History log of /sssd/src/providers/ad/ad_init.c
Revision Date Author Comments
3d29430867cf92b2d71afa95abb679711231117c 15-Jul-2016 Pavel Březina <pbrezina@redhat.com>

DP: rename be_acct_req to dp_id_data Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

ad_id.c ad_id.h ad_init.c ad_pac.c ad_pac.h /sssd/src/providers/data_provider/dp_custom_data.h /sssd/src/providers/data_provider/dp_target_id.c /sssd/src/providers/ipa/ipa_id.c /sssd/src/providers/ipa/ipa_id.h /sssd/src/providers/ipa/ipa_init.c /sssd/src/providers/ipa/ipa_s2n_exop.c /sssd/src/providers/ipa/ipa_subdomains.h /sssd/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd/src/providers/ipa/ipa_subdomains_id.c /sssd/src/providers/ipa/ipa_views.c /sssd/src/providers/ldap/ldap_common.h /sssd/src/providers/ldap/ldap_id.c /sssd/src/providers/ldap/ldap_init.c /sssd/src/providers/ldap/sdap_refresh.c /sssd/src/providers/proxy/proxy.h /sssd/src/providers/proxy/proxy_id.c /sssd/src/providers/proxy/proxy_init.c /sssd/src/providers/simple/simple_access_check.c /sssd/src/tests/cmocka/test_ad_common.c
dea636af4d1902a081ee891f1b19ee2f8729d759 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

DP: Switch to new interface Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

/sssd/Makefile.am ad_access.c ad_access.h ad_autofs.c ad_common.h ad_id.c ad_id.h ad_init.c ad_subdomains.c ad_subdomains.h ad_sudo.c /sssd/src/providers/backend.h /sssd/src/providers/data_provider/dp_custom_data.h /sssd/src/providers/data_provider/dp_iface.c /sssd/src/providers/data_provider/dp_iface.h /sssd/src/providers/data_provider/dp_target_auth.c /sssd/src/providers/data_provider/dp_target_autofs.c /sssd/src/providers/data_provider/dp_target_hostid.c /sssd/src/providers/data_provider/dp_target_id.c /sssd/src/providers/data_provider/dp_target_subdomains.c /sssd/src/providers/data_provider/dp_target_sudo.c /sssd/src/providers/data_provider_be.c /sssd/src/providers/data_provider_req.c /sssd/src/providers/data_provider_req.h /sssd/src/providers/ipa/ipa_access.c /sssd/src/providers/ipa/ipa_access.h /sssd/src/providers/ipa/ipa_auth.c /sssd/src/providers/ipa/ipa_auth.h /sssd/src/providers/ipa/ipa_autofs.c /sssd/src/providers/ipa/ipa_common.h /sssd/src/providers/ipa/ipa_hbac_common.c /sssd/src/providers/ipa/ipa_hostid.c /sssd/src/providers/ipa/ipa_hostid.h /sssd/src/providers/ipa/ipa_id.c /sssd/src/providers/ipa/ipa_id.h /sssd/src/providers/ipa/ipa_init.c /sssd/src/providers/ipa/ipa_selinux.c /sssd/src/providers/ipa/ipa_selinux.h /sssd/src/providers/ipa/ipa_subdomains.c /sssd/src/providers/ipa/ipa_subdomains.h /sssd/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd/src/providers/ipa/ipa_subdomains_id.c /sssd/src/providers/ipa/ipa_subdomains_server.c /sssd/src/providers/ipa/ipa_sudo.c /sssd/src/providers/krb5/krb5_auth.c /sssd/src/providers/krb5/krb5_auth.h /sssd/src/providers/krb5/krb5_common.h /sssd/src/providers/krb5/krb5_init.c /sssd/src/providers/ldap/ldap_access.c /sssd/src/providers/ldap/ldap_auth.c /sssd/src/providers/ldap/ldap_common.c /sssd/src/providers/ldap/ldap_common.h /sssd/src/providers/ldap/ldap_id.c /sssd/src/providers/ldap/ldap_init.c /sssd/src/providers/ldap/sdap_access.h /sssd/src/providers/ldap/sdap_autofs.c 
/sssd/src/providers/ldap/sdap_autofs.h /sssd/src/providers/ldap/sdap_idmap.c /sssd/src/providers/ldap/sdap_online_check.c /sssd/src/providers/ldap/sdap_sudo.c /sssd/src/providers/ldap/sdap_sudo.h /sssd/src/providers/proxy/proxy.h /sssd/src/providers/proxy/proxy_auth.c /sssd/src/providers/proxy/proxy_client.c /sssd/src/providers/proxy/proxy_id.c /sssd/src/providers/proxy/proxy_init.c /sssd/src/providers/simple/simple_access.c /sssd/src/providers/simple/simple_access_check.c /sssd/src/responder/autofs/autofssrv_dp.c /sssd/src/responder/common/responder_dp.c /sssd/src/responder/ssh/sshsrv_dp.c /sssd/src/responder/sudo/sudosrv_dp.c /sssd/src/tests/cmocka/test_nested_groups.c /sssd/src/tests/simple_access-tests.c
892ddeb5190dd5c1ffa26a95142a10a0034fc5e3 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

