[PATCH] Allow more libldap debugging
by Jakub Hrozek
This patch should not be pushed to master, but I would like to get it
reviewed anyway.
It should be used to provide a custom build for users experiencing cases
where ldap_search_ext would block (c.f.
https://bugzilla.redhat.com/show_bug.cgi?id=728343)
For example:
export SSSD_DEBUG_LDAP_SEARCH="0xffff"
would set LDAP_DEBUG_ANY
The attached patch applies cleanly on the RHEL6.1 branch. I also have a
version that applies on master/1.5 if needed.
10 years, 10 months
[INI] Patches for ding-libs: Merging config sections, handling metadata, remaining Coverity issues...
by Dmitri Pal
Please see the attached patches. I tried to split the patches logically
into manageable sets.
Unfortunately I made a minor mistake and I am afraid I will do something
wrong to fix it.
I merged two wrong patches. Fortunately it was a three-liner with a one-liner,
so it is not a big deal, but I am really scared that I will do
something wrong and lose the work I have done.
So I hope it is Ok to send it as is.
0001--INI-Making-Coverity-happy.patch <- this is the patch I submitted
earlier that I merged by mistake. I was supposed to merge it with patch
25 but picked the wrong one instead.
Patch 25 addresses the real issue found by Coverity as mentioned in
Stephen's review mail but it did not apply cleanly since it relies on
some code from the patches in the middle.
0002--INI-Adding-missing-function-declararion.patch <- this is the
patch that was rejected from the second set sent earlier. Fixed
according to review comment.
0003--BUILD-Allow-trace-per-component.patch <- This patch allows tracing
per component
The following set of patches introduces the merging of sections during
the reading of the file:
0004--INI-New-error-codes-and-messages.patch
0005--INI-New-merge-flags.patch
0006--INI-Add-new-vars-to-parse-structure.patch
0007--INI-Add-save_error-function.patch
0008--INI-Change-parse_error-to-use-save_error.patch
0009--INI-Preparing-for-merging-sections.patch
0010--INI-Enhance-value-processing.patch
0011--INI-Use-section-line-number.patch
0012--INI-Refactor-section-processing.patch
0013--INI-Return-error-in-DETECT-mode.patch
0014--INI-New-test-files-for-section-merge.patch
0015--INI-Test-DETECT-mode-and-use-new-file.patch
0016--INI-Test-for-all-section-merge-modes.patch
Patches related to porting the metadata from the old way of doing things to
the new way of doing things:
0017--INI-Separate-close-and-destroy.patch
0018--INI-Function-to-reopen-file.patch
0019--INI-Metadata-collection-is-gone.patch
0020--INI-Check-access-function.patch
0021--INI-Avoid-double-free.patch <- patch related to 17 (missed check)
0022--INI-Function-to-check-for-changes.patch
0023--INI-Tests-for-access-and-changes.patch
0024--INI-Rename-error-print-function.patch <- rename error printing
function for consistency with new interface
0025--INI-Initialize-variables-in-loops.patch <- Coverity issue
addressed. Related to patch 0001.
0026--INI-Exposing-functions.patch <- Make some internal functions reusable
There is also patch 27. It is a piece of new functionality. It is a
preview. Please see the comment before reviewing it.
Do I need to split it into multiple patches, or is it OK as is? It is
pretty big, but all changes are in one file and logically related.
The UNIT test is missing so I am not claiming it actually works as
expected.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
11 years, 5 months
IPA migration fixes
by Jakub Hrozek
https://fedorahosted.org/sssd/ticket/924 started as a segfault ticket
but we could never reproduce the crash afterwards.
As Sumit noted it might have been caused by setting the O_NONBLOCK flag
twice. However, the changes Sumit proposed in the ticket still make
sense because they provide a much cleaner solution.
Attached are two patches:
[PATCH 1/2] Provide means of forcing TLS and GSSAPI enabled/disabled
for sdap connections
This will be used to force TLS on the auth connection only and allow
staying on GSSAPI-backed ID connection for the rest of the request.
[PATCH 2/2] IPA migration fixes
* use the id connection for looking up the migration flag
* force TLS on the password based authentication connection
11 years, 9 months
[PATCH] The new memberof plugin
by Jan Zelený
The attached patch rewrites almost the entire memberof plugin. It heavily utilizes
hash tables instead of lists and arrays, and it introduces the concept of reference
counting, which should heavily optimize all operations when no loops are
present in the user/group tree.
I tested the patch by running sysdb test suite, all tests passed. I also
attach a document where basic concepts of the plugin are explained.
Please note that the patch is functional, although I don't consider it ready.
I just want to get pre-ACK or some comments about the patch design. I have yet
to implement the recompute task, I will work on that later.
Jan
11 years, 11 months
SSO login and username case sensitivity
by GOLLSCHEWSKY, Tim
Hi guys,
We've been experimenting with putty v0.61 and windows SSO authentication. e.g. You log into windows with username "tim" and when then load up putty and try and connect to a RHEL6 machine, it passes along my Windows GSSAPI credentials and automatically logs me in to the RHEL6 box.
SSSD has been configured to talk to Active Directory like so:
[domain/KRB5DOMAIN]
enumerate = True
ldap_id_use_start_tls = False
cache_credentials = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
debug_level = 1
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_name = msSFU30Name
ldap_user_member_of = msSFU30PosixMemberOf
ldap_group_member = msSFU30PosixMember
access_provider = ldap
ldap_uri = ldap://xxxx/
ldap_search_base = xxx
ldap_user_search_base = xxx
ldap_group_search_base = xxx
ldap_sasl_mech = gssapi
ldap_sasl_authid = xxx
ldap_krb5_keytab = xxx
ldap_krb5_init_creds = true
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_realm = xxx
krb5_kpasswd = xxx
krb5_server = xxx
What we're finding is Windows for some reason stores the username in UPPERCASE and passes the uppercase value in the GSSAPI credentials. However the username attribute in AD (msSFU30Name) stores the username in lowercase, which is the standard for Unix usernames and something we are very comfortable with.
Because the username comparison is case-sensitive, the user is denied access. If we hard-code the login name in putty to be lowercase it works, so I'm pretty sure the GSSAPI auth is working.
So, my question is: Is there a way to make the username comparison to LDAP case-insensitive? Or do we need to update our AD/LDAP to uppercase all the msSFU30Name attributes? Or is there another option?
I understand usernames should be compared case-sensitive to be POSIX compliant. I've just been asked to see if I can get this to work.
BTW I've been browsing trac and it looks like you were considering a "force_lowercase_names" config option at one point. Is this still under consideration? https://fedorahosted.org/sssd/ticket/246
Best regards,
Tim Gollschewsky.
11 years, 12 months
[PATCH] Add support for ADS pwdLastSet
by Pierre Carrier
Documented on http://msdn.microsoft.com/en-us/library/cc220785(v=prot.10).aspx
Introduced in nss_ldap 208:
* add support for native Active Directory password
policy attributes (enabled if shadowLastChange is
mapped to pwdLastSet)
---
src/config/SSSDConfig.py | 1 +
src/config/etc/sssd.api.d/sssd-ldap.conf | 1 +
src/man/sssd-ldap.5.xml | 15 ++++++++++
src/providers/ldap/ldap_auth.c | 9 +++++-
src/providers/ldap/ldap_common.c | 43 ++++++++++++++++++++++++++++++
src/providers/ldap/ldap_common.h | 1 +
src/providers/ldap/sdap.h | 1 +
7 files changed, 70 insertions(+), 1 deletions(-)
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 5135174..992e1f4 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -167,6 +167,7 @@ option_strings = {
'ldap_user_modify_timestamp' : _('Modification time attribute'),
#replaced by ldap_entry_usn# 'ldap_user_entry_usn' : _('entryUSN attribute'),
'ldap_user_shadow_last_change' : _('shadowLastChange attribute'),
+ 'ldap_user_ads_last_change' : _('pwdLastSet attribute'),
'ldap_user_shadow_min' : _('shadowMin attribute'),
'ldap_user_shadow_max' : _('shadowMax attribute'),
'ldap_user_shadow_warning' : _('shadowWarning attribute'),
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 5fd0cfb..6700df9 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -51,6 +51,7 @@ ldap_user_member_of = str, None, false
ldap_user_modify_timestamp = str, None, false
ldap_user_entry_usn = str, None, false
ldap_user_shadow_last_change = str, None, false
+ldap_user_ads_last_change = str, None, false
ldap_user_shadow_min = str, None, false
ldap_user_shadow_max = str, None, false
ldap_user_shadow_warning = str, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 2a39732..0db3ce7 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -313,6 +313,21 @@
</varlistentry>
<varlistentry>
+ <term>ldap_user_ads_last_change (string)</term>
+ <listitem>
+ <para>
+ When using ldap_pwd_policy=shadow, this parameter
+ contains the name of an LDAP attribute corresponding
+ to pwdLastSet in Active Directory server, fell back to
+ when ldap_user_shadow_last_change was not available.
+ </para>
+ <para>
+ Default: pwdLastSet
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_user_shadow_min (string)</term>
<listitem>
<para>
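Review bot: the new ldap_user_ads_last_change paragraph reads awkwardly ("fell back to when ldap_user_shadow_last_change was not available") and never says what format the attribute holds, which is the one thing an admin mapping a non-default attribute needs to know. Suggest: "When using ldap_pwd_policy=shadow, the name of an LDAP attribute holding an Active Directory pwdLastSet value (a Windows FILETIME: 100-nanosecond intervals since 1601-01-01). It is used as a fallback when the attribute named by ldap_user_shadow_last_change is not present in the entry."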
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index e45d5b3..5ebd72c 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -286,7 +286,8 @@ static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
return EINVAL;
}
} else if (strcasecmp(pwd_policy, PWD_POL_OPT_SHADOW) == 0) {
- mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);
+ mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL) |
+ ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_ADS_LASTCHANGE, NULL);
if (mark != NULL) {
DEBUG(9, ("Found shadow password expiration attributes.\n"))
spwd = talloc_zero(mem_ctx, struct spwd);
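Review bot: `ldb_msg_find_attr_as_string(...) | ldb_msg_find_attr_as_string(...)` applies the bitwise-OR operator to two `const char *` operands, which is not valid C (the compiler rejects `|` on pointer types), and even conceptually it would not produce "the first non-NULL pointer". Use a sequential lookup instead: `mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL); if (mark == NULL) mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_ADS_LASTCHANGE, NULL);`.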
@@ -297,6 +298,12 @@ static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);
ret = string_to_shadowpw_days(val, &spwd->sp_lstchg);
+
+ /* Fallback to pwdLastSet for ADS */
+ if (ret != EOK) {
+ val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_ADS_LASTCHANGE, NULL);
+ ret = ads_pwdlastset_to_shadowpw_days(val, &spwd->sp_lstchg);
+ }
if (ret != EOK) goto shadow_fail;
val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_MIN, NULL);
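Review bot: keying the pwdLastSet fallback on `ret != EOK` looks like it misses the common case. The new ads_pwdlastset_to_shadowpw_days() in this same patch treats a NULL or empty string as success with *d = -1; if string_to_shadowpw_days() behaves the same way (it is called here with `val` possibly NULL), an AD entry that has pwdLastSet but no shadowLastChange gets ret == EOK, sp_lstchg == -1, and never reaches the fallback. Key the fallback on `val == NULL` (or on sp_lstchg == -1 after the first conversion) instead. As written, the fallback also silently masks a genuine parse error in a present but malformed shadowLastChange value, which the subsequent `goto shadow_fail` was meant to surface.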
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 9eb9cc3..22c9bb7 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -163,6 +163,7 @@ struct sdap_attr_map rfc2307bis_user_map[] = {
{ "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
{ "ldap_user_entry_usn", NULL, SYSDB_USN, NULL },
{ "ldap_user_shadow_last_change", "shadowLastChange", SYSDB_SHADOWPW_LASTCHANGE, NULL },
+ { "ldap_user_ads_last_change", "pwdLastSet", SYSDB_SHADOWPW_ADS_LASTCHANGE, NULL },
{ "ldap_user_shadow_min", "shadowMin", SYSDB_SHADOWPW_MIN, NULL },
{ "ldap_user_shadow_max", "shadowMax", SYSDB_SHADOWPW_MAX, NULL },
{ "ldap_user_shadow_warning", "shadowWarning", SYSDB_SHADOWPW_WARNING, NULL },
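Review bot: the pwdLastSet entry is added only to rfc2307bis_user_map. If the other schema maps (the rfc2307 map, in particular) are parsed from the same option list, the ldap_user_ads_last_change option documented in the man page will be silently ignored for those schemas; either add the same row there or state in the man page that the option only applies to rfc2307bis. Also note that with a non-NULL default of "pwdLastSet", every user lookup now requests this attribute from every LDAP server, not just Active Directory; harmless, but worth a comment since the attribute will be absent almost everywhere else.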
@@ -878,6 +879,48 @@ errno_t string_to_shadowpw_days(const char *s, long *d)
return EOK;
}
+errno_t ads_pwdlastset_to_shadowpw_days(const char *s, long *d)
+{
+ long long ll;
+ long days;
+ char *endptr;
+
+ if (s == NULL || *s == '\0') {
+ *d = -1;
+ return EOK;
+ }
+
+ errno = 0;
+ ll = strtoll(s, &endptr, 10);
+ if (errno != 0) {
+ DEBUG(1, ("strtoll failed [%d][%s].\n", errno, strerror(errno)));
+ return errno;
+ }
+
+ if (*endptr != '\0') {
+ DEBUG(1, ("Input string [%s] is invalid.\n", s));
+ return EINVAL;
+ }
+
+ /* Magic value for password reset */
+ if (ll = 0LL) {
+ DEBUG(9, ("Magic pwdLastSet date 0, password change forced.\n"));
+ *d = 0L;
+ return EOK;
+ }
+
+ days = ll / 864000000000LL - 134774LL;
+
+ if (days < 0L) {
+ DEBUG(1, ("Date is before Jan 1, 1970 [%d].\n", ll));
+ return EINVAL;
+ }
+
+ *d = days;
+
+ return EOK;
+}
+
errno_t get_sysdb_attr_name(TALLOC_CTX *mem_ctx,
struct sdap_attr_map *map,
size_t map_size,
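Review bot: `if (ll = 0LL)` is an assignment, not a comparison. It always evaluates to false and zeroes `ll`, so for every non-empty input the function then computes `days = 0 / 864000000000LL - 134774LL`, hits the `days < 0L` branch and returns EINVAL; the feature can never succeed as written. Use `if (ll == 0LL)`. In the same function: a negative `ll` is not rejected before the division (it slips through to the "before Jan 1, 1970" error by accident, which is fine, but an explicit `ll < 0` check is clearer); the DEBUG in that branch formats a `long long` with `%d` (use `%lld`); and `return errno` after a DEBUG call can return a clobbered value if the logging path touches errno, so save it first (`ret = errno; DEBUG(...); return ret;`).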
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 9146da5..cf301de 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -146,6 +146,7 @@ int setup_child(struct sdap_id_ctx *ctx);
errno_t string_to_shadowpw_days(const char *s, long *d);
+errno_t ads_pwdlastset_to_shadowpw_days(const char *s, long *d);
errno_t get_sysdb_attr_name(TALLOC_CTX *mem_ctx,
struct sdap_attr_map *map,
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 32dc344..fdd5b7a 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -115,6 +115,7 @@ struct sdap_ppolicy_data {
};
#define SYSDB_SHADOWPW_LASTCHANGE "shadowLastChange"
+#define SYSDB_SHADOWPW_ADS_LASTCHANGE "pwdLastSet"
#define SYSDB_SHADOWPW_MIN "shadowMin"
#define SYSDB_SHADOWPW_MAX "shadowMax"
#define SYSDB_SHADOWPW_WARNING "shadowWarning"
--
1.7.4.4
12 years
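The FILETIME-to-shadow-days conversion that the pwdLastSet patch above implements, written out as a stand-alone added example (this is not the patch's code nor SSSD's): it uses a comparison rather than an assignment for the magic zero value, rejects negative and overflowing input, and maps AD's 0 ("must change password at next logon") to the shadow equivalent, sp_lstchg == 0. The constants are the standard ones (100-ns intervals per day, days from 1601-01-01 to 1970-01-01); the function names, the error convention and the sample values are my own and constructed for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* One day in FILETIME units: 86400 seconds * 10^7 100-ns intervals/second. */
#define FILETIME_PER_DAY   864000000000LL
/* Whole days between the FILETIME epoch (1601-01-01) and the Unix epoch. */
#define DAYS_1601_TO_1970  134774LL

/*
 * Convert an Active Directory pwdLastSet value (the decimal string form of a
 * Windows FILETIME) to days since 1970-01-01, the unit shadowLastChange uses.
 *
 * Returns 0 and sets *days on success.  A pwdLastSet of exactly 0 is AD's
 * "user must change password at next logon" marker and is mapped to the
 * shadow equivalent, sp_lstchg == 0.  Returns EINVAL for NULL/empty input,
 * trailing junk, overflow, negative values, or dates before 1970, so the
 * caller decides whether to fall back to another attribute or fail.
 */
int pwdlastset_to_shadow_days(const char *s, long *days)
{
    long long ft, d;
    char *end;

    if (s == NULL || *s == '\0' || days == NULL) {
        return EINVAL;
    }

    errno = 0;
    ft = strtoll(s, &end, 10);
    if (errno == ERANGE) {
        return EINVAL;          /* value does not fit in 64 bits */
    }
    if (end == s || *end != '\0') {
        return EINVAL;          /* no digits, or trailing characters */
    }

    if (ft == 0) {              /* "==", not "=": the forced-change marker */
        *days = 0;
        return 0;
    }
    if (ft < 0) {
        return EINVAL;          /* a negative FILETIME is not a date */
    }

    d = ft / FILETIME_PER_DAY - DAYS_1601_TO_1970;
    if (d < 0 || d > LONG_MAX) {
        return EINVAL;          /* before 1970, or unrepresentable as long */
    }

    *days = (long)d;
    return 0;
}

/* Convenience wrapper: days on success, -1 on any error. */
long pwdlastset_days_or_neg(const char *s)
{
    long days;
    return pwdlastset_to_shadow_days(s, &days) == 0 ? days : -1;
}

int main(void)
{
    /* Constructed sample values, not captured from a real directory. */
    const char *samples[] = {
        "116444736000000000",   /* 1970-01-01 00:00:00 -> day 0 */
        "129404736000000000",   /* day 15000 after the Unix epoch */
        "0",                    /* password change forced */
        "-1",                   /* negative: reject */
        "1234abc",              /* trailing junk: reject */
        "99999999999999999999"  /* overflows long long: reject */
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        long days;
        int rc = pwdlastset_to_shadow_days(samples[i], &days);
        if (rc == 0) {
            printf("%-22s -> shadowLastChange %ld\n", samples[i], days);
        } else {
            printf("%-22s -> rejected (errno %d)\n", samples[i], rc);
        }
    }
    return 0;
}
```

One caveat the conversion cannot avoid: a pwdLastSet that falls exactly on 1970-01-01 also yields day 0 and is indistinguishable from the forced-change marker on the shadow side. Active Directory never writes that value for a real password change, so in practice this is only a concern for hand-edited test data.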