sssd-devel March 2012

sssd-devel@lists.fedorahosted.org

21 participants
80 discussions

[PATCH] Allow more libldap debugging
by Jakub Hrozek 28 Nov '12

28 Nov '12

This patch should not be pushed to master, but I would like to get it reviewed anyway. It should be used to provide a custom build for users experiencing cases where ldap_search_ext would block (c.f. https://bugzilla.redhat.com/show_bug.cgi?id=728343) For example: export SSSD_DEBUG_LDAP_SEARCH="0xffff" would set LDAP_DEBUG_ANY The attached patch applies cleanly on the RHEL6.1 branch. I also have a version that applies on master/1.5 if needed.

4 7

[PATCH][PRELIMINARY] sudo: send username and uid while requesting default options
by Pavel Březina 24 Jul '12

24 Jul '12

https://fedorahosted.org/sssd/ticket/1239 [PATCH 1/2] Finally removes EOK constant from sudo api header. It is not used in the SUDO code so it does not require their changes. [PATCH 2/2] This does what is requested in the ticket. It seems to be very huge but in fact it is mainly changing the variable. Basically I tried to get rid of domain ctx where possible, leave it only in initgroups part and use command ctx elsewhere. The in-memory cache is not yet implemented, I want to discuss the possible ways of doing it. The basic problem is that we need to get the domain during the request for default options. How will we do it? I think there are two options: 1. always try to perform the initgroups - find the domain and the check the in-memory cache (which may be slow if the user is in the last domain, but that will be probably handled as part of https://fedorahosted.org/sssd/ticket/1126 2. store uid:username = domain in the in-memory cache (same cache as results or a new one?) This patch contains a modified version of sysdb_get_sudo_user_info() where the uid is not mandatory. I want to replace this function with sysdb_sudo_get_user_groups() (or make it generic and place it in sysdb_ops?) because the groupnames are the only thing we don't know. However this requires a modification of the data provider protocol as well so I'm keeping it for later.

4 32

Support for subdomains - stage 1
by Jan Zelený 24 Apr '12

24 Apr '12

Hi guys, it took me and Sumit some time but we finally have completed the first stage of support for subdomains. I'm sending all patches in attachment. This stage has basic support for subdomains but some pieces like PAC support are left out. We agreed that those can wait for the second stage which depends on some server side changes that are not ready yet. We'll keep you posted. Please note that patches depend on Sumit's previous idmap library patch. I'll get that reviewed either today or tomorrow. #0001 All sysdby routines that are used in later patches #0002 Responder routines for asking provider for a list of supported subdomains #0003 The routine responder_get_domain is modified to look for subdomains as well when looking for the correct domain descriptor #0004 If a request for fully qualified entity (user/group) comes to the responder and its domain has not been found, it updates its list of domains and supported subdomains in each domain. To update the list, a get_domains call is sent to each provider. #0005 Create a list of all domains and subdomains when the first request after start comes in. To create the list, a get_domains call is sent to each provider. #0006 Check sub-domains in nss_cmd_get{pwuid|grgid}_search() #0007 Basic infrastructure for handling get_subdomains requests in providers. #0008 Add the infrastructure in IPA provider which fetches a list of handled subdomains from server and stores in in sysdb. #0009 Currently the connections to the data provider use the same name as the domain. With sub-domains the name of the sub-domain cannot be used to find the right data provider connection, hence we store the name of the connection in a new member. #0010 Support for subdomain name given to provider when calling get_account_info #0011 New ID-related config options for subdomains, these have to be present because IPA provider doesn't provide these values and defaults need to be implemented. Having defaults on the responder level didn't seem right since the policy might differ for each domain. #0012 The routine expand_homedir_template is now used on more place, therefore it was convenient to move it to util code. #0013 s2n extended LDAP operation - this is used to ask IPA server for entities from supported subdomains #0014 Extend IPA ID provider toi support fetching information for entities within subdomains #0015 Support for routing PAM request from reponder to the right provider. Similar case as patches #3-#6 in NSS responder but much more simple. #0016 Basic support (or rather un-support) for subdomains in auth providers. Basically it's designed to acknowledge that the request is not for the main domain but for subdomain and in that case it supports only SSS_PAM_ACCT_MGMT and returns error otherwise. Note that similar thing as the IPA backend change in last hunk is probably not necessary for krb5 backend since when using it, there will be no subdomains for that domain. #0017 Support providing sysdb context and domain info per request, not per backend context. This is necessary for the next patches. #0018 Accept be_req instead of be_ctx in access providers. Together with the previous patch, this is needed for the next one. #0019 Detect if the authorization request came for a user in subdomain and if yes, replace the original backend-wide sysdb context and domain info with their subdomain specific replacements. #0020 Use request-wide sysdb context and domain info instead of their backend-wide counterparts in HBAC. That's all folks, have fun reviewing :) Thanks and bye, Jan and Sumit

