[PATCH] Allow more libldap debugging
by Jakub Hrozek
This patch should not be pushed to master, but I would like to get it
reviewed anyway.
It should be used to provide a custom build for users experiencing cases
where ldap_search_ext would block (c.f.
https://bugzilla.redhat.com/show_bug.cgi?id=728343)
For example:
export SSSD_DEBUG_LDAP_SEARCH="0xffff"
would set LDAP_DEBUG_ANY
The attached patch applies cleanly on the RHEL6.1 branch. I also have a
version that applies on master/1.5 if needed.
10 years, 10 months
[INI] Patches for ding-libs: Merging config sections, handling metadata, remaining Coverity issues...
by Dmitri Pal
Please see the attached patches. I tried to split the patches logically
into manageable sets.
Unfortunately I made a minor mistake and I am afraid I will do something
wrong to fix it.
I merged two wrong patches. Fortunately it was three liner with 1 liner
so it is not a big of the deal but I am really scared that I will do
something wrong and loose the work I have done.
So I hope it is Ok to send it as is.
0001--INI-Making-Coverity-happy.patch <- this is the patch I submitted
earlier that I merged by mistake. I was supposed to merge it with patch
25 but picked the wrong one instead.
Patch 25 addresses the real issue found by Coverity as mentioned in
Stephen's review mail but it did not apply cleanly since it relies on
some code from the patches in the middle.
0002--INI-Adding-missing-function-declararion.patch <- this is the
patch that was rejected from the second set sent earlier. Fixed
according to review comment.
0003--BUILD-Allow-trace-per-component.patch <- This patch allows tracing
per component
The following set of patches introduces the merging of sections during
the reading of the file:
0004--INI-New-error-codes-and-messages.patch
0005--INI-New-merge-flags.patch
0006--INI-Add-new-vars-to-parse-structure.patch
0007--INI-Add-save_error-function.patch
0008--INI-Change-parse_error-to-use-save_error.patch
0009--INI-Preparing-for-merging-sections.patch
0010--INI-Enhance-value-processing.patch
0011--INI-Use-section-line-number.patch
0012--INI-Refactor-section-processing.patch
0013--INI-Return-error-in-DETECT-mode.patch
0014--INI-New-test-files-for-section-merge.patch
0015--INI-Test-DETECT-mode-and-use-new-file.patch
0016--INI-Test-for-all-section-merge-modes.patch
Patches related porting of the meta data from old way of doing things to
the new way of doing things:
0017--INI-Separate-close-and-destroy.patch
0018--INI-Function-to-reopen-file.patch
0019--INI-Metadata-collection-is-gone.patch
0020--INI-Check-access-function.patch
0021--INI-Avoid-double-free.patch <- patch related to 17 (missed check)
0022--INI-Function-to-check-for-changes.patch
0023--INI-Tests-for-access-and-changes.patch
0024--INI-Rename-error-print-function.patch <- rename error printing
function for consistency with new interface
0025--INI-Initialize-variables-in-loops.patch <- Coverity issue
addressed. Related to patch 0001.
0026--INI-Exposing-functions.patch <- Make some internal functions reusable
There is also patch 27. It is a piece of new functionality. It is a
preview. Please see the comment before reviewing it.
Do I need to split it into multiple patches or it is Ok as is? It is
pretty big but all changes are in one file and logically related.
The UNIT test is missing so I am not claiming it actually works as
expected.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
11 years, 5 months
Announcing SSSD 1.6.2
by Stephen Gallagher
The SSSD team is proud to announce the version 1.6.2 enhancement and
bugfix release of the System Security Services Daemon.
