[sssd PR#237][opened] providers: Move hostid from ipa to sdap
by hvenev
URL: https://github.com/SSSD/sssd/pull/237
Author: hvenev
Title: #237: providers: Move hostid from ipa to sdap
Action: opened
PR body:
"""
This just makes sss_ssh_knownhostsproxy work. There is no support for hostgroups (although hostgroups in `ipa` should continue working).
I've been using this for a few days with the `ldap` and `krb5` providers and I haven't noticed any regressions. I haven't tested `ipa` and `ad` but all tests seem to pass.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/237/head:pr237
git checkout pr237
6 years, 2 months
[sssd PR#379][opened] CI: Enable pep8 check
by fidencio
URL: https://github.com/SSSD/sssd/pull/379
Author: fidencio
Title: #379: CI: Enable pep8 check
Action: opened
PR body:
"""
As said by the commit log, this PR enables pep8 check in our CI.
I would really appreciate hearing @lslebodn's feedback on the patch itself, so I can revisit the commit dropped by @jhrozek that fixes all pep8 warnings and have it added to this series.
Anyways, the feedback I'm looking for is basically: Is this patch desired? Is this the right approach? If not, what would you suggest?
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/379/head:pr379
git checkout pr379
6 years, 4 months
[sssd PR#275][opened] Implement access verification by rhost using ldap_access_order rhost option
by akamensky
URL: https://github.com/SSSD/sssd/pull/275
Author: akamensky
Title: #275: Implement access verification by rhost using ldap_access_order rhost option
Action: opened
PR body:
"""
TL;DR - this is to implement functionality similar to both of `sshd_config:AllowUsers` and of `PAM's own rhost verification`.
This was asked in IRC and [mailing list](https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedor... (with little follow-up in both). The reasoning behind the implementation can be seen in the linked mailing list thread.
Current PR provides basic functionality of comparing rhost (from pam) with values stored in LDAP. To enable this set `ldap_access_order = rhost` and `ldap_user_authorized_rhost = <ldap_field_name| default: rhost>` in sssd.conf.
It _currently*_ provides similar rule evaluation as currently it works for host based authentication.
TODO:
- [ ] Finalize logic of using DNS/rDNS for rules validation (currently working on basic idea how it should work - any help here?)
- [ ] Implement use of DNS/rDNS (with optional switch to enable/disable)
- [ ] Documentation
- [ ] Test coverage (didn't see test coverage for host auth, so is it needed?)
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/275/head:pr275
git checkout pr275
6 years, 6 months
[sssd PR#374][opened] IPA: Add threshold for sudo command and command group searches
by justin-stephenson
URL: https://github.com/SSSD/sssd/pull/374
Author: justin-stephenson
Title: #374: IPA: Add threshold for sudo command and command group searches
Action: opened
PR body:
"""
In large IPA environments where a high number of sudo commands and command groups are used, retrieval of sudo data can lead to SSSD constructing an overly large search filter which is not handled well on the ns-slapd side.
This PR implements a threshold by adding the `ipa_sudo_command_threshold` option (defaults to 50) which is used to prevent the large search filter from being created, an idea similar to https://github.com/SSSD/sssd/pull/319
Additionally, a commit was added to rename the **sudo_threshold** option to **sudo_rules_threshold**. This can be dropped if it seems unnecessary but I thought I would add it.
This can be reproduced by adding more sudo commands/command groups than the defined `ipa_sudo_command_threshold` in sssd.conf and checking the search filter used in the domain log or dirsrv access logs. If the threshold is not exceeded, the searches will still include the sudo command groups and command groups in the search filter.
I tested this on both the IPA server and IPA client by verifying sudo commands work as expected when the threshold is exceeded for IPA and AD trust users, and `sudo -l` command is the same as before the patch.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/374/head:pr374
git checkout pr374
6 years, 6 months