[PATCHES] Sig handlers cleanups
by Simo Sorce
While checking if our custom signal handlers properly handle errno, I
stumbled on a few cleanups, they are attached.
turns out our few signal hanlders are errno safe, and tevent signal
handling function is also fine.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
8 years, 8 months
[PATCH] krb5: Check return value of sss_krb5_princ_realm
by Lukas Slebodnik
ehlo,
yet another warning from clang static analyser.
sss_krb5_princ_realm set output parameter realm to NULL and len to 0
in case of failure. Clang static analysers repoted warning
"Null pointer passed as an argument to a 'nonnull' parameter"
in function match_principal. It was possible, that realm_name with value NULL
could be used in strncmp.
Function sss_krb5_princ_realm is used on other places for printing(formatting)
realm_name and NULL can be safely used as a argument for printf-like
functions.
Patch is attached.
LS
8 years, 10 months
[PATCH] allowed_shells: using wildcard for any shell
by Denis Kutin
Dear friends,
Using sssd, for a long time, I have come across with a problem recently,
which I would like to solve with your help.
I provide centralized authentication and authorization service for a huge
heterogeneous network. And in my case it would be "nice and easy" if sssd
used only shells(5). I believe this mechanism is sufficient for
identification of an allowed shell.
I take a liberty to offer you this tiny patch, which will let use wildcard
(*) in param allowed_shells in sssd.conf
What do you think about it?
--
Denis Kutin
8 years, 11 months
[PATCHES] Enable sending DEBUG logs to journald
by Stephen Gallagher
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
All of these patches require Nikolai's "DEBUG Macro Refactoring v3"
patches to be applied first.
Patch 0001: Allow debug_fn to process __FILE__ and __LINE__
In preparation for enabling journald support for the DEBUG logs, we
will need to be able to pass in certain additional arguments that will
be required, specifically the code file and line number.
We will be able to optionally enable this in the file-based logs as well
if we so choose, but for right now we will avoid breaking the log
format on disk.
Patch 0002: Enable sending structured debug logs to journald
We are now able to send structured debug logs to journald, tagged with
the code file, line number and domain that the log pertains to. To
enable this functionality, SSSD must be configured at build-time with
- --with-syslog=journald and must be launched without -f/--debug-to-files
This behavior is nearly identical to how SSSD will function today on a
systemd-based system if --debug-to-files is disabled, since it will
redirect stdout and stderr into journald. This patch merely enhances
the situation to send structured logs instead of simple string messages.
Patch 0003: BUILD: Build with journald support by default on Fedora
The journal provided by systemd gives us structured logging
capabilities that we should be taking advantage of.
Note: this patch explicitly does not change the systemd unit file for
SSSD. Right now, an administrator will need to manually remove the
'-f' from ExecStart in the unit file to send debug logs to journald. I
suspect we'll want to discuss this before we make it the default. This
patch DOES change the default for sss_log messages to use
sd_journal_send() instead of straight log() for those messages that we
traditionally sent to the syslog (such as login events). This is code
that has been in place for some time now, but has not been the default
because we hadn't build with --with-syslog=journald.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlK0v0QACgkQeiVVYja6o6NwxgCfWnU4IbYyJPXxPe83zWjjsCHt
cG8AnitRgM9CAUjHM2ofYg3TgcUxCyCC
=Fara
-----END PGP SIGNATURE-----
9 years, 2 months
[PATCH] LDAP: Try all attributes when saving an entry
by Jakub Hrozek
Hi,
this bug was reported on #sssd by a user. He was running some flavor of
IBM Tivoli where the entries only had an "ID", not separate "UID" and
"GID". But due to a bug in sssd he couldn't use the same value for both,
this configuration:
ldap_user_uid_number = idAttribute
ldap_user_gid_number = idAttribute
only saved the ID into UID and left GID empty. It appears we have a long
standing bug in sdap_parse where we only consider first match. If this
patch is accepted, I would also like to refactor sdap_parse in master
because currently it is a 250-lines long function with multiple
branches..
9 years, 2 months
[PATCH] pam_sss: add ignore_unknown_user option
by Pete Fritchman
https://fedorahosted.org/sssd/ticket/2232
FreeBSD's openpam doesn't have a built in way of ignoring an unknown
user (e.g. treating PAM_USER_UNKNOWN as a pass for a required module,
like Linux's user_unknown=ignore tag), so there needs to be an
ignore_unknown_user flag built in to the PAM module. This patch makes
pam_sss return PAM_IGNORE instead of PAM_USER_UNKNOWN when
ignore_unknown_user is passed in from the PAM config. FWIW, this is
how pam_ldap works on FreeBSD with local accounts, too.
This patch allows us to keep pam_sss marked as required for the PAM
"account" facility (to enforce HBAC rules) but still allow local users
to log in.
jhrozek suggested posting the patch here for review, so thanks in
advance for looking it over!
--
petef
9 years, 3 months
Build Fixes
by Benjamin Franzke
Hi,
These two patches add missing CFLAGS/LIBS to Makefile.am:
[PATCH 1/2] BUILD: Link libsss_ad.so to sasl libs
[PATCH 2/2] BUILD: Use OPENLDAP_CFLAGS instead of LDAP_CFLAGS
This underlinking was noticed in make check (dlopen-test).
Note:
It failed for me since my openldap build had no sasl support,
which would otherwise have pulled in libsasl2.so.
Of course, that support should be in place, but the linking should still be
fixed.
BTW: It would propably be nice to have a configure check whether
openldap has sasl support, but it seems that would need a check if
ldap_sasl_interactive_bind returns LDAP_NOT_SUPPORTED.
Regards, Ben
9 years, 4 months
