Regarding sssd.conf syntax check, going thru dinglib
by amit kumar
Hello,
Present Behavior:
# vim /usr/local/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP
[domain/LDAP]
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap9001   <== 'sssctl config_check' does not report this (1)
ldap_uri = ldap://server.example.com
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = tt   <== 'sssctl config_check' does not report this (2)
klala = 1   <== 'sssctl config_check' reports this (3)
My Interpretation:
sss_ini_call_validators_errobj() // sssd/src/util/sss_ini.c
ini_rules_read_from_file(rules_path, &rules_cfgobj);
// rules_path = /usr/share/sssd/cfg_rules.ini {All keywords on the left
// side of an assignment are rules, which are read from cfg_rules.ini and
// fill in struct ini_cfgobj}
Why does sssd report 3? Because the rule is not present in cfg_rules.ini.
Why does sssd not report 1, 2? Maybe
- Because there is no such check in ding-lib about values of options.
- OR Check is broken. I also find
# cat /root/ding-libs-0.6.0/ini/ini.d/mysssd.conf
[service]
# Options available to all services
debug_level = int, None, false   <== Now what's this syntax? If it takes int, then is this broken?
Please throw some light...
--
Thanks
Amit Kumar
There are three ways to get something done:
(1) Do it yourself.
(2) Hire someone to do it for you.
(3) Forbid your kids to do it.
7 years
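The name-only rule check described in the question, beside a value-aware variant, as an added example in Python (not sssd's or ding-libs' code): the RULES table, its glob and regex syntax, and the provider-name subset are assumptions; it reproduces the post's sssd.conf and shows why a check on option names alone reports case 3 but not cases 1 and 2.

```python
import configparser
import fnmatch
import re

SAMPLE_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP
[domain/LDAP]
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap9001
ldap_uri = ldap://server.example.com
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = tt
klala = 1
"""

# Assumed rule table (section glob -> {option: value regex or None}). It models
# the idea of cfg_rules.ini, i.e. which option names a section may hold, and adds
# a value pattern; the real syntax and the full provider list are not reproduced.
RULES = {
    "sssd": {"services": None, "config_file_version": r"\d+", "domains": None},
    "domain/*": {
        "ldap_search_base": None, "ldap_uri": None, "ldap_tls_cacert": None,
        "id_provider": r"ldap|ipa|ad|proxy|local|files",
        "auth_provider": r"ldap|ipa|ad|krb5|proxy|local|none",
        "ldap_id_use_start_tls": r"(?i)true|false", "debug_level": r"\d+|0x[0-9a-fA-F]+",
    },
}

def rules_for(section):
    """Match a section such as [domain/LDAP] to its rule set; {} if unknown."""
    return next((o for p, o in RULES.items() if fnmatch.fnmatchcase(section, p)), {})

def config_check(conf_text, check_values):
    """Return (section, option, problem) triples. check_values=False is a
    name-only check, which is why cases 1 and 2 go unreported by it."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    findings = []
    for section in cfg.sections():
        options = rules_for(section)
        for option, value in cfg.items(section):
            if option not in options:
                findings.append((section, option, "unknown option"))
            elif check_values and options[option] and not re.fullmatch(options[option], value):
                findings.append((section, option, f"bad value {value!r}"))
    return findings
```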
Data Provider is offline
by Michaël Van de Borne
Hi all,
So I have 2 Centos7 hosts, with same sssd and nsswitch configs.
One does find the users in IPA, and the other doesn't.
Looks like the Data Provider is offline.
I sent the SIGUSR2 signal to sssd which is supposed to bring him online.
Didn't help.
The hosts can resolve the IPA server hostname. SElinux is enforced.
Iptables is disabled.
here's my sssd.conf
[domain/vgt.vito.be]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = vgt.vito.be
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = epoddev8.vgt.vito.be
chpass_provider = ipa
ipa_server = _srv_, epoddev5.vgt.vito.be
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 7
[sssd]
services = nss, sudo, pam, ssh
domains = vgt.vito.be
[nss]
homedir_substring = /home
debug_level = 7
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
here's the log of sssd_nss.log
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [vdbornem].
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'vdbornem' matched without domain, user is vdbornem
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [vdbornem] from [<ALL>]
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [vdbornem@vgt.vito.be]
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f7ffd1d1880:1:vdbornem@vgt.vito.be@vgt.vito.be]
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [vgt.vito.be][0x1][BE_REQ_USER][1][name=vdbornem@vgt.vito.be:-]
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f7ffd1d1880:1:vdbornem@vgt.vito.be@vgt.vito.be]
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 5, Failed to get reply from Data Provider
Will try to return what we have in cache
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f7ffd1d1880:1:vdbornem@vgt.vito.be@vgt.vito.be]
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
Any ideas appreciated.
Thank you,
Cheers,
m.
7 years
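Added example, not from the post or from sssd: a small parser for the sssd log line format seen above, run over lines constructed from the excerpt, that ties each Data Provider request id to the reply that follows it, so the DataProvider.Offline error can be found without reading the whole log. The field names and the outcome labels are my own.

```python
import re

# Constructed from the sssd_nss.log excerpt in the post (wrapped lines joined);
# the callback entry keeps the two continuation lines sssd writes after it.
SAMPLE_LOG = """\
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [vdbornem].
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f7ffd1d1880:1:vdbornem@vgt.vito.be@vgt.vito.be]
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 5, Failed to get reply from Data Provider
Will try to return what we have in cache
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f7ffd1d1880:1:vdbornem@vgt.vito.be@vgt.vito.be]
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
"""

# One sssd log record: (timestamp) [sssd[service]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<svc>[^\]]+)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

def parse(log_text):
    """Return one dict per record; lines without a header are continuation
    lines and are appended to the previous record's message."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"], 16)   # debug level bit of the line
            records.append(rec)
        elif records:
            records[-1]["msg"] += "\n" + line
    return records

def dp_request_outcomes(log_text):
    """Map each Data Provider request id to 'offline', 'error' or 'ok' by
    pairing sss_dp_issue_request with the sss_dp_get_reply that follows it."""
    outcomes, current = {}, None
    for rec in parse(log_text):
        if rec["func"] == "sss_dp_issue_request":
            current = rec["msg"].split("[", 1)[1].rstrip("]")
            outcomes[current] = "ok"
        elif rec["func"] == "sss_dp_get_reply" and current:
            offline = "DataProvider.Offline" in rec["msg"]
            outcomes[current] = "offline" if offline else "error"
    return outcomes
```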
[sssd PR#198][opened] secrets: support https in proxy provider
by pbrezina
URL: https://github.com/SSSD/sssd/pull/198
Author: pbrezina
Title: #198: secrets: support https in proxy provider
Action: opened
PR body:
"""
I had to switch to libcurl as a client in order to communicate properly over HTTPS protocol.
I added several new options that are necessary to initialize SSL (which certificates should
be used and whether to check hostname in server's certificate or not).
* Example SSSD configuration:
```
[secrets]
debug_level = 0x3ff0
[secrets/users/10001]
provider = proxy
proxy_url = https://custodia.pb:10443/secrets
auth_type = header
auth_header_name = REMOTE_USER
auth_header_value = mysecretkey
cacert = /home/pbrezina/Downloads/cer/custodia-ca.pem
cert = /home/pbrezina/Downloads/cer/custodia-client.pem
key = /home/pbrezina/Downloads/cer/custodia-client.key
verify_host = false
```
* Example custodia configuration (just modify the default configuration, keeping the rest of the options intact):
```
[global]
server_version = "Secret/0.0.7"
debug = True
server_url = https://0.0.0.0:10443
tls_certfile = tests/ca/custodia-server.pem
tls_keyfile = tests/ca/custodia-server.key
tls_cafile = tests/ca/custodia-ca.pem
tls_verify_client = true
umask = 027
[auth:header]
handler = SimpleHeaderAuth
header = REMOTE_USER
value = mysecretkey
[authz:paths]
handler = SimplePathAuthz
paths = /.
```
* Download certificates and key to your client and you can use it like this
```shell
curl -v -H "Content-Type: application/json" -H "REMOTE_USER: mysecretkey" --unix-socket /var/run/secrets.socket -X POST http://localhost/secrets/mysecretkey/
curl -v -H "Content-Type: application/json" -H "REMOTE_USER: mysecretkey" --unix-socket /var/run/secrets.socket -X PUT http://localhost/secrets/mysecretkey/foo -d'{"type":"simple","value":"foosecret"}'
curl -v -H "Content-Type: application/json" -H "REMOTE_USER: mysecretkey" --unix-socket /var/run/secrets.socket -X POST http://localhost/secrets/mysecretkey/foo
curl -v -H "Content-Type: application/json" -H "REMOTE_USER: mysecretkey" --unix-socket /var/run/secrets.socket -X DELETE http://localhost/secrets/mysecretkey/foo
curl -v -H "Content-Type: application/json" -H "REMOTE_USER: mysecretkey" --unix-socket /var/run/secrets.socket -X DELETE http://localhost/secrets/mysecretkey/
```
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/198/head:pr198
git checkout pr198
7 years
[sssd PR#215][opened] Support for non-POSIX users and groups
by jhrozek
URL: https://github.com/SSSD/sssd/pull/215
Author: jhrozek
Title: #215: Support for non-POSIX users and groups
Action: opened
PR body:
"""
This PR implements https://pagure.io/SSSD/sssd/issue/3310
The goal is to enable application users through the Apache modules or
directly through the IFP interface and the PAM interface to authenticate
users.
To reproduce, you can add users w/o POSIX information like this to LDAP:
dn: uid=nonposix,cn=users,cn=accounts,dc=ipa,dc=test
displayName: new user
uid: nonposix
krbCanonicalName: nonposix@IPA.TEST
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: mepOriginEntry
initials: nu
sn: user
mail: nonposix@ipa.test
krbPrincipalName: nonposix@IPA.TEST
givenName: new
cn: new user
And optionally add the user to groups, like this:
dn: cn=npgr2,cn=groups,cn=accounts,dc=ipa,dc=test
objectClass: ipaobject
objectClass: top
objectClass: ipausergroup
objectClass: groupofnames
objectClass: nestedgroup
cn: npgr2
member: uid=nonposix,cn=users,cn=accounts,dc=ipa,dc=test
Then, the D-Bus calls like GetUserAttrs should resolve extra attributes
of the users, the groups the users are in should be resolvable as well.
In addition, PAM authentication should work against application domains
as long as the service invoking the PAM conversation is listed in the
'pam_app_services' option.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/215/head:pr215
git checkout pr215
7 years
[sssd PR#209][opened] IPA: lookup AD users by certificates on IPA clients
by sumit-bose
URL: https://github.com/SSSD/sssd/pull/209
Author: sumit-bose
Title: #209: IPA: lookup AD users by certificates on IPA clients
Action: opened
PR body:
"""
Get a list of users mapped to a certificate back from the IPA server, look
them up and store them together with the certificate used for the search as
mapped attribute to the cache.
Related to https://pagure.io/SSSD/sssd/issue/3050
This is another puzzle piece of looking up users by certificate, this time for
AD users on IPA clients. If you think it should not run under #3050 anymore
please let me know, then I'll open a new ticket.
It turned out that although most of the code was already there to look up AD
users with the whole certificate, it so far never worked, see 3rd patch. Even if
this is fixed, the fix from a0b1bfa76073d3ce3208e67e6d72bb92088edac5 is needed
on the IPA server side as well to allow the processing of reasonably sized
certificates.
Since it never worked, I took the opportunity to replace the single user lookup
with a lookup which returns a list of users to support mapping a certificate to
multiple users. To test this the IPA server side must use the patch from
https://github.com/freeipa/freeipa/pull/644 to get the user list reply.
To test it the InfoPipe or python listbycert request can be used.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/209/head:pr209
git checkout pr209
7 years