August 2012 - sssd-devel - Fedora Mailing-Lists

by Transifex

Hello sssd, this is Transifex at https://www.transifex.com. A new announcement has been posted from project 'SSSD': ## Restoring String Freeze for SSSD 1.9.0 As of now, the SSSD is again in string freeze for the SSSD 1.9.0 upstream release. We will be accepting translations until the release date which has been rescheduled for September 14th. Thank you in advance for your contributions! - To view the announcement in Transifex, please visit the following link: http://www.transifex.com/projects/p/sssd/announcement/2887/ Always at your service. -- Transifex -- Open Translation Platform To change your notification settings, please visit your profile page at https://www.transifex.com/notices/.

11 years, 8 months

1
0
0 / 0

A security bug in 1.9.0 beta6 (CVE-2012-3462)

by Jakub Hrozek

================= A security bug in 1.9.0 beta6 =============== = = Subject: HBAC rules ignored if SELinux processing = is enabled = = CVE ID#: CVE-2012-3462 = = Summary: A flaw in the SSSD's access-provider = logic causes the result of the HBAC = rule processing to be ignored in the = event that the access-provider is = also handling the setup of the user's = SELinux user context. = = = = Impact: moderate = = Affects default = configuration: yes (IPA provider only) = = Introduced with: 1.9.0 beta6 = =============================================================== ==== DESCRIPTION ==== The latest development release of the SSSD is vulnerable to a security bug. When the SSSD is configured as an IPA client and the access provider is also handling the evaluation of user's SELinux user context, the result of Host Based Access Control rules is ignored. We decided not to release a full release, for two reasons: * the number of users running the beta is very small. Furthermore, the beta releases are not fully tested and suitable for production anyway * the next release - 1.9.0 RC1 is coming very soon. It is tentatively scheduled for 2012-08-23 ==== WORKAROUND ==== If you don't rely on the evaluation of user's SELinux user context, you can turn off their processing by setting: selinux_provider = none in the sssd.conf config file. That would cause the correct access control code to be returned to the PAM service. ==== PATCH AVAILABILITY ==== The patch is available at: http://git.fedorahosted.org/cgit/sssd.git/commit/?id=ffcf27b0b773b580289d...

11 years, 8 months

1
0
0 / 0

[PATCH] MAN: Improve description of ldap_*_search_base options

by Stephen Gallagher

It was ambiguous that these options supported the new multiple search base format, as well as the search filters.

11 years, 8 months

2
1
0 / 0

[PATCH] When ldap_group_nesting_level was reached, the LDAP provider, tried to link group members with groups outside nesting, limit.

by Michal Židek

Now, the groups outside nesting limit are skipped. The patch is attached. https://fedorahosted.org/sssd/ticket/1194 Michal

11 years, 8 months

5
8
0 / 0

[PATCH] Document entry_cache_autofs_timeout

by Jakub Hrozek

When discussing the autofs feature on #sssd with tibbs, we found out that the timeout was not documented at all..

11 years, 8 months

2
2
0 / 0

[PATCH] remove duplicate reference to sss_obfuscate in seealso manpage section

by Nick Guay

SSIA

11 years, 8 months

3
3
0 / 0

[PATCH] MAN: Fix minor typo in ldap_search_base section

by Stephen Gallagher

Simple, one-character grammatical correction to sneak in before string freeze.

11 years, 8 months

2
2
0 / 0

Review of the realmd dbus interface

by Stef Walter

Are any of you interested in reviewing the realmd DBus interface, and making sure I'm not screwing up in an obvious way? By the time Fedora 18 releases I'd like to have this interface be stable. Obviously new properties and methods can be added later, but I'd like to try and not change the current properties and methods (and their semantics) after that point. Even if another project (like sssd) ends up re-implementing the interfaces, it would be nice if we manage to keep them stable so callers don't have to change. Documentation: http://www.freedesktop.org/software/realmd/docs/index.html Source: http://cgit.freedesktop.org/realmd/realmd/tree/dbus/org.freedesktop.realm... The interfaces are used to discover/enroll/unenroll realms/domains and manage login policy. Things to keep in mind: * There are multiple providers like samba-ad, sssd-ad, sssd-ipa, at different object paths. And a single provider combining them all at a top level object path. This way it's easy to discover using any provider with one operation, or get all the realms. * Multiple realm objects can be returned from a discovery for the same actual realm. These are ordered by relevance, and most callers would choose the first realm returned from a discovery. But more advanced callers can choose a realm based on the implementation (ie: winbind vs. sssd). Anyway. Thank you in advance for any time spent on looking this over. I appreciate it. Cheers, Stef

11 years, 8 months

1
0
0 / 0

[PATCH] Don't use server after SRV data collapsed

by Jakub Hrozek

Collapsing servers previsouly expanded from a SRV query leads to a small window where we use memory that was already freed. I originally suspected this was the cause for the failover crash we've been seeing lately, but I was wrong. I'll keep looking.

11 years, 8 months

2
2
0 / 0

[PATCH] If the same server is in both primary and secondary server, list, we must only add it to the primary list.

by Michal Židek

This patch solves 2 things mentioned in ticket 1463. a) If the same server is in both primary and secondary server list, we must only add it to the primary list. b) SRV resolution for backup servers should not be permitted. It now prints error message if the sssd.conf is configured that way. https://fedorahosted.org/sssd/ticket/1463 The patch is attached. Thanks Michal

11 years, 8 months

3
6
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel August 2012