- 08 May, 2020 2 commits
-
-
Timo Aaltonen authored
-
Timo Aaltonen authored
-
- 20 Apr, 2020 3 commits
-
-
Timo Aaltonen authored
-
Timo Aaltonen authored
-
Timo Aaltonen authored
-
- 06 Mar, 2020 2 commits
-
-
Timo Aaltonen authored
-
Timo Aaltonen authored
-
- 27 Feb, 2020 3 commits
-
-
Timo Aaltonen authored
-
Timo Aaltonen authored
-
Timo Aaltonen authored
-
- 20 Feb, 2020 3 commits
-
-
Timo Aaltonen authored
-
Timo Aaltonen authored
-
Timo Aaltonen authored
-
- 13 Feb, 2020 1 commit
-
-
Timo Aaltonen authored
-
- 12 Feb, 2020 1 commit
-
-
Timo Aaltonen authored
-
- 30 Nov, 2019 5 commits
-
-
Michal Židek authored
-
Michal Židek authored
Missing new lines were causing errors when generating the translations.
-
Michal Židek authored
Some new man pages were added recently, but they were not added to the src/man/po/po4a.cfg. This caused failures when generating updated translations.
-
Tomas Halman authored
Check whether "sssctl config-check" prints correct message in case that there are only configuration snippets or no configuration at all.
Related to: https://pagure.io/SSSD/sssd/issue/3938
Reviewed-by: Michal Židek <mzidek@redhat.com>
-
Tomas Halman authored
The sssctl config-check is giving the wrong error message when there are only snippet files and no sssd.conf. To address this problem sss_ini code had to be partially rewritten to allow proper configuration testing.
Resolves: https://pagure.io/SSSD/sssd/issue/3938
Reviewed-by: Michal Židek <mzidek@redhat.com>
-
- 29 Nov, 2019 18 commits
-
-
Sumit Bose authored
While reading the different components of the HBAC rules failover handling was missing. Since the access control is typically the second step after authentication SSSD would have already switched to a working server or into offline mode during authentication. But if e.g. ssh keys are used for authentication and user data are read from cache the HBAC rule searches might have to handle failover as well.
Related to https://pagure.io/SSSD/sssd/issue/4114
Reviewed-by: Michal Židek <mzidek@redhat.com>
-
Sumit Bose authored
In the ipa_id_get_account_info request failover handling was missing.
Related to https://pagure.io/SSSD/sssd/issue/4114
Reviewed-by: Michal Židek <mzidek@redhat.com>
-
Sumit Bose authored
To make the checks for revoked certificates more flexible if the system is offline this patch adds the new values for the 'certificate_verification' option. With 'soft_ocsp' the OCSP check is skipped if the OCSP responder cannot be connected. With 'soft_crl' an expired CRL will be ignored. If a certificate is considered valid due to one of those options a syslog message is generated to indicate that the certificate was allowed because the check if the certificate was revoked was ignored.
Related to https://pagure.io/SSSD/sssd/issue/3677
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-
Alexey Tikhonov authored
  - copies of LDAP master password are erased as soon as they are not needed anymore;
  - got rid of `simple_bind_state::pw` as it was set to point to a variable on the stack (bug) and was not used anyway
Relates: https://pagure.io/SSSD/sssd/issue/3956
Reviewed-by: Sumit Bose <sbose@redhat.com>
-
Alexey Tikhonov authored
sss_authtok_new() is the only legal way to create instance of sss_auth_token. Setting destructor in this factory function allows for secure erasure of sensitive data.
Relates: https://pagure.io/SSSD/sssd/issue/3956
Reviewed-by: Sumit Bose <sbose@redhat.com>
-
Alexey Tikhonov authored
Relates: https://pagure.io/SSSD/sssd/issue/3956
Reviewed-by: Sumit Bose <sbose@redhat.com>
-
Alexey Tikhonov authored
Relates: https://pagure.io/SSSD/sssd/issue/3956
Reviewed-by: Sumit Bose <sbose@redhat.com>
-
Alexey Tikhonov authored
Reviewed-by: Sumit Bose <sbose@redhat.com>
-
Alexey Tikhonov authored
Memory alignment of key, salt and some auxiliary variables was inherited from original code which took care about alignment because of the way own hash functions were implemented. In current implementation that uses OpenSSL for hashing those gimmicks are not required. Removing it makes code clearer and also makes it unnecessary to clean copied_ key/salt properly (memset() used currently is not proper way)
Reviewed-by: Sumit Bose <sbose@redhat.com>
-
Alexey Tikhonov authored
Reviewed-by: Sumit Bose <sbose@redhat.com>
-
Alexey Tikhonov authored
Relates: https://pagure.io/SSSD/sssd/issue/3956
Reviewed-by: Sumit Bose <sbose@redhat.com>
-
Alexey Tikhonov authored
Specially designated for this purpose `explicit_bzero()` function is used in case it is available. Otherwise well known trick with a volatile pointer to memset() is used to prevent compiler optimization.
Relates: https://pagure.io/SSSD/sssd/issue/3956
Reviewed-by: Sumit Bose <sbose@redhat.com>
-
Alexey Tikhonov authored
  - moved private `struct mem_holder` out of public header
  - moved `sss_mem_attach()` function description to the declaration
  - changed `sss_mem_attach()` to return error code instead of a pointer as data it points to is not expected to be manipulated by a user
  - got rid of redundant `sdap_msg_attach()`
Reviewed-by: Sumit Bose <sbose@redhat.com>
-
Sumit Bose authored
Currently p11_child rejects the verification of a certificate if the 'no_verification' option is set. As a result the ssh responder does not work as expected if 'no_verification' is set.
Related to https://pagure.io/SSSD/sssd/issue/4121
Reviewed-by: Tomáš Halman <thalman@redhat.com>
-
Sumit Bose authored
The ssh responder didn't initialize the logging for p11_child properly.
Related to https://pagure.io/SSSD/sssd/issue/4121
Reviewed-by: Tomáš Halman <thalman@redhat.com>
-
Sumit Bose authored
Add a new option ssh_use_certificate_matching_rules to select the matching rules which should be used to filter the certificates to derive ssh keys.
Related to https://pagure.io/SSSD/sssd/issue/4121
Reviewed-by: Tomáš Halman <thalman@redhat.com>
-
Sumit Bose authored
Use available certificate matching rules to select certificates to derive ssh-keys.
Related to https://pagure.io/SSSD/sssd/issue/4121
Reviewed-by: Tomáš Halman <thalman@redhat.com>
-
Sumit Bose authored
Add missing entries for ssh_use_certificate_keys to API and config check files.
Related to https://pagure.io/SSSD/sssd/issue/3688
Reviewed-by: Tomáš Halman <thalman@redhat.com>
-
- 27 Nov, 2019 2 commits
-
-
Alexey Tikhonov authored
Reviewed-by: Tomáš Halman <thalman@redhat.com>
-
Alexey Tikhonov authored
It didn't make any sense to skip close_low_fds() but keep working in case of chdir() fail.
Reviewed-by: Tomáš Halman <thalman@redhat.com>
-