As always, it can be downloaded from https://fedorahosted.org/sssd/
== Highlights ==
* Improved handling of users and groups with multi-valued name
attributes (aliases)
* Performance enhancements
* Initgroups on RFC2307bis/FreeIPA
* HBAC rule processing
* Improved process-hang detection and restarting
* Enabled the midpoint cache refresh by default (fewer cache misses on
commonly-used entries)
* Cleaned up the example configuration
== Detailed Changelog ==
Jakub Hrozek (23):
* Improve error message for LDAP password constraint violation
* Keep deref controls until the whole request is finished
* Fix uninitialized pointer read in sdap_gssapi_get_default_realm()
* IPA access: hostname comparison should be case-insensitive
* Add sysdb interface to get name aliases
* Add a sysdb_get_direct_parents function
* Store name aliases for users, groups
* Return users and groups based on alias
* Use explicit base 10 for converting strings to integers
* Fix typo in sysdb_get_direct_parents
* Add option to follow symlinks to check_file()
* Append PID to sbus server socket name, let clients use a symlink
* Streamline the example config
* Do not delete requests inside hash_iterate loop
* Check if dp_requests hash table exists before using it
* Fix off-by-one error in remove_socket_symlink()
* Report on errno, not return code in create_socket_symlink
* Add a missing break
* Sanitize DN in sysdb_get_direct_parents
* gitignore additions
* Utility functions for LDAP nested schema initgroups
* Use fewer transactions during RFC2307bis initgroups
* Use fewer transactions during IPA initgroups
Jan Zeleny (2):
* man page fix (lists are comma-separated)
* Fixed timeout handling in responders
Marko Myllynen (3):
* Add missing options to sssd.api.conf
* Unbreak ./configure
* Update sssd-example.conf
Pavel Březina (3):
* sss_ldap_err2string() - function created
* sss_ldap_err2string() - ldap_err2string() to sss_ldap_err2string()
* Added quiet option to pam_sss
Pavel Zuna (1):
* Fix small bug where TALLOC_CTX could end up unfreed.
Stephen Gallagher (18):
* Bumping version to 1.6.2
* Add option to specify the kerberos replay cache dir
* Fix typo in %configure
* Remove all libtool .la files from RPM
* Improve documentation of libipa_hbac
* Add libipa_hbac documentation to the -devel package
* MONITOR: Correctly detect lack of response from services
* Do not build documentation on RHEL 5
* Fix typo in specfile
* MAN: Add more information about internal credential storage
* Enable the midpoint cache update by default
* HBAC: fix typos preventing proper hostgroup evaluation
* HBAC: Do not save member/memberOf links
* HBAC: Use originalMember for identifying servicegroups
* HBAC: Use originalMember for identifying hostgroups
* BUILDSYS: Fix --without-manpages
* MONITOR: fix timeout conversion
* Updating translation files for string freeze
Sumit Bose (1):
* Do not access memory out of bounds
11 years, 9 months
Re: [SSSD] Announcing SSSD 1.5.14
by GOLLSCHEWSKY, Tim
> > I'm not sure if artificially trimming the group list is a good idea.
> > It wouldn't work for everyone and I would be wary of breaking access
> > control mechanisms.
>
> Noted. And yes I agree this (non-mandatory) config option wouldn't be useful for everyone, it's just something
> that fixes my particular problem (reduces ssh login times from 30 seconds to <5).
>
> I may have to write my own patch and apply it to the SRPM as each official version of SSSD is released. It won't be
> supported by Red Hat obviously but my users won't be complaining about slow login times anymore. So partial win. :)
Just thought I'd contribute my results in case this helps with your investigation of the larger problem. I assume there are other organisations with huge AD/LDAP directories that are having similar issues with ssh authentication times.
I've finished my local patch and added a config option called: ldap_rfc2307bis_initgroups_filter
If not specified, sssd just reverts to normal behaviour (cn=*) during the initgroups run.
With no ldap_rfc2307bis_initgroups_filter:
# time ssh myhost groups
xxxxdm xxxxdef xxxxgmt xxxx002 xxxx003 xxxxp xxxx001 xxxx002 xxxxt xxxxp xxxxange xxxxra xxxxb2 xxxxp xxxxd xxxxt xxxxp xxxxp xxxxp xxxxp xxxxd xxxxd xxxxp xxxxd xxxxd xxxxd xxxxp xxxxp xxxxd xxxxd xxxxp xxxxt xxxxd xxxxlemr xxxxp xxxxd xxxxp xxxxp xxxxd xxxxt xxxxd xxxxp xxxxd xxxxd xxxxt xxxxp xxxxt xxxxp xxxxd xxxxd xxxxt xxxxp xxxxd xxxxu xxxxp xxxxp xxxxp xxxxp xxxxd xxxxp xxxxp xxxxu xxxxp xxxxp xxxxt xxxxp xxxxd xxxxd xxxxt xxxxp xxxxd xxxxt xxxxt xxxxd xxxxt xxxxp xxxxp xxxxi xxxxd xxxxd xxxxp xxxxd xxxxp xxxxp xxxxd xxxxd xxxxp xxxxp xxxxd xxxxp xxxxd xxxxp xxxxd xxxxp xxxxp xxxxp xxxxp xxxxd xxxxd xxxxd xxxxd xxxxp xxxxp xxxxp xxxxd xxxxd xxxxd xxxxd xxxxd xxxxp xxxxp xxxxd xxxxd xxxxd xxxxd xxxxd xxxxd xxxxp xxxxp xxxxd xxxxp xxxxd xxxxd xxxxp xxxxd xxxxd xxxxd xxxxd xxxxd xxxxp xxxxd xxxxd xxxxd xxxxd xxxxd xxxxd xxxxd xxxxp xxxxd xxxxd xxxxp xxxxt xxxxp xxxxd xxxxd xxxxp xxxxd xxxxd xxxxd xxxxp xxxxd xxxxd
real 0m48.47s
user 0m0.15s
sys 0m0.02s
With ldap_rfc2307bis_initgroups_filter = (|(cn=xxxrd)(cn=xxxxp)(cn=xxxxd))
# time ssh myhost groups
xxxxdm xxxxgmt xxxxd xxxxp xxxxd
real 0m5.11s
user 0m0.15s
sys 0m0.03s
This hack will have to do until a better solution is found. I'm hoping the fixes coming in 1.7.0 will do the trick. :)
Thanks to everyone who helped me get to this point.
