tmraz pushed to authconfig (master). "make the cacertdir setup more sane (#1203024) (..more)"
notifications at fedoraproject.org
notifications at fedoraproject.org
Fri Mar 27 17:34:38 UTC 2015
>From 446e70ce657ae0fd88a85021bedb2027ff5dc018 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz at fedoraproject.org>
Date: Fri, 27 Mar 2015 18:34:29 +0100
Subject: make the cacertdir setup more sane (#1203024)
- support sssd prompting non-local users for password (#1195817)
diff --git a/authconfig-6.2.10-cacertdir.patch b/authconfig-6.2.10-cacertdir.patch
new file mode 100644
index 0000000..c6dd030
--- /dev/null
+++ b/authconfig-6.2.10-cacertdir.patch
@@ -0,0 +1,63 @@
+# HG changeset patch
+# User Tomas Mraz <tmraz at redhat.com>
+# Date 1427468671 -3600
+# Fri Mar 27 16:04:31 2015 +0100
+# Node ID 8dd359bfc32e9473251571486ef0a29d1c4167a4
+# Parent 1686f4a66f7cd306bd827274970de09a892bfd9e
+Make the ldapCacertDir follow the openldap default.
+
+diff -r 1686f4a66f7c -r 8dd359bfc32e authinfo.py
+--- a/authinfo.py Tue Mar 03 10:24:52 2015 +0100
++++ b/authinfo.py Fri Mar 27 16:04:31 2015 +0100
+@@ -116,7 +116,7 @@
+ PATH_WINBIND_NET = "/usr/bin/net"
+ PATH_IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install"
+
+-PATH_LDAP_CACERTS = "/etc/openldap/cacerts"
++PATH_LDAP_CACERTS = "/etc/openldap/certs"
+ LDAP_CACERT_DOWNLOADED = "authconfig_downloaded.pem"
+
+ PATH_CONFIG_BACKUPS = "/var/lib/authconfig"
+@@ -1627,7 +1627,6 @@
+
+ # Read LDAP setup from /etc/ldap.conf.
+ def readLDAP(self, ref):
+- self.ldapCacertDir = PATH_LDAP_CACERTS
+ # Open the file. Bail if it's not there or there's some problem
+ # reading it.
+ try:
+@@ -1675,10 +1674,16 @@
+ if value:
+ self.setParam("ldapSchema", value, ref)
+ continue
++ value = matchKey(line, "tls_cacertdir")
++ if value:
++ self.setParam("ldapCacertDir", value, ref)
++ continue
+ # We'll pull MD5/DES crypt ("pam_password") from the config
+ # file, or from the pam_unix PAM config lines.
+
+ self.ldapServer = self.ldapHostsToURIs(cleanList(self.ldapServer), False)
++ if not self.ldapCacertDir:
++ self.ldapCacertDir = PATH_LDAP_CACERTS
+ f.close()
+ return True
+
+@@ -4444,7 +4449,7 @@
+ self.uninstallIPA()
+
+ def testLDAPCACerts(self):
+- if self.enableLDAP or self.enableLDAPAuth:
++ if self.enableLDAP or self.enableLDAPAuth or self.ldapCacertURL:
+ try:
+ os.stat(self.ldapCacertDir)
+ except OSError as err:
+@@ -4456,7 +4461,7 @@
+
+ def rehashLDAPCACerts(self):
+ if ((self.enableLDAP or self.enableLDAPAuth) and
+- (self.enableLDAPS or 'ldaps:' in self.ldapServer)):
++ (self.enableLDAPS or 'ldaps:' in self.ldapServer)) or self.ldapCacertURL:
+ os.system("/usr/sbin/cacertdir_rehash " + self.ldapCacertDir)
+
+ def downloadLDAPCACert(self):
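Review bot: After this patch `rehashLDAPCACerts` still builds its command by string concatenation, `os.system("/usr/sbin/cacertdir_rehash " + self.ldapCacertDir)`, but `ldapCacertDir` is now taken from the `tls_cacertdir` line of the parsed config file instead of the fixed `PATH_LDAP_CACERTS`, and the new `or self.ldapCacertURL` condition runs the rehash in more configurations; a value containing whitespace or shell metacharacters would be split or interpreted by the shell. Passing the argument as a list avoids that, `subprocess.call(["/usr/sbin/cacertdir_rehash", self.ldapCacertDir])`, with `import subprocess` at the top of authinfo.py. The same hunk also moves the `PATH_LDAP_CACERTS` default from the first line of `readLDAP` to after the parse loop, so on the early-return path the comment describes ("Bail if it's not there") `ldapCacertDir` presumably no longer receives the default unless the constructor seeds it; worth confirming against `__init__`. `readLDAP`, `testLDAPCACerts` and `downloadLDAPCACert` all continue outside the hunk.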
diff --git a/authconfig-6.2.10-sssdprompting.patch b/authconfig-6.2.10-sssdprompting.patch
new file mode 100644
index 0000000..335fab6
--- /dev/null
+++ b/authconfig-6.2.10-sssdprompting.patch
@@ -0,0 +1,70 @@
+# HG changeset patch
+# User Tomas Mraz <tmraz at redhat.com>
+# Date 1427477516 -3600
+# Fri Mar 27 18:31:56 2015 +0100
+# Node ID 8c4cdeb97a91c7b959234eccc6ad216691529c3d
+# Parent 93a10a7118a58f3fe0d8d8f7c4e81fed57f29c15
+Support pam_sss.so prompting for password for non-local users.
+
+See bug 1195817
+
+diff -r 93a10a7118a5 -r 8c4cdeb97a91 authinfo.py
+--- a/authinfo.py Fri Mar 27 16:16:53 2015 +0100
++++ b/authinfo.py Fri Mar 27 18:31:56 2015 +0100
+@@ -136,6 +136,7 @@
+ LOGIC_SKIPNEXT = "[success=1 default=ignore]"
+ LOGIC_SKIPNEXT3 = "[success=3 default=ignore]"
+ LOGIC_ALWAYS_SKIP = "[default=1]"
++LOGIC_SKIPNEXT_ON_FAILURE = "[default=1 success=ok]"
+
+ # Snip off line terminators and final whitespace from a passed-in string.
+ def snipString(s):
+@@ -464,6 +465,8 @@
+ "permit", []],
+ [False, AUTH, LOGIC_SUFFICIENT,
+ "fprintd", []],
++ [False, AUTH, LOGIC_SKIPNEXT_ON_FAILURE,
++ "localuser", []],
+ [True, AUTH, LOGIC_SUFFICIENT,
+ "unix", argv_unix_auth],
+ [False, AUTH, LOGIC_REQUISITE,
+@@ -587,6 +590,8 @@
+ "env", []],
+ [False, AUTH, LOGIC_REQUIRED,
+ "deny", []],
++ [False, AUTH, LOGIC_SKIPNEXT_ON_FAILURE,
++ "localuser", []],
+ [True, AUTH, LOGIC_SUFFICIENT,
+ "unix", argv_unix_auth],
+ [False, AUTH, LOGIC_REQUISITE,
+@@ -3814,6 +3819,10 @@
+ argv = module[ARGV][0:] # shallow copy
+ argv[1] = self.uidMin
+ args = " ".join(argv)
++ # do not continue to following modules if authentication fails
++ if name == "unix" and stack == "auth" and (self.enableSSSDAuth or
++ self.implicitSSSDAuth or self.enableIPAv2) and (not self.enableNIS):
++ logic = LOGIC_FORCE_PKCS11 # make it or break it logic
+ # use oddjob_mkhomedir if available
+ if name == "mkhomedir" and os.access("%s/pam_%s.so"
+ % (AUTH_MODULE_DIR, "oddjob_mkhomedir"), os.X_OK):
+@@ -3841,6 +3850,8 @@
+ args = self.mkhomedirArgs
+ if name == "systemd":
+ args = self.systemdArgs
++ if name == "sss" and stack == "auth" and not self.enableNIS:
++ args = "forward_pass"
+ if not args and module[ARGV]:
+ args = " ".join(module[ARGV])
+ if name == "winbind" and self.winbindOffline and stack != "password":
+@@ -3945,7 +3956,9 @@
+ (self.enablePasswdQC and module[NAME] == "passwdqc") or
+ (self.enableWinbindAuth and module[NAME] == "winbind") or
+ ((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and module[NAME] == "sss") or
+- (self.enableLocAuthorize and module[NAME] == "localuser") or
++ ((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and
++ (not self.enableNIS) and module[NAME] == "localuser" and module[STACK] == AUTH) or
++ (self.enableLocAuthorize and module[NAME] == "localuser" and module[STACK] == ACCOUNT) or
+ (self.enablePAMAccess and module[NAME] == "access") or
+ (self.enableMkHomeDir and module[NAME] == "mkhomedir") or
+ (not self.enableSysNetAuth and module[STACK] == AUTH and
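Review bot: The predicate `(self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and not self.enableNIS` is now written out three times in this hunk (the `logic = LOGIC_FORCE_PKCS11` branch, the `forward_pass` branch, and the `localuser`/`AUTH` term of the enable condition), and it is the policy the whole patch hinges on. A small helper would keep the three sites from drifting, `def _sssdAuthPromptsNonLocal(self):` / `return (self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and not self.enableNIS`, with the three sites calling it. Reusing `LOGIC_FORCE_PKCS11` for the pam_unix line, whose definition is outside the hunk, also reads oddly next to the new `LOGIC_SKIPNEXT_ON_FAILURE`; if its value is the intended "make it or break it" control, an alias such as `LOGIC_BINDING = LOGIC_FORCE_PKCS11` near the other LOGIC_* constants would say so. The enclosing method of the `logic`/`args` changes starts and ends outside the hunk.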
diff --git a/authconfig.spec b/authconfig.spec
index b8ea984..b659029 100644
--- a/authconfig.spec
+++ b/authconfig.spec
@@ -1,7 +1,7 @@
Summary: Command line tool for setting up authentication from network services
Name: authconfig
Version: 6.2.10
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+
ExclusiveOS: Linux
Group: System Environment/Base
@@ -9,6 +9,8 @@ URL: https://fedorahosted.org/authconfig
Source: https://fedorahosted.org/releases/a/u/%{name}/%{name}-%{version}.tar.bz2
Patch1: authconfig-6.2.6-gdm-nolastlog.patch
Patch2: authconfig-6.2.10-python23.patch
+Patch3: authconfig-6.2.10-cacertdir.patch
+Patch4: authconfig-6.2.10-sssdprompting.patch
Requires: newt-python3, pam >= 0.99.10.0, libpwquality > 0.9
Requires: python3-sssdconfig
Conflicts: pam_krb5 < 1.49, samba-common < 3.0, samba-client < 3.0
@@ -45,6 +47,8 @@ authentication schemes.
%setup -q -n %{name}-%{version}
%patch1 -p1 -b .nolastlog
%patch2 -p1 -b .python23
+%patch3 -p1 -b .cacertdir
+%patch4 -p1 -b .sssdprompting
rm -rf %{py3dir}
cp -a . %{py3dir}
@@ -139,6 +143,10 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%{_datadir}/icons/hicolor/256x256/apps/system-config-authentication.*
%changelog
+* Fri Mar 27 2015 Tomáš Mráz <tmraz at redhat.com> - 6.2.10-4
+- make the cacertdir setup more sane (#1203024)
+- support sssd prompting non-local users for password (#1195817)
+
* Tue Mar 3 2015 Tomáš Mráz <tmraz at redhat.com> - 6.2.10-3
- add python-sssdconfig requires