Commit Graph

582 Commits

Author SHA1 Message Date
Stephen Gallagher
0ad47aae65 - Fix memberOf install path 2011-02-11 11:22:33 -05:00
Stephen Gallagher
e8ab291d89 - Add support for libldb 1.0.0 2011-02-11 09:36:41 -05:00
Dennis Gilmore
8923e26c46 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild 2011-02-09 10:00:19 -06:00
Stephen Gallagher
d12cd5dd26 - Fix nested group member filter sanitization for RFC2307bis
- Put translated tool manpages into the sssd-tools subpackage
2011-02-01 09:20:57 -05:00
Stephen Gallagher
749bf2d662 Bump release number 2011-01-27 14:40:33 -05:00
Stephen Gallagher
7e3a2cd879 - Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during
- rpmbuild
2011-01-27 14:38:13 -05:00
Stephen Gallagher
f151b0669b - New upstream release 1.5.1
- Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins
- Vast performance improvements when enumerate = true
- All PAM actions will now perform a forced initgroups lookup instead of just
- a user information lookup
-   This guarantees that all group information is available to other
-   providers, such as the simple provider.
- For backwards-compatibility, DNS lookups will also fall back to trying the
- SSSD domain name as a DNS discovery domain.
- Support for more password expiration policies in LDAP
-    389 Directory Server
-    FreeIPA
-    ActiveDirectory
- Support for ldap_tls_{cert,key,cipher_suite} config options
-Assorted bugfixes
2011-01-27 13:50:21 -05:00
Stephen Gallagher
3a15e92ce7 - CVE-2010-4341 - DoS in sssd PAM responder can prevent logins 2011-01-11 12:32:39 -05:00
Stephen Gallagher
5225c3262b - New upstream release 1.5.0
- Fixed issues with LDAP search filters that needed to be escaped
- Add Kerberos FAST support on platforms that support it
- Reduced verbosity of PAM_TEXT_INFO messages for cached credentials
- Added a Kerberos access provider to honor .k5login
- Addressed several thread-safety issues in the sss_client code
- Improved support for delayed online Kerberos auth
- Significantly reduced time between connecting to the network/VPN and
- acquiring a TGT
- Added feature for automatic Kerberos ticket renewal
- Provides the kerberos ticket for long-lived processes or cron jobs
- even when the user logs out
- Added several new features to the LDAP access provider
- Support for 'shadow' access control
- Support for authorizedService access control
- Ability to mix-and-match LDAP access control features
- Added an option for a separate password-change LDAP server for those
- platforms where LDAP referrals are not supported
- Added support for manpage translations
2010-12-22 14:08:33 -05:00
Stephen Gallagher
9600ada0fd Fix release number 2010-11-18 08:44:23 -05:00
Stephen Gallagher
069ad4076b - Solve a shutdown race-condition that sometimes left processes running
- Resolves: rhbz#606887 - SSSD stops on upgrade
2010-11-18 08:41:39 -05:00
Stephen Gallagher
4e1de07cd8 - Log startup errors to the syslog
- Allow cache cleanup to be disabled in sssd.conf
2010-11-16 12:48:57 -05:00
Stephen Gallagher
9d5bcde0eb - New upstream release 1.4.1
- Add support for netgroups to the proxy provider
- Fixes a minor bug with UIDs/GIDs >= 2^31
- Fixes a segfault in the kerberos provider
- Fixes a segfault in the NSS responder if a data provider crashes
- Correctly use sdap_netgroup_search_base
2010-11-01 09:02:47 -04:00
Stephen Gallagher
75efc48618 Fix incorrect tarball URL 2010-10-18 16:06:09 -04:00
Stephen Gallagher
d8a8ec9a9a Fix tarball URL 2010-10-18 16:04:39 -04:00
