[INI] Patches for ding-libs: Merging config sections, handling metadata, remaining Coverity issues...
by Dmitri Pal
Please see the attached patches. I tried to split the patches logically
into manageable sets.
Unfortunately I made a minor mistake and I am afraid I will do something
wrong to fix it.
I merged two wrong patches. Fortunately it was a three-liner with a one-liner,
so it is not a big deal, but I am really scared that I will do
something wrong and lose the work I have done.
So I hope it is OK to send it as is.
0001--INI-Making-Coverity-happy.patch <- this is the patch I submitted
earlier that I merged by mistake. I was supposed to merge it with patch
25 but picked the wrong one instead.
Patch 25 addresses the real issue found by Coverity as mentioned in
Stephen's review mail but it did not apply cleanly since it relies on
some code from the patches in the middle.
0002--INI-Adding-missing-function-declararion.patch <- this is the
patch that was rejected from the second set sent earlier. Fixed
according to review comment.
0003--BUILD-Allow-trace-per-component.patch <- This patch allows tracing
per component
The following set of patches introduces the merging of sections during
the reading of the file:
0004--INI-New-error-codes-and-messages.patch
0005--INI-New-merge-flags.patch
0006--INI-Add-new-vars-to-parse-structure.patch
0007--INI-Add-save_error-function.patch
0008--INI-Change-parse_error-to-use-save_error.patch
0009--INI-Preparing-for-merging-sections.patch
0010--INI-Enhance-value-processing.patch
0011--INI-Use-section-line-number.patch
0012--INI-Refactor-section-processing.patch
0013--INI-Return-error-in-DETECT-mode.patch
0014--INI-New-test-files-for-section-merge.patch
0015--INI-Test-DETECT-mode-and-use-new-file.patch
0016--INI-Test-for-all-section-merge-modes.patch
Patches related to porting the metadata from the old way of doing things to
the new way of doing things:
0017--INI-Separate-close-and-destroy.patch
0018--INI-Function-to-reopen-file.patch
0019--INI-Metadata-collection-is-gone.patch
0020--INI-Check-access-function.patch
0021--INI-Avoid-double-free.patch <- patch related to 17 (missed check)
0022--INI-Function-to-check-for-changes.patch
0023--INI-Tests-for-access-and-changes.patch
0024--INI-Rename-error-print-function.patch <- rename error printing
function for consistency with new interface
0025--INI-Initialize-variables-in-loops.patch <- Coverity issue
addressed. Related to patch 0001.
0026--INI-Exposing-functions.patch <- Make some internal functions reusable
There is also patch 27. It is a piece of new functionality. It is a
preview. Please see the comment before reviewing it.
Do I need to split it into multiple patches or is it OK as is? It is
pretty big, but all changes are in one file and logically related.
The UNIT test is missing so I am not claiming it actually works as
expected.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
11 years, 6 months
[PATCH] Add support for ADS pwdLastSet
by Pierre Carrier
Documented on http://msdn.microsoft.com/en-us/library/cc220785(v=prot.10).aspx
Introduced in nss_ldap 208:
* add support for native Active Directory password
policy attributes (enabled if shadowLastChange is
mapped to pwdLastSet)
---
src/config/SSSDConfig.py | 1 +
src/config/etc/sssd.api.d/sssd-ldap.conf | 1 +
src/man/sssd-ldap.5.xml | 15 ++++++++++
src/providers/ldap/ldap_auth.c | 9 +++++-
src/providers/ldap/ldap_common.c | 43 ++++++++++++++++++++++++++++++
src/providers/ldap/ldap_common.h | 1 +
src/providers/ldap/sdap.h | 1 +
7 files changed, 70 insertions(+), 1 deletions(-)
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 5135174..992e1f4 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -167,6 +167,7 @@ option_strings = {
'ldap_user_modify_timestamp' : _('Modification time attribute'),
#replaced by ldap_entry_usn# 'ldap_user_entry_usn' : _('entryUSN attribute'),
'ldap_user_shadow_last_change' : _('shadowLastChange attribute'),
+ 'ldap_user_ads_last_change' : _('pwdLastSet attribute'),
'ldap_user_shadow_min' : _('shadowMin attribute'),
'ldap_user_shadow_max' : _('shadowMax attribute'),
'ldap_user_shadow_warning' : _('shadowWarning attribute'),
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 5fd0cfb..6700df9 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -51,6 +51,7 @@ ldap_user_member_of = str, None, false
ldap_user_modify_timestamp = str, None, false
ldap_user_entry_usn = str, None, false
ldap_user_shadow_last_change = str, None, false
+ldap_user_ads_last_change = str, None, false
ldap_user_shadow_min = str, None, false
ldap_user_shadow_max = str, None, false
ldap_user_shadow_warning = str, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 2a39732..0db3ce7 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -313,6 +313,21 @@
</varlistentry>
<varlistentry>
+ <term>ldap_user_ads_last_change (string)</term>
+ <listitem>
+ <para>
+ When using ldap_pwd_policy=shadow, this parameter
+ contains the name of an LDAP attribute corresponding
+ to pwdLastSet in Active Directory server, fell back to
+ when ldap_user_shadow_last_change was not available.
+ </para>
+ <para>
+ Default: pwdLastSet
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_user_shadow_min (string)</term>
<listitem>
<para>
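Review bot: the description in the new varlistentry is hard to parse ("fell back to when ldap_user_shadow_last_change was not available"); suggest "When using ldap_pwd_policy=shadow, the name of the LDAP attribute corresponding to pwdLastSet in Active Directory. It is used as a fallback when ldap_user_shadow_last_change cannot be read." It would also help to state that the value is a Windows FILETIME (100-nanosecond intervals since 1601, as the 864000000000 divisor in the ldap_common.c hunk implies) rather than days, and that a value of 0 is treated as a forced password change, since administrators mapping a different attribute here need to know the expected format.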
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index e45d5b3..5ebd72c 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -286,7 +286,8 @@ static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
return EINVAL;
}
} else if (strcasecmp(pwd_policy, PWD_POL_OPT_SHADOW) == 0) {
- mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);
+ mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL) |
+ ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_ADS_LASTCHANGE, NULL);
if (mark != NULL) {
DEBUG(9, ("Found shadow password expiration attributes.\n"))
spwd = talloc_zero(mem_ctx, struct spwd);
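Review bot: the `|` in the new `mark = ... | ...` assignment applies bitwise OR to two `const char *` return values, which is not valid C (pointers are not permitted operands of `|`) and will not compile; even as `||` it would only yield 0 or 1, not the attribute value. Use the second lookup as a fallback instead: `mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL); if (mark == NULL) mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_ADS_LASTCHANGE, NULL);`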
@@ -297,6 +298,12 @@ static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);
ret = string_to_shadowpw_days(val, &spwd->sp_lstchg);
+
+ /* Fallback to pwdLastSet for ADS */
+ if (ret != EOK) {
+ val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_ADS_LASTCHANGE, NULL);
+ ret = ads_pwdlastset_to_shadowpw_days(val, &spwd->sp_lstchg);
+ }
if (ret != EOK) goto shadow_fail;
val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_MIN, NULL);
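Review bot: the fallback only fires when string_to_shadowpw_days() returns an error, but the new ads_pwdlastset_to_shadowpw_days() below treats a NULL or empty string as success with -1; if string_to_shadowpw_days() handles a missing shadowLastChange the same way, the pwdLastSet branch is never reached in exactly the case the patch targets (entry has pwdLastSet but no shadowLastChange). Key the fallback on the lookup result instead: `val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL); if (val != NULL) { ret = string_to_shadowpw_days(val, &spwd->sp_lstchg); } else { val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_ADS_LASTCHANGE, NULL); ret = ads_pwdlastset_to_shadowpw_days(val, &spwd->sp_lstchg); }`. As written, a parse error in a present shadowLastChange is also silently masked by the fallback; logging it at DEBUG level before trying pwdLastSet would make bad directory data diagnosable.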
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 9eb9cc3..22c9bb7 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -163,6 +163,7 @@ struct sdap_attr_map rfc2307bis_user_map[] = {
{ "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
{ "ldap_user_entry_usn", NULL, SYSDB_USN, NULL },
{ "ldap_user_shadow_last_change", "shadowLastChange", SYSDB_SHADOWPW_LASTCHANGE, NULL },
+ { "ldap_user_ads_last_change", "pwdLastSet", SYSDB_SHADOWPW_ADS_LASTCHANGE, NULL },
{ "ldap_user_shadow_min", "shadowMin", SYSDB_SHADOWPW_MIN, NULL },
{ "ldap_user_shadow_max", "shadowMax", SYSDB_SHADOWPW_MAX, NULL },
{ "ldap_user_shadow_warning", "shadowWarning", SYSDB_SHADOWPW_WARNING, NULL },
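Review bot: the new entry is inserted in the middle of rfc2307bis_user_map, but the only sdap.h change in this patch is a #define. Check whether this map is indexed positionally by the sdap user attribute enum: if so, every entry after ldap_user_ads_last_change is now off by one unless a matching enum member is added at the same position, and any other user map in this file (the non-bis rfc2307 map, for instance) needs the same entry so all maps stay aligned with the enum and with the option list in sssd-ldap.conf.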
@@ -878,6 +879,48 @@ errno_t string_to_shadowpw_days(const char *s, long *d)
return EOK;
}
+errno_t ads_pwdlastset_to_shadowpw_days(const char *s, long *d)
+{
+ long long ll;
+ long days;
+ char *endptr;
+
+ if (s == NULL || *s == '\0') {
+ *d = -1;
+ return EOK;
+ }
+
+ errno = 0;
+ ll = strtoll(s, &endptr, 10);
+ if (errno != 0) {
+ DEBUG(1, ("strtoll failed [%d][%s].\n", errno, strerror(errno)));
+ return errno;
+ }
+
+ if (*endptr != '\0') {
+ DEBUG(1, ("Input string [%s] is invalid.\n", s));
+ return EINVAL;
+ }
+
+ /* Magic value for password reset */
+ if (ll = 0LL) {
+ DEBUG(9, ("Magic pwdLastSet date 0, password change forced.\n"));
+ *d = 0L;
+ return EOK;
+ }
+
+ days = ll / 864000000000LL - 134774LL;
+
+ if (days < 0L) {
+ DEBUG(1, ("Date is before Jan 1, 1970 [%d].\n", ll));
+ return EINVAL;
+ }
+
+ *d = days;
+
+ return EOK;
+}
+
errno_t get_sysdb_attr_name(TALLOC_CTX *mem_ctx,
struct sdap_attr_map *map,
size_t map_size,
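Review bot: `if (ll = 0LL)` in the "Magic value" check is an assignment, not a comparison: it zeroes ll, the branch is never taken, and every input then falls through to `days = 0 / 864000000000LL - 134774LL`, which is negative and returns EINVAL for all values. It must be `if (ll == 0LL)`. Two smaller points in the same function: the DEBUG() call after strtoll() can change errno before `return errno;`, so copy it into a local first (`ret = errno; DEBUG(...); return ret;`), and the "before Jan 1, 1970" message passes a long long to `%d`; use `%lld`. The constants are right (864000000000 is 86400 s x 10^7 intervals per day, 134774 is the number of days from 1601-01-01 to 1970-01-01); a comment saying so would help the next reader.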
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 9146da5..cf301de 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -146,6 +146,7 @@ int setup_child(struct sdap_id_ctx *ctx);
errno_t string_to_shadowpw_days(const char *s, long *d);
+errno_t ads_pwdlastset_to_shadowpw_days(const char *s, long *d);
errno_t get_sysdb_attr_name(TALLOC_CTX *mem_ctx,
struct sdap_attr_map *map,
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 32dc344..fdd5b7a 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -115,6 +115,7 @@ struct sdap_ppolicy_data {
};
#define SYSDB_SHADOWPW_LASTCHANGE "shadowLastChange"
+#define SYSDB_SHADOWPW_ADS_LASTCHANGE "pwdLastSet"
#define SYSDB_SHADOWPW_MIN "shadowMin"
#define SYSDB_SHADOWPW_MAX "shadowMax"
#define SYSDB_SHADOWPW_WARNING "shadowWarning"
--
1.7.4.4
12 years, 1 month
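The pwdLastSet conversion the patch above implements, written out as an added stand-alone example. This is not sssd's code and not the patch author's: it keeps the same contract as ads_pwdlastset_to_shadowpw_days() (NULL or empty input gives -1 and success, "0" gives 0, anything else gives days since 1970-01-01) but uses fprintf() instead of sssd's DEBUG() and a plain 0 instead of EOK, and the sample values in main() are constructed for the example, not taken from a directory. It shows the two things the conversion has to get right: the FILETIME epoch offset and the magic value 0.

```c
/* Added example: stand-alone conversion of an Active Directory pwdLastSet
 * value to the shadow sp_lstchg "days since the Unix epoch" value.
 * Not sssd's implementation; same contract, plain errno return codes. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* pwdLastSet is a Windows FILETIME: 100-nanosecond intervals since
 * 1601-01-01 00:00 UTC. */
#define FILETIME_PER_DAY   864000000000LL   /* 86400 s * 10^7 intervals/s   */
#define DAYS_1601_TO_1970  134774LL         /* 116444736000000000 / per-day */

/* Returns 0 on success (days_out set) or an errno code on failure. */
int pwdlastset_to_shadow_days(const char *s, long *days_out)
{
    long long ft;
    long long days;
    char *endptr;
    int saved_errno;

    /* Attribute absent or empty: no information, like a missing
     * shadowLastChange; report -1 and success. */
    if (s == NULL || *s == '\0') {
        *days_out = -1;
        return 0;
    }

    errno = 0;
    ft = strtoll(s, &endptr, 10);
    saved_errno = errno;   /* copy before any call can clobber it */
    if (saved_errno != 0) {
        fprintf(stderr, "strtoll failed [%d][%s]\n",
                saved_errno, strerror(saved_errno));
        return saved_errno;                 /* ERANGE on overflow */
    }
    if (endptr == s || *endptr != '\0') {
        fprintf(stderr, "Input string [%s] is not an integer\n", s);
        return EINVAL;
    }

    /* 0 means "must change password at next logon"; shadow expresses the
     * same with sp_lstchg == 0. Comparison, not assignment. */
    if (ft == 0LL) {
        *days_out = 0;
        return 0;
    }

    days = ft / FILETIME_PER_DAY - DAYS_1601_TO_1970;
    if (days < 0LL) {
        fprintf(stderr, "pwdLastSet [%lld] is before 1970-01-01\n", ft);
        return EINVAL;
    }
    if (days > (long long) LONG_MAX) {      /* only reachable on 32-bit long */
        return ERANGE;
    }

    *days_out = (long) days;
    return 0;
}

/* Convenience wrappers for quick checks: the converted value, or `fail`
 * when the conversion reported an error; and the raw status code. */
long shadow_days_or(const char *s, long fail)
{
    long d;
    return pwdlastset_to_shadow_days(s, &d) == 0 ? d : fail;
}

int shadow_days_status(const char *s)
{
    long d;
    return pwdlastset_to_shadow_days(s, &d);
}

int main(void)
{
    /* Constructed sample values, not taken from a real directory. */
    const char *samples[] = {
        "129383136000000000",   /* 2011-01-01 00:00 UTC -> 14975 days */
        "116444736000000000",   /* 1970-01-01 00:00 UTC -> 0 days     */
        "0",                    /* magic: must change at next logon   */
        "",                     /* empty -> -1, success               */
        "1",                    /* before 1970 -> EINVAL              */
        "12x",                  /* trailing junk -> EINVAL            */
        NULL                    /* absent -> -1, success              */
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        long d = -2;
        int ret = pwdlastset_to_shadow_days(samples[i], &d);
        printf("%-20s -> ret=%d days=%ld\n",
               samples[i] ? samples[i] : "(null)", ret, d);
    }
    return 0;
}
```

The epoch offset can be sanity-checked in one line: 134774 days times 864000000000 intervals per day is 116444736000000000, the FILETIME value of 1970-01-01, so that input converts to day 0. Values later on the same day (the example checks five hours after midnight) map to the same day count because the division truncates.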
[PATCH] Add experimental support to receive PAC via GSSAPI
by Sumit Bose
Hi,
this series of patches adds support to receive a windows PAC via GSSAPI
and to create a user based on the data in the PAC. This is useful
because in an environment with lots of trust relationships between AD
servers it might be quite time-consuming to find out about all the group
memberships of a domain user by querying the domain controllers. But the
PAC contains all information about group memberships of the
corresponding user.
The general idea is to add the user, if it doesn't exist in the cache,
to the cache of the corresponding domain (see thread about sub-domains,
currently this patch adds the user to the local domain for simplicity)
and to add all group memberships (currently not implemented). If one of
the groups cannot be found in the cache a dummy entry with all data
needed to resolve this group quickly is added to the cache.
Currently there are a couple of loose ends, e.g.
- groups and group memberships are not handled
- PAC is not validated
- missing sub-domains
- no real SID to uid/gid mapping
etc., but I would like to start the discussion about the code and the general
direction as soon as possible. Currently sssd with these patches can
only be built on rawhide, because of the dependencies on the samba4
package (libndr-krb5pac).
Patch 0007 contains a little example that demonstrates that the pac
responder can also be used to add users and groups based on other input,
e.g. it can be used as a backend for the sss_* utilities. This would
allow much better control over which user is allowed to do what kind
of operation. Currently only the root user can add and modify user and
group entries with the sss_* tools.
I have used 'pac' as a part of names here because this was the original
target, but I would be happy to change it to a more generic keyword if
anyone has a good suggestion.
bye,
Sumit
12 years, 3 months
[PATCH] AD non-posix group handling
by Jan Zelený
Hi,
since Jakub's RFC2307bis patches are already pushed, I've revisited my AD
non-posix group handling patch:
027
Added function for retrieving boolean value from sysdb attributes. This
function is then utilized in the second patch
028
This is the patch I sent before with all modifications which were discussed
Jan
12 years, 4 months
[PATCH] Add online callback only once for TGT renewal
by Sumit Bose
Hi,
I confused the online callbacks with tevent timers when adding them to
the TGT renewal task with the effect that a new renewal timer was added
every time the system switched back from offline to online. Thanks to
Kaushik for catching this. The attached patch should fix it.
bye,
Sumit
12 years, 4 months