[PATCH] Allow more libldap debugging
by Jakub Hrozek
This patch should not be pushed to master, but I would like to get it
reviewed anyway.
It should be used to provide a custom build for users experiencing cases
where ldap_search_ext would block (c.f.
https://bugzilla.redhat.com/show_bug.cgi?id=728343)
For example:
export SSSD_DEBUG_LDAP_SEARCH="0xffff"
would set LDAP_DEBUG_ANY
The attached patch applies cleanly on the RHEL6.1 branch. I also have a
version that applies on master/1.5 if needed.
10 years, 10 months
[PATCH][PRELIMINARY] sudo: send username and uid while requesting default options
by Pavel Březina
https://fedorahosted.org/sssd/ticket/1239
[PATCH 1/2]
Finally removes EOK constant from sudo api header. It is not used in
the SUDO code so it does not require their changes.
[PATCH 2/2]
This does what is requested in the ticket. It seems to be very huge but
in fact it is mainly changing the variable. Basically I tried to get
rid of domain ctx where possible, leave it only in initgroups part and
use command ctx elsewhere.
The in-memory cache is not yet implemented, I want to discuss the
possible ways of doing it.
The basic problem is that we need to get the domain during the request
for default options. How will we do it? I think there are two options:
1. always try to perform the initgroups - find the domain and the check
the in-memory cache (which may be slow if the user is in the last
domain, but that will be probably handled as part of
https://fedorahosted.org/sssd/ticket/1126
2. store uid:username = domain in the in-memory cache (same cache as
results or a new one?)
This patch contains a modified version of sysdb_get_sudo_user_info()
where the uid is not mandatory. I want to replace this function with
sysdb_sudo_get_user_groups() (or make it generic and place it in
sysdb_ops?) because the groupnames are the only thing we don't know.
However this requires a modification of the data provider protocol as
well so I'm keeping it for later.
11 years, 2 months
[PATCHES][PRELIMINARY] sudo - new design
by Pavel Březina
Hello everybody,
here is the first set of patches for the new sudo clothes. [1]
As it does not touch the responder, I believe it does not require the
patches from the other preliminary sudo thread (already acked). However
it was written atop them.
[2/10]
This is the main change for the async processing of the sudo rules. It
make sdap_sudo_refresh_send() more generic by adding there two filters:
ldap_filter - used for search in the LDAP
sysdb_filter - used for a deletion of the rules from sysdb
This way we can have many different refresh styles without touching
this fundamental function.
From this patch further the provider will return an error to the
responder making it unusable.
[...]
The rest of the patches has a self-describing subject. Don't be afraid
of the count, these patches are very small :-)
The next set of patches is where the fun begin, so be patient :-)
[1] https://fedorahosted.org/sssd/wiki/DesignDocs/SUDOCachingRules
11 years, 3 months
[PATCH] Per-domain re_expression and full_name_format
by Stef Walter
In order to support the AD Domain\User style and the more usual kerberos
user@realm style, sssd needs per domain re_expression and
full_name_format options.
Attached is a rough patch implementing per domain qualified user names.
When discussing it on IRC we came up with the following plan: In order
to prevent conflicts between the regular expressions for different
domains, we parse with a domains regular expression and then check that
the resulting domain matches that domain's name.
It's not clear that we should support 'null-domains' in these regular
expressions and sss_parse_name_for_domains(). There's a TODO in the
patch to sort this out. It may be that we choose to have callers of
sss_parse_name_for_domains() which can accept unqualified user domains
use the full input string when parsing into a qualified name fails.
In other words, sss_parse_name_for_domains() would not support
returning a NULL *domain.
The global re_expression and full_name_format options remain as defaults
for the domains.
This patch is especially important for Samba integration. Samba only
allows Domain\User format, with the exception that the slash can be
replaced with another character.
Cheers,
Stef
11 years, 3 months
[PATCHES] Support for ghost users
by Jan Zelený
Hi,
I'm sending a patch set that removes support for fake user entries and add
ghost attribute instead:
#117:
Trivial patch that only adds the SYSDB_GHOST attribute
#118:
This is one of core patches which changes the behavior on LDAP provider when
querying for groups. Instead of creating fake user entries, it uses ghost hash
table for RFC230bis and SYSDB_GHOST attribute for RFC2307.
#119:
Couple of relatively small changes to adapt proxy provider to the change. I
haven't actually tested this but the code seems straightforward to me.
#120:
Modifications in sysdb:
- removed sysdb_add_fake_user()
- modified sysdb_add_user() to remove ghost entries for the user that is
currently added.
#121:
Memberof plugin modifications: the memberof plugin does all the work when it
comes to populating memberuid.
#122:
Include ghost members as well as memberuid members in results. Alternatively
this could be solved in memberof plugin but that would lead to duplicated
information - ghost attribute would be copied to memberuid. This approach
seems better to me.
#123:
This function is no longer necessary since fake user entries don't exist any
more.
#124:
sss_groupshow utility has been modified to be aware of SYSDB_GHOST
#125:
Various small changes in the code - basically nitpicking cleanup.
