Commit Graph

32 Commits

Author SHA1 Message Date
Stephen Gallagher
23b784cf95 Fix https://bugzilla.redhat.com/show_bug.cgi?id=549482 2009-12-21 20:56:43 +00:00
Stephen Gallagher
2cb9a43b4c == Highlights ==
One serious security issue was resolved related to the kerberos provider.
Users who authenticate against Kerberos and have cached credentials could
    log in with a zero-length password
The network exposure of this bug was limited, as users logged in this way
    would not have valid network credentials (by lucky accident).
This issue was present only in the 0.99.x preview releases and not in any
    of the stable releases (0.7.1 and earlier)
Stability fixes since the 0.99.1 preview release
Added or updated several translations
Fixed long-standing "I have no name!" issue with X-based terminals
SSSD now passes "make distcheck" cleanly
SSSD PAM now conforms better to standards regarding PAM_PRELIM_CHECK
== Detailed Changelog ==
Göran Uddeborg (2):
Update SV translation
Update SV translation
Marina Latini (1):
Update IT translation
Martin Nagy (2):
Don't consider one address with different port numbers as the same
Change the first server pick logic
Sergei V. Kovylov (1):
sssd.spec for SLES
Simo Sorce (2):
Fix upgrade bug #323
Fix ldap child memory hierarchy and other issues
Stephen Gallagher (14):
Properly close STDERR when daemonizing
Fix tight loop in monitor
Don't set explicit default for "timeout" in domains
Fix warning in server.c
Raise DEBUG level of sdap_get_generic_done()
Change default for enumeration to TRUE
Fix tight-loop in monitor part 2
Properly handle EINTR from poll()
Updating ES translation
Add DEBUG messages to getpwnam_callback and getpwuid_callback
Clarify access_provider manpage entry
Do not blindly accept zero-length passwords
Fix broken password changes for local users
Release SSSD 1.0
Sumit Bose (9):
Use sys.exit instead of exit
Check for minimal version of check
Build python modules in builddir
Use --with-ldb-lib-dir while running make distcheck
Cleanup db files after test run
disable password migration code
Handle chauthtok with PAM_PRELIM_CHECK separately
Do not overwrite valid TGTs when offline
Fix for #345
2009-12-19 00:03:20 +00:00
Stephen Gallagher
63ef38d783 Bouska (1):
Add French translation to sss_client
David O'Brien (1):
Copy-edit sssd-ipa man page
Dmitri Pal (5):
COMMON Improvements to the trace macro
COLLECTION Create reference to the top level collection
COLLECTION: Cleaning FIXME comments
INI: Cleaning FIXME comments.
INI Correcting build warnings.
Fabian Affolter (1):
Add German translation
Göran Uddeborg (2):
Add Swedish translation for sss_client
Add Swedish translation for SSSD server
Jakub Hrozek (30):
Fix migration script for pre-0.5 local domains
Do not migrate Data Provider
Free the PCRE regexp with destructor
Do not delete users, groups outside domain range
Add missing include
IPA time rules parsing routines
Fix regression in error message when deleting groups
Assorted manpage fixes
Make the password field configurable in NSS
Add Simo's ipachangeconf
SSSDChangeConf - a wrapper around ipachangeconf
Change the upgrade script to use ipachangeconf
Convert SSSDConfig API to ipachangeconf
SSSDConfigAPI fixes
upgrade_config fixes for SSSD 0.6 and later
Split helpers for child processes
Get TGT in a child process.
Warn visibly about permission problems with the config file
Better error message when there is no local domain configured
Setup ldap child logging from IPA backend
Check the services started against a list of known services
Handle spaces in config parser
Fail on nonexistent input file
Do not start with provider=files
Reduce code duplication between LDAP child and Kerberos child
Change ares usage to be c-ares 1.7.0 compatible
Import ares 1.7.0 helpers
Don't build the SRV and TXT parsing code except for tests
Document the failover feature in manpages
Consolidate code for splitting strings by separator
Martin Nagy (8):
Add missing include file to files-tests.c
Fix a bad free in async_resolv.c
Add DLIST_FOR_EACH() macro
Add simple reference counting wrappers for talloc
Add fail over utility functions
Fix egg-info file generation in the spec file
Add some debugging statements to fail_over and resolver
Correctly restart server status after the timeout
Piotr Drąg (1):
Updating polish translation for 0.7.0
Simo Sorce (65):
Copy option overrides.
