7171a7584dda534dde5409f3e7f4657e845ece15 |
|
24-Nov-2016 |
Fabiano Fidêncio <fidencio@redhat.com> |
SECRETS: Add configurable payload size limit of a secret
Resolves:
https://fedorahosted.org/sssd/ticket/3169
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
ce43f710c9638fbbeae077559cd7514370a10c0c |
|
02-Nov-2016 |
Sumit Bose <sbose@redhat.com> |
PAM: add pam_response_filter option
Currently the main use-case for this new option is to not set the
KRB5CCNAME environment varible for services like 'sudo-i'.
Resolves https://fedorahosted.org/sssd/ticket/2296
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbf |
|
05-Oct-2016 |
Fabiano Fidêncio <fidencio@redhat.com> |
SECRETS: Add a configurable limit of secrets that can be stored
Related:
https://fedorahosted.org/sssd/ticket/3169
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
efc65e78fa4e01e6cecc8690a9899af61213be62 |
|
03-Oct-2016 |
Fabiano Fidêncio <fidencio@redhat.com> |
SECRETS: Add a configurable depth limit for nested containers
Resolves:
https://fedorahosted.org/sssd/ticket/3168
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
47aea8d2fc19fedb0a774f2e72c02ac2c87d1723 |
|
03-Oct-2016 |
Fabiano Fidêncio <fidencio@redhat.com> |
CONFIG: Add secrets provider options
Related:
https://fedorahosted.org/sssd/ticket/3207
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
1773fdad2730f3f910782781fa286f402ce36cca |
|
22-Sep-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
SSSDConfig: Do not fail with nonexisting domains/services
dict.keys() returns iterator in python3 and not list
Chaging data in dictionary while using iterator
fails with "RuntimeError: dictionary changed size during iteration"
https://fedorahosted.org/sssd/ticket/3107
Reviewed-by: Michal Židek <mzidek@redhat.com> |
aef0171e0bdc9a683958d69c7ee984fb10cd5de7 |
|
13-Sep-2016 |
Petr Cech <pcech@redhat.com> |
PROXY: Adding proxy_max_children option
The new option 'proxy_max_children' is applicable
in domain section. Default value is 10.
Resolves:
https://fedorahosted.org/sssd/ticket/3153
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
081c6d8c7c8e75487d1c4e42862964be1e85b575 |
|
12-Sep-2016 |
Justin Stephenson <jstephen@redhat.com> |
MONITOR: Add disable_netlink option
Adding a new monitor boolean option to disable netlink support.
This will give users more control over sssd state changes without
having to modify systemd unit files.
Resolves:
https://fedorahosted.org/sssd/ticket/3142
Reviewed-by: Petr Cech <pcech@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
5b0735876aa66464b24cb7736a74fafd8ec82128 |
|
31-Aug-2016 |
Fabiano Fidêncio <fidencio@redhat.com> |
MONITOR: Remove leftovers from kill_service
Seems that wen I sent the v2 of ac35fe74 I attached the wrong pacth that
ended up being pushed.
The patch was incomplete as there are still some leftovers.
The .po and sssd-docs.pot were not touched as I do believe they are
autogenerated from Zanata.
Related:
https://fedorahosted.org/sssd/ticket/3052
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Petr Čech <pcech@redhat.com> |
e04df9feca0c9877c69aa46450d04c556bcb23ad |
|
31-Aug-2016 |
Fabiano Fidêncio <fidencio@redhat.com> |
MONITOR: Remove leftovers from diag_cmd
Seems that when I sent the v2 of 7579cf99 I attached the wrong patch
that ended up being pushed.
That patch was incomplete as there are still some leftovers.
