[SSSD] Announcing ding-libs 0.6.1

2017-09-22 Thread Michal Židek

A new version of ding-libs (0.6.1) was released today!

ding-libs, or "Ding is not GLib" is a set of helpful libraries used by
projects such as SSSD or gss-proxy.

The tarball can be downloaded from:
https://releases.pagure.org/SSSD/ding-libs/

MD5 sum is:
141ffba92d7703b7efc2595971305de7

== Highlights ==
* libini: Length of values in INI files is no longer limited to
  PATH_MAX. The current limit is the amount of memory getline is
  able to allocate.

== Note for distribution packagers ==
   * API and ABI is backward compatible with last release (0.6.0)

== Detailed Changelog ==
Alexander Scheel (8):
  Fix build with TRACE_LEVEL
  Document use of basic regex in ini_config_augment
  INI: Fix ini_config parsing SEGVs
  INI: Tests for section/key name collisions
  INI: Prevent null return_cfg during augment
  INI: Add INI_MS_DETECT merge notifications
  INI: Extend INI_MS_DETECT to be non-exclusive
  INI: Test INI_MS_DETECT non-exclusive behavior

Lukas Slebodnik (10):
  BUILD: Fix linking of ini_augment_ut_check
  INI: Fix usage of buiddir in ini_augment_ut_check
  INI: Fix memory leaks in unit test test_ini_augment_empty_dir
  DHASH: Suppress gcc7 warning
  INI: Fix warning Walloc-size-larger-than
  Do not define _GNU_SOURCE
  COLLECTION: Remove unused macros
  INI: Fix doxygen comment for ini_errobj_create
  COLLECTION: Fix misused comma
  DHASH: Do not use c99 structure initialisation

Michal Židek (9):
  ini_augment: Use full path when reporting pattern mismatch
  DHASH: Add check based unit test
  GIT: Add commit template
  INI: Unit test for augmentation with empty dir
  INI: do not use readdir_r
  INI: Allow longer values then PATH_MAX
  INI: Add test for long values
  Bump version info
  Update versions before 0.6.1 release

Philip Prindeville (1):
  DHASH: Add new key type HASH_KEY_CONST_STRING
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
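
As an added illustration of the libini highlight in the announcement above (this is not ding-libs code; the function names and the sample input are constructed): a reader built on a fixed PATH_MAX buffer hands a long value back in several pieces, while getline returns the whole line and grows its buffer as needed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* getline(), fmemopen() */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Constructed sample: one INI line "key = aaa...a\n" held in memory. */
static char *make_sample(size_t value_len, size_t *out_len)
{
    const char *prefix = "key = ";
    size_t plen = strlen(prefix);
    char *buf = malloc(plen + value_len + 2);

    if (buf == NULL) return NULL;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'a', value_len);
    buf[plen + value_len] = '\n';
    buf[plen + value_len + 1] = '\0';
    *out_len = plen + value_len + 1;
    return buf;
}

/* Fixed-buffer reader: how many separate "lines" does a PATH_MAX-sized
 * buffer report for a file that contains exactly one line? */
size_t chunks_with_fixed_buffer(size_t value_len)
{
    char buf[PATH_MAX];
    size_t len = 0, chunks = 0;
    char *data = make_sample(value_len, &len);
    FILE *f;

    if (data == NULL) return 0;
    f = fmemopen(data, len, "r");
    if (f != NULL) {
        /* fgets stops after sizeof(buf) - 1 bytes, so a long value is
         * returned in pieces that a parser would treat as new lines. */
        while (fgets(buf, sizeof(buf), f) != NULL) chunks++;
        fclose(f);
    }
    free(data);
    return chunks;
}

/* getline reader: length of the value after "key = ", 0 on failure. */
size_t value_length_with_getline(size_t value_len)
{
    char *line = NULL;
    size_t cap = 0, len = 0, result = 0;
    char *data = make_sample(value_len, &len);
    FILE *f;

    if (data == NULL) return 0;
    f = fmemopen(data, len, "r");
    if (f != NULL) {
        ssize_t n = getline(&line, &cap, f);   /* allocates as needed */
        if (n > 0) {
            const char *eq;
            if (line[n - 1] == '\n') line[n - 1] = '\0';
            eq = strchr(line, '=');
            if (eq != NULL) {
                eq++;
                while (*eq == ' ') eq++;
                result = strlen(eq);
            }
        }
        free(line);                            /* valid even if getline failed */
        fclose(f);
    }
    free(data);
    return result;
}

int main(void)
{
    size_t want = 3 * (size_t)PATH_MAX;

    printf("value length written:   %zu\n", want);
    printf("fgets(PATH_MAX) chunks: %zu\n", chunks_with_fixed_buffer(want));
    printf("getline value length:   %zu\n", value_length_with_getline(want));
    return 0;
}
```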


[SSSD] [sssd PR#390][comment] NSS: Add option to disable memcache

2017-09-22 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/390
Title: #390: NSS: Add option to disable memcache

mzidek-rh commented:
"""
As for not putting this to upstream and only to the requested downstream 
distro, I do not like it. We may end up backporting it to future versions of 
that downstream distro as well (after rebases), which is IMO unnecessary burden 
for downstream maintainers. I do not think it is worth it just to avoid having 
this in upstream. In general, I would like to avoid "downstream only" patches 
as much as possible.

As for not documenting the option the same way as we do for the option to 
disable tls, I do not like this either, but if other developers agree with 
that, I am OK with it. The difference between the option to disable tls and 
this one is that disabling tls was added for testing purposes, while this one 
is added to support actual customer's use case and as such it should be IMO 
documented. But indeed, the current version of the man page is probably not 
stressing out enough how severe the performance impact of using this option is, 
so we can add a warning there.

I did not do any changes to the man page for now, the options are:
- do not document the option in man pages (Lukas likes)
- stress out that using it can have significant negative performance impact 
(Michal likes)

I would like to hear from other developers what they think the best approach is 
before I do any changes.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/390#issuecomment-331477185


[SSSD] [sssd PR#393][comment] IFP: parse ping arguments in codegen

2017-09-22 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/393
Title: #393: IFP: parse ping arguments in codegen

pbrezina commented:
"""
On 09/22/2017 04:21 PM, lslebodn wrote:
> *@lslebodn* commented on this pull request.
>
> 
>
> In src/responder/ifp/ifp_iface.xml
> :
>
>> @@ -5,8 +5,8 @@
>   name="org.freedesktop.DBus.GLib.CSymbol"/>
>
>  
> -
> -
> +
> +
>
> It is just in case we want to have an example how to use |sssd.Rawhander|
> @pbrezina  it's up to you :-)

We still use it elsewhere and keeping it just as an example is not a 
good enough reason to use it where it is not required. Let's go with this 
patch.


"""

See the full comment at 
https://github.com/SSSD/sssd/pull/393#issuecomment-331464395


[SSSD] [sssd PR#389][+Pushed] sssd_client: add mutex protected call to the PAC responder

2017-09-22 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/389
Title: #389: sssd_client: add mutex protected call to the PAC responder

Label: +Pushed


[SSSD] [sssd PR#389][comment] sssd_client: add mutex protected call to the PAC responder

2017-09-22 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/389
Title: #389: sssd_client: add mutex protected call to the PAC responder

lslebodn commented:
"""
Thank you for comments.

master:
* 1f331476e7d33bb03cc35a2a9064ee1cc5bed6cf
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/389#issuecomment-331462263


[SSSD] [sssd PR#389][closed] sssd_client: add mutex protected call to the PAC responder

2017-09-22 Thread lslebodn
   URL: https://github.com/SSSD/sssd/pull/389
Author: sumit-bose
 Title: #389: sssd_client: add mutex protected call to the PAC responder
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/389/head:pr389
git checkout pr389


[SSSD] [sssd PR#391][-Accepted] Use dbus-daemon in cwrap enviroment for test

2017-09-22 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/391
Title: #391: Use dbus-daemon in cwrap enviroment for test

Label: -Accepted


[SSSD] [sssd PR#391][comment] Use dbus-daemon in cwrap enviroment for test

2017-09-22 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/391
Title: #391: Use dbus-daemon in cwrap enviroment for test

lslebodn commented:
"""
Test for ping introspection was added which was changed in different PR #393
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/391#issuecomment-331460575


[SSSD] [sssd PR#393][comment] IFP: parse ping arguments in codegen

2017-09-22 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/393
Title: #393: IFP: parse ping arguments in codegen

lslebodn commented:
"""
This PR would break earlier version of #391, which is now updated
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/393#issuecomment-331460298


[SSSD] [sssd PR#391][synchronized] Use dbus-daemon in cwrap enviroment for test

2017-09-22 Thread lslebodn
   URL: https://github.com/SSSD/sssd/pull/391
Author: lslebodn
 Title: #391: Use dbus-daemon in cwrap enviroment for test
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/391/head:pr391
git checkout pr391
From 4da0ed0add8320ce03d2c0602cdcd77b8c77c7ca Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik 
Date: Wed, 20 Sep 2017 15:57:26 +0200
Subject: [PATCH 1/6] intg: Build with optimisations and debug symbols

We override CFLAGS for macro KCM_PEER_UID. Such change also remove
standard CFLAGS (-O2 -g) and therefore it was not possible to debug
processes in gdb unless environment variable CFLAGS was set.
But we should test optimized code by default and let developers
override default with environment variable CFLAGS and not vice versa.
---
 Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index f1f467100..1c0d1e7d5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3585,7 +3585,7 @@ intgcheck-prepare:
 	--without-semanage \
 	--with-session-recording-shell=/bin/false \
 	$(INTGCHECK_CONFIGURE_FLAGS) \
-	CFLAGS="$$CFLAGS -DKCM_PEER_UID=$$(id -u)"; \
+	CFLAGS="-O2 -g $$CFLAGS -DKCM_PEER_UID=$$(id -u)"; \
 	$(MAKE) $(AM_MAKEFLAGS) ; \
 	: Force single-thread install to workaround concurrency issues; \
 	$(MAKE) $(AM_MAKEFLAGS) -j1 install; \
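
Review bot: on the changed CFLAGS line, -DKCM_PEER_UID is a preprocessor definition, so it could be passed as CPPFLAGS="$$CPPFLAGS -DKCM_PEER_UID=$$(id -u)" instead; CFLAGS would then stay untouched, configure would keep its own defaults, and the hard-coded "-O2 -g" would not be needed. If CFLAGS stays, the order is right (the caller's $$CFLAGS comes after -O2 -g and can override it), and a one-line comment saying so would help.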

From 8c407c2c1c151742ca8115551dec9a6150febf5f Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik 
Date: Sat, 18 Mar 2017 15:47:43 +0100
Subject: [PATCH 2/6] intg: Do not prefer builddir in PATH

Binary files in builddir are shell wrapper for libtool
Therefore we should prefer files which are installed in $prefix
---
 src/tests/intg/Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index abf6237fc..0b2982785 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -75,7 +75,7 @@ intgcheck-installed: config.py passwd group
 	uid_wrapper=$$(pkg-config --libs uid_wrapper); \
 	PATH="$$(dirname -- $(SLAPD)):$$PATH" \
 	PATH="$(DESTDIR)$(sbindir):$(DESTDIR)$(bindir):$$PATH" \
-	PATH="$(abs_builddir):$(abs_srcdir):$$PATH" \
+	PATH="$$PATH:$(abs_builddir):$(abs_srcdir)" \
 	PYTHONPATH="$(abs_builddir):$(abs_srcdir)" \
 	LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \
 	NON_WRAPPED_UID=$$(id -u) \
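
Review bot: on the changed PATH line, moving $(abs_builddir) and $(abs_srcdir) to the end puts them behind every directory of the caller's $$PATH, not only behind $(DESTDIR)$(sbindir) and $(DESTDIR)$(bindir), so a same-named program installed system-wide is now found before the one in the build tree. If the intent is only to prefer the copies installed under $prefix, state that in a comment here, or drop the build and source directories from PATH if nothing in them is run by bare name.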

From 70539429d9563c39056ea250f7d5ced58bb8abfd Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik 
Date: Wed, 20 Sep 2017 15:40:07 +0200
Subject: [PATCH 3/6] intg: Install configuration for dbus daemon

Resolves:
https://pagure.io/SSSD/sssd/issue/2823
---
 src/external/intgcheck.m4 |  2 +
 src/tests/intg/Makefile.am| 20 +++
 src/tests/intg/data/cwrap-dbus-system.conf.in | 83 +++
 3 files changed, 105 insertions(+)
 create mode 100644 src/tests/intg/data/cwrap-dbus-system.conf.in

diff --git a/src/external/intgcheck.m4 b/src/external/intgcheck.m4
index ac68b85dd..60a7bf306 100644
--- a/src/external/intgcheck.m4
+++ b/src/external/intgcheck.m4
@@ -31,3 +31,5 @@ AC_DEFUN([SSS_ENABLE_INTGCHECK_REQS], [
 SSS_INTGCHECK_REQ([HAVE_PY2MOD_LDAP], [pyldb])
 fi
 ])
+
+AM_CONDITIONAL([INTG_BUILD], [test x"$enable_intgcheck_reqs" = xyes])
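
Review bot: the added AM_CONDITIONAL sits outside the AC_DEFUN that closes just above it, so it is expanded wherever this file's text is read, not where SSS_ENABLE_INTGCHECK_REQS is invoked. If enable_intgcheck_reqs has not been set by that point, INTG_BUILD is silently false. Consider placing the AM_CONDITIONAL in configure.ac after the option is processed, or add a comment stating the ordering this relies on.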
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 0b2982785..ffbfd1b1f 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -32,6 +32,25 @@ dist_noinst_DATA = \
 test_kcm.py \
 $(NULL)
 
+EXTRA_DIST = data/cwrap-dbus-system.conf.in
+
+dbussysconfdir = $(sysconfdir)/dbus-1
+dbusservicedir = $(datadir)/dbus-1/system-services
+
+if INTG_BUILD
+dist_dbussysconf_DATA = cwrap-dbus-system.conf
+
+install-data-hook:
+	$(MKDIR_P) $(DESTDIR)$(runstatedir)/dbus
+	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/session.d
+
+endif
+
+cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile
+	$(SED) -e "s!@runstatedir[@]!$(runstatedir)!" \
+   -e "s!@dbusservicedir[@]!$(dbusservicedir)!" \
+   $< > $@
+
 config.py: config.py.m4
 	m4 -D "prefix=\`$(prefix)'" \
 	   -D "sysconfdir=\`$(sysconfdir)'" \
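
Review bot: dist_dbussysconf_DATA names cwrap-dbus-system.conf, which this same hunk generates with sed from data/cwrap-dbus-system.conf.in. The dist_ prefix would ship that generated file, with one build's $(runstatedir) and $(dbusservicedir) substituted in, next to the template already listed in EXTRA_DIST; nodist_dbussysconf_DATA fits a generated file. Also worth confirming: install-data-hook creates $(DESTDIR)$(sysconfdir)/session.d, while the directory defined above is $(sysconfdir)/dbus-1.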
@@ -61,6 +80,7 @@ CLEANFILES=config.py config.pyc passwd group
 
 clean-local:
 	rm -Rf root
+	rm -f $(builddir)/cwrap-dbus-system.conf
 
 intgcheck-installed: config.py passwd group
 	pipepath="$(DESTDIR)$(pipepath)"; \
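
Review bot: the rm -f added to clean-local does by hand what CLEANFILES already does for generated files. The hunk header shows CLEANFILES=config.py config.pyc passwd group, so appending cwrap-dbus-system.conf there keeps all generated files in one list and removes the need for the explicit $(builddir)/ path.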
diff --git a/src/tests/intg/data/cwrap-dbus-system.conf.in b/src/tests/intg/data/cwrap-dbus-system.conf.in
new file mode 100644
index 0..7369054e7
--- /dev/null
+++ b/src/tests/intg/data/cwrap-dbus-system.conf.in
@@ -0,0 +1,83 @@
+
+
+
+
+http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd;>
+
+
+  
+  system
+
+  
+  
+
+
+  
+  
+
+  
+  
+  @dbusservicedir@
+
+
+  
+  @runstatedir@/dbus/messagebus.pid
+
+  
+  EXTERNAL
+
+  
+  unix:path=@runstatedir@/dbus/system_bus_socket
+  
+
+
+
+
+
+
+  
+

[SSSD] [sssd PR#390][comment] NSS: Add option to disable memcache

2017-09-22 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/390
Title: #390: NSS: Add option to disable memcache

lslebodn commented:
"""
On (22/09/17 06:48), mzidek-rh wrote:
>@lslebodn I am not sure about that. Maybe we could document the fact that it 
>has significant performance impact? Retrospectively, I think we should do this 
>also for SSS_NSS_USE_MEMCACHE. It may be obvious to some people, but stressing 
>it out is better IMO.
>

SSS_NSS_USE_MEMCACHE is a different case. Because you intentionally disable it
per client. Disabling memcache globally on heavy load server (e.g. mailserver)
is like jumping from skyscraper without a parachute.

(I know what I am talking about https://pagure.io/SSSD/sssd/issue/3520)

Such misfeature should not have a place in upstream.
We should not repeat the same mistake as with allowing authentication without
tls. Ideal would be to have this PR just as a downstream patch to make
one particular customer (with unreasonable request due to workarounds on top
of workarounds) happy.

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/390#issuecomment-331454131


[SSSD] [sssd PR#390][comment] NSS: Add option to disable memcache

2017-09-22 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/390
Title: #390: NSS: Add option to disable memcache

mzidek-rh commented:
"""
@lslebodn I am not sure about that. Maybe we could document the fact that it 
has significant performance impact? Retrospectively, I think we should do this 
also for SSS_NSS_USE_MEMCACHE. It may be obvious to some people, but stressing 
it out is better IMO.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/390#issuecomment-331451687


[SSSD] [sssd PR#390][comment] NSS: Add option to disable memcache

2017-09-22 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/390
Title: #390: NSS: Add option to disable memcache

lslebodn commented:
"""
Moreover there should not be any evidence that such a feature exists. This 
misfeature is even worse than disabling tls for authentication. 
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/390#issuecomment-331451258


[SSSD] [sssd PR#390][+Changes requested] NSS: Add option to disable memcache

2017-09-22 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/390
Title: #390: NSS: Add option to disable memcache

Label: +Changes requested


[SSSD] [sssd PR#390][-Accepted] NSS: Add option to disable memcache

2017-09-22 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/390
Title: #390: NSS: Add option to disable memcache

Label: -Accepted


[SSSD] [sssd PR#390][comment] NSS: Add option to disable memcache

2017-09-22 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/390
Title: #390: NSS: Add option to disable memcache

lslebodn commented:
"""
Running sssd without memory cache is a significant performance problem which 
should not be supported by upstream. Therefore it should not be documented. 
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/390#issuecomment-331450760


[SSSD] [sssd PR#390][comment] NSS: Add option to disable memcache

2017-09-22 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/390
Title: #390: NSS: Add option to disable memcache

pbrezina commented:
"""
Ok then. Thank you for these arguments. Ack.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/390#issuecomment-331447961


[SSSD] [sssd PR#390][+Accepted] NSS: Add option to disable memcache

2017-09-22 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/390
Title: #390: NSS: Add option to disable memcache

Label: +Accepted


[SSSD] [sssd PR#390][synchronized] NSS: Add option to disable memcache

2017-09-22 Thread mzidek-rh
   URL: https://github.com/SSSD/sssd/pull/390
Author: mzidek-rh
 Title: #390: NSS: Add option to disable memcache
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/390/head:pr390
git checkout pr390
From 60326acc76b654308f9bc0bf266eb27acdaa3630 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Wed, 13 Sep 2017 12:53:08 +0200
Subject: [PATCH] NSS: Add option to disable memcache

Added option use_memcache to centrally disable memcache
for all clients without the need to specify SSS_NSS_USE_MEMCACHE=NO
environment variable.

Resolves:
https://pagure.io/SSSD/sssd/issue/3496
---
 src/confdb/confdb.h  |  1 +
 src/config/SSSDConfig/__init__.py.in |  1 +
 src/config/cfg_rules.ini |  1 +
 src/man/sssd.conf.5.xml  | 21 ++
 src/responder/nss/nsssrv.c   | 51 ++
 src/tests/intg/test_memory_cache.py  | 53 
 6 files changed, 111 insertions(+), 17 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index bcea99ae4..da7fdaed2 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -108,6 +108,7 @@
 #define CONFDB_NSS_SHELL_FALLBACK "shell_fallback"
 #define CONFDB_NSS_DEFAULT_SHELL "default_shell"
 #define CONFDB_MEMCACHE_TIMEOUT "memcache_timeout"
+#define CONFDB_NSS_USE_MEMCACHE "use_memcache"
 #define CONFDB_NSS_HOMEDIR_SUBSTRING "homedir_substring"
 #define CONFDB_DEFAULT_HOMEDIR_SUBSTRING "/home"
 
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 227f76180..76c5abe8b 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -85,6 +85,7 @@ option_strings = {
 'shell_fallback' : _('If a shell stored in central directory is allowed but not available, use this fallback'),
 'default_shell': _('Shell to use if the provider does not list one'),
 'memcache_timeout': _('How long will be in-memory cache records valid'),
+'use_memcache': _('Whether to use fast in-memory cache'),
 'user_attributes': _('List of user attributes the NSS responder is allowed to publish'),
 
 # [pam]
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index f3d30b9b3..b02002b75 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -90,6 +90,7 @@ option = shell_fallback
 option = default_shell
 option = get_domains_timeout
 option = memcache_timeout
+option = use_memcache
 
 [rule/allowed_pam_options]
 validator = ini_allowed_options
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 11496341d..cc7434068 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -988,6 +988,27 @@ fallback_homedir = /home/%u
 
 
 
+use_memcache (bool)
+
+
+Whether to use in-memory cache to improve
+performance. If this option is set to False
+the in-memory cache is not used and the
+environment variable SSS_NSS_USE_MEMCACHE
+is ignored.
+
+
+Default: True
+
+
+NOTE: If this option is set to true and the
+environment variable SSS_NSS_USE_MEMCACHE is
+set to "NO", client applications will not use
+the fast in-memory cache.
+
+
+
+
 user_attributes (string)
 
 
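
Review bot: the new use_memcache entry says the cache exists "to improve performance" but never states what setting the option to False costs. The comments on this PR treat that cost as significant, so the description should carry a sentence saying that disabling the cache can have a significant negative performance impact. The text also writes the option's values as "False" in one paragraph and "true" in the NOTE; pick one spelling.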
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index d67b9fac8..b3449685a 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -264,6 +264,7 @@ int nss_process_init(TALLOC_CTX *mem_ctx,
 int ret, max_retries;
 enum idmap_error_code err;
 int fd_limit;
+bool use_memcache;
 
 nss_cmds = get_nss_cmds();
 
@@ -351,26 +352,42 @@ int nss_process_init(TALLOC_CTX *mem_ctx,
 goto fail;
 }
 
-/* TODO: read cache sizes from configuration */
-ret = sss_mmap_cache_init(nctx, "passwd", SSS_MC_PASSWD,
-  SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout,
-  >pwd_mc_ctx);
-if (ret) {
-DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n");
-}
 
-ret = sss_mmap_cache_init(nctx, "group", SSS_MC_GROUP,
-  SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout,
-  >grp_mc_ctx);
-if (ret) {
-DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n");
+ret = 

[SSSD] [sssd PR#390][comment] NSS: Add option to disable memcache

2017-09-22 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/390
Title: #390: NSS: Add option to disable memcache

mzidek-rh commented:
"""
Updated the man page to use wording that @pbrezina suggested.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/390#issuecomment-331420300


[SSSD] [sssd PR#390][comment] NSS: Add option to disable memcache

2017-09-22 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/390
Title: #390: NSS: Add option to disable memcache

mzidek-rh commented:
"""
@fidencio I did not notice your comment before. But I do agree :)
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/390#issuecomment-331418180


[SSSD] [sssd PR#390][comment] NSS: Add option to disable memcache

2017-09-22 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/390
Title: #390: NSS: Add option to disable memcache

mzidek-rh commented:
"""
@pbrezina That would not be a good idea IMO. If the administrator decides that 
the memcache should be disabled, then the client applications should not be 
able to override it. Also we would have to refactor how SSS_NSS_USE_MEMCACHE 
works, because currently we just check in the client code if it is set to 'NO' 
and we skip the memcache if it is (anything else means it is enabled). With the 
way you suggested it, we would also have to check for 'YES' and 'not defined' 
which IMO complicates the whole thing.

Also note that by doing it the way you mentioned, we would not be able to just 
'not initialize' the memcache for use_memcache=False and we would need to read 
the option from client side to decide what to do. Which again is a complication 
(an unnecessary one IMO) of client code.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/390#issuecomment-331417906
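
The precedence rules argued over in the comment above, written out as an added example (not SSSD code and not part of the original message). It compares the PR's behaviour with the "environment variable always wins" alternative and counts the cases where a client could switch the cache on against use_memcache=False. The function names and the exact, case-sensitive comparison with "NO" and "YES" are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Behaviour of the PR as described in the thread: the responder does not
 * set up the cache when use_memcache is False, and the client only skips
 * an existing cache when SSS_NSS_USE_MEMCACHE is "NO" (anything else,
 * including unset, means "use it if it is there"). */
bool cache_used_pr(bool use_memcache, const char *env)
{
    bool cache_exists = use_memcache;                       /* server side */
    bool client_opts_out = env != NULL && strcmp(env, "NO") == 0;

    return cache_exists && !client_opts_out;                /* client side */
}

/* Alternative raised in the thread: the variable always overrides the
 * option. The client now has three cases to handle (NO, YES, not
 * defined) and needs the configured value for the third one. */
bool cache_used_env_wins(bool use_memcache, const char *env)
{
    if (env != NULL && strcmp(env, "NO") == 0) return false;
    if (env != NULL && strcmp(env, "YES") == 0) return true;
    return use_memcache;
}

static const char *const sample_envs[] = { NULL, "NO", "YES" };
#define N_ENVS (sizeof(sample_envs) / sizeof(sample_envs[0]))

/* Number of environment settings with which a client ends up using the
 * cache although the administrator set use_memcache = False. */
int admin_overrides(bool (*policy)(bool, const char *))
{
    int n = 0;

    for (size_t i = 0; i < N_ENVS; i++) {
        if (policy(false, sample_envs[i])) n++;
    }
    return n;
}

int main(void)
{
    printf("%-13s %-8s %-8s %s\n", "use_memcache", "env", "PR", "env wins");
    for (int cfg = 1; cfg >= 0; cfg--) {
        for (size_t i = 0; i < N_ENVS; i++) {
            const char *env = sample_envs[i];
            printf("%-13s %-8s %-8s %s\n",
                   cfg ? "True" : "False",
                   env != NULL ? env : "(unset)",
                   cache_used_pr(cfg != 0, env) ? "cache" : "no cache",
                   cache_used_env_wins(cfg != 0, env) ? "cache" : "no cache");
        }
    }
    printf("client overrides of use_memcache=False: PR=%d, env wins=%d\n",
           admin_overrides(cache_used_pr),
           admin_overrides(cache_used_env_wins));
    return 0;
}
```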


[SSSD] [sssd PR#390][comment] NSS: Add option to disable memcache

2017-09-22 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/390
Title: #390: NSS: Add option to disable memcache

fidencio commented:
"""
@pbrezina, @mzidek-rh:
Although I do believe that Pavel's suggestion is reasonable, I can see some 
problems with that, which I will try to describe below:
- option and env-var are evaluated in different parts of the code: I see this 
as a possible limitation for @pbrezina's suggestion, although it could be 
changed;
- env-var is only checked for NO: In case we want it to have priority, we have 
to have the code changed in a way that we also would evaluate YES and "NOT 
PRESENT" and based on this we could decide whether to use or not the memcache
- having two methods for doing the very same thing is not so nice (as then we 
start dealing with priorities): So, here is more like a question than a 
suggestion ... can't we just use this option from 2.0 (where we'll be breaking 
compats anyways)?

Enough "bla bla bla"  so, summing up I guess @mzidek-rh's approach is 
simpler while also being functional. So, I'd go for it, at least till some 
customer complains about the approach.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/390#issuecomment-331416745


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-22 Thread Sumit Bose
On Thu, Sep 21, 2017 at 01:07:23PM -0400, Simo Sorce wrote:
> On Thu, 2017-09-21 at 17:56 +0200, Sumit Bose wrote:
> > On Thu, Sep 21, 2017 at 11:23:20AM -0400, Simo Sorce wrote:
> > > On Thu, 2017-09-21 at 16:52 +0200, Lukas Slebodnik wrote:
> > > > Here you are.
> > > > local master: kvm-02-guest11.testrelm.test
> > > > replica: bkr-hv01-guest19.testrelm.test
> > > > 
> > > > [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> > > > includedir /etc/krb5.conf.d/
> > > > includedir /var/lib/sss/pubconf/krb5.include.d/
> > > > 
> > > > [logging]
> > > >  default = FILE:/var/log/krb5libs.log
> > > >  kdc = FILE:/var/log/krb5kdc.log
> > > >  admin_server = FILE:/var/log/kadmind.log
> > > > 
> > > > [libdefaults]
> > > >  default_realm = TESTRELM.TEST
> > > >  dns_lookup_realm = false
> > > >  dns_lookup_kdc = true
> > > 
> > > This  sounds wrong on a master
> > 
> > no, you need this to find any AD DC in a trusted forest.
> 
> Shouldn't SSSD do that for us via proper site discovery ?

yes, this is planned to some extent but you still have a chicken-egg
problem during 'ipa trust-add'.

But see my other email, I think there might be an issue or at least
unexpected behavior with our usage of the admin_server option in
/etc/krb5.conf.

bye,
Sumit

> 
> Simo.
> 
> > bye,
> > Sumit
> > 
> > > 
> > > Simo.
> > > 
> > > -- 
> > > Simo Sorce
> > > Sr. Principal Software Engineer
> > > Red Hat, Inc
> > > 
> 
> -- 
> Simo Sorce
> Sr. Principal Software Engineer
> Red Hat, Inc
> 


[SSSD] [sssd PR#390][comment] NSS: Add option to disable memcache

2017-09-22 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/390
Title: #390: NSS: Add option to disable memcache

pbrezina commented:
"""
I made slight changes:
```
+
+Whether to use in-memory cache to improve
+performance. If this option is set to False the 
in-memory cache is not used and
+the environment variable SSS_NSS_USE_MEMCACHE
+is ignored.
+
+
+Default: True
+
+
+NOTE: If this option is set to true and the 
environment variable
+SSS_NSS_USE_MEMCACHE is set to "NO", client
+applications will not use the fast in-memory
+cache.
```

Although I would prefer that the environment variable will always override the 
configuration option. I.e. if it is false and env.var. is set to yes, then 
memory cache will be used. Opinions?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/390#issuecomment-331409260


[SSSD] [sssd PR#390][comment] NSS: Add option to disable memcache

2017-09-22 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/390
Title: #390: NSS: Add option to disable memcache

mzidek-rh commented:
"""
@pbrezina Thank you for the comments. If the cache is disabled centrally using 
the use_memcache option, client applications can not use it regardless of 
SSS_NSS_USE_MEMCACHE env variable. If the memcache is enabled on SSSD side, 
then the client applications can use SSS_NSS_USE_MEMCACHE=NO to override it.

I added one sentence to the description to make it more clear. Tell me if it is 
enough.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/390#issuecomment-331406516


[SSSD] [sssd PR#390][synchronized] NSS: Add option to disable memcache

2017-09-22 Thread mzidek-rh
   URL: https://github.com/SSSD/sssd/pull/390
Author: mzidek-rh
 Title: #390: NSS: Add option to disable memcache
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/390/head:pr390
git checkout pr390
From 4c9925d07cd1383a0805339f0cfee7be2fd2829e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Wed, 13 Sep 2017 12:53:08 +0200
Subject: [PATCH] NSS: Add option to disable memcache

Added option use_memcache to centrally disable memcache
for all clients without the need to specify SSS_NSS_USE_MEMCACHE=NO
environment variable.

Resolves:
https://pagure.io/SSSD/sssd/issue/3496
---
 src/confdb/confdb.h  |  1 +
 src/config/SSSDConfig/__init__.py.in |  1 +
 src/config/cfg_rules.ini |  1 +
 src/man/sssd.conf.5.xml  | 20 ++
 src/responder/nss/nsssrv.c   | 51 ++
 src/tests/intg/test_memory_cache.py  | 53 
 6 files changed, 110 insertions(+), 17 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index bcea99ae4..da7fdaed2 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -108,6 +108,7 @@
 #define CONFDB_NSS_SHELL_FALLBACK "shell_fallback"
 #define CONFDB_NSS_DEFAULT_SHELL "default_shell"
 #define CONFDB_MEMCACHE_TIMEOUT "memcache_timeout"
+#define CONFDB_NSS_USE_MEMCACHE "use_memcache"
 #define CONFDB_NSS_HOMEDIR_SUBSTRING "homedir_substring"
 #define CONFDB_DEFAULT_HOMEDIR_SUBSTRING "/home"
 
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 227f76180..76c5abe8b 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -85,6 +85,7 @@ option_strings = {
 'shell_fallback' : _('If a shell stored in central directory is allowed but not available, use this fallback'),
 'default_shell': _('Shell to use if the provider does not list one'),
 'memcache_timeout': _('How long will be in-memory cache records valid'),
+'use_memcache': _('Whether to use fast in-memory cache'),
 'user_attributes': _('List of user attributes the NSS responder is allowed to publish'),
 
 # [pam]
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index f3d30b9b3..b02002b75 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -90,6 +90,7 @@ option = shell_fallback
 option = default_shell
 option = get_domains_timeout
 option = memcache_timeout
+option = use_memcache
 
 [rule/allowed_pam_options]
 validator = ini_allowed_options
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 11496341d..f992622d3 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -988,6 +988,26 @@ fallback_homedir = /home/%u
 
 
 
+use_memcache (bool)
+
+
+Whether to use in-memory cache to improve
+performance. If this option is set to False,
+the environment variable SSS_NSS_USE_MEMCACHE
+is ignored.
+
+
+Default: True
+
+
+NOTE: If the environment variable
+SSS_NSS_USE_MEMCACHE is set to "NO", client
+applications will not use the fast in-memory
+cache.
+
+
+
+
 user_attributes (string)
 
 
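
Review bot: in the first paragraph of the new entry, "If this option is set to False, the environment variable SSS_NSS_USE_MEMCACHE is ignored" describes only the side effect and never says that the in-memory cache itself is not used; state that first. The NOTE should also say that it applies when the option is True, since the paragraph above it says the variable is ignored when the option is False.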
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index d67b9fac8..b3449685a 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -264,6 +264,7 @@ int nss_process_init(TALLOC_CTX *mem_ctx,
 int ret, max_retries;
 enum idmap_error_code err;
 int fd_limit;
+bool use_memcache;
 
 nss_cmds = get_nss_cmds();
 
@@ -351,26 +352,42 @@ int nss_process_init(TALLOC_CTX *mem_ctx,
 goto fail;
 }
 
-/* TODO: read cache sizes from configuration */
-ret = sss_mmap_cache_init(nctx, "passwd", SSS_MC_PASSWD,
-  SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout,
-  >pwd_mc_ctx);
-if (ret) {
-DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n");
-}
 
-ret = sss_mmap_cache_init(nctx, "group", SSS_MC_GROUP,
-  SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout,
-  >grp_mc_ctx);
-if (ret) {
-DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n");
+ret = confdb_get_bool(nctx->rctx->cdb,
+  CONFDB_NSS_CONF_ENTRY,
+  
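Review bot: the removed "/* TODO: read cache sizes from configuration */" comment at the top of the deleted block should stay if the rewritten initialisation still passes the fixed SSS_MC_CACHE_ELEMENTS, because this change makes only the on/off switch configurable, not the sizes. Dropping the two init blocks also leaves two consecutive blank lines in front of the new confdb_get_bool() call; remove one.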

[SSSD] [sssd PR#378][comment] [RFC] Use GNULIB's compiler warning code

2017-09-22 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/378
Title: #378: [RFC] Use GNULIB's compiler warning code

pbrezina commented:
"""
@fidencio I'm not Jakub but just file a ticket for those warnings and let's
move on with this one. It's been opened a year ago, you deserve it :-)
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/378#issuecomment-331397433


[SSSD] [sssd PR#374][+Changes requested] IPA: Add threshold for sudo command and command group searches

2017-09-22 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/374
Title: #374: IPA: Add threshold for sudo command and command group searches

Label: +Changes requested


[SSSD] [sssd PR#374][comment] IPA: Add threshold for sudo command and command group searches

2017-09-22 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/374
Title: #374: IPA: Add threshold for sudo command and command group searches

pbrezina commented:
"""
I agree with Sumit in both cases. Can I also ask you to move the
thresholding logic

```c
+if (ipa_sudo_cmds_exceed_threshold(state->conv, state->cmd_threshold)) {
+DEBUG(SSSDBG_TRACE_FUNC,
+  "Command threshold [%d] exceeded, retrieving all sudo 
commands\n",
+  state->cmd_threshold);
+filter = talloc_asprintf(state, "(objectClass=%s)",
+ state->map_cmd->name);
+} else {
+filter = ipa_sudo_conv_cmd_filter(state, state->conv);
+}
```
inside the conversion functions (`ipa_sudo_conv_cmd_filter`, 
ipa_sudo_conv_cmdgoup_filter)?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/374#issuecomment-331395398


[SSSD] Re: PRs priorities for this release

2017-09-22 Thread Sumit Bose
On Thu, Sep 21, 2017 at 11:23:42PM +0200, Fabiano Fidêncio wrote:
> People,
> 
> We have 27 PRs opened by the moment I'm writing this email and I'd
> like to have a clear idea which ones are the *must* have for our next
> release.
> 
...
> - Add support for ActiveDirectory's logonHorous restrictions
> (https://github.com/SSSD/sssd/pull/269)
>   This PR comes from an external contributor and as far as I
> understood there's still some work to be done. So, should be postponed
> to the next release

I think it can be postponed. Nevertheless, unfortunately we are giving
mixed messages to the contributor about where the code should be placed.
Jakub and Simo preferred to move it to the AD provider because the
attribute is basically used only by AD. I on the other hand suggested to
keep it in the general LDAP code together with other AD related legacy
options.

So to get further here I think we should agree on what we want first.

...
> 
> - IPA: Add threshold for sudo command and command group searches
> (https://github.com/SSSD/sssd/pull/374)
>Does it have some bugzilla linked? I guess it would be nice to be
> reviewed and pushed for this release.
> 

I added two general comments and talked with Pavel about who will do the
review.

bye,
Sumit

> 
> So, can we have an agreement that we're going to focus on reviewing:
> - Fix group renaming issue when "id_provider = ldap" is set
> (https://github.com/SSSD/sssd/pull/128)
> - provider: Move hostid from ipa to sdap 
> (https://github.com/SSSD/sssd/pull/237)
> - Add support for ActiveDirectory's logonHorous restrictions
> (https://github.com/SSSD/sssd/pull/269)
> - Merge sss_cache and sss_debuglevel into sssctl
> (https://github.com/SSSD/sssd/pull/274)
> - Implement access verification by rhost using ldap_access_order rhost
> option (https://github.com/SSSD/sssd/pull/275)
> - IPA: Add threshold for sudo command and command group searches
> (https://github.com/SSSD/sssd/pull/374)
> - sssd_client: add mutex protected call to the PAC responder
> (https://github.com/SSSD/sssd/pull/389)
> - GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found
> 
> And also, do we agree that the bugs mentioned above are the material
> for this release and pretty much anything else that is already opened?
> 
> Best Regards,
> --
> Fabiano Fidêncio
> ___
> sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
> To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#374][comment] IPA: Add threshold for sudo command and command group searches

2017-09-22 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/374
Title: #374: IPA: Add threshold for sudo command and command group searches

sumit-bose commented:
"""
@justin-stephenson, I wonder if 'sudo_threshold' can be used for the commands 
as well or if there is a specific use case which requires to be able to set the 
threshold for rules and commands differently?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/374#issuecomment-331389632


[SSSD] [sssd PR#391][comment] Use dbus-daemon in cwrap enviroment for test

2017-09-22 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/391
Title: #391: Use dbus-daemon in cwrap enviroment for test

pbrezina commented:
"""
I opened https://github.com/SSSD/sssd/pull/393 to change ping to codegen 
arguments parsing.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/391#issuecomment-331389408


[SSSD] [sssd PR#393][opened] IFP: parse ping arguments in codegen

2017-09-22 Thread pbrezina
   URL: https://github.com/SSSD/sssd/pull/393
Author: pbrezina
 Title: #393: IFP: parse ping arguments in codegen
Action: opened

PR body:
"""
None
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/393/head:pr393
git checkout pr393
From 044c893b05b297f4f21f33e4d214cc68018c960b Mon Sep 17 00:00:00 2001
From: Pavel Březina
Date: Fri, 22 Sep 2017 10:47:30 +0200
Subject: [PATCH] IFP: parse ping arguments in codegen

---
 src/responder/ifp/ifp_iface.xml |  4 ++--
 src/responder/ifp/ifp_iface_generated.c | 25 ---
 src/responder/ifp/ifp_iface_generated.h |  5 -
 src/responder/ifp/ifp_private.h |  4 +---
 src/responder/ifp/ifpsrv_cmd.c  | 35 +++--
 5 files changed, 40 insertions(+), 33 deletions(-)

diff --git a/src/responder/ifp/ifp_iface.xml b/src/responder/ifp/ifp_iface.xml
index ce071bb99..39385e866 100644
--- a/src/responder/ifp/ifp_iface.xml
+++ b/src/responder/ifp/ifp_iface.xml
@@ -5,8 +5,8 @@
 
 
 
-
-
+
+
 
 
 
diff --git a/src/responder/ifp/ifp_iface_generated.c b/src/responder/ifp/ifp_iface_generated.c
index 15339698f..6943e38e3 100644
--- a/src/responder/ifp/ifp_iface_generated.c
+++ b/src/responder/ifp/ifp_iface_generated.c
@@ -24,6 +24,25 @@ static int invoke_ss_method(struct sbus_request *dbus_req, void *function_ptr);
 /* invokes a handler with a 'ssu' DBus signature */
 static int invoke_ssu_method(struct sbus_request *dbus_req, void *function_ptr);
 
+/* arguments for org.freedesktop.sssd.infopipe.Ping */
+const struct sbus_arg_meta iface_ifp_Ping__in[] = {
+{ "ping", "s" },
+{ NULL, }
+};
+
+/* arguments for org.freedesktop.sssd.infopipe.Ping */
+const struct sbus_arg_meta iface_ifp_Ping__out[] = {
+{ "pong", "s" },
+{ NULL, }
+};
+
+int iface_ifp_Ping_finish(struct sbus_request *req, const char *arg_pong)
+{
+   return sbus_request_return_and_finish(req,
+ DBUS_TYPE_STRING, _pong,
+ DBUS_TYPE_INVALID);
+}
+
 /* arguments for org.freedesktop.sssd.infopipe.ListComponents */
 const struct sbus_arg_meta iface_ifp_ListComponents__out[] = {
 { "components", "ao" },
@@ -182,10 +201,10 @@ int iface_ifp_ListDomains_finish(struct sbus_request *req, const char *arg_domai
 const struct sbus_method_meta iface_ifp__methods[] = {
 {
 "Ping", /* name */
-NULL, /* no in_args */
-NULL, /* no out_args */
+iface_ifp_Ping__in,
+iface_ifp_Ping__out,
 offsetof(struct iface_ifp, Ping),
-NULL, /* no invoker */
+invoke_s_method,
 },
 {
 "ListComponents", /* name */
diff --git a/src/responder/ifp/ifp_iface_generated.h b/src/responder/ifp/ifp_iface_generated.h
index 3dd4355e6..30752bf06 100644
--- a/src/responder/ifp/ifp_iface_generated.h
+++ b/src/responder/ifp/ifp_iface_generated.h
@@ -130,7 +130,7 @@
 /* vtable for org.freedesktop.sssd.infopipe */
 struct iface_ifp {
 struct sbus_vtable vtable; /* derive from sbus_vtable */
-sbus_msg_handler_fn Ping;
+int (*Ping)(struct sbus_request *req, void *data, const char *arg_ping);
 int (*ListComponents)(struct sbus_request *req, void *data);
 int (*ListResponders)(struct sbus_request *req, void *data);
 int (*ListBackends)(struct sbus_request *req, void *data);
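Review bot: changing the Ping member from sbus_msg_handler_fn to a typed pointer taking "const char *arg_ping" means the argument is now unpacked by generated code instead of by the handler, and the commit message, which is only a subject line, says nothing about it. Please add a body stating whether the D-Bus signature of Ping stays the same and what a caller that sends a different argument type now gets back. Since this header is generated, also confirm it was regenerated from ifp_iface.xml and not edited by hand.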
@@ -143,6 +143,9 @@ struct iface_ifp {
 int (*ListDomains)(struct sbus_request *req, void *data);
 };
 
+/* finish function for Ping */
+int iface_ifp_Ping_finish(struct sbus_request *req, const char *arg_pong);
+
 /* finish function for ListComponents */
 int iface_ifp_ListComponents_finish(struct sbus_request *req, const char *arg_components[], int len_components);
 
diff --git a/src/responder/ifp/ifp_private.h b/src/responder/ifp/ifp_private.h
index ed1b63ad6..13455bbf7 100644
--- a/src/responder/ifp/ifp_private.h
+++ b/src/responder/ifp/ifp_private.h
@@ -48,9 +48,7 @@ errno_t ifp_register_sbus_interface(struct sbus_connection *conn,
 
 void ifp_register_nodes(struct ifp_ctx *ctx, struct sbus_connection *conn);
 
-/* This is a throwaway method to ease the review of the patch.
- * It will be removed later */
-int ifp_ping(struct sbus_request *dbus_req, void *data);
+int ifp_ping(struct sbus_request *dbus_req, void *data, const char *ping);
 
 int ifp_user_get_attr(struct sbus_request *dbus_req, void *data);
 
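Review bot: with the "throwaway method" comment deleted, ifp_ping() is left in ifp_private.h with no comment at all, although removing that remark means the method is now meant to stay. Add a short comment saying what the handler expects in the ping argument and what it replies, and consider naming the parameter arg_ping to match the Ping member declared in ifp_iface_generated.h.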
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
index fc9161e82..38932b7cd 100644
--- a/src/responder/ifp/ifpsrv_cmd.c
+++ b/src/responder/ifp/ifpsrv_cmd.c
@@ -673,20 +673,17 @@ struct cli_protocol_version *register_cli_protocol_version(void)
 return ssh_cli_protocol_version;
 }
 
-/* This is a throwaway method to ease the review of the patch.
- * It will be removed later */
-int ifp_ping(struct sbus_request *dbus_req, 

[SSSD] [sssd PR#275][synchronized] Implement access verification by rhost using ldap_access_order rhost option

2017-09-22 Thread akamensky
   URL: https://github.com/SSSD/sssd/pull/275
Author: akamensky
 Title: #275: Implement access verification by rhost using ldap_access_order rhost option
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/275/head:pr275
git checkout pr275
From dfad3dddc0ea9a14faf7cc66527f9c875937792d Mon Sep 17 00:00:00 2001
From: Alexey Kamenskiy 
Date: Fri, 22 Sep 2017 16:42:41 +0800
Subject: [PATCH] Patch for issue #3458

This patch implements verification of pam_rhost against
rules stored in LDAP entry of a user.

2017-09-22: Fixed potential issue with pam_rhost being NULL
and when pam_rhost is empty (local access)
---
 src/config/SSSDConfig/__init__.py.in |  1 +
 src/config/cfg_rules.ini |  1 +
 src/config/etc/sssd.api.d/sssd-ldap.conf |  1 +
 src/db/sysdb.h   |  1 +
 src/man/sssd-ldap.5.xml  | 32 +++
 src/providers/ad/ad_opts.c   |  1 +
 src/providers/ipa/ipa_opts.c |  1 +
 src/providers/ldap/ldap_init.c   |  2 +
 src/providers/ldap/ldap_opts.c   |  3 ++
 src/providers/ldap/sdap.h|  1 +
 src/providers/ldap/sdap_access.c | 68 
 src/providers/ldap/sdap_access.h |  2 +
 12 files changed, 114 insertions(+)

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index cd844ce2b..72e554549 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -343,6 +343,7 @@ option_strings = {
 'ldap_user_shadow_flag' : _('shadowFlag attribute'),
 'ldap_user_authorized_service' : _('Attribute listing authorized PAM services'),
 'ldap_user_authorized_host' : _('Attribute listing authorized server hosts'),
+'ldap_user_authorized_rhost' : _('Attribute listing authorized server rhosts'),
 'ldap_user_krb_last_pwd_change' : _('krbLastPwdChange attribute'),
 'ldap_user_krb_password_expiration' : _('krbPasswordExpiration attribute'),
 'ldap_pwd_attribute' : _('Attribute indicating that server side password policies are active'),
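Review bot: the description added for ldap_user_authorized_rhost, 'Attribute listing authorized server rhosts', is the ldap_user_authorized_host string with one word changed, and "server rhosts" does not tell an administrator what is matched. The commit message says the check is made against pam_rhost, so wording such as 'Attribute listing authorized remote hosts' would describe the option more accurately.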
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 464346771..19e8c6678 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -658,6 +658,7 @@ option = ldap_uri
 option = ldap_user_ad_account_expires
 option = ldap_user_ad_user_account_control
 option = ldap_user_authorized_host
+option = ldap_user_authorized_rhost
 option = ldap_user_authorized_service
 option = ldap_user_auth_type
 option = ldap_user_certificate
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index c2ad3463d..65b6407f6 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -76,6 +76,7 @@ ldap_user_krb_last_pwd_change = str, None, false
 ldap_user_krb_password_expiration = str, None, false
 ldap_user_authorized_service = str, None, false
 ldap_user_authorized_host = str, None, false
+ldap_user_authorized_rhost = str, None, false
 ldap_pwd_attribute = str, None, false
 ldap_user_ad_account_expires = str, None, false
 ldap_user_ad_user_account_control = str, None, false
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 21d6cf4fc..aa6146423 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -102,6 +102,7 @@
 
 #define SYSDB_AUTHORIZED_SERVICE "authorizedService"
 #define SYSDB_AUTHORIZED_HOST "authorizedHost"
+#define SYSDB_AUTHORIZED_RHOST "authorizedRHost"
 
 #define SYSDB_NETGROUP_TRIPLE "netgroupTriple"
 #define SYSDB_ORIG_NETGROUP_MEMBER "originalMemberNisNetgroup"
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 739ae15c3..8f6f90895 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -830,6 +830,34 @@
 
 
 
+ldap_user_authorized_rhost (string)
+
+
+If access_provider=ldap and
+ldap_access_order=rhost, SSSD will use the presence
+of the rhost attribute in the user's LDAP entry to
+determine access privilege. Similarly to host
+verification process.
+
+
+An explicit deny (!rhost) is resolved first. Second,
+SSSD searches for explicit allow (rhost) and finally
+for allow_all (*).
+
+
+Please note that the ldap_access_order
+configuration option must
+include rhost in order for the
+ldap_user_authorized_rhost option
+to work.
+   
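Review bot: in the first paragraph of the ldap_user_authorized_rhost entry, "Similarly to host verification process." is a fragment, and "the presence of the rhost attribute" does not say which value the entry is compared with; name the remote host reported by PAM and point to the ldap_user_authorized_host entry explicitly. The commit message mentions special handling when pam_rhost is NULL or empty (local access), but the visible part of this entry does not say whether such logins are allowed or denied, and that outcome belongs in the man page.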

[SSSD] [sssd PR#374][comment] IPA: Add threshold for sudo command and command group searches

2017-09-22 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/374
Title: #374: IPA: Add threshold for sudo command and command group searches

sumit-bose commented:
"""
@justin-stephenson, I think the rename patch should be dropped because the 
original patch introducing 'sudo_threshold' is already published in some Fedora 
releases.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/374#issuecomment-331388083


[SSSD] [sssd PR#391][+Accepted] Use dbus-daemon in cwrap enviroment for test

2017-09-22 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/391
Title: #391: Use dbus-daemon in cwrap enviroment for test

Label: +Accepted


[SSSD] [sssd PR#391][comment] Use dbus-daemon in cwrap enviroment for test

2017-09-22 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/391
Title: #391: Use dbus-daemon in cwrap enviroment for test

pbrezina commented:
"""
Ack.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/391#issuecomment-331386571


[SSSD] [sssd PR#391][comment] Use dbus-daemon in cwrap enviroment for test

2017-09-22 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/391
Title: #391: Use dbus-daemon in cwrap enviroment for test

pbrezina commented:
"""
```xml




```

Parameters for ping method are parsed manually, therefore it is not shown in 
the introspection. But it can be parsed by the codegen without any troubles so 
it is just a historic relic.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/391#issuecomment-331379883