Read the right buffer, avoids potential segfaults
Add IPA conf template
Zero pointers on free
Use standard coding practice to set last login
Fix segfault
Add proper support for IPA/AD schemas
Move responsibility for entry expiration timeout
Kill the ldap connection when we go offline
Tidy up ipa options
Add support to get rootDSE from the LDAP server.
Fix segfault when SASL is not used at all
Rename sdap_id_map to sdap_attr_map
Make available method to quickly retrieve string
Make useful function more broadly available.
Store the original memberof attributes if any
Unify parse routines, use maps in generic searches
Fix and enhance initgroups call
Unify code to use the generic search interface
Reorganize ldap id provider files
Split async helpers in multiple files
Always set last update and expire time
Fix build
Fix ldap driver
Check return, zero free hostent, adhere to style
Fix enumerations
Fix tevent_req error checking.
Refactor delete functions and add a few
Add cleanup task
Try to fix offline logins
Fix double free case.
Fix check_cache bug in dealing with the callback
Change var name to make its use more clear.
Fix crash due to uninitialized timeout variable
Change initgroups code to use and check the cache
Change the pam code to perform an initgroups call
Store initgr expire time on initgr call
Failover fixes and additions
Better behavior on cleanup
Correctly escape DN value.
Add reference to sssd-krb5 man page.
Optimize sysdb_enumgrent
Filter by id range before actually storing entries.
Raise some timeouts
Add initial failover support for ldap and ipa
Fix ticket #289
Fix internal options numbers test
In IPA, the realm is always the domain uppercased.
Fix tabs
Fix memberof plugin
Compute and save memberuid in cache as well
Use memberuid and not member in group enumerations
Use the custom password field in groups too.
Resolve nested groups also when rfc2307bis is used
Make strdn build functions more available
Fix nested group memberships
Allow nesting to fix #310
Fix bug #311, properly set callback attribute
Change dhash API to be talloc-friendly
dhash: Add private pointer for delete callback
Add comments to document latest changes
Add rebuild task to memberof plugin
Handle the special 02 upgrade case for 04->05
Fix for #316
Fix for #322, update from old database versions.
Stephen Gallagher (60):
Remove DP from example configuration
Remove [dp] section from example config
Fix sssd.api.conf with correct entry_cache_timeout
Clean up warnings in dhash tests
Make config_file_version a hidden setting in SSSDConfig API
Remove magic_private_groups from SSSDConfig API schema
Add support for option descriptions to SSSDConfig API
Localize SSSDConfig strings
Add complete pydoc for SSSDConfig API
Add Requires: cyrus-sasl-gssapi
Simplify debug_fn()
Add configure check for sasl.h
Update midpoint refresh logic to be relative to cache timeout
Increase the sbus dispatch DEBUG level to 9
Build files.c only for tools
Clean up unused dependencies
Update sssd.spec to use only the required KRB5_LIBS and NSS_LIBS
Fix segfault on unknown user/domain
Fix Requires: sssd-client line in specfile
Make the sysdb user and group names case-sensitive
Upgrade cache and local databases to case-sensitive names
Update translatable strings
Fix sysdb upgrade bug
Add empty NL translation
Only display errors in unit tests
Update PL translation
Update NL translation
Make backend request type a bitfield
Speed up user requests while offline
Update translation strings for string freeze
Fix bug with bad ldb pkg-config files
Update version to 0.99.0
Remove ELAPI from build and tarball
Stop configuring ELAPI
Make debug log timestamps human-readable
Raise debug log level for LDB_DEBUG_WARNING
Add allocation error check
Avoid returning uninitialized result.
