[SSSD] [sssd PR#965][opened] certmap: mention special regex characters in man page
URL: https://github.com/SSSD/sssd/pull/965 Author: sumit-bose Title: #965: certmap: mention special regex characters in man page Action: opened PR body: """ Since some of the matching rules use regular expressions some characters must be escaped so that they can be used a ordinary characters in the rules. Related to https://pagure.io/SSSD/sssd/issue/4127 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/965/head:pr965 git checkout pr965 From 228b21c253a6598c8a95f0cb56e9c6acf8bb8caa Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 12 Dec 2019 13:10:16 +0100 Subject: [PATCH] certmap: mention special regex characters in man page Since some of the matching rules use regular expressions some characters must be escaped so that they can be used a ordinary characters in the rules. Related to https://pagure.io/SSSD/sssd/issue/4127 --- src/man/sss-certmap.5.xml | 9 + 1 file changed, 9 insertions(+) diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml index db258d14ab..10343625ef 100644 --- a/src/man/sss-certmap.5.xml +++ b/src/man/sss-certmap.5.xml @@ -92,6 +92,15 @@ Example: SUBJECT.*,DC=MY,DC=DOMAIN + +Please note that the characters "^.[$()|*+?{\" have a +special meaning in regular expressions and must be +escaped with the help of the '\' character so that they +are matched as ordinary characters. + + +Example: SUBJECT^CN=.* \(Admin\),DC=MY,DC=DOMAIN$ + ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
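Review bot: the new example in sss-certmap.5.xml uses `^` and `$` as anchors and `\(Admin\)` as escaped literals in a single rule, but the added paragraph only covers escaping and never says what an unescaped character does to the match. Suggest adding a sentence stating that an unescaped metacharacter such as '.' or '(' keeps its regex meaning, so a rule can match certificates other than the intended one, and that `^` and `$` in the example anchor the match to the whole value. Since the commit message says only some matching rules use regular expressions, naming those rule components in the paragraph would tell the reader where the escaping applies.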
[SSSD] [sssd PR#963][+Accepted] Backport recent CI changes to sssd-1-16
URL: https://github.com/SSSD/sssd/pull/963 Title: #963: Backport recent CI changes to sssd-1-16 Label: +Accepted
[SSSD] [sssd PR#964][+Waiting for review] util/watchdog: fixed watchdog implementation
URL: https://github.com/SSSD/sssd/pull/964 Title: #964: util/watchdog: fixed watchdog implementation Label: +Waiting for review
[SSSD] [sssd PR#963][comment] Backport recent CI changes to sssd-1-16
URL: https://github.com/SSSD/sssd/pull/963 Title: #963: Backport recent CI changes to sssd-1-16 alexey-tikhonov commented: """ Hi @mzidek-rh, I guess this doesn't need explicit review as this is clean backport? """ See the full comment at https://github.com/SSSD/sssd/pull/963#issuecomment-564979719
[SSSD] [sssd PR#962][+Accepted] nss: use real primary gid if the value is overriden (sssd-1-16)
URL: https://github.com/SSSD/sssd/pull/962 Title: #962: nss: use real primary gid if the value is overriden (sssd-1-16) Label: +Accepted
[SSSD] [sssd PR#963][comment] Backport recent CI changes to sssd-1-16
URL: https://github.com/SSSD/sssd/pull/963 Title: #963: Backport recent CI changes to sssd-1-16 mzidek-rh commented: """ @alexey-tikhonov I think it does not need additional review, I will just add accepted label to not forget to push it. """ See the full comment at https://github.com/SSSD/sssd/pull/963#issuecomment-565003436
[SSSD] [sssd PR#962][comment] nss: use real primary gid if the value is overriden (sssd-1-16)
URL: https://github.com/SSSD/sssd/pull/962 Title: #962: nss: use real primary gid if the value is overriden (sssd-1-16) mzidek-rh commented: """ CI passed. Just adding accepted label so I do not forget to push it later. """ See the full comment at https://github.com/SSSD/sssd/pull/962#issuecomment-565004008
[SSSD] [sssd PR#964][comment] util/watchdog: fixed watchdog implementation
URL: https://github.com/SSSD/sssd/pull/964 Title: #964: util/watchdog: fixed watchdog implementation alexey-tikhonov commented: """ RHEL7 CI fail is not relevant: ``` ==> client: Checking for updates to 'sssd-rhel-7-latest-client' client: Latest installed version: 20191204.01 client: Version constraints: client: Provider: libvirt There was an error while downloading the metadata for this box. The error message is shown below: The requested URL returned error: 404 Not Found ``` """ See the full comment at https://github.com/SSSD/sssd/pull/964#issuecomment-564976771
[SSSD] [sssd PR#964][opened] util/watchdog: fixed watchdog implementation
URL: https://github.com/SSSD/sssd/pull/964 Author: alexey-tikhonov Title: #964: util/watchdog: fixed watchdog implementation Action: opened PR body: """ In case watchdog detected locked process and this process was parent process it just sent SIGTERM to the whole group of processes, including itself. This handling was wrong: generic `server_setup()` installs custom libtevent handler for SIGTERM signal so this signal is only processed in the context of tevent mainloop. But if tevent mainloop is stuck (exactly the case that triggers WD) then event is not processed and this made watchdog useless. `watchdog_handler()` and `watchdog_detect_timeshift()` were amended to do unconditional `_exit()` after optionally sending a signal to the group. Resolves: https://pagure.io/SSSD/sssd/issue/4089 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/964/head:pr964 git checkout pr964 From 28f26a3f74f8008dc769962fd2059b104eb9d6f3 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Wed, 11 Dec 2019 18:42:49 +0100 Subject: [PATCH] util/watchdog: fixed watchdog implementation In case watchdog detected locked process and this process was parent process it just sent SIGTERM to the whole group of processes, including itself. This handling was wrong: generic `server_setup()` installs custom libtevent handler for SIGTERM signal so this signal is only processed in the context of tevent mainloop. But if tevent mainloop is stuck (exactly the case that triggers WD) then event is not processed and this made watchdog useless. `watchdog_handler()` and `watchdog_detect_timeshift()` were amended to do unconditional `_exit()` after optionally sending a signal to the group. Resolves: https://pagure.io/SSSD/sssd/issue/4089 --- src/util/util_watchdog.c | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c index a07275b19c..38c2482710 100644 --- a/src/util/util_watchdog.c 
+++ b/src/util/util_watchdog.c @@ -54,9 +54,8 @@ static void watchdog_detect_timeshift(void) if (write(watchdog_ctx.pipefd[1], "1", 1) != 1) { if (getpid() == getpgrp()) { kill(-getpgrp(), SIGTERM); -} else { -_exit(1); } +_exit(1); } } } @@ -75,9 +74,8 @@ static void watchdog_handler(int sig) if (__sync_add_and_fetch(_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) { if (getpid() == getpgrp()) { kill(-getpgrp(), SIGTERM); -} else { -_exit(1); } +_exit(1); } } ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
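Review bot: in the watchdog_detect_timeshift() hunk, every result of write() other than 1 now ends in `_exit(1)` for the process group leader too, where the leader previously only sent SIGTERM. Worth confirming that a transient failure on the pipe (EINTR, for example) cannot reach this branch, or retrying on it before giving up, since the exit is now unconditional.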
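Review bot: in the watchdog_handler() hunk, `kill(-getpgrp(), SIGTERM);` followed directly by `_exit(1);` reads as redundant without the reasoning given in the commit message. Suggest a short comment above `_exit(1)` saying that SIGTERM is handled through the tevent main loop and is never processed while that loop is stuck, so the process has to terminate itself.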
[SSSD] [sssd PR#964][+branch: sssd-1-16] util/watchdog: fixed watchdog implementation
URL: https://github.com/SSSD/sssd/pull/964 Title: #964: util/watchdog: fixed watchdog implementation Label: +branch: sssd-1-16
[SSSD] [sssd PR#964][+Accepted] util/watchdog: fixed watchdog implementation
URL: https://github.com/SSSD/sssd/pull/964 Title: #964: util/watchdog: fixed watchdog implementation Label: +Accepted
[SSSD] [sssd PR#966][opened] ad: add ad_use_ldaps
URL: https://github.com/SSSD/sssd/pull/966 Author: sumit-bose Title: #966: ad: add ad_use_ldaps Action: opened PR body: """ With this new boolean option the AD provider should only use the LDAPS port 636 and the Global Catalog port 3629 which is TLS protected as well. Related to https://pagure.io/SSSD/sssd/issue/4131 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/966/head:pr966 git checkout pr966 From 3dadb248440f2e7a02c68049001f848459dd1bdf Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 26 Sep 2019 20:24:34 +0200 Subject: [PATCH 1/4] ad: allow booleans for ad_inherit_opts_if_needed() Currently ad_inherit_opts_if_needed() can only handle strings. With this patch it can handle boolean options as well. Related to https://pagure.io/SSSD/sssd/issue/4131 --- src/providers/ad/ad_common.c | 23 --- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c index 5540066d4e..600e3ceb2c 100644 --- a/src/providers/ad/ad_common.c +++ b/src/providers/ad/ad_common.c 
@@ -1479,9 +1479,26 @@ errno_t ad_inherit_opts_if_needed(struct dp_option *parent_opts, const char *parent_val = NULL; char *dummy = NULL; char *option_list[2] = { NULL, NULL }; - -parent_val = dp_opt_get_cstring(parent_opts, opt_id); -if (parent_val != NULL) { +bool is_default = true; + +switch (parent_opts[opt_id].type) { +case DP_OPT_STRING: +parent_val = dp_opt_get_cstring(parent_opts, opt_id); +break; +case DP_OPT_BOOL: +/* For booleans it is hard to say if the option is set or not since + * both possible values are valid ones. So we check if the value is + * different from the default and skip if it is the default. In this + * case the sub-domain option would either be the default as well or + * manully set and in both cases we do not have to change it. */ +is_default = (parent_opts[opt_id].val.boolean +== parent_opts[opt_id].def_val.boolean); +break; +default: +DEBUG(SSSDBG_TRACE_FUNC, "Unsupported type, skipping.\n"); +} + +if (parent_val != NULL || !is_default) { ret = confdb_get_string(cdb, NULL, subdom_conf_path, parent_opts[opt_id].opt_name, NULL, ); if (ret != EOK) { From 33c8757087b8649926e53cf494e2a775ad100302 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 26 Sep 2019 20:27:09 +0200 Subject: [PATCH 2/4] ad: add ad_use_ldaps With this new boolean option the AD provider should only use the LDAPS port 636 and the Global Catalog port 3629 which is TLS protected as well. Related to https://pagure.io/SSSD/sssd/issue/4131 --- src/config/SSSDConfig/__init__.py.in | 1 + src/config/cfg_rules.ini | 1 + src/config/etc/sssd.api.d/sssd-ad.conf| 1 + src/man/sssd-ad.5.xml | 20 +++ src/providers/ad/ad_common.c | 24 +++ src/providers/ad/ad_common.h | 8 +++- src/providers/ad/ad_init.c| 8 +++- src/providers/ad/ad_opts.c| 1 + src/providers/ad/ad_srv.c | 16 --- src/providers/ad/ad_srv.h | 3 ++- src/providers/ad/ad_subdomains.c | 21 ++-- src/providers/ipa/ipa_subdomains_server.c | 4 ++-- 12 files changed, 94 insertions(+), 14 deletions(-) 
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 92e6141170..6c2a1ce441 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -253,6 +253,7 @@ option_strings = { 'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'), 'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'), 'ad_update_samba_machine_account_password' : _('Whether to update the machine account password in the Samba database'), +'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'), # [provider/krb5] 'krb5_kdcip' : _('Kerberos server address'), diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index f7c1d4ce2c..478ca9eb43 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -465,6 +465,7 @@ option = ad_maximum_machine_account_password_age option = ad_server option = ad_site option = ad_update_samba_machine_account_password +option = ad_use_ldaps # IPA provider specific options option = ipa_anchor_uuid diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf index 33f040c8e6..51cdad536e 100644 --- a/src/config/etc/sssd.api.d/sssd-ad.conf +++ b/src/config/etc/sssd.api.d/sssd-ad.conf @@ -21,6 +21,7 @@ ad_site = str, None, false
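Review bot: in the ad_inherit_opts_if_needed() hunk of patch 1/4, the `default:` branch has no `break;` and its message "Unsupported type, skipping." names neither the option nor the type, which makes the trace line hard to act on. Suggest logging parent_opts[opt_id].opt_name together with the type value and ending the case with `break;`. The new comment in the DP_OPT_BOOL case also has a typo, "manully" for "manually".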
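Review bot: the commit message of patch 2/4 gives the TLS-protected Global Catalog port as 3629; Global Catalog over TLS listens on 3269, so the message, the sssd-ad.5.xml text listed in the diffstat and the port used in the code should be checked against each other. In the __init__.py.in hunk, the description 'Use LDAPS port for LDAP and Global Catalog requests' also drops the "only" from the commit message; wording along the lines of "Use only the LDAPS and TLS-protected Global Catalog ports" would make clear that the plain ports are no longer contacted.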
[SSSD] [sssd PR#964][-Waiting for review] util/watchdog: fixed watchdog implementation
URL: https://github.com/SSSD/sssd/pull/964 Title: #964: util/watchdog: fixed watchdog implementation Label: -Waiting for review
[SSSD] [sssd PR#958][comment] ldap_child: do not try PKINIT
URL: https://github.com/SSSD/sssd/pull/958 Title: #958: ldap_child: do not try PKINIT alexey-tikhonov commented: """ Hi @sumit-bose, Patch LGTM, I have only one really minor nitpick. Covscan is clean. Results of manual verification are as expected. If you prefer to not address my nitpick, please let me know and I will mark PR accepted as is. """ See the full comment at https://github.com/SSSD/sssd/pull/958#issuecomment-565199767
[SSSD] [sssd PR#958][-Waiting for review] ldap_child: do not try PKINIT
URL: https://github.com/SSSD/sssd/pull/958 Title: #958: ldap_child: do not try PKINIT Label: -Waiting for review