Thanks
Jan
11 years, 4 months
[PATCH] Assorted fixed found by the clang static analyzer
by Jakub Hrozek
I scanned the SSSD source code with the clang static analyzer and found
a number of issues. Patches are attached -- I think that most of them
are OK to just include in master. Patches #1, #13 and #16 may be
something that we want to include sooner.
Because the clang analyzer is freely available in Fedora, I think it would
make sense to run a scan at least before a release.
Developers can also run the clang tool themselves - I'll add info how
into our Developers page.
11 years, 4 months
[PATCHES] Add support for ID-mapping with Active Directory domains
by Stephen Gallagher
These patches are built atop Sumit's recent patch "Allow different SID
representations in libidmap". I added the manpage as a single patch near
the end because it was just too much trouble to do it piecemeal
throughout the set. This patch series went through numerous iterations,
so some of the patches may be slightly out of order. Please review as a
whole. The patches themselves are separated primarily the way they are
to make reviewing easier. Some have notes below to guide the reviewer to
changes that may have been revised later but were nontrivial to rewrite
history for.
Patch 0001: Add objectSID config option
This patch adds an option to specify the objectSID attribute on the LDAP
server, for use when performing ID-mapping
Patch 0002: Add option to enable id-mapping
Patch 0003: Add sysdb routines for storing ID maps in the cache
Patch 0004: Add helper routines to the LDAP provider for ID mapping
This contains the meat of the ID-mapping algorithm. See the manpage in
Patch 0020 for full details.
Patch 0005: Add options for configuring range settings
Patch 0006: LDAP: Initialize ID mapping when configured
Patch 0007: Do ID-mapped lookups for users
Note: this patch contains a bit of code that has been refactored by the
end of the patchset (specifically it references binary_to_dom_sid() and
dom_sid_to_string()). I didn't bother rewriting this particular bit of
history because it's replaced entirely by Patch 0016 anyway (which uses
the correct functions from Sumit's patch).
Patch 0008: Add an autorid compatibility mode
Autorid assigns slices as first-come-first-served. This will force the
LDAP ID-mapping to behave the same way.
Patch 0009: Add a feature to guarantee that a single "default" domain is
always assigned to slice 0, regardless of hashing. This can be used to
extend autorid compatibility mode.
Patch 0010: Helper routine to get the domain SID portion from a user or
group objectSID
Patch 0011: Allow us to auto-provision a new domain when we see one for
the first time.
Note: this gets turned into its own function in Patch 0018 for reuse in
groups and initgroups.
Patch 0012: Look up mapped users by UID
Patch 0013: Look up mapped groups by name
Patch 0014: Look up mapped groups by GID
Patch 0015: Map the user's primaryGID. ActiveDirectory stores only the
RID of the primary group, so we extract the domain SID from the user SID
and then convert the group ID from that.
Patch 0016: Common routine to convert an LDAP blob of the objectSID into
a UNIX ID.
Patch 0017: Hack to ensure that uidNumber and gidNumber are not deleted
when we save users and groups.
Patch 0018: Convert the auto-provisioning code into a common routine,
rather than copying it everywhere.
Patch 0019: Handle cases where we have an unmappable ID (such as
special-case SIDs) for a group membership. In these cases, we'll treat
the groups as non-POSIX so we can safely continue.
Patch 0020: (Hopefully) comprehensive manpage on the ID-mapping feature.
It's separated into its own include file so that it will be possible to
import it into the manpage for the AD provider when that is available.
11 years, 5 months
[PATCH] SSH: Add dp_get_host_send to common responder code
by Jakub Hrozek
[PATCH] Rename split_service_name_filter
The function was used outside services code which was confusing due to
its name. This patch renames it to sound more netrual.
[PATCH] SSH: Add dp_get_host_send to common responder code
Instead of using account_info request, creates a new ssh specific
request. This improves code readability and will make the code more
flexible in the future.
https://fedorahosted.org/sssd/ticket/1176
11 years, 5 months
Anyone managed to join F17 to Active Directory?
by Ondrej Valousek
I am just trying to 'net ads join' in order to fill up my /etc/krb5.keytab database.
The join works fine, but something got screw up because:
[root@dorado3 ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
...
2 DORADO3$(a)DUBLIN.AD.S3GROUP.COM
2 DORADO3$(a)DUBLIN.AD.S3GROUP.COM
2 DORADO3$(a)DUBLIN.AD.S3GROUP.COM
[root@dorado3 ~]# kinit -k "DORADO3$"
kinit: Generic preauthentication failure while getting initial credentials
-> so sssd will not function, either.
Did anyone make it working? My DC is running Win2008.
Thanks,
Ondrej
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s).
Please direct any additional queries to: communications(a)s3group.com.
Thank You.
Silicon and Software Systems Limited. Registered in Ireland no. 378073.
Registered Office: South County Business Park, Leopardstown, Dublin 18
11 years, 5 months
[PATCH] Allow different SID representations in libidmap
by Sumit Bose
Hi,
this patch extends the functionality of libidmap by allow more kind of
SID representations, especially the binary format which is used e.g. to
store SIDs in AD.
I have added tests for all new functions, but mostly they only test the
positve case and do not try to break anything with invalid inputs. Fell
free to add more :-)
bye,
Sumit
11 years, 5 months
