Commit Graph

13323 Commits

Author SHA1 Message Date
Armando Neto
a4ca34261a prci: increase timeout for jobs that required AD
Vagrant retries to provision hosts if something happens, it was introduced
in PR-CI after 380c8b8c78.

This takes time, some jobs are killed during test execution, so this
increases the time-out parameter from 1 hour and 20 minutes to 2 hours.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-10-03 09:01:16 -03:00
Cédric Jeanneret
cf7006376d Add new tip for dependencies
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-10-02 15:29:08 +02:00
Alexander Bokovoy
19d51683ca Add local helpers to handle unixid structure
Samba did remove unixid_from_*() helpers in the upstream commit
c906153cc7af21abe508ddd30c447642327d6a5d (Samba 4.11). Since they are
very simple, make a local copy instead.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1757089
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-01 10:38:00 -04:00
Mohammad Rizwan Yusuf
7aec6f1037 Check file ownership and permission for dirsrv log instance
Check if file ownership and permission is set to dirsrv:dirsrv
and 770 on /var/log/dirsrv/slapd-<instance> after ipa-restore.

related ticket : https://pagure.io/freeipa/issue/7725

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-01 08:17:55 -04:00
Florence Blanc-Renaud
121971a51e
ipatests: fix test_replica_promotion.py::TestHiddenReplicaPromotion
The test test_replica_promotion.py::TestHiddenReplicaPromotion randomly
fails in nightly_f29.

The test is checking that a given IP address is not in the DNS records
for the domain. When we are unlucky, we may come up with the following
situation:
- IP address that is unexpected: 192.168.121.25
- IP address that is found for the DNS record: 192.168.121.254

As 192.168.121.25 is a substring of 192.168.121.254, the test wrongly considers that the unexpected address was found.
Extract of the log:
    for host in hosts_unexpected:
        value = host.hostname if rtype == 'SRV' else host.ip
>       assert value not in txt
E       AssertionError: assert '192.168.121.25' not in 'ipa-ca.ipa.test. 1 IN A 192.168.121.254'
E         '192.168.121.25' is contained here:
E           ipa-ca.ipa.test. 1 IN A 192.168.121.254
E         ?                         ++++++++++++++

This happens because the test is comparing the content of the output as a
string. The fix is extracting the exact hostname/IP address from the
record instead.

Fixes: https://pagure.io/freeipa/issue/8070
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-01 09:37:36 +02:00
Florence Blanc-Renaud
387ee6e60f ipatests: add XMLRPC test for user-add when UPG plugin is disabled
Add a new XMLRPC test in test_user_plugin:
- disable the UPG plugin
- create a user without the --gid parameter
  as the default group for new users is not POSIX (ipausers), the
  command is expected to fail
- create a user with the --gid parameter
  The provided gid is used and command is expected to succeed
- create a user with the same name as an existing group
  As the UPG plugin is disabled, the user creation will not trigger
  the creation of a group with the same name, and command is
  expected to succeed
- re-enable the UPG plugin for other tests

Related to: https://pagure.io/freeipa/issue/4972

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-27 15:33:15 +02:00
Florence Blanc-Renaud
b2a2d7f4e4 ipa user_add: do not check group if UPG is disabled
The UPG plugin is used to create a user private group when a new
IPA user is created, with the same name as the user. When this plugin
is enabled, the user creation must ensure that no group exists with
the same name.

When the UPG plugin is disabled, or when the user is created with the
--noprivate option, there is no need to perform this check as the
private group will not get created.

Currently, the --noprivate option correctly skips the test, but a
disabled UPG plugin does not skip the test. The fix ensures that
UPG plugin status is checked.

