[PATCHES] Syslog patches for the SSSD
by Stephen Gallagher
This patch replaces the patches in the threads "Log TLS errors to
syslog" and "Add syslog messages for LDAP GSSAPI bind"
Patch 0001: Add sss_log() function
Right now, this log function writes to the syslog. In the future,
it could be modified to work with ELAPI or another logging API.
Patch 0002: Add log notifications for startup and shutdown.
Patch 0003: Add syslog messages for LDAP GSSAPI bind
We will now emit a level 0 debug message on keytab errors, and
also write to the syslog (LOG_DAEMON).
Patch 0004: Log TLS errors to syslog
Also adds support for detecting LDAPS errors by adding a check for
SDAP_DIAGNOSTIC_MESSAGE after ldap_search_ext().
These patches address https://bugzilla.redhat.com/show_bug.cgi?id=591715
--
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
Announcing SSSD 1.2.91 (release candidate for SSSD 1.3.0)
by Stephen Gallagher
The SSSD team is proud to announce the release of the System Security
Services Daemon, version 1.2.91. Please give it a spin and report any
bugs you find!
As always, SSSD 1.2.91 is available for download at
https://fedorahosted.org/sssd
== Highlights ==
* Rewrote the internal LDB cache API. As a synchronous API it is now
faster to access and easier to work with
* Eugene Indenbom contributed a sizeable amount of code to the LDAP
provider
* We now handle failover situations much more reliably than we did
previously
* If a request fails partway through (due to a remote server ceasing
to function) we will now restart the conversation with the next server
in the failover list
* We also will now monitor the GSSAPI kerberos ticket and
automatically renew it when appropriate, instead of waiting for a
connection to fail
* Support for netlink now allows us to more quickly detect situations
where we may have come online
* New option {{{dns_discovery_domain}}} allows better configuration for
using SRV records for failover
== Detailed Changelog ==
Alexander Gordeev (1):
* Add explicit requests for several operational attrs
David O'Brien (1):
* Copy-edit and format review sssd.conf
Dmitri Pal (16):
* Adding metadata interface
* Adding content to the metadata
* Resolve paths for reporting purposes
* Access control and config change checks
* Add ability to trace 64bit numbers
* Fixing spec file to match version.
* Fixing build
* Code restructuring
* Extending refarray interface
* Introducing a comment object
* Adding support for explicit 32/64 types (attempt 2).
* Addressing initialization issues.
* Fixing types in queue and stack interfaces
* Fixing memory leaks in the unit test.
* Fixing NULL dereferencing in ini_config
* Memory leak in case of empty value
Héctor Daniel Cabrera (1):
* Updating ES translation
Jakub Hrozek (32):
* Treat server names as case-insensitive in failover code
* Do not mark a request as failed twice
* Sort SRV replies according to RFC 2782
* Remove freed server_common entities from list
* Support SRV servers in failover
* Silence warnings with -O2
* Fix uninitialized variable
* Add a README file
* Use all available servers in LDAP provider
* Improve the offline authentication message
* Fix memory hierarchy in the ipa timerules
* Use service discovery in backends
* SSSDConfigAPI fixes
* Try all servers during Kerberos auth
* Remove dead code from the PAM responder
* Man page fixes
* Don't return uninitialized value in proxy provider
* Skip empty attributes with warning
* Fix realm_str dereference
* Fix potential NULL dereference in fail_over.c
* Fix Incorrect NULL check in get_server_common()
* Add missing break to switch statement
* get_uid_from_pid should use fstat rather than lstat
* Remove krb5_changepw_principal option
* Remove the -g option from useradd
* Fix potential resource leak in copy_tree_ctx()
* Potential memory leak in _nss_sss_*_r()
* Check closedir call in find_uid
* Print correct return code
* Resend SIGINT as SIGTERM in services
* Add dns_discovery_domain option
* Use netlink to detect going online
Petter Reinholdtsen (2):
* Allow Debian/Ubuntu build to pass --install-layout=deb to setup.py
* Remove bash-isms from configure macros
Piotr Drąg (1):
* Update Polish translation
Rui Gouveia (2):
* Updating pt translation
* Update pt translation
Simo Sorce (45):
* sysdb: start conversion from async to sync
* sysdb: use sysdb_delete_entry in recursive delete
* sysdb: convert sysdb_delete_custom
* sysdb: convert sysdb_search_entry and sysdb_delete_recursive
* sysdb: convert sysdb_search_user_by_name/uid
* sysdb: convert sysdb_search_group_by_name/gid
* sysdb: convert sysdb_set_entry/user/group_attr
* sysdb: convert sysdb_get_new_id
* sysdb: convert sysdb_store/add(_basic)_user
* sysdb: convert sysdb_store/add(_basic)_group
* sysdb: convert sysdb_mod/add/remove_group_member
* sysdb: convert sysdb_cache_password
* sysdb: convert sysdb_search_custom
* sysdb: convert sysdb_store_custom
* sysdb: convert sysdb_asq_search
* sysdb remove sldb_request_send, not used anymore
* sysdb: convert sysdb_search_users
* sysdb: convert sysdb_delete_user
* sysdb: delete sysdb_delete_group
* sysdb: convert sysdb_search_groups
* sysdb: convert sysdb_cache_auth
* sysdb: remove sysdb_check_handle
* tests: remove use of asynchronous transactions
* sysdb: add synchronous transaction functions
* proxy: complete conversion to synchronous sysdb
* Use the sysdb synchronous transaction functions
* Remove remaining use of sysdb_transaction_send
* sysdb: remove async transactions
* sysdb: add automatic transactions where needed
* sysdb: convert sysdb_getpwnam
* sysdb: convert sysdb_getpwuid
* sysdb: convert sysdb_getgrnam
* sysdb: convert sysdb_getgrgid
* sysdb: convert sysdb_get_user_attr
* sysdb: convert sysdb_enumpwent
* sysdb: convert sysdb_enumgrent
* Adjust fill_pwent and fill_grent
* sysdb: convert sysdb_initgroups
* sysdb: remove obsolete helpers from sysdb
* sysdb: remove remaining traces of sysdb_handle
* sysdb: Finally stop using a common event context
* Make groupshow synchronous.
* tools: remove creation of event_context
* Better handle sdap_handle memory from callers.
* Avoid freeing sdap_handle too early
Stephen Gallagher (68):
* Support docdir and abs_builddir
* sysdb: convert sysdb_delete_entry
* Bumping version on master to 1.2.90
* Update translations for master branch
* Fix merge error for sss_userdel.c
* Remove unused configure macro
* Fix warning in sysdb-tests.c
* Fix ini_config unit test
* Give information about ldap_schema in the sample config
* Make ID provider init functions clearer
* Remove the NSS_LIBS and KRB5_LIBS variables from sssd.spec
* Add dns_resolver_timeout option
* Fix segfault in GSSAPI reconnect code
* Make krb5_kpasswd available for any krb5 provider
* Clean up kdcinfo and kpasswdinfo files when exiting
* Add callback when the ID provider switches from offline to online
* Add dynamic DNS updates to FreeIPA
* Revert "Add dynamic DNS updates to FreeIPA"
* Properly set up SIGCHLD handlers
* Add dynamic DNS updates to FreeIPA
* Don't report a fatal error for an HBAC denial
* Add a better error message for TLS failures
* Add enumerate details to the manpage and examples
* Revert "Copy pam data from DBus message"
* Display name of PAM action in pam_print_data()
* Make data provider id_callback public
* Fix error reporting for be_pam_handler
* Proxy provider PAM handling in child process
* Support password changes in chpass_provider = proxy
* Add ldap_access_filter option
* Fix typo in Makefile
* Fix broken build against older versions of OpenLDAP
* Fix typo in Makefile.am
* Disable connection callbacks when going online
* Change default min_id to 1
* Allow ldap_access_filter values wrapped in parentheses
* Properly handle read() and write() throughout the SSSD
* Fix misuse of errno in find_uid.c
* Avoid potential NULL dereference
* Properly handle missing originalMemberOf entry in initgroups
* Don't leak directory access resources on errors in directory_list()
* Check the correct variable for NULL after creating timer
* Properly check that the timeout event was created for cleanup/enum
* Check return code of hash_delete in proxy_child_destructor
* Eliminate unused variable from pc_init_timeout()
* Make sure to close varargs before returning from a function
* Properly null-terminate socket path
* Add ldap_force_upper_case_realm to example AD config
* Don't segfault if ldap_access_filter is unspecified
* Handle (ignore) unknown options in get_domain() and get_service()
* Remove references to the DP service from the SSSDConfig API tests
* Standardize on correct spelling of "principal" for krb5
* Initialize len before looping to read the pidfile
* Ensure that all domains are checked for users/groups
* Refactor the negative cache
* Move setup of filter_users and filter_groups to negcache.c
* Honor filter_users in PAM
* Fix potential resource leak in remove_tree_with_ctx()
* Fix return value from remove_connection_callback() destructor
* Protect against segfault in remove_ldap_connection_callbacks
* Drop release requirement from versions
* Bump libini_config version to 0.6.0
* Replace %define with %global in example spec
* Make RootDSE optional
* Rename proxy_ctx to proxy_id_ctx for clarity
* Split proxy.c into smaller files
* Add try_inotify option
* Release SSSD 1.2.91 (1.3.0rc1)
Sumit Bose (50):
* Revert "Add better checks on PAM socket"
* Use SO_PEERCRED on the PAM socket
* Set LDAP_OPT_RESTART for all LDAP connections
* Fix a potential memory violation
* Make the handling of fd events opaque
* Unset authentication tokens if password change fails
* Display a message if a password reset by root fails
* Fix wrong return value
* Fix a wrong return value in IPA HBAC
* Split pam_data utilities into a separate file
* Create kdcinfo and kpasswdinfo file at startup
* Compare the full service name
* Add retry option to pam_sss
* Add more warnings about nearly expired passwords
* Make Kerberos authentication a tevent_req
* New version of IPA auth and password migration
* Add ldap_krb5_ticket_lifetime option
* Defer sbus_dispatch() for 30ms during reconnect
* Copy pam data from DBus message
* Do not modify IPA_DOMAIN when setting Kerberos realm
* Handle Krb5 password expiration warning
* Add support for delayed kinit if offline
* Fix handling of ccache file when going offline
* Move parse_args() to util
* Copy pam data from DBus message
* Revert "Create kdcinfo and kpasswdinfo file at startup"
* Refactor data provider callbacks
* Add offline callbacks
* Refactor krb5_finalize()
* Add run_callbacks flag
* Add callback to remove krb5 info files when going offline
* Krb5 locator plugin returns KRB5_PLUGIN_NO_HANDLE
* Refactor krb5 SIGTERM handler installation
* Add krb5 SIGTERM handler to ipa auth provider
* Add offline callback to disconnect global SDAP handle
* Reset run_online_cb flag even if there are no callbacks
* Fix check if LDAP id provider is already initialized
* Remove signal event if child was terminated by a signal
* Check ipaEnabledFlag
* Add sysdb_attrs_get_string_array()
* Use sysdb_attrs_get_string_array() instead of sysdb_attrs_get_el()
* Use new schema for HBAC service checks
* Remove service groups
* Compare full service name
* Unify sdap and sysdb data handling
* Initialize pam_data in Kerberos child.
* Avoid a potential double-free
* Add a missing initializer
* Add a missing free()
* Fix SASL authentication
Yuri Chornoivan (1):
* Update Ukrainian translation
eindenbom (14):
* Avoid accessing half-deallocated memory when using talloc_zfree macro.
* GSSAPI ticket expiry time is returned from ldap_child and stored in
sdap_handle for future reference.
* Added an interface to query number of configured (and currently
resolved through SRV records) failover servers.
* LDAP connection usage tracking, sharing and failover retry framework.
* Add an interface to try next fail-over server after connection to the
active server was unexpectedly dropped.
* Use new LDAP connection framework to get user account info from LDAP.
* Use new LDAP connection framework to get group account info from LDAP.
* Use new LDAP connection framework to get user account groups from LDAP.
* Use new LDAP connection framework for LDAP user and group enumeration.
* Use new LDAP connection framework in LDAP access backend.
* Use new LDAP connection framework in IPA access backend.
* Use new LDAP connection framework in IPA dynamic DNS forwarder.
* Remove remainder of now unused global LDAP connection handle.
* Eliminate delayed sdap_handle destruction after fail-over retry.
Eliminate delayed sdap_handle destruction after fail-over retry.
by Eugene Indenbom
The patch attached addresses the following issue:
Prerequisites:
1. One or more fail-over server is configured;
2. The first server to try can be resolved but LDAP service is down;
3. There is at least one operational LDAP server configured;
Synopsis:
1. sdap_async_connection.c tries to connect to the first resolved host and
creates an sdap_handle;
2. After the connection to the dead LDAP service fails, it tries the next
server in the fail-over sequence;
3. The sdap_handle from step 1 is leaked and is destroyed only when all
connection retries fail or a connection is established;
4. The sdap_handle from step 1 may have open file descriptors.
Fix:
The patch attached makes sure that the sdap_handle from a failed connection
attempt is destroyed before the next connection attempt is started.
Eugene Indenbom
[PATCH] Use netlink to detect going online v2
by Jakub Hrozek
Hi,
This is v2 of my previous patch to add libnl support to SSSD, just
sent from a different account as I am roaming right now and don't have
access to my usual mail account. It should address Stephen's comments:
> sssd.spec.in needs to have a BuildRequires added for libnl-devel
Fixed
> setup_netlink() should set *_nlctx = NULL when HAVE_LIBNL is not defined.
Fixed
> I don't like having both HAVE_LIBNL_OLDER_THAN_1_1 and
> HAVE_LIBNL_AT_LEAST_1_1 defined. Please pick one and stick with it.
Only OLDER_THAN in the current code.
> Furthermore, if possible I'd rather you base this decision on the
> existence of the nl_socket_get_fd(), nl_set_passcred(),
> nl_socket_add_membership() and nl_socket_modify_cb() functions, rather
> than relying on pkgconfig reporting a version number correctly.
nl_socket_get_fd() is now used to detect pre-1.1 API, the other
functions with completely different semantics are checked for
individually and have their own HAVE_NL_FOOFUNCTION define.
Jakub
LDAP connection tracking, sharing and fail-over retry framework
by Eugene Indenbom
The patches attached provide a framework for LDAP connection tracking,
sharing and fail-over retries in LDAP ID backend, which is designed to
address the tickets #468, 464, 465 and 466.
The patches are structured as follows:
0001-GSSAPI-ticket-expiry-time-is-returned-from-ldap_chil.patch
A small utility patch saving GSSAPI ticket expiry time in
sdap_handle for future use.
0002-Added-an-interface-to-query-number-of-configured-and.patch
Another utility patch that allows the number of fail-over servers
(including those resolved through SRV records) to be determined dynamically
0003-LDAP-connection-usage-tracking-sharing-and-failover-.patch
The main patch -- LDAP connection tracking, sharing and
fail-over retry framework
0004-Use-new-LDAP-connection-framework-to-get-user-accoun.patch
Sample usage of the new LDAP connection framework for user
account information request
The key object of the framework is sdap_id_op object. It keeps
per-request data required for:
- LDAP connection usage tracking and sharing
- Fail-over retry logic
The typical lifespan of an sdap_id_op object equals the lifespan of the LDAP
ID backend request. The usage pattern is as follows:
1. At the beginning of request execution an sdap_id_op is created
with the sdap_id_op_create method
2. When an LDAP connection is needed, sdap_id_op_connect is called,
which obtains the LDAP connection (from the cache, or establishes a new one)
and locks the obtained connection for use
3. The LDAP query is executed using the connection obtained
4. When the query completes (succeeds or fails), sdap_id_op_done is
called to mark the LDAP connection as no longer used by the backend
request. If the LDAP query has failed, sdap_id_op_done also translates the
error code into a data provider error and provides a recommendation for a
fail-over retry.
5. A fail-over retry continues from step 2.
6. When the backend request completes, the sdap_id_op is destroyed.
Another important object of the framework is sdap_id_conn_cache, which
implements LDAP connection caching and sharing logic. As the connection
caching logic is completely opaque to BE request code, it can be changed
or improved later on with minimal impact on the other code.
The connection caching logic proposed in this patch is very similar to
the approach implemented in SSSD 1.2:
- LDAP connection is established on the first request to LDAP server;
- Single LDAP connection is shared between all concurrently
executed requests;
- LDAP connection is removed from cache when its GSSAPI ticket is
about to expire and closed as soon as all BE requests using it (if any)
complete;
To summarize, this patch will allow us to address the following issues:
- To establish only one LDAP connection when 2 or more requests are
executed in parallel (ticket #464)
- To keep track of LDAP connection usage providing support
connection caching and expired (or otherwise unwanted) connection
disposal (ticket #468)
- Consistent fail-over retry handling: attempt a fail-over retry
also when master server goes down during LDAP query execution (ticket #465)
- To promptly close the LDAP connection when the GSSAPI ticket is about to
expire (ticket #466)
Please note that the patches are provided only as a material for
comments and discussion on solution architecture. I have only made sure
that they compile. I am completely open to suggestions and other
approaches on how to solve the above problems.
Eugene Indenbom
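The connection-sharing and fail-over retry pattern described in this message, together with the leaked-handle problem from the earlier "Eliminate delayed sdap_handle destruction after fail-over retry" message, as an added self-contained C model. This is illustration code written for this page, not SSSD's own: struct conn, conn_cache and id_op, the functions cache_evict(), id_op_connect(), id_op_done() and run_scenario(), the NSERVERS/TICKET_LIFETIME constants and the server_up table are hypothetical stand-ins for sdap_handle, sdap_id_conn_cache, sdap_id_op and the real fail-over list, and GSSAPI ticket expiry is a simulated clock.

```c
#include <stdbool.h>
#include <stdlib.h>
#define NSERVERS 3          /* constructed fail-over list: index = server */
#define TICKET_LIFETIME 100 /* simulated GSSAPI ticket lifetime, in ticks */
static bool server_up[NSERVERS]; /* which servers answer (set by the demo) */
static long clock_ticks;         /* simulated clock */

struct conn {               /* stand-in for sdap_handle */
    int server;             /* fail-over index it is bound to */
    int users;              /* requests currently holding it */
    long expire_at;         /* tick at which its ticket expires */
};
struct conn_cache {         /* stand-in for sdap_id_conn_cache */
    struct conn *shared;    /* the one connection shared by all requests */
    int connects, closes;   /* counters for the demo */
};
struct id_op {              /* stand-in for sdap_id_op */
    struct conn_cache *cache;
    struct conn *conn;      /* connection locked by this request, or NULL */
    int next_server;        /* where a fail-over retry continues */
};

/* Drop the cached connection: close it now if idle, otherwise the last
 * id_op_done() on it closes it (ticket #468). */
static void cache_evict(struct conn_cache *c)
{
    struct conn *conn = c->shared;
    if (conn == NULL) return;
    c->shared = NULL;
    if (conn->users == 0) { c->closes++; free(conn); }
}

/* Step 2: lock the cached connection, or walk the fail-over list. */
static int id_op_connect(struct id_op *op)
{
    struct conn_cache *c = op->cache;
    struct conn *conn = c->shared;
    /* ticket about to expire (#466): retire the cached connection first */
    if (conn && conn->expire_at <= clock_ticks) { cache_evict(c); conn = NULL; }
    if (conn == NULL) {
        int s = op->next_server;
        while (s < NSERVERS && !server_up[s]) s++; /* failed try keeps nothing */
        if (s >= NSERVERS) return -1;              /* fail-over list exhausted */
        if ((conn = calloc(1, sizeof(*conn))) == NULL) return -1;
        conn->server = s;
        conn->expire_at = clock_ticks + TICKET_LIFETIME;
        c->connects++;
        c->shared = conn;
    }
    conn->users++;
    op->conn = conn;
    op->next_server = conn->server + 1;
    return 0;
}

/* Step 4: unlock the connection; true means "retry on the next server". */
static bool id_op_done(struct id_op *op, bool query_failed)
{
    struct conn_cache *c = op->cache;
    struct conn *conn = op->conn;
    bool retry = false;
    if (conn == NULL) return false;
    op->conn = NULL;
    if (query_failed && !server_up[conn->server]) { /* died mid-query (#465) */
        if (c->shared == conn) c->shared = NULL;   /* evict, advise a retry */
        retry = op->next_server < NSERVERS;
    }
    if (--conn->users == 0 && c->shared != conn) { c->closes++; free(conn); }
    return retry;
}

struct stats { int connects, closes, retries, failures; };
/* Two parallel requests, a server dying mid-query, then a ticket expiry. */
static struct stats run_scenario(void)
{
    struct stats st = {0, 0, 0, 0};
    struct conn_cache cache = {NULL, 0, 0};
    struct id_op a = {&cache, NULL, 0}, b = {&cache, NULL, 0};
    clock_ticks = 0;
    server_up[0] = false; server_up[1] = true; server_up[2] = true;
    /* ticket #464: both requests end up on the same connection */
    if (id_op_connect(&a) != 0 || id_op_connect(&b) != 0) st.failures++;
    id_op_done(&a, false); id_op_done(&b, false);
    /* ticket #465: server 1 goes down while the query is in flight */
    for (a.next_server = 0;;) {
        if (id_op_connect(&a) != 0) { st.failures++; break; }
        server_up[1] = false;
        if (!id_op_done(&a, !server_up[a.conn->server])) break;
        st.retries++;
    }
    /* ticket #466: the ticket expires, so the cached connection is replaced */
    clock_ticks += TICKET_LIFETIME; a.next_server = 0;
    if (id_op_connect(&a) != 0) st.failures++;
    id_op_done(&a, false);
    cache_evict(&cache);    /* shutdown: nothing is left open */
    st.connects = cache.connects; st.closes = cache.closes;
    return st;
}
```

run_scenario() walks steps 2 to 5 of the usage pattern: the two parallel requests cost a single connect (server 0 is down, so the list is walked to server 1), the server failing mid-query costs exactly one retry that lands on server 2, and the expired connection is closed before its replacement is opened, so every connect is matched by a close. A connect attempt that fails allocates nothing, which is the property the earlier sdap_handle fix restored: the only handles that exist are the one in the cache and those still locked by a request.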
[PATCH] Use netlink to detect going online
by Jakub Hrozek
Integrates libnl to detect adding routes. When a route is added, the
offline status of all back ends is reset. This patch adds no heuristics
to detect whether back end went offline.
Fixes: #456
[PATCH] Log TLS errors to syslog
by Stephen Gallagher
Also adds support for detecting LDAPS errors by adding a check for
SDAP_DIAGNOSTIC_MESSAGE after ldap_search_ext().
This should make debugging an initial setup easier, as the most common
configuration errors will appear in /var/log/messages, instead of
requiring the user to turn on the debug logs.
libnl route callbacks in RHEL5
by Jakub Hrozek
Hi Dan,
I managed to complete the detection of routes going up/down and the
associated SSSD-specific work using libnl 1.1 on Fedora 12/13 based on
your code from NetworkManager.
However, I ran into some trouble with the RHEL5 version of libnl
(1.0-pre5) as it doesn't seem to have support for subscribing to groups
(nl_socket_add_membership etc.). Can you recall if there is any
workaround with the old libnl code? The last resort would be to not
support this functionality on RHEL5, but I'd like to avoid that if possible.
Thank you for your time!