f31610a9ba26b46de9eeab2b0719ff6ad8961104 |
|
16-Aug-2016 |
Pavel Březina <pbrezina@redhat.com> |
NSS: Remove unused functions
When removing the old data provider I noticed that those functions
are not used at all.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
6f0a0ae7599e3947c0b2e4649039f85829e57637 |
|
10-Aug-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
NSS: Use correct name for invalidating memory cache
After refactoring of sysdb, we get an internal fully qualified
name from backend in org.freedesktop.sssd.dataprovider_rev.initgrCheck.
Previously we got short name and we created fq name in
nss_update_initgr_memcache. Memory cache still needs to use short names
if it was specified.
This patch uses right name in different places.
Reviewed-by: Petr Cech <pcech@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4f3a9d837a55b49448eca3c713c85a406207e523 |
|
29-Jun-2016 |
Simo Sorce <simo@redhat.com> |
Responders: Make the client context more generic
This is useful to allow reusing the responder code with other protocols.
Store protocol data and responder state data behind opaque pointers and
use talloc_get_type to check they are of the right type.
This also allows to store per responder state_ctx so that, for example,
the autofs responder does not have to carry useless variables used only
by the nss responder.
Resolves:
https://fedorahosted.org/sssd/ticket/2918
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b9901fe3d6cfe05cd75a2440c0f9c7985aea36c6 |
|
20-Aug-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
NSS: Fix use after free
It can happen if there are two domains and user is not found
in the first one.
==29279== Invalid read of size 1
==29279== at 0x4C2CBA2: strlen (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29279== by 0x89A7AC4: talloc_strdup (in /usr/lib64/libtalloc.so.2.1.2)
==29279== by 0x11668A: nss_cmd_initgroups_search (nsssrv_cmd.c:4191)
==29279== by 0x118B27: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1208)
==29279== by 0x10F2B4: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:759)
==29279== by 0x126AFB: sss_dp_internal_get_done (responder_dp.c:802)
==29279== by 0x56EA861: ??? (in /usr/lib64/libdbus-1.so.3.7.4)
==29279== by 0x56EDB50: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4)
==29279== by 0x50721E1: sbus_dispatch (sssd_dbus_connection.c:96)
==29279== by 0x879B22E: tevent_common_loop_timer_delay (tevent_timed.c:341)
==29279== by 0x879C239: epoll_event_loop_once (tevent_epoll.c:911)
==29279== by 0x879A936: std_event_loop_once (tevent_standard.c:114)
==29279== Address 0xbbad240 is 96 bytes inside a block of size 106 free'd
==29279== at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29279== by 0x89A46E3: _talloc_free (in /usr/lib64/libtalloc.so.2.1.2)
==29279== by 0x116679: nss_cmd_initgroups_search (nsssrv_cmd.c:4190)
==29279== by 0x118B27: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1208)
==29279== by 0x10F2B4: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:759)
==29279== by 0x126AFB: sss_dp_internal_get_done (responder_dp.c:802)
==29279== by 0x56EA861: ??? (in /usr/lib64/libdbus-1.so.3.7.4)
==29279== by 0x56EDB50: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4)
==29279== by 0x50721E1: sbus_dispatch (sssd_dbus_connection.c:96)
==29279== by 0x879B22E: tevent_common_loop_timer_delay (tevent_timed.c:341)
==29279== by 0x879C239: epoll_event_loop_once (tevent_epoll.c:911)
==29279== by 0x879A936: std_event_loop_once (tevent_standard.c:114)
Resolves:
https://fedorahosted.org/sssd/ticket/2749
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
dda0258705de7255e6ec54b7f9adbde83a220996 |
|
05-Aug-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
NSS: Initgr memory cache should work with fq names
We need to store two versions of name to the initgroups memory cache.
Otherwise it could be stored many times if sssd is configured with
case_sensitive = false. It would be impossible to invalidate all
versions of names after user login. As a result of this, wrong user
groups could be returned from initgroups memory cache.
Therefore we store raw name provided by glibc function
and internal sanitized fully qualified name,
which is unique for particular user.
This patch also increases average space for initgroups
because there are also stored two quite long names in case of
fq names.
Resolves:
https://fedorahosted.org/sssd/ticket/2712
Reviewed-by: Michal Židek <mzidek@redhat.com> |
1a818ee8e01136166e7f2b37a441e7e779c6b1f4 |
|
10-Nov-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
NSS: Fix warning enumerated type mixed with another type
src/responder/nss/nsssrv_cmd.c:688: mixed_enum_type: enumerated type mixed with
another type
"enum sss_dp_acct_type" was mixed with type "int". ANSI C is not very
strict in this.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
899d1bdc048cd74518170d7d9535d76d3f46d4af |
|
01-Sep-2014 |
Sumit Bose <sbose@redhat.com> |
PAM, NSS: allow UPN login names
With this patch the NSS and PAM responders can handle user principal
names besides the fully qualified user names.
User principal names are built from a user name and a domain suffix
separated by an '@' sign. But the domain suffix does not necessarily have
to be the same as the configured domain name in sssd.conf or the
dynamically discovered DNS domain name of a domain. The typical use case
is an Active Directory forest with lots of different domains. To not
force the users to remember the name of the individual domain they
belong to, the AD administrator can set a common domain suffix for all
users from all domains in the forest. This is typically the domain name
used for emails to make it even easier for the users to remember it.
Since SSSD splits name and domain part at the '@' sign and the common
domain suffix might not be resolvable by DNS or the given user is not a
member of that domain (e.g. in the case where the forest root is used as
common domain suffix) SSSD might fail to look up the user.
With this patch the NSS and PAM responder will do an extra lookup for a
UPN if the domain part of the given name is not known or the user was
not found and the login name contained the '@' sign.
Resolves https://fedorahosted.org/sssd/ticket/1749 |
7d2437adc312d3322d36043ff458fafdb4b7f2cf |
|
01-Sep-2014 |
Sumit Bose <sbose@redhat.com> |
NSS: check_cache() add extra option
This patch adds a new parameter to check_cache() to allow setting the
extra value which is sent to the backend during lookup requests. |
83bf46f4066e3d5e838a32357c201de9bd6ecdfd |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Update DEBUG* invocations to use new levels
Use a script to update DEBUG* macro invocations, which use literal
numbers for levels, to use bitmask macros instead:
    grep -rl --include '*.[hc]' DEBUG . |
        while read f; do
            mv "$f"{,.orig}
            perl -e 'use strict;
                     use File::Slurp;
                     my @map=qw"
                        SSSDBG_FATAL_FAILURE
                        SSSDBG_CRIT_FAILURE
                        SSSDBG_OP_FAILURE
                        SSSDBG_MINOR_FAILURE
                        SSSDBG_CONF_SETTINGS
                        SSSDBG_FUNC_DATA
                        SSSDBG_TRACE_FUNC
                        SSSDBG_TRACE_LIBS
                        SSSDBG_TRACE_INTERNAL
                        SSSDBG_TRACE_ALL
                     ";
                     my $text=read_file(\*STDIN);
                     my $repl;
                     $text=~s/
                        ^
                        (
                            .*
                            \b
                            (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
                            \s*
                            \(\s*
                        )(
                            [0-9]
                        )(
                            \s*,
                        )
                        (
                            \s*
                        )
                        (
                            .*
                        )
                        $
                     /
                        $repl = $1.$map[$3].$4.$5.$6,
                        length($repl) <= 80
                            ? $repl
                            : $1.$map[$3].$4."\n".(" " x length($1)).$6
                     /xmge;
                     print $text;
                    ' < "$f.orig" > "$f"
            rm "$f.orig"
        done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
    grep -rwl --include '*.[hc]' DEBUG . |
        while read f; do
            mv "$f"{,.orig}
            perl -e \
                'use strict;
                 use File::Slurp;
                 my $text=read_file(\*STDIN);
                 $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
                 print $text;' < "$f.orig" > "$f"
            rm "$f.orig"
        done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
f7257ab0bcea6c41fab5a4677787f3075ecdcb64 |
|
04-Nov-2013 |
Pavel Reichl <pavel.reichl@redhat.com> |
Include ext headers with #include <foo.h> - cont
Changing style of including header files from outside of sssd tree - from "header.h" to <header.h> |
6eadbf9dab2ad9a9463dc23e91c9e2fc804c1e9b |
|
03-May-2013 |
Sumit Bose <sbose@redhat.com> |
Add SID related calls to the NSS responder
The patch adds 4 new calls to the NSS responder:
- SSS_NSS_GETSIDBYNAME
- SSS_NSS_GETSIDBYID
- SSS_NSS_GETNAMEBYSID
- SSS_NSS_GETIDBYSID
to either return the SIDs of the requested object or map the SID to the
name or the POSIX ID of the related object. |
b3e247cef1f1c81a24ae7759903c11289744e94c |
|
21-Apr-2013 |
Sumit Bose <sbose@redhat.com> |
Refactoring: remove duplicated code in nss responder
Different user and group lookup requests used nearly identical code,
this patch unifies some of the related code paths. |
408914f68673f2caa1c82a1a21336fcb7ddd52ef |
|
05-Dec-2012 |
Simo Sorce <simo@redhat.com> |
Hook for mmap cache update on initgroup calls
This set of functions enumerate the user's groups and invalidate them all
if the list does not match what we get from the caller. |
ebba1aa6b9783daa0d530e9f5e307f7be17d3cd3 |
|
05-Dec-2012 |
Simo Sorce <simo@redhat.com> |
Hook to perform a mmap cache update from sssd_nss
This set of functions enumerate each user/group from all domains
and invalidate any mmap cache record that matches. |
065771c9859df9c4137daa5187be3aa5633b3cd5 |
|
21-Jun-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Fix re_expression matching with subdomains
This patch fixes an issue which resulted in a need to initialize
responder with data from local domain, otherwise it would not correctly
detect requests for subdomains. Similar situation can occur if new
subdomain is added at runtime.
The solution is to ask for a list of subdomains in case there is a
candidate domain identified in the process of matching re_expressions
with given name. |
f2d943ee47bb313e0bb7276122587989a3c54fb4 |
|
24-Apr-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Retrieve subdomains if there is a request for fully qualified user |
acbc134c063e92a8db1237e1444ad4ada5f54ff8 |
|
17-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
NSS: Always return the same protocol that was requested
https://fedorahosted.org/sssd/ticket/1160 |
2cba1c86f48db866fc72738a32eecbbdcdf3dbdb |
|
13-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Remove setent structure when callback is called |
9e80079370ff3b943832adc3c5ef430e64be0a0c |
|
06-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: responder |
98076cabc2a8b8f71dc3bc1263519827f71a5fcc |
|
06-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
RESPONDERS: Refactor setent_req_list
Makes the setent_add_ref() and setent_notify_*() functions more generic
to be reusable by the autofs responder. |
ab68008f87504ace9451c14ba2a7e8dfec435779 |
|
01-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Refactor nss_cmd_send_empty |
49a5e85dc4deec84ce73862750b73dc764638d3d |
|
19-Dec-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Deleted declaration of nss_get_dom()
This function has been renamed to responder_get_domain() but this
declaration hasn't been deleted. |
069a5fe72d38f8e15b4416992453ac41a425ce9a |
|
29-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
RESPONDER: Refactor DP requests into tevent_req style |
7a0e6e2b9fc2fffc10f33e90926bb7edb5198dde |
|
25-Apr-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Don't use negative cache in netgroup lookup
In responder a negative cache is used to indicate that the record has
not been found by previous lookup. This approach is however not
applicable for netgroup lookup because the design of their lookup is a
little different.
This patch removes some pieces of code working with negative cache,
because they didn't function well. Instead a new flag has been added to
the positive cache. This flag indicates if the record in the cache
is a record of existing netgroup or it's just a placeholder.
https://fedorahosted.org/sssd/ticket/820 |
c5f66b8c471e472b3c6eecf87c93373ecf8d0890 |
|
06-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Remove unused enumeration cache timeout checks
The existence of the getent_ctx is used to track the enumeration cache
timeout. |
5ea3cfbb8272f5e02f8e9683c0028b3e1a3c9045 |
|
06-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Post enumeration tevent request if needed |
8c64b46e923ec590984325beedb29fcd09aac0e4 |
|
13-Oct-2010 |
Sumit Bose <sbose@redhat.com> |
Also return member groups to the client |
88a9c6a44b474bff0f7e22f9eb28a9e55df2c0b5 |
|
13-Oct-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Split out some helper functions for the NSS responder
Create a new private header and make some functions available for
other object files. |