URL: https://github.com/SSSD/sssd/pull/695
Author: pbrezina
Title: #695: sss_iface: prevent from using invalid names that start with digits
Action: opened
PR body:
"""
From:
https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-n…
- Bus names that start with a colon (':') character are unique connection names. Other bus names are called well-known bus names.
- Bus names are composed of 1 or more elements separated by a period ('.') character. All elements must contain at least one character.
- Each element must only contain the ASCII characters "[A-Z][a-z][0-9]_-", with "-" discouraged in new bus names. Only elements that are part of a unique connection name may begin with a digit, elements in other bus names must not begin with a digit.
- Bus names must contain at least one '.' (period) character (and thus at least two elements).
- Bus names must not begin with a '.' (period) character.
- Bus names must not exceed the maximum name length (255).
Resolves:
https://pagure.io/SSSD/sssd/issue/3872
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/695/head:pr695
git checkout pr695
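
The bus-name rules quoted in PR #695 above, written out as a validator. This is an added example, not code from the pull request or from SSSD; check_bus_name(), the error enum and the sample names are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum bus_name_err {
    BUS_NAME_OK = 0,
    BUS_NAME_LENGTH,         /* empty or longer than 255 characters */
    BUS_NAME_EMPTY_ELEMENT,  /* leading '.', trailing '.', or ".." */
    BUS_NAME_BAD_CHAR,       /* outside [A-Z][a-z][0-9]_- */
    BUS_NAME_LEADING_DIGIT,  /* well-known name element starts with a digit */
    BUS_NAME_SINGLE_ELEMENT  /* no '.' separator at all */
};

/* Hypothetical helper, not an SSSD or libdbus function. */
enum bus_name_err check_bus_name(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    size_t i, elem_start, dots = 0;
    int unique;

    if (len == 0 || len > 255) return BUS_NAME_LENGTH;
    unique = (name[0] == ':');      /* unique connection name */
    elem_start = unique ? 1 : 0;

    /* Walk up to and including the terminating NUL so the last element is checked. */
    for (i = elem_start; i <= len; i++) {
        char c = name[i];
        if (c == '.' || c == '\0') {
            if (i == elem_start) return BUS_NAME_EMPTY_ELEMENT;
            if (c == '.') dots++;
            elem_start = i + 1;
        } else if (c >= '0' && c <= '9') {
            if (i == elem_start && !unique) return BUS_NAME_LEADING_DIGIT;
        } else if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                     || c == '_' || c == '-')) {
            return BUS_NAME_BAD_CHAR;
        }
    }
    return dots > 0 ? BUS_NAME_OK : BUS_NAME_SINGLE_ELEMENT;
}

int main(void)
{
    /* Constructed sample names, not taken from SSSD. */
    const char *samples[] = { "org.example.Service", ":1.42", "sssd.dp.2fa",
                              "sssd", ".sssd.dp", "sssd..dp", "sssd.dp/x" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-22s -> %d\n", samples[i], check_bus_name(samples[i]));
    return 0;
}
```
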
URL: https://github.com/SSSD/sssd/pull/700
Author: jhrozek
Title: #700: LDAP: Only authenticate the auth connection if we need to look up user information
Action: opened
PR body:
"""
Related: https://pagure.io/SSSD/sssd/issue/3451
Commit add72860c7a7a2c418f4d8b6790b5caeaf7dfb7b initially addressed #3451
by using the full sdap_cli_connect() request during LDAP authentication.
This was a good idea as it addressed the case where the authentication
connection must also look up some user information (typically with
id_provider=proxy where you don't know the DN to bind as during
authentication), but this approach also broke the use-case of
id_provider=ldap and auth_provider=ldap with ldap_sasl_auth=gssapi.
This is because (for a reason I don't know) AD doesn't like it if you use both
GSSAPI and startTLS on the same connection. But the code would force TLS
during the authentication as a general measure to not transmit passwords in
the clear, but then, the connection would also see that
ldap_sasl_auth=gssapi is set and also bind with GSSAPI.
This patch checks if the user DN is already known and if yes, then doesn't
authenticate the connection as the connection will then only be used for
the user simple bind.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/700/head:pr700
git checkout pr700
URL: https://github.com/SSSD/sssd/pull/644
Author: joeFischetti
Title: #644: When multiple UIDs exist, use the username provided by the user as the first lookup
Action: opened
PR body:
"""
The current state of the code has no way of determining the "correct" UID to use when there are multiple values. If there are multiple values, and the RDN doesn't match, this update checks the UIDs returned against the username that was provided by the user at the prompt. If that matches, it's used. If that doesn't match, it falls back to the existing code.
Example:
My LDAP record includes multiple uid values, ["genericemployee1", "itstaff1"]
I need access to machines as "itstaff1". "genericemployee1" is used as an identifier in other systems/services.
If I log in with "itstaff1" at the prompt, and my LDAP lookup with filter (uid=itstaff1) is successful, the array of UIDs is checked against "itstaff1" and that's what *_primary is set to.
With the current code, if I try to log in with "itstaff1" at the prompt, I'm actually logged into the system as "genericemployee1". Based on the order that the values are returned... some other staff are logged into their "genericemployee" or the "itstaff" accounts.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/644/head:pr644
git checkout pr644
URL: https://github.com/SSSD/sssd/pull/698
Author: sumit-bose
Title: #698: Add support for EC keys
Action: opened
PR body:
"""
This patch set adds support for elliptic curve (EC) keys to p11_child and the
ssh key extraction code.
Related to https://pagure.io/SSSD/sssd/issue/3887
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/698/head:pr698
git checkout pr698
URL: https://github.com/SSSD/sssd/pull/697
Author: jhrozek
Title: #697: RESPONDER: Log failures from bind() and listen()
Action: opened
PR body:
"""
We've seen reports from users where SSSD (for a reason which is not known
at the moment) couldn't bind to the created socket. This patch just logs
the errno which should help in debugging issues like that in the future.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/697/head:pr697
git checkout pr697
URL: https://github.com/SSSD/sssd/pull/694
Author: thalman
Title: #694: SSSCTL: user-show says that user is expired
Action: opened
PR body:
"""
sssctl user-show says that user is expired if the user comes from files
provider. This is ok because files user's expiration time is always set
to 0 but we should print a better, less confusing message.
The same change applies to groups.
Resolves:
https://pagure.io/SSSD/sssd/issue/3858
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/694/head:pr694
git checkout pr694
URL: https://github.com/SSSD/sssd/pull/686
Author: pbrezina
Title: #686: nss: use enumeration context as talloc parent for cache req result
Action: opened
PR body:
"""
Otherwise we end up with a memory leak since the result is never freed.
Resolves:
https://pagure.io/SSSD/sssd/issue/3870
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/686/head:pr686
git checkout pr686