Fix potential uninitialized value errors in nsssrv_cmd.c
Fix potential uninitialized value error in responder_dp.c
SSSDDomain.remove_provider() requires only the provider type
Make SSSDDomain.remove_provider() remove configured options
Run dhash tests
Add SSSDDomain.set_name() function to SSSDConfig API
Reduce the verbosity of the SSSDConfigTest
Fix broken SSSDChangeConf.set() function
Fix SSSDConfig API bugs around [de-]activation of domains
Fix RPM spec for RHEL6
SSSDConfig API: fix deactivate_domain()
SSSDConfig.get_domain() should properly detect active state
Ensure that list_active_domains returns the real value
Properly deny id_provider=files
Add missing options to sssd-ipa configuration
Add missing SSSDConfig file for IPA for make install
Fix processing of Boolean values in SSSDConfig
Add 'permit' and 'deny' access providers to SSSDConfig API
Remove default for ldap_use_start_tls in IPA providers
Run SSSDConfig tests during 'make check'
Fix stupid copy-paste error
Updating to version 0.99.1
Sumit Bose (45):
store original DN with cached group objects if available
added a ASQ search API for sysdb
Allow sysdb_search_entry request to return more than one result
Add AM_CFLAGS to unit tests
Fix compiler warnings in krb5_utils-tests.
remove old sysdb file before starting tests
set ipa_hostname if not given in config file
Make debug message less irritating.
add sysdb_delete_recursive request to sysdb API
Add sysdb_attrs_replace_name to sysdb API.
Fix for a seg fault during recursive delete
add replacements for missing Kerberos calls
Check if ccache structure is initialized before calling krb5_cc_destroy
added access module of IPA provider
Simplify krb5 child handler
Add check for access-time rules to ipa_access.
Add support for host, source host and user category
Fix inconsistent use of krb5_ccname_template
Fixes for proxy provider
Make 'permit' the default for the access target
Fix option name krb5_changepw_principal
Validate Kerberos credentials with local keytab
Improve handling of ccache files
Add ipa_auth
Enhance check for remote hosts
Add ldap_pwd_policy option
Read KDC info from file instead from environment
Really check return value from pam_set_item
Use ldb modules from build root for tests
Make ldb lib dir configurable
Fix an internal error when cache_credentials=FALSE
Remove unneeded debugging code
Do not include libsss_ipa.la in rpm package
Immediately return a krb5 change password request when offline
Check LDAP structure before calling ldap_unbind_ext()
Add sysdb_search_custom request
Do not treat missing proc files as errors.
Add basic OS detection
Make packaging of *.egg-info files more flexible
Try to renew Kerberos credentials
Add checks to test the memberuid handling
Add offline support for ipa_access
Add dummy credentials to an empty ccache file
Always update sysdb to the latest version
Fix DEBUG message for sysdb_init
beckerde (1):
Add Spanish translation
deneb (1):
Add Italian translation for sss_client
noriko (1):
Adding Japanese translation
raven (1):
Update PL translation
ruigo (1):
Add Portuguese translation
2009-12-14 19:49:49 +00:00
Bill Nottingham
7a0d36cf7e Fix typo that causes a failure to update the common directory. (releng
#2781)
2009-11-26 01:43:33 +00:00
Stephen Gallagher
65c803204c New upstream release
Fix segfaults and upgrade issues. Provide newer default configuration.
2009-10-27 20:00:57 +00:00
Stephen Gallagher
f7f8bc2025 Fix upgrade issues from old (pre-0.5.0) releases of SSSD
Configuration files before 0.5.0 did not enforce provider= in local domains;
    it did special-case by domain name (LOCAL). Our script was relying on the
    provider= value; this patch adds the special-casing in case the domain
    was called LOCAL.
