[sssd PR#601][opened] sbus: integrate sssd with sbus2
by pbrezina
URL: https://github.com/SSSD/sssd/pull/601
Author: pbrezina
Title: #601: sbus: integrate sssd with sbus2
Action: opened
PR body:
"""
Hi folks,
this is a really large patch set and I have no idea how to review it.
I know that Jakub tried to review the proof of concept, but he has not
managed to finish it so far. It is not in human power to review it all
so hard testing should be done.
I consider the code itself and the integration with sssd finished. I will
push only bug fixes and review issues now. This first version does not
run through make check so far because some tests need to be altered,
this however does not prevent manual testing and reviewing.
I tried to make the changes small at first while running old and new sbus
in parallel, but it was too hard as the changes were too much interconnected.
Therefore each patch modifies one area, but completely and sssd will not build.
There are new libraries, each in pair. Each pair consists of asynchronous
(used inside sssd) and synchronous (used inside tools; sssctl) versions of API.
- libsss_sbus, libsss_sbus_sync: sbus interface
- libsss_iface, libsss_iface_sync: internal sssd interface, used for internal communication
- libifp_iface, libifp_iface_sync: infopipe interface
At this point, changes are mostly one to one. We still have separate server for monitor and
backends. We still do not use signals, even though it is possible. I will file separate
tickets with ideas how to improve our api further and we can work together after
this patch set is tested and merged.
I did my best with manual testing but I doubt I ran all the scenarios. Especially, I want
to ask @sbose to test ifp smartcard API and @fidencio to test Fleet Commander integration
(the one dbus call in ipa code).
Thank you.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/601/head:pr601
git checkout pr601
RFC: 2.0 release notes
by Jakub Hrozek
Hi,
we’re about to release 2.0. Here are my draft release notes:
SSSD 2.0.0
===========
Highlights
----------
This release removes or deprecates functionality from SSSD, therefore the SSSD
team decided it was time to bump the major version number. The sssd-1-16
branch will be still supported (most probably even as a LTM branch) so that
users who rely on any of the removed features can either migrate or ask for
the features to be readded.
Except for the removed features, this release contains a reworked internal IPC
and a new default storage back end for the KCM responder.
Removed features
^^^^^^^^^^^^^^^^
* The Python API for managing users and groups in local domains
(`id_provider=local`) was removed completely. The interface
had been packaged as a module called `pysss.local`.
* The LDAP provider had a special-case branch for evaluating group
memberships with the RFC2307bis schema when group nesting was
explicitly disabled. This codepath was adding needless additional
complexity for little performance gain and was rarely used.
* The `ldap_groups_use_matching_rule_in_chain` and
`ldap_initgroups_use_matching_rule_in_chain` options and the code that
evaluated them were removed. Neither of these options provided
a significant performance benefit and the code implementing
these options was complex and rarely used.
Deprecated features
^^^^^^^^^^^^^^^^^^^
* The local provider (`id_provider=local`) and the command line
tools to manage users and groups in the local domains, such as
`sss_useradd`, are not built by default anymore. There is a configure-time
switch `--enable-local-domain` you can use to re-enable the local
domain support. However, upstream would like to remove the local
domain completely in a future release.
* The `sssd_secrets` responder is not packaged by default. The responder
was meant to provide a REST API to access user secrets as well as
a proxy to Custodia servers, but as Custodia development all but
stopped and the local secrets handling so far didn't gain traction,
we decided to not enable this code by default. This also means that the
default SSSD configuration no longer requires libcurl and http-parser.
Changed default settings
^^^^^^^^^^^^^^^^^^^^^^^^
* The `ldap_sudo_include_regexp` option changed its default value
from `true` to `false`. This means that wild cards in the `sudoHost`
LDAP attribute are no longer supported by default. The reason we
changed the default was that the wildcard was costly to evaluate
on the LDAP server side and at the same time rarely used.
New features
^^^^^^^^^^^^
* The KCM responder has a new back end to store credential caches
in a local database. This new back end is enabled by default and
actually uses the same storage as the `sssd-secrets` responder had used,
so the switch from sssd-secrets to this new back end should be
completely seamless. The `sssd-secrets` socket is no longer required for
KCM to operate.
Packaging Changes
-----------------
* The `sss_useradd`, `sss_userdel`, `sss_usermod`, `sss_groupadd`,
`sss_groupdel`, `sss_groupshow` and `sss_groupmod` binaries and their
manual pages are no longer packaged by default unless
`--enable-local-provider` is selected.
* The sssd_secrets responder is no longer packaged by default unless
`--enable-secrets-responder` is selected.
* The new internal IPC mechanism uses several private libraries that
need to be packaged - `libsss_sbus.so`, `libsss_sbus_sync.so`, `libsss_iface.so`,
`libsss_iface_sync.so`, `libifp_iface.so` and `libifp_iface_sync.so`
* The new KCM ccache back end relies on a private library
`libsss_secrets.so` that must be packaged in case either the KCM responder
or the secrets responder are enabled.
Documentation Changes
---------------------
* The `ldap_groups_use_matching_rule_in_chain` and
`ldap_initgroups_use_matching_rule_in_chain` options were removed.
* The `ldap_sudo_include_regexp` option changed its default value
from `true` to `false`.
Tickets Fixed
-------------
To be generated
Detailed Changelog
------------------
To be generated
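An upgrade check for the removed, deprecated and re-defaulted settings listed in the draft above, as an added example that is not part of the original post or of SSSD itself. The sample configuration is constructed; treating a `[secrets]` section as a sign that the secrets responder is in use, and treating `sudo_provider` as falling back to `id_provider`, are assumptions of this sketch.

```python
import configparser

# Options the draft release notes list as removed in 2.0.
REMOVED_OPTIONS = (
    "ldap_groups_use_matching_rule_in_chain",
    "ldap_initgroups_use_matching_rule_in_chain",
)

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
[sssd]
domains = corp.example, legacy

[domain/corp.example]
id_provider = ldap
ldap_groups_use_matching_rule_in_chain = true

[domain/legacy]
id_provider = local

[secrets]
"""


def audit_sssd_conf(text):
    """Return (section, message) findings for settings affected by SSSD 2.0."""
    cfg = configparser.RawConfigParser(strict=False)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        opts = cfg[section]
        # Assumption: a [secrets] section means the secrets responder is in use.
        if section == "secrets" or section.startswith("secrets/"):
            findings.append((section, "secrets responder is not packaged by default"))
        if not section.startswith("domain/"):
            continue
        for name in REMOVED_OPTIONS:
            if name in opts:
                findings.append((section, name + " was removed"))
        if opts.get("id_provider", "").strip() == "local":
            findings.append((section, "local provider is not built by default"))
        # Assumption: sudo_provider falls back to id_provider when unset.
        sudo = opts.get("sudo_provider", opts.get("id_provider", "")).strip()
        if sudo == "ldap" and "ldap_sudo_include_regexp" not in opts:
            findings.append((section, "ldap_sudo_include_regexp now defaults to false"))
    return findings


if __name__ == "__main__":
    for section, message in audit_sssd_conf(SAMPLE_CONF):
        print("[%s] %s" % (section, message))
```

A domain flagged for `ldap_sudo_include_regexp` is worth checking for sudo rules whose `sudoHost` contains wildcards, since those rules stop matching under the new default unless the option is set explicitly.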
[sssd PR#637][opened] Relicense GPLv2 only files as GPLv3+
by jhrozek
URL: https://github.com/SSSD/sssd/pull/637
Author: jhrozek
Title: #637: Relicense GPLv2 only files as GPLv3+
Action: opened
PR body:
"""
This patchset is seemingly large, but only the license blobs were in fact changed. There is one patch per changed file.
In most cases, we should be totally fine as everyone who touched the file was a RH employee and RH owns the copyright and at the same time, the work was original, not a derivative of some original v2 only work.
There are two exceptions:
- there was an outside contributor who fixed some typos. I contacted him and Rene Genz kindly agreed to use v3+
- ipachangeconf.py was based on authconfig code. But since the authconfig code itself is v2+, the v2 only blob was a mistake in the first place.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/637/head:pr637
git checkout pr637