[SSSD] [sssd PR#202][comment] T3315 infopipe group users master
URL: https://github.com/SSSD/sssd/pull/202
Title: #202: T3315 infopipe group users master
celestian commented:
"""
The issue was that getent shows user test_user in test_group, but dbus call doesn't. How I did it is described in my description. But I don't know if it is still valid. It was some time ago.
If I understand others' comments right, it was an attempt to fix method `org.freedesktop.sssd.infopipe.Groups.Group.UpdateMemberList()`
"""
See the full comment at https://github.com/SSSD/sssd/pull/202#issuecomment-318345349
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#214][comment] UTIL: Set udp_preference_limit=0 in krb5 snippet
URL: https://github.com/SSSD/sssd/pull/214
Title: #214: UTIL: Set udp_preference_limit=0 in krb5 snippet
celestian commented:
"""
@fidencio Oh, I see -- now I understand what you are looking for. Maybe it is a little confusing, there on GitHub, that it is not visible that my patch is already updated/fixed. So there was another patch before this one, but it is not reachable from GitHub (nor from my local repo; I deleted it some time ago).
"""
See the full comment at https://github.com/SSSD/sssd/pull/214#issuecomment-318318158
[SSSD] [sssd PR#214][comment] UTIL: Set udp_preference_limit=0 in krb5 snippet
URL: https://github.com/SSSD/sssd/pull/214
Title: #214: UTIL: Set udp_preference_limit=0 in krb5 snippet
celestian commented:
"""
@fidencio I am totally out of scope of this PR. I just assume that I addressed @frozencemetery's comment from Mar 28. The conditional setting was the subject of frozencemetery's comment.
@fidencio, is this a sufficient answer for you?
"""
See the full comment at https://github.com/SSSD/sssd/pull/214#issuecomment-318288827
[SSSD] [sssd PR#206][comment] IFP: Fix of names in GetUserGroups method
URL: https://github.com/SSSD/sssd/pull/206
Title: #206: IFP: Fix of names in GetUserGroups method
celestian commented:
"""
Bump.
"""
See the full comment at https://github.com/SSSD/sssd/pull/206#issuecomment-293582645
[SSSD] [sssd PR#202][comment] T3315 infopipe group users master
URL: https://github.com/SSSD/sssd/pull/202
Title: #202: T3315 infopipe group users master
celestian commented:
"""
IMO, this patch set fixes method org.freedesktop.sssd.infopipe.Groups.Group.UpdateMemberList(), which you need to call if you would like to see members of a group.
"""
See the full comment at https://github.com/SSSD/sssd/pull/202#issuecomment-291151435
[SSSD] [sssd PR#208][comment] IFP: Filter with * in Users.ListByName method
URL: https://github.com/SSSD/sssd/pull/208
Title: #208: IFP: Filter with * in Users.ListByName method
celestian commented:
"""
CI passed: http://sssd-ci.duckdns.org/logs/job/67/31/summary.html
"""
See the full comment at https://github.com/SSSD/sssd/pull/208#issuecomment-291110759
[SSSD] [sssd PR#208][comment] IFP: Filter with * in Users.ListByName method
URL: https://github.com/SSSD/sssd/pull/208
Title: #208: IFP: Filter with * in Users.ListByName method
celestian commented:
"""
Yes. It is rebased now. This PR has to go before #211 IFP: Fix of limit = 0 (unlimited result).
"""
See the full comment at https://github.com/SSSD/sssd/pull/208#issuecomment-291064830
[SSSD] [sssd PR#208][synchronized] IFP: Filter with * in Users.ListByName method
URL: https://github.com/SSSD/sssd/pull/208 Author: celestian Title: #208: IFP: Filter with * in Users.ListByName method Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/208/head:pr208 git checkout pr208 From 5ea6c195d63dd92ef37ada4827005c88aa787ad5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Thu, 23 Mar 2017 09:17:55 +0100 Subject: [PATCH] IFP: Filter with * in infopipe methods This patch fixes asterisk in filter of those methods: * org.freedesktop.sssd.infopipe.Users.ListByName * org.freedesktop.sssd.infopipe.Groups.ListByName * org.freedesktop.sssd.infopipe.Users.ListByDomainAndName In those cases, functions ifp_[users|groups]_list_copy() were called with NULL pointer. Resolves: https://pagure.io/SSSD/sssd/issue/3305 --- src/responder/ifp/ifp_groups.c | 26 +++--- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/src/responder/ifp/ifp_groups.c b/src/responder/ifp/ifp_groups.c index c568c62..5c126fc 100644 --- a/src/responder/ifp/ifp_groups.c +++ b/src/responder/ifp/ifp_groups.c @@ -307,12 +307,14 @@ static void ifp_groups_list_by_name_done(struct tevent_req *req) return; } -ret = ifp_groups_list_copy(list_ctx, result->ldb_result); -if (ret != EOK) { -error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL, - "Failed to copy domain result"); -sbus_request_fail_and_finish(sbus_req, error); -return; +if (ret == EOK) { +ret = ifp_groups_list_copy(list_ctx, result->ldb_result); +if (ret != EOK) { +error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL, + "Failed to copy domain result"); +sbus_request_fail_and_finish(sbus_req, error); +return; +} } list_ctx->dom = get_next_domain(list_ctx->dom, SSS_GND_DESCEND); 
@@ -394,11 +396,13 @@ static void ifp_groups_list_by_domain_and_name_done(struct tevent_req *req) goto done; } -ret = ifp_groups_list_copy(list_ctx, result->ldb_result); -if (ret != EOK) { -error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL, - "Failed to copy domain result"); -goto done; +if (ret == EOK) { +ret = ifp_groups_list_copy(list_ctx, result->ldb_result); +if (ret != EOK) { +error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL, + "Failed to copy domain result"); +goto done; +} } done: ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
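Review bot: The commit message names Users.ListByName and Users.ListByDomainAndName, but this revision changes only src/responder/ifp/ifp_groups.c (1 file changed), in ifp_groups_list_by_name_done() and ifp_groups_list_by_domain_and_name_done(). Either restore the ifp_users.c change or update the message so that it lists the methods actually touched. In both hunks the new `if (ret == EOK)` guard would benefit from a one-line comment saying which non-EOK value can reach this point with no result to copy, because the earlier check that lets it through lies outside the visible context; a NULL check inside ifp_groups_list_copy() would protect every caller at once.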
[SSSD] [sssd PR#218][synchronized] TEST: Adding krb5-libs to dependencies
URL: https://github.com/SSSD/sssd/pull/218 Author: celestian Title: #218: TEST: Adding krb5-libs to dependencies Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/218/head:pr218 git checkout pr218 From 09426863f867732d7414b0e25f443d672b51ce2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Thu, 30 Mar 2017 12:05:08 +0200 Subject: [PATCH] TEST: Adding krb5-libs to dependencies Resolves: https://pagure.io/SSSD/sssd/issue/3353 --- contrib/ci/deps.sh| 2 +- src/external/intgcheck.m4 | 7 +++ src/external/krb5.m4 | 8 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh index 4467e11..0c52712 100644 --- a/contrib/ci/deps.sh +++ b/contrib/ci/deps.sh @@ -45,7 +45,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then pyldb rpm-build uid_wrapper -python-requests +krb5-libs curl-devel krb5-server krb5-workstation diff --git a/src/external/intgcheck.m4 b/src/external/intgcheck.m4 index ac68b85..60df052 100644 --- a/src/external/intgcheck.m4 +++ b/src/external/intgcheck.m4 @@ -29,5 +29,12 @@ AC_DEFUN([SSS_ENABLE_INTGCHECK_REQS], [ SSS_INTGCHECK_REQ([HAVE_PYTEST], [pytest]) SSS_INTGCHECK_REQ([HAVE_PY2MOD_LDAP], [python-ldap]) SSS_INTGCHECK_REQ([HAVE_PY2MOD_LDAP], [pyldb]) +SSS_INTGCHECK_REQ([HAVE_KRB5KDC], [krb5kdc]) +SSS_INTGCHECK_REQ([HAVE_KDB5_UTIL], [kdb5_util]) +SSS_INTGCHECK_REQ([HAVE_KINIT], [kinit]) +SSS_INTGCHECK_REQ([HAVE_KVNO], [kvno]) +SSS_INTGCHECK_REQ([HAVE_KDESTROY], [kdestroy]) +SSS_INTGCHECK_REQ([HAVE_KSWITCH], [kswitch]) +SSS_INTGCHECK_REQ([HAVE_KLIST], [klist]) fi ]) diff --git a/src/external/krb5.m4 b/src/external/krb5.m4 index b844c2f..513b8a9 100644 --- a/src/external/krb5.m4 +++ b/src/external/krb5.m4 
@@ -114,3 +114,11 @@ AM_COND_IF([BUILD_KRB5_LOCALAUTH_PLUGIN], CFLAGS=$SAVE_CFLAGS LIBS=$SAVE_LIBS + +AC_CHECK_PROG([HAVE_KRB5KDC], [krb5kdc], [yes], [no]) +AC_CHECK_PROG([HAVE_KDB5_UTIL], [kdb5_util], [yes], [no]) +AC_CHECK_PROG([HAVE_KINIT], [kinit], [yes], [no]) +AC_CHECK_PROG([HAVE_KVNO], [kvno], [yes], [no]) +AC_CHECK_PROG([HAVE_KDESTROY], [kdestroy], [yes], [no]) +AC_CHECK_PROG([HAVE_KSWITCH], [kswitch], [yes], [no]) +AC_CHECK_PROG([HAVE_KLIST], [klist], [yes], [no]) ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
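Review bot: In src/external/krb5.m4 the seven AC_CHECK_PROG calls search only $PATH because no path argument is given, so a tool that lives in an sbin directory missing from the build user's PATH is reported as `no` and would then count as an unmet requirement in SSS_ENABLE_INTGCHECK_REQS. Consider passing an explicit search path (the fifth argument of AC_CHECK_PROG) for krb5kdc and kdb5_util. The commit message should also say that intgcheck now requires the Kerberos server and client tools, since its subject mentions only krb5-libs.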
[SSSD] [sssd PR#218][comment] TEST: Adding krb5-libs to dependencies
URL: https://github.com/SSSD/sssd/pull/218
Title: #218: TEST: Adding krb5-libs to dependencies
celestian commented:
"""
I see
```
install-deps: success 00:01:07 ci-install-deps.log
autoreconf: success 00:00:34 ci-autoreconf.log
DEBUG BUILD: ci-build-debug
configure: failure 00:00:22 ci-build-debug/ci-configure.log
FAILURE
```
Is it possible to see logs?
Respectively, I tried to run the tests in our CI, but connection failed:
```
$ git push ci HEAD:master
ssh_exchange_identification: Connection closed by remote host
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
```
"""
See the full comment at https://github.com/SSSD/sssd/pull/218#issuecomment-290628112
[SSSD] [sssd PR#214][comment] UTIL: Set udp_preference_limit=0 in krb5 snippet
URL: https://github.com/SSSD/sssd/pull/214
Title: #214: UTIL: Set udp_preference_limit=0 in krb5 snippet
celestian commented:
"""
I see
```
Warning: Permanently added '172.19.2.156' (ECDSA) to the list of known hosts.
install-deps: success 00:01:07 ci-install-deps.log
autoreconf: success 00:00:34 ci-autoreconf.log
DEBUG BUILD: ci-build-debug
configure: failure 00:00:22 ci-build-debug/ci-configure.log
FAILURE
```
is it possible to look at logs?
Respectively I tried to run the tests in our CI, but connection failed:
```
$ git push ci HEAD:master
ssh_exchange_identification: Connection closed by remote host
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
```
"""
See the full comment at https://github.com/SSSD/sssd/pull/214#issuecomment-290627840
[SSSD] [sssd PR#218][edited] TEST: Adding krb5-libs to dependencies
URL: https://github.com/SSSD/sssd/pull/218
Author: celestian
Title: #218: TEST: Adding krb5-libs to dependencies
Action: edited
Changed field: title
Original value:
"""
TEST: Adding krb5-kdc to dependencies
"""
[SSSD] [sssd PR#218][synchronized] TEST: Adding krb5-kdc to dependencies
URL: https://github.com/SSSD/sssd/pull/218 Author: celestian Title: #218: TEST: Adding krb5-kdc to dependencies Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/218/head:pr218 git checkout pr218 From 4c085a34a97bede4b32d6c880d1434d83c4deec7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Thu, 30 Mar 2017 12:05:08 +0200 Subject: [PATCH] TEST: Adding krb5-libs to dependencies Resolves: https://pagure.io/SSSD/sssd/issue/3353 --- contrib/ci/deps.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh index 4467e11..0c52712 100644 --- a/contrib/ci/deps.sh +++ b/contrib/ci/deps.sh @@ -45,7 +45,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then pyldb rpm-build uid_wrapper -python-requests +krb5-libs curl-devel krb5-server krb5-workstation ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
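Review bot: The contrib/ci/deps.sh hunk does not add a package, it replaces one: `-python-requests` / `+krb5-libs`. If python-requests is still needed by the tests on the `-redhat-*` branch, add krb5-libs as a new line instead; if dropping it is intended, say so in the commit message, whose subject mentions only adding krb5-libs.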
[SSSD] [sssd PR#218][edited] TEST: Adding krb5-kdc to dependencies
URL: https://github.com/SSSD/sssd/pull/218
Author: celestian
Title: #218: TEST: Adding krb5-kdc to dependencies
Action: edited
Changed field: title
Original value:
"""
TEST: Adding paython-requests to dependencies
"""
[SSSD] [sssd PR#218][synchronized] TEST: Adding paython-requests to dependencies
URL: https://github.com/SSSD/sssd/pull/218 Author: celestian Title: #218: TEST: Adding paython-requests to dependencies Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/218/head:pr218 git checkout pr218 From 41e8d65437087625d6f1fa3b3eade89545aec45c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Thu, 30 Mar 2017 12:05:08 +0200 Subject: [PATCH] TEST: Adding krb5-kdc to dependencies Resolves: https://pagure.io/SSSD/sssd/issue/3353 --- contrib/ci/deps.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh index 4467e11..2ffb606 100644 --- a/contrib/ci/deps.sh +++ b/contrib/ci/deps.sh @@ -45,7 +45,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then pyldb rpm-build uid_wrapper -python-requests +krb5-kdc curl-devel krb5-server krb5-workstation ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
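Review bot: `krb5-kdc` is added inside the `-redhat-*` branch of contrib/ci/deps.sh, where `krb5-server` already appears two lines below in the unchanged context. Please confirm that a package of that name exists for the Red Hat family distributions this branch covers; if the KDC binaries are what the tests need, the krb5-server entry may already provide them and this line would only make dependency installation fail.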
[SSSD] [sssd PR#218][opened] TEST: Adding paython-requests to dependencies
URL: https://github.com/SSSD/sssd/pull/218 Author: celestian Title: #218: TEST: Adding paython-requests to dependencies Action: opened PR body: """ Resolves: https://pagure.io/SSSD/sssd/issue/3353 Note: I am not sure if this is the correct dependency which we were looking for. But it is needed anyway. If we need more don't hesitate to write me. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/218/head:pr218 git checkout pr218 From 8cf9aad8914e7a99a03eadfe1e4b09ac7fd98f30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Thu, 30 Mar 2017 12:05:08 +0200 Subject: [PATCH] TEST: Adding paython-requests to dependencies Resolves: https://pagure.io/SSSD/sssd/issue/3353 --- src/external/intgcheck.m4 | 1 + 1 file changed, 1 insertion(+) diff --git a/src/external/intgcheck.m4 b/src/external/intgcheck.m4 index ac68b85..e38401c 100644 --- a/src/external/intgcheck.m4 +++ b/src/external/intgcheck.m4 @@ -29,5 +29,6 @@ AC_DEFUN([SSS_ENABLE_INTGCHECK_REQS], [ SSS_INTGCHECK_REQ([HAVE_PYTEST], [pytest]) SSS_INTGCHECK_REQ([HAVE_PY2MOD_LDAP], [python-ldap]) SSS_INTGCHECK_REQ([HAVE_PY2MOD_LDAP], [pyldb]) +SSS_INTGCHECK_REQ([HAVE_PYT2MOD-REQUESTS], [python-requests]) fi ]) ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
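Review bot: The new requirement uses the variable name `HAVE_PYT2MOD-REQUESTS`, which differs from the `HAVE_PY2MOD_` prefix of the two lines above it and contains a hyphen, so it cannot be a valid shell or make variable name. Rename it to HAVE_PY2MOD_REQUESTS and include the check that sets it, since this patch changes only intgcheck.m4 and nothing visible defines the variable. The subject line also misspells python-requests as "paython-requests".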
[SSSD] [sssd PR#214][opened] UTIL: Set udp_preference_limit=0 in krb5 snippet
URL: https://github.com/SSSD/sssd/pull/214 Author: celestian Title: #214: UTIL: Set udp_preference_limit=0 in krb5 snippet Action: opened PR body: """ We add udp_preference_limit = 0 to krb5 snippet. This option enable TCP connection before UDP, when sending a message to the KDC. Resolves: https://pagure.io/SSSD/sssd/issue/3254 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/214/head:pr214 git checkout pr214 From 7966c26378882d923cbd8d086300ea5aa356b1af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Tue, 28 Mar 2017 14:35:22 +0200 Subject: [PATCH] UTIL: Set udp_preference_limit=0 in krb5 snippet We add udp_preference_limit = 0 to krb5 snippet. This option enable TCP connection before UDP, when sending a message to the KDC. Resolves: https://pagure.io/SSSD/sssd/issue/3254 --- src/util/domain_info_utils.c | 25 + 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c index 6ef6bcf..87033c2 100644 --- a/src/util/domain_info_utils.c +++ b/src/util/domain_info_utils.c @@ -735,9 +735,15 @@ static errno_t sss_write_krb5_localauth_snippet(const char *path) #define KRB5_LIBDEFAUTLS_CONFIG \ "[libdefaults]\n" \ +" udp_preference_limit = 0\n" + +#define KRB5_LIBDEFAUTLS_CANONICAL_CONFIG \ +"[libdefaults]\n" \ +" udp_preference_limit = 0\n" \ " canonicalize = true\n" -static errno_t sss_write_krb5_libdefaults_snippet(const char *path) +static errno_t sss_write_krb5_libdefaults_snippet(const char *path, + bool canonicalize) { int ret; TALLOC_CTX *tmp_ctx = NULL; 
@@ -759,7 +765,12 @@ static errno_t sss_write_krb5_libdefaults_snippet(const char *path) DEBUG(SSSDBG_FUNC_DATA, "File for KRB5 kibdefaults configuration is [%s]\n", file_name); -ret = sss_write_krb5_snippet_common(file_name, KRB5_LIBDEFAUTLS_CONFIG); +if (canonicalize == true) { +ret = sss_write_krb5_snippet_common(file_name, +KRB5_LIBDEFAUTLS_CANONICAL_CONFIG); +} else { +ret = sss_write_krb5_snippet_common(file_name, KRB5_LIBDEFAUTLS_CONFIG); +} if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_snippet_common failed.\n"); goto done; @@ -793,12 +804,10 @@ errno_t sss_write_krb5_conf_snippet(const char *path, bool canonicalize) goto done; } -if (canonicalize) { -ret = sss_write_krb5_libdefaults_snippet(path); -if (ret != EOK) { -DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_libdefaults_snippet failed.\n"); -goto done; -} +ret = sss_write_krb5_libdefaults_snippet(path, canonicalize); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_libdefaults_snippet failed.\n"); +goto done; } ret = EOK; ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
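Review bot: The last hunk makes sss_write_krb5_conf_snippet() write the libdefaults snippet unconditionally, where it was previously written only when `canonicalize` was set, so `udp_preference_limit = 0` now reaches every configuration that includes the snippet; the commit message should state that change of behaviour. In the first hunk the two macros duplicate the `[libdefaults]` and `udp_preference_limit` lines, and the new macro name carries over the LIBDEFAUTLS misspelling; building the canonical variant from the base macro plus the `canonicalize = true` line would keep the two in sync. In the second hunk `if (canonicalize == true)` can simply be `if (canonicalize)`.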
[SSSD] [sssd PR#211][comment] IFP: Fix of limit = 0 (unlimited result)
URL: https://github.com/SSSD/sssd/pull/211
Title: #211: IFP: Fix of limit = 0 (unlimited result)
celestian commented:
"""
@lslebodn thanks, that's a good point. I synced a new version of the patch.
"""
See the full comment at https://github.com/SSSD/sssd/pull/211#issuecomment-289727876
[SSSD] [sssd PR#211][synchronized] IFP: Fix of limit = 0 (unlimited result)
URL: https://github.com/SSSD/sssd/pull/211 Author: celestian Title: #211: IFP: Fix of limit = 0 (unlimited result) Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/211/head:pr211 git checkout pr211 From c1aa2a7370e2265ce4ffa2636fa9f6a43577f439 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Tue, 28 Mar 2017 12:07:55 +0200 Subject: [PATCH] IFP: Fix of limit = 0 (unlimited result) If we set limit to 0 it means that result is unlimited. Internally we restrict number of result by allocation of result array. In unlimited case there was a bug and zero array was allocated. This fix allocates neccessary array when we know real result size. Resolves: https://pagure.io/SSSD/sssd/issue/3306 --- src/responder/ifp/ifpsrv_util.c | 9 + 1 file changed, 9 insertions(+) diff --git a/src/responder/ifp/ifpsrv_util.c b/src/responder/ifp/ifpsrv_util.c index 5866d30..c948d5a 100644 --- a/src/responder/ifp/ifpsrv_util.c +++ b/src/responder/ifp/ifpsrv_util.c @@ -314,6 +314,15 @@ size_t ifp_list_ctx_remaining_capacity(struct ifp_list_ctx *list_ctx, { size_t capacity = list_ctx->limit - list_ctx->path_count; +if (list_ctx->limit == 0) { +list_ctx->paths = talloc_zero_array(list_ctx, const char *, entries); +if (list_ctx->paths == NULL) { +DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n"); +return 0; +} +return entries; +} + if (capacity < entries) { DEBUG(SSSDBG_MINOR_FAILURE, "IFP list request has limit of %"PRIu32" entries but back end " ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
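Review bot: In the new `limit == 0` branch of ifp_list_ctx_remaining_capacity(), `list_ctx->paths` is replaced by an array of exactly `entries` elements with no regard to `list_ctx->path_count`. If the function runs more than once for a request, so that path_count is already non-zero (as the `limit - path_count` line above allows for), the earlier array is dropped and a caller that indexes from path_count writes past the end of the new one. Grow the array to `path_count + entries` with talloc_realloc() instead. Returning 0 when the allocation fails is also indistinguishable from having no capacity left, so the caller cannot report ENOMEM, and `capacity` is computed before the limit check and wraps when limit is 0 and path_count is not.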
[SSSD] [sssd PR#211][opened] IFP: Fix of limit = 0 (unlimited result)
URL: https://github.com/SSSD/sssd/pull/211
Author: celestian
Title: #211: IFP: Fix of limit = 0 (unlimited result)
Action: opened
PR body:
"""
If we set limit to 0 it means that result is unlimited. Internally we restrict number of result by allocation of result array. In unlimited case there was a bug and zero array was allocated. This fix allocates necessary array when we know real result size.
Resolves: https://pagure.io/SSSD/sssd/issue/3306
How to test (this reproducer needs #208 "IFP: Filter with * in Users.ListByName method" applied)
```
systemctl daemon-reload
sudo su -c "truncate -s0 /var/log/sssd/*.log"
sudo su -c "rm -f /var/lib/sss/db/*"
sudo su -c "rm -f /var/lib/sss/mc/*"
sudo systemctl restart sssd.service
sudo su -c "truncate -s0 /var/log/sssd/*.log"

dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe \
    /org/freedesktop/sssd/infopipe/Users \
    org.freedesktop.sssd.infopipe.Users.ListByName \
    string:"*" uint32:"0"

dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe \
    /org/freedesktop/sssd/infopipe/Groups \
    org.freedesktop.sssd.infopipe.Groups.ListByName \
    string:"*" uint32:"100"

dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe \
    /org/freedesktop/sssd/infopipe/Users \
    org.freedesktop.sssd.infopipe.Users.ListByDomainAndName \
    string:"domain.cygnus" string:"*" uint32:"100"
```
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/211/head:pr211
git checkout pr211
From 224546e19e6ac3007c6fd272bdea373ae04d8c3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Tue, 28 Mar 2017 09:11:22 +0200 Subject: [PATCH] IFP: Fix of limit = 0 (unlimited result) If we set limit to 0 it means that result is unlimited. Internally we restrict number of result by allocation of result array. In unlimited case there was a bug and zero array was allocated. This fix allocates neccessary array when we know real result size. Resolves: https://pagure.io/SSSD/sssd/issue/3306 --- src/responder/ifp/ifp_groups.c | 10 +- src/responder/ifp/ifp_users.c | 20 ++-- 2 files changed, 27 insertions(+), 3 deletions(-) diff --git a/src/responder/ifp/ifp_groups.c b/src/responder/ifp/ifp_groups.c index 94d1e84..166cfe7 100644 --- a/src/responder/ifp/ifp_groups.c +++ b/src/responder/ifp/ifp_groups.c @@ -86,7 +86,15 @@ static int ifp_groups_list_copy(struct ifp_list_ctx *list_ctx, { size_t copy_count, i; -copy_count = ifp_list_ctx_remaining_capacity(list_ctx, result->count); +if (list_ctx->limit == 0) { +list_ctx->paths = talloc_zero_array(list_ctx, const char *, result->count); +if (list_ctx->paths == NULL) { +return ENOMEM; +} +copy_count = result->count; +} else { +copy_count = ifp_list_ctx_remaining_capacity(list_ctx, result->count); +} for (i = 0; i < copy_count; i++) { list_ctx->paths[list_ctx->path_count + i] = \ diff --git a/src/responder/ifp/ifp_users.c b/src/responder/ifp/ifp_users.c index cc78300..76c9ac9 100644 --- a/src/responder/ifp/ifp_users.c +++ b/src/responder/ifp/ifp_users.c 
@@ -430,7 +430,15 @@ static int ifp_users_list_copy(struct ifp_list_ctx *list_ctx, { size_t copy_count, i; -copy_count = ifp_list_ctx_remaining_capacity(list_ctx, result->count); +if (list_ctx->limit == 0) { +list_ctx->paths = talloc_zero_array(list_ctx, const char *, result->count); +if (list_ctx->paths == NULL) { +return ENOMEM; +} +copy_count = result->count; +} else { +copy_count = ifp_list_ctx_remaining_capacity(list_ctx, result->count); +} for (i = 0; i < copy_count; i++) { list_ctx->paths[list_ctx->path_count + i] = \ @@ -892,7 +900,15 @@ static void ifp_users_list_by_domain_and_name_done(struct tevent_req *req) goto done; } -copy_count = ifp_list_ctx_remaining_capacity(list_ctx, result->count); +if (list_ctx->limit == 0) { +list_ctx->paths = talloc_zero_array(list_ctx, const char *, result->count); +if (list_ctx->paths == NULL) { +goto done; +} +copy_count = result->count; +} else { +copy_count = ifp_list_ctx_remaining_capacity(list_ctx, result->count); +} for (i = 0; i < copy_count; i++) { list_ctx->paths[i] = ifp_users_build_path_from_msg(list_ctx->paths, ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
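Review bot: All three hunks allocate `list_ctx->paths` with `result->count` elements, but the copy loops in ifp_groups_list_copy() and ifp_users_list_copy() store at `list_ctx->paths[list_ctx->path_count + i]`. If either function runs a second time for the same request with limit 0 and a non-zero path_count, the first array is replaced and the stores land past the end of the new one; size the array as path_count + result->count and grow it with talloc_realloc(). In ifp_users_list_by_domain_and_name_done() the allocation failure path is a bare `goto done` with no error set in the visible lines, so the caller may get a reply instead of an out-of-memory error. The block is identical in three places and belongs in one helper.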
[SSSD] [sssd PR#208][synchronized] IFP: Filter with * in Users.ListByName method
URL: https://github.com/SSSD/sssd/pull/208 Author: celestian Title: #208: IFP: Filter with * in Users.ListByName method Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/208/head:pr208 git checkout pr208 From 799ee6a4fb9349e28bba1efeacb5a51ae8b4511c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Thu, 23 Mar 2017 09:17:55 +0100 Subject: [PATCH] IFP: Filter with * in infopipe methods This patch fixes asterisk in filter of those methods: * org.freedesktop.sssd.infopipe.Users.ListByName * org.freedesktop.sssd.infopipe.Groups.ListByName * org.freedesktop.sssd.infopipe.Users.ListByDomainAndName In those cases, functions ifp_[users|groups]_list_copy() were called with NULL pointer. Resolves: https://pagure.io/SSSD/sssd/issue/3305 --- src/responder/ifp/ifp_groups.c | 26 +++--- src/responder/ifp/ifp_users.c | 14 -- 2 files changed, 23 insertions(+), 17 deletions(-) diff --git a/src/responder/ifp/ifp_groups.c b/src/responder/ifp/ifp_groups.c index 94d1e84..fe3c641 100644 --- a/src/responder/ifp/ifp_groups.c +++ b/src/responder/ifp/ifp_groups.c @@ -302,12 +302,14 @@ static void ifp_groups_list_by_name_done(struct tevent_req *req) return; } -ret = ifp_groups_list_copy(list_ctx, result->ldb_result); -if (ret != EOK) { -error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL, - "Failed to copy domain result"); -sbus_request_fail_and_finish(sbus_req, error); -return; +if (ret == EOK) { +ret = ifp_groups_list_copy(list_ctx, result->ldb_result); +if (ret != EOK) { +error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL, + "Failed to copy domain result"); +sbus_request_fail_and_finish(sbus_req, error); +return; +} } list_ctx->dom = get_next_domain(list_ctx->dom, SSS_GND_DESCEND); 
@@ -388,11 +390,13 @@ static void ifp_groups_list_by_domain_and_name_done(struct tevent_req *req) goto done; } -ret = ifp_groups_list_copy(list_ctx, result->ldb_result); -if (ret != EOK) { -error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL, - "Failed to copy domain result"); -goto done; +if (ret == EOK) { +ret = ifp_groups_list_copy(list_ctx, result->ldb_result); +if (ret != EOK) { +error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL, + "Failed to copy domain result"); +goto done; +} } done: diff --git a/src/responder/ifp/ifp_users.c b/src/responder/ifp/ifp_users.c index cc78300..961a8fa 100644 --- a/src/responder/ifp/ifp_users.c +++ b/src/responder/ifp/ifp_users.c @@ -805,12 +805,14 @@ static void ifp_users_list_by_name_done(struct tevent_req *req) return; } -ret = ifp_users_list_copy(list_ctx, result->ldb_result); -if (ret != EOK) { -error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL, - "Failed to copy domain result"); -sbus_request_fail_and_finish(sbus_req, error); -return; +if (ret == EOK) { +ret = ifp_users_list_copy(list_ctx, result->ldb_result); +if (ret != EOK) { +error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL, + "Failed to copy domain result"); +sbus_request_fail_and_finish(sbus_req, error); +return; +} } list_ctx->dom = get_next_domain(list_ctx->dom, SSS_GND_DESCEND); ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
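Review bot: The commit message lists Users.ListByDomainAndName, yet the ifp_users.c part touches only ifp_users_list_by_name_done(), while ifp_groups_list_by_domain_and_name_done() is changed without Groups.ListByDomainAndName being listed. Please make the list match the handlers changed, or add the guard to ifp_users_list_by_domain_and_name_done() if it has the same NULL result path. The `if (ret == EOK)` block is repeated verbatim in three handlers and relies on an earlier check outside the visible context; testing the result pointer inside ifp_users_list_copy() and ifp_groups_list_copy() would fix the NULL dereference in one place per type.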
[SSSD] [sssd PR#206][comment] IFP: Fix of names in GetUserGroups method
URL: https://github.com/SSSD/sssd/pull/206
Title: #206: IFP: Fix of names in GetUserGroups method
celestian commented:
"""
Updated -- I just added "resolves" link to the commit message.
"""
See the full comment at https://github.com/SSSD/sssd/pull/206#issuecomment-288980755
[SSSD] [sssd PR#206][synchronized] IFP: Fix of names in GetUserGroups method
URL: https://github.com/SSSD/sssd/pull/206 Author: celestian Title: #206: IFP: Fix of names in GetUserGroups method Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/206/head:pr206 git checkout pr206 From 09934cbda4fb740d33d37de75f4bb02d11d65057 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Wed, 22 Mar 2017 15:40:00 +0100 Subject: [PATCH] IFP: Fix of names in GetUserGroups method This patch adds code which chooses the right domain for creation of output group's name. Resolves: https://pagure.io/SSSD/sssd/issue/3268 --- src/responder/ifp/ifpsrv_cmd.c | 16 +--- src/util/usertools.c | 42 ++ src/util/util.h| 5 + 3 files changed, 60 insertions(+), 3 deletions(-) diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c index 07edcdd..d0df8d0 100644 --- a/src/responder/ifp/ifpsrv_cmd.c +++ b/src/responder/ifp/ifpsrv_cmd.c @@ -373,6 +373,8 @@ ifp_user_get_groups_reply(struct sss_domain_info *domain, const char *name; const char **groupnames; char *out_name; +struct sss_domain_info *recent_domain; +errno_t ret; /* one less, the first one is the user entry */ num = res->count - 1; @@ -396,9 +398,17 @@ ifp_user_get_groups_reply(struct sss_domain_info *domain, continue; } -if (domain->fqnames) { -groupnames[i] = sss_tc_fqname(groupnames, domain->names, - domain, out_name); +ret = sss_get_domain_by_name(groupnames, ireq->ifp_ctx->rctx->domains, + name, _domain); +if (ret != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, "sss_get_domain_by_name() failed " + "[%d]: %s\n", ret, sss_strerror(ret)); +continue; +} + +if (recent_domain->fqnames) { +groupnames[i] = sss_tc_fqname(groupnames, recent_domain->names, + recent_domain, out_name); if (out_name == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "sss_tc_fqname failed\n"); continue; diff --git a/src/util/usertools.c b/src/util/usertools.c index 7b87c56..f818c95 100644 --- a/src/util/usertools.c +++ b/src/util/usertools.c 
@@ -377,6 +377,48 @@ static struct sss_domain_info * match_any_domain_or_subdomain_name( return find_domain_by_name(dom, dmatch, true); } +int sss_get_domain_by_name(TALLOC_CTX *memctx, + struct sss_domain_info *domains, + const char *orig_fqname, + struct sss_domain_info **_domain) +{ +struct sss_domain_info *dom, *match = NULL; +char *dmatch, *nmatch; +TALLOC_CTX *tmp_ctx; +int ret; + +tmp_ctx = talloc_new(NULL); +if (tmp_ctx == NULL) { +return ENOMEM; +} + +for (dom = domains; dom != NULL; dom = get_next_domain(dom, 0)) { +ret = sss_parse_name(tmp_ctx, dom->names, orig_fqname, , ); +if (ret == EOK) { +if (dmatch != NULL) { +match = match_any_domain_or_subdomain_name (dom, dmatch); +if (match != NULL) { +DEBUG(SSSDBG_FUNC_DATA, "name '%s' matched expression for " +"domain '%s'\n", +orig_fqname, match->name); +break; +} +} +/* EINVAL is returned when name doesn't match */ +} else if (ret != EINVAL) { +goto done; +} +} + +*_domain = match; + +ret = EOK; +done: +talloc_free(tmp_ctx); + +return ret; +} + int sss_parse_name_for_domains(TALLOC_CTX *memctx, struct sss_domain_info *domains, const char *default_domain, diff --git a/src/util/util.h b/src/util/util.h index a2dc89b..e61138d 100644 --- a/src/util/util.h +++ b/src/util/util.h @@ -239,6 +239,11 @@ int sss_parse_name(TALLOC_CTX *memctx, struct sss_names_ctx *snctx, const char *orig, char **_domain, char **_name); +int sss_get_domain_by_name(TALLOC_CTX *memctx, + struct sss_domain_info *domains, + const char *orig_fqname, + struct sss_domain_info **_domain); + int sss_parse_name_for_domains(TALLOC_CTX *memctx, struct sss_domain_info *domains, const char *default_domain, ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
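Review bot: sss_get_domain_by_name() returns EOK with *_domain set to NULL whenever no domain matches (match starts as NULL and is only set inside the dmatch != NULL branch), while the caller in ifp_user_get_groups_reply() checks only ret != EOK before reading recent_domain->fqnames. A group name with no domain component, or one that matches no configured domain, would therefore be dereferenced as NULL. Either return an error such as ENOENT when match is NULL, or add a NULL check in the caller and fall back to the domain argument the function already receives.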
[SSSD] [sssd PR#206][comment] IFP: Fix of names in GetUserGroups method
URL: https://github.com/SSSD/sssd/pull/206
Title: #206: IFP: Fix of names in GetUserGroups method

celestian commented:
"""
How to test:
We need to set up sssd as a client of a FreeIPA server with AD trust. And we need to add a user from the AD domain to a FreeIPA group (ask me if you need help).

```
# Reset sssd and clear cache, logs
systemctl daemon-reload
sudo su -c "truncate -s0 /var/log/sssd/*.log"
sudo su -c "rm -f /var/lib/sss/db/*"
sudo su -c "rm -f /var/lib/sss/mc/*"
sudo systemctl restart sssd.service

# Update of necessary entities
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
    /org/freedesktop/sssd/infopipe/Groups \
    org.freedesktop.sssd.infopipe.Groups.FindByName \
    string:
# it return
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
    "" \
    org.freedesktop.sssd.infopipe.Groups.Group.UpdateMemberList

# Those two calls should have the same form of output groups
id test_user@ad_domain | tr ',' '\n'
dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe \
    /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups \
    string:test_user@ad_domain
```
"""

See the full comment at https://github.com/SSSD/sssd/pull/206#issuecomment-288422804
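The last step of the test procedure above (checking that `id` and `GetUserGroups` print group names in the same form) can be automated. The following is an added Python example, not part of the original comment or of SSSD; the sample outputs are constructed, and the `@` separator and all function names are assumptions made for illustration.

```python
import re

# Constructed sample outputs for illustration; not captured from a real host.
SAMPLE_ID_OUTPUT = (
    "uid=1367201104(test_user@ad_domain) gid=1367201104(test_user@ad_domain) "
    "groups=1367201104(test_user@ad_domain),"
    "1367200513(domain users@ad_domain),"
    "1185600007(ipa_group)"
)
SAMPLE_DBUS_REPLY = """\
method return time=1490192400.123456 sender=:1.42 -> destination=:1.43 serial=7 reply_serial=2
   array [
      string "test_user@ad_domain"
      string "domain users@ad_domain"
      string "ipa_group@ad_domain"
   ]
"""

ID_ENTRY_RE = re.compile(r"\d+\(([^)]*)\)")          # 1234(name), name may contain spaces
DBUS_STRING_RE = re.compile(r'^\s*string "(.*)"\s*$')  # one array item per line


def groups_from_id(output):
    """Return group names from the groups= field of `id` output.

    Works on the raw output and on the output piped through tr ',' '\\n'.
    Entries that have no resolved name (a bare gid) are skipped.
    """
    _, found, tail = output.partition("groups=")
    if not found:
        return []
    return ID_ENTRY_RE.findall(tail)


def groups_from_dbus_reply(output):
    """Return the string items of a `dbus-send --print-reply` array reply."""
    names = []
    for line in output.splitlines():
        match = DBUS_STRING_RE.match(line)
        if match:
            names.append(match.group(1))
    return names


def split_fqname(name, sep="@"):
    """Split name into (short_name, domain); domain is None for short names."""
    short, found, domain = name.rpartition(sep)
    return (short, domain) if found else (name, None)


def compare_name_forms(id_output, dbus_output):
    """Report names that differ between the two sources.

    form_mismatch lists (id_name, ifp_name) pairs whose short name is the
    same but whose printed form differs (for example qualified in one
    output and unqualified in the other).
    """
    id_names = set(groups_from_id(id_output))
    ifp_names = set(groups_from_dbus_reply(dbus_output))
    id_left = id_names - ifp_names
    ifp_left = ifp_names - id_names

    mismatched = [
        (a, b)
        for a in sorted(id_left)
        for b in sorted(ifp_left)
        if split_fqname(a)[0] == split_fqname(b)[0]
    ]
    paired_id = {a for a, _ in mismatched}
    paired_ifp = {b for _, b in mismatched}
    return {
        "form_mismatch": mismatched,
        "only_in_id": sorted(id_left - paired_id),
        "only_in_ifp": sorted(ifp_left - paired_ifp),
    }


if __name__ == "__main__":
    result = compare_name_forms(SAMPLE_ID_OUTPUT, SAMPLE_DBUS_REPLY)
    for key, value in result.items():
        print(f"{key}: {value}")
```

An empty `form_mismatch` list together with empty `only_in_*` lists means both calls returned the same names in the same form.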
[SSSD] [sssd PR#206][opened] IFP: Fix of names in GetUserGroups method
URL: https://github.com/SSSD/sssd/pull/206 Author: celestian Title: #206: IFP: Fix of names in GetUserGroups method Action: opened PR body: """ This patch adds code which chooses the right domain for creation of output group's name. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/206/head:pr206 git checkout pr206 From bf43a6f01fd0592a29ab570ddfd3e9ba18c51dd8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Wed, 22 Mar 2017 15:40:00 +0100 Subject: [PATCH] IFP: Fix of names in GetUserGroups method This patch adds code which chooses the right domain for creation of output group's name. --- src/responder/ifp/ifpsrv_cmd.c | 16 +--- src/util/usertools.c | 42 ++ src/util/util.h| 5 + 3 files changed, 60 insertions(+), 3 deletions(-) diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c index 07edcdd..d0df8d0 100644 --- a/src/responder/ifp/ifpsrv_cmd.c +++ b/src/responder/ifp/ifpsrv_cmd.c @@ -373,6 +373,8 @@ ifp_user_get_groups_reply(struct sss_domain_info *domain, const char *name; const char **groupnames; char *out_name; +struct sss_domain_info *recent_domain; +errno_t ret; /* one less, the first one is the user entry */ num = res->count - 1; @@ -396,9 +398,17 @@ ifp_user_get_groups_reply(struct sss_domain_info *domain, continue; } -if (domain->fqnames) { -groupnames[i] = sss_tc_fqname(groupnames, domain->names, - domain, out_name); +ret = sss_get_domain_by_name(groupnames, ireq->ifp_ctx->rctx->domains, + name, _domain); +if (ret != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, "sss_get_domain_by_name() failed " + "[%d]: %s\n", ret, sss_strerror(ret)); +continue; +} + +if (recent_domain->fqnames) { +groupnames[i] = sss_tc_fqname(groupnames, recent_domain->names, + recent_domain, out_name); if (out_name == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "sss_tc_fqname failed\n"); continue; diff --git a/src/util/usertools.c b/src/util/usertools.c index 7b87c56..f818c95 100644 
--- a/src/util/usertools.c +++ b/src/util/usertools.c @@ -377,6 +377,48 @@ static struct sss_domain_info * match_any_domain_or_subdomain_name( return find_domain_by_name(dom, dmatch, true); } +int sss_get_domain_by_name(TALLOC_CTX *memctx, + struct sss_domain_info *domains, + const char *orig_fqname, + struct sss_domain_info **_domain) +{ +struct sss_domain_info *dom, *match = NULL; +char *dmatch, *nmatch; +TALLOC_CTX *tmp_ctx; +int ret; + +tmp_ctx = talloc_new(NULL); +if (tmp_ctx == NULL) { +return ENOMEM; +} + +for (dom = domains; dom != NULL; dom = get_next_domain(dom, 0)) { +ret = sss_parse_name(tmp_ctx, dom->names, orig_fqname, , ); +if (ret == EOK) { +if (dmatch != NULL) { +match = match_any_domain_or_subdomain_name (dom, dmatch); +if (match != NULL) { +DEBUG(SSSDBG_FUNC_DATA, "name '%s' matched expression for " +"domain '%s'\n", +orig_fqname, match->name); +break; +} +} +/* EINVAL is returned when name doesn't match */ +} else if (ret != EINVAL) { +goto done; +} +} + +*_domain = match; + +ret = EOK; +done: +talloc_free(tmp_ctx); + +return ret; +} + int sss_parse_name_for_domains(TALLOC_CTX *memctx, struct sss_domain_info *domains, const char *default_domain, diff --git a/src/util/util.h b/src/util/util.h index a2dc89b..e61138d 100644 --- a/src/util/util.h +++ b/src/util/util.h @@ -239,6 +239,11 @@ int sss_parse_name(TALLOC_CTX *memctx, struct sss_names_ctx *snctx, const char *orig, char **_domain, char **_name); +int sss_get_domain_by_name(TALLOC_CTX *memctx, + struct sss_domain_info *domains, + const char *orig_fqname, + struct sss_domain_info **_domain); + int sss_parse_name_for_domains(TALLOC_CTX *memctx, struct sss_domain_info *domains, const char *default_domain, ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
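Review bot: the memctx parameter of sss_get_domain_by_name() is never used in the body (all allocations go to tmp_ctx), and the declaration added to util.h carries no comment describing what *_domain holds when nothing matches. Drop the unused parameter or document it, and add a short doc comment above the prototype. This version of the commit message also has no ticket reference, so a Resolves: line would help reviewers find the report.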
[SSSD] [sssd PR#202][opened] T3315 infopipe group users master
URL: https://github.com/SSSD/sssd/pull/202
Author: celestian
Title: #202: T3315 infopipe group users master
Action: opened

PR body:
"""
Reproducer is:
```
# PREPARING
ipa user-add --first=Test --last=User --email=u...@test-domain.sssd test_user
ipa group-add test_group

# REPRODUCER
systemctl daemon-reload
sudo su -c "truncate -s0 /var/log/sssd/*.log"
sudo su -c "rm -f /var/lib/sss/db/*"
sudo su -c "rm -f /var/lib/sss/mc/*"
sudo systemctl restart sssd.service

ipa group-add-member --users=test_user test_group
sss_cache -UG
getent group test_group

# getent shows user test_user in test_group, but dbus call doesn't:
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
    /org/freedesktop/sssd/infopipe/Groups \
    org.freedesktop.sssd.infopipe.Groups.FindByName \
    string:test_group
# command above returns

# We need to update group in cache because method "org.freedesktop.DBus.Properties.GetAll"
# doesn't update records (<-- this should be better commented)
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
    \
    org.freedesktop.sssd.infopipe.Groups.Group.UpdateMemberList
# --> this call doesn't work without patch "IFP: Parse ghost name in Group.UpdateMemberList"

# after this call group is updated in cache and we can call:
dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe \
    \
    org.freedesktop.DBus.Properties.GetAll \
    string:"org.freedesktop.sssd.infopipe.Groups.Group"
# We expect test_user in result users array.

# CLEANING
ipa group-del test_group
ipa user-del test_user
```
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/202/head:pr202
git checkout pr202

From 3560f62d331db55c903a394fbcb02351e896dee8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Thu, 16 Mar 2017 15:26:34 +0100 Subject: [PATCH 1/2] IFP: Parse ghost name in Group.UpdateMemberList Ghost users are stored in FQ name form in cache. The function cache_req_user_by_name_send() expects original name. Resolves: https://pagure.io/SSSD/sssd/issue/3315 --- src/responder/ifp/ifp_groups.c | 13 - 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/src/responder/ifp/ifp_groups.c b/src/responder/ifp/ifp_groups.c index 94d1e84..c66c0e8 100644 --- a/src/responder/ifp/ifp_groups.c +++ b/src/responder/ifp/ifp_groups.c @@ -592,6 +592,8 @@ errno_t resolv_ghosts_step(struct tevent_req *req) { struct resolv_ghosts_state *state; struct tevent_req *subreq; +const char *ghost_name; +errno_t ret; state = tevent_req_data(req, struct resolv_ghosts_state); @@ -599,10 +601,19 @@ errno_t resolv_ghosts_step(struct tevent_req *req) return EOK; } +ret = sss_parse_internal_fqname(state, state->ghosts[state->index], +_name, NULL); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, + "sss_parse_internal_fqname failed to split [%s].\n", + state->ghosts[state->index]); +return EINVAL; +} + subreq = cache_req_user_by_name_send(state, state->ev, state->ctx->rctx, state->ctx->rctx->ncache, 0, state->domain->name, - state->ghosts[state->index]); + ghost_name); if (subreq == NULL) { return ENOMEM; } From 0dd67527ec0aaf4c715f6f0edade8cf2de4ed101 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Wed, 15 Mar 2017 14:23:31 +0100 Subject: [PATCH 2/2] IFP: ldb_msg_find_element empty result fix Resolves: https://pagure.io/SSSD/sssd/issue/3315 --- src/responder/ifp/ifp_groups.c | 7 +-- 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/src/responder/ifp/ifp_groups.c b/src/responder/ifp/ifp_groups.c index c66c0e8..893abe8 100644 --- a/src/responder/ifp/ifp_groups.c +++ b/src/responder/ifp/ifp_groups.c 
@@ -561,12 +561,7 @@ static void resolv_ghosts_group_done(struct tevent_req *subreq) } el = ldb_msg_find_element(group, SYSDB_GHOST); -if (el == NULL) { -ret = ENOMEM; -goto done; -} - -if (el->num_values == 0) { +if (el == NULL || el->num_values == 0) { ret = EOK; goto done; } ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
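Review bot: in resolv_ghosts_step() the failure branch returns EINVAL and drops the ret from sss_parse_internal_fqname(), so an out-of-memory condition in the parser would be reported as invalid input; return ret instead. The domain component of the ghost name is discarded (NULL is passed) and state->domain->name is used for the lookup, so a one-line comment saying that ghosts are expected to belong to state->domain would make that assumption visible.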
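Review bot: the commit message for the ldb_msg_find_element change consists of a subject and a ticket link only, yet the hunk in resolv_ghosts_group_done() changes el == NULL from ENOMEM to EOK. Say in the message, or in a comment at the check, that a group without a SYSDB_GHOST element has no ghosts to resolve and is not an allocation failure.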
[SSSD] [sssd PR#194][comment] config-check: Message when sssd.conf is missing
URL: https://github.com/SSSD/sssd/pull/194
Title: #194: config-check: Message when sssd.conf is missing

celestian commented:
"""
LGTM and I pushed it to CI test.
"""

See the full comment at https://github.com/SSSD/sssd/pull/194#issuecomment-286474277
[SSSD] [sssd PR#153][-Changes requested] sss_cache: User/groups invalidation in domain cache
URL: https://github.com/SSSD/sssd/pull/153
Title: #153: sss_cache: User/groups invalidation in domain cache
Label: -Changes requested
[SSSD] [sssd PR#153][comment] sss_cache: User/groups invalidation in domain cache
URL: https://github.com/SSSD/sssd/pull/153
Title: #153: sss_cache: User/groups invalidation in domain cache

celestian commented:
"""
New version uploaded. Thanks for review.
"""

See the full comment at https://github.com/SSSD/sssd/pull/153#issuecomment-284703683
[SSSD] [sssd PR#153][synchronized] sss_cache: User/groups invalidation in domain cache
URL: https://github.com/SSSD/sssd/pull/153 Author: celestian Title: #153: sss_cache: User/groups invalidation in domain cache Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/153/head:pr153 git checkout pr153 From c77ab6e55d3427e7473984f90dc4b75504381987 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Tue, 14 Feb 2017 12:07:19 +0100 Subject: [PATCH] sss_cache: User/groups invalidation in domain cache When a group/users are invalidated from sss_cache, the group/user information in domain and timestamps cache are inconsistent with regard to dataExpireTimestamp attribute. This patch fixes the problem by explicitly invalidating the domain cache's entry when the timestamp cache entry is invalidated by sss_cache call. There is one new function: * sysdb_invalidate_cache_entry() provided for this purpose and used only in sss_cache utility. Resolves: https://fedorahosted.org/sssd/ticket/3164 --- src/db/sysdb.h | 9 ++ src/db/sysdb_ops.c | 65 ++ src/tests/intg/sssd_ldb.py | 11 +++ src/tests/intg/test_ts_cache.py | 70 - src/tools/sss_cache.c | 26 +++ 5 files changed, 173 insertions(+), 8 deletions(-) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 809ca35..f23805a 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -874,6 +874,15 @@ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb, struct sysdb_attrs *attrs, int mod_op); +/* User/group invalidation of cache by direct writing to persistent cache + * WARNING: This function can cause performance issue!! + * is_user = true --> user invalidation + * is_user = false --> group invalidation + */ +int sysdb_invalidate_cache_entry(struct sss_domain_info *domain, + const char *name, + bool is_user); + /* Replace user attrs */ int sysdb_set_user_attr(struct sss_domain_info *domain, const char *name, diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index 7f6c127..c842409 100644 --- a/src/db/sysdb_ops.c 
+++ b/src/db/sysdb_ops.c @@ -5006,3 +5006,68 @@ errno_t sysdb_mark_entry_as_expired_ldb_val(struct sss_domain_info *dom, talloc_free(tmp_ctx); return ret; } + +/* User/group invalidation of cache by direct writing to persistent cache + * WARNING: This function can cause performance issue!! + * is_user = true --> user invalidation + * is_user = false --> group invalidation + */ +int sysdb_invalidate_cache_entry(struct sss_domain_info *domain, + const char *name, + bool is_user) +{ +TALLOC_CTX *tmp_ctx; +struct sysdb_ctx *sysdb = domain->sysdb; +struct ldb_dn *entry_dn = NULL; +struct sysdb_attrs *attrs = NULL; +errno_t ret; + +tmp_ctx = talloc_new(NULL); +if (!tmp_ctx) { +return ENOMEM; +} + +if (is_user == true) { +entry_dn = sysdb_user_dn(tmp_ctx, domain, name); +} else { +entry_dn = sysdb_group_dn(tmp_ctx, domain, name); +} + +if (entry_dn == NULL) { +ret = ENOMEM; +goto done; +} + +attrs = sysdb_new_attrs(tmp_ctx); +if (attrs == NULL) { +DEBUG(SSSDBG_MINOR_FAILURE, "Could not create sysdb attributes\n"); +ret = ENOMEM; +goto done; +} + +ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE, 1); +if (ret != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, + "Could not add expiration time to attributes\n"); +goto done; +} + +ret = sysdb_set_cache_entry_attr(sysdb->ldb, entry_dn, + attrs, SYSDB_MOD_REP); +if (ret != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot set attrs for %s, %d [%s]\n", + ldb_dn_get_linearized(entry_dn), ret, sss_strerror(ret)); +goto done; +} + +DEBUG(SSSDBG_FUNC_DATA, + "Cache entry [%s] has been invalidated.\n", + ldb_dn_get_linearized(entry_dn)); + +ret = EOK; + +done: +talloc_zfree(tmp_ctx); +return ret; +} diff --git a/src/tests/intg/sssd_ldb.py b/src/tests/intg/sssd_ldb.py index 399ec8a..7c6a5f4 100644 --- a/src/tests/intg/sssd_ldb.py +++ b/src/tests/intg/sssd_ldb.py @@ -19,6 +19,7 @@ import os import ldb import config +import subprocess class CacheType(object): 
@@ -83,3 +84,13 @@ def get_entry_attr(self, cache_type, entry_type, name, domain, attr): return None return res.msgs[0].get(attr).get(0) + +def invalidate_entry(self, name, entry_type, domain): +dbconn = self._get_dbconn(CacheType.timestamps) + +m = ldb.Message() +m.dn = ldb.Dn(dbconn, self._b
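Review bot: the header comment on sysdb_invalidate_cache_entry() in sysdb.h warns about a performance issue without saying what the cost is or who is allowed to call it, while the commit message says the function is meant only for the sss_cache utility. Put that restriction and the reason for the warning into the comment, and keep it in one place rather than copying it into sysdb_ops.c. In the body, if (is_user == true) reads better as if (is_user).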
[SSSD] [sssd PR#170][comment] PROXY: Remove duplicit users from group
URL: https://github.com/SSSD/sssd/pull/170
Title: #170: PROXY: Remove duplicit users from group

celestian commented:
"""
So, @lslebodn and me looked at how to test this patch. Unfortunately we found out that proxy code uses ```nss_files_getgrnam_r``` which is not mocked by ```libnss_wrapper```.

The reviewer could inspire there:
```
Configuration:
# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = shadowutils
debug_level = 0x0

[nss]
filter_groups = root
filter_users = root
debug_level = 0x0

[pam]
offline_credentials_expiration = 365
debug_level = 0x0

[domain/shadowutils]
id_provider = proxy
proxy_lib_name = files
auth_provider = proxy
proxy_pam_target = sssd-shadowutils
proxy_fast_alias = True
debug_level = 0x0

# cat /etc/nsswitch.conf
[...]
passwd: files sss
shadow: files sss
group: sss

Preparation:
useradd test_user
groupadd test_group
usermod -a -G test_group test_user
# And manually add test_user to /etc/group to test_group again, so it looks like:
# [...]
# test_group:x:1001:test_user,test_user

Reproducer:
systemctl stop sssd
rm -fR /var/lib/sss/db/*.ldb
systemctl start sssd
truncate -s0 /var/log/sssd/*.log
getent group test_group
```
"""

See the full comment at https://github.com/SSSD/sssd/pull/170#issuecomment-283878254
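To find groups that would trigger the condition described in the comment above, a group(5) file can be scanned for members listed more than once. This is an added Python example, not part of the original comment or of SSSD; the sample file content is constructed (its test_group line mirrors the one in the comment) and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample in group(5) format, for illustration only.
SAMPLE_GROUP_FILE = """\
# local groups
root:x:0:
wheel:x:10:admin
test_group:x:1001:test_user,test_user
broken-line-without-fields
staff:x:1002:alice,bob,alice,carol,bob
"""


def parse_group_line(line):
    """Return (name, gid, members) or None if the line is not a group entry.

    Blank lines, comments, NIS compat lines (+/-) and lines that do not
    have exactly four colon-separated fields are skipped.
    """
    line = line.rstrip("\n")
    if not line.strip() or line.lstrip().startswith("#") or line[0] in "+-":
        return None
    fields = line.split(":")
    if len(fields) != 4 or not fields[0] or not fields[2].isdigit():
        return None
    members = [m for m in fields[3].split(",") if m]
    return fields[0], int(fields[2]), members


def find_duplicate_members(text):
    """Map group name -> {member: occurrences} for members listed twice or more."""
    report = {}
    for line in text.splitlines():
        entry = parse_group_line(line)
        if entry is None:
            continue
        name, _gid, members = entry
        duplicates = {m: n for m, n in Counter(members).items() if n > 1}
        if duplicates:
            report[name] = duplicates
    return report


def dedup_members(members):
    """Drop repeated members, keeping the order of first occurrence."""
    return list(dict.fromkeys(members))


if __name__ == "__main__":
    for group, dups in find_duplicate_members(SAMPLE_GROUP_FILE).items():
        print(f"{group}: {dups}")
```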
[SSSD] [sssd PR#153][-Changes requested] sss_cache: User/groups invalidation in domain cache
URL: https://github.com/SSSD/sssd/pull/153
Title: #153: sss_cache: User/groups invalidation in domain cache
Label: -Changes requested
[SSSD] [sssd PR#153][comment] sss_cache: User/groups invalidation in domain cache
URL: https://github.com/SSSD/sssd/pull/153
Title: #153: sss_cache: User/groups invalidation in domain cache

celestian commented:
"""
I updated the patch.

1. The issue with enum is addressed.
1. I added function ```sysdb_invalidate_cache_entry()``` to sysdb API and removed the specific two functions provided earlier. It is needed because I use internal sysdb function, namely ```sysdb_set_cache_entry_attr```.
"""

See the full comment at https://github.com/SSSD/sssd/pull/153#issuecomment-283332627
[SSSD] [sssd PR#170][comment] PROXY: Remove duplicit users from group
URL: https://github.com/SSSD/sssd/pull/170
Title: #170: PROXY: Remove duplicit users from group

celestian commented:
"""
There is the first version of patch. I would like to ask @jhrozek or @lslebodn if our cwrap tests have the capability to test this patch. I need ```/etc/group``` with duplicit users for testing it. Or is there a better way?

Anyway I appreciate any comments on the patch.
"""

See the full comment at https://github.com/SSSD/sssd/pull/170#issuecomment-282772139
[SSSD] [sssd PR#170][opened] PROXY: Remove duplicit users from group
URL: https://github.com/SSSD/sssd/pull/170 Author: celestian Title: #170: PROXY: Remove duplicit users from group Action: opened PR body: """ It is possible to have duplicit members in local files (/etc/group). This patch removes duplicity in groups in proxy provider. Resolves: https://fedorahosted.org/sssd/ticket/3314 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/170/head:pr170 git checkout pr170 From 69f298ec9f0acfcf994871a815b8396d84c42ae4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Mon, 27 Feb 2017 17:21:14 +0100 Subject: [PATCH] PROXY: Remove duplicit users from group It is possible to have duplicit members in local files (/etc/group). This patch removes duplicity in groups in proxy provider. Resolves: https://fedorahosted.org/sssd/ticket/3314 --- src/providers/proxy/proxy_id.c | 153 +++-- 1 file changed, 149 insertions(+), 4 deletions(-) diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c index 9b83f7a..9e0ab21 100644 --- a/src/providers/proxy/proxy_id.c +++ b/src/providers/proxy/proxy_id.c @@ -22,6 +22,7 @@ along with this program. If not, see <http://www.gnu.org/licenses/>. */ +#include #include "config.h" #include "util/sss_format.h" 
@@ -574,6 +575,143 @@ static int enum_users(TALLOC_CTX *mem_ctx, } while(0) +static errno_t remove_duplicit_group_members(TALLOC_CTX *mem_ctx, + struct group *orig_grp, + struct group **_grp) +{ +TALLOC_CTX *tmp_ctx; +hash_table_t *member_tbl = NULL; +struct hash_iter_context_t *iter; +hash_entry_t *entry; +hash_key_t key; +hash_value_t value; +struct group *grp; +size_t orig_member_count= 0; +size_t member_count= 0; +size_t i; +errno_t ret; + +tmp_ctx = talloc_new(NULL); +if (tmp_ctx == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n"); +return ENOMEM; +} + +if (orig_grp->gr_mem == NULL) { +ret = ENOENT; +goto done; +} + +for (i=0; orig_grp->gr_mem[i] != NULL; i++) { +orig_member_count++; +} + +if (orig_member_count == 0) { +ret = ENOENT; +goto done; +} + +ret = sss_hash_create(tmp_ctx, orig_member_count, _tbl); +if (ret != HASH_SUCCESS) { +DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create hash table.\n"); +ret = ENOMEM; +goto done; +} + +for (i=0; orig_grp->gr_mem[i] != NULL; i++) { +key.type = HASH_KEY_STRING; +key.str = talloc_strdup(member_tbl, orig_grp->gr_mem[i]); +if (key.str == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); +ret = ENOMEM; +goto done; +} + +value.type = HASH_VALUE_PTR; +value.ptr = talloc_strdup(member_tbl, orig_grp->gr_mem[i]); +if (key.str == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); +ret = ENOMEM; +goto done; +} + +ret = hash_enter(member_tbl, , ); +if (ret != HASH_SUCCESS) { +talloc_free(key.str); +ret = ENOMEM; +goto done; +} +} + +member_count = hash_count(member_tbl); +if (member_count == 0) { +ret = ENOENT; +goto done; +} + +grp = talloc(mem_ctx, struct group); +if (grp == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n"); +ret = ENOMEM; +goto done; +} + +grp->gr_mem = talloc_zero_array(grp, char *, member_count + 1); +if (grp->gr_mem == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n"); +ret = ENOMEM; +goto done; +} + +iter = new_hash_iter_context(member_tbl); +if (iter == NULL) 
{ +DEBUG(SSSDBG_OP_FAILURE, "new_hash_iter_context failed.\n"); +ret = EINVAL; +goto done; +} + +i = 0; +while ((entry = iter->next(iter)) != NULL) { +grp->gr_mem[i] = talloc_strdup(grp, entry->key.str); +if (grp->gr_mem[i] == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); +ret = ENOMEM; +goto done; +} +i++; +} +grp->gr_mem[i] = NULL; + +grp->gr_gid = orig_grp->gr_gid; + +grp->gr_name = talloc_strdup(grp, orig_grp->gr_name); +if (grp->gr_name == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); +ret = ENOMEM; +goto done; +} + +grp->gr_passwd = talloc_strdup(grp, orig_grp->gr_passwd); +if (grp->gr_passwd == NULL) { +DEBUG(SSSDBG_OP_FAILURE, &quo
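Review bot: in the member loop of remove_duplicit_group_members() the check after value.ptr = talloc_strdup(...) tests key.str a second time, so a failed allocation of the value goes unnoticed and a NULL pointer is stored in the table; test value.ptr there. Since only entry->key.str is read back when grp->gr_mem is built, the value copy looks unnecessary and could likely be dropped, which also halves the allocations per member.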
[SSSD] [sssd PR#153][comment] sss_cache: User/groups invalidation in domain cache
URL: https://github.com/SSSD/sssd/pull/153
Title: #153: sss_cache: User/groups invalidation in domain cache

celestian commented:
"""
New version pushed. CI passed: http://sssd-ci.duckdns.org/logs/job/63/02/summary.html
"""

See the full comment at https://github.com/SSSD/sssd/pull/153#issuecomment-281270670
[SSSD] [sssd PR#153][synchronized] sss_cache: User/groups invalidation in domain cache
URL: https://github.com/SSSD/sssd/pull/153 Author: celestian Title: #153: sss_cache: User/groups invalidation in domain cache Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/153/head:pr153 git checkout pr153 From c5a91d643ad7cfe017f99012b04355dccc0468de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Tue, 14 Feb 2017 12:07:19 +0100 Subject: [PATCH] sss_cache: User/groups invalidation in domain cache When a group/users are invalidated from sss_cache, the group/user information in domain and timestamps cache are inconsistent with regard to dataExpireTimestamp attribute. This patch fixes the problem by explicitly invalidating the domain cache's entry when the timestamp cache entry is invalidated by sss_cache call. There are two new functions: * sysdb_invalidate_user_cache_entry() * sysdb_invalidate_group_cache_entry() provided for this purpose and used only in sss_cache utility. Resolves: https://fedorahosted.org/sssd/ticket/3164 --- src/db/sysdb.h | 7 src/db/sysdb_ops.c | 82 + src/tests/intg/sssd_ldb.py | 11 ++ src/tests/intg/test_ts_cache.py | 70 +++ src/tools/sss_cache.c | 6 +++ 5 files changed, 168 insertions(+), 8 deletions(-) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 809ca35..dcff84f 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -868,6 +868,13 @@ int sysdb_search_netgroup_by_name(TALLOC_CTX *mem_ctx, const char **attrs, struct ldb_message **msg); +/* Invalidate user entry in domain cache */ +int sysdb_invalidate_user_cache_entry(struct sss_domain_info *domain, + const char *name); + +/* Invalidate group entry in domain cache */ +int sysdb_invalidate_group_cache_entry(struct sss_domain_info *domain, + const char *name); /* Replace entry attrs */ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb, struct ldb_dn *entry_dn, diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index 7f6c127..14c3275 100644 --- a/src/db/sysdb_ops.c 
+++ b/src/db/sysdb_ops.c @@ -5006,3 +5006,85 @@ errno_t sysdb_mark_entry_as_expired_ldb_val(struct sss_domain_info *dom, talloc_free(tmp_ctx); return ret; } + +enum sysdb_entry_type { +TYPE_USER=0, +TYPE_GROUP +}; + +static int sysdb_invalidate_cache_entry(struct sss_domain_info *domain, +const char *name, +enum sysdb_entry_type entry_type) +{ +TALLOC_CTX *tmp_ctx; +struct sysdb_ctx *sysdb = domain->sysdb; +struct ldb_dn *entry_dn = NULL; +struct sysdb_attrs *attrs = NULL; +errno_t ret; + +tmp_ctx = talloc_new(NULL); +if (!tmp_ctx) { +return ENOMEM; +} + +switch (entry_type) { +case TYPE_USER: +entry_dn = sysdb_user_dn(tmp_ctx, domain, name); +break; +case TYPE_GROUP: +entry_dn = sysdb_group_dn(tmp_ctx, domain, name); +break; +default: +DEBUG(SSSDBG_MINOR_FAILURE, "Wrong sysdb_entry_type.\n"); +} + +if (entry_dn == NULL) { +ret = ENOMEM; +goto done; +} + +attrs = sysdb_new_attrs(tmp_ctx); +if (attrs == NULL) { +DEBUG(SSSDBG_MINOR_FAILURE, "Could not create sysdb attributes\n"); +ret = ENOMEM; +goto done; +} + +ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE, 1); +if (ret != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, + "Could not add expiration time to attributes\n"); +goto done; +} + +ret = sysdb_set_cache_entry_attr(sysdb->ldb, entry_dn, + attrs, SYSDB_MOD_REP); +if (ret != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot set attrs for %s, %d [%s]\n", + ldb_dn_get_linearized(entry_dn), ret, sss_strerror(ret)); +goto done; +} + +DEBUG(SSSDBG_FUNC_DATA, + "Cache entry [%s] has been invalidated.\n", + ldb_dn_get_linearized(entry_dn)); + +ret = EOK; + +done: +talloc_zfree(tmp_ctx); +return ret; +} + +int sysdb_invalidate_user_cache_entry(struct sss_domain_info *domain, + const char *name) +{ +return sysdb_invalidate_cache_entry(domain, name, TYPE_USER); +} + +int sysdb_invalidate_group_cache_entry(struct sss_domain_info *domain, + const char *name) +{ +return sysdb_invalidate_cache_entry(domain, name, TYPE_GROUP); +} 
diff --git a/src/tests/intg/sssd_ldb.py b/src/tests/intg/sssd_ldb.py index 399ec8a..7c6a5f4 100644 --- a/src/tests/intg/sssd_ldb.py +++ b/src/t
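Review bot: the default branch of the switch in sysdb_invalidate_cache_entry() only logs "Wrong sysdb_entry_type" and falls through, so the entry_dn == NULL check that follows reports ENOMEM for what is an invalid argument. Set ret = EINVAL and goto done in the default branch so callers and logs see the real cause.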
[SSSD] [sssd PR#153][comment] sss_cache: User/groups invalidation in domain cache
URL: https://github.com/SSSD/sssd/pull/153
Title: #153: sss_cache: User/groups invalidation in domain cache

celestian commented:
"""
New version pushed, but CI said "NO": http://sssd-ci.duckdns.org/logs/job/62/98/summary.html
"""

See the full comment at https://github.com/SSSD/sssd/pull/153#issuecomment-281071243
[SSSD] [sssd PR#153][synchronized] sss_cache: User/groups invalidation in domain cache
URL: https://github.com/SSSD/sssd/pull/153 Author: celestian Title: #153: sss_cache: User/groups invalidation in domain cache Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/153/head:pr153 git checkout pr153 From 1c548d58b57c5ea51f65b02894ef5096f1bdb77b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Tue, 14 Feb 2017 12:07:19 +0100 Subject: [PATCH] sss_cache: User/groups invalidation in domain cache When a group/users are invalidated from sss_cache, the group/user information in domain and timestamps cache are inconsistent with regard to dataExpireTimestamp attribute. This patch fixes the problem by explicitly invalidating the domain cache's entry when the timestamp cache entry is invalidated by sss_cache call. There are two new functions: * sysdb_invalidate_user_cache_entry() * sysdb_invalidate_group_cache_entry() provided for this purpose and used only in sss_cache utility. Resolves: https://fedorahosted.org/sssd/ticket/3164 --- src/db/sysdb.h | 7 src/db/sysdb_ops.c | 82 + src/tests/intg/sssd_ldb.py | 18 + src/tests/intg/test_ts_cache.py | 68 ++ src/tools/sss_cache.c | 6 +++ 5 files changed, 173 insertions(+), 8 deletions(-) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 809ca35..dcff84f 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -868,6 +868,13 @@ int sysdb_search_netgroup_by_name(TALLOC_CTX *mem_ctx, const char **attrs, struct ldb_message **msg); +/* Invalidate user entry in domain cache */ +int sysdb_invalidate_user_cache_entry(struct sss_domain_info *domain, + const char *name); + +/* Invalidate group entry in domain cache */ +int sysdb_invalidate_group_cache_entry(struct sss_domain_info *domain, + const char *name); /* Replace entry attrs */ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb, struct ldb_dn *entry_dn, diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index 7f6c127..14c3275 100644 --- a/src/db/sysdb_ops.c 
+++ b/src/db/sysdb_ops.c @@ -5006,3 +5006,85 @@ errno_t sysdb_mark_entry_as_expired_ldb_val(struct sss_domain_info *dom, talloc_free(tmp_ctx); return ret; } + +enum sysdb_entry_type { +TYPE_USER=0, +TYPE_GROUP +}; + +static int sysdb_invalidate_cache_entry(struct sss_domain_info *domain, +const char *name, +enum sysdb_entry_type entry_type) +{ +TALLOC_CTX *tmp_ctx; +struct sysdb_ctx *sysdb = domain->sysdb; +struct ldb_dn *entry_dn = NULL; +struct sysdb_attrs *attrs = NULL; +errno_t ret; + +tmp_ctx = talloc_new(NULL); +if (!tmp_ctx) { +return ENOMEM; +} + +switch (entry_type) { +case TYPE_USER: +entry_dn = sysdb_user_dn(tmp_ctx, domain, name); +break; +case TYPE_GROUP: +entry_dn = sysdb_group_dn(tmp_ctx, domain, name); +break; +default: +DEBUG(SSSDBG_MINOR_FAILURE, "Wrong sysdb_entry_type.\n"); +} + +if (entry_dn == NULL) { +ret = ENOMEM; +goto done; +} + +attrs = sysdb_new_attrs(tmp_ctx); +if (attrs == NULL) { +DEBUG(SSSDBG_MINOR_FAILURE, "Could not create sysdb attributes\n"); +ret = ENOMEM; +goto done; +} + +ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE, 1); +if (ret != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, + "Could not add expiration time to attributes\n"); +goto done; +} + +ret = sysdb_set_cache_entry_attr(sysdb->ldb, entry_dn, + attrs, SYSDB_MOD_REP); +if (ret != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot set attrs for %s, %d [%s]\n", + ldb_dn_get_linearized(entry_dn), ret, sss_strerror(ret)); +goto done; +} + +DEBUG(SSSDBG_FUNC_DATA, + "Cache entry [%s] has been invalidated.\n", + ldb_dn_get_linearized(entry_dn)); + +ret = EOK; + +done: +talloc_zfree(tmp_ctx); +return ret; +} + +int sysdb_invalidate_user_cache_entry(struct sss_domain_info *domain, + const char *name) +{ +return sysdb_invalidate_cache_entry(domain, name, TYPE_USER); +} + +int sysdb_invalidate_group_cache_entry(struct sss_domain_info *domain, + const char *name) +{ +return sysdb_invalidate_cache_entry(domain, name, TYPE_GROUP); +} 
diff --git a/src/tests/intg/sssd_ldb.py b/src/tests/intg/sssd_ldb.py index 399ec8a..8058d46 100644 --- a/src/tests/intg/sssd_ldb.py +++ b/src/t
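Review bot: In sysdb_invalidate_cache_entry() in src/db/sysdb_ops.c, the `default:` branch of `switch (entry_type)` only logs "Wrong sysdb_entry_type." and then leaves the switch with entry_dn still NULL, so the following `if (entry_dn == NULL)` check returns ENOMEM for what is really a bad argument. Set `ret = EINVAL; goto done;` in the default branch so the caller and the log agree on the cause. The literal `1` passed to sysdb_attrs_add_time_t() for SYSDB_CACHE_EXPIRE also deserves a one-line comment saying why that value is the one written for an invalidated entry.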
[SSSD] [sssd PR#158][opened] IPA_SUDO: Unused value fix
URL: https://github.com/SSSD/sssd/pull/158 Author: celestian Title: #158: IPA_SUDO: Unused value fix Action: opened PR body: """ Unused value was immediately overwritten. Resolves: https://fedorahosted.org/sssd/ticket/3309 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/158/head:pr158 git checkout pr158 From fb8ebb9f24bbf92175409418a28dd12b0b9c310e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Thu, 16 Feb 2017 13:57:09 +0100 Subject: [PATCH] IPA_SUDO: Unused value fix Unused value was immediately overwritten. Resolves: https://fedorahosted.org/sssd/ticket/3309 --- src/providers/ipa/ipa_sudo_conversion.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c index 05d863c..f6d17d8 100644 --- a/src/providers/ipa/ipa_sudo_conversion.c +++ b/src/providers/ipa/ipa_sudo_conversion.c @@ -956,7 +956,6 @@ convert_attributes(struct ipa_sudo_conv *conv, value = table[i].conv_fn(tmp_ctx, conv, values[j], _entry); if (value == NULL) { if (skip_entry) { -ret = ENOENT; continue; } else { ret = ENOMEM; ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
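Review bot: With `ret = ENOENT;` removed, the `if (skip_entry)` branch in convert_attributes() contains nothing but `continue;`, and the hunk does not show where ret is assigned next. The commit message says the value "was immediately overwritten"; please name the assignment that overwrites it, so a reader can confirm that skipping the last value cannot leave the function returning a stale ret.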
[SSSD] [sssd PR#153][comment] sss_cache: User/groups invalidation in domain cache
URL: https://github.com/SSSD/sssd/pull/153
Title: #153: sss_cache: User/groups invalidation in domain cache

celestian commented:
"""
There are results from our CI
http://sssd-ci.duckdns.org/logs/job/62/90/summary.html

As we can see, this patch fails on the test_ts_cache.py integration test, namely:
```
test_group_2307bis_update_same_modstamp FAILED
test_group_2307bis_update_same_attrs FAILED
test_group_2307_update_same_modstamp FAILED
test_group_2307_update_same_attrs FAILED
test_user_update_same_modstamp FAILED
test_user_update_same_attrs FAILED
```
The reason is that sss_cache is used internally in those tests.

I am not sure if the request in https://fedorahosted.org/sssd/ticket/3164 is really a good idea. The timestamp cache is important for high performance, so those tests cover an essential part of this functionality.

If we really would like to have "user/groups invalidation in domain cache", I would like to discuss those broken tests with @jhrozek to be sure that I will not break the logic of the tests. (I will talk to @jhrozek on Monday.)
"""

See the full comment at https://github.com/SSSD/sssd/pull/153#issuecomment-280316726
[SSSD] [sssd PR#153][comment] sss_cache: User/groups invalidation in domain cache
URL: https://github.com/SSSD/sssd/pull/153
Title: #153: sss_cache: User/groups invalidation in domain cache

celestian commented:
"""
Fixed patch is pushed. I sent it to our CI and I will share the result.
"""

See the full comment at https://github.com/SSSD/sssd/pull/153#issuecomment-280025798
[SSSD] [sssd PR#153][synchronized] sss_cache: User/groups invalidation in domain cache
URL: https://github.com/SSSD/sssd/pull/153 Author: celestian Title: #153: sss_cache: User/groups invalidation in domain cache Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/153/head:pr153 git checkout pr153 From c57806eba2005014cce3d8c28d91c0143b867170 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Tue, 14 Feb 2017 12:07:19 +0100 Subject: [PATCH] sss_cache: User/groups invalidation in domain cache When a group/users are invalidated from sss_cache, the group/user information in domain and timestamps cache are inconsistent with regard to dataExpireTimestamp attribute. This patch fixes it. So if you use sss_cache for invalidating user/groups the information in domain and timestamp cache is the same. Resolves: https://fedorahosted.org/sssd/ticket/314 --- src/db/sysdb.h| 7 + src/db/sysdb_ops.c| 80 +++ src/tools/sss_cache.c | 6 3 files changed, 93 insertions(+) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 809ca35..dcff84f 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -868,6 +868,13 @@ int sysdb_search_netgroup_by_name(TALLOC_CTX *mem_ctx, const char **attrs, struct ldb_message **msg); +/* Invalidate user entry in domain cache */ +int sysdb_invalidate_user_cache_entry(struct sss_domain_info *domain, + const char *name); + +/* Invalidate group entry in domain cache */ +int sysdb_invalidate_group_cache_entry(struct sss_domain_info *domain, + const char *name); /* Replace entry attrs */ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb, struct ldb_dn *entry_dn, diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index 7f6c127..aafaa2a 100644 --- a/src/db/sysdb_ops.c +++ b/src/db/sysdb_ops.c 
@@ -5006,3 +5006,83 @@ errno_t sysdb_mark_entry_as_expired_ldb_val(struct sss_domain_info *dom, talloc_free(tmp_ctx); return ret; } + +enum sysdb_entry_type { +TYPE_USER=0, +TYPE_GROUP +}; + +static int sysdb_invalidate_cache_entry(struct sss_domain_info *domain, +const char *name, +int entry_type) +{ +TALLOC_CTX *tmp_ctx; +struct sysdb_ctx *sysdb = domain->sysdb; +struct ldb_dn *entry_dn = NULL; +struct sysdb_attrs *attrs = NULL; +bool sysdb_write = true; +errno_t ret; + +tmp_ctx = talloc_new(NULL); +if (!tmp_ctx) { +return ENOMEM; +} + +switch (entry_type) { +case TYPE_USER: +entry_dn = sysdb_user_dn(tmp_ctx, domain, name); +break; +case TYPE_GROUP: +entry_dn = sysdb_group_dn(tmp_ctx, domain, name); +break; +default: +DEBUG(SSSDBG_MINOR_FAILURE, "Wrong sysdb_entry_type.\n"); +} +if (entry_dn == NULL) { +ret = ENOMEM; +goto done; +} + +attrs = sysdb_new_attrs(tmp_ctx); +if (attrs == NULL) { +DEBUG(SSSDBG_MINOR_FAILURE, "Could not create sysdb attributes\n"); +ret = ENOMEM; +goto done; +} + +ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE, 1); +if (ret != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, + "Could not add expiration time to attributes\n"); +ret = ENOMEM; +goto done; +} + +ret = sysdb_set_cache_entry_attr(sysdb->ldb, entry_dn, + attrs, SYSDB_MOD_REP); +if (ret != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, "Cannot set attrs for %s, %d [%s]\n", +ldb_dn_get_linearized(entry_dn), +ret, sss_strerror(ret)); +goto done; +} + +DEBUG(SSSDBG_FUNC_DATA, "Cache entry [%s] has been invalidated.\n", +ldb_dn_get_linearized(entry_dn)); + +done: +talloc_zfree(tmp_ctx); +return ret; +} + +int sysdb_invalidate_user_cache_entry(struct sss_domain_info *domain, + const char *name) +{ +return sysdb_invalidate_cache_entry(domain, name, TYPE_USER); +} + +int sysdb_invalidate_group_cache_entry(struct sss_domain_info *domain, + const char *name) +{ +return sysdb_invalidate_cache_entry(domain, name, TYPE_GROUP); +} 
diff --git a/src/tools/sss_cache.c b/src/tools/sss_cache.c index f1d0893..42f3b54 100644 --- a/src/tools/sss_cache.c +++ b/src/tools/sss_cache.c @@ -533,10 +533,16 @@ static errno_t invalidate_entry(TALLOC_CTX *ctx, ret = sysdb_set_user_attr(domain, name, sys_attrs, SYSDB_MOD_REP); +if (ret != EOK) break; + +
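Review bot: In sysdb_invalidate_cache_entry() in src/db/sysdb_ops.c, `bool sysdb_write = true;` is declared but never used in this version, and the `entry_type` parameter is typed `int` although `enum sysdb_entry_type` is defined directly above the function. Drop the unused variable and take the enum type. After sysdb_attrs_add_time_t() fails, `ret = ENOMEM;` replaces whatever error the call returned; log and propagate the original ret instead.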
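Review bot: In the invalidate_entry() hunk of src/tools/sss_cache.c, `if (ret != EOK) break;` puts an unbraced statement on the same line as its condition, while every other `if` added by this patch uses braces on separate lines; use the braced form here too. Separately, the Resolves: line of the commit message points to ticket/314, whereas the PR was opened against ticket/3164, so one of the two needs correcting.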
[SSSD] [sssd PR#153][comment] sss_cache: User/groups invalidation in domain cache
URL: https://github.com/SSSD/sssd/pull/153
Title: #153: sss_cache: User/groups invalidation in domain cache

celestian commented:
"""
So, dnf repositories work again. I am able to test the functionality of my patch set. Unfortunately it doesn't work. I will fix it.
"""

See the full comment at https://github.com/SSSD/sssd/pull/153#issuecomment-279707593
[SSSD] [sssd PR#153][+Changes requested] sss_cache: User/groups invalidation in domain cache
URL: https://github.com/SSSD/sssd/pull/153
Title: #153: sss_cache: User/groups invalidation in domain cache
Label: +Changes requested
[SSSD] [sssd PR#153][comment] sss_cache: User/groups invalidation in domain cache
URL: https://github.com/SSSD/sssd/pull/153
Title: #153: sss_cache: User/groups invalidation in domain cache

celestian commented:
"""
FYI http://sssd-ci.duckdns.org/logs/job/62/59/summary.html
"""

See the full comment at https://github.com/SSSD/sssd/pull/153#issuecomment-279693430
[SSSD] [sssd PR#153][comment] sss_cache: User/groups invalidation in domain cache
URL: https://github.com/SSSD/sssd/pull/153
Title: #153: sss_cache: User/groups invalidation in domain cache

celestian commented:
"""
I pushed a new version (#2). I addressed Lukáš's comment. Now it works only for the sss_cache case.

In detail, I added the functions
```
sysdb_invalidate_user_cache_entry()
sysdb_invalidate_group_cache_entry()
```
which invalidate the entries in the domain cache. And it is added to sss_cache.

Unfortunately I am not able to test it at this moment (due to broken dnf repositories). But I would like you to look at this new solution.
"""

See the full comment at https://github.com/SSSD/sssd/pull/153#issuecomment-279680975
[SSSD] [sssd PR#153][edited] sss_cache: User/groups invalidation in domain cache
URL: https://github.com/SSSD/sssd/pull/153
Author: celestian
Title: #153: sss_cache: User/groups invalidation in domain cache
Action: edited
Changed field: title
Original value:
"""
SYSDB: Changing dataExpireTimestamp in domain cache
"""
[SSSD] [sssd PR#153][synchronized] SYSDB: Changing dataExpireTimestamp in domain cache
URL: https://github.com/SSSD/sssd/pull/153 Author: celestian Title: #153: SYSDB: Changing dataExpireTimestamp in domain cache Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/153/head:pr153 git checkout pr153 From e7fbe957500d3e4d528f09c1dae089808108c2ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Tue, 14 Feb 2017 12:07:19 +0100 Subject: [PATCH] sss_cache: User/groups invalidation in domain cache When a group/users are invalidated from sss_cache, the group/user information in domain and timestamps cache are inconsistent with regard to dataExpireTimestamp attribute. This patch fixes it. So if you use sss_cache for invalidating user/groups the information in domain and timestamp cache is the same. Resolves: https://fedorahosted.org/sssd/ticket/314 --- src/db/sysdb.h| 7 + src/db/sysdb_ops.c| 82 +++ src/tools/sss_cache.c | 6 3 files changed, 95 insertions(+) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 809ca35..dcff84f 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -868,6 +868,13 @@ int sysdb_search_netgroup_by_name(TALLOC_CTX *mem_ctx, const char **attrs, struct ldb_message **msg); +/* Invalidate user entry in domain cache */ +int sysdb_invalidate_user_cache_entry(struct sss_domain_info *domain, + const char *name); + +/* Invalidate group entry in domain cache */ +int sysdb_invalidate_group_cache_entry(struct sss_domain_info *domain, + const char *name); /* Replace entry attrs */ int sysdb_set_entry_attr(struct sysdb_ctx *sysdb, struct ldb_dn *entry_dn, diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index 7f6c127..741b270 100644 --- a/src/db/sysdb_ops.c +++ b/src/db/sysdb_ops.c 
@@ -5006,3 +5006,85 @@ errno_t sysdb_mark_entry_as_expired_ldb_val(struct sss_domain_info *dom, talloc_free(tmp_ctx); return ret; } + +enum sysdb_entry_type { +TYPE_USER=0, +TYPE_GROUP +}; + +static int sysdb_invalidate_cache_entry(struct sss_domain_info *domain, +const char *name, +int entry_type) +{ +TALLOC_CTX *tmp_ctx; +struct sysdb_ctx *sysdb = domain->sysdb; +struct ldb_dn *entry_dn = NULL; +struct sysdb_attrs *attrs = NULL; +bool sysdb_write = true; +errno_t ret; + +tmp_ctx = talloc_new(NULL); +if (!tmp_ctx) { +return ENOMEM; +} + +switch (entry_type) { +case TYPE_USER: +entry_dn = sysdb_user_dn(tmp_ctx, domain, name); +break; +case TYPE_GROUP: +entry_dn = sysdb_group_dn(tmp_ctx, domain, name); +break; +default: +DEBUG(SSSDBG_MINOR_FAILURE, "Wrong sysdb_entry_type.\n"); +} +if (entry_dn == NULL) { +ret = ENOMEM; +goto done; +} + +attrs = sysdb_new_attrs(tmp_ctx); +if (attrs == NULL) { +DEBUG(SSSDBG_MINOR_FAILURE, "Could not create sysdb attributes\n"); +ret = ENOMEM; +goto done; +} + +ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE, 1); +if (ret != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, + "Could not add expiration time to attributes\n"); +ret = ENOMEM; +goto done; +} + +sysdb_write = sysdb_entry_attrs_diff(sysdb, entry_dn, attrs, SYSDB_MOD_REP); +if (sysdb_write == true) { +ret = sysdb_set_cache_entry_attr(sysdb->ldb, entry_dn, + attrs, SYSDB_MOD_REP); +if (ret != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, "Cannot set attrs for %s, %d [%s]\n", +ldb_dn_get_linearized(entry_dn), +ret, sss_strerror(ret)); +} else { +DEBUG(SSSDBG_FUNC_DATA, "Cache entry [%s] has been invalidated.\n", +ldb_dn_get_linearized(entry_dn)); +} +} + +done: +talloc_zfree(tmp_ctx); +return ret; +} + +int sysdb_invalidate_user_cache_entry(struct sss_domain_info *domain, + const char *name) +{ +return sysdb_invalidate_cache_entry(domain, name, TYPE_USER); +} + +int sysdb_invalidate_group_cache_entry(struct sss_domain_info *domain, + const char *name) +{ +return 
sysdb_invalidate_cache_entry(domain, name, TYPE_GROUP); +} diff --git a/src/tools/sss_cache.c b/src/tools/sss_cache.c index f1d0893..42f3b54 100644 --- a/src/tools/sss_cache.c +++ b/src/tools/sss_cache.c @@ -533,10 +533,16 @@ static errno_t invalidate_entry(TALLOC_CTX *ctx,
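Review bot: In sysdb_invalidate_cache_entry() in src/db/sysdb_ops.c, the write is gated on sysdb_entry_attrs_diff(), and when that returns false the function skips sysdb_set_cache_entry_attr() yet still returns the EOK left in ret by sysdb_attrs_add_time_t(). Does sysdb_entry_attrs_diff() count a change of SYSDB_CACHE_EXPIRE as a difference? If it does not, the entry is never invalidated while the caller is told it was. For an explicit invalidation the check can be dropped and the attribute written unconditionally, which also removes the `sysdb_write == true` comparison.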
[SSSD] [sssd PR#153][comment] SYSDB: Changing dataExpireTimestamp in domain cache
URL: https://github.com/SSSD/sssd/pull/153
Title: #153: SYSDB: Changing dataExpireTimestamp in domain cache

celestian commented:
"""
Thanks for the comments. In my opinion it would be better to have the same value of dataExpireTimestamp only if we use sss_cache. The question is whether it could be confusing.
"""

See the full comment at https://github.com/SSSD/sssd/pull/153#issuecomment-279628799
[SSSD] [sssd PR#153][opened] SYSDB: Changing dataExpireTimestamp in domain cache
URL: https://github.com/SSSD/sssd/pull/153 Author: celestian Title: #153: SYSDB: Changing dataExpireTimestamp in domain cache Action: opened PR body: """ When a group/users are invalidated from sss cache, the group/user information in Domain (cache_LDAP.ldb) and timestamps cache are inconsistent with regard to dataExpireTimestamp attribute. This patch fixes it. Resolves: https://fedorahosted.org/sssd/ticket/3164 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/153/head:pr153 git checkout pr153 From fa5807447ead3f8ef0d3d91a6bf1f1bb869f93bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Mon, 13 Feb 2017 15:15:42 +0100 Subject: [PATCH] SYSDB: Changing dataExpiretimestamp in domain cache When a group/users are invalidated from sss cache, the group/user information in Domain (cache_LDAP.ldb) and timestamps cache are inconsistent with regard to dataExpireTimestamp attribute. This patch fixes it. Resolves: https://fedorahosted.org/sssd/ticket/3164 --- src/db/sysdb.c | 7 +-- src/tests/cmocka/test_sysdb_ts_cache.c | 10 ++ 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/src/db/sysdb.c b/src/db/sysdb.c index 5160e3d..7dafc45 100644 --- a/src/db/sysdb.c +++ b/src/db/sysdb.c @@ -1863,8 +1863,11 @@ static bool sysdb_ldb_msg_difference(struct ldb_dn *entry_dn, * If some values already exist and ldb_add is not permissive, * ldb will throw an error, but that's not our job to check.. */ -if (is_ts_cache_attr(mod_msg_el->name) == false) { -/* We can ignore changes to timestamp attributes */ +if (is_ts_cache_attr(mod_msg_el->name) == false || +strcmp(mod_msg_el->name, SYSDB_CACHE_EXPIRE) == 0 ) { +/* We can ignore changes to timestamp attributes but + * we cannot ignore changes to SYSDB_CACHE_EXPIRE attribute + */ DEBUG(SSSDBG_TRACE_INTERNAL, "Replaced/extended attr [%s] of entry [%s]\n", mod_msg_el->name, ldb_dn_get_linearized(entry_dn)); 
diff --git a/src/tests/cmocka/test_sysdb_ts_cache.c b/src/tests/cmocka/test_sysdb_ts_cache.c index f5aab73..fcf0c21 100644 --- a/src/tests/cmocka/test_sysdb_ts_cache.c +++ b/src/tests/cmocka/test_sysdb_ts_cache.c @@ -423,7 +423,8 @@ static void test_sysdb_group_update(void **state) /* Update with different modifyTimestamp but same attrs as previously * saved to the timestamp cache. We should detect the 'real' attributes - * are the same and only bump the timestamp cache + * are the same and only bump the timestamp cache and timestamp in domain + * cache */ talloc_free(group_attrs); group_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_2); @@ -439,8 +440,8 @@ static void test_sysdb_group_update(void **state) get_gr_timestamp_attrs(test_ctx, TEST_GROUP_NAME, _expire_sysdb, _expire_ts); -assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_2); assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_4); +assert_int_equal(cache_expire_sysdb, cache_expire_ts); /* Update with different modifyTimestamp and different attrs (add a * member as a real-world example). Both caches must be updated. */ @@ -979,7 +980,8 @@ static void test_sysdb_user_update(void **state) /* Update with different modifyTimestamp but same attrs as previously * saved to the timestamp cache. We should detect the 'real' attributes - * are the same and only bump the timestamp cache + * are the same and only bump the timestamp cache and timestamp in domain + * cache */ talloc_free(user_attrs); user_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_2); 
@@ -994,8 +996,8 @@ static void test_sysdb_user_update(void **state) get_pw_timestamp_attrs(test_ctx, TEST_USER_NAME, _expire_sysdb, _expire_ts); -assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_2); assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_4); +assert_int_equal(cache_expire_sysdb, cache_expire_ts); /* Update with different modifyTimestamp and different attrs (change * the shell as a real-world example). Both caches must be updated. */ ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
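Review bot: In sysdb_ldb_msg_difference() in src/db/sysdb.c, the added `strcmp(mod_msg_el->name, SYSDB_CACHE_EXPIRE) == 0` makes every change of the expiration timestamp count as a real difference, not only the changes made by an explicit invalidation. The comment being replaced says changes to timestamp attributes can be ignored, so the commit message should explain why it is acceptable for ordinary expiry bumps to be treated as modifications of the domain cache entry, or the exception should be restricted to the invalidation path. Style: there is a stray space before the closing parenthesis in `== 0 )`.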
[SSSD] [sssd PR#153][synchronized] SYSDB: Changing dataExpireTimestamp in domain cache
URL: https://github.com/SSSD/sssd/pull/153 Author: celestian Title: #153: SYSDB: Changing dataExpireTimestamp in domain cache Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/153/head:pr153 git checkout pr153 From af48a76076f83606fd2e374abafd51fa18e13605 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Mon, 13 Feb 2017 15:15:42 +0100 Subject: [PATCH] SYSDB: Changing dataExpireTimestamp in domain cache When a group/users are invalidated from sss cache, the group/user information in Domain (cache_LDAP.ldb) and timestamps cache are inconsistent with regard to dataExpireTimestamp attribute. This patch fixes it. Resolves: https://fedorahosted.org/sssd/ticket/3164 --- src/db/sysdb.c | 7 +-- src/tests/cmocka/test_sysdb_ts_cache.c | 10 ++ 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/src/db/sysdb.c b/src/db/sysdb.c index 5160e3d..7dafc45 100644 --- a/src/db/sysdb.c +++ b/src/db/sysdb.c @@ -1863,8 +1863,11 @@ static bool sysdb_ldb_msg_difference(struct ldb_dn *entry_dn, * If some values already exist and ldb_add is not permissive, * ldb will throw an error, but that's not our job to check.. */ -if (is_ts_cache_attr(mod_msg_el->name) == false) { -/* We can ignore changes to timestamp attributes */ +if (is_ts_cache_attr(mod_msg_el->name) == false || +strcmp(mod_msg_el->name, SYSDB_CACHE_EXPIRE) == 0 ) { +/* We can ignore changes to timestamp attributes but + * we cannot ignore changes to SYSDB_CACHE_EXPIRE attribute + */ DEBUG(SSSDBG_TRACE_INTERNAL, "Replaced/extended attr [%s] of entry [%s]\n", mod_msg_el->name, ldb_dn_get_linearized(entry_dn)); diff --git a/src/tests/cmocka/test_sysdb_ts_cache.c b/src/tests/cmocka/test_sysdb_ts_cache.c index f5aab73..fcf0c21 100644 --- a/src/tests/cmocka/test_sysdb_ts_cache.c +++ b/src/tests/cmocka/test_sysdb_ts_cache.c 
@@ -423,7 +423,8 @@ static void test_sysdb_group_update(void **state) /* Update with different modifyTimestamp but same attrs as previously * saved to the timestamp cache. We should detect the 'real' attributes - * are the same and only bump the timestamp cache + * are the same and only bump the timestamp cache and timestamp in domain + * cache */ talloc_free(group_attrs); group_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_2); @@ -439,8 +440,8 @@ static void test_sysdb_group_update(void **state) get_gr_timestamp_attrs(test_ctx, TEST_GROUP_NAME, _expire_sysdb, _expire_ts); -assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_2); assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_4); +assert_int_equal(cache_expire_sysdb, cache_expire_ts); /* Update with different modifyTimestamp and different attrs (add a * member as a real-world example). Both caches must be updated. */ @@ -979,7 +980,8 @@ static void test_sysdb_user_update(void **state) /* Update with different modifyTimestamp but same attrs as previously * saved to the timestamp cache. We should detect the 'real' attributes - * are the same and only bump the timestamp cache + * are the same and only bump the timestamp cache and timestamp in domain + * cache */ talloc_free(user_attrs); user_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_2); @@ -994,8 +996,8 @@ static void test_sysdb_user_update(void **state) get_pw_timestamp_attrs(test_ctx, TEST_USER_NAME, _expire_sysdb, _expire_ts); -assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_2); assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_4); +assert_int_equal(cache_expire_sysdb, cache_expire_ts); /* Update with different modifyTimestamp and different attrs (change * the shell as a real-world example). Both caches must be updated. */ ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
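Review bot: In test_sysdb_group_update() and test_sysdb_user_update(), the check of cache_expire_sysdb against `TEST_CACHE_TIMEOUT + TEST_NOW_2` is replaced by `assert_int_equal(cache_expire_sysdb, cache_expire_ts)`, which pins the expected value only indirectly, through the preceding assertion on cache_expire_ts. Assert cache_expire_sysdb against `TEST_CACHE_TIMEOUT + TEST_NOW_4` directly so that a failure names the value that was expected. The updated comments now read "only bump the timestamp cache and timestamp in domain cache" for the scenario where the real attributes are unchanged; state plainly that the domain cache entry is written in this case too, since that is the behaviour change under test.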
[SSSD] [sssd PR#85][comment] SYSDB: Removing of sysdb_try_to_find_expected_dn()
URL: https://github.com/SSSD/sssd/pull/85
Title: #85: SYSDB: Removing of sysdb_try_to_find_expected_dn()

celestian commented:
"""
bump
"""

See the full comment at https://github.com/SSSD/sssd/pull/85#issuecomment-276602905
[SSSD] [sssd PR#85][comment] SYSDB: Removing of sysdb_try_to_find_expected_dn()
URL: https://github.com/SSSD/sssd/pull/85
Title: #85: SYSDB: Removing of sysdb_try_to_find_expected_dn()

celestian commented:
"""
New version is pushed. Thanks, @sumit-bose
"""

See the full comment at https://github.com/SSSD/sssd/pull/85#issuecomment-274036719
[SSSD] [sssd PR#85][-Changes requested] SYSDB: Removing of sysdb_try_to_find_expected_dn()
URL: https://github.com/SSSD/sssd/pull/85
Title: #85: SYSDB: Removing of sysdb_try_to_find_expected_dn()
Label: -Changes requested
[SSSD] [sssd PR#85][synchronized] SYSDB: Removing of sysdb_try_to_find_expected_dn()
URL: https://github.com/SSSD/sssd/pull/85 Author: celestian Title: #85: SYSDB: Removing of sysdb_try_to_find_expected_dn() Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/85/head:pr85 git checkout pr85 From 04ef9e4852cc74c2b942d0b48f23ea3130dd27a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Thu, 19 Jan 2017 12:51:27 +0100 Subject: [PATCH 1/4] LDAP: Better logging message --- src/providers/ldap/sdap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c index dc7d5e0..eb460d9 100644 --- a/src/providers/ldap/sdap.c +++ b/src/providers/ldap/sdap.c @@ -1691,7 +1691,8 @@ static bool sdap_object_in_domain(struct sdap_options *opts, sdmatch = sdap_domain_get_by_dn(opts, original_dn); if (sdmatch == NULL) { DEBUG(SSSDBG_FUNC_DATA, - "The group has no original DN, assuming our domain\n"); + "The original DN of the group cannot " + "be related to any search base\n"); return true; } From df8eb16cc9b3427df3857fd10caf48d444e8ffdd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Wed, 4 Jan 2017 15:33:30 +0100 Subject: [PATCH 2/4] SYSDB: Removing of sysdb_try_to_find_expected_dn() Currently in order to match multiple LDAP search results we use two different functions - we have sysdb_try_to_find_expected_dn() but also sdap_object_in_domain(). This patch removes sysdb_try_to_find_expected_dn() and add new sdap_search_initgr_user_in_batch() based on sdap_object_in_domain(). This function covers necessary logic. Resolves: https://fedorahosted.org/sssd/ticket/3230 --- src/db/sysdb.h | 6 - src/db/sysdb_subdomains.c | 332 - src/providers/ldap/sdap.c | 6 +- src/providers/ldap/sdap.h | 4 + src/providers/ldap/sdap_async_initgroups.c | 28 ++- src/tests/cmocka/test_sysdb_subdomains.c | 104 - 6 files changed, 30 insertions(+), 450 deletions(-) 
diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 407a197..ae3ff35 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -1309,10 +1309,4 @@ errno_t sysdb_handle_original_uuid(const char *orig_name, struct sysdb_attrs *dest_attrs, const char *dest_name); -errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, - const char *domain_component_name, - const char *ldap_search_base, - struct sysdb_attrs **usr_attrs, - size_t count, - struct sysdb_attrs **exp_usr); #endif /* __SYS_DB_H__ */ diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c index 7801404..1f43bfc 100644 --- a/src/db/sysdb_subdomains.c +++ b/src/db/sysdb_subdomains.c @@ -1144,335 +1144,3 @@ errno_t sysdb_subdomain_delete(struct sysdb_ctx *sysdb, const char *name) talloc_free(tmp_ctx); return ret; } - -static errno_t match_cn_users(TALLOC_CTX *tmp_ctx, - struct sysdb_attrs **usr_attrs, - size_t count, - const char *dom_basedn, - struct sysdb_attrs **_result) -{ -errno_t ret; -const char *orig_dn; -size_t dn_len; -struct sysdb_attrs *result = NULL; -const char *result_dn_str = NULL; -char *cn_users_basedn; -size_t cn_users_basedn_len; - -cn_users_basedn = talloc_asprintf(tmp_ctx, "%s%s", "cn=users,", dom_basedn); -if (cn_users_basedn == NULL) { -ret = ENOMEM; -goto done; -} -cn_users_basedn_len = strlen(cn_users_basedn); -DEBUG(SSSDBG_TRACE_ALL, "cn=users baseDN is [%s].\n", cn_users_basedn); - -for (size_t c = 0; c < count; c++) { -ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, _dn); -if (ret != EOK) { -DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); -goto done; -} -dn_len = strlen(orig_dn); - -if (dn_len > cn_users_basedn_len -&& strcasecmp(orig_dn + (dn_len - cn_users_basedn_len), - cn_users_basedn) == 0) { -DEBUG(SSSDBG_TRACE_ALL, - "Found matching dn [%s].\n", orig_dn); -if (result != NULL) { -DEBUG(SSSDBG_OP_FAILURE, - "Found 2 matching DN [%s] and [%s], expecting only 1.\n", - result_dn_str, orig_dn); -ret = EINVAL; -goto done; -}
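Review bot: In sdap_object_in_domain() (patch 1/4, src/providers/ldap/sdap.c), the new text "The original DN of the group cannot be related to any search base" no longer says what the function does next, while the code still executes `return true;` right after it. Keep the outcome in the message, for example by appending ", assuming our domain", so that someone reading the log can tell the object was accepted. The commit message for 1/4 is subject-only; one sentence on why the old wording was misleading would help.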
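Review bot: The match_cn_users() helper removed from src/db/sysdb_subdomains.c in patch 2/4 rejects ambiguous results: when a second DN matches it logs "Found 2 matching DN [%s] and [%s], expecting only 1." and returns EINVAL. The commit message says sdap_search_initgr_user_in_batch() "covers necessary logic"; state explicitly whether it keeps this more-than-one-match check. The diffstat for 2/4 also deletes 104 lines from src/tests/cmocka/test_sysdb_subdomains.c and lists no other test file, so the commit message should say which patch of the series tests the replacement.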
[SSSD] [sssd PR#85][comment] SYSDB: Removing of sysdb_try_to_find_expected_dn()
URL: https://github.com/SSSD/sssd/pull/85
Title: #85: SYSDB: Removing of sysdb_try_to_find_expected_dn()

celestian commented:
"""
I pushed a new version of the patch set. I addressed @sumit-bose's notes, I hope in the right manner.

Unfortunately ```test_user_is_from_another_domain()``` doesn't work in the expected way. My opinion is that a user from another_domain shouldn't be selected. I would like to test the negative case.

I found out that the function ```sdap_domain_get_by_dn()``` doesn't return the right domain even though other_domain is in ```opts```.
"""

See the full comment at https://github.com/SSSD/sssd/pull/85#issuecomment-273763997
[SSSD] [sssd PR#85][synchronized] SYSDB: Removing of sysdb_try_to_find_expected_dn()
URL: https://github.com/SSSD/sssd/pull/85 Author: celestian Title: #85: SYSDB: Removing of sysdb_try_to_find_expected_dn() Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/85/head:pr85 git checkout pr85 From 04ef9e4852cc74c2b942d0b48f23ea3130dd27a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Thu, 19 Jan 2017 12:51:27 +0100 Subject: [PATCH 1/4] LDAP: Better logging message --- src/providers/ldap/sdap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c index dc7d5e0..eb460d9 100644 --- a/src/providers/ldap/sdap.c +++ b/src/providers/ldap/sdap.c @@ -1691,7 +1691,8 @@ static bool sdap_object_in_domain(struct sdap_options *opts, sdmatch = sdap_domain_get_by_dn(opts, original_dn); if (sdmatch == NULL) { DEBUG(SSSDBG_FUNC_DATA, - "The group has no original DN, assuming our domain\n"); + "The original DN of the group cannot " + "be related to any search base\n"); return true; } From df8eb16cc9b3427df3857fd10caf48d444e8ffdd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Wed, 4 Jan 2017 15:33:30 +0100 Subject: [PATCH 2/4] SYSDB: Removing of sysdb_try_to_find_expected_dn() Currently in order to match multiple LDAP search results we use two different functions - we have sysdb_try_to_find_expected_dn() but also sdap_object_in_domain(). This patch removes sysdb_try_to_find_expected_dn() and add new sdap_search_initgr_user_in_batch() based on sdap_object_in_domain(). This function covers necessary logic. Resolves: https://fedorahosted.org/sssd/ticket/3230 --- src/db/sysdb.h | 6 - src/db/sysdb_subdomains.c | 332 - src/providers/ldap/sdap.c | 6 +- src/providers/ldap/sdap.h | 4 + src/providers/ldap/sdap_async_initgroups.c | 28 ++- src/tests/cmocka/test_sysdb_subdomains.c | 104 - 6 files changed, 30 insertions(+), 450 deletions(-) 
diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 407a197..ae3ff35 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -1309,10 +1309,4 @@ errno_t sysdb_handle_original_uuid(const char *orig_name, struct sysdb_attrs *dest_attrs, const char *dest_name); -errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, - const char *domain_component_name, - const char *ldap_search_base, - struct sysdb_attrs **usr_attrs, - size_t count, - struct sysdb_attrs **exp_usr); #endif /* __SYS_DB_H__ */ diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c index 7801404..1f43bfc 100644 --- a/src/db/sysdb_subdomains.c +++ b/src/db/sysdb_subdomains.c @@ -1144,335 +1144,3 @@ errno_t sysdb_subdomain_delete(struct sysdb_ctx *sysdb, const char *name) talloc_free(tmp_ctx); return ret; } - -static errno_t match_cn_users(TALLOC_CTX *tmp_ctx, - struct sysdb_attrs **usr_attrs, - size_t count, - const char *dom_basedn, - struct sysdb_attrs **_result) -{ -errno_t ret; -const char *orig_dn; -size_t dn_len; -struct sysdb_attrs *result = NULL; -const char *result_dn_str = NULL; -char *cn_users_basedn; -size_t cn_users_basedn_len; - -cn_users_basedn = talloc_asprintf(tmp_ctx, "%s%s", "cn=users,", dom_basedn); -if (cn_users_basedn == NULL) { -ret = ENOMEM; -goto done; -} -cn_users_basedn_len = strlen(cn_users_basedn); -DEBUG(SSSDBG_TRACE_ALL, "cn=users baseDN is [%s].\n", cn_users_basedn); - -for (size_t c = 0; c < count; c++) { -ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, _dn); -if (ret != EOK) { -DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); -goto done; -} -dn_len = strlen(orig_dn); - -if (dn_len > cn_users_basedn_len -&& strcasecmp(orig_dn + (dn_len - cn_users_basedn_len), - cn_users_basedn) == 0) { -DEBUG(SSSDBG_TRACE_ALL, - "Found matching dn [%s].\n", orig_dn); -if (result != NULL) { -DEBUG(SSSDBG_OP_FAILURE, - "Found 2 matching DN [%s] and [%s], expecting only 1.\n", - result_dn_str, orig_dn); -ret = EINVAL; -goto done; -}
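Review bot: In the `@@ -1691,7 +1691,8 @@` hunk of src/providers/ldap/sdap.c the new message still says "the group", although patch 2/4 builds sdap_search_initgr_user_in_batch() for users on top of sdap_object_in_domain(); word it for a generic object. The branch also still ends in `return true`, so the log should state the decision as well as the cause, for example that the object is treated as belonging to our domain because its original DN matches no search base.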
[SSSD] [sssd PR#85][comment] SYSDB: Removing of sysdb_try_to_find_expected_dn()
URL: https://github.com/SSSD/sssd/pull/85
Title: #85: SYSDB: Removing of sysdb_try_to_find_expected_dn()

celestian commented:
"""
I pushed a new version. Let me update the situation:

There are three commits:
```
[1] SYSDB: Removing of sysdb_try_to_find_expected_dn()
[2] TEST: create_multidom_test_ctx() extending
[3] TESTS: Tests for sdap_search_initgr_user_in_batch
```

The patch [1] is a refactor which is requested by https://fedorahosted.org/sssd/ticket/3230.

The patch [2] extends the function create_multidom_test_ctx(). We need different search bases, so there is an array of params instead of one set of params.

The patch [3] adds tests for [1].

The core of [1] is the new function sdap_search_initgr_user_in_batch(), which calls sdap_object_in_domain() internally. We can see three tests in [3]:
```
a) test_user_is_on_batch
b) test_user_is_from_subdomain
c) test_user_is_from_another_domain
```

The tests a) and b) work as expected. The test c) doesn't work. I am afraid we have a bug at https://github.com/SSSD/sssd/blob/master/src/providers/ldap/sdap.c#L1695

In my opinion, there should be:
```
sdmatch = sdap_domain_get_by_dn(opts, original_dn);
if (sdmatch == NULL) {
    DEBUG(SSSDBG_FUNC_DATA,
          "The group has no original DN, assuming our domain\n");
    return false;
}
```

What do you think about it, @jhrozek? Or anybody else?
"""

See the full comment at https://github.com/SSSD/sssd/pull/85#issuecomment-272900707
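The question raised in the comment above (what to return when an object's original DN matches no search base) can be tried out in a small stand-alone model. This is an added example, not SSSD code and not part of the thread: the `toy_domain` type, every function name, the two policies and the sample DNs are assumptions made for illustration, and the DN comparison is plain string matching.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a configured domain and its LDAP search base. */
struct toy_domain {
    const char *name;
    const char *search_base;
};

/* Constructed sample configuration: a parent AD domain and its child. */
static const struct toy_domain toy_domains[] = {
    { "ad.example",     "dc=ad,dc=example" },
    { "sub.ad.example", "dc=sub,dc=ad,dc=example" },
};
#define TOY_DOMAIN_COUNT (sizeof(toy_domains) / sizeof(toy_domains[0]))

/* Constructed search results: one user name in child, parent and a foreign tree. */
static const char *const sample_batch[] = {
    "cn=Administrator,cn=users,dc=sub,dc=ad,dc=example",
    "cn=Administrator,cn=users,dc=ad,dc=example",
    "cn=Administrator,cn=users,dc=other,dc=test",
};
#define SAMPLE_COUNT (sizeof(sample_batch) / sizeof(sample_batch[0]))

/* True when dn equals base or ends with ",<base>", ignoring case.
 * String comparison is a simplification; real code should compare parsed DNs. */
static bool dn_under_base(const char *dn, const char *base)
{
    size_t dn_len = strlen(dn);
    size_t base_len = strlen(base);

    if (base_len == 0 || dn_len < base_len) {
        return false;
    }
    for (size_t i = 0; i < base_len; i++) {
        if (tolower((unsigned char)dn[dn_len - base_len + i])
                != tolower((unsigned char)base[i])) {
            return false;
        }
    }
    /* The suffix must start on an RDN boundary. */
    return dn_len == base_len || dn[dn_len - base_len - 1] == ',';
}

/* Longest matching search base wins, so a child-domain DN is not claimed
 * by the parent. Returns NULL when no configured base matches. */
static const struct toy_domain *domain_by_dn(const char *dn)
{
    const struct toy_domain *best = NULL;
    size_t best_len = 0;

    for (size_t i = 0; i < TOY_DOMAIN_COUNT; i++) {
        size_t len = strlen(toy_domains[i].search_base);
        if (len > best_len && dn_under_base(dn, toy_domains[i].search_base)) {
            best = &toy_domains[i];
            best_len = len;
        }
    }
    return best;
}

enum unmatched_policy {
    ASSUME_OUR_DOMAIN,  /* unmatched DN counts as ours ("return true")  */
    REJECT_UNMATCHED    /* unmatched DN is not ours   ("return false") */
};

static bool object_in_domain(const char *orig_dn, const struct toy_domain *dom,
                             enum unmatched_policy policy)
{
    const struct toy_domain *match = domain_by_dn(orig_dn);

    if (match == NULL) {
        return policy == ASSUME_OUR_DOMAIN;
    }
    return match == dom;
}

#define PICK_NONE      (-1)
#define PICK_AMBIGUOUS (-2)

/* Index of the single batch entry that belongs to dom, or a PICK_* code. */
static int pick_in_batch(const char *const *dns, size_t count,
                         const struct toy_domain *dom,
                         enum unmatched_policy policy)
{
    int found = PICK_NONE;

    for (size_t i = 0; i < count; i++) {
        if (!object_in_domain(dns[i], dom, policy)) {
            continue;
        }
        if (found != PICK_NONE) {
            return PICK_AMBIGUOUS;  /* two candidates: refuse to guess */
        }
        found = (int)i;
    }
    return found;
}

int main(void)
{
    const struct toy_domain *parent = &toy_domains[0];

    printf("assume-our-domain: %d\n",
           pick_in_batch(sample_batch, SAMPLE_COUNT, parent, ASSUME_OUR_DOMAIN));
    printf("reject-unmatched:  %d\n",
           pick_in_batch(sample_batch, SAMPLE_COUNT, parent, REJECT_UNMATCHED));
    return 0;
}
```

With the assume-our-domain policy the foreign-tree entry is accepted next to the real parent-domain entry and the lookup becomes ambiguous; with reject-unmatched only the parent-domain entry remains.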
[SSSD] [sssd PR#85][synchronized] SYSDB: Removing of sysdb_try_to_find_expected_dn()
URL: https://github.com/SSSD/sssd/pull/85 Author: celestian Title: #85: SYSDB: Removing of sysdb_try_to_find_expected_dn() Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/85/head:pr85 git checkout pr85 From f2aff7002cf62fe6487d0b6065c0c14359040891 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Wed, 4 Jan 2017 15:33:30 +0100 Subject: [PATCH 1/3] SYSDB: Removing of sysdb_try_to_find_expected_dn() Currently in order to match multiple LDAP search results we use two different functions - we have sysdb_try_to_find_expected_dn() but also sdap_object_in_domain(). This patch removes sysdb_try_to_find_expected_dn() and add new sdap_search_initgr_user_in_batch() based on sdap_object_in_domain(). This function covers necessary logic. Resolves: https://fedorahosted.org/sssd/ticket/3230 --- src/db/sysdb.h | 6 - src/db/sysdb_subdomains.c | 332 - src/providers/ldap/sdap.c | 6 +- src/providers/ldap/sdap.h | 4 + src/providers/ldap/sdap_async_initgroups.c | 28 ++- src/tests/cmocka/test_sysdb_subdomains.c | 104 - 6 files changed, 30 insertions(+), 450 deletions(-) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 407a197..ae3ff35 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -1309,10 +1309,4 @@ errno_t sysdb_handle_original_uuid(const char *orig_name, struct sysdb_attrs *dest_attrs, const char *dest_name); -errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, - const char *domain_component_name, - const char *ldap_search_base, - struct sysdb_attrs **usr_attrs, - size_t count, - struct sysdb_attrs **exp_usr); #endif /* __SYS_DB_H__ */ diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c index 7801404..1f43bfc 100644 --- a/src/db/sysdb_subdomains.c +++ b/src/db/sysdb_subdomains.c 
@@ -1144,335 +1144,3 @@ errno_t sysdb_subdomain_delete(struct sysdb_ctx *sysdb, const char *name) talloc_free(tmp_ctx); return ret; } - -static errno_t match_cn_users(TALLOC_CTX *tmp_ctx, - struct sysdb_attrs **usr_attrs, - size_t count, - const char *dom_basedn, - struct sysdb_attrs **_result) -{ -errno_t ret; -const char *orig_dn; -size_t dn_len; -struct sysdb_attrs *result = NULL; -const char *result_dn_str = NULL; -char *cn_users_basedn; -size_t cn_users_basedn_len; - -cn_users_basedn = talloc_asprintf(tmp_ctx, "%s%s", "cn=users,", dom_basedn); -if (cn_users_basedn == NULL) { -ret = ENOMEM; -goto done; -} -cn_users_basedn_len = strlen(cn_users_basedn); -DEBUG(SSSDBG_TRACE_ALL, "cn=users baseDN is [%s].\n", cn_users_basedn); - -for (size_t c = 0; c < count; c++) { -ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, _dn); -if (ret != EOK) { -DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); -goto done; -} -dn_len = strlen(orig_dn); - -if (dn_len > cn_users_basedn_len -&& strcasecmp(orig_dn + (dn_len - cn_users_basedn_len), - cn_users_basedn) == 0) { -DEBUG(SSSDBG_TRACE_ALL, - "Found matching dn [%s].\n", orig_dn); -if (result != NULL) { -DEBUG(SSSDBG_OP_FAILURE, - "Found 2 matching DN [%s] and [%s], expecting only 1.\n", - result_dn_str, orig_dn); -ret = EINVAL; -goto done; -} -result = usr_attrs[c]; -result_dn_str = orig_dn; -} -} - -ret = EOK; -done: -*_result = result; -return ret; -} - -static errno_t match_non_dc_comp(TALLOC_CTX *tmp_ctx, - struct sss_domain_info *dom, - struct sysdb_attrs **usr_attrs, - size_t count, - struct ldb_dn *ldb_basedn, - const char *basedn, - const char *domain_component_name, - struct sysdb_attrs **_result) -{ -errno_t ret; -const char *orig_dn; -size_t orig_dn_len; -size_t basedn_len; -struct ldb_context *ldb_ctx; -struct ldb_dn *ldb_orig_dn; -int dn_comp_num; -int basedn_comp_num; -const char *component_name; -struct s
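Review bot: The removed match_cn_users() returns EINVAL when two entries match ("Found 2 matching DN [%s] and [%s], expecting only 1."), and nothing in the lines shown here says what sdap_search_initgr_user_in_batch() does when more than one search result falls into the domain. Keep that check in the new function, or explain in the commit message why taking one entry is now safe, so an ambiguous initgroups lookup cannot silently resolve to the wrong user.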
[SSSD] [sssd PR#125][closed] RESPONDER: Adding of return value checking
URL: https://github.com/SSSD/sssd/pull/125
Author: celestian
Title: #125: RESPONDER: Adding of return value checking
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/125/head:pr125
git checkout pr125
[SSSD] [sssd PR#125][comment] RESPONDER: Adding of return value checking
URL: https://github.com/SSSD/sssd/pull/125
Title: #125: RESPONDER: Adding of return value checking

celestian commented:
"""
Oh yes, I came too late :( Closing this pull request.
"""

See the full comment at https://github.com/SSSD/sssd/pull/125#issuecomment-272802068
[SSSD] [sssd PR#125][opened] RESPONDER: Adding of return value checking
URL: https://github.com/SSSD/sssd/pull/125 Author: celestian Title: #125: RESPONDER: Adding of return value checking Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/125/head:pr125 git checkout pr125 From 7fb288b1835c55ad0522c2c119eb0fa2395db838 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Mon, 16 Jan 2017 09:08:33 +0100 Subject: [PATCH] RESPONDER: Adding of return value checking --- src/responder/autofs/autofssrv_cmd.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c index 0878707..15c0729 100644 --- a/src/responder/autofs/autofssrv_cmd.c +++ b/src/responder/autofs/autofssrv_cmd.c @@ -320,7 +320,12 @@ static void sss_autofs_cmd_setautomntent_done(struct tevent_req *req) if (reqret == ENOENT) { DEBUG(SSSDBG_TRACE_FUNC, "setautomntent did not find requested map\n"); /* Notify the caller that this entry wasn't found */ -sss_cmd_empty_packet(pctx->creq->out); +ret = sss_cmd_empty_packet(pctx->creq->out); +if (ret != EOK) { +DEBUG(SSSDBG_CRIT_FAILURE, "Couldn't empty the packet\n"); +talloc_free(cmdctx); +return; +} } else { DEBUG(SSSDBG_TRACE_FUNC, "setautomntent found data\n"); ret = sss_packet_grow(pctx->creq->out, 2*sizeof(uint32_t)); ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
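Review bot: The new error branch after sss_cmd_empty_packet() frees cmdctx and returns, and nothing in the hunk sends a reply or ends the client request, so please confirm the client is not left waiting; if sss_autofs_cmd_setautomntent_done() has a shared error exit, jump to it instead of returning here. Also put `ret` into the DEBUG message ("Couldn't empty the packet") so the cause of the failure reaches the log.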
[SSSD] [sssd PR#85][comment] SYSDB: Removing of sysdb_try_to_find_expected_dn()
URL: https://github.com/SSSD/sssd/pull/85
Title: #85: SYSDB: Removing of sysdb_try_to_find_expected_dn()

celestian commented:
"""
There is a new version if somebody would like to look at how I fight. The positive test case ```test_user_is_on_batch``` is ready, the negative test case ```test_user_is_on_batch``` needs changes in env. setup (it is copied from the first case).
"""

See the full comment at https://github.com/SSSD/sssd/pull/85#issuecomment-272460868
[SSSD] [sssd PR#85][synchronized] SYSDB: Removing of sysdb_try_to_find_expected_dn()
URL: https://github.com/SSSD/sssd/pull/85 Author: celestian Title: #85: SYSDB: Removing of sysdb_try_to_find_expected_dn() Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/85/head:pr85 git checkout pr85 From f2aff7002cf62fe6487d0b6065c0c14359040891 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Wed, 4 Jan 2017 15:33:30 +0100 Subject: [PATCH 1/3] SYSDB: Removing of sysdb_try_to_find_expected_dn() Currently in order to match multiple LDAP search results we use two different functions - we have sysdb_try_to_find_expected_dn() but also sdap_object_in_domain(). This patch removes sysdb_try_to_find_expected_dn() and add new sdap_search_initgr_user_in_batch() based on sdap_object_in_domain(). This function covers necessary logic. Resolves: https://fedorahosted.org/sssd/ticket/3230 --- src/db/sysdb.h | 6 - src/db/sysdb_subdomains.c | 332 - src/providers/ldap/sdap.c | 6 +- src/providers/ldap/sdap.h | 4 + src/providers/ldap/sdap_async_initgroups.c | 28 ++- src/tests/cmocka/test_sysdb_subdomains.c | 104 - 6 files changed, 30 insertions(+), 450 deletions(-) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 407a197..ae3ff35 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -1309,10 +1309,4 @@ errno_t sysdb_handle_original_uuid(const char *orig_name, struct sysdb_attrs *dest_attrs, const char *dest_name); -errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, - const char *domain_component_name, - const char *ldap_search_base, - struct sysdb_attrs **usr_attrs, - size_t count, - struct sysdb_attrs **exp_usr); #endif /* __SYS_DB_H__ */ diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c index 7801404..1f43bfc 100644 --- a/src/db/sysdb_subdomains.c +++ b/src/db/sysdb_subdomains.c 
@@ -1144,335 +1144,3 @@ errno_t sysdb_subdomain_delete(struct sysdb_ctx *sysdb, const char *name) talloc_free(tmp_ctx); return ret; } - -static errno_t match_cn_users(TALLOC_CTX *tmp_ctx, - struct sysdb_attrs **usr_attrs, - size_t count, - const char *dom_basedn, - struct sysdb_attrs **_result) -{ -errno_t ret; -const char *orig_dn; -size_t dn_len; -struct sysdb_attrs *result = NULL; -const char *result_dn_str = NULL; -char *cn_users_basedn; -size_t cn_users_basedn_len; - -cn_users_basedn = talloc_asprintf(tmp_ctx, "%s%s", "cn=users,", dom_basedn); -if (cn_users_basedn == NULL) { -ret = ENOMEM; -goto done; -} -cn_users_basedn_len = strlen(cn_users_basedn); -DEBUG(SSSDBG_TRACE_ALL, "cn=users baseDN is [%s].\n", cn_users_basedn); - -for (size_t c = 0; c < count; c++) { -ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, _dn); -if (ret != EOK) { -DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); -goto done; -} -dn_len = strlen(orig_dn); - -if (dn_len > cn_users_basedn_len -&& strcasecmp(orig_dn + (dn_len - cn_users_basedn_len), - cn_users_basedn) == 0) { -DEBUG(SSSDBG_TRACE_ALL, - "Found matching dn [%s].\n", orig_dn); -if (result != NULL) { -DEBUG(SSSDBG_OP_FAILURE, - "Found 2 matching DN [%s] and [%s], expecting only 1.\n", - result_dn_str, orig_dn); -ret = EINVAL; -goto done; -} -result = usr_attrs[c]; -result_dn_str = orig_dn; -} -} - -ret = EOK; -done: -*_result = result; -return ret; -} - -static errno_t match_non_dc_comp(TALLOC_CTX *tmp_ctx, - struct sss_domain_info *dom, - struct sysdb_attrs **usr_attrs, - size_t count, - struct ldb_dn *ldb_basedn, - const char *basedn, - const char *domain_component_name, - struct sysdb_attrs **_result) -{ -errno_t ret; -const char *orig_dn; -size_t orig_dn_len; -size_t basedn_len; -struct ldb_context *ldb_ctx; -struct ldb_dn *ldb_orig_dn; -int dn_comp_num; -int basedn_comp_num; -const char *component_name; -struct s
[SSSD] [sssd PR#85][comment] SYSDB: Removing of sysdb_try_to_find_expected_dn()
URL: https://github.com/SSSD/sssd/pull/85
Title: #85: SYSDB: Removing of sysdb_try_to_find_expected_dn()

celestian commented:
"""
Solved, thanks to @lslebodn. I will prepare a new version.
"""

See the full comment at https://github.com/SSSD/sssd/pull/85#issuecomment-271581697
[SSSD] [sssd PR#85][comment] SYSDB: Removing of sysdb_try_to_find_expected_dn()
URL: https://github.com/SSSD/sssd/pull/85
Title: #85: SYSDB: Removing of sysdb_try_to_find_expected_dn()

celestian commented:
"""
WIP of tests added. I have an issue with properly setting up the test environment. This call (at line 95):
```
test_ctx->initgr_state->opts = mock_sdap_options_ldap(...
```
doesn't prepare valid options.

Could anybody help me, please?
"""

See the full comment at https://github.com/SSSD/sssd/pull/85#issuecomment-271571357
[SSSD] [sssd PR#85][synchronized] SYSDB: Removing of sysdb_try_to_find_expected_dn()
URL: https://github.com/SSSD/sssd/pull/85 Author: celestian Title: #85: SYSDB: Removing of sysdb_try_to_find_expected_dn() Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/85/head:pr85 git checkout pr85 From f2aff7002cf62fe6487d0b6065c0c14359040891 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Wed, 4 Jan 2017 15:33:30 +0100 Subject: [PATCH 1/2] SYSDB: Removing of sysdb_try_to_find_expected_dn() Currently in order to match multiple LDAP search results we use two different functions - we have sysdb_try_to_find_expected_dn() but also sdap_object_in_domain(). This patch removes sysdb_try_to_find_expected_dn() and add new sdap_search_initgr_user_in_batch() based on sdap_object_in_domain(). This function covers necessary logic. Resolves: https://fedorahosted.org/sssd/ticket/3230 --- src/db/sysdb.h | 6 - src/db/sysdb_subdomains.c | 332 - src/providers/ldap/sdap.c | 6 +- src/providers/ldap/sdap.h | 4 + src/providers/ldap/sdap_async_initgroups.c | 28 ++- src/tests/cmocka/test_sysdb_subdomains.c | 104 - 6 files changed, 30 insertions(+), 450 deletions(-) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 407a197..ae3ff35 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -1309,10 +1309,4 @@ errno_t sysdb_handle_original_uuid(const char *orig_name, struct sysdb_attrs *dest_attrs, const char *dest_name); -errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, - const char *domain_component_name, - const char *ldap_search_base, - struct sysdb_attrs **usr_attrs, - size_t count, - struct sysdb_attrs **exp_usr); #endif /* __SYS_DB_H__ */ diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c index 7801404..1f43bfc 100644 --- a/src/db/sysdb_subdomains.c +++ b/src/db/sysdb_subdomains.c 
@@ -1144,335 +1144,3 @@ errno_t sysdb_subdomain_delete(struct sysdb_ctx *sysdb, const char *name) talloc_free(tmp_ctx); return ret; } - -static errno_t match_cn_users(TALLOC_CTX *tmp_ctx, - struct sysdb_attrs **usr_attrs, - size_t count, - const char *dom_basedn, - struct sysdb_attrs **_result) -{ -errno_t ret; -const char *orig_dn; -size_t dn_len; -struct sysdb_attrs *result = NULL; -const char *result_dn_str = NULL; -char *cn_users_basedn; -size_t cn_users_basedn_len; - -cn_users_basedn = talloc_asprintf(tmp_ctx, "%s%s", "cn=users,", dom_basedn); -if (cn_users_basedn == NULL) { -ret = ENOMEM; -goto done; -} -cn_users_basedn_len = strlen(cn_users_basedn); -DEBUG(SSSDBG_TRACE_ALL, "cn=users baseDN is [%s].\n", cn_users_basedn); - -for (size_t c = 0; c < count; c++) { -ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, _dn); -if (ret != EOK) { -DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); -goto done; -} -dn_len = strlen(orig_dn); - -if (dn_len > cn_users_basedn_len -&& strcasecmp(orig_dn + (dn_len - cn_users_basedn_len), - cn_users_basedn) == 0) { -DEBUG(SSSDBG_TRACE_ALL, - "Found matching dn [%s].\n", orig_dn); -if (result != NULL) { -DEBUG(SSSDBG_OP_FAILURE, - "Found 2 matching DN [%s] and [%s], expecting only 1.\n", - result_dn_str, orig_dn); -ret = EINVAL; -goto done; -} -result = usr_attrs[c]; -result_dn_str = orig_dn; -} -} - -ret = EOK; -done: -*_result = result; -return ret; -} - -static errno_t match_non_dc_comp(TALLOC_CTX *tmp_ctx, - struct sss_domain_info *dom, - struct sysdb_attrs **usr_attrs, - size_t count, - struct ldb_dn *ldb_basedn, - const char *basedn, - const char *domain_component_name, - struct sysdb_attrs **_result) -{ -errno_t ret; -const char *orig_dn; -size_t orig_dn_len; -size_t basedn_len; -struct ldb_context *ldb_ctx; -struct ldb_dn *ldb_orig_dn; -int dn_comp_num; -int basedn_comp_num; -const char *component_name; -struct s
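Review bot: match_cn_users(), deleted in the src/db/sysdb_subdomains.c hunk, selected the entry whose original DN ends in "cn=users," followed by the domain base DN, while the commit message only says the new function "covers necessary logic". State in the commit message whether sdap_search_initgr_user_in_batch() keeps that cn=users rule or drops it on purpose, because it decides which of several same-named entries wins.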
[SSSD] [sssd PR#93][+Accepted] SSH: Use default_domain_suffix for users' authorized keys
URL: https://github.com/SSSD/sssd/pull/93
Title: #93: SSH: Use default_domain_suffix for users' authorized keys
Label: +Accepted
[SSSD] [sssd PR#93][comment] SSH: Use default_domain_suffix for users' authorized keys
URL: https://github.com/SSSD/sssd/pull/93
Title: #93: SSH: Use default_domain_suffix for users' authorized keys

celestian commented:
"""
Code LGTM.

CI: http://sssd-ci.duckdns.org/logs/job/57/87/summary.html

There is a failure on test ```test_sanity_rfc2307``` -- I think it is not connected to your patch.

ACK
"""

See the full comment at https://github.com/SSSD/sssd/pull/93#issuecomment-263249860
[SSSD] [sssd PR#85][+Changes requested] SYSDB: Removing of sysdb_try_to_find_expected_dn()
URL: https://github.com/SSSD/sssd/pull/85
Title: #85: SYSDB: Removing of sysdb_try_to_find_expected_dn()
Label: +Changes requested
[SSSD] [sssd PR#85][comment] SYSDB: Removing of sysdb_try_to_find_expected_dn()
URL: https://github.com/SSSD/sssd/pull/85
Title: #85: SYSDB: Removing of sysdb_try_to_find_expected_dn()

celestian commented:
"""
So, I will rewrite the tests for sysdb_try_to_find_expected_dn() to a suitable form for sdap_object_in_domain().
"""

See the full comment at https://github.com/SSSD/sssd/pull/85#issuecomment-263226837
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39
Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)

celestian commented:
"""
Squashed version pushed.
"""

See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-262694326
[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Author: celestian Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/39/head:pr39 git checkout pr39 From 40ecde220e26109b81c9be5676b4c8ef4084de03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Wed, 12 Oct 2016 16:48:38 +0200 Subject: [PATCH] SYSDB: Adding lowercase sudoUser form If domain is not case sensitive we add lowercase form of usernames to sudoUser attributes. So we actually able to apply sudoRule on user Administrator@... with login admnistrator@... This patch is squashed with Resolves: https://fedorahosted.org/sssd/ticket/3203 (cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645) Squashed with: SYSDB: Fixing of sudorule without a sudoUser This patch solved a regression caused by the recent patches to lowercase sudoUser -- in case sudoUser is missing completely, we abort the processing of this rule and all others. With this patch, we return ERR_MALFORMED_ENTRY and gracefully skip the malformed rule instead. Resolves: https://fedorahosted.org/sssd/ticket/3241 Reviewed-by: Jakub Hrozek <jhro...@redhat.com> (cherry picked from commit 7e23edbaa7a6bbd0b461d5792535896b6a77928b) --- src/db/sysdb_sudo.c| 110 - src/db/sysdb_sudo.h| 7 +- src/responder/sudo/sudosrv_get_sudorules.c | 15 ++-- 3 files changed, 122 insertions(+), 10 deletions(-) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 76116ab..de1e8da 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c 
@@ -216,9 +216,9 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx, } errno_t -sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, - uid_t uid, char **groupnames, unsigned int flags, - char **_filter) +sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, char **aliases, + uid_t uid, char **groupnames, bool case_sensitive_domain, + unsigned int flags, char **_filter) { TALLOC_CTX *tmp_ctx = NULL; char *filter = NULL; @@ -258,6 +258,15 @@ sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, SYSDB_SUDO_CACHE_AT_USER, sanitized); NULL_CHECK(specific_filter, ret, done); + +if (case_sensitive_domain == false) { +for (i = 0; aliases[i] != NULL; i++) { +specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)", + SYSDB_SUDO_CACHE_AT_USER, + aliases[i]); +NULL_CHECK(specific_filter, ret, done); +} +} } if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) { @@ -320,6 +329,7 @@ errno_t sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, const char *username, uid_t *_uid, + char ***_aliases, char ***groupnames) { TALLOC_CTX *tmp_ctx; @@ -327,15 +337,19 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, struct ldb_message *msg; struct ldb_message *group_msg = NULL; char **sysdb_groupnames = NULL; +char **sysdb_aliases = NULL; const char *primary_group = NULL; struct ldb_message_element *groups; +struct ldb_message_element *aliases; uid_t uid = 0; gid_t gid = 0; size_t num_groups = 0; +size_t num_aliases = 0; int i; const char *attrs[] = { SYSDB_MEMBEROF, SYSDB_GIDNUM, SYSDB_UIDNUM, +SYSDB_NAME_ALIAS, NULL }; const char *group_attrs[] = { SYSDB_NAME, NULL }; 
@@ -358,6 +372,24 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, } } +aliases = ldb_msg_find_element(msg, SYSDB_NAME_ALIAS); +if (!aliases || aliases->num_values == 0) { +/* No nameAlias for this user in sysdb currently */ +sysdb_aliases = NULL; +num_aliases = 0; +} else { +num_aliases = aliases->num_values; +sysdb_aliases = talloc_array(tmp_ctx, char *, num_aliases + 1); +NULL_CHECK(sysdb_aliases, ret, done); + +for (i = 0; i < aliases->num_values; i++) { +sysdb_aliases[i] = talloc_strdup(sysdb_aliases, + (const char *)aliases->values[i].data); +NULL_CHECK(sysdb_aliases[i], ret, done); +} +sysdb_aliases[aliases->num_values] = NULL; +} + /* res
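Review bot: In the `@@ -258,6 +258,15 @@` hunk of sysdb_get_sudo_filter(), `aliases[i]` is formatted into the filter with "(%s=%s)" exactly as read from the cache, while the user name on the context line just above goes in as `sanitized`. An alias containing filter metacharacters such as `(`, `)` or `*` would change the meaning of the sudo rule filter, so pass every alias through the same sanitizing step that produced `sanitized` before appending it.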
[SSSD] [sssd PR#39][-Changes requested] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39
Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)
Label: -Changes requested
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39
Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)

celestian commented:
"""
I pushed a new version. The patch is the same plus I added the back-ported patch from #80 (with cherry-pick tag).
"""

See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-262557829
[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Author: celestian Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/39/head:pr39 git checkout pr39 From dbba27272c8ab358dbf6dea8adfedfe9d511c36d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Wed, 12 Oct 2016 16:48:38 +0200 Subject: [PATCH 1/2] SYSDB: Adding lowercase sudoUser form If domain is not case sensitive we add lowercase form of usernames to sudoUser attributes. So we actually able to apply sudoRule on user Administrator@... with login admnistrator@... Resolves: https://fedorahosted.org/sssd/ticket/3203 (cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645) --- src/db/sysdb_sudo.c| 105 - src/db/sysdb_sudo.h| 7 +- src/responder/sudo/sudosrv_get_sudorules.c | 15 +++-- 3 files changed, 117 insertions(+), 10 deletions(-) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 76116ab..39a6558 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -216,9 +216,9 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx, } errno_t -sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, - uid_t uid, char **groupnames, unsigned int flags, - char **_filter) +sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, char **aliases, + uid_t uid, char **groupnames, bool case_sensitive_domain, + unsigned int flags, char **_filter) { TALLOC_CTX *tmp_ctx = NULL; char *filter = NULL; 
@@ -258,6 +258,15 @@ sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, SYSDB_SUDO_CACHE_AT_USER, sanitized); NULL_CHECK(specific_filter, ret, done); + +if (case_sensitive_domain == false) { +for (i = 0; aliases[i] != NULL; i++) { +specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)", + SYSDB_SUDO_CACHE_AT_USER, + aliases[i]); +NULL_CHECK(specific_filter, ret, done); +} +} } if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) { @@ -320,6 +329,7 @@ errno_t sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, const char *username, uid_t *_uid, + char ***_aliases, char ***groupnames) { TALLOC_CTX *tmp_ctx; @@ -327,15 +337,19 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, struct ldb_message *msg; struct ldb_message *group_msg = NULL; char **sysdb_groupnames = NULL; +char **sysdb_aliases = NULL; const char *primary_group = NULL; struct ldb_message_element *groups; +struct ldb_message_element *aliases; uid_t uid = 0; gid_t gid = 0; size_t num_groups = 0; +size_t num_aliases = 0; int i; const char *attrs[] = { SYSDB_MEMBEROF, SYSDB_GIDNUM, SYSDB_UIDNUM, +SYSDB_NAME_ALIAS, NULL }; const char *group_attrs[] = { SYSDB_NAME, NULL }; @@ -358,6 +372,24 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, } } +aliases = ldb_msg_find_element(msg, SYSDB_NAME_ALIAS); +if (!aliases || aliases->num_values == 0) { +/* No nameAlias for this user in sysdb currently */ +sysdb_aliases = NULL; +num_aliases = 0; +} else { +num_aliases = aliases->num_values; +sysdb_aliases = talloc_array(tmp_ctx, char *, num_aliases + 1); +NULL_CHECK(sysdb_aliases, ret, done); + +for (i = 0; i < aliases->num_values; i++) { +sysdb_aliases[i] = talloc_strdup(sysdb_aliases, + (const char *)aliases->values[i].data); +NULL_CHECK(sysdb_aliases[i], ret, done); +} +sysdb_aliases[aliases->num_values] = NULL; +} + /* resolve secondary groups */ if (groupnames != NULL) { groups = ldb_msg_find_element(msg, SYSDB_MEMBEROF); 
@@ -421,6 +453,10 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, *_uid = uid; } +if (sysdb_aliases != NULL) { +*_aliases = talloc_steal(mem_ctx, sysdb_aliases); +} + if (groupnames != NULL) { *groupnames = talloc_steal(mem_ctx, sysdb_groupnames); } @@ -801,6 +837,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, return EOK; } +static errno_t sysdb
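Review bot: In the `@@ -421,6 +453,10 @@` hunk `*_aliases` is written only when sysdb_aliases != NULL, so for a user without SYSDB_NAME_ALIAS the caller's pointer keeps whatever it held before the call, and the loop added to sysdb_get_sudo_filter() (`for (i = 0; aliases[i] != NULL; i++)`) dereferences `aliases` with no NULL check when case_sensitive_domain is false. Assign `*_aliases` in every case, NULL included, guard the store with `_aliases != NULL` the way the neighbouring `groupnames != NULL` check does, and add `aliases != NULL` to the condition in front of the loop.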
[SSSD] [sssd PR#85][comment] SYSDB: Removing of sysdb_try_to_find_expected_dn()
URL: https://github.com/SSSD/sssd/pull/85
Title: #85: SYSDB: Removing of sysdb_try_to_find_expected_dn()

celestian commented:
"""
Reproducer:

We need an AD domain and its AD subdomain. If we type in an SSSD box connected to the AD domain:
```
id Administrator@
```
it resolves between Administrator@ and Administrator@
"""

See the full comment at https://github.com/SSSD/sssd/pull/85#issuecomment-262537432
[SSSD] [sssd PR#85][opened] SYSDB: Removing of sysdb_try_to_find_expected_dn()
URL: https://github.com/SSSD/sssd/pull/85 Author: celestian Title: #85: SYSDB: Removing of sysdb_try_to_find_expected_dn() Action: opened PR body: """ Currently in order to match multiple LDAP search results we use two different functions - we have sysdb_try_to_find_expected_dn() but also sdap_object_in_domain(). This patch removes sysdb_try_to_find_expected_dn() and add new sdap_search_initgr_user_in_batch() based on sdap_object_in_domain(). This function covers necessary logic. Resolves: https://fedorahosted.org/sssd/ticket/3230 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/85/head:pr85 git checkout pr85 From f26af5f1bb37015554864beed13dba0be87daaff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Wed, 23 Nov 2016 15:48:47 +0100 Subject: [PATCH] SYSDB: Removing of sysdb_try_to_find_expected_dn() Currently in order to match multiple LDAP search results we use two different functions - we have sysdb_try_to_find_expected_dn() but also sdap_object_in_domain(). This patch removes sysdb_try_to_find_expected_dn() and add new sdap_search_initgr_user_in_batch() based on sdap_object_in_domain(). This function covers necessary logic. Resolves: https://fedorahosted.org/sssd/ticket/3230 --- src/db/sysdb.h | 6 - src/db/sysdb_subdomains.c | 332 - src/providers/ldap/sdap.c | 6 +- src/providers/ldap/sdap.h | 4 + src/providers/ldap/sdap_async_initgroups.c | 28 ++- src/tests/cmocka/test_sysdb_subdomains.c | 104 - 6 files changed, 30 insertions(+), 450 deletions(-) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 5dedd97..3b592d6 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h 
@@ -1295,10 +1295,4 @@ errno_t sysdb_handle_original_uuid(const char *orig_name, struct sysdb_attrs *dest_attrs, const char *dest_name); -errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, - const char *domain_component_name, - const char *ldap_search_base, - struct sysdb_attrs **usr_attrs, - size_t count, - struct sysdb_attrs **exp_usr); #endif /* __SYS_DB_H__ */ diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c index 7801404..1f43bfc 100644 --- a/src/db/sysdb_subdomains.c +++ b/src/db/sysdb_subdomains.c 
@@ -1144,335 +1144,3 @@ errno_t sysdb_subdomain_delete(struct sysdb_ctx *sysdb, const char *name) talloc_free(tmp_ctx); return ret; } - -static errno_t match_cn_users(TALLOC_CTX *tmp_ctx, - struct sysdb_attrs **usr_attrs, - size_t count, - const char *dom_basedn, - struct sysdb_attrs **_result) -{ -errno_t ret; -const char *orig_dn; -size_t dn_len; -struct sysdb_attrs *result = NULL; -const char *result_dn_str = NULL; -char *cn_users_basedn; -size_t cn_users_basedn_len; - -cn_users_basedn = talloc_asprintf(tmp_ctx, "%s%s", "cn=users,", dom_basedn); -if (cn_users_basedn == NULL) { -ret = ENOMEM; -goto done; -} -cn_users_basedn_len = strlen(cn_users_basedn); -DEBUG(SSSDBG_TRACE_ALL, "cn=users baseDN is [%s].\n", cn_users_basedn); - -for (size_t c = 0; c < count; c++) { -ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, _dn); -if (ret != EOK) { -DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); -goto done; -} -dn_len = strlen(orig_dn); - -if (dn_len > cn_users_basedn_len -&& strcasecmp(orig_dn + (dn_len - cn_users_basedn_len), - cn_users_basedn) == 0) { -DEBUG(SSSDBG_TRACE_ALL, - "Found matching dn [%s].\n", orig_dn); -if (result != NULL) { -DEBUG(SSSDBG_OP_FAILURE, - "Found 2 matching DN [%s] and [%s], expecting only 1.\n", - result_dn_str, orig_dn); -ret = EINVAL; -goto done; -} -result = usr_attrs[c]; -result_dn_str = orig_dn; -} -} - -ret = EOK; -done: -*_result = result; -return ret; -} - -static errno_t match_non_dc_comp(TALLOC_CTX *tmp_ctx, - struct sss_domain_info *dom, - struct sysdb_attrs **usr_attrs, - size_t count, - struct ldb_dn *ldb_basedn, -
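Review bot: the diffstat drops 104 lines from src/tests/cmocka/test_sysdb_subdomains.c and none of the 30 added lines lands in a test file, so sdap_search_initgr_user_in_batch() replaces the removed matching logic without any test of its own. Port the removed cases to the new function, in particular the ambiguity path that match_cn_users() reported as "Found 2 matching DN [%s] and [%s], expecting only 1." with EINVAL, so the domain/subdomain lookup from the reproducer stays covered.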
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """ Thanks for CR. After pushing it is important to cherry pick #80 as well. """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-262524310 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#70][comment] check_duplicate: check name member before using it
URL: https://github.com/SSSD/sssd/pull/70 Title: #70: check_duplicate: check name member before using it celestian commented: """ @lslebodn, Lukas, are you satisfied by Sumit's explanation? """ See the full comment at https://github.com/SSSD/sssd/pull/70#issuecomment-261941593 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """ So, I pushed new version. Now ```sysdb_get_sudo_filter()``` uses ```nameAlias``` values. (And after pushing #80 I will cherry-pick it to 1.13 too.) """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-261940320 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][-Changes requested] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) Label: -Changes requested ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Author: celestian Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/39/head:pr39 git checkout pr39 From dbba27272c8ab358dbf6dea8adfedfe9d511c36d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Wed, 12 Oct 2016 16:48:38 +0200 Subject: [PATCH] SYSDB: Adding lowercase sudoUser form If domain is not case sensitive we add lowercase form of usernames to sudoUser attributes. So we actually able to apply sudoRule on user Administrator@... with login admnistrator@... Resolves: https://fedorahosted.org/sssd/ticket/3203 (cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645) --- src/db/sysdb_sudo.c| 105 - src/db/sysdb_sudo.h| 7 +- src/responder/sudo/sudosrv_get_sudorules.c | 15 +++-- 3 files changed, 117 insertions(+), 10 deletions(-) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 76116ab..39a6558 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -216,9 +216,9 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx, } errno_t -sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, - uid_t uid, char **groupnames, unsigned int flags, - char **_filter) +sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, char **aliases, + uid_t uid, char **groupnames, bool case_sensitive_domain, + unsigned int flags, char **_filter) { TALLOC_CTX *tmp_ctx = NULL; char *filter = NULL; 
@@ -258,6 +258,15 @@ sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, SYSDB_SUDO_CACHE_AT_USER, sanitized); NULL_CHECK(specific_filter, ret, done); + +if (case_sensitive_domain == false) { +for (i = 0; aliases[i] != NULL; i++) { +specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)", + SYSDB_SUDO_CACHE_AT_USER, + aliases[i]); +NULL_CHECK(specific_filter, ret, done); +} +} } if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) { @@ -320,6 +329,7 @@ errno_t sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, const char *username, uid_t *_uid, + char ***_aliases, char ***groupnames) { TALLOC_CTX *tmp_ctx; @@ -327,15 +337,19 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, struct ldb_message *msg; struct ldb_message *group_msg = NULL; char **sysdb_groupnames = NULL; +char **sysdb_aliases = NULL; const char *primary_group = NULL; struct ldb_message_element *groups; +struct ldb_message_element *aliases; uid_t uid = 0; gid_t gid = 0; size_t num_groups = 0; +size_t num_aliases = 0; int i; const char *attrs[] = { SYSDB_MEMBEROF, SYSDB_GIDNUM, SYSDB_UIDNUM, +SYSDB_NAME_ALIAS, NULL }; const char *group_attrs[] = { SYSDB_NAME, NULL }; @@ -358,6 +372,24 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, } } +aliases = ldb_msg_find_element(msg, SYSDB_NAME_ALIAS); +if (!aliases || aliases->num_values == 0) { +/* No nameAlias for this user in sysdb currently */ +sysdb_aliases = NULL; +num_aliases = 0; +} else { +num_aliases = aliases->num_values; +sysdb_aliases = talloc_array(tmp_ctx, char *, num_aliases + 1); +NULL_CHECK(sysdb_aliases, ret, done); + +for (i = 0; i < aliases->num_values; i++) { +sysdb_aliases[i] = talloc_strdup(sysdb_aliases, + (const char *)aliases->values[i].data); +NULL_CHECK(sysdb_aliases[i], ret, done); +} +sysdb_aliases[aliases->num_values] = NULL; +} + /* resolve secondary groups */ if (groupnames != NULL) { groups = ldb_msg_find_element(msg, SYSDB_MEMBEROF); 
@@ -421,6 +453,10 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, *_uid = uid; } +if (sysdb_aliases != NULL) { +*_aliases = talloc_steal(mem_ctx, sysdb_aliases); +} + if (groupnames != NULL) { *groupnames = talloc_steal(mem_ctx, sysdb_groupnames); } @@ -801,6 +837,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, return EOK; } +static errno_t sysdb_sudo_ad
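Review bot: in the second sysdb_get_sudo_filter() hunk each aliases[i] is appended to the filter as-is, while the user name right above it is inserted from the sanitized buffer; pass every alias through sss_filter_sanitize() before talloc_asprintf_append() so a nameAlias value containing filter metacharacters cannot change the search. The same loop dereferences aliases without a NULL check, and sysdb_get_sudo_user_info() assigns *_aliases only when sysdb_aliases != NULL, so a user without nameAlias leaves the caller's pointer untouched; guard the loop with aliases != NULL and set *_aliases = NULL in the no-alias branch.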
[SSSD] [sssd PR#80][edited] SYSDB: Fixing of sudorule without a sudoUser
URL: https://github.com/SSSD/sssd/pull/80 Author: celestian Title: #80: SYSDB: Fixing of sudorule without a sudoUser Action: edited Changed field: title Original value: """ SYSDB: Sudorule without a sudoUser returns EINVAL """ ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#80][comment] SYSDB: Sudorule without a sudoUser returns EINVAL
URL: https://github.com/SSSD/sssd/pull/80 Title: #80: SYSDB: Sudorule without a sudoUser returns EINVAL celestian commented: """ New version pushed. """ See the full comment at https://github.com/SSSD/sssd/pull/80#issuecomment-261919172 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#80][synchronized] SYSDB: Sudorule without a sudoUser returns EINVAL
URL: https://github.com/SSSD/sssd/pull/80 Author: celestian Title: #80: SYSDB: Sudorule without a sudoUser returns EINVAL Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/80/head:pr80 git checkout pr80 From f8706ec4e199f6db3d56f59542eea741dd35d551 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Wed, 16 Nov 2016 10:09:18 +0100 Subject: [PATCH] SYSDB: Fixing of sudorule without a sudoUser This patch solved a regression caused by the recent patches to lowercase sudoUser -- in case sudoUser is missing completely, we abort the processing of this rule and all others. With this patch, we return ERR_MALFORMED_ENTRY and gracefully skip the malformed rule instead. Resolves: https://fedorahosted.org/sssd/ticket/3241 --- src/db/sysdb_sudo.c | 5 + 1 file changed, 5 insertions(+) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 4bd93ff..f5160f1 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -874,6 +874,7 @@ static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +ret = ERR_MALFORMED_ENTRY; goto done; } @@ -977,6 +978,10 @@ sysdb_sudo_store(struct sss_domain_info *domain, /* Multiple CNs are error on server side, we can just ignore this * rule and save the others. Loud debug message is in logs. */ continue; +} else if (ret == ERR_MALFORMED_ENTRY) { +/* Attribute SYSDB_SUDO_CACHE_AT_USER is missing but we can + * continue with next sudoRule. */ +continue; } else if (ret != EOK) { goto done; } ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
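Review bot: in sysdb_sudo_add_lowered_users() the added ret = ERR_MALFORMED_ENTRY sits under the blanket if (ret != EOK), so every failure of the attribute lookup, an allocation failure included, is relabelled as a malformed rule and then silently skipped by the new else-if branch in sysdb_sudo_store(). Map only the missing-attribute result to ERR_MALFORMED_ENTRY and let any other error reach the existing else if (ret != EOK) path, so that a real failure still stops the store instead of dropping rules one by one.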
[SSSD] [sssd PR#80][opened] SYSDB: Sudorule without a sudoUser returns EINVAL
URL: https://github.com/SSSD/sssd/pull/80 Author: celestian Title: #80: SYSDB: Sudorule without a sudoUser returns EINVAL Action: opened PR body: """ This patch solved a regression caused by the recent patches to lowercase sudoUser -- in case sudoUser is missing completely, we abort the processing of this rule and all others. With this patch, we return EINVAL and gracefully skip the malformed rule instead. Resolves: https://fedorahosted.org/sssd/ticket/3241 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/80/head:pr80 git checkout pr80 From 8877575954842bb2dfcf545b79a3db3ee06521a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Wed, 16 Nov 2016 10:09:18 +0100 Subject: [PATCH] SYSDB: Sudorule without a sudoUser returns EINVAL This patch solved a regression caused by the recent patches to lowercase sudoUser -- in case sudoUser is missing completely, we abort the processing of this rule and all others. With this patch, we return EINVAL and gracefully skip the malformed rule instead. Resolves: https://fedorahosted.org/sssd/ticket/3241 --- src/db/sysdb_sudo.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 4bd93ff..0a59e89 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -874,6 +874,7 @@ static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +ret = EINVAL; goto done; } ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
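Review bot: the single added line, ret = EINVAL in sysdb_sudo_add_lowered_users(), is the whole change, and nothing in this diff makes the caller treat EINVAL as "skip this rule", so the graceful skip promised in the commit message depends on code that is not shown or not touched. Add the matching branch to the loop that stores the rules, and prefer a dedicated error code over EINVAL, which other failures in the same call chain can also return and which would then be skipped just as quietly.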
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """ I am afraid there is the same issue as in https://fedorahosted.org/sssd/ticket/3241. The patch will be added soon. """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-260886546 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][+Changes requested] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) Label: +Changes requested ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """ We discussed this issue with @jhrozek. I misunderstood the case -- the right is -- user is ```Administrator```, the sudoRule is written for user ```administrator``` on case insensitive domain (typically AD). Now we can see in logs proper filter: ``` [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=Administrator)(sudoUser=administrator)... ``` And the sudoRule is: ``` dn: name=lessrule,cn=sudorules,cn=custom,cn=scorpion.domain,cn=sysdb cn: lessrule dataExpireTimestamp: 1479136324 entryUSN: 90154 name: lessrule objectClass: sudoRule originalDN: CN=lessrule,OU=sudoers,DC=scorpion,DC=domain sudoCommand: /usr/bin/less sudoHost: ALL sudoUser: administrator distinguishedName: name=lessrule,cn=sudorules,cn=custom,cn=scorpion.domain,cn= sysdb ``` I slightly changed the patch, new version is pushed. """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-260339114 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
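The user part of the filter quoted in the comment above, as an added example that is not SSSD code: it builds `(|(sudoUser=ALL)(sudoUser=<name>)...)` and, for a case-insensitive domain, also adds the lowercase form, escaping both so a name cannot alter the filter. The function names are hypothetical and the lowercasing is ASCII-only by assumption (the patches on this page use `sss_tc_utf8_str_tolower()` and `sss_filter_sanitize()` for these steps).

```c
/* Added illustration, not SSSD code: all function names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the RFC 4515 filter metacharacters as \XX so that a name is
 * always treated as a literal value and never as filter syntax. */
static char *filter_escape(const char *in)
{
    char *out = malloc(strlen(in) * 3 + 1);   /* worst case: all escaped */
    char *p = out;

    if (out == NULL) {
        return NULL;
    }
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            p += sprintf(p, "\\%02x", (unsigned int)c);
        } else {
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* Assumption: ASCII-only lowercasing stands in for a UTF-8 aware one. */
static char *ascii_lower(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(len + 1);

    if (out == NULL) {
        return NULL;
    }
    for (size_t i = 0; i <= len; i++) {       /* <= also copies the NUL */
        out[i] = (char)tolower((unsigned char)in[i]);
    }
    return out;
}

/* Returns a malloc'ed filter, or NULL on allocation failure. The lowercase
 * clause is added only when it differs from the name as typed. */
char *build_sudo_user_filter(const char *username, int case_sensitive)
{
    char *lowered = NULL, *esc = NULL, *esc_low = NULL, *filter = NULL;
    size_t size;

    esc = filter_escape(username);
    if (esc == NULL) goto done;

    if (!case_sensitive) {
        lowered = ascii_lower(username);
        if (lowered == NULL) goto done;
        if (strcmp(lowered, username) != 0) {
            esc_low = filter_escape(lowered);
            if (esc_low == NULL) goto done;
        }
    }

    size = strlen(esc) + (esc_low != NULL ? strlen(esc_low) : 0) + 64;
    filter = malloc(size);
    if (filter == NULL) goto done;
    if (esc_low != NULL) {
        snprintf(filter, size, "(|(sudoUser=ALL)(sudoUser=%s)(sudoUser=%s))",
                 esc, esc_low);
    } else {
        snprintf(filter, size, "(|(sudoUser=ALL)(sudoUser=%s))", esc);
    }

done:
    free(lowered);
    free(esc);
    free(esc_low);
    return filter;
}

int main(void)
{
    /* Constructed sample names; the last one carries filter metacharacters. */
    const char *names[] = { "Administrator", "administrator", "Adm*n)" };

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        char *f = build_sudo_user_filter(names[i], 0);
        if (f == NULL) return 1;
        printf("%-15s -> %s\n", names[i], f);
        free(f);
    }
    return 0;
}
```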
[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Author: celestian Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/39/head:pr39 git checkout pr39 From b268ea119a295ad20c7270ae7d0a5fc6bbcc04ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Wed, 12 Oct 2016 16:48:38 +0200 Subject: [PATCH] SYSDB: Adding lowercase sudoUser form If domain is not case sensitive we add lowercase form of usernames to sudoUser attributes. So we actually able to apply sudoRule on user Administrator@... with login admnistrator@... Resolves: https://fedorahosted.org/sssd/ticket/3203 (cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645) --- src/db/sysdb_sudo.c| 89 +- src/db/sysdb_sudo.h| 4 +- src/responder/sudo/sudosrv_get_sudorules.c | 2 +- 3 files changed, 90 insertions(+), 5 deletions(-) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 76116ab..6368c64 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -217,13 +217,14 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx, errno_t sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, - uid_t uid, char **groupnames, unsigned int flags, - char **_filter) + uid_t uid, char **groupnames, bool case_sensitive_domain, + unsigned int flags, char **_filter) { TALLOC_CTX *tmp_ctx = NULL; char *filter = NULL; char *specific_filter = NULL; char *sanitized = NULL; +const char *lowered = NULL; time_t now; errno_t ret; int i; 
@@ -258,6 +259,27 @@ sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, SYSDB_SUDO_CACHE_AT_USER, sanitized); NULL_CHECK(specific_filter, ret, done); + +if (case_sensitive_domain == false) { +lowered = sss_tc_utf8_str_tolower(tmp_ctx, username); +if (lowered == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n"); +ret = ENOMEM; +goto done; +} + +if (strcmp(username, lowered) != 0) { +ret = sss_filter_sanitize(tmp_ctx, lowered, ); +if (ret != EOK) { +goto done; +} + +specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)", + SYSDB_SUDO_CACHE_AT_USER, + sanitized); +NULL_CHECK(specific_filter, ret, done); +} +} } if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) { 
@@ -801,6 +823,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, return EOK; } +static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, +struct sysdb_attrs *rule) +{ +TALLOC_CTX *tmp_ctx; +const char **users = NULL; +const char *lowered = NULL; +errno_t ret; + +if (domain->case_sensitive == true || rule == NULL) { +return EOK; +} + +tmp_ctx = talloc_new(NULL); +if (tmp_ctx == NULL) { +return ENOMEM; +} + +ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx, + ); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", +SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +if (users == NULL) { +ret = EOK; +goto done; +} + +for (int i = 0; users[i] != NULL; i++) { +lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]); +if (lowered == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n"); +ret = ENOMEM; +goto done; +} + +if (strcmp(users[i], lowered) == 0) { +/* It protects us from adding duplicate. */ +continue; +} + +ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, + "Unable to add %s attribute [%d]: %s\n", + SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +} + +ret = EOK; + +done: +talloc_zfree(tmp_ctx); +return ret; +} + static errno_t sysdb_sudo_store_rule(struct sss_domain_info *domain, struct sysdb_attrs *rule, @@ -817,6 +897,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain,
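Review bot: in sysdb_sudo_add_lowered_users() the duplicate guard strcmp(users[i], lowered) == 0 only compares a value with its own lowercase form, so a rule that already lists both Administrator and administrator gets administrator added a second time; check the lowered form against the whole users array before calling sysdb_attrs_add_string(). The if (ret != EOK) after sysdb_attrs_get_string_array() also turns a rule that has no SYSDB_SUDO_CACHE_AT_USER attribute into a hard failure of the helper, where skipping that one rule would be the safer result.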
[SSSD] [sssd PR#65][comment] Fixing of nitpicks
URL: https://github.com/SSSD/sssd/pull/65 Title: #65: Fixing of nitpicks celestian commented: """ OK, I prefer checking of return value. So I pushed new version. I kept ```EIO``` error code for corrupted result. """ See the full comment at https://github.com/SSSD/sssd/pull/65#issuecomment-260325605 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#65][synchronized] Fixing of nitpicks
URL: https://github.com/SSSD/sssd/pull/65 Author: celestian Title: #65: Fixing of nitpicks Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/65/head:pr65 git checkout pr65 From 714c0b000c7c4197644ba11fd0ba8e64a6262c9f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Mon, 24 Oct 2016 16:14:58 +0200 Subject: [PATCH 1/2] RESPONDER: Adding of return value checking --- src/responder/common/data_provider/rdp_message.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/responder/common/data_provider/rdp_message.c b/src/responder/common/data_provider/rdp_message.c index 6ad2ba0..22127ac 100644 --- a/src/responder/common/data_provider/rdp_message.c +++ b/src/responder/common/data_provider/rdp_message.c @@ -269,7 +269,7 @@ static void rdp_message_send_and_reply_done(DBusPendingCall *pending, sbus_req = talloc_get_type(ptr, struct sbus_request); ret = rdp_process_pending_call(sbus_req, pending, ); -if (reply == NULL) { +if (ret != EOK) { /* Something bad happened. Just kill the request. */ ret = EIO; goto done; From 27282131f3cad3284b5d3dec2b6f183668b43adf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Mon, 24 Oct 2016 16:20:22 +0200 Subject: [PATCH 2/2] UTIL: Removing of never read value --- src/util/sss_krb5.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c index 2d2dfc4..4808a77 100644 --- a/src/util/sss_krb5.c +++ b/src/util/sss_krb5.c @@ -1104,7 +1104,6 @@ bool sss_krb5_realm_has_proxy(const char *realm) kerr = profile_get_values(profile, profile_path, ); if (kerr == PROF_NO_RELATION || kerr == PROF_NO_SECTION) { -kerr = 0; goto done; } else if (kerr != 0) { DEBUG(SSSDBG_OP_FAILURE, "profile_get_values failed.\n"); ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
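Review bot: in rdp_message_send_and_reply_done() replacing if (reply == NULL) with if (ret != EOK) removes the only NULL guard on reply in this hunk; unless rdp_process_pending_call() guarantees a non-NULL reply whenever it returns EOK, keep both conditions (ret != EOK || reply == NULL). Both commit messages are subject-only: a sentence stating why kerr = 0 is never read in sss_krb5_realm_has_proxy(), that is, what the done: path returns, would let the removal be verified from the log alone.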
[SSSD] [sssd PR#78][comment] ipa: Nested netgroups do not work
URL: https://github.com/SSSD/sssd/pull/78 Title: #78: ipa: Nested netgroups do not work celestian commented: """ Code LGTM. CI passed: http://sssd-ci.duckdns.org/logs/job/56/99/summary.html And I tested it manually: ``` Setup FreeIPA server and do the following: 1. create two netgroups - ng1, ng2 2. add user1 to ng1 3. add user2 to ng2 4. add ng2 to ng1 (make ng2 member of ng1) 5. run command: $ getent netgroup ng1 Wrong output: you do not see netgroup members Correct output: You should see all members of ng1 and ng2 ``` @jhrozek , I give conditional ACK to this patch if downstream tests passed. """ See the full comment at https://github.com/SSSD/sssd/pull/78#issuecomment-259938864 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """ I am sure this is enough. Maybe it is not the most direct solution. I try to explain it: We have user ```Administrator```, sysdb record looks like (minor items missed): ``` dn: name=Administrator,cn=users,cn=scorpion.domain,cn=sysdb fullName: Administrator gecos: Administrator gidNumber: 342400513 name: Administrator objectClass: user uidNumber: 342400500 objectSIDString: S-1-5-21-2022941956-2492201804-3493196904-500 uniqueID: c153af46-809a-41a0-baa6-de76b587e061 originalDN: CN=Administrator,CN=Users,DC=scorpion,DC=domain entryUSN: 69662 nameAlias: administrator ``` And we have ```lessrule```: ``` dn: name=lessrule,cn=sudorules,cn=custom,cn=scorpion.domain,cn=sysdb cn: lessrule dataExpireTimestamp: 1478853348 entryUSN: 45204 name: lessrule objectClass: sudoRule originalDN: CN=lessrule,OU=sudoers,DC=scorpion,DC=domain sudoCommand: /usr/bin/less sudoHost: ALL sudoUser: Administrator sudoUser: administrator distinguishedName: name=lessrule,cn=sudorules,cn=custom,cn=scorpion.domain,cn= sysdb ``` If we look at ```/var/log/secure```: ``` Nov 11 08:02:59 client sudo: pam_sss(sudo:auth): authentication success; logname=administrator uid=342400500 euid=0 tty=/dev/pts/2 ruser=administrator rhost= user=administrator Nov 11 08:02:59 client sudo: administrator : TTY=pts/2 ; PWD=/home/administrator@scorpion.domain ; USER=root ; COMMAND=/bin/less /etc/resolv.conf Nov 11 08:02:59 client sudo: pam_systemd(sudo:session): Cannot create session: Already running in a session Nov 11 08:02:59 client sudo: pam_unix(sudo:session): session opened for user root by administrator(uid=0) ``` I understand that it is searched by the correct name, but sudo finally accepts a name with lowercase letters. If I remove lowercase name from ```sudoRule``` it doesn't work anymore. I wonder if it is a way to make sudo to work with original login name. 
""" See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-259897355 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#74][comment] IPA/AD: check auth ctx before using it
URL: https://github.com/SSSD/sssd/pull/74 Title: #74: IPA/AD: check auth ctx before using it celestian commented: """ I wrote comment to https://fedorahosted.org/sssd/ticket/2818 and I closed https://fedorahosted.org/sssd/ticket/3238. """ See the full comment at https://github.com/SSSD/sssd/pull/74#issuecomment-259671320 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org