[PATCH] Check for controls before using them
by Simo Sorce
Some time ago I added code to fetch the rootdse on connection, but
didn't publicize it too much.
Attached find 2 patches.
1) Rework the way we store data fetched from the rootdse so that it is
more useful and is actually attached to the ldap handle.
2) Check controls are supported before using them.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
13 years, 2 months
[PATCH] Make sss_userdel check for logged in users
by Jakub Hrozek
sss_userdel now refuses to delete users who are logged in unless --force
is used.
Fixes: #229
13 years, 7 months
[PATCH] Use SO_PEERCRED on the PAM socket
by Sumit Bose
Hi,
please find attached my second attempt to exchange uid, gid and pid
between PAM client and responder. This new approach does not require
any communication between the client and the responder and should behave
much better than the previous one based on SO_PASSCRED and
SCM_CREDENTIALS.
To make the review easier the first patch reverts the previous attempt.
bye,
Sumit
13 years, 8 months
Re: [SSSD] Patch to fix LDAP ID backend GSSAPI credential expired messages
by Eugene Indenbom
Hi Simon,
I have to admit that the patch is really quite big and, actually, it
has by far exceeded size and time limits I would normally apply to
patches to third party components.
The patch can be theoretically split into 3 parts:
1. Changes to ldap_child related to returned ticket expiration date;
2. Changes to failover subsystem needed to return number of servers
registered for failover;
3. Changes to LDAP ID backend connection and retry logic.
As you can see, the first two items are really small and absolutely
pointless without the last.
The reason why the changes to LDAP ID backend connection and retry
logic must go together is very simple: old logic relies on the gsh member
of sdap_id_ctx, while in new logic there is no such member.
The reason why gsh needs to go away is as follows:
1. gsh enforces that there will be one and only one connection to DS;
2. When connection is about to expire we can not use it for new
request as it will expire halfway;
3. But at the same time the connection could still be busy with a previous request;
4. Therefore we have to make a new connection and close old one as
soon as requests using it are finished.
> The goal of SSSD is to never use more than one connection at a time for
> account information. So your patch is kind of changing our fundamental
> goal by allowing multiple connections. We need to carefully evaluate
> that part.
As I have explained above, the only time we have more than one
connection to DS is when the old connection is about to expire and we need
to open a new one. So when ticket lifetime is long enough (as it is in
normal Kerberos configuration) there will be no more than 2
connections open.
> I see you started passing around sdap_id_op. The memory hierarchy
> around sdap_is_op is very delicate and required a lot of very careful
> handling to avoid having it disappear under our feet at the wrong time.
> It is meant to represent a single ldap operation tied to a specific ldap
> context, any changes to its use should be in a separate patch that I
> want to review carefully. But ideally sdap_id_op is opaque to most of
> the code and is internal to the processing of replies from the openldap
> libraries. It should never be used out of this context.
I agree that both sdap_id_op and sdap_id_connection are opaque types.
You can move the definitions to ldap_common.c from headers. Moreover,
even the declaration of sdap_id_connection can be visible only to
ldap_common.c.
I was not really sure what coding style is used in the project. There are
files coded quite differently from each other.
On the other hand I do not see why you find handling of these
structures delicate:
1. sdap_id_op is owned by operation state (e.g. by global_enum_state).
So it will be automatically destroyed as operation (tevent request) is
completed
2. sdap_id_connection is owned by sdap_id_ctx and logic of its
life-cycle boils down to single method - sdap_id_release_connection.
Connection is released when:
a) There is no operation using it
b) It is not cached
c) It is not in connection notify loop (notify_lock == 0)
I hope I have explained why changes were made the way they have been done.
I really do not see a way to split the patch and would appreciate very
much if you give me some advice on how to make it more readable and
easier to understand.
If you have any ideas on how to split the patch, I am ready to discuss
them and implement if needed.
Regards, Eugene
13 years, 8 months
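The connection life-cycle Eugene lays out (released only when no operation uses it, it is not cached, and the notify loop is not iterating over it), as an added example that is not the patch's code or SSSD's: the structure, function names (`conn_release`, `conn_op_end`, `conn_uncache`, `conn_notify_end`) and the two scenario functions are this example's own. `expiry_scenario` walks the expiring-ticket case where an old connection is dropped from the cache while still serving a request; `max_open_during_rotation` shows that replacing the old connection leaves at most two open at once.

```c
#include <stdio.h>

/* Hypothetical connection object modelled on the three release conditions. */
struct conn {
    int in_use;       /* number of operations currently using it */
    int cached;       /* kept for reuse while the ticket is still good */
    int notify_lock;  /* >0 while the notify loop walks this connection */
    int closed;       /* set once the connection was actually torn down */
};

/* Number of connections currently open (stands in for the real handles). */
static int open_connections = 0;

static void conn_open(struct conn *c, int cached)
{
    c->in_use = 0;
    c->cached = cached;
    c->notify_lock = 0;
    c->closed = 0;
    open_connections++;
}

/* Tear the connection down only when nothing can still reach it.
 * Returns 1 if it was closed, 0 if some holder remains. */
static int conn_release(struct conn *c)
{
    if (c->in_use > 0 || c->cached || c->notify_lock > 0) {
        return 0;
    }
    if (!c->closed) {
        c->closed = 1;            /* real code would unbind and free here */
        open_connections--;
    }
    return 1;
}

static void conn_op_begin(struct conn *c) { c->in_use++; }

/* Every path that drops a holder funnels into conn_release(). */
static int conn_op_end(struct conn *c)
{
    if (c->in_use > 0) c->in_use--;
    return conn_release(c);
}
static int conn_uncache(struct conn *c)
{
    c->cached = 0;
    return conn_release(c);
}
static void conn_notify_begin(struct conn *c) { c->notify_lock++; }
static int conn_notify_end(struct conn *c)
{
    if (c->notify_lock > 0) c->notify_lock--;
    return conn_release(c);
}

/* Old connection still serving a request when its ticket is about to expire.
 * Returns the step at which it was finally closed (expected 3), or 0 if it
 * was closed too early (use-after-free territory) or never. */
int expiry_scenario(void)
{
    struct conn old;
    conn_open(&old, 1);
    conn_op_begin(&old);                    /* request in flight */
    if (conn_uncache(&old)) return 0;       /* step 1: replaced, still busy */
    conn_notify_begin(&old);
    if (conn_op_end(&old)) return 0;        /* step 2: done, but in notify loop */
    if (!conn_notify_end(&old)) return 0;   /* step 3: last holder gone */
    return old.closed ? 3 : 0;
}

/* Rotation: open the replacement while the old one is still busy, then let
 * the old one finish. Returns the peak number of simultaneously open
 * connections (expected 2). */
int max_open_during_rotation(void)
{
    struct conn old, fresh;
    int peak;
    open_connections = 0;
    conn_open(&old, 1);
    conn_op_begin(&old);
    conn_uncache(&old);                     /* new requests go elsewhere */
    conn_open(&fresh, 1);                   /* replacement connection */
    peak = open_connections;
    conn_op_end(&old);                      /* old one closes itself */
    conn_uncache(&fresh);
    return peak;
}

int main(void)
{
    printf("closed at step %d, peak open %d\n",
           expiry_scenario(), max_open_during_rotation());
    return 0;
}
```

Because every holder release goes through the same `conn_release()`, the order in which the request completes, the cache entry is dropped and the notify loop finishes does not matter; the connection is closed exactly once, on the last of them.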
SELinux login management
by Jakub Hrozek
Adds a new option -Z to sss_useradd and sss_usermod. This option allows
user to specify the SELinux login context for the user. On deleting the
user with sss_userdel, the login mapping is deleted, so subsequent
adding of the same user would result in the default login context unless
-Z is specified again.
MLS security is not supported as of this patch.
Also adds explicit build dependency on libselinux-devel - it is dragged
in by krb5-devel currently, but I think the dependency should be listed
since we directly use functions from libselinux to set homedir contexts.
Addresses: #230
13 years, 8 months
[PATCH] Add userdel_cmd param
by Jakub Hrozek
Fixes: #229
13 years, 8 months
#425
by Dmitri Pal
Hi,
If we want to fix #425 as proposed, should we fix #56 first, or is there
no need to do this and the password file should be edited manually?
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.
13 years, 8 months
[PATCHES] Do not revert options to defaults in SSSDConfig.get_domain()
by Stephen Gallagher
Patch 0001: Add regression test to demonstrate the issue.
Patch 0002: There was a faulty check in get_domain() that led to the
*_provider options being re-added, sometimes after options related
to them had already been set. If those options had a default
value, they would be overwritten by the default.
Fixes: https://fedorahosted.org/sssd/ticket/441
This is a critical fix for 1.1.1, as it relates to authconfig in F13.
--
Stephen Gallagher
RHCE 804006346421761
13 years, 8 months