Rename dp_dyndns.h to be_dyndns.h Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

9a6ff0851fc707f21165818f66ae926fa14d7226 07-Jun-2016 Petr Cech <pcech@redhat.com>

AD_PROVIDER: Fix constant char * This patch fixes loading of ad_domain option. It is declared like const, so we should use dp_opt_get_cstring() instead of dp_opt_get_string(). Reviewed-by: Sumit Bose <sbose@redhat.com>

5f7cd30c865046a7ea69944f7e07c85b4c43465a 19-Jan-2016 Sumit Bose <sbose@redhat.com>

AD: add task to renew the machine account password if needed AD expects its clients to renew the machine account password on a regular basis, by default every 30 days. Even if a client does not renew the password it might not cause issues because AD does not enforce the renewal. But the password age might be used to identify unused machine accounts in large environments which might get disabled or deleted automatically. With this patch SSSD calls an external program to check the age of the machine account password and renew it if needed. Currently 'adcli' is used as external program which is able to renew the password since version 0.8.0. Resolves https://fedorahosted.org/sssd/ticket/1041 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

03b859510dc13a13a456ca4aa94c0561a0e9684c 26-Nov-2015 Jakub Hrozek <jhrozek@redhat.com>

AD: Add autofs provider https://fedorahosted.org/sssd/ticket/1632 Adds the possibility to configure: autofs_provider = ad The AD autofs provider uses the rfc2307 (nis*) attribute maps. This is different (at the moment) from using autofs_provider=ldap with ldap_schema=ad. Reviewed-by: Ondrej Valousek <ondrejv2@fedoraproject.org> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

bfa5e3869bb68213f08169efe55c45cb625e8fd0 01-Sep-2015 Pavel Reichl <preichl@redhat.com>

AD: send less logs to syslog Create new callback that handles logging messages in cyrus sasl library. Resolves: https://fedorahosted.org/sssd/ticket/2561 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 17-Mar-2015 Lukas Slebodnik <lslebodn@redhat.com>

Add missing new lines to debug messages Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd/src/confdb/confdb_setup.c /sssd/src/db/sysdb_autofs.c /sssd/src/db/sysdb_sudo.c /sssd/src/db/sysdb_views.c /sssd/src/monitor/monitor.c /sssd/src/monitor/monitor_netlink.c ad_common.c ad_init.c ad_subdomains.c /sssd/src/providers/data_provider_be.c /sssd/src/providers/dp_dyndns.c /sssd/src/providers/dp_ptask.c /sssd/src/providers/ipa/ipa_access.c /sssd/src/providers/ipa/ipa_hbac_rules.c /sssd/src/providers/ipa/ipa_hostid.c /sssd/src/providers/ipa/ipa_selinux.c /sssd/src/providers/ipa/ipa_subdomains.c /sssd/src/providers/krb5/krb5_child.c /sssd/src/providers/krb5/krb5_wait_queue.c /sssd/src/providers/ldap/ldap_id.c /sssd/src/providers/ldap/sdap.c /sssd/src/providers/ldap/sdap_async.c /sssd/src/providers/ldap/sdap_async_connection.c /sssd/src/providers/ldap/sdap_async_initgroups.c /sssd/src/providers/ldap/sdap_utils.c /sssd/src/responder/autofs/autofssrv_cmd.c /sssd/src/responder/common/responder_dp.c /sssd/src/responder/nss/nsssrv_cmd.c /sssd/src/responder/nss/nsssrv_netgroup.c /sssd/src/responder/pac/pacsrv_cmd.c /sssd/src/responder/pac/pacsrv_utils.c /sssd/src/responder/pam/pamsrv.c /sssd/src/responder/sudo/sudosrv_get_sudorules.c /sssd/src/responder/sudo/sudosrv_query.c /sssd/src/sbus/sssd_dbus_server.c /sssd/src/tests/krb5_child-test.c /sssd/src/tools/files.c /sssd/src/tools/sss_sync_ops.c /sssd/src/util/debug.c /sssd/src/util/domain_info_utils.c /sssd/src/util/find_uid.c /sssd/src/util/server.c /sssd/src/util/sss_ini.c /sssd/src/util/sss_krb5.c /sssd/src/util/sss_semanage.c /sssd/src/util/usertools.c
17531a398cc9084036cb08d69fe876a8f12707bb 08-Mar-2015 Pavel Březina <pbrezina@redhat.com>