Stephen Gallagher
4926f3ae3a Merge branch 'master' into f14 2010-10-18 15:37:53 -04:00
Stephen Gallagher
e439c0b36c Uploading SSSD 1.4.0 tarball 2010-10-18 14:50:39 -04:00
Stephen Gallagher
9b0ef1cecd - New upstream release 1.4.0
- Added support for netgroups to the LDAP provider
- Performance improvements made to group processing of RFC2307 LDAP servers
- Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin
- Build-system improvements to support Gentoo
- Split out several libraries into the ding-libs tarball
- Manpage reviewed and updated
2010-10-18 14:44:48 -04:00
Stephen Gallagher
d856e9b109 Merge branch 'master' into f14 2010-10-04 09:48:41 -04:00
Stephen Gallagher
2d631b340a - Fix pre and post script requirements 2010-10-04 09:47:22 -04:00
Stephen Gallagher
c0762ac0e0 Merge branch 'master' into f14 2010-10-04 09:27:12 -04:00
Stephen Gallagher
3f786445f0 - Resolves: rhbz#606887 - sssd stops on upgrade 2010-10-04 09:23:20 -04:00
Stephen Gallagher
8cdc9d4fbc - Resolves: rhbz#626205 - Unable to unlock screen 2010-10-04 09:14:17 -04:00
Stephen Gallagher
c7ce53cc09 - Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but
-                         doesn't require it
2010-09-28 08:07:15 -04:00
Stephen Gallagher
c99e02ae14 Bump release number and fix changelog message 2010-09-28 07:55:09 -04:00
Stephen Gallagher
d19c240979 - Resolves: 637955 - libini_config-devel needs libcollection-devel but
-                    doesn't require it
2010-09-28 07:49:22 -04:00
Stephen Gallagher
6931ca88fa - Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib 2010-09-16 09:34:47 -04:00
Stephen Gallagher
cfa7be9344 - Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib 2010-09-16 09:32:53 -04:00
Stephen Gallagher
8c665d0af5 Resolves: CVE-2010-2940 2010-08-24 12:10:04 -04:00
Fedora Release Engineering
22218bb857 dist-git conversion 2010-07-29 13:10:57 +00:00
dmalcolm
eb2fc3c856 - Rebuilt for
https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
2010-07-22 06:37:10 +00:00
Stephen Gallagher
bd215c451c - New upstream version 1.2.91 (1.3.0rc1)
- Improved LDAP failover
- Synchronous sysdb API (provides performance enhancements)
- Better online reconnection detection
2010-07-09 18:52:22 +00:00
Stephen Gallagher
d41b28e7ec - New stable upstream version 1.2.1
- Resolves: rhbz#595529 - spec file should eschew %define in favor of
- %global
- Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd
    service
- to fail while restart.
- Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel
- keyring
- Resolves: rhbz#599724 - sssd is broken on Rawhide
2010-06-21 11:37:06 +00:00
Stephen Gallagher
d5f2e4a868 - New stable upstream version 1.2.0
- Support ServiceGroups for FreeIPA v2 HBAC rules
- Fix long-standing issue with auth_provider = proxy
- Better logging for TLS issues in LDAP
2010-05-24 19:19:33 +00:00
Stephen Gallagher
439d34ed5c - New LDAP access provider allows for filtering user access by LDAP
attribute
- Reduced default timeout for detecting offline status with LDAP
- GSSAPI ticket lifetime made configurable
- Better offline->online transition support in Kerberos
2010-05-18 18:02:30 +00:00
Stephen Gallagher
6a6c9eb9a8 - Release new upstream version 1.1.91
- Enhancements when using SSSD with FreeIPA v2
- Support for deferred kinit
- Support for DNS SRV records for failover
2010-05-07 21:36:48 +00:00
Simo Sorce
e5b19bf276 - Bump up release number to avoid library sub-packages version issues with
previous releases.
