[SSSD] [sssd PR#194][comment] config-check: Message when sssd.conf is missing

2017-03-14 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/194
Title: #194: config-check: Message when sssd.conf is missing

jhrozek commented:
"""
if this patch is already written and you'd ack it otherwise then yes.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/194#issuecomment-286547773
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#194][comment] config-check: Message when sssd.conf is missing

2017-03-14 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/194
Title: #194: config-check: Message when sssd.conf is missing

lslebodn commented:
"""
BTW, I've just realized that a missing configuration file is not a problem since
commit a4837791f62283079e7be4b17efb769be8b2dfd1.

@jhrozek Do we want this patch just in 1.14?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/194#issuecomment-286534579


[SSSD] [sssd PR#187][synchronized] Add support to lookup for users/groups in subdomains just by the user shortname

2017-03-14 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/187
Author: fidencio
 Title: #187: Add support to lookup for users/groups in subdomains just by the 
user shortname
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/187/head:pr187
git checkout pr187
From 909e93ca67632abc0b93b1592dcede865ab5e14f Mon Sep 17 00:00:00 2001
From: Fabiano Fidêncio
Date: Wed, 1 Mar 2017 08:34:57 +
Subject: [PATCH 1/5] CACHE_REQ: Descend into subdomains on lookups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Let's make all plugins, but the "host_by_name", to descend into the
subdomains on lookups.

This patch basically prepares the field for the coming up patches that
will allow group/user resolution in all domains (or a subset of the
domains) to be possible by only using the short names without the domain
component.

The "host_by_name" plugin was not changed as it's a specific IPA plugin
and won't find anything on its subdomains.

Related:
https://pagure.io/SSSD/sssd/issue/3001

Signed-off-by: Fabiano Fidêncio 
---
 src/responder/common/cache_req/plugins/cache_req_enum_svc.c   | 2 +-
 src/responder/common/cache_req/plugins/cache_req_group_by_filter.c| 2 +-
 src/responder/common/cache_req/plugins/cache_req_group_by_name.c  | 2 +-
 src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c | 2 +-
 src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c   | 2 +-
 src/responder/common/cache_req/plugins/cache_req_object_by_name.c | 2 +-
 src/responder/common/cache_req/plugins/cache_req_svc_by_name.c| 2 +-
 src/responder/common/cache_req/plugins/cache_req_svc_by_port.c| 2 +-
 src/responder/common/cache_req/plugins/cache_req_user_by_filter.c | 2 +-
 src/responder/common/cache_req/plugins/cache_req_user_by_name.c   | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/src/responder/common/cache_req/plugins/cache_req_enum_svc.c b/src/responder/common/cache_req/plugins/cache_req_enum_svc.c
index 2c4917c..28dea33 100644
--- a/src/responder/common/cache_req/plugins/cache_req_enum_svc.c
+++ b/src/responder/common/cache_req/plugins/cache_req_enum_svc.c
@@ -68,7 +68,7 @@ const struct cache_req_plugin cache_req_enum_svc = {
 .allow_missing_fqn = true,
 .allow_switch_to_upn = false,
 .upn_equivalent = CACHE_REQ_SENTINEL,
-.get_next_domain_flags = 0,
+.get_next_domain_flags = SSS_GND_DESCEND,
 
 .is_well_known_fn = NULL,
 .prepare_domain_data_fn = NULL,
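Review bot: the commit message says every plugin except "host_by_name" now descends, but the only evidence per file is this one `.get_next_domain_flags = SSS_GND_DESCEND` line repeated across the ten files in the diffstat. Please list in the commit message which plugins already carried the flag, so a reviewer can confirm none was missed, and consider a one-line comment next to the field in the host_by_name plugin explaining why it stays at 0.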
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c b/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c
index 88e1137..6ce6ae0 100644
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c
@@ -123,7 +123,7 @@ const struct cache_req_plugin cache_req_group_by_filter = {
 .allow_missing_fqn = false,
 .allow_switch_to_upn = false,
 .upn_equivalent = CACHE_REQ_SENTINEL,
-.get_next_domain_flags = 0,
+.get_next_domain_flags = SSS_GND_DESCEND,
 
 .is_well_known_fn = NULL,
 .prepare_domain_data_fn = cache_req_group_by_filter_prepare_domain_data,
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_name.c b/src/responder/common/cache_req/plugins/cache_req_group_by_name.c
index be1eb9b..af6f23c 100644
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_name.c
@@ -186,7 +186,7 @@ const struct cache_req_plugin cache_req_group_by_name = {
 .allow_missing_fqn = false,
 .allow_switch_to_upn = false,
 .upn_equivalent = CACHE_REQ_SENTINEL,
-.get_next_domain_flags = 0,
+.get_next_domain_flags = SSS_GND_DESCEND,
 
 .is_well_known_fn = NULL,
 .prepare_domain_data_fn = cache_req_group_by_name_prepare_domain_data,
diff --git a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
index 10fb67c..307b65a 100644
--- a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
@@ -201,7 +201,7 @@ const struct cache_req_plugin cache_req_initgroups_by_name = {
 .allow_missing_fqn = false,
 .allow_switch_to_upn = true,
 .upn_equivalent = CACHE_REQ_INITGROUPS_BY_UPN,
-.get_next_domain_flags = 0,
+.get_next_domain_flags = SSS_GND_DESCEND,
 
 .is_well_known_fn = NULL,
 .prepare_domain_data_fn = cache_req_initgroups_by_name_prepare_domain_data,
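Review bot: in `cache_req_initgroups_by_name` the new `SSS_GND_DESCEND` sits next to `.allow_missing_fqn = false` and `.allow_switch_to_upn = true`, and neither the commit message nor a comment says how a short name that exists in both the parent domain and a subdomain is resolved once the later patches in the series enable short-name lookups. Since initgroups results feed access decisions, state the intended resolution order and add a test with the same short name in the parent domain and in a subdomain.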
diff --git a/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c b/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c
index bc6fc9a..e49d6d8 100644
--- 

[SSSD] [sssd PR#195][opened] UTIL: Typo in comment

2017-03-14 Thread mzidek-rh
   URL: https://github.com/SSSD/sssd/pull/195
Author: mzidek-rh
 Title: #195: UTIL: Typo in comment
Action: opened

PR body:
"""
I hope this patch makes it to the rebase. I do not understand how people were 
even able to use SSSD without it. Someone with deep knowledge of SSSD internals 
should start the review immediately.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/195/head:pr195
git checkout pr195
From 47a005f7d49929bb65ee9f0d43f07194cac2c97c Mon Sep 17 00:00:00 2001
From: Michal Židek
Date: Tue, 14 Mar 2017 18:20:43 +0100
Subject: [PATCH] UTIL: Typo in comment

---
 src/util/safe-format-string.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/util/safe-format-string.h b/src/util/safe-format-string.h
index 2f4796d..fdebcf9 100644
--- a/src/util/safe-format-string.h
+++ b/src/util/safe-format-string.h
@@ -42,7 +42,7 @@
  * Features:
  * - Only string 's' fields are supported
  * - All the varargs should be strings, followed by a NULL argument
- * - Both positional '%$1s' and non-positional '%s' are supported
+ * - Both positional '%1$s' and non-positional '%s' are supported
  * - Field widths '%8s' work as expected
  * - Precision '%.8s' works, but precision cannot be read from a field
  * - Left alignment flag is supported '%-8s'.


[SSSD] [sssd PR#194][comment] config-check: Message when sssd.conf is missing

2017-03-14 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/194
Title: #194: config-check: Message when sssd.conf is missing

mzidek-rh commented:
"""
On 03/14/2017 06:08 PM, lslebodn wrote:
> *@lslebodn* commented on this pull request.
>
> In src/tools/sssctl/sssctl_config.c:
>
>> @@ -63,7 +63,10 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
>
>  /* Open config file */
>  ret = sss_ini_config_file_open(init_data, SSSD_CONFIG_FILE);
> -if (ret != EOK) {
> +if (ret == ENOENT) {
> +ERROR("File "SSSD_CONFIG_FILE" does not exist.\n");
>
> Sorry for nitpicking but it is not very user-friendly for translators.
> In other places we use `"%1$s"`. Check src/tools/sss_useradd.c

Thanks for catching this. I did not realize that.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/194#issuecomment-286494143


[SSSD] [sssd PR#194][comment] config-check: Message when sssd.conf is missing

2017-03-14 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/194
Title: #194: config-check: Message when sssd.conf is missing

mzidek-rh commented:
"""
New version attached.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/194#issuecomment-286493411


[SSSD] [sssd PR#194][synchronized] config-check: Message when sssd.conf is missing

2017-03-14 Thread mzidek-rh
   URL: https://github.com/SSSD/sssd/pull/194
Author: mzidek-rh
 Title: #194: config-check: Message when sssd.conf is missing
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/194/head:pr194
git checkout pr194
From c55f0a898c0f97d2886defb8b78bcd4c540f4683 Mon Sep 17 00:00:00 2001
From: Michal Židek
Date: Tue, 14 Mar 2017 15:43:41 +0100
Subject: [PATCH] config-check: Message when sssd.conf is missing

sssctl config-check should print a message for user
if no sssd.conf was found.

Resolves:
https://pagure.io/SSSD/sssd/issue/3330
---
 src/tools/sssctl/sssctl_config.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/tools/sssctl/sssctl_config.c b/src/tools/sssctl/sssctl_config.c
index 630df3c..7e3ebf5 100644
--- a/src/tools/sssctl/sssctl_config.c
+++ b/src/tools/sssctl/sssctl_config.c
@@ -63,7 +63,10 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
 
 /* Open config file */
 ret = sss_ini_config_file_open(init_data, SSSD_CONFIG_FILE);
-if (ret != EOK) {
+if (ret == ENOENT) {
+ERROR("File %1$s does not exist.\n", SSSD_CONFIG_FILE);
+goto done;
+} else if (ret != EOK) {
 DEBUG(SSSDBG_TRACE_FUNC,
   "sss_ini_config_file_open failed: %s [%d]\n",
   sss_strerror(ret),
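Review bot: the new `ret == ENOENT` branch jumps to `done` before the `DEBUG(SSSDBG_TRACE_FUNC, ...)` call, so a missing file is reported on the terminal but no longer traced in the debug log; consider logging it in both branches. Also check that the `done` path turns `ret == ENOENT` into a non-zero exit status, so scripts that run `sssctl config-check` can tell a missing file from a clean configuration.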


[SSSD] [sssd PR#194][comment] config-check: Message when sssd.conf is missing

2017-03-14 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/194
Title: #194: config-check: Message when sssd.conf is missing

mzidek-rh commented:
"""
I agree with the comments. See new version pushed.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/194#issuecomment-286488429


[SSSD] [sssd PR#194][synchronized] config-check: Message when sssd.conf is missing

2017-03-14 Thread mzidek-rh
   URL: https://github.com/SSSD/sssd/pull/194
Author: mzidek-rh
 Title: #194: config-check: Message when sssd.conf is missing
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/194/head:pr194
git checkout pr194
From de84760db61c618ef75c65111f86041471b78ddd Mon Sep 17 00:00:00 2001
From: Michal Židek
Date: Tue, 14 Mar 2017 15:43:41 +0100
Subject: [PATCH] config-check: Message when sssd.conf is missing

sssctl config-check should print a message for user
if no sssd.conf was found.

Resolves:
https://pagure.io/SSSD/sssd/issue/3330
---
 src/tools/sssctl/sssctl_config.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/tools/sssctl/sssctl_config.c b/src/tools/sssctl/sssctl_config.c
index 630df3c..510e1c0 100644
--- a/src/tools/sssctl/sssctl_config.c
+++ b/src/tools/sssctl/sssctl_config.c
@@ -63,7 +63,10 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
 
 /* Open config file */
 ret = sss_ini_config_file_open(init_data, SSSD_CONFIG_FILE);
-if (ret != EOK) {
+if (ret == ENOENT) {
+ERROR("File "SSSD_CONFIG_FILE" does not exist.\n");
+goto done;
+} else if (ret != EOK) {
 DEBUG(SSSDBG_TRACE_FUNC,
   "sss_ini_config_file_open failed: %s [%d]\n",
   sss_strerror(ret),
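Review bot: `ERROR("File "SSSD_CONFIG_FILE" does not exist.\n")` splices the path macro into the format string, so any `%` in the configured path would be parsed as a conversion, and the translatable message changes with the build-time path. Pass the path as an argument instead, for example `ERROR("File %1$s does not exist.\n", SSSD_CONFIG_FILE);`.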


[SSSD] [sssd PR#194][comment] config-check: Message when sssd.conf is missing

2017-03-14 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/194
Title: #194: config-check: Message when sssd.conf is missing

lslebodn commented:
"""
There are a few inline comments
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/194#issuecomment-286485973


[SSSD] [sssd PR#187][+Changes requested] Add support to lookup for users/groups in subdomains just by the user shortname

2017-03-14 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/187
Title: #187: Add support to lookup for users/groups in subdomains just by the 
user shortname

Label: +Changes requested


[SSSD] [sssd PR#194][synchronized] config-check: Message when sssd.conf is missing

2017-03-14 Thread mzidek-rh
   URL: https://github.com/SSSD/sssd/pull/194
Author: mzidek-rh
 Title: #194: config-check: Message when sssd.conf is missing
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/194/head:pr194
git checkout pr194
From 2c8793ee2d5fb981337bf65b0096bc7c97ef9cad Mon Sep 17 00:00:00 2001
From: Michal Židek
Date: Tue, 14 Mar 2017 15:43:41 +0100
Subject: [PATCH] config-check: Message when sssd.conf is missing

sssctl config-check should print a message for user
if no sssd.conf was found.

Resolves:
https://pagure.io/SSSD/sssd/issue/3330
---
 src/tools/sssctl/sssctl_config.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/tools/sssctl/sssctl_config.c b/src/tools/sssctl/sssctl_config.c
index 630df3c..1a7daa1 100644
--- a/src/tools/sssctl/sssctl_config.c
+++ b/src/tools/sssctl/sssctl_config.c
@@ -64,6 +64,9 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
 /* Open config file */
 ret = sss_ini_config_file_open(init_data, SSSD_CONFIG_FILE);
 if (ret != EOK) {
+if (ret == ENOENT) {
+ERROR("SSSD configuration file does not exist.\n");
+}
 DEBUG(SSSDBG_TRACE_FUNC,
   "sss_ini_config_file_open failed: %s [%d]\n",
   sss_strerror(ret),
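Review bot: the added `ERROR("SSSD configuration file does not exist.\n")` line does not say which path was checked, which leaves the user guessing when the build-time `SSSD_CONFIG_FILE` is not the location they expect. Include the path as a format argument rather than hard-coding the wording, and keep the nested `ret == ENOENT` test so the generic DEBUG line below still runs.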


[SSSD] [sssd PR#194][comment] config-check: Message when sssd.conf is missing

2017-03-14 Thread celestian
  URL: https://github.com/SSSD/sssd/pull/194
Title: #194: config-check: Message when sssd.conf is missing

celestian commented:
"""
LGTM and I pushed it to CI test.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/194#issuecomment-286474277


[SSSD] [sssd PR#194][comment] config-check: Message when sssd.conf is missing

2017-03-14 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/194
Title: #194: config-check: Message when sssd.conf is missing

mzidek-rh commented:
"""
To test just remove the sssd.conf file and do sssctl config-check.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/194#issuecomment-286467249


[SSSD] [sssd PR#194][opened] config-check: Message when sssd.conf is missing

2017-03-14 Thread mzidek-rh
   URL: https://github.com/SSSD/sssd/pull/194
Author: mzidek-rh
 Title: #194: config-check: Message when sssd.conf is missing
Action: opened

PR body:
"""
sssctl config-check should print a message for user
if no sssd.conf was found.

Resolves:
https://pagure.io/SSSD/sssd/issue/3330
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/194/head:pr194
git checkout pr194
From bc275a55aa03619167eb71a8275f1f8c194573ac Mon Sep 17 00:00:00 2001
From: Michal Židek
Date: Tue, 14 Mar 2017 15:43:41 +0100
Subject: [PATCH] config-check: Message when sssd.conf is missing

sssctl config-check should print a message for user
if no sssd.conf was found.

Resolves:
https://pagure.io/SSSD/sssd/issue/3330
---
 src/tools/sssctl/sssctl_config.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/tools/sssctl/sssctl_config.c b/src/tools/sssctl/sssctl_config.c
index 630df3c..1a7daa1 100644
--- a/src/tools/sssctl/sssctl_config.c
+++ b/src/tools/sssctl/sssctl_config.c
@@ -64,6 +64,9 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
 /* Open config file */
 ret = sss_ini_config_file_open(init_data, SSSD_CONFIG_FILE);
 if (ret != EOK) {
+if (ret == ENOENT) {
+ERROR("SSSD configuration file does not exist.\n");
+}
 DEBUG(SSSDBG_TRACE_FUNC,
   "sss_ini_config_file_open failed: %s [%d]\n",
   sss_strerror(ret),


[SSSD] [sssd PR#152][+Pushed] Add a tevent wrapper around libcurl's asynchronous interface

2017-03-14 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

Label: +Pushed


[SSSD] [sssd PR#152][comment] Add a tevent wrapper around libcurl's asynchronous interface

2017-03-14 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

lslebodn commented:
"""
master:

* 91b0592cdab22915dff27ceae6d8e49c608aea4a
* ca90f2102a43a3d49a2ef26610d7b4ff3062a823
* 321ca28277cbf9882769537fd4c0dfaea224c86e
* 9a9b5e115b079751422be22fd252c0b283611c62
* cab319e2db4b3d85dcadbfdf4c88939df103892e
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/152#issuecomment-286407564


[SSSD] [sssd PR#152][closed] Add a tevent wrapper around libcurl's asynchronous interface

2017-03-14 Thread lslebodn
   URL: https://github.com/SSSD/sssd/pull/152
Author: jhrozek
 Title: #152: Add a tevent wrapper around libcurl's asynchronous interface
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/152/head:pr152
git checkout pr152


[SSSD] [sssd PR#152][comment] Add a tevent wrapper around libcurl's asynchronous interface

2017-03-14 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

pbrezina commented:
"""
On 03/14/2017 12:19 PM, Jakub Hrozek wrote:
> On Tue, Mar 14, 2017 at 03:22:19AM -0700, Pavel Březina wrote:
>> The changes look good, although I would say that disabling `Expect:
>> 100-continue` is not the way to go in the long term.
>
> Would you prefer if this wasn't directly in the tcurl layer, but only in
> the callers to keep the tcurl layer generic?

No, given the use case we can keep it there.

>
>> I believe the problem lies
>> in `secrets` responder that does not handle this properly. I agree
> that the
>> responder is not supposed to be a full HTTP server, however given the fact
>> that this is default behavior of `libcurl` we should implement it (later).
>
> Right, so the purpose of the Expect 100: Continue is to send the request
> without the (potentially large) POST data, let the server validate the
> request and if it's invalid, let it reply with an error code. If the
> request is valid, let it send 100: Continue which triggers sending the
> data to the server.
>
> Which is why there was the potential timeout, libcurl was waiting for
> the 100: continue which never came..

Yes. And because libcurl will be used by users in their programs to 
communicate with secrets responder we should document it for the moment 
and fix it in some future version.


"""

See the full comment at 
https://github.com/SSSD/sssd/pull/152#issuecomment-286401298
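
The server-side decision described in the exchange above (validate the request head first, then either reject it or send `100 Continue` so the client releases the body), as an added example that is not SSSD code and not part of the thread. `decide_interim_response`, `find_header`, `MAX_BODY_BYTES` and the sample requests are assumptions made up for the illustration.

```c
/* Added example: decide, from the request head alone, how a small HTTP
 * responder should answer a client that sent "Expect: 100-continue".
 * All names and limits here are hypothetical, not SSSD code. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY_BYTES 4096L   /* assumed body limit for the example */

enum interim {
    INTERIM_NONE = 0,            /* no Expect header: just read the body */
    INTERIM_CONTINUE = 100,      /* head is acceptable, ask for the body */
    INTERIM_BAD_REQUEST = 400,
    INTERIM_TOO_LARGE = 413,
    INTERIM_EXPECT_FAILED = 417  /* an expectation we do not implement */
};

/* Case-insensitive comparison of the first n bytes. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) {
            return 0;
        }
        if (a[i] == '\0') {
            return 1;
        }
    }
    return 1;
}

/* Copy the trimmed value of header `name` into out.
 * Returns 1 if found, 0 if absent, -1 if the value does not fit. */
static int find_header(const char *head, const char *name,
                       char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *line = strstr(head, "\r\n");   /* skip the request line */

    while (line != NULL) {
        line += 2;
        if (*line == '\r' || *line == '\0') {
            break;                             /* blank line ends the head */
        }
        if (ieq(line, name, nlen) && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            const char *end = strstr(v, "\r\n");
            if (end == NULL) end = v + strlen(v);
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            while (end > v && (end[-1] == ' ' || end[-1] == '\t')) end--;
            size_t len = (size_t)(end - v);
            if (len >= outlen) return -1;
            memcpy(out, v, len);
            out[len] = '\0';
            return 1;
        }
        line = strstr(line, "\r\n");
    }
    return 0;
}

/* Returns the status to send before any body byte has been read. */
int decide_interim_response(const char *head)
{
    char expect[64], clen[32];
    int has_expect = find_header(head, "Expect", expect, sizeof(expect));
    int has_len = find_header(head, "Content-Length", clen, sizeof(clen));

    if (has_expect < 0 || has_len < 0) return INTERIM_BAD_REQUEST;

    if (has_len == 1) {
        char *endp = NULL;
        long n;
        /* Digits only: strtol alone would accept signs and whitespace. */
        if (!isdigit((unsigned char)clen[0])) return INTERIM_BAD_REQUEST;
        errno = 0;
        n = strtol(clen, &endp, 10);
        if (errno != 0 || *endp != '\0') return INTERIM_BAD_REQUEST;
        /* Reject an oversized upload before the client sends it. */
        if (n > MAX_BODY_BYTES) return INTERIM_TOO_LARGE;
    }

    if (has_expect == 0) return INTERIM_NONE;
    if (strlen(expect) != 12 || !ieq(expect, "100-continue", 12)) {
        return INTERIM_EXPECT_FAILED;
    }
    /* Without this answer the client waits, which is the timeout
     * discussed in the thread. */
    return INTERIM_CONTINUE;
}

/* Constructed sample request heads (not captured traffic). */
static const char SAMPLE_OK[] =
    "PUT /example/item HTTP/1.1\r\nHost: localhost\r\n"
    "Expect: 100-continue\r\nContent-Length: 12\r\n\r\n";
static const char SAMPLE_BIG[] =
    "PUT /example/item HTTP/1.1\r\nHost: localhost\r\n"
    "Expect: 100-continue\r\nContent-Length: 1048576\r\n\r\n";

int main(void)
{
    printf("small upload -> %d\n", decide_interim_response(SAMPLE_OK));
    printf("large upload -> %d\n", decide_interim_response(SAMPLE_BIG));
    return 0;
}
```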


[SSSD] [sssd PR#154][-Accepted] Confront caches first

2017-03-14 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/154
Title: #154: Confront caches first

Label: -Accepted


[SSSD] [sssd PR#154][comment] Confront caches first

2017-03-14 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/154
Title: #154: Confront caches first

jhrozek commented:
"""
606015a4f71d8ee809347188667d268f73110483
8bb6680637ead03e24a38d15ec5265d11a920a1d
9286d0d4143bcb4e36b91022107e307998122bbb
7cd226414c7bcdd32f05416df64ebda3ac869bd7
828fe7528fbe6971701d16aed87ba12dd91da55f
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/154#issuecomment-286395764


[SSSD] [sssd PR#154][+Pushed] Confront caches first

2017-03-14 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/154
Title: #154: Confront caches first

Label: +Pushed


[SSSD] [sssd PR#154][closed] Confront caches first

2017-03-14 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/154
Author: fidencio
 Title: #154: Confront caches first
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/154/head:pr154
git checkout pr154


[SSSD] [sssd PR#186][comment] Subdomain config

2017-03-14 Thread mzidek-rh
  URL: https://github.com/SSSD/sssd/pull/186
Title: #186: Subdomain config

mzidek-rh commented:
"""
Ok, I added the ad_server, ad_site and ad_backup_server to this patchset (it is 
only 14 lines and the testing is almost the same, so I guess it makes sense).

I also updated the MAN page patch to include these options.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/186#issuecomment-286395594


[SSSD] [sssd PR#186][synchronized] Subdomain config

2017-03-14 Thread mzidek-rh
   URL: https://github.com/SSSD/sssd/pull/186
Author: mzidek-rh
 Title: #186: Subdomain config
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/186/head:pr186
git checkout pr186
From 546b3153d9ecd1082dd879a38853db9e6d61bfe5 Mon Sep 17 00:00:00 2001
From: Michal Židek
Date: Wed, 1 Mar 2017 13:57:52 +0100
Subject: [PATCH 1/4] data_provider: Fix typo in DEBUG message

---
 src/providers/ipa/ipa_subdomains_server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index 50f0619..ddd66bf 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -231,7 +231,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
 ret = dp_opt_set_string(ad_options->id->basic, SDAP_USER_EXTRA_ATTRS,
 extra_attrs);
 if (ret != EOK) {
-DEBUG(SSSDBG_OP_FAILURE, "dp_opt_get_string failed.\n");
+DEBUG(SSSDBG_OP_FAILURE, "dp_opt_set_string failed.\n");
 talloc_free(ad_options);
 return ret;
 }
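Review bot: the corrected `"dp_opt_set_string failed.\n"` message still drops `ret`, although it is set on the call just above; add the code and its text, along the lines of `"dp_opt_set_string failed [%d]: %s\n", ret, sss_strerror(ret)`, so the log says why the option could not be set.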

From e03d02e540a039b61dbfeb967f58845151379a50 Mon Sep 17 00:00:00 2001
From: Michal Židek
Date: Thu, 2 Mar 2017 02:47:11 +0100
Subject: [PATCH 2/4] SUBDOMAINS: Configurable search bases

Added new trusted domain section in the
sssd.conf where the search bases for the
trusted domain can be specified.

Resolves:
https://pagure.io/SSSD/sssd/issue/2599
---
 src/providers/ad/ad_common.c  | 274 ++
 src/providers/ad/ad_common.h  |  22 ++-
 src/providers/ad/ad_subdomains.c  |  13 +-
 src/providers/ipa/ipa_subdomains_server.c |  37 +++-
 src/tests/cmocka/test_ad_common.c |  52 +++---
 5 files changed, 250 insertions(+), 148 deletions(-)

diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 9a6fece..ec952d3 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -33,6 +33,13 @@ errno_t ad_set_search_bases(struct sdap_options *id_opts);
 static errno_t ad_set_sdap_options(struct ad_options *ad_opts,
struct sdap_options *id_opts);
 
+char *create_subdom_conf_path(TALLOC_CTX *mem_ctx,
+  const char *conf_path,
+  const char *subdom_name)
+{
+return talloc_asprintf(mem_ctx, "%s/%s", conf_path, subdom_name);
+}
+
 static struct sdap_options *
 ad_create_default_sdap_options(TALLOC_CTX *mem_ctx)
 {
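Review bot: `create_subdom_conf_path()` is added as a non-static function with no doc comment; document that it returns NULL when `talloc_asprintf()` fails and that the result is owned by `mem_ctx`, so callers know to check it. The subdomain name is joined with a bare `"%s/%s"`, so say here (or check) what happens if `subdom_name` is NULL or contains `/`.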
@@ -107,8 +114,119 @@ ad_create_default_sdap_options(TALLOC_CTX *mem_ctx)
 return NULL;
 }
 
+static errno_t
+ad_create_sdap_options(TALLOC_CTX *mem_ctx,
+   struct confdb_ctx *cdb,
+   const char *conf_path,
+   struct sdap_options **_id_opts)
+{
+struct sdap_options *id_opts;
+errno_t ret = EOK;
+
+if (cdb == NULL || conf_path == NULL) {
+/* Fallback to defaults if there is no confdb */
+id_opts = ad_create_default_sdap_options(mem_ctx);
+if (id_opts == NULL) {
+DEBUG(SSSDBG_CRIT_FAILURE,
+  "Failed to initialize default sdap options\n");
+ret = EIO;
+}
+/* Nothing to do without cdb */
+goto done;
+}
+
+id_opts = talloc_zero(mem_ctx, struct sdap_options);
+if (!id_opts) {
+ret = ENOMEM;
+goto done;
+}
+
+ret = dp_get_options(id_opts, cdb, conf_path,
+ ad_def_ldap_opts,
+ SDAP_OPTS_BASIC,
+ _opts->basic);
+if (ret != EOK) {
+goto done;
+}
+
+/* Get sdap option maps */
+
+/* General Attribute Map */
+ret = sdap_get_map(id_opts,
+   cdb, conf_path,
+   ad_2008r2_attr_map,
+   SDAP_AT_GENERAL,
+   _opts->gen_map);
+if (ret != EOK) {
+goto done;
+}
+
+/* User map */
+ret = sdap_get_map(id_opts,
+   cdb, conf_path,
+   ad_2008r2_user_map,
+   SDAP_OPTS_USER,
+   _opts->user_map);
+if (ret != EOK) {
+goto done;
+}
+
+ret = sdap_extend_map_with_list(id_opts, id_opts,
+SDAP_USER_EXTRA_ATTRS,
+id_opts->user_map,
+SDAP_OPTS_USER,
+_opts->user_map,
+_opts->user_map_cnt);
+if (ret != EOK) {
+goto done;
+}
+
+/* Group map */
+ret = sdap_get_map(id_opts,
+   cdb, conf_path,
+   ad_2008r2_group_map,
+   SDAP_OPTS_GROUP,
+
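Review bot: in `ad_create_sdap_options()` the fallback branch maps a NULL return from `ad_create_default_sdap_options()` to `ret = EIO`, while the `talloc_zero()` failure a few lines later returns `ENOMEM`; pick one convention, or have the helper return an errno_t. The repeated `if (ret != EOK) { goto done; }` blocks after `dp_get_options()` and `sdap_get_map()` carry no DEBUG line, so a failure cannot be attributed to a call or to `conf_path` from the logs; add a message naming both.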

[SSSD] [sssd PR#152][comment] Add a tevent wrapper around libcurl's asynchronous interface

2017-03-14 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

jhrozek commented:
"""
On Tue, Mar 14, 2017 at 03:31:45AM -0700, lslebodn wrote:
> BTW `util/sss_iobuf.h` includes itself
> 
> following diff fixes it
> ```
> diff --git a/src/tests/cmocka/test_iobuf.c b/src/tests/cmocka/test_iobuf.c
> index eaee966e5..489cc2c5d 100644
> --- a/src/tests/cmocka/test_iobuf.c
> +++ b/src/tests/cmocka/test_iobuf.c
> @@ -29,6 +29,7 @@
>  #include 
>  
>  #include "util/sss_iobuf.h"
> +#include "util/util.h"
>  
>  static void test_sss_iobuf_read(void **state)
>  {
> diff --git a/src/util/sss_iobuf.h b/src/util/sss_iobuf.h
> index e546d5996..eae357a40 100644
> --- a/src/util/sss_iobuf.h
> +++ b/src/util/sss_iobuf.h
> @@ -5,8 +5,9 @@
>  #include 
>  #include 
>  
> -#include "util/util.h"
> -#include "util/sss_iobuf.h"
> +#include "util/util_errors.h"
> +
> +struct sss_iobuf;
>  
>  /*
>   * @brief Allocate an empty IO buffer
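Review bot: in `src/util/sss_iobuf.h`, replacing `util/util.h` with `util/util_errors.h` means any file that relied on this header to pull in `util/util.h` now needs its own include, as `test_iobuf.c` gets in the first hunk; check the other includers of `sss_iobuf.h` in the same change.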

Thanks, merged.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/152#issuecomment-286392967


[SSSD] [sssd PR#152][comment] Add a tevent wrapper around libcurl's asynchronous interface

2017-03-14 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

jhrozek commented:
"""
On Tue, Mar 14, 2017 at 03:29:17AM -0700, lslebodn wrote:
> On (14/03/17 01:34), Jakub Hrozek wrote:
> >I squashed one last trivial change that just checks the return value of the 
> >option set:
> >```
> >diff --git a/src/util/tev_curl.c b/src/util/tev_curl.c
> >index b966a78..233ad2c 100644
> >--- a/src/util/tev_curl.c
> >+++ b/src/util/tev_curl.c
> >@@ -832,6 +832,12 @@ static errno_t tcurl_set_options(struct 
> >tcurl_http_state *state,
> > crv = curl_easy_setopt(state->http_handle,
> >CURLOPT_INFILESIZE_LARGE,
> >sss_iobuf_get_size(state->inbuf));
> 
> gcc on my machine complains that the last argument has the wrong type
> 
> ```
> In function ‘tcurl_set_options’,
> inlined from ‘tcurl_http_send’ at src/util/tev_curl.c:625:9:
> src/util/tev_curl.c:835:15: error: call to ‘_curl_easy_setopt_err_curl_off_t’ 
> declared with attribute warning: curl_easy_setopt expects a curl_off_t 
> argument for this option [-Werror]
>  crv = curl_easy_setopt(state->http_handle,
>^~~~
> cc1: all warnings being treated as errors
> ```
> 
> I am not sure whether you have `/usr/include/curl/typecheck-gcc.h` on your
> machine. I have curl-7.53.1-3.fc26.
> 
> 
> >+if (crv != CURLE_OK) {
> >+DEBUG(SSSDBG_OP_FAILURE,
> >+  "Failed to set CURLOPT_INFILESIZE_LARGE [%d]: %s\n",
> >+  crv, curl_easy_strerror(crv));
> >+return EIO;
> >+}
> > 
> > ret = tcurl_set_read_options(state);
> > if (ret != EOK) {
> >```
> 
> But there are a few more warnings
> In function ‘handle_curlmsg_done’,
> inlined from ‘process_curl_activity.isra.0’ at src/util/tev_curl.c:252:13:
> src/util/tev_curl.c:208:11: error: call to ‘_curl_easy_getinfo_err_string’ 
> declared with attribute warning: curl_easy_getinfo expects a pointer to 'char 
> *' for this info [-Werror]
>  crv = curl_easy_getinfo(easy_handle, CURLINFO_PRIVATE, );
>^
> src/util/tev_curl.c:234:11: error: call to ‘_curl_easy_getinfo_err_long’ 
> declared with attribute warning: curl_easy_getinfo expects a pointer to long 
> for this info [-Werror]
>  crv = curl_easy_getinfo(easy_handle, CURLINFO_RESPONSE_CODE, 
> >http_code);
>^
> 
> 
> and here is a diff which suppresses the warnings for me. Not sure whether it is
> the best solution.
> ```
> diff --git a/src/util/tev_curl.c b/src/util/tev_curl.c
> index 233ad2c49..ea9987e68 100644
> --- a/src/util/tev_curl.c
> +++ b/src/util/tev_curl.c
> @@ -94,7 +94,7 @@ struct tcurl_http_state {
>  
>  /* Output data */
>  struct sss_iobuf *outbuf;
> -int http_code;
> +long http_code;
>  };
>  
>  static errno_t curl_code2errno(CURLcode crv)
> @@ -205,7 +205,7 @@ static void handle_curlmsg_done(CURLMsg *message)
>  }
>  }
>  
> -crv = curl_easy_getinfo(easy_handle, CURLINFO_PRIVATE, );
> +crv = curl_easy_getinfo(easy_handle, CURLINFO_PRIVATE, (void *));
>  if (crv != CURLE_OK) {
>  DEBUG(SSSDBG_CRIT_FAILURE,
>"Cannot get CURLINFO_PRIVATE [%d]: %s\n",
> @@ -831,7 +831,7 @@ static errno_t tcurl_set_options(struct tcurl_http_state 
> *state,
>  /* Causes libcurl to add a sane Content-Length header */
>  crv = curl_easy_setopt(state->http_handle,
> CURLOPT_INFILESIZE_LARGE,
> -   sss_iobuf_get_size(state->inbuf));
> +   (curl_off_t)sss_iobuf_get_size(state->inbuf));
>  if (crv != CURLE_OK) {
>  DEBUG(SSSDBG_OP_FAILURE,
>"Failed to set CURLOPT_INFILESIZE_LARGE [%d]: %s\n",
> ```

I think this is fine. Thanks, merged.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/152#issuecomment-286392933


[SSSD] [sssd PR#152][comment] Add a tevent wrapper around libcurl's asynchronous interface

2017-03-14 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

jhrozek commented:
"""
On Tue, Mar 14, 2017 at 03:22:19AM -0700, Pavel Březina wrote:
> The changes look good, although I would say that disabling `Expect:
> 100-continue` is not the way to go in the long term.

Would you prefer if this wasn't directly in the tcurl layer, but only in
the callers to keep the tcurl layer generic?

> I believe the problem lies
> in `secrets` responder that does not handle this properly. I agree that the
> responder is not supposed to be a full HTTP server, however given the fact
> that this is default behavior of `libcurl` we should implement it (later).

Right, so the purpose of the Expect 100: Continue is to send the request
without the (potentially large) POST data, let the server validate the
request and if it's invalid, let it reply with an error code. If the
request is valid, let it send 100: Continue which triggers sending the
data to the server.

Which is why there was the potential timeout, libcurl was waiting for
the 100: continue which never came.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/152#issuecomment-286392184
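
The handshake described in the comment above, seen from the server side, as an added example (not code from SSSD or from this thread). It decides from a request head alone whether to answer `100 Continue`, reject the request unread, or simply read the body; the function names, the 400/413/417 choices and the size limit are assumptions, and the request in `main` is constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What a server does once it has the request head, before reading any body. */
enum interim_action {
    READ_BODY,          /* no Expect header: the client sends the body unprompted */
    SEND_100_CONTINUE,  /* head accepted: ask the client to send the body */
    SEND_400,           /* no usable Content-Length to judge the body by */
    SEND_413,           /* announced body exceeds the limit: reject it unread */
    SEND_417            /* an expectation this server does not implement */
};

/* ASCII case-insensitive comparison of the first n bytes of a and b. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) {
            return 0;
        }
    }
    return 1;
}

/* Copy the trimmed value of header `name` into out.
 * Returns 1 if found, 0 if absent, -1 if the value does not fit. */
static int find_header(const char *head, const char *name,
                       char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *eol = strstr(head, "\r\n");     /* end of the request line */

    while (eol != NULL && eol[2] != '\0' && eol[2] != '\r') {
        const char *line = eol + 2;
        eol = strstr(line, "\r\n");
        if (ieq(line, name, nlen) && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            const char *end = (eol != NULL) ? eol : v + strlen(v);
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            while (end > v && (end[-1] == ' ' || end[-1] == '\t')) end--;
            if ((size_t)(end - v) >= outlen) return -1;
            memcpy(out, v, (size_t)(end - v));
            out[end - v] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Judge the request from its head alone, which is the point of the handshake. */
enum interim_action decide_interim(const char *head, unsigned long max_body)
{
    char val[32];
    char *end = NULL;
    unsigned long len;
    int rc = find_header(head, "Expect", val, sizeof(val));

    if (rc == 0) return READ_BODY;
    if (rc < 0 || strlen(val) != 12 || !ieq(val, "100-continue", 12)) {
        return SEND_417;
    }
    rc = find_header(head, "Content-Length", val, sizeof(val));
    if (rc != 1 || !isdigit((unsigned char)val[0])) return SEND_400;
    errno = 0;
    len = strtoul(val, &end, 10);
    if (*end != '\0' || errno == ERANGE) return SEND_400;
    return (len > max_body) ? SEND_413 : SEND_100_CONTINUE;
}

/* Minimal response head to write for each decision; NULL means write nothing. */
const char *interim_reply(enum interim_action a)
{
    switch (a) {
    case SEND_100_CONTINUE: return "HTTP/1.1 100 Continue\r\n\r\n";
    case SEND_400:          return "HTTP/1.1 400 Bad Request\r\n\r\n";
    case SEND_413:          return "HTTP/1.1 413 Payload Too Large\r\n\r\n";
    case SEND_417:          return "HTTP/1.1 417 Expectation Failed\r\n\r\n";
    default:                return NULL;
    }
}

int main(void)
{
    /* Constructed request head with the header libcurl adds by default. */
    const char *req = "PUT /example HTTP/1.1\r\nHost: localhost\r\n"
                      "Content-Length: 4096\r\nExpect: 100-continue\r\n\r\n";
    const char *reply = interim_reply(decide_interim(req, 65536));

    fputs(reply != NULL ? reply : "(read the body)\n", stdout);
    return 0;
}
```

A server that never writes the interim reply leaves the client waiting until its own timeout expires, which is the delay the thread attributes to the `secrets` responder.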


[SSSD] [sssd PR#192][comment] Add certificate mapping library

2017-03-14 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/192
Title: #192: Add certificate mapping library

lslebodn commented:
"""
There is a valgrind error in the unit test.
```
==11568== Invalid read of size 1
==11568==at 0x4C32CC4: strcmp (vg_replace_strmem.c:842)
==11568==by 0x50412EA: _assert_string_equal (in 
/usr/lib64/libcmocka.so.0.4.0)
==11568==by 0x401F3E: test_sss_cert_get_content_2 (test_certmap.c:815)
==11568==by 0x5041968: ??? (in /usr/lib64/libcmocka.so.0.4.0)
==11568==by 0x5042250: _cmocka_run_group_tests (in 
/usr/lib64/libcmocka.so.0.4.0)
==11568==by 0x401631: main (test_certmap.c:1305)
==11568==  Address 0xb9deaee is 0 bytes after a block of size 110 alloc'd
==11568==at 0x4C2EB1B: malloc (vg_replace_malloc.c:299)
==11568==by 0x5AFF26E: _talloc_memdup (in /usr/lib64/libtalloc.so.2.1.9)
==11568==by 0x5D1380F: add_string_other_name_to_san_list 
(sss_cert_content_nss.c:434)
==11568==by 0x5D1380F: get_san (sss_cert_content_nss.c:790)
==11568==by 0x5D142AC: sss_cert_get_content (sss_cert_content_nss.c:986)
==11568==by 0x401B0A: test_sss_cert_get_content_2 (test_certmap.c:758)
==11568==by 0x5041968: ??? (in /usr/lib64/libcmocka.so.0.4.0)
==11568==by 0x5042250: _cmocka_run_group_tests (in 
/usr/lib64/libcmocka.so.0.4.0)
==11568==by 0x401631: main (test_certmap.c:1305)
==11568==
```

I think that the problem is in the unit test, because it tries to compare
`item->bin_val` with a string. But IIUC `bin_val` is not null terminated.
We should use `assert_memory_equal`.

+ there are a few warnings reported by static analyzers
```
Error: NULL_RETURNS (CWE-476): [#def1]
sssd-1.15.2/src/db/sysdb_certmap.c:149: var_assigned: Assigning: "el->values" = 
null return value from "_talloc_zero_array".
sssd-1.15.2/src/db/sysdb_certmap.c:152: dereference: Dereferencing a null 
pointer "el->values".
#  150|   
#  151|   for (c = 0; certmap->domains[c] != NULL; c++) {
#  152|-> el->values[c].data = (uint8_t *) talloc_strdup(el->values,
#  153|  
certmap->domains[c]);
#  154|   if (el->values[c].data == NULL) {


Error: NULL_RETURNS (CWE-476): [#def4]
sssd-1.15.2/src/lib/certmap/sss_cert_content_nss.c:892: var_assigned: 
Assigning: "current" = null return value from "CERT_GetNextGeneralName".
sssd-1.15.2/src/lib/certmap/sss_cert_content_nss.c:788: dereference: 
Dereferencing a null pointer "current".
#  786|   current = name_list;
#  787|   do {
#  788|-> switch (current->type) {
#  789|   case certOtherName:
#  790|   ret = add_string_other_name_to_san_list(mem_ctx,

Error: PW.SET_BUT_NOT_USED: [#def5]
sssd-1.15.2/src/lib/certmap/sss_cert_content_nss.c:923: set_but_not_used: 
variable "parameters" was set but never used
#  921|   SECItem der_item;
#  922|   NSSInitContext *nss_ctx;
#  923|-> NSSInitParameters parameters = { 0 };
#  924|   parameters.length =  sizeof (parameters);
#  925|   


Error: CHECKED_RETURN (CWE-252): [#def6]
sssd-1.15.2/src/lib/certmap/sss_cert_content_nss.c:1003: check_return: Calling 
"NSS_ShutdownContext" without checking return value (as is done elsewhere 2 out 
of 3 times).
sssd-1.15.2/src/p11_child/p11_child_nss.c:486: example_assign: Example 1: 
Assigning: "rv" = return value from "NSS_ShutdownContext(nss_ctx)".
sssd-1.15.2/src/p11_child/p11_child_nss.c:487: example_checked: Example 1 
(cont.): "rv" has its value checked in "rv != SECSuccess".
sssd-1.15.2/src/util/cert/nss/cert.c:404: example_assign: Example 2: Assigning: 
"rv" = return value from "NSS_ShutdownContext(nss_ctx)".
sssd-1.15.2/src/util/cert/nss/cert.c:405: example_checked: Example 2 (cont.): 
"rv" has its value checked in "rv != SECSuccess".
# 1001|   
# 1002|   CERT_DestroyCertificate(cert);
# 1003|-> NSS_ShutdownContext(nss_ctx);
# 1004|   
# 1005|   if (ret == EOK) {

Error: CLANG_WARNING: [#def11]
sssd-1.15.2/src/lib/certmap/sss_certmap.c:586:9: warning: Function call 
argument is an uninitialized value
#talloc_free(exp);
#^
/usr/include/talloc.h:228:26: note: expanded from macro 'talloc_free'
##define talloc_free(ctx) _talloc_free(ctx, __location__)
# ^
sssd-1.15.2/src/lib/certmap/sss_certmap.c:906:9: note: Assuming '_filter' is 
not equal to null
#if (_filter == NULL || _domains == NULL) {
#^~~
sssd-1.15.2/src/lib/certmap/sss_certmap.c:906:9: note: Left side of '||' is 
false
sssd-1.15.2/src/lib/certmap/sss_certmap.c:906:28: note: Assuming '_domains' is 
not equal to null
#if (_filter == NULL || _domains == NULL) {
#   ^~~~
sssd-1.15.2/src/lib/certmap/sss_certmap.c:906:5: note: Taking false branch
#if (_filter == NULL || _domains == NULL) {
#^
sssd-1.15.2/src/lib/certmap/sss_certmap.c:911:9: note: Assuming 'ret' is equal 
to 0
#if (ret != 0) {
#^~~~
sssd-1.15.2/src/lib/certmap/sss_certmap.c:911:5: note: 

[SSSD] [sssd PR#152][comment] Add a tevent wrapper around libcurl's asynchronous interface

2017-03-14 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

lslebodn commented:
"""
BTW `util/sss_iobuf.h` includes itself

following diff fixes it
```
diff --git a/src/tests/cmocka/test_iobuf.c b/src/tests/cmocka/test_iobuf.c
index eaee966e5..489cc2c5d 100644
--- a/src/tests/cmocka/test_iobuf.c
+++ b/src/tests/cmocka/test_iobuf.c
@@ -29,6 +29,7 @@
 #include 
 
 #include "util/sss_iobuf.h"
+#include "util/util.h"
 
 static void test_sss_iobuf_read(void **state)
 {
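Review bot: The added `#include "util/util.h"` in test_iobuf.c is only needed because the header change below stops pulling util.h in transitively, and this diff updates the test alone. Every other file that includes `util/sss_iobuf.h` and relied on that transitive include needs the same line, so check the remaining includers before merging.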
diff --git a/src/util/sss_iobuf.h b/src/util/sss_iobuf.h
index e546d5996..eae357a40 100644
--- a/src/util/sss_iobuf.h
+++ b/src/util/sss_iobuf.h
@@ -5,8 +5,9 @@
 #include 
 #include 
 
-#include "util/util.h"
-#include "util/sss_iobuf.h"
+#include "util/util_errors.h"
+
+struct sss_iobuf;
 
 /*
  * @brief Allocate an empty IO buffer
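Review bot: Removing the self-include is the fix, but replacing `util/util.h` with `util/util_errors.h` in the same hunk is a second, separate change to what the header exports and should be called out in the commit message. With the forward declaration `struct sss_iobuf;` in place, confirm that util_errors.h and the two system includes above cover every type used in the prototypes, so the header still compiles when it is the first include in a file.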
```

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/152#issuecomment-286381815


[SSSD] Re: [sssd PR#152][comment] Add a tevent wrapper around libcurl's asynchronous interface

2017-03-14 Thread Lukas Slebodnik
On (14/03/17 11:25), Lukas Slebodnik wrote:
>On (14/03/17 09:34), jhrozek wrote:
>>  URL: https://github.com/SSSD/sssd/pull/152
>>Title: #152: Add a tevent wrapper around libcurl's asynchronous interface
>>
>>jhrozek commented:
>>"""
>>I squashed one last trivial change that just checks the return value of the 
>>option set:
>>```
>>diff --git a/src/util/tev_curl.c b/src/util/tev_curl.c
>>index b966a78..233ad2c 100644
>>--- a/src/util/tev_curl.c
>>+++ b/src/util/tev_curl.c
>>@@ -832,6 +832,12 @@ static errno_t tcurl_set_options(struct tcurl_http_state 
>>*state,
>> crv = curl_easy_setopt(state->http_handle,
>>CURLOPT_INFILESIZE_LARGE,
>>sss_iobuf_get_size(state->inbuf));
>gcc on my machine complains that last argument has wrong type
>
Ahh, again replied to wrong thread.

LS


[SSSD] Re: Design discussion: Support for non-POSIX users and groups

2017-03-14 Thread Simo Sorce
On Mon, 2017-03-06 at 14:49 +0100, Jakub Hrozek wrote:
>     [sssd]
> >     domains = appdomain.test, posixdomain.test
> >     services = ifp, pam, nss
> > 
> >     [pam]
> >     application_services = sss_test
> > 
> >     [ifp]
> >     user_attributes = +phone
> > 
> >     [domain/appdomain.test]
> >     id_provider = ldap
> >     ldap_uri = ldap://server.test
> >     domain_type = application
> >     ldap_user_extra_attrs = phone:telephoneNumber
> > 
> >     [domain/posixdomain.test]
> >     id_provider = ldap
> >     ldap_uri = ldap://server.test

Jakub,
I am thinking we may want to make some things here slightly different.

Instead of calling them all domains, and having to sort out the
differences later, I am thinking we may want to define a completely new
 section type called "application", this will allow us to
"inherit" configuration from domain for compactness when both posix and
non-posix are needed from the same domain.

Example:

[sssd]
  domains = domain.test
  services = ifp, pam, nss

[pam]
  application_services = sss_test

[ifp]
  user_attributes = +phone

[domain/domain.test]
  id_provider = ldap
  ldap_uri = ldap://server.test

[application/domain.test]
  inherit_from = domain/domain.test
  ldap_user_extra_attrs = phone:telephoneNumber


The idea is that the application domain inherits most of its parameters
from the posix domain references (if any is referenced).
If no difference between application domain and posix domain is needed
then the application domain section could be almost completely empty
(win).

I am not sure if we need to explicitly list application domains in the
sssd or PAM sections, or if we should just automatically have them available by 
the simple fact they have been defined. One thing we may want though is to have 
an option that explicitly maps application domains to specific "services", for 
both PAM and IFP at the same time (given it makes no sense to do that 
independently and both need to be on the same page for this).

So move to a new section and modify the application_services parameter
to take tuples:
  [applications]
    application_services = apache:domain.test myapp:other.dom \
                           otherapp:domain.test,other.dom,third.dom \
                           fooapp:ALL

The other option may be to list what services each application domain
will be made available to in the application domain definition itself:

  [application/domain.test]
    available_for = ALL

  [application/other.dom]
    available_for = apache, otherapp, fooapp

  [application/third.dom]
    available_for = otherapp

I think the problem will be to find the right balance to make it simple
to configure which apps can get to which domains, the main trick being
that we should not make application domains available to things like
ssh, gdm, login by default because then NSS would fail later on and
we'd waste time.
Also we need to be careful in never attempting double authentication
(both to the posix domain and then again via application domain for any single 
app, as we may cause premature account locks that way). So perhaps explicitly 
listing services is always needed after all, and when a service is listed then 
only the specific list of application domains is considered for that service 
and nothing else.

Just a few ideas to be able to better control what app does what.
I am not sure we need different query types in the protocol either,
because the above configuration will make it pretty clear what apps should get 
from the IFP, and backends will be of the appropriate type already so when you 
contact one they already know what they should return in their cache.

Hope this makes sense and complements the design rather than disrupt
it, it does complement it in my mind :-)

Simo.
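
One way to read the `application_services` tuples proposed above, as an added example (not SSSD code; the option exists only as a proposal in this message). A listed service gets exactly its own application domains, `ALL` expands to every defined application domain, and an unlisted service such as sshd gets POSIX domains only, so no service is ever tried against both kinds. `plan_for_service`, `struct auth_plan` and the sample strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DOMS 8
#define NAME_LEN 64

/* Domains that may authenticate one PAM/IFP service: one kind, never both. */
struct auth_plan {
    int application;                  /* 1: application domains, 0: POSIX domains */
    size_t count;
    char names[MAX_DOMS][NAME_LEN];
};

/* Separators inside a list; '\\' covers the line continuations in the sample. */
static const char SEPS[] = ", \t\n\\";

/* Append every name in [p, end) to the plan; -1 if a name or the plan overflows. */
static int add_names(struct auth_plan *plan, const char *p, const char *end)
{
    for (;;) {
        size_t n;

        p += strspn(p, SEPS);
        if (p >= end) return 0;
        n = strcspn(p, SEPS);
        if (plan->count == MAX_DOMS || n >= NAME_LEN) return -1;
        memcpy(plan->names[plan->count], p, n);
        plan->names[plan->count][n] = '\0';
        plan->count++;
        p += n;
    }
}

/* Decide which domains may serve `service`. Returns 0, or -1 on an oversized list.
 * app_services holds the "service:dom[,dom...]" tuples (hypothetical syntax). */
int plan_for_service(const char *app_services, const char *app_domains,
                     const char *posix_domains, const char *service,
                     struct auth_plan *plan)
{
    size_t slen = strlen(service);
    const char *p = app_services;

    memset(plan, 0, sizeof(*plan));
    for (;;) {
        size_t tlen;

        p += strspn(p, " \t\n\\");
        if (*p == '\0') break;
        tlen = strcspn(p, " \t\n\\");
        if (tlen > slen && p[slen] == ':' && memcmp(p, service, slen) == 0) {
            const char *list = p + slen + 1;

            /* Listed service: only its own application domains count. */
            plan->application = 1;
            if (tlen - slen - 1 == 3 && memcmp(list, "ALL", 3) == 0) {
                return add_names(plan, app_domains,
                                 app_domains + strlen(app_domains));
            }
            return add_names(plan, list, p + tlen);
        }
        p += tlen;
    }
    /* Unlisted service: POSIX domains only, application domains stay hidden. */
    return add_names(plan, posix_domains, posix_domains + strlen(posix_domains));
}

int main(void)
{
    /* Constructed from the application_services sample in the message above. */
    const char *app_services = "apache:domain.test myapp:other.dom \\\n"
                               "  otherapp:domain.test,other.dom,third.dom \\\n"
                               "  fooapp:ALL";
    const char *services[] = { "otherapp", "fooapp", "sshd" };
    struct auth_plan plan;

    for (size_t i = 0; i < 3; i++) {
        if (plan_for_service(app_services, "domain.test other.dom third.dom",
                             "domain.test", services[i], &plan) != 0) return 1;
        printf("%s -> %s:", services[i],
               plan.application ? "application" : "posix");
        for (size_t j = 0; j < plan.count; j++) printf(" %s", plan.names[j]);
        putchar('\n');
    }
    return 0;
}
```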


[SSSD] Re: [sssd PR#152][comment] Add a tevent wrapper around libcurl's asynchronous interface

2017-03-14 Thread Lukas Slebodnik
On (14/03/17 09:34), jhrozek wrote:
>  URL: https://github.com/SSSD/sssd/pull/152
>Title: #152: Add a tevent wrapper around libcurl's asynchronous interface
>
>jhrozek commented:
>"""
>I squashed one last trivial change that just checks the return value of the 
>option set:
>```
>diff --git a/src/util/tev_curl.c b/src/util/tev_curl.c
>index b966a78..233ad2c 100644
>--- a/src/util/tev_curl.c
>+++ b/src/util/tev_curl.c
>@@ -832,6 +832,12 @@ static errno_t tcurl_set_options(struct tcurl_http_state 
>*state,
> crv = curl_easy_setopt(state->http_handle,
>CURLOPT_INFILESIZE_LARGE,
>sss_iobuf_get_size(state->inbuf));
gcc on my machine complains that last argument has wrong type

```
In function ‘tcurl_set_options’,
inlined from ‘tcurl_http_send’ at src/util/tev_curl.c:625:9:
src/util/tev_curl.c:835:15: error: call to ‘_curl_easy_setopt_err_curl_off_t’ 
declared with attribute warning: curl_easy_setopt expects a curl_off_t argument 
for this option [-Werror]
 crv = curl_easy_setopt(state->http_handle,
   ^~~~
cc1: all warnings being treated as errors
```

I am not sure whether you have `/usr/include/curl/typecheck-gcc.h` on your
machine. I have curl-7.53.1-3.fc26.


>+if (crv != CURLE_OK) {
>+DEBUG(SSSDBG_OP_FAILURE,
>+  "Failed to set CURLOPT_INFILESIZE_LARGE [%d]: %s\n",
>+  crv, curl_easy_strerror(crv));
>+return EIO;
>+}


But there are a few more warnings
In function ‘handle_curlmsg_done’,
inlined from ‘process_curl_activity.isra.0’ at src/util/tev_curl.c:252:13:
src/util/tev_curl.c:208:11: error: call to ‘_curl_easy_getinfo_err_string’ 
declared with attribute warning: curl_easy_getinfo expects a pointer to 'char 
*' for this info [-Werror]
 crv = curl_easy_getinfo(easy_handle, CURLINFO_PRIVATE, );
   ^
src/util/tev_curl.c:234:11: error: call to ‘_curl_easy_getinfo_err_long’ 
declared with attribute warning: curl_easy_getinfo expects a pointer to long 
for this info [-Werror]
 crv = curl_easy_getinfo(easy_handle, CURLINFO_RESPONSE_CODE, 
>http_code);
   ^


and here is a diff which suppresses warnings for me. Not sure whether it is
the best solution.
```
diff --git a/src/util/tev_curl.c b/src/util/tev_curl.c
index 233ad2c49..ea9987e68 100644
--- a/src/util/tev_curl.c
+++ b/src/util/tev_curl.c
@@ -94,7 +94,7 @@ struct tcurl_http_state {
 
 /* Output data */
 struct sss_iobuf *outbuf;
-int http_code;
+long http_code;
 };
 
 static errno_t curl_code2errno(CURLcode crv)
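Review bot: Widening `http_code` to `long` in `struct tcurl_http_state` is the right fix, because the warning quoted above says CURLINFO_RESPONSE_CODE expects a pointer to long and an `int` field is too small for that store on LP64, but the hunk does not show the readers of the field. Check that any code copying `http_code` into an `int` output or printing it with `%d` is updated as well, or narrows explicitly with a range check.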
@@ -205,7 +205,7 @@ static void handle_curlmsg_done(CURLMsg *message)
 }
 }
 
-crv = curl_easy_getinfo(easy_handle, CURLINFO_PRIVATE, );
+crv = curl_easy_getinfo(easy_handle, CURLINFO_PRIVATE, (void *));
 if (crv != CURLE_OK) {
 DEBUG(SSSDBG_CRIT_FAILURE,
   "Cannot get CURLINFO_PRIVATE [%d]: %s\n",
@@ -831,7 +831,7 @@ static errno_t tcurl_set_options(struct tcurl_http_state 
*state,
 /* Causes libcurl to add a sane Content-Length header */
 crv = curl_easy_setopt(state->http_handle,
CURLOPT_INFILESIZE_LARGE,
-   sss_iobuf_get_size(state->inbuf));
+   (curl_off_t)sss_iobuf_get_size(state->inbuf));
 if (crv != CURLE_OK) {
 DEBUG(SSSDBG_OP_FAILURE,
   "Failed to set CURLOPT_INFILESIZE_LARGE [%d]: %s\n",
```


[SSSD] [sssd PR#152][comment] Add a tevent wrapper around libcurl's asynchronous interface

2017-03-14 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

pbrezina commented:
"""
The changes look good, although I would say that disabling `Expect: 
100-continue` is not the way to go in the long term. I believe the problem lies 
in `secrets` responder that does not handle this properly. I agree that the 
responder is not supposed to be a full HTTP server, however given the fact that 
this is default behavior of `libcurl` we should implement it (later).

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/152#issuecomment-286379622


[SSSD] [sssd PR#154][comment] Confront caches first

2017-03-14 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/154
Title: #154: Confront caches first

jhrozek commented:
"""
I knew there's a reason for me to send a CI as well, because mine passed :-)

http://sssd-ci.duckdns.org/logs/job/64/74/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/154#issuecomment-286375262


[SSSD] Re: Design discussion: Support for non-POSIX users and groups

2017-03-14 Thread Simo Sorce
On Wed, 2017-03-08 at 11:39 +0100, Jakub Hrozek wrote:
> On Wed, Mar 08, 2017 at 10:45:32AM +0100, Pavel Březina wrote:
> > On 03/07/2017 03:11 PM, Jakub Hrozek wrote:
> > > On Tue, Mar 07, 2017 at 02:31:27PM +0100, Pavel Březina wrote:
> > > > On 03/07/2017 01:33 PM, Jakub Hrozek wrote:
> > > > > On Tue, Mar 07, 2017 at 01:18:36PM +0100, Pavel Březina
> > > > > wrote:
> > > > > > On 03/07/2017 01:16 PM, Pavel Březina wrote:
> > > > > > > On 03/06/2017 02:49 PM, Jakub Hrozek wrote:
> > > > > > > > Hi,
> > > > > > > > 
> > > > > > > > I prepared a design page for a new feature about
> > > > > > > > fetching and
> > > > > > > > authenticating non-POSIX users:
> > > > > > > > https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html
> > > > > > > > 
> > > > > > > > For your convenience, I'm also copying the .rst text
> > > > > > > > below:
> > > > > > > > 
> > > > > > > > Support for non-POSIX users and groups
> > > > > > > > ==
> > > > > > > > 
> > > > > > > > Related ticket(s):
> > > > > > > > --
> > > > > > > > https://pagure.io/SSSD/sssd/issue/3310
> > > > > > > 
> > > > > > > I find this document quite hard to understand, so I want
> > > > > > > to ensure I get
> > > > > > > it right:
> > > > > > > 
> > > > > > > 1) You can't have one domain that return both posix and
> > > > > > > non-posix users.
> > > > > > > 2) PAM is allowed to login a non-posix users for given
> > > > > > > services.
> > > > > > > 3) If CACHE_REQ_APP is used, non-posix domains are
> > > > > > > searched first then
> > > > > > > posix domains.
> > > > > > > 4) If CACHE_REQ_POSIX is used, non-posix domains are
> > > > > > > skipped.
> > > > > > > 5) Non-posix domains require fully qualified name.
> > > > > > > 6) Posix users return only posix groups membership.
> > > > > > > 7) Non-posix users return both posix and non-posix
> > > > > > > membership.
> > > > > > 
> > > > > > And
> > > > > > 8) You can have two users, one posix, one non-posix with
> > > > > > the same name.
> > > > > 
> > > > > In theory yes, but I don't think this would be too common. In
> > > > > general
> > > > > you could have two entries, one with objectclass user, the
> > > > > other with
> > > > > objectclass posixUser where each domain would use a different
> > > > > attribute
> > > > > for the username. But even so, I think the current scheme
> > > > > would protect
> > > > > us against these strange setups.
> > > > 
> > > > I find this rather complicated at least from what we talked
> > > > about on irc.
> > > > If I recall correctly, we leaned in a way that we always
> > > > download the user
> > > > whether it is posix or not and then let the caller decide if it
> > > > should be
> > > > returned by sssd. I.e.
> > > > 
> > > > if !non_posix_users_enabled(domain) then
> > > >    download only posix users
> > > > else
> > > >    download user even if it is non posix
> > > > 
> > > > In NSS (and other posix responders) we would return ENOENT for
> > > > non-posix
> > > > users. In IFP we would not care (or care if we change API to
> > > > select).
> > > > 
> > > > This wouldn't require the domain separation. What were the
> > > > reasons to not
> > > > use this approach?
> > > 
> > > The conflicts between different 'views'. Consider the case where
> > > an IFP
> > > user would request the groups of a user who is a member of both
> > > POSIX and
> > > non-POSIX groups. Then, a second later, the NSS responder calls
> > > initgroups.
> > > 
> > > What does the initgroups POSIX call on the back end level do with
> > > the
> > > non-POSIX groups, especially the leaf ones? Does it remove them?
> > > Do we
> > > add logic to ignore the non-POSIX groups? How do we tell if the
> > > groups
> > > were removed from the server if the searches match only the POSIX
> > > data
> > > in the second request?
> > 
> > In this approach, backend is supposed to always download both posix
> > and
> > non-posix users. Backend should not be aware about posix attributes
> > at all.
> > Responder should decide whether non-posix users should be removed
> > from the
> > result (not from the cache) or not.
> 
> This would be hugely inefficient and e.g. logins would take forever.

Inefficiency is secondary, the problem is that you would very quickly
get requests to have different filters for posix users and non-posix
users, and you end up adding a ton of options for the two distinct
cases. It is better if the users (and groups) for an application have
the filters required for that application and exactly only those
filters, or you'll pretty quickly have to add filtering both in the
backend and in the NSS frontend and the code becomes super-complicated
== tons of bugs and regressions.

If applications want their own view they get their special domain and
then everything can be tweaked as wanted w/o impacting the underlying
system users and their domain settings.

Simo.

[SSSD] [sssd PR#154][comment] Confront caches first

2017-03-14 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/154
Title: #154: Confront caches first

fidencio commented:
"""
CI: http://sssd-ci.duckdns.org/logs/job/64/75/summary.html

There's a failure on f25 mock build but it's not related to this series.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/154#issuecomment-286372830


[SSSD] [sssd PR#193][opened] UTIL: Use max 15 characters for AD host UPN

2017-03-14 Thread lslebodn
   URL: https://github.com/SSSD/sssd/pull/193
Author: lslebodn
 Title: #193: UTIL: Use max 15 characters for AD host UPN
Action: opened

PR body:
"""
We do not want to use host principal with AD
"host/name.domain@domain.tld" because it does not work.
We need to use correct user principal for AD hosts. And we cannot
rely on fallback "*$" because of other principals in keytab.

Resolves:
https://pagure.io/SSSD/sssd/issue/3329
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/193/head:pr193
git checkout pr193
From c3f310ecd25624e31b0d011a32493415903c8628 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik 
Date: Tue, 14 Mar 2017 10:34:00 +0100
Subject: [PATCH] UTIL: Use max 15 characters for AD host UPN

We do not want to use host principal with AD
"host/name.domain@domain.tld" because it does not work.
We need to use correct user principal for AD hosts. And we cannot
rely on fallback "*$" because of other principals in keytab.

Resolves:
https://pagure.io/SSSD/sssd/issue/3329
---
 src/util/sss_krb5.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index 4808a77..0ab5b61 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -50,7 +50,7 @@ sss_krb5_get_primary(TALLOC_CTX *mem_ctx,
 *c = toupper(*c);
 }
 
-primary = talloc_asprintf(mem_ctx, "%s$", shortname);
+primary = talloc_asprintf(mem_ctx, ".15%s$", shortname);
 talloc_free(shortname);
 return primary;
 }
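Review bot: The new format string `".15%s$"` in `sss_krb5_get_primary` does not truncate anything: the precision has to sit between `%` and `s`, so as written the result is the literal text `.15` followed by the whole shortname and `$`. The line should use `"%.15s$"`, and a unit test with a hostname longer than 15 characters would catch a regression here.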


[SSSD] [sssd PR#152][comment] Add a tevent wrapper around libcurl's asynchronous interface

2017-03-14 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

jhrozek commented:
"""
I squashed one last trivial change that just checks the return value of the 
option set:
```
diff --git a/src/util/tev_curl.c b/src/util/tev_curl.c
index b966a78..233ad2c 100644
--- a/src/util/tev_curl.c
+++ b/src/util/tev_curl.c
@@ -832,6 +832,12 @@ static errno_t tcurl_set_options(struct tcurl_http_state 
*state,
 crv = curl_easy_setopt(state->http_handle,
CURLOPT_INFILESIZE_LARGE,
sss_iobuf_get_size(state->inbuf));
+if (crv != CURLE_OK) {
+DEBUG(SSSDBG_OP_FAILURE,
+  "Failed to set CURLOPT_INFILESIZE_LARGE [%d]: %s\n",
+  crv, curl_easy_strerror(crv));
+return EIO;
+}
 
 ret = tcurl_set_read_options(state);
 if (ret != EOK) {
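Review bot: The new error branch after the CURLOPT_INFILESIZE_LARGE call returns a fixed `EIO`, which throws away what `crv` says about the failure. tev_curl.c has a `curl_code2errno(CURLcode crv)` helper (visible as hunk context elsewhere in this thread); returning `curl_code2errno(crv)` would keep the mapping in one place, provided the other setopt failures in this function are handled the same way.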
```
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/152#issuecomment-286354583


[SSSD] [sssd PR#152][synchronized] Add a tevent wrapper around libcurl's asynchronous interface

2017-03-14 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/152
Author: jhrozek
 Title: #152: Add a tevent wrapper around libcurl's asynchronous interface
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/152/head:pr152
git checkout pr152
From 864b17964ab812020754a1434f6893d253fb861e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Fri, 23 Sep 2016 13:41:53 +0200
Subject: [PATCH 1/5] UTIL: Add a new macro SAFEALIGN_MEMCPY_CHECK

We will use it later in the KCM server
---
 src/util/util_safealign.h | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/src/util/util_safealign.h b/src/util/util_safealign.h
index a2cd4dd..0d9a579 100644
--- a/src/util/util_safealign.h
+++ b/src/util/util_safealign.h
@@ -124,6 +124,12 @@ safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter)
 safealign_memcpy(dest, CV_MACRO_val, sizeof(char) * length, pctr); \
 } while(0)
 
+#define SAFEALIGN_MEMCPY_CHECK(dest, src, srclen, len, pctr) do { \
+if ((*(pctr) + srclen) > (len) || \
+SIZE_T_OVERFLOW(*(pctr), srclen)) { return EINVAL; } \
+safealign_memcpy(dest, src, srclen, pctr); \
+} while(0)
+
 /* Aliases for backward compatibility. */
 #define SAFEALIGN_SET_VALUE SAFEALIGN_SETMEM_VALUE
 #define SAFEALIGN_SET_INT64 SAFEALIGN_SETMEM_INT64
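Review bot: In `SAFEALIGN_MEMCPY_CHECK` the bound test `(*(pctr) + srclen) > (len)` uses `srclen` without parentheses while `len` and `pctr` are parenthesized, so an argument such as `a ? b : c` changes the meaning of the check, and `srclen` is evaluated three times. Wrap it as `(srclen)` and consider testing `SIZE_T_OVERFLOW` first, so the sum is never consulted after it may have wrapped (the `||` makes the current order work, but it reads backwards). The embedded `return EINVAL` also deserves a comment above the macro, since it limits the macro to functions that return errno_t.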

From 14734c8100d61613a263133240115a9c7a970475 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Tue, 20 Sep 2016 18:46:40 +0200
Subject: [PATCH 2/5] UTIL: Add a generic iobuf module

The KCM responder reads bytes and writes bytes from a buffer of bytes.
Instead of letting the caller deal with low-level handling using the
SAFEALIGN macros, this patch adds a new iobuf.c module with more
high-level functions.

The core is an iobuf struct that keeps track of the buffer, its total
capacity and a current read or write position.

There are helper functions to read or write a generic buffer with a set
length. Later, we will also add convenience functions to read C data
types using the SAFEALIGN macros.
---
 Makefile.am   |  22 +
 src/tests/cmocka/test_iobuf.c | 194 +++
 src/util/sss_iobuf.c  | 204 ++
 src/util/sss_iobuf.h  | 117 
 4 files changed, 537 insertions(+)
 create mode 100644 src/tests/cmocka/test_iobuf.c
 create mode 100644 src/util/sss_iobuf.c
 create mode 100644 src/util/sss_iobuf.h

diff --git a/Makefile.am b/Makefile.am
index 34da1f0..450f07c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -277,6 +277,7 @@ if HAVE_CMOCKA
 test_ipa_dn \
 simple-access-tests \
 krb5_common_test \
+test_iobuf \
 $(NULL)
 
 if HAVE_LIBRESOLV
@@ -657,6 +658,7 @@ dist_noinst_HEADERS = \
 src/util/util_sss_idmap.h \
 src/util/util_creds.h \
 src/util/inotify.h \
+src/util/sss_iobuf.h \
 src/monitor/monitor.h \
 src/monitor/monitor_interfaces.h \
 src/monitor/monitor_iface_generated.h \
@@ -1839,6 +1841,7 @@ krb5_utils_tests_SOURCES = \
 src/providers/krb5/krb5_common.c \
 src/providers/krb5/krb5_opts.c \
 src/util/sss_krb5.c \
+src/util/sss_iobuf.c \
 src/providers/data_provider_fo.c \
 src/providers/data_provider_opts.c \
 src/providers/data_provider_callbacks.c \
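Review bot: `src/util/sss_iobuf.c` is added to `krb5_utils_tests_SOURCES` here and to four more SOURCES lists in the hunks below, each time directly after `src/util/sss_krb5.c`, but the commit message only describes a new stand-alone module for the KCM responder. If sss_krb5.c does not call into the iobuf module in this patch, these additions belong in the later patch that introduces the dependency; if it does, the commit message should say so.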
@@ -2114,6 +2117,7 @@ krb5_child_test_SOURCES = \
 src/providers/krb5/krb5_common.c \
 src/providers/krb5/krb5_opts.c \
 src/util/sss_krb5.c \
+src/util/sss_iobuf.c \
 src/providers/data_provider_fo.c \
 src/providers/data_provider_opts.c \
 src/providers/data_provider_callbacks.c \
@@ -2785,6 +2789,7 @@ test_copy_ccache_SOURCES = \
 src/tests/cmocka/test_copy_ccache.c \
 src/providers/krb5/krb5_ccache.c \
 src/util/sss_krb5.c \
+src/util/sss_iobuf.c \
 $(NULL)
 test_copy_ccache_CFLAGS = \
 $(AM_CFLAGS) \
@@ -2803,6 +2808,7 @@ test_copy_keytab_SOURCES = \
 src/tests/cmocka/test_copy_keytab.c \
 src/providers/krb5/krb5_keytab.c \
 src/util/sss_krb5.c \
+src/util/sss_iobuf.c \
 $(NULL)
 test_copy_keytab_CFLAGS = \
 $(AM_CFLAGS) \
@@ -3165,6 +3171,19 @@ test_ipa_dn_LDADD = \
 libsss_test_common.la \
 $(NULL)
 
+test_iobuf_SOURCES = \
+src/util/sss_iobuf.c \
+src/tests/cmocka/test_iobuf.c \
+$(NULL)
+test_iobuf_CFLAGS = \
+$(AM_CFLAGS) \
+$(NULL)
+test_iobuf_LDADD = \
+$(CMOCKA_LIBS) \
+$(SSSD_LIBS) \
+$(NULL)
+
+
 EXTRA_simple_access_tests_DEPENDENCIES = \
 $(ldblib_LTLIBRARIES)
 simple_access_tests_SOURCES = \
@@ -3497,6 +3516,7 @@ libsss_krb5_common_la_SOURCES = \
 src/providers/krb5/krb5_init_shared.c \
 src/providers/krb5/krb5_ccache.c \
 src/util/sss_krb5.c \
+src/util/sss_iobuf.c \
 src/util/become_user.c \
 $(NULL)
 libsss_krb5_common_la_CFLAGS = \
@@ -3726,6 +3746,7 @@ krb5_child_SOURCES = \
 src/providers/dp_pam_data_util.c \
 

[SSSD] [sssd PR#154][comment] Confront caches first

2017-03-14 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/154
Title: #154: Confront caches first

jhrozek commented:
"""
retest this please
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/154#issuecomment-286352432


[SSSD] [sssd PR#154][comment] Confront caches first

2017-03-14 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/154
Title: #154: Confront caches first

jhrozek commented:
"""
Oops, I also submitted to the internal CI, I guess more checks don't hurt. Let 
me reschedule the CentOS CI though to see if there was just a fluke
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/154#issuecomment-286352399


[SSSD] [sssd PR#154][comment] Confront caches first

2017-03-14 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/154
Title: #154: Confront caches first

fidencio commented:
"""
I'm running our internal CI and I'll post the link when it passes.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/154#issuecomment-286351873


[SSSD] [sssd PR#154][comment] Confront caches first

2017-03-14 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/154
Title: #154: Confront caches first

fidencio commented:
"""
@jhrozek, pushed a new version.

Here's the diff in order to make your review easier:

```
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 6e54b72..c05b1ce 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -88,7 +88,7 @@
 #define CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT "local_negative_timeout"
 #define CONFDB_RESPONDER_IDLE_TIMEOUT "responder_idle_timeout"
 #define CONFDB_RESPONDER_IDLE_DEFAULT_TIMEOUT 300
-#define CONFDB_RESPONDER_CONFRONT_CACHES_FIRST "confront_caches_first"
+#define CONFDB_RESPONDER_CACHE_FIRST "cache_first"
 
 /* NSS */
 #define CONFDB_NSS_CONF_ENTRY "config/nss"
diff --git a/src/config/SSSDConfig/__init__.py.in 
b/src/config/SSSDConfig/__init__.py.in
index 0cb8ef3..03a1a43 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -51,7 +51,7 @@ option_strings = {
 'fd_limit' : _('The number of file descriptors that may be opened by this 
responder'),
 'client_idle_timeout' : _('Idle time before automatic disconnection of a 
client'),
 'responder_idle_timeout' : _('Idle time before automatic shutdown of the 
responder'),
-'confront_caches_first': _('Always query all the caches before querying 
the Data Providers'),
+'cache_first': _('Always query all the caches before querying the Data 
Providers'),
 
 # [sssd]
 'services' : _('SSSD Services to start'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index b6d3a18..457a6f0 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -309,7 +309,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
 'fd_limit',
 'client_idle_timeout',
 'responder_idle_timeout',
-'confront_caches_first',
+'cache_first',
 'description',
 'certificate_verification',
 'override_space',
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 78e62b3..c287328 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -59,7 +59,7 @@ option = fd_limit
 option = client_idle_timeout
 option = description
 option = responder_idle_timeout
-option = confront_caches_first
+option = cache_first
 
 # Name service
 option = user_attributes
@@ -98,7 +98,7 @@ option = fd_limit
 option = client_idle_timeout
 option = description
 option = responder_idle_timeout
-option = confront_caches_first
+option = cache_first
 
 # Authentication service
 option = offline_credentials_expiration
@@ -133,7 +133,7 @@ option = fd_limit
 option = client_idle_timeout
 option = description
 option = responder_idle_timeout
-option = confront_caches_first
+option = cache_first
 
 # sudo service
 option = sudo_timed
@@ -155,7 +155,7 @@ option = fd_limit
 option = client_idle_timeout
 option = description
 option = responder_idle_timeout
-option = confront_caches_first
+option = cache_first
 
 # autofs service
 option = autofs_negative_timeout
@@ -176,7 +176,7 @@ option = fd_limit
 option = client_idle_timeout
 option = description
 option = responder_idle_timeout
-option = confront_caches_first
+option = cache_first
 
 # ssh service
 option = ssh_hash_known_hosts
@@ -199,7 +199,7 @@ option = fd_limit
 option = client_idle_timeout
 option = description
 option = responder_idle_timeout
-option = confront_caches_first
+option = cache_first
 
 # PAC responder
 option = allowed_uids
@@ -221,7 +221,7 @@ option = fd_limit
 option = client_idle_timeout
 option = description
 option = responder_idle_timeout
-option = confront_caches_first
+option = cache_first
 
 # InfoPipe responder
 option = allowed_uids
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index a786483..08cecf0 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -14,7 +14,7 @@ reconnection_retries = int, None, false
 fd_limit = int, None, false
 client_idle_timeout = int, None, false
 responder_idle_timeout = int, None, false
-confront_caches_first = int, None, false
+cache_first = int, None, false
 description = str, None, false
 
 [sssd]
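Review bot: `cache_first` is declared as `int` in this hunk, but the option string in `SSSDConfig/__init__.py.in` ("Always query all the caches before querying the Data Providers") and the man page text ("This option specifies whether the responder should ...") both describe an on/off switch. Declare it as `cache_first = bool, None, false` so the configuration API validates it as a boolean, and check that the responder reads it with the matching boolean type.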
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 429d896..e179964 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -663,7 +663,7 @@
 
 
 
-confront_caches_first
+cache_first
 
 
 This option specifies whether the responder should
diff --git a/src/responder/common/cache_req/cache_req.c 
b/src/responder/common/cache_req/cache_req.c
index efbce5e..aca150d 100644
--- a/src/responder/common/cache_req/cache_req.c
+++ b/src/responder/common/cache_req/cache_req.c
@@ -118,7 +118,7 @@ cache_req_create(TALLOC_CTX *mem_ctx,
 return NULL;
 }
 
-cr->confront_caches_first = 

[SSSD] [sssd PR#154][synchronized] Confront caches first

2017-03-14 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/154
Author: fidencio
 Title: #154: Confront caches first
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/154/head:pr154
git checkout pr154
From ff1115950cd32887c191292a999a43840e9e96e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= 
Date: Fri, 10 Mar 2017 10:27:14 +0100
Subject: [PATCH 1/5] CACHE_REQ: Make cache_req_{create_and_,}add_result() more
 generic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This patch is preparing the field for coming up patches where this
function will be re-used. In order to do so, let's remove the dependency
for tevent states on both cache_req_create_and_add_result() and
cache_req_add_result().

Related:
https://pagure.io/sssd/sssd/issue/3001

Reviewed-by: Fabiano Fidêncio 
---
 src/responder/common/cache_req/cache_req.c | 53 +++---
 1 file changed, 34 insertions(+), 19 deletions(-)

diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
index 16429c6..ac91927 100644
--- a/src/responder/common/cache_req/cache_req.c
+++ b/src/responder/common/cache_req/cache_req.c
@@ -321,8 +321,11 @@ struct cache_req_state {
 bool dp_success;
 };
 
-static errno_t cache_req_add_result(struct cache_req_state *state,
-struct cache_req_result *new);
+static errno_t
+cache_req_add_result(TALLOC_CTX *mem_ctx,
+ struct cache_req_result *new_result,
+ struct cache_req_result ***_results,
+ size_t *_num_results);
 
 static errno_t cache_req_process_input(TALLOC_CTX *mem_ctx,
struct tevent_req *req,
@@ -370,7 +373,8 @@ struct tevent_req *cache_req_send(TALLOC_CTX *mem_ctx,
 
 ret = cache_req_is_well_known_object(state, cr, );
 if (ret == EOK) {
-ret = cache_req_add_result(state, result);
+ret = cache_req_add_result(state, result, >results,
+   >num_results);
 goto done;
 } else if (ret != ENOENT) {
 goto done;
@@ -588,49 +592,56 @@ static errno_t cache_req_next_domain(struct tevent_req *req)
 }
 
 static errno_t
-cache_req_add_result(struct cache_req_state *state,
- struct cache_req_result *new)
+cache_req_add_result(TALLOC_CTX *mem_ctx,
+ struct cache_req_result *new_result,
+ struct cache_req_result ***_results,
+ size_t *_num_results)
 {
-struct cache_req_result **results = state->results;
+struct cache_req_result **results = *_results;
 size_t index;
 size_t count;
 
 /* Make space for new results. */
-index = state->num_results;
-count = state->num_results + 1;
+index = *_num_results;
+count = *_num_results + 1;
 
-results = talloc_realloc(state, results, struct cache_req_result *, count + 1);
+results = talloc_realloc(mem_ctx, results, struct cache_req_result *,
+ count + 1);
 if (results == NULL) {
 return ENOMEM;
 }
 
-results[index] = talloc_steal(results, new);
+results[index] = talloc_steal(results, new_result);
 results[index + 1] = NULL;
-state->results = results;
-state->num_results = count;
+
+*_results = results;
+*_num_results = count;
 
 return EOK;
 }
 
 static errno_t
-cache_req_create_and_add_result(struct cache_req_state *state,
+cache_req_create_and_add_result(TALLOC_CTX *mem_ctx,
+struct cache_req *cr,
 struct sss_domain_info *domain,
 struct ldb_result *ldb_result,
-const char *name)
+const char *name,
+struct cache_req_result ***_results,
+size_t *_num_results)
 {
 struct cache_req_result *item;
 errno_t ret;
 
-CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->cr,
+CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
 "Found %u entries in domain %s\n",
 ldb_result->count, domain->name);
 
-item = cache_req_create_result(state, domain, ldb_result, name, NULL);
+item = cache_req_create_result(mem_ctx, domain, ldb_result, name, NULL);
 if (item == NULL) {
 return ENOMEM;
 }
 
-ret = cache_req_add_result(state, item);
+ret = cache_req_add_result(mem_ctx, item, _results, _num_results);
 if (ret != EOK) {
 talloc_free(item);
 }
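Review bot: `cache_req_add_result()` and `cache_req_create_and_add_result()` now take `mem_ctx` plus the in/out pair `_results`/`_num_results`, but nothing documents the ownership rules, which stop being obvious once callers other than the tevent state reuse them. `talloc_realloc()` only uses its context argument when the pointer is NULL, so `mem_ctx` becomes the parent of the array on the first call only, and `new_result` is then stolen onto the array itself. A short comment above the function stating that `*_results` must start as NULL or be an array from a previous call, that `new_result` is reparented, and that both outputs are left untouched on ENOMEM would cover it.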
@@ -658,9 +669,13 @@ static void cache_req_done(struct tevent_req *subreq)
 switch (ret) {
 case EOK:
 /* We got some data from this search. Save it. */
-ret = cache_req_create_and_add_result(state, state->selected_domain,
+ret = 

[SSSD] [sssd PR#154][comment] Confront caches first

2017-03-14 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/154
Title: #154: Confront caches first

jhrozek commented:
"""
I vote for `cache_first` :)
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/154#issuecomment-286345259