sssd-devel January 2012

sssd-devel@lists.fedorahosted.org

18 participants
67 discussions

[PATCH] Allow more libldap debugging
by Jakub Hrozek 28 Nov '12

28 Nov '12

This patch should not be pushed to master, but I would like to get it reviewed anyway. It should be used to provide a custom build for users experiencing cases where ldap_search_ext would block (c.f. https://bugzilla.redhat.com/show_bug.cgi?id=728343) For example: export SSSD_DEBUG_LDAP_SEARCH="0xffff" would set LDAP_DEBUG_ANY The attached patch applies cleanly on the RHEL6.1 branch. I also have a version that applies on master/1.5 if needed.

4 7

[INI] Patches for ding-libs: Merging config sections, handling metadata, remaining Coverity issues...
by Dmitri Pal 05 Apr '12

05 Apr '12

Please see the attached patches. I tried to split the patches logically into manageable sets. Unfortunately I made a minor mistake and I am afraid I will do something wrong to fix it. I merged two wrong patches. Fortunately it was three liner with 1 liner so it is not a big of the deal but I am really scared that I will do something wrong and loose the work I have done. So I hope it is Ok to send it as is. 0001--INI-Making-Coverity-happy.patch <- this is the patch I submitted earlier that I merged by mistake. I was supposed to merge it with patch 25 but picked the wrong one instead. Patch 25 addresses the real issue found by Coverity as mentioned in Stephen's review mail but it did not apply cleanly since it relies on some code from the patches in the middle. 0002--INI-Adding-missing-function-declararion.patch <- this is the patch that was rejected from the second set sent earlier. Fixed according to review comment. 0003--BUILD-Allow-trace-per-component.patch <- This patch allows tracing per component The following set of patches introduces the merging of sections during the reading of the file: 0004--INI-New-error-codes-and-messages.patch 0005--INI-New-merge-flags.patch 0006--INI-Add-new-vars-to-parse-structure.patch 0007--INI-Add-save_error-function.patch 0008--INI-Change-parse_error-to-use-save_error.patch 0009--INI-Preparing-for-merging-sections.patch 0010--INI-Enhance-value-processing.patch 0011--INI-Use-section-line-number.patch 0012--INI-Refactor-section-processing.patch 0013--INI-Return-error-in-DETECT-mode.patch 0014--INI-New-test-files-for-section-merge.patch 0015--INI-Test-DETECT-mode-and-use-new-file.patch 0016--INI-Test-for-all-section-merge-modes.patch Patches related porting of the meta data from old way of doing things to the new way of doing things: 0017--INI-Separate-close-and-destroy.patch 0018--INI-Function-to-reopen-file.patch 0019--INI-Metadata-collection-is-gone.patch 0020--INI-Check-access-function.patch 0021--INI-Avoid-double-free.patch <- patch related to 17 (missed check) 0022--INI-Function-to-check-for-changes.patch 0023--INI-Tests-for-access-and-changes.patch 0024--INI-Rename-error-print-function.patch <- rename error printing function for consistency with new interface 0025--INI-Initialize-variables-in-loops.patch <- Coverity issue addressed. Related to patch 0001. 0026--INI-Exposing-functions.patch <- Make some internal functions reusable There is also patch 27. It is a piece of new functionality. It is a preview. Please see the comment before reviewing it. Do I need to split it into multiple patches or it is Ok as is? It is pretty big but all changes are in one file and logically related. The UNIT test is missing so I am not claiming it actually works as expected. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/

4 30

[PATCH 0/4]: Actual memory cache implementation
by Simo Sorce 19 Mar '12

19 Mar '12

>From [PATCH 0/0] A shared memory cache to perform better: 0/4: Actual memory cache implementation These is the bulk of the work, these patches are still a bit rough at the edges, grep for FIXMEs and TODOs and you'll see some plumbing (for example configure options in sssd to set expiration time and cache sizes are missing and are still harcoded). Simo. -- Simo Sorce * Red Hat, Inc * New York

