04e870d99e72aa3160bdb6ab05d986fb4005c3ed |
|
16-Aug-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Remove old data provider interface
Reverse data provider interface is moved to a better location in
NSS responder. All responders now can have an sbus interface
defined per data provider connection. The unused old data provider
interface is removed.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
78f9a9d4a2725f1b2cb6e582c965b5e6f7bdff7d |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
RESPONDER: Add a helper function sss_resp_create_fqname
When looking up entries in the responders that have not been yet
converted to the cache_req API, we need to perform some common
operations all the time. These include converting the name to the right
case, reverse-replacing whitespace and converting the name to the qualified
format for that domain.
This patch adds a function that performs these steps to avoid code
duplication.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
a8d1a344e580f29699aed9b88d87fc3c6f5d113b |
|
29-Jun-2016 |
Simo Sorce <simo@redhat.com> |
Secrets: Add initial responder code for secrets service
Start implementing the Secrets Service Reponder core.
This commit implements stratup and basic conenction handling and HTTP
parsing (using the http-parser library).
Signed-off-by: Simo Sorce <simo@redhat.com>
Related:
https://fedorahosted.org/sssd/ticket/2913
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e5911e72198df96ec7cfe486ff66363c2297a5f7 |
|
29-Jun-2016 |
Simo Sorce <simo@redhat.com> |
Responders: Add support for socket activation
Add helper that uses systemd socket activation if available to accept a
pre-listining socket at startup.
Related:
https://fedorahosted.org/sssd/ticket/2913
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4f3a9d837a55b49448eca3c713c85a406207e523 |
|
29-Jun-2016 |
Simo Sorce <simo@redhat.com> |
Responders: Make the client context more generic
This is useufl to allow reusing the responder code with other protocols.
Store protocol data and responder state data behind opaque pointers and
use tallog_get_type to check they are of the right type.
This also allows to store per responder state_ctx so that, for example,
the autofs responder does not have to carry useless variables used only
by the nss responder.
Resolves:
https://fedorahosted.org/sssd/ticket/2918
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
83a79d93035c2d75a1941f3b54426119174044a0 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
RESPONDER: New interface for client registration
This is just a beginning of new responder interface to data provider
and it is just to make the client registration work. It needs further
improvement.
The idea is to take the existing interface and make it work better
with further extensions of data provider. The current interface has
several disadvantages such as it is originally build only for
account requests and doesn't take different set of output parameters.
It also doesn't work well with integration into tevent-made responders.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
dd3a000e6c6160ff6c10fdac9e04549eed3fa2de |
|
11-May-2016 |
Petr Cech <pcech@redhat.com> |
RESPONDER: Removing of redudant function
There is redudant function responder_get_neg_timeout_from_confdb().
This patch removes it.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
56c9f8731173eae841a05f31bb03d311076a8485 |
|
11-May-2016 |
Petr Cech <pcech@redhat.com> |
RESPONDERS: Negcache in resp_ctx preparing
Preparation for initialization of negative cache in common responder.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
39d36216a1692eee6cc5359f6c7ccaa7789be76d |
|
11-May-2016 |
Petr Cech <pcech@redhat.com> |
NEGCACHE: Adding timeout to struct sss_nc_ctx
It adds timeout of negative cache to handling
struct sss_nc_ctx.
There is one change in API of negatice cache:
* int sss_ncache_init(TALLOC_CTX *memctx,
uint32_t timeout, <----- new
struct sss_nc_ctx **_ctx);
There is also one new function in common/responder:
* errno_t responder_get_neg_timeout_from_confdb(struct confdb_ctx *cdb,
uint32_t *ncache_timeout);
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
f6c337c6256879d47356cd099bb00aafba2650f0 |
|
14-Mar-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: improve debugging
Each debug message is matched to a specific request, this way it
will be easier to follow the request flow especially when paralel
request are running.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
6499d0b915209b670f8e337c4fe76a8be9fa6576 |
|
28-Jan-2016 |
Simo Sorce <simo@redhat.com> |
Util: Improve code to get connection credentials
Adds support to get SELINUX context and make code more abstract so
that struct ucred (if availale) can be used w/o redefining uid,gid,pid to
int32. Also gives a layer of indirection that may come handy if we want
to improve the code further in the future.