2009-10-26 13:43:50 +00:00
Stephen Gallagher
29d7ea102f Dmitri Pal (10):
COLLECTION Adding item comparison and sorting
COLLECTION Realigning collection code
COLLECTION Making iterations pinnable
COLLECTION Enhancing hashing and iteration functions
ELAPI Event resolver
ELAPI Resolving message attribute
ELAPI Fixing warnings in the example
ELAPI Rename variables and functions not to use word template
ELAPI Fixed the host name resolution
ELAPI Compatibility code for getifaddr()
Jakub Hrozek (3):
Fix python sync operations and mem hierarchy
Fix error messages in tools
User home directories management
Martin Nagy (7):
Use correct talloc context in sss_names_init()
Fix potential memory leaks in the data provider
Use talloc_get_type() for type safety
Use talloc to copy data from c-ares
Add a new set of helpful common functions for tests
Various improvements to the resolv test suite
Delete sssd-i18n.h and put its old contents into util.h
Piotr Drąg (1):
Update polish translation for 0.6.0
Ralf Haferkamp (2):
LDAP provider needs to link against krb libraries
SUSE specific init script
Simo Sorce (21):
Tighten up permission.
Initial implementation of sasl bind support
Fix tools sync operations and mem hierarchy
Fix long timeout on ldap operation
Make dp requests more robust
Differentiate between search and network timeouts
Remove DP process
Start responders predictably after providers
Remove magicPrivateGroups option
Fix services startup when only LOCAL is configured
Make options parser available to all providers
Move ldap provider configuration into its own file
Fix offline authentication
Return the dp error from the providers
Move all ldap provider init functions
Move all krb5 provider init functions
Add first basic IPA provider
Always list inputs before outputs
Start implementing ipa specific options.
Better offline/enumeration behavior
Fix setting the schema in the ipa provider
Stephen Gallagher (24):
Update version to 0.6.0
Fix infinite loop with empty group enumeration
Updating release script to use the VERSION file
Change requirement on libldb to libldb >= 0.9.3
INI Add config_from_fd() to ini_config
Remove unused btreemap code
Add new SSSDConfig python API
Add plugin configuration schema for proxy provider
Package SSSDConfig API
Clean up warnings in pysss.c
Remove warnings caused by 5e2301b8a75d10e5cbbe11e26e5192b894af6ad7
Remove two unused functions.
Fix segfault when using SSS tools with no local provider
Do not allow setting auth, access or chpass providers for LOCAL
Add krb5_common.h to the list of headers to 'make dist'
Use Python 3-compatible sitearch and sitelib
Better detect installed language files
Clean up rpmlint errors and warnings in sssd-client package
Set the Default-Stop LSB option for the SSSD sysv init script
Fix RPM builds on older versions of rpmbuild
Bring SSSDConfig API options up-to-date
Add pam_ctx (similar to nss_ctx) for storing global PAM config
Add support for offline auth cache timeout
Update version to 0.7.0
Sumit Bose (28):
update sysdb tests to new config file version
add utility call check_and_open_readonly
more documentation and test for sssd.conf
handle expired password during authentication
move password handling into subroutines
ask for new password if password is expired
remove redundant talloc_free
add description of chpass_provider option to sssd.conf man page
add support for server side LDAP password policies
add syslog message similar to pam_unix
use the correct kerberos context for each target
fix a wrong argument to unpack_buffer
add -Werror-implicit-function-declaration to default gcc flags
add a replacement if ldap_control_create is missing
use PYTHON_PREFIX to install SSSDConfig python API
add missing %defattr to the filelist of the client package
make sdap_id_connect_* independent of sdap_id_ctx
send a message if a backend target is not configured
use old password if available during password change
set chpass_provider implicit if not set explicit
more implicit provider target settings
enable debugging of krb5_child
Check for expired passwords in LDAP provider
added generic LDAP search sdap_get_generic_send/_recv
add store/search/delete interface for custom sysdb objects
update krb5 option handling to new option scheme
update ipa auth options to new option scheme
fix a compiler warning about redefinition of DEBUG
Detailed changes since 0.5.0
Dmitri Pal (8):
ELAPI sinks and providers
ELAPI Adding file provider and CSV format
ELAPI Laying foundation for the async processing
COLLECTION Copy collection flat with concatenated names
COLLECTION Improvements to copy functions
COLLECTION Functions to deal with hash
ELAPI Better separation from collection internals.
