[PATCH] Allow more libldap debugging
by Jakub Hrozek
This patch should not be pushed to master, but I would like to get it
reviewed anyway.
It should be used to provide a custom build for users experiencing cases
where ldap_search_ext would block (c.f.
https://bugzilla.redhat.com/show_bug.cgi?id=728343)
For example:
export SSSD_DEBUG_LDAP_SEARCH="0xffff"
would set LDAP_DEBUG_ANY
The attached patch applies cleanly on the RHEL6.1 branch. I also have a
version that applies on master/1.5 if needed.
11 years
[INI] Patches for ding-libs: Merging config sections, handling metadata, remaining Coverity issues...
by Dmitri Pal
Please see the attached patches. I tried to split the patches logically
into manageable sets.
Unfortunately I made a minor mistake and I am afraid I will do something
wrong to fix it.
I merged two wrong patches. Fortunately it was three liner with 1 liner
so it is not a big of the deal but I am really scared that I will do
something wrong and loose the work I have done.
So I hope it is Ok to send it as is.
0001--INI-Making-Coverity-happy.patch <- this is the patch I submitted
earlier that I merged by mistake. I was supposed to merge it with patch
25 but picked the wrong one instead.
Patch 25 addresses the real issue found by Coverity as mentioned in
Stephen's review mail but it did not apply cleanly since it relies on
some code from the patches in the middle.
0002--INI-Adding-missing-function-declararion.patch <- this is the
patch that was rejected from the second set sent earlier. Fixed
according to review comment.
0003--BUILD-Allow-trace-per-component.patch <- This patch allows tracing
per component
The following set of patches introduces the merging of sections during
the reading of the file:
0004--INI-New-error-codes-and-messages.patch
0005--INI-New-merge-flags.patch
0006--INI-Add-new-vars-to-parse-structure.patch
0007--INI-Add-save_error-function.patch
0008--INI-Change-parse_error-to-use-save_error.patch
0009--INI-Preparing-for-merging-sections.patch
0010--INI-Enhance-value-processing.patch
0011--INI-Use-section-line-number.patch
0012--INI-Refactor-section-processing.patch
0013--INI-Return-error-in-DETECT-mode.patch
0014--INI-New-test-files-for-section-merge.patch
0015--INI-Test-DETECT-mode-and-use-new-file.patch
0016--INI-Test-for-all-section-merge-modes.patch
Patches related porting of the meta data from old way of doing things to
the new way of doing things:
0017--INI-Separate-close-and-destroy.patch
0018--INI-Function-to-reopen-file.patch
0019--INI-Metadata-collection-is-gone.patch
0020--INI-Check-access-function.patch
0021--INI-Avoid-double-free.patch <- patch related to 17 (missed check)
0022--INI-Function-to-check-for-changes.patch
0023--INI-Tests-for-access-and-changes.patch
0024--INI-Rename-error-print-function.patch <- rename error printing
function for consistency with new interface
0025--INI-Initialize-variables-in-loops.patch <- Coverity issue
addressed. Related to patch 0001.
0026--INI-Exposing-functions.patch <- Make some internal functions reusable
There is also patch 27. It is a piece of new functionality. It is a
preview. Please see the comment before reviewing it.
Do I need to split it into multiple patches or it is Ok as is? It is
pretty big but all changes are in one file and logically related.
The UNIT test is missing so I am not claiming it actually works as
expected.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
11 years, 8 months
[PATCH 0/4]: Actual memory cache implementation
by Simo Sorce
>From [PATCH 0/0] A shared memory cache to perform better:
0/4: Actual memory cache implementation
These is the bulk of the work, these patches are still a bit rough at
the edges, grep for FIXMEs and TODOs and you'll see some plumbing (for
example configure options in sssd to set expiration time and cache sizes
are missing and are still harcoded).
Simo.
--
Simo Sorce * Red Hat, Inc * New York
11 years, 8 months
[PATCH] Keep sysdb context in domain info struct
by Sumit Bose
Hi,
a few days ago I send a draft patch where the sysdb context is stored
in the domain info struct. I created a patch which is a bot more
conservative than the last one and included the comments by Simo (added
a destructor and don't unconditionally add the context all the time).
This patch will make the handling of sub-domains much easier, because
now only the domain info struct for the sub-domains needs to be
up-to-date.
bye,
Sumit
11 years, 9 months
sssd 1.7.x on Fedora 16 ?
by Marco Pizzoli
Hi again,
What if I wish to play with sssd 1.7 on Fedora 16?
Are rpms available somewhere? I only find those for Fedora 17 rawhide.
Thanks in advance, again
Marco
--
_________________________________________
Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi.
Jim Morrison
11 years, 10 months
Re: [SSSD] SUDO Integration - in-memory cache
by Jakub Hrozek
Resending, hopefully the mailman issues are gone now..
On Fri, Jan 27, 2012 at 11:39:17AM +0100, Jakub Hrozek wrote:
> On Thu, Jan 26, 2012 at 04:35:04PM +0100, Pavel Březina wrote:
> > Dne 25.1.2012 20:50, Jakub Hrozek napsal(a):
> > >On Wed, Jan 25, 2012 at 08:44:40PM +0100, Jakub Hrozek wrote:
> > >>On Tue, Jan 24, 2012 at 03:10:32PM +0100, Pavel Březina wrote:
> > >>>https://fedorahosted.org/sssd/ticket/1111
> > >>>
> > >>>Requires cn=defaults patches.
> > >>>
> > >>>Please note, that the new sudo responder option (cache_timeout) will
> > >>>be added to SSSDConfig.py as a part of #1144.
