PROXY: Use right name in ldap filter We used internal fq name in ldap filter with id_provider proxy to files and auth provider ldap [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=testuser1@ldap)(objectclass=posixAccount))][dc=example,dc=com]. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

LDAP: Fixing wrong pam error code for passwd This patch adds right pam error code for sssd offline state. Resolves: https://fedorahosted.org/sssd/ticket/3109

DP: Switch to new interface Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SDAP: Add return code ERR_ACCOUNT_LOCKED Add code to distinquish state when account is locked in Active Directory server. Tested against Windows Server 2012 This patch is best effort only as decision whether account is actually locked is based on parsing error message returned by AD. The format and content of this error message might be subject of change in future releases and also can be modified by AD administrators. If account is locked bind operation is expected to return following error message: ----------------------------------------------------------------------- Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 775, v23f0 ----------------------------------------------------------------------- Where sub string 'data 775' implies that account is locked (ERROR_ACCOUNT_LOCKED_OUT) [1]. However the 80090308 (error code 0x80090308, SEC_E_INVALID_TOKEN) is the only guaranteed part of error string [2]. Error message is described in further detail as [3]: ----------------------------------------------------------------------- When the server fails an LDAP operation with an error, and the server has sufficient resources to compute a string value for the errorMessage field of the LDAPResult, it includes a string in the errorMessage field of the LDAPResult (see [RFC2251] section 4.1.10). The string contains further information about the error. The first eight characters of the errorMessage string are a 32-bit integer, expressed in hexadecimal. Where protocol specifies the extended error code "<unrestricted>" there is no restriction on the value of the 32-bit integer. It is recommended that implementations use a Windows error code for the 32-bit integer in this case in order to improve usability of the directory for clients. Where protocol specifies an extended error code which is a Windows error code, the 32-bit integer is the specified Windows error code. Any data after the eighth character is strictly informational and used only for debugging. Conformant implementations need not put any value beyond the eighth character of the errorMessage field. ----------------------------------------------------------------------- [1] https://msdn.microsoft.com/en-us/library/windows/desktop/ms681386%28v=vs.85%29.aspx [2] https://social.msdn.microsoft.com/Forums/en-US/e1d600c8-60b7-4ed0-94cb-20ddd6c1a1c6/msadts-user-locking-password-policies?forum=os_windowsprotocols [3] MS-ADTS 3.1.1.3.1.9 https://msdn.microsoft.com/en-us/library/cc223253.aspx Resolves: https://fedorahosted.org/sssd/ticket/2839 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

FO: Use refcount to keep track of servers returned to callers Resolves: https://fedorahosted.org/sssd/ticket/2829 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

LDAP: Add sdap_lookup_type enum Related: https://fedorahosted.org/sssd/ticket/2553 Change the boolan parameter of sdap_get_users_send and sdap_get_groups_send to a tri-state that controls whether we expect only a single entry (ie don't use the paging control), multiple entries with a search limit (wildcard request) or multiple entries with no limit (enumeration). Reviewed-by: Pavel Březina <pbrezina@redhat.com>

LDAP: Set sdap handle as explicitly connected in LDAP auth In case SSSD is set with id_provider=proxy and auth_provider=ldap, the LDAP provider is not used to retrieve the user info with the higher-level calls, but the lower-level connection establishment is used instead. In this case, we need to make sure to mark the connection as explicitly connected to be notified about results of looking up the DN. Resolves: https://fedorahosted.org/sssd/ticket/2620 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

ldap: refactor check_pwexpire_kerberos to use util func Refactor check_pwexpire_kerberos() to use utility function sss_utc_to_time_t(). Modify test to handle new error code ERR_TIMESPEC_NOT_SUPPORTED Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SDAP: Make password change timeout configurable with ldap_opt_timeout Related: https://fedorahosted.org/sssd/ticket/1501 Reviewed-by: Pavel Reichl <preichl@redhat.com>

SDAP: Make simple bind timeout configurable Resolves: https://fedorahosted.org/sssd/ticket/1501 Reuse the value of sdap_opt_timeout to set a longer bind timeout for user authentication, ID connection authentication and authentication during IPA migration mode. Reviewed-by: Pavel Reichl <preichl@redhat.com>

SDAP: enable change phase of pw expire policy check Implement new option which does checking password expiration policy in accounting phase. This allows SSSD to issue shadow expiration warning even if alternate authentication method is used. Resolves: https://fedorahosted.org/sssd/ticket/2167 Reviewed-by: Sumit Bose <sbose@redhat.com>

SDAP: refactor pwexpire policy Move part of pwexpire policy code to a separate function. Relates to: https://fedorahosted.org/sssd/ticket/2167 Reviewed-by: Sumit Bose <sbose@redhat.com>

LDAP: Do not shortcut on ret != EOK during password expiry check https://fedorahosted.org/sssd/ticket/2323 The functions that check for password expiration can return non-zero return codes not only on internal failure, but also to indicate that the password was expired. The code would in this case shortcut in the error handler instead of making its way to the switch-case code below that translates the SSSD error codes into PAM error codes. We don't lose the error reporting, because any internal error would translate into PAM_SYSTEM_ERROR anyway. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

LDAP: Don't use macro _XOPEN_SOURCE for extra features We defined macro _XOPEN_SOURCE before time.h, because we need function strptime The problem is with undef after including header time.h The macro _XOPEN_SOURCE can be defined on some platforms and undef can cause problems. We detect all necessary feature macros in configure script using AC_USE_SYSTEM_EXTENSIONS or AC_GNU_SOURCE. It is better to include header file config.h instead of defining macro _XOPEN_SOURCE Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Update DEBUG* invocations to use new levels Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead: grep -rl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e 'use strict; use File::Slurp; my @map=qw" SSSDBG_FATAL_FAILURE SSSDBG_CRIT_FAILURE SSSDBG_OP_FAILURE SSSDBG_MINOR_FAILURE SSSDBG_CONF_SETTINGS SSSDBG_FUNC_DATA SSSDBG_TRACE_FUNC SSSDBG_TRACE_LIBS SSSDBG_TRACE_INTERNAL SSSDBG_TRACE_ALL "; my $text=read_file(\*STDIN); my $repl; $text=~s/ ^ ( .* \b (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM) \s* \(\s* )( [0-9] )( \s*, ) ( \s* ) ( .* ) $ / $repl = $1.$map[$3].$4.$5.$6, length($repl) <= 80 ? $repl : $1.$map[$3].$4."\n".(" " x length($1)).$6 /xmge; print $text; ' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

Remove unused parameter from get_user_dn

LDAP: Search for original DN during auth if it's missing Resolves: https://fedorahosted.org/sssd/ticket/2077 If during the LDAP authentication we find out that the originalDN to bind as is missing (because the ID module is not LDAP based), we can try to look up the user from LDAP without saving him just in order to receive the originalDN.

SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2)

SYSDB: Drop the sysdb_ctx parameter from the sysdb_search module

Fix formating of variables with type: time_t

Fix formating of variables with type: long

ldap, krb5: More descriptive msg on chpass failure. Print more descriptive message when wrong current password is given during password change operation. resolves: https://fedorahosted.org/sssd/ticket/2029

ldap: only update shadowLastChange when password change is successful https://fedorahosted.org/sssd/ticket/1999 ldap_auth.c code which was added to SSSD for updating the shadowLastChange when "ldap_chpass_update_last_change" option is enabled updates shadowLastChange even when the PAM password change status reports failure. We should only update shadowLastChange on PAM password change success or we open up a work around for users to avoid changing their passwords periodically as required by policy. The user simply attempts to change password, fails by trying to set new password which invalid (denied due to password history check) yet shadowLastChange is updated, avoiding their need to actually change the password they are using.

Display the last grace warning, too Due to a comparison error, the last warning when an LDAP password was in its grace period was never displayed. https://fedorahosted.org/sssd/ticket/1890

Making the authtok structure really opaque. Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830

Use common error facility instead of sdap_result Simplifies and consolidates error reporting for ldap authentication paths. Adds 3 new error codes: ERR_CHPASS_DENIED - Used when password constraints deny password changes ERR_ACCOUNT_EXPIRED - Account is expired ERR_PASSWORD_EXPIRED - Password is expired

Add be_req_get_data() helper funciton. In preparation for making struct be_req opaque.

Add be_req_get_be_ctx() helper. In preparation for making be_req opaque

Introduce be_req_terminate() helper Call it everywhere instead of directly dereferencing be_req->fn This is in preparation of making be_req opaque.

Remove domain from be_req structure

Remove sysdb as a be context structure member The sysdb context is already available through the 'domain' structure.

Add domain argument to sysdb_cache_password()

Add domain argument to sysdb_get_user_attr()

Change pam data auth tokens. Use the new authtok abstraction and interfaces throught the code.

let ldap_chpass_uri failover work when using same hostname https://fedorahosted.org/sssd/ticket/1699 We want to continue with the next server on all errors, not only on ETIMEDOUT. This particullar ticket was dealing with ECONNREFUSED.

warn user if password is about to expire https://fedorahosted.org/sssd/ticket/1638 If pwd_exp_warning == 0, expiry warning should be printed if it is returned by server. If pwd_exp_warning > 0, expiry warning should be printed only if the password will expire in time <= pwd_exp_warning. ppolicy->expiry contains period in seconds after which the password expires. Not the exact timestamp. Thus we should not add 'now' to pwd_exp_warning.

FO: Check server validity before setting status The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server and keeps a pointer until the end of a request and only then gives feedback about the server based on the request result. This presents a big race condition in case the SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server until another request that holds a pointer to the original server is able to give a feedback. This patch simply checks if a server is in the list of servers maintained by a service before reading its status. https://fedorahosted.org/sssd/ticket/1364

Retry the next server if bind during LDAP auth times out

Modify behavior of pam_pwd_expiration_warning New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.

Detect cycle in the fail over on subsequent resolve requests only

Only do one cycle when resolving a server https://fedorahosted.org/sssd/ticket/1214

Update shadowLastChanged attribute during LDAP password change https://fedorahosted.org/sssd/ticket/1019

Cleanup: Remove unused parameters

Multiline macro cleanup This is mostly a cosmetic patch. The purpose of wrapping a multi-line macro in a do { } while(0) is to make the macro usable as a regular statement, not a compound statement. When the while(0) is terminated with a semicolon, the do { } while(0); block becomes a compound statement again.

Improve error message for LDAP password constraint violation https://fedorahosted.org/sssd/ticket/985

Improve password policy error code and message Instead of returning PAM_SYSTEM_ERR if they necessary attributes for the requested password policy cannot be found we return PAM_PERM_DENIED. Additionally the log message says that the access is denied.

sysdb refactoring: memory context deleted This patch deletes memory context parameter in those places in sysdb where it is not necessary. The code using modified functions has been updated. Tests updated as well.

sysdb refactoring: deleted domain variables in sysdb API The patch also updates code using modified functions. Tests have also been adjusted.

Use ldap_init_fd() instead of ldap_initialize() if available

Do not check pwdAttribute It is not safe to check pwdAttribute to see if server side password policies are active. Only if a LDAP_CONTROL_PASSWORDPOLICYRESPONSE is present the bind response we can assume that there is a server side password policy.

Fix unchecked return values of pam_add_response https://fedorahosted.org/sssd/ticket/798

Do not attempt to use START_TLS on SSL connections Not all LDAP servers are capable of handling dual-encryption with both TLS and SSL. https://fedorahosted.org/sssd/ticket/795

Add option to disable TLS for LDAP auth Option is named to discourage use in production environments and is intentionally not listed in the SSSDConfig API.

Fix return value check

Add ldap_chpass_uri config option

Make string_to_shadowpw_days() public

Fix offline detection for LDAP auth/chpass

Return offline instead of error When the failover code returns that there are no available servers while we are marked offline, we were returning an error to the PAM authentication code. Instead, we should return success with a result value of SDAP_UNAVAIL so that the PAM responder will mark the domain offline and attempt offline authentication.

Treat a zero-length password as a failure Some LDAP servers allow binding with blank passwords. We should not allow a blank password to authenticate the SSSD.

Fix chpass operations with LDAP provider The initial verification of the old password was returning an error because we were not explicitly setting dp_err to DP_ERR_SUCCESS and it was initialized earlier in the function to DP_ERR_FATAL.

Add more warnings about nearly expired passwords For the shadow and mit_kerberos password policy warnings are sent to the client if the password is about to expire.

Use all available servers in LDAP provider

Display a message if a password reset by root fails

sysdb: convert sysdb_get_user_attr

sysdb: convert sysdb_cache_password

Fix warnings from -Wmissing-field-initializers This patch removes some tab-indentations from pamsrv.c, too.

Improvements for LDAP Password Policy support Display warnings about remaining grace logins and password expiration to the user, when LDAP Password Policies are used. Improved detection if LDAP Password policies are supported by LDAP Server.

Fixed authentication check for CHAUTHTOK_PRELIM When changing passwords, treat SDAP_AUTH_PW_EXPIRED as a successful authentication in SSS_PAM_CHAUTHTOK_PRELIM.

Handle expired passwords like other PAM modules So far we handled expired password during authentication. Other PAM modules typically detect expired password during account management and return PAM_NEW_AUTHTOK_REQD if the password is expired and should be changed. The PAM library then calls the change password routines. To meet these standards pam_sss is change accordingly. As a result it is now possible to update an expired password via ssh if sssd is running with PasswordAuthentication=yes. One drawback due to limitations of PAM is that the user now has to type his current password again before setting a new one.

Rename server/ directory to src/ Also update BUILD.txt