[PATCH] Add mandatory flag to SSSD config schema
by Stephen Gallagher
Also add list_mandatory_options() to both SSSDService and
SSSDDomain objects.
There is a new list_options_with_mandatory() function that will
return a longer tuple than list_options(), including the mandatory
flag directly.
list_options() will still return the shorter tuple, for
backwards-compatibility.
This feature will allow authconfig (a consumer of the SSSDConfig API) to
produce a simpler interface listing only the mandatory options for each
provider. This should result in a less confusing GUI.
13 years, 10 months
[PATCH] Added option to use libcrypto from OpenSSL instead of NSS.
by George McCollister
crypto_sha512crypt.c is a clone of nss_sha512crypt.c with the exception that all usage of NSS and related libraries has been switched to libcrypto. I renamed nss_sha512crypt.h to sha512crypt.h since it is common to both crypto_sha512crypt.c and nss_sha512crypt.c. Note that the random number generator is not seeded manually and thus relies on seeding done automatically by libcrypto. On some systems without /dev/urandom seeding may not be performed. See http://www.openssl.org/docs/crypto/RAND_add.html.
Signed-off-by: George McCollister <georgem(a)novatech-llc.com>
---
server/Makefile.am | 28 ++-
server/configure.ac | 14 +-
server/db/sysdb_ops.c | 2 +-
server/responder/pam/pam_LOCAL_domain.c | 2 +-
server/util/crypto_sha512crypt.c | 380 +++++++++++++++++++++++++++++++
server/util/nss_sha512crypt.h | 4 -
server/util/sha512crypt.h | 4 +
7 files changed, 423 insertions(+), 11 deletions(-)
create mode 100644 server/util/crypto_sha512crypt.c
delete mode 100644 server/util/nss_sha512crypt.h
create mode 100644 server/util/sha512crypt.h
13 years, 10 months
[PATCH] Warn the user if authentication happens offline
by Sumit Bose
Hi,
this patch should fix #239. All translatable strings are in the pam
client and now it should be quite easy to add new messages which should
be presented to the user.
It is quite easy to see this message for a console user, but currently a
GUI user needs a very fast eye to catch the message in the gdm or
screensaver window. Maybe we should ask the desktop people to send a
PAM_TEXT_INFO message e.g. with libnotify to the user's desktop.
bye,
Sumit
13 years, 10 months
sssd.spec for SLES
by Sergei V. Kovylov
Here you may find a patch for the sssd.spec file which provides a correct
build of sssd for SLES (tested on SLES10SP1).
In brief:
There are 3 essences:
redhat
fedora
sles
which are detected by the existence of /etc/<vendor release file> (e.g.
/etc/SuSE-release) in the spec, and all necessary actions are done
according to the OS detection.
Additionally for SLES there is "--without-selinux" flag while
configuring, as SLES doesn't support SELinux.
13 years, 10 months
[PATCH] Check cache_credentials in sysdb_cache_auth_send()
by Sumit Bose
Hi,
although it might be good practice to check cache_credentials before
calling sysdb_cache_auth_send(), I think it makes sense to add it here,
too. E.g. if someone forgets to check before calling
sysdb_cache_auth_send() and for some reason the configuration is changed
from cache_credentials=true to false, then we might access some old cached
passwords although it is expected that offline authentication does not
work anymore.
bye,
Sumit
13 years, 10 months
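The two messages above, George McCollister's libcrypto port of sha512crypt and this cache_credentials check, meet in the same code path: the cached password is a sha512crypt ($6$) hash, and offline authentication must refuse to consult it unless caching is enabled. The block below is an added example written for this thread, not SSSD code. It implements the public sha512crypt specification that both nss_sha512crypt.c and crypto_sha512crypt.c follow (in Python rather than C so it runs stand-alone without NSS or libcrypto), draws the salt from the OS CSPRNG, which is the same automatic seeding the libcrypto note warns about, and gates the offline check on cache_credentials. `cache_auth()`, the `cachedPassword` attribute, the config dict and the user record are constructed stand-ins for sysdb_cache_auth_send() and the sysdb entry, not SSSD's real names or layout.

```python
"""sha512crypt ($6$) and an offline-auth gate on cache_credentials.

Added example, not SSSD code. cache_auth() is a hypothetical stand-in for
the patched sysdb_cache_auth_send(); config and user records are constructed.
"""
import hashlib
import hmac
import secrets

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Output permutation from the specification: triple n covers digest bytes
# (n, n+21, n+42) rotated left by n mod 3; byte 63 is emitted alone at the end.
_PERM = []
for _n in range(21):
    _t = (_n, _n + 21, _n + 42)
    _PERM.append(_t[_n % 3:] + _t[:_n % 3])


def _b64_24bit(b2, b1, b0, n):
    """crypt(3)-style base64: emit n sextets of the 24-bit word, low bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: bytes, salt: bytes, rounds=None) -> str:
    """Full $6$salt$hash string; rounds=None is the default 5000 with no
    rounds= field, as crypt(3) prints it."""
    salt = salt[:16]
    n_rounds = 5000 if rounds is None else rounds
    plen = len(password)
    sha = hashlib.sha512
    # Digest B = H(password || salt || password)
    b = sha(password + salt + password).digest()
    # Digest A = H(password || salt || B stretched to plen || per-bit mix of plen)
    a = sha(password + salt)
    a.update(b * (plen // 64) + b[: plen % 64])
    i = plen
    while i > 0:
        a.update(b if i & 1 else password)
        i >>= 1
    a = a.digest()
    # P and S: password and salt digests stretched to the input lengths
    dp = sha(password * plen).digest()
    p = dp * (plen // 64) + dp[: plen % 64]
    ds = sha(salt * (16 + a[0])).digest()
    s = ds * (len(salt) // 64) + ds[: len(salt) % 64]
    # Key-stretching loop: which of P, S and the running digest go in depends
    # on the round number's parity and divisibility by 3 and 7.
    c = a
    for r in range(n_rounds):
        h = sha()
        h.update(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    enc = "".join(_b64_24bit(c[i], c[j], c[k], 4) for i, j, k in _PERM)
    enc += _b64_24bit(0, 0, c[63], 2)
    head = "$6$" if rounds is None else f"$6$rounds={rounds}$"
    return head + salt.decode("ascii") + "$" + enc


def verify_sha512_crypt(password: bytes, stored: str) -> bool:
    """Recompute from the stored salt/rounds and compare in constant time."""
    parts = stored.split("$")  # ['', '6', ['rounds=N',] salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        return False
    rounds = None
    if parts[2].startswith("rounds="):
        rounds, parts = int(parts[2][7:]), parts[:2] + parts[3:]
    recomputed = sha512_crypt(password, parts[2].encode("ascii"), rounds)
    return hmac.compare_digest(recomputed.encode(), stored.encode())


def new_cached_hash(password: bytes) -> str:
    """Hash to store in the cache. The 16-byte salt comes from the OS CSPRNG
    via secrets (getrandom/urandom), the same seeding source libcrypto's
    RAND_bytes relies on when nothing seeds it manually."""
    salt = "".join(secrets.choice(_B64) for _ in range(16)).encode("ascii")
    return sha512_crypt(password, salt)


CACHE_DISABLED, NO_CACHED_HASH, BAD_PASSWORD, AUTH_OK = (
    "cache_credentials=false", "no cached hash", "bad password", "ok")


def cache_auth(config: dict, user: dict, password: bytes) -> str:
    """Hypothetical stand-in for the patched sysdb_cache_auth_send(): refuse
    before touching any cached hash unless cache_credentials is true."""
    if not config.get("cache_credentials", False):
        return CACHE_DISABLED
    cached = user.get("cachedPassword")
    if not cached:
        return NO_CACHED_HASH
    return AUTH_OK if verify_sha512_crypt(password, cached) else BAD_PASSWORD


if __name__ == "__main__":
    # Constructed sample: one cached user, cache_credentials flipped at runtime.
    user = {"name": "alice", "cachedPassword": new_cached_hash(b"correct horse")}
    print(cache_auth({"cache_credentials": True}, user, b"correct horse"))
    print(cache_auth({"cache_credentials": False}, user, b"correct horse"))
```

The order of the checks in `cache_auth()` is the whole point of the patch: the configuration flag is tested first, so a stale `cachedPassword` left over from a time when caching was on can never be consulted once it is off, whatever the caller did or forgot to do. The hash function can be checked against the specification's own test vector ($6$saltstring with "Hello world!"), and the constant-time comparison in `verify_sha512_crypt()` avoids leaking where a guess diverges from the stored value.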
[PATCH] First step to handle LDAP referrals
by Sumit Bose
Hi,
these two patches are a first step to handle LDAP referrals. The first
patch changes the way we add a file descriptor event to the event loop.
Currently it is extracted from the LDAP handle, but there only the fd of
the 'primary' LDAP server is stored. If a referral is found and
LDAP_OPT_REFERRALS is set to LDAP_OPT_ON the openLDAP library will open
new connections to the new LDAP servers automatically. To keep track of
the activity on these connection we need to add the new fds to the event
loop, too.
To get the fds this patch introduces a connection callback where the fd
is extracted from the provided data and added to the event loop. There
is another callback which removes the fd from the event loop when
ldap_unbind is called.
The second patch adds the config option ldap_referrals to switch the
referral chasing on and off.
Authentication with referrals currently works under the following
conditions:
- the DN of the user is the same on both LDAP servers
- the LDAP server is RHDS/FDS/389, openLDAP does not return the
'Referral' error code when binding to a referral object
bye,
Sumit
13 years, 10 months
[PATCH] Force offline operation with SIGUSR1
by Stephen Gallagher
If the monitor receives SIGUSR1, it will instruct all providers to
enter offline operation. If any individual provider receives
SIGUSR1, it alone will enter offline operation.
13 years, 10 months
[PATCH] Rename PAM_USER_INFO to PAM_SYSTEM_INFO
by Sumit Bose
Hi,
this patch just renames PAM_USER_INFO to PAM_SYSTEM_INFO. Currently
PAM_USER_INFO is only used to send messages which are written to syslog
by the PAM client. It is planned to add new messages which will be
displayed to the user, e.g. if offline authentication was used. To avoid
confusion I think this name change makes sense.
bye,
Sumit
13 years, 10 months