[sssd PR#268][opened] pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT
by sumit-bose
URL: https://github.com/SSSD/sssd/pull/268
Author: sumit-bose
Title: #268: pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT
Action: opened
PR body:
"""
This patchset got lost when I prepared the certificate mapping patch set.
Applications like gdm with enabled Smartcard support will try to determine the
user based on data from the certificate, or expect that it is done for them,
and hence do not prompt for a user name. If a certificate is mapped to multiple
accounts this cannot work because it is not clear which account should be used.
In this case a 'user name hint' must be given by the user to help the
application find the right user.
To get a consistent user experience while still only prompting for a PIN in
environments where a certificate is uniquely mapped to only a single user, IPA
offers the 'ipa certmapconfig-mod --promptusername=BOOL' command to switch
'user name hinting' on or off.
To test the behavior 'sssctl user-checks' can be used.
/etc/pam.d/smartcard-auth should be configured for SSSD, like:
...
auth required pam_env.so
auth sufficient pam_sss.so allow_missing_name
auth required pam_deny.so
...
If now a Smartcard is inserted where the certificate is mapped to multiple
users you will see:
user:
action: auth
service: gdm-smartcard
testing pam_authenticate
PIN for AD.DEVEL Admin (OpenSC Card)
User name hint:
pam_authenticate for user []: Authentication failure
PAM Environment:
- PKCS11_LOGIN_TOKEN_NAME=AD.DEVEL Admin (OpenSC Card)
if no user name hint is given and
user:
action: auth
service: gdm-smartcard
testing pam_authenticate
PIN for AD.DEVEL Admin (OpenSC Card)
User name hint: scuser
pam_authenticate for user [scuser]: Success
PAM Environment:
- PKCS11_LOGIN_TOKEN_NAME=AD.DEVEL Admin (OpenSC Card)
if a suitable user name hint was given.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/268/head:pr268
git checkout pr268
6 years, 10 months
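The application side of the flow described in the PR, as an added example that is not part of the PR or of SSSD's code: a PAM client conversation handler that answers pam_sss's echo-off PIN prompt and its echo-on "User name hint:" prompt, starts the stack with no user name (the allow_missing_name case) and reads back which account pam_sss settled on via PAM_USER. The PAM constants and calls are Linux-PAM's; the names hint_ctx, answer_prompt, answer_for, hint_conv and smartcard_auth, the HAVE_PAM guard, and the sample PIN and hint are this example's own. Without -DHAVE_PAM -lpam the block compiles and runs the prompt routing alone against constructed prompts taken from the sssctl output above.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Linux-PAM message styles from <security/pam_appl.h>, duplicated here so the
 * prompt-routing logic compiles and runs without libpam installed. */
enum {
    MSG_PROMPT_ECHO_OFF = 1,  /* PAM_PROMPT_ECHO_OFF: "PIN for <token>" */
    MSG_PROMPT_ECHO_ON  = 2,  /* PAM_PROMPT_ECHO_ON:  "User name hint:" */
    MSG_ERROR_MSG       = 3,  /* PAM_ERROR_MSG */
    MSG_TEXT_INFO       = 4   /* PAM_TEXT_INFO */
};

/* What the application collected from the user (assumed names). */
struct hint_ctx {
    const char *pin;   /* PIN typed by the user */
    const char *hint;  /* user name hint; NULL or "" if none was given */
};

/* Answer one prompt. Returns a malloc()ed reply, as pam_response.resp must be,
 * or NULL for messages that take no reply. An empty hint reproduces the failing
 * case in the PR: pam_sss cannot pick one of several mapped accounts. */
static char *answer_prompt(int style, const char *msg, const struct hint_ctx *ctx)
{
    switch (style) {
    case MSG_PROMPT_ECHO_OFF:
        return strdup(ctx->pin ? ctx->pin : "");
    case MSG_PROMPT_ECHO_ON:
        if (strncmp(msg, "User name hint", 14) == 0)
            return strdup(ctx->hint ? ctx->hint : "");
        return NULL;  /* an echo-on prompt this client does not know */
    default:
        return NULL;  /* PAM_TEXT_INFO / PAM_ERROR_MSG: nothing to answer */
    }
}

/* Wrapper so the routing can be exercised directly on a single prompt. */
static char *answer_for(int style, const char *msg, const char *pin, const char *hint)
{
    struct hint_ctx ctx = { pin, hint };
    return answer_prompt(style, msg, &ctx);
}

#ifdef HAVE_PAM   /* build with -DHAVE_PAM -lpam to get the real client */
#include <security/pam_appl.h>

/* Conversation callback: answer every message in the batch pam_sss sends. */
static int hint_conv(int num_msg, const struct pam_message **msg,
                     struct pam_response **resp, void *appdata_ptr)
{
    const struct hint_ctx *ctx = appdata_ptr;
    struct pam_response *r;
    int i;

    if (num_msg <= 0)
        return PAM_CONV_ERR;
    r = calloc((size_t)num_msg, sizeof(*r));
    if (r == NULL)
        return PAM_BUF_ERR;
    for (i = 0; i < num_msg; i++)
        r[i].resp = answer_prompt(msg[i]->msg_style, msg[i]->msg, ctx);
    *resp = r;
    return PAM_SUCCESS;
}

/* gdm-style flow: start with no user name (pam_sss allow_missing_name),
 * authenticate, then read back the account pam_sss determined. */
static int smartcard_auth(const char *service, const struct hint_ctx *ctx,
                          char *user_out, size_t user_len)
{
    struct pam_conv conv = { hint_conv, (void *)ctx };
    pam_handle_t *pamh = NULL;
    const void *user = NULL;
    int rc;

    rc = pam_start(service, NULL, &conv, &pamh);
    if (rc != PAM_SUCCESS)
        return rc;
    rc = pam_authenticate(pamh, 0);
    if (rc == PAM_SUCCESS &&
        pam_get_item(pamh, PAM_USER, &user) == PAM_SUCCESS && user != NULL)
        snprintf(user_out, user_len, "%s", (const char *)user);
    pam_end(pamh, rc);
    return rc;
}
#endif

int main(void)
{
#ifdef HAVE_PAM
    struct hint_ctx ctx = { "1234", "scuser" };   /* constructed input */
    char user[256] = "";
    int rc = smartcard_auth("gdm-smartcard", &ctx, user, sizeof user);
    printf("pam_authenticate for user [%s]: %s\n", user, pam_strerror(NULL, rc));
#else
    /* Constructed prompts matching the sssctl output quoted in the PR. */
    char *pin  = answer_for(MSG_PROMPT_ECHO_OFF, "PIN for AD.DEVEL Admin (OpenSC Card)", "1234", "scuser");
    char *hint = answer_for(MSG_PROMPT_ECHO_ON,  "User name hint: ", "1234", "scuser");
    printf("PIN reply: %s\nhint reply: %s\n", pin, hint);
    free(pin);
    free(hint);
#endif
    return 0;
}
```

The point worth noticing is that a client which only ever answers PAM_PROMPT_ECHO_OFF (PIN) will return nothing for the hint prompt, which is exactly the "pam_authenticate for user []: Authentication failure" case above once a certificate maps to more than one account.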
[sssd PR#226][opened] Config check regex
by mzidek-rh
URL: https://github.com/SSSD/sssd/pull/226
Author: mzidek-rh
Title: #226: Config check regex
Action: opened
PR body:
"""
Some updates for src/config/cfg_rules.ini
The most controversial is the third patch. It removes the special rule for application domains and only uses the rule for normal domains in both application and normal domains. The reason is that the validator ini_allowed_options checks all sections that match the regex in section_re and allows only listed options. This is done for all rules that use that validator separately and there is no 'include' directive or anything like that. So we can either duplicate all the options from the domain section or allow the one mistake where inherit_from used in a normal domain section will be undetected. I am more in favor of the second option, because adding inherit_from by mistake is unlikely and the rules look better this way.
However it would be good to enhance libini to add a solution for this by introducing the ability to somehow merge the rules.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/226/head:pr226
git checkout pr226
6 years, 10 months
[sssd PR#290][opened] SECRETS: Fix warning Wpointer-bool-conversion
by lslebodn
URL: https://github.com/SSSD/sssd/pull/290
Author: lslebodn
Title: #290: SECRETS: Fix warning Wpointer-bool-conversion
Action: opened
PR body:
"""
I was playing with clang after a longer period and found this issue.
Debug messages would always say that verify_peer and verify_host
are enabled, even though they were explicitly disabled.
src/responder/secrets/proxy.c:143:18: error:
address of 'cfg->verify_peer' will always evaluate to
'true' [-Werror,-Wpointer-bool-conversion]
(&cfg->verify_peer ? "true" : "false"));
~~~~~^~~~~~~~~~~ ~
src/util/debug.h:108:32: note: expanded from macro 'DEBUG'
format, ##__VA_ARGS__); \
^~~~~~~~~~~
src/responder/secrets/proxy.c:149:18: error:
address of 'cfg->verify_host' will always evaluate to
'true' [-Werror,-Wpointer-bool-conversion]
(&cfg->verify_host ? "true" : "false"));
~~~~~^~~~~~~~~~~ ~
src/util/debug.h:108:32: note: expanded from macro 'DEBUG'
format, ##__VA_ARGS__); \
^~~~~~~~~~~
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/290/head:pr290
git checkout pr290
6 years, 10 months
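The pattern clang flagged, shown as an added example rather than the SSSD patch itself: the address-of form from the diagnostic next to the corrected form, plus a helper that checks whether the logged string agrees with the configuration. struct proxy_cfg here is a stand-in with only the two fields named in the PR; the function names are this example's own. The pragmas silence the warning only so the buggy variant compiles beside the fixed one for comparison; in a real build you want the diagnostic to fail the build, as it did here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the secrets proxy config; only the two fields named in the
 * PR are modelled, everything else about the real struct is assumed. */
struct proxy_cfg {
    bool verify_peer;
    bool verify_host;
};

static const char *bool_str(bool v)
{
    return v ? "true" : "false";
}

/* Buggy form: '&' yields the address of the member, and the address of a
 * struct field is never NULL, so the condition is always true and the log
 * claims TLS verification is on even when the config turned it off. */
#if defined(__clang__)
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wpointer-bool-conversion"
#elif defined(__GNUC__)
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Waddress"
#endif
static int describe_buggy(const struct proxy_cfg *cfg, char *buf, size_t n)
{
    return snprintf(buf, n, "verify_peer=%s verify_host=%s",
                    (&cfg->verify_peer ? "true" : "false"),
                    (&cfg->verify_host ? "true" : "false"));
}
#if defined(__clang__)
#pragma clang diagnostic pop
#elif defined(__GNUC__)
#pragma GCC diagnostic pop
#endif

/* Fixed form: test the value, not its address. */
static int describe_fixed(const struct proxy_cfg *cfg, char *buf, size_t n)
{
    return snprintf(buf, n, "verify_peer=%s verify_host=%s",
                    bool_str(cfg->verify_peer), bool_str(cfg->verify_host));
}

/* Does the debug line (buggy or fixed) match what the config actually says? */
static bool log_matches_config(bool peer, bool host, bool buggy)
{
    struct proxy_cfg cfg = { peer, host };
    char got[64], want[64];

    snprintf(want, sizeof want, "verify_peer=%s verify_host=%s",
             bool_str(peer), bool_str(host));
    if (buggy)
        describe_buggy(&cfg, got, sizeof got);
    else
        describe_fixed(&cfg, got, sizeof got);
    return strcmp(got, want) == 0;
}

int main(void)
{
    struct proxy_cfg off = { false, false };   /* verification explicitly disabled */
    char line[64];

    describe_buggy(&off, line, sizeof line);
    printf("buggy: %s\n", line);
    describe_fixed(&off, line, sizeof line);
    printf("fixed: %s\n", line);
    return 0;
}
```

Operationally this matters more than a cosmetic log bug: someone reading the secrets proxy debug output to confirm that peer and host verification are on would have been told so regardless of the actual setting.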
[sssd PR#267][opened] IFP: Resolve group names from GIDs if required
by jhrozek
URL: https://github.com/SSSD/sssd/pull/267
Author: jhrozek
Title: #267: IFP: Resolve group names from GIDs if required
Action: opened
PR body:
"""
Resolves:
https://pagure.io/SSSD/sssd/issue/3392
The AD provider only converts SIDs to GIDs during initgroups to improve
performance. But this is not sufficient for the
org.freedesktop.sssd.infopipe.GetUserGroups method, which needs to return
names.
We need to resolve the GIDs to names ourselves in that method. In the ticket,
@fidencio suggested that solving this might be easier in the cache_req
module. We should discuss if this alternative approach makes sense or not,
but since I already had these patches, we might as well discuss that in
this PR.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/267/head:pr267
git checkout pr267
6 years, 10 months
[sssd PR#287][opened] SSSDConfig: Handle integer parsing more leniently
by lslebodn
URL: https://github.com/SSSD/sssd/pull/287
Author: lslebodn
Title: #287: SSSDConfig: Handle integer parsing more leniently
Action: opened
PR body:
"""
debug_level is usually defined as decimal value <= 10
or as a hexadecimal value which is used as a bitmask
Parsing of hexadecimal value was partially fixed by commit
7fac271ccebb84743c39f553eb5ec013cf1d10aa but only for
sssd domains. It was not fixed for sssd services.
File "/usr/share/authconfig/authinfo.py", line 3142, in writeSSSDPAM
pam = self.sssdConfig.get_service('pam')
File "/usr/lib/python3.6/site-packages/SSSDConfig/__init__.py", line 1620, in get_service
service.set_option(opt['name'], opt['value'])
File "/usr/lib/python3.6/site-packages/SSSDConfig/__init__.py", line 932, in set_option
(option_schema[0], optionname, type(value)))
TypeError: Expected <class 'int'> for debug_level, received <class 'str'>
Resolves:
https://pagure.io/SSSD/sssd/issue/341
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/287/head:pr287
git checkout pr287
6 years, 10 months
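An added example, not SSSDConfig's code (which is Python) nor SSSD's own C parser: a debug_level parser in C that accepts both spellings the PR describes, a decimal level or a 0x-prefixed hexadecimal bitmask in either case of the prefix, while rejecting what strtoul alone would silently accept (signs, trailing garbage, a bare "0x", overflow). The enum and struct names, and the 0..10 ceiling for decimal levels, are this example's assumptions taken from the PR text.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Classification of a debug_level string (names are this example's own). */
enum dl_kind { DL_INVALID = 0, DL_LEVEL, DL_BITMASK };

struct debug_level {
    enum dl_kind kind;
    unsigned long value;
};

/* Parse debug_level as the PR describes it: a decimal level (assumed 0..10
 * here) or a 0x/0X-prefixed hexadecimal bitmask. Surrounding whitespace is
 * tolerated; empty strings, signs, trailing garbage, "0x" without digits and
 * overflow are rejected rather than truncated or wrapped. */
static struct debug_level parse_debug_level(const char *s)
{
    struct debug_level r = { DL_INVALID, 0 };
    char *end;
    unsigned long v;
    int hex;

    if (s == NULL)
        return r;
    while (isspace((unsigned char)*s))
        s++;
    if (*s == '\0' || *s == '-' || *s == '+')
        return r;                      /* strtoul would accept "-1" and wrap */
    hex = (s[0] == '0' && (s[1] == 'x' || s[1] == 'X'));
    if (hex && !isxdigit((unsigned char)s[2]))
        return r;                      /* bare "0x" */
    errno = 0;
    v = strtoul(s, &end, hex ? 16 : 10);
    if (errno == ERANGE || end == s)
        return r;
    while (isspace((unsigned char)*end))
        end++;
    if (*end != '\0')
        return r;                      /* "9abc" and friends */
    if (hex) {
        r.kind = DL_BITMASK;
    } else {
        if (v > 10)
            return r;                  /* decimal levels are small integers */
        r.kind = DL_LEVEL;
    }
    r.value = v;
    return r;
}

int main(void)
{
    /* Constructed inputs; the hex form is the one the PR says services mishandled. */
    const char *samples[] = { "9", "0x3ff0", "0X3FF0", " 7 ", "11", "9abc", "-1", "0x", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct debug_level d = parse_debug_level(samples[i]);
        printf("%-8s -> %s", samples[i],
               d.kind == DL_LEVEL ? "level" : d.kind == DL_BITMASK ? "bitmask" : "invalid");
        if (d.kind != DL_INVALID)
            printf(" 0x%lx", d.value);
        printf("\n");
    }
    return 0;
}
```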
Build for RHEL7
by Joseph Fischetti
Hi,
I'll start by saying that much of the documentation seems to have been lost/moved after the project got moved off of fedorahosted.org. The only way I was able to get to the build instructions was via the wayback machine (https://web.archive.org/web/20170103042748/https://fedorahosted.org/sssd/...). In addition, I'm not a full time developer.
We have an LDAP server, and due to reasons out of my control from a time long long before me, our uid field contains multiple entries. When users log on, if their uid isn't matched to the rdn value, sssd defaults to using the first entry (which you all know). This doesn't work for us because we can't predict (or change) the order of the values, though we'd like to make sure a certain uid is always used.
The uid that we use internally is of a certain format (we prepend certain characters based on classification). I've rewritten one of the functions in sysdb.c to check for a uid that matches the format before defaulting to the first one. I've compiled/tested it on fedora 25 and it works as intended. i.e. Users are able to log in with their intended uid regardless of its order in LDAP. However, we use RHEL7. I can't build directly on a rhel7 machine because there's a large list of dependencies that can't be resolved. The list is below.
Could someone help point me in the direction that I need to go to solve this? I'm not asking for code to be rewritten (I've already done that), I'm just looking for help building it on another flavor. I'd like to build an RPM that can be easily loaded onto new rhel7 vm's as we create them. I have the epel7 repo enabled, fwiw. I had thought many of these packages would be available there.
cifs-utils-devel, jansson-devel, libcollection-devel, libdhash-devel >= 0.4.2, libini_config-devel >= 1.1, libldb-devel, libnfsidmap-devel, libnl3-devel, libsemanage-devel, libsmbclient-devel, libtalloc-devel, libtdb-devel, libtevent-devel, python3-devel, samba4-devel
6 years, 10 months