[sssd PR#5407][opened] kcm: check socket path loaded from configuration
by ikerexxe
URL: https://github.com/SSSD/sssd/pull/5407
Author: ikerexxe
Title: #5407: kcm: check socket path loaded from configuration
Action: opened
PR body:
"""
There are three major execution flows for this change:
1. If kcm socket path is not defined in sssd configuration, then log it and fall back to the default location.
2. If kcm socket path is defined in sssd configuration but the location is invalid, then log it and fall back to the default location.
3. If kcm socket path is defined in sssd configuration and the location is valid, then use it.
Apart from that, some unit tests have been implemented to check that the changes work as expected.
I wonder if the changes included in confdb_get_string() should be ported to all confdb_get_*() methods.
Resolves: https://github.com/SSSD/sssd/issues/5406
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5407/head:pr5407
git checkout pr5407
3 years, 2 months
[sssd PR#5485][opened] sudo: do not search by low usn value to improve performance
by pbrezina
URL: https://github.com/SSSD/sssd/pull/5485
Author: pbrezina
Title: #5485: sudo: do not search by low usn value to improve performance
Action: opened
PR body:
"""
This is a follow up on these two commits.
- 819d70ef6e6fa0e736ebd60a7f8a26f672927d57
- 6815844daa7701c76e31addbbdff74656cd30bea
The first one improved the search filter a little bit to achieve better
performance, however it also changed the behavior: we started to search
for `usn >= 1` in the filter if no usn number was known.
This caused issues on OpenLDAP server which was fixed by the second patch.
However, the fix was wrong and searching by this meaningfully low number
can cause performance issues depending on how the filter is optimized and
evaluated on the server.
Now we omit the usn attribute from the filter if there is no meaningful value.
How to test:
1. Set up LDAP with no sudo rules defined
2. Make sure that the LDAP server does not support USN or use the following diff
to enforce modifyTimestamp (last USN is always available from rootDSE)
```diff
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 32c0144b9..c853e4dc1 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -1391,7 +1391,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name;
entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name;
if (rootdse) {
- if (last_usn_name) {
+ if (false) {
ret = sysdb_attrs_get_string(rootdse,
last_usn_name, &last_usn_value);
if (ret != EOK) {
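Review bot: the `if (false)` at the top of the `if (rootdse)` block makes the `sysdb_attrs_get_string(rootdse, last_usn_name, &last_usn_value)` call unreachable, and nothing on the line marks it as a test-only change. A comment on the changed line, such as `/* test only: pretend the server has no last-USN attribute */`, would keep it from being mistaken for intended logic if it ever leaks into a commit.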
@@ -1500,7 +1500,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
}
}
- if (!last_usn_name) {
+ if (true) {
DEBUG(SSSDBG_FUNC_DATA,
"No known USN scheme is supported by this server!\n");
if (!entry_usn_name) {
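Review bot: with `if (true)` the message "No known USN scheme is supported by this server!" is logged on every server, including one that does advertise a last-USN attribute, so logs collected during the test will misreport what the server supports. Either adjust the message in the test build or say in the test steps that this line is expected.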
```
3. Run SSSD with sudo and check that smart refresh filter does not contain modifyTimestamp
4. Add a new sudo rule, check that the filter does contain it after the rule is cached
Resolves: https://github.com/SSSD/sssd/issues/5483
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5485/head:pr5485
git checkout pr5485
3 years, 2 months
[sssd PR#5477][opened] DEBUG: Use () in program identifier instead of []
by sigv
URL: https://github.com/SSSD/sssd/pull/5477
Author: sigv
Title: #5477: DEBUG: Use () in program identifier instead of []
Action: opened
PR body:
"""
SYSLOG_IDENTIFIER should not use square brackets "[]" as a separator. As per the informational RFC 3164, square brackets in the TAG portion represent the process ID (PID).
If Journald is forwarded to Syslog and written in line with RFC 3164, the resulting lines would have contained TAG as:
- `sssd[sudo][1234]: `
- `sssd[be[EXAMPLE.COM]][1235]: `
This change replaces those respectively with
- `sssd(sudo)[1234]: `
- `sssd(be(EXAMPLE.COM))[1235]: `
This still allows parsing the SYSLOG_IDENTIFIER, if so preferred, while complying with RFC 3164 at the same time.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5477/head:pr5477
git checkout pr5477
3 years, 2 months
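The effect of the bracket change in PR #5477 on a syslog receiver, as an added example that is not part of the PR or of SSSD. It assumes a simplified receiver convention (program name ends at the first `[` or `:`, first bracketed field is the PID); the tag strings are the ones quoted in the PR body, the message text is constructed.

```python
import re

# Assumed receiver convention (simplified, not any specific daemon's parser):
# program name runs up to the first "[" or ":", the first bracketed field is
# taken as the PID, and ": " then introduces the message.
PREFIX = re.compile(
    r"^(?P<program>[^\[\]:\s]+)(?:\[(?P<pid>[^\]]*)\])?(?P<rest>.*)$", re.S)
# New-style identifier from the PR: name(service(domain)), inner parts optional.
IDENT = re.compile(
    r"^(?P<name>[^()]+)(?:\((?P<service>[^()]+)(?:\((?P<domain>[^()]+)\))?\))?$")

# Constructed sample lines: tags from the PR body, message text made up.
SAMPLES = [
    "sssd[sudo][1234]: Starting up",
    "sssd[be[EXAMPLE.COM]][1235]: Starting up",
    "sssd(sudo)[1234]: Starting up",
    "sssd(be(EXAMPLE.COM))[1235]: Starting up",
]

def split_prefix(line):
    """Split 'program[pid]: msg'; 'clean' is False when the PID slot is abused."""
    m = PREFIX.match(line)
    if m is None:
        return None
    pid_field = m.group("pid")
    numeric = pid_field is not None and re.fullmatch(r"[0-9]+", pid_field)
    pid = int(pid_field) if numeric else None
    clean = m.group("rest").startswith(":") and (pid_field is None or numeric)
    return {"program": m.group("program"), "pid": pid,
            "pid_field": pid_field, "clean": bool(clean)}

def parse_identifier(program):
    """Recover (name, service, domain) from the parenthesised identifier."""
    m = IDENT.match(program)
    return (m.group("name"), m.group("service"), m.group("domain")) if m else None

if __name__ == "__main__":
    for line in SAMPLES:
        parsed = split_prefix(line)
        print(line, "->", parsed, parse_identifier(parsed["program"]))
```
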
[sssd PR#5484][opened] sudo: do not search by low usn value to improve performance
by pbrezina
URL: https://github.com/SSSD/sssd/pull/5484
Author: pbrezina
Title: #5484: sudo: do not search by low usn value to improve performance
Action: opened
PR body:
"""
This is a follow up on these two commits.
- 819d70ef6e6fa0e736ebd60a7f8a26f672927d57
- 6815844daa7701c76e31addbbdff74656cd30bea
The first one improved the search filter a little bit to achieve better
performance, however it also changed the behavior: we started to search
for `usn >= 1` in the filter if no usn number was known.
This caused issues on OpenLDAP server which was fixed by the second patch.
However, the fix was wrong and searching by this meaningfully low number
can cause performance issues depending on how the filter is optimized and
evaluated on the server.
Now we omit the usn attribute from the filter if there is no meaningful value.
How to test:
1. Set up LDAP with no sudo rules defined
2. Make sure that the LDAP server does not support USN or use the following diff
to enforce modifyTimestamp (last USN is always available from rootDSE)
```diff
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 32c0144b9..c853e4dc1 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -1391,7 +1391,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name;
entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name;
if (rootdse) {
- if (last_usn_name) {
+ if (false) {
ret = sysdb_attrs_get_string(rootdse,
last_usn_name, &last_usn_value);
if (ret != EOK) {
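Review bot: editing the condition itself to `if (false)` is more invasive than the test needs, since the check reads `last_usn_name`, which is assigned on the first context line of this hunk. Setting `last_usn_name = NULL;` right after the `opts->gen_map[SDAP_AT_LAST_USN].name` assignment would give the same result here and leave the original condition untouched.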
@@ -1500,7 +1500,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
}
}
- if (!last_usn_name) {
+ if (true) {
DEBUG(SSSDBG_FUNC_DATA,
"No known USN scheme is supported by this server!\n");
if (!entry_usn_name) {
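Review bot: this `if (true)` only gives the intended behaviour together with the `if (false)` in the first hunk, because the two original conditions (`if (last_usn_name)` and `if (!last_usn_name)`) were complementary. Applied on its own it sends a server whose last USN was just read from rootDSE into the "No known USN scheme" branch as well, so the test steps should state that both hunks are applied as a unit.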
```
3. Run SSSD with sudo and check that smart refresh filter does not contain modifyTimestamp
4. Add a new sudo rule, check that the filter does contain it after the rule is cached
Resolves: https://github.com/SSSD/sssd/issues/5483
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5484/head:pr5484
git checkout pr5484
3 years, 2 months