Related:
https://fedorahosted.org/sssd/ticket/3051
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Petr Čech <pcech@redhat.com> |
d940593e647731c0caec1fd04cf16a1b23578f32 |
|
23-Aug-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
CONFIG: session_provider does not exist anymore
The session_provider used to exist a long time ago when we used to set
the SELinux context from it, but the provider had been removed for a
long time. We just forgot to remove the value from the config API and
the validator.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
dec00197181ee8f7efbfbdadd73629f66f80f1ff |
|
23-Aug-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
CONFIG: selinux_provider is a valid provider type
We should not warn about it in the validator and should allow
selinux_provider from the config API.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
d6342c92c226becbdd254f90a0005b8c00c300dc |
|
17-Aug-2016 |
Petr Cech <pcech@redhat.com> |
AD_PROVIDER: Add ad_enabled_domains option
Resolves:
https://fedorahosted.org/sssd/ticket/2828
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
6d19051c50c10fc4de056ebb385c63ec0ed221cb |
|
12-Aug-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
CONFIG: re_expression is an allowed option for all domains
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
cc4d1af16820b15595b60c3df15220fb852eb897 |
|
12-Aug-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
CONFIG: full_name_format is an allowed option for all domains
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
83a796ec8de4bde65b11cc8032675406950641fa |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
LDAP: new attribute option ldap_user_email
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
0a172552ec16f3b84d127399551cad786da8fd9d |
|
12-Jul-2016 |
Michal Židek <mzidek@redhat.com> |
config: Fix user_attributes
Fixes:
https://fedorahosted.org/sssd/ticket/3068
Option user_attributes is also available in
NSS responder, but not in PAC responder.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
fc04d11c2fdde0bfe280c6030df2b1d6bf15ce63 |
|
12-Jul-2016 |
Michal Židek <mzidek@redhat.com> |
config: override_space is monitor's option
We read override_space from [sssd] not
[nss] section.
Resolves:
https://fedorahosted.org/sssd/ticket/3068
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
ba5e2d5e261e5f3ac6ce00227595f7265d2c715e |
|
29-Jun-2016 |
Simo Sorce <simo@redhat.com> |
Monitor: Remove ping infrastructure
Now thast services use an internal watchdog we do not need pings anymore,
this will cut down the chatter and allow more flexible process management,
for example socket activation and exit-on-idle.
Resolves:
https://fedorahosted.org/sssd/ticket/2921
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
131684b9107a3fc07906013d16b35975531f2864 |
|
16-Jun-2016 |
Stephen Gallagher <sgallagh@redhat.com> |
DEBUG: Add `debug` alias for debug_level
Our users constantly make the mistake of typing `debug = 9` in the
sssd.conf instead of `debug_level = 9` as would be correct. This
happens frequently-enough that we should just alias it rather than
continue to have people make mistakes.
Resolves:
https://fedorahosted.org/sssd/ticket/2999
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Petr Cech <pcech@redhat.com> |
e7ccfb139388c947ec2dee16cfe3005f5643b90d |
|
10-Jun-2016 |
Petr Cech <pcech@redhat.com> |
RESPONDERS: Negative caching of local users
This patch adds new option 'neg_cache_locals_timeout' into section
of NSS responder. It allows negative caching of local groups and
users. Default value is 0 which means no caching.
Resolves:
https://fedorahosted.org/sssd/ticket/2928
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
875c90d531e6869a92da4b515db729ffce7c4244 |
|
09-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
p11: add missing man page entry and config API
The pam_cert_auth and pam_cert_db_path option where missing in the
config API and had no man page entries.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
d0d7de66c9494621c1bc12384e41e5e38a77fbeb |
|
13-Apr-2016 |
Sumit Bose <sbose@redhat.com> |
PAC: only save PAC blob into the cache
Resolves https://fedorahosted.org/sssd/ticket/2158
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
3cf7fdfcaedb986f42a6640e26aa057007b64045 |
|
24-Feb-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
Add a new option ldap_group_external_member
Required for:
https://fedorahosted.org/sssd/ticket/2522
Reviewed-by: Sumit Bose <sbose@redhat.com> |
4180d485829969d4626cc7d49d2b5f7146512f21 |
|
17-Feb-2016 |
Pavel Reichl <preichl@redhat.com> |
PAM: Pass account lockout status and display message
Tested against Windows Server 2012.
Resolves:
https://fedorahosted.org/sssd/ticket/2839
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
8babbeee01e67893af4828ddfc922ecac0be4197 |
|
20-Jan-2016 |
Pavel Reichl <preichl@redhat.com> |
IDMAP: Add support for automatic adding of ranges
Resolves:
https://fedorahosted.org/sssd/ticket/2188
Reviewed-by: Sumit Bose <sbose@redhat.com> |
5f7cd30c865046a7ea69944f7e07c85b4c43465a |
|
19-Jan-2016 |
Sumit Bose <sbose@redhat.com> |
AD: add task to renew the machine account password if needed
AD expects its clients to renew the machine account password on a
regular basis, be default every 30 days. Even if a client does not renew
the password it might not cause issues because AD does not enforce the
renewal. But the password age might be used to identify unused machine
accounts in large environments which might get disabled or deleted
automatically.