Fixes: https://pagure.io/freeipa/issue/4972
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-27 15:33:15 +02:00
Rafael Guterres Jeffman
883b44243a Fixes pylint errors introduced by version 2.4.0.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-27 09:38:32 +02:00
Rafael Guterres Jeffman
73529e065c Removed unnecessary imports after code review.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-27 09:38:32 +02:00
Rafael Guterres Jeffman
d4fab33605 Removes several pylint warnings.
This patche removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-27 09:38:32 +02:00
Rafael Guterres Jeffman
51e0f56487 Removed unnecessary imports after code review.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-27 09:38:32 +02:00
Rafael Guterres Jeffman
c898be1df9 Removes several pylint warnings.
This patche removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-27 09:38:32 +02:00
Rafael Guterres Jeffman
bc53544c6f Removes rpmlint warning on freeipa.spec.
This patch removes a warning due to mixed usage of spaces and tabs
in freeipa.spec.in file.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-27 09:38:32 +02:00
Florence Blanc-Renaud
6127aa0eac ipatests: fix fedora29 nightly definition
test_sssd is using a wrong dependency (fedora30 build instead
of fedora29 build). As a result, this test is not triggered
by PRCI because it's waiting forever for a dependency.
(See the status: fedora-30/test_sssd Pending — unassigned)

Fix the version in the fedora 29 nightly definition.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-25 15:59:51 -04:00
Rob Crittenden
c8b0d1d6a0 Disable dogtag cert publishing
Dogtag had only one switch, ca.publish.enable, for both CRLs and certs.

Since cert publishing is not used in IPA it should be disabled to
avoid false positives in the logs.

https://pagure.io/freeipa/issue/7522

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-09-25 11:38:31 -04:00
Stanislav Levin
feae9de73e Setup DNS for AP Docker container
Docker utilizes its own way to provide DNS (hostname, hosts, NS).
By default, they are almost the same as the host's ones.
For instance, below is from AP container:
```
cat /etc/hosts

127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.17.0.2	ipa.example.test ipa

cat /etc/resolv.conf
nameserver 168.63.129.16
search hqdv2iuiph0ufpcrhp4amkgzwf.fx.internal.cloudapp.net
```

As a result FreeIPA uses 168.63.129.16 (AP DNS NS [1]) as a DNS forwarder.
It's not desirable to rely on this.
Let's clear test environment.

[1] https://docs.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16

Related: https://pagure.io/freeipa/issue/8077
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-25 20:14:06 +10:00
Stanislav Levin
d0b420f6dd Fixed errors newly exposed by pylint 2.4.0
Newest Pylint introduced additional checks [1]:

- import-outside-toplevel [2]

> This check warns when modules are imported from places other
than a module toplevel, e.g. inside a function or a class.

- no-else-continue [3]

> These checks highlight unnecessary else and elif blocks after
break and continue statements.

- unnecessary-comprehension [4]

> This check is emitted when pylint finds list-, set- or
dict-comprehensions, that are unnecessary and can be rewritten
with the list-, set- or dict-constructors.

[1] https://github.com/PyCQA/pylint/blob/pylint-2.4.0/doc/whatsnew/2.4.rst
[2] https://github.com/PyCQA/pylint/issues/3067
[3] https://github.com/PyCQA/pylint/issues/2327
[4] https://github.com/PyCQA/pylint/issues/2905

Fixes: https://pagure.io/freeipa/issue/8077
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-25 20:14:06 +10:00
Fraser Tweedale
7c7a827c09 Bump Dogtag min version to 10.7.3
Dogtag 10.7.3 adds AES support for key export, enabling lightweight
CA key replication to use AES.  Bump the Requires min version.

Fixes: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-09-25 12:42:06 +10:00
Fraser Tweedale
bfead9ce66 ipa-pki-retrieve-key: request AES encryption (with fallback)
Update the ipa-pki-retrieve-key client to issue a request that
specifies that AES encryption should be used.  If the server
responds 404, fall back to a request *without* an algorithm
parameter.  This handles both of the possible 404 scenarios:

a) It is an old server that does not support extra Custodia key
   parameters;

b) The server supports extra parameters but the key does not exist,
   in which case the fallback request will also fail with 404.