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com> |
2f6a94e30458df92fb26c3d810f613d1e4cff99b |
|
14-Oct-2015 |
Petr Cech <pcech@redhat.com> |
REFACTOR: SCKT_RSP_UMASK constant in responder code
This patch adds new SCKT_RSP_UMASK constant which stands for 0111. And
it replaces all occurances in responder code.
Resolves:
https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
d9c2a21119a6d04203060ad54fa8d20f17f5c0b7 |
|
14-Oct-2015 |
Petr Cech <pcech@redhat.com> |
REFACTOR: DFL_RSP_UMASK constant in responder code
There is DFL_RSP_UMASK constant for very secure umask in responder
code. This patch replaces occurances of value 0177 with this constant.
Resolves:
https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
cdc44abdf944b0de541fe93ecd77df4d09c856b1 |
|
15-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Add DP_WILDCARD and SSS_DP_WILDCARD_USER/SSS_DP_WILDCARD_GROUP
Related:
https://fedorahosted.org/sssd/ticket/2553
Extends the Data Provider interface and the responder<->Data provider
interface with wildcard lookups.
The patch uses a new "wildcard" prefix rather than reusing the existing
user/group prefixes.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
827a016a07d5f911cc4195be89896a376fd71f59 |
|
19-Jun-2015 |
Sumit Bose <sbose@redhat.com> |
IFP: add FindByCertificate method for User objects
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
0528fdec17d0031996e919fcd852459e86592c35 |
|
09-Apr-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
responders: reset ncache after domains are discovered during startup
After responders start, they add a lookup operation that discovers the
subdomains so that qualifying users works. After this operation is
finishes, we need to reset negcache to allow users to be added into the
newly discovered domains.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
115de6d50f0d0bdd5745a5d8eb0d067be9128528 |
|
05-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
Add parse_attr_list_ex() helper function
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
458f5245dd5130d12666cce6faf8ef1ec7f80169 |
|
29-Oct-2014 |
Pavel Reichl <preichl@redhat.com> |
RESPONDERS: Set default value for umask
Resolves: https://fedorahosted.org/sssd/ticket/2468
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f3b9a5b3cf62124bdb5fc11ae2fe6a89ff921539 |
|
27-Oct-2014 |
Pavel Reichl <preichl@redhat.com> |
RESPONDERS: refactor create_pipe_fd()
Resolves:
https://fedorahosted.org/sssd/ticket/2470
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
8bccd95e275fae760a991da394235e4e70e57bbd |
|
22-Oct-2014 |
Michal Zidek <mzidek@redhat.com> |
responders: Do not initialize pipe fd if already present
Allow to skip initialization of pipe file descriptor
if the responder context already has one.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
2ce29e05e62b2702ba4df5f3316eaf250b0ada7f |
|
22-Oct-2014 |
Michal Zidek <mzidek@redhat.com> |
responder_common: Create fd for pipe in helper
Move creating of file descriptor for pipes into
helper function and make this function public.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
5eda23c28c582b43b2a0a165b1750f3875c0fa84 |
|
22-Oct-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL: Add a function to convert id_t from a number or a name
We need a custom function that would convert a numeric or string input
into uid_t. The function will be used to drop privileges in servers and
also in the PAC and IFP responders.
Includes a unit test to test all code that changed as well as a fix for
a misnamed attribute in the csv_to_uid_list function synopsis.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
f3a5ac1a50c1fccd0801023658e42d2093e1a33a |
|
13-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
Make the space override responder-agnostic
https://fedorahosted.org/sssd/ticket/2397
In order to make the override_space option usable by other responders,
we need to move the override_space option to the generic responder
structure.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
7caf7ed4f2eae1ec1c0717b4ee6ce78bdacd5926 |
|
22-Apr-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
RESPONDERS: Add a new request sss_parse_inp_send
The responders were copying code to parse input and on encountering an
uknown domain, send the discover subdomain request. This patch adds a
reusable request that can always be called in responders and in case the
name can be parsed, just shortcut.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
07e941c1bbdc752142bbd3b838c540bc7ecd0ed7 |
|
14-Mar-2014 |
Stef Walter <stefw@redhat.com> |
sbus: Refactor how we export DBus interfaces
Most importantly, stop using per connection private data. This doesn't
scale when you have more than one thing exporting or exported on a
connection.
