URL: https://github.com/SSSD/sssd/pull/174 Author: sumit-bose Title: #174: One certificate for multiple users Action: opened
PR body: """ This is the first set of patches related to https://pagure.io/SSSD/sssd/issue/3050 to allow authenticating as different users with a single certificate.
Besides the needed changes for cache_req and PAM it includes 2 new InfoPipe methods ListByCertificate and FindByNameAndCertificate to list all accounts mapped to a certificate and to check if a certificate can be used to authenticate to a given account.
To test e.g. with FreeIPA just add the certificate not only to a single user but to other users as well. """
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/174/head:pr174
git checkout pr174
URL: https://github.com/SSSD/sssd/pull/174 Author: sumit-bose Title: #174: One certificate for multiple users Action: synchronized
URL: https://github.com/SSSD/sssd/pull/174 Title: #174: One certificate for multiple users
Label: +Changes requested
URL: https://github.com/SSSD/sssd/pull/174 Author: sumit-bose Title: #174: One certificate for multiple users Action: synchronized
URL: https://github.com/SSSD/sssd/pull/174 Title: #174: One certificate for multiple users
sumit-bose commented: """ I pushed a new version which already fixes the first two of Jakub's comments. """
See the full comment at https://github.com/SSSD/sssd/pull/174#issuecomment-284689713
URL: https://github.com/SSSD/sssd/pull/174 Title: #174: One certificate for multiple users
jhrozek commented: """ Thank you for the new version, unfortunately now I'm seeing a crash when I list two users who have the same certificate. This is the backtrace:
````
Program received signal SIGSEGV, Segmentation fault.
ldb_msg_find_element (msg=0x0, attr_name=0x7f0ab99a6b87 "objectClass") at ../common/ldb_msg.c:51
51	for (i=0;i<msg->num_elements;i++) {
(gdb) bt
#0  ldb_msg_find_element (msg=0x0, attr_name=0x7f0ab99a6b87 "objectClass") at ../common/ldb_msg.c:51
#1  0x00007f0ac16557e9 in ldb_msg_find_ldb_val (msg=<optimized out>, attr_name=<optimized out>) at ../common/ldb_msg.c:399
#2  0x00007f0ac1655cc9 in ldb_msg_find_attr_as_string (msg=<optimized out>, attr_name=<optimized out>, default_value=0x0) at ../common/ldb_msg.c:584
#3  0x00007f0ab99577cb in ipa_id_get_account_info_orig_done (subreq=0x0) at /sssd/src/providers/ipa/ipa_id.c:759
#4  0x00007f0ab8deada0 in sdap_handle_acct_req_done (subreq=0x0) at /sssd/src/providers/ldap/ldap_id.c:1614
#5  0x00007f0ab8de894f in users_get_done (subreq=0x0) at /sssd/src/providers/ldap/ldap_id.c:596
#6  0x00007f0ab8e0b359 in sdap_get_users_done (subreq=0x7c7950) at /sssd/src/providers/ldap/sdap_async_users.c:955
#7  0x00007f0ab8e0ae00 in sdap_search_user_process (subreq=0x0) at /sssd/src/providers/ldap/sdap_async_users.c:815
#8  0x00007f0ab8e04928 in generic_ext_search_handler (subreq=0x0, opts=0x76b5f0) at /sssd/src/providers/ldap/sdap_async.c:1689
#9  0x00007f0ab8e04c86 in sdap_get_and_parse_generic_done (subreq=0x7caf50) at /sssd/src/providers/ldap/sdap_async.c:1797
#10 0x00007f0ab8e043fb in sdap_get_generic_op_finished (op=0x777510, reply=0x790a30, error=0, pvt=0x7caf50) at /sssd/src/providers/ldap/sdap_async.c:1579
#11 0x00007f0ab8e00618 in sdap_process_message (ev=0x736c30, sh=0x780bb0, msg=0x7aa2c0) at /sssd/src/providers/ldap/sdap_async.c:353
#12 0x00007f0ab8e00197 in sdap_process_result (ev=0x736c30, pvt=0x780bb0) at /sssd/src/providers/ldap/sdap_async.c:197
#13 0x00007f0ab8dffe5a in sdap_ldap_next_result (ev=0x736c30, te=0x7904b0, tv=..., pvt=0x780bb0) at /sssd/src/providers/ldap/sdap_async.c:145
#14 0x00007f0abdf52500 in tevent_common_loop_timer_delay (ev=ev@entry=0x736c30) at ../tevent_timed.c:341
#15 0x00007f0abdf53519 in epoll_event_loop_once (ev=0x736c30, location=<optimized out>) at ../tevent_epoll.c:915
#16 0x00007f0abdf51c07 in std_event_loop_once (ev=0x736c30, location=0x7f0ac1d1226d "/sssd/src/util/server.c:718") at ../tevent_standard.c:114
#17 0x00007f0abdf4dabd in _tevent_loop_once (ev=ev@entry=0x736c30, location=location@entry=0x7f0ac1d1226d "/sssd/src/util/server.c:718") at ../tevent.c:680
#18 0x00007f0abdf4dceb in tevent_common_loop_wait (ev=0x736c30, location=0x7f0ac1d1226d "/sssd/src/util/server.c:718") at ../tevent.c:803
#19 0x00007f0abdf51ba7 in std_event_loop_wait (ev=0x736c30, location=0x7f0ac1d1226d "/sssd/src/util/server.c:718") at ../tevent_standard.c:145
#20 0x00007f0ac1ceb3cb in server_loop (main_ctx=0x7380c0) at /sssd/src/util/server.c:718
#21 0x00000000004093ba in main (argc=8, argv=0x7fff69b11de8) at /sssd/src/providers/data_provider_be.c:588
(gdb) frame 3
#3  0x00007f0ab99577cb in ipa_id_get_account_info_orig_done (subreq=0x0) at /sssd/src/providers/ipa/ipa_id.c:759
759	class = ldb_msg_find_attr_as_string(state->obj_msg, SYSDB_OBJECTCLASS,
(gdb) p state->obj_msg
$1 = (struct ldb_message *) 0x0
````
And I ran:
# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat cert.pem)" uint32:100
"""
See the full comment at https://github.com/SSSD/sssd/pull/174#issuecomment-285014108
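An added example (not code from PR #174 or from SSSD) showing how an administrator can audit the one-certificate-to-many-accounts mapping this PR enables: it wraps the two InfoPipe methods from the thread in small shell functions and parses a dbus-send reply to count the accounts a certificate maps to. The D-Bus destination, object path and the ListByCertificate arguments are those jhrozek used above; the FindByNameAndCertificate argument order (string:name string:pem_cert) is an assumption, and the sample reply is constructed, not captured.

```shell
# Added example, not part of PR #174 or of SSSD itself.
IFP_DEST=org.freedesktop.sssd.infopipe
IFP_USERS_PATH=/org/freedesktop/sssd/infopipe/Users
IFP_USERS_IFACE=org.freedesktop.sssd.infopipe.Users

# Object paths of every account the PEM certificate in file $1 maps to,
# asking for at most $2 results (the same call jhrozek ran in the thread).
list_by_cert() {
    dbus-send --system --print-reply --dest="$IFP_DEST" "$IFP_USERS_PATH" \
        "$IFP_USERS_IFACE.ListByCertificate" string:"$(cat "$1")" uint32:"$2"
}

# Ask whether account $1 may authenticate with the certificate in file $2.
# Argument order is assumed (name first, then the PEM certificate).
find_by_name_and_cert() {
    dbus-send --system --print-reply --dest="$IFP_DEST" "$IFP_USERS_PATH" \
        "$IFP_USERS_IFACE.FindByNameAndCertificate" string:"$1" string:"$(cat "$2")"
}

# Pull the object paths out of a dbus-send --print-reply dump read from stdin.
parse_object_paths() {
    sed -n 's/^[[:space:]]*object path "\([^"]*\)"[[:space:]]*$/\1/p'
}

# Number of accounts mapped to the certificate; more than one is the shared
# certificate case this PR introduces, which is worth reviewing on each host.
count_mapped() {
    parse_object_paths | wc -l | tr -d '[:space:]'
}

# Constructed sample of a ListByCertificate reply for two users sharing one
# certificate; the domain and ids are made up for this example.
SAMPLE_REPLY='method return time=1489063212.434 sender=:1.8 -> destination=:1.19 serial=12 reply_serial=2
   array [
      object path "/org/freedesktop/sssd/infopipe/Users/ipa_2eexample_2ecom/1001"
      object path "/org/freedesktop/sssd/infopipe/Users/ipa_2eexample_2ecom/1002"
   ]'

# Report on the sample reply; on a live host feed list_by_cert output instead.
audit_sample() {
    n=$(printf '%s\n' "$SAMPLE_REPLY" | count_mapped)
    if [ "$n" -gt 1 ]; then
        echo "certificate is shared by $n accounts"
    else
        echo "certificate maps to $n account"
    fi
}

audit_sample
```

On a live system replace the constructed reply with `list_by_cert cert.pem 100 | count_mapped`.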
URL: https://github.com/SSSD/sssd/pull/174 Author: sumit-bose Title: #174: One certificate for multiple users Action: synchronized
URL: https://github.com/SSSD/sssd/pull/174 Title: #174: One certificate for multiple users
sumit-bose commented: """ Thank you for testing. The code looking up overrides for IPA users was not prepared to handle multiple results. I added a patch to handle this at least for lookups by certificate. Wildcard lookups via InfoPipe currently just error out here, i.e. the objects are saved but the check if an override exists is skipped. I guess this should be fixed sooner or later as well. """
See the full comment at https://github.com/SSSD/sssd/pull/174#issuecomment-285338944
URL: https://github.com/SSSD/sssd/pull/174 Title: #174: One certificate for multiple users
Label: -Changes requested
URL: https://github.com/SSSD/sssd/pull/174 Title: #174: One certificate for multiple users
jhrozek commented: """ On Thu, Mar 09, 2017 at 04:30:48AM -0800, sumit-bose wrote:
Thank you for testing. The code looking up overrides for IPA users was not prepared to handle multiple results. I added a patch to handle this at least for lookups by certificate. Wildcard lookups via InfoPipe currently just error out here, i.e. the objects are saved but the check if an override exists is skipped. I guess this should be fixed sooner or later as well.
OK, with this version I'm no longer seeing a crash, but I'm still seeing the issue described in https://pagure.io/SSSD/sssd/issue/3321
FindByNameAndCertificate works fine and I have no other comments for the code.
The overrides patch looks fine to me code-wise but I didn't run many tests so far..
Do you think we should be fixing #3321 as part of this patch?
@pbrezina do you have any thoughts about the GND_DESCEND question earlier?
"""
See the full comment at https://github.com/SSSD/sssd/pull/174#issuecomment-285498215
URL: https://github.com/SSSD/sssd/pull/174 Title: #174: One certificate for multiple users
sumit-bose commented: """
Do you think we should be fixing #3321 as part of this patch?
If you agree I would prefer to fix this with the next series of patches which I will send for https://pagure.io/SSSD/sssd/issue/3050. """
See the full comment at https://github.com/SSSD/sssd/pull/174#issuecomment-285609242
URL: https://github.com/SSSD/sssd/pull/174 Title: #174: One certificate for multiple users
jhrozek commented: """ On Fri, Mar 10, 2017 at 12:34:40AM -0800, sumit-bose wrote:
Do you think we should be fixing #3321 as part of this patch?
If you agree I would prefer to fix this with the next series of patches which I will send for https://pagure.io/SSSD/sssd/issue/3050.
Sure, we have a ticket so I'm not worried about forgetting about that and it's a bug in new functionality, so no existing users would be annoyed. I'm just trying to list things we need to fix or track before we push the patches :)
So the last remaining question is about the GND_DESCEND detail..
"""
See the full comment at https://github.com/SSSD/sssd/pull/174#issuecomment-285616865
URL: https://github.com/SSSD/sssd/pull/174 Title: #174: One certificate for multiple users
jhrozek commented: """
On 10 Mar 2017, at 10:52, Pavel Březina notifications@github.com wrote:
@pbrezina commented on this pull request.
In src/responder/ifp/ifp_users.c https://github.com/SSSD/sssd/pull/174#discussion_r105363567:
"user [%d]: %s\n", ret, sss_strerror(ret));
sbus_request_fail_and_finish(sbus_req, error);
return;
- }
- if (ret == EOK) {
ret = ifp_users_list_copy(list_ctx, result->ldb_result);
if (ret != EOK) {
error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL,
"Failed to copy domain result");
sbus_request_fail_and_finish(sbus_req, error);
return;
}
- }
- list_ctx->dom = get_next_domain(list_ctx->dom, SSS_GND_DESCEND);
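Review bot: with the `if (ret == EOK) {` guard and the `list_ctx->dom = get_next_domain(list_ctx->dom, SSS_GND_DESCEND);` step removed, the `ifp_users_list_copy(list_ctx, result->ldb_result);` call now runs on every path that gets past the `return;` above it, and the remaining lines no longer advance through the domain list. Two points to confirm before pushing: that a lookup which succeeds in no domain still returns or is skipped before `result->ldb_result` is dereferenced, and that whatever replaces the SSS_GND_DESCEND iteration still searches subdomains, since the stated intent is to gather results from all domains; if the single cache_req search does not cover that yet, keeping the per-domain loop until search_all_domains is wired in would be the safer interim.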
The intention here is to gather results from all domains, right? I implemented search_all_domains plugin option for enumeration use case to allow cache_req to not stop on the first domain with result but get result from all domains. This can be used in ifp_users_list_by_name instead of iteration, we just need to switch the filter plugins to this.
We can also use it for the method implemented here. cache_req needs small work though to allow override plugin settings in similar way Fabiano did for PAM responder (cache_req_data_set_bypass_cache).
Ok, @sbose, please let me know if you’d like to change that now or later. I’m fine either way.
"""
See the full comment at https://github.com/SSSD/sssd/pull/174#issuecomment-285644338
URL: https://github.com/SSSD/sssd/pull/174 Title: #174: One certificate for multiple users
sumit-bose commented: """ If you agree I would prefer to change this later so I can test the changes carefully. """
See the full comment at https://github.com/SSSD/sssd/pull/174#issuecomment-285654010
URL: https://github.com/SSSD/sssd/pull/174 Title: #174: One certificate for multiple users
jhrozek commented: """ On Fri, Mar 10, 2017 at 04:11:29AM -0800, sumit-bose wrote:
If you agree I would prefer to change this later so I can test the changes carefully.
Sure, I also prefer this. I'll just file a ticket so that we don't forget, put it into 1.15.3 where we keep the cleanup tickets, run CI and coverity and then push these patches..
"""
See the full comment at https://github.com/SSSD/sssd/pull/174#issuecomment-285668024
URL: https://github.com/SSSD/sssd/pull/174 Title: #174: One certificate for multiple users
Label: +Accepted
URL: https://github.com/SSSD/sssd/pull/174 Title: #174: One certificate for multiple users
Label: +Pushed
URL: https://github.com/SSSD/sssd/pull/174 Author: sumit-bose Title: #174: One certificate for multiple users Action: closed
URL: https://github.com/SSSD/sssd/pull/174 Title: #174: One certificate for multiple users
lslebodn commented: """ On (10/03/17 07:16), Jakub Hrozek wrote:
jhrozek approved this pull request.
master:
* 3fd8ea55d59f29725ab32bdaf5b98ffaae7fbf9d
* 7aadfa5454e436e4c36ede00434ff9687a6c48e2
* 16c9d63d96ce8dc7517ae16502e9ec72d6a58d6c
* ef55b0e470a8fbcf6e6d0a55883145e02a907842
* 861dbe0794739a1c93a5bed00913c7442a2bdac9
* 2b80496ceedc498f7e13ebaf3e1eaa9d894b8cb9
* ba926c98b7ae605077a09ba7135e05257de62a0f
LS
"""
See the full comment at https://github.com/SSSD/sssd/pull/174#issuecomment-285788546
sssd-devel@lists.fedorahosted.org