Fixes: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-09-25 12:42:06 +10:00
Fraser Tweedale
8fbcc33534 NSSWrappedCertDB: accept optional symmetric algorithm
Add support for Custodia ca_wrapped clients to specify the desired
symmetric encryption algorithm for exporting the wrapped signing key
(this mechanism is used for LWCA key replication).  If not
specified, we must assume that the client has an older Dogtag
version that can only import keys wrapped with DES-EDE3-CBC
encryption.

The selected algorithm gets passed to the 'nsswrappedcert' handler,
which in turn passes it to the 'pki ca-authority-key-export' command
(which is part of Dogtag).

Client-side changes will occur in a subsequent commit.

Part of: https://pagure.io/freeipa/issue/8020

Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-09-25 12:42:06 +10:00
Fraser Tweedale
7e92e65190 IPASecStore: support extra key arguments
To support lightweight CA key replication using AES, while retaining
backwards compatibility with old servers, it is necessary to signal
support for AES.  Whereas we currently request a key with the path:

  /keys/ca_wrapped/<nickname>

and whereas paths with > 3 components are unsupported, add support
for handlers to signal that they support extra arguments (defaulting
to False), those arguments being conveyed as additional path
components, e.g.:

  # 2.16.840.1.101.3.4.1.2 = aes128-cbc
  /keys/ca_wrapped/<nickname>/2.16.840.1.101.3.4.1.2

This commit only adds the Custodia support for extra handler
arguments.  Work to support LWCA key replication with AES wrapping
will continue in subsequent commits.

Part of: https://pagure.io/freeipa/issue/8020

Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-09-25 12:42:06 +10:00
Christian Heimes
90f7232454 Don't create log files from help scripts
Helper scripts now use api.bootstrap(log=None) to avoid the creation of
log files. Helper scripts are typically executed from daemons which
perform their own logging. The helpers still log to stderr/stdout.

This also gets rid of some SELinux AVCs when the script tries to write
to /root/.ipa/.

Fixes: https://pagure.io/freeipa/issue/8075
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-24 15:23:30 +02:00
Armando Neto
98ee5f2472 prci: update packages for pki and testing nightly runs
This forces PR-CI to update the packages instead of using the versions
already included in the vagrant image.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-09-23 12:23:37 -03:00
Rob Crittenden
8da0e2e977 ipa-restore: Restore ownership and perms on 389-ds log directory
Previously it would end up being owned by root:root mode 0755
instead of dirsrv:dirsrv mode 0770.

https://pagure.io/freeipa/issue/7725

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-09-23 09:27:28 -04:00
Florence Blanc-Renaud
802e54dd0e replica install: enforce --server arg
When the --server option is provided to ipa-replica-install (1-step
install), make sure that the server offers all the required roles
(CA, KRA). If it's not the case, refuse the installation.

Note that the --server option is ignored when promoting from client to
replica (2-step install with ipa-client-install and ipa-replica-install),
meaning that the existing behavior is not changed in this use case:
by default the host specified in default.conf as server is used for
enrollment, but if it does not provide a required role, another host can
be picked for CA or KRA setup.

Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2019-09-23 14:36:10 +02:00
Florence Blanc-Renaud
2919237753 ipatests: ensure that backup/restore restores pkcs 11 modules config file
In the test_backup_and_restore, add a new test:
- before backup, save the content of /etc/pkcs11/modules/softhsm2.module
- after restore, ensure the file is present with the same content.

Related: https://pagure.io/freeipa/issue/8073
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-22 20:29:41 +03:00
Florence Blanc-Renaud
055ea253df ipa-backup: backup the PKCS module config files setup by IPA
ipa installer creates /etc/pkcs11/modules/softhsm2.module in order
to disable global p11-kit configuration for NSS.
This file was not included in the backups, and not restored.

The fix adds the file to the list of files to include in a backup.

