24d8c85fae253f988165c112af208198cf48eef6 |
|
03-Nov-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Augment sysdb_try_to_find_expected_dn to match search base as well
In cases where the domain name in sssd.conf does not match the AD
domain, our previous matching process wouldn't match. This patch
augments the matching as follows:
- the search base is known to sysdb_try_to_find_expected_dn and is
expected to be non-NULL
- the existing matching is ran first
- during the search base, matching, all the non-DC components are
stripped from the search base to 'canonicalize' the search base
- if only a single entry that matches with a non-DC DN component
(matching with a DC component would mean the DN comes from a
different domain) then this entry is a match and is returned
Resolves:
https://fedorahosted.org/sssd/ticket/3199
Reviewed-by: Sumit Bose <sbose@redhat.com> |
20348a30feb4be619b3b691c24c9be8131507c46 |
|
18-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
sysdb: make subdomain calls aware of upn_suffixes
sysdb_subdomain_store() and sysdb_update_subdomains() can now update
upn_suffixes as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
132b31fd5fb74a7627896cdceaf29c7601ed4795 |
|
18-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
sysdb: add UPN suffix support for the master domain
sysdb_master_domain_update() and sysdb_master_domain_add_info() are now
aware of the UPN suffix attribute.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
5ff7a765434ed0b4d37564ade26d7761d06f81c3 |
|
01-Mar-2016 |
Sumit Bose <sbose@redhat.com> |
sdap: improve filtering of multiple results in GC lookups
The Global Catalog of AD contains some information about all users and
groups in an AD forest. Users from different domain in the forest can
have the same name. The most obvious example is the Administrator user
which is present in all domains. Although SSSD uses a domain specific
search base for looking up users in the GC the search might still return
multiple results if there is a user with the same name in one of the
child (or grand-child ...) domains because of the hierarchic nature of
the LDAP tree. Limiting the search depth would not help because users
can be created in deeply nested OUs.
Currently SSSD expects in this case that the user object is store in
CN=Users or below. This works for all default users like Administrator
but in general users can be created anywhere in the directory tree. If a
user is created outside of CN=Users and there is a user with the same
name in a child domain the initgroups command to look up the
group-memberships of the user fails because it is not clear which of the
two results should be used (initgroups for the child domain user works
fine).
This patch adds an additional scheme to select the right result based on
the domain component attribute name 'dc'. This attribute indicates an
additional component in the domain name and hence a child domain. So as
long as the result contains a dc component following out search base it
cannot be the object we are looking for. This scheme includes the old
CN=Users based one but since it is more expensive I kept the old scheme
which so far worked all the time and only use the new one if the old one
fails.
Resolves https://fedorahosted.org/sssd/ticket/2961
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
06d4c022874d4f12d70e79c3c749d52fe020dad6 |
|
14-Nov-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
test_sysdb_subdomains: Do not use assignment in assertions
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b5825c74b6bf7a99ae2172392dbecb51179013a6 |
|
21-Sep-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL: Convert domain->disabled into tri-state with domain states
Required for:
https://fedorahosted.org/sssd/ticket/2637
This is a first step towards making it possible for domain to be around,
but not contacted by Data Provider.
Also explicitly create domains as active, previously we only relied on
talloc_zero marking dom->disabled as false.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
50c9d542e8bf641412debaa82a4dcf67ddb72258 |
|
18-Sep-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
tests: Use unique name for TEST_PATH
We had a cases in patch where two tests were using the same TEST_PATH
and therefore they were stepping each other to the same files
which caused failures. These failures are not easy to reproduce.
This patch uses macro BASE_FILE_STEM for unique name. It should prevent
copy&paste problem resulting to intermittent failures.
@see also
https://www.gnu.org/software/make/manual/html_node/Automatic-Variables.html
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b50baee36c9ba9e1dd3f6b9c1356482aecd08128 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Add a forest root attribute to sss_domain_info
Instead of complex forest root search methods, establish forest root
during subdomain list update. The subdomain code can then just use the
forest_root pointer.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
9af86b9c936d07cff9d0c2054acde908749ea522 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Add realm to sysdb_master_domain_add_info
Adding realm to both master domain and subdomain will make it easier to
set and select forest roots. Even master domains can be forest members,
it's preferable to avoid special-casing as much as possible.
Includes a unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
526a15438525417cd701f837d7085b7f8c8a6325 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
TESTS: Add a test for sysdb_subdomains.c
The sysdb_subdomains.c module should have its own sysdb test, not share
the generic sysdb one.
Reviewed-by: Sumit Bose <sbose@redhat.com> |