[SSSD] [sssd PR#76][comment] AD: Fix crash in AD subdomain reinit
URL: https://github.com/SSSD/sssd/pull/76 Title: #76: AD: Fix crash in AD subdomain reinit sumit-bose commented: """ PR #74 has the same fix and a similar fix for the IPA provider as well. I'm fine with revoking #74 if the fix for the IPA provider is added here as well. """ See the full comment at https://github.com/SSSD/sssd/pull/76#issuecomment-259349272 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#76][comment] AD: Fix crash in AD subdomain reinit
URL: https://github.com/SSSD/sssd/pull/76 Title: #76: AD: Fix crash in AD subdomain reinit celestian commented: """ ok to test """ See the full comment at https://github.com/SSSD/sssd/pull/76#issuecomment-259348408
[SSSD] [sssd PR#76][comment] AD: Fix crash in AD subdomain reinit
URL: https://github.com/SSSD/sssd/pull/76 Title: #76: AD: Fix crash in AD subdomain reinit centos-ci commented: """ Can one of the admins verify this patch? """ See the full comment at https://github.com/SSSD/sssd/pull/76#issuecomment-259315383
[SSSD] [sssd PR#76][comment] AD: Fix crash in AD subdomain reinit
URL: https://github.com/SSSD/sssd/pull/76 Title: #76: AD: Fix crash in AD subdomain reinit centos-ci commented: """ Can one of the admins verify this patch? """ See the full comment at https://github.com/SSSD/sssd/pull/76#issuecomment-259315385
[SSSD] [sssd PR#75][comment] Add configuirable max payload size limit of a secret
URL: https://github.com/SSSD/sssd/pull/75 Title: #75: Add configuirable max payload size limit of a secret fidencio commented: """ Thanks for catching this, @lslebodn. I've run the CI locally and it has passed. I was wondering what my mistake was and `git stash pop` gave me the answer. Patches have been updated. """ See the full comment at https://github.com/SSSD/sssd/pull/75#issuecomment-259200019
[SSSD] [sssd PR#75][synchronized] Add configuirable max payload size limit of a secret
URL: https://github.com/SSSD/sssd/pull/75 Author: fidencio Title: #75: Add configuirable max payload size limit of a secret Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/75/head:pr75 git checkout pr75 From 9119622f6cd44b84261e99649437c3b524e8d51d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=Date: Tue, 8 Nov 2016 16:39:48 +0100 Subject: [PATCH 1/2] SECRETS: Delete all secret stored during "max_secrets" test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Otherwise we will have an 507 error in case any secret is added by any of the tests that may be implemented in the future. Signed-off-by: Fabiano Fidêncio --- src/tests/intg/test_secrets.py | 4 1 file changed, 4 insertions(+) diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py index 57b8f3f..09a91e0 100644 --- a/src/tests/intg/test_secrets.py +++ b/src/tests/intg/test_secrets.py @@ -151,6 +151,10 @@ def test_crd_ops(setup_for_secrets, secrets_cli): cli.set_secret(str(MAX_SECRETS), sec_value) assert str(err507.value).startswith("507") +# Delete all stored secrets used for max secrets tests +for x in xrange(MAX_SECRETS): +cli.del_secret(str(x)) + def test_containers(setup_for_secrets, secrets_cli): """ From b5b2cf8762f612f49c061e8967087e9f84736add Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 8 Nov 2016 16:46:21 +0100 Subject: [PATCH 2/2] SECRETS: Add configurable payload size limit of a secret MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Resolves: https://fedorahosted.org/sssd/ticket/3169 
Signed-off-by: Fabiano Fidêncio --- src/confdb/confdb.h| 1 + src/config/SSSDConfig/__init__.py.in | 1 + src/config/cfg_rules.ini | 1 + src/config/etc/sssd.api.conf | 1 + src/man/sssd-secrets.5.xml | 12 src/responder/secrets/local.c | 29 + src/responder/secrets/providers.c | 4 src/responder/secrets/secsrv.c | 13 + src/responder/secrets/secsrv.h | 1 + src/responder/secrets/secsrv_private.h | 1 + src/tests/intg/test_secrets.py | 15 +++ src/util/util_errors.c | 1 + src/util/util_errors.h | 1 + 13 files changed, 81 insertions(+) diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 2a1e581..12beaab 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -226,6 +226,7 @@ #define CONFDB_SEC_CONF_ENTRY "config/secrets" #define CONFDB_SEC_CONTAINERS_NEST_LEVEL "containers_nest_level" #define CONFDB_SEC_MAX_SECRETS "max_secrets" +#define CONFDB_SEC_MAX_PAYLOAD_SIZE "max_payload_size" struct confdb_ctx; diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 381ff95..be09e8f 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -123,6 +123,7 @@ option_strings = { 'provider': _('The provider where the secrets will be stored in'), 'containers_nest_level': _('The maximum allowed number of nested containers'), 'max_secrets': _('The maximum number of secrets that can be stored'), +'max_payload_size': _('The maximum payload size of a secret in kilobytes'), # secrets - proxy 'proxy_url': _('The URL Custodia server is listening on'), 'auth_type': _('The method to use when authenticating to a Custodia server'), diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index ec716b5..fcb7de9 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -231,6 +231,7 @@ option = description option = provider option = containers_nest_level option = max_secrets +option = max_payload_size # Secrets service - proxy option = proxy_url option = auth_type 
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index be24bce..d591228 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -100,6 +100,7 @@ user_attributes = str, None, false provider = str, None, false containers_nest_level = int, None, false max_secrets = int, None, false +max_payload_size = int, None, false # Secrets service - proxy proxy_url = str, None, false auth_type = str, None, false diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml index 7ec54c2..80e9c40 100644 --- a/src/man/sssd-secrets.5.xml +++ b/src/man/sssd-secrets.5.xml @@ -168,6 +168,18 @@ systemctl enable sssd-secrets.service + +max_payload_size (integer) + + +This option specifies the maximum payload size allowed for +
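Review bot: the cleanup loop appended to test_crd_ops in the first patch only runs when every assertion before it passes; if the 507 check fails, the MAX_SECRETS secrets stay in the store and every later test inherits a full container, which is the very situation the commit message wants to avoid. Moving the `cli.del_secret(str(x))` loop into the teardown of the `setup_for_secrets` fixture (or wrapping the test body in `try`/`finally`) makes the cleanup unconditional. `xrange` also ties the test to Python 2; `range` behaves the same here on both versions.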
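Review bot: the SSSDConfig string for max_payload_size says "in kilobytes", but the sssd-secrets.5.xml entry is cut off in this message before it states a unit or a default, and the diffstat shows the enforcing code in local.c and secsrv.c without any of it being visible here. The man page text should name both the unit and the default value explicitly, so that operators do not confuse this size limit with max_secrets (a count), and the wording in __init__.py.in should match it.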
[SSSD] [sssd PR#75][synchronized] Add configuirable max payload size limit of a secret
URL: https://github.com/SSSD/sssd/pull/75 Author: fidencio Title: #75: Add configuirable max payload size limit of a secret Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/75/head:pr75 git checkout pr75 From 9119622f6cd44b84261e99649437c3b524e8d51d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=Date: Tue, 8 Nov 2016 16:39:48 +0100 Subject: [PATCH 1/2] SECRETS: Delete all secret stored during "max_secrets" test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Otherwise we will have an 507 error in case any secret is added by any of the tests that may be implemented in the future. Signed-off-by: Fabiano Fidêncio --- src/tests/intg/test_secrets.py | 4 1 file changed, 4 insertions(+) diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py index 57b8f3f..09a91e0 100644 --- a/src/tests/intg/test_secrets.py +++ b/src/tests/intg/test_secrets.py @@ -151,6 +151,10 @@ def test_crd_ops(setup_for_secrets, secrets_cli): cli.set_secret(str(MAX_SECRETS), sec_value) assert str(err507.value).startswith("507") +# Delete all stored secrets used for max secrets tests +for x in xrange(MAX_SECRETS): +cli.del_secret(str(x)) + def test_containers(setup_for_secrets, secrets_cli): """ From 69cb2280af07ed81faee2cd4117a4c0517951e6d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 8 Nov 2016 16:46:21 +0100 Subject: [PATCH 2/2] SECRETS: Add configurable payload size limit of a secret MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Resolves: https://fedorahosted.org/sssd/ticket/3169 
Signed-off-by: Fabiano Fidêncio --- src/confdb/confdb.h| 1 + src/config/SSSDConfig/__init__.py.in | 1 + src/config/cfg_rules.ini | 1 + src/config/etc/sssd.api.conf | 1 + src/man/sssd-secrets.5.xml | 12 src/responder/secrets/local.c | 29 + src/responder/secrets/providers.c | 4 src/responder/secrets/secsrv.c | 13 + src/responder/secrets/secsrv.h | 1 + src/responder/secrets/secsrv_private.h | 1 + src/tests/intg/test_secrets.py | 15 +++ src/util/util_errors.h | 1 + 12 files changed, 80 insertions(+) diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 2a1e581..12beaab 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -226,6 +226,7 @@ #define CONFDB_SEC_CONF_ENTRY "config/secrets" #define CONFDB_SEC_CONTAINERS_NEST_LEVEL "containers_nest_level" #define CONFDB_SEC_MAX_SECRETS "max_secrets" +#define CONFDB_SEC_MAX_PAYLOAD_SIZE "max_payload_size" struct confdb_ctx; diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 381ff95..be09e8f 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -123,6 +123,7 @@ option_strings = { 'provider': _('The provider where the secrets will be stored in'), 'containers_nest_level': _('The maximum allowed number of nested containers'), 'max_secrets': _('The maximum number of secrets that can be stored'), +'max_payload_size': _('The maximum payload size of a secret in kilobytes'), # secrets - proxy 'proxy_url': _('The URL Custodia server is listening on'), 'auth_type': _('The method to use when authenticating to a Custodia server'), diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index ec716b5..fcb7de9 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -231,6 +231,7 @@ option = description option = provider option = containers_nest_level option = max_secrets +option = max_payload_size # Secrets service - proxy option = proxy_url option = auth_type 
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index be24bce..d591228 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -100,6 +100,7 @@ user_attributes = str, None, false provider = str, None, false containers_nest_level = int, None, false max_secrets = int, None, false +max_payload_size = int, None, false # Secrets service - proxy proxy_url = str, None, false auth_type = str, None, false diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml index 7ec54c2..80e9c40 100644 --- a/src/man/sssd-secrets.5.xml +++ b/src/man/sssd-secrets.5.xml @@ -168,6 +168,18 @@ systemctl enable sssd-secrets.service + +max_payload_size (integer) + + +This option specifies the maximum payload size allowed for +a secret payload in
[SSSD] [sssd PR#75][opened] Add configuirable max payload size limit of a secret
URL: https://github.com/SSSD/sssd/pull/75 Author: fidencio Title: #75: Add configuirable max payload size limit of a secret Action: opened PR body: """ This series may conflict with PR53[0]. So either one or another will need to be rebased after the first one gets merged. [0]: https://github.com/SSSD/sssd/pull/53 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/75/head:pr75 git checkout pr75 From eb66b635628a1c1131407dbd9ac4cbc7f76b176a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=Date: Tue, 8 Nov 2016 16:39:48 +0100 Subject: [PATCH 1/2] SECRETS: Delete all secret stored during "max_secrets" test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Otherwise we will have an 507 error in case any secret is added by any of the tests that may be implemented in the future. Signed-off-by: Fabiano Fidêncio --- src/tests/intg/test_secrets.py | 4 1 file changed, 4 insertions(+) diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py index 57b8f3f..09a91e0 100644 --- a/src/tests/intg/test_secrets.py +++ b/src/tests/intg/test_secrets.py @@ -151,6 +151,10 @@ def test_crd_ops(setup_for_secrets, secrets_cli): cli.set_secret(str(MAX_SECRETS), sec_value) assert str(err507.value).startswith("507") +# Delete all stored secrets used for max secrets tests +for x in xrange(MAX_SECRETS): +cli.del_secret(str(x)) + def test_containers(setup_for_secrets, secrets_cli): """ From ddaf1d1ef55a14ddd4ea28502072c1fac9365fd2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 8 Nov 2016 16:46:21 +0100 Subject: [PATCH 2/2] SECRETS: Add configurable payload size limit of a secret MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Resolves: https://fedorahosted.org/sssd/ticket/3169 
Signed-off-by: Fabiano Fidêncio --- src/confdb/confdb.h| 1 + src/config/SSSDConfig/__init__.py.in | 1 + src/config/cfg_rules.ini | 1 + src/config/etc/sssd.api.conf | 1 + src/man/sssd-secrets.5.xml | 12 src/responder/secrets/local.c | 29 + src/responder/secrets/providers.c | 4 src/responder/secrets/secsrv.c | 13 + src/responder/secrets/secsrv.h | 1 + src/responder/secrets/secsrv_private.h | 1 + src/tests/intg/test_secrets.py | 15 +++ src/util/util_errors.h | 1 + 12 files changed, 80 insertions(+) diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 2a1e581..12beaab 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -226,6 +226,7 @@ #define CONFDB_SEC_CONF_ENTRY "config/secrets" #define CONFDB_SEC_CONTAINERS_NEST_LEVEL "containers_nest_level" #define CONFDB_SEC_MAX_SECRETS "max_secrets" +#define CONFDB_SEC_MAX_PAYLOAD_SIZE "max_payload_size" struct confdb_ctx; diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 381ff95..be09e8f 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -123,6 +123,7 @@ option_strings = { 'provider': _('The provider where the secrets will be stored in'), 'containers_nest_level': _('The maximum allowed number of nested containers'), 'max_secrets': _('The maximum number of secrets that can be stored'), +'max_payload_size': _('The maximum payload size of a secret in kilobytes'), # secrets - proxy 'proxy_url': _('The URL Custodia server is listening on'), 'auth_type': _('The method to use when authenticating to a Custodia server'), diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index ec716b5..fcb7de9 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -231,6 +231,7 @@ option = description option = provider option = containers_nest_level option = max_secrets +option = max_payload_size # Secrets service - proxy option = proxy_url option = auth_type 
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index be24bce..d591228 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -100,6 +100,7 @@ user_attributes = str, None, false provider = str, None, false containers_nest_level = int, None, false max_secrets = int, None, false +max_payload_size = int, None, false # Secrets service - proxy proxy_url = str, None, false auth_type = str, None, false diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml index 7ec54c2..80e9c40 100644 --- a/src/man/sssd-secrets.5.xml +++ b/src/man/sssd-secrets.5.xml @@ -168,6 +168,18 @@ systemctl enable sssd-secrets.service + +max_payload_size
[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache
On (07/11/16 14:42), Petr Cech wrote:
>Hi all,
>
>after a chat with Lukas I attached only the first two patches. Author of the third
>one is Lukas and I am not sure if he is finished. (There was a question of
>LD_PRELOAD.)
>
>Regards
>
>--
>Petr^4 Čech
>From c67ccc872eb5dacc98f626c10740424cef205334 Mon Sep 17 00:00:00 2001
>From: Petr Cech
>Date: Tue, 16 Aug 2016 09:32:18 +0200
>Subject: [PATCH 1/3] SYSDB: Adding message to inform which cache is used
>
>Resolves:
>https://fedorahosted.org/sssd/ticket/3060
>---
ACK
>From 1f4e5b03442ea87a117c54a30550fbc357ff10a7 Mon Sep 17 00:00:00 2001
>From: Petr Cech
>Date: Tue, 16 Aug 2016 09:33:46 +0200
>Subject: [PATCH 2/3] SYSDB: Adding message about reason why cache changed
>
>Resolves:
>https://fedorahosted.org/sssd/ticket/3060
>---
> src/db/sysdb.c | 24
> 1 file changed, 20 insertions(+), 4 deletions(-)
>
ACK
http://sssd-ci.duckdns.org/logs/job/56/52/summary.html

LS
[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Author: celestian Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/39/head:pr39 git checkout pr39 From d83eb122f75ff1204cfdac6d5bc1ec138056 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?=Date: Wed, 12 Oct 2016 16:48:38 +0200 Subject: [PATCH] SYSDB: Adding lowercase sudoUser form If domain is not case sensitive we add lowercase form of usernames to sudoUser attributes. So we actually able to apply sudoRule on user Administrator@... with login admnistrator@... Resolves: https://fedorahosted.org/sssd/ticket/3203 (cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645) --- src/db/sysdb_sudo.c | 63 + 1 file changed, 63 insertions(+) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 76116ab..ecf350f 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c 
@@ -801,6 +801,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, return EOK; } +static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, +struct sysdb_attrs *rule) +{ +TALLOC_CTX *tmp_ctx; +const char **users = NULL; +const char *lowered = NULL; +errno_t ret; + +if (domain->case_sensitive == true || rule == NULL) { +return EOK; +} + +tmp_ctx = talloc_new(NULL); +if (tmp_ctx == NULL) { +return ENOMEM; +} + +ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx, + ); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", +SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +if (users == NULL) { +ret = EOK; +goto done; +} + +for (int i = 0; users[i] != NULL; i++) { +lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]); +if (lowered == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n"); +ret = ENOMEM; +goto done; +} + +if (strcmp(users[i], lowered) == 0) { +/* It protects us from adding duplicate. */ +continue; +} + +ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, + "Unable to add %s attribute [%d]: %s\n", + SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +} + +ret = EOK; + +done: +talloc_zfree(tmp_ctx); +return ret; +} + static errno_t sysdb_sudo_store_rule(struct sss_domain_info *domain, struct sysdb_attrs *rule, @@ -817,6 +875,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain, DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name); +ret = sysdb_sudo_add_lowered_users(domain, rule); +if (ret != EOK) { +return ret; +} + ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now); if (ret != EOK) { return ret; ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
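Review bot: the duplicate guard in sysdb_sudo_add_lowered_users compares each value only with its own lowered form, so a rule whose sudoUser already carries two spellings of the same name (`Administrator@...` and `administrator@...`) gets the lowered value added a second time, and plain sysdb_attrs_add_string does not check for an existing value; compare `lowered` against every entry in `users` (and the values added so far) before adding, or use the `_safe` variant of sysdb_attrs_add_string if the 1.13 branch has it. The loop also lowercases every sudoUser value, including `ALL` and `%group`/`+netgroup` entries, so consider skipping values that are not plain user names, and add a short comment stating why the lowered form is needed in case-insensitive domains, since that rationale currently lives only in the commit message.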
[SSSD] [sssd PR#53][comment] Fixes in the config API related to secrets responder
URL: https://github.com/SSSD/sssd/pull/53 Title: #53: Fixes in the config API related to secrets responder lslebodn commented: """
On (08/11/16 05:15), fidencio wrote:
>@jhrozek:
>For the first patch the tests are correct. @lslebodn also complained that
>[secrets/users/] could be a valid case in the way the code is in git right now
>and it's also fixed by my patch. In any case, it seems that we don't allow any
>config section to end with "/".
>
>For the second test, I guess that good tests are adding configuration options
>that are only allowed for [secrets] into the [secrets/users/123] section and
>vice-versa.
>
>Example of a config that should fail:
>```
>[secrets]
>proxy_url = foo
>
>[secrets/users/123]
>timeout = 10
>```
>
>Example of a config that should not fail:
>```
>[secrets]
>debug_level = 9
>
>[secrets/users/123]
>proxy_url = foo
>```
>@lslebodn, does it make sense for you?
>
I am fine with the 1st patch. But I am not very familiar with the secrets code, therefore it would take me much more time to review the 2nd patch. I prefer if @jhrozek could review it.

LS
""" See the full comment at https://github.com/SSSD/sssd/pull/53#issuecomment-259138537
[SSSD] [sssd PR#65][comment] Fixing of nitpicks
URL: https://github.com/SSSD/sssd/pull/65 Title: #65: Fixing of nitpicks lslebodn commented: """
On (08/11/16 05:26), celestian wrote:
>celestian commented on this pull request.
>> @@ -269,6 +269,10 @@ static void
>> rdp_message_send_and_reply_done(DBusPendingCall *pending,
> sbus_req = talloc_get_type(ptr, struct sbus_request);
>
> ret = rdp_process_pending_call(sbus_req, pending, );
>+if (ret != EOK) {
>+/* Something bad happened. Just kill the request. */
>+goto done;
>+}
> if (reply == NULL) {
>
>I don't insist on the patch ```RESPONDER: Adding of return value checking```.
>
The patch is not absolutely wrong. But the following check for NULL is redundant. As I previously wrote, we should be consistent. We should either check `ret != EOK` after each invocation of `rdp_process_pending_call` or we should check `reply == NULL`. Ask @pbrezina why he wrote the code in such a way.

LS
""" See the full comment at https://github.com/SSSD/sssd/pull/65#issuecomment-259138069
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) jhrozek commented: """
On Tue, Nov 08, 2016 at 05:06:41AM -0800, celestian wrote:
> Yes, the second patch explicitly qualifies the names. I don't know if there
> is a possibility to add a wrong domain to the given user name this way. That's
> the question.
>
> The reason for doing this is that the function ```sudosrv_get_user()``` asks for
> that type of name. As you can see:
> ```
> # grep 'administrator' *.log
>
> # sssd_scorpion.domain.log:
> [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=administrator]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=administrator)(objectclass=user)(objectSID=*))][DC=scorpion,DC=domain].
> [pam_print_data] (0x0100): ruser: administrator@scorpion.domain
> [sssd[be[scorpion.domain]]] [pam_print_data] (0x0100): ruser: administrator@scorpion.domain
>
> # sssd_sudo.log:
> [sss_parse_name_for_domains] (0x0200): name 'administrator@scorpion.domain' matched expression for domain 'scorpion.domain', user is administrator
> [sss_parse_name_for_domains] (0x0200): name 'administrator@scorpion.domain' matched expression for domain 'scorpion.domain', user is administrator
> [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [administrator] from [scorpion.domain]
> [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/scorpion.domain/administrator]
> [sudosrv_get_user] (0x0200): Requesting info about [administrator@scorpion.domain]
> [sudosrv_get_user] (0x0400): Returning info for user [administrator@scorpion.domain]

This is only how the DEBUG messages are formatted:

122 DEBUG(SSSDBG_FUNC_DATA, "Requesting info about [%s@%s]\n",
123 name, dom->name);

and:

243 DEBUG(SSSDBG_TRACE_FUNC, "Returning info for user [%s@%s]\n",
244 cmd_ctx->username, dctx->domain->name);

In the cache I can see both administra...@win.trust.test and administrator. But do we need the qualified name? Why?
""" See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-259134748
[SSSD] [sssd PR#65][comment] Fixing of nitpicks
URL: https://github.com/SSSD/sssd/pull/65 Title: #65: Fixing of nitpicks celestian commented: """
```UTIL: Removing of never read value```
```
@@ -1104,7 +1104,6 @@ bool sss_krb5_realm_has_proxy(const char *realm)
kerr = profile_get_values(profile, profile_path, );
if (kerr == PROF_NO_RELATION || kerr == PROF_NO_SECTION) {
-kerr = 0;
goto done;
```
As @jhrozek said above, false is the right return value. The proposed patch is about removing ```kerr = 0``` because it is not read anywhere.
""" See the full comment at https://github.com/SSSD/sssd/pull/65#issuecomment-259134075
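Review bot: dropping `kerr = 0` on the PROF_NO_RELATION / PROF_NO_SECTION path is only safe if nothing after the `done:` label reads kerr; the hunk stops before the label, so the commit message should state that the function's `false` result on this path comes from a separate variable and that kerr is not logged or returned after the jump, otherwise the change silently turns a "not found" into an error code at the exit.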
[SSSD] [sssd PR#53][comment] Fixes in the config API related to secrets responder
URL: https://github.com/SSSD/sssd/pull/53 Title: #53: Fixes in the config API related to secrets responder fidencio commented: """
@jhrozek:
For the first patch the tests are correct. @lslebodn also complained that [secrets/users/] could be a valid case in the way the code is in git right now and it's also fixed by my patch. In any case, it seems that we don't allow any config section to end with "/".

For the second test, I guess that good tests are adding configuration options that are only allowed for [secrets] into the [secrets/users/123] section and vice-versa.

Example of a config that should fail:
```
[secrets]
proxy_url = foo

[secrets/users/123]
timeout = 10
```

Example of a config that should not fail:
```
[secrets]
debug_level = 9

[secrets/users/123]
proxy_url = foo
```
@lslebodn, does it make sense for you?

@jhrozek: and I really would like to be sure that the options that I put into the secrets section in the second patch are **only** valid for that section or whether those options should be inherited and also allowed in [secrets/users/123]
""" See the full comment at https://github.com/SSSD/sssd/pull/53#issuecomment-259133301
[SSSD] [sssd PR#53][synchronized] Fixes in the config API related to secrets responder
URL: https://github.com/SSSD/sssd/pull/53 Author: fidencio Title: #53: Fixes in the config API related to secrets responder Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/53/head:pr53 git checkout pr53 From 01a07663269bd7abd32581b611480ad61bf2805f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=Date: Mon, 17 Oct 2016 17:07:56 +0200 Subject: [PATCH 1/2] SECRETS: Fix secrets rule in the allowed sections MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We have been matching an invalid subsection of the secrets' section, like: [secrets/users/] Let's ensure that we only match the following cases: [secrets] [secrets/users/[0-9]+] Signed-off-by: Fabiano Fidêncio --- src/config/cfg_rules.ini | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index ec716b5..24937c9 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -8,7 +8,7 @@ section = autofs section = ssh section = pac section = ifp -section_re = ^secrets\(/users/\([0-9]\+\)\?\)\?$ +section_re = ^secrets\(/users/[0-9]\+\)\?$ section_re = ^domain/.*$ [rule/allowed_sssd_options] @@ -213,7 +213,7 @@ option = user_attributes [rule/allowed_sec_options] validator = ini_allowed_options -section_re = ^secrets\(/users/\([0-9]\+\)\?\)\?$ +section_re = ^secrets\(/users/[0-9]\+\)\?$ option = timeout option = debug From 206764d85dabbf1a0cf1d2d00cdcc2b71492fcd6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 17 Oct 2016 18:58:50 +0200 Subject: [PATCH 2/2] SECRETS: Add allowed_sec_users_options MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There are options (the proxying related ones) that only apply to the secrets' subsections. In order to make config API able to catch those, let's create a new section called allowed_sec_users_options) and move there these proxying options. Signed-off-by: Fabiano Fidêncio --- src/config/cfg_rules.ini | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 24937c9..8a5290e 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -8,7 +8,8 @@ section = autofs section = ssh section = pac section = ifp -section_re = ^secrets\(/users/[0-9]\+\)\?$ +section = secrets +section_re = ^secrets/users/[0-9]\+$ section_re = ^domain/.*$ [rule/allowed_sssd_options] @@ -211,9 +212,10 @@ option = description option = allowed_uids option = user_attributes +# Secrets service [rule/allowed_sec_options] validator = ini_allowed_options -section_re = ^secrets\(/users/[0-9]\+\)\?$ +section_re = ^secrets$ option = timeout option = debug @@ -226,11 +228,14 @@ option = reconnection_retries option = fd_limit option = client_idle_timeout option = description - -# Secrets service option = provider option = containers_nest_level option = max_secrets + +[rule/allowed_sec_users_options] +validator = ini_allowed_options +section_re = ^secrets/users/[0-9]\+$ + # Secrets service - proxy option = proxy_url option = auth_type ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
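Review bot: the tightened `section_re = ^secrets\(/users/[0-9]\+\)\?$` in the first patch now rejects `[secrets/users/]` as the commit message intends, but the diffstat shows cfg_rules.ini as the only file touched, so no test pins the new behaviour; fidencio's comment in this thread already spells out a config that must fail and one that must pass, and those two plus a `[secrets/users/]` case belong in the config API tests so the regex cannot regress.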
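Review bot: in the second patch `[rule/allowed_sec_users_options]` lists only the proxy options, while timeout, debug, fd_limit, client_idle_timeout, description and the other generic options stay under the `^secrets$` rule, so after this change a `[secrets/users/123]` section that sets, say, `timeout` is reported as invalid. If the per-user subsections are meant to inherit those generic settings from [secrets] (the question the author raises in this thread), the validator needs them listed under both rules; either way the intended behaviour should be stated in the commit message, which also has a stray closing parenthesis after allowed_sec_users_options.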
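To make the test cases fidencio describes in his comment concrete, here is an added example (not SSSD's own code) that re-implements the section and option checks the config API derives from cfg_rules.ini, using Python's configparser and re modules and the rule values visible in the two patches. The rule table is transcribed from the hunks, `debug_level` is assumed to sit in the part of the [secrets] option list the hunk elides (as the "should not fail" example implies), and the three configs are constructed inputs.

```python
"""Toy validator for the [secrets] section rules changed in PR#53.

Added example, not SSSD code: it mimics the "allowed sections" and "allowed
options" checks that cfg_rules.ini drives in SSSD's config API, using the
values visible in the second patch. GNU basic-regex syntax ("[0-9]\\+",
"\\(...\\)\\?") is rewritten as Python re syntax ("[0-9]+", "(...)?").
"""
import configparser
import re

# Section rules from the top of cfg_rules.ini after the second patch:
# plain "section = ..." entries are exact names, "section_re = ..." are regexes.
ALLOWED_SECTIONS = [
    re.compile(r"^(autofs|ssh|pac|ifp|secrets)$"),
    re.compile(r"^secrets/users/[0-9]+$"),
    re.compile(r"^domain/.*$"),
]

# The pre-patch secrets regex, kept only to show what it wrongly accepted.
OLD_SECRETS_RE = re.compile(r"^secrets(/users/([0-9]+)?)?$")

# Option rules: (section regex, allowed options). Only option names visible in
# the hunks are listed; debug_level is an assumption (see lead-in).
OPTION_RULES = [
    (re.compile(r"^secrets$"), {
        "timeout", "debug", "debug_level", "reconnection_retries", "fd_limit",
        "client_idle_timeout", "description", "provider",
        "containers_nest_level", "max_secrets",
    }),
    (re.compile(r"^secrets/users/[0-9]+$"), {"proxy_url", "auth_type"}),
]


def old_rule_accepts(section):
    """True if the pre-patch section_re would have accepted this section name."""
    return OLD_SECRETS_RE.match(section) is not None


def validate(config_text):
    """Return a list of error strings; an empty list means the config passes."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    errors = []
    for section in parser.sections():
        if not any(rule.match(section) for rule in ALLOWED_SECTIONS):
            errors.append("section [%s] is not allowed" % section)
            continue
        allowed = next((opts for rule, opts in OPTION_RULES if rule.match(section)), None)
        if allowed is None:
            continue  # sections whose option rules this toy table does not carry
        for option in parser.options(section):
            if option not in allowed:
                errors.append("option '%s' is not allowed in section [%s]"
                              % (option, section))
    return errors


# Constructed inputs: the two configs from fidencio's comment plus the
# [secrets/users/] case that the first patch is meant to reject.
SHOULD_FAIL = """\
[secrets]
proxy_url = foo

[secrets/users/123]
timeout = 10
"""

SHOULD_PASS = """\
[secrets]
debug_level = 9

[secrets/users/123]
proxy_url = foo
"""

TRAILING_SLASH = """\
[secrets/users/]
proxy_url = foo
"""

if __name__ == "__main__":
    for name, text in (("should fail", SHOULD_FAIL), ("should pass", SHOULD_PASS),
                       ("trailing slash", TRAILING_SLASH)):
        print(name + ":", validate(text) or "OK")
    print("old regex accepted [secrets/users/]:", old_rule_accepts("secrets/users/"))
```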
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """
Yes, the second patch explicitly qualifies the names. I don't know if there is a possibility to add a wrong domain to the given user name this way. That's the question. The reason for doing this is that the function `sudosrv_get_user()` asks for that type of name. As you can see:

```
# grep 'administrator' *.log
# sssd_scorpion.domain.log:
[be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=administrator]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=administrator)(objectclass=user)(objectSID=*))][DC=scorpion,DC=domain].
[pam_print_data] (0x0100): ruser: administrator@scorpion.domain
[sssd[be[scorpion.domain]]] [pam_print_data] (0x0100): ruser: administrator@scorpion.domain
# sssd_sudo.log:
[sss_parse_name_for_domains] (0x0200): name 'administrator@scorpion.domain' matched expression for domain 'scorpion.domain', user is administrator
[sss_parse_name_for_domains] (0x0200): name 'administrator@scorpion.domain' matched expression for domain 'scorpion.domain', user is administrator
[sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [administrator] from [scorpion.domain]
[sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/scorpion.domain/administrator]
[sudosrv_get_user] (0x0200): Requesting info about [administrator@scorpion.domain]
[sudosrv_get_user] (0x0400): Returning info for user [administrator@scorpion.domain]
[sss_parse_name_for_domains] (0x0200): name 'administrator@scorpion.domain' matched expression for domain 'scorpion.domain', user is administrator
[sss_parse_name_for_domains] (0x0200): name 'administrator@scorpion.domain' matched expression for domain 'scorpion.domain', user is administrator
[sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [administrator] from [scorpion.domain]
[sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/scorpion.domain/administrator]
[sudosrv_get_user] (0x0200): Requesting info about [administrator@scorpion.domain]
[sudosrv_get_user] (0x0400): Returning info for user [administrator@scorpion.domain]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [administrator@scorpion.domain]
```
"""
See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-259131495
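As an added example that is not SSSD's code and not the patch under review: a Python sketch of normalising the cached `sudoUser` values of a rule for a case-insensitive domain and matching them against the login the responder parses (short name within a domain, or name@domain, as in the log above), with the sudoers tokens `ALL`, `%group`, `+netgroup` and `#uid` left untouched. The `user@domain` format, the token handling and the sample rule are assumptions of this example.

```python
# Added example, not SSSD code: normalising cached sudoUser values for a
# case-insensitive domain and matching them the way the sudo responder
# looks rules up (by short name within a domain, or by name@domain).
# The "user@domain" format and the treatment of sudoers tokens are
# assumptions of this example.

SUDO_TOKEN_PREFIXES = ("%", "+", "#")   # %group, +netgroup, #uid


def is_plain_user(value: str) -> bool:
    """True for a bare user name; False for the sudoers tokens ALL, %group,
    +netgroup and #uid, which must be neither lowered nor qualified."""
    return value != "ALL" and not value.startswith(SUDO_TOKEN_PREFIXES)


def qualify(name: str, domain: str) -> str:
    """Fully-qualified form; assumed format user@domain."""
    return name if "@" in name else f"{name}@{domain}"


def normalise_sudo_users(values, domain, case_sensitive):
    """Return the sudoUser values plus, for plain user names, their
    fully-qualified form and (in a case-insensitive domain) the lowercase
    forms. Originals are kept and duplicates are never produced."""
    out, seen = [], set()

    def add(value):
        if value not in seen:
            seen.add(value)
            out.append(value)

    for value in values:
        add(value)
        if not is_plain_user(value):
            continue
        forms = [value]
        if not case_sensitive:
            forms.append(value.lower())
        for form in list(forms):
            forms.append(qualify(form, domain))
        for form in forms:
            add(form)
    return out


def cache_rule(rule, domain, case_sensitive):
    """Copy of an LDAP sudoRule as it would be stored in the cache."""
    cached = dict(rule)
    cached["sudoUser"] = normalise_sudo_users(rule["sudoUser"], domain,
                                              case_sensitive)
    return cached


def split_login(login, domain, case_sensitive):
    """Mimic the responder's name parsing: 'user@dom' -> (user, dom);
    in a case-insensitive domain both parts are lowered."""
    user, dom = login.rsplit("@", 1) if "@" in login else (login, domain)
    if not case_sensitive:
        user, dom = user.lower(), dom.lower()
    return user, dom


def rule_matches_user(rule, login, domain, case_sensitive):
    """Does a cached rule apply to the login name the responder received?
    ALL in sudoUser matches everybody; group/netgroup tokens are out of
    scope for this sketch."""
    user, dom = split_login(login, domain, case_sensitive)
    wanted = {"ALL", user, f"{user}@{dom}"}
    return any(v in wanted for v in rule["sudoUser"])


# Constructed sample rule as it would come from LDAP (mixed case, tokens).
SAMPLE_RULE = {
    "cn": "admins-rule",
    "sudoUser": ["Administrator", "%Domain Admins", "+NetAdmins", "#1500"],
    "sudoHost": ["ALL"],
    "sudoCommand": ["/usr/bin/systemctl"],
}
DOMAIN = "scorpion.domain"


if __name__ == "__main__":
    login = "administrator@scorpion.domain"
    cached = cache_rule(SAMPLE_RULE, DOMAIN, case_sensitive=False)
    # The raw rule misses the lowercase login; the normalised one matches it.
    print("raw rule matches:", rule_matches_user(SAMPLE_RULE, login, DOMAIN, False))
    print("cached rule matches:", rule_matches_user(cached, login, DOMAIN, False))
    print("cached sudoUser:", cached["sudoUser"])
```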
[SSSD] [sssd PR#73][closed] AD_PROVIDER: Enabled subdomains (1.13)
URL: https://github.com/SSSD/sssd/pull/73 Author: celestian Title: #73: AD_PROVIDER: Enabled subdomains (1.13) Action: closed
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/73/head:pr73
git checkout pr73
[SSSD] [sssd PR#73][+Pushed] AD_PROVIDER: Enabled subdomains (1.13)
URL: https://github.com/SSSD/sssd/pull/73 Title: #73: AD_PROVIDER: Enabled subdomains (1.13) Label: +Pushed
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) jhrozek commented: """
On Tue, Nov 08, 2016 at 04:13:43AM -0800, celestian wrote:
> I pushed new version, only one difference -- I fix cherry-pick pointer.
> The patch works without `sudoUserAlias` but it still adds fq names to
> sudoUser.
> Is it OK? Is there way how to avoid fq names?

Well, the second patch explicitly qualifies the names, is there a reason to qualify them?

btw I haven't tested this patchset at all yet, do the qualified names work at all?
"""
See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-259122246
[SSSD] [sssd PR#73][comment] AD_PROVIDER: Enabled subdomains (1.13)
URL: https://github.com/SSSD/sssd/pull/73 Title: #73: AD_PROVIDER: Enabled subdomains (1.13) lslebodn commented: """
On (08/11/16 03:06), Jakub Hrozek wrote:
>I tested the patches with a setup that consists of three domains
>(win.trust.test, child.win.trust.test and sibling.win.trust.test). The patch
>works good, I tested by disabling the global catalog to make sure the
>connections always hit the AD DC in that particular domain and inspected the
>subdomains objectclass in the cache.
>
>I also checked for memory errors in valgrind.
>
>Since all my tests passed, ACK to this patch.
>
sssd-1-13:
* efba0221c407af832727da26fa45c7aa326c89b9
* 7c7781a6632dc46d73567bf90ba1d0bf1c0e4a17
* 5c9e24c1558c782d2f1bf89724043769953e202d
* 854d6513ac5d1b2ba666d6b120e702081bbb1633

LS
"""
See the full comment at https://github.com/SSSD/sssd/pull/73#issuecomment-259122034
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """
I pushed new version, only one difference -- I fix cherry-pick pointer.
The patch works without `sudoUserAlias` but it still adds fq names to sudoUser.
Is it OK? Is there way how to avoid fq names?
"""
See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-259121334
[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Author: celestian Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/39/head:pr39 git checkout pr39 From 92c5b11f1c17454a5b258f3776224124a808af3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?=Date: Wed, 12 Oct 2016 16:48:38 +0200 Subject: [PATCH 1/2] SYSDB: Adding lowercase sudoUser form If domain is not case sensitive we add lowercase form of usernames to sudoUser attributes. So we actually able to apply sudoRule on user Administrator@... with login admnistrator@... Resolves: https://fedorahosted.org/sssd/ticket/3203 (cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645) --- src/db/sysdb_sudo.c | 63 + 1 file changed, 63 insertions(+) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 76116ab..ecf350f 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c 
@@ -801,6 +801,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, return EOK; } +static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, +struct sysdb_attrs *rule) +{ +TALLOC_CTX *tmp_ctx; +const char **users = NULL; +const char *lowered = NULL; +errno_t ret; + +if (domain->case_sensitive == true || rule == NULL) { +return EOK; +} + +tmp_ctx = talloc_new(NULL); +if (tmp_ctx == NULL) { +return ENOMEM; +} + +ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx, + ); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", +SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +if (users == NULL) { +ret = EOK; +goto done; +} + +for (int i = 0; users[i] != NULL; i++) { +lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]); +if (lowered == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n"); +ret = ENOMEM; +goto done; +} + +if (strcmp(users[i], lowered) == 0) { +/* It protects us from adding duplicate. */ +continue; +} + +ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, + "Unable to add %s attribute [%d]: %s\n", + SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +} + +ret = EOK; + +done: +talloc_zfree(tmp_ctx); +return ret; +} + static errno_t sysdb_sudo_store_rule(struct sss_domain_info *domain, struct sysdb_attrs *rule, @@ -817,6 +875,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain, DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name); +ret = sysdb_sudo_add_lowered_users(domain, rule); +if (ret != EOK) { +return ret; +} + ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now); if (ret != EOK) { return ret; From d521c43a46689730ad92c5bdfa13a69590c66307 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Tue, 18 Oct 2016 10:01:43 +0200 Subject: [PATCH 2/2] SYSDB: Adding fq user names to cached sudoRules This patch adds fg user names to sudoUser attribute of cached sudoRules. Resolves: https://fedorahosted.org/sssd/ticket/3203 --- src/db/sysdb_sudo.c | 55 + 1 file changed, 55 insertions(+) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index ecf350f..3c37f9b 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -801,6 +801,56 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, return EOK; } +static errno_t sysdb_sudo_add_fq_users(struct sss_domain_info *domain, + struct sysdb_attrs *rule) +{ +TALLOC_CTX *tmp_ctx; +const char **users = NULL; +const char *fqname = NULL; +errno_t ret; + +tmp_ctx = talloc_new(NULL); +if (tmp_ctx == NULL) { +return ENOMEM; +} + +ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx, + ); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", +SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +if (users == NULL) { +ret = EOK; +goto done; +} + +for (int i = 0; users[i] != NULL; i++) { +fqname = sss_tc_fqname(tmp_ctx, domain->names, domain, users[i]); +if (fqname == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "Could not create fgname.\n"); +ret = ENOMEM; +
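Review bot: in the `for` loop of `sysdb_sudo_add_lowered_users` the only duplicate guard is `strcmp(users[i], lowered) == 0`, which compares a value with its own lowercased form, so a rule whose sudoUser already lists both `Administrator` and `administrator` gets a second `administrator` value added by `sysdb_attrs_add_string`; check the lowered form against the other entries of `users` (or deduplicate the attribute) before adding it. The loop also lowers every value regardless of the sudoers syntax, so `ALL` gains an extra `all` value and `+NetGroup` an extra `+netgroup`; restricting the lowering to plain user names (skipping `ALL` and the `%`, `+`, `#` tokens) would avoid storing values no lookup is meant to match.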
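Review bot: `sysdb_sudo_add_fq_users` hands every sudoUser value to `sss_tc_fqname` without looking at what the value is, so `ALL`, `%group`, `+netgroup` and `#uid` entries get a domain suffix appended as well; as with the lowering patch, only plain user names should be qualified. Two typos while you are there: the commit message says "adds fg user names" and the debug message reads "Could not create fgname."; both should say fq.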
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """
Since we have patch set for 1.15 pushed I will prepare proper cherry picking.
"""
See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-259118455
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) pbrezina commented: """
So what is the current plan here?
"""
See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-259118986
[SSSD] [sssd PR#69][comment] krb5: Use command line arguments instead env vars for krb5_child
URL: https://github.com/SSSD/sssd/pull/69 Title: #69: krb5: Use command line arguments instead env vars for krb5_child lslebodn commented: """
On (08/11/16 03:33), celestian wrote:
>Code looks good to me. CI tests passed:
>http://sssd-ci.duckdns.org/logs/job/56/34/summary.html
>
>=> ACK

just FYI. This code is not tested in upstream integration tests. So implication does not work here :-)

LS
"""
See the full comment at https://github.com/SSSD/sssd/pull/69#issuecomment-259114989
[SSSD] [sssd PR#69][+Accepted] krb5: Use command line arguments instead env vars for krb5_child
URL: https://github.com/SSSD/sssd/pull/69 Title: #69: krb5: Use command line arguments instead env vars for krb5_child Label: +Accepted
[SSSD] [sssd PR#69][comment] krb5: Use command line arguments instead env vars for krb5_child
URL: https://github.com/SSSD/sssd/pull/69 Title: #69: krb5: Use command line arguments instead env vars for krb5_child celestian commented: """
Code looks good to me. CI tests passed:
http://sssd-ci.duckdns.org/logs/job/56/34/summary.html

=> ACK
"""
See the full comment at https://github.com/SSSD/sssd/pull/69#issuecomment-259113969
[SSSD] [sssd PR#43][-Accepted] RESPONDER: Enable sudoRule in case insen. domains (1.15)
URL: https://github.com/SSSD/sssd/pull/43 Title: #43: RESPONDER: Enable sudoRule in case insen. domains (1.15) Label: -Accepted
[SSSD] [sssd PR#43][+Pushed] RESPONDER: Enable sudoRule in case insen. domains (1.15)
URL: https://github.com/SSSD/sssd/pull/43 Title: #43: RESPONDER: Enable sudoRule in case insen. domains (1.15) Label: +Pushed
[SSSD] [sssd PR#43][closed] RESPONDER: Enable sudoRule in case insen. domains (1.15)
URL: https://github.com/SSSD/sssd/pull/43 Author: celestian Title: #43: RESPONDER: Enable sudoRule in case insen. domains (1.15) Action: closed
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/43/head:pr43
git checkout pr43
[SSSD] [sssd PR#43][comment] RESPONDER: Enable sudoRule in case insen. domains (1.15)
URL: https://github.com/SSSD/sssd/pull/43 Title: #43: RESPONDER: Enable sudoRule in case insen. domains (1.15) jhrozek commented: """
master:
f4a1046bb88d7a0ab3617e49ae94bfa849d10645
23637e2fd2b1fe42bdd2335893a11ac8016f56bc

sssd-1-14:
143b1dcbbe865a139616a22b139e19bd772e46f0
88239b7f17f599aefa88a8a31c2d0ea44b766c87
"""
See the full comment at https://github.com/SSSD/sssd/pull/43#issuecomment-259112827
[SSSD] [sssd PR#73][+Accepted] AD_PROVIDER: Enabled subdomains (1.13)
URL: https://github.com/SSSD/sssd/pull/73 Title: #73: AD_PROVIDER: Enabled subdomains (1.13) Label: +Accepted
[SSSD] [sssd PR#74][opened] IPA/AD: check auth ctx before using it
URL: https://github.com/SSSD/sssd/pull/74 Author: sumit-bose Title: #74: IPA/AD: check auth ctx before using it Action: opened
PR body: """
In e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 a feature was introduced to set the 'canonicalize' option in the system-wide Kerberos configuration according to the settings in SSSD if the AD or IPA provider were used. Unfortunately the patch implied that the auth provider is the same as the id provider which might not always be the case. A different auth provider caused a crash in the backend which is fixed by this patch.

Resolves https://fedorahosted.org/sssd/ticket/3234

I tried to add an integration test to see if SSSD can start with a mixed configuration but the AD provider tries to set some SASL parameters which require e.g. an existing keytab which is afaik currently not available in the integration test. Since this issue is easy to reproduce manually (start SSSD with id_provider=ad and auth_provider=krb5) I hope it is acceptable that an integration test can be added later when the infrastructure for AD provider tests is available?
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/74/head:pr74
git checkout pr74
From ca62775b3e6ad1bb4212476a8b6a413e13a9b6ed Mon Sep 17 00:00:00 2001
From: Sumit BoseDate: Tue, 8 Nov 2016 11:51:57 +0100 Subject: [PATCH] IPA/AD: check auth ctx before using it In e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 a feature was introduced to set the 'canonicalize' option in the system-wide Kerberos configuration according to the settings in SSSD if the AD or IPA provider were used. Unfortunately the patch implied that the auth provider is the same as the id provider which might not always be the case. A different auth provider caused a crash in the backend which is fixed by this patch. Resolves https://fedorahosted.org/sssd/ticket/3234 --- src/providers/ad/ad_subdomains.c | 13 +++-- src/providers/ipa/ipa_subdomains.c | 20 +--- 2 files changed, 28 insertions(+), 5 deletions(-) diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index 52bf536..5e57d21 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c @@ -618,14 +618,23 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx) { const char *path; errno_t ret; -bool canonicalize; +bool canonicalize = false; path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic, AD_KRB5_CONFD_PATH); -canonicalize = dp_opt_get_bool( +if (subdoms_ctx->ad_id_ctx->ad_options->auth_ctx != NULL +&& subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts != NULL) { +canonicalize = dp_opt_get_bool( subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts, KRB5_CANONICALIZE); +} else { +DEBUG(SSSDBG_CONF_SETTINGS, "Auth provider data is not available, " +"most probably because the auth provider " +"is not 'ad'. Kerberos configuration " +"snippet to set the 'canonicalize' option " +"will not be created.\n"); +} ret = sss_write_krb5_conf_snippet(path, canonicalize); if (ret != EOK) { diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c index 8653e3f..b2e96b2 100644 --- a/src/providers/ipa/ipa_subdomains.c +++ b/src/providers/ipa/ipa_subdomains.c 
@@ -73,16 +73,30 @@ static errno_t ipa_subdom_reinit(struct ipa_subdomains_ctx *ctx) { errno_t ret; +bool canonicalize = false; DEBUG(SSSDBG_TRACE_INTERNAL, "Re-initializing domain %s\n", ctx->be_ctx->domain->name); +if (ctx->ipa_id_ctx->ipa_options->auth_ctx != NULL + && ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx != NULL + && ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts != NULL + ) { +canonicalize = dp_opt_get_bool( +ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts, +KRB5_CANONICALIZE); +} else { +DEBUG(SSSDBG_CONF_SETTINGS, "Auth provider data is not available, " +"most probably because the auth provider " +"is not 'ipa'. Kerberos configuration " +"snippet to set the 'canonicalize' option " +"will not be created.\n"); +} + ret = sss_write_krb5_conf_snippet( dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic, IPA_KRB5_CONFD_PATH), - dp_opt_get_bool( -ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts, -
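Review bot: in `ad_subdom_reinit` the `else` branch logs that the Kerberos configuration snippet "will not be created", but control still falls through to `ret = sss_write_krb5_conf_snippet(path, canonicalize);` with `canonicalize` at its new default of `false`, so the call is made with canonicalize disabled rather than skipped; either leave the function (or jump past the call) in the `else` branch, or reword the message to say the option is written as false. The `bool canonicalize = false;` initialisation is needed either way, since the `else` path no longer assigns the variable.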
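Review bot: `ipa_subdom_reinit` has the same message/behaviour mismatch as the AD hunk: after logging that the snippet "will not be created" it still reaches the `ret = sss_write_krb5_conf_snippet(` call with `canonicalize = false`. Style-wise, the chain `ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts` is spelled out in all three NULL checks and again in the `dp_opt_get_bool` call; storing `ctx->ipa_id_ctx->ipa_options->auth_ctx` in a local first would keep the condition readable.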
[SSSD] Re: Design discussion: Fleet Commander integration
On Fri, Oct 7, 2016 at 10:22 AM, Jakub Hrozek wrote:
> On Thu, Oct 06, 2016 at 06:38:23PM +0200, Sumit Bose wrote:
>> On Thu, Oct 06, 2016 at 04:41:10PM +0200, Jakub Hrozek wrote:
>> > Hi,
>> >
>> > with Alexander's help, I wrote up a design page about how SSSD should
>> > read Fleet Commander data from IPA and present them to the FC client
>> > component. The SSSD part is described here:
>> > https://fedorahosted.org/sssd/wiki/DesignDocs/FleetCommanderIntegration
>> > and the IPA part is here:
>> >
>> > https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
>> >
>> > For convenience, I copied the SSSD wiki page below. Comments are welcome!
>> >
>>
>> ...
>>
>> >
>> > Looking up the Fleet Commander profiles and storing the JSON profile
>> > data
>> > Since the first implementation will only fetch rules that are linked to
>> > this host and the user in question, the SSSD's session provider will issue
>> > an LDAP search along these lines:
>> > {{{
>> >
>> > (&(objectclass=ipadeskprofilerule)(memberHost=my_fqdn_or_my_host_group)(memberUser=user_login_or_group))
>> > }}}
>> >
>> > All host groups the IPA client is a member of must be included in the
>> > `memberHost` part of the filter. Additionally, all user groups must be
>> > included in the `memberUser` part of the filter. Since in most cases,
>> > the user's groups will be resolved during the login, we will only issue
>> > an initgroups request in case the user's initgroups are expired already
>> > to cover cases where the sessions provider was invoked separately.
>>
>> I wonder if it would be more efficient to read all profiles which apply
>> to the host in a single run, store them in the cache and do the remaining
>> part of the processing locally? Iirc this is what we do with HBAC rules
>> and there might be a chance to reuse some of the HBAC code but just look
>> for objectclass ipadeskprofilerule instead of ipahbacrule?
>>
>> Since there are host and user categories mentioned on the server side
>> design page I guess the underlying objectclass is ipaAssociation and
>> because of this it makes even more sense to reuse as much of the HBAC
>> lookup code as possible.
>
> Yes, of course you are right, fetching the per-host data is almost always
> a good idea. I changed the wiki page:
>
> https://fedorahosted.org/sssd/wiki/DesignDocs/FleetCommanderIntegration?action=diff=3_version=1

Since I started working on this a few changes have been done in the Design (and I've talked to Jakub on IRC about those all the time). In case anyone is interested, here are the changes:
https://fedorahosted.org/sssd/wiki/DesignDocs/FleetCommanderIntegration?action=diff=7_version=3

Best Regards,
--
Fabiano Fidêncio
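As an added example, not SSSD's or FreeIPA's own code: a Python sketch of the two-stage lookup Sumit proposes, a per-host LDAP search for `ipadeskprofilerule` entries whose result can be cached, followed by local evaluation of the `memberUser` part for the user, in the style of the HBAC processing. The `hostCategory`/`userCategory` attributes, the use of plain names instead of DNs in `memberHost`/`memberUser`, the filter-escaping helper and the sample rules are assumptions of this example.

```python
# Added example, not SSSD or FreeIPA code: per-host lookup of
# ipadeskprofilerule entries followed by local evaluation for the user,
# as suggested in the thread (mirroring the HBAC flow). The attribute
# names hostCategory/userCategory, plain names instead of DNs in
# memberHost/memberUser, and the rules below are assumptions.

# RFC 4515 escaping for values interpolated into an LDAP search filter;
# without it a host group or login name containing filter metacharacters
# would change the meaning of the query.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def host_profile_filter(fqdn, hostgroups):
    """Server side: fetch every rule linked to this host, to one of its host
    groups, or to all hosts, regardless of the user, so the result can be
    cached and the memberUser part evaluated locally."""
    hosts = [fqdn, *hostgroups]
    member = "".join(f"(memberHost={ldap_escape(h)})" for h in hosts)
    return ("(&(objectclass=ipadeskprofilerule)"
            f"(|{member}(hostCategory=all)))")


def rule_applies_to_host(rule, fqdn, hostgroups):
    """The selection the filter above performs, as a predicate so the
    constructed sample can be filtered offline."""
    if rule.get("hostCategory", "").lower() == "all":
        return True
    members = {m.lower() for m in rule.get("memberHost", [])}
    return fqdn.lower() in members or any(g.lower() in members for g in hostgroups)


def rule_applies_to_user(rule, login, groups):
    """Local side: the user match, run against the cached per-host rules
    with the user's (possibly refreshed) group list."""
    if rule.get("userCategory", "").lower() == "all":
        return True
    members = {m.lower() for m in rule.get("memberUser", [])}
    return login.lower() in members or any(g.lower() in members for g in groups)


def applicable_profiles(all_rules, fqdn, hostgroups, login, groups):
    """Two stages: per-host fetch (cacheable), then per-user evaluation."""
    cached = [r for r in all_rules if rule_applies_to_host(r, fqdn, hostgroups)]
    return [r["cn"] for r in cached if rule_applies_to_user(r, login, groups)]


# Constructed sample directory content.
SAMPLE_RULES = [
    {"cn": "dev-gnome", "memberHost": ["workstations"], "memberUser": ["developers"]},
    {"cn": "screen-lock", "hostCategory": "all", "userCategory": "all"},
    {"cn": "alice-ws1", "memberHost": ["ws1.ipa.test"], "memberUser": ["alice"]},
    {"cn": "kiosk", "memberHost": ["kiosks"], "memberUser": ["developers"]},
]

if __name__ == "__main__":
    print(host_profile_filter("ws1.ipa.test", ["workstations"]))
    print(applicable_profiles(SAMPLE_RULES, "ws1.ipa.test", ["workstations"],
                              "alice", ["developers"]))
```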
[SSSD] [sssd PR#71][comment] MONITOR: Do not set up watchdog for monitor
URL: https://github.com/SSSD/sssd/pull/71 Title: #71: MONITOR: Do not set up watchdog for monitor jhrozek commented: """
master: fbe6644aa28d93f492434950680c5618eb567712
sssd-1-14: 2d88a121918e800b266d018d43dad9bd374b10a7
"""
See the full comment at https://github.com/SSSD/sssd/pull/71#issuecomment-259093656
[SSSD] [sssd PR#71][closed] MONITOR: Do not set up watchdog for monitor
URL: https://github.com/SSSD/sssd/pull/71 Author: jhrozek Title: #71: MONITOR: Do not set up watchdog for monitor Action: closed
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/71/head:pr71
git checkout pr71
[SSSD] [sssd PR#71][+Pushed] MONITOR: Do not set up watchdog for monitor
URL: https://github.com/SSSD/sssd/pull/71 Title: #71: MONITOR: Do not set up watchdog for monitor Label: +Pushed
[SSSD] [sssd PR#43][comment] RESPONDER: Enable sudoRule in case insen. domains (1.15)
URL: https://github.com/SSSD/sssd/pull/43 Title: #43: RESPONDER: Enable sudoRule in case insen. domains (1.15) pbrezina commented: """
Ok, I'm fine with this patch due to the indexing issue.
"""
See the full comment at https://github.com/SSSD/sssd/pull/43#issuecomment-259093311
[SSSD] [sssd PR#70][comment] check_duplicate: check name member before using it
URL: https://github.com/SSSD/sssd/pull/70 Title: #70: check_duplicate: check name member before using it sumit-bose commented: """
@lslebodn, the patch adds a new unit-test test_extra_opts_empty_name() which covers the crash. What would be the benefit of checking it in the integration tests as well?
"""
See the full comment at https://github.com/SSSD/sssd/pull/70#issuecomment-259091650
[SSSD] Re: [PATCHES] views: properly override group member names - 1.13 backport
On (08/11/16 10:19), Lukas Slebodnik wrote:
>On (24/10/16 16:59), Sumit Bose wrote:
>>Hi,
>>
>>please find attached a backport to 1.13 of the given patch set including
>>fixes from Lukas.
>>
>>Its intention is to fix https://fedorahosted.org/sssd/ticket/3118 /
>>https://bugzilla.redhat.com/show_bug.cgi?id=1367802 without introducing
>>a new patch. As a side-effect the issue with missing overridden names
>>from group members is fixed as well. But since the patches touch
>>various parts of the group lookup code it should be carefully tested for
>>regressions.
>>
>ACK
>
>http://sssd-ci.duckdns.org/logs/job/56/38/summary.html
>
sssd-1-13:
* 55fc0bb19e6205af13828a98592b283d3b6d24e0
* 19ba10fcc7dbdfdd7a238fa94f57605cf16fc28e
* 8e19dce22b286f1f815cba7150149ab249a62854
* 5d64343d5ffed9cb42184eb30e5bf1871d8196d5
* ce714745ad28dfb6dcfd9f8f8983e492661a6e2f
* 3bea6818a3432a349a9901a84fd517c052b19f69

LS
[SSSD] [sssd PR#71][comment] MONITOR: Do not set up watchdog for monitor
URL: https://github.com/SSSD/sssd/pull/71 Title: #71: MONITOR: Do not set up watchdog for monitor lslebodn commented: """
ACK

LS
"""
See the full comment at https://github.com/SSSD/sssd/pull/71#issuecomment-259090619
[SSSD] [sssd PR#70][-Accepted] check_duplicate: check name member before using it
URL: https://github.com/SSSD/sssd/pull/70 Title: #70: check_duplicate: check name member before using it Label: -Accepted
[SSSD] [sssd PR#70][comment] check_duplicate: check name member before using it
URL: https://github.com/SSSD/sssd/pull/70 Title: #70: check_duplicate: check name member before using it lslebodn commented: """
I would appreciate integration test for the crash. Feel free to extend `test_extra_attribute_already_exists` or create new one.
"""
See the full comment at https://github.com/SSSD/sssd/pull/70#issuecomment-259087435
[SSSD] [sssd PR#70][+Changes requested] check_duplicate: check name member before using it
URL: https://github.com/SSSD/sssd/pull/70 Title: #70: check_duplicate: check name member before using it Label: +Changes requested
[SSSD] about letting the responder choose the sysdb optimization level
Hi,

I would like to ask for opinions about: https://fedorahosted.org/sssd/ticket/3126

The basic idea is that the responder would choose what kind of optimization the back end would perform when saving the sysdb entries. Requests that just return information might choose to optimize very aggressively (using modifyTimestamp) and requests that actually authenticate or authorize the user might choose to not optimize at all to avoid issues like the ones we saw with virtual attributes that don't bump the modifyTimestamp attribute at all.

On the responder side, this is quite easy, just send an additional flag during the responder request. It's the provider part I'm not so sure about, because there the optimizations are performed at the sysdb level.

So far I can only think about extending sysdb_transaction_start() (or providing sysdb_opt_transaction_start and letting the old sysdb_transaction_start default to no optimization) which would internally keep track of the active transaction and the optimization we want to perform, since only sssd_be is the cache writer and there is only one cache per domain. Additionally, we would have to keep the transaction optimization level around in some context until the request bubbles from the data provider handler to actually saving the transaction. I hope this won't be too messy, but since the requests are asynchronous, so far I don't see any way around it.

The only thing that might be less messy in the long term is to provide a bit more generic structure ("request status") that would so far only include the optimization level and later might be extended to include e.g. intermediate data. But on the other hand, I'm not sure I have thought about passing the data between requests hard enough to design this properly. Should I?

Any other opinions? Thoughts?
[SSSD] [sssd PR#70][+Accepted] check_duplicate: check name member before using it
URL: https://github.com/SSSD/sssd/pull/70 Title: #70: check_duplicate: check name member before using it Label: +Accepted
[SSSD] [sssd PR#70][comment] check_duplicate: check name member before using it
URL: https://github.com/SSSD/sssd/pull/70 Title: #70: check_duplicate: check name member before using it celestian commented: """
I tested manually with IPA provider. It works and I was informed about attribute collision:
```
[sdap_extend_map] (0x0010): Attribute entryUSN (abc in LDAP) is already used by SSSD, please choose a different cache name
```
CI tests passed:
http://sssd-ci.duckdns.org/logs/job/56/33/summary.html

=> ACK
"""
See the full comment at https://github.com/SSSD/sssd/pull/70#issuecomment-259085686
[SSSD] Re: [PATCHES] views: properly override group member names - 1.13 backport
On (24/10/16 16:59), Sumit Bose wrote:
>Hi,
>
>please find attached a backport to 1.13 of the given patch set including
>fixes from Lukas.
>
>Its intention is to fix https://fedorahosted.org/sssd/ticket/3118 /
>https://bugzilla.redhat.com/show_bug.cgi?id=1367802 without introducing
>a new patch. As a side-effect the issue with missing overridden names
>from group members is fixed as well. But since the patches touch
>various parts of the group lookup code it should be carefully tested for
>regressions.
>
ACK

http://sssd-ci.duckdns.org/logs/job/56/38/summary.html

LS
[SSSD] Re: [PATCHES] views: properly override group member names
On Tue, Nov 08, 2016 at 08:14:20AM +0100, Lukas Slebodnik wrote:
> On (26/07/16 22:05), Sumit Bose wrote:
> >On Tue, Jul 26, 2016 at 06:06:48PM +0200, Jakub Hrozek wrote:
> >> On Tue, Jul 26, 2016 at 05:25:11PM +0200, Jakub Hrozek wrote:
> >> > On Tue, Jul 26, 2016 at 01:51:56PM +0200, Sumit Bose wrote:
> >> > > > > The third patch adds a sysdb call to recursively resolve all
> >> > > > > user-members of a group. Since the groups in SSSD's cache are
> >> > > > > hierarchically organized the member attribute only contains direct
> >> > > > > user and group members. To get all users the group members must be
> >> > > > > resolved recursively.
> >> > > >
> >> > > > Would dereferencing memberof:top-level-group yield different results?
> >> > >
> >> > > It worked in my testing but I have to admit that I'm not sure if it can
> >> > > be used reliably all the time, i.e. is independent of all the different
> >> > > lookup sequences you can have with nested groups. If you are sure it is
> >> > > reliable, the call can be simplified.
> >> >
> >> > This is how memberof is supposed to work. I haven't tested all
> >> > scenarios either (if there are some corner cases you'd like me to test,
> >> > just let me know), but if there are differences, I would say these would
> >> > be bugs in the memberof plugin and should be fixed.
> >>
> >> btw the patches seem to work fine, I tested getent passwd on an
> >> overridden user, getent group on a group this user is a memberof (both an
> >> AD group and an IPA group with an external group in it) and id of this
> >> user.
> >>
> >> All lookups show the expected data. Coverity is clean and CI passed.
> >>
> >> Therefore provisional ACK - the only remaining point remains the recursive
> >> member vs. memberof part. I don't mind accepting the patch as-is now,
> >> if we agree to open a ticket and switch to memberof later in 1.14.
> >
> >Please have a look at attached patch, it replaces the recursive member
> >based lookup by a (memberof=group_dn) search. It works well for me in
> >some basic tests.
> >
> >bye,
> >Sumit
> >
> >From ee8ebcec8062d75e98da796b291973fd96d45b1c Mon Sep 17 00:00:00 2001
> >From: Sumit Bose
> >Date: Tue, 26 Jul 2016 21:30:41 +0200
> >Subject: [PATCH] sysdb_get_user_members_recursively: use memberof search
> >
> >---
> > src/db/sysdb_ops.c | 181
> > src/tests/cmocka/test_nss_srv.c | 30 +++
> > 2 files changed, 33 insertions(+), 178 deletions(-)
> >
> Jakub,
>
> is there a reason why this patch has not been pushed to master yet?

Please see the earlier replies in this thread. We agreed with Sumit to squash this patch into the previous ones, so if you take a look at 17bfd9f69251781140e4b2b55ffeb649d7a79e86 it already uses memberof search.
[SSSD] [sssd PR#73][-Changes requested] AD_PROVIDER: Enabled subdomains (1.13)
URL: https://github.com/SSSD/sssd/pull/73 Title: #73: AD_PROVIDER: Enabled subdomains (1.13) Label: -Changes requested
[SSSD] [sssd PR#73][comment] AD_PROVIDER: Enabled subdomains (1.13)
URL: https://github.com/SSSD/sssd/pull/73 Title: #73: AD_PROVIDER: Enabled subdomains (1.13) celestian commented: """ I pushed a new version with ```(cherry picked from commit...``` (It is done manually) """ See the full comment at https://github.com/SSSD/sssd/pull/73#issuecomment-259075858
[SSSD] [sssd PR#73][synchronized] AD_PROVIDER: Enabled subdomains (1.13)
URL: https://github.com/SSSD/sssd/pull/73 Author: celestian Title: #73: AD_PROVIDER: Enabled subdomains (1.13) Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/73/head:pr73 git checkout pr73 From 6c22ced196f0b230c7e830a7f60bf607c262b0dd Mon Sep 17 00:00:00 2001 From: Petr CechDate: Fri, 13 May 2016 05:21:07 -0400 Subject: [PATCH 1/4] AD_PROVIDER: Add ad_enabled_domains option Resolves: https://fedorahosted.org/sssd/ticket/2828 (cherry picked from commit d6342c92c226becbdd254f90a0005b8c00c300dc) --- src/config/SSSDConfig/__init__.py.in | 1 + src/config/etc/sssd.api.d/sssd-ad.conf | 1 + src/man/sssd-ad.5.xml | 27 +++ src/providers/ad/ad_common.h | 1 + src/providers/ad/ad_opts.c | 1 + 5 files changed, 31 insertions(+) diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index ae9f973..11c290b 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -185,6 +185,7 @@ option_strings = { # [provider/ad] 'ad_domain' : _('Active Directory domain'), +'ad_enabled_domains' : _('Enabled Active Directory domains'), 'ad_server' : _('Active Directory server address'), 'ad_backup_server' : _('Active Directory backup server address'), 'ad_hostname' : _('Active Directory client hostname'), diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf index 23006d2..0d16387 100644 --- a/src/config/etc/sssd.api.d/sssd-ad.conf +++ b/src/config/etc/sssd.api.d/sssd-ad.conf @@ -1,5 +1,6 @@ [provider/ad] ad_domain = str, None, false +ad_enabled_domains = str, None, false ad_server = str, None, false ad_backup_server = str, None, false ad_hostname = str, None, false diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index 54a4b56..d7d7651 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml 
@@ -114,6 +114,33 @@ ldap_id_mapping = False +ad_enabled_domains (string) + + +A comma-separated list of enabled Active Directory domains. +If provided, SSSD will ignore any domains not listed in this +option. If left unset, all domains from the AD forest will +be available. + + +For proper operation, this option must be specified in all +lower-case and as the fully qualified domain name of the +Active Directory domain. For example: + +ad_enabled_domains = sales.example.com, eng.example.com + + + +The short domain name (also known as the NetBIOS or the flat +name) will be autodetected by SSSD. + + +Default: Not set + + + + + ad_server, ad_backup_server (string) diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h index c795a41..2f5f3a4 100644 --- a/src/providers/ad/ad_common.h +++ b/src/providers/ad/ad_common.h @@ -42,6 +42,7 @@ struct ad_options; enum ad_basic_opt { AD_DOMAIN = 0, +AD_ENABLED_DOMAINS, AD_SERVER, AD_BACKUP_SERVER, AD_HOSTNAME, diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c index 15024ad..aefcaaf 100644 --- a/src/providers/ad/ad_opts.c +++ b/src/providers/ad/ad_opts.c @@ -28,6 +28,7 @@ struct dp_option ad_basic_opts[] = { { "ad_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING }, +{ "ad_enabled_domains", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ad_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ad_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ad_hostname", DP_OPT_STRING, NULL_STRING, NULL_STRING }, From f4f38d22ca23735b119dcdbed411da9ecf602b0e Mon Sep 17 00:00:00 2001 From: Petr Cech Date: Tue, 21 Jun 2016 08:34:15 +0200 Subject: [PATCH 2/4] AD_PROVIDER: Initializing of ad_enabled_domains We add ad_enabled_domains into ad_subdomains_ctx. Resolves: https://fedorahosted.org/sssd/ticket/2828 (cherry picked from commit a82baf596bac1fdac6addca6419d8992111a8aa2) --- src/providers/ad/ad_subdomains.c | 81 1 file changed, 81 insertions(+) 
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index f7e7e62..c74e494 100644 --- a/src/providers/ad/ad_subdomains.c +++
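Review bot: the ad_enabled_domains text added to src/man/sssd-ad.5.xml leaves two behaviours undocumented that an administrator will run into: whether the domain set in ad_domain must itself appear in the list or is always enabled, and what happens to an entry that is not lower-case or not fully qualified (rejected at startup, or silently treated as "not listed", which would quietly drop that domain from the forest view). Because the option is a deny-by-omission filter ("SSSD will ignore any domains not listed in this option"), one sentence for each case would prevent hard-to-diagnose misconfigurations; alternatively the "must be specified in all lower-case" requirement could be removed by normalizing the value when it is parsed.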
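Review bot: the option is registered in option_strings (src/config/SSSDConfig/__init__.py.in) and in the [provider/ad] schema (src/config/etc/sssd.api.d/sssd-ad.conf), but the diffstat of patch 1/4 lists only those two files, the man page and the two provider files, with no test change; if the SSSDConfig Python test enumerates the expected provider/ad options, 'ad_enabled_domains' has to be added there too or that test fails on this commit. Worth confirming before merge that CI exercised it.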
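Review bot: AD_ENABLED_DOMAINS goes in right after AD_DOMAIN in enum ad_basic_opt (src/providers/ad/ad_common.h) and the { "ad_enabled_domains", DP_OPT_STRING, NULL_STRING, NULL_STRING } row goes in at the same position in ad_basic_opts[] (src/providers/ad/ad_opts.c). That positional match is the only thing tying the option name to the enum value: if a later change inserts into one and not the other, dp_opt_get_string(opts, AD_ENABLED_DOMAINS) would read a neighbouring option's value without any error. A short comment on the enum stating that the order must mirror ad_opts.c, or a unit test comparing the table's names against the enum order, would lock that invariant down.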