more terminology questions
by David O'Brien
This time I'm wrestling with "native LDAP" vs any other sort of LDAP,
and where does MS Active Directory fit in?
afaik "native LDAP" just means LDAP provides the identities and does the
authentication. If I'm using OpenLDAP or 389 that's easy enough. Switch
to IPA and Kerberos does the auth (= not native LDAP, right?). What if
I'm using MS Active Directory? Does that or can that do both? Does it
provide identities and rely on Kerberos for auth? Should I not be using
"native LDAP" at all to avoid confusion?
"native" also comes up in the bug report* in relation to Kerberos:
"Should provide an example of using the proxy identity provider in
concert with the native Kerberos authentication." What's "native Kerberos"?
That's probably enough for now. Remind me why I gave up coffee...?
*https://bugzilla.redhat.com/show_bug.cgi?id=601870
--
David
"We couldn't care less about comfort. We make you feel good."
Federico Minoli CEO Ducati Motor S.p.A.
13 years, 10 months
last word on min_id default?
by David O'Brien
The src/examples/sssd.conf file still has min_id = 1000 in the Active
Directory example.
Is this by design or accident?
--
David O'Brien
Senior Technical Writer, Engineering Content Services
Red Hat Asia Pacific Pty Ltd
193 North Quay, Brisbane
"We couldn't care less about comfort. We make you feel good."
Federico Minoli CEO Ducati Motor S.p.A.
13 years, 10 months
[PATCHES] Bugfixes for the negative cache
by Stephen Gallagher
Patch 0001: Ensure that all domains are checked for users/groups
There was a bug in the negative cache checks (probably a leftover
from when filter_users was global-only) that meant that if a user
was filtered out of a domain, the remaining domains would not be
checked for that user. (Same for groups/initgroups)
Patch 0002: Refactor the negative cache
Rename functions from nss_ncache_* to sss_ncache_*
Move negative cache to responder/common and rename as negcache.c/h
Patch 0003: Move setup of filter_users and filter_groups to negcache.c
Creates a new function - sss_ncache_prepopulate() - that can be
shared with other responders, such as PAM.
Patch 0004: Honor filter_users in PAM.
Previously, while the user was filtered out of NSS, we were still trying
to authenticate against the user in PAM.
See https://bugzilla.redhat.com/show_bug.cgi?id=596295 for more details.
(Tested and verified that these patches fix that issue)
--
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
13 years, 10 months
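The behaviours described in patches 0001 and 0004 above, as an added example that is not SSSD's code and not part of the original message. It is a simplified model in which each domain carries its own filter list; the struct, the function names and the sample domains are all hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not SSSD's data structures; every name here is hypothetical. */
struct domain {
    const char *name;
    const char *filtered[4]; /* negative-cache entries (filter_users), NULL-terminated */
    const char *users[4];    /* users the backend knows, NULL-terminated */
};
/* Constructed sample: alice is filtered in LOCAL only, root is filtered in LDAP. */
static const struct domain sample_domains[2] = {
    { "LOCAL", { "alice", NULL }, { "bob", NULL } },
    { "LDAP",  { "root", NULL },  { "alice", "root", NULL } },
};
static bool in_list(const char *const *list, const char *name) {
    for (; *list != NULL; list++)
        if (strcmp(*list, name) == 0) return true;
    return false;
}

/* Bug as described: a negative-cache hit in one domain ends the whole search. */
const char *lookup_buggy(const struct domain *d, size_t n, const char *user) {
    for (size_t i = 0; i < n; i++) {
        if (in_list(d[i].filtered, user)) return NULL;
        if (in_list(d[i].users, user)) return d[i].name;
    }
    return NULL;
}

/* Fix: skip only the domain that filters the user and keep checking the rest. */
const char *lookup_fixed(const struct domain *d, size_t n, const char *user) {
    for (size_t i = 0; i < n; i++) {
        if (in_list(d[i].filtered, user)) continue;
        if (in_list(d[i].users, user)) return d[i].name;
    }
    return NULL;
}

/* PAM side: start authentication only if some domain still resolves the user. */
bool pam_may_authenticate(const struct domain *d, size_t n, const char *user) {
    return lookup_fixed(d, n, user) != NULL;
}

int main(void) {
    const char *f = lookup_fixed(sample_domains, 2, "alice");
    printf("alice resolves in: %s\n", f ? f : "(none)");
    return pam_may_authenticate(sample_domains, 2, "root") ? 1 : 0;
}
```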
[PATCHES] Bugfixes for the negative cache (sssd-1-2)
by Stephen Gallagher
Patch 0001: Refactor the negative cache
Rename functions from nss_ncache_* to sss_ncache_*
Move negative cache to responder/common and rename as negcache.c/h
Patch 0002: Move setup of filter_users and filter_groups to negcache.c
Creates a new function - sss_ncache_prepopulate() - that can be
shared with other responders, such as PAM.
Patch 0003: Honor filter_users in PAM.
Previously, while the user was filtered out of NSS, we were still trying
to authenticate against the user in PAM.
See https://bugzilla.redhat.com/show_bug.cgi?id=596295 for more details.
(Tested and verified that these patches fix that issue)
Differences from the version submitted to the master branch:
Patch 0001: Not needed in sssd-1-2. There was a regression in the master
branch that this patch fixed.
Patch 0002: Rewritten, because the merge was overly-complicated. (Most
of this patch is just a s/nss_ncache/sss_ncache/g)
Patch 0003: Applied cleanly
Patch 0004: Trivial merge was clean.
--
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
13 years, 10 months
missing patch for sssd.conf?
by David O'Brien
I'm running SSSD and IPA on F12.
I have the following SSSD versions installed:
[root@ipaserver ~]# rpm -qa | grep sss
sssd-1.2.0-0.2010061620git6a7b745.fc12.i686
sssd-client-1.2.0-0.2010061620git6a7b745.fc12.i686
In the installed /etc/sssd/sssd.conf file there exists the following typo:
# Add new domains condifgurations as [domain/<NAME>] sections.
In the src/examples/sssd.conf file in the repo, this exists as:
# Add new domain configurations as [domain/<NAME>] sections,
There are several other changes that don't appear. I'm using the
following SSSD repo; is it no longer valid?
http://jdennis.fedorapeople.org/sssd12/fedora/$releasever/$basearch/os/
thanks
--
David O'Brien
Senior Technical Writer, Engineering Content Services
Red Hat Asia Pacific Pty Ltd
193 North Quay, Brisbane
"We couldn't care less about comfort. We make you feel good."
Federico Minoli CEO Ducati Motor S.p.A.
13 years, 10 months