[PATCH] Minor man page patches
by Jakub Hrozek
Hi,
attached are three man page patches.
[PATCH 1/3] MAN: clarify the default access provider for AD
https://fedorahosted.org/sssd/ticket/1965
After we added a section that clarified what access_provider=ad did,
some users were confused and thought that "ad" was also the default
access provider if "id_provider=ad" was specified.
[PATCH 2/3] MAN: IP address does not work when used for ad_server
https://fedorahosted.org/sssd/ticket/1998
Currently using IP address as value of ad_server is not supported, so
the man pages should not mention that as an option.
[PATCH 3/3] MAN: Clarify the min_id/max_id limits further
https://fedorahosted.org/sssd/ticket/2005
Some users were confused by our description of min_id/max_id and thought
the limits only applied to returning entries from the NSS responder.
However, the limits are actually enforced on the back end side, so the
entries are not even saved to cache.
10 years, 8 months
[PATCH] LDAP: Fix crash when processing nested groups
by Jakub Hrozek
https://fedorahosted.org/sssd/ticket/1932
There is a rather strange workaround in the nested groups processing
code that calls tevent_req_post outside _send(). However, it broke in
certain situations where the tevent_req_call resulted in req being freed,
which freed state by extension and then the subsequent _post call was a
use-after-free. This patch saves the two variables used outside state so
that it's safe to use them even after the callback.
10 years, 8 months
[PATCH] Two minor enhancements on using the negative cache in the PAM responder
by Jakub Hrozek
Hi,
Yassir who was going through the PAM code recently pointed out two
strange issues with the PAM responder's usage of negative cache. Please
see the attached patches for more details, but the simplified version is:
1) The negative cache was only ever checked for domainless searches
2) The negative cache was only checked, never set
I don't think this is a pressing issue because in most occasions, the
negative cache would be hit by the application calling getpwnam() and so
the PAM responder would not be called at all, but I think the code
should at least be consistent.
The alternative is of course to stop using negative cache in the PAM
responder completely, but I think it has some benefit if the application
would only call the PAM conversation.
10 years, 8 months
[PATCH] Add script make_srpm.sh to dist tarball.
by Lukas Slebodnik
ehlo,
Simple script make_srpm.sh was added to the git repo a few weeks ago.
With this script, source rpm file can be created without installed sssd build
dependencies. I forgot to add this file to Makefile.am and therefore
this script is not bundled to tarball.
Simple patch attached.
LS
10 years, 8 months
[PATCH] fix GSSAPI integrity detection for AD servers
by Simo Sorce
This patch (hopefully) fixes an interop issue with AD servers where
they fail to realize the connection is indeed integrity protected.
It's a bit of a hack as we need to work around openldap initialization
of cyrus sasl libraries. But it should work until we get openldap
libraries to expose SASL_CB_GETOPT to us.
Ticket:
https://fedorahosted.org/sssd/ticket/2040
Simo.
--
Simo Sorce * Red Hat, Inc * New York
10 years, 8 months