> > >>
> > >>Nack,
> > >>
> > >>Please name the new option "sudo_cache_timeout" to avoid name-clash with
> > >>the general cache timeout. Cache timeouts are being separated in 1.8
> > >>anyway.
> >
> > Done.
> >
> > >>Nitpick: sudosrc_cache.c has the diacritics in your surname mangled.
> >
> > I don't know how that happened, I hope that it is alright this time.
> >
> > >>I would prefer to have a different prefix than res_ in struct
> > >>sudo_cache_entry. I realize that res is a common name used for
> > >>sysdb_attrs but that's largely used as a shorthand for "result". Simply
> > >>using "rules" and "num_rules" would be nicer.
> >
> > Done.
> >
> > >>The way FQDN-only domains are skipped is different from the
> > >>"cn=defaults" patch (and I prefer that approach). In this patch,
> > >>only the first domain is checked for being FQDN-only,
> >
> > I'm sorry, I don't follow. Could you provide me some more information?
> > However, I've corrected a bug in sudosrv_cache_lookup() where I was
> > passing dctx->domain instead of domain as a parameter. It is fixed
> > in this patch.
> >
> >
> > I think it would
> > >>be better to move the check into the loop, or (and that probably better)
> > >>move the cache into sudosrv_get_rules().
> >
> > Are you getting at this situation?
> > - We have domains A and B
> > - User x@B
> > - x@B calls 'sudo cmd' which stores rules for this user into sysdb
> > and into in-memory cache
> > - we create user x@A
> > - x@A uses sudo but it would use the rules for x@B until the
> > in-memory cache is expired
> >
> > Your solution would certainly work for this situation but there
> > wouldn't be the need of in-memory cache anymore, we can use just
> > sysdb.
> >
> > The purpose of having in-memory cache is for the sudo request to be
> > as fast as possible. And I would like to point out that it is still
> > just a cache - and cache doesn't have to be necessary current.
> >
> > >>Also please remove the FIXME from sudosrv_get_rules().
> >
> > Thank you. I've also removed the other cache related FIXME, because
> > I believe it is sorted out this way. Please, correct me if I'm
> > wrong.
> >
> >
> > >One more thing - the new option needs to be documented in man pages and
> > >settable by the configAPI.
> >
> > Unfortunately it is not that simple. This affects the config tests
> > as it requires support of a new responder in the tests. It will be
> > done in #1144.
> >
> > Thank you for the review.
> >
>
> I should have bring this up sooner but I this it is much cleaner that
> the entries are deleted with a tevent timer after their TTL is over than
> checking if they are valid when reading them from the hash.
>
> The cache logic can then be reduced to looking up an entry in the hash.
>
> Check out pam_initgr_cache_remove() for an example.
11 years, 10 months
[PATCHES][PRELIMINARY] Support of SELinux user maps in SSSD
by Jan Zelený
Hi,
I'm sending all patches implementing support for SELinux user maps. Some
support patches are included as well.
#0001:
Implemented support for multiple search bases in HBAC rules and services. As
discussed before, this is not strictly needed, but I did it anyway to unify
the approach to multiple search bases. Just a reminder: the plan is to use
these structures and then limit maximal number of search bases to 1 since
there is no support in IPA server for more bases anyway.
#0002:
This fixes minor regression brought by my previous patch which is already
pushed (multiple search bases in IPA hosts).
#0003:
Add generic routines to retrieve IPA configuration object. These routines will
be used in other parts of the code.
#0004:
Rewrite retrieval of password migration flag from IPA config to user previously
implemented generic IPA config interface.
#0005:
Some sysdb netgroup attributes will be used in SELinux user maps. They will
also have the same semantics, therefore they should be renamed and then re-
used.
#0006:
Some sysdb routines for SELinux support. Please note that some routines are
written in very generic way - I'd like to use them also elsewhere in the
current code, perhaps as a part of some sysdb refactoring.
#0007:
Utility functions for SELinux map matching against information about current
user and host.
#0008:
SELinux user maps support in IPA provider. Also generig data provider related
code is here. I'm considering splitting this patch in two or three. Let me
know your opinion.
#0009:
Responder support of SELinux user maps - retrieve all applicable maps from
sysbd and create content of the user mapping file
/etc/selinux/<policy>/logins/<usernale>
#0010:
Get the file content from PAM responder and write it to the file. I'm not
completely sure whether or not to implement some kind of locking to prevent
possible race conditions when reading/writing to this file.
Thanks in advance for the review. Any advices how to improve the code will be
appreciated.
Jan
11 years, 10 months
SUDO: provide manual pages
by Jakub Hrozek
Unfortunately Pavel did not have enough time to finish all the sudo
related tickets that would change strings and therefore must be done in
time for 1.7.9.
I've been pulling patches from his personal git tree, finishing and
polishing them up as appropriate. Attached are two patches that build
sudo-related manual pages.
https://fedorahosted.org/sssd/ticket/1109
[PATCH 1/2] SUDO Integration - manual page
This is Pavel's original patch. I just removed documentation on one
option that is not yet in master and squashed it into the appropriate
patch that I will send for review later.
[PATCH 2/2] Include sudo manual pages only conditionally
Sudo is still an experimental feature. We don't want to document it for
builds that do not include the sudo feature.
I used the "profiling" feature of DocBook to achieve that:
http://www.sagehill.net/docbookxsl/Profiling.html
Each subsequent experimental feature would then just add a new CONDS+=
to the Makefile and mark the optional section with the standard DocBook
"condition" parameter.
The patch also marks the sections in the man page as experimental.
11 years, 10 months
