[PATCH] Ghost user related fixes to the memberof plugin
by Jakub Hrozek
Hi,
this thread obsoletes the previous memberof related threads into a single one
to make it easier for the reviewers to apply the patches without having to
guess the dependencies. The patches should apply cleanly on origin/master. In
addition to bringing all the patches together, this set also addresses some
of Simo's concerns, in particular the ghost users are better explained in
the big comment blocks above each major memberof operation.
The patches implement the missing operations of the memberof plugin
related to ghost users - delete and modify. The mod operation is given
some special care because not only do we need to propagate the modification
to parent groups, but we also need to retain the inherited ghost attributes.
The intent is to fix issues such as #1652. Most patches also include
unit tests to make sure we don't break existing memberof plugin
functionality.
More information is in the patches themselves or in the commit messages.
10 years, 3 months
[PATCH 0/5] [REV.1] Properly invalidate mmap cache data
by Simo Sorce
This revision will address the segfault occurring with cold caches.
I fixed 2 aspects.
1) I fixed the actual segfault where it was occurring by simply returning early
from the function if gnum == 0, because in that case there are no groups we can
invalidate anyway.
2) I now check and return short in the provider code if initgroups returns either 0
results or 1 result, because in that case it means that the user either does
not exist at all or it is there but memberships have never been filled in, so
again there is really nothing to check in NSS.
The rest is unchanged.
Simo Sorce (5):
mmap cache: public functions to invalidate records
Hook to perform a mmap cache update from sssd_nss
Hook for mmap cache update on initgroup calls
Add backchannel NSS provider query on initgr calls
Always append rctx as private data
src/providers/data_provider.h | 7 +
src/providers/data_provider_be.c | 165 ++++++++++++++++++++++++++
src/responder/common/responder_common.c | 2 +-
src/responder/nss/nsssrv.c | 68 +++++++++++
src/responder/nss/nsssrv_cmd.c | 191 +++++++++++++++++++++++++++++++
src/responder/nss/nsssrv_mmap_cache.c | 125 ++++++++++++++++++++
src/responder/nss/nsssrv_mmap_cache.h | 10 ++
src/responder/nss/nsssrv_private.h | 6 +
8 files changed, 573 insertions(+), 1 deletions(-)
10 years, 3 months
[PATCH 0/5] Properly invalidate mmap cache data
by Simo Sorce
At login time we force a remote initgroups call to make sure the user's group
memberships are fully up to date. However we were not updating the mmap
cache data so some groups may persist there with invalid data if they changed
and were not yet expired in the cache.
This patch set implements a callback mechanism so that when a provider receives
an initgr call request it records the list of groups (by gid) available before
the online refresh; then, before returning, it sends the data to the NSS provider
so it can verify if anything changed.
If something changed the NSS provider will invalidate all groups in the mmap
cache and will let the normal getpw/getgr calls re-populate the cache later.
Note that any other changes in the cache happen only if the mmap cache is
already expired, so there is no need to invalidate the mmap cache in any other
situation at the moment.
Addresses:
https://fedorahosted.org/sssd/ticket/1671
Simo Sorce (5):
mmap cache: public functions to invalidate records
Hook to perform a mmap cache update from sssd_nss
Hook for mmap cache update on initgroup calls
Add backchannel NSS provider query on initgr calls
Always append rctx as private data
src/providers/data_provider.h | 7 +
src/providers/data_provider_be.c | 163 +++++++++++++++++++++++++++
src/responder/common/responder_common.c | 2 +-
src/responder/nss/nsssrv.c | 68 +++++++++++
src/responder/nss/nsssrv_cmd.c | 187 +++++++++++++++++++++++++++++++
src/responder/nss/nsssrv_mmap_cache.c | 125 +++++++++++++++++++++
src/responder/nss/nsssrv_mmap_cache.h | 10 ++
src/responder/nss/nsssrv_private.h | 6 +
8 files changed, 567 insertions(+), 1 deletions(-)
10 years, 3 months
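The compare-and-invalidate logic described in this cover letter, together with the two early returns from the REV.1 posting above (gnum == 0 on the responder side, and initgroups yielding 0 or 1 results on the provider side), as an added example that is not sssd's own code. The struct and function names, and the flat group table standing in for the mmap cache, are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>
/* Constructed stand-in for the mmap cache: a flat table of group records.
 * Names are hypothetical; sssd's real cache layout is not modelled. */
struct mc_group { gid_t gid; bool valid; };
struct mc_cache { struct mc_group *groups; size_t count; };

/* Provider side: an initgroups lookup yields the user entry plus one entry
 * per group. 0 results: the user does not exist; 1 result: the user exists
 * but memberships were never filled in. Either way there is nothing for the
 * NSS responder to compare, so the backchannel call is skipped. */
bool initgr_worth_checking(size_t initgr_results)
{
    return initgr_results > 1;
}

static bool contains(const gid_t *list, size_t n, gid_t gid)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == gid) return true;
    return false;
}

/* Order-insensitive comparison of the gid list recorded before the online
 * refresh with the list seen afterwards (each list holds unique gids, as
 * initgroups results do). */
bool gid_sets_differ(const gid_t *before, size_t n_before,
                     const gid_t *after, size_t n_after)
{
    if (n_before != n_after) return true;
    for (size_t i = 0; i < n_before; i++)
        if (!contains(after, n_after, before[i])) return true;
    return false;
}

/* Responder side: if the membership set changed, invalidate every valid
 * group record (later getgr calls repopulate) and return the count. With
 * gnum == 0 there is nothing to compare, so return early (cold-cache fix). */
size_t mc_invalidate_if_changed(struct mc_cache *cache,
                                const gid_t *before, size_t gnum,
                                const gid_t *after, size_t n_after)
{
    if (gnum == 0 || !gid_sets_differ(before, gnum, after, n_after))
        return 0;
    size_t n = 0;
    for (size_t i = 0; i < cache->count; i++)
        if (cache->groups[i].valid) { cache->groups[i].valid = false; n++; }
    return n;
}
```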
[PATCH] MEMBEROF: Implement delete operation for ghost users
by Jakub Hrozek
https://fedorahosted.org/sssd/ticket/1668
The memberof plugin only expanded the ghost users attribute to
parents when adding a nested group, but didn't implement the reverse
operation.
This bug resulted in users being reported as group members even
after the direct parent went away, as the expanded ghost attributes were
never removed from the parent entry.
There seems to be a lot of similarity between memberuid and ghost
attributes in the memberof plugin. Maybe the code would benefit from
some more generic functions? But given the time constraints, I would
prefer the refactoring to happen post-1.9.3.
10 years, 3 months
How to tune the failover mechanism?
by Olivier
Hello everyone,
I use sssd to authenticate users on redhat boxes,
as a layer between pam and my ldap servers.
User ldap accounts are announced by 3 replicated
(open)ldap servers.
I have declared my 3 servers in sssd.conf:
ldap_uri: ldap://ldap1.example.fr,ldap://ldap2.example.fr,ldap://ldap3.example.fr
That works, but I would like now to better tune the
sssd failover and cache function offered by sssd,
and I'm a bit stuck.
Questions:
1- about the failover mechanism, I read in the sssd-ldap man page:
"If the resolution attempt succeeds, the back end tries to connect to
a service on this machine. If the service connection attempt fails, then only
this particular service is considered offline and the back end automatically
switches over to the next service."
Is there any way to tune the "timeout" after which the backend considers
that the attempt to connect to a server has failed and therefore that it's time
to try the next one?
2- I'm a bit stuck configuring the behaviour of the boxes with regard to
the sssd cache (in other words, I have not perfectly understood under
which condition sssd returns cached information rather than querying
ldap and how to tune that).
Intuitively, I would like something like the sssd cache for an entry to be returned
rather than querying ldap if:
-> the cache was "recently" refreshed for that entry (not sure what I
should mean by "recently")
-> no ldap server responds (I suspect that this would be tuned with
"ldap_search_timeout"?)
Any help from anyone?
Thanks,
---
Olivier
10 years, 3 months
[PATCH 0/5] Rev 3: Fix various tevent_req style and naming issues
by Simo Sorce
This revision should address all concerns raised by Pavel for code that I
actually changed from the original. For patch 1 a clarification I can't
make was asked. I 'fixed' the code as I realized I copied a debug statement
wrapped in an if statement that wasn't in the original code I moved around,
so I simply dropped it (the statement is still present but later on in another
part of the code, where it remains from the original code).
For patch 4 I completely changed approach and simplified the code even more by
removing the switch statement completely. Thanks Pavel, that code looks even
better to me now :)
Simo Sorce (5):
Fix tevent_req style for krb5_auth
Fix ipa_subdomain_id names and tevent_req style
Fix tevent_req style for get_netgroup in ipa_id
Streamline ipa_account_info handler
Use an entry type mask macro to filter entry types
src/providers/data_provider.h | 1 +
src/providers/ipa/ipa_id.c | 294 +++++++--------
src/providers/ipa/ipa_id.h | 10 +-
src/providers/ipa/ipa_subdomains_id.c | 75 ++---
src/providers/krb5/krb5_access.c | 6 +-
src/providers/krb5/krb5_auth.c | 683 ++++++++++++++++-----------------
src/providers/krb5/krb5_auth.h | 6 +-
src/providers/krb5/krb5_wait_queue.c | 12 +-
src/providers/ldap/ldap_id.c | 2 +-
src/providers/proxy/proxy_id.c | 2 +-
10 files changed, 505 insertions(+), 586 deletions(-)
10 years, 3 months