be_refresh: add sdap_refresh_init Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

e438fbf102c3d787902504bdae177e84230cbbc9 26-Jan-2015 Pavel Reichl <preichl@redhat.com>

AD: support for AD site override Override AD site found during DNS discovery. Resolves: https://fedorahosted.org/sssd/ticket/2486 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

a8356a0c98ee44e7256bb1c7767159c70e1fc218 08-Sep-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: processing changes for gpo_map_* options Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

ff4b603cc14ea6ea15caaf89a03e927920124af4 31-Jul-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: add ad_gpo_cache_timeout option Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

60cab26b12df9a2153823972cde0c38ca86e01b9 13-May-2014 Yassir Elley <yelley@redhat.com>

Implemented LDAP component of GPO-based access control Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

61804568ce5ede3b1a699cda17c033dd6c23f0e3 02-Mar-2014 Sumit Bose <sbose@redhat.com>

SUDO: AD provider This patch adds the sudo target to the AD provider. The main reason is to cover different default settings in the LDAP and AD provider. E.g. the default for ldap_id_mapping is True in the AD provider and False in the LDAP provider. If ldap_id_mapping was not set explicitly in the config file both components worked with different setting. Fixes https://fedorahosted.org/sssd/ticket/2256 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

a3c8390d19593b1e5277d95bfb4ab206d4785150 12-Feb-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code:

    grep -rwl --include '*.[hc]' DEBUG . |
        while read f; do
            mv "$f"{,.orig}
            perl -e \
                'use strict;
                 use File::Slurp;
                 my $text=read_file(\*STDIN);
                 $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
                 print $text;' < "$f.orig" > "$f"
            rm "$f.orig"
        done

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

/sssd/src/confdb/confdb.c /sssd/src/confdb/confdb_setup.c /sssd/src/db/sysdb.c /sssd/src/db/sysdb_autofs.c /sssd/src/db/sysdb_idmap.c /sssd/src/db/sysdb_ops.c /sssd/src/db/sysdb_ranges.c /sssd/src/db/sysdb_search.c /sssd/src/db/sysdb_selinux.c /sssd/src/db/sysdb_services.c /sssd/src/db/sysdb_ssh.c /sssd/src/db/sysdb_subdomains.c /sssd/src/db/sysdb_sudo.c /sssd/src/db/sysdb_upgrade.c /sssd/src/monitor/monitor.c /sssd/src/monitor/monitor_netlink.c /sssd/src/monitor/monitor_sbus.c ad_access.c ad_common.c ad_domain_info.c ad_dyndns.c ad_id.c ad_init.c ad_srv.c ad_subdomains.c /sssd/src/providers/data_provider_be.c /sssd/src/providers/data_provider_callbacks.c /sssd/src/providers/data_provider_fo.c /sssd/src/providers/data_provider_opts.c /sssd/src/providers/dp_auth_util.c /sssd/src/providers/dp_dyndns.c /sssd/src/providers/dp_pam_data_util.c /sssd/src/providers/dp_ptask.c /sssd/src/providers/dp_refresh.c /sssd/src/providers/fail_over.c /sssd/src/providers/fail_over_srv.c /sssd/src/providers/ipa/ipa_access.c /sssd/src/providers/ipa/ipa_auth.c /sssd/src/providers/ipa/ipa_autofs.c /sssd/src/providers/ipa/ipa_common.c /sssd/src/providers/ipa/ipa_config.c /sssd/src/providers/ipa/ipa_dyndns.c /sssd/src/providers/ipa/ipa_hbac_common.c /sssd/src/providers/ipa/ipa_hbac_hosts.c /sssd/src/providers/ipa/ipa_hbac_rules.c /sssd/src/providers/ipa/ipa_hbac_services.c /sssd/src/providers/ipa/ipa_hbac_users.c /sssd/src/providers/ipa/ipa_hostid.c /sssd/src/providers/ipa/ipa_hosts.c /sssd/src/providers/ipa/ipa_id.c /sssd/src/providers/ipa/ipa_idmap.c /sssd/src/providers/ipa/ipa_init.c /sssd/src/providers/ipa/ipa_netgroups.c /sssd/src/providers/ipa/ipa_s2n_exop.c /sssd/src/providers/ipa/ipa_selinux.c /sssd/src/providers/ipa/ipa_selinux_maps.c /sssd/src/providers/ipa/ipa_srv.c /sssd/src/providers/ipa/ipa_subdomains.c /sssd/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd/src/providers/ipa/ipa_subdomains_id.c /sssd/src/providers/ipa/ipa_sudo.c /sssd/src/providers/krb5/krb5_access.c 
/sssd/src/providers/krb5/krb5_auth.c /sssd/src/providers/krb5/krb5_become_user.c /sssd/src/providers/krb5/krb5_child.c /sssd/src/providers/krb5/krb5_child_handler.c /sssd/src/providers/krb5/krb5_common.c /sssd/src/providers/krb5/krb5_delayed_online_authentication.c /sssd/src/providers/krb5/krb5_init.c /sssd/src/providers/krb5/krb5_init_shared.c /sssd/src/providers/krb5/krb5_renew_tgt.c /sssd/src/providers/krb5/krb5_utils.c /sssd/src/providers/krb5/krb5_wait_queue.c /sssd/src/providers/ldap/ldap_access.c /sssd/src/providers/ldap/ldap_auth.c /sssd/src/providers/ldap/ldap_child.c /sssd/src/providers/ldap/ldap_common.c /sssd/src/providers/ldap/ldap_id.c /sssd/src/providers/ldap/ldap_id_cleanup.c /sssd/src/providers/ldap/ldap_id_enum.c /sssd/src/providers/ldap/ldap_id_netgroup.c /sssd/src/providers/ldap/ldap_id_services.c /sssd/src/providers/ldap/ldap_init.c /sssd/src/providers/ldap/sdap.c /sssd/src/providers/ldap/sdap_access.c /sssd/src/providers/ldap/sdap_async.c /sssd/src/providers/ldap/sdap_async_autofs.c /sssd/src/providers/ldap/sdap_async_connection.c /sssd/src/providers/ldap/sdap_async_enum.c /sssd/src/providers/ldap/sdap_async_groups.c /sssd/src/providers/ldap/sdap_async_groups_ad.c /sssd/src/providers/ldap/sdap_async_initgroups.c /sssd/src/providers/ldap/sdap_async_initgroups_ad.c /sssd/src/providers/ldap/sdap_async_nested_groups.c /sssd/src/providers/ldap/sdap_async_netgroups.c /sssd/src/providers/ldap/sdap_async_services.c /sssd/src/providers/ldap/sdap_async_sudo.c /sssd/src/providers/ldap/sdap_async_sudo_hostinfo.c /sssd/src/providers/ldap/sdap_async_sudo_timer.c /sssd/src/providers/ldap/sdap_async_users.c /sssd/src/providers/ldap/sdap_autofs.c /sssd/src/providers/ldap/sdap_child_helpers.c /sssd/src/providers/ldap/sdap_dyndns.c /sssd/src/providers/ldap/sdap_fd_events.c /sssd/src/providers/ldap/sdap_id_op.c /sssd/src/providers/ldap/sdap_idmap.c /sssd/src/providers/ldap/sdap_range.c /sssd/src/providers/ldap/sdap_refresh.c /sssd/src/providers/ldap/sdap_reinit.c 
/sssd/src/providers/ldap/sdap_sudo.c /sssd/src/providers/ldap/sdap_sudo_cache.c /sssd/src/providers/proxy/proxy_auth.c /sssd/src/providers/proxy/proxy_child.c /sssd/src/providers/proxy/proxy_id.c /sssd/src/providers/proxy/proxy_init.c /sssd/src/providers/proxy/proxy_netgroup.c /sssd/src/providers/proxy/proxy_services.c /sssd/src/providers/simple/simple_access.c /sssd/src/providers/simple/simple_access_check.c /sssd/src/resolv/async_resolv.c /sssd/src/resolv/async_resolv_utils.c /sssd/src/responder/autofs/autofssrv.c /sssd/src/responder/autofs/autofssrv_cmd.c /sssd/src/responder/autofs/autofssrv_dp.c /sssd/src/responder/common/negcache.c /sssd/src/responder/common/responder_cmd.c /sssd/src/responder/common/responder_common.c /sssd/src/responder/common/responder_dp.c /sssd/src/responder/common/responder_get_domains.c /sssd/src/responder/nss/nsssrv.c /sssd/src/responder/nss/nsssrv_cmd.c /sssd/src/responder/nss/nsssrv_mmap_cache.c /sssd/src/responder/nss/nsssrv_netgroup.c /sssd/src/responder/nss/nsssrv_private.h /sssd/src/responder/nss/nsssrv_services.c /sssd/src/responder/pac/pacsrv.c /sssd/src/responder/pac/pacsrv_cmd.c /sssd/src/responder/pac/pacsrv_utils.c /sssd/src/responder/pam/pam_LOCAL_domain.c /sssd/src/responder/pam/pam_helpers.c /sssd/src/responder/pam/pamsrv.c /sssd/src/responder/pam/pamsrv_cmd.c /sssd/src/responder/pam/pamsrv_dp.c /sssd/src/responder/ssh/sshsrv.c /sssd/src/responder/ssh/sshsrv_cmd.c /sssd/src/responder/ssh/sshsrv_dp.c /sssd/src/responder/sudo/sudosrv.c /sssd/src/responder/sudo/sudosrv_cmd.c /sssd/src/responder/sudo/sudosrv_dp.c /sssd/src/responder/sudo/sudosrv_get_sudorules.c /sssd/src/responder/sudo/sudosrv_query.c /sssd/src/sbus/sbus_client.c /sssd/src/sbus/sssd_dbus_common.c /sssd/src/sbus/sssd_dbus_connection.c /sssd/src/sbus/sssd_dbus_server.c /sssd/src/sss_client/ssh/sss_ssh_authorizedkeys.c /sssd/src/sss_client/ssh/sss_ssh_knownhostsproxy.c /sssd/src/tests/auth-tests.c /sssd/src/tests/cmocka/test_dyndns.c 
/sssd/src/tests/cmocka/test_fqnames.c /sssd/src/tests/cmocka/test_nss_srv.c /sssd/src/tests/cmocka/test_utils.c /sssd/src/tests/common_dom.c /sssd/src/tests/common_tev.c /sssd/src/tests/debug-tests.c /sssd/src/tests/files-tests.c /sssd/src/tests/krb5_child-test.c /sssd/src/tests/resolv-tests.c /sssd/src/tests/simple_access-tests.c /sssd/src/tests/sysdb-tests.c /sssd/src/tests/sysdb_ssh-tests.c /sssd/src/tools/files.c /sssd/src/tools/selinux.c /sssd/src/tools/sss_cache.c /sssd/src/tools/sss_debuglevel.c /sssd/src/tools/sss_groupadd.c /sssd/src/tools/sss_groupdel.c /sssd/src/tools/sss_groupmod.c /sssd/src/tools/sss_groupshow.c /sssd/src/tools/sss_seed.c /sssd/src/tools/sss_sync_ops.c /sssd/src/tools/sss_useradd.c /sssd/src/tools/sss_userdel.c /sssd/src/tools/sss_usermod.c /sssd/src/tools/tools_mc_util.c /sssd/src/tools/tools_util.c /sssd/src/tools/tools_util.h /sssd/src/util/authtok.c /sssd/src/util/backup_file.c /sssd/src/util/check_and_open.c /sssd/src/util/child_common.c /sssd/src/util/crypto/libcrypto/crypto_base64.c /sssd/src/util/crypto/libcrypto/crypto_obfuscate.c /sssd/src/util/crypto/nss/nss_obfuscate.c /sssd/src/util/crypto/nss/nss_util.c /sssd/src/util/debug.c /sssd/src/util/domain_info_utils.c /sssd/src/util/find_uid.c /sssd/src/util/nscd.c /sssd/src/util/server.c /sssd/src/util/signal.c /sssd/src/util/sss_ini.c /sssd/src/util/sss_krb5.c /sssd/src/util/sss_krb5.h /sssd/src/util/sss_ldap.c /sssd/src/util/sss_nss.c /sssd/src/util/sss_selinux.c /sssd/src/util/sss_ssh.c /sssd/src/util/sss_tc_utf8.c /sssd/src/util/user_info_msg.c /sssd/src/util/usertools.c /sssd/src/util/util.c /sssd/src/util/util.h /sssd/src/util/util_lock.c /sssd/src/util/well_known_sids.c
f8407faaeb6726bef6463d84f183f2b0ad1f99d4 29-Jan-2014 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Pass a private context to enumeration ptask instead of hardcoded connection Previously, the sdap-domain enumeration request used a single connection context to download all the data. Now we'd like to use different connections to download different objects, so the ID context is passed in and the request itself decides which connection to use for the sdap-domain enumeration.

72ae534f5aef6d2e5d3f2f51299aede5abf9687e 19-Dec-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: Add a utility function to create list of connections ad_id.c and ad_access.c used the same block of code. With the upcoming option to disable GC lookups, we should unify the code in a function to avoid breaking one of the code paths. The same applies for the LDAP connection to the trusted AD DC. Includes a unit test.

008e1ee835602023891ac45408483d87f41e4d5c 19-Dec-2013 Sumit Bose <sbose@redhat.com>

AD: cross-domain membership fix A recent patch directed all calls related to group membership lookups to the AD LDAP port to fix an issue related to missing group memberships in the Global Catalog. As a side-effect it broke cross-domain group-memberships because those cannot be resolved by the connection to the LDAP port. The patch tries to fix this by restoring the original behaviour in the top-level lookup calls in the AD provider and switching to the LDAP port only for the LDAP request which is expected to return the full group membership. Additionally this patch contains a related fix for the tokenGroups with Posix attributes patch. The original connection, typically a Global Catalog connection in the AD case is passed down the stack so that the group lookup after the tokenGroups request can run over the same connection.

1ce58f139699dd26b8888f4131c996263b6a80a5 25-Oct-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: Add extended access filter https://fedorahosted.org/sssd/ticket/2082 Adds a new option that allows the admin to specify a LDAP access filter that can be applied globally, per-domain or per-forest.

67b1fc914190e12ab014c0616b7f0a642fbe6356 25-Oct-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: Search GC by default during access control, fall back to LDAP Resolves: https://fedorahosted.org/sssd/ticket/2082 In order to allow the ad_access_filter option to work for subdomain users as well, the Global Catalog must be searched. This patch adds a wrapper request atop sdap_access_send that selects the right connection (GC or LDAP) and optionally falls back to LDAP.

efe6b4a9d374339cac2528cdeb43720957c6b7c9 25-Oct-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: Use the ad_access_filter if it's set Related: https://fedorahosted.org/sssd/ticket/2082 Currently the AD access control only checks if an account has been expired. This patch amends the logic so that if ad_access_filter is set, it is used automatically.

74802794554e0f87d1354b6788f1719cd7d80a6c 18-Sep-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: Download master domain info when enumerating https://fedorahosted.org/sssd/ticket/2068 With the current design, downloading master domain data was tied to subdomains refresh, triggered by responders. But because enumeration is a background task that can't be triggered on its own, we can't rely on responders to download the master domain data and we need to check the master domain on each enumeration request.

31ad608192c24eb56cf7a8294f6bfc080893193c 18-Sep-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: async request to retrieve master domain info Adds a reusable async request to download the master domain info.

1c4144a6ce68dbd54c7c08a517d1f982ea57f19a 28-Aug-2013 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Make sdap_id_setup_tasks reusable for subdomains Instead of always performing the setup for the main domain, the setup can now be performed for subdomains as well.

483728c1f9719e419830cce93b7e411370a5364b 09-Aug-2013 Ondrej Kos <okos@redhat.com>

AD: Cast SASL callbacks to proper type The initialization of ad_sasl_callbacks raised an incompatible pointer type warning. This was caused because the cyrus-sasl API has changed. The callback function list needs to be cast now.

fb945a2cacc5506a2acb50349670f22078f1d4f5 06-Aug-2013 Simo Sorce <simo@redhat.com>

sssd_ad: Add hackish workaround for sasl ad_compat This tries to set the ad_compat option for sasl, by working around the openldap/sasl initialization as openldap does not allow us to pass down to sasl our own getopt callback. Resolves: https://fedorahosted.org/sssd/ticket/2040

48657b5de36a63b0c13ed5d53065871d59d8f10b 23-Jul-2013 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Do not send PAC in server mode The krb5 child contacts the PAC responder for any user except for the IPA native users if the PAC is configured. This works fine for the general case but the ipa_server_mode is a special one. The PAC responder is there, but since in the server mode we should be operating as AD provider default, the PAC shouldn't be analyzed either in this case.

59415636c92c6e9764ddc65a85ad61002310519d 28-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: initialize failover with custom realm, domain and failover service This is needed so we can initialize failover using IPA realm and on-the-fly discovered DNS domain. The subdomains discovered on-the-fly will use the subdomain name for realm, domain and failover service to avoid conflicts. Subtask of: https://fedorahosted.org/sssd/ticket/1962

ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9 28-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: decouple ad_id_ctx initialization The IPA subdomain code will perform lookups on its own in the server mode. For this, the AD provider must offer a way to initialize the ad_id_ctx for external consumers. Subtask of: https://fedorahosted.org/sssd/ticket/1962

e23f790d0e38a8dce04560e34c189208d146ddd8 17-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

Fix allocation check

8d95aa1b58139002ace4b4418d5391ee7bfc78cb 11-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

Fix allocation check in the AD provider https://fedorahosted.org/sssd/ticket/1976

7b5e7e539ae9312ab55d75aa94feaad549b2a708 10-Jun-2013 Pavel Březina <pbrezina@redhat.com>

providers: refresh expired netgroups https://fedorahosted.org/sssd/ticket/1713

55d80b1301fe969fb4ba2b9481027887b9462dbb 07-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: Add additional service to support Global Catalog lookups When fixed host names of AD servers are configured in the config file, we can't know (unlike when service discovery is at play) if the servers are Global Catalogs or not. This patch adds a private data to servers read from the config file that denote whether the server can be tried for contacting the Global Catalog port or just LDAP. The GC or LDAP URIs are generated based on contents of this private data structure. Because SSSD sticks to a working server, we don't have to disable or remove the faulty GC servers from the list.

dcb44c39dda9699cdd6488fd116a51ced0687de3 07-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

LDAP: sdap_id_ctx might contain several connections With some LDAP server implementations, one server might provide different "views" of the identities on different ports. One example is the Active Directory Global catalog. The provider would contact different view depending on which operation it is performing and against which SSSD domain. At the same time, these views run on the same server, which means the same server options, enumeration, cleanup or Kerberos service should be used. So instead of using several different failover ports or several instances of sdap_id_ctx, this patch introduces a new "struct sdap_id_conn_ctx" that contains the connection cache to the particular view and an instance of "struct sdap_options" that contains the URI. No functional changes are present in this patch, currently all providers use a single connection. Multiple connections will be used later in the upcoming patches.

ad_init.c ad_subdomains.c /sssd/src/providers/ipa/ipa_access.c /sssd/src/providers/ipa/ipa_auth.c /sssd/src/providers/ipa/ipa_hostid.c /sssd/src/providers/ipa/ipa_id.c /sssd/src/providers/ipa/ipa_init.c /sssd/src/providers/ipa/ipa_selinux.c /sssd/src/providers/ipa/ipa_subdomains.c /sssd/src/providers/ipa/ipa_subdomains_id.c /sssd/src/providers/ldap/ldap_common.c /sssd/src/providers/ldap/ldap_common.h /sssd/src/providers/ldap/ldap_id.c /sssd/src/providers/ldap/ldap_id_enum.c /sssd/src/providers/ldap/ldap_id_netgroup.c /sssd/src/providers/ldap/ldap_id_services.c /sssd/src/providers/ldap/ldap_init.c /sssd/src/providers/ldap/sdap_access.c /sssd/src/providers/ldap/sdap_autofs.c /sssd/src/providers/ldap/sdap_dyndns.c /sssd/src/providers/ldap/sdap_id_op.c /sssd/src/providers/ldap/sdap_id_op.h /sssd/src/providers/ldap/sdap_sudo.c
eb64d3406c15dcc5cb42c94488737bdbb9a15655 20-May-2013 Jakub Hrozek <jhrozek@redhat.com>

Remove unneeded parameter of setup_child and namespace it setup_child() was accepting a parameter it didn't use. Also the function name was too generic, so I added a sdap prefix.

4cdaf239d4504966bed8ecd5e3fa07def74c7302 07-May-2013 Sumit Bose <sbose@redhat.com>

AD: read flat name and SID of the AD domain For various features either the flat/short/NetBIOS domain name or the domain SID is needed. Since the responders already try to do a subdomain lookup when and known domain name is encountered I added a subdomain lookup to the AD provider which currently only reads the SID from the base DN and the NetBIOS name from a reply of a LDAP ping. The results are written to the cache to have them available even if SSSD is started in offline mode. Looking up trusted domains can be added later. Since all the needed responder code is already available from the corresponding work for the IPA provider this patch fixes https://fedorahosted.org/sssd/ticket/1468

2e4f8db631a10224dac20e8a472f751fef0e3fcd 03-May-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: Always initialize ID mapping Because we now always store SIDs in the LDAP provider, we also need to always initialize the ID mapping context even if ID mapping itself is off.

74e95cfd9d3939dfe9417d79d2f6fc79b361405f 03-May-2013 Jakub Hrozek <jhrozek@redhat.com>

Active Directory dynamic DNS updates https://fedorahosted.org/sssd/ticket/1504 Implements dynamic DNS updates for the AD provider. By default, the updates also update the reverse zone and run periodically every 24 hours.

a679f0167b646cffdae86546ed77e105576991b0 02-May-2013 Pavel Březina <pbrezina@redhat.com>

DNS sites support - add AD SRV plugin https://fedorahosted.org/sssd/ticket/1032

1abdf56dcda5f6bed7b144e544c00dbdd501b3fc 10-Apr-2013 Pavel Březina <pbrezina@redhat.com>

DNS sites support - use SRV DNS lookup plugin in all providers https://fedorahosted.org/sssd/ticket/1032 We set a plugin during an initialization of ID provider, which is an authoritative provider for a plugin choice. The plugin is set only once. When other provider is initialized (e.g. id = IPA, sudo = LDAP), we do not overwrite the plugin. Since sssm_*_id_init() is called from all module constructors, this patch relies on the fact, that ID provider is initialized before all other providers.

e523233315f44b8f77ab9c5143a3d80364ebf955 23-Aug-2012 Ondrej Kos <okos@redhat.com>

AD context was set to null due to type mismatch

294e9a5521d327c5cdc49beeb9cb9e703b3134f1 01-Aug-2012 Jan Zeleny <jzeleny@redhat.com>

Primary server support: new option in AD provider This patch adds support for new config option ad_backup_server. The description of this option's functionality is included in man page in one of previous patches.

016e0d7202ff965018e41869c5ab501f86b0d081 01-Aug-2012 Jan Zeleny <jzeleny@redhat.com>

Primary server support: AD adaptation This patch adds support for the primary server functionality into AD provider. No backup servers are added at the moment, just the basic support is in place.

a4cce2c98eedecb5d3b47da62104634cae268434 06-Jul-2012 Stephen Gallagher <sgallagh@redhat.com>

AD: Add AD access-control provider This patch adds support for checking whether a user is expired or disabled in AD.

d92c50f6d75ae980b0d130134112a33e1584724c 06-Jul-2012 Stephen Gallagher <sgallagh@redhat.com>

AD: Add AD auth and chpass providers These new providers take advantage of existing code for the KRB5 provider, providing sensible defaults for operating against an Active Directory 2008 R2 or later server.

effcbdb12c7ef892f1fd92a745cb33a08ca4ba30 06-Jul-2012 Stephen Gallagher <sgallagh@redhat.com>

AD: Add AD identity provider This new identity provider takes advantage of existing code for the LDAP provider, but provides sensible defaults for operating against an Active Directory 2008 R2 or later server.