5 37

[PATCH] Canonicalize user aliases in the proxy provider
by Jakub Hrozek 20 Apr '12

20 Apr '12

https://fedorahosted.org/sssd/ticket/1249 The patch also reduces code duplication between several error handling switch/case statements and fixes a bug in get_initgr where we would try to cancel a transaction immediately after committing it. Do we also want to canonicalize group names in a similar fashion? To be honest, downloading the whole group twice just for the sake of determining the correct group name seems a little too much to me..

2 6

[PATCH] Two manual pages fixes
by Marco Pizzoli 20 Apr '12

20 Apr '12

As I reported on the mailing list: - sssd.conf man page does not include "autofs" and "ssh" as supported services. https://fedorahosted.org/sssd/ticket/1183 - sssd-ldap.conf man page should have "not set" instead of "none" as a default for the directive ldap_sasl_mech. https://fedorahosted.org/sssd/ticket/1180 Considered these are my first patches, I ask you to report to me everything I made wrong or possibly-doable-better so I can improve for future patches :-) Thanks Marco

5 13

[PATCH] Install all docs
by Pavel Březina 20 Apr '12

20 Apr '12

I've noticed that hbac_doc and libsss_sudo_doc is created during 'make docs' but not installed nor cleaned afterwards. This patch fixes it. It will treat every directory in SSSD_DOCS as a documentation and automatically (un)install it.

2 7

[PATCH] sudo api: return only errno in sss_sudo_make_request()
by Pavel Březina 18 Apr '12

18 Apr '12

https://fedorahosted.org/sssd/ticket/1233 As Jakub suggested, I changed sss_sudo_make_request() to return only errno code, instead of errno and sss_status. I hope this will make the Coverity happy.

3 7

pick up "EXTERNAL MECH" identity to log in
by Olivier 11 Apr '12

11 Apr '12

Hello there Not sure that this is feasable nor that this is the right place to submit this question but I think it is. I use sssd to deal with authentication on my linux boxes : OK I also know how to use external SASL_MECH to bind my ldap server : I have produced and install a certificate with an appropriate subject and signed it by a CA that is known by my ldap server. Like this, I can bind the server over TLS with my identity and without providing any passwd. $ ldapsearch -ZZ uid=olivier SASL/EXTERNAL authentication started SASL username: 0.9.2342.19200300.100.1.1=guillard,ou=staff,dc=example,dc=fr SASL SSF: 0 ...response... Right : nothing new. I was now wondering if there would have any way to annonce my certificate using the "external SASL_MECH" mechanism over a login process to a linux box (let say using ssh), so that pam would not ask me to type a "login" and a "password" to log in ? Don't hesitate to fire if my question is stupid. Thanks, --- Olivier PS, to rephrase that : I'm looking for a way to use a personnal key to login without having to provide a password. ssh keys are not the right solution because I would need to install the public key in every authorized_key on my network ( I would like a centralized solution ). I also found this : http://code.google.com/p/openssh-lpk/ But I don't want to patch ssh if possible since I highly prefere to use standard tools provided as much as possible I'm on RedHat6

3 3

[PATCH] Catch cases where D-Bus connection is NULL
by Jakub Hrozek 05 Apr '12

05 Apr '12

https://fedorahosted.org/sssd/ticket/1270 Is there a better way to proactively detect that there is no D-Bus connection when a request comes in? The attached patch is more of a band-aid for cases where the back end is not running at all but a request comes in anyway.

3 2

[PATCH] Use the correct options counter
by Jakub Hrozek 05 Apr '12

05 Apr '12

https://fedorahosted.org/sssd/ticket/1282 This patch applies on top of the 1.8 branch only. The same bug was already fixed in master in an unrelated commit.

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel March 2012