[PATCH] Do not call talloc_free() on uninitialized memory
by Sumit Bose
Hi,
during the sdap_cli_connect request we loop over all configured LDAP
servers until we find a working one. For this we talloc_free() the old
sdap handle before requesting a new one. But for the first attempt the
handle is not initialized and we may free random memory.
bye,
Sumit
12 years, 9 months
supportedControl and OpenLDAP
by Sumit Bose
Hi,
by chance I realized that an OpenLDAP server does not list all controls
it can handle in the rootDSE attribute supportedControl.
Especially LDAP_CONTROL_PASSWORDPOLICY is not listed. According to the
OpenLDAP developers this is because the related spec
(http://tools.ietf.org/html/draft-behera-ldap-password-policy-10) is
still a draft and not finalized
(http://www.openldap.org/lists/openldap-software/200606/msg00220.html).
Since sssd only uses controls which are in the supportedControl list we
will not be able to give the user expiration warnings or information
about grace logins for OpenLDAP servers with the password policy overlay
enabled.
I'm not sure if we need to do anything about it but at least I think it
is good to be aware of.
bye,
Sumit
12 years, 9 months
[PATCH] Fix python HBAC bindings for python <= 2.4
by Jakub Hrozek
Several parts of the HBAC python bindings did not work on old Python
versions, such as the one shipped in RHEL5.
The changes include:
* a compatibility wrapper around python set object
* PyModule_AddIntMacro compat macro
* HbacRule.enabled is now a getsetter to avoid using T_BOOL which is
not present in old Python versions
* Py_ssize_t compat definition
* Do not use PyUnicode_FromFormat
* several function prototypes and structures used to have "char *"
arguments where they have "const char *" in recent versions. This
caused compilation warnings this patch mitigates by using the
discard_const hack
It also plugs one memory leak - HbacRequest.rule_name wasn't freed in
the HbacRequest destructor.
12 years, 9 months
[PATCH] Filter out IP addresses inappropriate for DNS forward records
by Jakub Hrozek
When used with the ipa_dyndns_iface option, the dynamic DNS code would
blindly put in any addresses the interface has. I think we should filter
addresses such as multicast, loopback and IPv6 link-local -- they don't
belong to DNS.
Adding Honza to the CC list as he's probably got the most experience with
address formats and was solving a similar issue on the server side. Are
there any others I should filter out?
12 years, 9 months
[PATCH] Check DNS records before updating
by Jakub Hrozek
https://fedorahosted.org/sssd/ticket/802
[PATCH 1/4] Do not hardcode default resolver timeout
This will allow us to reuse the timeout during the dyndns check
[PATCH 2/4] Split reading resolver family order into a separate function
The new function will be reused as well
[PATCH 3/4] Allow returning arbitrary address from resolv_hostent as string
While we always connect to the first address in the list returned from
DNS, the dyndns check code needs the complete list
[PATCH 4/4] Check DNS records before updating
The check itself.
The patch also includes one change that I was wondering about splitting
out as a separate patch. The previous code would always delete both
address families even in case the updated address was detected from the
LDAP socket, so the other address family would disappear if set. This
patch changes the behaviour such that only the address family of the
ldap socket is deleted and readded (and also checked for in DNS).
12 years, 9 months
[PATCH] Add LDAP access control based on NDS attributes
by Sumit Bose
Hi,
this patch adds support for the NDS/eDirectory access control attributes
loginDisabled, loginExpirationTime and loginAllowedTimeMap. It is not
fully tested because currently I do not have access to an eDirectory
server. Since the impact on other parts of the code is minimal I didn't
add a separate configure option for it but only mark it in the man page
as experimental.
If you have a chance to test this feature please let me know the result.
bye,
Sumit
12 years, 9 months