2010-04-02 15:48:31 +00:00
Stephen Gallagher
db77daa344 - New upstream release 1.1.1
- Fixed the IPA provider (which was segfaulting at start)
- Fixed a bug in the SSSDConfig API causing some options to revert to
- their defaults
- This impacted the Authconfig UI
- Ensure that SASL binds to LDAP auto-retry when interrupted by a signal
2010-04-01 15:19:19 +00:00
Stephen Gallagher
58c745dac6 - Release SSSD 1.1.0 final
- Fix two potential segfaults
- Fix memory leak in monitor
- Better error message for unusable confdb
2010-03-22 19:54:48 +00:00
Stephen Gallagher
026e8e0f23 - Release candidate for SSSD 1.1
- Add simple access provider
- Create subpackages for libcollection, libini_config, libdhash and
    librefarray
- Support IPv6
- Support LDAP referrals
- Fix cache issues
- Better feedback from PAM when offline
2010-03-17 16:53:01 +00:00
Stephen Gallagher
7362f8c6bd - Rebuild against new libtevent 2010-02-24 20:44:32 +00:00
Stephen Gallagher
94dadd289a - Fix licenses in sources and on RPMs 2010-02-19 15:39:59 +00:00
Stephen Gallagher
48e4ae867d - Fix regression on 64-bit platforms 2010-01-25 18:52:14 +00:00
Stephen Gallagher
2600cc3d21 - Fixes link error on platforms that do not do implicit linking
- Fixes double-free segfault in PAM
- Fixes double-free error in async resolver
- Fixes support for TCP-based DNS lookups in async resolver
- Fixes memory alignment issues on ARM processors
- Manpage fixes
2010-01-22 15:15:20 +00:00
Stephen Gallagher
23f12b722f - Fixes a bug in the failover code that prevented the SSSD from detecting
when it went back online
- Fixes a bug causing long (sometimes multiple-minute) waits for NSS
    requests
- Several segfault bugfixes
2010-01-14 17:03:05 +00:00
Stephen Gallagher
2de26e9e6f Updating to SSSD 1.0.1
Fixes: CVE-2010-0014
2010-01-11 14:23:23 +00:00
Stephen Gallagher
d9fd9eee1e Fix https://bugzilla.redhat.com/show_bug.cgi?id=549482 2009-12-21 20:39:34 +00:00
Stephen Gallagher
f5d8b9bca4 == Highlights ==
One serious security issue was resolved related to the kerberos provider.
Users who authenticate against Kerberos and have cached credentials could
    log in with a zero-length password
The network exposure of this bug was limited, as users logged in this way
    would not have valid network credentials (by lucky accident).
This issue was present only in the 0.99.x preview releases and not in any
    of the stable releases (0.7.1 and earlier)
Stability fixes since the 0.99.1 preview release
Added or updated several translations
Fixed long-standing "I have no name!" issue with X-based terminals
SSSD now passes "make distcheck" cleanly
SSSD PAM now conforms better to standards regarding PAM_PRELIM_CHECK
== Detailed Changelog == Göran Uddeborg (2):
Update SV translation
Update SV translation
Marina Latini (1):
Update IT translation
Martin Nagy (2):
Don't consider one address with different port numbers as the same
Change the first server pick logic
Sergei V. Kovylov (1):
sssd.spec for SLES
Simo Sorce (2):
Fix upgrade bug #323
Fix ldap child memory hierarchy and other issues
Stephen Gallagher (14):
Properly close STDERR when daemonizing
Fix tight loop in monitor
Don't set explicit default for "timeout" in domains
Fix warning in server.c
Raise DEBUG level of sdap_get_generic_done()
Change default for enumeration to TRUE
Fix tight-loop in monitor part 2
Properly handle EINTR from poll()
Updating ES translation
Add DEBUG messages to getpwnam_callback and getpwuid_callback
Clarify access_provider manpage entry
Do not blindly accept zero-length passwords
Fix broken password changes for local users
Release SSSD 1.0
Sumit Bose (9):
Use sys.exit instead of exit
Check for minimal version of check
Build python modules in builddir
Use --with-ldb-lib-dir while running make distcheck
Cleanup db files after test run
disable password migration code
Handle chauthtok with PAM_PRELIM_CHECK separately
Do not overwrite valid TGTs when offline
Fix for #345
2009-12-18 23:53:16 +00:00
Stephen Gallagher
336aac3e2c David O'Brien (1):
Copy-edit sssd-ipa man page
Dmitri Pal (5):
COMMON Improvements to the trace macro
COLLECTION Create reference to the top level collection
Cleaning FIXME comments
Cleaning FIXME comments.
INI Correcting build warnings.
Fabian Affolter (1):
Add German translation
Göran Uddeborg (2):
Add Swedish translation for sss_client
Add Swedish translation for SSSD server
Jakub Hrozek (13):
Warn visibly about permission problems with the config file
Better error message when there is no local domain configured
Setup ldap child logging from IPA backend
Check the services started against a list of known services
Handle spaces in config parser
Fail on nonexistent input file
Do not start with provider=files
Reduce code duplication between LDAP child and Kerberos child
Change ares usage to be c-ares 1.7.0 compatible
Import ares 1.7.0 helpers
Don't build the SRV and TXT parsing code except for tests
Document the failover feature in manpages
Consolidate code for splitting strings by separator
Martin Nagy (3):
Fix egg-info file generation in the spec file
Add some debugging statements to fail_over and resolver
Correctly restart server status after the timeout
Simo Sorce (17):
Fix tabs
Fix memberof plugin
Compute and save memberuid in cache as well
Use memberuid and not member in group enumerations
Use the custom password field in groups too.
