[PATCH] ssh: skip invalid certificates
by Sumit Bose
Hi,
currently the code which generates ssh key from the public keys in the
user certificates fails if one certificate cannot be validated and
terminates the whole request. It is of course valid that the user entry
might contain certificates which SSSD cannot validate and since we just
won't generate an ssh-key in this case SSSD should just skip those
entries and return ssh-keys for every valid certificate.
You can test the patch even without a real certificate by e.g. adding an
ssh-key to an IPA user object. Then 'sss_ssh_authorizedkeys username'
should return this key. If you now add some random data to the
userCertificate object of the same user, call 'sss_cache -E' and call
'sss_ssh_authorizedkeys username' again, you get nothing because the
random data cannot be validated and hence the whole request is aborted.
With the attached patch sss_ssh_authorizedkeys should return the ssh-key
again.
bye,
Sumit
[PATCH] Fix offline resolution of autofs maps and netgroups
by Jakub Hrozek
Hi,
to reproduce the netgroups failure:
* getent netgroup testngr # to verify the netgroup is there
* sss_cache -E
* pkill -USR1 sssd # make sssd go offline
* getent netgroup testngr
to reproduce the autofs maps failure:
* automount -m # to verify the maps are there
* pkill -USR1 sssd # make sssd go offline
* automount -m # to verify the maps are there
Before the patches, neither offline lookup would return the expected
results. Both lookups should return results with the patches.
[PATCHES] p11: add no_verification option
by Sumit Bose
Hi,
the following 3 patches are related to the Smartcard authentication
feature but imo can be tested even without having one.
The first patch just adds some missing pieces. The second adds a new
'no_verification' switch to the 'certificate_verification' option, which
is already tested by the unit tests.
The third adds two new OCSP related switches. With OCSP a certificate
can be validated online by talking to a server which is listed in the
certificate. Of course it might not always be possible to directly talk
to this server. We already have the 'no_ocsp' switch to disable OCSP
completely. The two new switches allow SSSD to talk to a different
server or a proxy. To see how it is working you can do the following:
- call 'make check' to build and run all the tests
- call './pam-srv-tests' to run the PAM responder tests but do not let
it complete but stop it with CTRL-C. This is needed to create the test
nss database in /dev/shm/tp_pam_srv_tests-test_pam_srv/, it can be
created differently but this way it is easiest :-)
- add an OCSP signing cert with
echo "<base64-encoded OCSP signing certificate, omitted here>" | base64 -d | certutil -A -d sql:/dev/shm/tp_pam_srv_tests-test_pam_srv -t TC,TC,TC -n ocsp_cert
the NSS library call checks this certificate first before trying to connect to
the OCSP responder, so a valid one with the right key usage must be added to
make NSS try to reach the new OCSP responder
- call
strace -s 128 -f -esend .libs/lt-p11_child --debug-microseconds=1 --debug-timestamps=1 --debug-to-stderr --debug-level=10 --pre --nssdb sql:/dev/shm/tp_pam_srv_tests-test_pam_srv
where you should see lines like
send(7, "\313D\1\0\0\1\0\0\0\0\0\0\6ipa-ca\3ipa\5devel\0\0\1\0\1", 34, MSG_NOSIGNAL) = 34
from the DNS lookups for ipa-ca.ipa.devel which is the OCSP server from the
ticket
- call
strace -s 128 -f -esend ./p11_child --debug-microseconds=1 --debug-timestamps=1 --debug-to-stderr --debug-level=10 --pre --nssdb sql:/dev/shm/tp_pam_srv_tests-test_pam_srv --verify 'ocsp_default_responder=http://oooo.cccc.ssss.pppp:80,ocsp_default_responder_signing_cert=ocsp_cert'
where you should now see lines like
send(7, "yO\1\0\0\1\0\0\0\0\0\0\4oooo\4cccc\4ssss\4pppp\0\0\1\0\1", 37, MSG_NOSIGNAL) = 37
from the DNS lookups for the OCSP responder from the command line.
Of course all the validations will fail with "Certificate [SSSD Test
Token:Server-Cert][CN=ipa-devel.ipa.devel,O=IPA.DEVEL] not valid [-8071],
skipping" because none of the OCSP responders are available but I think this
test is sufficient to see that the patch is working as expected.
bye,
Sumit
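To confirm which OCSP responder host p11_child is actually resolving, the DNS query bytes in the strace lines above can be decoded. The following is an added example (not part of SSSD or of these patches) that parses the two captured queries, re-typed here as Python bytes literals, and checks the queried name against the host in the ocsp_default_responder URL.

```python
"""Decode the DNS query payloads that strace shows p11_child sending."""
import struct
from urllib.parse import urlsplit

# The two send() payloads from the strace output, re-typed from the
# C-style octal escapes into Python bytes literals.
QUERY_DEFAULT = b"\313D\1\0\0\1\0\0\0\0\0\0\6ipa-ca\3ipa\5devel\0\0\1\0\1"
QUERY_OVERRIDE = b"yO\1\0\0\1\0\0\0\0\0\0\4oooo\4cccc\4ssss\4pppp\0\0\1\0\1"

QTYPE_NAMES = {1: "A", 28: "AAAA"}


def parse_dns_question(payload):
    """Return (qname, qtype, qclass) of the first question in a DNS message.

    Only uncompressed names are handled, which is all a client query
    contains. Raises ValueError on a truncated or malformed packet.
    """
    if len(payload) < 12:
        raise ValueError("DNS header truncated")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(payload):
            raise ValueError("qname truncated")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in query name")
        if pos + length > len(payload):
            raise ValueError("label truncated")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("question fields truncated")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def resolves_configured_responder(payload, ocsp_default_responder):
    """True if the query is for the host named in the ocsp_default_responder URL."""
    qname, _qtype, _qclass = parse_dns_question(payload)
    return qname.lower() == urlsplit(ocsp_default_responder).hostname.lower()


if __name__ == "__main__":
    for query in (QUERY_DEFAULT, QUERY_OVERRIDE):
        name, qtype, _ = parse_dns_question(query)
        print(name, QTYPE_NAMES.get(qtype, qtype))
```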