With this patch SSSD calls an external program to check the age of the
machine account password and renew it if needed. Currently 'adcli' is
used as external program which is able to renew the password since
version 0.8.0.
Resolves https://fedorahosted.org/sssd/ticket/1041
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
544a20de7667f05c1a406c4dea0706b0ab507430 |
|
26-Nov-2015 |
Sumit Bose <sbose@redhat.com> |
p11: enable ocsp checks
This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification more easy it is not an option on its own but an
option to the new certificate_verification configuration option.
Resolves https://fedorahosted.org/sssd/ticket/2812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
89530c830ded58c6140cdb34c9de07bf77bb5bc0 |
|
13-Nov-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SSSD: Add a new option diag_cmd
This option is an optional one that is run when a sbus ping times out
and before a SIGKILL signal is sent.
It is undocumented by default.
diag_cmd (string):
A command that should be run for diagnostic purpose when an sbus timeout
fails. The option value may contain %p which would be expanded for the
process ID of the process that timed out
Example:
pstack %p
This setting would print the stackstrace of the service whose ping timed out.
Default: not set.
Reviewed-by: Petr Cech <pcech@redhat.com> |
6a044fa43d53638c1d0b874d43f58c0428820362 |
|
19-Oct-2015 |
Michal Židek <mzidek@redhat.com> |
SSSDConfig: Do not raise exception if config_file_version is missing
Ticket:
https://fedorahosted.org/sssd/ticket/2837
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
d85be8ad409c9efa9cf9e9ab6f9c2d911b01e5c1 |
|
23-Sep-2015 |
Michal Židek <mzidek@redhat.com> |
PAM: Make p11_child timeout configurable
Ticket:
https://fedorahosted.org/sssd/ticket/2773
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
175613be0cfb0890174d12d941e634d833b63dd9 |
|
03-Sep-2015 |
Michal Židek <mzidek@redhat.com> |
CONFDB: Assume config file version 2 if missing
Default to config file version 2 if the version
is not specified explicitly.
Ticket:
https://fedorahosted.org/sssd/ticket/2688
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
8145ab51b05aa86b2f1a21b49383f55e50b0a2e3 |
|
14-Aug-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
DYNDNS: Add a new option dyndns_server
Some environments use a different DNS server than identity server. For
these environments, it would be useful to be able to override the DNS
server used to perform DNS updates.
This patch adds a new option dyndns_server that, if set, would be used
to hardcode a DNS server address into the nsupdate message.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
52e3ee5c5ff2c5a4341041826a803ad42d2b2de7 |
|
14-Aug-2015 |
Pavel Březina <pbrezina@redhat.com> |
sudo: use "higher value wins" when ordering rules
This commit changes the default ordering logic (lower value wins) to
a correct one that is used by native ldap support. It also adds a new
option sudo_inverse_order to switch to the original SSSD (incorrect)
behaviour if needed.
Resolves:
https://fedorahosted.org/sssd/ticket/2682
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
2ab9822a792e26e9ddb47cbb6bc788a0727c8556 |
|
04-Aug-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
SSSDConfig: Return correct types in python3
In Python 3, dict.keys() returns a view rather than a list. Since dict keys
aren't in any particular order, indexing them doesn't make sense.
Resolves:
https://fedorahosted.org/sssd/ticket/2699
Reviewed-by: Christian Heimes <cheimes@redhat.com> |
4de84af23db74e13e867985c9093f394c9fa8d51 |
|
31-Jul-2015 |
Sumit Bose <sbose@redhat.com> |
ssh: generate public keys from certificate
Resolves: https://fedorahosted.org/sssd/ticket/2711
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b9e74a747b8f1012bba3575f3e4289ef4877d64a |
|
15-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Add the wildcard_limit option
Related:
https://fedorahosted.org/sssd/ticket/2553
Adds a new wildcard_limit option that is set by default to 1000 (one
page). This option limits the number of entries that can by default be
returned by a wildcard search.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
0aa18cc0bf3447ca734476926724f1632e160807 |
|
06-Jul-2015 |
Pavel Reichl <preichl@redhat.com> |
PAM: authenticate agains cache
Enable authenticating users from cache even when SSSD is in online mode.
Introduce new option `cached_auth_timeout`.
