ccd349f0274217e1f0cc118e3a6045e2235ce420 |
|
25-Apr-2018 |
Fabiano Fidêncio <fidencio@redhat.com> |
ERRORS: Add ERR_GID_DUPLICATED
This new error will be returned from sysdb_add_incomplete_group()
when renaming a group which will cause a gid collision.
Related:
https://pagure.io/SSSD/sssd/issue/2653
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
2af80640f18966d65cf82106059ce3c060df93bf |
|
11-Dec-2017 |
amitkuma <amitkuma@redhat.com> |
cache: Check for max_id/min_id in cache_req
The cache_req code doesn't check the min_id/max_id
boundaries for requests by ID.
Extending the .lookup_fn function in each plugin
that searches by ID for a check that returns non-zero
if the entry is out of the range and 0 if not.
Resolves: https://pagure.io/SSSD/sssd/issue/3569
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
0a0b34f5fbe8f4a8c533a7d65f0f2961ee264054 |
|
06-Dec-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
CACHE_REQ: Add a private request cache_req_locate_domain()
Adds a new request cache_req_locate_domain_send/recv. This request, if the
plugin that is being processed supports the locator, will call the plugin's
dp_get_domain_send_fn(). On any error, the request returns just the error
code. On success, the request returns the domain the object was found at.
If the getAccountDomain() method returns that the back end does not support
the locator method, all further getAccountDomain() calls are disabled for
that domain.
Related:
https://pagure.io/SSSD/sssd/issue/3468
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
c0f9f5a0f6d71a1596ee3cef549b4b02295313c3 |
|
06-Dec-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Create a new handler function getAccountDomain()
Adds a new method getAccountDomain() which is a bit similar to
getAccountInfo, except it doesn't fetch, parse and store the entry, but
just returns the domain or a subdomain the entry was found in.
At the moment, the method only supports requests by ID.
A default handler is provided (and in this patch used by all the
domains) which returns ERR_GET_ACCT_DOM_NOT_SUPPORTED. This return
code should be evaluated by the responder so that this DP method is
not called again, because it's not supported by the back end type.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
b7ad403d5068dc4840cdaa175338de885e294ac6 |
|
23-May-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
UTIL: Drop unused error code ERR_MISSING_CONF
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
78a08d30b5fbf6e1e3b589e0cf67022e0c1faa33 |
|
06-Apr-2017 |
Michal Židek <mzidek@redhat.com> |
selinux: Do not fail if SELinux is not managed
Previously we failed if semanage_is_managed returned 0 or -1 (not
managed or error). With this patch we only fail in case of error and
continue normally if selinux is not managed by libsemanage at all.
Resolves:
https://fedorahosted.org/sssd/ticket/3297
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
300b9e9217ee1ed8d845ed2370c5ccf5c87afb36 |
|
30-Mar-2017 |
Pavel Březina <pbrezina@redhat.com> |
tcurl: add support for ssl and raw output
At first, this patch separates curl_easy handle from the multi-handle
processing and makes it encapsulated in custom tcurl_request structure.
This allows us to separate protocol initialization from its asynchronous
logic which gives us the ability to set different options for each
request without over-extending the parameter list.
In this patch we implement options for peer verification for TLS-enabled
protocols and to return response with body and headers together.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
cac0db2f8004ae88b9263dc3888a11a2d3d3d114 |
|
27-Mar-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
KCM: Store ccaches in secrets
Adds a new KCM responder ccache back end that forwards all requests to
sssd-secrets.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
b9c563c29243291f40489bb0dcbf3946fca72d58 |
|
27-Mar-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
KCM: Initial responder build and packaging
Adds the initial build of the Kerberos Cache Manager responder (KCM).
This is a daemon that is capable of holding and storing Kerberos
ccaches. When KCM is used, the kerberos libraries (invoked through e.g.
kinit) are referred to as a 'client' and the KCM daemon is referred to
as 'server'.
At the moment, only the Heimdal implementation of Kerberos implements the
KCM server:
https://www.h5l.org/manual/HEAD/info/heimdal/Credential-cache-server-_002d-KCM.html
This patch adds a KCM server to SSSD.
In MIT, only the 'client-side' support was added:
http://k5wiki.kerberos.org/wiki/Projects/KCM_client
This page also describes the protocol between the client and the server.
The client is capable of talking to the server over either UNIX sockets
(Linux, most Unixes) or Mach RPC (macOS). Our server only implements the
UNIX sockets way and should be socket-activated by systemd, although it can
in theory also be run explicitly.
The KCM server only builds if the configuration option "--with-kcm" is
enabled. It is packaged in a new subpackage sssd-kcm in order to allow
distributions to enable the KCM credential caches by installing this
subpackage only, without the rest of the SSSD. The sssd-kcm subpackage
also includes a krb5.conf.d snippet that allows the admin to just uncomment
the KCM defaults and instructs them to start the socket.
The server can be configured in sssd.conf in the "[kcm]" section.
By default, the server only listens on the same socket path the Heimdal
server uses, which is "/var/run/.heim_org.h5l.kcm-socket". This is,
however, configurable.
The file src/responder/kcm/kcm.h is more or less directly imported from
the MIT Kerberos tree, with an additional sentinel code and some
comments. Not all KCM operations are implemented, only those that also
the MIT client implements. That said, this KCM server should also be
usable with a Heimdal client, although no special testing was done with this
hybrid.
The patch also adds several error codes that will be used in later
patches.
Related to:
https://pagure.io/SSSD/sssd/issue/2887
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
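A worked example of the request framing a KCM server has to parse before it can dispatch an operation, added here and not part of SSSD's KCM responder or of the commit above. The wire layout is assumed from the MIT client description the commit links to: a 4-byte big-endian length, then major version 2, minor version 0, a 2-byte big-endian opcode and the operation payload; a reply carries a 4-byte length, a 4-byte big-endian status and the reply payload. The 10 MiB cap, the status names and the sample frame are constructed for the example. The point a reviewer of such a server cares about is that any local user can connect to the socket, so the length prefix is checked against the cap and against the bytes actually received before anything is allocated or indexed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Example code, not SSSD's responder. Framing assumed from the MIT KCM
 * client: [len:4 BE][major:1][minor:1][opcode:2 BE][payload...]. */
#define KCM_PROTOCOL_VERSION_MAJOR 2
#define KCM_PROTOCOL_VERSION_MINOR 0
#define KCM_PACKET_MAX_SIZE (10u * 1024u * 1024u)  /* assumed cap for the example */

enum kcm_parse_status {
    KCM_PARSE_OK = 0,
    KCM_PARSE_NEED_MORE,    /* frame incomplete, keep reading from the socket */
    KCM_PARSE_TOO_LARGE,    /* length prefix above the cap: drop the client */
    KCM_PARSE_TRUNCATED,    /* length smaller than version + opcode */
    KCM_PARSE_BAD_VERSION
};

struct kcm_request {
    uint16_t opcode;
    const uint8_t *payload;
    size_t payload_len;
    size_t frame_len;       /* bytes consumed from the input buffer */
};

static uint32_t load_32_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void store_32_be(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Parse one request from buf[0..len). The length prefix is untrusted input
 * from a local client, so it is validated before it is used for anything. */
enum kcm_parse_status kcm_parse_request(const uint8_t *buf, size_t len,
                                        struct kcm_request *out)
{
    uint32_t body_len;

    if (len < 4) return KCM_PARSE_NEED_MORE;
    body_len = load_32_be(buf);
    if (body_len > KCM_PACKET_MAX_SIZE) return KCM_PARSE_TOO_LARGE; /* before waiting for it */
    if (body_len < 4) return KCM_PARSE_TRUNCATED;
    if (len - 4 < body_len) return KCM_PARSE_NEED_MORE;
    if (buf[4] != KCM_PROTOCOL_VERSION_MAJOR || buf[5] != KCM_PROTOCOL_VERSION_MINOR)
        return KCM_PARSE_BAD_VERSION;

    out->opcode = (uint16_t)(((uint16_t)buf[6] << 8) | buf[7]);
    out->payload = buf + 8;
    out->payload_len = body_len - 4;
    out->frame_len = 4 + (size_t)body_len;
    return KCM_PARSE_OK;
}

/* Build a reply frame: [len:4 BE][status:4 BE][payload]. Returns the number
 * of bytes written, or 0 when the output buffer is too small. */
size_t kcm_build_reply(uint8_t *out, size_t out_len, uint32_t status,
                       const uint8_t *payload, size_t payload_len)
{
    if (payload_len > KCM_PACKET_MAX_SIZE - 4 || out_len < 8 + payload_len) return 0;
    store_32_be(out, (uint32_t)(4 + payload_len));
    store_32_be(out + 4, status);
    if (payload_len > 0) memcpy(out + 8, payload, payload_len);
    return 8 + payload_len;
}

/* Constructed sample frame: body length 6, version 2.0, opcode 3, two payload bytes. */
static const uint8_t kcm_sample_request[] = { 0, 0, 0, 6, 2, 0, 0, 3, 0xAA, 0xBB };
```

The parser returns KCM_PARSE_TOO_LARGE as soon as the prefix is read, so a client cannot make the server buffer gigabytes by announcing a huge frame, and it returns KCM_PARSE_NEED_MORE rather than reading past the bytes it actually has.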
d4757440418c7b73bbecec7e40baf6dfe8cc9460 |
|
23-Feb-2017 |
Sumit Bose <sbose@redhat.com> |
utils: new error codes
ERR_SC_AUTH_NOT_SUPPORTED can be used by backends to indicate that
Smartcard authentication is not supported. ERR_NO_AUTH_METHOD_AVAILABLE
can be used by backends to indicate that no authentication method was found.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
7171a7584dda534dde5409f3e7f4657e845ece15 |
|
24-Nov-2016 |
Fabiano Fidêncio <fidencio@redhat.com> |
SECRETS: Add configurable payload size limit of a secret
Resolves:
https://fedorahosted.org/sssd/ticket/3169
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbf |
|
05-Oct-2016 |
Fabiano Fidêncio <fidencio@redhat.com> |
SECRETS: Add a configurable limit of secrets that can be stored
Related:
https://fedorahosted.org/sssd/ticket/3169
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
41cd6072648bb7a9e14e56ed38004a2947f67657 |
|
04-Oct-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SECRETS: Use HTTP error code 504 when a proxy server cannot be reached
Previously, a generic 500 error code was returned. This patch adds a new
error message on a failure to contact the proxy server and returns 504,
"Gateway timeout" instead.
Resolves:
https://fedorahosted.org/sssd/ticket/3212
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
efc65e78fa4e01e6cecc8690a9899af61213be62 |
|
03-Oct-2016 |
Fabiano Fidêncio <fidencio@redhat.com> |
SECRETS: Add a configurable depth limit for nested containers
Resolves:
https://fedorahosted.org/sssd/ticket/3168
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4714118890e51b365fbce543d0a042b4b59b2b25 |
|
07-Jul-2016 |
Michal Zidek <mzidek@redhat.com> |
UTIL: Add function to parse internal fqname format
Add lightweight function to parse internal fqname format
(shortname@domain). This function does not require the
sss_names to be initialized.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
fcbcfa69f9291936f01f24b5fcb5a7672dca46f3 |
|
01-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SSH: Do not print an error message if sss_ssh_authorizedkeys is asked for a local user
If an IPA client uses the SSH integration and a local user logs in with
SSH, the sss_ssh_authorizedkeys looks up their keys in the SSH
responder, which doesn't find the user and returns ENOENT. The
sss_ssh_authorizedkeys reports a failure on any error, including ENOENT
which produced a confusing error message in the logs.
This patch adds a new error code that handles users that are not found
by SSSD but exist on the system and also special cases root with the
same error code. Therefore, logging in as a local user no longer prints
an error message.
Resolves:
https://fedorahosted.org/sssd/ticket/3003
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
edaadf8de0c86a2cfff2d29215775d42919476f3 |
|
27-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
ERRORS: Add errors to indicate whether SSSD is running or not
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
beec1ee5799570f34a51ea57674c7291c15f7022 |
|
23-Jun-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Shortcut looking up for group members sooner
This patch is a performance enhancement. When looking for entries to
refresh, we always looked up all members in the cache, even if we ended
up dereferencing the whole group. If we are about to try dereference, it
makes sense to shortcut the lookups after the dereference threshold is
reached. In that case, the split_members function returns a special
error code and the caller just dereferences the whole group.
Only if dereference fails, we fall back to looking up all members so
that we can look them up one-by-one.
Also adds an integration test to make sure the dereference code works.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
dd285415d7a8d8376207960cfa3e977524c3b98c |
|
23-Jun-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Search the timestamp caches in addition to the sysdb cache
When a sysdb entry is searched, the sysdb cache is consulted first
for users or groups. If an entry is found in the sysdb cache, the
attributes from the timestamp cache are merged to return the full and
up-to-date set of attributes.
The merging is done with a single BASE search which is a direct lookup
into the underlying key-value database, so it should be relatively fast.
More complex merging is done only for enumeration by filter which is
currently done only via the IFP back end and should be quite
infrequent, so I hope we can justify a more complex merging there.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
e732d23f3ec986a463d757781a334040e03d1f59 |
|
23-Jun-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL: Add error codes for sysdb too old or too new
We used really strange errno codes for detecting whether the database is
too old or too new. We should use our sssd-specific error codes instead.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
dee7a89098b698e756f63e4041734d7322ad8b1e |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
ERRORS: Add ERR_MISSING_DP_TARGET
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
c1058e96679c7ed1372825bf5226ce7d28a8e6ff |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
ERRORS: Add ERR_INVALID_DATA_TYPE
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
75d66aea7accc842e68c88f085f9053112b20ecc |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
ERRORS: Add ERR_TERMINATED
To indicate that data provider request was unexpectedly terminated.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
4ebab24f65b54720a6672898b76185462015abab |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
ERRORS: Add ERR_OFFLINE
To indicate that backend is offline.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
c30b7a1931211fdcae0564551a7625cc4f6dee9f |
|
10-May-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL: Add ERR_SBUS_REQUEST_HANDLED
In most cases when sbus request parsing finishes, the request is handled
internally and a reply is sent to the caller. However, in handlers that
are parsed and handled completely manually, we might want to be notified
about this case so that the caller of sbus_request_parse_or_finish()
aborts the request and doesn't proceed with using the sbus request which
is already freed internally in sbus_request_parse_or_finish().
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
5f7cd30c865046a7ea69944f7e07c85b4c43465a |
|
19-Jan-2016 |
Sumit Bose <sbose@redhat.com> |
AD: add task to renew the machine account password if needed
AD expects its clients to renew the machine account password on a
regular basis, by default every 30 days. Even if a client does not renew
the password it might not cause issues because AD does not enforce the
renewal. But the password age might be used to identify unused machine
accounts in large environments which might get disabled or deleted
automatically.
With this patch SSSD calls an external program to check the age of the
machine account password and renew it if needed. Currently 'adcli' is
used as external program which is able to renew the password since
version 0.8.0.
Resolves https://fedorahosted.org/sssd/ticket/1041
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
19e44537c28f6d5f011cd7ac885c74c1e892605f |
|
14-Jan-2016 |
Simo Sorce <simo@redhat.com> |
Krb5/PAM: Fix account lockout error handling
The krb5 provider was mapping KRB5KDC_ERR_CLIENT_REVOKED as
ERR_ACCOUNT_EXPIRED. This is incorrect as KRB5KDC_ERR_CLIENT_REVOKED is
returned by the KDC when an account lockout is in effect. When an account is
expired the kdc returns KRB5KDC_ERR_NAME_EXP.
Fix the mapping by adding a new ERR_ACCOUNT_LOCKOUT sssd_error code.
Resolves:
https://fedorahosted.org/sssd/ticket/2924
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b5825c74b6bf7a99ae2172392dbecb51179013a6 |
|
21-Sep-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL: Convert domain->disabled into tri-state with domain states
Required for:
https://fedorahosted.org/sssd/ticket/2637
This is a first step towards making it possible for a domain to be around,
but not contacted by Data Provider.
Also explicitly create domains as active, previously we only relied on
talloc_zero marking dom->disabled as false.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
9118a539a5d59f669f551114f880fe91d6bb8741 |
|
01-Sep-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
sbus: Add a special error code for messages sent by the bus itself
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
b42bf6c0c01db08208fb81d8295a2909d307284a |
|
14-Aug-2015 |
Pavel Reichl <preichl@redhat.com> |
DYNDNS: remove code duplication
Move copy pasted code for converting sockaddr_storage to string into
function.
Resolves:
https://fedorahosted.org/sssd/ticket/2495
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a8d887323f83984679a7d9b827a70146656bb7b2 |
|
31-Jul-2015 |
Sumit Bose <sbose@redhat.com> |
PAM: add certificate support to PAM (pre-)auth requests
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
64ea4127f463798410a2c20e0261c6b15f60257f |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Fetch keytab for 1way trusts
Uses the ipa-getkeytab call to retrieve keytabs for one-way trust
relationships.
https://fedorahosted.org/sssd/ticket/2636
Reviewed-by: Sumit Bose <sbose@redhat.com> |
05d935cc9d04f03522d0bb44598d22d99b085926 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Include ipaNTTrustDirection in the attribute set for trusted domains
Allows to distinguish the trust directions for trusted domains. For
domains where we don't know the direction in server mode, we assume
two-way trusts.
Member domains do not have the direction, but rather the forest root
direction is used.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
979e8d8d6ed444007eeff6be5269e8dc5d2bdf68 |
|
14-Jun-2015 |
Pavel Reichl <preichl@redhat.com> |
IPA: Don't override homedir with subdomain_homedir
Resolves:
https://fedorahosted.org/sssd/ticket/2583
Reviewed-by: Michal Židek <mzidek@redhat.com> |
7a4e3e29196e3abc1746714fcf93624edae89f93 |
|
01-Jun-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
util-tests: Add validation of internal error messages
The function sss_strerror() should not return a sentence.
It should return a string, the same as strerror()
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
10a28f461c25d788ff4dcffefa881e7aa724a25d |
|
22-May-2015 |
Pavel Březina <pbrezina@redhat.com> |
sbus: add sbus_opath_decompose[_exact]
This function decomposes object path into array of strings. The
"_exact" version expects a certain number of parts otherwise an
error is thrown.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
82a958e6592c4a4078e45b7197bbe4751b70f511 |
|
28-Apr-2015 |
Pavel Reichl <preichl@redhat.com> |
simple-access-provider: make user grp res more robust
Not all user groups need to be resolved if group deny list is empty.
Resolves:
https://fedorahosted.org/sssd/ticket/2519
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
1243e093fd31c5660adf1bb3dd477d6935a755be |
|
24-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Use custom error codes when validating HBAC rules
https://fedorahosted.org/sssd/ticket/2603
Instead of reusing EINVAL/ENOENT, use more descriptive error codes. This
will be useful in the next patch where we act on certain codes.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
7650ded4ffa87fcf7ce5adf00920fecf89cffcf5 |
|
13-Mar-2015 |
Michal Zidek <mzidek@redhat.com> |
test: Check ERR_LAST
Check if number of error codes and messages is the same.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
7c69221077c780e62f6c536e78675f2dc1c131bc |
|
13-Mar-2015 |
Michal Zidek <mzidek@redhat.com> |
DEBUG: Add missing strings for error messages
We had more error codes than corresponding
messages. Also order of two messages was
wrong.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
804df4040eb142f82a44c019c7a55b5ce524583c |
|
11-Mar-2015 |
Michal Zidek <mzidek@redhat.com> |
Use FQDN if default domain was set
https://fedorahosted.org/sssd/ticket/2569
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
5a5c5cdeb92f4012fc75fd717bfea06598f68f12 |
|
05-Mar-2015 |
Pavel Reichl <preichl@redhat.com> |
UTIL: convert GeneralizedTime to unix time
New utility function *sss_utc_to_time_t* to convert GeneralizedTime to
unix time.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
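The conversion sss_utc_to_time_t performs, as an added example that is not SSSD's implementation: it accepts only the strict "YYYYMMDDHHMMSSZ" form, rejects fractional seconds, local offsets and impossible dates such as 29 February in a non-leap year, and computes the epoch value directly so it depends neither on timegm() nor on the process time zone. The function names, the accepted subset and the sample inputs in the test are this example's own choices.

```c
#include <errno.h>
#include <string.h>
#include <ctype.h>
#include <time.h>

/* Example code, not SSSD's sss_utc_to_time_t. Only the LDAP-style
 * GeneralizedTime "YYYYMMDDHHMMSSZ" (UTC, no fraction, no offset) is accepted. */

static int days_in_month(int y, int m)
{
    static const int days[] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
    int leap = (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
    return days[m - 1] + (m == 2 && leap);
}

/* Days since 1970-01-01 for a proleptic Gregorian civil date. */
static long long days_from_civil(int y, int m, int d)
{
    long long era, yoe, doy, doe;
    y -= m <= 2;
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = y - era * 400;
    doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

static int two_digits(const char *s)
{
    return (s[0] - '0') * 10 + (s[1] - '0');
}

/* Returns 0 and stores the epoch time on success, EINVAL for malformed or
 * impossible input, ERANGE when the value does not fit this platform's time_t. */
int generalized_time_to_time_t(const char *s, time_t *out)
{
    int i, year, mon, day, hour, min, sec;
    long long secs;

    if (strlen(s) != 15 || s[14] != 'Z') return EINVAL;   /* rejects "+0100", ".5Z", ... */
    for (i = 0; i < 14; i++) {
        if (!isdigit((unsigned char)s[i])) return EINVAL;
    }
    year = two_digits(s) * 100 + two_digits(s + 2);
    mon  = two_digits(s + 4);
    day  = two_digits(s + 6);
    hour = two_digits(s + 8);
    min  = two_digits(s + 10);
    sec  = two_digits(s + 12);

    /* Calendar validation: no silent normalisation of 29 Feb or 24:00. */
    if (mon < 1 || mon > 12 || day < 1 || day > days_in_month(year, mon)
        || hour > 23 || min > 59 || sec > 59) {
        return EINVAL;
    }

    secs = days_from_civil(year, mon, day) * 86400LL
         + hour * 3600LL + min * 60LL + sec;
    if ((long long)(time_t)secs != secs) return ERANGE;
    *out = (time_t)secs;
    return 0;
}
```

Strictness is deliberate: a lenient parser that normalises an out-of-range field turns a malformed expiry attribute into a valid but wrong timestamp, which for an account expiration check is the wrong direction to fail in.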
8394eddba54b5d3e3fda868145e3751247bdbdb2 |
|
25-Nov-2014 |
Michal Zidek <mzidek@redhat.com> |
util: Special-case PCRE_ERROR_NOMATCH in sss_parse_name
Add new SSSD specific error code for the case when
pcre_exec returns PCRE_ERROR_NOMATCH.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
2745b0156f12df7a7eb93d57716233243658e4d9 |
|
18-Nov-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Move all ccache operations to krb5_child.c
The credential cache operations must be now performed by the krb5_child
completely, because the sssd_be process might be running as the sssd
user who doesn't have access to the ccaches.
src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5
until we fix Kerberos ticket renewal as non-root.
Also includes a new error code that indicates that the back end should
remove the old ccache attribute -- the child can't do that if it's
running as the user.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
f3a25949de81f80c136bb073e4a8f504b080c20c |
|
05-Nov-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Move setting the SELinux context to a child process
In order for the sssd_be process to run as unprivileged user, we need to
move the semanage processing to a process that runs as the root user
using setuid privileges.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
a2ea3f5d9ef9f17efbb61e942c2bc6cff7d1ebf2 |
|
02-Sep-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Ignore returned referrals if referral support is disabled
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
0c1d65998907930678da2d091789446f2c344d5d |
|
08-Jul-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Return a specific value on failure connecting to the system bus
We need to treat the failure to connect to the system bus as non-fatal.
In this commit, we introduce a special error code and only print a DEBUG
message when this error code is returned from the startup function.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
1319e71fd1680ca4864afe0b1aca2b8c8e4a1ee4 |
|
22-May-2014 |
Stef Walter <stefw@redhat.com> |
SBUS: Start implementing property access
This patch adds the basis of SBUS getters and setters. A new module,
sssd_dbus_properties.c would contain handlers for the property methods
like Get, Set and GetAll.
Type-safe property access works in a similar fashion like type-safe
method calls - the invoker calls the getter which returns the primitive
type, which is in turn marshalled into variant by the invoker.
This patch does not contain the complete functionality, see later
patches that continue implementing the getters and setters.
Reviewed-by: Stef Walter <stefw@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
60cab26b12df9a2153823972cde0c38ca86e01b9 |
|
13-May-2014 |
Yassir Elley <yelley@redhat.com> |
Implemented LDAP component of GPO-based access control
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
0161a3c5637a0c0092bf54c436bb3d6508d7df26 |
|
13-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
SBUS: Add an async request to retrieve the caller ID
Adds an async request sbus_get_sender_id_{send,recv} that allows
retrieval of UID based on "sender" as returned by
dbus_message_get_sender().
The UID is an int64_t to be able to use "-1" as a fallback value for
unknown or error cases.
The unit test is added as a standalone one, not part of the sbus_tests
because the request, and by extension the unit test relies on being
connected to the system bus, which is very unlikely to work in a build
system.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com> |
4dd38025efda88f123eac672f87d3cda12f050c8 |
|
02-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Make it possible to extend an attribute map
https://fedorahosted.org/sssd/ticket/2073
This commit adds a new option ldap_user_extra_attrs that is unset by
default. When set, the option contains a list of LDAP attributes the LDAP
provider would download and store in addition to the usual set.
The list can either contain LDAP attribute names only, or colon-separated
tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP
attribute name is specified, the attribute is saved to the cache verbatim.
Using a custom SSSD attribute name might be required by environments that
configure several SSSD domains with different LDAP schemas.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
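A parser for the value format the commit describes, as an added example that is not SSSD's option parsing: each comma-separated entry is either an LDAP attribute name, stored in the cache verbatim, or an "ldap_attr:cache_attr" pair. Beyond what the commit states, this example refuses to map an extra attribute onto a cache attribute that carries identity data and rejects two entries with the same target, because a mapping onto uidNumber or homeDirectory would let directory data overwrite the fields login decisions depend on. The reserved list, the name limits and the sample values are assumptions for the example.

```c
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Example code, not SSSD's option handling. */
#define ATTR_NAME_MAX   64
#define MAX_EXTRA_ATTRS 32

struct extra_attr {
    char ldap_name[ATTR_NAME_MAX];   /* attribute requested from LDAP */
    char sysdb_name[ATTR_NAME_MAX];  /* attribute name used in the cache */
};

/* Cache attributes an extra mapping must never target. Assumed list for
 * the example; SSSD's real reserved set is defined by its own schema. */
static const char *const reserved_sysdb_attrs[] = {
    "name", "uidNumber", "gidNumber", "homeDirectory", "loginShell", "objectClass",
};

/* Attribute descriptions: letters, digits, '-', '_' and ';' (LDAP options). */
static int valid_attr_name(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s != '\0'; s++) {
        if (!isalnum((unsigned char)*s) && *s != '-' && *s != '_' && *s != ';') return 0;
    }
    return 1;
}

/* Copy [start, end) into dst with surrounding whitespace removed; 0 if too long. */
static int copy_trimmed(char *dst, size_t dst_len, const char *start, const char *end)
{
    size_t n;
    while (start < end && isspace((unsigned char)*start)) start++;
    while (end > start && isspace((unsigned char)end[-1])) end--;
    n = (size_t)(end - start);
    if (n >= dst_len) return 0;
    memcpy(dst, start, n);
    dst[n] = '\0';
    return 1;
}

/* Parse "attr1, attr2:cache2, ..." into out[]. Returns the number of
 * mappings, or -1 for an empty or invalid name, more than one ':' in an
 * entry, a reserved target, a duplicate target, or too many entries. */
int parse_extra_attrs(const char *value, struct extra_attr *out, int max)
{
    int n = 0, i;
    const char *p = value;

    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        const char *entry_end = comma ? comma : p + strlen(p);
        const char *colon = memchr(p, ':', (size_t)(entry_end - p));

        if (n >= max) return -1;
        if (colon != NULL && memchr(colon + 1, ':', (size_t)(entry_end - colon - 1)) != NULL)
            return -1;
        if (!copy_trimmed(out[n].ldap_name, ATTR_NAME_MAX, p, colon ? colon : entry_end))
            return -1;
        if (!copy_trimmed(out[n].sysdb_name, ATTR_NAME_MAX, colon ? colon + 1 : p, entry_end))
            return -1;
        if (!valid_attr_name(out[n].ldap_name) || !valid_attr_name(out[n].sysdb_name))
            return -1;
        for (i = 0; i < (int)(sizeof(reserved_sysdb_attrs) / sizeof(reserved_sysdb_attrs[0])); i++) {
            if (strcasecmp(out[n].sysdb_name, reserved_sysdb_attrs[i]) == 0) return -1;
        }
        for (i = 0; i < n; i++) {
            if (strcasecmp(out[n].sysdb_name, out[i].sysdb_name) == 0) return -1;
        }
        n++;
        if (comma == NULL) break;
        p = comma + 1;
    }
    return n;
}
```

Attribute names are compared case-insensitively because LDAP attribute descriptions are; without that, "mail:UIDNumber" would slip past a case-sensitive reserved-name check.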
7caf7ed4f2eae1ec1c0717b4ee6ce78bdacd5926 |
|
22-Apr-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
RESPONDERS: Add a new request sss_parse_inp_send
The responders were copying code to parse input and on encountering an
unknown domain, send the discover subdomain request. This patch adds a
reusable request that can always be called in responders and in case the
name can be parsed, just shortcut.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
e81deec535d11912b87954c81a1edd768c1386c9 |
|
12-Feb-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Detect the presence of POSIX attributes
When the schema is set to AD and ID mapping is not used, there is a one-time
check run when searching for users to detect the presence of POSIX
attributes in LDAP. If this check fails, the search fails as if no entry
was found and returns a special error code.
The sdap_server_opts structure is filled every time a client connects to
a server so the posix check boolean is reset to false again on connecting
to the server.
It might be better to move the check to where the rootDSE is retrieved,
but the check depends on several features that are not known to the code
that retrieves the rootDSE (or the connection code for example) such as what
the attribute mappings are or the authentication method that should be used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
2a96981a0ac781d01e5bba473409ed2bdf4cd4e0 |
|
09-Jan-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Add a new error code for malformed access control filter
https://fedorahosted.org/sssd/ticket/2164
The patch adds a new error code and special cases the new code so that
access is denied and a nicer log message is shown. |
b5ee224324b0158641d9b110f81d2bc6eddddc13 |
|
27-Nov-2013 |
Pavel Reichl <pavel.reichl@redhat.com> |
monitor: Specific error message for missing sssd.conf
Specific error message is logged for missing sssd.conf file. New sssd specific
error value is introduced for this case.
Resolves:
https://fedorahosted.org/sssd/ticket/2156 |
bc30ce9b7d588a17e58012e699986f0d6898b791 |
|
25-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
utils: add ERR_DOMAIN_NOT_FOUND error code
Resolves:
https://fedorahosted.org/sssd/ticket/1968 |
dcc6877aa2e2dd63a9dc9c411a9c58feaeb36b9a |
|
28-Aug-2013 |
Stephen Gallagher <sgallagh@redhat.com> |
krb5: Fetch ccname template from krb5.conf
In order to use the same defaults in all system daemons that need to know how
to generate or search for ccaches we introduce code here to take advantage of
the new option called default_ccache_name provided by libkrb5.
If this variable is set we establish the same default for all programs that source
it out of krb5.conf, therefore providing a consistent experience across the
system.
Related:
https://fedorahosted.org/sssd/ticket/2036 |
e5f455afbc2d149527bfd08f4e89903a3a8da17a |
|
21-Jun-2013 |
Pavel Březina <pbrezina@redhat.com> |
failover: return error when SRV lookup returned only duplicates
https://fedorahosted.org/sssd/ticket/1947
Otherwise we risk that the meta server is removed from the server list,
but without a chance to return, because there may be no fo_server with
srv_data = meta.
Also if state->meta->next is NULL (it is still orphaned because we try
to erroneously expand it without invoking collapse first), state->out
will be NULL and SSSD will crash.
New error code: ERR_SRV_DUPLICATES |
22a21e910fd216ec1468fe769dcc29f1621a52a4 |
|
14-Jun-2013 |
Ondrej Kos <okos@redhat.com> |
KRB: Handle preauthentication error correctly
https://fedorahosted.org/sssd/ticket/1873
KRB preauthentication error was later mishandled like authentication error. |
9cb46bc62f22e0104f1b41a423b014c281ef5fc2 |
|
03-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Refactor dynamic DNS updates
Provides two new layers instead of the previous IPA specific layer:
1) dp_dyndns.c -- a very generic dyndns layer on the DP level. Its
purpose it to make it possible for any back end to use dynamic DNS
updates.
2) sdap_dyndns.c -- a wrapper around dp_dyndns.c that utilizes some
LDAP-specific features like autodetecting the address from the LDAP
connection.
Also converts the dyndns code to new specific error codes. |
f9961e5f82e0ef474d6492371bfdf9e74e208a99 |
|
10-Apr-2013 |
Pavel Březina <pbrezina@redhat.com> |
DNS sites support - SRV lookup plugin interface
https://fedorahosted.org/sssd/ticket/1032
Introduces two new error codes:
- ERR_SRV_NOT_FOUND
- ERR_SRV_LOOKUP_ERROR
Since id_provider is authoritative in case of SRV plugin choice,
ability to override the selected plugin during runtime is not
desirable. We rely on the fact that id_provider is initialized
before all other providers, thus the plugin is set correctly. |
aa7202c8ae677becd6c91d6a27a607fe0f3995ee |
|
20-Mar-2013 |
Pavel Březina <pbrezina@redhat.com> |
correct order in error_to_str table
Also fixed typo. |
dfd71fc92db940b2892cc996911cec03d7b6c52b |
|
19-Mar-2013 |
Simo Sorce <simo@redhat.com> |
Convert sdap_access to new error codes
Also simplify sdap_access_send to avoid completely fake _send() routines. |
233a3c6c48972b177e60d6ef4cecfacd3cf31659 |
|
19-Mar-2013 |
Simo Sorce <simo@redhat.com> |
Use common error facility instead of sdap_result
Simplifies and consolidates error reporting for ldap authentication paths.
Adds 3 new error codes:
ERR_CHPASS_DENIED - Used when password constraints deny password changes
ERR_ACCOUNT_EXPIRED - Account is expired
ERR_PASSWORD_EXPIRED - Password is expired |
c6872e79e8496fd075e20aec0343ade99cca725c |
|
04-Mar-2013 |
Simo Sorce <simo@redhat.com> |
Cleanup error message handling for krb5 child
Use the new internal SSSD errors, to simplify error handling.
Instead of using up to 3 different error types (system, krb5 and
pam_status), collapse all error reporting into one error type mapped
on errno_t.
The returned error can contain either SSSD internal errors, kerberos
errors or system errors, they all use different number spaces so there
is no overlap and they can be safely merged.
This means that errors being sent from the child to the parent are not
pam status error messages anymore.
The callers have been changed to properly deal with that.
Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from
the krb5_child for kerberos errors as all it was doing was simply to
make the parent emit the same debug log already emitted by the child,
and the code is simpler if we do not do that. |
ab967283b710dfa05d11ee5b30c7ac916486ceec |
|
04-Mar-2013 |
Simo Sorce <simo@redhat.com> |
Use SSSD specific errors for offline auth
This prevents reporting false errors when internal functions return
a generic EINVAL or EACCES that should just be treated as internal
errors. |
8bcabb97d988d1602882a1f036aac2eaf5e09234 |
|
04-Mar-2013 |
Simo Sorce <simo@redhat.com> |
Add SSSD specific error codes and definitions
This code adds a new range of error codes specific to SSSD,
It also provides helper functions to print out error definitions
like you can do with system error messages and the strerror() function.
The sss_strerror() function can accept both the new sssd errors and
system errno_t errors falling back to the system strerror() if the error
code provided is not a valid SSSD error code. |
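The three error spaces that "Cleanup error message handling for krb5 child" and "Add SSSD specific error codes and definitions" describe, together with the table check from "test: Check ERR_LAST", as an added example that is not SSSD's util_errors code. The base value, the mask, the enum members and the message strings are assumptions for the example, chosen so that an SSSD code can never equal an errno value or one of the negative com_err-style codes libkrb5 returns; the negative value in the test is illustrative, not taken from krb5.h.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Example code, not SSSD's util_errors. Base and mask are assumptions. */
#define SSS_ERR_BASE 0x555D0000u
#define SSS_ERR_MASK 0x0000FFFFu

enum sss_err_code {
    ERR_INVALID = SSS_ERR_BASE + 0,
    ERR_INTERNAL,
    ERR_ACCOUNT_EXPIRED,
    ERR_PASSWORD_EXPIRED,
    ERR_ACCOUNT_LOCKOUT,
    ERR_OFFLINE,
    ERR_LAST            /* sentinel: one past the last real code */
};

/* Messages indexed by (code - SSS_ERR_BASE); plain strings, not sentences,
 * so they compose like strerror() output. */
static const char *const sss_err_msgs[] = {
    "Invalid error code",
    "Internal error",
    "Account is expired",
    "Password is expired",
    "Account is locked out",
    "Backend is offline",
};

/* Compile-time form of the ERR_LAST check: the build fails when a code is
 * added without its message or a message without its code. */
typedef char sss_err_table_size_check[
    (sizeof(sss_err_msgs) / sizeof(sss_err_msgs[0]) == ERR_LAST - SSS_ERR_BASE) ? 1 : -1];

/* True only for values inside the SSSD range and below the sentinel. errno
 * values are small positives and com_err codes are large negatives, so
 * neither can satisfy the base test. */
int is_sssd_error(int err)
{
    unsigned int u = (unsigned int)err;
    return (u & ~SSS_ERR_MASK) == SSS_ERR_BASE && u < (unsigned int)ERR_LAST;
}

/* sss_strerror-style lookup: SSSD code -> table entry, anything else ->
 * the system strerror() text. */
const char *sss_strerror_example(int err)
{
    if (is_sssd_error(err)) {
        return sss_err_msgs[(unsigned int)err - SSS_ERR_BASE];
    }
    return strerror(err);
}
```

Because the ranges are disjoint, a child process can return errno, a krb5 code or an SSSD code through one errno_t channel and the parent can classify it without knowing which layer failed, which is what the krb5_child cleanup relies on.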