This patch should not be pushed to master, but I would like to get it
It should be used to provide a custom build for users experiencing cases
where ldap_search_ext would block (c.f.
would set LDAP_DEBUG_ANY
The attached patch applies cleanly on the RHEL6.1 branch. I also have a
version that applies on master/1.5 if needed.
Please see the attached patches. I tried to split the patches logically
into manageable sets.
Unfortunately I made a minor mistake and I am afraid I will do something
wrong to fix it.
I merged two wrong patches. Fortunately it was a three-liner with a one-liner,
so it is not a big deal, but I am really scared that I will do
something wrong and lose the work I have done.
So I hope it is Ok to send it as is.
0001--INI-Making-Coverity-happy.patch <- this is the patch I submitted
earlier that I merged by mistake. I was supposed to merge it with patch
25 but picked the wrong one instead.
Patch 25 addresses the real issue found by Coverity as mentioned in
Stephen's review mail but it did not apply cleanly since it relies on
some code from the patches in the middle.
0002--INI-Adding-missing-function-declararion.patch <- this is the
patch that was rejected from the second set sent earlier. Fixed
according to review comment.
0003--BUILD-Allow-trace-per-component.patch <- This patch allows tracing
The following set of patches introduces the merging of sections during
the reading of the file:
Patches related to porting the metadata from the old way of doing things to
the new way of doing things:
0021--INI-Avoid-double-free.patch <- patch related to 17 (missed check)
0024--INI-Rename-error-print-function.patch <- rename error printing
function for consistency with new interface
0025--INI-Initialize-variables-in-loops.patch <- Coverity issue
addressed. Related to patch 0001.
0026--INI-Exposing-functions.patch <- Make some internal functions reusable
There is also patch 27. It is a piece of new functionality. It is a
preview. Please see the comment before reviewing it.
Do I need to split it into multiple patches or is it OK as is? It is
pretty big, but all changes are in one file and logically related.
The UNIT test is missing so I am not claiming it actually works as
Sr. Engineering Manager IPA project,
Red Hat Inc.
The SSSD team is proud to announce the version 1.6.2 enhancement and
bugfix release of the System Security Services Daemon.
As always, it can be downloaded from https://fedorahosted.org/sssd/
== Highlights ==
* Improved handling of users and groups with multi-valued name
* Performance enhancements
* Initgroups on RFC2307bis/FreeIPA
* HBAC rule processing
* Improved process-hang detection and restarting
* Enabled the midpoint cache refresh by default (fewer cache misses on
* Cleaned up the example configuration
== Detailed Changelog ==
Jakub Hrozek (23):
* Improve error message for LDAP password constraint violation
* Keep deref controls until the whole request is finished
* Fix uninitialized pointer read in sdap_gssapi_get_default_realm()
* IPA access: hostname comparison should be case-insensitive
* Add sysdb interface to get name aliases
* Add a sysdb_get_direct_parents function
* Store name aliases for users, groups
* Return users and groups based on alias
* Use explicit base 10 for converting strings to integers
* Fix typo in sysdb_get_direct_parents
* Add option to follow symlinks to check_file()
* Append PID to sbus server socket name, let clients use a symlink
* Streamline the example config
* Do not delete requests inside hash_iterate loop
* Check if dp_requests hash table exists before using it
* Fix off-by-one error in remove_socket_symlink()
* Report on errno, not return code in create_socket_symlink
* Add a missing break
* Sanitize DN in sysdb_get_direct_parents
* gitignore additions
* Utility functions for LDAP nested schema initgroups
* Use fewer transactions during RFC2307bis initgroups
* Use fewer transactions during IPA initgroups
Jan Zeleny (2):
* man page fix (lists are comma-separated)
* Fixed timeout handling in responders
Marko Myllynen (3):
* Add missing options to sssd.api.conf
* Unbreak ./configure
* Update sssd-example.conf
Pavel Březina (3):
* sss_ldap_err2string() - function created
* sss_ldap_err2string() - ldap_err2string() to sss_ldap_err2string()
* Added quiet option to pam_sss
Pavel Zuna (1):
* Fix small bug where TALLOC_CTX could end up unfreed.
Stephen Gallagher (18):
* Bumping version to 1.6.2
* Add option to specify the kerberos replay cache dir
* Fix typo in %configure
* Remove all libtool .la files from RPM
* Improve documentation of libipa_hbac
* Add libipa_hbac documentation to the -devel package
* MONITOR: Correctly detect lack of response from services
* Do not build documentation on RHEL 5
* Fix typo in specfile
* MAN: Add more information about internal credential storage
* Enable the midpoint cache update by default
* HBAC: fix typos preventing proper hostgroup evaluation
* HBAC: Do not save member/memberOf links
* HBAC: Use originalMember for identifying servicegroups
* HBAC: Use originalMember for identifying hostgroups
* BUILDSYS: Fix --without-manpages
* MONITOR: fix timeout conversion
* Updating translation files for string freeze
Sumit Bose (1):
* Do not access memory out of bounds
Based on the second proposal:
There is some old SIGCHLD handling code in src/providers/child_common.[ch], that
should probably go away if this gets accepted. There was also a naming conflict
with the sss_child_ctx structure. This structure is only used internally by
functions defined in src/providers/child_common.c. I renamed the original structure
to sss_child_ctx_old for now.
I'm sending a couple of patches which add support for IPA netgroups:
These routines were not static, so I renamed them in order to avoid confusion
and possible collision with equivalent routines in the IPA provider.
Some new config options, please focus on this patch, I'm not entirely sure if
my approach was the correct one.
This new context was necessary so I can pass IPA options to the routine
determining the host search base.
This is the netgroups support itself.
IPA id provider which utilizes the previously added netgroup support.
https://fedorahosted.org/sssd/ticket/924 started as a segfault ticket
but we could never reproduce the crash afterwards.
As Sumit noted, it might have been caused by setting the O_NONBLOCK flag
twice. However, the changes Sumit proposed in the ticket still make
sense because they provide a much cleaner solution.
Attached are two patches:
[PATCH 1/2] Provide means of forcing TLS and GSSAPI enabled/disabled
for sdap connections
This will be used to force TLS on the auth connection only and allow
staying on GSSAPI-backed ID connection for the rest of the request.
[PATCH 2/2] IPA migration fixes
* use the id connection for looking up the migration flag
* force TLS on the password based authentication connection
This simple patch allows using AD objectSid as the uid source, making it
possible to use SSSD against AD instances which do not have Identity
Management for Unix Role Service enabled. The mapping matches winbind's
idmap_rid(8) behaviour. If ldap_user_uid_number is not objectSid then
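To illustrate the idmap_rid-style mapping described above, here is an added example (not the patch's own code, and not SSSD's option names): it decodes the binary objectSid that AD returns over LDAP and derives a uid from the RID against an assumed range, rejecting SIDs whose RID falls outside it.

```python
import struct

def parse_sid(blob: bytes) -> str:
    """Decode a binary objectSid into its 'S-1-5-21-...' string form.
    Layout: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then `count`
    little-endian 32-bit sub-authorities (the last one is the RID)."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def sid_to_uid(sid: str, low: int, high: int, base_rid: int = 0):
    """idmap_rid-style mapping: uid = low + (rid - base_rid).
    `low`, `high` and `base_rid` are assumed parameters for this example,
    not SSSD configuration option names. Returns None when the result
    would fall outside [low, high], so callers can refuse the entry."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    rid = int(parts[-1])
    uid = low + (rid - base_rid)
    if uid < low or uid > high:
        return None
    return uid

# Constructed sample objectSid for S-1-5-21-1111-2222-3333-1105 (RID 1105).
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1111, 2222, 3333, 1105)

if __name__ == "__main__":
    sid_str = parse_sid(SAMPLE_SID)
    print(sid_str, "->", sid_to_uid(sid_str, low=10000, high=20000))
```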
During the nested initgroups processing review, Jan requested removing
unused "dom" parameter from the code. Instead of doing it on that one
place, I compiled SSSD with -Wunused and cleaned up unused parameters in
the providers code. It's mostly sss_domain_info no longer needed because
of the sysdb refactoring.
The patch brings no functional change, it's just cleanup.
- SUDO plugin API
What does it do currently?
1. sudo plugin sends input data to responder
2. responder sends back to plugin that user is allowed to run the
What does it not do?
- Doesn't require any PAM authentication
- Doesn't read anything from LDAP
- Doesn't set any environment variables (and reset current environment)
This can actually cause some trouble for applications; so far I've
encountered an error message in VIM (no $HOME specified).
How to test it?
1. Install SUDO version 1.8 or greater
I am running 1.8.2 built from source:
2. Enable SUDO plugin in /etc/sudo.conf
Plugin sss_sudo_policy /usr/lib/sudo/libsss_sudoplugin.so
Unfortunately, SUDO doesn't allow having more than one policy
plugin activated, so comment out the standard sudoers plugin.
3. Enable it in sssd.conf ;-)
services += sudo
4. Run sssd
5. Run sudo
I left there some debug messages, so don't worry when you see:
CMD Return code: 0
Command exited with status 0
in the output. But tell me if there is anything other than 0 :-)
Adds a client function that allows the client to send data to the responder.
And sets the sudo responder protocol version.
Configure and Makefile updates so we can build plugin and responder.
Just a little update that adds sudo responder to known services of monitor.