Resolves:
https://fedorahosted.org/sssd/ticket/1807
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e22e04517b9f9d0c7759dc4768eedfd05908e9b6 |
|
19-Jun-2015 |
Sumit Bose <sbose@redhat.com> |
LDAP: add ldap_user_certificate option
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
070bb515321a7de091b884d9e0ab357b7b5ae578 |
|
19-Jun-2015 |
Sumit Bose <sbose@redhat.com> |
adding ldap_user_auth_type where missing
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
1711cbfd2e36d44af1ae50e3a2beeec3a1f0b5e8 |
|
05-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
confdb: Add new option subdomain_inherit
Adds a new option subdomain_inherit that would allow administrators to pick
and choose which option to pass to subdomains.
This option is required for:
https://fedorahosted.org/sssd/ticket/2644
as a short-term fix.
The proper solution is described in:
https://fedorahosted.org/sssd/ticket/2599
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
aa8a8318aaa3270e9d9957d0c22dec6342360a37 |
|
28-May-2015 |
Pavel Reichl <preichl@redhat.com> |
krb5: new option krb5_map_user
New option `krb5_map_user` providing mapping of ID provider names to
Kerberos principals.
Resolves:
https://fedorahosted.org/sssd/ticket/2509
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
6dff95bdfe437afc0b62b5270d0d84140981c786 |
|
24-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Remove the ipa_hbac_treat_deny_as option
https://fedorahosted.org/sssd/ticket/2603
Since deny rules are no longer supported on the server, the client
should no longer support them either. Remove the option.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
e039f1aefecc65a7b3c2d4a13a612bff1dd367c8 |
|
23-Feb-2015 |
Pavel Reichl <preichl@redhat.com> |
PAM: new option pam_account_expired_message
This option sets string to be printed when authenticating using SSH
keys and account is expired.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com> |
a71004c112cd5d61d3a9e37a4cfc5760dc9a1cec |
|
13-Feb-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
SSSDConfig: Port missing parts to python3
* fix incompatible imports
* fix translation.[u]?gettext
* fix dict method has_key
* fix octal literals PEP 3127
* long is not defined in python3
Resolves:
https://fedorahosted.org/sssd/ticket/2017
Reviewed-by: Petr Viktorin <pviktori@redhat.com> |
1ac368d0962ef8cc83dcd642c7fec8b3cba5b6fe |
|
13-Feb-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
SSSDConfig: Remove unused exception name
"except ValueError, e:" was the syntax used for what is normally written
as "except ValueError as e:" in modern Python. The old syntax is still
supported in python2 for backwards compatibility.
This means "except ValueError, KeyError:" is not equivalent to
"except (ValueError, KeyError):" but to "except ValueError as KeyError:"
and variable with name "KeyError" was not used in exception handler.
Resolves:
https://fedorahosted.org/sssd/ticket/2017
Reviewed-by: Petr Viktorin <pviktori@redhat.com> |
b22e0da9e644f5eb84ee0c8986979fec3fe7eb56 |
|
26-Jan-2015 |
Pavel Reichl <preichl@redhat.com> |
AD: add new option ad_site
This option overrides a result of the automatic site discovery.
Resolves:
https://fedorahosted.org/sssd/ticket/2486
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
4fa184e2c60b377fd71e0115a618bd68dc73627d |
|
25-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
AD/IPA: add krb5_confd_path configuration option
With this new parameter the directory where Kerberos configuration
snippets are created can be specified.
Fixes https://fedorahosted.org/sssd/ticket/2473
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
69a88c4757dd24b1857954de7d043af1e5590b7f |
|
06-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
Revert "LDAP: Remove unused option ldap_group_uuid"
This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
1dfa1e2968ce2031deb6da7c28b09ce1b5ba56f2 |
|
06-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
Revert "LDAP: Remove unused option ldap_user_uuid"
This reverts commit dfb2960ab251f609466fa660449703835c97f99a.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
a10ac1d0a7210def232205a48c53a075930e82f6 |
|
22-Oct-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
SSSD: Load a user to run a service as from configuration
Related:
https://fedorahosted.org/sssd/ticket/2370
Adds a option, user to run as, that is specified in the [sssd] section. When
this option is specified, SSSD will run as this user and his private
group. When these are not specified, SSSD will run as the configure-time
user and group (usually root).
Currently all services and providers are started as root. There is a
temporary svc_supported_as_nonroot() function that returns true for a
service if that service runs and was tested as nonroot and false
otherwise. Currently this function always returns false, but will be
amended in future patches.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
08ab0d4ede41a1749e0bc26f78a37a4d10c20db8 |
|
16-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
IPA: add view support and get view name
Related to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
830ded27453015080a54d6ba85fd4999ee7e9af1 |
|
29-Sep-2014 |
Pavel Reichl <preichl@redhat.com> |
PAM: new options pam_trusted_users & pam_public_domains
pam_public_domains option is a list of numerical UIDs or user names
that are trusted.
pam_public_domains option is a list of domains accessible even for
untrusted users.
