URL: https://github.com/SSSD/sssd/pull/415
Author: lslebodn
Title: #415: Revert "IPA: Only generate kdcinfo files on clients"
Action: opened
PR body:
"""
This reverts commit a309525cc47da726461aec1f238165c17aade2a6.
Even though original patch was correct it is better to revert it
because otherwise we hit a bug in MIT krb5 when fallback to admin_server
if kpasswd_server is not set does not work.
And it would take some time to propagate krb5 fix to downstream
distributions.
https://bugzilla.redhat.com/show_bug.cgi?id=1498347
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/415/head:pr415
git checkout pr415
URL: https://github.com/SSSD/sssd/pull/275
Author: akamensky
Title: #275: Implement access verification by rhost using ldap_access_order rhost option
Action: opened
PR body:
"""
TL;DR - this is to implement functionality similar to both of `sshd_config:AllowUsers` and of `PAM's own rhost verification`.
This was asked in IRC and [mailing list](https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorah… (with little follow up in both). The reasoning behind implementation can be seen in linked mailing list thread.
Current PR provides basic functionality of comparing rhost (from pam) with values stored in LDAP. To enable this set `ldap_access_order = rhost` and `ldap_user_authorized_rhost = <ldap_field_name| default: rhost>` in sssd.conf.
It _currently*_ provides similar rule evaluation as currently it works for host based authentication.
TODO:
- [ ] Finalize logic of using DNS/rDNS for rules validation (currently working on basic idea how it should work - any help here?)
- [ ] Implement use of DNS/rDNS (with optional switch to enable/disable)
- [ ] Documentation
- [ ] Test coverage (didn't see test coverage for host auth, so is it needed?)
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/275/head:pr275
git checkout pr275
URL: https://github.com/SSSD/sssd/pull/374
Author: justin-stephenson
Title: #374: IPA: Add threshold for sudo command and command group searches
Action: opened
PR body:
"""
In large IPA environments where a high number of sudo commands and command groups are used, retrieval of sudo data can lead to SSSD constructing an overly large search filter which is not handled well on the ns-slapd side.
This PR implements a threshold by adding the `ipa_sudo_command_threshold` option (defaults to 50) which is used to prevent the large search filter from being created, an idea similar to https://github.com/SSSD/sssd/pull/319
Additionally, a commit was added to rename the **sudo_threshold** option to **sudo_rules_threshold**. This can be dropped if it seems unnecessary but I thought I would add it.
This can be reproduced by adding more sudo commands/command groups than the defined `ipa_sudo_command_threshold` in sssd.conf and checking the search filter used in the domain log or dirsrv access logs. If the threshold is not exceeded, the searches will still include the sudo command groups and command groups in the search filter.
I tested this on both the IPA server and IPA client by verifying sudo commands work as expected when the threshold is exceeded for IPA and AD trust users, and `sudo -l` command is the same as before the patch.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/374/head:pr374
git checkout pr374
URL: https://github.com/SSSD/sssd/pull/409
Author: sumit-bose
Title: #409: sss_client: refactor internal timeout handling
Action: opened
PR body:
"""
This patch adds a timeout option to the internal client calls so that
the timeout is not hard-coded anymore in the low level poll() calls but
can be set by the caller with sss_nss_make_request_timeout(). Since the
old timeout value is not changed by this patch there is no functional
change expected.
Related to https://pagure.io/SSSD/sssd/issue/2478
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/409/head:pr409
git checkout pr409
URL: https://github.com/SSSD/sssd/pull/404
Author: fidencio
Title: #404: Log to syslog whether the DP is online or offline
Action: opened
PR body:
"""
This PR is supposed to cover a small bit of https://pagure.io/SSSD/sssd/issue/3155 and log to syslog whether the DP is online or offline.
Hopefully by logging this to syslog it'll help admins to find out those issues in a simpler way as nowadays they'd have to enable the logs, search for this info there ... which is not exactly handy.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/404/head:pr404
git checkout pr404
Hi,
Because of a downstream deadline, we need to release the next SSSD tarball
by the end of next week, or at the beginning of the next one at the latest.
And the 1.16.0 milestone is still really big and there are still tickets
in 1.15.4, so I'm trying to trim 1.16.0 and merge it with 1.15.4,
because realistically, I don't think we have another choice.
Here's what I propose should *stay* in 1.16.0. Any other tickets should
be moved to 1.16.1:
- https://pagure.io/SSSD/sssd/issue/3507 - Long search filters are
  created during IPA sudo command + command group retrieval
    - there is a PR which pbrezina is assigned to. Let's keep the
      ticket for now, if the PR can't be reviewed in time, we will
      move the ticket. Downstreams can always patch their tarball
- https://pagure.io/SSSD/sssd/issue/3496 - [RFE] Add a configuration
  option to SSSD to disable the memory cache
    - there is a PR already, let's review it
- https://pagure.io/SSSD/sssd/issue/1872 - [RFE] Support User
  Private Groups for main domains, too
    - there is a PR already, let's review it
- https://pagure.io/SSSD/sssd/issue/3503 - Do not index objectclass,
  add and index objectcategory instead
    - this is WIP, there was already a PR at one point
- https://pagure.io/SSSD/sssd/issue/2653 - Group renaming issue when
  "id_provider = ldap" is set.
    - there is a PR already and a test, let's review both
- https://pagure.io/SSSD/sssd/issue/2727 - Add a memcache for
  SID-by-id lookups
    - Sumit indicated that this is WIP, but we can move the ticket
      to 1.16.1 if the PR doesn't make the cut
- https://pagure.io/SSSD/sssd/issue/3468 - SSSD doesn't use AD
  global catalog for gidnumber lookup, resulting in unacceptable
  delay for large forests
    - I'm working on this now
- https://pagure.io/SSSD/sssd/issue/3307 - RFE: Log to syslog when
  sssd cannot contact servers, goes offline
    - Fabiano is working on this
- https://pagure.io/SSSD/sssd/issue/3265 - [RFE] sssd should
  remember DNS sites from first search
    - I'd like to have this ticket fixed for the next release and
      per discussion with Pavel, it's not a lot of work either
- https://pagure.io/SSSD/sssd/issue/3264 - [RFE] Make 2FA prompting
  configurable
    - same as above
At the same time, I would like to change the "Milestone" tag of all bugs
that were fixed in 1.15.4 to 1.16.0 and do not release another 1.15.x
version at all, but go straight to 1.16.0.
And finally, all the unfinished tickets in 1.15.4 would be moved to 1.16.1
and at the same time triaged, because there are some tickets that can be
closed or moved to a future milestone completely.
Opinions?
URL: https://github.com/SSSD/sssd/pull/375
Author: lslebodn
Title: #375: sssd-1.13 Backported patches for ticket 3505
Action: opened
PR body:
"""
I would appreciate testing with latest 1.13 branch because it was already reviewed as part of 1.14.1 release
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/375/head:pr375
git checkout pr375