URL: https://github.com/SSSD/sssd/pull/5435
Author: deastoe
Title: #5435: whitespace_test: fix exclusion of debian directory
Action: opened
PR body:
"""
These tests are supposed to ignore trailing whitespace in files in
the debian directory. However this is not the case with the current
exclude pattern and usage of `git grep`.
Use --full-name with `git grep` to ensure its output is always
relative to the repository root, rather than the current directory.
Additionally remove the leading slash from the exclude pattern as
this will never match the output.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5435/head:pr5435
git checkout pr5435
URL: https://github.com/SSSD/sssd/pull/5245
Author: thalman
Title: #5245: RESOLV: Avoid DNS search to improve fail-over reaction
Action: opened
PR body:
"""
In case of an unreachable DNS server or an invalid hostname, sssd/c-ares tries
to search in multiple domains based on the search directive
in resolv.conf.
But the hostnames in the config file are fully qualified and this just
extends the time spent on DNS resolution.
This patch sets the c-ares library flags to avoid DNS search.
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1608496
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5245/head:pr5245
git checkout pr5245
URL: https://github.com/SSSD/sssd/pull/5407
Author: ikerexxe
Title: #5407: kcm: check socket path loaded from configuration
Action: opened
PR body:
"""
There are three major execution flows for this change:
1. If kcm socket path is not defined in sssd configuration, then log it and fall back to the default location.
2. If kcm socket path is defined in sssd configuration but the location is invalid, then log it and fall back to the default location.
3. If kcm socket path is defined in sssd configuration and the location is valid, then use it.
Apart from that, some unit-tests have been implemented to check that the changes work as expected.
I wonder if the changes included in confdb_get_string() should be ported to all confdb_get_*() methods.
Resolves: https://github.com/SSSD/sssd/issues/5406
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5407/head:pr5407
git checkout pr5407
URL: https://github.com/SSSD/sssd/pull/5485
Author: pbrezina
Title: #5485: sudo: do not search by low usn value to improve performance
Action: opened
PR body:
"""
This is a follow up on these two commits.
- 819d70ef6e6fa0e736ebd60a7f8a26f672927d57
- 6815844daa7701c76e31addbbdff74656cd30bea
The first one improved the search filter a little bit to achieve better
performance, however it also changed the behavior: we started to search
for `usn >= 1` in the filter if no usn number was known.
This caused issues on OpenLDAP server which was fixed by the second patch.
However, the fix was wrong and searching by this meaningfully low number
can cause performance issues depending on how the filter is optimized and
evaluated on the server.
Now we omit the usn attribute from the filter if there is no meaningful value.
How to test:
1. Set up LDAP with no sudo rules defined
2. Make sure that the LDAP server does not support USN or use the following diff
to enforce modifyTimestamp (last USN is always available from rootDSE)
```diff
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 32c0144b9..c853e4dc1 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -1391,7 +1391,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name;
entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name;
if (rootdse) {
- if (last_usn_name) {
+ if (false) {
ret = sysdb_attrs_get_string(rootdse,
last_usn_name, &last_usn_value);
if (ret != EOK) {
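Review bot: The `if (false)` that replaces `if (last_usn_name)` turns the whole `sysdb_attrs_get_string(rootdse, last_usn_name, &last_usn_value)` branch into dead code, so this can only be a local test aid. Keep it out of the PR branch, or gate it behind a clearly named temporary switch so it cannot be committed by accident.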
@@ -1500,7 +1500,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
}
}
- if (!last_usn_name) {
+ if (true) {
DEBUG(SSSDBG_FUNC_DATA,
"No known USN scheme is supported by this server!\n");
if (!entry_usn_name) {
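Review bot: With `if (true)` in place of `if (!last_usn_name)`, the message "No known USN scheme is supported by this server!" is logged for every server, including ones where `last_usn_name` is set. Logs from a run with this diff applied should not be read as evidence about the server; a distinct debug message for the forced case would avoid that confusion.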
```
3. Run SSSD with sudo and check that smart refresh filter does not contain modifyTimestamp
4. Add a new sudo rule, check that the filter does contain it after the rule is cached
Resolves: https://github.com/SSSD/sssd/issues/5483
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5485/head:pr5485
git checkout pr5485
URL: https://github.com/SSSD/sssd/pull/5264
Author: elkoniu
Title: #5264: Utils: White space replace with another character
Action: opened
PR body:
"""
Function responsible for replacing white space
has wrong log levels set. It can create false positive
critical error messages broadcasted across the system
without any real reason.
This patch adjusts those log levels to be on the debug
level rather than critical error level.
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1818671
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5264/head:pr5264
git checkout pr5264
URL: https://github.com/SSSD/sssd/pull/5474
Author: pbrezina
Title: #5474: spec: synchronize with Fedora 34 spec file
Action: opened
PR body:
"""
The upstream spec file is out of sync with what we use in Fedora. This
copies current Fedora 34 (rawhide) spec file to bring new features
in. It also removes things that we do not need anymore.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5474/head:pr5474
git checkout pr5474
URL: https://github.com/SSSD/sssd/pull/5477
Author: sigv
Title: #5477: DEBUG: Use () in program identifier instead of []
Action: opened
PR body:
"""
SYSLOG_IDENTIFIER should not use square brackets "[]" as a separator. As per the informational RFC 3164, square brackets in the TAG portion represent the process ID (PID).
If Journald is forwarded to Syslog and written in line with RFC 3164, the resulting lines would have contained TAG as:
- `sssd[sudo][1234]: `
- `sssd[be[EXAMPLE.COM]][1235]: `
This change replaces those respectively with
- `sssd(sudo)[1234]: `
- `sssd(be(EXAMPLE.COM))[1235]: `
This still allows parsing the SYSLOG_IDENTIFIER, if so preferred, while complying with RFC 3164 at the same time.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5477/head:pr5477
git checkout pr5477
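The effect of the bracket change in #5477 on a downstream log parser, as an added example (not code from SSSD or from this PR). It assumes a simplified relay-style parser in which the program name ends at the first `[`, `:` or whitespace and one bracketed field after it is the PID; the message texts are constructed.

```python
import re

# Assumed relay behaviour: the program name ends at the first '[', ':' or
# whitespace, and one optional "[...]" right after it is taken as the PID.
_TAG = re.compile(
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>[^\]]*)\])?(?P<rest>.*)", re.S)
# SSSD identifier in the new form: sssd(service) or sssd(be(DOMAIN)).
_IDENT = re.compile(r"sssd\((?P<svc>[^()]+)(?:\((?P<dom>[^()]+)\))?\)")

# Constructed sample lines: the four TAG forms come from the PR text,
# the message part after ": " is made up for the example.
SAMPLES = [
    "sssd[sudo][1234]: Starting up",
    "sssd[be[EXAMPLE.COM]][1235]: Backend is online",
    "sssd(sudo)[1234]: Starting up",
    "sssd(be(EXAMPLE.COM))[1235]: Backend is online",
]


def parse_tag(line):
    """Split 'TAG[PID]: CONTENT' into (program, pid, content)."""
    m = _TAG.match(line)
    if m is None:
        raise ValueError("no program name at start of line")
    pid_field = m.group("pid")
    # A bracketed field that is not purely numeric is not a usable PID.
    pid = int(pid_field) if pid_field and re.fullmatch(r"[0-9]+", pid_field) else None
    content = m.group("rest")
    if content.startswith(":"):
        content = content[1:].lstrip(" ")
    return m.group("prog"), pid, content


def split_identifier(program):
    """Return (service, domain) from a parenthesised identifier, else None."""
    m = _IDENT.fullmatch(program)
    return (m.group("svc"), m.group("dom")) if m else None


if __name__ == "__main__":
    for line in SAMPLES:
        program, pid, content = parse_tag(line)
        print(f"{line!r}\n  program={program!r} pid={pid!r} "
              f"content={content!r} ident={split_identifier(program)!r}")
```

With the old form the service name lands in the PID slot and the real PID leaks into the message body; with the new form the PID is recovered and the service and domain can still be split out of the program name.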
URL: https://github.com/SSSD/sssd/pull/5484
Author: pbrezina
Title: #5484: sudo: do not search by low usn value to improve performance
Action: opened
PR body:
"""
This is a follow up on these two commits.
- 819d70ef6e6fa0e736ebd60a7f8a26f672927d57
- 6815844daa7701c76e31addbbdff74656cd30bea
The first one improved the search filter a little bit to achieve better
performance, however it also changed the behavior: we started to search
for `usn >= 1` in the filter if no usn number was known.
This caused issues on OpenLDAP server which was fixed by the second patch.
However, the fix was wrong and searching by this meaningfully low number
can cause performance issues depending on how the filter is optimized and
evaluated on the server.
Now we omit the usn attribute from the filter if there is no meaningful value.
How to test:
1. Set up LDAP with no sudo rules defined
2. Make sure that the LDAP server does not support USN or use the following diff
to enforce modifyTimestamp (last USN is always available from rootDSE)
```diff
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 32c0144b9..c853e4dc1 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -1391,7 +1391,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name;
entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name;
if (rootdse) {
- if (last_usn_name) {
+ if (false) {
ret = sysdb_attrs_get_string(rootdse,
last_usn_name, &last_usn_value);
if (ret != EOK) {
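Review bot: Hard-coding `if (false)` over the `last_usn_name` check makes the `sysdb_attrs_get_string(rootdse, last_usn_name, &last_usn_value)` call unreachable, which is only acceptable as a throwaway test change. Make sure it stays out of the commits in this PR.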
@@ -1500,7 +1500,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
}
}
- if (!last_usn_name) {
+ if (true) {
DEBUG(SSSDBG_FUNC_DATA,
"No known USN scheme is supported by this server!\n");
if (!entry_usn_name) {
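Review bot: The `if (true)` here forces the "No known USN scheme is supported by this server!" debug line even when `last_usn_name` is set, so the log no longer reflects what the server offers. Say so in the test instructions, or use a separate message for the forced path.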
```
3. Run SSSD with sudo and check that smart refresh filter does not contain modifyTimestamp
4. Add a new sudo rule, check that the filter does contain it after the rule is cached
Resolves: https://github.com/SSSD/sssd/issues/5483
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5484/head:pr5484
git checkout pr5484