Remove struct sbus_interface and expand sbus_conn_add_interface()
function. Remove various struct sbus_interface args to connection
initialization functions and make callers use sbus_conn_add_interface()
directly. The old method was optimized for exporting one interface
on a connection. We'll have connections that export zero, one or more
interfaces.
To export an interface on a DBus server, call sbus_conn_add_interface()
from within the sbus_server_conn_init_fn. To export an interface on
a DBus client, call sbus_conn_add_interface() after sbus_new_connection()
returns.
As before struct sbus_interface represents an object exported via DBus.
However it is now talloc allocated. One can set instance data on the
struct sbus_interface. This instance data is passed to the various
handlers and used in their implementation.
However, we now have type safe interface exporting in the various
high level sss_process_init() sss_monitor_init() and so on.
Introspection support was not in use, and is now gone until we
implement it using the metadata (future patch).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
d9577dbd92555b0755881e37724019ef9c578404 |
|
14-Mar-2014 |
Stef Walter <stefw@gnome.org> |
sbus: Add struct sbus_request to represent a DBus invocation
struct sbus_request represents a request from a dbus client
being handled by a dbus server implementation. The struct
contains the message, connection and method (and in the
future teh property) which is being requested.
In the future it will contain caller information as well.
sbus_request is a talloc memory context, and is a good place to
attach any allocations and memory specific to the request.
Each handler accepts an sbus_request. If a handler returns
EOK, it is assumed that the handler will finish the request.
Any of the sbus_request_*finish() methods can be used to
complete the request and send back a reply.
sbus_request_return_and_finish() uses the same argument
varargs syntax as dbus_message_append_args(), which isn't
a great syntax. Document it a bit, but don't try to redesign:
The marshalling work (will follow this patch set) will remove
the need to use varargs for most DBus implementation code.
This patch migrates the monitor and data provider dbus code
to use sbus_request, but does not try to rework the talloc
context's to use it.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
9de5878d247b77b8f520a57727cd55f42e179caa |
|
22-Oct-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL: Move sss_parse_name_for_domains declaration to util.h |
a573d112013e44373f03b98f653fede0feee9fdc |
|
22-Oct-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Remove duplicate declaration |
19b4bb652f5cdc2797b66595eaf8811881aa9873 |
|
22-Oct-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Include external headers with #include <foo.h>
I find it more readable to include headers from outside the sssd tree
with <foo.h>, not "foo.h". The latter should be used for in-tree headers
only. |
909a86af4eb99f5d311d7136cab78dca535ae304 |
|
04-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Lookup domains at startup
To make sure that e.g. the short/NetBIOS domain name is available this
patch make sure that the responders send a get_domains request to their
backends at startup the collect the domain information or read it from
the cache if the backend is offline.
For completeness I added this to all responders even if they do not need
the information at the moment.
Fixes https://fedorahosted.org/sssd/ticket/1951 |
498dcbdfdfffa1aee65d53e83c7eafd5e3b084a5 |
|
02-May-2013 |
Sumit Bose <sbose@redhat.com> |
Add responder_get_domain_by_id()
This new call is similar to responder_get_domain() but uses the domain
SID as search parameter. Since the length of the stored domain SID is
used in the comparison, SIDs of users and groups and be used directly
without stripping the RID component.
