[PATCH] Allow more libldap debugging
by Jakub Hrozek
This patch should not be pushed to master, but I would like to get it
reviewed anyway.
It should be used to provide a custom build for users experiencing cases
where ldap_search_ext would block (cf.
https://bugzilla.redhat.com/show_bug.cgi?id=728343)
For example:
export SSSD_DEBUG_LDAP_SEARCH="0xffff"
would set LDAP_DEBUG_ANY
The attached patch applies cleanly on the RHEL6.1 branch. I also have a
version that applies on master/1.5 if needed.
11 years
[PATCH][PRELIMINARY] sudo: send username and uid while requesting default options
by Pavel Březina
https://fedorahosted.org/sssd/ticket/1239
[PATCH 1/2]
Finally removes the EOK constant from the sudo api header. It is not used in
the SUDO code, so it does not require changes on their side.
[PATCH 2/2]
This does what is requested in the ticket. It seems to be huge, but
in fact it is mainly changing the variable. Basically I tried to get
rid of the domain ctx where possible, leave it only in the initgroups part and
use the command ctx elsewhere.
The in-memory cache is not yet implemented, I want to discuss the
possible ways of doing it.
The basic problem is that we need to get the domain during the request
for default options. How will we do it? I think there are two options:
1. always try to perform the initgroups - find the domain and then check
the in-memory cache (which may be slow if the user is in the last
domain, but that will probably be handled as part of
https://fedorahosted.org/sssd/ticket/1126)
2. store uid:username = domain in the in-memory cache (same cache as
results or a new one?)
This patch contains a modified version of sysdb_get_sudo_user_info()
where the uid is not mandatory. I want to replace this function with
sysdb_sudo_get_user_groups() (or make it generic and place it in
sysdb_ops?) because the groupnames are the only thing we don't know.
However this requires a modification of the data provider protocol as
well so I'm keeping it for later.
11 years, 4 months
Support for subdomains - stage 1
by Jan Zelený
Hi guys,
it took Sumit and me some time, but we have finally completed the first stage
of support for subdomains. I'm sending all patches in the attachment.
This stage has basic support for subdomains but some pieces like PAC support
are left out. We agreed that those can wait for the second stage which depends
on some server side changes that are not ready yet. We'll keep you posted.
Please note that patches depend on Sumit's previous idmap library patch. I'll
get that reviewed either today or tomorrow.
#0001
All sysdb routines that are used in later patches
#0002
Responder routines for asking provider for a list of supported subdomains
#0003
The routine responder_get_domain is modified to look for subdomains as well
when looking for the correct domain descriptor
#0004
If a request for fully qualified entity (user/group) comes to the responder
and its domain has not been found, it updates its list of domains and
supported subdomains in each domain. To update the list, a get_domains call is
sent to each provider.
#0005
Create a list of all domains and subdomains when the first request after start
comes in. To create the list, a get_domains call is sent to each provider.
#0006
Check sub-domains in nss_cmd_get{pwuid|grgid}_search()
#0007
Basic infrastructure for handling get_subdomains requests in providers.
#0008
Add the infrastructure in the IPA provider which fetches a list of handled
subdomains from the server and stores it in sysdb.
#0009
Currently the connections to the data provider use the same name as the
domain. With sub-domains the name of the sub-domain cannot be used to find the
right data provider connection, hence we store the name of the connection in a
new member.
#0010
Support for subdomain name given to provider when calling get_account_info
#0011
New ID-related config options for subdomains, these have to be present because
IPA provider doesn't provide these values and defaults need to be implemented.
Having defaults on the responder level didn't seem right since the policy
might differ for each domain.
#0012
The routine expand_homedir_template is now used in more places, therefore it
was convenient to move it to the util code.
#0013
s2n extended LDAP operation - this is used to ask IPA server for entities from
supported subdomains
#0014
Extend the IPA ID provider to support fetching information for entities within
subdomains
#0015
Support for routing PAM requests from the responder to the right provider. Similar
case as patches #3-#6 in the NSS responder, but much simpler.
#0016
Basic support (or rather un-support) for subdomains in auth providers.
Basically it's designed to acknowledge that the request is not for the main
domain but for a subdomain, and in that case it supports only SSS_PAM_ACCT_MGMT
and returns an error otherwise. Note that a similar thing as the IPA backend change
in the last hunk is probably not necessary for the krb5 backend, since when using it,
there will be no subdomains for that domain.
#0017
Support providing sysdb context and domain info per request, not per backend
context. This is necessary for the next patches.
#0018
Accept be_req instead of be_ctx in access providers. Together with the
previous patch, this is needed for the next one.
#0019
Detect if the authorization request came for a user in subdomain and if yes,
replace the original backend-wide sysdb context and domain info with their
subdomain specific replacements.
#0020
Use request-wide sysdb context and domain info instead of their backend-wide
counterparts in HBAC.
That's all folks, have fun reviewing :)
Thanks and bye,
Jan and Sumit
11 years, 7 months
[PATCH] Canonicalize user aliases in the proxy provider
by Jakub Hrozek
https://fedorahosted.org/sssd/ticket/1249
The patch also reduces code duplication between several error handling
switch/case statements and fixes a bug in get_initgr where we would try
to cancel a transaction immediately after committing it.
Do we also want to canonicalize group names in a similar fashion? To be
honest, downloading the whole group twice just for the sake of
determining the correct group name seems a little too much to me..
11 years, 7 months
[PATCH] Install all docs
by Pavel Březina
I've noticed that hbac_doc and libsss_sudo_doc are created during 'make
docs' but are neither installed nor cleaned afterwards.
This patch fixes it. It will treat every directory in SSSD_DOCS as
documentation and automatically (un)install it.
11 years, 7 months
pick up "EXTERNAL MECH" identity to log in
by Olivier
Hello there
Not sure that this is feasible nor that this is the right place
to submit this question, but I think it is.
I use sssd to deal with authentication on my Linux boxes:
OK
I also know how to use the external SASL_MECH to bind to my
LDAP server: I have produced and installed a certificate with
an appropriate subject and signed it by a CA that is known
by my LDAP server. This way, I can bind to the server over TLS
with my identity and without providing any password.
$ ldapsearch -ZZ uid=olivier
SASL/EXTERNAL authentication started
SASL username: 0.9.2342.19200300.100.1.1=guillard,ou=staff,dc=example,dc=fr
SASL SSF: 0
...response...
Right: nothing new.
I was now wondering if there would be any way to announce
my certificate using the "external SASL_MECH" mechanism
over a login process to a Linux box (let's say using ssh), so that
pam would not ask me to type a "login" and a "password" to
log in?
Don't hesitate to fire if my question is stupid.
Thanks,
---
Olivier
PS, to rephrase that: I'm looking for a way to use a personal key
to log in without having to provide a password. ssh keys are not
the right solution because I would need to install the public key
in every authorized_keys on my network (I would like a centralized
solution).
I also found this :
http://code.google.com/p/openssh-lpk/
But I don't want to patch ssh if possible, since I highly prefer to
use the standard tools provided as much as possible.
I'm on RedHat6
11 years, 8 months
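The client-side configuration behind the ldapsearch output in Olivier's post, as an added example that is not part of the original message: an OpenLDAP ~/.ldaprc that presents a client certificate and binds with SASL/EXTERNAL. The file paths and the CA file name are placeholders; the entry DN is taken from the post.

```conf
# ~/.ldaprc (added example; file paths are placeholders, not from the post)

# Server certificate verification. "demand" rejects any server whose
# certificate does not chain to TLS_CACERT; with "never" or "allow" a rogue
# server could receive the client-authenticated session, so keep "demand".
TLS_CACERT   /etc/openldap/certs/example-ca.pem
TLS_REQCERT  demand

# Client certificate and private key presented in the TLS handshake.
# The certificate subject must be the entry DN the server expects,
# here uid=guillard,ou=staff,dc=example,dc=fr. Keep the key file mode 0600.
TLS_CERT     /home/olivier/.ldap/guillard-cert.pem
TLS_KEY      /home/olivier/.ldap/guillard-key.pem

# Bind with SASL/EXTERNAL so the identity is taken from the certificate
# and no password is prompted for.
SASL_MECH    EXTERNAL
```

With this in place, `ldapsearch -ZZ uid=olivier` runs as shown in the post; the double -Z makes StartTLS mandatory, so the search fails rather than silently falling back to a cleartext, unauthenticated session.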