sssd-devel October 2014

sssd-devel@lists.fedorahosted.org

16 participants
100 discussions

[PATCHES] Make nss responder aware of views and overrides
by Sumit Bose 20 Oct '14

20 Oct '14

Hi, this patches make the nss responder view aware. A number of new sysdb calls is added as drop in replacements from existing ones. I preferred this instead of modifying the existing ones to not break their usage in other places. But I think they are a good targets, together with the other user and group related sysdb calls, for a refactoring in an upcoming version. bye, Sumit

3 7

[PATCH] UTIL: Add a function to convert id_t from a number or a name
by Jakub Hrozek 17 Oct '14

17 Oct '14

Hi, attached is patch that implements a utility function to convert a number or a string into a uid_t. It must be attached atop my previous patches for server_setup.

2 6

[PATCH] Packaging fixes related to non-root SSSD
by Jakub Hrozek 17 Oct '14

17 Oct '14

Hi, attached are two patches that change the file ownership when SSSD runs as as a non-root user. Please see the commit messages for more details. I have one question -- is it wise to also set the permissions of directories we create when we "install -d" them? Or is this something typically done by the downstream?

1 1

[PATCH] UTIL: Always write capath
by Jakub Hrozek 16 Oct '14

16 Oct '14

I had this patch in my branch for a couple of days already so why not send it out.. In a remote session with a customer we discovered that it's beneficial for some scenarios to generate the capaths even on clients. The attached patch does exactly this.

2 2

[PATCHES] Add backend part of user views
by Sumit Bose 16 Oct '14

16 Oct '14

Hi, this patches contain the IPA provider part of https://fedorahosted.org/sssd/ticket/2375 as described in the FreeIPA design page http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust Patches 0001, 0006 and 0007 contain new sysdb interfaces for views and overrides. 0002 and 0003 refactor some already existing calls. 0004 adds the initial support for views and overrides and reads the view name for the client from the FreeIPA server or sets it to 'default' when running in ipa-server-mode. It adds some new options which currently misses man page entries and are not added to the python config API. I did this on purpose for the time being because I wanted to see first if the list is complete or if some options ca be dropped. 0005 adds the request to get a specific override from the FreeIPA server and finally in 0008 the overrides are read during a request and saves or applied. This patches must be applied on to of the extdom patch I send yesterday. To add and manage views and override on the server side please have a look at Tomas's patch set on the freeipa-devel list (https://www.redhat.com/archives/freeipa-devel/2014-September/msg00336.html) bye, Sumit

4 21

OTP design page updated
by Lukas Slebodnik 16 Oct '14

16 Oct '14

ehlo, New paragraph[1] was added to the section "Removing password with OTP factor from the PAM stack" in OTP design page. You can see newly added paragraph in diff[2] or in this mail. In sssd-1.12, we will remove the password from the PAM stack when OTP is used to make sure use-cases like gnome-keyring are not broken. We would need more time for implementation of heuristic and proper testing. Currently, the krb5_child returns that an OTP was used during authentication (details in function parse_krb5_child_response). This OTP flag is used just in the function krb5_auth_done. We will pass OTP flag to the pam responder (sssd_pam) and from pam responder to the pam client (pam_sss.so). If the pam client detects that OTP was used it will remove password from auth_token. LS [1] https://fedorahosted.org/sssd/wiki/DesignDocs/OTPRelatedImprovements#Removi… [2] https://fedorahosted.org/sssd/wiki/DesignDocs/OTPRelatedImprovements?action…

1 0

[PATCHES] LDAP: SID-Mapping - Store non-POSIX users in cache if they have a SID
by Pavel Reichl 15 Oct '14

15 Oct '14

Hello, please see attached patches. I have briefly discussed with Jakub how to handle saving users with uid 0 whether to resurrect sysdb_add_fake_user or modify existing fuctions for storing users. I decided to add wrapper function around existing ones to minimize changes in code which calls them. Thanks, Pavel Reichl

2 3

[PATCHES] nss: add SSS_NSS_GETORIGBYNAME request
by Sumit Bose 14 Oct '14

14 Oct '14

Hi, this patch adds a new interface to the nss responder which is similar to SSS_NSS_GETSIDBYNAME but can return more information about the given object than just the SID and which is not available with the POSIX interface as well. As mentioned in the commit messages the main use case is the extdom plugin on the FreeIPA server. bye, Sumit

4 7

[PATCH] add_v1_group_data: fix for empty members list
by Sumit Bose 14 Oct '14

14 Oct '14

Hi, this patch fixes and issue in the code handling the new extdom plugin version which was found by Pavel Březina. bye, Sumit

3 2

sss_get_domain_name: check for fq name first
by Pavel Březina 14 Oct '14

14 Oct '14

Hi, my recent patch "sysdb_get_user_attr: use fqn for subdomain users" kinda broke authentication (thx ab). The problem was that sysdb_get_user_attr is often called with fully qualified name and we basically ended up with "user@domain@domain" name. One solution would be to translate the name to fq format in IFP. Other would be to change the other places so they use just name without the domain part. But since sysdb_get_user_attr now calls sss_get_domain_name in the same way as other sysdb functions does I think the best solution here is to check the name format in this function and response as appropriate.

2 2

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel October 2014