[SSSD] [sssd PR#76][comment] AD: Fix crash in AD subdomain reinit

2016-11-08 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/76
Title: #76: AD: Fix crash in AD subdomain reinit

sumit-bose commented:
"""
PR #74 has the same fix and a similar fix for the IPA provider as well. I'm 
fine with revoking #74 if the fix for the IPA provider is added here as well.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/76#issuecomment-259349272
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#76][comment] AD: Fix crash in AD subdomain reinit

2016-11-08 Thread celestian
  URL: https://github.com/SSSD/sssd/pull/76
Title: #76: AD: Fix crash in AD subdomain reinit

celestian commented:
"""
ok to test
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/76#issuecomment-259348408


[SSSD] [sssd PR#76][comment] AD: Fix crash in AD subdomain reinit

2016-11-08 Thread centos-ci
  URL: https://github.com/SSSD/sssd/pull/76
Title: #76: AD: Fix crash in AD subdomain reinit

centos-ci commented:
"""
Can one of the admins verify this patch?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/76#issuecomment-259315383


[SSSD] [sssd PR#76][comment] AD: Fix crash in AD subdomain reinit

2016-11-08 Thread centos-ci
  URL: https://github.com/SSSD/sssd/pull/76
Title: #76: AD: Fix crash in AD subdomain reinit

centos-ci commented:
"""
Can one of the admins verify this patch?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/76#issuecomment-259315385


[SSSD] [sssd PR#75][comment] Add configurable max payload size limit of a secret

2016-11-08 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/75
Title: #75: Add configurable max payload size limit of a secret

fidencio commented:
"""
Thanks for catching this, @lslebodn.
I've run the CI locally and it has passed. I was wondering what my mistake was 
and `git stash pop` gave me the answer.

Patches have been updated.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/75#issuecomment-259200019


[SSSD] [sssd PR#75][synchronized] Add configurable max payload size limit of a secret

2016-11-08 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/75
Author: fidencio
 Title: #75: Add configurable max payload size limit of a secret
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/75/head:pr75
git checkout pr75
From 9119622f6cd44b84261e99649437c3b524e8d51d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Tue, 8 Nov 2016 16:39:48 +0100
Subject: [PATCH 1/2] SECRETS: Delete all secrets stored during "max_secrets"
 test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Otherwise we will have a 507 error in case any secret is added by any
of the tests that may be implemented in the future.

Signed-off-by: Fabiano Fidêncio 
---
 src/tests/intg/test_secrets.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py
index 57b8f3f..09a91e0 100644
--- a/src/tests/intg/test_secrets.py
+++ b/src/tests/intg/test_secrets.py
@@ -151,6 +151,10 @@ def test_crd_ops(setup_for_secrets, secrets_cli):
 cli.set_secret(str(MAX_SECRETS), sec_value)
 assert str(err507.value).startswith("507")
 
+# Delete all stored secrets used for max secrets tests
+for x in xrange(MAX_SECRETS):
+cli.del_secret(str(x))
+
 
 def test_containers(setup_for_secrets, secrets_cli):
 """
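Review bot: the cleanup loop added at the end of `test_crd_ops` only runs when every assertion before it passes, so a failure in the 507 check leaves the MAX_SECRETS secrets behind for whichever test runs next, which is exactly the situation the commit message wants to avoid; moving the `del_secret` loop into a fixture finalizer (or a `try`/`finally` around the body) keeps the isolation regardless of outcome. `xrange` is also Python 2 only; `range` behaves the same here and keeps the test runnable under Python 3.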

From b5b2cf8762f612f49c061e8967087e9f84736add Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Tue, 8 Nov 2016 16:46:21 +0100
Subject: [PATCH 2/2] SECRETS: Add configurable payload size limit of a secret
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves:
https://fedorahosted.org/sssd/ticket/3169

Signed-off-by: Fabiano Fidêncio 
---
 src/confdb/confdb.h|  1 +
 src/config/SSSDConfig/__init__.py.in   |  1 +
 src/config/cfg_rules.ini   |  1 +
 src/config/etc/sssd.api.conf   |  1 +
 src/man/sssd-secrets.5.xml | 12 
 src/responder/secrets/local.c  | 29 +
 src/responder/secrets/providers.c  |  4 
 src/responder/secrets/secsrv.c | 13 +
 src/responder/secrets/secsrv.h |  1 +
 src/responder/secrets/secsrv_private.h |  1 +
 src/tests/intg/test_secrets.py | 15 +++
 src/util/util_errors.c |  1 +
 src/util/util_errors.h |  1 +
 13 files changed, 81 insertions(+)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 2a1e581..12beaab 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -226,6 +226,7 @@
 #define CONFDB_SEC_CONF_ENTRY "config/secrets"
 #define CONFDB_SEC_CONTAINERS_NEST_LEVEL "containers_nest_level"
 #define CONFDB_SEC_MAX_SECRETS "max_secrets"
+#define CONFDB_SEC_MAX_PAYLOAD_SIZE "max_payload_size"
 
 
 struct confdb_ctx;
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 381ff95..be09e8f 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -123,6 +123,7 @@ option_strings = {
 'provider': _('The provider where the secrets will be stored in'),
 'containers_nest_level': _('The maximum allowed number of nested containers'),
 'max_secrets': _('The maximum number of secrets that can be stored'),
+'max_payload_size': _('The maximum payload size of a secret in kilobytes'),
 # secrets - proxy
 'proxy_url': _('The URL Custodia server is listening on'),
 'auth_type': _('The method to use when authenticating to a Custodia server'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index ec716b5..fcb7de9 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -231,6 +231,7 @@ option = description
 option = provider
 option = containers_nest_level
 option = max_secrets
+option = max_payload_size
 # Secrets service - proxy
 option = proxy_url
 option = auth_type
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index be24bce..d591228 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -100,6 +100,7 @@ user_attributes = str, None, false
 provider = str, None, false
 containers_nest_level = int, None, false
 max_secrets = int, None, false
+max_payload_size = int, None, false
 # Secrets service - proxy
 proxy_url = str, None, false
 auth_type = str, None, false
diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml
index 7ec54c2..80e9c40 100644
--- a/src/man/sssd-secrets.5.xml
+++ b/src/man/sssd-secrets.5.xml
@@ -168,6 +168,18 @@ systemctl enable sssd-secrets.service
 
 
 
+
+max_payload_size (integer)
+
+
+This option specifies the maximum payload size allowed for
+   

[SSSD] [sssd PR#75][synchronized] Add configurable max payload size limit of a secret

2016-11-08 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/75
Author: fidencio
 Title: #75: Add configurable max payload size limit of a secret
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/75/head:pr75
git checkout pr75
From 9119622f6cd44b84261e99649437c3b524e8d51d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Tue, 8 Nov 2016 16:39:48 +0100
Subject: [PATCH 1/2] SECRETS: Delete all secrets stored during "max_secrets"
 test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Otherwise we will have a 507 error in case any secret is added by any
of the tests that may be implemented in the future.

Signed-off-by: Fabiano Fidêncio 
---
 src/tests/intg/test_secrets.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py
index 57b8f3f..09a91e0 100644
--- a/src/tests/intg/test_secrets.py
+++ b/src/tests/intg/test_secrets.py
@@ -151,6 +151,10 @@ def test_crd_ops(setup_for_secrets, secrets_cli):
 cli.set_secret(str(MAX_SECRETS), sec_value)
 assert str(err507.value).startswith("507")
 
+# Delete all stored secrets used for max secrets tests
+for x in xrange(MAX_SECRETS):
+cli.del_secret(str(x))
+
 
 def test_containers(setup_for_secrets, secrets_cli):
 """

From 69cb2280af07ed81faee2cd4117a4c0517951e6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Tue, 8 Nov 2016 16:46:21 +0100
Subject: [PATCH 2/2] SECRETS: Add configurable payload size limit of a secret
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves:
https://fedorahosted.org/sssd/ticket/3169

Signed-off-by: Fabiano Fidêncio 
---
 src/confdb/confdb.h|  1 +
 src/config/SSSDConfig/__init__.py.in   |  1 +
 src/config/cfg_rules.ini   |  1 +
 src/config/etc/sssd.api.conf   |  1 +
 src/man/sssd-secrets.5.xml | 12 
 src/responder/secrets/local.c  | 29 +
 src/responder/secrets/providers.c  |  4 
 src/responder/secrets/secsrv.c | 13 +
 src/responder/secrets/secsrv.h |  1 +
 src/responder/secrets/secsrv_private.h |  1 +
 src/tests/intg/test_secrets.py | 15 +++
 src/util/util_errors.h |  1 +
 12 files changed, 80 insertions(+)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 2a1e581..12beaab 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -226,6 +226,7 @@
 #define CONFDB_SEC_CONF_ENTRY "config/secrets"
 #define CONFDB_SEC_CONTAINERS_NEST_LEVEL "containers_nest_level"
 #define CONFDB_SEC_MAX_SECRETS "max_secrets"
+#define CONFDB_SEC_MAX_PAYLOAD_SIZE "max_payload_size"
 
 
 struct confdb_ctx;
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 381ff95..be09e8f 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -123,6 +123,7 @@ option_strings = {
 'provider': _('The provider where the secrets will be stored in'),
 'containers_nest_level': _('The maximum allowed number of nested containers'),
 'max_secrets': _('The maximum number of secrets that can be stored'),
+'max_payload_size': _('The maximum payload size of a secret in kilobytes'),
 # secrets - proxy
 'proxy_url': _('The URL Custodia server is listening on'),
 'auth_type': _('The method to use when authenticating to a Custodia server'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index ec716b5..fcb7de9 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -231,6 +231,7 @@ option = description
 option = provider
 option = containers_nest_level
 option = max_secrets
+option = max_payload_size
 # Secrets service - proxy
 option = proxy_url
 option = auth_type
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index be24bce..d591228 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -100,6 +100,7 @@ user_attributes = str, None, false
 provider = str, None, false
 containers_nest_level = int, None, false
 max_secrets = int, None, false
+max_payload_size = int, None, false
 # Secrets service - proxy
 proxy_url = str, None, false
 auth_type = str, None, false
diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml
index 7ec54c2..80e9c40 100644
--- a/src/man/sssd-secrets.5.xml
+++ b/src/man/sssd-secrets.5.xml
@@ -168,6 +168,18 @@ systemctl enable sssd-secrets.service
 
 
 
+
+max_payload_size (integer)
+
+
+This option specifies the maximum payload size allowed for
+a secret payload in 

[SSSD] [sssd PR#75][opened] Add configurable max payload size limit of a secret

2016-11-08 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/75
Author: fidencio
 Title: #75: Add configurable max payload size limit of a secret
Action: opened

PR body:
"""
This series may conflict with PR53[0], so one or the other will
need to be rebased after the first one gets merged.

[0]: https://github.com/SSSD/sssd/pull/53
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/75/head:pr75
git checkout pr75
From eb66b635628a1c1131407dbd9ac4cbc7f76b176a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Tue, 8 Nov 2016 16:39:48 +0100
Subject: [PATCH 1/2] SECRETS: Delete all secrets stored during "max_secrets"
 test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Otherwise we will have a 507 error in case any secret is added by any
of the tests that may be implemented in the future.

Signed-off-by: Fabiano Fidêncio 
---
 src/tests/intg/test_secrets.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py
index 57b8f3f..09a91e0 100644
--- a/src/tests/intg/test_secrets.py
+++ b/src/tests/intg/test_secrets.py
@@ -151,6 +151,10 @@ def test_crd_ops(setup_for_secrets, secrets_cli):
 cli.set_secret(str(MAX_SECRETS), sec_value)
 assert str(err507.value).startswith("507")
 
+# Delete all stored secrets used for max secrets tests
+for x in xrange(MAX_SECRETS):
+cli.del_secret(str(x))
+
 
 def test_containers(setup_for_secrets, secrets_cli):
 """

From ddaf1d1ef55a14ddd4ea28502072c1fac9365fd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Tue, 8 Nov 2016 16:46:21 +0100
Subject: [PATCH 2/2] SECRETS: Add configurable payload size limit of a secret
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves:
https://fedorahosted.org/sssd/ticket/3169

Signed-off-by: Fabiano Fidêncio 
---
 src/confdb/confdb.h|  1 +
 src/config/SSSDConfig/__init__.py.in   |  1 +
 src/config/cfg_rules.ini   |  1 +
 src/config/etc/sssd.api.conf   |  1 +
 src/man/sssd-secrets.5.xml | 12 
 src/responder/secrets/local.c  | 29 +
 src/responder/secrets/providers.c  |  4 
 src/responder/secrets/secsrv.c | 13 +
 src/responder/secrets/secsrv.h |  1 +
 src/responder/secrets/secsrv_private.h |  1 +
 src/tests/intg/test_secrets.py | 15 +++
 src/util/util_errors.h |  1 +
 12 files changed, 80 insertions(+)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 2a1e581..12beaab 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -226,6 +226,7 @@
 #define CONFDB_SEC_CONF_ENTRY "config/secrets"
 #define CONFDB_SEC_CONTAINERS_NEST_LEVEL "containers_nest_level"
 #define CONFDB_SEC_MAX_SECRETS "max_secrets"
+#define CONFDB_SEC_MAX_PAYLOAD_SIZE "max_payload_size"
 
 
 struct confdb_ctx;
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 381ff95..be09e8f 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -123,6 +123,7 @@ option_strings = {
 'provider': _('The provider where the secrets will be stored in'),
 'containers_nest_level': _('The maximum allowed number of nested containers'),
 'max_secrets': _('The maximum number of secrets that can be stored'),
+'max_payload_size': _('The maximum payload size of a secret in kilobytes'),
 # secrets - proxy
 'proxy_url': _('The URL Custodia server is listening on'),
 'auth_type': _('The method to use when authenticating to a Custodia server'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index ec716b5..fcb7de9 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -231,6 +231,7 @@ option = description
 option = provider
 option = containers_nest_level
 option = max_secrets
+option = max_payload_size
 # Secrets service - proxy
 option = proxy_url
 option = auth_type
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index be24bce..d591228 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -100,6 +100,7 @@ user_attributes = str, None, false
 provider = str, None, false
 containers_nest_level = int, None, false
 max_secrets = int, None, false
+max_payload_size = int, None, false
 # Secrets service - proxy
 proxy_url = str, None, false
 auth_type = str, None, false
diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml
index 7ec54c2..80e9c40 100644
--- a/src/man/sssd-secrets.5.xml
+++ b/src/man/sssd-secrets.5.xml
@@ -168,6 +168,18 @@ systemctl enable sssd-secrets.service
 
 
 
+
+max_payload_size 

[SSSD] Re: [PATCH SET] SYSDB: Adding message to inform about cache

2016-11-08 Thread Lukas Slebodnik
On (07/11/16 14:42), Petr Cech wrote:
>Hi all,
>
>after chat with Lukas I attached only first two patches. Author of the third
>one is Lukas and I am not sure if he is finished. (There was question of
>LD_PRELOAD.)
>
>Regards
>
>-- 
>Petr^4 Čech

>From c67ccc872eb5dacc98f626c10740424cef205334 Mon Sep 17 00:00:00 2001
>From: Petr Cech 
>Date: Tue, 16 Aug 2016 09:32:18 +0200
>Subject: [PATCH 1/3] SYSDB: Adding message to inform which cache is used
>
>Resolves:
>https://fedorahosted.org/sssd/ticket/3060
>---
ACK

>From 1f4e5b03442ea87a117c54a30550fbc357ff10a7 Mon Sep 17 00:00:00 2001
>From: Petr Cech 
>Date: Tue, 16 Aug 2016 09:33:46 +0200
>Subject: [PATCH 2/3] SYSDB: Adding message about reason why cache changed
>
>Resolves:
>https://fedorahosted.org/sssd/ticket/3060
>---
> src/db/sysdb.c | 24 
> 1 file changed, 20 insertions(+), 4 deletions(-)
>
ACK

http://sssd-ci.duckdns.org/logs/job/56/52/summary.html

LS


[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)

2016-11-08 Thread celestian
   URL: https://github.com/SSSD/sssd/pull/39
Author: celestian
 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/39/head:pr39
git checkout pr39
From d83eb122f75ff1204cfdac6d5bc1ec138056 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Wed, 12 Oct 2016 16:48:38 +0200
Subject: [PATCH] SYSDB: Adding lowercase sudoUser form

If the domain is not case sensitive we add the lowercase form of usernames
to sudoUser attributes, so we are actually able to apply a sudoRule for
user Administrator@... with login administrator@...

Resolves:
https://fedorahosted.org/sssd/ticket/3203
(cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645)
---
 src/db/sysdb_sudo.c | 63 +
 1 file changed, 63 insertions(+)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 76116ab..ecf350f 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -801,6 +801,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
 return EOK;
 }
 
+static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
+struct sysdb_attrs *rule)
+{
+TALLOC_CTX *tmp_ctx;
+const char **users = NULL;
+const char *lowered = NULL;
+errno_t ret;
+
+if (domain->case_sensitive == true || rule == NULL) {
+return EOK;
+}
+
+tmp_ctx = talloc_new(NULL);
+if (tmp_ctx == NULL) {
+return ENOMEM;
+}
+
+ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx,
+   );
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n",
+SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+goto done;
+}
+if (users == NULL) {
+ret =  EOK;
+goto done;
+}
+
+for (int i = 0; users[i] != NULL; i++) {
+lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]);
+if (lowered == NULL) {
+DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
+ret = ENOMEM;
+goto done;
+}
+
+if (strcmp(users[i], lowered) == 0) {
+/* It protects us from adding duplicate. */
+continue;
+}
+
+ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE,
+  "Unable to add %s attribute [%d]: %s\n",
+  SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+goto done;
+}
+}
+
+ret = EOK;
+
+done:
+talloc_zfree(tmp_ctx);
+return ret;
+}
+
 static errno_t
 sysdb_sudo_store_rule(struct sss_domain_info *domain,
   struct sysdb_attrs *rule,
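Review bot: the duplicate guard in `sysdb_sudo_add_lowered_users` compares each value only with its own lowercase form, so a rule that already lists both `Administrator` and `administrator` gets a second `administrator` appended by `sysdb_attrs_add_string`, and storing a duplicate attribute value may then make the whole rule fail to save; checking the lowered form against the complete `users` array (or using a duplicate-safe add) before calling `sysdb_attrs_add_string` avoids that. The loop also lowercases every sudoUser value, including the `ALL` keyword and `%group`/`+netgroup` entries, which is harmless for matching but deserves a comment, and a test with a mixed-case rule would pin the intended behaviour.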
@@ -817,6 +875,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain,
 
 DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name);
 
+ret = sysdb_sudo_add_lowered_users(domain, rule);
+if (ret != EOK) {
+return ret;
+}
+
 ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now);
 if (ret != EOK) {
 return ret;


[SSSD] [sssd PR#53][comment] Fixes in the config API related to secrets responder

2016-11-08 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/53
Title: #53: Fixes in the config API related to secrets responder

lslebodn commented:
"""
On (08/11/16 05:15), fidencio wrote:
>@jhrozek:
>For the first patch the tests are correct. @lslebodn also complained that 
>[secrets/users/] could be a valid case in the way the code is in git right now 
>and it's also fixed by my patch. In any case, it seems that we don't allow any 
>config section to end with "/".
>
>For the second test, I guess that good tests are adding configuration options 
>that are only allowed for [secrets] into the [secrets/users/123] section and 
>vice-versa.
>
>Example of a config that should fail:
>```
>[secrets]
>proxy_url = foo
>
>[secrets/users/123]
>timeout = 10
>```
>
>Example of a config that should not fail:
>```
>[secrets]
>debug_level = 9
>
>[secrets/users/123]
>proxy_url = foo
>```
>@lslebodn, does it make sense for you?
>
I am fine with the 1st patch. But I am not very familiar with
the secrets code, therefore it would take me much more time to review the
2nd patch. I would prefer if @jhrozek could review it.

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/53#issuecomment-259138537


[SSSD] [sssd PR#65][comment] Fixing of nitpicks

2016-11-08 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/65
Title: #65: Fixing of nitpicks

lslebodn commented:
"""
On (08/11/16 05:26), celestian wrote:
>celestian commented on this pull request.
>> @@ -269,6 +269,10 @@ static void 
>> rdp_message_send_and_reply_done(DBusPendingCall *pending,
> sbus_req = talloc_get_type(ptr, struct sbus_request);
> 
> ret = rdp_process_pending_call(sbus_req, pending, );
>+if (ret != EOK) {
>+/* Something bad happened. Just kill the request. */
>+goto done;
>+}
> if (reply == NULL) {
>
>I don't insist on the patch ```RESPONDER: Adding of return value checking```.
>
The patch is not absolutely wrong.
But following check for NULL is redundant.

As I previously wrote, we should be consistent.
We should either check `ret != EOK` after each invocation of
`rdp_process_pending_call` or we should check `reply == NULL`.

Ask @pbrezina why he wrote the code in such way.

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/65#issuecomment-259138069


[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)

2016-11-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/39
Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)

jhrozek commented:
"""
On Tue, Nov 08, 2016 at 05:06:41AM -0800, celestian wrote:
> Yes, the second patch explicitly qualifies the names. I don't know if there 
> is a possibility to add a wrong domain to the given user name this way. That's 
> the question.
> 
> The reason for doing this is that the function ```sudosrv_get_user()``` asks for 
> that type of name. As you can see:
> ```
> # grep 'administrator' *.log
> 
> # sssd_scorpion.domain.log:
> [be_get_account_info] (0x0200): Got request for 
> [0x3][BE_REQ_INITGROUPS][1][name=administrator]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
> [(&(sAMAccountName=administrator)(objectclass=user)(objectSID=*))][DC=scorpion,DC=domain].
> [pam_print_data] (0x0100): ruser: administrator@scorpion.domain
> [sssd[be[scorpion.domain]]] [pam_print_data] (0x0100): ruser: 
> administrator@scorpion.domain
> 
> # sssd_sudo.log:
> [sss_parse_name_for_domains] (0x0200): name 'administrator@scorpion.domain' 
> matched expression for domain 'scorpion.domain', user is administrator
> [sss_parse_name_for_domains] (0x0200): name 'administrator@scorpion.domain' 
> matched expression for domain 'scorpion.domain', user is administrator
> [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for 
> [administrator] from [scorpion.domain]
> [sss_ncache_check_str] (0x2000): Checking negative cache for 
> [NCE/USER/scorpion.domain/administrator]
> [sudosrv_get_user] (0x0200): Requesting info about 
> [administrator@scorpion.domain]
> [sudosrv_get_user] (0x0400): Returning info for user 
> [administrator@scorpion.domain]

This is only how the DEBUG messages are formatted:
122 DEBUG(SSSDBG_FUNC_DATA, "Requesting info about [%s@%s]\n",
123   name, dom->name);

and:

243 DEBUG(SSSDBG_TRACE_FUNC, "Returning info for user [%s@%s]\n",
244   cmd_ctx->username, dctx->domain->name); 

In the cache I can see both administra...@win.trust.test and
administrator. But do we need the qualified name? Why?

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/39#issuecomment-259134748


[SSSD] [sssd PR#65][comment] Fixing of nitpicks

2016-11-08 Thread celestian
  URL: https://github.com/SSSD/sssd/pull/65
Title: #65: Fixing of nitpicks

celestian commented:
"""
```UTIL: Removing of never read value```
```
@@ -1104,7 +1104,6 @@ bool sss_krb5_realm_has_proxy(const char *realm)
 
 kerr = profile_get_values(profile, profile_path, );
 if (kerr == PROF_NO_RELATION || kerr == PROF_NO_SECTION) {
-kerr = 0;
 goto done;
```
As @jhrozek said above, false is the right return value. The proposed patch is about 
removing ```kerr = 0``` because it is not read anywhere.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/65#issuecomment-259134075


[SSSD] [sssd PR#53][comment] Fixes in the config API related to secrets responder

2016-11-08 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/53
Title: #53: Fixes in the config API related to secrets responder

fidencio commented:
"""
@jhrozek:
For the first patch the tests are correct. @lslebodn also complained that 
[secrets/users/] could be a valid case in the way the code is in git right now 
and it's also fixed by my patch. In any case, it seems that we don't allow any 
config section to end with "/".

For the second test, I guess that good tests are adding configuration options 
that are only allowed for [secrets] into the [secrets/users/123] section and 
vice-versa.

Example of a config that should fail:
```
[secrets]
proxy_url = foo

[secrets/users/123]
timeout = 10
```

Example of a config that should not fail:
```
[secrets]
debug_level = 9

[secrets/users/123]
proxy_url = foo
```
@lslebodn, does it make sense for you?

@jhrozek: and I really would like to be sure that the options that I put into the 
secrets section in the second patch are **only** valid for that section or 
whether those options should be inherited and also allowed in 
[secrets/users/123]
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/53#issuecomment-259133301
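Added example, not SSSD code and not part of PR#53: a small Python model of the cfg_rules.ini section and option rules this thread discusses, with the GNU BRE patterns from the patch translated by hand to Python `re` syntax. It assumes `debug_level` is among the allowed `[secrets]` options (it is not visible in the hunks but the "should not fail" example relies on it), checks the two configs from the comment above, and shows why `[secrets/users/]` was accepted before the first patch.

```python
"""Toy model of the sssd config-API rules for the secrets responder.

Added example, not SSSD code.  The real validator is libini_config's
ini_allowed_options driven by src/config/cfg_rules.ini; this file mirrors
the rules as they read after PR#53 so the configs from the discussion can
be checked offline.  Section admission and per-section options are folded
into one table here, and the BRE patterns are hand-translated to re syntax.
"""
import configparser
import re

# Section pattern before and after the first patch of PR#53.  The old form
# made the digits optional inside the optional "/users/" group, so the bare
# "secrets/users/" section name was accepted.
OLD_SECTION_RE = re.compile(r"^secrets(/users/([0-9]+)?)?$")
NEW_SECTION_RE = re.compile(r"^secrets(/users/[0-9]+)?$")

# Per-section allowed options after the second patch.  Only the options
# visible in the hunks are listed, plus debug_level, which the "should not
# fail" example relies on (assumption: it sits in the elided part of the rule).
RULES = (
    # [rule/allowed_sec_options]: section_re = ^secrets$
    (re.compile(r"^secrets$"), {
        "timeout", "debug", "debug_level", "reconnection_retries",
        "fd_limit", "client_idle_timeout", "description",
        "provider", "containers_nest_level", "max_secrets",
    }),
    # [rule/allowed_sec_users_options]: section_re = ^secrets/users/[0-9]\+$
    (re.compile(r"^secrets/users/[0-9]+$"), {
        "proxy_url", "auth_type",
    }),
)


def section_accepted(name, pattern=NEW_SECTION_RE):
    """True if the section name is one the config API admits at all."""
    return pattern.match(name) is not None


def validate(config_text):
    """Return the list of rule violations in an sssd.conf fragment.

    An empty list means the fragment passes.  Each violation names the
    section and, where applicable, the offending option.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    problems = []
    for section in parser.sections():
        allowed = set()
        matched = False
        for pattern, options in RULES:
            if pattern.match(section):
                matched = True
                allowed |= options
        if not matched:
            problems.append(f"[{section}]: section not allowed")
            continue
        for option in parser.options(section):
            if option not in allowed:
                problems.append(f"[{section}]: option '{option}' not allowed")
    return problems


# The two fragments from the discussion (constructed from the comment text).
SHOULD_FAIL = """
[secrets]
proxy_url = foo

[secrets/users/123]
timeout = 10
"""

SHOULD_PASS = """
[secrets]
debug_level = 9

[secrets/users/123]
proxy_url = foo
"""

if __name__ == "__main__":
    for label, text in (("should fail", SHOULD_FAIL), ("should pass", SHOULD_PASS)):
        print(label, "->", validate(text) or "ok")
    for name in ("secrets", "secrets/users/123", "secrets/users/", "secrets/users/abc"):
        print(f"[{name}] old={section_accepted(name, OLD_SECTION_RE)} "
              f"new={section_accepted(name)}")
```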


[SSSD] [sssd PR#53][synchronized] Fixes in the config API related to secrets responder

2016-11-08 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/53
Author: fidencio
 Title: #53: Fixes in the config API related to secrets responder
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/53/head:pr53
git checkout pr53
From 01a07663269bd7abd32581b611480ad61bf2805f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Mon, 17 Oct 2016 17:07:56 +0200
Subject: [PATCH 1/2] SECRETS: Fix secrets rule in the allowed sections
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We have been matching an invalid subsection of the secrets' section,
like:
[secrets/users/]

Let's ensure that we only match the following cases:
[secrets]
[secrets/users/[0-9]+]

Signed-off-by: Fabiano Fidêncio 
---
 src/config/cfg_rules.ini | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index ec716b5..24937c9 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -8,7 +8,7 @@ section = autofs
 section = ssh
 section = pac
 section = ifp
-section_re = ^secrets\(/users/\([0-9]\+\)\?\)\?$
+section_re = ^secrets\(/users/[0-9]\+\)\?$
 section_re = ^domain/.*$
 
 [rule/allowed_sssd_options]
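Review bot: the same section pattern is now maintained in two places (the global `section_re` here and the one in `[rule/allowed_sec_options]` in the next hunk), so a later edit to only one of them would let a section pass admission but fail option validation, or the reverse; a config-API test that feeds `[secrets/users/]` and `[secrets/users/abc]` and expects both to be rejected, alongside `[secrets/users/123]` being accepted, would pin the behaviour the commit message describes.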
@@ -213,7 +213,7 @@ option = user_attributes
 
 [rule/allowed_sec_options]
 validator = ini_allowed_options
-section_re = ^secrets\(/users/\([0-9]\+\)\?\)\?$
+section_re = ^secrets\(/users/[0-9]\+\)\?$
 
 option = timeout
 option = debug

From 206764d85dabbf1a0cf1d2d00cdcc2b71492fcd6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Mon, 17 Oct 2016 18:58:50 +0200
Subject: [PATCH 2/2] SECRETS: Add allowed_sec_users_options
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

There are options (the proxying related ones) that only apply to the
secrets' subsections. In order to make the config API able to catch those,
let's create a new section called allowed_sec_users_options and move
these proxying options there.

Signed-off-by: Fabiano Fidêncio 
---
 src/config/cfg_rules.ini | 13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 24937c9..8a5290e 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -8,7 +8,8 @@ section = autofs
 section = ssh
 section = pac
 section = ifp
-section_re = ^secrets\(/users/[0-9]\+\)\?$
+section = secrets
+section_re = ^secrets/users/[0-9]\+$
 section_re = ^domain/.*$
 
 [rule/allowed_sssd_options]
@@ -211,9 +212,10 @@ option = description
 option = allowed_uids
 option = user_attributes
 
+# Secrets service
 [rule/allowed_sec_options]
 validator = ini_allowed_options
-section_re = ^secrets\(/users/[0-9]\+\)\?$
+section_re = ^secrets$
 
 option = timeout
 option = debug
@@ -226,11 +228,14 @@ option = reconnection_retries
 option = fd_limit
 option = client_idle_timeout
 option = description
-
-# Secrets service
 option = provider
 option = containers_nest_level
 option = max_secrets
+
+[rule/allowed_sec_users_options]
+validator = ini_allowed_options
+section_re = ^secrets/users/[0-9]\+$
+
 # Secrets service - proxy
 option = proxy_url
 option = auth_type
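Review bot: `[rule/allowed_sec_users_options]` lists only the proxy options, so generic responder settings such as `timeout` or `debug_level` in a `[secrets/users/<uid>]` section are now rejected; that matches the "should fail" example in the discussion, but the question raised there of whether those options should be inherited from `[secrets]` is still open, so please settle it with @jhrozek, record the decision in the rule's comment and in the sssd-secrets(5) man page, and add the two configs from the comment as config-API tests.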


[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)

2016-11-08 Thread celestian
  URL: https://github.com/SSSD/sssd/pull/39
Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)

celestian commented:
"""
Yes, the second patch explicitly qualifies the names. I don't know if there is 
a possibility to add a wrong domain to the given user name this way. That's the 
question.

The reason for doing this is that  function ```sudosrv_get_user()``` ask for 
that type of name. How you can see:
```
# grep 'administrator' *.log

# sssd_scorpion.domain.log:
[be_get_account_info] (0x0200): Got request for 
[0x3][BE_REQ_INITGROUPS][1][name=administrator]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
[(&(sAMAccountName=administrator)(objectclass=user)(objectSID=*))][DC=scorpion,DC=domain].
[pam_print_data] (0x0100): ruser: administrator@scorpion.domain
[sssd[be[scorpion.domain]]] [pam_print_data] (0x0100): ruser: 
administrator@scorpion.domain

# sssd_sudo.log:
[sss_parse_name_for_domains] (0x0200): name 'administrator@scorpion.domain' 
matched expression for domain 'scorpion.domain', user is administrator
[sss_parse_name_for_domains] (0x0200): name 'administrator@scorpion.domain' 
matched expression for domain 'scorpion.domain', user is administrator
[sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for 
[administrator] from [scorpion.domain]
[sss_ncache_check_str] (0x2000): Checking negative cache for 
[NCE/USER/scorpion.domain/administrator]
[sudosrv_get_user] (0x0200): Requesting info about 
[administrator@scorpion.domain]
[sudosrv_get_user] (0x0400): Returning info for user 
[administrator@scorpion.domain]
[sss_parse_name_for_domains] (0x0200): name 'administrator@scorpion.domain' 
matched expression for domain 'scorpion.domain', user is administrator
[sss_parse_name_for_domains] (0x0200): name 'administrator@scorpion.domain' 
matched expression for domain 'scorpion.domain', user is administrator
[sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [administrator] 
from [scorpion.domain]
[sss_ncache_check_str] (0x2000): Checking negative cache for 
[NCE/USER/scorpion.domain/administrator]
[sudosrv_get_user] (0x0200): Requesting info about 
[administrator@scorpion.domain]
[sudosrv_get_user] (0x0400): Returning info for user 
[administrator@scorpion.domain]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for 
[administrator@scorpion.domain]
```
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/39#issuecomment-259131495
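The logs above show `sudosrv_get_user()` looking rules up by the qualified name `administrator@scorpion.domain`, which is why the patches in this thread add lowercase and fully qualified forms to `sudoUser`. As an added example, not code from the PR or from SSSD, here is that expansion written so it never stores a duplicate value, never rewrites sudo's special values (`ALL`, `%group`, `+netgroup`, `#uid`) and never re-qualifies a name that already carries a domain; the ASCII-only lowercasing, the `'@'` test and the `user@domain` format are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ALIASES 64   /* constructed bound, enough for the example */

/* Plain user names only: ALL, %group, +netgroup and #uid carry their own
 * meaning in sudoers and must not be lowercased or qualified (an assumed
 * rule for this example, not something the patches in the thread do). */
static bool is_plain_user(const char *v)
{
    return v[0] != '\0' && v[0] != '%' && v[0] != '+' && v[0] != '#'
           && strcmp(v, "ALL") != 0;
}

bool has_alias(char **list, const char *v)
{
    for (size_t i = 0; list[i] != NULL; i++) {
        if (strcmp(list[i], v) == 0) return true;
    }
    return false;
}

void free_aliases(char **list)
{
    for (size_t i = 0; list != NULL && list[i] != NULL; i++) free(list[i]);
    free(list);
}

/* Append v unless an identical value is already present, so the cached rule
 * never ends up with a duplicate attribute value. */
static bool add_unique(char **list, size_t *n, const char *v)
{
    if (has_alias(list, v)) return true;
    if (*n + 1 >= MAX_ALIASES || (list[*n] = strdup(v)) == NULL) return false;
    list[++(*n)] = NULL;
    return true;
}

/* Add name and, unless it already contains '@' (assumed here to mean it is
 * already qualified), its "name@domain" form. */
static bool add_forms(char **list, size_t *n, const char *name,
                      const char *domain)
{
    if (!add_unique(list, n, name)) return false;
    if (strchr(name, '@') != NULL) return true;
    size_t len = strlen(name) + strlen(domain) + 2;
    char *fq = malloc(len);
    if (fq == NULL) return false;
    snprintf(fq, len, "%s@%s", name, domain);
    bool ok = add_unique(list, n, fq);
    free(fq);
    return ok;
}

/* Expand the sudoUser values of one rule: keep the originals, add the
 * lowercase form in case-insensitive domains (ASCII only here; SSSD uses a
 * UTF-8 aware helper) and the fully qualified form of every plain user
 * name. Returns a NULL-terminated array (free with free_aliases) or NULL. */
char **expand_sudo_users(const char *domain, bool case_sensitive,
                         const char *const *users)
{
    char **out = calloc(MAX_ALIASES, sizeof(char *));
    size_t n = 0;
    if (out == NULL) return NULL;
    for (size_t i = 0; users[i] != NULL; i++) {
        const char *u = users[i];
        if (!is_plain_user(u)) {             /* copied through unchanged */
            if (!add_unique(out, &n, u)) goto fail;
            continue;
        }
        if (!add_forms(out, &n, u, domain)) goto fail;
        if (case_sensitive) continue;
        char *low = strdup(u);
        if (low == NULL) goto fail;
        for (char *p = low; *p != '\0'; p++) *p = (char)tolower((unsigned char)*p);
        bool ok = add_forms(out, &n, low, domain);
        free(low);
        if (!ok) goto fail;
    }
    return out;
fail:
    free_aliases(out);
    return NULL;
}

int main(void)
{   /* constructed sample; scorpion.domain is the domain in the logs above */
    const char *const users[] = { "Administrator", "ALL", "%wheel",
                                  "admin@scorpion.domain", NULL };
    char **aliases = expand_sudo_users("scorpion.domain", false, users);
    for (size_t i = 0; aliases != NULL && aliases[i] != NULL; i++)
        printf("sudoUser: %s\n", aliases[i]);
    free_aliases(aliases);
    return aliases == NULL;
}
```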


[SSSD] [sssd PR#73][closed] AD_PROVIDER: Enabled subdomains (1.13)

2016-11-08 Thread lslebodn
   URL: https://github.com/SSSD/sssd/pull/73
Author: celestian
 Title: #73: AD_PROVIDER: Enabled subdomains (1.13)
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/73/head:pr73
git checkout pr73


[SSSD] [sssd PR#73][+Pushed] AD_PROVIDER: Enabled subdomains (1.13)

2016-11-08 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/73
Title: #73: AD_PROVIDER: Enabled subdomains (1.13)

Label: +Pushed


[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)

2016-11-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/39
Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)

jhrozek commented:
"""
On Tue, Nov 08, 2016 at 04:13:43AM -0800, celestian wrote:
> I pushed a new version, only one difference -- I fixed the cherry-pick pointer.
> The patch works without `sudoUserAlias` but it still adds fq names to 
> sudoUser.
> Is it OK? Is there a way to avoid fq names?

Well, the second patch explicitly qualifies the names, is there a reason
to qualify them?

btw I haven't tested this patchset at all yet, do the qualified names
work at all?

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/39#issuecomment-259122246


[SSSD] [sssd PR#73][comment] AD_PROVIDER: Enabled subdomains (1.13)

2016-11-08 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/73
Title: #73: AD_PROVIDER: Enabled subdomains (1.13)

lslebodn commented:
"""
On (08/11/16 03:06), Jakub Hrozek wrote:
>I tested the patches with a setup that consists of three domains 
>(win.trust.test, child.win.trust.test and sibling.win.trust.test). The patch 
>works well, I tested by disabling the global catalog to make sure the 
>connections always hit the AD DC in that particular domain and inspected the 
>subdomains objectclass in the cache.
>
>I also checked for memory errors in valgrind.
>
>Since all my tests passed, ACK to this patch.
>
sssd-1-13:
* efba0221c407af832727da26fa45c7aa326c89b9
* 7c7781a6632dc46d73567bf90ba1d0bf1c0e4a17
* 5c9e24c1558c782d2f1bf89724043769953e202d
* 854d6513ac5d1b2ba666d6b120e702081bbb1633

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/73#issuecomment-259122034


[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)

2016-11-08 Thread celestian
  URL: https://github.com/SSSD/sssd/pull/39
Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)

celestian commented:
"""
I pushed a new version, only one difference -- I fixed the cherry-pick pointer.
The patch works without `sudoUserAlias` but it still adds fq names to 
sudoUser.
Is it OK? Is there a way to avoid fq names?

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/39#issuecomment-259121334


[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)

2016-11-08 Thread celestian
   URL: https://github.com/SSSD/sssd/pull/39
Author: celestian
 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/39/head:pr39
git checkout pr39
From 92c5b11f1c17454a5b258f3776224124a808af3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Wed, 12 Oct 2016 16:48:38 +0200
Subject: [PATCH 1/2] SYSDB: Adding lowercase sudoUser form

If the domain is not case sensitive we add the lowercase form of usernames
to sudoUser attributes. So we are actually able to apply a sudoRule on
user Administrator@... with login administrator@...

Resolves:
https://fedorahosted.org/sssd/ticket/3203
(cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645)
---
 src/db/sysdb_sudo.c | 63 +
 1 file changed, 63 insertions(+)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 76116ab..ecf350f 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -801,6 +801,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
 return EOK;
 }
 
+static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
+struct sysdb_attrs *rule)
+{
+TALLOC_CTX *tmp_ctx;
+const char **users = NULL;
+const char *lowered = NULL;
+errno_t ret;
+
+if (domain->case_sensitive == true || rule == NULL) {
+return EOK;
+}
+
+tmp_ctx = talloc_new(NULL);
+if (tmp_ctx == NULL) {
+return ENOMEM;
+}
+
+ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx,
+   );
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n",
+SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+goto done;
+}
+if (users == NULL) {
+ret =  EOK;
+goto done;
+}
+
+for (int i = 0; users[i] != NULL; i++) {
+lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]);
+if (lowered == NULL) {
+DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
+ret = ENOMEM;
+goto done;
+}
+
+if (strcmp(users[i], lowered) == 0) {
+/* It protects us from adding duplicate. */
+continue;
+}
+
+ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE,
+  "Unable to add %s attribute [%d]: %s\n",
+  SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+goto done;
+}
+}
+
+ret = EOK;
+
+done:
+talloc_zfree(tmp_ctx);
+return ret;
+}
+
 static errno_t
 sysdb_sudo_store_rule(struct sss_domain_info *domain,
   struct sysdb_attrs *rule,
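Review bot: Two points on the new `sysdb_sudo_add_lowered_users()`. First, the duplicate guard `strcmp(users[i], lowered) == 0` only compares each value with its own lowercase form; if a rule already lists both `Admin` and `admin`, the lowered `admin` is added a second time as an identical value, so the check needs to run against the whole `users` array (or use a duplicate-safe add helper if the tree has one). Second, the `if (ret != EOK) goto done;` after `sysdb_attrs_get_string_array()` also covers a rule with no sudoUser attribute at all; if the getter reports that as ENOENT, a rule that cached fine before will now fail to store, so ENOENT should be handled like `users == NULL`. Style nit: `domain->case_sensitive == true` reads better as `domain->case_sensitive`.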
@@ -817,6 +875,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain,
 
 DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name);
 
+ret = sysdb_sudo_add_lowered_users(domain, rule);
+if (ret != EOK) {
+return ret;
+}
+
 ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now);
 if (ret != EOK) {
 return ret;
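Review bot: Returning `ret` from `sysdb_sudo_store_rule()` when `sysdb_sudo_add_lowered_users()` fails aborts caching of the whole rule. That is right for a real allocation failure, but the only failure path in the new function besides the getter is `sss_tc_utf8_str_tolower()` returning NULL, which may also happen for malformed UTF-8 coming from LDAP; in that case logging and storing the rule without the extra alias would be the safer behaviour than dropping the rule.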

From d521c43a46689730ad92c5bdfa13a69590c66307 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Tue, 18 Oct 2016 10:01:43 +0200
Subject: [PATCH 2/2] SYSDB: Adding fq user names to cached sudoRules

This patch adds fq user names to the sudoUser attribute of
cached sudoRules.

Resolves:
https://fedorahosted.org/sssd/ticket/3203
---
 src/db/sysdb_sudo.c | 55 +
 1 file changed, 55 insertions(+)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index ecf350f..3c37f9b 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -801,6 +801,56 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
 return EOK;
 }
 
+static errno_t sysdb_sudo_add_fq_users(struct sss_domain_info *domain,
+   struct sysdb_attrs *rule)
+{
+TALLOC_CTX *tmp_ctx;
+const char **users = NULL;
+const char *fqname = NULL;
+errno_t ret;
+
+tmp_ctx = talloc_new(NULL);
+if (tmp_ctx == NULL) {
+return ENOMEM;
+}
+
+ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx,
+   );
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n",
+SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+goto done;
+}
+if (users == NULL) {
+ret =  EOK;
+goto done;
+}
+
+for (int i = 0; users[i] != NULL; i++) {
+fqname = sss_tc_fqname(tmp_ctx, domain->names, domain, users[i]);
+if (fqname == NULL) {
+DEBUG(SSSDBG_OP_FAILURE, "Could not create fgname.\n");
+ret = ENOMEM;
+  
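Review bot: The loop qualifies every sudoUser value unconditionally. sudoUser also carries `ALL`, `%group`, `+netgroup` and `#uid` entries, and, after the first patch and on rules that already use qualified names, values with a domain suffix; passing those through `sss_tc_fqname()` yields things like `ALL@domain` or `user@domain@domain` that match no login and only bloat the cached rule. Skip values that are not plain user names and values that already contain the domain separator before calling `sss_tc_fqname()`. Also, the log message `Could not create fgname.` should read `fqname`.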

[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)

2016-11-08 Thread celestian
  URL: https://github.com/SSSD/sssd/pull/39
Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)

celestian commented:
"""
Since we have patch set for 1.15 pushed I will prepare proper cherry picking.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/39#issuecomment-259118455


[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)

2016-11-08 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/39
Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)

pbrezina commented:
"""
So what is the current plan here?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/39#issuecomment-259118986


[SSSD] [sssd PR#69][comment] krb5: Use command line arguments instead env vars for krb5_child

2016-11-08 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/69
Title: #69: krb5: Use command line arguments instead env vars for krb5_child

lslebodn commented:
"""
On (08/11/16 03:33), celestian wrote:
>Code looks good to me. CI tests passed:
>http://sssd-ci.duckdns.org/logs/job/56/34/summary.html
>
>=> ACK
just FYI.
This code is not tested in upstream integration tests.

So implication does not work here :-)

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/69#issuecomment-259114989


[SSSD] [sssd PR#69][+Accepted] krb5: Use command line arguments instead env vars for krb5_child

2016-11-08 Thread celestian
  URL: https://github.com/SSSD/sssd/pull/69
Title: #69: krb5: Use command line arguments instead env vars for krb5_child

Label: +Accepted


[SSSD] [sssd PR#69][comment] krb5: Use command line arguments instead env vars for krb5_child

2016-11-08 Thread celestian
  URL: https://github.com/SSSD/sssd/pull/69
Title: #69: krb5: Use command line arguments instead env vars for krb5_child

celestian commented:
"""
Code looks good to me. CI tests passed:
http://sssd-ci.duckdns.org/logs/job/56/34/summary.html

=> ACK
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/69#issuecomment-259113969


[SSSD] [sssd PR#43][-Accepted] RESPONDER: Enable sudoRule in case insen. domains (1.15)

2016-11-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/43
Title: #43: RESPONDER: Enable sudoRule in case insen. domains (1.15)

Label: -Accepted


[SSSD] [sssd PR#43][+Pushed] RESPONDER: Enable sudoRule in case insen. domains (1.15)

2016-11-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/43
Title: #43: RESPONDER: Enable sudoRule in case insen. domains (1.15)

Label: +Pushed


[SSSD] [sssd PR#43][closed] RESPONDER: Enable sudoRule in case insen. domains (1.15)

2016-11-08 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/43
Author: celestian
 Title: #43: RESPONDER: Enable sudoRule in case insen. domains (1.15)
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/43/head:pr43
git checkout pr43


[SSSD] [sssd PR#43][comment] RESPONDER: Enable sudoRule in case insen. domains (1.15)

2016-11-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/43
Title: #43: RESPONDER: Enable sudoRule in case insen. domains (1.15)

jhrozek commented:
"""
master:
f4a1046bb88d7a0ab3617e49ae94bfa849d10645
23637e2fd2b1fe42bdd2335893a11ac8016f56bc
sssd-1-14:
143b1dcbbe865a139616a22b139e19bd772e46f0
88239b7f17f599aefa88a8a31c2d0ea44b766c87
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/43#issuecomment-259112827


[SSSD] [sssd PR#73][+Accepted] AD_PROVIDER: Enabled subdomains (1.13)

2016-11-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/73
Title: #73: AD_PROVIDER: Enabled subdomains (1.13)

Label: +Accepted


[SSSD] [sssd PR#74][opened] IPA/AD: check auth ctx before using it

2016-11-08 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/74
Author: sumit-bose
 Title: #74: IPA/AD: check auth ctx before using it
Action: opened

PR body:
"""
In e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 a feature was introduced to
set the 'canonicalize' option in the system-wide Kerberos configuration
according to the settings in SSSD if the AD or IPA provider were used.
Unfortunately the patch implied that the auth provider is the same as
the id provider which might not always be the case. A different auth
provider caused a crash in the backend which is fixed by this patch.

Resolves https://fedorahosted.org/sssd/ticket/3234

I tried to add an integration test to see if SSSD can start with a mixed
configuration but the AD provider tries to set some SASL parameters which
requires e.g. an existing keytab which is afaik currently not available in the
integration test. Since this issue is easy to reproduce manually (start SSSD
with id_provider=ad and auth_provider=krb5) I hope it is acceptable that an
integration test can be added later when the infrastructure for AD provider
tests is available?
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/74/head:pr74
git checkout pr74
From ca62775b3e6ad1bb4212476a8b6a413e13a9b6ed Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Tue, 8 Nov 2016 11:51:57 +0100
Subject: [PATCH] IPA/AD: check auth ctx before using it

In e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 a feature was introduced to
set the 'canonicalize' option in the system-wide Kerberos configuration
according to the settings in SSSD if the AD or IPA provider were used.
Unfortunately the patch implied that the auth provider is the same as
the id provider which might not always be the case. A different auth
provider caused a crash in the backend which is fixed by this patch.

Resolves https://fedorahosted.org/sssd/ticket/3234
---
 src/providers/ad/ad_subdomains.c   | 13 +++--
 src/providers/ipa/ipa_subdomains.c | 20 +---
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 52bf536..5e57d21 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -618,14 +618,23 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx)
 {
 const char *path;
 errno_t ret;
-bool canonicalize;
+bool canonicalize = false;
 
 path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic,
  AD_KRB5_CONFD_PATH);
 
-canonicalize = dp_opt_get_bool(
+if (subdoms_ctx->ad_id_ctx->ad_options->auth_ctx != NULL
+&& subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts != NULL) {
+canonicalize = dp_opt_get_bool(
  subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts,
  KRB5_CANONICALIZE);
+} else {
+DEBUG(SSSDBG_CONF_SETTINGS, "Auth provider data is not available, "
+"most probably because the auth provider "
+"is not 'ad'. Kerberos configuration "
+"snippet to set the 'canonicalize' option "
+"will not be created.\n");
+}
 
 ret = sss_write_krb5_conf_snippet(path, canonicalize);
 if (ret != EOK) {
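Review bot: The `else` branch logs that the Kerberos snippet for `canonicalize` "will not be created", but control then falls through to `sss_write_krb5_conf_snippet(path, canonicalize)` with the new default `canonicalize = false`, so the helper is still invoked whenever the auth provider is not `ad` and the message does not describe what happens. Either skip the write in that branch (if the snippet really should be left alone for a foreign auth provider) or reword the message to say the snippet is written with canonicalization disabled; the crash fix itself (checking `auth_ctx` and `auth_ctx->opts` before dereferencing) looks right.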
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 8653e3f..b2e96b2 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -73,16 +73,30 @@ static errno_t
 ipa_subdom_reinit(struct ipa_subdomains_ctx *ctx)
 {
 errno_t ret;
+bool canonicalize = false;
 
 DEBUG(SSSDBG_TRACE_INTERNAL,
   "Re-initializing domain %s\n", ctx->be_ctx->domain->name);
 
+if (ctx->ipa_id_ctx->ipa_options->auth_ctx != NULL
+  && ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx != NULL
+  && ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts != NULL
+   ) {
+canonicalize = dp_opt_get_bool(
+ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts,
+KRB5_CANONICALIZE);
+} else {
+DEBUG(SSSDBG_CONF_SETTINGS, "Auth provider data is not available, "
+"most probably because the auth provider "
+"is not 'ipa'. Kerberos configuration "
+"snippet to set the 'canonicalize' option "
+"will not be created.\n");
+}
+
 ret = sss_write_krb5_conf_snippet(
   dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic,
 IPA_KRB5_CONFD_PATH),
-  dp_opt_get_bool(
-ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts,
-
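Review bot: Same mismatch as in the AD hunk: the message says the snippet will not be created, yet `sss_write_krb5_conf_snippet()` is still called with `canonicalize = false`. Also the three-level chain `ipa_options->auth_ctx->krb5_auth_ctx->opts` is spelled out once in the condition and again inside `dp_opt_get_bool()`; assigning the options pointer to a local once the NULL checks pass would make the condition and the call easier to read and harder to get out of sync.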

[SSSD] Re: Design discussion: Fleet Commander integration

2016-11-08 Thread Fabiano Fidêncio
On Fri, Oct 7, 2016 at 10:22 AM, Jakub Hrozek  wrote:
> On Thu, Oct 06, 2016 at 06:38:23PM +0200, Sumit Bose wrote:
>> On Thu, Oct 06, 2016 at 04:41:10PM +0200, Jakub Hrozek wrote:
>> > Hi,
>> >
>> > with Alexander's help, I wrote up a design page about how SSSD should
>> > read Fleet Commander data from IPA and present them to the FC client
>> > component. The SSSD part is described here:
>> > https://fedorahosted.org/sssd/wiki/DesignDocs/FleetCommanderIntegration
>> > and the IPA part is here:
>> > 
>> > https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
>> >
>> > For convenience, I copied the SSSD wiki page below. Comments are welcome!
>> >
>>
>> ...
>>
>> >
>> >  Looking up the Fleet Commander profiles and storing the JSON profile 
>> > data 
>> > Since the first implementation will only fetch rules that are linked to
>> > this host and the user in question, the SSSD's session provider will issue
>> > an LDAP search along these lines:
>> > {{{
>> > 
>> > (&(objectclass=ipadeskprofilerule)(memberHost=my_fqdn_or_my_host_group)(memberUser=user_login_or_group))
>> > }}}
>> >
>> > All host groups the IPA client is a member of must be included in the
>> > `memberHost` part of the filter. Additionally, all user groups must be
>> > included in the `memberUser` part of the filter. Since in most cases,
>> > the user's groups will be resolved during the login, we will only issue
>> > an initgroups request in case the user's initgroups are expired already
>> > to cover cases where the sessions provider was invoked separately.
>>
>> I wonder if it would be more efficient to read all profiles which apply
>> to the host in a single run store them in the cache and do the remaining
>> part of the processing locally? Iirc this is what we do with HBAC rules
>> and there might be a chance to reuse some of the HBAC code but just look
>> for objectclass ipadeskprofilerule instead of ipahbacrule?
>>
>> Since there are host and user categories mentioned on the server side
>> design page I guess the underlying objectclass is ipaAssociation and
>> because of this it makes even more sense to reuse as much of the HBAC
>> lookup code as possible.
>
> Yes, of course you are right, fetching the per-host data is almost always
> a good idea. I changed the wiki page:
> 
> https://fedorahosted.org/sssd/wiki/DesignDocs/FleetCommanderIntegration?action=diff=3_version=1

Since I started working on this a few changes have been done in the
Design (and I've talked to Jakub on IRC about those all the time).
In case anyone is interested, here are the changes:
https://fedorahosted.org/sssd/wiki/DesignDocs/FleetCommanderIntegration?action=diff=7_version=3

Best Regards,
--
Fabiano Fidêncio
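The search described in the quoted design, after the agreed change to fetching every rule that applies to the host and evaluating the user side locally, as an added example that is not code from SSSD or from the design page: it builds the memberHost part of the filter with RFC 4515 escaping of each value, so a host or host-group name containing filter metacharacters cannot widen the search. The object class and attribute name come from the design text; that memberHost values are IPA DNs is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape one assertion value as RFC 4515 requires: '*', '(', ')', '\' and
 * control bytes become \xx hex escapes, so a host or group name cannot
 * inject extra filter components. Returns a malloc'd string or NULL. */
char *ldap_filter_escape(const char *value)
{
    size_t len = strlen(value);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte escaped */
    if (out == NULL) return NULL;
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c == '*' || c == '(' || c == ')' || c == '\\' || c < 0x20) {
            p += sprintf(p, "\\%02x", c);
        } else {
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* Minimal growable string used to assemble the filter. */
struct strbuf { char *s; size_t len; size_t cap; };

static int strbuf_add(struct strbuf *b, const char *piece)
{
    size_t need = b->len + strlen(piece) + 1;
    if (need > b->cap) {
        size_t cap = b->cap ? b->cap : 128;
        while (cap < need) cap *= 2;
        char *s = realloc(b->s, cap);
        if (s == NULL) return -1;
        b->s = s;
        b->cap = cap;
    }
    memcpy(b->s + b->len, piece, strlen(piece) + 1);
    b->len = need - 1;
    return 0;
}

/* Build the per-host search the thread settles on: every ipadeskprofilerule
 * whose memberHost names this host or one of its host groups; the memberUser
 * side is left to be evaluated locally against the cached rules.
 * host_values is a NULL-terminated list of the values the host matches on
 * (assumed here to be IPA DNs). Returns NULL on an empty list or OOM. */
char *deskprofile_host_filter(const char *const *host_values)
{
    struct strbuf b = { NULL, 0, 0 };
    if (host_values == NULL || host_values[0] == NULL) return NULL;
    if (strbuf_add(&b, "(&(objectclass=ipadeskprofilerule)(|") != 0) goto fail;
    for (size_t i = 0; host_values[i] != NULL; i++) {
        char *esc = ldap_filter_escape(host_values[i]);
        if (esc == NULL) goto fail;
        int rc = strbuf_add(&b, "(memberHost=") || strbuf_add(&b, esc)
                 || strbuf_add(&b, ")");
        free(esc);
        if (rc != 0) goto fail;
    }
    if (strbuf_add(&b, "))") != 0) goto fail;
    return b.s;

fail:
    free(b.s);
    return NULL;
}

int main(void)
{
    /* Constructed values: the client's own host entry and one host group. */
    const char *const hosts[] = {
        "fqdn=client.example.com,cn=computers,cn=accounts,dc=example,dc=com",
        "cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com", NULL };
    char *filter = deskprofile_host_filter(hosts);
    if (filter == NULL) return 1;
    printf("%s\n", filter);
    free(filter);
    return 0;
}
```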


[SSSD] [sssd PR#71][comment] MONITOR: Do not set up watchdog for monitor

2016-11-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/71
Title: #71: MONITOR: Do not set up watchdog for monitor

jhrozek commented:
"""
master: fbe6644aa28d93f492434950680c5618eb567712
sssd-1-14: 2d88a121918e800b266d018d43dad9bd374b10a7
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/71#issuecomment-259093656


[SSSD] [sssd PR#71][closed] MONITOR: Do not set up watchdog for monitor

2016-11-08 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/71
Author: jhrozek
 Title: #71: MONITOR: Do not set up watchdog for monitor
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/71/head:pr71
git checkout pr71


[SSSD] [sssd PR#71][+Pushed] MONITOR: Do not set up watchdog for monitor

2016-11-08 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/71
Title: #71: MONITOR: Do not set up watchdog for monitor

Label: +Pushed


[SSSD] [sssd PR#43][comment] RESPONDER: Enable sudoRule in case insen. domains (1.15)

2016-11-08 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/43
Title: #43: RESPONDER: Enable sudoRule in case insen. domains (1.15)

pbrezina commented:
"""
Ok, I'm fine with this patch due to the indexing issue.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/43#issuecomment-259093311


[SSSD] [sssd PR#70][comment] check_duplicate: check name member before using it

2016-11-08 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/70
Title: #70: check_duplicate: check name member before using it

sumit-bose commented:
"""
@lslebodn, the patch adds a new unit-test test_extra_opts_empty_name() which 
covers the crash. What would be the benefit of checking it in the integration 
tests as well?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/70#issuecomment-259091650


[SSSD] Re: [PATCHES] views: properly override group member names - 1.13 backport

2016-11-08 Thread Lukas Slebodnik
On (08/11/16 10:19), Lukas Slebodnik wrote:
>On (24/10/16 16:59), Sumit Bose wrote:
>>Hi,
>>
>>please find attached a backport to 1.13 of the given patch set including
>>fixes from Lukas.
>>
>>Its intention is to fix https://fedorahosted.org/sssd/ticket/3118 /
>>https://bugzilla.redhat.com/show_bug.cgi?id=1367802 without introducing
>>a new patch. As a side-effect the issue with missing overridden names
>>from group members is fixed as well. But since the patches touch
>>various parts of the group lookup code they should be carefully tested for
>>regressions.
>>
>ACK
>
>http://sssd-ci.duckdns.org/logs/job/56/38/summary.html
>
sssd-1-13:
* 55fc0bb19e6205af13828a98592b283d3b6d24e0
* 19ba10fcc7dbdfdd7a238fa94f57605cf16fc28e
* 8e19dce22b286f1f815cba7150149ab249a62854
* 5d64343d5ffed9cb42184eb30e5bf1871d8196d5
* ce714745ad28dfb6dcfd9f8f8983e492661a6e2f
* 3bea6818a3432a349a9901a84fd517c052b19f69

LS


[SSSD] [sssd PR#71][comment] MONITOR: Do not set up watchdog for monitor

2016-11-08 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/71
Title: #71: MONITOR: Do not set up watchdog for monitor

lslebodn commented:
"""
ACK

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/71#issuecomment-259090619


[SSSD] [sssd PR#70][-Accepted] check_duplicate: check name member before using it

2016-11-08 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/70
Title: #70: check_duplicate: check name member before using it

Label: -Accepted


[SSSD] [sssd PR#70][comment] check_duplicate: check name member before using it

2016-11-08 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/70
Title: #70: check_duplicate: check name member before using it

lslebodn commented:
"""
I would appreciate integration test for the crash.
Feel free to extend `test_extra_attribute_already_exists` or create new one.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/70#issuecomment-259087435


[SSSD] [sssd PR#70][+Changes requested] check_duplicate: check name member before using it

2016-11-08 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/70
Title: #70: check_duplicate: check name member before using it

Label: +Changes requested


[SSSD] about letting the responder choose the sysdb optimization level

2016-11-08 Thread Jakub Hrozek
Hi,

I would like to ask for opinions about:
https://fedorahosted.org/sssd/ticket/3126

The basic idea is that the responder would choose what kind of optimization
the back end would perform when saving the sysdb entries.  Requests that
just return information might choose to optimize very aggressively (using
modifyTimestamp) and requests that actually authenticate or authorize the
user might choose to not optimize at all to avoid issues like the ones we saw
with virtual attributes that don't bump the modifyTimestamp attribute at all.

On the responder side, this is quite easy, just send an additional flag
during the responder request. It's the provider part I'm not so sure
about, because there the optimizations are performed at the sysdb level.

So far I can only think about extending sysdb_transaction_start() (or
providing sysdb_opt_transaction_start and letting the old
sysdb_transaction_start default to no optimization) which would
internally keep track of the active transaction and the optimization we
want to perform, since only sssd_be is the cache writer and there is
only one cache per domain.

Additionally, we would have to keep the transaction optimization level around
in some context until the request bubbles from the data provider handler to
actually saving the transaction. I hope this won't be too messy, but
since the requests are asynchronous, so far I don't see any way around
it. The only thing that might be less messy in the long term is to provide
a bit more generic structure ("request status") that would so far only
include the optimization level and later might be extended to include
e.g. intermediate data. But on the other hand, I'm not sure I have
thought about passing the data between requests hard enough to design
this properly. Should I?

Any other opinions? Thoughts?


[SSSD] [sssd PR#70][+Accepted] check_duplicate: check name member before using it

2016-11-08 Thread celestian
  URL: https://github.com/SSSD/sssd/pull/70
Title: #70: check_duplicate: check name member before using it

Label: +Accepted


[SSSD] [sssd PR#70][comment] check_duplicate: check name member before using it

2016-11-08 Thread celestian
  URL: https://github.com/SSSD/sssd/pull/70
Title: #70: check_duplicate: check name member before using it

celestian commented:
"""
I tested manually with the IPA provider. It works and I was informed about the 
attribute collision:
```
[sdap_extend_map] (0x0010): Attribute entryUSN (abc in LDAP) is already used by 
SSSD, please choose a different cache name
```
CI tests passed:
http://sssd-ci.duckdns.org/logs/job/56/33/summary.html

=> ACK
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/70#issuecomment-259085686


[SSSD] Re: [PATCHES] views: properly override group member names - 1.13 backport

2016-11-08 Thread Lukas Slebodnik
On (24/10/16 16:59), Sumit Bose wrote:
>Hi,
>
>please find attached a backport to 1.13 of the given patch set including
>fixes from Lukas.
>
>Its intention is to fix https://fedorahosted.org/sssd/ticket/3118 /
>https://bugzilla.redhat.com/show_bug.cgi?id=1367802 without introducing
>a new patch. As a side-effect the issue with missing overridden names
>from group members is fixed as well. But since the patches touch
>various parts of the group lookup code they should be carefully tested for
>regressions.
>
ACK

http://sssd-ci.duckdns.org/logs/job/56/38/summary.html

LS


[SSSD] Re: [PATCHES] views: properly override group member names

2016-11-08 Thread Jakub Hrozek
On Tue, Nov 08, 2016 at 08:14:20AM +0100, Lukas Slebodnik wrote:
> On (26/07/16 22:05), Sumit Bose wrote:
> >On Tue, Jul 26, 2016 at 06:06:48PM +0200, Jakub Hrozek wrote:
> >> On Tue, Jul 26, 2016 at 05:25:11PM +0200, Jakub Hrozek wrote:
> >> > On Tue, Jul 26, 2016 at 01:51:56PM +0200, Sumit Bose wrote:
> >> > > > > The third patch adds a sysdb call to recursively resolve all
> >> > > > > user-members of a group. Since the groups in SSSD's cache are
> >> > > > > hierarchically organized the member attribute only contains direct
> >> > > > > user and group members. To get all users the group members must be
> >> > > > > resolved recursively.
> >> > > > 
> >> > > > Would dereferencing memberof:top-level-group yield different results?
> >> > > 
> >> > > It worked in my testing but I have to admit that I'm not sure if it can
> >> > > be used reliably all the time, i.e. is independent of all the different
> >> > > lookup sequences you can have with nested groups. If you are sure it is
> >> > > reliable, the call can be simplified.
> >> > 
> >> > This is how memberof is supposed to work. I haven't tested all
> >> > scenarios either (if there are some corner cases you'd like me to test,
> >> > just let me know), but if there are differences, I would say these would
> >> > be bugs in the memberof plugin and should be fixed.
> >> 
> >> btw the patches seem to work fine, I tested getent passwd on an
> >> overridden user, getent group on a group this user is a memberof (both an
> >> AD group and an IPA group with an external group in it) and id of this
> >> user.
> >> 
> >> All lookups show the expected data. Coverity is clean and CI passed.
> >> 
> >> Therefore provisional ACK - the only remaining point remains the recursive
> >> member vs. memberof part. I don't mind accepting the patch as-is now,
> >> if we agree to open a ticket and switch to memberof later in 1.14.
> >
> >Please have a look at attached patch, it replaces the recursive member
> >based lookup by a (memberof=group_dn) search. It works well for me in
> >some basic tests.
> >
> >bye,
> >Sumit
> >
> 
> >From ee8ebcec8062d75e98da796b291973fd96d45b1c Mon Sep 17 00:00:00 2001
> >From: Sumit Bose 
> >Date: Tue, 26 Jul 2016 21:30:41 +0200
> >Subject: [PATCH] sysdb_get_user_members_recursively: use memberof search
> >
> >---
> > src/db/sysdb_ops.c  | 181 
> > 
> > src/tests/cmocka/test_nss_srv.c |  30 +++
> > 2 files changed, 33 insertions(+), 178 deletions(-)
> >
> Jakub,
> 
> is there a reason why this patch has not been pushed to master yet?

Please see the earlier replies in this thread. We agreed with Sumit to
squash this patch into the previous ones, so if you take a look at
17bfd9f69251781140e4b2b55ffeb649d7a79e86 it already uses memberof
search.
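The open question in the thread above is whether a single (memberof=group_dn) search returns the same users as walking the member attribute recursively. What follows is an added example, not SSSD code and not its sysdb API: a small Python model over a constructed in-memory cache (every DN, user and group in it is made up) in which, as the thread describes, a group's member attribute holds only its direct user and group members. It implements both strategies, maintains the memberof attribute by hand (the job SSSD delegates to its memberof ldb plugin), and checks that they agree for every group, including a deliberately cyclic nesting (eng and eng-leads contain each other) that the recursive walk has to guard against.

```python
# Added example (not SSSD code): models the two lookup strategies discussed
# in the thread for collecting all user members of a group when the cache
# stores only direct members. All DNs below are constructed sample data.
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Constructed sample cache: "member" lists direct user and group members only.
# eng and eng-leads reference each other on purpose so that the recursive
# walk must cope with a cycle.
CACHE: Dict[str, Entry] = {
    "cn=all-staff,ou=groups": {"member": ["cn=eng,ou=groups",
                                           "cn=sales,ou=groups",
                                           "uid=ceo,ou=users"]},
    "cn=eng,ou=groups":       {"member": ["cn=eng-leads,ou=groups",
                                           "uid=alice,ou=users"]},
    "cn=eng-leads,ou=groups": {"member": ["uid=bob,ou=users",
                                           "cn=eng,ou=groups"]},
    "cn=sales,ou=groups":     {"member": ["uid=carol,ou=users"]},
    "uid=ceo,ou=users":   {},
    "uid=alice,ou=users": {},
    "uid=bob,ou=users":   {},
    "uid=carol,ou=users": {},
}


def is_group(dn: str) -> bool:
    """Group entries live under ou=groups in this sample directory."""
    return dn.endswith(",ou=groups")


def users_via_recursive_member(cache: Dict[str, Entry], group_dn: str) -> Set[str]:
    """Strategy 1: follow 'member' downwards, recursing into nested groups.

    The 'seen' set is what makes this safe on cyclic nesting; without it the
    walk never terminates on eng <-> eng-leads.
    """
    users: Set[str] = set()
    seen: Set[str] = set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for member in cache[dn].get("member", []):
            if is_group(member):
                stack.append(member)
            else:
                users.add(member)
    return users


def compute_memberof(cache: Dict[str, Entry]) -> Dict[str, Set[str]]:
    """Build the transitive 'memberof' attribute for every entry.

    This is the bookkeeping a memberof plugin performs on each write; it is
    done eagerly here so that the flat search below has data to query.
    """
    memberof: Dict[str, Set[str]] = {dn: set() for dn in cache}
    for group_dn in filter(is_group, cache):
        seen: Set[str] = set()
        stack = list(cache[group_dn].get("member", []))
        while stack:
            dn = stack.pop()
            if dn in seen:
                continue
            seen.add(dn)
            memberof[dn].add(group_dn)
            if is_group(dn):
                stack.extend(cache[dn].get("member", []))
    return memberof


def users_via_memberof_search(cache: Dict[str, Entry],
                              memberof: Dict[str, Set[str]],
                              group_dn: str) -> Set[str]:
    """Strategy 2: one flat search, the equivalent of (memberof=group_dn)
    restricted to user entries, with no recursion at lookup time."""
    return {dn for dn in cache
            if not is_group(dn) and group_dn in memberof[dn]}


def strategies_agree(cache: Dict[str, Entry]) -> bool:
    """True when both strategies yield the same user set for every group."""
    memberof = compute_memberof(cache)
    return all(users_via_recursive_member(cache, g)
               == users_via_memberof_search(cache, memberof, g)
               for g in filter(is_group, cache))


if __name__ == "__main__":
    mo = compute_memberof(CACHE)
    for g in sorted(filter(is_group, CACHE)):
        print(g, sorted(users_via_recursive_member(CACHE, g)),
              sorted(users_via_memberof_search(CACHE, mo, g)))
    print("consistent:", strategies_agree(CACHE))
```

The point the model makes is the one Jakub raises: once memberof is maintained correctly on every write, the flat search is a single filter and cannot diverge from the recursive walk, so any difference observed between the two is a bug in the memberof maintenance rather than in the lookup. The cost moves from lookup time to write time, which is why the plugin, not the caller, has to handle cycles and partial nestings.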


[SSSD] [sssd PR#73][-Changes requested] AD_PROVIDER: Enabled subdomains (1.13)

2016-11-08 Thread celestian
  URL: https://github.com/SSSD/sssd/pull/73
Title: #73: AD_PROVIDER: Enabled subdomains (1.13)

Label: -Changes requested


[SSSD] [sssd PR#73][comment] AD_PROVIDER: Enabled subdomains (1.13)

2016-11-08 Thread celestian
  URL: https://github.com/SSSD/sssd/pull/73
Title: #73: AD_PROVIDER: Enabled subdomains (1.13)

celestian commented:
"""
I pushed a new version with ```(cherry picked from commit...```
(it is done manually)
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/73#issuecomment-259075858


[SSSD] [sssd PR#73][synchronized] AD_PROVIDER: Enabled subdomains (1.13)

2016-11-08 Thread celestian
   URL: https://github.com/SSSD/sssd/pull/73
Author: celestian
 Title: #73: AD_PROVIDER: Enabled subdomains (1.13)
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/73/head:pr73
git checkout pr73
From 6c22ced196f0b230c7e830a7f60bf607c262b0dd Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Fri, 13 May 2016 05:21:07 -0400
Subject: [PATCH 1/4] AD_PROVIDER: Add ad_enabled_domains option

Resolves:
https://fedorahosted.org/sssd/ticket/2828

(cherry picked from commit d6342c92c226becbdd254f90a0005b8c00c300dc)
---
 src/config/SSSDConfig/__init__.py.in   |  1 +
 src/config/etc/sssd.api.d/sssd-ad.conf |  1 +
 src/man/sssd-ad.5.xml  | 27 +++
 src/providers/ad/ad_common.h   |  1 +
 src/providers/ad/ad_opts.c |  1 +
 5 files changed, 31 insertions(+)

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index ae9f973..11c290b 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -185,6 +185,7 @@ option_strings = {
 
 # [provider/ad]
 'ad_domain' : _('Active Directory domain'),
+'ad_enabled_domains' : _('Enabled Active Directory domains'),
 'ad_server' : _('Active Directory server address'),
 'ad_backup_server' : _('Active Directory backup server address'),
 'ad_hostname' : _('Active Directory client hostname'),
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 23006d2..0d16387 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -1,5 +1,6 @@
 [provider/ad]
 ad_domain = str, None, false
+ad_enabled_domains = str, None, false
 ad_server = str, None, false
 ad_backup_server = str, None, false
 ad_hostname = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 54a4b56..d7d7651 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -114,6 +114,33 @@ ldap_id_mapping = False
 
 
 
+ad_enabled_domains (string)
+
+
+A comma-separated list of enabled Active Directory domains.
+If provided, SSSD will ignore any domains not listed in this
+option. If left unset, all domains from the AD forest will
+be available.
+
+
+For proper operation, this option must be specified in all
+lower-case and as the fully qualified domain name of the
+Active Directory domain. For example:
+
+ad_enabled_domains = sales.example.com, eng.example.com
+
+
+
+The short domain name (also known as the NetBIOS or the flat
+name) will be autodetected by SSSD.
+
+
+Default: Not set
+
+
+
+
+
 ad_server, ad_backup_server (string)
 
 
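Review bot: the paragraph starting "If provided, SSSD will ignore any domains not listed in this option" does not say whether the domain SSSD is joined to (the ad_domain value) is implicitly enabled or must itself appear in the list; an administrator who sets "ad_enabled_domains = sales.example.com" while joined to example.com needs to know which behaviour to expect, so state it explicitly in this paragraph. The "all lower-case" and "fully qualified domain name" requirements are pushed entirely onto the administrator; unless the code that reads the option normalises case, a mixed-case entry silently excludes that domain, so either lower-case the value when it is parsed or document that a mismatch disables the domain rather than producing an error.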
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index c795a41..2f5f3a4 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -42,6 +42,7 @@ struct ad_options;
 
 enum ad_basic_opt {
 AD_DOMAIN = 0,
+AD_ENABLED_DOMAINS,
 AD_SERVER,
 AD_BACKUP_SERVER,
 AD_HOSTNAME,
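Review bot: inserting AD_ENABLED_DOMAINS between "AD_DOMAIN = 0" and AD_SERVER renumbers every later enumerator, which is only safe because the ad_opts.c hunk in this same patch adds the "ad_enabled_domains" entry to ad_basic_opts[] at the same position; the enumerator values are the indexes into that array, so the two must stay in lockstep. A short comment on the enum saying that its order mirrors ad_basic_opts[] would help the next person who adds an option, and for this 1.13 backport it is worth double-checking against the cherry-picked commit that the position matches master.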
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index 15024ad..aefcaaf 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -28,6 +28,7 @@
 
 struct dp_option ad_basic_opts[] = {
 { "ad_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+{ "ad_enabled_domains", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "ad_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "ad_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "ad_hostname", DP_OPT_STRING, NULL_STRING, NULL_STRING },

From f4f38d22ca23735b119dcdbed411da9ecf602b0e Mon Sep 17 00:00:00 2001
From: Petr Cech 
Date: Tue, 21 Jun 2016 08:34:15 +0200
Subject: [PATCH 2/4] AD_PROVIDER: Initializing of ad_enabled_domains

We add ad_enabled_domains into ad_subdomains_ctx.

Resolves:
https://fedorahosted.org/sssd/ticket/2828

(cherry picked from commit a82baf596bac1fdac6addca6419d8992111a8aa2)
---
 src/providers/ad/ad_subdomains.c | 81 
 1 file changed, 81 insertions(+)

diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index f7e7e62..c74e494 100644
--- a/src/providers/ad/ad_subdomains.c
+++