sssd-devel May 2017

sssd-devel@lists.fedorahosted.org

9 participants
73 discussions

[sssd PR#268][opened] pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT
by sumit-bose 01 Jun '17

01 Jun '17

URL: https://github.com/SSSD/sssd/pull/268 Author: sumit-bose Title: #268: pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT Action: opened PR body: """ This patchset got lost when I prepared the certificate mapping patch set. Applications like gdm with enabled Smartcard support will try to determine the user based on data from the certificate or expected that it is done for them and hence do not prompt for a user name. If a certificate is mapped to multiple accounts this cannot work because it is not clear which account should be used. In this case a 'user name hint' must be given by the user to help the application to find the right user. To get a consistent user experience while still only prompt for a PIN in environments where a certificate is uniquely mapped to only a single user IPA offers the 'ipa certmapconfig-mod --promptusername=BOOL' command to switch 'user name hinting' on or off. To test the behavior 'sssctl user-checks' can be used. /etc/pam.d/smartcart-auth should be configured for SSSD and like: ... auth required pam_env.so auth sufficient pam_sss.so allow_missing_name auth required pam_deny.so ... If now a Smartcard in inserted where the certificate is mapped to multiple users you will see: user: action: auth service: gdm-smartcard testing pam_authenticate PIN for AD.DEVEL Admin (OpenSC Card) User name hint: pam_authenticate for user []: Authentication failure PAM Environment: - PKCS11_LOGIN_TOKEN_NAME=AD.DEVEL Admin (OpenSC Card) if no user name hint is given and user: action: auth service: gdm-smartcard testing pam_authenticate PIN for AD.DEVEL Admin (OpenSC Card) User name hint: scuser pam_authenticate for user [scuser]: Success PAM Environment: - PKCS11_LOGIN_TOKEN_NAME=AD.DEVEL Admin (OpenSC Card) if a suitable user name hint was given. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/268/head:pr268 git checkout pr268

5 24

[sssd PR#292][opened] Test config check
by lslebodn 01 Jun '17

01 Jun '17

URL: https://github.com/SSSD/sssd/pull/292 Author: lslebodn Title: #292: Test config check Action: opened PR body: """ I found few issues in test_config_check when I back-ported them to 1.14 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/292/head:pr292 git checkout pr292

2 7

[sssd PR#226][opened] Config check regex
by mzidek-rh 31 May '17

31 May '17

URL: https://github.com/SSSD/sssd/pull/226 Author: mzidek-rh Title: #226: Config check regex Action: opened PR body: """ Some updates for src/config/cfg_rules.ini The most controversial is the third patch. It removes the special rule for application domains and only uses the rule for normal domains in both application and normal domains. The reason is that the validator ini_allowed_options checks all sections that match the regex in section_re and allows only listed options. This is done for all rules that use that validator *separately and there is not 'include' directive or anything like that. So we can either duplicate all the options from domain section or allow the one mistake where the inherit_from used in normal domain section will be undetected. I am more in favor of the second option, because adding inherit_from by mistake is unlikely and the rules look better this way. However it would be good to enhance the libini to add solution for this by introducing the ability to somehow merger the rules. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/226/head:pr226 git checkout pr226

2 28

[sssd PR#291][opened] BUILD: Improve error messages for optional dependencies
by lslebodn 31 May '17

31 May '17

URL: https://github.com/SSSD/sssd/pull/291 Author: lslebodn Title: #291: BUILD: Improve error messages for optional dependencies Action: opened PR body: """ sssd-kcm is enabled by default and build failed in case of `configure --without-secrets` due to missing dependency on libjansson. It should fail at configure time. Patch also improve hints for missing optional dependencies """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/291/head:pr291 git checkout pr291

2 5

[sssd PR#290][opened] SECRETS: Fix warning Wpointer-bool-conversion
by lslebodn 31 May '17

31 May '17

URL: https://github.com/SSSD/sssd/pull/290 Author: lslebodn Title: #290: SECRETS: Fix warning Wpointer-bool-conversion Action: opened PR body: """ I was playing with clang after a longer period and found this issue Debug messages would always say that verify_peer and verify_host are enabled. Even though they would be explicitly disabled. src/responder/secrets/proxy.c:143:18: error: address of 'cfg->verify_peer' will always evaluate to 'true' [-Werror,-Wpointer-bool-conversion] (&cfg->verify_peer ? "true" : "false")); ~~~~~^~~~~~~~~~~ ~ src/util/debug.h:108:32: note: expanded from macro 'DEBUG' format, ##__VA_ARGS__); \ ^~~~~~~~~~~ src/responder/secrets/proxy.c:149:18: error: address of 'cfg->verify_host' will always evaluate to 'true' [-Werror,-Wpointer-bool-conversion] (&cfg->verify_host ? "true" : "false")); ~~~~~^~~~~~~~~~~ ~ src/util/debug.h:108:32: note: expanded from macro 'DEBUG' format, ##__VA_ARGS__); \ ^~~~~~~~~~~ """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/290/head:pr290 git checkout pr290