Based on:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
f2b40ec8a4158fec75873828e4980965abbe7f66 |
|
08-Sep-2014 |
Yassir Elley <yelley@redhat.com> |
AD-GPO: config changes for gpo_map_* options
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
5668d294a39326f7024cbf24333e33ee970caf2d |
|
27-Aug-2014 |
Pavel Reichl <preichl@redhat.com> |
SDAP: new option - DN to ppolicy on LDAP
To check value of pwdLockout attribute on LDAP server, DN of ppolicy
must be set.
Resolves:
https://fedorahosted.org/sssd/ticket/2364
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
1f3127e88a87953f059c9a70d3582ae1719594b1 |
|
13-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
Only replace space with the specified substitution
https://fedorahosted.org/sssd/ticket/2397
- make sss_replace_whitespaces only replace space (' ') not any
whitespace
- make sss_replace_whitespaces only replace a single char, not the whole
string
- rename CONFDB_NSS_OVERRIDE_DEFAULT_WHITESPACE to
CONFDB_NSS_OVERRIDE_DEFAULT_SPACE
- rename the override_default_whitespace option to override_space
- rename sss_replace_whitespaces() to sss_replace_space()
- rename sss_reverse_replace_whitespaces() to sss_reverse_replace_space()
- rename nctx->override_default_wsp_str to nctx->override_space
- make the return value of sss_replace_space non-const to avoid freeing
the result without compilation warnings
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
ff4b603cc14ea6ea15caaf89a03e927920124af4 |
|
31-Jul-2014 |
Yassir Elley <yelley@redhat.com> |
AD-GPO: add ad_gpo_cache_timeout option
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
21bc143c2855638242e9dfe01ea66198b5883b8a |
|
28-Jul-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
NSS: Replace spaces with specified string in names.
This patch add possibility to replace whitespace in user and group names with
a specified string. With string "-", sssd will return the same result as
winbind enabled option "winbind normalize names"
Resolves:
https://fedorahosted.org/sssd/ticket/1854
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com> |
dfb2960ab251f609466fa660449703835c97f99a |
|
25-Jul-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Remove unused option ldap_user_uuid
There is problem with OpenLDAP server and dereferencing of attributes
that is not in the schema of the server?
sh-4.2$ ldapsearch -x -LLL -h openldap.server.test -b 'dc=example,dc=com' \
-E 'deref=member:uid,dummy_attr' cn=ref_grp
Protocol error (2)
Additional information: Dereference control: attribute decoding error
sh-4.2$ echo $?
2
The attribute nsUniqueID is a 389-only, non-standard attribute.
It is an operational attribute that is not in the rfc2307bis nor inetOrgPerson
nor posixAccount schema. It was a default value of option ldap_user_uuid,
but it was not use anywhere.
Resolves:
https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b5242c146cc0ca96e2b898a74fb060efda15bc77 |
|
25-Jul-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Remove unused option ldap_group_uuid
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
87ff519b472568b19809963ca860d2182e874fcd |
|
25-Jul-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Remove unused option ldap_netgroup_uuid
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
7c30e60c525ea798aaab142766ff00eef4b5df3b |
|
15-Jul-2014 |
Pavel Březina <pbrezina@redhat.com> |
sudo: fetch sudoRunAs attribute
This attribute was used in pre 1.7 versions of sudo and it is now
deprecated by sudoRunAsUser and sudoRunAsGroup. However, some users
still use this attribute so we need to support it to ensure backward
compatibility.
This patch makes sure that this attribute is downloaded if present and
provided to sudo. Sudo than decides how to handle it.
The new mapping option is not present in a man page since this
attribute is deprecated in sudo for a very long time.
Resolves:
https://fedorahosted.org/sssd/ticket/2212
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
69994add9cd4e57d40b3b7a0b1783ef2d0aa974c |
|
02-Jun-2014 |
Pavel Reichl <preichl@redhat.com> |
SDAP: Add option to disable use of Token-Groups
Disabling use of Token-Groups is mandatory if expansion of nested groups is not
desired (ldap_group_nesting_level = 0) for AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2294
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
770dc892f867639f36f84455d65be6287935a529 |
|
13-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Per-attribute ACL for users
Introduces a new option called user_attributes that allows to specify
which user attributes are allowed to be queried from the IFP responder.