The functionality is not merged into responder_get_domain() to allow to
calculate the timeout correctly and return a specific error code if the
entry is expired. |
f0944fdd627bd684ff36c9670dc857ffdedc343f |
|
02-May-2013 |
Sumit Bose <sbose@redhat.com> |
Add two new request types to the data-provider interface
The patch adds two new request types for SID related requests. The first
one is used if a SID is given and the corresponding object should be
found. The second one can be used if the SID for an object is requested
but it is not clear if the object is a user or a group. |
4668b4765530cf37289235e483f301100cc1ae21 |
|
02-May-2013 |
Sumit Bose <sbose@redhat.com> |
Remove unused TALLOC_CTX from responder_get_domain()
Recent refactoring removed the need to copy the domain info data of
sub-domains because the related objects will not be removed from memory
anymore. |
1a5d83798af7bd88c9d20862c8830ebb5b755e2d |
|
08-Mar-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Move sss_cmd_execute from client to responder code.
I think it logically belongs there and allows to better exercise the
responder commands from unit tests. |
72aa8e7b1d234b6b68446d42efa1cff22b70c81b |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Refactor sysdb initialization
Change the way sysdbs are initialized. Make callers responsible for providing
the list of domains.
Remove the returned array of sysdb contexts, it was used only by sss_cache
and not really necessary there either as that tool can easily iterate the
domains.
Make sysdb ctx children of their respective domains.
Neither sysdb context nor domains are ever freed until a program is done so
there shouldn't be any memory hierarchy issue. As plus we simplify the code by
removing a destructor and a setter function. |
20ae5925d2963937dfc6a66017c05bb018cedd3f |
|
11-Oct-2012 |
Pavel Březina <pbrezina@redhat.com> |
do not call dp callbacks when responder is shutting down
https://fedorahosted.org/sssd/ticket/1514
We were experiencing crash duting responder shut down. This happened
when there were some unresolved dp request during the shut down.
The memory hierarchy is main_ctx->specific_ctx->rctx, where
specific_ctx may be one of the pam, nss, sudo, etc. contexts.
If we try to call dp request callback as a result of responder
termination, the specific context is already semi freed, which may
cause crash. |
1542b85f13d72329685bdd97aa879c36d11f81be |
|
01-Oct-2012 |
Sumit Bose <sbose@redhat.com> |
Add new option default_domain_suffix |
2d257ccf620ce1b611f89cec8f0a94c88c2f2881 |
|
10-Jul-2012 |
Sumit Bose <sbose@redhat.com> |
pac responder: limit access by checking UIDs
A check for allowed UIDs is added in the common responder code directly
after accept(). If the platform does not support reading the UID of the
peer but allowed UIDs are configured, access is denied.
Currently only the PAC responder sets the allowed UIDs for a socket. The
default is that only root is allowed to access the socket of the PAC
responder.
Fixes: https://fedorahosted.org/sssd/ticket/1382 |
bb79e7559dae451a14150377099e32d6b5159a6c |
|
18-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Make the client idle timeout configurable |
dd94e9c9c586fb2c2a0e7175251c08c2762598b0 |
|
18-Jun-2012 |
Shantanu Goel <sgoel@trade4.test-jc.tower-research.com> |
Add support for terminating idle connections |
3c60433641ce2e86b9b04778c8f8652ef0d097e4 |
|
13-Jun-2012 |
Stef Walter <stefw@gnome.org> |
Make re_expression and full_name_format per domain options
* Allows different user/domain qualified names for different
domains. For example Domain\User or user@domain.
* The global re_expression and full_name_format options remain
as defaults for the domains.
* Subdomains get the re_expression and full_name_format of
their parent domain.
https://bugzilla.redhat.com/show_bug.cgi?id=811663 |
b42b5d5aaf4da165582e73ad985fdff6e34e61e4 |
|
03-May-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
SSH: Add dp_get_host_send to common responder code
Instead of using account_info request, creates a new ssh specific
request. This improves code readability and will make the code more
flexible in the future.
https://fedorahosted.org/sssd/ticket/1176 |
6fdde3913a11cd6148627696fa8717c34e8460fc |
|
24-Apr-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Modified responder_get_domain()
Now it checks for subdomains as well as for the domain itself |
c0f9698cd951b7223f251ff2511c4b22a6e4ba60 |
|
24-Apr-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Responder part of the subdomain retrieval work |
65976ea5e9767bfaced81dfb97dc87d59f50b57e |
|
08-Mar-2012 |
Simo Sorce <simo@redhat.com> |
Use the correct hash table for pending requests
The function that handled pending requests on reconnect was checking an
orphaned global variable that was never used, redenring the whole function
uselsess.