INI Error handling and interface cleanup
Jakub Hrozek (17):
Remove shadow-utils support from tools
Small changes to the example config and manpage
Add copyright notices
Fix dispatcher structure initialization
Add binaries and backup files to .gitignore
Refactor tools code
Decouple synchronous sysdb interface from tools
Provide python bindings for sysdb
Use syslog for logging error conditions in SSSD
fix varargs call, update unit tests
Ticket 161: Initialize structures with calloc instead of enumerating
    members
Allow entering parent groups as FQDN
Remove provider=files
Manpages update
script to upgrade config to v2
Send debug messages to logfile
Convert the example config to v2 format, upgrade config on update only
Jeff Schroeder (1):
Add documentation for installing build dependencies
Piotr Drąg (1):
Add pl translation
Ralf Haferkamp (2):
Fix initgroups search filter when using rfc2307bis
Avoid crash when timestamp is NULL
Simo Sorce (30):
Use the correct structure.
Initial support for multiple schema types
Always save using member/memberOf
Fix group replies when using member/memberof
Upgrade database to 0.2
Remove redundant function and always pass attrs.
Make enumeration an independent task
Speed-up enumerations.
Correctly handle !DbusWatch behavior.
Turn enumeration into a boolean value
Honor enumerate option in ldap_id
Fix proxy enumeration
Fix two possible uninitialized values
Split database in multiple files
Tools are allowed to touch only the 'local' domain
Fix Ldap id backend offline code
Fix memory mishandling.
Fix ldap enumeration async task
Fix getgrnam and getgrgid calls
Complete the removal of "legacy" option.
Update documentation and examples
Make the offline status backend-global
Turn ldap driver options into multitype
Fix copy&paste error.
Better handle groups w/o members
Fix copy&paste of wrong structure
Don't try to use initgroups_dyn if not available
Handle suspend cases
Split out an sssd-clients package
Let backend respond while fetching large results
Stephen Gallagher (26):
Move RPM specfiles into contrib/
Consolidate cache lookups in the NSS
Add support for the !EntryCacheNoWaitRefreshTimeout
Check for valid min and max IDs in confdb_get_domains
Update manpage to reflect new syntax for enumerate
Add strtoint32 and strtouint32 convenience functions
Properly detect negative/invalid values for the minId and maxId
Remove unused event context argument from confdb_init
Read the configuration parsing before daemonization
Fix first-time confdb generation
Add 'make tests' target
Add strtoint32 and strtouint32 tests
Print error message when connection to the config db fails
Exit if the sssd is launched as a user other than root
Include m4 directories in tarball
Allow rerunning autoreconf from the tarball
Add PRERELEASE_VERSION variable for use in sssd.spec.in
Add missing updates to LINGUAS for pl translation
Add missing reference to sssd-ldap(5) in sssd.conf(5) manpage
Include groupSearchBase in sssd-ldap(5) manpage
Several fixes and enhancements for config file processing
Make configure script compatible with older python versions
Revert "Use syslog for logging error conditions in SSSD"
Temporarily disable automatic config file reread
Upgrade confdb to version 2
Update version to 0.6.0
Sumit Bose (31):
removed unused header file
do not show server messages to user
fix internal order of ldap user mapping options
add configure check for errno_t
send SSSD_REALM and SSSD_KDCIP environment to the client
check if gid attribute is empty
stop processing a domain if no provider is given