By default only the default POSIX set is allowed, this option allows to
either add other attributes (+attrname) or remove them from the default
set (-attrname).
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
60cab26b12df9a2153823972cde0c38ca86e01b9 |
|
13-May-2014 |
Yassir Elley <yelley@redhat.com> |
Implemented LDAP component of GPO-based access control
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
3660f49f81e4db07be66fe0887af9d62065f1f2c |
|
13-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: use a list of allowed_uids for authentication
Similar to the PAC responder, the InfoPipe uses a list of UIDs that are
allowed to communicate with the IFP responder.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com> |
4dd38025efda88f123eac672f87d3cda12f050c8 |
|
02-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Make it possible to extend an attribute map
https://fedorahosted.org/sssd/ticket/2073
This commit adds a new option ldap_user_extra_attrs that is unset by
default. When set, the option contains a list of LDAP attributes the LDAP
provider would download and store in addition to the usual set.
The list can either contain LDAP attribute names only, or colon-separated
tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP
attribute name is specified, the attribute is saved to the cache verbatim.
Using a custom SSSD attribute name might be required by environments that
configure several SSSD domains with different LDAP schemas.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
9ac564a9155e546571a36a73ae1553f1708af469 |
|
16-Apr-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
ConfigAPI: Add two missing AD options
Reviewed-by: Sumit Bose <sbose@redhat.com> |
17f08cbd0f909181536b93d6c12c7cd69995f09e |
|
02-Mar-2014 |
Sumit Bose <sbose@redhat.com> |
config API: read only specific files from schemaplugindir
Currently the config API read any file in the schema plugin dir,
typically /usr/share/sssd/sssd.api.d. If there are any unexpected files,
like e.g. editor copies or backups, the python code might break because
it cannot parse the files.
With this patch only files matching the pattern '^sssd-.*\.conf$' are
read from this directory.
Additionally this patch contains a file which will break the config API
self test if it is not filtered out correctly.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> |
022456e93c9b175ce3774afe524e3926f41ba80f |
|
19-Dec-2013 |
Sumit Bose <sbose@redhat.com> |
Add new option ldap_group_type |
cd4cc8d8829f1ea5257bf874b91980368114275f |
|
25-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
dp: make subdomains refresh interval configurable
This patch makes the refresh of available subdomains configurable.
New option:
subdomain_refresh_interval (undocumented)
Resolves:
https://fedorahosted.org/sssd/ticket/1968 |
33c865412732554ef255e93c4e7a58b0bce963c6 |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Add a new option to control subdomain enumeration |
eceefd520802efe356d413a13247c5f68d8e27c8 |
|
28-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Add now options ldap_min_id and ldap_max_id
Currently the range for Posix IDs stored in an LDAP server is unbound.
This might lead to conflicts in a setup with AD and trusts when the
configured domain uses IDs from LDAP. With the two noe options this
conflict can be avoided. |
14452cd066b51e32ca0ebad6c45ae909a1debe57 |
|
10-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
A new option krb5_use_kdcinfo
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf |
0cf0e2d758d09e9b314ba72ce6638df10b258462 |
|
10-Jun-2013 |
Pavel Březina <pbrezina@redhat.com> |
back end: add refresh expired records periodic task
https://fedorahosted.org/sssd/ticket/1713
Add new option refresh_expired_interval. |
6263578b03a52b3ec3a2e33e097554241780fc20 |
|
23-May-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Adding option to disable retrieving large AD groups.
This commit adds new option ldap_disable_range_retrieval with default value
FALSE. If this option is enabled, large groups(>1500) will not be retrieved and
behaviour will be similar like was before commit ae8d047122c
"LDAP: Handle very large Active Directory groups"
https://fedorahosted.org/sssd/ticket/1823 |
e15a9f81eb33066937710d7dee6976a3646d119c |
|
03-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
dyndns: new option dyndns_auth
This options is mostly provided for future expansion. Currently it is
undocumented and both IPA and AD dynamic DNS updates default to
GSS-TSIG. Allowed values are GSS-TSIG and none. |
e45b81abe0aafa8a04bd64ac31a2fac63ce675b7 |
|
03-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
dyndns: new option dyndns_force_tcp
https://fedorahosted.org/sssd/ticket/1831
Adds a new option that can be used to force nsupdate to only use TCP to
communicate with the DNS server. |
38ebc764eeb7693e0c4f0894d6687e54fbba871b |
|
03-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
dyndns: New option dyndns_update_ptr
https://fedorahosted.org/sssd/ticket/1832
While some servers, such as FreeIPA allow the PTR record to be
synchronized when the forward record is updated, other servers,
including Active Directory, require that the PTR record is synchronized
manually.
