sssd/sssd #2
Commits on Jul 7, 2016
-
PAM: Use qualified names internally in the PAM responder
The name is converted from whatever we receive on input to the internal format before processing the data further. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
SSH: Use a qualified name for user searches in the SSH responder
The name is converted from whatever we receive on input to the internal format before processing the data further. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
LDAP: Rename DP filter value from name to filter_value
filter_value is a better name, because we don't look just by name, the same variable is used to look up certificates etc. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
LDAP: Use shortname for LDAP queries
When looking up users or groups by name, we need to use the plain username in the filter. The domain is typically signified by the search base. When looking up by UPN, we can keep using the raw value from the DP. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
The username we receive from LDAP is a short name. Convert it to a qualified name before saving the user. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
LDAP: Convert RFC2307 member attribute values to FQDN-style ghostnames before acting on them
Ghostnames must be qualified as well, same as all other name attributes across SSSD. The ghost names are used by the NSS responder during getgr* output and the domain name parsed from the name is used in the output. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
SYSDB: Add a utility function to return a list of qualified names
Adds a utility function the LDAP provider can use. This is different from sss_create_internal_fqname_list in the sense that the LDAP provider passes in the attribute name that contains the name attribute value. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
LDAP: make it clear that sdap_add_incomplete_groups operates on sysdb names
Just provides a more descriptive name of a function parameter. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
LDAP: Use fqdns during nested RFC2307 initgroups
All user and group names are already qualified at this point, so let's remove the special case that stored users from trusted domains qualified. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
LDAP: Use FQDNs when saving incomplete groups
Even incomplete groups must be stored using the internal name format instead of whatever we receive from LDAP. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
LDAP: Delete cache entry if not found by UPN
Previously, the user account was only looked up by name when the LDAP provider didn't match any entry on the server side. This patch removes the entry from the cache with the matching function, either by name or by UPN. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
LDAP: The access control filter just needs the plain username
The LDAP access control code uses shortnames to construct an LDAP filter. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
PROXY: Use fully qualified names internally
Only use shortnames to interact with the system. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
TOOLS: Make the local domain operate on FQDNs
Normally we convert the names from short to internal format on input. For the local domain tools, we can consider the sss_sync_ops an input interface, to avoid having to convert the name in each tool and interface separately. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
SSS_CACHE: Make internal functions static
No need to export functions that are only used internally. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
SSS_CACHE: Don't use sss_get_domain_name, but create the internal fqname instead for users and groups
All users and groups are now stored in the cache using the same format, so we can use that one instead of creating a domain-specific name. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
SSS_SEED: Use FQDN for accessing sysdb
Same as all other tools. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
SSS_OVERRIDE: Fixes for fully qualified names
Use sss_create_internal_fqname for internal cache lookups. Because the object's existence is verified using getpw* and getgr*, we keep using sss_tc_fqname there, just to feed the NSS interface the expected qualified or unqualified name format. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
KRB5: Rely on internal fqname when constructing UPNs
Because internally, we use the same name for all users and groups regardless of the domain they belong to, we can parse the username from the qualified name in a simpler manner. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
KRB5: Rely on sysdb names for the renewal task
The domain name is part of the domain name, so we can parse it from there instead of relying on DN components. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
KRB5: Use shortname when expanding the user template in Kerberos ccache
Creating the username part of the ccache file is an output operation, it makes sense to use sss_output_name() there which parses the name out of the internal qualified name. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
AD: No need to separately qualify subdomain users anymore
All usernames across SSSD are stored in the same manner, so there's no need to create per-domain names anymore. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
SYSDB: Construct internal fqnames, not NSS names in sysdb_add_group_member_overrides
Because all users and groups are stored the same way in sysdb, we can avoid parsing and unparsing the name with NSS functions and instead just grab the name from the FQDN in the cache. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
IPA: Use internal fqname format instead of parsing NSS names
Parsing the extdom plugin output is an "input" operation from the point of the IPA provider, so we need to parse the name and conversely, internally use only the qualified name. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
IPA: expand name in ipa_add_ad_memberships_get_next()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
IPA: add missing user name to homedir_ctx
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
IPA: make get_object_from_cache() aware of UPN searches
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
IPA: HBAC evaluator consumes shortnames
SSSD uses an internal format to store user and group names, but the libhbac_ipa library uses only short names. Un-qualify the names before passing them on to the HBAC evaluator. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
SELINUX: Parse the internal fqname before using it
libselinux uses getpwnam() to retrieve the user data, therefore we qualify the data with sss_output_name() before calling libselinux. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
RESPONDERS: Return the sysdb name from cache_req
name.name is the input name. Since cache_req is an internal interface, we need to return the sysdb name instead. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
IPA: Save sudoUser qualified in the cache
When converting from the native IPA schema to the sysdb sudo schema, qualify sudoUser attributes that contain user and group names. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
LDAP: Qualify user and group names when saving the sudo users
If the sudoUser values we fetch from LDAP correspond to a user or a group name per: http://www.sudo.ws/man/1.8.14/sudoers.ldap.man.html then we parse the usernames into (name,domain) tuples and store them qualified. This patch not only makes the sudo provider work with qualified names, but also makes it possible to use qualified names on the LDAP side, allowing for example AD users from different domains to access sudo rules. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
IFP: Amend the InfoPipe responder for fqdns
Parses the internal sysdb names and puts them on the bus using the sss_output_name() helper. Previously, the raw sysdb names were used. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
TOOLS: sssctl: Work with trusted users
For users and groups, convert the input name to the qualified format. Resolves: https://fedorahosted.org/sssd/ticket/3059 Reviewed-by: Sumit Bose <sbose@redhat.com>
-
UTIL: Parse internal fqnames in find_domain_by_object_name
Previously, the sss_parse_name function was used. That function is meant to parse SSSD input, mainly in responders, not internal object names. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
The conversion to sysdb made several functions obsolete. Remove them. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
TESTS: Convert the tests to use qualified names for ldb lookups
The timestamp cache tests look into ldb to check the timestamps. This patch converts the lookups to qualified names to make sure the lookups actually match. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
SYSDB: Remove useless parameter from sysdb_init()
The function sysdb_init() is never used to allow upgrade, so the allow_upgrade parameter was pointless. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
SYSDB: Allow passing a context to sysdb upgrade functions
We decide on whether to upgrade or not based on a pointer value, not a boolean. This pointer points to a structure that the upgrade invoker (typically the monitor) can use to fill auxiliary data the sysdb upgrade has no means of instantiating. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
SYSDB: Fix small issues during db upgrade
This patch fixes several issues introduced during the recent sysdb upgrade:
1) The upgrade code often accesses sysdb->ldb, but at this point, the ldb pointer might not be initialized yet. As an ugly, yet functional workaround, we pass in the ldb pointer that we received from the caller as part of the sysdb structure.
2) The version that sysdb_domain_cache_upgrade() returns is not a talloc pointer, so the upgrade was crashing when we tried to steal it.
3) The ldb pointer sysdb_cache_connect() returns was kept allocated on the tmp_ctx. We need to steal it instead.
Reviewed-by: Sumit Bose <sbose@redhat.com>
-
SYSDB: Remove the timestamps cache on update
When the cache is upgraded, we want to avoid upgrading the timestamps cache, because it was only introduced recently in Beta, so it doesn't make sense to write complex code to change the format. This patch rather removes the cache during upgrade; it will be recreated with later lookups anyway. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
MEMBEROF: Allow bypassing memberof during upgrade
The next sysdb upgrade will be changing memberUid and memberOf attributes as well. To avoid changing the memberof module just because of an upgrade, add an environment variable that disables the memberof plugin altogether when set. The variable will be set at the beginning of the upgrade and unset later. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
SYSDB: Upgrade sysdb to use qualified names for users and groups, sudo rules and override objects
Runs a sysdb upgrade that changes objects that represent users, groups, sudo rules and overrides to the new schema, which uses the fully qualified names. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
SYSDB: qualify_attr: create new attribute only once
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
TOOLS: Some tool commands might not need initialization to succeed
Since we want to use the sssctl tool during upgrade, we need to amend the tools initialization code to not error out if sysdb can't be instantiated, but rather return errno and let the tool handle the error. Each tool command now has an 'allowed errno' the command is able to handle. In this patch iteration, only a single errno can be handled and only the upgrade command is able to do so. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
TOOLS: Add the upgrade-cache command
Allows upgrading the cache using the sssctl tool, which might be useful e.g. in RPM %post scripts. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
sudo: solve problems with fully qualified names
sudo expects the same name in the sudo rule as the login name. Therefore, if a fully qualified name is used or even enforced by setting use_fully_qualified_names to true or by forcing a default domain with default_domain_suffix, sssd is able to correctly return the rules but sudo can't match the user with the content of the sudoUser attribute since it is not qualified. This patch changes the rules on the fly to avoid using names at all. We do this in two steps:
1. We fetch all rules that match the current user name, id or groups and replace the sudoUser attribute with sudoUser: #uid.
2. We fetch complementary rules that contain netgroups since it is expected we don't have information about existing netgroups in the cache; sudo still needs to evaluate them for us if needed.
This patch also removes the test for sysdb_get_sudo_filter since it wasn't sufficient anyway and I did not rewrite it since I don't think it is a good thing to have filter tests that depend on exact filter order. Resolves: https://fedorahosted.org/sssd/ticket/2919 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
SUDO: Add more low-level tracing messages
Just adds more debugging messages that are handy in seeing what gets passed between sudo responder and client. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
fix some 'might be used uninitialized' warnings
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
PAM/KRB5: optional otp and password prompting
Depending on the available Kerberos pre-authentication methods pam_sss will prompt the user for a password, 2 authentication factors or both. Resolves https://fedorahosted.org/sssd/ticket/2988 Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
Fix packet size calculation in sss_packet_new
Use division instead of modulo while rounding the created packet size up to a multiple of SSSSRV_PACKET_MEM_SIZE in sss_packet_new. This fixes potential packet buffer overflows with certain body sizes. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-
sss_ini: Small refactoring of sss_ini_call_validators
Separate logic to fill errobj so that the errors can be printed by the caller. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
sssctl: Add config-check command
Fixes: https://fedorahosted.org/sssd/ticket/2269 The sssctl config-check command allows calling the SSSD config file validators on demand. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
Related to: https://fedorahosted.org/sssd/ticket/2247 Explain configuration merging in sssd.conf man page. Signed-off-by: Dan Lavu <dlavu@redhat.com> Reviewed-by: Dan Lavu <dlavu@redhat.com>
-
LDAP: Lookup services by all protocols unless a protocol is specified
The DP refactoring changed the way we handle strings from sbus. We no longer receive NULL strings, but empty strings instead. Reviewed-by: Sumit Bose <sbose@redhat.com>
-
CONFIGURE: Inform about optional build dependencies
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
SSH-CERT: always initialize cert_verify_opts
Currently cert_verify_opts is only initialized when there is an option in the config file. This might cause issues later when the struct is accessed. Since parse_cert_verify_opts() can already handle an empty option the additional check is not needed at all. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
cert_to_ssh_key: properly add leading 0 to bignums
In the ssh keys a leading 0 is added to the bignums of the RSA modulus and exponent if the leading bit is set to avoid the interpretation as a negative number. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
Resolves: https://fedorahosted.org/sssd/ticket/3055 Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Commits on Jul 11, 2016
-
Functions sysdb_user_base_dn() and sysdb_group_base_dn() expect that struct sss_domain_info contains pointer to struct sysdb_ctx. This is not true in case of sysdb_upgrade functions. This patch fixes the situation and revert code to the state before 12a000c commit. Resolves: https://fedorahosted.org/sssd/ticket/3023 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>
Petr Cech authored and Lukas Slebodnik committed Jul 11, 2016
-
sssctl: Fix error handling after memory allocation failure
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Lukas Slebodnik committed Jul 11, 2016
-
sssctl: config-check access check report
Improve output when access check error is detected by sssctl config-check command. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Commits on Jul 12, 2016
-
FO: Set port to NOT_WORKING when trying a next server
Resolves: https://fedorahosted.org/sssd/ticket/3009 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-
sssctl: Fix format string for size_t
src/tools/sssctl/sssctl_config.c: In function 'sssctl_config_check':
src/tools/sssctl/sssctl_config.c:93:14: warning: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'size_t {aka unsigned int}' [-Wformat=]
     printf(_("Issues identified by validators: %lu\n"), num_errors);
              ^
src/tools/sssctl/sssctl_config.c:93:12: note: in expansion of macro '_'
     printf(_("Issues identified by validators: %lu\n"), num_errors);
            ^
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
doxygen: Fix path to header file ipa_hbac.h
Warning: tag INPUT: input source `src/providers/ipa/ipa_hbac.h' does not exist
warning: source src/providers/ipa/ipa_hbac.h is not a readable file or directory... skipping.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
ipa_hbac: Fix documentation for hbac_enable_debug
src/lib/ipa_hbac/ipa_hbac.h:68: warning: expected whitespace after [ command
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
sssctl: Fix warning maybe-uninitialized
It looks like some special gcc optimization and special case may cause the output argument _dom to be uninitialized when the return code is EOK.
src/tools/sssctl/sssctl_cache.c: In function ‘sssctl_print_object’:
src/tools/sssctl/sssctl_cache.c:491:8: error: ‘dom’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
     if (dom == NULL) {
        ^
src/tools/sssctl/sssctl_cache.c:447:15: error: ‘entry’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
     *_entry = talloc_steal(mem_ctx, entry);
               ^~~~~~~~~~~~
src/tools/sssctl/sssctl_cache.c:412:25: note: ‘entry’ was declared here
     struct sysdb_attrs *entry;
                         ^~~~~
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
MAN: Update description of sssctl
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-
views: allow override added for non-default views at runtime
Currently a new override for a non-default view cannot be displayed at run-time. It does not only require a restart; the view must be un-applied and applied again to make the changes visible. This patch fixes this and makes non-default views behave like the default view, where the data from a newly added override are displayed after the cached entry of the related object is expired. Resolves https://fedorahosted.org/sssd/ticket/3092 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-
nss-srv-tests: Fix prototype of wrapped ncache functions
The argument ttl was recently removed from negative cache functions (sss_ncache_check_user, sss_ncache_check_uid, sss_ncache_check_sid, sss_ncache_check_cert) but it was not removed from the wrapped versions in nss-srv-tests. It caused a crash on a big endian machine when configured with --coverage. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-
TOOLS: Prevent dereference of null pointer
VAR_CHECK is called with (var, EOK, ...). EOK would be returned in case of "var != EOK" and the output argument _attrs would not be initialized. Therefore there could be a dereference of a null pointer after calling the function usermod_build_attrs. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-
config: override_space is monitor's option
We read override_space from [sssd] not [nss] section. Resolves: https://fedorahosted.org/sssd/ticket/3068 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
Fixes: https://fedorahosted.org/sssd/ticket/3068 Option user_attributes is also available in NSS responder, but not in PAC responder. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
sysdb-tests: Fix cast from pointer to integer
src/tests/sysdb-tests.c: In function 'test_sysdb_memberof_close_loop':
src/tests/sysdb-tests.c:2740:5: warning: passing argument 1 of '_ck_assert_msg' makes integer from pointer without a cast [enabled by default]
     fail_unless(data->attrlist[0], "talloc_array failed.");
     ^
In file included from src/tests/sysdb-tests.c:23:0:
/usr/include/check.h:237:16: note: expected 'int' but argument is of type 'const char *'
 void CK_EXPORT _ck_assert_msg (int result, const char *file,
                ^
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Lukas Slebodnik committed Jul 12, 2016
-
PROVIDERS: Setting right {u,g}id if unprivileged
be_ctx had talloc_zero()-initialized uid and gid which were used in the function dp_init(). Therefore the back-end was started as root every time and non-root responders could not communicate with the back-end due to wrong permissions on the unix sockets. This patch sets the right uid and gid for data providers if sssd runs as a non-root user. Resolves: https://fedorahosted.org/sssd/ticket/3077 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Petr Cech authored and Lukas Slebodnik committed Jul 12, 2016
-
config: Allow timeout for all services
Allow option "timeout" for all services. Also remove unused macro CONFDB_SERVICE_TIMEOUT. Resolves: https://fedorahosted.org/sssd/ticket/3068 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
config: Add config_file_version to schema
Resolves: https://fedorahosted.org/sssd/ticket/3068 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Commits on Jul 13, 2016
-
Fixes: https://fedorahosted.org/sssd/ticket/3076 We segfaulted in this area once. This patch makes the code more defensive and adds some DEBUG messages. Normally the structures are filled in online and/or resolve callbacks. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-
sssctl: move filter creation to separate function
Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
-
sssctl: improve readability of a condition
Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
Commits on Jul 15, 2016
-
DP: rename be_acct_req to dp_id_data
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
sdap: Fix ldap_rfc_2307_fallback_to_local_users
We wrongly tried to store empty user attributes instead of the local user attributes with ldap_rfc_2307_fallback_to_local_users set to true. This gave us bad initgroups results and caused segfaults. Resolves: https://fedorahosted.org/sssd/ticket/3045 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Commits on Jul 18, 2016
-
SPEC: Move nfsidmap plugin to separate package
Resolves: https://fedorahosted.org/sssd/ticket/3024 Reviewed-by: Noam Meltzer <tsnoam@gmail.com>
Lukas Slebodnik committed Jul 18, 2016
-
sssctl: Use localtime for time stamps
Resolves: https://fedorahosted.org/sssd/ticket/3096 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-
test_utils: Clean files after sss_write_krb5_conf_snippet
The test directory was not removed (tp_test_utils-test_utils) because it contains the snippet for krb5_libdefaults. Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
Lukas Slebodnik committed Jul 18, 2016
-
IPA: read ipaNTAdditionalSuffixes for master and trusted domains
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
sysdb: add UPN suffix support for the master domain
sysdb_master_domain_update() and sysdb_master_domain_add_info() are now aware of the UPN suffix attribute. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
sysdb: make subdomain calls aware of upn_suffixes
sysdb_subdomain_store() and sysdb_update_subdomains() can now update upn_suffixes as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
IPA: add ipa_init_get_krb5_auth_ctx()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
IPA: enable enterprise principals if server supports them
If there are alternative UPN suffixes found on the server we can safely assume that the IPA server supports enterprise principals. Resolves https://fedorahosted.org/sssd/ticket/3018 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Commits on Jul 22, 2016
-
CI: Use /bin/sh as a CONFIG SHELL
There is a bug on debian_testing in bash.
sh$ valgrind /bin/bash
==25145== Memcheck, a memory error detector
==25145== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==25145== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==25145== Command: /bin/bash
==25145==
==25145== Invalid read of size 1
==25145==    at 0x4B90B1: ??? (in /bin/bash)
==25145==    by 0x43FE9B: initialize_shell_variables (in /bin/bash)
==25145==    by 0x41E4C0: ??? (in /bin/bash)
==25145==    by 0x41F722: main (in /bin/bash)
==25145==  Address 0x58307f8 is 8 bytes before a block of size 31 alloc'd
==25145==    at 0x4C2BBCF: malloc (vg_replace_malloc.c:299)
==25145==    by 0x475D1A: xmalloc (in /bin/bash)
==25145==    by 0x4B7F4A: tilde_expand (in /bin/bash)
==25145==    by 0x42E63D: bash_tilde_expand (in /bin/bash)
==25145==    by 0x43FE79: initialize_shell_variables (in /bin/bash)
==25145==    by 0x41E4C0: ??? (in /bin/bash)
==25145==    by 0x41F722: main (in /bin/bash)
==25145==
malloc: .././variables.c:570: assertion botched
free: called with unallocated block argument
last command: (null)
Aborting...==25145==
And /bin/bash was used as the default SHELL in scripts generated by configure+libtool. It started to fail with the latest valgrind, valgrind-3.12.0~svn20160714-1. The workaround is to use /bin/sh, which is a symlink to /bin/dash. Reviewed-by: Petr Cech <pcech@redhat.com>
Lukas Slebodnik committed Jul 22, 2016
-
SECRETS: Log message for failures with removing file
Type: Unchecked return value. Reported by coverity. Reviewed-by: Petr Čech <pcech@redhat.com>
Lukas Slebodnik committed Jul 22, 2016
Commits on Jul 25, 2016
-
The capaths for a single domain should be collected in a single sub-section in the MIT Kerberos configuration, not spread over multiple ones. See the capaths section of the krb5.conf man page for details. Resolves: https://fedorahosted.org/sssd/ticket/3103 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
UTIL: make domain mapping content testable
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
tests: add tests for sss_get_domain_mappings_content()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
Amend debug messages after failure of unlink
Some messages did not have errno or the name of the problematic file. There was also improper use of a negative value: the function strerror was called with -1 instead of errno. Reviewed-by: Petr Čech <pcech@redhat.com>
Lukas Slebodnik committed Jul 25, 2016
-
SYSDB: Do not try to modify ts cache for unsupported DNs
Only users and groups have timestamp data in the separate cache. It caused false positive warnings for autofs, netgroup ... Reviewed-by: Petr Čech <pcech@redhat.com>
Lukas Slebodnik committed Jul 25, 2016
-
AD: avoid memory leak in netlogon_get_domain_info() and make it public
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
AD: netlogon_get_domain_info() allow missing arguments and empty results
netlogon_get_domain_info() should not fail if not all parameters can be retrieved. It should be the responsibility of the caller to see if the needed data is available and act accordingly. Resolves: https://fedorahosted.org/sssd/ticket/3104 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
tests: add tests for netlogon_get_domain_info
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
AD: replace ad_get_client_site_parse_ndr() with netlogon_get_domain_info()
netlogon_get_domain_info() does not fail if only the site is missing in the CLDAP ping response. If the site is not available a Global Catalog can still be looked up with the forest name. Only if the forest name is missing as well do we fall back to the configured domain name. Resolves: https://fedorahosted.org/sssd/ticket/3104 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
sysdb_master_domain_add_info: properly set do_update
do_update should only be set if there is a change, i.e. if something was added to the ldb_message. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Commits on Jul 26, 2016
-
SYSDB: Removing of duplication of sysdb_ts_cache_attrs
Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
Petr Cech authored and Lukas Slebodnik committed Jul 26, 2016
-
test_utils: Fixing assignment discards 'const' qualifier
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Petr Cech authored and Lukas Slebodnik committed Jul 26, 2016
Commits on Jul 29, 2016
-
IPA: make ipa_resolve_user_list_{send|recv} public and allow AD users
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
IPA: expand ghost members of AD groups in server-mode
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
sysdb: add sysdb_get_user_members_recursively()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
views: properly override group member names
Resolves https://fedorahosted.org/sssd/ticket/2948 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
IPA: fix lookup by UPN for subdomains
Currently the user name used in the extdom exop request is unconditionally set to the short name. While this is correct for the general name-based lookups, it breaks UPN/email-based lookups where the name part after the @-sign might not match the domain name. I guess this was introduced during the sysdb refactoring. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
LDAP: allow multiple user principals
In general a user can have multiple principals and recent IPA versions added support for defining multiple principals. With this patch SSSD stores not only the first but all principals read by LDAP from a server. Resolves https://fedorahosted.org/sssd/ticket/2958 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
LDAP: new attribute option ldap_user_email
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
sysdb: include email in UPN searches
Email addresses and Kerberos user principal names (UPNs) do not only look similar; they also can be used to identify a user uniquely. In future this approach should be replaced by a more generic one where the attributes which can uniquely identify a user can be configured, to support an even wider range of login names. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
LDAP: include email in UPN searches
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
NSS: add user email to fill_orig()
The IPA server must send the email address of a user to the clients to allow login by email. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
utils: add is_email_from_domain()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
LDAP/IPA: add local email address to aliases
Adding email addresses from the local domain to the alias names is strictly not needed but might help to speed up lookups in the NSS responder. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
NSS: continue with UPN/email search if name was not found
Currently we only search for UPNs if the domain part of the name was not known; with Kerberos aliases and email addresses we have to do this even if the domain name is a known domain. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
PAM: continue with UPN/email search if name was not found
Currently we only search for UPNs if the domain part of the name was not known; with Kerberos aliases and email addresses we have to do this even if the domain name is a known domain. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
NSS: use different neg cache name for UPN searches
If Kerberos principals or email addresses have the same domain suffix as the domain itself, the first user lookup by name might have already added the name to the negative cache and the second lookup by UPN/email will skip the domain because of the neg cache entry. To avoid this a special name with a '@' prefix is used here. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
PAM: Fix domain for UPN based lookups
Since sysdb_search_user_by_upn() searches the whole cache we have to set the domain so that it matches the result. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
SDAP: add special handling for IPA Kerberos enterprise principal strings
Unfortunately principal aliases with an alternative realm are stored in IPA as the string representation of an enterprise principal, i.e. name\@alt.realm@IPA.REALM. To allow searches with the plain alias 'name@alt.realm' the returned value is converted before it is saved to the cache. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
SDAP: add enterprise principal strings for user searches
Unfortunately principal aliases with an alternative realm are stored in IPA as the string representation of an enterprise principal, i.e. name\@alt.realm@IPA.REALM. To be able to look up the alternative principal in LDAP properly the UPN search filter is extended to search for this type of name as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Commits on Aug 2, 2016
-
LDAP: Fix storing initgroups for users with no supplementary groups
If there are no supplementary groups, we tried to qualify a NULL pointer to an array which resulted in an error. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
LDAP: Changing of confusing debug message
This debug message used to confuse our customer. So this patch changes it. Resolves: https://fedorahosted.org/sssd/ticket/3091 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Petr Cech authored and Lukas Slebodnik committed Aug 2, 2016
Commits on Aug 4, 2016
-
LDAP: Use FQDN when linking parent LDAP groups
Resolves: https://fedorahosted.org/sssd/ticket/3093 Because we compare the list of LDAP names with the list of sysdb names, we need to qualify the list of LDAP names before running the diff. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
-
RESPONDERS: Decrease debug level for failures in SELINUX_getpeercon()
As this is not FATAL and may happen when SELinux is disabled, let's just decrease the debug level to MINOR_FAILURE. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Related: https://fedorahosted.org/sssd/ticket/3094 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
RESPONDERS: Show a bit more info in case of SELINUX_getpeercon() failure
Be explicit that it may happen when SELinux is disabled and also suggest to enable SELinux. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Related: https://fedorahosted.org/sssd/ticket/3094 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
RESPONDERS: Pass errno to strerror() when SELINUX_getpeercon() fails
Currently ret, which is -1, is passed to strerror() instead of errno. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Related: https://fedorahosted.org/sssd/ticket/3094 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
sss_ini: Change debug level of config error msgs
Syntax errors in configuration files prevent SSSD or sssctl from starting completely. It would be good to display these errors by default with the highest level. Reviewed-by: Petr Čech <pcech@redhat.com>
Commits on Aug 5, 2016
-
sssctl: Consistent commands naming
Use TOPIC-ACTION pattern for sssctl command names. Resolves: https://fedorahosted.org/sssd/ticket/3087 Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
SDAP: sanitize member name before using in filter
It caused an error.
(Tue Aug 2 06:29:39 2016) [sssd[be[LDAP]]] [sysdb_cache_search_users] (0x2000): Search users with filter: (&(objectclass=user)(nameAlias=t(u)ser@ldap))
(Tue Aug 2 06:29:39 2016) [sssd[be[LDAP]]] [sysdb_cache_search_users] (0x0080): Error: 5 (Input/output error)
Resolves: https://fedorahosted.org/sssd/ticket/3121
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Lukas Slebodnik committed Aug 5, 2016
-
SDAP: sysdb_search_users does not set users_count for failures
==32577== Conditional jump or move depends on uninitialised value(s)
==32577==    at 0x140DCE10: sdap_process_missing_member_2307 (sdap_async_groups.c:1556)
==32577==    by 0x140DCE10: sdap_process_group_members_2307 (sdap_async_groups.c:1625)
==32577==    by 0x140DCE10: sdap_process_group_send (sdap_async_groups.c:1298)
==32577==    by 0x140DCE10: sdap_get_groups_process (sdap_async_groups.c:2130)
==32577==    by 0x140CFDA8: generic_ext_search_handler.isra.3 (sdap_async.c:1688)
==32577==    by 0x140D2416: sdap_get_generic_op_finished (sdap_async.c:1578)
==32577==    by 0x140D0DFC: sdap_process_message (sdap_async.c:353)
==32577==    by 0x140D0DFC: sdap_process_result (sdap_async.c:197)
==32577==    by 0x8BF1B4E: tevent_common_loop_timer_delay (tevent_timed.c:341)
==32577==    by 0x8BF2B59: epoll_event_loop_once (tevent_epoll.c:911)
==32577==    by 0x8BF1256: std_event_loop_once (tevent_standard.c:114)
==32577==    by 0x8BED40C: _tevent_loop_once (tevent.c:533)
==32577==    by 0x8BED5AA: tevent_common_loop_wait (tevent.c:637)
==32577==    by 0x8BF11F6: std_event_loop_wait (tevent_standard.c:140)
==32577==    by 0x529DD02: server_loop (server.c:702)
==32577==    by 0x110951: main (data_provider_be.c:587)
Resolves: https://fedorahosted.org/sssd/ticket/3121
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Lukas Slebodnik committed Aug 5, 2016
-
SYSDB: Sanitize dn in sysdb_get_user_members_recursively
There was a crash in the nss responder when a group contained a user with special characters which should be sanitized before using in a filter.
==31651== Conditional jump or move depends on uninitialised value(s)
==31651==    at 0x8BEA7DE: _talloc_steal_loc (talloc.c:1215)
==31651==    by 0x5264889: sysdb_get_user_members_recursively (sysdb_ops.c:4759)
==31651==    by 0x5278F61: sysdb_add_group_member_overrides (sysdb_views.c:1375)
==31651==    by 0x526677C: sysdb_getgrnam_with_views (sysdb_search.c:799)
==31651==    by 0x1172F6: nss_cmd_getgrnam_search (nsssrv_cmd.c:3168)
==31651==    by 0x119C67: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1382)
==31651==    by 0x10FD14: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:916)
==31651==    by 0x12898B: sss_dp_internal_get_done (responder_dp.c:791)
==31651==    by 0x58FF861: complete_pending_call_and_unlock (dbus-connection.c:2314)
==31651==    by 0x5902B50: dbus_connection_dispatch (dbus-connection.c:4580)
==31651==    by 0x527F261: sbus_dispatch (sssd_dbus_connection.c:96)
==31651==    by 0x89D8B4E: tevent_common_loop_timer_delay (tevent_timed.c:341)
Resolves: https://fedorahosted.org/sssd/ticket/3121
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
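The two commits above ("SDAP: sanitize member name before using in filter" and "SYSDB: Sanitize dn in sysdb_get_user_members_recursively") fix the same class of defect: a string taken from the directory is pasted into a search filter without escaping, so a name such as t(u)ser@ldap yields a filter the parser rejects, and an attacker-controlled name could alter the filter's meaning. The following is an added example, not SSSD's own code (SSSD has its own helper for this, sss_filter_sanitize()); it escapes filter values as RFC 4515 section 3 requires and shows the filter from the log above built safely. The function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a value for use inside an LDAP search filter (RFC 4515 section 3).
 * The characters '*', '(', ')' and '\' are replaced by a backslash and the
 * two hex digits of their byte value; NUL cannot occur in a C string, so it
 * needs no case here. Returns a malloc'd string the caller frees, or NULL on
 * allocation failure. */
char *ldap_filter_escape(const char *value)
{
    size_t len = strlen(value);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte escaped */
    if (out == NULL) {
        return NULL;
    }
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        switch (c) {
        case '*':
        case '(':
        case ')':
        case '\\':
            p += sprintf(p, "\\%02x", c);   /* e.g. '(' -> "\28" */
            break;
        default:
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* Build the same kind of filter the sysdb user search in the log uses,
 * "(&(objectclass=user)(nameAlias=<value>))", with the value escaped.
 * Returns a malloc'd filter or NULL on allocation failure. */
char *build_alias_filter(const char *alias)
{
    static const char fmt[] = "(&(objectclass=user)(nameAlias=%s))";
    char *esc = ldap_filter_escape(alias);
    if (esc == NULL) {
        return NULL;
    }
    size_t n = strlen(esc) + sizeof(fmt);   /* sizeof(fmt) covers the NUL and the literal text */
    char *filter = malloc(n);
    if (filter != NULL) {
        snprintf(filter, n, fmt, esc);
    }
    free(esc);
    return filter;
}

int main(void)
{
    /* Constructed inputs: the alias from the log above and a DN with
     * special characters, as the sysdb recursive member lookup would embed
     * in a "(member=...)" filter. */
    char *f = build_alias_filter("t(u)ser@ldap");
    char *dn = ldap_filter_escape("cn=t(u)ser*,cn=users,dc=ldap");
    printf("%s\n(member=%s)\n", f, dn);
    free(f);
    free(dn);
    return 0;
}
```

Escaping rather than rejecting keeps such names resolvable, which is what the fix above does: the search succeeds with the literal characters instead of failing with an I/O error or matching something else.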
Lukas Slebodnik committed Aug 5, 2016
-
SYSDB: Fix setting dataExpireTimestamp if sysdb is supposed to set the current time
sysdb is already able to retrieve the current timestamp if the caller doesn't specify it. However, for the timestamp cache this came too late and the timestamp cache used zero as the 'now' time. Resolves: https://fedorahosted.org/sssd/ticket/3064 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-
IPA: Changing of confusing debug message
This debug message used to confuse our users. So this patch changes it.
Old version: "Trust direction of %s is %s\n"
New version: "Trust type of [%s]: %s\n"
Resolves: https://fedorahosted.org/sssd/ticket/3090 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Petr Cech authored and Lukas Slebodnik committed Aug 5, 2016
-
Revert "LDAP: Lookup services by all protocols unless a protocol is specified"
This reverts commit aa58e21. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Petr Cech authored and Lukas Slebodnik committed Aug 5, 2016
-
PROVIDER: Conversion empty string from D-Bus to NULL
This patch fixes the issue with an empty string received from D-Bus. Data providers obtain NULL. So this is a simple conversion. Resolves: https://fedorahosted.org/sssd/ticket/3084 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Petr Cech authored and Lukas Slebodnik committed Aug 5, 2016
-
tools: Add missing gettext macro
The message in SSS_TOOL_DELIMITER should be translated. Reviewed-by: Petr Čech <pcech@redhat.com>
-
SDAP: Don't log an op failure when no users are found
When no users are found during the search users process, just log (at TRACE_ALL level) that zero users were retrieved and avoid logging (at OP_FAILURE level) that a failure has occurred, which may end up misleading admins, giving them the impression that something wrong has happened. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Resolves: https://fedorahosted.org/sssd/ticket/3089 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Commits on Aug 8, 2016
-
LDAP: Fix Dereference after NULL check
The commit dc30c60 changed the logic in the NULL check
- if (protocol) {
+ if (protocol == NULL) {
Found by Coverity:
Reviewed-by: Petr Čech <pcech@redhat.com>
Lukas Slebodnik committed Aug 8, 2016
-
LDAP: Fixing wrong pam error code for passwd
This patch adds the right pam error code for the sssd offline state. Resolves: https://fedorahosted.org/sssd/ticket/3109
Petr Cech authored and Lukas Slebodnik committed Aug 8, 2016
-
PAM: Do not act on ldb_message in case of a failure
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
IPA: Check the return value of sss_parse_internal_fqname
We should fail the request if sss_parse_internal_fqname() fails. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Commits on Aug 9, 2016
-
DP: Initialize D-Bus as soon as possible
Resolves: https://fedorahosted.org/sssd/ticket/3111 Reviewed-by: Petr Cech <pcech@redhat.com>
-
sssctl: Generic help for cache-upgrade and config-check
sssctl COMMAND --help should print at least generic help, even if the command does not accept any command specific options. Resolves: https://fedorahosted.org/sssd/ticket/3086 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-
NSS: Do not check local users with disabled local_negative_timeout
sssd_nss can set a different negative timeout for local users and groups. However, checking whether a user/group is local is quite an expensive operation. We can avoid such operations if local_negative_timeout is not set. This fix improves performance (40%) of looking up non-existing entries in offline mode and with disabled local_negative_timeout.
sh$ cat pok.sh
for i in {1..10000}; do
    getent passwd -s sss temp$i
    getent group -s sss temp$i
done
#without patch
sh $time /bin/bash pok.sh
real 0m41.534s
user 0m3.580s
sys 0m14.202s
#with patch
sh $time /bin/bash pok.sh
real 0m26.686s
user 0m3.292s
sys 0m13.165s
Resolves: https://fedorahosted.org/sssd/ticket/3122
Reviewed-by: Petr Cech <pcech@redhat.com>
-
UTILS: Fixing duplication of pid file declaration
Resolves: https://fedorahosted.org/sssd/ticket/2978 Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
Remove all entries in a directory but will not remove the directory itself. Reviewed-by: Petr Cech <pcech@redhat.com>
-
sssctl: use internal API to remove files
Reviewed-by: Petr Cech <pcech@redhat.com>
Commits on Aug 10, 2016
-
config_schema: Add ldap_user_email to schema
Resolves: https://fedorahosted.org/sssd/ticket/3068 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Lukas Slebodnik committed Aug 10, 2016
-
intg: Make location of sssd nss module configurable
The path to the sssd nss module (libsss_nss.so) was relative to the prefix and expected the subdirectory "lib". 32bit and 64bit platforms and different distributions use different paths. This patch allows using the python module sssd_id even with the real module and not just in integration tests. It is just required to prepare "config.py" with the right path. e.g.
cd ~/sssd/src/tests/intg
[~/sssd/src/tests/intg]$ echo "NSS_MODULE_DIR = '/usr/lib64'" > config.py
[~/sssd/src/tests/intg]$ python
Python 2.7.12 (default, Jul 18 2016, 09:57:01)
[GCC 6.1.1 20160621 (Red Hat 6.1.1-3)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import sssd_id
>>> sssd_id.get_user_gids('user')
(1, 0, [5977, 1070, 5845, 1076, 1074, 10327, 5975, 5766])
Reviewed-by: Petr Čech <pcech@redhat.com>
Lukas Slebodnik committed Aug 10, 2016
-
sh-4.2# getent netgroup -s sss QAUsers
QAUsers ( ,qa1,example.com) ( ,qa2,example.com) ( ,qa3,example.com)
sh-4.2# getent netgroup -s sss QASystems
QASystems (qahost1.example.com,,) (qahost2.lab.eng.pnq.redhat.com,,)
sh-4.2# getent netgroup -s sss test
sh-4.2# echo $?
2
sh-4.2# python
Python 2.7.5 (default, Aug 2 2016, 04:20:16)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import sssd_netgroup
>>> sssd_netgroup.get_sssd_netgroups('QAUsers')
(1, 0, [(None, 'qa1', 'example.com'), (None, 'qa2', 'example.com'), (None, 'qa3', 'example.com')])
>>> sssd_netgroup.get_sssd_netgroups('QASystems')
(1, 0, [('qahost1.example.com', None, None), ('qahost2.lab.eng.pnq.redhat.com', None, None)])
>>> sssd_netgroup.get_sssd_netgroups('test')
(0, 0, [])
>>>
Reviewed-by: Petr Čech <pcech@redhat.com>
Lukas Slebodnik committed Aug 10, 2016
-
NSS: Use correct name for invalidating memory cache
After the refactoring of sysdb, we get an internal fully qualified name from the backend in org.freedesktop.sssd.dataprovider_rev.initgrCheck. Previously we got a short name and we created the fq name in nss_update_initgr_memcache. The memory cache still needs to use short names if it was specified. This patch uses the right name in different places. Reviewed-by: Petr Cech <pcech@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
SYSDB: Avoid optimisation with modifyTimestamp for users
The usage of modifyTimestamp needn't be a reliable way of detecting changes in a user entry in LDAP. The authorisation needs to rely on current data from LDAP and therefore we will temporarily disable the optimisation with modifyTimestamp and we will rather rely on a deep comparison of attributes. In the future, it might be changed and responders might control the optimization level. Resolves: https://fedorahosted.org/sssd/ticket/3110 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
dyndns-tests: Fix false positive failures
The child process finished faster than it was handled by the parent and therefore it timed out. It's a similar solution as in b3074dc
[ RUN ] dyndns_test_error
(Fri Jul 29 16:12:00:621444 2016) [sssd] [nsupdate_child_timeout] (0x0020): Timeout reached for dynamic DNS update
Could not run the test - check test fixtures
[ ERROR ] dyndns_test_error
Reviewed-by: Petr Čech <pcech@redhat.com>
Lukas Slebodnik committed Aug 10, 2016
-
SIMPLE: Do not parse names on startup
It's not required to parse names on SSSD startup in the simple access provider. We can instead just parse the name when the access request is processed. Resolves: https://fedorahosted.org/sssd/ticket/3101 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
SIMPLE: Fail on any error parsing the access control list
Luckily this error was hidden by the fact that SSSD didn't start at all when an unparseable name was encountered after startup. Otherwise, this would have been a security issue. Nonetheless, we should just fail and deny access if we can't parse a name in a simple access list. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
SIMPLE: Make the DP handlers testable
To make it possible to call the whole DP handler in the unit test, not just the evaluator part. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
TESTS: Use the DP handlers in simple provider tests, add more tests
Use the full simple access control handlers, just like SSSD does in the tests. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Commits on Aug 11, 2016
-
gpo: gPCMachineExtensionNames with just whitespaces
Resolves: https://fedorahosted.org/sssd/ticket/3114
We failed GPO processing if the gPCMachineExtensionNames attribute contained just whitespaces. This caused failures in some server settings.
Comment from Alexander Bokovoy quoting:
You should use MS-GPOL spec. 2.2.4 'GPO Search' section says that when processing gPCMachineExtensionNames, "Group Policy processing terminates at the first <CSE GUIDn> out of sequence." Since ' ' (space only) does not fall into defined syntax for gPCMachineExtensionNames, this Group Policy processing is stopped and its CSE GUIDs are set to 'empty list'. Because of the 3.2.5.1.10 'Extension Protocol Sequences' language
------------------------------------------------------------------------
The Group Policy client MUST evaluate the subset of the abstract element Filtered GPO list separately for each Group Policy extension by including in the subset only those GPOs whose gPCUserExtensionNames (for user policy mode) or gPCMachineExtensionNames (for computer policy mode) attributes contain CSE GUID that correspond to the Group Policy extension. If the CSE GUID corresponding to the Group Policy extension is present in Extension List, it is invoked using the Implementation Identifier field. Applicability is determined as specified in section 3.2.1.5. The Group Policy Registry Extension MUST always execute first. All other applicable Group Policy extensions in the Extension List MUST be loaded and executed in Extension List order. A failure in any Group Policy extension sequence MUST NOT affect the execution of other Group Policy extensions.
-------------------------------------------------------------------------
I think we can practically treat wrong content of gPCMachineExtensionNames (and gPCUserExtensionNames) as inability of the GPO to pass through the Filtered GPO list. Thus, the GPO would be ignored.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Commits on Aug 12, 2016
-
CONFIG: full_name_format is an allowed option for all domains
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
CONFIG: re_expression is an allowed option for all domains
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Commits on Aug 16, 2016
-
rdp: add ability to forward reply to the client request
In cases where the InfoPipe serves just as a middle-man between the DataProvider and a client we can simply forward the reply, reducing the amount of code needed in the InfoPipe. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
sbus: add sbus_request_reply_error()
This simplifies error handling in sbus requests since we avoid creating DBusError and checking for NULL manually. It removes a few lines of code. This patch does not replace all calls to sbus_request_fail_and_finish since sometimes it is desirable to create the error manually. But it replaces it in most recent places. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
sbus: add utility function to simplify message and reply handling
This patch adds the ability to hook DBusMessage to a talloc context to remove the need of calling dbus_message_unref(). It also provides an automatic way to detect an error in a reply so the caller does not need to parse it manually and the whole code around DBusError can be avoided. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
This way we completely move D-Bus memory management to talloc and we reduce number of code lines needed to send and receive reply. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
failover: mark subdomain service with sd_ prefix
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
sssctl: print active server and server list
Resolves: https://fedorahosted.org/sssd/ticket/3069 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
sssd-1.14.1/src/lib/sifp/sss_sifp_dbus.c:51: check_return: Calling "dbus_message_append_args_valist" without checking return value (as is done elsewhere 4 out of 5 times). Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
sbus: allow freeing msg through dbus api when using talloc
When a talloc-bound message was freed by removing all references to it with dbus_message_unref we failed to free the talloc context and thus leaked memory or unreferenced an invalid message when the parent context was freed. This patch allows binding a dbus message to talloc in a way that allows us to free the message by both the talloc and the dbus api. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
PROXY: Do not abuse data provider interface
We want to use custom interface for proxy provider so we do not abuse the data provider one. This way we gain more control over it and we can remove the old interface entirely. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
DP: Remove old data provider interface
Reverse data provider interface is moved to a better location in NSS responder. All responders now can have an sbus interface defined per data provider connection. The unused old data provider interface is removed. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
When removing the old data provider I noticed that those functions are not used at all. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
Make resolv_is_address() function public and create some basic tests
Resolves: https://fedorahosted.org/sssd/ticket/2789 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
Warn if IP address is used as option for ipa_server/ad_server
GSSAPI is dependent on DNS with hostnames and we should warn about this. Resolves: https://fedorahosted.org/sssd/ticket/2789 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Commits on Aug 17, 2016
-
AD_PROVIDER: Add ad_enabled_domains option
Resolves: https://fedorahosted.org/sssd/ticket/2828 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
AD_PROVIDER: Initializing of ad_enabled_domains
We add ad_enabled_domains into ad_subdomains_ctx. Resolves: https://fedorahosted.org/sssd/ticket/2828 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
AD_PROVIDER: ad_enabled_domains - only master
We can skip looking up other domains if option ad_enabled_domains contains only master domain. Resolves: https://fedorahosted.org/sssd/ticket/2828 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
AD_PROVIDER: ad_enabled_domains - other than master
We can skip looking up other domains if option ad_enabled_domains doesn't contain them. Resolves: https://fedorahosted.org/sssd/ticket/2828 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
TESTS: Adding tests for ad_enabled_domains option
There is special logic around the ad_enabled_domains option:
* option is disabled by default
* master domain is always added to enabled domains
Resolves: https://fedorahosted.org/sssd/ticket/2828 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
LDAP: Adding support for SIGTERM signal
We add support for handling SIGTERM signal. If ldap_child receives SIGTERM signal it removes temporary file. Resolves: https://fedorahosted.org/sssd/ticket/3106 Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
LDAP: Adding SIGTERM signal before SIGKILL
We add better termination of ldap_child. If ldap_child reaches the timeout for termination the parent sends the SIGTERM signal. The child has 2 seconds for removing the temporary file and exiting. If it is not sufficient, SIGKILL is sent to the child. Resolves: https://fedorahosted.org/sssd/ticket/3106 Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
This patch adds SIGCHLD callback for ldap_child. So if timeout is reached and ldap_child is terminated by handler we have debug message about it. Resolves: https://fedorahosted.org/sssd/ticket/3106 Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
UTIL: Use sss_atomic_read_s in generate_csprng_buffer
There was a bug in generate_csprng_buffer() where if we read the exact amount of bytes from /dev/urandom, we would always return EIO. Instead, let's reuse the existing code from sss_atomic_read_s() which fixes this bug and reduces code duplication. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
-
SECRETS: Use sss_atomic_read/write for better readability
sss_atomic_read_s and sss_atomic_write_s are macro-wrappers around sss_atomic_io_s but it's easier to follow the code with the read/write variants used directly. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
-
BUILD: Ship systemd service file for sssd-secrets
Adds two new files: sssd-secrets.socket and sssd-secrets.service. These can be used to socket-activate the secrets responder even without explicitly starting it in the sssd config file. The specfile activates the socket after installation which means that the admin would just be able to use the secrets socket and the sssd_secrets responder would be started automatically by systemd. The sssd-secrets responder is started as root, mostly because I didn't think of an easy way to pass the uid/gid to the responders without asking about the sssd user identity in the first place. But nonetheless, the sssd-secrets responder wasn't tested as non-root and at least the initialization should be performed as root for the time being. Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
LDAP: Log autofs rfc2307 config changes only with enabled responder
grep -nE "0x0040" /var/log/sssd/sssd_example.com.log
361:(Tue Aug 16 13:04:04 2016) [sssd[be[example.com]]] [ldap_get_autofs_options] (0x0040): Your configuration uses the autofs provider with schema set to rfc2307 and default attribute mappings. The default map has changed in this release, please make sure the configuration matches the server attributes.
Reviewed-by: Petr Čech <pcech@redhat.com>
Lukas Slebodnik committed Aug 17, 2016
-
DP: Add log message for get account info
Reviewed-by: Petr Čech <pcech@redhat.com>
Lukas Slebodnik committed Aug 17, 2016
-
Monitor: Add support for disabling netlink
Resolves: https://fedorahosted.org/sssd/ticket/2860 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Commits on Aug 18, 2016
-
SSSCTL: More helpful error message when InfoPipe is disabled
Resolves: https://fedorahosted.org/sssd/ticket/3130 Reviewed-by: Petr Čech <pcech@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-
ds.py: Do not call teardown in destructor
We use finalizers in pytest for cleaning up the openldap server. But sometimes the destructor was called in case of failure, which causes many issues in tests. Running teardown in a destructor is not reliable due to python's nature. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Lukas Slebodnik committed Aug 18, 2016
-
test_local_domain: Restore correct env variable
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Lukas Slebodnik committed Aug 18, 2016
-
intg: rename test with enumeration
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Lukas Slebodnik committed Aug 18, 2016
-
test_enumeration: Remove test without enumeration
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Lukas Slebodnik committed Aug 18, 2016
-
intg: create ldap test without enumeration
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Lukas Slebodnik committed Aug 18, 2016
-
sssd_id.py: Primary group should be returned for initgroups
A side effect of this change was that some primary groups could not be resolved and therefore get_user_groups failed in override tests. We should do the same as "id user": return the decimal representation of the GID if it cannot be mapped to a name. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Lukas Slebodnik committed Aug 18, 2016
-
E302 expected 2 blank lines, found 1
E303 too many blank lines (2)
E501 line too long (84 > 79 characters)
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Lukas Slebodnik committed Aug 18, 2016
-
test_ldap: test nested membership with rfc2307bis
Integration test for SSSD#3093 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Lukas Slebodnik committed Aug 18, 2016
-
test_ldap: test resolving of names with special characters
Integration test for SSSD#3121 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Lukas Slebodnik committed Aug 18, 2016
Commits on Aug 19, 2016
-
sdap: Skip exact duplicates when extending maps
When extending a map with an entry that already exists in the map in the exactly same form, then there is no need to fail. We should only fail if we try to change the purpose of an already used sysdb attribute. Resolves: https://fedorahosted.org/sssd/ticket/3120 Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
intg: Test extra attributes duplicate
Regression test for ticket SSSD#3120 Resolves: https://fedorahosted.org/sssd/ticket/3120 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
Commits on Aug 23, 2016
-
CONFIG: selinux_provider is a valid provider type
We should not warn about it in the validator and should allow selinux_provider from the config API. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-
CONFIG: session_provider does not exist anymore
The session_provider used to exist a long time ago when we used to set the SELinux context from it, but the provider had been removed for a long time. We just forgot to remove the value from the config API and the validator. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Commits on Aug 24, 2016
-
PROXY: Use the fqname when converting to lowercase
When saving the user there is a comparison between the "cased alias" and the "lowercase password name". However, the first doesn't use fully qualified name while the second does, resulting in a not expected override of the "nameAlias" attribute of a stored user when trying to authenticate more than once using an alias. Resolves: https://fedorahosted.org/sssd/ticket/3134 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
sssd_netgroup.py: Resolve nested netgroups
Reviewed-by: Petr Čech <pcech@redhat.com>
Lukas Slebodnik committed Aug 24, 2016
-
LDAP: Fixing of removing netgroup from cache
There was a problem with the local key which wasn't properly removed. This patch fixes it. Resolves: https://fedorahosted.org/sssd/ticket/2841 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Petr Cech authored and Lukas Slebodnik committed Aug 24, 2016
-
INTG: Adding support for netgroups to ldap_ent
Resolves: https://fedorahosted.org/sssd/ticket/2841 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Petr Cech authored and Lukas Slebodnik committed Aug 24, 2016
-
INTG: Tests for ldap nested netgroups
This patch adds tests on reproducer of t2841. Resolves: https://fedorahosted.org/sssd/ticket/2841 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Petr Cech authored and Lukas Slebodnik committed Aug 24, 2016
Commits on Aug 25, 2016
-
watchdog: cope with time shift
When a time is changed into the past during sssd runtime (e.g. on boot during time correction), it is possible that we never hit watchdog tevent timer since it is based on system time. This patch adds a past-time shift detection mechanism. If a time shift is detected we restart watchdog. Resolves: https://fedorahosted.org/sssd/ticket/3154 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
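The watchdog commit above relies on detecting that the wall clock was set backwards, since a timer armed against system time will otherwise never fire. One way to implement such a check, as an added example that is not SSSD's watchdog code: sample CLOCK_REALTIME and CLOCK_MONOTONIC together on every tick and compare how much each advanced. The monotonic clock cannot be set, so any disagreement beyond a small tolerance means the wall clock jumped. This generalizes the commit's past-time case to jumps in either direction; the type and function names are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* One watchdog tick: wall-clock and monotonic readings taken together. */
struct wd_sample {
    time_t wall;   /* CLOCK_REALTIME seconds, can be set by an admin or NTP */
    time_t mono;   /* CLOCK_MONOTONIC seconds, only ever moves forward */
};

/* Take both readings as close together as possible. */
struct wd_sample wd_sample_now(void)
{
    struct timespec ts = {0, 0};
    clock_gettime(CLOCK_MONOTONIC, &ts);
    struct wd_sample s = { .wall = time(NULL), .mono = ts.tv_sec };
    return s;
}

/* Returns true if the wall clock moved (in either direction) by more than
 * `tolerance` seconds relative to the monotonic clock since `prev`.
 * A backwards step shows up as elapsed_wall < elapsed_mono, which is the
 * case that leaves a wall-time based timer waiting indefinitely. */
bool wd_time_shift_detected(struct wd_sample prev, struct wd_sample now,
                            time_t tolerance)
{
    time_t elapsed_mono = now.mono - prev.mono;
    time_t elapsed_wall = now.wall - prev.wall;
    time_t drift = elapsed_wall - elapsed_mono;
    if (drift < 0) {
        drift = -drift;
    }
    return drift > tolerance;
}

int main(void)
{
    /* Constructed readings: 60 s passed on both clocks, then a tick where
     * the wall clock was set back by 100 s while 60 s really elapsed. */
    struct wd_sample prev = { .wall = 1000, .mono = 500 };
    struct wd_sample normal = { .wall = 1060, .mono = 560 };
    struct wd_sample stepped_back = { .wall = 900, .mono = 560 };

    printf("normal tick: shift=%d\n", wd_time_shift_detected(prev, normal, 5));
    printf("clock set back: shift=%d -> re-arm watchdog\n",
           wd_time_shift_detected(prev, stepped_back, 5));
    return 0;
}
```

On a detected shift the caller re-arms its timer from the current time, which is the "restart watchdog" step the commit describes; the tolerance absorbs the few seconds a slow tick can legitimately drift.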
Commits on Aug 26, 2016
-
BUILD: Allow to read private pipes for root
Root can read anything from any directory even with permissions 000. However SELinux checks discretionary access control (DAC) and denies access if access is not allowed for root by DAC. The pam_sss uses a different unix socket /var/lib/sss/pipes/private/pam for the user with uid 0. Therefore root needs to be able to read the content of the directory with private pipes.
type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied { dac_read_search } for pid=20257 comm=vsftpd capability=dac_read_search scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied { dac_override } for pid=20257 comm=vsftpd capability=dac_override scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
Resolves: https://fedorahosted.org/sssd/ticket/3143
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
SYSDB: Rework sysdb_cache_connect()
As sysdb_cache_connect() has two very specific use cases (connect to the cache and connect to the timestamp cache) and each of those calls has a predetermined/fixed set of values for a few parameters, let's try to make the code a bit simpler to follow by having explicit functions for connecting to the cache and connecting to the timestamp cache. Macros could be used as well, but I have a slight preference for having two new functions instead of macros accessing internal parameters of the macro's parameter. Related: https://fedorahosted.org/sssd/ticket/3128 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
SYSDB: Remove the timestamp cache for a newly created cache
As many users are used to removing the persistent cache without removing the timestamp cache, let's throw away the timestamp cache in this case. Resolves: https://fedorahosted.org/sssd/ticket/3128 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
SECRETS: Return ENOENT when deleting a non-existent secret
For this, just make use of the sysdb_error_to_errno() function. Resolves: https://fedorahosted.org/sssd/ticket/3125 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
IPA: Parse qualified names when guessing AD user principal
Most AD users store their UPN in an attribute. If they don't, or the sssd was configured (typically in earlier versions to work around a bug) to not look at the principal attribute, then sssd is supposed to guess the attribute. That currently doesn't work in 1.14, because the username is already qualified and then we also append the realm name to it. We need to parse the simple username from the qualified name first. The issue can be reproduced simply by authenticating as the Administrator account in IPA-AD trust setups. Resolves: https://fedorahosted.org/sssd/ticket/3127 Reviewed-by: Sumit Bose <sbose@redhat.com>
Commits on Aug 27, 2016
-
PROXY: Remove lowercase attribute from save_user()
As this function already receives a struct sss_domain_info * parameter as argument, we can simply check whether we will need a lowercase name by accessing domain->case_sensitive. Related: https://fedorahosted.org/sssd/ticket/3134 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
PROXY: Remove cache_timeout attribute from save_user()
As this function already receives a struct sss_domain_info * parameter as argument, we can simply get the cache_timeout attribute by accessing domain->user_timeout. Related: https://fedorahosted.org/sssd/ticket/3134 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
PROXY: Remove cache_timeout attribute from save_group()
As this function already receives a struct sss_domain_info * parameter as argument, we can simply get the cache_timeout attribute by accessing domain->group_timeout. Related: https://fedorahosted.org/sssd/ticket/3134 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
PROXY: Mention that save_user()'s parameters are already qualified
Those comments are similar to what we have in the save_group() function. Related: https://fedorahosted.org/sssd/ticket/3134 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
PROXY: Share common code of save_{group,user}()
These two functions (save_user() and save_group()) share, between themselves, the code preparing the attributes that are going to be stored in the sysdb. This patch basically splits this code out of those functions and introduces the new prepare_attrs_for_saving_ops(). Related: https://fedorahosted.org/sssd/ticket/3134 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Commits on Aug 29, 2016
-
SYSDB: Fix uninitialized scalar variable
The boolean variable newly_created could be used uninitialized in the done section in case of failure. The variable was first initialized to true after successful execution of the function sysdb_cache_create_empty. An uninitialized variable usually means true for a boolean variable. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Lukas Slebodnik committed Aug 29, 2016
-
BUILD: Add a few more targets for intg tests
Running "make intgcheck" has been proven to be a bit painful (mainly when the developer is just writing down a single test case), as it cleans up the build directory and fires a new build before, finally, running the tests. In order to make it a little less painful, let's break the whole operation into 3 new targets: intgcheck-{prepare,run,clean}. As expected, "make intgcheck" calls these 3 new operations in the same order they were presented, thus not changing the current behavior. Each operation will trigger the previous one in case there is no "$$prefix" directory created, and the directory is _only_ created in the very first operation (intgcheck-prepare). A note must be made about how to run a simple test file or a simple test from a test file when running "make intgcheck-run". The option has always been here but only makes sense now that we have the intgcheck split into a few useful steps. See the examples below (and for more detailed information, check the py.test documentation):
# Run a single file
make intgcheck-run INTGCHECK_PYTEST_ARGS="-k test_netgroup.py"
# Run a single test from a single file
make intgcheck-run INTGCHECK_PYTEST_ARGS="-k test_add_empty_netgroup"
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
BUILD: Clean up prerelease targets
Clean up the pre-release targets in order to avoid lines exceeding 80 characters. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
BUILD: Fix typo in intgcheck-run rule
During the review process "intgcheck-build" ended up being merged to the "intgcheck-prepare" rule. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
BUILD: Remove leftover after sysdb refactoring
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Lukas Slebodnik committed Aug 29, 2016
Commits on Aug 30, 2016
-
MONITOR: Remove the no longer used diag_cmd command
After introducing the watchdog, the diag_cmd is no longer used, and it makes no sense trying to make it usable by the watchdog as the result of "pstack %p" seems next to useless in this context. Related: https://fedorahosted.org/sssd/ticket/3051 Reviewed-by: Petr Čech <pcech@redhat.com>
-
MONITOR: Remove the no longer used kill_service command
After introducing the watchdog, the force_timeout option is no longer used. Resolves: https://fedorahosted.org/sssd/ticket/3052 Reviewed-by: Petr Čech <pcech@redhat.com>
-
WATCHDOG: define and use _MAX_TICKS as 3
Instead of using the number 3 directly, let's introduce and use WATCHDOG_MAX_TICKS. Reviewed-by: Petr Čech <pcech@redhat.com>
-
PROXY: Use right name in ldap filter
We used the internal fq name in the ldap filter with id_provider proxy to files and auth provider ldap:
[sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=testuser1@ldap)(objectclass=posixAccount))][dc=example,dc=com].
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Lukas Slebodnik committed Aug 30, 2016
-
SECRETS: Make internal function static
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-
SECRETS: Make reading the config options more uniform
One of the confdb_get_ calls in sec_get_config() used a variable referenced from rctx, the other used a hardcoded string. Use one of them in both places instead. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-
dyndns: fix typo and unify ipa with ad debug message when off
Reviewed-by: Petr Čech <pcech@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-
Applications should never #define USE_GNU themselves, but rather _GNU_SOURCE. This patch removes USE_GNU and replaces it with including config.h, which has _GNU_SOURCE defined if applicable for that platform. See for example: https://gcc.gnu.org/ml/fortran/2005-10/msg00365.html Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Commits on Aug 31, 2016
-
MONITOR: Remove leftovers from diag_cmd
Seems that when I sent the v2 of 7579cf99 I attached the wrong patch that ended up being pushed. That patch was incomplete as there are still some leftovers. Related: https://fedorahosted.org/sssd/ticket/3051 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Petr Čech <pcech@redhat.com>
-
MONITOR: Remove leftovers from kill_service
Seems that when I sent the v2 of ac35fe74 I attached the wrong patch that ended up being pushed. The patch was incomplete as there are still some leftovers. The .po and sssd-docs.pot were not touched as I do believe they are autogenerated from Zanata. Related: https://fedorahosted.org/sssd/ticket/3052 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Petr Čech <pcech@redhat.com>
-
SYSDB: Fix error handling in sysdb_get_user_members_recursively
We ignored failures from sysdb_search_entry. Reviewed-by: Petr Čech <pcech@redhat.com>
Lukas Slebodnik committed Aug 31, 2016
Commits on Sep 1, 2016
-
DEBUG: Append line feed to messages from libsemanage
It wasn't simple to read log files from libsemanage because they were on a single line. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Lukas Slebodnik committed Sep 1, 2016
-
MAN: Document the ldap_user_primary_group option
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-
sdap_initgr_nested_get_membership_diff: use fully-qualified names
I think this is a leftover from the change to use fully-qualified names in sysdb. To verify this you can create a nested group in IPA. Without this patch the id command will only show the groups the user is a direct member of. With the patch the indirect groups memberships should be shown as well. https://fedorahosted.org/sssd/ticket/3163 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-
SYSDB: Remove unused parameter
There was an unused parameter struct ldb_message *cached_group in sysdb_store_group_attrs(). This parameter was introduced by 40de79d "SYSDB: Check if group attributes differ before saving a group". Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>