Fixes: https://pagure.io/freeipa/issue/8073
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-22 20:29:41 +03:00
Robbie Harwood
c11fd328bc Fix segfault in ipadb_parse_ldap_entry()
lcontext may be NULL here, probably due to a restarted 389ds.  Based on
a patch by Rob Crittenden.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-09-22 20:27:25 +03:00
Florence Blanc-Renaud
a2313114fb ipatests: enable 389-ds audit log and collect audit file
In test_integration, enable 389-ds audit log and auditfail log by setting
nsslapd-auditlog-logging-enabled: on
nsslapd-auditfaillog-logging-enabled: on

and collect the generated audit file. This will help troubleshoot failures
related to DS.

Fixes: https://pagure.io/freeipa/issue/8064
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-20 13:14:18 -04:00
Rob Crittenden
5b28c458b9 Report if a certmonger CA is missing
If a certmonger CA is not defined but is referenced within
a request (so was removed sometime after a request was
created) then anything that pulls all certmonger requests would
fail with the cryptic error:

"Failed to get request: bus, object_path and dbus_interface
must not be None."

This was often seen during upgrades.

Catch this specific condition and report a more specific error
so the user will have some bread crumb to know how to address
the issue.

https://pagure.io/freeipa/issue/7870

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-09-20 10:16:57 -04:00
Rafael Guterres Jeffman
9c20641f5c Re-add function façades removed by commit 2da9088.
ansible-freeipa breaks if this functions do not exist, so they will be
added back and marked as deprecated.

Related Tickets:
https://pagure.io/freeipa/issue/8062

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-20 10:12:09 -04:00
Armando Neto
78d27f8252 Update definitions for nightly tests
Update nightly definitions used to test if FreeIPA works when repo
`updates-testing` is enabled.

These changes include all tests currently defined in `nightly_master.yaml`.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-09-20 08:12:21 -03:00
Alexandre Mulatinho
a38a384359 ipa-scripts: fix all ipa command line scripts to operate with -I
Replacing -E flag to -I on all ipa python scripts except tests.

Signed-off-by: Alexandre Mulatinho <alex@mulatinho.net>
Related: https://pagure.io/freeipa/issue/7987
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-09-19 10:44:09 -04:00
Rob Crittenden
ffb4b624fc Re-order tasks.restore_pkcs11_modules() to run earlier
It was executed after restore_all_files() so PKCS11_MODULES was
already restored so that part was a no-op, but the redhat
restore_pkcs11_modules() also calls unlink() on each restored
file so basically the file would be restored, unlinked, then
since it was already restored, skipped.

By moving the call to restore_pkcs11_modules() earlier it can
do the expected restoration properly.

https://pagure.io/freeipa/issue/8034

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-09-19 10:13:26 -04:00
Rob Crittenden
48a3f4af46 Don't log host passwords when they are set/modified
The host password was defined as a Str type so would be
logged in cleartext in the Apache log.

A new class, HostPassword, was defined to only override
safe_value() so it always returns an obfuscated value.

The Password class cannot be used because it has special treatment
in the frontend to manage prompting and specifically doesn't
allow a value to be passed into it. This breaks backwards
compatibility with older clients. Since this class is derived
from Str old clients treat it as a plain string value.

This also removes the search option from passwords.

https://pagure.io/freeipa/issue/8017

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-09-19 10:11:52 -04:00
Anuja More
e5e0693aa2 Extdom plugin should not return error (32)/'No such object'
Regression test for https://pagure.io/freeipa/issue/8044

If there is a timeout during a request to SSSD the extdom plugin
should not return error 'No such object' and the existing
user should not be added to negative cache on the client.