2 5

[sssd PR#281][opened] ldap: handle certmap errors gracefully
by sumit-bose 31 May '17

31 May '17

URL: https://github.com/SSSD/sssd/pull/281 Author: sumit-bose Title: #281: ldap: handle certmap errors gracefully Action: opened PR body: """ Currently the LDAP user lookup request errors out if e.g. there is no matching rule for a certificate. This might cause the related domain to go offline. With this patch the request returns that no user was found for the given certificate but overall result is that the request finishes successfully. Resolves https://pagure.io/SSSD/sssd/issue/3405 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/281/head:pr281 git checkout pr281

3 10

[sssd PR#267][opened] IFP: Resolve group names from GIDs if required
by jhrozek 31 May '17

31 May '17

URL: https://github.com/SSSD/sssd/pull/267 Author: jhrozek Title: #267: IFP: Resolve group names from GIDs if required Action: opened PR body: """ Resolves: https://pagure.io/SSSD/sssd/issue/3392 The AD provider only converts SIDs to GIDs during initgroups to improve performance. But this is not sufficient for the org.freedesktop.sssd.infopipe.GetUserGroups method, which needs to return names. We need to resolve the GIDs to names ourselves in that method. In the ticket, @fidencio suggested that solving this might be easier in the cache_req module. We should discuss if this alternative approach makes sense or not, but since I already had these patches, we might as well discuss that in this PR. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/267/head:pr267 git checkout pr267

3 13

[sssd PR#288][opened] Fix several pep8 issues in the integration tests.
by jhrozek 29 May '17

29 May '17

URL: https://github.com/SSSD/sssd/pull/288 Author: jhrozek Title: #288: Fix several pep8 issues in the integration tests. Action: opened PR body: """ Mostly these are my fault, I think they were introduced while accomodating review comments.. CI: http://sssd-ci.duckdns.org/logs/job/70/32/summary.html """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/288/head:pr288 git checkout pr288

3 12

[sssd PR#287][opened] SSSDConfig: Handle integer parsing more leniently
by lslebodn 29 May '17

29 May '17

URL: https://github.com/SSSD/sssd/pull/287 Author: lslebodn Title: #287: SSSDConfig: Handle integer parsing more leniently Action: opened PR body: """ debug_level is usually defined as decimal value <= 10 or as a hexadecimal value which is used as a bitmask Parsing of hexadecimal value was partially fixed by commit 7fac271ccebb84743c39f553eb5ec013cf1d10aa but only for sssd domains. It was not fixed for sssd services. File "/usr/share/authconfig/authinfo.py", line 3142, in writeSSSDPAM pam = self.sssdConfig.get_service('pam') File "/usr/lib/python3.6/site-packages/SSSDConfig/__init__.py", line 1620, in get_service service.set_option(opt['name'], opt['value']) File "/usr/lib/python3.6/site-packages/SSSDConfig/__init__.py", line 932, in set_option (option_schema[0], optionname, type(value))) TypeError: Expected <class 'int'> for debug_level, received <class 'str'> Resolves: https://pagure.io/SSSD/sssd/issue/341 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/287/head:pr287 git checkout pr287

2 5

Build for RHEL7
by Joseph Fischetti 26 May '17

26 May '17

Hi, I'll start by saying that much of the documentation seems to have been lost/moved after the project got moved off of fedorahosted.org. The only way I was able to get to the build instructions were via the wayback machine (https://web.archive.org/web/20170103042748/https://fedorahosted.org/sssd/wi…) In addition, I'm not a full time developer. We have an LDAP server, and due to reasons out of my control from a time long long before me, our uid field contains multiple entries. When users log on, if their uid isn't matched to the rdn value, sssd defaults to using the first entry (which you all know). This doesn't work for us because we can't predict (or change) the order of the values, though we'd like to make sure a certain uid is always used. The uid that we use internally is of a certain format (we prepend certain characters based on classification). I've rewritten one of the functions in sysdb.c to check for a uid that matches the format before defaulting to the first one. I've compiled/tested it on fedora 25 and it works as intended. i.e. Users are able to log in with their intended uid regardless of its order in LDAP. However, we use RHEL7. I can't build directly on a rhel7 machine because there's a large list of dependencies that can't be resolved. The list is below. Could someone help point me in the direction that I need to go to solve this? I'm not asking for code to be rewritten (I've already done that), I'm just looking for help building it on another flavor. I'd like to build an RPM that can be easily loaded onto new rhel7 vm's as we create them. I have the epel7 repo enabled, fwiw. I had thought many of these packages would be available there. cifs-utils-devel, jansson-devel, libcollection-devel, libdhash-devel >= 0.4.2, libini_config-devel >= 1.1, libldb-devel, libnfsidmap-devel, libnl3-devel, libsemanage-devel, libsmbclient-devel, libtalloc-devel, libtdb-devel, libtevent-devel, python3-devel, samba4-devel

3 7

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel May 2017