This fixes a very nasty bug that was causing requests for which we never
received an answer for (for example because the backend failed and was
restarted) to be never removed and therefore causing a black hole effect for
any other request of the same type.
Fixes: https://fedorahosted.org/sssd/ticket/1229 |
1a63155b0797c2b1963424e5c0f5d3a62f8cc7cc |
|
17-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
RESPONDERS: Allow increasing the file-descriptor limit
This patch will increase the file descriptor limit to 8k or the
limits.conf maximum, whichever is lesser.
https://fedorahosted.org/sssd/ticket/1197 |
2cba1c86f48db866fc72738a32eecbbdcdf3dbdb |
|
13-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Remove setent structure when callback is called |
bd3cf7d6414171fcd605d9f831965be107e411d7 |
|
07-Feb-2012 |
Jan Cholasta <jcholast@redhat.com> |
DP: Add support for hosts in sss_dp_get_account
Host requests are directed to the host info handler. |
9e80079370ff3b943832adc3c5ef430e64be0a0c |
|
06-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: responder |
e24a0656252c167e644b4758e5e53afe69be02e1 |
|
06-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Split the logic to check cache expiration into separate function |
98076cabc2a8b8f71dc3bc1263519827f71a5fcc |
|
06-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
RESPONDERS: Refactor setent_req_list
Makes the setent_add_ref() and setent_notify_*() functions more generic
to be reusable by the autofs responder. |
405a06682b3772b70bb06d3adba780a062959641 |
|
03-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
RESPONDERS: Provide a common sss_cmd_send_error function
The common function could be reused in new responders |
ab68008f87504ace9451c14ba2a7e8dfec435779 |
|
01-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Refactor nss_cmd_send_empty |
cd5525d7dcde6ffbf162608706c502aa33951789 |
|
27-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
NSS: Add service enumeration support to NSS provider |
990b7ebaf67b6d4cc982c805a8ec1126111bd4b4 |
|
27-Jan-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Refactor responder_dp_req so it's reusable by other responders
* the internal request is now more generic and is decoupled from
account-specific data. There is a new sss_dp_issue_request() wrapper
that issues a BE request or registers a callback
* the public requests all use struct sss_dp_req_state as the tevent_req
state data. This allows to report back data from the internal request
even if the caller is just a callback notifier
* each specific request now uses an _info structure that contains all
the data necessary to construct a DBusMessage passed to provider
* each specific request now defines a sss_dp_get_$data_msg callback that
is called from the sss_dp_issue_request() common wraper. The purpose
of the wrapper is to construct a DBusMessage and bind it to a DBus
method so the message can be just sent over to back end
The miscellanous changes include:
* change SSS_DP_ constants to an enum. This way, a switch() would error
if a value is not handled.
* rename sss_dp_get_account_int_send() to sss_dp_internal_get_send()
request because the internal request is going to handle more than just
account data
* the DBus return values were renamed from err_maj, err_min to dp_err
and dp_ret respectively |
6748486d61680426e8739bb5e7db7dd8409ef44c |
|
27-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
DP: Add support for services in dp requests |
0c7aa697991ea9df960fae14fd567ebdda3b4ff4 |
|
21-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
RESPONDER: Extend sss_dp_account_send() to include extra data
Some NSS maps such as 'services' require more values to be passed
to the data provider than just the name or ID. In these cases, we
will amend an optional component to filter value to pass to the
data provider backend. |
d844aab866ae237844360cea70e2dccdc90c783d |
|
20-Dec-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
PAM: make initgroups timeout work across multiple clients
Instead of timing out the initgroups lookup on a per-cctx basis,
we will maintain a hash table of recently-seen users and use this
instead. This will allow SSSD to handle user's logging into
multiple services simultaneously more graciously, as well as
playing nicer with SSH (which makes calls to PAM both before and
after a fork).
