezina@redhat.com> |
sss_ldap_err2string() - ldap_err2string() to sss_ldap_err2string()
https://fedorahosted.org/sssd/ticket/986 |
3fff68f56b3c68897821c49ec7357a4f36bafa96 |
|
06-Sep-2011 |
Pavel Březina <pbrezina@redhat.com> |
sss_ldap_err2string() - function created
https://fedorahosted.org/sssd/ticket/986 |
5bf2314b9f64099cd4e88b8f3498d986d97e1ac6 |
|
15-Aug-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Handle timeout during sss_ldap_init_send
In some cases, where there would be no response from the LDAP server,
there would be no R/W events on the LDAP fd, so
sdap_async_sys_connect_done would never be called.
This patch adds a tevent timer that cancels the connection after
SDAP_NETWORK_TIMEOUT seconds. |
2a644650a1063e8710939299c2a8dbcd7f7460ec |
|
11-Aug-2011 |
Ralf Haferkamp <rhafer@suse.de> |
Allow the O_NONBLOCK flag to be reset correctly
sssd set the O_NONBLOCK flag on the LDAP socket twice. First in
set_fd_flags_and_opts(). And the second time in sdap_async_sys_connect_send()
after storing a backup in the local state structure. The backup is later
used to restore the original flags (after connect() succeeded). As NONBLOCK
was already set before it didn't correctly reset that flag.
https://fedorahosted.org/sssd/ticket/952 |
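The flag save-and-restore sequence that this entry and the "Unset O_NONBLOCK for ldap connection" entry above both turn on, as an added example (not sssd code): the original fd flags must be captured before the first fcntl(F_SETFL, O_NONBLOCK), otherwise the "saved" flags already contain O_NONBLOCK and restoring them after connect() changes nothing, which is exactly the state in which the TLS handshake trouble described above appeared. A socketpair stands in for the LDAP socket and the connect() step is left out, so this runs offline; the helper names are this example's own.

```c
/* Added example, not sssd code: saving, setting and restoring O_NONBLOCK
 * in the wrong and in the right order. A socketpair replaces the real
 * socket; connect() is omitted. Helper names are this example's own. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 if O_NONBLOCK is set on fd, 0 if not, -1 on error. */
int fd_is_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags == -1) return -1;
    return (flags & O_NONBLOCK) ? 1 : 0;
}

/* Set O_NONBLOCK. If saved is non-NULL, store the flags as they were
 * before this call so they can be put back later. */
int fd_set_nonblock(int fd, int *saved)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags == -1) return -1;
    if (saved != NULL) *saved = flags;
    return fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* Put back flags previously returned through fd_set_nonblock(). */
int fd_restore_flags(int fd, int saved)
{
    return fcntl(fd, F_SETFL, saved);
}

/* Ticket 952 ordering: a generic setup helper already made the socket
 * non-blocking, then the connect path "saves" the flags, which by now
 * include O_NONBLOCK, and restores them after connect(). Returns the final
 * O_NONBLOCK state: 1 means the socket is still non-blocking. */
int demo_buggy_order(void)
{
    int sv[2], saved, rc;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    fd_set_nonblock(sv[0], NULL);     /* generic fd setup sets it first */
    fd_set_nonblock(sv[0], &saved);   /* connect path saves too late */
    /* ... non-blocking connect() and wait for writability here ... */
    fd_restore_flags(sv[0], saved);   /* "restore": still non-blocking */
    rc = fd_is_nonblocking(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

/* Correct ordering: save the original flags once, before anything sets
 * O_NONBLOCK, and restore exactly those once connect() has finished, so
 * the socket is blocking again when it is handed to the LDAP library.
 * Returns the final O_NONBLOCK state: 0 means blocking. */
int demo_fixed_order(void)
{
    int sv[2], saved, rc;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    fd_set_nonblock(sv[0], &saved);   /* single save, then set */
    /* ... non-blocking connect() and wait for writability here ... */
    fd_restore_flags(sv[0], saved);   /* back to the original flags */
    rc = fd_is_nonblocking(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    printf("buggy order leaves O_NONBLOCK set: %d\n", demo_buggy_order());
    printf("fixed order leaves O_NONBLOCK set: %d\n", demo_fixed_order());
    return 0;
}
```

The practical check after any such change is fd_is_nonblocking() on the descriptor at the point where it is handed to the library that will run the TLS handshake; if the library expects a blocking socket, that value must be 0 there, not merely "restored" somewhere earlier.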
2e1973b90ea87b343d39fef1f6393cc201989ecd |
|
11-Jul-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Move IP address escaping from the LDAP namespace |
87f3fa68e8223111bd53e4bc7a4842b1a35f0ee7 |
|
05-Jul-2011 |
Sumit Bose <sbose@redhat.com> |
Call ldap_install_tls() on ldaps connections |
f0f439c77363627115ca6b452d80b2f1822e4a36 |
|
01-Jul-2011 |
Sumit Bose <sbose@redhat.com> |
Do not access state after tevent_req_done() is called. |
a57cca518ba0b1dda8868448e176ab626272c84b |
|
01-Jul-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Do not attempt to close() a file descriptor < 0
Coverity 10886 |
e96c468ed06c3378e2aee6992dabe926d79e1a2d |
|
30-Jun-2011 |
Sumit Bose <sbose@redhat.com> |
Use ldap_init_fd() instead of ldap_initialize() if available |
f8202685c80ca49734d554999062c58f4f470c37 |
|
02-Jun-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add a utility function to escape IPv6 address for use in URIs |
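What such a helper has to do, as an added example that is not sssd's own function: an IPv6 literal in the host part of a URI must be wrapped in square brackets (ldap://[2001:db8::1]:389), otherwise the colons of the address are indistinguishable from the port separator, while IPv4 literals and hostnames are passed through unchanged. inet_pton() decides what counts as an IPv6 literal, so a hostname that merely contains a colon is not wrapped by mistake; an address with a zone id suffix such as fe80::1%eth0 is rejected by inet_pton() and therefore left as is. The function names and the buffer sizes are this example's own.

```c
/* Added example, not sssd code: bracket IPv6 literals for use as the
 * host part of an LDAP URI, leaving IPv4 literals and hostnames alone. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* 1 if addr parses as a plain IPv6 address, 0 otherwise. */
int is_ipv6_literal(const char *addr)
{
    struct in6_addr tmp;
    return inet_pton(AF_INET6, addr, &tmp) == 1;
}

/* Copy addr into out, bracketed if it is an IPv6 literal.
 * Returns 0, or -1 if out is too small. */
int escape_ip_for_uri(const char *addr, char *out, size_t outlen)
{
    int n;
    if (is_ipv6_literal(addr))
        n = snprintf(out, outlen, "[%s]", addr);
    else
        n = snprintf(out, outlen, "%s", addr);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Build "scheme://host[:port]" with the host escaped; port 0 omits it.
 * Returns 0, or -1 on overflow. */
int build_ldap_uri(const char *scheme, const char *addr, int port,
                   char *out, size_t outlen)
{
    char host[64];
    int n;
    if (escape_ip_for_uri(addr, host, sizeof(host)) == -1) return -1;
    if (port > 0)
        n = snprintf(out, outlen, "%s://%s:%d", scheme, host, port);
    else
        n = snprintf(out, outlen, "%s://%s", scheme, host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Comparison helper so results can be checked without passing buffers. */
int ldap_uri_equals(const char *scheme, const char *addr, int port,
                    const char *expected)
{
    char uri[128];
    if (build_ldap_uri(scheme, addr, port, uri, sizeof(uri)) == -1) return 0;
    return strcmp(uri, expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs: an IPv6 literal, an IPv4 literal and a
     * hostname, as a resolver might hand them to the connection code. */
    const char *hosts[] = { "2001:db8::1", "192.0.2.10", "ldap.example.com" };
    char uri[128];
    size_t i;
    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        if (build_ldap_uri("ldap", hosts[i], 389, uri, sizeof(uri)) == 0)
            printf("%s\n", uri);
    }
    return 0;
}
```

Deciding with inet_pton() rather than with strchr(addr, ':') is the detail worth keeping: it is the same parser that will later interpret the literal, so the escaping and the address parsing cannot disagree about what is an IPv6 address.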
4a28fb10122bd74ba33607af46f028813de9161d |
|
08-Apr-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Don't pass NULL to printf for TLS errors
https://fedorahosted.org/sssd/ticket/643 |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |