Downcast to errno_t after tevent_req_is_error Functions tevent_req_is_error and _tevent_req_error use type uint64_t for error code. SSSD uses errno_t which is an alias for int. Therefore complier assumes that macro TEVENT_REQ_RETURN_ON_ERROR can return 0 due to implicit down casting from uint64_t -> int. This patch makes down casting explicit and returns EINVAL if result of downcasting is 0. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Inform about (un)successful connection Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SDAP: Add return code ERR_ACCOUNT_LOCKED Add code to distinquish state when account is locked in Active Directory server. Tested against Windows Server 2012 This patch is best effort only as decision whether account is actually locked is based on parsing error message returned by AD. The format and content of this error message might be subject of change in future releases and also can be modified by AD administrators. If account is locked bind operation is expected to return following error message: ----------------------------------------------------------------------- Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 775, v23f0 ----------------------------------------------------------------------- Where sub string 'data 775' implies that account is locked (ERROR_ACCOUNT_LOCKED_OUT) [1]. However the 80090308 (error code 0x80090308, SEC_E_INVALID_TOKEN) is the only guaranteed part of error string [2]. Error message is described in further detail as [3]: ----------------------------------------------------------------------- When the server fails an LDAP operation with an error, and the server has sufficient resources to compute a string value for the errorMessage field of the LDAPResult, it includes a string in the errorMessage field of the LDAPResult (see [RFC2251] section 4.1.10). The string contains further information about the error. The first eight characters of the errorMessage string are a 32-bit integer, expressed in hexadecimal. Where protocol specifies the extended error code "<unrestricted>" there is no restriction on the value of the 32-bit integer. It is recommended that implementations use a Windows error code for the 32-bit integer in this case in order to improve usability of the directory for clients. Where protocol specifies an extended error code which is a Windows error code, the 32-bit integer is the specified Windows error code. Any data after the eighth character is strictly informational and used only for debugging. Conformant implementations need not put any value beyond the eighth character of the errorMessage field. ----------------------------------------------------------------------- [1] https://msdn.microsoft.com/en-us/library/windows/desktop/ms681386%28v=vs.85%29.aspx [2] https://social.msdn.microsoft.com/Forums/en-US/e1d600c8-60b7-4ed0-94cb-20ddd6c1a1c6/msadts-user-locking-password-policies?forum=os_windowsprotocols [3] MS-ADTS 3.1.1.3.1.9 https://msdn.microsoft.com/en-us/library/cc223253.aspx Resolves: https://fedorahosted.org/sssd/ticket/2839 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

sdap_connect_send: fail if uri or sockaddr is NULL Resolves: https://fedorahosted.org/sssd/ticket/2904 Reviewed-by: Michal Židek <mzidek@redhat.com>

FO: Use refcount to keep track of servers returned to callers Resolves: https://fedorahosted.org/sssd/ticket/2829 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IPA: Improve messages about failures Reviewed-by: Pavel Březina <pbrezina@redhat.com>

LDAP: Consolidate SDAP_SASL_REALM/SDAP_KRB5_REALM behaviour Reviewed-by: Sumit Bose <sbose@redhat.com>

LDAP: Do not set keytab through environment variable Otherwise each connection would clobber the environment variable with its own. This is a temporary workaround until SSSD's ldap_child is able to store ccaches in a collection. Reviewed-by: Sumit Bose <sbose@redhat.com>

LDAP: return after tevent_req_error Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SDAP: Make StartTLS bind configurable with ldap_opt_timeout Related: https://fedorahosted.org/sssd/ticket/1501 Reviewed-by: Pavel Reichl <preichl@redhat.com>

SDAP: Make simple bind timeout configurable Resolves: https://fedorahosted.org/sssd/ticket/1501 Reuse the value of sdap_opt_timeout to set a longer bind timeout for user authentication, ID connection authentication and authentication during IPA migration mode. Reviewed-by: Pavel Reichl <preichl@redhat.com>

Add missing new lines to debug messages Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SDAP: check that connection is open before bind Tivoli server does not return an empty response when being asked for the rootDSE data but an error. In this case the rootDSE lookup in SSSD will terminate the connection to the server and return a error. But since errors except timeouts are ignored SSSD will try to continue with the bind, but since the connection is already terminated this will fail as well. And this will terminate the whole operation. Make sure the connection is open before performing bind operation. Resolves: https://fedorahosted.org/sssd/ticket/2435 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SDAP: move deciding of tls usage into new function Separate code for deciding tls usage from sdap_cli_connect_send() to new function decide_tls_usage(). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

LDAP: Do not clobber return value when multiple controls are returned We loop over the array of returned controls and set 'ret' based on the control value. In case multiple controls were returned, the 'ret' variable might be clobbered with result of a string-to-int conversion. Reviewed-by: Pavel Reichl <preichl@redhat.com>

LDAP: Check the LDAP handle before using it As the connection code is async-driven, the LDAP handle might be invalidated before SSSD attempts to use it. Similar to commit 5fe6ca5e339fd345119752e996c14edf8db57660, this patch adds a NULL check for the LDAP handle and aborts the request instead of crashing. Resolves: https://fedorahosted.org/sssd/ticket/2305

sdap: move non async functions from sdap_async_connection.c to sdap_utils.c Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Update DEBUG* invocations to use new levels Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead: grep -rl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e 'use strict; use File::Slurp; my @map=qw" SSSDBG_FATAL_FAILURE SSSDBG_CRIT_FAILURE SSSDBG_OP_FAILURE SSSDBG_MINOR_FAILURE SSSDBG_CONF_SETTINGS SSSDBG_FUNC_DATA SSSDBG_TRACE_FUNC SSSDBG_TRACE_LIBS SSSDBG_TRACE_INTERNAL SSSDBG_TRACE_ALL "; my $text=read_file(\*STDIN); my $repl; $text=~s/ ^ ( .* \b (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM) \s* \(\s* )( [0-9] )( \s*, ) ( \s* ) ( .* ) $ / $repl = $1.$map[$3].$4.$5.$6, length($repl) <= 80 ? $repl : $1.$map[$3].$4."\n".(" " x length($1)).$6 /xmge; print $text; ' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

Fix formating of variables with ber_ type

Fix formating of variables with type: time_t

Fix formating of variables with type: int

LDAP: new SDAP domain structure Previously an sdap_id_ctx was always tied to one domain with a single set of search bases. But with the introduction of Global Catalog lookups, primary domain and subdomains might have different search bases. This patch introduces a new structure sdap_domain that contains an sssd domain or subdomain and a set of search bases. With this patch, there is only one sdap_domain that describes the primary domain.

Fixing critical format string issues. --missing arguments. --format '%s', but argument is integer. --wrong format string, examle: '%\n'

sdap: add sdap_connect_host request Create connection to specified LDAP server without using any failover stuff.

Display the last grace warning, too Due to a comparison error, the last warning when an LDAP password was in its grace period was never displayed. https://fedorahosted.org/sssd/ticket/1890

LDAP: Fix value initialization warnings

Making the authtok structure really opaque. Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830

LDAP: Fix value initialization

Use common error facility instead of sdap_result Simplifies and consolidates error reporting for ldap authentication paths. Adds 3 new error codes: ERR_CHPASS_DENIED - Used when password constraints deny password changes ERR_ACCOUNT_EXPIRED - Account is expired ERR_PASSWORD_EXPIRED - Password is expired

LDAP: Check for authtok validity The default authtok type in the LDAP provider (unlike the new IPA and AD providers) is "password". This oddity dates back to when password was the only supported authtok type in the SSSD, so configuration specifying only the password and bind DN was valid. We need to check the authtok validity as well before attempting to use it.

Fix LDAP authentication - invalid password length sss_authtok_get_password() already returns length without terminating zero. This broke authentication over LDAP because we removed the last password character.

Change pam data auth tokens. Use the new authtok abstraction and interfaces throught the code.

LDAP: Expire even non authenticated connections The connections request was terminated before setting the expiry timeout in case no authentication was set. https://fedorahosted.org/sssd/ticket/1649

FO: Check server validity before setting status The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server and keeps a pointer until the end of a request and only then gives feedback about the server based on the request result. This presents a big race condition in case the SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server until another request that holds a pointer to the original server is able to give a feedback. This patch simply checks if a server is in the list of servers maintained by a service before reading its status. https://fedorahosted.org/sssd/ticket/1364

Unbreak SASL Patch bc76428246c4ce532abd0eadcd539069fc1d94a8 changed the data type of sasl_minssf from int to ber_len_t. Unfortunately, default value of ldap_sasl_minssf is -1 but ber_len_t is defined as unsigned long. This made SASL mechanism inoperative.