4 21

[PATCH] Keep sysdb context in domain info struct
by Sumit Bose 29 Feb '12

29 Feb '12

Hi, a few days ago I send a draft patch where the sysdb context is stored in the domain info struct. I created a patch which is a bot more conservative than the last one and included the comments by Simo (added a destructor and don't unconditionally add the context all the time). This patch will make the handling of sub-domains much easier, because now only the domain info struct for the sub-domains needs to be up-to-date. bye, Sumit

3 7

sssd 1.7.x on Fedora 16 ?
by Marco Pizzoli 07 Feb '12

07 Feb '12

Hi again, What if I wish to play with sssd 1.7 on Fedora 16? Are rpms available somewhere? I only find those for Fedora 17 rawhide. Thanks in advance, again Marco -- _________________________________________ Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi. Jim Morrison

4 8

[PATCH] SUDO: Introduce a new configure option --with-sudo
by Jakub Hrozek 04 Feb '12

04 Feb '12

We will want to set this option (but perhaps not --enable-all-experimental-features) for F17 to be able to build the sudo library. https://fedorahosted.org/sssd/ticket/1145 At the time being the option is also turned on when --enable-all-experimental-features is specified. The second patch does the refactoring mentioned in #1145 - just moves code around so that there are no #ifdefs in the main part of LDAP code.

2 10

[PATCH] SUDO Integration - sudo_timed option for responder
by Pavel Březina 04 Feb '12

04 Feb '12

https://fedorahosted.org/sssd/ticket/1116 Adds option 'sudo_timed' to responder.

4 13

Re: [SSSD] SUDO Integration - in-memory cache
by Jakub Hrozek 02 Feb '12

02 Feb '12

Resending, hopefully the mailman issues are gone now.. On Fri, Jan 27, 2012 at 11:39:17AM +0100, Jakub Hrozek wrote: > On Thu, Jan 26, 2012 at 04:35:04PM +0100, Pavel Březina wrote: > > Dne 25.1.2012 20:50, Jakub Hrozek napsal(a): > > >On Wed, Jan 25, 2012 at 08:44:40PM +0100, Jakub Hrozek wrote: > > >>On Tue, Jan 24, 2012 at 03:10:32PM +0100, Pavel Březina wrote: > > >>>https://fedorahosted.org/sssd/ticket/1111 > > >>> > > >>>Requires cn=defaults patches. > > >>> > > >>>Please note, that the new sudo responder option (cache_timeout) will > > >>>be added to SSSDConfig.py as a part of #1144. > > >> > > >>Nack, > > >> > > >>Please name the new option "sudo_cache_timeout" to avoid name-clash with > > >>the general cache timeout. Cache timeouts are being separated in 1.8 > > >>anyway. > > > > Done. > > > > >>Nitpick: sudosrc_cache.c has the diacritics in your surname mangled. > > > > I don't know how that happened, I hope that it is alright this time. > > > > >>I would prefer to have a different prefix than res_ in struct > > >>sudo_cache_entry. I realize that res is a common name used for > > >>sysdb_attrs but that's largely used as a shorthand for "result". Simply > > >>using "rules" and "num_rules" would be nicer. > > > > Done. > > > > >>The way FQDN-only domains are skipped is different from the > > >>"cn=defaults" patch (and I prefer that approach). In this patch, > > >>only the first domain is checked for being FQDN-only, > > > > I'm sorry, I don't follow. Could you provide me some more information? > > However, I've corrected a bug in sudosrv_cache_lookup() where I was > > passing dctx->domain instead of domain as a parameter. It is fixed > > in this patch. > > > > > > I think it would > > >>be better to move the check into the loop, or (and that probably better) > > >>move the cache into sudosrv_get_rules(). > > > > Are you getting at this situation? > > - We have domains A and B > > - User x@B > > - x@B calls 'sudo cmd' which stores rules for this user into sysdb > > and into in-memory cache > > - we create user x@A > > - x@A uses sudo but it would use the rules for x@B until the > > in-memory cache is expired > > > > Your solution would certainly work for this situation but there > > wouldn't be the need of in-memory cache anymore, we can use just > > sysdb. > > > > The purpose of having in-memory cache is for the sudo request to be > > as fast as possible. And I would like to point out that it is still > > just a cache - and cache doesn't have to be necessary current. > > > > >>Also please remove the FIXME from sudosrv_get_rules(). > > > > Thank you. I've also removed the other cache related FIXME, because > > I believe it is sorted out this way. Please, correct me if I'm > > wrong. > > > > > > >One more thing - the new option needs to be documented in man pages and > > >settable by the configAPI. > > > > Unfortunately it is not that simple. This affects the config tests > > as it requires support of a new responder in the tests. It will be > > done in #1144. > > > > Thank you for the review. > > > > I should have bring this up sooner but I this it is much cleaner that > the entries are deleted with a tevent timer after their TTL is over than > checking if they are valid when reading them from the hash. > > The cache logic can then be reduced to looking up an entry in the hash. > > Check out pam_initgr_cache_remove() for an example.