check if libpcre version is above or below 7
remove the concept of a backend name
configure cleanups
fix libdbus configure check
initialize sockaddr_in structure
add change password target to krb5 backend
use fork+exec for kerberos helper
Let the PAM client send its PID
remove unused client locale from PAM protocol
make cli_pid mandatory and increase version number of pam protocol
add krb5ccache_dir and krb5ccname_template option
fix the wrong usage of an offset
added child timeout handler
Check if SSL/TLS handler is already in place
use getaddrinfo to resolve IP address of KDC
add a man page for pam_sss
toggle debug output of sssd_krb5_locator_plugin with an environment
    variable
add new config options ldap_tls_cacert and ldap_tls_cacertdir
fix possible short reads in kerberos provider
remove krb5_try_simple_upn option and make it a default fallback
add defines for large file support to standard CFLAGS
more fixes for older libpcre versions
Cleanups for library linking
added support for older MIT kerberos versions
2009-10-23 20:03:33 +00:00
Simo Sorce
9d83b67767 - New upstream release 0.5.0 2009-08-24 21:13:27 +00:00
Jakub Hrozek
f014bf6b02 Fix for CVE-2009-2410 - Native SSSD users with no password set could log in
without a password. (Patch by Stephen Gallagher)
2009-07-29 11:27:19 +00:00
Simo Sorce
a9ec5308cf - Fix a couple of segfaults that may happen on reload 2009-06-22 14:47:06 +00:00
Simo Sorce
c801bd26a0 - add missing configure check that broke stopping the daemon
- also fix default config to add a missing required option
2009-06-11 15:07:18 +00:00
Simo Sorce
34dc95e4aa - latest upstream release.
- also add a patch that fixes debugging output (potential segfault)
2009-06-08 17:40:52 +00:00
Simo Sorce
ba6b3db30f - Add use_first_pass option to fix pam stack problems 2009-04-29 22:05:00 +00:00
Simo Sorce
6c244a6eda - Add use_first_pass option to fix pam stack problems 2009-04-29 22:02:13 +00:00
Simo Sorce
3a21c0ede9 Add 2 other patches around offline auth caching 2009-04-28 17:49:58 +00:00
Simo Sorce
4e5c172095 - Add patches to fix password caching 2009-04-28 17:37:45 +00:00
Simo Sorce
e28b3dea2b - Version 0.3.3 2009-04-27 21:39:33 +00:00
Simo Sorce
0f6270b29b - release out of the official 0.3.2 tarball 2009-04-20 19:27:26 +00:00
Jakub Hrozek
24800eede1 commit the sources file for 0.3.2 2009-04-20 18:30:49 +00:00
Jakub Hrozek
80981e3d07 Update to 0.3.2 2009-04-20 18:29:07 +00:00
Jesse Keating
164697d920 Initialize branch F-11 for sssd 2009-04-15 07:10:48 +00:00
Simo Sorce
cb09420cd2 add patch 0002 too 2009-04-14 21:53:40 +00:00
Simo Sorce
d4c7182341 - Add last minute bug fixes, found in testing the package 2009-04-14 21:24:36 +00:00
Simo Sorce
9797cfd950 - Version 0.3.1
- includes previous release patches
2009-04-13 22:37:11 +00:00
Simo Sorce
abd724acaf - Try to fix build adding automake as an explicit BuildRequire
- Add also a couple of last minute patches from upstream
2009-04-13 17:48:03 +00:00
Simo Sorce
740369efcf Some more build requires 2009-04-13 17:11:39 +00:00
Simo Sorce
9afc8fce0b - Try to fix build adding automake as an explicit BuildRequire 2009-04-13 16:04:16 +00:00
Simo Sorce
276bbb1dfb - Version 0.3.0
- Provides file based configuration and lots of improvements
2009-04-13 15:49:54 +00:00
Simo Sorce
a85a9618e4 - Version 0.2.1 2009-03-10 21:34:16 +00:00
Simo Sorce
4f143048ca - Version 0.2.0 2009-03-10 20:43:08 +00:00
Jakub Hrozek
abb369a4fb Initial import of sssd into Fedora 2009-03-09 17:07:25 +00:00
Toshio くらとみ
240ceae578 Setup of module sssd 2009-03-09 16:42:03 +00:00