[sssd PR#616][opened] become_user: add supplementary groups so ad provider can access keytab
by asheplyakov
URL: https://github.com/SSSD/sssd/pull/616
Author: asheplyakov
Title: #616: become_user: add supplementary groups so ad provider can access keytab
Action: opened
PR body:
"""
For security reasons one might want to run providers as a non-privileged
user (say, _sssd). However some providers (in particular ad) might need
access to restricted (non world-readable) files (for instance,
/etc/krb5.keytab). One of the possible ways to solve the problem is to
- add a special group (for instance, _keytab)
- set the owner:group of the file in question to root:_keytab
- set the permissions of the file in question to 640
- make the _sssd user a member of the _keytab group
For this to work, become_user should assign supplementary groups, which
is what this patch does.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/616/head:pr616
git checkout pr616
3 years, 2 months
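The privilege drop described in PR #616, as an added example that is not sssd's own become_user: the supplementary groups of the target account are loaded with initgroups() while the process is still root, before setgid()/setuid(), so a 640 file owned by root:_keytab stays readable once the provider runs as the unprivileged user. The account and group names (_sssd, _keytab) follow the PR text and are illustrative; has_supplementary_group() is a hypothetical helper for checking the result.

```c
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Switch to uid/gid, keeping the supplementary groups of that account.
 * Returns 0 on success or an errno value. */
int become_user(uid_t uid, gid_t gid)
{
    /* Already the requested identity: nothing to do. */
    if (getuid() == uid && getgid() == gid) return 0;

    struct passwd *pw = getpwuid(uid);
    if (pw == NULL) return errno ? errno : ENOENT;

    /* initgroups() must run while still privileged and before setuid();
     * afterwards it fails with EPERM. Skipping it leaves the process with
     * only 'gid', so a 640 file owned by root:_keytab is unreadable. */
    if (initgroups(pw->pw_name, gid) != 0) return errno;
    if (setgid(gid) != 0) return errno;
    if (setuid(uid) != 0) return errno;
    return 0;
}

/* Returns 1 if 'needle' is in the gid list, 0 otherwise. */
int gid_in_list(const gid_t *list, int n, gid_t needle)
{
    for (int i = 0; i < n; i++)
        if (list[i] == needle) return 1;
    return 0;
}

/* Is 'gid' in this process's supplementary group list? 1 yes, 0 no, -1 error.
 * Hypothetical helper: call it after become_user() with the _keytab gid. */
int has_supplementary_group(gid_t gid)
{
    int n = getgroups(0, NULL);          /* query the count first */
    if (n < 0) return -1;
    gid_t *groups = calloc((size_t)n + 1, sizeof(gid_t));
    if (groups == NULL) return -1;
    n = getgroups(n, groups);
    int found = (n < 0) ? -1 : gid_in_list(groups, n, gid);
    free(groups);
    return found;
}
```

A quick check after the switch is to open /etc/krb5.keytab read-only: with the _keytab gid present in the supplementary list the open succeeds, without it the kernel returns EACCES.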
[sssd PR#5251][opened] [wip] subdomains: allow to inherit case_sensitive=Preserving
by pbrezina
URL: https://github.com/SSSD/sssd/pull/5251
Author: pbrezina
Title: #5251: [wip] subdomains: allow to inherit case_sensitive=Preserving
Action: opened
PR body:
"""
The first patch is just man page update to reflect current state.
I think it makes sense to be able to show subdomain names in
their original casing. Patches 2-3 make it work for AD provider.
Patch 4 makes it work for IPA provider. There is apparently a bug
in winbind, but there is no link to any bugzilla so I do not know
if it was already fixed. The commit is four years old. This patch
requires case_sensitive=Preserving to be set also on the server,
otherwise it does not work. It can be enabled without the server setting
but we need to make nss_cmd_getpwnam_ex (and other _ex commands)
always return case preserving name. So before I continue the work
I'd like to ask @sumit-bose if we can do it like this.
Resolves:
https://github.com/SSSD/sssd/issues/5250
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5251/head:pr5251
git checkout pr5251
3 years, 2 months
[sssd PR#5470][opened] pam: refresh certificate maps at the end of initial domains lookup
by sumit-bose
URL: https://github.com/SSSD/sssd/pull/5470
Author: sumit-bose
Title: #5470: pam: refresh certificate maps at the end of initial domains lookup
Action: opened
PR body:
"""
During startup SSSD's responders send a getDomains request to all backends
to refresh some domain related needed by the responders.
The PAM responder specifically needs the certificate mapping and matching
rules when Smartcard authentication is enabled. Currently the rules are not
refreshed at the end of the initial request but the code assumed that the
related structures are initialized after the request finished.
To avoid a race condition this patch adds a callback to the end of the
request to make sure the rules are properly refreshed even if they are
already initialized before.
Resolves: https://github.com/SSSD/sssd/issues/5469
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5470/head:pr5470
git checkout pr5470
3 years, 2 months
userCertificate in integration tests.
by Per-Erik Persson
Looking through the test code and older entries in the mailing list there seems
to be no easy way to push a certificate for a testuser via the LDAP
connection with Python.
Using the openldap client is the only option I can think of.
Are there any better ideas out there?
3 years, 2 months