URL: https://github.com/SSSD/sssd/pull/671
Author: sumit-bose
Title: #671: PAM: use PKCS#11 URIs to restrict certificate selection
Action: opened
PR body:
"""
With the new option 'p11_uri', the PAM responder can restrict the
selection of certificates in p11_child with the help of a PKCS#11 URI.
The implementation for the NSS version of p11_child is not available in this
PR. As you can see in the first patch the support for PKCS#11 URIs in NSS is
limited and I have to talk to NSS developers first if this will change or if it
would make more sense to use the PKCS#11 URI calls from libp11kit for the NSS
version as well.
To avoid rebase issues this PR is already on top of PR#668.
Related to https://pagure.io/SSSD/sssd/issue/3814
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/671/head:pr671
git checkout pr671
URL: https://github.com/SSSD/sssd/pull/665
Author: sumit-bose
Title: #665: p11: handle multiple certs during auth with OpenSSL
Action: opened
PR body:
"""
This patch adds missing code already available in the NSS version to
select a certificate for authentication if multiple certificates are
available on the Smartcard. A unit test to check this feature is added
as well.
Related to https://pagure.io/SSSD/sssd/issue/3489
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/665/head:pr665
git checkout pr665
URL: https://github.com/SSSD/sssd/pull/657
Author: pbrezina
Title: #657: be: use be_is_offline for the main domain when asking for domain status
Action: opened
PR body:
"""
The DOM_ACTIVE/INACTIVE flag is not used with the main domain as it
is used only for subdomains.
Resolves:
https://pagure.io/SSSD/sssd/issue/3830
This is a regression in sbus2 patches. I filed a ticket [1] to make the
usage of this flag consistent for all domains. I did not implement it as
part of this patch because I expect some caveats there so I kept this
patch simple.
[1] https://pagure.io/SSSD/sssd/issue/3831
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/657/head:pr657
git checkout pr657
URL: https://github.com/SSSD/sssd/pull/663
Author: thalman
Title: #663: confdb: log an error when domain is misconfigured
Action: opened
PR body:
"""
We need to inform the user that there is a misconfiguration
and the particular domain will not be started.
Resolves:
https://pagure.io/SSSD/sssd/issue/3827
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/663/head:pr663
git checkout pr663
URL: https://github.com/SSSD/sssd/pull/664
Author: jhrozek
Title: #664: pep8: Ignore W504 and W605 to silence warnings on Debian
Action: opened
PR body:
"""
This code:
    pkcs11_txt.write("library=libsoftokn3.so\nname=soft\n" +
                     "parameters=configdir='sql:" + config.ABS_BUILDDIR +
                     "/../test_CA/p11_nssdb' " +
                     "dbSlotDescription='SSSD Test Slot' " +
                     "dbTokenDescription='SSSD Test Token' " +
                     "secmod='secmod.db' flags=readOnly)\n\n")
    pkcs11_txt.close()
Was producing warnings such as:
./src/tests/intg/test_pam_responder.py:143:22: W504 line break after binary operator
Even though it looks OK visually and conforms to pep8's written form.
Additionally, this regular expression compilation:
    Template = re.compile(
        ' *<template name="(\S+)">(.*?)</template>\r?\n?',
        re.MULTILINE | re.DOTALL
    )
Was producing a warning such as:
./src/sbus/codegen/sbus_Template.py:156:29: W605 invalid escape sequence '\S'
Since the \S literal is part of a regular expression, let's suppress
this warning as well.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/664/head:pr664
git checkout pr664
URL: https://github.com/SSSD/sssd/pull/666
Author: sumit-bose
Title: #666: ci: add http-parser-devel for Fedora
Action: opened
PR body:
"""
After adding a new CI worker the CI run failed because http_parser.h was not
found. Instead of adding http-parser-devel to the worker host directly I think
it makes more sense to add it to the list of required packages at least for
Fedora.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/666/head:pr666
git checkout pr666
URL: https://github.com/SSSD/sssd/pull/658
Author: mrniranjan
Title: #658: pytest: Test case for sudo: search with lower cased name for case insensitive domains
Action: opened
PR body:
"""
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/658/head:pr658
git checkout pr658
URL: https://github.com/SSSD/sssd/pull/660
Author: thalman
Title: #660: doc: remove local provider reference from manpages
Action: opened
PR body:
"""
Introduce a new condition for the documentation build. The related part of the
documentation is excluded if the build is done without the local provider.
Resolves https://pagure.io/SSSD/sssd/issue/3826
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/660/head:pr660
git checkout pr660
Hi,
this proposal might be controversial, but I think a little discussion wouldn’t hurt :-)
tl;dr: I propose we switch the default value of ignore_group_members from False to True by default
For anyone not intimate with SSSD options, this would make all groups appear to be effectively empty. The effect that the end user sees is that the group resolution is very fast, because only the group object, not the members, has to be processed. As part of my day job, I’m involved in triaging RH customer cases and many of them are about performance. Ignoring the group members is quite often the first step and quite a few people are using that in production.
The reason I’m proposing this is that many calls, like getgr* issued by different command line utilities (id, ls -l, …), typically only care about the GID-to-name translation. At the same time, the list of group members is both inaccurate (because we stop at a deep enough group nesting) and really not needed except for an admin to quickly see what members belong to a group. For access control, what is really used is the result of initgroups/getgrouplist. This is the call where we care about precision, because the list of groups the user is a member of can only be set during login. But getgr* returns the list of users who are members of a group and is not really required to be precise.
Returning the full list of group members from getgr* by default is very time consuming and inefficient. While we did a lot of work on the SSSD side to speed things up, like using the timestamps cache and only actually save something to the database when the object changes and we have even more ideas floating around (e.g. don’t parse the whole LDAPResult at once, but use a lazy parsing and return the attributes on demand), just fetching the large group objects and traversing the group hierarchy is bound to be very expensive. Even if SSSD is smart and throws away the data it doesn’t need without a lot of processing, the directory server side will incur a heavy load when returning the group members.
In an ideal world, I would prefer to follow up on a suggestion made by some Suse engineers several years ago (I’m sorry I can no longer find the link nor do I remember their names...) which was to add a getgrnam2/getgrgid2 call to libc, which would only provide the GID-to-name translation, and patch popular applications in distributions to use that instead of getgrnam/getgrgid. But this is such an uphill battle that I don’t think it’s very realistic to implement.
Of course, we would have to both document and make it obvious from the debug logs why SSSD groups are coming back empty, but I think the performance benefit would outweigh the confusion.
For some additional details and discussion, please see e.g. https://pagure.io/389-ds-base/issue/49951
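The distinction the proposal rests on (getgr* for GID-to-name translation, initgroups/getgrouplist for the membership that access control actually uses) shown against the host's own NSS. This is an added illustration, not code from the mail or from SSSD; it assumes a Linux host whose NSS knows a 'root' user and group.

```python
import grp
import os
import pwd


def gid_to_name(gid):
    """The getgrgid use case that `ls -l` and `id` really need: only the
    name. gr_mem is fetched too, which is the cost ignore_group_members
    avoids, but callers like this never look at it."""
    return grp.getgrgid(gid).gr_name


def user_is_member(user, group):
    """Access-control style check via initgroups/getgrouplist. This stays
    correct when getgr* returns an empty gr_mem (ignore_group_members = True),
    because the group list is computed for the user, not read off the group."""
    pw = pwd.getpwnam(user)
    gid = grp.getgrnam(group).gr_gid
    return gid in os.getgrouplist(user, pw.pw_gid)


def user_is_member_via_gr_mem(user, group):
    """The fragile way: trusts the member list of the group object. It is
    empty with ignore_group_members, truncated for deep nesting, and even on a
    plain /etc/group it misses users whose *primary* group this is."""
    return user in grp.getgrnam(group).gr_mem


if __name__ == "__main__":
    # root's primary group is root, yet /etc/group normally lists no members
    # for it, so the two checks disagree even without SSSD in the picture.
    print(gid_to_name(0))
    print(user_is_member("root", "root"), user_is_member_via_gr_mem("root", "root"))
```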