History log of /sssd-io/src/util/util_errors.c
Revision Date Author Comments
ccd349f0274217e1f0cc118e3a6045e2235ce420 25-Apr-2018 Fabiano Fidêncio <fidencio@redhat.com>

ERRORS: Add ERR_GID_DUPLICATED This new error will be returned from sysdb_add_incomplete_group() when renaming a group which will cause gid collision. Related: https://pagure.io/SSSD/sssd/issue/2653 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

2af80640f18966d65cf82106059ce3c060df93bf 11-Dec-2017 amitkuma <amitkuma@redhat.com>

cache: Check for max_id/min_id in cache_req The cache_req code doesn't check the min_id/max_id boundaries for requests by ID. Extending the .lookup_fn function in each plugin that searches by ID for a check that returns non-zero if the entry is out of the range and 0 if not. Resolves: https://pagure.io/SSSD/sssd/issue/3569 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

0a0b34f5fbe8f4a8c533a7d65f0f2961ee264054 06-Dec-2017 Jakub Hrozek <jhrozek@redhat.com>

CACHE_REQ: Add a private request cache_req_locate_domain() Adds a new request cache_req_locate_domain_send/recv. This request, if the plugin that is being processed supports the locator, will call the plugin's dp_get_domain_send_fn(). On any error, the request returns just the error code. On success, the request returns the domain the object was found at. If the getAccountDomain() method returns that the back end does not support the locator method, all further getAccountDomain() calls are disabled for that domain. Related: https://pagure.io/SSSD/sssd/issue/3468 Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>

c0f9f5a0f6d71a1596ee3cef549b4b02295313c3 06-Dec-2017 Jakub Hrozek <jhrozek@redhat.com>

DP: Create a new handler function getAccountDomain() Adds a new method getAccountDomain() which is a bit similar to getAccountInfo, except it doesn't fetch, parse and store the entry, but just returns the domain or a subdomain the entry was found in. At the moment, the method only supports requests by ID. A default handler is provided (and in this patch used by all the domains) which returns ERR_GET_ACCT_DOM_NOT_SUPPORTED. This return code should be evaluated by the responder so that this DP method is not called again, because it's not supported by the back end type. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>

b7ad403d5068dc4840cdaa175338de885e294ac6 23-May-2017 Lukas Slebodnik <lslebodn@redhat.com>

UTIL: Drop unused error code ERR_MISSING_CONF Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

78a08d30b5fbf6e1e3b589e0cf67022e0c1faa33 06-Apr-2017 Michal Židek <mzidek@redhat.com>

selinux: Do not fail if SELinux is not managed Previously we failed if semanage_is_managed returned 0 or -1 (not managed or error). With this patch we only fail in case of error and continue normally if selinux is not managed by libsemanage at all. Resolves: https://fedorahosted.org/sssd/ticket/3297 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

300b9e9217ee1ed8d845ed2370c5ccf5c87afb36 30-Mar-2017 Pavel Březina <pbrezina@redhat.com>

tcurl: add support for ssl and raw output At first, this patch separates curl_easy handle from the multi-handle processing and makes it encapsulated in custom tcurl_request structure. This allows us to separate protocol initialization from its asynchronous logic which gives us the ability to set different options for each request without over-extending the parameter list. In this patch we implement options for peer verification for TLS-enabled protocols and to return response with body and headers together. Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

cac0db2f8004ae88b9263dc3888a11a2d3d3d114 27-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

KCM: Store ccaches in secrets Adds a new KCM responder ccache back end that forwards all requests to sssd-secrets. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

b9c563c29243291f40489bb0dcbf3946fca72d58 27-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

KCM: Initial responder build and packaging Adds the initial build of the Kerberos Cache Manager responder (KCM). This is a daemon that is capable of holding and storing Kerberos ccaches. When KCM is used, the kerberos libraries (invoked through e.g. kinit) are referred to as a 'client' and the KCM daemon is referred to as 'server'. At the moment, only the Heimdal implementation of Kerberos implements the KCM server: https://www.h5l.org/manual/HEAD/info/heimdal/Credential-cache-server-_002d-KCM.html This patch adds a KCM server to SSSD. In MIT, only the 'client-side' support was added: http://k5wiki.kerberos.org/wiki/Projects/KCM_client This page also describes the protocol between the client and the server. The client is capable of talking to the server over either UNIX sockets (Linux, most Unixes) or Mach RPC (macOS). Our server only implements the UNIX sockets way and should be socket-activated by systemd, although it can in theory also be run explicitly. The KCM server only builds if the configuration option "--with-kcm" is enabled. It is packaged in a new subpackage sssd-kcm in order to allow distributions to enable the KCM credential caches by installing this subpackage only, without the rest of the SSSD. The sssd-kcm subpackage also includes a krb5.conf.d snippet that allows the admin to just uncomment the KCM defaults and instructs them to start the socket. The server can be configured in sssd.conf in the "[kcm]" section. By default, the server only listens on the same socket path the Heimdal server uses, which is "/var/run/.heim_org.h5l.kcm-socket". This is, however, configurable. The file src/responder/kcm/kcm.h is more or less directly imported from the MIT Kerberos tree, with an additional sentinel code and some comments. Not all KCM operations are implemented, only those that the MIT client also implements. That said, this KCM server should also be usable with a Heimdal client, although no special testing was done with this hybrid.
The patch also adds several error codes that will be used in later patches. Related to: https://pagure.io/SSSD/sssd/issue/2887 Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

d4757440418c7b73bbecec7e40baf6dfe8cc9460 23-Feb-2017 Sumit Bose <sbose@redhat.com>

utils: new error codes ERR_SC_AUTH_NOT_SUPPORTED can be used by backends to indicate that Smartcard authentication is not supported. ERR_NO_AUTH_METHOD_AVAILABLE can be used by backends to indicate that no authentication method was found. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

7171a7584dda534dde5409f3e7f4657e845ece15 24-Nov-2016 Fabiano Fidêncio <fidencio@redhat.com>

SECRETS: Add configurable payload size limit of a secret Resolves: https://fedorahosted.org/sssd/ticket/3169 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

65a38b8c9cabde6c46cc0e9868f54cb9bb10afbf 05-Oct-2016 Fabiano Fidêncio <fidencio@redhat.com>

SECRETS: Add a configurable limit of secrets that can be stored Related: https://fedorahosted.org/sssd/ticket/3169 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

41cd6072648bb7a9e14e56ed38004a2947f67657 04-Oct-2016 Jakub Hrozek <jhrozek@redhat.com>

SECRETS: Use HTTP error code 504 when a proxy server cannot be reached Previously, a generic 500 error code was returned. This patch adds a new error message on a failure to contact the proxy server and returns 504, "Gateway timeout" instead. Resolves: https://fedorahosted.org/sssd/ticket/3212 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

efc65e78fa4e01e6cecc8690a9899af61213be62 03-Oct-2016 Fabiano Fidêncio <fidencio@redhat.com>

SECRETS: Add a configurable depth limit for nested containers Resolves: https://fedorahosted.org/sssd/ticket/3168 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

4714118890e51b365fbce543d0a042b4b59b2b25 07-Jul-2016 Michal Zidek <mzidek@redhat.com>

UTIL: Add function to parse internal fqname format Add lightweight function to parse internal fqname format (shortname@domain). This function does not require the sss_names to be initialized. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

fcbcfa69f9291936f01f24b5fcb5a7672dca46f3 01-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

SSH: Do not print an error message if sss_ssh_authorizedkeys is asked for a local user If an IPA client uses the SSH integration and a local user logs in with SSH, the sss_ssh_authorizedkeys looks up their keys in the SSH responder, which doesn't find the user and returns ENOENT. The sss_ssh_authorizedkeys reports a failure on any error, including ENOENT which produced a confusing error message in the logs. This patch adds a new error code that handles users that are not found by SSSD but exist on the system and also special cases root with the same error code. Therefore, logging in as a local user no longer prints an error message. Resolves: https://fedorahosted.org/sssd/ticket/3003 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

edaadf8de0c86a2cfff2d29215775d42919476f3 27-Jun-2016 Pavel Březina <pbrezina@redhat.com>

ERRORS: Add errors to indicate whether SSSD is running or not Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

beec1ee5799570f34a51ea57674c7291c15f7022 23-Jun-2016 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Shortcut looking up for group members sooner This patch is a performance enhancement. When looking for entries to refresh, we always looked up all members in the cache, even if we ended up dereferencing the whole group. If we are about to try to dereference, it makes sense to shortcut the lookups after the dereference threshold is reached. In that case, the split_members function returns a special error code and the caller just dereferences the whole group. Only if dereference fails, we fall back to looking up all members so that we can look them up one-by-one. Also adds an integration test to make sure the dereference code works. Reviewed-by: Sumit Bose <sbose@redhat.com>

dd285415d7a8d8376207960cfa3e977524c3b98c 23-Jun-2016 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Search the timestamp caches in addition to the sysdb cache When a sysdb entry is searched, the sysdb cache is consulted first for users or groups. If an entry is found in the sysdb cache, the attributes from the timestamp cache are merged to return the full and up-to-date set of attributes. The merging is done with a single BASE search which is a direct lookup into the underlying key-value database, so it should be relatively fast. More complex merging is done only for enumeration by filter which is currently done only via the IFP back end and should be quite infrequent, so I hope we can justify a more complex merging there. Reviewed-by: Sumit Bose <sbose@redhat.com>

e732d23f3ec986a463d757781a334040e03d1f59 23-Jun-2016 Jakub Hrozek <jhrozek@redhat.com>

UTIL: Add error codes for sysdb too old or too new We used really strange errno codes for detecting whether the database is too old or too new. We should use our sssd-specific error codes instead. Reviewed-by: Sumit Bose <sbose@redhat.com>

dee7a89098b698e756f63e4041734d7322ad8b1e 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

ERRORS: Add ERR_MISSING_DP_TARGET Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

c1058e96679c7ed1372825bf5226ce7d28a8e6ff 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

ERRORS: Add ERR_INVALID_DATA_TYPE Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

75d66aea7accc842e68c88f085f9053112b20ecc 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

ERRORS: Add ERR_TERMINATED To indicate that data provider request was unexpectedly terminated. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

4ebab24f65b54720a6672898b76185462015abab 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

ERRORS: Add ERR_OFFLINE To indicate that backend is offline. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

c30b7a1931211fdcae0564551a7625cc4f6dee9f 10-May-2016 Jakub Hrozek <jhrozek@redhat.com>

UTIL: Add ERR_SBUS_REQUEST_HANDLED In most cases when sbus request parsing finishes, the request is handled internally and a reply is sent to the caller. However, in handlers that are parsed and handled completely manually, we might want to be notified about this case so that the caller of sbus_request_parse_or_finish() aborts the request and doesn't proceed with using the sbus request which is already freed internally in sbus_request_parse_or_finish(). Reviewed-by: Pavel Březina <pbrezina@redhat.com>

5f7cd30c865046a7ea69944f7e07c85b4c43465a 19-Jan-2016 Sumit Bose <sbose@redhat.com>

AD: add task to renew the machine account password if needed AD expects its clients to renew the machine account password on a regular basis, by default every 30 days. Even if a client does not renew the password it might not cause issues because AD does not enforce the renewal. But the password age might be used to identify unused machine accounts in large environments which might get disabled or deleted automatically. With this patch SSSD calls an external program to check the age of the machine account password and renew it if needed. Currently 'adcli' is used as external program which is able to renew the password since version 0.8.0. Resolves https://fedorahosted.org/sssd/ticket/1041 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

19e44537c28f6d5f011cd7ac885c74c1e892605f 14-Jan-2016 Simo Sorce <simo@redhat.com>

Krb5/PAM: Fix account lockout error handling The krb5 provider was mapping KRB5KDC_ERR_CLIENT_REVOKED as ERR_ACCOUNT_EXPIRED. This is incorrect as KRB5KDC_ERR_CLIENT_REVOKED is returned by the KDC when an account lockout is in effect. When an account is expired the kdc returns KRB5KDC_ERR_NAME_EXP. Fix the mapping by adding a new ERR_ACCOUNT_LOCKOUT sssd_error code. Resolves: https://fedorahosted.org/sssd/ticket/2924 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

b5825c74b6bf7a99ae2172392dbecb51179013a6 21-Sep-2015 Jakub Hrozek <jhrozek@redhat.com>

UTIL: Convert domain->disabled into tri-state with domain states Required for: https://fedorahosted.org/sssd/ticket/2637 This is a first step towards making it possible for domain to be around, but not contacted by Data Provider. Also explicitly create domains as active, previously we only relied on talloc_zero marking dom->disabled as false. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

9118a539a5d59f669f551114f880fe91d6bb8741 01-Sep-2015 Jakub Hrozek <jhrozek@redhat.com>

sbus: Add a special error code for messages sent by the bus itself Reviewed-by: Pavel Březina <pbrezina@redhat.com>

b42bf6c0c01db08208fb81d8295a2909d307284a 14-Aug-2015 Pavel Reichl <preichl@redhat.com>

DYNDNS: remove code duplication Move copy pasted code for converting sockaddr_storage to string into function. Resolves: https://fedorahosted.org/sssd/ticket/2495 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a8d887323f83984679a7d9b827a70146656bb7b2 31-Jul-2015 Sumit Bose <sbose@redhat.com>

PAM: add certificate support to PAM (pre-)auth requests Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

64ea4127f463798410a2c20e0261c6b15f60257f 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Fetch keytab for 1way trusts Uses the ipa-getkeytab call to retrieve keytabs for one-way trust relationships. https://fedorahosted.org/sssd/ticket/2636 Reviewed-by: Sumit Bose <sbose@redhat.com>

05d935cc9d04f03522d0bb44598d22d99b085926 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Include ipaNTTrustDirection in the attribute set for trusted domains Allows to distinguish the trust directions for trusted domains. For domains where we don't know the direction in server mode, we assume two-way trusts. Member domains do not have the direction, but rather the forest root direction is used. Reviewed-by: Sumit Bose <sbose@redhat.com>

979e8d8d6ed444007eeff6be5269e8dc5d2bdf68 14-Jun-2015 Pavel Reichl <preichl@redhat.com>

IPA: Don't override homedir with subdomain_homedir Resolves: https://fedorahosted.org/sssd/ticket/2583 Reviewed-by: Michal Židek <mzidek@redhat.com>

7a4e3e29196e3abc1746714fcf93624edae89f93 01-Jun-2015 Lukas Slebodnik <lslebodn@redhat.com>

util-tests: Add validation of internal error messages The function sss_strerror() should not return a sentence. It should return a string; the same as strerror() Reviewed-by: Pavel Březina <pbrezina@redhat.com>

10a28f461c25d788ff4dcffefa881e7aa724a25d 22-May-2015 Pavel Březina <pbrezina@redhat.com>

sbus: add sbus_opath_decompose[_exact] This function decomposes object path into array of strings. The "_exact" version expects a certain number of parts otherwise an error is thrown. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

82a958e6592c4a4078e45b7197bbe4751b70f511 28-Apr-2015 Pavel Reichl <preichl@redhat.com>

simple-access-provider: make user grp res more robust Not all user groups need to be resolved if group deny list is empty. Resolves: https://fedorahosted.org/sssd/ticket/2519 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

1243e093fd31c5660adf1bb3dd477d6935a755be 24-Mar-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Use custom error codes when validating HBAC rules https://fedorahosted.org/sssd/ticket/2603 Instead of reusing EINVAL/ENOENT, use more descriptive error codes. This will be useful in the next patch where we act on certain codes. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

7650ded4ffa87fcf7ce5adf00920fecf89cffcf5 13-Mar-2015 Michal Zidek <mzidek@redhat.com>

test: Check ERR_LAST Check if number of error codes and messages is the same. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

7c69221077c780e62f6c536e78675f2dc1c131bc 13-Mar-2015 Michal Zidek <mzidek@redhat.com>

DEBUG: Add missing strings for error messages We had more error codes than corresponding messages. Also order of two messages was wrong. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

804df4040eb142f82a44c019c7a55b5ce524583c 11-Mar-2015 Michal Zidek <mzidek@redhat.com>

Use FQDN if default domain was set https://fedorahosted.org/sssd/ticket/2569 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

5a5c5cdeb92f4012fc75fd717bfea06598f68f12 05-Mar-2015 Pavel Reichl <preichl@redhat.com>

UTIL: convert GeneralizedTime to unix time New utility function *sss_utc_to_time_t* to convert GeneralizedTime to unix time. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

8394eddba54b5d3e3fda868145e3751247bdbdb2 25-Nov-2014 Michal Zidek <mzidek@redhat.com>

util: Special-case PCRE_ERROR_NOMATCH in sss_parse_name Add new SSSD specific error code for the case when pcre_exec returns PCRE_ERROR_NOMATCH. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

2745b0156f12df7a7eb93d57716233243658e4d9 18-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Move all ccache operations to krb5_child.c The credential cache operations must be now performed by the krb5_child completely, because the sssd_be process might be running as the sssd user who doesn't have access to the ccaches. src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5 until we fix Kerberos ticket renewal as non-root. Also includes a new error code that indicates that the back end should remove the old ccache attribute -- the child can't do that if it's running as the user. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

f3a25949de81f80c136bb073e4a8f504b080c20c 05-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

IPA: Move setting the SELinux context to a child process In order for the sssd_be process to run as unprivileged user, we need to move the semanage processing to a process that runs as the root user using setuid privileges. Reviewed-by: Michal Židek <mzidek@redhat.com>

a2ea3f5d9ef9f17efbb61e942c2bc6cff7d1ebf2 02-Sep-2014 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Ignore returned referrals if referral support is disabled Reviewed-by: Pavel Reichl <preichl@redhat.com>

0c1d65998907930678da2d091789446f2c344d5d 08-Jul-2014 Jakub Hrozek <jhrozek@redhat.com>

IFP: Return a specific value on failure connecting to the system bus We need to treat the failure to connect to the system bus as non-fatal. In this commit, we introduce a special error code and only print a DEBUG message when this error code is returned from the startup function. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

1319e71fd1680ca4864afe0b1aca2b8c8e4a1ee4 22-May-2014 Stef Walter <stefw@redhat.com>

SBUS: Start implementing property access This patch adds the basis of SBUS getters and setters. A new module, sssd_dbus_properties.c would contain handlers for the property methods like Get, Set and GetAll. Type-safe property access works in a similar fashion like type-safe method calls - the invoker calls the getter which returns the primitive type, which is in turn marshalled into variant by the invoker. This patch does not contain the complete functionality, see later patches that continue implementing the getters and setters. Reviewed-by: Stef Walter <stefw@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

60cab26b12df9a2153823972cde0c38ca86e01b9 13-May-2014 Yassir Elley <yelley@redhat.com>

Implemented LDAP component of GPO-based access control Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

0161a3c5637a0c0092bf54c436bb3d6508d7df26 13-May-2014 Jakub Hrozek <jhrozek@redhat.com>

SBUS: Add an async request to retrieve the caller ID Adds an async request sbus_get_sender_id_{send,recv} that allows retrieval of UID based on "sender" as returned by dbus_message_get_sender(). The UID is an int64_t to be able to use "-1" as a fallback value for unknown or error cases. The unit test is added as a standalone one, not part of the sbus_tests because the request, and by extension the unit test relies on being connected to the system bus, which is very unlikely to work in a build system. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Stef Walter <stefw@redhat.com>

4dd38025efda88f123eac672f87d3cda12f050c8 02-May-2014 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Make it possible to extend an attribute map https://fedorahosted.org/sssd/ticket/2073 This commit adds a new option ldap_user_extra_attrs that is unset by default. When set, the option contains a list of LDAP attributes the LDAP provider would download and store in addition to the usual set. The list can either contain LDAP attribute names only, or colon-separated tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP attribute name is specified, the attribute is saved to the cache verbatim. Using a custom SSSD attribute name might be required by environments that configure several SSSD domains with different LDAP schemas. Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

/sssd-io/src/config/SSSDConfig/__init__.py.in /sssd-io/src/config/etc/sssd.api.d/sssd-ldap.conf /sssd-io/src/man/sssd-ldap.5.xml /sssd-io/src/providers/ad/ad_common.c /sssd-io/src/providers/ad/ad_opts.h /sssd-io/src/providers/ipa/ipa_common.c /sssd-io/src/providers/ipa/ipa_netgroups.c /sssd-io/src/providers/ipa/ipa_opts.h /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/ldap_options.c /sssd-io/src/providers/ldap/ldap_opts.h /sssd-io/src/providers/ldap/sdap.c /sssd-io/src/providers/ldap/sdap.h /sssd-io/src/providers/ldap/sdap_async_enum.c /sssd-io/src/providers/ldap/sdap_async_groups.c /sssd-io/src/providers/ldap/sdap_async_groups_ad.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_async_nested_groups.c /sssd-io/src/providers/ldap/sdap_async_users.c /sssd-io/src/tests/ipa_ldap_opt-tests.c util_errors.c util_errors.h
7caf7ed4f2eae1ec1c0717b4ee6ce78bdacd5926 22-Apr-2014 Jakub Hrozek <jhrozek@redhat.com>

RESPONDERS: Add a new request sss_parse_inp_send The responders were copying code to parse input and on encountering an unknown domain, send the discover subdomain request. This patch adds a reusable request that can always be called in responders and in case the name can be parsed, just shortcut. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

e81deec535d11912b87954c81a1edd768c1386c9 12-Feb-2014 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Detect the presence of POSIX attributes When the schema is set to AD and ID mapping is not used, there is a one-time check run when searching for users to detect the presence of POSIX attributes in LDAP. If this check fails, the search fails as if no entry was found and returns a special error code. The sdap_server_opts structure is filled every time a client connects to a server so the posix check boolean is reset to false again on connecting to the server. It might be better to move the check to where the rootDSE is retrieved, but the check depends on several features that are not known to the code that retrieves the rootDSE (or the connection code for example) such as what the attribute mappings are or the authentication method that should be used. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

2a96981a0ac781d01e5bba473409ed2bdf4cd4e0 09-Jan-2014 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Add a new error code for malformed access control filter https://fedorahosted.org/sssd/ticket/2164 The patch adds a new error code and special cases the new code so that access is denied and a nicer log message is shown.

b5ee224324b0158641d9b110f81d2bc6eddddc13 27-Nov-2013 Pavel Reichl <pavel.reichl@redhat.com>

monitor: Specific error message for missing sssd.conf Specific error message is logged for missing sssd.conf file. New sssd specific error value is introduced for this case. Resolves: https://fedorahosted.org/sssd/ticket/2156

bc30ce9b7d588a17e58012e699986f0d6898b791 25-Oct-2013 Pavel Březina <pbrezina@redhat.com>

utils: add ERR_DOMAIN_NOT_FOUND error code Resolves: https://fedorahosted.org/sssd/ticket/1968

dcc6877aa2e2dd63a9dc9c411a9c58feaeb36b9a 28-Aug-2013 Stephen Gallagher <sgallagh@redhat.com>

krb5: Fetch ccname template from krb5.conf In order to use the same defaults in all system daemons that need to know how to generate or search for ccaches, we introduce code here to take advantage of the new option called default_ccache_name provided by libkrb5. If this variable is set, we establish the same default for all programs that source it out of krb5.conf, therefore providing a consistent experience across the system. Related: https://fedorahosted.org/sssd/ticket/2036

e5f455afbc2d149527bfd08f4e89903a3a8da17a 21-Jun-2013 Pavel Březina <pbrezina@redhat.com>

failover: return error when SRV lookup returned only duplicates https://fedorahosted.org/sssd/ticket/1947 Otherwise we risk that the meta server is removed from the server list, but without a chance to return, because there may be no fo_server with srv_data = meta. Also if state->meta->next is NULL (it is still orphaned because we try to erroneously expand it without invoking collapse first), state->out will be NULL and SSSD will crash. New error code: ERR_SRV_DUPLICATES

22a21e910fd216ec1468fe769dcc29f1621a52a4 14-Jun-2013 Ondrej Kos <okos@redhat.com>

KRB: Handle preauthentication error correctly https://fedorahosted.org/sssd/ticket/1873 KRB preauthentication error was later mishandled like authentication error.

9cb46bc62f22e0104f1b41a423b014c281ef5fc2 03-May-2013 Jakub Hrozek <jhrozek@redhat.com>

Refactor dynamic DNS updates Provides two new layers instead of the previous IPA specific layer: 1) dp_dyndns.c -- a very generic dyndns layer on the DP level. Its purpose it to make it possible for any back end to use dynamic DNS updates. 2) sdap_dyndns.c -- a wrapper around dp_dyndns.c that utilizes some LDAP-specific features like autodetecting the address from the LDAP connection. Also converts the dyndns code to new specific error codes.

f9961e5f82e0ef474d6492371bfdf9e74e208a99 10-Apr-2013 Pavel Březina <pbrezina@redhat.com>

DNS sites support - SRV lookup plugin interface https://fedorahosted.org/sssd/ticket/1032 Introduces two new error codes: - ERR_SRV_NOT_FOUND - ERR_SRV_LOOKUP_ERROR Since id_provider is authoritative in case of SRV plugin choice, the ability to override the selected plugin during runtime is not desirable. We rely on the fact that id_provider is initialized before all other providers, thus the plugin is set correctly.

aa7202c8ae677becd6c91d6a27a607fe0f3995ee 20-Mar-2013 Pavel Březina <pbrezina@redhat.com>

correct order in error_to_str table Also fixed typo.

dfd71fc92db940b2892cc996911cec03d7b6c52b 19-Mar-2013 Simo Sorce <simo@redhat.com>

Convert sdap_access to new error codes Also simplify sdap_access_send to avoid completely fake _send() routines.

233a3c6c48972b177e60d6ef4cecfacd3cf31659 19-Mar-2013 Simo Sorce <simo@redhat.com>

Use common error facility instead of sdap_result Simplifies and consolidates error reporting for ldap authentication paths. Adds 3 new error codes: ERR_CHPASS_DENIED - Used when password constraints deny password changes ERR_ACCOUNT_EXPIRED - Account is expired ERR_PASSWORD_EXPIRED - Password is expired

c6872e79e8496fd075e20aec0343ade99cca725c 04-Mar-2013 Simo Sorce <simo@redhat.com>

Cleanup error message handling for krb5 child Use the new internal SSSD errors, to simplify error handling. Instead of using up to 3 different error types (system, krb5 and pam_status), collapse all error reporting into one error type mapped on errno_t. The returned error can contain either SSSD internal errors, kerberos errors or system errors, they all use different number spaces so there is no overlap and they can be safely merged. This means that errors being sent from the child to the parent are not pam status error messages anymore. The callers have been changed to properly deal with that. Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from the krb5_child for kerberos errors as all it was doing was simply to make the parent emit the same debug log already emitted by the child, and the code is simpler if we do not do that.

ab967283b710dfa05d11ee5b30c7ac916486ceec 04-Mar-2013 Simo Sorce <simo@redhat.com>

Use SSSD specific errors for offline auth This prevents reporting false errors when internal functions return a generic EINVAL or EACCES that should just be treated as internal errors.

8bcabb97d988d1602882a1f036aac2eaf5e09234 04-Mar-2013 Simo Sorce <simo@redhat.com>

Add SSSD specific error codes and definitions This code adds a new range of error codes specific to SSSD. It also provides helper functions to print out error definitions like you can do with system error messages and the strerror() function. The sss_strerror() function can accept both the new sssd errors and system errno_t errors, falling back to the system strerror() if the error code provided is not a valid SSSD error code.
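The error facility that the "Add SSSD specific error codes and definitions", "Cleanup error message handling for krb5 child" and "test: Check ERR_LAST" commits above describe, shown as an added illustration in C. This is not SSSD's util_errors.c: the base value, the handful of codes, the message strings and the function names are assumptions chosen for the example, and a compile-time size check stands in for the unit test the project added. It demonstrates the three properties those commits rely on: the project range sits in a number space that cannot collide with errno values, sss_strerror() falls back to strerror() for anything outside that range, and the message table cannot silently drift out of step with the enum.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed base for the project-specific range. Any large value that errno
 * never reaches works; SSSD's own constant is not reproduced here. */
#define ERR_BASE 0x555D0000

/* A small stand-in for the real enum; names follow the commit messages. */
enum sss_errors {
    ERR_INVALID = ERR_BASE + 0,
    ERR_INTERNAL,
    ERR_CHPASS_DENIED,
    ERR_ACCOUNT_EXPIRED,
    ERR_PASSWORD_EXPIRED,
    ERR_ACCOUNT_LOCKOUT,
    ERR_OFFLINE,
    ERR_LAST            /* sentinel, one past the last valid code */
};

/* Messages are strings, not sentences, matching the strerror() convention. */
static const char *error_to_str[] = {
    "Invalid error code",
    "Internal Error",
    "Password change denied",
    "Account expired",
    "Password expired",
    "Account locked",
    "Backend is offline",
};

/* The check described in "test: Check ERR_LAST", done at compile time:
 * exactly one message per code, or the build fails. */
_Static_assert(sizeof(error_to_str) / sizeof(error_to_str[0])
               == (size_t)(ERR_LAST - ERR_BASE),
               "error_to_str is out of sync with enum sss_errors");

/* Number of project-specific codes defined (assumed helper). */
size_t sss_error_count(void)
{
    return sizeof(error_to_str) / sizeof(error_to_str[0]);
}

/* True only for codes inside [ERR_BASE, ERR_LAST); errno values such as
 * EACCES or ENOENT are far below ERR_BASE and never match. */
int is_sss_error(int err)
{
    return err >= ERR_BASE && err < ERR_LAST;
}

/* Project-specific codes are resolved from the table; anything else is
 * handed to the libc strerror(), so one function serves both spaces. */
const char *sss_strerror(int err)
{
    if (is_sss_error(err)) {
        return error_to_str[err - ERR_BASE];
    }
    return strerror(err);
}

int main(void)
{
    /* Constructed sample: one code from each number space. */
    int samples[] = { ERR_ACCOUNT_LOCKOUT, ERR_OFFLINE, ENOENT, EACCES };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%d (%s): %s\n", samples[i],
               is_sss_error(samples[i]) ? "sssd" : "errno",
               sss_strerror(samples[i]));
    }
    return 0;
}
```

Adding a code to the enum without a string, or a string without a code, now fails at compile time instead of surfacing as the wrong message at runtime, which is the class of bug the "DEBUG: Add missing strings for error messages" commit fixed by hand.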