[PATCHES] Initgroups support for RFC2307bis nested groups (master)
by Stephen Gallagher
Patch 0001: Modify sysdb_[add|remove]_group_member to accept users and
groups
Previously, it assumed that all members were users. This changes
the interface so that either a user or a group can be specified.
Also, it eliminates the need for a memory context to be passed,
since the internal memory should be self-contained.
Patch 0002: Add proper nested initgroup support for RFC2307bis servers
Both of these patches are forward-ported from SSSD 1.2.4 (adjusting for
sysdb changes).
--
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
12 years, 11 months
[PATCH] Documentation update
by Jan Zelený
I'm sending patch removing all references to ldap_user_search_base,
ldap_group_search_base and ldap_netgroup_search_base as discussed on the
meeting.
The ticket #607 suggests putting them into the Advanced config options section, but
there is no such section, so I removed them altogether.
In the ticket, it is also stated that Fedora deployment guide has been updated
accordingly, but I found references to this option:
http://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/Deployment_Guide/chap-SSSD_User_Guide-Configuring_Domains.html
http://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/Deployment_Guide/sect-SSSD_User_Guide-Configuring_Domains-Setting_up_Kerberos_Authentication.html
http://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/Deployment_Guide/sect-SSSD_User_Guide-SSSD_Example_Configuration_Files-SSSD_Configuration_File_Format.html
I've already sent an email to David asking him to take care of this. I'll
search our wiki for references to these options during the weekend.
Jan
12 years, 11 months
[PATCHES] Handle nested groups in RFC2307bis (master)
by Stephen Gallagher
These patches are forward-ported from the work done in SSSD 1.2.4.
Patch 0001: Add options for managing nested group limits.
Patch 0002: Shortcut out of sdap_save_users() if there are no users to
save, rather than starting a useless LDB transaction.
Patch 0003: Handle nested groups in RFC2307bis
Like SSSD 1.2.4, these patches only handle the generic case of
RFC2307bis and do not perform any of the optimizations available when
memberOf support is available.
--
Stephen Gallagher
12 years, 11 months
[PATCH] Use unsigned long for conversion to id_t
by Jakub Hrozek
We used strtol() in a number of places to convert into uid_t or gid_t
from a string representation such as LDAP attribute, but on some
platforms, unsigned long might be necessary to store big id_t values.
This patch converts to using strtoul() instead.
Fixes: #650
12 years, 11 months
[PATCH] Save dummy groups to cache during initgroups (master)
by Jakub Hrozek
[PATCH 1/2] sysdb interface for adding fake groups
Adds a sysdb_add_fake_group() call that adds an expired group entry.
Also tweaks the NSS code a little so the fake group entries that are
invalid are skipped. This is not how we use the fake groups in patch #2
as we also store the gid, but I think it's worth making sure we don't
return fake groups now that we have a mechanism to add them.
[PATCH 2/2] Save dummy groups to cache during initgroups
When performing initgroups/getgrouplist on RFC2307, add fake group
entries for those groups that are not cached already. That way, complete
group membership is returned without saving complete group objects.
These two patches apply to master only, but I have a 1.2 counterpart -
currently only in my fedorapeople repo - I can resend them when/if these
are approved, as these read much more easily, so I think it makes sense to
review them first.
12 years, 11 months
[PATCH 2/2] Save dummy member users during RFC2307 getgr{nam, uid} (master)
by Jakub Hrozek
Hi,
these two patches add the same functionality we have in the 1.2 branch
into master. I think they read much better b/c of the synchronous sysdb
interface. Both must be applied on top of Ralf's patches in the
"Behaviour of getgrnam/getgrgid" thread.
Jakub
12 years, 11 months
[PATCH] Check for GSSAPI before attempting to kinit
by Jakub Hrozek
I forgot to squash in one more patch for the kdcinfo patchset. We need
to init the GSSAPI service when both SDAP_KRB5_KINIT is true and
SDAP_SASL_MECH is set to GSSAPI.
12 years, 11 months
[PATCHES] Two build-system fixes
by Stephen Gallagher
Patch 0001: Rename upgrade_config.py and build it properly
Previously, we were just copying the script into the libexec dir
during installation. However, this causes problems for packaging
multilib on several distributions.
https://fedorahosted.org/sssd/ticket/641
Patch 0002: Assorted specfile changes
Several problems with the specfile were fixed in the SSSD release
in certain RPM-based distributions. This patch pulls them into the
example specfile.
--
Stephen Gallagher
12 years, 11 months
[PATCH] Create kdcinfo files for the LDAP provider
by Jakub Hrozek
This series of patches implements creation of kdcinfo files when GSSAPI
is used with the pure LDAP provider.
[PATCH 1/4] Add KDC to the list of LDAP options
A simple patch that adds a way to specify the KDC
[PATCH 2/4] Report Kerberos error code from ldap_child_get_tgt_sync
While looking at the ldap_child code, I noticed that the call to
ldap_child_get_tgt_sync should return the Kerberos specific error code
rather than errno.
[PATCH 3/4] Make ldap_child report kerberos return code to parent
The buffer used to communicate between parent and child now contains a
new parameter which is the Kerberos error code. An example of use of
this is detecting that KDC was unreachable in the following patch.
[PATCH 4/4] Initialize kerberos service for GSSAPI
I'm not very fond of patch #4 myself - the reason is that, as far as I
remember, the sdap_ modules were meant to be a rather thin wrapper to
provide an "async set of LDAP calls"; the provider and backend-specific
calls belong one level up, to the ldap_ modules. However, in order to
support failover during sdap_kinit_, I used the be_resolve_ family of
functions there, which looks like it breaks the abstraction level quite a
bit. If there are any suggestions on how to accomplish the kinit with
failover better, I'll be glad to hear them.
12 years, 11 months
[PATCHES] Netgroup support for LDAP provider
by Sumit Bose
Hi,
this series of patches continues the work Stephen has started in
"[PATCHES] Support for netgroups in the NSS client and responder".
We decided to try to be as compatible with nss_ldap as possible, i.e. we
do not do any group unrolling or loop detection inside of sssd, but rely on
glibc. To achieve this I added support to return netgroup member groups
to the client and glibc. This is mostly done in 0003 and 0006. 0007 and
0008 add the necessary support to the LDAP provider.
There is one difference to nss_ldap. If a netgroup member is not
specified by a plain name but by a DN nss_ldap just returns the DN
string to glibc and then glibc searches for a netgroup where the name is
the returned DN. Even nss_ldap cannot find a matching netgroup for this
name. If sssd detects a DN in the member list it tries to translate it
to the corresponding name of the netgroup. If this fails it will return
the full DN.
The patches 0001 and 0002 fix two errors in Stephen's patches.
bye,
Sumit
12 years, 11 months