https://fedorahosted.org/sssd/ticket/1063 |
247a7056af42fc50bbc896cddb66a60154ca12e9 |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Responders: Split getting domain by name into separate function |
069a5fe72d38f8e15b4416992453ac41a425ce9a |
|
29-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
RESPONDER: Refactor DP requests into tevent_req style |
872f2d32d979a1dd2145667487f170fec8b5189a |
|
18-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
RESPONDER: Ensure that all input strings are valid UTF-8 |
d818283d39d56204ffe710b6c9b83a2cf497f946 |
|
06-May-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Allow changing the log level without restart
We will now re-read the confdb debug_level value when processing
the monitor_common_logrotate() function, which occurs when the
monitor receives a SIGHUP. |
c71ff1e4615ec8560b90ca7d4827d99424ad0355 |
|
22-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Update the ID cache for any PAM request
Also adds an option to limit how often we check the ID provider,
so that conversations with multiple PAM requests won't update the
cache multiple times.
https://fedorahosted.org/sssd/ticket/749 |
4967fe0bc52580f7e96974e30d3cf2f33fadaabe |
|
26-Oct-2010 |
Sumit Bose <sbose@redhat.com> |
Remove all nss requests after a reconnect
Currently we do not handle the open nss request after a reconnect and
wait until they timeout (which is a couple of minutes!). This patch adds
a handler that terminates all requests after a reconnect. Then responder
will return matching cache entries or nothing. |
ef39c0adcb61b16f9edc7beb4cdc8f3b0d5a8f15 |
|
13-Oct-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add netgroup support to the NSS responder |
c53ed27b33ecc7fcce62d4b3a3e55ce9cda1ca7c |
|
08-Sep-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Handle multiple simultaneous enumeration requests
Previously, if a second enumeration request arrived while one was
already being processed, each process would receive only a subset
of the total number of available users or groups. This is because
we were maintaining the response object as a global value in the
NSS responder. The second request would come in, see that the data
set was already populated, and start reading from wherever the
cursor was currently pointed.
With this patch, we now move the cursor to the client context
instead of the global NSS context.
Additionally, this patch completely rewrites the approach to
enumerations in the tevent_req style. This makes it much easier to
follow in the code.
In order to ensure that a slow or malicious client cannot hold
onto a reference for the setent result object indefinitely, we
set an expiration on the object. We use the enum_cache_timeout
here, since that is an appropriate value.
If the timeout fires during the normal operation of the get*ent()
loop of a client program, we will save the current values of the
read index so that we can resume as soon as the object has been
refreshed by an implicit setent call.
Instead of deleting the enumeration result object immediately
after the last in-progress client has read it, we'll keep the
object around for the lifetime of enum_cache_timeout. This way,
additional clients making enumeration requests can still access
the results in-memory. |
ea0173fe8ba915960621454168651c62301833cb |
|
16-Apr-2010 |
Sumit Bose <sbose@redhat.com> |
Use SO_PEERCRED on the PAM socket
This is the second attempt to let the PAM client and the PAM responder
exchange their credentials, i.e. uid, gid and pid. Because this approach
does not require any message interchange between the client and the
server the protocol version number is not changed.
On the client side the connection is terminated it the responder is not
run by root. On the server side the effective uid and gid and the pid of
the client are available for future use.
The following additional changes are made by this patch:
- the checks of the ownership and the permissions on the PAM sockets are
enhanced
- internal error codes are introduced on the client side to generate
more specific log messages if an error occurs |
b9923919909cb976ddf42002c56a42b1893e3547 |
|
16-Apr-2010 |
Sumit Bose <sbose@redhat.com> |
Revert "Add better checks on PAM socket"
This reverts commit 5a88e963744e5da453e88b5c36499f04712df097. |
5a88e963744e5da453e88b5c36499f04712df097 |
|
11-Mar-2010 |
Sumit Bose <sbose@redhat.com> |
Add better checks on PAM socket
- check if the public socket belongs to root and has 0666 permissions
- use a SCM_CREDENTIALS message if available |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |