ipa: support disabled domains #884

Closed
wants to merge 5 commits into from

Commits on Sep 18, 2019

  1. utils: extend some find_domain_* calls to search disabled domain

    This extension is needed to support disabled domains since it is
    now important to know if a domain is really unknown or only disabled.
    While an unknown domain might typically lead to an error, a caller might
    just ignore requests for disabled domains or objects from disabled
    domains.
    
    Related to https://pagure.io/SSSD/sssd/issue/4078
    sumit-bose committed Sep 18, 2019
    16bc34b
  2. ipa: support disabled domains

    IPA does not disable domains with the help of a flag in the domain
    objects but more generally with the help of the SID blacklist. With this
    patch the blacklist is read with other data about trusted domains and if
    the domain SID of a trusted domain is found the domain is disabled. As a
    result users and groups from this domain cannot be looked up anymore.
    
    Related to https://pagure.io/SSSD/sssd/issue/4078
    sumit-bose committed Sep 18, 2019
    e9969b7
  3. ipa: ignore objects from disabled domains on the client

    It is possible that a domain is already disabled on an IPA client but
    still active on the server. This might happen e.g. if the version of
    SSSD running on the IPA server does not support disabled domains or if
    SSSD on the IPA client updates the domain data before the IPA server and
    sees a freshly disabled domain earlier.
    
    As a result the server is still sending objects from disabled domains in
    the lists of group members or group memberships of a user. The client
    should just ignore those objects.
    
    Related to https://pagure.io/SSSD/sssd/issue/4078
    sumit-bose committed Sep 18, 2019
    2a9c531
  4. sysdb: add sysdb_subdomain_content_delete()

    sysdb_subdomain_content_delete() will remove all user and group objects
    from a sub-domain container but not the sub-domain object and the user
    and group container itself.
    
    Related to https://pagure.io/SSSD/sssd/issue/4078
    sumit-bose committed Sep 18, 2019
    Configuration menu
    Copy the full SHA
    0b40fac View commit details
    Browse the repository at this point in the history
  5. c6e6b31