This patch adds a new option, dyndns_update_ptr that automatically
generates appropriate DNS update message for updating the reverse zone.
This option is off by default in the IPA provider.
Also renames be_nsupdate_create_msg to be_nsupdate_create_fwd_msg |
5a4239490c7fb7d732180a9d40f27f0247c56631 |
|
03-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
dyndns: new option dyndns_refresh_interval
This new options adds the possibility of updating the DNS entries
periodically regardless if they have changed or not. This feature
will be useful mainly in AD environments where the Windows clients
periodically update their DNS records. |
04868f1573f4b26ef34610b6d7069172f93bd8ab |
|
03-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Convert IPA-specific options to be back-end agnostic
This patch introduces new options for dynamic DNS updates that are not
specific to any back end. The current ipa dyndns options are still
usable, just with a deprecation warning. |
a679f0167b646cffdae86546ed77e105576991b0 |
|
02-May-2013 |
Pavel Březina <pbrezina@redhat.com> |
DNS sites support - add AD SRV plugin
https://fedorahosted.org/sssd/ticket/1032 |
edaa983d094c239c3e1ba667bcd20ed3934be3b8 |
|
22-Apr-2013 |
Sumit Bose <sbose@redhat.com> |
Allow usage of enterprise principals
Enterprise principals are currently most useful for the AD provider and
hence enabled here by default while for the other Kerberos based
authentication providers they are disabled by default.
If additional UPN suffixes are configured for the AD domain the user
principal stored in the AD LDAP server might not contain the real
Kerberos realm of the AD domain but one of the additional suffixes which
might be completely randomly chooses, e.g. are not related to any
existing DNS domain. This make it hard for a client to figure out the
right KDC to send requests to.
To get around this enterprise principals (see
http://tools.ietf.org/html/rfc6806 for details) were introduced.
Basically a default realm is added to the principal so that the Kerberos
client libraries at least know where to send the request to. It is not
in the responsibility of the KDC to either handle the request itself,
return a client referral if he thinks a different KDC can handle the
request or return and error. This feature is also use to allow
authentication in AD environments with cross forest trusts.
Fixes https://fedorahosted.org/sssd/ticket/1842 |
88275cccddf39892e01682b39b02292eb74729bd |
|
10-Apr-2013 |
Pavel Březina <pbrezina@redhat.com> |
DNS sites support - add IPA SRV plugin
https://fedorahosted.org/sssd/ticket/1032 |
ba4378f49914e65a7d687a872d9b938173841154 |
|
19-Mar-2013 |
Michal Zidek <mzidek@redhat.com> |
Make the SELinux refresh time configurable.
Option ipa_selinux_refresh is added to basic ipa options. |
59f136cd254d1acf2991c97221eb08803784777d |
|
15-Nov-2012 |
Paul B. Henson <henson@acm.org> |
Add ignore_group_members option.
https://fedorahosted.org/sssd/ticket/1376 |
4fb12db7504920d12ea7db71f312334c877bff7c |
|
16-Oct-2012 |
James Hogarth <james.hogarth@gmail.com> |
Make TTL configurable for dynamic dns updates |
3882325ff60f89d0c312e9519bdfd1351978fd73 |
|
05-Oct-2012 |
Jan Cholasta <jcholast@redhat.com> |
SSH: Expire hosts in known_hosts |
e9cbbaf5b12a2d7aad69337d9d396449068a7786 |
|
01-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Document ldap_chpass_update_last_change
Add the option to the manual page and the configAPI
https://fedorahosted.org/sssd/ticket/1494 |
1542b85f13d72329685bdd97aa879c36d11f81be |
|
01-Oct-2012 |
Sumit Bose <sbose@redhat.com> |
Add new option default_domain_suffix |
bf960d6a15feffff26dff782a876cb0b6e7dd935 |
|
05-Aug-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
SSSDConfig: Fix nonfunctional SSSDDomain.remove_provider()
Also adds a regression test to the unit test suite.
https://fedorahosted.org/sssd/ticket/1388 |
294e9a5521d327c5cdc49beeb9cb9e703b3134f1 |
|
01-Aug-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Primary server support: new option in AD provider
This patch adds support for new config option ad_backup_server. The
description of this option's functionality is included in man page in
one of previous patches. |
46118ee53dc0d25e449cd7e37e624a4c62b78ee2 |
|
01-Aug-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Primary server support: new option in IPA provider
This patch adds support for new config option ipa_backup_server. The
description of this option's functionality is included in man page in
one of previous patches. |
07b7b76d7cd494cbd26263503ba2732c21819941 |
|
01-Aug-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Primary server support: new options in krb5 provider
This patch adds support for new config options krb5_backup_server and
krb5_backup_kpasswd. The description of this option's functionality
is included in man page in one of previous patches. |
f6cd1236c27817b97db002094b76648d92b55f82 |
|
01-Aug-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Primary server support: new option in ldap provider
This patch adds support for new config option ldap_backup_uri. The
description of this option's functionality is included in man page in
previous patch. |
695bca9d2f73096254308e0883fcc74b2631850e |
|
20-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
NSS: Add override_shell option
If override_shell is specified in the [nss] section, all users
managed by SSSD will have their shell set to this value. If it is
specified in the [domain/DOMAINNAME] section, it will apply to
only that domain (and override the [nss] value, if any).
https://fedorahosted.org/sssd/ticket/1087 |
2d257ccf620ce1b611f89cec8f0a94c88c2f2881 |
|
10-Jul-2012 |
Sumit Bose <sbose@redhat.com> |
pac responder: limit access by checking UIDs
A check for allowed UIDs is added in the common responder code directly
after accept(). If the platform does not support reading the UID of the
peer but allowed UIDs are configured, access is denied.
Currently only the PAC responder sets the allowed UIDs for a socket. The
default is that only root is allowed to access the socket of the PAC
responder.
Fixes: https://fedorahosted.org/sssd/ticket/1382 |
03532fb1cbb7e8c1d5cf2e93aa3719f926631cab |
|
06-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
AD: Add manpages and SSSDConfig entries |
9af677f3bae3a7c1386867e4d42970555b3d6b9a |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo: add host info options
Adds some option that allows to manually configure a host filter.
ldap_sudo_use_host_filter - if false, we will download all rules regardless their sudoHost attribute
ldap_sudo_hostnames - list hostnames and/or fqdn that should be downloaded, separated with spaces
ldap_sudo_ip - list of IPv4/6 address and/or network that should be downloaded, separated with spaces
ldap_sudo_include_netgroups - include rules that contains netgroup in sudoHost
ldap_sudo_include_regexp - include rules that contains regular expression in sudoHost |
dfafb437f49d31e015184e212571e9917aa94eef |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo: clean up |
db26b4a6f2be8f087987ee6b15008b16350174d0 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo provider: add ldap_sudo_smart_refresh_interval |
44bff89750c5451112d4ef7a10b6d9d0c8442f85 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo provider: remove old timer |
9f714651c7d21908c94b70fc755697a3b220a22f |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo provider: add ldap_sudo_full_refresh_interval |
da9fd6373b94a49b748542ab568997b9e2421972 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
confdb: add entry_cache_sudo_timeout option |
386a66b1aa18a176e6a06fa126556c9590c373b6 |
|
21-Jun-2012 |
Sumit Bose <sbose@redhat.com> |
Add support for ID ranges |
bb79e7559dae451a14150377099e32d6b5159a6c |
|
18-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Make the client idle timeout configurable |
3963d3fa9e3099bc02d612b5051d8b769d6e3a75 |
|
13-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add ldap_*_use_matching_rule_in_chain options |
e9f08ebaba5ec61af74c112f50c7d66257998c97 |
|
10-Jun-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Allow fast memcache timeout to be configurable
https://fedorahosted.org/sssd/ticket/1318 |
84c611c1b7c04cc7735ab54d4e5f48284b79e6fb |
|
10-Jun-2012 |
Jan Zeleny <jzeleny@redhat.com> |
IPA subdomains - ask for information about master domain
The query is performed only if there is missing information in the
cache. That means this should be done only once after restart when cache
doesn't exist. All subsequent requests for subdomains won't include the
request for master domain. |
0fe2b52d476afbc7ea0c9e0740cd7cf364ca8d23 |
|
05-Jun-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix the default sssd.conf path |
f1ce53a3b5656361557f80f61dfd42a371230c65 |
|
31-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
SSSDConfig: Make default config and schema file locations configurable
https://fedorahosted.org/sssd/ticket/1008 |