Best regards,
Tim Gollschewsky.
This e-mail is sent by Suncorp Group Limited ABN 66 145 290 124 or one of its related entities "Suncorp".
Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on 13 11 55 or at suncorp.com.au.
The content of this e-mail is the view of the sender or stated author and does not necessarily reflect the view of Suncorp. The content, including attachments, is a confidential communication between Suncorp and the intended recipient. If you are not the intended recipient, any use, interference with, disclosure or copying of this e-mail, including attachments, is unauthorised and expressly prohibited. If you have received this e-mail in error please contact the sender immediately and delete the e-mail and any attachments from your system.
11 years, 9 months
GSSAPI and Kerberos - understanding question
by Josh Geisser
Hi list
I'm sure I have gabs of understanding of how to use SSSD without using plain binding-user credentials in the configfile. I followed the guide for Win2008 allthough I only have 2003 SFU - would that work?
- I see it right that GSSAPI should enable looking up stuff in the LDAP using a machine-account instead of the binding-user/passwd?
- Kerberos (which has the machine-auth-ticket) comes into play for LDAP, but this exceeds the basic LDAP authentication (eg. Auth via Kerberos on the LDAP server)? Is this enough to feed nsswitch (e.g. getent) or is an additional valid user/pass still required?
The trouble I'm having here is the ktpasswd.exe generated-key is always dated at 01/01/70 01:00:00 which I guess is also the reason why ldapsearch -Y GSSAPI and kinit fail? 2003 behaviour?
The krb and ldap configuration works quite fine with bind-dn, just struggeling with SASL/GSSAPI.
Cheers
Josh
--
----
ASG at hnet
11 years, 9 months
[PATCH] Add common SIGCHLD handling.
by Pavel Zuna
Base on the second proposal:
https://fedorahosted.org/sssd/wiki/DesignDocs/SigChld
There is some old SIGCHLD handling code in src/providers/child_common.[ch], that
should probably go away if this gets accepted. There was also a naming conflict
with the sss_child_ctx structure. This structure is only used internally by
functions defined src/providers/child_common.c. I renamed the original structure
to sss_child_ctx_old for now.
Pavel
11 years, 9 months
[PATCHES] Support native IPA netgroups
by Jan Zelený
I'm sending couple patches which add support for IPA netgroups:
#53
These routines were not static, so I renamed them in order to avoid confusion
and possible collision with equivalent routines in IPA provider
#54
Some new config options, please focus on this patch, I'm not entirely sure if
my approach was the correct one.
#55
This new context was necessary so I can pass ipa options to routine
determining host search base.
#56
This is netgroups support itself
#57
IPA id provider which is utilizing previously added support of netgroup
fetching
Thanks
Jan
11 years, 9 months
[PATCH] Add ldap_sasl_minssf option
by Jan Zelený
https://fedorahosted.org/sssd/ticket/1075
The only thing is that I'm not sure if 72 is the right default minssf value
for IPA provider, as default IPA installation works with 56 as the highest
possible value for me. In default SSSD installation, this means that
communication with IPA server will be rejected with no information about the
reason being min SSF. I think this will be very confusing to SSSD users.
Can anyone give me a hint how to proceed? Lower the default value in SSSD or
do the change in IPA?
Thanks
Jan
11 years, 9 months