Fix uninitialized values https://fedorahosted.org/sssd/ticket/1379

LDAP: Properly cast type for MINSSF value

LDAP: Print extended failure message for SASL bind

Simple implementation of Netscape password warning expiration control

Try all KDCs when getting TGT for LDAP When the ldap child process is killed after a timeout, try the next KDC. When none of the ldap child processes succeed, just abort the connection because we wouldn't be able to authenticate to the LDAP server anyway. https://fedorahosted.org/sssd/ticket/1324

Get the RootDSE after binding if not successfull before https://fedorahosted.org/sssd/ticket/1258

Free controls in sdap_rebind_proc

Do not call sdap_auth if not needed

LDAP: Fix memory leaks in synchronous_tls_setup We were never freeing "result" if it was allocated by ldap_result(). We were also not freeing "errmsg" if it was allocated but ldap_parse_result() returned an error. Also disambiguate error messages from ldap_parse_result() and error messages from sss_ldap_get_diagnostic_msg() since they use differing memory-management functions.

LDAP: Errors retrieving the RootDSE should not be fatal If we can't reach the RootDSE, let's just proceed as if it's unavailable with reasonable defaults. If we fail later on, that's fine. Fixes https://fedorahosted.org/sssd/ticket/1257

Detect cycle in the fail over on subsequent resolve requests only

Only do one cycle when resolving a server https://fedorahosted.org/sssd/ticket/1214

LDAP: Copy URI instead of pointing at failover service record In a heavy load environment, sometimes the failover service record would be updated and free the URI value. We need to guarantee that this URI string remains valid throughout the entire request. https://fedorahosted.org/sssd/ticket/1139

Add sdap_connection_expire_timeout option https://fedorahosted.org/sssd/ticket/1036

LDAP: Fix missing break statements in force_tls Also add a default case to protect against bad input

LDAP provider: Error while setting the nocanon option should not be fatal https://fedorahosted.org/sssd/ticket/1100

Add ldap_sasl_minssf option https://fedorahosted.org/sssd/ticket/1075

Provide means of forcing TLS and GSSAPI enabled/disabled for sdap connections

LDAP: Try next failover server on any error

Cleanup: Remove unused parameters

Prevent printing NULL in several places of LDAP provider

Support to request canonicalization in LDAP/IPA provider https://fedorahosted.org/sssd/ticket/957

sss_ldap_err2string() - ldap_err2string() to sss_ldap_err2string() https://fedorahosted.org/sssd/ticket/986

sss_ldap_err2string() - function created https://fedorahosted.org/sssd/ticket/986

Add LDAP provider option to set LDAP_OPT_X_SASL_NOCANON https://fedorahosted.org/sssd/ticket/978

Handle timeout during sss_ldap_init_send In some cases, where there would be no response from the LDAP server, there would be no R/W events on the LDAP fd, so sdap_async_sys_connect_done would never be called. This patch adds a tevent timer that cancels the connection after SDAP_NETWORK_TIMEOUT seconds.

Request password control unconditionally during bind https://fedorahosted.org/sssd/ticket/940

Use ldap_init_fd() instead of ldap_initialize() if available

Add ldap_page_size configuration option

Modify principal selection for keytab authentication Currently we construct the principal as host/fqdn@REALM. The problem with this is that this principal doesn't have to be in the keytab. In that case the provider fails to start. It is better to scan the keytab and find the most suitable principal to use. Only in case no suitable principal is found the backend should fail to start. The second issue solved by this patch is that the realm we are authenticating the machine to can be in general different from the realm our users are part of (in case of cross Kerberos trust). The patch adds new configuration option SDAP_SASL_REALM. https://fedorahosted.org/sssd/ticket/781

Initialise rootdse to NULL if not available

Initialise srv_opts even if rootDSE is missing

Read only rootDSE data if rootDSE is available

Don't pass NULL to printf for TLS errors https://fedorahosted.org/sssd/ticket/643

Do not attempt to use START_TLS on SSL connections Not all LDAP servers are capable of handling dual-encryption with both TLS and SSL. https://fedorahosted.org/sssd/ticket/795

Convert obfuscated password once at startup

Mark unavailable Kerberos server as PORT_NOT_WORKING

ldap: add checks to determine if USN features are available.

Fix offline detection in sdap_cli_connect request sdap_cli_connect_recv_ext() checks if the failover server is not set to determine if the backend is offline. To make this work properly if multiple servers are defined the failover server must be set to NULL if all servers are checked.

Use (default)namingContext to set empty search bases

Allow authentication for referrals

Add some missing ldap_memfree()

Add ldap_deref option

Initialize kerberos service for GSSAPI

Make ldap_child report kerberos return code to parent

Check if control is supported before using it.

Revert "Make ldap bind asynchronous" This reverts 56d8d19ac9d857580a233d8264e851883b883c67

Store rootdse supported features in sdap_handler

Deobfuscate password in back ends When obfuscated password is used in config file, the LDAP backend converts it back to clear text and uses it to authenticate to the server.

Make ldap bind asynchronous Every ldap function that could possibly create a new connection is now wrapped in a tevent_req. If the connection is created, we will call the function again after the socket is ready for writing.

Log TLS errors to syslog Also adds support for detecting LDAPS errors by adding a check for SDAP_DIAGNOSTIC_MESSAGE after ldap_search_ext()

Eliminate delayed sdap_handle destruction after fail-over retry.

Use new LDAP connection framework in IPA dynamic DNS forwarder.

LDAP connection usage tracking, sharing and failover retry framework.

GSSAPI ticket expiry time is returned from ldap_child and stored in sdap_handle for future reference.

Make RootDSE optional In violation of the standard, some LDAP servers control access to the RootDSE, thus preventing us from being able to read it before performing a bind. This patch will allow us to continue on if the RootDSE was inaccessible. All of the places that we use the return value of the RootDSE after this are already checked for NULL and use sane defaults if the RootDSE is unavailable

Fix SASL authentication

Fix broken build against older versions of OpenLDAP OpenLDAP < 2.4 used LDAP_OPT_ERROR_STRING. It was changed to LDAP_OPT_DIAGNOSTIC_MESSAGE in 2.4. This patch will allow the TLS error messages to be displayed on either version.

Add a better error message for TLS failures

Add ldap_krb5_ticket_lifetime option

Add callback when the ID provider switches from offline to online Allow backends to set a callback in the be_ctx that should be invoked when the ID provider goes online. This can be used to perform regular maintenance tasks that are valid only when going online.

Use all available servers in LDAP provider

Better handle sdap_handle memory from callers. Always just mark the sdap_handle as not connected and let later _send() functions to take care of freeing the handle before reconnecting. Introduce restart functions to avoid calling _send() functions in _done() functions error paths as this would have the same effect as directly freeing the sdap_handle and cause access to freed memory in sdap_handle_release() By freeing sdap_handle only in the connection _recv() function we guarantee it can never be done within sdap_handle_release() but only in a following event.

Make the handling of fd events opaque Depending on the version of the OpenLDAP libraries we use two different schemes to find the file descriptor of the connection to the LDAP server. This patch removes the related ifdefs from the main code and introduces helper functions which can handle the specific cases.

Set LDAP_OPT_RESTART for all LDAP connections

Set LDAP_OPT_RESTART for ldap_sasl_interactive_bind_s() This option is needed for the rare case where a poll() call during ldap_sasl_interactive_bind_s() is interrupted by a signal. LDAP_OPT_RESTART enables the handling of the EINTR error instead of returning an error.

Improvements for LDAP Password Policy support Display warnings about remaining grace logins and password expiration to the user, when LDAP Password Policies are used. Improved detection if LDAP Password policies are supported by LDAP Server.

Fix error message for ldap_start_tls

Fixed check for expired passwords When the user's password is expired it might also be indicated by the bind operation returning "INVALID_CREDENTIALS" with the ppolicy control's errorcode set to "PP_passwordExpired".

Rename server/ directory to src/ Also update BUILD.txt