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-09-19 15:52:51 +02:00
Sergey Orlov
4ab2842b76
ipatests: add tests for cached_auth_timeout in sssd.conf
The tests check that auth cache
* is disabled by default
* is working when enabled
* expires after specified time
* is inherited by trusted domain

Related to: https://bugzilla.redhat.com/1685581

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-19 10:26:58 +02:00
Sergey Orlov
4ea9aead5c
ipatests: refactoring: use library function to check if selinux is enabled
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-19 10:26:58 +02:00
Sergey Orlov
7dde3a4220
ipatests: add new utilities for file management
Added utilities for working with remote hosts
* backup and restore files
* modify .ini files
* check if selinux is enabled

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-19 10:26:58 +02:00
Serhii Tsymbaliuk
4dbc6926b1 WebUI: Fix new test initialization on "HBAC Test" page
"New Test" action cleared only information about selected options but kept
radio buttons checked. It confused users and caused an error on validation step.

New behaviour is:
- tables forget all selected values after "New Test" click;
- first table record is checked initially in case the option is mandatory;
- all records is unchecked initially in case the option is not mandatory.

Ticket: https://pagure.io/freeipa/issue/8031

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2019-09-17 18:12:43 -03:00
Serhii Tsymbaliuk
755154318a
WebUI: Fix changing category on HBAC/Sudo/etc Rule pages
No object can be added to a rule when object category is 'all'.
So while editing rule there is needed to save actual category value
before adding related objects.

Ticket: https://pagure.io/freeipa/issue/7961

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2019-09-17 08:35:32 +02:00
Tibor Dudlák
f1e20b45c5
Add container environment check to replicainstall
Inside the container environment master's IP address
does not resolve to its name.

Resolves: https://pagure.io/freeipa/issue/6210
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-16 09:44:52 +02:00
ndehadra
6064365aa0 Hidden Replica: Add a test for Automatic CRL configuration
Added test to check whether hidden replica can be configurred
as CRL generation master.

Related Tickets:
https://pagure.io/freeipa/issue/7307

Signed-off-by: ndehadra <ndehadra@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-13 14:46:46 +02:00
Alexander Bokovoy
0be9888499 adtrust: add default read_keys permission for TDO objects
If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
whole communication with Active Directory domain controllers will not be
possible.

This seems to affect trusts which were created before
ipaAllowedToPerform;read_keys permission granting was introduced
(FreeIPA 4.2). Add back the default setting for the permissions which
grants access to trust agents and trust admins.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-09-12 17:17:53 +03:00
Alexander Bokovoy
9aeb6bae23 add default access control when migrating trust objects
It looks like for some cases we do not have proper set up keytab
retrieval configuration in the old trusted domain object. This mostly
affects two-way trust cases. In such cases, create default configuration
as ipasam would have created when trust was established.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-09-12 17:17:53 +03:00
Francisco Trivino
991d508a5c prci: increase gating tasks priority
Sometimes the gating tasks (build and jobs) are blocked because of nightly
regression remaining tasks are in progress. The reason is because nightly
regressions are not finished or they are re-triggered during day-time.
Gating tasks are blocked because they have same priority than nightly tasks.

This commit increases gating tasks priority so the testing of pull requests
will not be blocked anymore.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-12 11:17:15 +02:00
Tomas Halman
bddf64b9da extdom: add extdom protocol documentation
Add the description of extdom protocol and its versions

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-09-12 10:48:13 +03:00
Tomas Halman
84b6c0f53b extdom: use sss_nss_*_timeout calls
Use nss calls with timeout in extdom plugin

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-09-12 10:48:13 +03:00
Tomas Halman
5f898c3c61 extdom: plugin doesn't use timeout in blocking call
Expose nss timeout parameter. Use sss_nss_getorigbyname_timeout
instead of sss_nss_getorigbyname

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-09-12 10:48:13 +03:00
Tomas Halman
e5f04258b5 extdom: plugin doesn't allow @ in group name
Old implementation handles username and group names with
one common call. Character @ is used in the call to detect UPN.

Group name can legaly contain this character and therefore the
common approach doesn't work in such case.

Also the original call is less efficient because it tries to resolv
username allways then it fallback to group resolution.

Here we implement two new separate calls for resolving users and
groups.

Fixes: https://bugzilla.redhat.com/1746951
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-09-12 10:48:13 +03:00