1 1

[PATCHES][PRELIMINARY] Support of SELinux user maps in SSSD
by Jan Zelený 02 Feb '12

02 Feb '12

Hi, I'm sending all patches implementing support for SELinux user maps. Some support patches are included as well. #0001: Implemented support for multiple search bases in HBAC rules and services. As discussed before, this is not strictly needed, but I did it anyway to unify the approach to multiple search bases. Just a reminder: the plan is to use these structures and then limit maximal number of search bases to 1 since there is no support in IPA server for more bases anyway. #0002: This fixes minor regression brought by my previous patch which is already pushed (multiple search bases in IPA hosts). #0003: Add generic routines to retrieve IPA configuration object. These routines will be used in other parts of the code. #0004: Rewrite retrieval of password migration flag from IPA config to user previously implemented generic IPA config interface. #0005: Some sysdb netgroup attributes will be used in SELinux user maps. They will also have the same semantics, therefore they should be renamed and then re- used. #0006: Some sysdb routines for SELinux support. Please note that some routines are written in very generic way - I'd like to use them also elsewhere in the current code, perhaps as a part of some sysdb refactoring. #0007: Utility functions for SELinux map matching against information about current user and host. #0008: SELinux user maps support in IPA provider. Also generig data provider related code is here. I'm considering splitting this patch in two or three. Let me know your opinion. #0009: Responder support of SELinux user maps - retrieve all applicable maps from sysbd and create content of the user mapping file /etc/selinux/<policy>/logins/<usernale> #0010: Get the file content from PAM responder and write it to the file. I'm not completely sure whether or not to implement some kind of locking to prevent possible race conditions when reading/writing to this file. Thanks in advance for the review. Any advices how to improve the code will be appreciated. Jan

2 5

SUDO: provide manual pages
by Jakub Hrozek 01 Feb '12

01 Feb '12

Unfortunately Pavel did not have enough time to finish all the sudo related tickets that would change strings and therefore must be done in time for 1.7.9. I've been pulling patches from his personal git tree, finishing and polishing them up as appropriate. Attached are two patches that build sudo-related manual pages. https://fedorahosted.org/sssd/ticket/1109 [PATCH 1/2] SUDO Integration - manual page This is Pavel's original patch. I just removed documentation on one option that is not yet in master and squashed it into the appropriate patch that I will send for review later. [PATCH 2/2] Include sudo manual pages only conditionally Sudo is still an experimental feature. We don't want to document it for builds that do not include the sudo feature. I used the "profiling" feature of DocBook to achieve that: http://www.sagehill.net/docbookxsl/Profiling.html Each subsequent experimental feature would then just add a new CONDS+= to the Makefile and mark the optional section with the standard DocBook "condition" parameter. The patch also marks the sections in the man page as experimental.

2 5

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel January 2012