[PATCH] Don't use srcdir with tests
by Jakub Hrozek
Without this patch I can't build SSSD for rawhide as new autoconf
versions error out when $(srcdir) is used in TESTS:
Makefile.am:149: error: using '$(srcdir)' in TESTS is currently broken:
'$(srcdir)/src/config/SSSDConfigTest.py'
parallel-tests: installing 'build/test-driver'
Makefile.am:149: error: using '$(srcdir)' in TESTS is currently broken:
'$(srcdir)/src/tests/pyhbac-test.py'
Makefile.am:149: error: using '$(srcdir)' in TESTS is currently broken:
'$(srcdir)/src/tests/pysss_murmur-test.py'
Not using srcdir is OK as the GNU manual states:
"Automake ensures that each file listed in TESTS is built before it is
run; you can list both source and derived programs (or scripts) in
TESTS; the generated rule will look both in srcdir and .."
This is an excerpt from:
http://www.gnu.org/software/automake/manual/automake.html#Scripts_002dbas...
10 years, 5 months
[PATCH] Split the providers into separate subpackages
by Jakub Hrozek
Hi,
the attached patch splits the previously monolithic sssd package into
sssd-common that contains the deamon and the responders and per-provider
packages such as sssd-ldap or sssd-ipa.
This split would benefit two parties:
1) security auditors who are often trying to find the smallest package
set including dependencies needed for the package to function. They
would be able to i.e. install sssd-ldap and not bother about
sssd-ipa or sssd-ad pulling in more dependencies.
2) 3rd party programs such as realmd or authconfig that would only
be able to require or install on demand the needed packages.
The patch addresses https://fedorahosted.org/sssd/ticket/1510 and must b
applied on the two specfile patches I sent earlier (the thread subject
included libsss_sudo).
10 years, 6 months
Ticket #1376 -- Add support for suppressing group members
by Paul B. Henson
I'm attaching an initial draft of the implementation of
ignore_group_members per ticket #1376. I still need to update the
documentation (and some python code in SSSDConfig it looks like), but
functionality wise this prevents ldap from requesting the member
attribute and sssd from returning any cached members that might be left
in the local db. As this is my first attempt at working with sssd, I
wanted to get early feedback in case I'm doing something silly ;).
Also, regarding the comment on the ticket:
"The trickiest piece of this functionality would be ensuring that we
don't delete existing member/memberOf linkages from the cache during
group lookups that were put there by previous initgroups() requests.
Thus, when this option is in play, member/memberOf should only be
managed by initgroups() calls."
My understanding of this is that an initgroups call will set up some
state in the cache regarding members of groups, and a getgrnam or
getgrgid call that skips retrieving the member attribute will wipe these
out of the cache. However, it's also my understanding that *every*
initgroups call hits ldap directly to make sure stale data isn't used
for authorization purposes. If so, why do we care that the data in the
cache, which isn't going to be used, gets wiped out? When
ignore_group_members is enabled, the only thing that cares about group
members is initgroups, correct?
Thanks...
10 years, 6 months
RFC: dropping upstream support of RHEL5 starting with 1.10
by Jakub Hrozek
Hi,
many new features rely on library APIs and features that are only available
in recent versions of SSSD dependencies. As a result, the code often needs
#ifdefs and special branches in order to at least compile or run on RHEL5.
So far we've been doing nightly builds also for RHEL5 and fixing issues
as we were finding them. But recently we are considering dropping support
for RHEL5 -- it is causing some engineering effort and at the same time
the audience is probably very limited. If you are running super-stable
enterprise distribution, chances are you are not all that interested in
the latest and possibly very unstable SSSD version.
The proposal would be to keep building and supporting the 1.9.x branch
for RHEL5 and switch to using RHEL6 as the oldest supported release
starting from the 1.10 upstream version. Of course we would still accept
patches from any potential contributors.
Any objections against the plan?
10 years, 7 months
