[SSSD] [sssd PR#965][opened] certmap: mention special regex characters in man page

2019-12-12 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/965
Author: sumit-bose
 Title: #965: certmap: mention special regex characters in man page
Action: opened

PR body:
"""
Since some of the matching rules use regular expressions, some characters
must be escaped so that they can be used as ordinary characters in the
rules.

Related to https://pagure.io/SSSD/sssd/issue/4127
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/965/head:pr965
git checkout pr965
From 228b21c253a6598c8a95f0cb56e9c6acf8bb8caa Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Thu, 12 Dec 2019 13:10:16 +0100
Subject: [PATCH] certmap: mention special regex characters in man page

Since some of the matching rules use regular expressions, some characters
must be escaped so that they can be used as ordinary characters in the
rules.

Related to https://pagure.io/SSSD/sssd/issue/4127
---
 src/man/sss-certmap.5.xml | 9 +
 1 file changed, 9 insertions(+)

diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml
index db258d14ab..10343625ef 100644
--- a/src/man/sss-certmap.5.xml
+++ b/src/man/sss-certmap.5.xml
@@ -92,6 +92,15 @@
 
 Example: SUBJECT.*,DC=MY,DC=DOMAIN
 
+
+Please note that the characters "^.[$()|*+?{\" have a
+special meaning in regular expressions and must be
+escaped with the help of the '\' character so that they
+are matched as ordinary characters.
+
+
+Example: SUBJECT^CN=.* \(Admin\),DC=MY,DC=DOMAIN$
+
 
 
 
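Review bot: the paragraph added at the end of this hunk lists the characters that need escaping but does not say what goes wrong when they are left unescaped, which is what someone writing a mapping rule needs to know. An unescaped "(Admin)" is a group that matches the text "Admin" without the parentheses, and an unescaped "." matches any character, so the expression is still valid but selects a different set of subjects than intended. Suggest adding one sentence to that effect, plus a short explanation of the "^" and "$" anchors, which appear in the new example but not in the existing "SUBJECT.*,DC=MY,DC=DOMAIN" example above it.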
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
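
The escaping rule from the sss-certmap man page change in PR#965 above, shown as an added example that is not part of the original message or of SSSD's code. It assumes POSIX extended regular expressions via `regcomp()` (the page only says "regular expressions"); `escape_literal`, `rule_matches` and `build_rule` are hypothetical helper names and the subject strings are constructed.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
/* Characters the man page text lists as special in regular expressions. */
static const char SPECIAL[] = "^.[$()|*+?{\\";

/* Backslash-escape every listed character; -1 if `out` is too small. */
int escape_literal(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0) return -1;
    for (; *in != '\0'; in++) {
        if (strchr(SPECIAL, *in) != NULL) {
            if (o + 1 >= outlen) return -1;
            out[o++] = '\\';
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = *in;
    }
    out[o] = '\0';
    return 0;
}

/* 1 = match, 0 = no match, -1 = bad pattern. Assumes POSIX extended syntax. */
int rule_matches(const char *pattern, const char *subject)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Hypothetical helper: "^CN=.* " + escaped literal tail + "$". */
int build_rule(const char *tail, char *out, size_t outlen)
{
    char esc[256];
    if (escape_literal(tail, esc, sizeof(esc)) != 0) return -1;
    int n = snprintf(out, outlen, "^CN=.* %s$", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed subjects, not taken from any real certificate. */
    const char *want = "CN=Alice (Admin),DC=MY,DC=DOMAIN";
    const char *other = "CN=Eve Admin,DC=MY,DC=DOMAIN";
    const char *raw = "^CN=.* (Admin),DC=MY,DC=DOMAIN$";
    char rule[128];
    if (build_rule("(Admin),DC=MY,DC=DOMAIN", rule, sizeof(rule)) != 0) return 1;
    printf("raw: %d %d\n", rule_matches(raw, want), rule_matches(raw, other));
    printf("escaped: %d %d\n", rule_matches(rule, want), rule_matches(rule, other));
    return 0;
}
```

The unescaped rule rejects the intended subject and accepts the one without parentheses; the escaped rule does the opposite.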


[SSSD] [sssd PR#963][+Accepted] Backport recent CI changes to sssd-1-16

2019-12-12 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/963
Title: #963: Backport recent CI changes to sssd-1-16

Label: +Accepted


[SSSD] [sssd PR#964][+Waiting for review] util/watchdog: fixed watchdog implementation

2019-12-12 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/964
Title: #964: util/watchdog: fixed watchdog implementation

Label: +Waiting for review


[SSSD] [sssd PR#963][comment] Backport recent CI changes to sssd-1-16

2019-12-12 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/963
Title: #963: Backport recent CI changes to sssd-1-16

alexey-tikhonov commented:
"""
Hi @mzidek-rh,

I guess this doesn't need explicit review as this is a clean backport?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/963#issuecomment-564979719


[SSSD] [sssd PR#962][+Accepted] nss: use real primary gid if the value is overriden (sssd-1-16)

2019-12-12 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/962
Title: #962: nss: use real primary gid if the value is overriden (sssd-1-16)

Label: +Accepted


[SSSD] [sssd PR#963][comment] Backport recent CI changes to sssd-1-16

2019-12-12 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/963
Title: #963: Backport recent CI changes to sssd-1-16

mzidek-rh commented:
"""
@alexey-tikhonov I think it does not need additional review, I will just add 
the accepted label to not forget to push it.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/963#issuecomment-565003436


[SSSD] [sssd PR#962][comment] nss: use real primary gid if the value is overriden (sssd-1-16)

2019-12-12 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/962
Title: #962: nss: use real primary gid if the value is overriden (sssd-1-16)

mzidek-rh commented:
"""
CI passed. Just adding the accepted label so I do not forget to push it later.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/962#issuecomment-565004008


[SSSD] [sssd PR#964][comment] util/watchdog: fixed watchdog implementation

2019-12-12 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/964
Title: #964: util/watchdog: fixed watchdog implementation

alexey-tikhonov commented:
"""
RHEL7 CI failure is not relevant:
```
==> client: Checking for updates to 'sssd-rhel-7-latest-client'
client: Latest installed version: 20191204.01
client: Version constraints: 
client: Provider: libvirt
There was an error while downloading the metadata for this box.
The error message is shown below:

The requested URL returned error: 404 Not Found
```
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/964#issuecomment-564976771


[SSSD] [sssd PR#964][opened] util/watchdog: fixed watchdog implementation

2019-12-12 Thread alexey-tikhonov
   URL: https://github.com/SSSD/sssd/pull/964
Author: alexey-tikhonov
 Title: #964: util/watchdog: fixed watchdog implementation
Action: opened

PR body:
"""
In case the watchdog detected a locked process and this process was the parent
process, it just sent SIGTERM to the whole group of processes, including
itself.
This handling was wrong: the generic `server_setup()` installs a custom
libtevent handler for the SIGTERM signal, so this signal is only processed
in the context of the tevent mainloop. But if the tevent mainloop is stuck
(exactly the case that triggers WD) then the event is not processed,
and this made the watchdog useless.
`watchdog_handler()` and `watchdog_detect_timeshift()` were amended to do an
unconditional `_exit()` after optionally sending a signal to the group.

Resolves: https://pagure.io/SSSD/sssd/issue/4089
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/964/head:pr964
git checkout pr964
From 28f26a3f74f8008dc769962fd2059b104eb9d6f3 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov 
Date: Wed, 11 Dec 2019 18:42:49 +0100
Subject: [PATCH] util/watchdog: fixed watchdog implementation

In case the watchdog detected a locked process and this process was the parent
process, it just sent SIGTERM to the whole group of processes, including
itself.
This handling was wrong: the generic `server_setup()` installs a custom
libtevent handler for the SIGTERM signal, so this signal is only processed
in the context of the tevent mainloop. But if the tevent mainloop is stuck
(exactly the case that triggers WD) then the event is not processed,
and this made the watchdog useless.
`watchdog_handler()` and `watchdog_detect_timeshift()` were amended to do an
unconditional `_exit()` after optionally sending a signal to the group.

Resolves: https://pagure.io/SSSD/sssd/issue/4089
---
 src/util/util_watchdog.c | 6 ++
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
index a07275b19c..38c2482710 100644
--- a/src/util/util_watchdog.c
+++ b/src/util/util_watchdog.c
@@ -54,9 +54,8 @@ static void watchdog_detect_timeshift(void)
 if (write(watchdog_ctx.pipefd[1], "1", 1) != 1) {
 if (getpid() == getpgrp()) {
 kill(-getpgrp(), SIGTERM);
-} else {
-_exit(1);
 }
+_exit(1);
 }
 }
 }
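Review bot: the now unconditional `_exit(1);` after `kill(-getpgrp(), SIGTERM);` in watchdog_detect_timeshift() has no comment saying why the group leader must not rely on the SIGTERM it just sent to itself. The reason is only in the commit message (the SIGTERM handler runs from the tevent mainloop), so a later cleanup could easily put the else branch back. Suggest a short comment directly above `_exit(1);` stating that.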
@@ -75,9 +74,8 @@ static void watchdog_handler(int sig)
 if (__sync_add_and_fetch(_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) {
 if (getpid() == getpgrp()) {
 kill(-getpgrp(), SIGTERM);
-} else {
-_exit(1);
 }
+_exit(1);
 }
 }
 
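Review bot: watchdog_handler() now carries the same signal-the-group-then-exit sequence as watchdog_detect_timeshift(), so the two copies can drift apart again. Suggest moving it into one small static helper called from both places. It is also worth stating in a comment what is expected of the other processes in the group, since the leader now exits with status 1 immediately after `kill(-getpgrp(), SIGTERM);` and no longer waits for them.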


[SSSD] [sssd PR#964][+branch: sssd-1-16] util/watchdog: fixed watchdog implementation

2019-12-12 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/964
Title: #964: util/watchdog: fixed watchdog implementation

Label: +branch: sssd-1-16


[SSSD] [sssd PR#964][+Accepted] util/watchdog: fixed watchdog implementation

2019-12-12 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/964
Title: #964: util/watchdog: fixed watchdog implementation

Label: +Accepted


[SSSD] [sssd PR#966][opened] ad: add ad_use_ldaps

2019-12-12 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/966
Author: sumit-bose
 Title: #966: ad: add ad_use_ldaps
Action: opened

PR body:
"""
With this new boolean option the AD provider should only use the LDAPS port
636 and the Global Catalog port 3629 which is TLS protected as well.

Related to https://pagure.io/SSSD/sssd/issue/4131
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/966/head:pr966
git checkout pr966
From 3dadb248440f2e7a02c68049001f848459dd1bdf Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Thu, 26 Sep 2019 20:24:34 +0200
Subject: [PATCH 1/4] ad: allow booleans for ad_inherit_opts_if_needed()

Currently ad_inherit_opts_if_needed() can only handle strings. With this
patch it can handle boolean options as well.

Related to https://pagure.io/SSSD/sssd/issue/4131
---
 src/providers/ad/ad_common.c | 23 ---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 5540066d4e..600e3ceb2c 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1479,9 +1479,26 @@ errno_t ad_inherit_opts_if_needed(struct dp_option *parent_opts,
 const char *parent_val = NULL;
 char *dummy = NULL;
 char *option_list[2] = { NULL, NULL };
-
-parent_val = dp_opt_get_cstring(parent_opts, opt_id);
-if (parent_val != NULL) {
+bool is_default = true;
+
+switch (parent_opts[opt_id].type) {
+case DP_OPT_STRING:
+parent_val = dp_opt_get_cstring(parent_opts, opt_id);
+break;
+case DP_OPT_BOOL:
+/* For booleans it is hard to say if the option is set or not since
+ * both possible values are valid ones. So we check if the value is
+ * different from the default and skip if it is the default. In this
+ * case the sub-domain option would either be the default as well or
+ * manully set and in both cases we do not have to change it. */
+is_default = (parent_opts[opt_id].val.boolean
+== parent_opts[opt_id].def_val.boolean);
+break;
+default:
+DEBUG(SSSDBG_TRACE_FUNC, "Unsupported type, skipping.\n");
+}
+
+if (parent_val != NULL || !is_default) {
 ret = confdb_get_string(cdb, NULL, subdom_conf_path,
 parent_opts[opt_id].opt_name, NULL, );
 if (ret != EOK) {
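Review bot: in the DP_OPT_BOOL case parent_val stays NULL, yet `if (parent_val != NULL || !is_default)` now lets that case into the block that follows. Please check that the code after `confdb_get_string()` (outside this hunk) does not use parent_val when it writes the inherited option for a boolean, and converts the boolean value to a string instead. Two smaller points: the `default:` case has no `break;`, and "manully" in the new comment should be "manually".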

From 33c8757087b8649926e53cf494e2a775ad100302 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Thu, 26 Sep 2019 20:27:09 +0200
Subject: [PATCH 2/4] ad: add ad_use_ldaps

With this new boolean option the AD provider should only use the LDAPS
port 636 and the Global Catalog port 3629 which is TLS protected as
well.

Related to https://pagure.io/SSSD/sssd/issue/4131
---
 src/config/SSSDConfig/__init__.py.in  |  1 +
 src/config/cfg_rules.ini  |  1 +
 src/config/etc/sssd.api.d/sssd-ad.conf|  1 +
 src/man/sssd-ad.5.xml | 20 +++
 src/providers/ad/ad_common.c  | 24 +++
 src/providers/ad/ad_common.h  |  8 +++-
 src/providers/ad/ad_init.c|  8 +++-
 src/providers/ad/ad_opts.c|  1 +
 src/providers/ad/ad_srv.c | 16 ---
 src/providers/ad/ad_srv.h |  3 ++-
 src/providers/ad/ad_subdomains.c  | 21 ++--
 src/providers/ipa/ipa_subdomains_server.c |  4 ++--
 12 files changed, 94 insertions(+), 14 deletions(-)

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 92e6141170..6c2a1ce441 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -253,6 +253,7 @@ option_strings = {
 'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),
 'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'),
 'ad_update_samba_machine_account_password' : _('Whether to update the machine account password in the Samba database'),
+'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'),
 
 # [provider/krb5]
 'krb5_kdcip' : _('Kerberos server address'),
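Review bot: the description added for 'ad_use_ldaps' speaks of a single "LDAPS port", while the commit message for this patch names two ports and gives the second as 3629, where Global Catalog over TLS uses 3269. Please check that the sssd-ad.5.xml text listed in the diffstat uses 3269, correct the commit message, and consider rewording the description so it is clear that both the LDAP and the Global Catalog connections switch to their TLS ports.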
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index f7c1d4ce2c..478ca9eb43 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -465,6 +465,7 @@ option = ad_maximum_machine_account_password_age
 option = ad_server
 option = ad_site
 option = ad_update_samba_machine_account_password
+option = ad_use_ldaps
 
 # IPA provider specific options
 option = ipa_anchor_uuid
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 33f040c8e6..51cdad536e 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -21,6 +21,7 @@ ad_site = str, None, false
 

[SSSD] [sssd PR#964][-Waiting for review] util/watchdog: fixed watchdog implementation

2019-12-12 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/964
Title: #964: util/watchdog: fixed watchdog implementation

Label: -Waiting for review


[SSSD] [sssd PR#958][comment] ldap_child: do not try PKINIT

2019-12-12 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/958
Title: #958: ldap_child: do not try PKINIT

alexey-tikhonov commented:
"""
Hi @sumit-bose,

Patch LGTM, I have only one really minor nitpick. Covscan is clean. Results of 
manual verification are as expected.

If you prefer to not address my nitpick, please let me know and I will mark PR 
accepted as is.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/958#issuecomment-565199767


[SSSD] [sssd PR#958][-Waiting for review] ldap_child: do not try PKINIT

2019-12-12 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/958
Title: #958: ldap_child: do not try PKINIT

Label: -Waiting for review