Resolve nested groups also when rfc2307bis is used
Make strdn build functions more available
Fix nested group memberships
Allow nesting to fix #310
Fix bug #311, properly set callback attribute
Change dhash API to be talloc-friendly
Add private pointer for delete callback
Add comments to document latest changes
Add rebuild task to memberof plugin
Handle the special 02 upgrade case for 04->05
Fix for #316
Fix for #322, update from old database versions.
Stephen Gallagher (28):
Remove ELAPI from build and tarball
Stop configuring ELAPI
Make debug log timestamps human-readable
Raise debug log level for LDB_DEBUG_WARNING
Add allocation error check
Avoid returning uninitialized result.
Fix potential uninitialized value errors in nsssrv_cmd.c
Fix potential uninitialized value error in responder_dp.c
SSSDDomain.remove_provider() requires only the provider type
Make SSSDDomain.remove_provider() remove configured options
Run dhash tests
Add SSSDDomain.set_name() function to SSSDConfig API
Reduce the verbosity of the SSSDConfigTest
Fix broken SSSDChangeConf.set() function
Fix SSSDConfig API bugs around [de-]activation of domains
Fix RPM spec for RHEL6
fix deactivate_domain()
SSSDConfig.get_domain() should properly detect active state
Ensure that list_active_domains returns the real value
Properly deny id_provider=files
Add missing options to sssd-ipa configuraion
Add missing SSSDConfig file for IPA for make install
Fix processing of Boolean values in SSSDConfig
Add 'permit' and 'deny' access providers to SSSDConfig API
Remove default for ldap_use_start_tls in IPA providers
Run SSSDConfig tests during 'make check'
Fix stupid copy-paste error
Updating to version 0.99.1
Sumit Bose (13):
Do not include libsss_ipa.la in rpm package
Immediately return a krb5 change password request when offline
Check LDAP structure before calling ldap_unbind_ext()
Add sysdb_search_custom request
Do not treat missing proc files as errors.
Add basic OS detection
Make packaging of *.egg-info files more flexible
Try to renew Kerberos credentials
Add checks to test the memberuid handling
Add offline support for ipa_access
Add dummy credentials to an empty ccache file
Always update sysdb to the latest version
Fix DEBUG message for sysdb_init
beckerde (1):
Add Spanish translation
ruigo (1):
Add Portuguese translation
2009-12-11 14:16:51 +00:00
Stephen Gallagher
ad368b8c32 == Highlights ==
Enhanced IPA provider with host-based access control support
Added server failover feature
Vast performance enhancements to enumerations
Performance enhancements to offline user lookups
Improvements to the SSSDConfig API and configuration upgrade scripts. They
    will now retain comments and ordering.
Several new translations
== Known Bugs ==
Nested groups are known to be broken in 0.99. A fix is basically ready, but
    was too late for inclusion in this release. This will be fixed before
    the 1.0 release.
== Detailed changes since 0.7.1 == Bouska (1):
Add French translation to sss_client
Jakub Hrozek (17):
Fix migration script for pre-0.5 local domains
Do not migrate Data Provider
Free the PCRE regexp with destructor
Do not delete users, groups outside domain range
Add missing include
IPA time rules parsing routines
Fix regression in error message when deleting groups
Assorted manpage fixes
Make the password field configurable in NSS
Add Simo's ipachangeconf
SSSDChangeConf - a wrapper around ipachangeconf
Change the upgrade script to use ipachangeconf
Convert SSSDConfig API to ipachangeconf
SSSDConfigAPI fixes
upgrade_config fixes for SSSD 0.6 and later
Split helpers for child processes
Get TGT in a child process.
Martin Nagy (5):
Add missing include file to files-tests.c
Fix a bad free in async_resolv.c
Add DLIST_FOR_EACH() macro
Add simple reference counting wrappers for talloc
Add fail over utility functions
Piotr Drąg (1):
Updating polish translation for 0.7.0
Simo Sorce (48):
Copy option overrides.
