[PATCH] pam_sss: add ignore_unknown_user option
by Pete Fritchman
https://fedorahosted.org/sssd/ticket/2232
FreeBSD's openpam doesn't have a built in way of ignoring an unknown
user (e.g. treating PAM_USER_UNKNOWN as a pass for a required module,
like Linux's user_unknown=ignore tag), so there needs to be an
ignore_unknown_user flag built in to the PAM module. This patch makes
pam_sss return PAM_IGNORE instead of PAM_USER_UNKNOWN when
ignore_unknown_user is passed in from the PAM config. FWIW, this is
how pam_ldap works on FreeBSD with local accounts, too.
This patch allows us to keep pam_sss marked as required for the PAM
"account" facility (to enforce HBAC rules) but still allow local users
to log in.
jhrozek suggested posting the patch here for review, so thanks in
advance for looking it over!
--
petef
9 years, 10 months
[PATCH] DBus: Automatic pack/unpack of method handler arguments
by Stef Walter
Here's the next set of DBus patches. This implements automatic packing
and unpacking of arguments for method handlers.
This means adding a handler to a vtable is now type safe and checked by
the compiler. Type safe reply xxx_finish() are also generated. Together
these avoid the complexity and the pitfalls of building and parsing DBus
messages via varargs (such as dbus_bool_t != bool).
Handlers have their pack/unpack method handlers automatically generated
unless they have this annotation in their DBus XML definition:
<annotation name="org.freedesktop.sssd.RawHandler" value="true"/>
Only simple argument types, and arrays of them are supported. More
complex arguments can continue to be handled via the "RawHandler"
annotation. sbus_codegen will force you to add this annotation for
methods that have complex arguments. In later work we could add commit
for more complex, but common arguments such as dictionaries.
Because so many of the internal sssd DBus methods do strange things with
their arguments, I haven't migrated them to automatic packing and
unpacking of arguments. They are all now marked with the above
"RawHandler" annotation. At some point someone could pick through these
and see which ones are candidates for moving away from "RawHandler".
You can find this as a branch here:
https://github.com/stefwalter/sssd/commits/dbus-invoke
Cheers,
Stef
9 years, 10 months
Build Fixes
by Benjamin Franzke
Hi,
These two patches add missing CFLAGS/LIBS to Makefile.am:
[PATCH 1/2] BUILD: Link libsss_ad.so to sasl libs
[PATCH 2/2] BUILD: Use OPENLDAP_CFLAGS instead of LDAP_CFLAGS
This underlinking was noticed in make check (dlopen-test).
Note:
It failed for me since my openldap build had no sasl support,
which would otherwise have pulled in libsasl2.so.
Of course, that support should be in place, but the linking should still be
fixed.
BTW: It would probably be nice to have a configure check whether
openldap has sasl support, but it seems that would need a check if
ldap_sasl_interactive_bind returns LDAP_NOT_SUPPORTED.
Regards, Ben
9 years, 11 months
[PATCH] AD: LDAP component of GPO-based access control
by Yassir Elley
Hi,
The attached patch implements the LDAP component of the GPO-based access control project. For more details on the project, see https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration. The project is not yet complete, since the SMB component still needs to be implemented. However, this seems like a useful milestone to allow others to review the code. This is my first patch submission to the list, so any feedback is appreciated.
In order to exercise the code in your AD environment, you will need to link a GPO to the site, domain, or OUs associated with the policy target (i.e. domain member computer). Since we are not yet retrieving any policy files (over SMB), there is no access control taking place yet, meaning that any policy settings can be used in the GPOs. The only way to determine what is going on is by examining the logs.
In summary, the code currently does the following:
1. Determines the DN of the policy target (e.g. "cn=f20-laptop,OU=West,OU=Sales,DC=foo,DC=com")
2. Calculates the list of SOM DNs (Site, Domain and OUs) associated with the policy target DN
3. Retrieves various LDAP attributes from each SOM DN in order to populate a list of GPLinks (i.e. GPO DN plus GPO Options)
4. Creates a prioritized list of GPO DNs based on SOM Priority, Link Order, and GPO Options
5. Retrieves various LDAP attributes from each GPO DN in order to populate a list of candidate GPOs
6. Converts the candidate list to a filtered list, by removing any GPO that has a DACL which denies the policy target permission to apply the GPO
7. It is this filtered list that will be sent to the Short-Lived GPO Child process, which will make the necessary blocking SMB calls
Regards,
Yassir.
9 years, 11 months
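As an added illustration of steps 3 and 4 of the summary above (example code written for this page, not part of the sssd patch): splitting gPLink attribute values into GPO links and building the prioritized GPO list from the SOM chain. It assumes the standard gPLink link-option bits (1 = link disabled, 2 = enforced), the gPOptions block-inheritance bit (1) on a SOM, and the usual GPO precedence rules; the SOM data is constructed, not taken from a real domain.

```python
import re
from dataclasses import dataclass

# gPLink values are "[LDAP://<gpo dn>;<options>]" entries concatenated together
GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
LINK_DISABLED, LINK_ENFORCED = 0x1, 0x2  # per-link gPLink option bits
BLOCK_INHERITANCE = 0x1                 # gPOptions bit set on the SOM itself

@dataclass
class Som:
    dn: str
    gplink: str = ""    # raw gPLink value (assumed already fetched over LDAP)
    gpoptions: int = 0  # raw gPOptions value

def parse_gplink(value):
    """Step 3: split one gPLink value into [(gpo_dn, link_options), ...]."""
    return [(dn, int(opt)) for dn, opt in GPLINK_RE.findall(value or "")]

def prioritized_gpos(soms):
    """Step 4: GPO DNs from lowest to highest precedence (the last one wins).
    soms: ordered site -> domain -> OU -> ... -> OU nearest the target.
    Link order 1 beats later links of the same SOM; block inheritance drops
    non-enforced links from SOMs above; enforced links beat everything, and a
    parent SOM's enforced link beats a child's."""
    normal, enforced_per_som = [], []
    for som in soms:
        if som.gpoptions & BLOCK_INHERITANCE:
            normal = []           # forget everything inherited so far
        enforced = []
        for gpo_dn, opts in reversed(parse_gplink(som.gplink)):  # last link first
            if not opts & LINK_DISABLED:
                (enforced if opts & LINK_ENFORCED else normal).append(gpo_dn)
        enforced_per_som.append(enforced)
    # enforced links of parent SOMs land last, i.e. with the highest precedence
    return normal + [g for per_som in reversed(enforced_per_som) for g in per_som]

def sample_soms():
    """Constructed SOM data (not from a real domain) for a target with DN
    cn=f20-laptop,OU=West,OU=Sales,DC=foo,DC=com."""
    pol = ",CN=Policies,CN=System,DC=foo,DC=com"
    return [
        Som("CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=foo,DC=com",
            f"[LDAP://CN={{GPO-SITE}}{pol};0]"),
        Som("DC=foo,DC=com",
            f"[LDAP://CN={{GPO-DOM-ENF}}{pol};2][LDAP://CN={{GPO-DOM}}{pol};0]"),
        Som("OU=Sales,DC=foo,DC=com", gpoptions=BLOCK_INHERITANCE,
            gplink=f"[LDAP://CN={{GPO-SALES-1}}{pol};0][LDAP://CN={{GPO-SALES-2}}{pol};0]"),
        Som("OU=West,OU=Sales,DC=foo,DC=com", f"[LDAP://CN={{GPO-WEST-OFF}}{pol};1]"),
    ]
```

With the constructed data, the Sales OU blocks inheritance so the site and non-enforced domain GPOs drop out, the disabled West link is skipped, and the enforced domain GPO ends up with the highest precedence.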
[PATCH] BUILD: Link libsss_krb5_common.so to libkeyutils.so
by Benjamin Franzke
Hi List,
The symbol add_key is used by
src/providers/krb5/krb5_delayed_online_authentication.c
which is part of libsss_krb5_common.so
Fixes following error:
[sssd[be[default]]] [load_backend_module]
(0x0010): Unable to load ad module with path
(/usr/lib64/sssd/libsss_ad.so), error:
/usr/lib64/sssd/libsss_krb5_common.so: undefined symbol: add_key
-lkeyutils was passed to the libraries libsss_{krb5,ipa,ad}.so,
but when compiling with -Wl,--as-needed this flag will be ignored,
since it is not used directly. So it was unavailable to
libsss_krb5_common.so which actually needs it.
This patch removes $(KEYUTILS_LIBS) from those libraries and adds it to
libsss_krb5_common.so
Maybe libsss_krb5_common.so should be added to dlopen-tests?
But then other libraries and functions are needed as well,
which it currently inherits from libsss_{krb5,ipa,ad}.so.
BTW: are these common libraries (I mean ldap too) convenience build
libraries, or to save disk space?
If they're just for convenience maybe they should not be installed?
Regards, Ben
9 years, 12 months
Design Discussion: D-Bus responder
by Pavel Březina
https://fedorahosted.org/sssd/wiki/DesignDocs/DBusResponder
Hi,
I couldn't find the original thread so I'm starting a new one. I would
like us to agree on best practice of naming methods. The current design
is somewhat inconsistent, since it uses e.g. FindUserByName(name) and
GetDomain(name) for obtaining one object path by name.
I'm proposing the following convention:
* List<class>() returning array of object paths, no arguments
- ListUsers
- ListDomains
* Find<class><condition>(arg1, ...) returning array of object paths
- FindUsersByName(filter)
- FindGroupsByName(filter)
* Get<class><condition>(arg1, ...) returning single object path
- GetUserById(id)
- GetDomainByName(name)
9 years, 12 months
NSS: disable midpoint refresh for netgroups if ptask refresh is enabled
by Pavel Reichl
Hello,
please see attached patches.
patch #1 - disable midpoint refresh for netgroups if ptask refresh is
enabled
The rest of patches solves some minor problems that occurred while I
was working on 1st patch:
patch #2 - fixes sysdb_getnetgr to return ENOENT as is expected in
code
patch #3 - first check return value then access output parameter
patch #4 - some minor code style improvements, some lines over 80
columns, IMO strange indentation of string constants - feel free to
NACK.
Bye,
Pavel Reichl
10 years
[PATCH] DBus: Refactor how requests are handled
by Stef Walter
Here's the next patchset for refactoring the DBus support in sssd.
This patch set reorganizes how handlers handle requests. At center stage
is 'struct sbus_request' which is a talloc context valid for the
duration of the DBus requests.
There are also various sbus_request_xxx_finish() methods which reply to
the caller and cleanup the request.
The next set of patches (after this one) have the support for
automatically invoking type-safe handlers and build off of this
patchset. That said, even on its own, these changes result in lots of
cleanup and some code savings.
Patch 0001 fixes portability bugs.
I've added some test cases for the sbus code that has changed.
However since there are no automatic tests for much of the monitor and
data provider methods, I would recommend lots of smoke testing for these
patches.
If you prefer to access this as a branch, see:
https://github.com/stefwalter/sssd/tree/dbus-request
To see the later work that builds off of this:
https://github.com/stefwalter/sssd/tree/dbus-invoke
Cheers,
Stef
10 years