[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-09-14 Thread Lukas Slebodnik
On (06/09/16 13:15), Petr Cech wrote:
>On 09/05/2016 02:31 PM, Fabiano Fidêncio wrote:
>> On Mon, Sep 5, 2016 at 11:59 AM, Fabiano Fidêncio wrote:
>> > Petr,
>> > 
>> > I went through your patches and in general they look good to me.
>> > However, I haven't done any tests yet with your patches (and I'll do
>> > it after lunch).
>> 
>> I've done some tests and I've been able to see the ldif changes in the
>> domain log. So, I assume it's working.
>> For sure it's a good improvement! It would be worth linking some
>> documentation about ldif as it may be confusing for someone who is
>> not used to it.
>> 
>> I'll wait for a new version of the patches and go through them again.
>> 
>> I really would like to have someone else's opinion on this series.
>> 
>> > 
>> > Please, below you can see a few comments. Feel completely free to
>> > ignore the first one if you feel like doing it, it's just a minor one :-)
>> > For the other comments, I'd like to understand a few changes you have done.
>> > 
>> > 
>> > Patch 0001: SYSDB: Adding message to inform which cache is used
>> > 
>> > About the following part of the patch:
>> > +static const char *get_attr_storage(int state_mask)
>> > +{
>> > +const char *storage = "";
>> > +
>> > +if (state_mask == SSS_SYSDB_BOTH_CACHE ) {
>> > +storage = "cache, ts_cache";
>> > +} else if (state_mask == SSS_SYSDB_TS_CACHE) {
>> > +storage = "ts_cache";
>> > +} else if (state_mask == SSS_SYSDB_CACHE) {
>> > +storage = "cache";
>> > +}
>> > +
>> > +return storage;
>> > +}
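
Review bot: get_attr_storage() has no final else, so a state_mask that equals none of the three constants falls through and returns the empty string from the initialiser, and the resulting log line gives no hint that the value was unexpected. Initialise storage to an explicit label such as "unknown" (or add a closing else that sets one) so an unmatched mask is visible in the debug output.
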
>> > 
>> > I personally don't like this kind of comparison done with flags. I'd
>> > go for something like: if ((state_mask & SSS_SYSDB_BOTH_CACHE) != 0)
>> > ...
>> > But this is really minor, so feel free to ignore it.
>> > 
>> > 
>> > Patch 0002: SYSDB: Adding message about reason why cache changed
>> > 
>> > LGTM
>> > 
>> > 
>> > Patch 0003: SYSDB: Adding wrappers for ldb_* operations
>> > 
>> > About the following parts of the patch:
>> > 
>> > On src/db/sysdb_ldb_wrapper.c
>> > 
>> > +#define ERR_FN_ENOMEM (-1 * ENOMEM)
>> > +#define ERR_FN_ENOENT (-1 * ENOENT)
>> > 
>> > Why? I failed to understand why you're doing this here.
>> > 
>> > +if (print_ctx == NULL) {
>> > +return -1;
>> > +return ERR_FN_ENOMEM;
>> > +}
>> > 
>> > I guess the return -1 is a leftover :-)
>> > 
>> > +if (print_ctx->ldif == NULL) {
>> > +return -2;
>> > +return ERR_FN_ENOENT;
>> > +}
>> > 
>> > I guess the return -2 is also a leftover :-)
>> > 
>> > +if (ret < 0) {
>> > +DEBUG(SSSDBG_MINOR_FAILURE, "ldb_ldif_write() failed with 
>> > [%d][%s].\n",
>> > +-1 * ret, sss_strerror(-1 * ret));
>> > +goto done;
>> > +}
>> > 
>> > And here again is this dance of multiplying by -1, for which I don't
>> > understand the reason :-\
>> > 
>> > +done:
>> > +if (ldb_print_ctx != NULL && ldb_print_ctx->ldif != NULL) {
>> > +talloc_free(ldb_print_ctx->ldif);
>> > +}
>> > +talloc_free(ldb_print_ctx);
>> > 
>> > AFAIU talloc_free can gracefully handle NULL. Considering that's the
>> > case I'd just check for (if ldb_print_ctx != NULL)
>> > talloc_free(ldb_print_ctx->ldif);
>> > Considering it doesn't, we may have some issues on trying to free
>> > (ldb_print_ctx)
>> > 
>> > On src/db/sysdb_ldb_wrapper.h:
>> > 
>> > +int sss_ldb_rename(struct ldb_context *ldb,
>> > +   struct ldb_dn * olddn,
>> > +   struct ldb_dn *newdn);
>> > 
>> > Just a really minor coding style change here, remove the extra space
>> > between * and olddn: struct ldb_dn * olddn,  ->  struct ldb_dn *olddn,
>> > 
>> > 
>> > Patch0004: SYSDB: ldb_add --> sss_ldb_add in sysdb
>> > Patch0005: SYSDB: ldb_delete --> sss_ldb_delete in sysdb
>> > Patch0006: SYSDB: ldb_modify --> sss_ldb_modify in sysdb
>> > Patch0007: SYSDB: ldb_rename --> sss_ldb_rename in sysdb
>> > 
>> > LGTM
>> > 
>> > 
>> > Best Regards,
>> > --
>> > Fabiano Fidêncio
>
>Hello,
>
>
>there is a new patch set attached.
>I replaced all ldb_* with the new wrapper in the whole code.
>
>Regards
>
>-- 
>Petr^4 Čech

>From 529b0d3009f8310b8257d5a69639a0fafa30140c Mon Sep 17 00:00:00 2001
>From: Petr Cech 
>Date: Tue, 16 Aug 2016 09:32:18 +0200
>Subject: [PATCH 1/7] SYSDB: Adding message to inform which cache is used
>
>Resolves:
>https://fedorahosted.org/sssd/ticket/3060
>---
> src/db/sysdb_ops.c | 32 
> 1 file changed, 32 insertions(+)
>
>diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
>index 
>5d9c9fb24a149f8215b3027dcb4b0e1a183e4b43..847b663bdb2ec31de3eb3b4c33e2b942145a4c42
> 100644
>--- a/src/db/sysdb_ops.c
>+++ b/src/db/sysdb_ops.c
>@@ -27,6 +27,12 @@
> #include "util/cert.h"
> #include 
> 
>+
>+#define SSS_SYSDB_NO_CACHE 0x0
>+#define SSS_SYSDB_CACHE 0x1
>+#define SSS_SYSDB_TS_CACHE 0x2
>+#define SSS_SYSDB_BOTH_CACHE (SSS_SYSDB_CACHE | 
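
Review bot: SSS_SYSDB_NO_CACHE is defined as 0x0 next to the bit values 0x1 and 0x2, so it can never be detected with a bitwise AND, and SSS_SYSDB_BOTH_CACHE is a composite of two bits, so a masked test against it has to compare the result with the mask itself rather than with 0. A short comment above this #define group stating that these are bit flags and how NO_CACHE and BOTH_CACHE are meant to be tested would prevent misuse. The bare "+" line also leaves two consecutive blank lines after the #include block; one is enough.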

[SSSD] [sssd PR#26] KRB5: Fixing FQ name of user in krb5_setup() (comment)

2016-09-14 Thread jhrozek
jhrozek commented on a pull request

"""
Why not do it the other way around and qualify all names in the mapping? That 
needs to be done only once unlike this approach that needs to unqualify the 
names every time they are used.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/26#issuecomment-247009644
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org


[SSSD] [sssd PR#26] KRB5: Fixing FQ name of user in krb5_setup() (+Changes requested)

2016-09-14 Thread jhrozek
celestian's pull request #26: "KRB5: Fixing FQ name of user in krb5_setup()" 
label *Changes requested* has been added

See the full pull-request at https://github.com/SSSD/sssd/pull/26


[SSSD] [sssd PR#26] KRB5: Fixing FQ name of user in krb5_setup() (opened)

2016-09-14 Thread celestian
celestian's pull request #26: "KRB5: Fixing FQ name of user in krb5_setup()" 
was opened

PR body:
"""
This patch fixes creation of FQ username if krb5_map_user option
is used.

Resolves:
https://fedorahosted.org/sssd/ticket/3188
"""

See the full pull-request at https://github.com/SSSD/sssd/pull/26
... or pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/26/head:pr26
git checkout pr26
From df941b967a035b0e9a653f11388f477d726446dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Wed, 14 Sep 2016 09:00:06 -0400
Subject: [PATCH] KRB5: Fixing FQ name of user in krb5_setup()

This patch fixes creation of FQ username if krb5_map_user option
is used.

Resolves:
https://fedorahosted.org/sssd/ticket/3188
---
 src/providers/krb5/krb5_auth.c | 18 +++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f0f2280..38dacd1 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -182,6 +182,7 @@ errno_t krb5_setup(TALLOC_CTX *mem_ctx,
 {
 struct krb5child_req *kr;
 const char *mapped_name;
+char *short_user_name;
 TALLOC_CTX *tmp_ctx;
 errno_t ret;
 
@@ -202,11 +203,22 @@ errno_t krb5_setup(TALLOC_CTX *mem_ctx,
 kr->pd = pd;
 kr->krb5_ctx = krb5_ctx;
 
-ret = get_krb_primary(krb5_ctx->name_to_primary,
-  pd->user, dom->case_sensitive, _name);
+/* The internal username is qualified, but we are only interested in
+ * the name part in get_krb_primary()
+ */
+ret = sss_parse_internal_fqname(tmp_ctx, pd->user, _user_name, NULL);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE,
+  "Could not parse [%s] into name and "
+  "domain components, login might fail\n", pd->user);
+short_user_name = talloc_strdup(tmp_ctx, pd->user);
+}
+
+ret = get_krb_primary(krb5_ctx->name_to_primary, short_user_name,
+  dom->case_sensitive, _name);
 if (ret == EOK) {
 DEBUG(SSSDBG_TRACE_FUNC, "Setting mapped name to: %s\n", mapped_name);
-kr->user = mapped_name;
+kr->user = sss_create_internal_fqname(kr, mapped_name, dom->name);
 kr->kuserok_user = mapped_name;
 } else if (ret == ENOENT) {
 DEBUG(SSSDBG_TRACE_ALL, "No mapping for: %s\n", pd->user);
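
Review bot: two allocations in this hunk are used without a NULL check. In the "ret != EOK" branch, the fallback "short_user_name = talloc_strdup(tmp_ctx, pd->user);" is passed straight to get_krb_primary(), and further down "kr->user = sss_create_internal_fqname(kr, mapped_name, dom->name);" is stored as is. Either call can fail on memory exhaustion, so each should be followed by a NULL check that sets ret to ENOMEM and leaves through the function's existing error path. Note also that kr->kuserok_user still receives the unqualified mapped_name while kr->user becomes fully qualified; if that difference is intended, a one-line comment next to the two assignments would make it clear.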


[SSSD] [sssd PR#25] TESTS: Add integration tests for the proxy provider of sssd-secrets (comment)

2016-09-14 Thread jhrozek
jhrozek commented on a pull request

"""
btw here are CI tests on all supported systems: 
http://sssd-ci.duckdns.org/logs/job/53/41/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/25#issuecomment-246998696


[SSSD] Re: [PATCH] PROXY: Adding proxy_max_children option

2016-09-14 Thread Lukas Slebodnik
On (13/09/16 17:57), Petr Cech wrote:
>On 09/13/2016 04:27 PM, Lukas Slebodnik wrote:
>> On (13/09/16 16:24), Lukas Slebodnik wrote:
>> > On (13/09/16 14:11), Fabiano Fidêncio wrote:
>> > > On Mon, Sep 12, 2016 at 9:40 AM, Petr Cech wrote:
>> > > > Bump.
>> > > > 
>> > > > 
>> > > > --
>> > > > Petr^4 Čech
>> > > > ___
>> > > > sssd-devel mailing list
>> > > > sssd-devel@lists.fedorahosted.org
>> > > > https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
>> > > 
>> > > Patch looks good and all the requested changes were done.
>> > > I haven't done any tests with the patch, but the changes themselves
>> > > look good to me.
>> > > 
>> > master:
>> > * aef0171e0bdc9a683958d69c7ee984fb10cd5de7
>> > 
>> > http://sssd-ci.duckdns.org/logs/job/53/30/summary.html
>> > 
>> Could you also prepare patch for 1.13 branch?
>
>Yes, see attachment, please.
>
sssd-1-13:
* 90c62a1b4bac450712bc5a194b793761329a1d3a

LS


[SSSD] [sssd PR#20] sss_override fails to export (closed)

2016-09-14 Thread jhrozek
mzidek-rh's pull request #20: "sss_override fails to export" was closed

See the full pull-request at https://github.com/SSSD/sssd/pull/20
... or pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/20/head:pr20
git checkout pr20


[SSSD] [sssd PR#11] SECRETS: Don't remove a container when it has children (+Accepted)

2016-09-14 Thread jhrozek
fidencio's pull request #11: "SECRETS: Don't remove a container when it has 
children" label *Accepted* has been added

See the full pull-request at https://github.com/SSSD/sssd/pull/11
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org


[SSSD] [sssd PR#11] SECRETS: Don't remove a container when it has children (comment)

2016-09-14 Thread jhrozek
jhrozek commented on a pull request

"""
The first patch was already pushed.

The second looks good to me visually and I wrote a simple patch to verify the 
fix:
https://github.com/jhrozek/sssd/commit/374eff89472a3181548495ed74deadaa690e921e
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/11#issuecomment-246967824


[SSSD] [sssd PR#20] sss_override fails to export (+Pushed)

2016-09-14 Thread pbrezina
mzidek-rh's pull request #20: "sss_override fails to export" label *Pushed* has 
been added

See the full pull-request at https://github.com/SSSD/sssd/pull/20


[SSSD] [sssd PR#20] sss_override fails to export (-Changes requested)

2016-09-14 Thread pbrezina
mzidek-rh's pull request #20: "sss_override fails to export" label *Changes 
requested* has been removed

See the full pull-request at https://github.com/SSSD/sssd/pull/20


[SSSD] [sssd PR#25] TESTS: Add integration tests for the proxy provider of sssd-secrets (opened)

2016-09-14 Thread jhrozek
jhrozek's pull request #25: "TESTS: Add integration tests for the proxy 
provider of sssd-secrets" was opened

PR body:
"""
Exercises the basic operations of the sssd-secrets responder and can be
used as a basis to add more tests.
"""

See the full pull-request at https://github.com/SSSD/sssd/pull/25
... or pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/25/head:pr25
git checkout pr25
From 5be3820f25b0eb30f3bd63538a3900cf51f7ae21 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Mon, 8 Aug 2016 17:49:05 +0200
Subject: [PATCH] TESTS: Add integration tests for the sssd-secrets local
 provider

Resolves:
https://fedorahosted.org/sssd/ticket/3054

Implements a simple HTTP client and uses it to talk to the sssd-secrets
responder. Only the local provider is tested at the moment.
---
 contrib/ci/deps.sh |   2 +
 src/tests/intg/Makefile.am |   5 ++
 src/tests/intg/config.py.m4|   3 +
 src/tests/intg/secrets.py  | 141 
 src/tests/intg/test_secrets.py | 142 +
 5 files changed, 293 insertions(+)
 create mode 100644 src/tests/intg/secrets.py
 create mode 100644 src/tests/intg/test_secrets.py

diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh
index 1a94e3d..9a7098c 100644
--- a/contrib/ci/deps.sh
+++ b/contrib/ci/deps.sh
@@ -45,6 +45,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
 pyldb
 rpm-build
 uid_wrapper
+python-requests
 )
 _DEPS_LIST_SPEC=`
 sed -e 's/@PACKAGE_VERSION@/0/g' \
@@ -114,6 +115,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
 python-pytest
 python-ldap
 python-ldb
+python-requests
 ldap-utils
 slapd
 systemtap-sdt-dev
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 75422a4..1e08ead 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -16,6 +16,8 @@ dist_noinst_DATA = \
 test_memory_cache.py \
 test_ts_cache.py \
 test_netgroup.py \
+secrets.py \
+test_secrets.py \
 $(NULL)
 
 config.py: config.py.m4
@@ -25,6 +27,9 @@ config.py: config.py.m4
 	   -D "pidpath=\`$(pidpath)'" \
 	   -D "logpath=\`$(logpath)'" \
 	   -D "mcpath=\`$(mcpath)'" \
+	   -D "secdbpath=\`$(secdbpath)'" \
+	   -D "libexecpath=\`$(libexecdir)'" \
+	   -D "runstatedir=\`$(runstatedir)'" \
 	   $< > $@
 
 root:
diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4
index 77aa47b..65e17e5 100644
--- a/src/tests/intg/config.py.m4
+++ b/src/tests/intg/config.py.m4
@@ -12,3 +12,6 @@ PID_PATH= "pidpath"
 PIDFILE_PATH= PID_PATH + "/sssd.pid"
 LOG_PATH= "logpath"
 MCACHE_PATH = "mcpath"
+SECDB_PATH  = "secdbpath"
+LIBEXEC_PATH= "libexecpath"
+RUNSTATEDIR = "runstatedir"
diff --git a/src/tests/intg/secrets.py b/src/tests/intg/secrets.py
new file mode 100644
index 000..f4ebbe0
--- /dev/null
+++ b/src/tests/intg/secrets.py
@@ -0,0 +1,141 @@
+#
+# Secrets responder test client
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+#
+
+import logging
+import socket
+import requests
+
+from requests.adapters import HTTPAdapter
+from requests.packages.urllib3.connection import HTTPConnection
+from requests.packages.urllib3.connectionpool import HTTPConnectionPool
+from requests.compat import quote, unquote, urlparse
+
+logger = logging.getLogger(__name__)
+
+
+class HTTPUnixConnection(HTTPConnection):
+def __init__(self, host, timeout=60, **kwargs):
+# pylint: disable=bad-super-call
+super(HTTPConnection, self).__init__('localhost')
+self.unix_socket = host
+self.timeout = timeout
+
+def connect(self):
+s = socket.socket(family=socket.AF_UNIX)
+s.settimeout(self.timeout)
+s.connect(self.unix_socket)
+self.sock = s
+
+
+class HTTPUnixConnectionPool(HTTPConnectionPool):
+scheme = 'http+unix'
+ConnectionCls = HTTPUnixConnection
+
+
+class HTTPUnixAdapter(HTTPAdapter):
+def get_connection(self, url, proxies=None):
+# proxies, silently ignored
+path = unquote(urlparse(url).netloc)
+return HTTPUnixConnectionPool(path)
+
+
+class SecretsHttpClient(object):
+secrets_sock_path = '/var/run/secrets.socket'
+secrets_container = 'secrets'
+
+   
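
Review bot: "secrets_sock_path = '/var/run/secrets.socket'" is hard-coded as the class default in SecretsHttpClient even though this same patch adds RUNSTATEDIR to config.py.m4; a client used by the integration tests should derive its default socket path from that configured value so it cannot reach outside the test prefix. In HTTPUnixConnection.connect(), the socket s is only stored in self.sock after a successful s.connect(self.unix_socket), so it is left open if the connect raises; close it in an except block before re-raising. HTTPUnixConnection.__init__ also accepts **kwargs and drops them silently, which deserves the same kind of comment that get_connection() has for proxies.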

[SSSD] [sssd PR#24] MAN: Add a manpage for the sssd-secrets responder (opened)

2016-09-14 Thread jhrozek
jhrozek's pull request #24: "MAN: Add a manpage for the sssd-secrets responder" 
was opened

PR body:
"""
The manpage lists the options and adds API examples.
"""

See the full pull-request at https://github.com/SSSD/sssd/pull/24
... or pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/24/head:pr24
git checkout pr24
From a4440e685c21e1882217f4b624f20df079b88238 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Mon, 8 Aug 2016 17:48:51 +0200
Subject: [PATCH] MAN: sssd-secrets documentation

Resolves:
https://fedorahosted.org/sssd/ticket/3053

Documents the API and the purpose of the sssd-secrets responder.
---
 contrib/sssd.spec.in |   1 +
 src/man/Makefile.am  |   9 +-
 src/man/po/po4a.cfg  |   1 +
 src/man/sssd-secrets.5.xml   | 420 +++
 src/sysv/systemd/sssd-secrets.service.in |   1 +
 src/sysv/systemd/sssd-secrets.socket.in  |   1 +
 6 files changed, 432 insertions(+), 1 deletion(-)
 create mode 100644 src/man/sssd-secrets.5.xml

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 1f79ca7..a4daaf9 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -818,6 +818,7 @@ done
 %{_mandir}/man5/sssd.conf.5*
 %{_mandir}/man5/sssd-simple.5*
 %{_mandir}/man5/sssd-sudo.5*
+%{_mandir}/man5/sssd-secrets.5*
 %{_mandir}/man5/sss_rpcidmapd.5*
 %{_mandir}/man8/sssd.8*
 %{_mandir}/man8/sss_cache.8*
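
Review bot: "%{_mandir}/man5/sssd-secrets.5*" is added to the file list unconditionally, while src/man/Makefile.am in this same patch installs sssd-secrets.5 only under "if BUILD_SECRETS". If the package can be configured without the secrets responder, the RPM build will stop on a listed file that was never installed, so either guard this entry with the matching spec conditional or confirm that the spec always builds with secrets enabled.
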
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index cd23b02..5e41d3a 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -24,12 +24,15 @@ endif
 if BUILD_IFP
 IFP_CONDS = ;with_ifp
 endif
+if BUILD_SECRETS
+SEC_CONDS = ;with_secrets
+endif
 if GPO_DEFAULT_ENFORCING
 GPO_CONDS = ;gpo_default_enforcing
 else
 GPO_CONDS = ;gpo_default_permissive
 endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)
 
 
 #Special Rules:
@@ -70,6 +73,10 @@ if BUILD_IFP
 man_MANS += sssd-ifp.5
 endif
 
+if BUILD_SECRETS
+man_MANS += sssd-secrets.5
+endif
+
 if BUILD_NFS_IDMAP
 man_MANS += sss_rpcidmapd.5
 endif
diff --git a/src/man/po/po4a.cfg b/src/man/po/po4a.cfg
index 2a51731..a673556 100644
--- a/src/man/po/po4a.cfg
+++ b/src/man/po/po4a.cfg
@@ -28,6 +28,7 @@
 [type:docbook] sss_ssh_knownhostsproxy.1.xml $lang:$(builddir)/$lang/sss_ssh_knownhostsproxy.1.xml
 [type:docbook] idmap_sss.8.xml $lang:$(builddir)/$lang/idmap_sss.8.xml
 [type:docbook] sssctl.8.xml $lang:$(builddir)/$lang/sssctl.8.xml
+[type:docbook] sssd-secrets.5.xml $lang:$(builddir)/$lang/sssd-secrets.5.xml
 [type:docbook] include/service_discovery.xml $lang:$(builddir)/$lang/include/service_discovery.xml opt:"-k 0"
 [type:docbook] include/upstream.xml $lang:$(builddir)/$lang/include/upstream.xml opt:"-k 0"
 [type:docbook] include/failover.xml $lang:$(builddir)/$lang/include/failover.xml opt:"-k 0"
diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml
new file mode 100644
index 000..2e7afba
--- /dev/null
+++ b/src/man/sssd-secrets.5.xml
@@ -0,0 +1,420 @@
+
+http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd;>
+
+SSSD Manual pages
+
+http://www.w3.org/2001/XInclude; href="include/upstream.xml" />
+
+
+sssd-secrets
+5
+File Formats and Conventions
+
+
+
+sssd-secrets
+SSSD Secrets responder
+
+
+
+DESCRIPTION
+
+This manual page describes the configuration of the Secrets responder
+for
+
+sssd
+8
+.
+For a detailed syntax reference, refer to the FILE FORMAT section of the
+
+sssd.conf
+5
+ manual page.
+
+
+ Many system and user applications need to store secrets
+ such as passwords or service keys and have no good way to
+ properly deal with them. The simple approach is to embed
+ these secrets into configuration files potentially ending up
+ exposing sensitive key material to backups, config management
+ system and in general making it harder to secure data.
+ 
+ 
+ The https://github.com/latchset/custodia;>custodia
+ project was born to deal with this problem in cloud like
+ environments, but we found the idea compelling even at a
+ single system level. As a security service, SSSD is ideal to
+ host this capability while offering the same API via a Unix
+ Socket. This will make it possible to use local calls and have
+ them transparently routed to a local or a remote key management
+ store like IPA Vault for storage, escrow and recovery.
+ 
+ 
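
Review bot: two wording points in the DESCRIPTION paragraphs. In "exposing sensitive key material to backups, config management system and in general making it harder to secure data", "system" should be plural and the sentence needs a comma before "and in general"; in "cloud like environments", "cloud-like" should be hyphenated.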

[SSSD] [sssd PR#22] LDAP: Return partial results from adminlimit exceeded (comment)

2016-09-14 Thread jhrozek
jhrozek commented on a pull request

"""
* master: 3319d964721396c07daba383ded6aaaf33ed6e3b
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/22#issuecomment-246954357


[SSSD] [sssd PR#22] LDAP: Return partial results from adminlimit exceeded (closed)

2016-09-14 Thread jhrozek
jhrozek's pull request #22: "LDAP: Return partial results from adminlimit 
exceeded" was closed

See the full pull-request at https://github.com/SSSD/sssd/pull/22
... or pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/22/head:pr22
git checkout pr22


[SSSD] [sssd PR#22] LDAP: Return partial results from adminlimit exceeded (+Pushed)

2016-09-14 Thread jhrozek
jhrozek's pull request #22: "LDAP: Return partial results from adminlimit 
exceeded" label *Pushed* has been added

See the full pull-request at https://github.com/SSSD/sssd/pull/22


[SSSD] [sssd PR#22] LDAP: Return partial results from adminlimit exceeded (-Accepted)

2016-09-14 Thread jhrozek
jhrozek's pull request #22: "LDAP: Return partial results from adminlimit 
exceeded" label *Accepted* has been removed

See the full pull-request at https://github.com/SSSD/sssd/pull/22


[SSSD] [sssd PR#22] LDAP: Return partial results from adminlimit exceeded (comment)

2016-09-14 Thread jhrozek
jhrozek commented on a pull request

"""
On Tue, Sep 13, 2016 at 01:33:49AM -0700, mzidek-rh wrote:
> Makes sense, but I would prefer to add new "else if" branch with 
> ADMINLIMIT_EXCEEDED specific debug message.
> 
> It would also make sense to change the SDAP_SRCH_FLG_SIZELIMIT_SILENT into 
> something more generic, like SDAP_SRCH_FLG_SILENT because we want to use it 
> for both of these cases.

I agree with both, please send a separate patch (at least you'll have
npatch++), but I need to apply a fix to downstream now..

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/22#issuecomment-246952366


[SSSD] [sssd PR#11] SECRETS: Don't remove a container when it has children (-Changes requested)

2016-09-14 Thread fidencio
fidencio's pull request #11: "SECRETS: Don't remove a container when it has 
children" label *Changes requested* has been removed

See the full pull-request at https://github.com/SSSD/sssd/pull/11