Read the right buffer, avoids potential segfaults
Add IPA conf template
Zero pointers on free
Use standard coding practice to set last login
Fix segfault
Add proper support for IPA/AD schemas
Move responsibility for entry expiration timeout
Kill the ldap connection when we go offline
Tidy up ipa options
Add support to get rootDSE from the LDAP server.
Fix segfault when SASL is not used at all
Rename sdap_id_map to sdap_attr_map
Make available method to quickly retrive string
Make useful function more broadly available.
Store the original memberof attributes if any
Unify parse routines, use maps in generic searches
Fix and enhance initgroups call
Unify code to use the generic search interface
Reorganize ldap id provider files
Split async helpers in multiple files
Always set last update and expire time
Fix build
Fix ldap driver
Check return, zero free hostent, adhere to style
Fix enumerations
Fix tevent_req error checking.
Refactor delete functions and add a few
Add cleanup task
Try to fix offline logins
Fix double free case.
Fix check_cache bug in dealing with the callback
Change var name to make its use more clear.
Fix crash due to uninitialized timeout variable
Change initgroups code to use and check the cache
Change the pam code to perform an initgroups call
Store initgr expire time on initgr call
Failover fixes and additions
Better behavior on cleanup
Correctly escape DN value.
Add reference to sssd-krb5 man page.
Optimize sysdb_enumgrent
Filter by id range before actually storing entries.
Raise some timeouts
Add initial failover support for ldap and ipa
Fix ticket #289
Fix internal options numbers test
In IPA, the realm is always the domain uppercased.
Stephen Gallagher (32):
Remove DP from example configuration
Remove [dp] section from example config
Fix sssd.api.conf with correct entry_cache_timeout
Clean up warnings in dhash tests
Make config_file_version a hidden setting in SSSDConfig API
Remove magic_private_groups from SSSDConfig API schema
Add support for option descriptions to SSSDConfig API
Localize SSSDConfig strings
Add complete pydoc for SSSDConfig API
cyrus-sasl-gssapi
Simplify debug_fn()
Add configure check for sasl.h
Update midpoint refresh logic to be relative to cache timeout
Increase the sbus dispatch DEBUG level to 9
Build files.c only for tools
Clean up unused dependencies
Update sssd.spec to use only the required KRB5_LIBS and NSS_LIBS
Fix segfault on unknown user/domain
sssd-client line in specfile
Make the sysdb user and group names case-sensitive
Upgrade cache and local databases to case-sensitive names
Update translatable strings
Fix sysdb upgrade bug
Add empty NL translation
Only display errors in unit tests
Update PL translation
Update NL translation
Make backend request type a bitfield
Speed up user requests while offline
Update translation strings for string freeze
Fix bug with bad ldb pkg-config files
Update version to 0.99.0
Sumit Bose (32):
store original DN with cached group objects if available
added a ASQ search API for sysdb
Allow sysdb_search_entry request to return more than one result
Add AM_CFLAGS to unit tests
Fix compiler warnings in krb5_utils-tests.
remove old sysdb file before starting tests
set ipa_hostname if not given in config file
Make debug message less irritating.
add sysdb_delete_recursive request to sysdb API
Add sysdb_attrs_replace_name to sysdb API.
Fix for a seg fault during recursive delete
add replacements for missing Kerberos calls
Check is ccache structure is initialized before calling krb5_cc_destroy
added access module of IPA provider
Simplify krb5 child handler
Add check for access-time rules to ipa_access.
Add support for host, source host and user category
Fix inconsistent use of krb5_ccname_template
Fixes for proxy provider
Make 'permit' the default for the access target
Fix option name krb5_changepw_principal
Validate Kerberos credentials with local keytab
Improve handling of ccache files
Add ipa_auth
Enhance check for remote hosts
Add ldap_pwd_policy option
Read KDC info from file instead from environment
Really check return value from pam_set_item
Use ldb modules from build root for tests
Make ldb lib dir configurable
Fix an internal error when cache_credentials=FALSE
Remove unneeded debugging code
deneb (1):
Add Italian translation for sss_client
noriko (1):
Adding Japanese translation
raven (1):
Update PL translation
2009-11-30 15:39:15 +00:00