Re: [SSSD] [PATCH] Add support for the EntryCacheNoWaitRefreshTimeout

2009-08-17 Thread Sumit Bose
On Fri, Aug 14, 2009 at 03:46:54PM -0400, Stephen Gallagher wrote:
 This timeout specifies the lifetime of a cache entry before it is
 updated out-of-band. When this timeout is hit, the request will
 still complete from cache, but the SSSD will also go and update
 the cached entry in the background to extend the life of the
 cache entry and reduce the wait time of a future request.
 
 Support for the EnumCacheNoWaitRefreshTimeout is still forthcoming, but
 I wanted to get a formal review on this portion.


NACK. I think this patch indicates that nsssrv_cmd.c needs some
refactoring, please do this before adding more code.

More comments follow below.

bye,
Sumit


 From c8d774ee2741c76c4c2a07bcae112924b0061e86 Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher sgall...@redhat.com
 Date: Fri, 14 Aug 2009 08:59:53 -0400
 Subject: [PATCH] Add support for the EntryCacheNoWaitRefreshTimeout
 
 This timeout specifies the lifetime of a cache entry before it is
 updated out-of-band. When this timeout is hit, the request will
 still complete from cache, but the SSSD will also go and update
 the cached entry in the background to extend the life of the
 cache entry and reduce the wait time of a future request.
 ---
  server/examples/sssd.conf |   13 ++
  server/man/sssd.conf.5.xml|   13 ++
  server/responder/nss/nsssrv.c |   20 
  server/responder/nss/nsssrv.h |7 +-
  server/responder/nss/nsssrv_cmd.c |  227 
 ++---
  5 files changed, 236 insertions(+), 44 deletions(-)
 
 diff --git a/server/responder/nss/nsssrv.c b/server/responder/nss/nsssrv.c
 index 456c629..6d7bf74 100644
 --- a/server/responder/nss/nsssrv.c
 +++ b/server/responder/nss/nsssrv.c
 @@ -103,6 +103,26 @@ static int nss_get_config(struct nss_ctx *nctx,
   nctx-neg_timeout);
  if (ret != EOK) goto done;
  
 +ret = confdb_get_int(cdb, nctx, NSS_SRV_CONFIG,
 + EnumCacheNoWaitRefreshTimeout, 0,
 + nctx-enum_cache_refresh_timeout);
 +if (ret != EOK) goto done;
 +if (nctx-enum_cache_refresh_timeout = nctx-enum_cache_timeout) {
 +DEBUG(0,(Configuration error: EnumCacheNoWaitRefreshTimeout exceeds
 + EnumCacheTimeout. Disabling feature.\n));
 +nctx-enum_cache_refresh_timeout = 0;
 +}
 +
 +ret = confdb_get_int(cdb, nctx, NSS_SRV_CONFIG,
 + EntryCacheNoWaitRefreshTimeout, 0,
 + nctx-cache_refresh_timeout);
 +if (ret != EOK) goto done;
 +if (nctx-cache_refresh_timeout = nctx-cache_timeout) {
 +DEBUG(0,(Configuration error: EntryCacheNoWaitRefreshTimeout 
 exceeds
 + EntryCacheTimeout. Disabling feature.\n));
 +nctx-cache_refresh_timeout = 0;
 +}
 +
  ret = confdb_get_string_as_list(cdb, tmpctx, NSS_SRV_CONFIG,
  filterUsers, filter_list);
  if (ret == ENOENT) filter_list = NULL;
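Review bot: The EnumCacheNoWaitRefreshTimeout check (which reads as `>=` once the archive's stripped angle bracket is restored) disables the feature when the refresh timeout merely equals EnumCacheTimeout, yet the message says it "exceeds" it; the EntryCacheNoWaitRefreshTimeout check below has the same mismatch. Either make the comparison strict or word the message to match, e.g. `DEBUG(0, ("Configuration error: EnumCacheNoWaitRefreshTimeout must be smaller than EnumCacheTimeout. Disabling feature.\n"));`. The two lookup-and-validate sequences differ only in option name and target field and could share a small static helper. nss_get_config starts outside the hunk.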

I haven't checked other timeouts so far, but I think it makes sense to
check if *_timeout  0.

 diff --git a/server/responder/nss/nsssrv.h b/server/responder/nss/nsssrv.h
 index 0d3124c..e756384 100644
 --- a/server/responder/nss/nsssrv.h
 +++ b/server/responder/nss/nsssrv.h
 @@ -50,11 +50,14 @@ struct getent_ctx;
  struct nss_ctx {
  struct resp_ctx *rctx;
  
 -int cache_timeout;
 -int neg_timeout;
  struct nss_nc_ctx *ncache;
  
 +int neg_timeout;
 +int cache_timeout;
  int enum_cache_timeout;
 +int cache_refresh_timeout;
 +int enum_cache_refresh_timeout;
 +
  time_t last_user_enum;
  time_t last_group_enum;
  
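Review bot: The two new fields carry no comment on the value that disables the feature, which the loader in nsssrv.c expresses as 0 and as "refresh not smaller than the cache timeout"; a reader of this header cannot see that contract. A comment per field, e.g. `int cache_refresh_timeout;      /* 0 = out-of-band refresh disabled */`, keeps it next to the declaration. The swap of cache_timeout and neg_timeout above the new fields is unrelated churn that could be dropped to keep the diff minimal.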

The *_timeout variables are used to compare against unsigned values. I
would prefer the *_timeout having a type of time_t or uint*.

 diff --git a/server/responder/nss/nsssrv_cmd.c 
 b/server/responder/nss/nsssrv_cmd.c
 index e8f178a..f00a423 100644
 --- a/server/responder/nss/nsssrv_cmd.c
 +++ b/server/responder/nss/nsssrv_cmd.c
 @@ -273,12 +273,15 @@ static void nss_cmd_getpwnam_callback(void *ptr, int 
 status,
  struct cli_ctx *cctx = cmdctx-cctx;
  struct sss_domain_info *dom;
  struct nss_ctx *nctx;
 -int timeout;
 +int timeout, refresh_timeout;

see above and http://freeipa.org/page/Coding_Style#Declaring .

 +time_t now;
  uint64_t lastUpdate;
  uint8_t *body;
  size_t blen;
  bool call_provider = false;
  bool neghit = false;
 +bool need_callback = true;
 +sss_dp_callback_t cb = NULL;
  int ncret;
  int ret;
  
 @@ -296,16 +299,33 @@ static void nss_cmd_getpwnam_callback(void *ptr, int 
 status,
  if (dctx-check_provider) {
  switch (res-count) {
  case 0:
 +/* This is a cache miss. We need to get the updated user 
 information
 + * before returning it.
 + */
  call_provider = true;
 +need_callback = true;
  break;
  
  case 1:
  timeout = 

[SSSD] [PATCH] added missing hash_create which was remove by a previous patch

2009-08-18 Thread Sumit Bose
Hi,

commit c0f3393d4ab923e2eedab0fad88a864e2aae9fc9 removed a needed
hash_create. This patch adds it again.

bye,
Sumit
From 26584f63fdf4139c1d3bf6577e9dd26a5c2520ae Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Tue, 18 Aug 2009 11:57:50 +0200
Subject: [PATCH] added missing hash_create which was remove by a previous patch

---
 server/responder/common/responder_dp.c |   19 ++-
 1 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/server/responder/common/responder_dp.c 
b/server/responder/common/responder_dp.c
index 076b154..604c419 100644
--- a/server/responder/common/responder_dp.c
+++ b/server/responder/common/responder_dp.c
@@ -190,11 +190,6 @@ int sss_dp_send_acct_req(struct resp_ctx *rctx, TALLOC_CTX 
*memctx,
 return EINVAL;
 }
 
-tmp_ctx = talloc_new(NULL);
-if (!tmp_ctx) {
-return ENOMEM;
-}
-
 switch (type) {
 case SSS_DP_USER:
 be_type = BE_REQ_USER;
@@ -209,6 +204,20 @@ int sss_dp_send_acct_req(struct resp_ctx *rctx, TALLOC_CTX 
*memctx,
 return EINVAL;
 }
 
+if (dp_requests == NULL) {
+/* Create a hash table to handle queued update requests */
+ret = hash_create(10, dp_requests, NULL);
+if (ret != HASH_SUCCESS) {
+fprintf(stderr, cannot create hash table (%s)\n, 
hash_error_string(ret));
+return EIO;
+}
+}
+
+tmp_ctx = talloc_new(NULL);
+if (!tmp_ctx) {
+return ENOMEM;
+}
+
 key.type = HASH_KEY_STRING;
 key.str = NULL;
 
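Review bot: The failure path of the added hash_create() reports through fprintf(stderr, …) while the surrounding responder code logs through DEBUG(), so this message bypasses the sssd debug log and the configured debug level; `DEBUG(1, ("cannot create hash table (%s)\n", hash_error_string(ret)));` keeps it consistent. Creating the file-scope table lazily inside sss_dp_send_acct_req also ties its lifetime to the first request; if the responder has an init function, creating it there keeps setup out of the request path. sss_dp_send_acct_req begins and ends outside the hunk.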
-- 
1.6.2.5



[SSSD] [PATCH] use stored upn if available

2009-08-21 Thread Sumit Bose
Hi,

this is the last patch in the series to add the basic support for AD as
a server. With this patch the kerberos backend will use the user
principal name provided by the server to get the TGT. To make the client
side kerberos libraries happy the realm part is always made upper case.

bye,
Sumit
From 6bc7402f112d8ed612d0a8128e74459d4c072809 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Fri, 21 Aug 2009 12:08:31 +0200
Subject: [PATCH] use stored upn if available

If a user principal name (upn) can be found in sysdb the krb5
backend will use it, otherwise it is built as usern...@realm. It is
checked that the realm is upper case only.
---
 server/providers/krb5/krb5_auth.c |  121 +++--
 1 files changed, 101 insertions(+), 20 deletions(-)

diff --git a/server/providers/krb5/krb5_auth.c 
b/server/providers/krb5/krb5_auth.c
index ffbfd7b..45bbe4c 100644
--- a/server/providers/krb5/krb5_auth.c
+++ b/server/providers/krb5/krb5_auth.c
@@ -31,6 +31,7 @@
 #include unistd.h
 #include fcntl.h
 #include pwd.h
+#include ctype.h
 
 #include security/pam_modules.h
 
@@ -40,6 +41,25 @@
 #include krb5_plugin/sssd_krb5_locator_plugin.h
 #include providers/krb5/krb5_auth.h
 
+#define REALM_SEPARATOR '@'
+
+static void make_realm_upper_case(const char *upn)
+{
+char *c;
+
+c = strchr(upn, REALM_SEPARATOR);
+if (c == NULL) {
+DEBUG(9, (No realm delimiter found in upn [%s].\n, upn));
+return;
+}
+
+while(*(++c) != '\0') {
+c[0] = toupper(*c);
+}
+
+return;
+}
+
 static void fd_nonblocking(int fd) {
 int flags;
 
@@ -77,13 +97,13 @@ static void krb5_cleanup(struct krb5_req *kr)
 talloc_free(kr);
 }
 
-static int krb5_setup(struct be_req *req, struct krb5_req **krb5_req)
+static int krb5_setup(struct be_req *req, const char *user_princ_str,
+  struct krb5_req **krb5_req)
 {
 struct krb5_req *kr = NULL;
 struct krb5_ctx *krb5_ctx;
 struct pam_data *pd;
 krb5_error_code kerr = 0;
-char *user_princ_str = NULL;
 
 pd = talloc_get_type(req-req_data, struct pam_data);
 
@@ -105,18 +125,6 @@ static int krb5_setup(struct be_req *req, struct krb5_req 
**krb5_req)
 goto failed;
 }
 
-/* TODO: try to read user principal from id backend, use user + realm as a
-   fallback */
-if (kr-pd-user != NULL  krb5_ctx-realm != NULL) {
-user_princ_str = talloc_asprintf(kr, %...@%s, kr-pd-user,
-  krb5_ctx-realm);
-}
-if (user_princ_str == NULL) {
-DEBUG(1, (talloc_asprintf failed.\n));
-kerr = ENOMEM;
-goto failed;
-}
-
 kerr = krb5_parse_name(kr-ctx, user_princ_str, kr-princ);
 if (kerr != 0) {
 KRB5_DEBUG(1, kerr);
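Review bot: With the construction block removed, krb5_setup() hands user_princ_str straight to krb5_parse_name() without a NULL check, so the function now relies entirely on its caller; the caller (get_user_upn_done) is cut off on this page, and the removed block shows that a NULL here was previously treated as an error. A guard near the top of the function, `if (user_princ_str == NULL) { kerr = EINVAL; goto failed; }`, keeps the contract local, following the file's existing pattern of assigning errno values to kerr. krb5_setup's body continues outside the hunk.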
@@ -374,16 +382,16 @@ static ssize_t tgt_req_recv(struct tevent_req *req, 
TALLOC_CTX *mem_ctx,
 return state-len;
 }
 
+static void get_user_upn_done(void *pvt, int err, struct ldb_result *res);
 static void krb5_pam_handler_done(struct tevent_req *req);
 static void krb5_pam_handler_cache_done(struct tevent_req *treq);
 
 static void krb5_pam_handler(struct be_req *be_req)
 {
-struct krb5_req *kr = NULL;
-struct tevent_req *req;
 int ret;
 struct pam_data *pd;
 int pam_status=PAM_SYSTEM_ERR;
+const char **attrs;
 
 pd = talloc_get_type(be_req-req_data, struct pam_data);
 
@@ -393,22 +401,95 @@ static void krb5_pam_handler(struct be_req *be_req)
 goto done;
 }
 
-ret = krb5_setup(be_req, kr);
+attrs = talloc_array(be_req, const char *, 2);
+if (attrs == NULL) {
+goto done;
+}
+
+attrs[0] = SYSDB_UPN;
+attrs[1] = NULL;
+
+ret = sysdb_get_user_attr(be_req, be_req-be_ctx-sysdb,
+  be_req-be_ctx-domain, pd-user, attrs,
+  get_user_upn_done, be_req);
+
+if (ret) {
+goto done;
+}
+
+return;
+
+done:
+pd-pam_status = pam_status;
+
+be_req-fn(be_req, pam_status, NULL);
+}
+
+static void get_user_upn_done(void *pvt, int err, struct ldb_result *res)
+{
+struct be_req *be_req = talloc_get_type(pvt, struct be_req);
+struct krb5_ctx *krb5_ctx;
+struct krb5_req *kr = NULL;
+struct tevent_req *req;
+int ret;
+struct pam_data *pd;
+int pam_status=PAM_SYSTEM_ERR;
+const char *upn = NULL;
+
+pd = talloc_get_type(be_req-req_data, struct pam_data);
+krb5_ctx = talloc_get_type(be_req-be_ctx-bet_info[BET_AUTH].pvt_bet_data,
+   struct krb5_ctx);
+
+if (err != LDB_SUCCESS) {
+DEBUG(5, (sysdb search for upn of user [%s] failed.\n, pd-user));
+goto failed;
+}
+
+switch (res-count) {
+case 0:
+DEBUG(5, (No upn for user [%s] found.\n, pd-user));
+break;
+
+case 1:
+upn = ldb_msg_find_attr_as_string(res-msgs[0], SYSDB_UPN, NULL);
+if (upn == NULL) {
+/* NOTE: this is a hack, works

Re: [SSSD] [PATCHES] make enumerations a background task

2009-08-27 Thread Sumit Bose
On Thu, Aug 27, 2009 at 09:21:55AM -0400, Simo Sorce wrote:
 On Thu, 2009-08-27 at 01:03 -0400, Simo Sorce wrote:
  This affects only the ldap driver.
  Enumerations are now a background task, on startup a full enumeration is
  performed.
  Then every 5 minutes (changeable default) only new/modified entries are
  retrieved.
  So after the first full pull the quantity of data that is pulled is
  limited, this is why I have not removed the large transaction yet.
  
  Next step is to change the group handling code into a 2 step process, or
  some group membership may be lost against server that allow nested
  groups via the member/memberof schema.
  
  0001 simplify code, no need for a wrapper
 
 Forgot to fix the tests code in this one, attaching new patch.
 
 Simo.
 

ACK,

although it looks like you need both patches together to make it fly.

bye,
Sumit


[SSSD] [PATCH] check if gid attribute is empty

2009-08-28 Thread Sumit Bose
Hi,

this patch just makes sure that the LDAP backend does not die if the
group object returned by the LDAP server does not contain a gid. In a
previous patch I have sent the same fix for uid/gid in a returned user
object, but have forgotten the group object.

bye,
Sumit
From a9a1c7e26b919c2edb6fa64fbb4e7d9e243eb565 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Thu, 27 Aug 2009 14:05:36 +0200
Subject: [PATCH] check if gid attribute is empty

---
 server/providers/ldap/sdap_async.c |6 ++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/server/providers/ldap/sdap_async.c 
b/server/providers/ldap/sdap_async.c
index 4d74061..852c6d2 100644
--- a/server/providers/ldap/sdap_async.c
+++ b/server/providers/ldap/sdap_async.c
@@ -1151,6 +1151,12 @@ static struct tevent_req 
*sdap_save_group_send(TALLOC_CTX *memctx,
 ret = sysdb_attrs_get_el(state-attrs,
   opts-group_map[SDAP_AT_GROUP_GID].sys_name, el);
 if (ret) goto fail;
+if (el-num_values == 0) {
+DEBUG(1, (no gid provided for [%s] in domain [%s].\n,
+  state-name, dom-name));
+ret = EINVAL;
+goto fail;
+}
 errno = 0;
 l = strtol((const char *)el-values[0].data, NULL, 0);
 if (errno) {
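Review bot: The new num_values check catches a missing gid, but the strtol() call that follows still passes a NULL endptr and only consults errno, so a gid attribute that is present but not numeric converts to 0 without any error (strtol sets errno only on overflow) and would be stored as gid 0. Checking the end pointer closes that gap: `char *end; l = strtol((const char *)el->values[0].data, &end, 0); if (errno || end == (const char *)el->values[0].data || *end != '\0') { ret = EINVAL; goto fail; }`. Whether el->values[0].data is NUL-terminated is not visible here; if ldb does not guarantee it, the value's length field should bound the parse. sdap_save_group_send starts and ends outside the hunk.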
-- 
1.6.2.5



Re: [SSSD] [Freeipa-devel] [PATCH] add configure check for errno_t

2009-08-28 Thread Sumit Bose
On Thu, Aug 27, 2009 at 09:38:14AM -0400, Simo Sorce wrote:
 On Wed, 2009-08-26 at 13:25 +0200, Sumit Bose wrote:
  
  I have include the check in the sss_client directory, but I'm
  reluctant
  to add it to common, too. IMO the maintainers of the packages should
  decide if errno_t makes sense for them or not. A second argument would
  be that in most cases there is no private header file where the
  typedef
  can be added.
 
 Sumit,
 I can't do a successful build with this patch, it says errno_t is
 re-defined in sss_cli.h when parsing util.h
 
 Does it depend on other patches ?
 Can you check it again against current master ?
 

ah, sorry, the new patch contains a protection against double inclusion
of the typedef.

bye,
Sumit
From f48fc08a67c2a67611547f509ad00a6ff35a35f2 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Wed, 26 Aug 2009 13:18:19 +0200
Subject: [PATCH] add configure check for errno_t

---
 server/configure.ac |2 ++
 server/util/util.h  |5 +
 sss_client/configure.ac |2 ++
 sss_client/sss_cli.h|5 +
 4 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/server/configure.ac b/server/configure.ac
index d42f07e..071ad07 100644
--- a/server/configure.ac
+++ b/server/configure.ac
@@ -31,6 +31,8 @@ AM_CONDITIONAL([HAVE_GCC], [test $ac_cv_prog_gcc = yes])
 AC_CHECK_HEADERS(stdint.h dlfcn.h)
 AC_CONFIG_HEADER(config.h)
 
+AC_CHECK_TYPES([errno_t], [], [], [[#include errno.h]])
+
 m4_include([build_macros.m4])
 BUILD_WITH_SHARED_BUILD_DIR
 
diff --git a/server/util/util.h b/server/util/util.h
index 8796529..f289f9c 100644
--- a/server/util/util.h
+++ b/server/util/util.h
@@ -15,6 +15,11 @@
 #include tevent.h
 #include ldb.h
 
+#ifndef HAVE_ERRNO_T
+#define HAVE_ERRNO_T
+typedef int errno_t;
+#endif
+
 extern const char *debug_prg_name;
 extern int debug_level;
 extern int debug_timestamps;
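Review bot: The fallback guard reuses HAVE_ERRNO_T, the symbol configure writes to config.h, so it only protects against a system-provided errno_t when config.h is included before util.h; a translation unit that includes util.h first (or never includes config.h) can end up with this typedef next to the system one, which C99 rejects as a typedef redefinition. The sss_cli.h hunk below has the same structure. Including config.h from the header, or recording the ordering requirement with a comment such as `/* config.h must be included before this header so HAVE_ERRNO_T is visible */`, makes the dependency explicit.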
diff --git a/sss_client/configure.ac b/sss_client/configure.ac
index df16641..01c717d 100644
--- a/sss_client/configure.ac
+++ b/sss_client/configure.ac
@@ -13,6 +13,8 @@ AM_GNU_GETTEXT_VERSION([0.14])
 
 AM_CONDITIONAL([HAVE_GCC], [test $ac_cv_prog_gcc = yes])
 
+AC_CHECK_TYPES([errno_t], [], [], [[#include errno.h]])
+
 m4_pattern_allow([AM_SILENT_RULES])
 AM_SILENT_RULES
 
diff --git a/sss_client/sss_cli.h b/sss_client/sss_cli.h
index f1ccba9..7e0d4db 100644
--- a/sss_client/sss_cli.h
+++ b/sss_client/sss_cli.h
@@ -15,6 +15,11 @@
 #include pwd.h
 #include grp.h
 
+#ifndef HAVE_ERRNO_T
+#define HAVE_ERRNO_T
+typedef int errno_t;
+#endif
+
 #define SSS_NSS_PROTOCOL_VERSION 1
 #define SSS_PAM_PROTOCOL_VERSION 2
 
-- 
1.6.2.5



Re: [SSSD] [PATCH] Speed up NSS enumeration code

2009-08-28 Thread Sumit Bose
On Thu, Aug 27, 2009 at 01:58:15PM -0400, Simo Sorce wrote:
 This patch should make the enumeration code ~ O(log n) instead of O(n)
 
 On my system it brought enumeration down from 12s to 4s with the same
 data set.
 

Although I haven't measured it I see a speed-up, too.

I have only one issue with sort_members. Can you rename it to something
like distribute_members_to_groups or scatter_members_to_groups? I think
sort_members is very misleading here.

bye,
Sumit

 Simo.
 
 -- 
 Simo Sorce * Red Hat, Inc * New York

 From ab7ab19462ca5ccbb3efcb283648eb699f756f43 Mon Sep 17 00:00:00 2001
 From: Simo Sorce sso...@redhat.com
 Date: Thu, 27 Aug 2009 13:52:54 -0400
 Subject: [PATCH] Speed-up enumerations.
 
 This patch reduces the time needed to enumerate groups of a midsized
 domain from 12 seconds to 4.4
 Optimizes enumerations by doing only 2 ldb searches and some ordering
 instead of a number of searches proportional to the number of groups
 ---
  server/db/sysdb.h|6 ++-
  server/db/sysdb_search.c |  163 
 +-
  2 files changed, 167 insertions(+), 2 deletions(-)
 
 diff --git a/server/db/sysdb.h b/server/db/sysdb.h
 index 2f01ea6..3d75f50 100644
 --- a/server/db/sysdb.h
 +++ b/server/db/sysdb.h
 @@ -119,8 +119,12 @@
SYSDB_LAST_UPDATE, \
objectClass, \
NULL}
 +#define SYSDB_GRENT_ATTRS {SYSDB_NAME, SYSDB_UIDNUM, SYSDB_MEMBEROF, \
 +   SYSDB_LAST_UPDATE, \
 +   objectClass, \
 +   NULL}
  
 -#define SYSDB_INITGR_ATTR memberof
 +#define SYSDB_INITGR_ATTR SYSDB_MEMBEROF
  #define SYSDB_INITGR_ATTRS {SYSDB_GIDNUM, SYSDB_LAST_UPDATE, \
  objectClass, \
  NULL}
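Review bot: SYSDB_GRENT_ATTRS is named like a group-entry attribute list but contains SYSDB_UIDNUM and SYSDB_MEMBEROF, and in the sysdb_search.c hunk below it is used by enum_members() for a search over users that have memberof set, so the name misleads at the point of use. A name such as `SYSDB_GRENT_MEMBER_ATTRS`, or a comment on the define, `/* attributes fetched for the users collected during a group enumeration */`, would state what the list is for.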
 diff --git a/server/db/sysdb_search.c b/server/db/sysdb_search.c
 index a3fdb16..3837f45 100644
 --- a/server/db/sysdb_search.c
 +++ b/server/db/sysdb_search.c
 @@ -35,6 +35,7 @@ struct sysdb_search_ctx {
  
  struct sss_domain_info *domain;
  
 +bool enumeration;
  const char *expression;
  
  sysdb_callback_t callback;
 @@ -297,6 +298,8 @@ int sysdb_enumpwent(TALLOC_CTX *mem_ctx,
  return ENOMEM;
  }
  
 +sctx-enumeration = true;
 +
  if (expression)
  sctx-expression = expression;
  else
 @@ -384,6 +387,158 @@ static void get_members(struct sysdb_search_ctx *sctx)
  }
  }
  
 +static void sort_members(struct sysdb_search_ctx *sctx);
 +static void enum_members(struct sysdb_search_ctx *sctx)
 +{
 +static const char *attrs[] = SYSDB_GRENT_ATTRS;
 +struct ldb_request *req;
 +struct ldb_dn *dn;
 +int ret;
 +
 +/* search for all users that have memberof set */
 +sctx-expression = talloc_asprintf(sctx, SYSDB_GRNA2_FILTER, *);
 +if (!sctx-expression) {
 +return request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR);
 +}
 +
 +dn = ldb_dn_new_fmt(sctx, sctx-ctx-ldb,
 +SYSDB_TMPL_USER_BASE, sctx-domain-name);
 +if (!dn) {
 +return request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR);
 +}
 +
 +sctx-gen_aux_fn = sort_members;
 +
 +ret = ldb_build_search_req(req, sctx-ctx-ldb, sctx,
 +   dn, LDB_SCOPE_SUBTREE,
 +   sctx-expression, attrs, NULL,
 +   sctx, get_gen_callback,
 +   NULL);
 +if (ret != LDB_SUCCESS) {
 +return request_ldberror(sctx, ret);
 +}
 +
 +ret = ldb_request(sctx-ctx-ldb, req);
 +if (ret != LDB_SUCCESS) {
 +return request_ldberror(sctx, ret);
 +}
 +}
 +
 +static void sort_members(struct sysdb_search_ctx *sctx)
 +{
 +struct get_mem_ctx *gmctx;
 +struct ldb_message **users;
 +size_t num_users;
 +size_t res_idx, grp_idx, i;
 +const char *grp_dn;
 +
 +gmctx = sctx-gmctx;
 +
 +/* we have groups in gmctx-grps, and users in res-msgs
 + * now we need to create a new set where we have each group
 + * followed by pointers to its users */
 +users = sctx-res-msgs;
 +num_users = sctx-res-count;
 +
 +/* allocate initial storage all in one go */
 +sctx-res-count = gmctx-num_grps + num_users;
 +sctx-res-msgs = talloc_array(sctx-res, struct ldb_message *,
 +   sctx-res-count + 1);
 +if (!sctx-res-msgs) {
 +return request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR);
 +}
 +
 +res_idx = 0;
 +for (grp_idx = 0; grp_idx  gmctx-num_grps; grp_idx++) {
 +
 +/* store the group first */
 +
 +if (res_idx == sctx-res-count) {
 +sctx-res-count += 10; /* allocate 10 at a time */
 +sctx-res-msgs = talloc_realloc(sctx-res, sctx-res-msgs,
 + struct ldb_message *,
 + sctx-res-count + 1);
 +if 

[SSSD] [PATCH] send SSSD_REALM and SSSD_KDCIP environment to the client

2009-08-28 Thread Sumit Bose
Hi,

the environment variables which are sent back by this patch are currently
needed in the user session of the client. When the DNS helper is
available and used by the kerberos locator plugin they can be removed.

bye,
Sumit
From 8cc4ea16832b5997bb74d20f12ef5d8505c05e73 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Wed, 26 Aug 2009 11:08:55 +0200
Subject: [PATCH] send SSSD_REALM and SSSD_KDCIP environment to the client

Currently the kerberos locator plugin needs these two variables to
be set to find a KDC which is configured in sssd but not in
/etc/krb5.conf.
---
 server/providers/krb5/krb5_auth.c |   32 ++--
 1 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/server/providers/krb5/krb5_auth.c 
b/server/providers/krb5/krb5_auth.c
index 39bc170..a03d566 100644
--- a/server/providers/krb5/krb5_auth.c
+++ b/server/providers/krb5/krb5_auth.c
@@ -74,7 +74,9 @@ static void krb5_cleanup(struct krb5_req *kr)
 if (kr-ctx != NULL)
 krb5_free_context(kr-ctx);
 
-talloc_free(kr);
+memset(kr, 0, sizeof(struct krb5_req));
+
+talloc_zfree(kr);
 }
 
 static int krb5_setup(struct be_req *req, const char *user_princ_str,
@@ -484,6 +486,7 @@ static void krb5_pam_handler_done(struct tevent_req *req)
 struct krb5_req *kr = tevent_req_callback_data(req, struct krb5_req);
 struct pam_data *pd = kr-pd;
 struct be_req *be_req = kr-req;
+struct krb5_ctx *krb5_ctx = kr-krb5_ctx;
 struct tgt_req_state *state = tevent_req_data(req, struct tgt_req_state);
 int ret;
 uint8_t *buf;
@@ -495,6 +498,7 @@ static void krb5_pam_handler_done(struct tevent_req *req)
 int32_t *msg_len;
 struct tevent_req *subreq = NULL;
 char *password = NULL;
+char *env = NULL;
 
 pd-pam_status = PAM_SYSTEM_ERR;
 krb5_cleanup(kr);
@@ -529,7 +533,7 @@ static void krb5_pam_handler_done(struct tevent_req *req)
 goto done;
 }
 
-ret=pam_add_response(kr-pd, *msg_type, *msg_len, buf[p]);
+ret=pam_add_response(pd, *msg_type, *msg_len, buf[p]);
 if (ret != EOK) {
 DEBUG(1, (pam_add_response failed.\n));
 goto done;
@@ -537,6 +541,30 @@ static void krb5_pam_handler_done(struct tevent_req *req)
 
 pd-pam_status = *msg_status;
 
+if (pd-pam_status == PAM_SUCCESS  pd-cmd == SSS_PAM_AUTHENTICATE) {
+env = talloc_asprintf(pd, %s=%s, SSSD_REALM, krb5_ctx-realm);
+if (env == NULL) {
+DEBUG(1, (talloc_asprintf failed.\n));
+goto done;
+}
+ret=pam_add_response(pd, PAM_ENV_ITEM, strlen(env)+1, (uint8_t *) env);
+if (ret != EOK) {
+DEBUG(1, (pam_add_response failed.\n));
+goto done;
+}
+
+env = talloc_asprintf(pd, %s=%s, SSSD_KDC, krb5_ctx-kdcip);
+if (env == NULL) {
+DEBUG(1, (talloc_asprintf failed.\n));
+goto done;
+}
+ret=pam_add_response(pd, PAM_ENV_ITEM, strlen(env)+1, (uint8_t *) env);
+if (ret != EOK) {
+DEBUG(1, (pam_add_response failed.\n));
+goto done;
+}
+}
+
 if (pd-pam_status == PAM_SUCCESS 
 be_req-be_ctx-domain-cache_credentials == TRUE) {
 password = talloc_size(be_req, pd-authtok_size + 1);
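Review bot: krb5_ctx->realm and krb5_ctx->kdcip are formatted with %s without a NULL check; whether both are guaranteed to be set on krb5_ctx is not visible here, and a NULL would either produce an item like SSSD_REALM=(null) or crash depending on the libc. A guard before the first talloc_asprintf(), `if (krb5_ctx->realm == NULL || krb5_ctx->kdcip == NULL) { DEBUG(1, ("realm or kdcip not set.\n")); goto done; }`, keeps malformed items out of the client's environment. The two add-item sequences are identical apart from the value and could share a small static helper. The resent version of this patch carries the same hunk; krb5_pam_handler_done starts and ends outside it.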
-- 
1.6.2.5



Re: [SSSD] [PATCH] send SSSD_REALM and SSSD_KDCIP environment to the client

2009-08-28 Thread Sumit Bose
On Fri, Aug 28, 2009 at 12:16:51PM +0200, Sumit Bose wrote:
 Hi,
 
 the environment variable which are send back by this patch are currently
 needed in the user session of the client. When the DNS helper is
 available and used by the kerberos locator plugin they can be removed.
 
 bye,
 Sumit

sorry, the previous version depended on another not yet submitted patch.
This one will work with the current master.

bye,
Sumit
From f839a11fe0ced617fdae84d29228393aa0bc212f Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Wed, 26 Aug 2009 11:08:55 +0200
Subject: [PATCH] send SSSD_REALM and SSSD_KDCIP environment to the client

Currently the kerberos locator plugin needs these two variables to
be set to find a KDC which is configured in sssd but not in
/etc/krb5.conf.
---
 server/providers/krb5/krb5_auth.c |   33 +++--
 1 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/server/providers/krb5/krb5_auth.c 
b/server/providers/krb5/krb5_auth.c
index 39bc170..b1fe47a 100644
--- a/server/providers/krb5/krb5_auth.c
+++ b/server/providers/krb5/krb5_auth.c
@@ -74,7 +74,9 @@ static void krb5_cleanup(struct krb5_req *kr)
 if (kr-ctx != NULL)
 krb5_free_context(kr-ctx);
 
-talloc_free(kr);
+memset(kr, 0, sizeof(struct krb5_req));
+
+talloc_zfree(kr);
 }
 
 static int krb5_setup(struct be_req *req, const char *user_princ_str,
@@ -98,6 +100,7 @@ static int krb5_setup(struct be_req *req, const char 
*user_princ_str,
 
 kr-pd = pd;
 kr-req = req;
+kr-krb5_ctx = krb5_ctx;
 
 kerr = krb5_init_context(kr-ctx);
 if (kerr != 0) {
@@ -484,6 +487,7 @@ static void krb5_pam_handler_done(struct tevent_req *req)
 struct krb5_req *kr = tevent_req_callback_data(req, struct krb5_req);
 struct pam_data *pd = kr-pd;
 struct be_req *be_req = kr-req;
+struct krb5_ctx *krb5_ctx = kr-krb5_ctx;
 struct tgt_req_state *state = tevent_req_data(req, struct tgt_req_state);
 int ret;
 uint8_t *buf;
@@ -495,6 +499,7 @@ static void krb5_pam_handler_done(struct tevent_req *req)
 int32_t *msg_len;
 struct tevent_req *subreq = NULL;
 char *password = NULL;
+char *env = NULL;
 
 pd-pam_status = PAM_SYSTEM_ERR;
 krb5_cleanup(kr);
@@ -529,7 +534,7 @@ static void krb5_pam_handler_done(struct tevent_req *req)
 goto done;
 }
 
-ret=pam_add_response(kr-pd, *msg_type, *msg_len, buf[p]);
+ret=pam_add_response(pd, *msg_type, *msg_len, buf[p]);
 if (ret != EOK) {
 DEBUG(1, (pam_add_response failed.\n));
 goto done;
@@ -537,6 +542,30 @@ static void krb5_pam_handler_done(struct tevent_req *req)
 
 pd-pam_status = *msg_status;
 
+if (pd-pam_status == PAM_SUCCESS  pd-cmd == SSS_PAM_AUTHENTICATE) {
+env = talloc_asprintf(pd, %s=%s, SSSD_REALM, krb5_ctx-realm);
+if (env == NULL) {
+DEBUG(1, (talloc_asprintf failed.\n));
+goto done;
+}
+ret=pam_add_response(pd, PAM_ENV_ITEM, strlen(env)+1, (uint8_t *) env);
+if (ret != EOK) {
+DEBUG(1, (pam_add_response failed.\n));
+goto done;
+}
+
+env = talloc_asprintf(pd, %s=%s, SSSD_KDC, krb5_ctx-kdcip);
+if (env == NULL) {
+DEBUG(1, (talloc_asprintf failed.\n));
+goto done;
+}
+ret=pam_add_response(pd, PAM_ENV_ITEM, strlen(env)+1, (uint8_t *) env);
+if (ret != EOK) {
+DEBUG(1, (pam_add_response failed.\n));
+goto done;
+}
+}
+
 if (pd-pam_status == PAM_SUCCESS 
 be_req-be_ctx-domain-cache_credentials == TRUE) {
 password = talloc_size(be_req, pd-authtok_size + 1);
-- 
1.6.2.5



[SSSD] [PATCH] fix internal order of ldap user mapping options

2009-08-28 Thread Sumit Bose
Hi,

a previous patch added a new attribute and also changed the internal
order of the existing attributes. This patch changes the numbering of
the attributes to match the new order.

bye,
Sumit
From a4e1484f0dc9297f9c609196e4356e97d244ad14 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Fri, 28 Aug 2009 13:40:29 +0200
Subject: [PATCH] fix internal order of ldap user mapping options

---
 server/providers/ldap/sdap.h |8 
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/server/providers/ldap/sdap.h b/server/providers/ldap/sdap.h
index 42af68f..0145091 100644
--- a/server/providers/ldap/sdap.h
+++ b/server/providers/ldap/sdap.h
@@ -99,10 +99,10 @@ enum sdap_result {
 #define SDAP_AT_USER_GECOS 5
 #define SDAP_AT_USER_HOME 6
 #define SDAP_AT_USER_SHELL 7
-#define SDAP_AT_USER_UUID 8
-#define SDAP_AT_USER_PRINC 9
-#define SDAP_AT_USER_FULLNAME 10
-#define SDAP_AT_USER_MEMBEROF 11
+#define SDAP_AT_USER_PRINC 8
+#define SDAP_AT_USER_FULLNAME 9
+#define SDAP_AT_USER_MEMBEROF 10
+#define SDAP_AT_USER_UUID 11
 #define SDAP_AT_USER_MODSTAMP 12
 
 #define SDAP_OPTS_USER 13 /* attrs counter */
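Review bot: The attribute indexes are hand-numbered #defines, and this patch exists only because a previous one inserted an entry without renumbering; an enum whose last member is the count, `enum { …, SDAP_AT_USER_SHELL, SDAP_AT_USER_PRINC, …, SDAP_AT_USER_MODSTAMP, SDAP_OPTS_USER };`, gives the order implicitly and cannot drift from the map. This is a point of style; the values in the hunk are consistent with SDAP_OPTS_USER 13.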
-- 
1.6.2.5



[SSSD] [PATCH] remove the concept of a backend name

2009-09-02 Thread Sumit Bose
Hi,

I just wanted to change the prefix of the log messages of the
backends from [sssd[be[ID_PROVIDER_NAME]]] to [sssd[be[DOMAIN_NAME]]].
Then I wondered why we need to store the name of the id provider at all
and as a result I removed it.

Now the backends identify themselves with the domain name. Maybe in a
next step the D-BUS client registration calls can be simplified by using
only a single id field instead of a name and a domain field.

While most of the patch is related to the identification of the
backend to the data provider the expansion of 'provider=files' is
affected, too. So tests which use 'provider=files' might fail if I have
messed up the expansion.

bye,
Sumit
From 79ffba6e5d1ee01fe8474aacaec412e9387a85df Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Wed, 2 Sep 2009 12:21:55 +0200
Subject: [PATCH] remove the concept of a backend name

The data provider backends stored a name value besides the domain
name to identify themselves to the data provider. This was the name
of the id provider. Currently the backends can have different
providers for id, authentication etc. So the name may be misleading.
Also when there are more domains with the same id provider the name
is not enough to identify the backend but the domain name is. As a
consequence the backend name is removed completely and only the
domain name is used for identification.
---
 server/monitor/monitor.c|4 +-
 server/providers/data_provider.c|   19 ++
 server/providers/data_provider_be.c |   48 ++
 server/providers/dp_backend.h   |1 -
 4 files changed, 41 insertions(+), 31 deletions(-)

diff --git a/server/monitor/monitor.c b/server/monitor/monitor.c
index 67e5b6e..893de9b 100644
--- a/server/monitor/monitor.c
+++ b/server/monitor/monitor.c
@@ -1040,10 +1040,10 @@ static int get_provider_config(struct mt_ctx *ctx, 
const char *name,
 /* if there are no custom commands, build a default one */
 if (!svc-command) {
 svc-command = talloc_asprintf(svc,
-%s/sssd_be -d %d%s --provider %s --domain %s,
+%s/sssd_be -d %d%s --domain %s,
 SSSD_LIBEXEC_PATH, debug_level,
 (debug_timestamps? --debug-timestamps:),
-svc-provider, svc-name);
+svc-name);
 if (!svc-command) {
 talloc_free(svc);
 return ENOMEM;
diff --git a/server/providers/data_provider.c b/server/providers/data_provider.c
index 4cb39bf..f8efcc8 100644
--- a/server/providers/data_provider.c
+++ b/server/providers/data_provider.c
@@ -64,7 +64,6 @@ struct dp_client {
 struct dp_backend {
 struct dp_backend *prev;
 struct dp_backend *next;
-char *name;
 char *domain;
 struct dp_client *dpcli;
 };
@@ -282,9 +281,8 @@ static int client_registration(DBusMessage *message,
 return ENOMEM;
 }
 
-dpbe-name = talloc_strdup(dpbe, cli_name);
 dpbe-domain = talloc_strdup(dpbe, cli_domain);
-if (!dpbe-name || !dpbe-domain) {
+if (!dpbe-domain) {
 DEBUG(0, (Out of memory!\n));
 sbus_disconnect(conn);
 return ENOMEM;
@@ -294,8 +292,7 @@ static int client_registration(DBusMessage *message,
 
 DLIST_ADD(dpcli-dpctx-be_list, dpbe);
 
-DEBUG(4, (Added Backend client [%s], for domain [%s]\n,
-  dpbe-name, dpbe-domain));
+DEBUG(4, (Added Backend client for domain [%s]\n, dpbe-domain));
 
 talloc_set_destructor((TALLOC_CTX *)dpbe, dp_backend_destructor);
 break;
@@ -398,9 +395,9 @@ static void be_got_account_info(DBusPendingCall *pending, 
void *data)
 goto done;
 }
 
-DEBUG(4, (Got reply (%u, %u, %s) from %s(%s)\n,
+DEBUG(4, (Got reply (%u, %u, %s) from (%s)\n,
   (unsigned int)err_maj, (unsigned int)err_min, err_msg,
-  bereq-be-name, bereq-be-domain));
+  bereq-be-domain));
 
 break;
 
@@ -712,8 +709,8 @@ static void be_got_pam_reply(DBusPendingCall *pending, void 
*data)
 goto done;
 }
 
-DEBUG(4, (Got reply (%d, %s) from %s(%s)\n, pd-pam_status, 
pd-domain,
-  bereq-be-name, bereq-be-domain));
+DEBUG(4, (Got reply (%d, %s) from (%s)\n, pd-pam_status, pd-domain,
+  bereq-be-domain));
 
 break;
 
@@ -909,8 +906,8 @@ static int dp_backend_destructor(void *ctx)
 struct dp_backend *dpbe = talloc_get_type(ctx, struct dp_backend);
 if (dpbe-dpcli  dpbe-dpcli-dpctx  dpbe-dpcli-dpctx-be_list) {
 DLIST_REMOVE(dpbe-dpcli-dpctx-be_list, dpbe);
-DEBUG(4, (Removed Backend client [%s], for domain [%s]\n,
-  dpbe-name, dpbe-domain));
+DEBUG(4, (Removed Backend client for domain [%s]\n,
+  dpbe-domain));
 }
 return 0

Re: [SSSD] [PATCH] honour enumerate in ldap backend

2009-09-02 Thread Sumit Bose
On Tue, Sep 01, 2009 at 04:35:14PM -0400, Simo Sorce wrote:
 On Tue, 2009-09-01 at 16:33 -0400, Simo Sorce wrote:
  When enumerate is set to false we don't return entries on an enumerating
  getent but we still run the enumeration task.
  
  Obey the enumerate flag and don't start the task if it is set to false.
  
  Simo.
 
 Works better with the actual patch :-)
 

ACK

bye,
Sumit


Re: [SSSD] [PATCH] Fix proxy enumerations with newer tevent

2009-09-02 Thread Sumit Bose
On Tue, Sep 01, 2009 at 04:36:26PM -0400, Simo Sorce wrote:
 newer tevent versions (correctly) fail if loops are nested.
 fix the code to never nest loops.
 
 Simo.
 

If during an enumeration a uid/gid is found which is not in the range,
the whole transaction is canceled and nothing is cached. Is this
expected?

bye,
Sumit


[SSSD] [PATCH] fix libdbus configure check

2009-09-08 Thread Sumit Bose
Hi,

this patch adds some autotools cleanups.

bye,
Sumit
From 9775390adcaa7ad42f78930d9ffa5bbadb85cff5 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Mon, 7 Sep 2009 18:06:21 +0200
Subject: [PATCH] fix libdbus configure check

- remove unneeded CFLAGS component
- do not leak LDFLAGS used by configure check to final Makefile
---
 server/Makefile.am  |1 -
 server/configure.ac |2 ++
 2 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/server/Makefile.am b/server/Makefile.am
index 12ec4b1..e1f7f3b 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -110,7 +110,6 @@ DHASH_LIBS = \
 AM_CPPFLAGS = -Wall \
 -Iinclude \
 -I.. \
--I$(DBUS_CFLAGS) \
 -I$(srcdir)/include \
 -Iinclude \
 -I. \
diff --git a/server/configure.ac b/server/configure.ac
index 3ecd0c3..8e7ea0b 100644
--- a/server/configure.ac
+++ b/server/configure.ac
@@ -65,10 +65,12 @@ m4_include([util/signal.m4])
 
 PKG_CHECK_MODULES([DBUS],[dbus-1])
 if test x$has_dbus != xno; then
+SAFE_LDFLAGS=$LDFLAGS
 LDFLAGS=$DBUS_LIBS
 AC_CHECK_FUNC([dbus_watch_get_unix_fd],
   AC_DEFINE([HAVE_DBUS_WATCH_GET_UNIX_FD], [1],
 [Define if dbus_watch_get_unix_fd exists]))
+LDFLAGS=$SAFE_LDFLAGS
 fi
 
 PKG_CHECK_MODULES([NSS],[nss])
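Review bot: Saving and restoring LDFLAGS fixes the leak into the Makefile, but the check itself still runs with `LDFLAGS=$DBUS_LIBS`, which replaces rather than extends whatever the caller passed in; a user-supplied -L path needed to find libdbus is dropped for the duration of the check, so dbus_watch_get_unix_fd can be reported missing on a host where it links fine otherwise. `LDFLAGS="$SAFE_LDFLAGS $DBUS_LIBS"` keeps both. A one-line comment above the save would also help the next reader, e.g. `# link only this probe against DBUS_LIBS; LDFLAGS is restored below`.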
-- 
1.6.2.5



[SSSD] [PATCH] initialize sockaddr_in structure

2009-09-08 Thread Sumit Bose
Hi,

valgrind told me that the sockaddr_in structure might be used
uninitialized. This patch fixes this and adds some debugging messages I
found useful to follow the usage of the plugin.

bye,
Sumit
From be17f8cefb0b2485fde334d60eddd3dababa1fb1 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Tue, 8 Sep 2009 10:56:33 +0200
Subject: [PATCH] initialize sockaddr_in structure

---
 server/krb5_plugin/sssd_krb5_locator_plugin.c |   10 ++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/server/krb5_plugin/sssd_krb5_locator_plugin.c 
b/server/krb5_plugin/sssd_krb5_locator_plugin.c
index 699cad4..62f5f72 100644
--- a/server/krb5_plugin/sssd_krb5_locator_plugin.c
+++ b/server/krb5_plugin/sssd_krb5_locator_plugin.c
@@ -21,6 +21,10 @@ krb5_error_code sssd_krb5_locator_init(krb5_context context,
 struct sssd_ctx *ctx;
 char *dummy;
 
+#ifdef KRB5_PLUGIN_DEBUG
+fprintf(stderr,sssd_krb5_locator_init called\n);
+#endif
+
 ctx = calloc(1,sizeof(struct sssd_ctx));
 if (ctx == NULL) return ENOMEM;
 
@@ -51,6 +55,10 @@ void sssd_krb5_locator_close(void *private_data)
 {
 struct sssd_ctx *ctx;
 
+#ifdef KRB5_PLUGIN_DEBUG
+fprintf(stderr,sssd_krb5_locator_close called\n);
+#endif
+
 if (private_data == NULL) return;
 
 ctx = (struct sssd_ctx *) private_data;
@@ -73,6 +81,8 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
 struct sockaddr_in addr;
 struct sssd_ctx *ctx;
 
+memset(addr, 0, sizeof(struct sockaddr_in));
+
 if (private_data == NULL) return KRB5_PLUGIN_NO_HANDLE;
 ctx = (struct sssd_ctx *) private_data;
 
-- 
1.6.2.5



Re: [SSSD] Unpleasant warnings

2009-09-08 Thread Sumit Bose
I can see only two warnings:

On Fri, Sep 04, 2009 at 07:32:40PM -0400, Dmitri Pal wrote:
 Steve,
 
 I ran a build today and saw some unpleasant warnings especially about
 the uninitialized variables.
 
 ../../server/providers/ldap/sdap_async.c: In function
 'sdap_get_users_save_done':
 ../../server/providers/ldap/sdap_async.c:1427: warning: 'timestamp' may
 be used uninitialized in this function

Although the code takes care that timestamp is properly initialized, I've
added a '= NULL' to suppress the warning.


 ../../server/db/sysdb.c: In function ‘sysdb_init’:
 ../../server/db/sysdb.c:597: warning: ‘path’ may be used uninitialized
 in this function
 ../../server/tools/sss_useradd.c: In function ‘main’:
 ../../server/tools/sss_useradd.c:386: warning: assignment discards
 qualifiers from pointer target type
 ../../server/tools/sss_useradd.c:424: warning: ‘ret’ is used
 uninitialized in this function
 ../../server/tools/sss_usermod.c: In function ‘main’:
 ../../server/tools/sss_usermod.c:437: warning: assignment discards
 qualifiers from pointer target type
 ../../server/tools/sss_groupmod.c: In function ‘main’:
 ../../server/tools/sss_groupmod.c:373: warning: assignment discards
 qualifiers from pointer target type
 ../../server/responder/nss/nsssrv_cmd.c: In function ‘fill_grent’:
 ../../server/responder/nss/nsssrv_cmd.c:1371: warning: ‘i’ may be used
 uninitialized in this function

count might hold an unexpected value, but in that case fill_grent
returns an error as well.

I cannot see the other warnings, what compiler options and code revision
are you using?

bye,
Sumit
From 08b9b713d3da341c161b1bd6505d9f3968b84f6b Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Tue, 8 Sep 2009 12:08:39 +0200
Subject: [PATCH] fix two possible uninitialized values

---
 server/providers/ldap/sdap_async.c |2 +-
 server/responder/nss/nsssrv_cmd.c  |3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/server/providers/ldap/sdap_async.c 
b/server/providers/ldap/sdap_async.c
index e13fba3..550cb9d 100644
--- a/server/providers/ldap/sdap_async.c
+++ b/server/providers/ldap/sdap_async.c
@@ -1424,7 +1424,7 @@ static void sdap_get_users_save_done(struct tevent_req 
*subreq)
   struct tevent_req);
 struct sdap_get_users_state *state = tevent_req_data(req,
 struct sdap_get_users_state);
-char *timestamp;
+char *timestamp = NULL;
 int ret;
 
 ret = sdap_save_user_recv(subreq, state, timestamp);
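Review bot: The new `= NULL` initialiser on `timestamp` deserves a comment, because the cover letter says the value is always set by the callee and a later reader will otherwise wonder whether NULL is a real state the code below has to handle; e.g. `char *timestamp = NULL; /* set by sdap_save_user_recv() on success; NULL only keeps -Wuninitialized quiet */`. If sdap_save_user_recv() in fact leaves the out-parameter untouched on a failure return, the initialiser also turns a garbage pointer into a NULL the error path can test safely — worth confirming against that function. The rest of sdap_get_users_save_done is outside the hunk.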
diff --git a/server/responder/nss/nsssrv_cmd.c 
b/server/responder/nss/nsssrv_cmd.c
index 88749e9..6bbfede 100644
--- a/server/responder/nss/nsssrv_cmd.c
+++ b/server/responder/nss/nsssrv_cmd.c
@@ -1368,7 +1368,8 @@ static int fill_grent(struct sss_packet *packet,
 size_t nsize;
 size_t delim;
 size_t dom_len;
-int i, ret, num, memnum;
+int i = 0;
+int ret, num, memnum;
 size_t rzero, rsize;
 bool add_domain = dom-fqnames;
 const char *domain = dom-name;
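Review bot: `int i = 0;` silences the warning but records nothing about why `i` alone gets an initialiser while `ret, num, memnum` do not, which reads as if `i` were special; a short comment keeps the intent, e.g. `int i = 0; /* gcc cannot prove the loop below assigns i before use */`. If, as the thread says, an unexpected `count` already makes fill_grent return an error, that is the fact worth stating next to the loop so the initialiser is not mistaken for the fix. fill_grent's body is outside the hunk.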
-- 
1.6.2.5



Re: [SSSD] [PATCH] Split database file to one per domain

2009-09-08 Thread Sumit Bose
On Fri, Sep 04, 2009 at 06:02:09PM -0400, Simo Sorce wrote:
 Hello list.
 
 So far we have been using a single database file for all our caches as
 well as for the local domain.
 
 Initially I used a single database because I thought we could optimize
 some search queries when it came to enumerations. That didn't prove true
 and in effect we are doing always separate searches for different
 domains (in fact the patch was rather simple to write from this pov as
 no searches needed to be touched at all).
 
 Using a single database file for all domains is otherwise a
 disadvantage.
 From a pure security point of view each backend now has its own
 database and cannot screw up other domains data.
 Each domain accesses its backend separately so there is less contention
 when you want to start a transaction.
 The various files are clearly separated, so you can easily just delete
 all the ones named cache-NAME.ldb and not risk deleting the persistent
 data in sssd.ldb
 
 The patch includes also upgrade routines to automatically backup and
 convert the old file into split files, so switching to the new code is
 painless.
 
 All the code was converted to handle the new list of database
 structures. One part that felt odd was the sss_tools. They should really
 only operate on the 'local' domain and nothing else. So attached is also
 a patch that basically reverts most of the changes and just opens the
 'local' database instead. I have not merged them in a single patch
 because I didn't want to mix format changes with functional changes and
 because apparently we may want to be a bit more radical and eliminate
 also the shadow-utils handling at the same time.
 
 I have tested the change and the upgrade as well as starting from
 scratch and all seem to work properly.
 

The patches apply and compile cleanly and are working for me. I have
done some very limited upgrade tests and they worked, too. On the
downside, make check fails, but so far I don't know why, there might be
a problem on my side.

Please find my comments further down in the code, but most of them can
be addressed by later patches. So,

ACK, if you remove the tabs from the patch.

bye,
Sumit
 Simo.
 
 -- 
 Simo Sorce * Red Hat, Inc * New York

 From 00ed861e0b8c05cbd54b04d7b99ced8d790231f6 Mon Sep 17 00:00:00 2001
 From: Simo Sorce sso...@redhat.com
 Date: Thu, 3 Sep 2009 19:29:41 -0400
 Subject: [PATCH 1/2] Split database in multiple files
 
 The special persistent local database retains the original name.
 All other backends now have their own cache-NAME.ldb file.
 ---
  server/Makefile.am |1 +
  server/confdb/confdb.c |   52 ++-
  server/confdb/confdb.h |2 -
  server/confdb/confdb_private.h |2 +
  server/db/sysdb.c  |  770 
 +++-

I think it would make sense to split sysdb.c to sysdb.c, sysdb_init.c
sysdb_upgrade.c or something similar

  server/db/sysdb.h  |   18 +-
  server/db/sysdb_private.h  |   28 +-
  server/monitor/monitor.c   |   17 +-
  server/providers/data_provider_be.c|4 +-
  server/responder/common/responder.h|2 +-
  server/responder/common/responder_common.c |4 +-
  server/responder/nss/nsssrv_cmd.c  |  205 +++-
  server/responder/pam/pam_LOCAL_domain.c|8 +-
  server/responder/pam/pamsrv_cache.c|9 +-
  server/responder/pam/pamsrv_cmd.c  |   29 +-
  server/tests/sysdb-tests.c |5 +-
  server/tools/sss_groupadd.c|   10 +-
  server/tools/sss_groupdel.c|   12 +-
  server/tools/sss_groupmod.c|   18 +-
  server/tools/sss_useradd.c |   16 +-
  server/tools/sss_userdel.c |   12 +-
  server/tools/sss_usermod.c |   18 +-
  server/tools/tools_util.c  |4 +-
  server/tools/tools_util.h  |3 +-
  server/util/backup_file.c  |  119 +
  server/util/util.h |3 +
  26 files changed, 1137 insertions(+), 234 deletions(-)
  create mode 100644 server/util/backup_file.c
 
 diff --git a/server/Makefile.am b/server/Makefile.am
 index 12ec4b1..a56cf01 100644
 --- a/server/Makefile.am
 +++ b/server/Makefile.am
 @@ -160,6 +160,7 @@ SSSD_UTIL_OBJ = \
  util/server.c \
  util/signal.c \
  util/usertools.c \
 + util/backup_file.c \

TAB


  $(SSSD_DEBUG_OBJ)
  
  SSSD_RESPONDER_OBJ = \

.


 --- a/server/db/sysdb.c
 +++ b/server/db/sysdb.c
 @@ -565,6 +565,7 @@ void sysdb_operation_done(struct sysdb_handle *handle)
  
  /* =Initialization */
  
 +#if 0
  static int sysdb_read_var(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,
const char *name,
 @@ -587,123 +588,28 @@ static 

[SSSD] [PATCH] more fixes for older libpcre versions

2009-09-09 Thread Sumit Bose
Hi,

older versions of libpcre only support the Python naming style,
?Pname, for subpatterns. This patch changes our default pattern and
adds some hints about this.

bye,
Sumit
From d5730a503f6d923c1cc21b27d7693a496e13e054 Mon Sep 17 00:00:00 2001
From: sbose sb...@sles10.site
Date: Wed, 9 Sep 2009 12:10:53 +0200
Subject: [PATCH] more fixes for older libpcre versions

- older version of libpcre only support the Python syntax (?Pname)
  for named subpatterns
---
 server/man/sssd.conf.5.xml |7 ++-
 server/util/usertools.c|6 --
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml
index f4cb87a..b64899a 100644
--- a/server/man/sssd.conf.5.xml
+++ b/server/man/sssd.conf.5.xml
@@ -133,7 +133,7 @@
 containing user name and domain into these 
components.
 /para
 para
-Default: 
quote(?lt;namegt;[...@]+)@?(?lt;domaingt;[...@]*$)/quote
+Default: 
quote(?Plt;namegt;[...@]+)@?(?Plt;domaingt;[...@]*$)/quote
 which translates to the name is everything up to 
the
 quote@/quote sign, the domain everything after 
that
 /para
@@ -144,6 +144,11 @@
 libpcre version 7 or higher can support non-unique
 named subpatterns.
 /para
+para
+PLEASE NOTE ALSO: older version of libpcre only
+support the Python syntax (?Plt;namegt;) to label
+subpatterns.
+/para
 /listitem
 /varlistentry
 varlistentry
diff --git a/server/util/usertools.c b/server/util/usertools.c
index 2134839..e4e941a 100644
--- a/server/util/usertools.c
+++ b/server/util/usertools.c
@@ -64,16 +64,18 @@ int sss_names_init(TALLOC_CTX *mem_ctx, struct confdb_ctx 
*cdb, struct sss_names
 
 if (!ctx-re_pattern) {
 ctx-re_pattern = talloc_strdup(ctx,
-(?name[...@]+)@?(?domain[...@]*$));
+(?Pname[...@]+)@?(?Pdomain[...@]*$));
 if (!ctx-re_pattern) {
 ret = ENOMEM;
 goto done;
 }
 #ifdef HAVE_LIBPCRE_LESSER_THAN_7
+} else {
 DEBUG(2, (This binary was build with a version of libpcre that does 
   not support non-unique named subpatterns.\n));
 DEBUG(2, (Please make sure that your pattern [%s] only contains 
-  subpatterns with a unique name.\n, ctx-re_pattern));
+  subpatterns with a unique name and uses 
+  the Python syntax (?Pname).\n, ctx-re_pattern));
 #endif
 }
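Review bot: The added `} else {` sits inside `#ifdef HAVE_LIBPCRE_LESSER_THAN_7` while the closing brace that pairs with it is outside the conditional, so the brace structure of sss_names_init differs between the two build configurations; it compiles, but editor brace matching breaks and the next edit to this block can easily unbalance one of the builds. Emitting the warning ahead of the default-pattern block as its own guarded check keeps both configurations brace-balanced, provided `ctx->re_pattern` is only ever set from the config lookup before this point (that part is outside the hunk). A comment on the `#ifdef` saying the warning is for admin-supplied patterns only would also help. sss_names_init starts and ends outside the hunk.
```c
#ifdef HAVE_LIBPCRE_LESSER_THAN_7
    /* Only an admin-supplied pattern can use unsupported syntax; the
     * built-in default below already uses the Python (?P...) form. */
    if (ctx->re_pattern) {
        /* … unchanged: the two DEBUG(2, ...) warnings … */
    }
#endif
    if (!ctx->re_pattern) {
        /* … unchanged: talloc_strdup of the default pattern, ENOMEM path … */
    }
```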
 
-- 
1.6.2.5



[SSSD] [PATCH] Cleanups for library linking

2009-09-09 Thread Sumit Bose
Hi,

I think the LDAP provider should link against an LDAP library. So far it
only worked, because sssd_be exports all symbols and links against
libldb which links against libldap. 

bye,
Sumit
From 911e1f245e00b95621d1d21e43c688e8973ceb12 Mon Sep 17 00:00:00 2001
From: sbose sb...@sles10.site
Date: Wed, 9 Sep 2009 12:14:07 +0200
Subject: [PATCH] Cleanups for library linking

- remove unused PAM_LIBS from LDAP and Kerberos provider
- add OPENLDAP_LIBS to LDAP provider
---
 server/Makefile.am |3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/server/Makefile.am b/server/Makefile.am
index e7885b3..27ac01d 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -374,7 +374,7 @@ libsss_ldap_la_CFLAGS = \
 $(AM_CFLAGS) \
 $(LDAP_CFLAGS)
 libsss_ldap_la_LIBADD = \
-$(PAM_LIBS)
+$(OPENLDAP_LIBS)
 libsss_ldap_la_LDFLAGS = \
 -version-info 1:0:0 \
 -module
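Review bot: The CFLAGS line two lines above still uses `$(LDAP_CFLAGS)` while the new LIBADD uses `$(OPENLDAP_LIBS)`; unless both names come from the same configure check, one of them is undefined, and automake expands an undefined variable to an empty string without any warning — which would leave libsss_ldap unlinked against libldap exactly as it was before this patch. Worth confirming that configure.ac defines OPENLDAP_LIBS, and renaming one side so the CFLAGS/LIBS pair shares a prefix.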
@@ -396,7 +396,6 @@ libsss_krb5_la_CFLAGS = \
 $(AM_CFLAGS) \
 $(KRB5_CFLAGS)
 libsss_krb5_la_LIBADD = \
-$(PAM_LIBS) \
 $(KRB5_LIBS)
 libsss_krb5_la_LDFLAGS = \
 -version-info 1:0:0 \
-- 
1.6.2.5



Re: [SSSD] [PATCH] Add support for the EntryCacheNoWaitRefreshTimeout

2009-09-09 Thread Sumit Bose
On Wed, Sep 09, 2009 at 08:25:19AM -0400, Stephen Gallagher wrote:
 On 09/09/2009 07:50 AM, Sumit Bose wrote:
  On Tue, Sep 08, 2009 at 08:32:55PM -0400, Stephen Gallagher wrote:
  I have refactored nsssrv_cmd.c and created a new patch for the
  EntryCacheNoWaitRefreshTimeout.
 
  I have created a new function, check_cache() which is a common entry
  point for getpwnam, getpwuid, getgrnam and getgrgid to examine whether
  the cache is still valid.
 
  Addressing other points from the review inline below.
 
 
  On 08/17/2009 11:19 AM, Sumit Bose wrote:
  On Fri, Aug 14, 2009 at 03:46:54PM -0400, Stephen Gallagher wrote:
  This timeout specifies the lifetime of a cache entry before it is
  updated out-of-band. When this timeout is hit, the request will
  still complete from cache, but the SSSD will also go and update
  the cached entry in the background to extend the life of the
  cache entry and reduce the wait time of a future request.
 
  Support for the EnumCacheNoWaitRefreshTimeout is still forthcoming, but
  I wanted to get a formal review on this portion.
 
 
  NACK. I think this patch indicates that nsssrv_cmd.c needs some
  refactoring, please do this before adding more code.
 
 
  Done.
 
  
  Works for me, but can you add a man page entry for
  EnumCacheNoWaitRefreshTimeout ?
  
  bye,
  Sumit
 
 Whoops, forgot to add those to the commit. New patch 0002 attached
 (patch 0001 unaffected)
 
Thanks.

ACK

bye,
Sumit


Re: [SSSD] [PATCH] Add support for the EntryCacheNoWaitRefreshTimeout

2009-09-09 Thread Sumit Bose
On Tue, Sep 08, 2009 at 08:32:55PM -0400, Stephen Gallagher wrote:
 I have refactored nsssrv_cmd.c and created a new patch for the
 EntryCacheNoWaitRefreshTimeout.
 
 I have created a new function, check_cache() which is a common entry
 point for getpwnam, getpwuid, getgrnam and getgrgid to examine whether
 the cache is still valid.
 
 Addressing other points from the review inline below.
 
 
 On 08/17/2009 11:19 AM, Sumit Bose wrote:
  On Fri, Aug 14, 2009 at 03:46:54PM -0400, Stephen Gallagher wrote:
  This timeout specifies the lifetime of a cache entry before it is
  updated out-of-band. When this timeout is hit, the request will
  still complete from cache, but the SSSD will also go and update
  the cached entry in the background to extend the life of the
  cache entry and reduce the wait time of a future request.
 
  Support for the EnumCacheNoWaitRefreshTimeout is still forthcoming, but
  I wanted to get a formal review on this portion.
  
  
  NACK. I think this patch indicates that nsssrv_cmd.c needs some
  refactoring, please do this before adding more code.
  
 
 Done.
 

hmm, I must force myself not to use debugging option while testing
patches ...

I have seen this one:

responder/nss/nsssrv_cmd.c: In function 'nss_cmd_getgrnam_callback':
responder/nss/nsssrv_cmd.c:1728: warning: unused variable 'cache_ctx'


bye,
Sumit


Re: [SSSD] [PATCH] Add support for the EntryCacheNoWaitRefreshTimeout

2009-09-09 Thread Sumit Bose
On Wed, Sep 09, 2009 at 08:58:54AM -0400, Stephen Gallagher wrote:
 On 09/09/2009 08:46 AM, Sumit Bose wrote:
  On Tue, Sep 08, 2009 at 08:32:55PM -0400, Stephen Gallagher wrote:
  I have refactored nsssrv_cmd.c and created a new patch for the
  EntryCacheNoWaitRefreshTimeout.
 
  I have created a new function, check_cache() which is a common entry
  point for getpwnam, getpwuid, getgrnam and getgrgid to examine whether
  the cache is still valid.
 
  Addressing other points from the review inline below.
 
 
  On 08/17/2009 11:19 AM, Sumit Bose wrote:
  On Fri, Aug 14, 2009 at 03:46:54PM -0400, Stephen Gallagher wrote:
  This timeout specifies the lifetime of a cache entry before it is
  updated out-of-band. When this timeout is hit, the request will
  still complete from cache, but the SSSD will also go and update
  the cached entry in the background to extend the life of the
  cache entry and reduce the wait time of a future request.
 
  Support for the EnumCacheNoWaitRefreshTimeout is still forthcoming, but
  I wanted to get a formal review on this portion.
 
 
  NACK. I think this patch indicates that nsssrv_cmd.c needs some
  refactoring, please do this before adding more code.
 
 
  Done.
 
  
  hmm, I must force myself not to use debugging option while testing
  patches ...
  
  I have seen this one:
  
  responder/nss/nsssrv_cmd.c: In function 'nss_cmd_getgrnam_callback':
  responder/nss/nsssrv_cmd.c:1728: warning: unused variable 'cache_ctx'
  
  
  bye,
  Sumit
 
 Thought I had removed all of those. That was in there for when I
 originally thought I would need to return something from check_cache to
 the caller.
 
 New patches attached.
 

ACK

bye,
Sumit


Re: [SSSD] [PATCH] Let the PAM client send its PID

2009-09-11 Thread Sumit Bose
On Fri, Sep 11, 2009 at 09:07:01AM -0400, Stephen Gallagher wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On 09/11/2009 06:13 AM, Sumit Bose wrote:
  Hi,
  
  with this patch the client sends its PID to sssd. This is at least
  needed by the krb5 provider if the client PID should be part of the
  credential cache file.
  
  bye,
  Sumit
  
  
  
  
 
 I'm not a huge fan of the assignment in extract_uint32_t.
 
 Isn't
 *var = (uint32_t)body[*c]);
 the same, or does that throw typecast warnings?
 

no, this is not the same: this takes the byte at body[*c] and casts it to
uint32_t, because body is uint8_t.

 If the latter, then I'd prefer that it at least be written as:
 *var = *(uint32_t *)body[*c];
 
 Using array notation gives an implication I don't like.
 
 Same comment about array notation use in add_uint32_t_item.

My preference would be

*var = *(uint32_t *)(body + *c);

but the other notation was used in the code before I started using it in
the PAM related parts. I think it would make sense to agree on a
notation and change the whole code. Would you mind filing a bug?


 
 
 Also, don't we need to bump the protocol version if we're adding new
 mandatory arguments?

Good point. Shall we make it mandatory? Currently it is only needed if
you want to have the pid in your ccache file (which is not the default).

bye,
Sumit


 - -- 
 Stephen Gallagher
 RHCE 804006346421761
 
 Looking to carve out IT costs?
 www.redhat.com/carveoutcosts/
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.9 (GNU/Linux)
 Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
 
 iEYEARECAAYFAkqqS3EACgkQeiVVYja6o6OvvQCgpCdn9uc8XsrMPdgJFPxIxgqa
 BZkAn3dr6mYITlsKRG04KKFyjENzpXbK
 =wKnD
 -END PGP SIGNATURE-


Re: [SSSD] [PATCH] Let the PAM client send its PID

2009-09-12 Thread Sumit Bose
On Fri, Sep 11, 2009 at 05:46:24PM -0400, Simo Sorce wrote:
 On Fri, 2009-09-11 at 17:10 +0200, Sumit Bose wrote:
  Most of items are not mandatory at the protocol level. If e.g. the
  remote host is not known to the client it is not sent to the server
  and
  the server complains if he really needs it, e.g. the user name.
  
  I haven't put a check like 'if cli_pid==0 do not send to the server'
  because as getpid(2) says These functions are always successful..
  
  On the server side cli_pid is 0 if the client does not send a PID
  item.
  
  I think the way it currently works is the way you are expecting it to
  work.
 
 Will the unpacking function work if the client doesn't send the pid at
 all (ie it is an older client ?).

Yes, it will work. This was one of the main ideas why I have changed the
original protocol some time ago. Every item has an identifier. So it is
always clear for the unpacking function what the next item will be. If
one item is missing, it is just left empty (NULL,0) on the server side.

bye,
Sumit

 If not we probably need to bump up the protocol version so that
 communication will fail much earlier and with clearer errors.
 
 Simo.
 
 
 -- 
 Simo Sorce * Red Hat, Inc * New York
 


Re: [SSSD] [PATCH] Let the PAM client send its PID

2009-09-13 Thread Sumit Bose
On Sat, Sep 12, 2009 at 09:02:34PM -0400, Simo Sorce wrote:
 On Sat, 2009-09-12 at 10:11 +0200, Sumit Bose wrote:
  On Fri, Sep 11, 2009 at 05:46:24PM -0400, Simo Sorce wrote:
   On Fri, 2009-09-11 at 17:10 +0200, Sumit Bose wrote:
Most of items are not mandatory at the protocol level. If e.g. the
remote host is not known to the client it is not sent to the server
and
the server complains if he really needs it, e.g. the user name.

I haven't put a check like 'if cli_pid==0 do not send to the server'
because as getpid(2) says These functions are always successful..

On the server side cli_pid is 0 if the client does not send a PID
item.

I think the way it currently works is the way your are expecting it to
work.
   
   Will the unpacking function work if the client doesn't send the pid at
   all (ie it is an older client ?).
  
  Yes, it will work. This was one of the main ideas why I have changed the
  original protocol some time ago. Every item has an identifier. So it is
  always clear for the unpacking function what the next item will be. If
  one item is missing, it is just left empty (NULL,0) on the server side.
 
 Oh I know the items are recognized by our code, but I am not sure that
 dbus_message_get_args() is as forgiving.
 Or does it just stop getting args when it sees DBUS_TYPE_INVALID even if
 there are more in the actual message ?
 

Internally the cli_pid is always sent, even if it is 0.

Nevertheless,

selfNACK

I have forgotten to put the size of the cli_pid into the protocol. This
might look a bit redundant, but if you have an older server and a newer
client the server does not know about the cli_pid item and how large it
might be. With the size it can jump to the next item on the wire and
continue working with items it knows about.

bye,
Sumit


Re: [SSSD] [PATCH] Make basic options typed

2009-09-14 Thread Sumit Bose
On Mon, Sep 14, 2009 at 08:03:14AM -0400, Stephen Gallagher wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On 09/13/2009 10:38 AM, Simo Sorce wrote:
  This patch finally allows us to define the type for basic options.
  It uses a union to store different types, and an enum to list the
  allowed types.
  It also provides for helper functions that always check the type to
  safely retrieve data, or scream loudly if we messed up.
  
  This allowed me to remove all but 1 special option that was a duplicate
  made only to avoid converting from string to int every time we needed to
  get an option.
  The only remaining special case is the schema type, because that is a
  special string to special number translation. But these kind of options
  (another is tls_reqcert) are rare enough that we can avoid trying to
  make special handlers for them too.
  
  Currently there are 4 types supported: string, blob, number, boolean.
  String has 2 subtypes, const and non const, but they are not enforced
  (you can assign a const string and then re-read it as non-const). But
  this is not really a problem, as values are always copied in the init
  functions, furthermore, although you can get values as non-const they
  should always be regarded a immutable strings as the value returned is
  the actual string saved in the option, so changing it, means changing
  the configuration.
  
  I think we can later take this code and make it generic in the provider
  backend code, so that all backends can use it. It should be easy enough
  to do.
  
  Simo.
  
  
  
  
  
 
 Nack. Generates a segfault running getent passwd u...@ldap
 

I cannot reproduce this with my setup, but

providers/ldap/ldap_id.c:982: warning: 'ldap_id_cleanup_done' defined
but not used

and there are some typos in the title and description of the patch.

bye,
Sumit


Re: [SSSD] [PATCH] Make offline status backend global

2009-09-14 Thread Sumit Bose
On Mon, Sep 14, 2009 at 11:30:44AM -0400, Simo Sorce wrote:
 On Mon, 2009-09-14 at 07:48 -0400, Stephen Gallagher wrote:
  Just a nitpick, but why did you replace sbus_conn_send_reply() in
  be_check_online with sbus_get_connection and dbus_connection_send()?
  They are functionally identical. (except that sbus_conn_send_reply()
  can
  get the connection in one fewer stack frame, since it can access the
  sbus_connection object directly)
 
 I merged together what previously was an async request.
 It was only asking the id provider about offline status.
 Since now the offline status is directly accessible by the
 dp_provider_be.c there is no need to make a request to any provider, we
 directly return the answer to dp. (this call is not used by anything
 anyway so far but we were planning to use it to force a backend to go
 offline so it will come handy later on).
 
  Assuming I'm reading this correctly, we're talking about considering a
  single backend process as being online or offline as a whole. Why is
  this dependent only on the ID provider for the backend?
 
 It isn't, attached new patch that add be_mark_offline() calls also to
 the auth backends.
 
  Shouldn't we
  consider that if the authentication module or password change modules
  are offline that we are offline?
 
 yes, should be fixed in the new patch, now.
 
  Furthermore, even if the ID provider is offline, if we have cached
  user
  information that allows us to initiate a connection to a still-live
  authentication provider, isn't that perfectly reasonable?
 
 No, also because this is just an initial patch to start building
 infrastructure. If you remember we discussed the idea or allowing the
 monitor to put a backend forcibly offline, in that case all providers
 must respect this. Further more during auth we want to always refresh
 users, so if the id part is not available we can as well auth from the
 cached password (if caching passwords is allowed).
 
 This infrastructure is also need for DNS discovery later, where we want
 a central place to tell a specific server is unreachable.
 
 In any case I would rather put the infrastructure in place now, and
 tweak specific behaviors later.
 
  I'd argue that if any ONE of the modules was the ultimate determinator
  of online/offline status, it should be authentication rather than
  identification.
 
 Nope the auth module contacts the servers more rarely than the id
 backend (auths are rare compared to requests to get id information), so
 normally the ID backend is more qualified. In any case I am not going to
 make any provider king, all of them should be able to signal that
 servers are unreachable.
 
  Code itself is sensible, so this is a Nack until you can convince me
  that the approach itself is right.
 
 Let's see if the new patch and explanations are enough :)
 
 Simo.
 

I agree, this patch is a good starting point and we can add fine tuning
later.

ACK.

bye,
Sumit


[SSSD] [PATCH] added child timeout handler

2009-09-14 Thread Sumit Bose
Hi,

this patch adds timeout handling for the kerberos children. If a child
needs more than krb5auth_timeout seconds to send a response it is killed
and the backend is marked offline.

bye,
Sumit
From 4104863d945c66e947f47af6cde9141646bf51ce Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Mon, 14 Sep 2009 19:35:14 +0200
Subject: [PATCH] added child timeout handler

---
 server/man/sssd-krb5.5.xml|   14 ++
 server/providers/krb5/krb5_auth.c |   93 ++--
 server/providers/krb5/krb5_auth.h |3 +
 3 files changed, 104 insertions(+), 6 deletions(-)

diff --git a/server/man/sssd-krb5.5.xml b/server/man/sssd-krb5.5.xml
index 4b26c02..234b194 100644
--- a/server/man/sssd-krb5.5.xml
+++ b/server/man/sssd-krb5.5.xml
@@ -162,6 +162,20 @@
 /listitem
 /varlistentry
 
+varlistentry
+termkrb5auth_timeout (integer)/term
+listitem
+para
+Timeout in seconds after an online authentication 
or
+change password request is aborted. If possible the
+authentication request is continued offline.
+/para
+para
+Default: 15
+/para
+/listitem
+/varlistentry
+
 /variablelist
 /para
 /refsect1
diff --git a/server/providers/krb5/krb5_auth.c 
b/server/providers/krb5/krb5_auth.c
index 0fb74dd..03e7903 100644
--- a/server/providers/krb5/krb5_auth.c
+++ b/server/providers/krb5/krb5_auth.c
@@ -158,13 +158,73 @@ static void fd_nonblocking(int fd) {
 return;
 }
 
-static void krb5_cleanup(struct krb5child_req *kr)
+static void krb5_child_timeout(struct tevent_context *ev,
+   struct tevent_timer *te,
+   struct timeval tv, void *pvt)
 {
-if (kr == NULL) return;
+struct krb5child_req *kr = talloc_get_type(pvt, struct krb5child_req);
+struct be_req *be_req = kr-req;
+struct pam_data *pd = kr-pd;
+int ret;
 
-memset(kr, 0, sizeof(struct krb5child_req));
+if (kr-timeout_handler == NULL) {
+return;
+}
+
+DEBUG(9, (timeout for child [%d] reached.\n, kr-child_pid));
+
+ret = kill(kr-child_pid, SIGKILL);
+if (ret == -1) {
+DEBUG(1, (kill failed [%d][%s].\n, errno, strerror(errno)));
+}
 
 talloc_zfree(kr);
+
+pd-pam_status = PAM_AUTHINFO_UNAVAIL;
+be_mark_offline(be_req-be_ctx);
+
+be_req-fn(be_req, pd-pam_status, NULL);
+}
+
+static errno_t activate_child_timeout_handler(struct krb5child_req *kr)
+{
+struct timeval tv;
+
+tv = tevent_timeval_current();
+tv = tevent_timeval_add(tv, kr-krb5_ctx-auth_timeout, 0);
+kr-timeout_handler = tevent_add_timer(kr-req-be_ctx-ev, kr, tv,
+   krb5_child_timeout, kr);
+if (kr-timeout_handler == NULL) {
+DEBUG(1, (tevent_add_timer failed.\n));
+return ENOMEM;
+}
+
+return EOK;
+}
+
+static int krb5_cleanup(void *ptr)
+{
+int ret;
+struct krb5child_req *kr = talloc_get_type(ptr, struct krb5child_req);
+
+if (kr == NULL) return EOK;
+
+if (kr-read_from_child_fd != -1) {
+ret = close(kr-read_from_child_fd);
+if (ret != EOK) {
+DEBUG(1, (close failed [%d][%s].\n, errno, strerror(errno)));
+}
+}
+if (kr-write_to_child_fd != -1) {
+ret = close(kr-write_to_child_fd);
+if (ret != EOK) {
+DEBUG(1, (close failed [%d][%s].\n, errno, strerror(errno)));
+}
+}
+
+memset(kr, 0, sizeof(struct krb5child_req));
+
+return EOK;
 }
 
 static errno_t krb5_setup(struct be_req *req, struct krb5child_req **krb5_req,
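Review bot: `kill(kr->child_pid, SIGKILL)` in krb5_child_timeout is issued without checking that child_pid holds a live child; should the field still be 0 or negative when the timer fires, kill(2) signals the whole process group instead of one child, so a guard such as `if (kr->child_pid <= 0) { DEBUG(1, ("no child pid, nothing to kill.\n")); } else if (kill(kr->child_pid, SIGKILL) == -1) { ... }` keeps the handler from ever becoming a group-wide kill. The killed child must also be reaped somewhere (waitpid) or it remains a zombie; I cannot see from this hunk where that happens. `pd` and `be_req` are dereferenced after `talloc_zfree(kr)`, which is only safe if neither is allocated under kr — krb5_setup appears to take both from its caller, so a comment `/* pd and be_req are owned by the caller and outlive kr */` above the free would record that assumption. In krb5_cleanup, close() reports failure with -1, so `if (ret != EOK)` works only because EOK happens to be 0; `if (ret == -1)` matches the kill() check above.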
@@ -186,6 +246,9 @@ static errno_t krb5_setup(struct be_req *req, struct 
krb5child_req **krb5_req,
 err = ENOMEM;
 goto failed;
 }
+kr-read_from_child_fd = -1;
+kr-write_to_child_fd = -1;
+talloc_set_destructor((TALLOC_CTX *) kr, krb5_cleanup);
 
 kr-pd = pd;
 kr-req = req;
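Review bot: `talloc_set_destructor((TALLOC_CTX *) kr, krb5_cleanup)` casts the context to TALLOC_CTX *, which discards the type information talloc's macro can use (where typeof is available) to check that the destructor matches the object; declaring `static int krb5_cleanup(struct krb5child_req *kr)` and writing `talloc_set_destructor(kr, krb5_cleanup);` keeps that check and makes the talloc_get_type in the destructor unnecessary. The destructor is registered only after both fd fields are set to -1, which is the right order, but a comment `/* destructor closes the pipe fds; -1 marks them as not yet opened */` would make that dependency explicit. krb5_setup continues outside this hunk.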
@@ -204,7 +267,7 @@ static errno_t krb5_setup(struct be_req *req, struct 
krb5child_req **krb5_req,
 return EOK;
 
 failed:
-krb5_cleanup(kr);
+talloc_zfree(kr);
 
 return err;
 }
@@ -310,6 +373,11 @@ static errno_t fork_child(struct krb5child_req *kr)
 fd_nonblocking(kr-read_from_child_fd);
 fd_nonblocking(kr-write_to_child_fd);
 
+err = activate_child_timeout_handler(kr);
+if (err != EOK) {
+DEBUG(1, (activate_child_timeout_handler failed.\n));
+}
+
 } else { /* error */
 err = errno;
 DEBUG(1, (fork failed [%d][%s].\n, errno, strerror(errno)));
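Review bot: A failure of activate_child_timeout_handler is only logged, yet at this point the child is already forked and its pipes set non-blocking, so the outcome depends on what fork_child does with `err` after this hunk (the function's end is outside the view): if err is returned, the caller sees ENOMEM while the child keeps running on open pipes; if err is overwritten, the request proceeds with no timeout and a hung child is never killed. Either way the intent should be explicit, e.g. `if (err != EOK) { DEBUG(1, ("activate_child_timeout_handler failed.\n")); goto <cleanup label>; }` jumping to code that kills and reaps the child and closes both fds, or a comment stating that running without a timeout is an accepted degradation.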
@@ -430,6 +498,7 @@ static struct tevent_req *handle_child_send(TALLOC_CTX 
*mem_ctx, struct tevent_c
 
 ret = write(kr-write_to_child_fd, buf

Re: [SSSD] [PATCH] Send debug messages to logfile

2009-09-24 Thread Sumit Bose
On Thu, Sep 24, 2009 at 11:56:00AM +0200, Jakub Hrozek wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On 09/23/2009 07:16 PM, Jakub Hrozek wrote:
  Introduces a new option --debug-to-files which makes SSSD output its
  debug information to a file instead of stderr, which is still the
  default.
  
  Also introduces a new confdb option debug_to_files which does the same,
  but can be specified per-service in the config file.
  
  The logfiles are stored in /var/log/sssd by default.
  
  I also removed two lines in Makefile.am that still referenced
  shadow-utils, don't think it warrants a separate patch.
  
  Jakub
 
 I accidentally sent a patch from branch with the confdb 2.0 changes, so
 it did not apply cleanly. Resending.

Hi,

is it possible to open the debug file earlier in server_setup to catch
all messages from server_setup?

bye,
Sumit


[SSSD] [PATCH] declare hostip only in debug mode

2009-09-24 Thread Sumit Bose
Hi,

this patch suppresses a compiler warning when KRB5_PLUGIN_DEBUG is not
set, which is the common case.

bye,
Sumit
From bc6076e2cf15cfe63afee133921063a12a611eec Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Thu, 24 Sep 2009 14:28:33 +0200
Subject: [PATCH] declare hostip only in debug mode

---
 server/krb5_plugin/sssd_krb5_locator_plugin.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/server/krb5_plugin/sssd_krb5_locator_plugin.c 
b/server/krb5_plugin/sssd_krb5_locator_plugin.c
index 82ab8e9..18e47c4 100644
--- a/server/krb5_plugin/sssd_krb5_locator_plugin.c
+++ b/server/krb5_plugin/sssd_krb5_locator_plugin.c
@@ -117,12 +117,12 @@ krb5_error_code sssd_krb5_locator_lookup(void 
*private_data,
 int ret;
 struct addrinfo *ai;
 struct sssd_ctx *ctx;
-char hostip[NI_MAXHOST];
 
 if (private_data == NULL) return KRB5_PLUGIN_NO_HANDLE;
 ctx = (struct sssd_ctx *) private_data;
 
 #ifdef KRB5_PLUGIN_DEBUG
+char hostip[NI_MAXHOST];
 fprintf(stderr,sssd_realm[%s] requested realm[%s] family[%d] 
socktype[%d] locate_service[%d]\n,
ctx-sssd_realm, realm, family, socktype, svc);
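Review bot: Moving `char hostip[NI_MAXHOST];` below the two statements turns it into a mixed declaration, which needs C99 and differs from the rest of this function, where locals are declared at the top; the usual way to silence the unused-variable warning while keeping declarations together is to wrap the declaration in the same `#ifdef KRB5_PLUGIN_DEBUG` at the top of the block, or to open a brace scope inside the `#ifdef` where hostip is actually used. The body of sssd_krb5_locator_lookup continues beyond this hunk, so I cannot see where hostip is consumed.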
-- 
1.6.2.5



Re: [SSSD] [PATCH] declare hostip only in debug mode

2009-09-24 Thread Sumit Bose
On Thu, Sep 24, 2009 at 09:09:04AM -0400, Simo Sorce wrote:
 On Thu, 2009-09-24 at 14:39 +0200, Sumit Bose wrote:
  Hi,
  
  this patch suppresses a compiler warning when KRB5_PLUGIN_DEBUG is not
  set, which is the common case.
 
 Sumit,
 would it be possible to use an env variable to control debug instead of
 a compile time define ? That would solve it more neatly and also make it
 simple to activate debugging at will.
 
 Simo.
 

Thanks, very nice idea. I will set it automatically if the debug level
of the Kerberos provider is 5 or higher and anyone is free to set it
explicitly when needed.

bye,
Sumit


[SSSD] [PATCH] toggle debug output of sssd_krb5_locator_plugin with an environment variable [was: [PATCH] declare hostip only in debug mode]

2009-09-24 Thread Sumit Bose
On Thu, Sep 24, 2009 at 03:21:49PM +0200, Sumit Bose wrote:
 On Thu, Sep 24, 2009 at 09:09:04AM -0400, Simo Sorce wrote:
  On Thu, 2009-09-24 at 14:39 +0200, Sumit Bose wrote:
   Hi,
   
   this patch suppresses a compiler warning when KRB5_PLUGIN_DEBUG is not
   set, which is the common case.
  
  Sumit,
  would it be possible to use an env variable to control debug instead of
  a compile time define ? That would solve it more neatly and also make it
  simple to activate debugging at will.
  
  Simo.
  
 
 Thanks, very nice idea. I will set it automatically if the debug level
 of the Kerberos provider is 5 or higher and anyone is free to set it
 explicit when needed.
 

ok, I have only implemented the explicit way so far, because the
other way might interfere with the debug_to_files scheme.

A man page for the locator plugin will be in another patch I will send
soon.

bye,
Sumit
From 1f4a55686ab0e3b9b30dccc266e422d0e6a538a9 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Thu, 24 Sep 2009 14:28:33 +0200
Subject: [PATCH] toggle debug output of sssd_krb5_locator_plugin with an 
environment variable

---
 server/krb5_plugin/sssd_krb5_locator_plugin.c |   91 +++--
 1 files changed, 55 insertions(+), 36 deletions(-)

diff --git a/server/krb5_plugin/sssd_krb5_locator_plugin.c 
b/server/krb5_plugin/sssd_krb5_locator_plugin.c
index 82ab8e9..7ccdb3f 100644
--- a/server/krb5_plugin/sssd_krb5_locator_plugin.c
+++ b/server/krb5_plugin/sssd_krb5_locator_plugin.c
@@ -17,7 +17,7 @@
 You should have received a copy of the GNU General Public License
 along with this program.  If not, see http://www.gnu.org/licenses/.
 */
-
+#define _GNU_SOURCE
 #include sys/socket.h
 #include netinet/in.h
 #include arpa/inet.h
@@ -33,11 +33,40 @@
 
 #include providers/krb5/krb5_auth.h
 
+#define SSSD_KRB5_LOCATOR_DEBUG SSSD_KRB5_LOCATOR_DEBUG
+#define DEBUG_KEY [sssd_krb5_locator] 
+#define DEBUG(body) do { \
+if (ctx-debug) { \
+debug_fn body; \
+} \
+} while(0);
+
 struct sssd_ctx {
 char *sssd_realm;
 struct addrinfo *sssd_kdc_addrinfo;
+bool debug;
 };
 
+void debug_fn(const char *format, ...)
+{
+va_list ap;
+char *s = NULL;
+int ret;
+
+va_start(ap, format);
+
+ret = vasprintf(s, format, ap);
+if (ret  0) {
+/* ENOMEM */
+return;
+}
+
+va_end(ap);
+
+fprintf(stderr, DEBUG_KEY %s, s);
+free(s);
+}
+
 krb5_error_code sssd_krb5_locator_init(krb5_context context,
void **private_data)
 {
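Review bot: debug_fn returns without `va_end(ap)` when vasprintf fails, so the error path leaves the va_list unfinished, which is undefined behaviour; move `va_end(ap);` directly after the `vasprintf` call, ahead of the `if (ret < 0)` check. Two smaller points in the same hunk: `debug_fn` is not `static`, so the plugin exports it into every process that loads the shared object, and the DEBUG macro ends in `while(0);` — the trailing semicolon makes `if (x) DEBUG(...); else ...` a syntax error, so drop it from the macro. A comment on the macro noting that it silently relies on a local named `ctx` being in scope would also help the next reader.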
@@ -45,14 +74,17 @@ krb5_error_code sssd_krb5_locator_init(krb5_context context,
 const char *dummy;
 int ret;
 
-
-#ifdef KRB5_PLUGIN_DEBUG
-fprintf(stderr,sssd_krb5_locator_init called\n);
-#endif
-
 ctx = calloc(1,sizeof(struct sssd_ctx));
 if (ctx == NULL) return ENOMEM;
 
+dummy = getenv(SSSD_KRB5_LOCATOR_DEBUG);
+if (dummy == NULL) {
+ctx-debug = false;
+} else {
+ctx-debug = true;
+DEBUG((sssd_krb5_locator_init called\n));
+}
+
 dummy = getenv(SSSD_KRB5_REALM);
 if (dummy == NULL) goto failed;
 ctx-sssd_realm = strdup(dummy);
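Review bot: `ctx->debug` is taken from the environment of whichever process loaded the plugin, and any value of SSSD_KRB5_LOCATOR_DEBUG, including an empty string, turns the output on. Because libkrb5 plugins are also loaded into privileged and set-user-ID programs, the environment is not necessarily under the control of the user the process runs as; if that matters here, a guard such as `if (getuid() != geteuid()) { ctx->debug = false; }` before honouring the variable would confine debug output to unprivileged callers. A one-line comment above the getenv call stating that presence alone (not a value) enables debugging would document the current behaviour.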
@@ -63,14 +95,10 @@ krb5_error_code sssd_krb5_locator_init(krb5_context context,
 
 ret = getaddrinfo(dummy, kerberos, NULL, ctx-sssd_kdc_addrinfo);
 if (ret != 0) {
-#ifdef KRB5_PLUGIN_DEBUG
-fprintf(stderr,getaddrinfo failed [%d][%s].\n, ret,
- gai_strerror(ret));
+DEBUG((getaddrinfo failed [%d][%s].\n, ret, gai_strerror(ret)));
 if (ret == EAI_SYSTEM) {
-fprintf(stderr,getaddrinfo failed [%d][%s].\n, errno,
- strerror(errno));
+DEBUG((getaddrinfo failed [%d][%s].\n, errno, strerror(errno)));
 }
-#endif
 goto failed;
 }
 
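Review bot: The `errno` handed to the second DEBUG call is read after the first DEBUG call has already run gai_strerror(), vasprintf() and fprintf(), any of which may overwrite errno, so the EAI_SYSTEM branch can report the wrong error. Save it first with `int saved_errno = errno;` immediately after the getaddrinfo() call and log `saved_errno` and `strerror(saved_errno)` instead. This only shows when ctx->debug is set, since the macro expands to nothing otherwise, which makes the mis-report harder to notice.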
@@ -91,13 +119,11 @@ void sssd_krb5_locator_close(void *private_data)
 {
 struct sssd_ctx *ctx;
 
-#ifdef KRB5_PLUGIN_DEBUG
-fprintf(stderr,sssd_krb5_locator_close called\n);
-#endif
-
 if (private_data == NULL) return;
 
 ctx = (struct sssd_ctx *) private_data;
+DEBUG((sssd_krb5_locator_close called\n));
+
 freeaddrinfo(ctx-sssd_kdc_addrinfo);
 free(ctx-sssd_realm);
 free(ctx);
@@ -122,11 +148,9 @@ krb5_error_code sssd_krb5_locator_lookup(void 
*private_data,
 if (private_data == NULL) return KRB5_PLUGIN_NO_HANDLE;
 ctx = (struct sssd_ctx *) private_data;
 
-#ifdef KRB5_PLUGIN_DEBUG
-fprintf(stderr,sssd_realm[%s] requested realm[%s] family[%d] 
-   socktype[%d] locate_service[%d]\n,
-   ctx-sssd_realm, realm, family, socktype, svc);
-#endif
+DEBUG((sssd_realm[%s] requested realm[%s] family[%d] socktype[%d] 
+  locate_service[%d]\n, ctx-sssd_realm, realm, family, socktype,
+  svc));
 
 switch (svc) {
 case locate_service_kdc:
@@ -161,33 +185,28 @@ krb5_error_code

[SSSD] [PATCH] add defines for large file support to standard CFLAGS

2009-09-25 Thread Sumit Bose
Hi,

this patch fixes a compiler warning about the redefinition of
SIZEOF_OFF_T on 32bit systems. It's not very elegant, but I don't know
of a portable way to check if python was compiled with large file
support. If anyone knows, please enlighten me.

It is possible that this patch leads to problems on systems where
python was compiled without large file support, but I think most will
have it.

bye,
Sumit
From d28d33218bad200da3781921e1a98a095660121a Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Fri, 25 Sep 2009 17:12:06 +0200
Subject: [PATCH] add defines for large file support to standard CFLAGS

- this fixes a compiler warning about the redefinition of
  SIZEOF_OFF_T in the python bindings, because python is
  compiled with large file support.
---
 server/configure.ac |2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/server/configure.ac b/server/configure.ac
index 03d2885..422429b 100644
--- a/server/configure.ac
+++ b/server/configure.ac
@@ -14,6 +14,8 @@ AC_DEFUN([SMB_ENABLE], [echo -n ])
 AC_INIT([sss_daemon],
 m4_esyscmd([cat ../VERSION |head -n1 | tr -d '\n']),
 [sssd-de...@lists.fedorahosted.org])
+CFLAGS=$CFLAGS -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE 
-D_LARGEFILE64_SOURCE
+
 AC_CONFIG_SRCDIR([conf_macros.m4])
 AC_CONFIG_AUX_DIR([build])
 
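Review bot: Appending `-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE` to CFLAGS this early also overrides whatever the user passed on the configure command line and hard-codes the answer the description says could not be probed for; autoconf already provides `AC_SYS_LARGEFILE`, which tests whether the defines are needed and records `_FILE_OFFSET_BITS` in config.h, so `AC_SYS_LARGEFILE` placed once the compiler is set up would replace the CFLAGS line and address the portability worry. Whether Python's off_t then agrees still depends on how Python itself was built, so a one-line comment next to the macro recording that assumption would help.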
-- 
1.6.2.5



[SSSD] [PATCH] remove krb5_try_simple_upn option and make it a default fallback [was: [PATCH] extend sssd-krb5 man page]

2009-09-25 Thread Sumit Bose
On Fri, Sep 25, 2009 at 09:40:49AM -0400, Stephen Gallagher wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On 09/25/2009 09:09 AM, Sumit Bose wrote:
  Hi,
  
  this patch to the sssd-krb5 man page should clarify how the krb5
  provider will find the right UPN.
  
  This hopefully fixes #204.
  
  Please fell free to correct any grammar or spelling mistakes.
  
  bye,
  Sumit
  
  
  
  
 
 Just a few minor nitpicks.
 1) Please rebase atop the current master.
 
 I'd rewrite the following paragraph:
 The Kerberos 5 authentication backend does not contain an identity
 provider. But some useful information can only be delivered by an
 identity provider, e.g. the User's Principle Name (UPN). If the
 identity provider knows the UPN, e.g. this is the case in Active
 Directory or FreeIPA domains, it can be saved in
 commandsssd's/command internal cache and used by the Kerberos 5
 authentication backend. Please refer to the man page of the used
 identity provider to see how to configure this.
 
 as
 
 The Kerberos 5 authentication backend does not contain an identity
 provider and must be paired with one in order to function properly (for
 example, id_provider = ldap). Some information required by the Kerberos
 5 authentication backend must be provided by the identity provider, such
 as the user's Kerberos Principal Name (UPN). The configuration of the
 identity provider should have an entry to specify the UPN. Please refer
 to the man page for the applicable identity provider for details on how
 to configure this.
 
 
 Under krb5try_simple_upn, please change an User Principal Name to a
 User Principal Name. I'd also recommend that the last sentence read:
 In this case, SSSD will construct a UPN using the format
 replaceableusername/replaceable@replaceablekrb5_realm/replaceable
 

After some discussion it became clear that it might be easier to drop
the krb5try_simple_upn option altogether and make the logic behind it the
default fallback if the UPN cannot be found in sysdb. This patch does
exactly that.

Stephen's comments are included in the updated man page.

bye,
Sumit
From 0467eec9839acc9260d40b8e8b8497320def1b4d Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Fri, 25 Sep 2009 17:35:56 +0200
Subject: [PATCH] remove krb5_try_simple_upn option and make it a default 
fallback

---
 server/confdb/confdb.h|1 -
 server/man/sssd-krb5.5.xml|   30 --
 server/providers/krb5/krb5_auth.c |9 +
 server/providers/krb5/krb5_auth.h |1 -
 4 files changed, 17 insertions(+), 24 deletions(-)

diff --git a/server/confdb/confdb.h b/server/confdb/confdb.h
index eef9a26..8f64be4 100644
--- a/server/confdb/confdb.h
+++ b/server/confdb/confdb.h
@@ -100,7 +100,6 @@
 #define CONFDB_KRB5_REALM krb5_realm
 #define CONFDB_KRB5_CCACHEDIR krb5_ccachedir
 #define CONFDB_KRB5_CCNAME_TMPL krb5_ccname_template
-#define CONFDB_KRB5_TRY_SIMPLE_UPN krb5_try_simple_upn
 #define CONFDB_KRB5_CHANGEPW_PRINC krb5_changepw_principle
 #define CONFDB_KRB5_AUTH_TIMEOUT krb5_auth_timeout
 
diff --git a/server/man/sssd-krb5.5.xml b/server/man/sssd-krb5.5.xml
index 4de8991..0a46779 100644
--- a/server/man/sssd-krb5.5.xml
+++ b/server/man/sssd-krb5.5.xml
@@ -32,6 +32,22 @@
 manvolnum5/manvolnum
 /citerefentry manual page
 /para
+para
+The Kerberos 5 authentication backend does not contain an identity
+provider and must be paired with one in order to function properly 
(for
+example, id_provider = ldap). Some information required by the 
Kerberos
+5 authentication backend must be provider by the identity 
provider, such
+as the user's Kerberos Principal Name (UPN). The configuration of 
the
+identity provider should have an entry to specify the UPN. Please 
refer
+to the man page for the applicable identity provider for details 
on how
+to configure this.
+/para
+para
+In the case where the UPN is not available in the identity backend
+commandsssd/command will construct a UPN using the format
+
replaceableusername/replaceable@replaceablekrb5_realm/replaceable.
+/para
+
 /refsect1
 
 refsect1 id='file-format'
@@ -64,20 +80,6 @@
 /varlistentry
 
 varlistentry
-termkrb5_try_simple_upn (boolean)/term
-listitem
-para
-Set this option to 'true'
-if an User Principle Name (UPN) cannot be found in 
sysdb
-and you want to use an UPN like 'usern...@realm

[SSSD] [PATCH] update sysdb tests to new config file version

2009-09-28 Thread Sumit Bose
Hi,

this patch should make sysdb tests happy again.

bye,
Sumit
From cd13b1e84e8b9f972851e07857d6a547c6077677 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Mon, 28 Sep 2009 16:58:31 +0200
Subject: [PATCH] update sysdb tests to new config file version

---
 server/tests/sysdb-tests.c |8 
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/server/tests/sysdb-tests.c b/server/tests/sysdb-tests.c
index 424393c..8b4cc75 100644
--- a/server/tests/sysdb-tests.c
+++ b/server/tests/sysdb-tests.c
@@ -90,7 +90,7 @@ static int setup_sysdb_tests(struct sysdb_test_ctx **ctx)
 
 val[0] = LOCAL;
 ret = confdb_add_param(test_ctx-confdb, true,
-   config/domains, domains, val);
+   config/sssd, domains, val);
 if (ret != EOK) {
 fail(Could not initialize domains placeholder);
 talloc_free(test_ctx);
@@ -99,7 +99,7 @@ static int setup_sysdb_tests(struct sysdb_test_ctx **ctx)
 
 val[0] = local;
 ret = confdb_add_param(test_ctx-confdb, true,
-   config/domains/LOCAL, provider, val);
+   config/domain/LOCAL, id_provider, val);
 if (ret != EOK) {
 fail(Could not initialize provider);
 talloc_free(test_ctx);
@@ -108,7 +108,7 @@ static int setup_sysdb_tests(struct sysdb_test_ctx **ctx)
 
 val[0] = TRUE;
 ret = confdb_add_param(test_ctx-confdb, true,
-   config/domains/LOCAL, magicPrivateGroups, val);
+   config/domain/LOCAL, magicPrivateGroups, val);
 if (ret != EOK) {
 fail(Could not initialize LOCAL domain);
 talloc_free(test_ctx);
@@ -117,7 +117,7 @@ static int setup_sysdb_tests(struct sysdb_test_ctx **ctx)
 
 val[0] = TRUE;
 ret = confdb_add_param(test_ctx-confdb, true,
-   config/domains/LOCAL, enumerate, val);
+   config/domain/LOCAL, enumerate, val);
 if (ret != EOK) {
 fail(Could not initialize LOCAL domain);
 talloc_free(test_ctx);
-- 
1.6.2.5



Re: [SSSD] [PATCH] Add config_from_fd() to ini_config

2009-09-28 Thread Sumit Bose
On Mon, Sep 28, 2009 at 02:50:30PM -0400, Stephen Gallagher wrote:
 On 09/28/2009 01:46 PM, Dmitri Pal wrote:
  Stephen Gallagher wrote:
  On 09/28/2009 09:55 AM, Simo Sorce wrote:

  On Mon, 2009-09-28 at 09:38 -0400, Stephen Gallagher wrote:
  
  The SSSD needs a config_from_fd() variant of the config_from_file()
  call
  so that we can preopen a config file and perform some verification on
  it
  before parsing it. The config_from_fd() call is used to avoid race
  conditions between testing the file and reading it in.
 
  Note: the *_from_fd() functions still require the config file name for
  internal information. This does not imply that it is used to open the
  file.

  I think it is better not to require a file name, and, internally, just
  use something like dummy or a random string like the process pid etc..
 
  This way there is no risk that someone may accidentally change the code
  later to re-open the file or something like that, if that is done it
  will immediately break when it tries to open dummy (hopefully :-)
 
  Simo.
 
  
 
  New version does not require the file name for the _from_fd() functions.
  It will create a string dummy_fd to use for the config file name
  internally.
 
 
 

  
 
  Nack:
  
  Had an IRC conversation with Steven:
  
  dpal sgallagh, why do you need dummy thing
  dpal sgallagh, I would have done it differently
  dpal I mean the internal layers
  sgallagh dpal: I added the dummy thing so that there was always a
  unique identifier at the top level of the collection
  sgallagh dpal: If you would like to recommend an alternative approach,
  please nack the patch and provide suggestions. I'm all ears :)
  dpal sgallagh, then this is something that the app should pass in
  together with fd
  dpal if the app opened the file it should say how to name it
  sgallagh dpal: Look at the history, I did that at first and it was nacked.
  sgallagh s/history/email thread/
  dpal I have seen Simo's comment but I do not think we are talking
  about same thing
  sgallagh dpal: Perhaps you can clarify, then?
  dpal The filename is used in the low level function in only one place
  besides the opening the file - to name the collection
  sgallagh right
  sgallagh So I just gave it the name dummy_fd if it was opened as an
  fd instead of directly opening a file path.
  dpal It is done in the error list only
  dpal It is done for error reporting purpose
  dpal You do not want to return error list back to caller with text
  errors parsing dymmy_123
  dpal sgallagh, the only value of having the file name in the error
  list is to report back the error in the file. 
  * sgallagh nods
  dpal sgallagh, If the caller handles the file it should name it or
  there should be no name in this case
  sgallagh Well, that seems like a convincing-enough argument to negate
  simo's nack, honestly.
  dpal and a generic name instead
  sgallagh Neither of us were really sure if the name was ever used, or
  if it was just there to be available to the caller
  sgallagh dpal: Do you want me to just change it from dummy_fd to
  file descriptor fd instead?
  dpal sgallagh, more of then I would always pass two things into
  ini_to_collection
  sgallagh dpal: Or put back the interface to let it be specified
  dpal sgallagh, let me finish
  dpal sgallagh, move the fopen/fdopen out of the ini_to_collection
  dpal Pass in the ready to use FILE *file and the string for naming the
  source
  dpal Then wrap the new implementation of the function with function
  that just open the file and sends down the filename as a source string.
  dpal The new other function would instead do the fdopen using passed
  in file descriptor and will send down passed in string to name the source
  sgallagh dpal: That still doesn't explain the fd case. If we're
  calling config_from_fd(), are you saying that we need to also pass the
  filename?
  dpal sgallagh, I say you need to name the source in some way so that
  you can report the error
  dpal sgallagh, it was logical to use filename as name of the source in
  case of file
  dpal It is not clear to me what would be the best name of the source
  if you are using a FD
  sgallagh dpal: I think I'd prefer to leave the interface as-is and
  change the dummy_fd to the more readable file descriptor fd
  sgallagh dpal: I'll make the changes under the hood as you've suggested
  dpal This does not help the caller
  sgallagh dpal: what do you mean?
  dpal He does not know what this fd means
  sgallagh dpal: He has to. He's the one who passed it in
  dpal sgallagh, I am 

Re: [SSSD] [PATCH] add utility call check_and_open_readonly

2009-10-05 Thread Sumit Bose
On Fri, Oct 02, 2009 at 03:20:33PM -0400, Stephen Gallagher wrote:
 On 09/28/2009 03:05 PM, Sumit Bose wrote:
  On Mon, Sep 28, 2009 at 02:51:11PM -0400, Stephen Gallagher wrote:
  On 09/28/2009 01:52 PM, Stephen Gallagher wrote:
  On 09/28/2009 12:24 PM, Stephen Gallagher wrote:
  On 09/28/2009 11:49 AM, Sumit Bose wrote:
  Hi,
 
  with the patch the config file is only read if it is
  - a regular file
  - owner and group are 0 (root)
  - file permissions are 600
 
  This patch depends on the config_from_fd patch currently under review.
 
  bye,
  Sumit
 
 
  
 
 
  Nack.
 
  As discussed on IRC, the lstat is redundant. All of the necessary
  file-type checks can be performed with the fstat, with no risk of race
  condition.
 
 
  Per conversation on IRC, this patch is approved. I didn't realize at
  first that we want to exclude symlinks as well from the SSSD.
 
 
  Updated Sumit's patch to use the new interface.
  
  ACK (is this a self-ACK?)
  
  bye,
  Sumit
 
 After a bit of thought, I realized that the code in confdb_init_db
 needed to be reordered a bit. If the permissions on the file changed,
 but not its contents, we would never detect it, because we were checking
 whether the modification time has changed first. Changing file
 permissions only does not update the modification time, so until the
 file actually had new data written into it, it would have happily kept
 loading a potentially world-readable config file.
 
 I've now moved the check_and_open_readonly() call to the beginning of
 the confdb_init_db routine and converted the modification time stat() to
 an fstat() on the returned file descriptor.
 
 Please re-review.
 

Although I cannot follow the argument I think it is a good idea to move
check_and_open_readonly() to the top,

ACK.

I have updated the sssd.conf man page and the check_and_open_readonly()
tests in [PATCH] more documentation and test for sssd.conf, please
review.

bye,
Sumit


[SSSD] [PATCH] Add handling of expired passwords

2009-10-05 Thread Sumit Bose
Hi,

with the three attached patches pam_sss can handle expired kerberos passwords:
- 0001: kerberos provider returns PAM_AUTHTOK_EXPIRED if KDC returns
  KRB5KDC_ERR_KEY_EXP
- 0002: some refactoring of pam_sss
- 0003: query the user for a new password if sssd returns
  PAM_AUTHTOK_EXPIRED

All this happens during the pam authentication phase and not as often
seen during the pam account management phase. For this reason I used
PAM_AUTHTOK_EXPIRED instead of PAM_NEW_AUTHTOK_REQD, which is used by
pam_sm_acct_mgmt().

I have two questions about the user experience:
- currently PAM_AUTHTOK_EXPIRED is returned if the password is expired
  regardless of whether the supplied password is correct or not. Would it
  be better to return a different error if the password is wrong?
- currently pam_sss only asks for the new password, because the
  current/old password is already known. Typically PAM modules ask
  for the current password a second time (because the password is not
  known anymore) and then for the new one.  I think this behaviour
  often irritates people. Which version shall we use?

bye,
Sumit
From bc5f929826a656562a9fa2b8f8d82da97604ec9c Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Fri, 2 Oct 2009 13:50:20 +0200
Subject: [PATCH 1/3] handle expired password during authentication

---
 server/providers/krb5/krb5_child.c |   12 ++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/server/providers/krb5/krb5_child.c 
b/server/providers/krb5/krb5_child.c
index 6f69840..ef38d48 100644
--- a/server/providers/krb5/krb5_child.c
+++ b/server/providers/krb5/krb5_child.c
@@ -359,14 +359,22 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
 }
 
 kerr = get_and_save_tgt(kr, pass_str);
+
 memset(pass_str, 0, kr-pd-authtok_size);
 talloc_zfree(pass_str);
 memset(kr-pd-authtok, 0, kr-pd-authtok_size);
 
 if (kerr != 0) {
 KRB5_DEBUG(1, kerr);
-if (kerr == KRB5_KDC_UNREACH) {
-pam_status = PAM_AUTHINFO_UNAVAIL;
+switch (kerr) {
+case KRB5_KDC_UNREACH:
+pam_status = PAM_AUTHINFO_UNAVAIL;
+break;
+case KRB5KDC_ERR_KEY_EXP:
+pam_status = PAM_AUTHTOK_EXPIRED;
+break;
+default:
+pam_status = PAM_SYSTEM_ERR;
 }
 }
 
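Review bot: The three `memset(..., 0, ...)` calls that scrub the password are immediately followed by `talloc_zfree(pass_str)` and by leaving the function, so a compiler may drop them as dead stores and the cleartext remains in freed memory; a clearing routine the optimiser cannot elide (a volatile-pointer byte loop, or the platform's explicit zeroing call where available) keeps the scrub effective. The size used for pass_str is `kr->pd->authtok_size`, the authtok's length rather than pass_str's own, which is correct only if pass_str was allocated to exactly that size — its allocation is outside this hunk, so a comment such as `/* pass_str is authtok_size bytes, allocated above */` (or sizing the clear from pass_str) would settle it. tgt_req_child continues outside the hunk.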
-- 
1.6.2.5

From b0b64abda4b6e106bc2c5d664510814ab49fa072 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Fri, 2 Oct 2009 16:03:02 +0200
Subject: [PATCH 2/3] move password handling into subroutines

---
 sss_client/pam_sss.c |  188 +++---
 1 files changed, 117 insertions(+), 71 deletions(-)

diff --git a/sss_client/pam_sss.c b/sss_client/pam_sss.c
index 9a1d441..eec25ab 100644
--- a/sss_client/pam_sss.c
+++ b/sss_client/pam_sss.c
@@ -651,6 +651,111 @@ static void eval_argv(pam_handle_t *pamh, int argc, const 
char **argv,
 return;
 }
 
+static int get_authtok_for_authentication(pam_handle_t *pamh,
+  struct pam_items *pi,
+  uint32_t flags)
+{
+int ret;
+
+if (flags  FLAGS_USE_FIRST_PASS) {
+pi-pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
+pi-pam_authtok = strdup(pi-pamstack_authtok);
+if (pi-pam_authtok == NULL) {
+D((option use_first_pass set, but no password found));
+return PAM_BUF_ERR;
+}
+pi-pam_authtok_size = strlen(pi-pam_authtok);
+} else {
+ret = prompt_password(pamh, pi);
+if (ret != PAM_SUCCESS) {
+D((failed to get password from user));
+return ret;
+}
+
+if (flags  FLAGS_FORWARD_PASS) {
+ret = pam_set_item(pamh, PAM_AUTHTOK, pi-pam_authtok);
+if (ret != PAM_SUCCESS) {
+D((Failed to set PAM_AUTHTOK [%s], 
+   authtok may not be available for other modules,
+   pam_strerror(pamh,ret)));
+}
+}
+}
+
+return PAM_SUCCESS;
+}
+
+static int get_authtok_for_password_change(pam_handle_t *pamh,
+   struct pam_items *pi,
+   uint32_t flags,
+   int pam_flags)
+{
+int ret;
+
+/* we query for the old password during PAM_PRELIM_CHECK to make
+ * pam_sss work e.g. with pam_cracklib */
+if (pam_flags  PAM_PRELIM_CHECK) {
+if (getuid() != 0  !(flags  FLAGS_USE_FIRST_PASS)) {
+ret = prompt_password(pamh, pi);
+if (ret != PAM_SUCCESS) {
+D((failed to get password from user));
+return ret;
+}
+
+ret = pam_set_item(pamh, PAM_OLDAUTHTOK, pi-pam_authtok);
+if (ret != PAM_SUCCESS) {
+D((Failed to set PAM_OLDAUTHTOK [%s

[SSSD] [PATCH] remove redundant talloc_free

2009-10-05 Thread Sumit Bose
Hi,

this patch is a fix for bug #213. The reason for the bug is a double
free during the call of the sdap timeout handler.

bye,
Sumit 
From da74240dd2d521d479327351ef2931aacfa9b3ac Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Mon, 5 Oct 2009 09:38:29 +0200
Subject: [PATCH] remove redundant talloc_free

- this patch should fix bug #213, a double free in the sdap timeout handler
---
 server/providers/ldap/sdap_async.c |3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

diff --git a/server/providers/ldap/sdap_async.c 
b/server/providers/ldap/sdap_async.c
index c3ca53e..f68a31c 100644
--- a/server/providers/ldap/sdap_async.c
+++ b/server/providers/ldap/sdap_async.c
@@ -390,9 +390,6 @@ static void sdap_op_timeout(struct tevent_req *req)
 
 /* signal the caller that we have a timeout */
 op-callback(op, NULL, ETIMEDOUT, op-data);
-
-/* send back to the server an abandon (see destructor) and free the op */
-talloc_free(op);
 }
 
 static int sdap_op_add(TALLOC_CTX *memctx, struct tevent_context *ev,
-- 
1.6.2.5



Re: [SSSD] [PATCH] Add handling of expired passwords

2009-10-05 Thread Sumit Bose
On Mon, Oct 05, 2009 at 10:45:04AM -0400, Simo Sorce wrote:
 
 On Mon, 2009-10-05 at 14:06 +0200, Sumit Bose wrote:
  On Mon, Oct 05, 2009 at 06:48:14AM -0400, Simo Sorce wrote:
   On Mon, 2009-10-05 at 10:45 +0200, Sumit Bose wrote:
- currently PAM_AUTHTOK_EXPIRED is returned if the password is
  expired
  regardless of whether the supplied password is correct or not. Would it
  be
  better to return a different error if the password is wrong?
   
   We should return an auth error if the password is wrong I guess
   (assuming we know at the same that the password is wrong and the
  real
   password is expired).
   
   We shouldn't expose to the casual attacker that the password is
  expired.
  
  This is fixed in the new version of 0001 by trying to get a change
  password ticket.
 
 Uhmm I didn't realize the KDC always sends the information back no matter
 what password is used.
 This is just public information then so perhaps we should just pass it
 back as is ...
 So technically I ack 0001 but we may want to use the previous version
 anyway, what do you think ?

I asked Jenny for a third opinion and she voted for the second version,
i.e. returning the wrong password error.

bye,
Sumit

 
- currently the pam_sss only asks the new password, because the
  current/old password is already known. Typically pam modules are
  asking for the current password for a second time (because the
  password is not known anymore) and then for the new one.  I think
  this
  behaviour is often irritating people. Which version shall we
  use?
   
   Not sure, but as long as we keep password change requests within
  the
   auth module we can avoid asking for the current password once again,
  the
   user just provided it, asking for it again adds nothing to the
  security
   of the operation.
   
   I have a questions though (haven't looked at the patch yet). Do you
  send
   back any message to the user before asking for the new password ?
   
  
  Now a message is sent to the user in the new version of 0003.
  0002 is unchanged.
 
 ack 2 and 3
 
 Simo.
 
 


[SSSD] [PATCH] add support for server side LDAP password policies

2009-10-07 Thread Sumit Bose
Hi,

this patch adds support for server side password policies to the LDAP
provider. If the server supports password policies an expired password
can be detected. Please note that currently IPA does not support LDAP
password policies.

As a next step I will add support for the client side evaluation of LDAP
attributes indicating an expired password

bye,
Sumit
From 316291baf060097d37579c675e06a9194e42c251 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Wed, 7 Oct 2009 18:15:27 +0200
Subject: [PATCH] add support for server side LDAP password policies

- password policy request controls are sent during bind and change
  password extended operation
- the response control is evaluated to see if the password is expired
  or will expire, soon
---
 server/providers/ldap/ldap_auth.c  |4 +
 server/providers/ldap/sdap.h   |3 +-
 server/providers/ldap/sdap_async.c |  129 +---
 3 files changed, 125 insertions(+), 11 deletions(-)

diff --git a/server/providers/ldap/ldap_auth.c 
b/server/providers/ldap/ldap_auth.c
index b1667c4..487fb07 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -404,6 +404,7 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
 
 switch (result) {
 case SDAP_AUTH_SUCCESS:
+case SDAP_AUTH_PW_EXPIRED:
 DEBUG(7, (user [%s] successfully authenticated.\n, state-dn));
 subreq = sdap_exop_modify_passwd_send(state,
   state-breq-be_ctx-ev,
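Review bot: Letting `SDAP_AUTH_PW_EXPIRED` fall into the `SDAP_AUTH_SUCCESS` case is presumably intended for a password change — an expired password is the very case a chpass request exists for — but nothing in the code says so, and the DEBUG line below then logs an expired password as a plain successful authentication. Add `/* an expired password still binds here; continue with the change so the user can set a new one */` above the new case label, and consider a separate debug line for the expired case so a later failure of the change can be traced back to it. The switch and the enclosing function continue outside this hunk.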
@@ -541,6 +542,9 @@ static void sdap_pam_auth_done(struct tevent_req *req)
 case SDAP_UNAVAIL:
 state-pd-pam_status = PAM_AUTHINFO_UNAVAIL;
 break;
+case SDAP_AUTH_PW_EXPIRED:
+state-pd-pam_status = PAM_AUTHTOK_EXPIRED;
+break;
 default:
 state-pd-pam_status = PAM_SYSTEM_ERR;
 }
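Review bot: Mapping `SDAP_AUTH_PW_EXPIRED` to `PAM_AUTHTOK_EXPIRED` tells the PAM client that the password is expired, which is only safe if that result is produced exclusively after a bind that succeeded with the correct password; the earlier thread on this page settled on reporting a plain wrong-password error when the credentials are wrong, precisely so an attacker cannot probe expiry state. The response-control parsing in simple_bind_done is cut off below, so please confirm that a passwordExpired policy error combined with an invalidCredentials bind result still yields `SDAP_AUTH_FAILED`, and pin the invariant where the value is defined: `/* SDAP_AUTH_PW_EXPIRED: bind succeeded, but the server reports the password as expired */`. The switch continues outside this hunk.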
diff --git a/server/providers/ldap/sdap.h b/server/providers/ldap/sdap.h
index cb98668..92771de 100644
--- a/server/providers/ldap/sdap.h
+++ b/server/providers/ldap/sdap.h
@@ -66,7 +66,8 @@ enum sdap_result {
 SDAP_RETRY,
 SDAP_ERROR,
 SDAP_AUTH_SUCCESS,
-SDAP_AUTH_FAILED
+SDAP_AUTH_FAILED,
+SDAP_AUTH_PW_EXPIRED
 };
 
 enum sdap_basic_opt {
diff --git a/server/providers/ldap/sdap_async.c 
b/server/providers/ldap/sdap_async.c
index f68a31c..6fd2837 100644
--- a/server/providers/ldap/sdap_async.c
+++ b/server/providers/ldap/sdap_async.c
@@ -28,6 +28,8 @@
 
 #define REALM_SEPARATOR '@'
 
+#define LDAP_X_SSSD_PASSWORD_EXPIRED 0x555D
+
 static void make_realm_upper_case(const char *upn)
 {
 char *c;
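Review bot: `LDAP_X_SSSD_PASSWORD_EXPIRED 0x555D` is an SSSD-private value that, judging by the name, is meant to travel in the same `int` as genuine libldap result codes, so a reader needs to know it is not a protocol value and that it was chosen not to collide with anything ldap.h defines. Add `/* SSSD-private pseudo result code, not an LDAP protocol value; must not overlap libldap's own LDAP_* and LDAP_X_* ranges */` above the define, and check that statement against the installed ldap.h, since a collision would be silent.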
@@ -658,6 +660,7 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX 
*memctx,
 int ret = EOK;
 int msgid;
 int ldap_err;
+LDAPControl *request_controls[2];
 
 req = tevent_req_create(memctx, state, struct simple_bind_state);
 if (!req) return NULL;
@@ -673,10 +676,19 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX 
*memctx,
 state-user_dn = user_dn;
 state-pw = pw;
 
+ret = ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST, 0, NULL, 0,
+  request_controls[0]);
+if (ret != LDAP_SUCCESS) {
+DEBUG(1, (ldap_control_create failed.\n));
+goto fail;
+}
+request_controls[1] = NULL;
+
 DEBUG(4, (Executing simple bind as: %s\n, state-user_dn));
 
 ret = ldap_sasl_bind(state-sh-ldap, state-user_dn, LDAP_SASL_SIMPLE,
- state-pw, NULL, NULL, msgid);
+ state-pw, request_controls, NULL, msgid);
+ldap_control_free(request_controls[0]);
 if (ret == -1 || msgid == -1) {
 ret = ldap_get_option(state-sh-ldap,
   LDAP_OPT_RESULT_CODE, ldap_err);
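Review bot: On the `ldap_control_create` failure path `ret` still holds an LDAP result code when it reaches `goto fail`; the label is outside this hunk, but if it reports `ret` the way the ldap_sasl_bind failure below presumably does after mapping `ldap_err`, the caller receives an LDAP code where an errno is expected. Set an errno first, e.g. `ret = ENOMEM;` (ldap_control_create fails for allocation or parameter errors), or run it through the same mapping as the bind failure. The control is created with criticality 0, which is the right choice but deserves a comment because it is what keeps the bind working against servers without password-policy support: `/* non-critical: a server that does not implement ppolicy ignores the control instead of failing the bind */`. Freeing `request_controls[0]` right after ldap_sasl_bind presumably relies on libldap encoding the controls into the request before returning; a one-line comment saying so saves the next reader from checking. simple_bind_send starts before this hunk and continues after it.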
@@ -727,6 +739,11 @@ static void simple_bind_done(struct sdap_op *op,
 struct simple_bind_state);
 char *errmsg;
 int ret;
+LDAPControl **response_controls;
+int c;
+ber_int_t pp_grace;
+ber_int_t pp_expire;
+LDAPPasswordPolicyError pp_error;
 
 if (error) {
 tevent_req_error(req, error);
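Review bot: `LDAPControl **response_controls;` is declared without an initializer, yet the following hunk's `goto done` on ldap_parse_result failure jumps past the only place that assigns it; if the `done` label (outside this view) releases the controls with ldap_controls_free, that is a free of an indeterminate pointer. Initialize it at the declaration, `LDAPControl **response_controls = NULL;`, and do the same for `pp_grace`, `pp_expire` and `pp_error` if the code after the control loop reads them without having seen a password-policy control. simple_bind_done continues past the end of this hunk.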
@@ -736,17 +753,57 @@ static void simple_bind_done(struct sdap_op *op,
 state-reply = talloc_steal(state, reply);
 
 ret = ldap_parse_result(state-sh-ldap, state-reply-msg,
-state-result, NULL, errmsg, NULL, NULL, 0);
+state-result, NULL, errmsg, NULL,
+response_controls, 0);
 if (ret != LDAP_SUCCESS) {
 DEBUG(2, (ldap_parse_result failed (%d)\n, state-op-msgid));
-tevent_req_error(req, EIO);
-return;
+ret = EIO;
+goto done;
+}
+
+if (response_controls == NULL) {
+DEBUG(5, (Server returned no controls.\n));
+} else {
+for (c = 0; response_controls[c] != NULL; c++) {
+DEBUG(9, (Server returned control [%s].\n,
+  response_controls[c]-ldctl_oid

[SSSD] [PATCH] add description of chpass_provider option to sssd.conf man page

2009-10-08 Thread Sumit Bose
Hi,

this patch adds an explanation of the chpass_provider option to the
sssd.conf man page.

bye,
Sumit
From a2aa152c86bb4b470ac2b451aa8f90866f7ec1df Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Thu, 8 Oct 2009 09:58:11 +0200
Subject: [PATCH] add description of chpass_provider option to sssd.conf man page

---
 server/man/sssd.conf.5.xml |   30 ++
 1 files changed, 30 insertions(+), 0 deletions(-)

diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml
index 59f249d..7946ed4 100644
--- a/server/man/sssd.conf.5.xml
+++ b/server/man/sssd.conf.5.xml
@@ -512,6 +512,36 @@
 /para
 /listitem
 /varlistentry
+varlistentry
+termchpass_provider (string)/term
+listitem
+para
+The provider which should handle change password
+operations for the domain.
+Supported change password providers are:
+/para
+para
+quoteldap/quote to change a password stored
+in a LDAP server.  See
+citerefentry
+refentrytitlesssd-ldap/refentrytitle
+manvolnum5/manvolnum
+/citerefentry for more information on 
configuring LDAP.
+/para
+para
+quotekrb5/quote  to change the Kerberos
+password. See
+citerefentry
+refentrytitlesssd-krb5/refentrytitle
+manvolnum5/manvolnum
+/citerefentry for more information on 
configuring Kerberos.
+/para
+para
+quoteproxy/quote for relaying password changes
+to some other PAM target.
+/para
+/listitem
+/varlistentry
 /variablelist
 /para
 
-- 
1.6.2.5



Re: [SSSD] [PATCH] LDAP provider needs to link against krb libraries

2009-10-12 Thread Sumit Bose
On Mon, Oct 12, 2009 at 12:20:37PM +0200, Ralf Haferkamp wrote:
 Hi,
 
 since the LDAP provider makes calls into the krb5 libs it should also be 
 linked 
 against them :). Attached patch should fix that.
 
 -- 
 regards,
   Ralf


Obviously correct.

ACK

Thanks.

bye,
Sumit


[SSSD] [PATCH] fix a wrong argument to unpack_buffer

2009-10-12 Thread Sumit Bose
Hi,

Martin was so nice to point me to a bug introduced by the short read
patch. This patch should fix it.

bye,
Sumit
From 190ac953255966ad49d915f9ce6741543a3fa824 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Mon, 12 Oct 2009 12:13:36 +0200
Subject: [PATCH] fix a wrong argument to unpack_buffer

- the patch to handle short read introduced a new variable len to
  store the amount of data read. Instead of using this variable
  unpack_buffer was called with the old variable ret. Thanks to
  mn...@redhat.com for finding this.
- this patch also fixes a potential error when the message size is
  equal to the buffer size.
---
 server/providers/krb5/krb5_child.c |   58 ---
 1 files changed, 40 insertions(+), 18 deletions(-)

diff --git a/server/providers/krb5/krb5_child.c 
b/server/providers/krb5/krb5_child.c
index 7649406..9b1be9c 100644
--- a/server/providers/krb5/krb5_child.c
+++ b/server/providers/krb5/krb5_child.c
@@ -419,49 +419,71 @@ sendresponse:
 return EOK;
 }
 
+uint8_t *copy_buffer_and_add_zero(TALLOC_CTX *mem_ctx, const uint8_t *src, 
size_t len)
+{
+uint8_t *str;
+
+str = talloc_size(mem_ctx, len + 1);
+if (str == NULL) {
+DEBUG(1, (talloc_size failed.\n));
+return NULL;
+}
+memcpy(str, src, len);
+str[len] = '\0';
+
+return str;
+}
+
 static errno_t unpack_buffer(uint8_t *buf, size_t size, struct pam_data *pd,
  char **ccname)
 {
 size_t p = 0;
 uint32_t *len;
-uint8_t *str;
 
+if ((p + sizeof(uint32_t))  size) return EINVAL;
 len = ((uint32_t *)(buf+p));
 pd-cmd = *len;
 p += sizeof(uint32_t);
 
+if ((p + sizeof(uint32_t))  size) return EINVAL;
 len = ((uint32_t *)(buf+p));
 p += sizeof(uint32_t);
-str = talloc_memdup(pd, buf+p, sizeof(char) * (*len + 1));
-if (str == NULL) return ENOMEM;
-str[*len] = '\0';
-pd-upn = (char *) str;
+
+if ((p + *len )  size) return EINVAL;
+pd-upn = (char *) copy_buffer_and_add_zero(pd, buf+p,
+sizeof(char) * (*len));
+if (pd-upn == NULL) return ENOMEM;
 p += *len;
 
+if ((p + sizeof(uint32_t))  size) return EINVAL;
 len = ((uint32_t *)(buf+p));
 p += sizeof(uint32_t);
-str = talloc_memdup(pd, buf+p, sizeof(char) * (*len + 1));
-if (str == NULL) return ENOMEM;
-str[*len] = '\0';
-*ccname = (char *) str;
+
+if ((p + *len )  size) return EINVAL;
+*ccname = (char *) copy_buffer_and_add_zero(pd, buf+p,
+sizeof(char) * (*len));
+if (*ccname == NULL) return ENOMEM;
 p += *len;
 
+if ((p + sizeof(uint32_t))  size) return EINVAL;
 len = ((uint32_t *)(buf+p));
 p += sizeof(uint32_t);
-str = talloc_memdup(pd, buf+p, sizeof(char) * (*len + 1));
-if (str == NULL) return ENOMEM;
-str[*len] = '\0';
-pd-authtok = str;
+
+if ((p + *len)  size) return EINVAL;
+pd-authtok = copy_buffer_and_add_zero(pd, buf+p, sizeof(char) * (*len));
+if (pd-authtok == NULL) return ENOMEM;
 pd-authtok_size = *len + 1;
 p += *len;
 
 if (pd-cmd == SSS_PAM_CHAUTHTOK) {
+if ((p + sizeof(uint32_t))  size) return EINVAL;
 len = ((uint32_t *)(buf+p));
 p += sizeof(uint32_t);
-str = talloc_memdup(pd, buf+p, sizeof(char) * (*len + 1));
-if (str == NULL) return ENOMEM;
-str[*len] = '\0';
-pd-newauthtok = str;
+
+if ((p + *len)  size) return EINVAL;
+pd-newauthtok = copy_buffer_and_add_zero(pd, buf+p,
+  sizeof(char) * (*len));
+if (pd-newauthtok == NULL) return ENOMEM;
 pd-newauthtok_size = *len + 1;
 p += *len;
 } else {
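Review bot: The new length checks of the form `if ((p + *len) > size)` can wrap on a 32-bit build, where `size_t` has the same width as the `uint32_t` length: a corrupt length near UINT32_MAX makes `p + *len` small, the check passes, and copy_buffer_and_add_zero reads far past the buffer. Every preceding check leaves `p <= size`, so the subtraction form is safe and overflow-free: `if (*len > size - p) return EINVAL;`. The reads through `len = ((uint32_t *)(buf+p))` are also unaligned as soon as a preceding string has a length that is not a multiple of four; copying the field out, `uint32_t field; memcpy(&field, buf + p, sizeof(field));`, avoids both the misaligned access and the aliasing question. copy_buffer_and_add_zero is only used in this file and should be `static`, and trailing bytes after the last field (`p != size`) are silently accepted, which is worth either rejecting or documenting. unpack_buffer's body continues past the end of the hunk.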
@@ -659,7 +681,7 @@ int main(int argc, char *argv[])
 }
 close(STDIN_FILENO);
 
-ret = unpack_buffer(buf, ret, pd, ccname);
+ret = unpack_buffer(buf, len, pd, ccname);
 if (ret != EOK) {
 DEBUG(1, (unpack_buffer failed.\n));
 goto fail;
-- 
1.6.2.5



Re: [SSSD] [PATCH] use old password if available during password change

2009-10-12 Thread Sumit Bose
On Fri, Oct 09, 2009 at 04:29:42PM -0400, Simo Sorce wrote:
 On Fri, 2009-10-09 at 21:02 +0200, Sumit Bose wrote:
  Hi,
  
  this one should fix #223. Because sshd runs as root the old password
  was
  not sent to sssd and changing the user password failed. Please review
  carefully.
 
 I guess the problem here is to understand what do current pam modules,
 when used through the proxy backend, expect.
 

The current pam modules do not expect anything here, because they will
handle expired passwords during pam_acct_mgmt and not during
pam_authenticate.

 Do they skip checks or ignore if the provided password is valid or not ?
 Should we think of forking a child in proxy and running it as the user
 that is attempting the password change? (Assuming we know it ?)

I think forking isn't needed here, because pam_sss should be kept
simple. Send everything you know to sssd and wait for a response.

bye,
Sumit

 
 Otherwise the patch looks sane to me, so I'd give a tentative ack.
 
 Simo.
 


[SSSD] [PATCH] enable debugging of krb5_child

2009-10-12 Thread Sumit Bose
Hi,

Although there are lots of DEBUG calls in krb5_child it always runs with
debug_level=0. This patch starts krb5_child with the debugging options
of the backend.

There is a problem with --debug-to-files. krb5_child runs as the user
requesting the ticket so the path to krb5_child.log needs to have
matching permissions. A possible solution would be to create the file
with 666 permissions during the setup of the kerberos backend (although a
world-writable log file would let any local user write into or fill it, so
handing the child an already-open descriptor would be safer). Any other
ideas?

bye,
Sumit
From b6b92883b333107e743cb6665716a17e6cdee964 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Mon, 12 Oct 2009 15:38:29 +0200
Subject: [PATCH] enable debugging of krb5_child

---
 server/Makefile.am |2 +
 server/providers/krb5/krb5_auth.c  |   56 ++-
 server/providers/krb5/krb5_child.c |   41 +-
 3 files changed, 95 insertions(+), 4 deletions(-)

diff --git a/server/Makefile.am b/server/Makefile.am
index a65c9fa..99c6867 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -458,9 +458,11 @@ krb5_child_SOURCES = \
 providers/krb5/krb5_child.c
 krb5_child_CFLAGS = \
 $(AM_CFLAGS) \
+$(POPT_CFLAGS) \
 $(KRB5_CFLAGS)
 krb5_child_LDADD = \
 $(TALLOC_LIBS) \
+$(POPT_LIBS) \
 $(KRB5_LIBS)
 
 memberof_la_SOURCES = \
diff --git a/server/providers/krb5/krb5_auth.c 
b/server/providers/krb5/krb5_auth.c
index 582d013..61c529f 100644
--- a/server/providers/krb5/krb5_auth.c
+++ b/server/providers/krb5/krb5_auth.c
@@ -325,6 +325,51 @@ static void wait_for_child_handler(struct tevent_context 
*ev,
 return;
 }
 
+static errno_t prepare_child_argv(TALLOC_CTX *mem_ctx, char ***_argv)
+{
+uint_t argc = 2; /* program name and NULL */
+char ** argv;
+
+if (debug_level != 0) argc ++;
+if (debug_to_file != 0) argc++;
+if (debug_timestamps != 0) argc++;
+
+argv  = talloc_array(mem_ctx, char *, argc);
+if (argv == NULL) {
+DEBUG(1, (talloc_array failed.\n));
+return ENOMEM;
+}
+
+if (argc  2) goto fail;
+argv[--argc] = NULL;
+
+if (debug_level != 0) {
+if (argc  2) goto fail;
+argv[--argc] = talloc_asprintf(argv, --debug-level=%d, debug_level);
+}
+
+if (debug_to_file != 0) {
+if (argc  2) goto fail;
+argv[--argc] = talloc_strdup(argv, --debug-to-files);
+}
+
+if (debug_timestamps != 0) {
+if (argc  2) goto fail;
+argv[--argc] = talloc_strdup(argv, --debug-timestamps);
+}
+
+if (argc != 1) goto fail;
+argv[0] = talloc_strdup(argv, KRB5_CHILD);
+
+*_argv = argv;
+
+return EOK;
+
+fail:
+talloc_free(*argv);
+return EINVAL;
+}
+
 static errno_t fork_child(struct krb5child_req *kr)
 {
 int pipefd_to_child[2];
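Review bot: The `fail:` label calls `talloc_free(*argv)`, i.e. it frees `argv[0]`, but `argv[0]` is only assigned after every `goto fail`, so each failure path hands an indeterminate pointer to talloc_free; the array itself is what must be released, `talloc_free(argv);`. The `talloc_asprintf`/`talloc_strdup` results stored into `argv[--argc]` are never checked, so an allocation failure leaves a NULL in the middle of the vector and execv then sees a shorter argv, silently starting the child without its debug settings; check each one and `goto fail` with ENOMEM. The `argc` guards before each slot cannot fail by construction and read as dead code, so the function would be clearer with a single `argc == 0` check at the end, as the later fill-from-the-end logic already implies.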
@@ -332,6 +377,7 @@ static errno_t fork_child(struct krb5child_req *kr)
 pid_t pid;
 int ret;
 errno_t err;
+char **argv;
 
 ret = pipe(pipefd_from_child);
 if (ret == -1) {
@@ -381,10 +427,16 @@ static errno_t fork_child(struct krb5child_req *kr)
 return err;
 }
 
-ret = execl(KRB5_CHILD, KRB5_CHILD, NULL);
+ret = prepare_child_argv(kr, argv);
+if (ret != EOK) {
+DEBUG(1, (prepare_child_argv.\n));
+return ret;
+}
+
+ret = execv(KRB5_CHILD, argv);
 if (ret == -1) {
 err = errno;
-DEBUG(1, (execl failed [%d][%s].\n, errno, strerror(errno)));
+DEBUG(1, (execv failed [%d][%s].\n, errno, strerror(errno)));
 return err;
 }
 } else if (pid  0) { /* parent */
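Review bot: The new `return ret;` after a failed prepare_child_argv appears to run in the forked child (the `else if (pid > 0) { /* parent */` branch follows), so a failure there leaves a second copy of the backend returning into the parent's event loop instead of terminating; after the DEBUG call the child should `_exit(EXIT_FAILURE)`, and the same applies to the execv failure path right below it. The log text `prepare_child_argv.\n` also drops the word "failed", so the message does not say what went wrong: `DEBUG(1, ("prepare_child_argv failed.\n"));`. fork_child starts before and ends after this hunk.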
diff --git a/server/providers/krb5/krb5_child.c 
b/server/providers/krb5/krb5_child.c
index 9b1be9c..70fd6b7 100644
--- a/server/providers/krb5/krb5_child.c
+++ b/server/providers/krb5/krb5_child.c
@@ -25,6 +25,7 @@
 #include sys/types.h
 #include unistd.h
 #include sys/stat.h
+#include popt.h
 
 #include security/pam_modules.h
 
@@ -641,7 +642,7 @@ failed:
 return kerr;
 }
 
-int main(int argc, char *argv[])
+int main(int argc, const char *argv[])
 {
 uint8_t *buf = NULL;
 int ret;
@@ -649,10 +650,46 @@ int main(int argc, char *argv[])
 struct pam_data *pd = NULL;
 struct krb5_req *kr = NULL;
 char *ccname;
+int opt;
+poptContext pc;
 
-debug_prg_name = argv[0];
+struct poptOption long_options[] = {
+POPT_AUTOHELP
+SSSD_DEBUG_OPTS
+POPT_TABLEEND
+};
+
+
+pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+while((opt = poptGetNextOpt(pc)) != -1) {
+switch(opt) {
+default:
+fprintf(stderr, \nInvalid option %s: %s\n\n,
+  poptBadOption(pc, 0), poptStrerror(opt));
+poptPrintUsage(pc, stderr, 0);
+_exit(-1);
+}
+}
+
+poptFreeContext(pc);
 
 pd = talloc(NULL, struct pam_data);
+if (pd == NULL) {
+DEBUG(1, (malloc failed.\n));
+_exit(-1);
+}
+
+debug_log_file = krb5_child

Re: [SSSD] [PATCH] enable debugging of krb5_child

2009-10-12 Thread Sumit Bose
On Mon, Oct 12, 2009 at 12:10:43PM -0400, Dmitri Pal wrote:
 Simo Sorce wrote:
  On Mon, 2009-10-12 at 10:47 -0400, Dmitri Pal wrote:
 

  Just pass the fd to the client, it's simple and doesn't require us to
  replicate logic to open/close debug files in the children.
  
  I didn't realize you could do that.
 

  I am not sure this approach is portable.
  I know Solaris and Linux can do it.
  I am not sure HP-UX can.
  
 
  We are not *transferring* a socket between process, we are merely not
  closing it on fork/exec. It is standard posix behavior that file
  descriptors are inherited by children afaik.
 
  Simo.
 

 Yes this way it is standard. I thought you wanted to pass a socket
 between processes later after fork.
 But here is the question. If you have multiple children writing to the
 same fd at the same time how you then sort which one has written what.
 Would it be better to have a log per child process instead and have a
 pid appended to the name of the log file than all output in one file mixed?
 It is usually hard to read and debug when everything is mixed in one file.
 
 
 -- 
 Thank you,
 Dmitri Pal
 

Currently I'll use the pid in the starting block of the log message.

bye,
Sumit


Re: [SSSD] [PATCH] Package SSSDConfig API

2009-10-13 Thread Sumit Bose
On Tue, Oct 13, 2009 at 09:22:51AM -0400, Stephen Gallagher wrote:
 On 10/13/2009 08:08 AM, Stephen Gallagher wrote:
  On 10/13/2009 06:22 AM, Stephen Gallagher wrote:
  Do not push. This patch is incomplete.
 
  On Oct 12, 2009, at 5:27 PM, Simo Sorce sso...@redhat.com wrote:
 
  On Mon, 2009-10-12 at 17:21 -0400, Stephen Gallagher wrote:
  
 
  ACK
 
  --
  Simo Sorce * Red Hat, Inc * New York
 
  
  I realized this morning I missed two things.
  
  Patch 0001: I forgot to include a schema plugin for the proxy provider.
  Patch 0002: I forgot to package the schema configuration files (and
  plugin configuration) in the RPM.
  
  
  
 
 One more try on Patch 0002: it wasn't building the RPM on RHEL5, because
 the .egg-info file was not created in the older version of distutils.
 
 -- 
 Stephen Gallagher
 RHCE 804006346421761
 

Maybe somebody will find a better check than
%{?fedora:%{python_sitelib}/*.egg-info}, but I think it is ok for now:

ACK

bye,
Sumit


[SSSD] [PATCH] add a replacement if ldap_control_create is missing

2009-10-13 Thread Sumit Bose
Hi,

this patch should fix the build issue on RHEL5 where ldap_control_create
is not available. I'm preparing a similar patch for Kerberos.

bye,
Sumit
From 2c8466a3c8d67dac39eb3ed237dd17a364ee6f7f Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Tue, 13 Oct 2009 12:11:07 +0200
Subject: [PATCH] add a replacement if ldap_control_create is missing

---
 server/Makefile.am |4 ++-
 server/external/ldap.m4|9 +
 server/providers/ldap/sdap.c   |1 -
 server/providers/ldap/sdap.h   |2 +-
 server/providers/ldap/sdap_async.c |   12 +++---
 server/util/sss_ldap.c |   70 
 server/util/sss_ldap.h |   30 +++
 7 files changed, 119 insertions(+), 9 deletions(-)
 create mode 100644 server/util/sss_ldap.c
 create mode 100644 server/util/sss_ldap.h

diff --git a/server/Makefile.am b/server/Makefile.am
index 6b918d9..be417da 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -233,6 +233,7 @@ dist_noinst_HEADERS = \
 util/sssd-i18n.h \
 util/util.h \
 util/strtonum.h \
+util/sss_ldap.h \
 config.h \
 monitor/monitor.h \
 monitor/monitor_interfaces.h \
@@ -422,7 +423,8 @@ libsss_ldap_la_SOURCES = \
 providers/ldap/ldap_id.c \
 providers/ldap/ldap_auth.c \
 providers/ldap/sdap_async.c \
-providers/ldap/sdap.c
+providers/ldap/sdap.c \
+util/sss_ldap.c
 libsss_ldap_la_CFLAGS = \
 $(AM_CFLAGS) \
 $(LDAP_CFLAGS) \
diff --git a/server/external/ldap.m4 b/server/external/ldap.m4
index 5e817b8..a17ed7e 100644
--- a/server/external/ldap.m4
+++ b/server/external/ldap.m4
@@ -38,3 +38,12 @@ else
 fi
 
 AC_SUBST(OPENLDAP_LIBS)
+
+SAVE_CFLAGS=$CFLAGS
+SAVE_LIBS=$LIBS
+CFLAGS=$CFLAGS $OPENLDAP_CFLAGS
+LIBS=$LIBS $OPENLDAP_LIBS
+AC_CHECK_FUNCS([ldap_control_create])
+CFLAGS=$SAVE_CFLAGS
+LIBS=$SAVE_LIBS
+
diff --git a/server/providers/ldap/sdap.c b/server/providers/ldap/sdap.c
index 47f76f9..ba234ed 100644
--- a/server/providers/ldap/sdap.c
+++ b/server/providers/ldap/sdap.c
@@ -20,7 +20,6 @@
 */
 
 #define LDAP_DEPRECATED 1
-#include ldap.h
 #include util/util.h
 #include confdb/confdb.h
 #include providers/ldap/sdap.h
diff --git a/server/providers/ldap/sdap.h b/server/providers/ldap/sdap.h
index 3aa29a3..650ce5f 100644
--- a/server/providers/ldap/sdap.h
+++ b/server/providers/ldap/sdap.h
@@ -21,7 +21,7 @@
 
 #include confdb/confdb.h
 #include db/sysdb.h
-#include ldap.h
+#include util/sss_ldap.h
 
 struct sdap_msg {
 struct sdap_msg *next;
diff --git a/server/providers/ldap/sdap_async.c 
b/server/providers/ldap/sdap_async.c
index 80b7e04..4f9294c 100644
--- a/server/providers/ldap/sdap_async.c
+++ b/server/providers/ldap/sdap_async.c
@@ -676,10 +676,10 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX 
*memctx,
 state-user_dn = user_dn;
 state-pw = pw;
 
-ret = ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST, 0, NULL, 0,
-  request_controls[0]);
+ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
+  0, NULL, 0, request_controls[0]);
 if (ret != LDAP_SUCCESS) {
-DEBUG(1, (ldap_control_create failed.\n));
+DEBUG(1, (sss_ldap_control_create failed.\n));
 goto fail;
 }
 request_controls[1] = NULL;
@@ -2699,10 +2699,10 @@ struct tevent_req 
*sdap_exop_modify_passwd_send(TALLOC_CTX *memctx,
 return NULL;
 }
 
-ret = ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST, 0, NULL, 0,
-  request_controls[0]);
+ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
+  0, NULL, 0, request_controls[0]);
 if (ret != LDAP_SUCCESS) {
-DEBUG(1, (ldap_control_create failed.\n));
+DEBUG(1, (sss_ldap_control_create failed.\n));
 goto fail;
 }
 request_controls[1] = NULL;
diff --git a/server/util/sss_ldap.c b/server/util/sss_ldap.c
new file mode 100644
index 000..f098e7d
--- /dev/null
+++ b/server/util/sss_ldap.c
@@ -0,0 +1,70 @@
+/*
+Authors:
+Sumit Bose sb...@redhat.com
+
+Copyright (C) 2009 Red Hat
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see http://www.gnu.org/licenses/.
+*/
+#include stdlib.h
+
+#include config.h
+
+#include util/sss_ldap.h
+
+
+int sss_ldap_control_create(const char

Re: [SSSD] [PATCH] Check for expired passwords in LDAP provider

2009-10-15 Thread Sumit Bose
On Wed, Oct 14, 2009 at 07:45:46PM -0400, Simo Sorce wrote:
 On Fri, 2009-10-09 at 21:38 +0200, Sumit Bose wrote:
  Hi,
  
  with this patch the LDAP provider checks typical attributes which
  determine the lifetime of a password. If more than one scheme is
  available the following order is used:
   - server side password policies
   - Kerberos password attributes
   - shadow attributes
  Currently only in the case of server side password policies the password
  can actually be changed. Kerberos password should be changed with the
  Kerberos backend.
 
 The patch seem mostly ok, I have tried it against a freeipa server (so
 haven't tested shadow or password control), and found a problem.
 
 The kerberos expiration time is read as if it were in local time. It is not;
 it is in UTC. This prevented the code from detecting as expired an
 account the was just expired, as it thought, wrongly, that the
 expiration time was 5 hours in the future (I am GMT-5 here).

fixed

 
 I think the shadow time checks may have a similar problem, but they use
 a different method to test for expiration so I am not entirely sure,
 please check that too.

I have adopted the calculations from pam_unix so it should be safe.

 
 So NACK until this is fixed.
 
 Patch also need to be rebased as option definitions have been moved to
 ldap_common.c

done, new version attached.

 
 Simo.
 

bye,
Sumit
From d1415c9b27fb219c4e992906ba721d12ffd25c40 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Fri, 9 Oct 2009 13:34:35 +0200
Subject: [PATCH] Check for expired passwords in LDAP provider

---
 server/providers/ldap/ldap_auth.c   |  370 +--
 server/providers/ldap/ldap_common.c |   24 ++-
 server/providers/ldap/sdap.h|   28 +++-
 server/providers/ldap/sdap_async.c  |   25 +++
 4 files changed, 424 insertions(+), 23 deletions(-)

diff --git a/server/providers/ldap/ldap_auth.c 
b/server/providers/ldap/ldap_auth.c
index 80726e7..971ece3 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -29,9 +29,13 @@
 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)
 #endif
 
+#define _XOPEN_SOURCE 500 /* for strptime() */
+#include time.h
+#undef _XOPEN_SOURCE
 #include errno.h
 #include sys/time.h
 
+#include shadow.h
 #include security/pam_modules.h
 
 #include util/util.h
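Review bot: Defining `_XOPEN_SOURCE` immediately before `#include <time.h>` only works if no header above has already pulled in time.h; the `LDAP_TAG_EXOP_MODIFY_PASSWD_NEW` definition above this hunk uses `ber_tag_t`, so lber.h/ldap.h are included earlier, and whether they drag in time.h is platform dependent — if they do, the second inclusion is a no-op, strptime ends up implicitly declared, and the `#undef` afterwards puts the rest of the file under a different feature set than its start. Feature-test macros belong before the first system include for the whole translation unit, via config.h (`AC_USE_SYSTEM_EXTENSIONS` / `_GNU_SOURCE`) or the top of this file, rather than toggled mid-file; a comment such as `/* strptime() needs _XOPEN_SOURCE; set globally in config.h */` then replaces the define/undef pair. The include list continues past this hunk.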
@@ -40,11 +44,219 @@
 #include providers/ldap/ldap_common.h
 #include providers/ldap/sdap_async.h
 
+enum pwexpire {
+PWEXPIRE_NONE = 0,
+PWEXPIRE_LDAP_PASSWORD_POLICY,
+PWEXPIRE_KERBEROS,
+PWEXPIRE_SHADOW
+};
+
 struct sdap_auth_ctx {
 struct be_ctx *be;
 struct sdap_options *opts;
 };
 
+static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
+   enum sdap_result *result)
+{
+char *end;
+struct tm tm = {0, 0, 0, 0, 0, 0, 0, 0, 0};
+time_t expire_time;
+
+*result = SDAP_AUTH_FAILED;
+
+end = strptime(expire_date, %Y%m%d%H%M%SZ, tm);
+if (end == NULL) {
+DEBUG(1, (Kerberos expire date [%s] invalid.\n, expire_date));
+return EINVAL;
+}
+if (*end != '\0') {
+DEBUG(1, (Kerberos expire date [%s] contains extra characters.\n,
+  expire_date));
+return EINVAL;
+}
+
+expire_time = mktime(tm);
+if (expire_time == -1) {
+DEBUG(1, (mktime failed to convert [%s].\n, expire_date));
+return EINVAL;
+}
+
+tzset();
+expire_time -= timezone;
+DEBUG(9, (Time info: tzname[0] [%s] tzname[1] [%s] timezone [%d] 
+  daylight [%d] now [%d] expire_time [%d].\n, tzname[0],
+  tzname[1], timezone, daylight, now, expire_time));
+
+if (difftime(now, expire_time)  0.0) {
+DEBUG(4, (Kerberos password expired.\n));
+*result = SDAP_AUTH_PW_EXPIRED;
+} else {
+*result = SDAP_AUTH_SUCCESS;
+}
+
+return EOK;
+}
+
+static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now,
+ enum sdap_result *result)
+{
+long today;
+long password_age;
+
+if (spwd-sp_lstchg = 0) {
+DEBUG(4, (Last change day is not set, new password needed.\n));
+*result = SDAP_AUTH_PW_EXPIRED;
+return EOK;
+}
+
+today = (long) (now / (60 * 60 *24));
+password_age = today - spwd-sp_lstchg;
+if (password_age  0) {
+DEBUG(2, (The last password change time is in the future!.\n));
+*result = SDAP_AUTH_SUCCESS;
+return EOK;
+}
+
+if ((spwd-sp_expire != -1  today  spwd-sp_expire) ||
+(spwd-sp_max != -1  spwd-sp_inact != -1 
+ password_age  spwd-sp_max + spwd-sp_inact))
+{
+DEBUG(4, (Account expired.\n));
+*result = SDAP_ACCT_EXPIRED;
+return EOK;
+}
+
+if (spwd-sp_max != -1  password_age  spwd-sp_max) {
+DEBUG(4, (Password expired.\n));
+*result = SDAP_AUTH_PW_EXPIRED;
+return EOK

Re: [SSSD] [PATCH] enable debugging of krb5_child

2009-10-15 Thread Sumit Bose
On Thu, Oct 15, 2009 at 08:34:22AM -0400, Stephen Gallagher wrote:
 
 Send a new patch, please. You have the infrastructure in place to test
 it better than I can right now.
 
 - -- 
 Stephen Gallagher
 RHCE 804006346421761
 

ok, new version attached, thanks again.

bye,
Sumit
From 89440744c616396fc56dd4990eb5a5b93284f8c4 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Mon, 12 Oct 2009 15:38:29 +0200
Subject: [PATCH] enable debugging of krb5_child

---
 server/Makefile.am |2 +
 server/providers/krb5/krb5_auth.c  |  101 +++-
 server/providers/krb5/krb5_auth.h  |1 +
 server/providers/krb5/krb5_child.c |   44 +++-
 server/util/debug.c|   40 +--
 server/util/util.h |2 +
 6 files changed, 182 insertions(+), 8 deletions(-)

diff --git a/server/Makefile.am b/server/Makefile.am
index 70b64b8..9adce0c 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -471,9 +471,11 @@ krb5_child_SOURCES = \
 providers/krb5/krb5_child.c
 krb5_child_CFLAGS = \
 $(AM_CFLAGS) \
+$(POPT_CFLAGS) \
 $(KRB5_CFLAGS)
 krb5_child_LDADD = \
 $(TALLOC_LIBS) \
+$(POPT_LIBS) \
 $(KRB5_LIBS)
 
 memberof_la_SOURCES = \
diff --git a/server/providers/krb5/krb5_auth.c 
b/server/providers/krb5/krb5_auth.c
index 91f9196..4d98b93 100644
--- a/server/providers/krb5/krb5_auth.c
+++ b/server/providers/krb5/krb5_auth.c
@@ -327,6 +327,76 @@ static void wait_for_child_handler(struct tevent_context 
*ev,
 return;
 }
 
+static errno_t prepare_child_argv(TALLOC_CTX *mem_ctx,
+  struct krb5child_req *kr,
+  char ***_argv)
+{
+uint_t argc = 3; /* program name, debug_level and NULL */
+char ** argv;
+errno_t ret = EINVAL;
+
+/* Save the current state in case an interrupt changes it */
+bool child_debug_to_file = debug_to_file;
+bool child_debug_timestamps = debug_timestamps;
+
+if (child_debug_to_file) argc++;
+if (child_debug_timestamps) argc++;
+
+/* program name, debug_level,
+ * debug_to_file, debug_timestamps
+ * and NULL */
+argv  = talloc_array(mem_ctx, char *, argc);
+if (argv == NULL) {
+DEBUG(1, (talloc_array failed.\n));
+return ENOMEM;
+}
+
+argv[--argc] = NULL;
+
+argv[--argc] = talloc_asprintf(argv, --debug-level=%d,
+  debug_level);
+if (argv[argc] == NULL) {
+ret = ENOMEM;
+goto fail;
+}
+
+if (child_debug_to_file) {
+argv[--argc] = talloc_asprintf(argv, --debug-fd=%d,
+  kr-krb5_ctx-child_debug_fd);
+if (argv[argc] == NULL) {
+ret = ENOMEM;
+goto fail;
+}
+}
+
+if (child_debug_timestamps) {
+argv[--argc] = talloc_strdup(argv, --debug-timestamps);
+if (argv[argc] == NULL) {
+ret = ENOMEM;
+goto fail;
+}
+}
+
+argv[--argc] = talloc_strdup(argv, KRB5_CHILD);
+if (argv[argc] == NULL) {
+ret = ENOMEM;
+goto fail;
+}
+
+if (argc != 0) {
+ret = EINVAL;
+goto fail;
+}
+
+*_argv = argv;
+
+return EOK;
+
+fail:
+talloc_free(argv);
+return ret;
+}
+
 static errno_t fork_child(struct krb5child_req *kr)
 {
 int pipefd_to_child[2];
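Review bot: `uint_t argc = 3;` at the top of prepare_child_argv uses a type that is not standard C (it is a BSD/Solaris typedef), so unless util.h provides it the line will not build on other platforms; `unsigned int argc = 3;` or `size_t` works everywhere and matches what talloc_array expects. The initialiser `errno_t ret = EINVAL;` is dead, since every path that reads ret assigns it first. The debug descriptor is handed to the child only by number on the command line, which works only if the descriptor opened in sssm_krb5_auth_init is inherited across exec, i.e. is not close-on-exec; a comment at the `--debug-fd` line such as `/* fd must stay open across exec: the child writes its log there */` records that assumption. A one-line header comment stating that the returned argv is allocated on mem_ctx and NULL-terminated would document the contract for fork_child.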
@@ -334,6 +404,7 @@ static errno_t fork_child(struct krb5child_req *kr)
 pid_t pid;
 int ret;
 errno_t err;
+char **argv;
 
 ret = pipe(pipefd_from_child);
 if (ret == -1) {
@@ -383,10 +454,16 @@ static errno_t fork_child(struct krb5child_req *kr)
 return err;
 }
 
-ret = execl(KRB5_CHILD, KRB5_CHILD, NULL);
+ret = prepare_child_argv(kr, kr, argv);
+if (ret != EOK) {
+DEBUG(1, (prepare_child_argv.\n));
+return ret;
+}
+
+ret = execv(KRB5_CHILD, argv);
 if (ret == -1) {
 err = errno;
-DEBUG(1, (execl failed [%d][%s].\n, errno, strerror(errno)));
+DEBUG(1, (execv failed [%d][%s].\n, errno, strerror(errno)));
 return err;
 }
 } else if (pid  0) { /* parent */
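Review bot: In the child branch, `return ret;` after a failed prepare_child_argv (like the pre-existing `return err;` after a failed execv) returns from fork_child inside the forked process, so the child would presumably carry on running the backend's own code with a copy of the parent's state instead of terminating. Both error paths in the child should end the process, e.g. `_exit(EXIT_FAILURE);`, or whatever convention the project uses for its helper children. The message `DEBUG(1, ("prepare_child_argv.\n"));` also gives no hint of what went wrong; `DEBUG(1, ("prepare_child_argv failed [%d][%s].\n", ret, strerror(ret)));` matches the execv message below it. fork_child begins and ends outside this hunk.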
@@ -912,6 +989,8 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
 int ret;
 struct tevent_signal *sige;
 struct stat stat_buf;
+unsigned v;
+FILE *debug_filep;
 
 ctx = talloc_zero(bectx, struct krb5_ctx);
 if (!ctx) {
@@ -1015,6 +1094,24 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
 goto fail;
 }
 
+if (debug_to_file != 0) {
+ret = open_debug_file_ex(krb5_child, debug_filep);
+if (ret != EOK) {
+DEBUG(0, (Error setting up logging (%d) [%s]\n,
+ret, strerror(ret)));
+goto fail;
+}
+
+ctx-child_debug_fd = fileno(debug_filep);
+if (ctx-child_debug_fd == -1) {
+DEBUG(0, (fileno failed [%d][%s

Re: [SSSD] [PATCH] set chpass_provider implicit if not set explicit

2009-10-15 Thread Sumit Bose
On Thu, Oct 15, 2009 at 12:12:57PM +0200, Sumit Bose wrote:
 On Wed, Oct 14, 2009 at 01:33:18PM -0400, Stephen Gallagher wrote:
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
  
  On 10/14/2009 07:24 AM, Sumit Bose wrote:
   Hi,
   
   if auth_provider is set to a provider which can handle change password
   request, e.g. LDAP, but chpass_provider is not set at all the user might
   be surprised that the password cannot be changed. This patch sets
   chpass_provider implicit if an auth_provider is available and can handle
   change password requests. If you want to disallow password changes
   explicitly use 'chpass_provider = none'.
   
   This patch should fix one part of #220.
   
   bye,
   Sumit
   
   
   
   ___
   sssd-devel mailing list
   sssd-devel@lists.fedorahosted.org
   https://fedorahosted.org/mailman/listinfo/sssd-devel
  
  As discussed on IRC, if auth_provider is unspecified, we should use
  id_provider as the default for both auth_provider and access_provider
  (if the id_provider offers that option).
  
  I think access provider should default to 'permit' unless otherwise
  specified.
  
  
  - -- 
  Stephen Gallagher
  RHCE 804006346421761
  
 
 ok, I've created a new patch (0002) with the changes, 0001 is rebased
 but unchanged. I've also added a 'deny' option for access_provider and a
 man page entry.
 
 bye,
 Sumit

Please find attached rebased versions.

bye,
Sumit
From f3a0e41ae3123cd68d9e9ac8193fb20ed9d52d68 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Wed, 14 Oct 2009 12:49:10 +0200
Subject: [PATCH 1/2] set chpass_provider implicit if not set explicit

- if chpass_provider is not given in the configuration file but an
  auth_provider is, and the auth_provider can also handle change password
  requests, it is used as chpass_provider.
---
 server/man/sssd.conf.5.xml  |7 +++
 server/providers/data_provider_be.c |   79 ++-
 server/providers/dp_backend.h   |1 +
 3 files changed, 67 insertions(+), 20 deletions(-)

diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml
index 3eab235..7af2292 100644
--- a/server/man/sssd.conf.5.xml
+++ b/server/man/sssd.conf.5.xml
@@ -499,6 +499,13 @@
 quoteproxy/quote for relaying password changes
 to some other PAM target.
 /para
+para
+quotenone/quote disallows password changes 
explicitly.
+/para
+para
+Default: quoteauth_provider/quote is used if it
+is set and can handle change password request.
+/para
 /listitem
 /varlistentry
 /variablelist
diff --git a/server/providers/data_provider_be.c 
b/server/providers/data_provider_be.c
index 86218d6..f7830c9 100644
--- a/server/providers/data_provider_be.c
+++ b/server/providers/data_provider_be.c
@@ -45,6 +45,9 @@
 
 #define MSG_TARGET_NO_CONFIGURED sssd_be: The requested target is not 
configured
 
+#define ACCESS_PERMIT permit
+#define NO_PROVIDER none
+
 struct sbus_method monitor_be_methods[] = {
 { MON_CLI_METHOD_PING, monitor_common_pong },
 { MON_CLI_METHOD_RES_INIT, monitor_common_res_init },
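Review bot: NO_PROVIDER and ACCESS_PERMIT are matched against the configured module name with different case sensitivity further down in this patch — strcasecmp for "none" but strcmp for "permit" — so a value like `Permit` would fall through to an attempted module load while `None` is honoured. Use one comparison for both keywords, presumably strcasecmp, so they behave the same way. A short comment above the macros, e.g. `/* reserved provider names that never map to a loadable module */`, would also make clear why these two strings are special-cased.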
@@ -798,8 +801,8 @@ static struct bet_ops be_target_access_permit_ops = {
 
 static int load_backend_module(struct be_ctx *ctx,
enum bet_type bet_type,
-   struct bet_ops **be_ops,
-   void **be_pvt_data)
+   struct bet_info *bet_info,
+   const char *default_mod_name)
 {
 TALLOC_CTX *tmp_ctx;
 int ret = EINVAL;
@@ -811,6 +814,10 @@ static int load_backend_module(struct be_ctx *ctx,
 char *mod_init_fn_name = NULL;
 bet_init_fn_t mod_init_fn = NULL;
 
+(*bet_info).mod_name = NULL;
+(*bet_info).bet_ops = NULL;
+(*bet_info).pvt_bet_data = NULL;
+
 if (bet_type = BET_NULL || bet_type = BET_MAX ||
 bet_type != bet_data[bet_type].bet_type) {
 DEBUG(2, (invalid bet_type or bet_data corrupted.\n));
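Review bot: The three `(*bet_info).field = NULL;` assignments are the unidiomatic spelling of `bet_info->mod_name = NULL;` and friends; the arrow form reads as pointer access at a glance, whereas the explicit dereference suggests bet_info is a value. Naming the parameter the same as its struct tag is legal in C but makes `struct bet_info *bet_info` harder to scan; `info` or `out` would do. The enclosing function load_backend_module continues beyond this hunk.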
@@ -831,10 +838,30 @@ static int load_backend_module(struct be_ctx *ctx,
 goto done;
 }
 if (!mod_name) {
+if (default_mod_name != NULL) {
+DEBUG(5, (no module name found in confdb, using [%s].\n,
+  default_mod_name));
+mod_name = talloc_strdup(ctx, default_mod_name);
+} else {
+ret = ENOENT;
+goto done;
+}
+}
+
+if (strcasecmp(mod_name, NO_PROVIDER) == 0) {
 ret = ENOENT;
 goto done;
 }
 
+if (strcmp(mod_name, ACCESS_PERMIT) == 0) {
+(*bet_info).bet_ops = be_target_access_permit_ops;
+(*bet_info).pvt_bet_data = NULL;
+(*bet_info

Re: [SSSD] Design question

2009-10-16 Thread Sumit Bose
On Thu, Oct 15, 2009 at 05:26:14PM -0400, Dmitri Pal wrote:
 Hi,
 
 Couple questions about async processing.
 The communication usually consists of several parts. Imagine that you
 have an object that is responsible for some sort of communication
 (socket, pipe, file, bus - whatever).
 Here are the basic things that can happen with such object:
 * Object is created
 * Communication channel is opened
 * Message is sent (and may be you get response back)
 * Communication channel is closed
 * Object is destructed
 
 Object creation and destruction are the same regardless of whether the
 communication is synchronous or asynchronous.
 They are pretty straightforward. So let us talk about the other three.
 Definitely communication on the channel can (and should) be asynchronous
 - this is the whole purpose.
 But what about opening the channel. Should a file or socket be always
 opened as O_NONBLOCK or
 the event library would set the flag on the FD itself?
 I guess the question who is responsible for making socket/fd nonblocking
 the creator of it or the async library that provided the event loop?
 
 Now imagine the situation: the opening of the channel includes actually
 two steps, establishing the channel itself (TCP for example) and sending
 some sort of the HELLO message.
 Can this hello message be done synchronously or the  connection should
 be established in async way and the hello message should be treated as
 any other message?
 I understand that the preferred way is to do it asynchronously but the
 question is: is it acceptable not to at least in the first implementation?
 
 Same question about closing the channel when this operation involves
 sending some sort of good bye message first. Is it acceptable to send
 and close in one step synchronously or not?
 
 -- 
 Thank you,
 Dmitri Pal
 

I would suggest providing special open and close calls. E.g. if you
already have myasync_read_send(), myasync_read_recv(),
myasync_write_send() and myasync_write_recv(), just add myasync_open()
and myasync_close().

If you need to initialize the communication by sending some HELLO
messages you can provide myasync_myprotocol_init_send() and
myasync_myprotocol_init_recv(). myasync_myprotocol_init_send() will
first call myasync_open() and then myasync_write_send() with a callback
that does a myasync_read_send() to get the response from the peer. If
even more communication is needed, e.g. an SSL 3-way handshake, a new
write/read sequence is started. When the request is finished the result
can be obtained with myasync_myprotocol_init_recv(). Similarly for
myasync_myprotocol_teardown_send() and
myasync_myprotocol_teardown_recv().


The client can now do the following:
msg2server_send()
  myasync_myprotocol_init_send()
- callback: msg2server_init_done()

msg2server_init_done()
  myasync_myprotocol_init_recv()
  myasync_write_send()
- callback: msg2server_write_done()

msg2server_write_done()
  myasync_write_recv()
  myasync_myprotocol_teardown_send()
- callback: msg2server_teardown_done()

msg2server_teardown_done()
  myasync_myprotocol_teardown_recv()

This way all details are hidden in the myasync_* calls and the client
only needs to know that _init_ must be called before _write_.

bye,
Sumit
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel


Re: [SSSD] [PATCH] add IPA backend

2009-10-16 Thread Sumit Bose
On Thu, Oct 15, 2009 at 07:10:26PM -0400, Simo Sorce wrote:
 This patcheset does the minimal necessary work to separate
 initialization from actual providers code for ldap and kerberos and uses
 this to introduce a first basic ipa provider skeleton that simply reuses
 the ldap and krb5 providers code.
 
 Simo.
 

ACK

I will provide a patch that will change the handling of the config
options of the krb5 provider to the new style.

bye,
Sumit
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel


Re: [SSSD] [PATCH] added generic LDAP search sdap_get_generic_send/_recv

2009-10-19 Thread Sumit Bose
On Fri, Oct 16, 2009 at 02:47:38PM -0400, Simo Sorce wrote:
 On Fri, 2009-10-16 at 11:58 +0200, Sumit Bose wrote:
  Hi,
  
  currently the sdap interface is only used by the ID provider and
  consequently only offers special search for users and groups. This
  patch
  adds a generic search, i.e. the caller can specify the search base
  and an attribute list. This will be used by the IPA access provider to
  load HBAC rules from the IPA server.
 
 Mostly ok but I have a few remarks.
 
 1. please move sdap_parse_generic_entry() in another section, only
 forward function declarations should stay between the state structure
 and the _send() function.

moved to sdap.h

 
 2. In _send() make sure you set to 0 any structure member that is not
 initialized with a value as tevent_req_create() does not zero the state
 structure, therefore you may find uninitialized values.

done

 
 3. Use SDAP_NETWORK_TIMEOUT with dp_opt_get_int for the timeouts, no
 FIXMEs please :)

done

 
 4. Why do you return a list of reply_item structures instead of an array
 of sysdb_attrs and and a counter ?
 

done, new patch attached.

bye,
Sumit
From c9cd8e2c0c103a0a91adc165504b17d7d14ca113 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Thu, 17 Sep 2009 11:12:36 +0200
Subject: [PATCH] added generic LDAP search sdap_get_generic_send/_recv

---
 server/providers/ldap/sdap.c   |   85 +++
 server/providers/ldap/sdap.h   |5 +
 server/providers/ldap/sdap_async.c |  201 
 server/providers/ldap/sdap_async.h |   13 +++
 4 files changed, 304 insertions(+), 0 deletions(-)

diff --git a/server/providers/ldap/sdap.c b/server/providers/ldap/sdap.c
index 7eaa1e9..9268692 100644
--- a/server/providers/ldap/sdap.c
+++ b/server/providers/ldap/sdap.c
@@ -191,6 +191,91 @@ fail:
 return ret;
 }
 
+int sdap_parse_generic_entry(TALLOC_CTX *memctx,
+struct sdap_handle *sh,
+struct sdap_msg *sm,
+struct sysdb_attrs **_attrs)
+{
+struct sysdb_attrs *attrs;
+BerElement *ber = NULL;
+struct berval **vals;
+struct ldb_val v;
+char *str;
+int lerrno;
+int i;
+int ret;
+
+lerrno = 0;
+ldap_set_option(sh-ldap, LDAP_OPT_RESULT_CODE, lerrno);
+
+attrs = sysdb_new_attrs(memctx);
+if (!attrs) return ENOMEM;
+
+str = ldap_get_dn(sh-ldap, sm-msg);
+if (!str) {
+ldap_get_option(sh-ldap, LDAP_OPT_RESULT_CODE, lerrno);
+DEBUG(1, (ldap_get_dn failed: %d(%s)\n,
+  lerrno, ldap_err2string(lerrno)));
+ret = EIO;
+goto fail;
+}
+
+DEBUG(9, (OriginalDN: [%s].\n, str));
+ret = sysdb_attrs_add_string(attrs, SYSDB_ORIG_DN, str);
+if (ret) goto fail;
+ldap_memfree(str);
+
+str = ldap_first_attribute(sh-ldap, sm-msg, ber);
+if (!str) {
+ldap_get_option(sh-ldap, LDAP_OPT_RESULT_CODE, lerrno);
+DEBUG(9, (Entry has no attributes [%d(%s)]!?\n,
+  lerrno, ldap_err2string(lerrno)));
+}
+while (str) {
+vals = ldap_get_values_len(sh-ldap, sm-msg, str);
+if (!vals) {
+ldap_get_option(sh-ldap, LDAP_OPT_RESULT_CODE, lerrno);
+DEBUG(1, (LDAP Library error: %d(%s),
+  lerrno, ldap_err2string(lerrno)));
+ret = EIO;
+goto fail;
+}
+if (!vals[0]) {
+DEBUG(1, (Missing value after ldap_get_values() ??\n));
+ret = EINVAL;
+goto fail;
+}
+for (i = 0; vals[i]; i++) {
+v.data = (uint8_t *) vals[i]-bv_val;
+v.length = vals[i]-bv_len;
+
+ret = sysdb_attrs_add_val(attrs, str, v);
+if (ret) goto fail;
+}
+ldap_value_free_len(vals);
+
+ldap_memfree(str);
+str = ldap_next_attribute(sh-ldap, sm-msg, ber);
+}
+ber_free(ber, 0);
+
+ldap_get_option(sh-ldap, LDAP_OPT_RESULT_CODE, lerrno);
+if (lerrno) {
+DEBUG(1, (LDAP Library error: %d(%s),
+  lerrno, ldap_err2string(lerrno)));
+ret = EIO;
+goto fail;
+}
+
+*_attrs = attrs;
+return EOK;
+
+fail:
+if (ber) ber_free(ber, 0);
+talloc_free(attrs);
+return ret;
+}
+
 /* This function converts an ldap message into a sysdb_attrs structure.
  * It converts only known user attributes, the rest are ignored.
  * If the entry is not that of an user an error is returned.
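Review bot: The fail label frees only ber and attrs, so the DN returned by ldap_get_dn leaks when sysdb_attrs_add_string fails just before the ldap_memfree, and inside the loop the attribute name from ldap_first_attribute/ldap_next_attribute and the vals array from ldap_get_values_len leak on each `goto fail` (the `!vals[0]` and sysdb_attrs_add_val paths drop both). Because this parser runs once per entry of a remote search result, a directory that keeps returning entries that trip these paths can make the provider's memory grow without bound. Initialise vals to NULL, clear it after ldap_value_free_len, and release both in the fail label; str is NULL at every other failure point, so a NULL check is enough. The two "LDAP Library error" DEBUG strings also lack the trailing newline the other messages in the function carry.
```c
int sdap_parse_generic_entry(TALLOC_CTX *memctx,
                             struct sdap_handle *sh,
                             struct sdap_msg *sm,
                             struct sysdb_attrs **_attrs)
{
    struct sysdb_attrs *attrs;
    BerElement *ber = NULL;
    struct berval **vals = NULL;   /* NULL whenever no array is owned */
    /* … unchanged: remaining locals, result-code reset, DN handling … */

    while (str) {
        /* … unchanged: ldap_get_values_len and sysdb_attrs_add_val loop … */
        ldap_value_free_len(vals);
        vals = NULL;

        ldap_memfree(str);
        str = ldap_next_attribute(sh->ldap, sm->msg, ber);
    }
    /* … unchanged: ber_free, final result-code check, success return … */

fail:
    if (vals) ldap_value_free_len(vals);
    if (str) ldap_memfree(str);     /* DN or attribute name still owned */
    if (ber) ber_free(ber, 0);
    talloc_free(attrs);
    return ret;
}
```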
diff --git a/server/providers/ldap/sdap.h b/server/providers/ldap/sdap.h
index 31c7289..3abe2d6 100644
--- a/server/providers/ldap/sdap.h
+++ b/server/providers/ldap/sdap.h
@@ -203,6 +203,11 @@ int sdap_parse_group(TALLOC_CTX *memctx, struct 
sdap_options *opts,
  struct sdap_handle *sh, struct sdap_msg *sm,
  struct sysdb_attrs **_attrs, char **_dn);
 
+int sdap_parse_generic_entry(TALLOC_CTX *memctx

[SSSD] [PATCH] add store/search/delete interface for custom sysdb objects

2009-10-19 Thread Sumit Bose
Hi,

this patch adds a store/search/delete sysdb API for data not related to
users or groups. The data is stored in cn=custom,cn=domain,cn=sysdb. The
client must specify a subtree_name and an object_name to save the data
in cn=object_name,cn=subtree_name,cn=custom,cn=domain,cn=sysdb.

Please have a look at the sysdb_check_handle_* request, too. I think it
makes the code more readable and helps to reduce code duplication.

bye,
Sumit
From 1615be0ba99dd996a58d43d2e6000edae9cc272b Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Tue, 6 Oct 2009 09:17:56 +0200
Subject: [PATCH] add store/search/delete interface for custom sysdb objects

---
 server/db/sysdb.c  |8 +
 server/db/sysdb.h  |   35 
 server/db/sysdb_ops.c  |  488 
 server/tests/sysdb-tests.c |  229 +
 4 files changed, 760 insertions(+), 0 deletions(-)

diff --git a/server/db/sysdb.c b/server/db/sysdb.c
index 7a6d616..a0c1338 100644
--- a/server/db/sysdb.c
+++ b/server/db/sysdb.c
@@ -24,6 +24,14 @@
 #include confdb/confdb.h
 #include time.h
 
+struct ldb_dn *sysdb_custom_dn(struct sysdb_ctx *ctx, void *memctx,
+const char *domain, const char *object_name,
+const char *subtree_name)
+{
+return ldb_dn_new_fmt(memctx, ctx-ldb, SYSDB_TMPL_CUSTOM, object_name,
+  subtree_name, domain);
+}
+
 struct ldb_dn *sysdb_user_dn(struct sysdb_ctx *ctx, void *memctx,
  const char *domain, const char *name)
 {
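Review bot: object_name and subtree_name are substituted verbatim into the DN template by ldb_dn_new_fmt, which does not escape RDN values, so a name containing ',' '=' or '+' changes the structure of the resulting DN instead of becoming part of the value. The existing sysdb_user_dn below follows the same pattern, so this may be an accepted convention, but the cover letter describes the new API as a place to store copies of remote search results, where names are not chosen locally; callers should pass such values through ldb_dn_escape_value or reject them before building the DN. A comment on the new prototype, e.g. `/* object_name and subtree_name are used as raw RDN values; escape them first */`, records that obligation for callers.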
diff --git a/server/db/sysdb.h b/server/db/sysdb.h
index 9afb957..55852c5 100644
--- a/server/db/sysdb.h
+++ b/server/db/sysdb.h
@@ -33,6 +33,7 @@
 #define SYSDB_DOM_BASE cn=%s,cn=sysdb
 #define SYSDB_TMPL_USER_BASE cn=users,cn=%s,SYSDB_BASE
 #define SYSDB_TMPL_GROUP_BASE cn=groups,cn=%s,SYSDB_BASE
+#define SYSDB_TMPL_CUSTOM_BASE cn=custom,cn=%s,SYSDB_BASE
 
 #define SYSDB_USER_CLASS user
 #define SYSDB_GROUP_CLASS group
@@ -132,6 +133,7 @@
 
 #define SYSDB_TMPL_USER SYSDB_NAME=%s,SYSDB_TMPL_USER_BASE
 #define SYSDB_TMPL_GROUP SYSDB_NAME=%s,SYSDB_TMPL_GROUP_BASE
+#define SYSDB_TMPL_CUSTOM SYSDB_NAME=%s,cn=%s,SYSDB_TMPL_CUSTOM_BASE
 
 #define SYSDB_MOD_ADD LDB_FLAG_MOD_ADD
 #define SYSDB_MOD_DEL LDB_FLAG_MOD_DELETE
@@ -176,6 +178,11 @@ struct ldb_dn *sysdb_group_dn(struct sysdb_ctx *ctx, void 
*memctx,
   const char *domain, const char *name);
 struct ldb_dn *sysdb_domain_dn(struct sysdb_ctx *ctx, void *memctx,
const char *domain);
+struct ldb_dn *sysdb_custom_dn(struct sysdb_ctx *ctx, void *memctx,
+const char *domain, const char *object_name,
+const char *subtree_name);
+
+
 
 struct ldb_context *sysdb_ctx_get_ldb(struct sysdb_ctx *ctx);
 struct ldb_context *sysdb_handle_get_ldb(struct sysdb_handle *handle);
@@ -515,4 +522,32 @@ struct tevent_req *sysdb_cache_password_send(TALLOC_CTX 
*mem_ctx,
  const char *password);
 int sysdb_cache_password_recv(struct tevent_req *req);
 
+struct tevent_req *sysdb_store_custom_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sysdb_handle *handle,
+ struct sss_domain_info *domain,
+ const char *object_name,
+ const char *subtree_name,
+ struct sysdb_attrs *attrs);
+int sysdb_store_custom_recv(struct tevent_req *req);
+
+struct tevent_req *sysdb_search_custom_by_name_send(TALLOC_CTX *mem_ctx,
+struct tevent_context *ev,
+struct sysdb_ctx *sysdb,
+struct sysdb_handle 
*handle,
+struct sss_domain_info 
*domain,
+const char *object_name,
+const char *subtree_name,
+const char **attrs);
+int sysdb_search_custom_recv(struct tevent_req *req,
+  TALLOC_CTX *mem_ctx,
+  struct ldb_message **msg);
+
+struct tevent_req *sysdb_delete_custom_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sysdb_handle *handle,
+ struct sss_domain_info *domain,
+ const char *object_name,
+ const char *subtree_name);
+int sysdb_delete_custom_recv(struct tevent_req *req

Re: [SSSD] [PATCHES] Assorted packaging fixes

2009-10-19 Thread Sumit Bose
On Mon, Oct 19, 2009 at 01:09:54PM -0400, Stephen Gallagher wrote:
 0001: Use Python 3-compatible sitearch and sitelib
 
 0002: Better detect installed language files. Previously we were
 including the translation files for both the daemon and clients in the
 server package. This will separate them so the sss_client translations
 will be shipped in the sssd-client package.
 
 0003: Clean up rpmlint errors and warnings in sssd-client package
 - Run ldconfig in sssd-client post and postun
 - Version libnss_sss.so as libnss_sss.so.2 (to set the correct
   SONAME)
 
 0004: Set the Default-Stop LSB option for the SSSD sysv init script
 rpmlint warned that no Default-Stop option had been specified (which is
 mandatory for LSB-compatibility)
 
 -- 
 Stephen Gallagher
 RHCE 804006346421761
 

ACK to all

bye,
Sumit
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel


Re: [SSSD] [PATCH] Introduce native ipa options

2009-10-19 Thread Sumit Bose
On Fri, Oct 16, 2009 at 07:10:36PM -0400, Simo Sorce wrote:
 This patch introduces the first set of native ipa options.
 At the moment a full configuration still requires specifying krb5
 specific options. This will be fixed once Sumit provides a patch for the
 krb5 provider that uses the dp_option helpers.
 
 NOTE: this is not reflected in the man page which is built with the
 final result in mind.
 
 Simo.
 

ACK if you add sssd-ipa.5 to the spec-file.

bye,
Sumit
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel


Re: [SSSD] [PATCH] add store/search/delete interface for custom sysdb objects

2009-10-21 Thread Sumit Bose
On Tue, Oct 20, 2009 at 07:46:02PM -0400, Simo Sorce wrote:
 On Mon, 2009-10-19 at 16:42 +0200, Sumit Bose wrote:
  Hi,
  
  this patch adds a store/search/delete sysdb API for data not related
  to
   users or groups. The data is stored in cn=custom,cn=domain,cn=sysdb.
  The
  client must specify a subtree_name and an object_name to save the data
  in cn=object_name,cn=subtree_name,cn=custom,cn=domain,cn=sysdb.
  
  Please have a look at the sysdb_check_handle_* request, too. I think
  it
  makes the code more readable and helps to reduce code duplications.
 
 Why are you deleting and re-adding the entry in custom store ?
 Why not just replace the attributes you want to set ?
 
 Simo.
 

I think it is a typical use case that you want to store a copy of some
LDAP search result, replacing all existing data. Maybe an update call
can be integrated when needed.

bye,
Sumit
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel


Re: [SSSD] fix setting schema in ipa provider

2009-10-22 Thread Sumit Bose
On Thu, Oct 22, 2009 at 12:39:57PM -0400, Simo Sorce wrote:
 one liner
 
 -- 
 Simo Sorce * Red Hat, Inc * New York

 From 86e1b6c35ed196140f25235a3e1a9610133696fc Mon Sep 17 00:00:00 2001
 From: Simo Sorce sso...@redhat.com
 Date: Thu, 22 Oct 2009 12:33:14 -0400
 Subject: [PATCH] Fix setting the schema in the ipa provider
 
 ---
  server/providers/ipa/ipa_common.c |3 +++
  1 files changed, 3 insertions(+), 0 deletions(-)
 
 diff --git a/server/providers/ipa/ipa_common.c 
 b/server/providers/ipa/ipa_common.c
 index 799ac2f..aee0cd6 100644
 --- a/server/providers/ipa/ipa_common.c
 +++ b/server/providers/ipa/ipa_common.c
 @@ -288,6 +288,9 @@ int ipa_get_id_options(TALLOC_CTX *memctx,
  goto done;
  }
  
 +/* fix schema to IPAv1 for now */
 +ipa_opts-id-schema_type = SDAP_SCHEMA_IPA_V1;
 +
  ret = sdap_get_map(ipa_opts-id,
 cdb, conf_path,
 ipa_user_map,
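Review bot: The forced `schema_type = SDAP_SCHEMA_IPA_V1` runs after the options have been read, so any schema a user configured is replaced without a trace in the logs. Since the comment marks this as temporary, a `DEBUG(6, ("Forcing LDAP schema to IPAv1.\n"));` beside it, or a comment stating that the configured schema is intentionally ignored for now, would make the behaviour visible when a configuration problem is being debugged.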
 -- 
 1.6.2.5
 

This looks very similar to the patch I have in my tree :-)

ACK

bye,
Sumit
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel


[SSSD] [PATCH] store original DN with cached group objects if available

2009-10-23 Thread Sumit Bose
Hi,

with this patch the original DN of a group object is stored in sysdb.
This is needed e.g. for IPA HBAC.

bye,
Sumit
From 2466992484ad8d6838471208c5a1c3eb7968eaa5 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Fri, 23 Oct 2009 13:54:28 +0200
Subject: [PATCH] store original DN with cached group objects if available

---
 server/providers/ldap/sdap_async.c |   16 
 1 files changed, 16 insertions(+), 0 deletions(-)

diff --git a/server/providers/ldap/sdap_async.c 
b/server/providers/ldap/sdap_async.c
index 6350433..6b8790a 100644
--- a/server/providers/ldap/sdap_async.c
+++ b/server/providers/ldap/sdap_async.c
@@ -1648,6 +1648,22 @@ static struct tevent_req 
*sdap_save_group_send(TALLOC_CTX *memctx,
 goto fail;
 }
 
+ret = sysdb_attrs_get_el(state-attrs, SYSDB_ORIG_DN, el);
+if (ret) {
+goto fail;
+}
+if (el-num_values == 0) {
+DEBUG(7, (Original DN is not available for [%s].\n, state-name));
+} else {
+DEBUG(7, (Adding original DN [%s] to attributes of [%s].\n,
+  el-values[0].data, state-name));
+ret = sysdb_attrs_add_string(group_attrs, SYSDB_ORIG_DN,
+ (const char *) el-values[0].data);
+if (ret) {
+goto fail;
+}
+}
+
 ret = sysdb_attrs_get_el(state-attrs,
   opts-group_map[SDAP_AT_GROUP_MODSTAMP].sys_name, el);
 if (ret) {
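Review bot: `el->values[0].data` is an ldb_val payload that carries its own length, yet the DEBUG at the top of the block prints it with `%s` and the sysdb_attrs_add_string call casts it to `const char *`, both of which assume a terminating NUL that ldb_val does not guarantee. If the value was stored by sysdb_attrs_add_string it is presumably terminated, but the length-aware forms need no such assumption: `DEBUG(7, ("Adding original DN [%.*s] to attributes of [%s].\n", (int) el->values[0].length, el->values[0].data, state->name));` and `ret = sysdb_attrs_add_val(group_attrs, SYSDB_ORIG_DN, &el->values[0]);`. sdap_save_group_send starts and ends outside this hunk.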
-- 
1.6.2.5

___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel


Re: [SSSD] [PATCHES] Minor fixes

2009-10-26 Thread Sumit Bose
On Sat, Oct 24, 2009 at 02:07:15PM -0400, Simo Sorce wrote:
 Shouldn't require comments.
 
 Simo.

[PATCH] Add IPA conf template, looks ok to me: ACK

[PATCH] Copy option overrides, ACK, but please fix the typo in the patch
description.

Maybe it would be helpful to add a call to dump the current
configuration.

[PATCH] Read the right buffer, avoids potential segfaults, ACK

bye,
Sumit
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel


Re: [SSSD] [PATCH] Fix group enumerations for IPA/AD domains

2009-10-27 Thread Sumit Bose
On Tue, Oct 27, 2009 at 09:23:54AM -0400, Simo Sorce wrote:
 On Sat, 2009-10-24 at 14:08 -0400, Simo Sorce wrote:
  With this patch we correctly parse groups.
  A 2 pass approach for setting members assures even complicated nested
  groups do not risk to miss memberships
 
 Rebased on top of Sumit patch that stores the DN
 
 Also fixed an error in a debug message where the .* qualifier in %s was
 missing.
 
 
 -- 
 Simo Sorce * Red Hat, Inc * New York

ACK

bye,
Sumit
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel


Re: [SSSD] [PATCH] added a ASQ search API for sysdb

2009-10-27 Thread Sumit Bose
On Tue, Oct 27, 2009 at 10:27:40AM -0400, Simo Sorce wrote:
 On Mon, 2009-10-26 at 17:43 +0100, Sumit Bose wrote:
  Hi,
  
  this patch adds a sysdb interface for ASQ (attribute scoped query)
  searches. These are useful to limit searches to objects listed in
  member/memberof attributes (this is not limited to member/memberof you
  can take any attribute you want).
 
 The sysdb part looks good, so I'd say: ACK
 
 The tests should work fine although I have a couple of remarks on the
 style, and what is tested.
 
 The tests use a synchronous style, so in this case the _done() function
 should just get you out of the loop.
 The _recv() function should be called after the test_loop() returns.
 We are being synchronous here so no need to suffer the pain of jumping
 through functions to see the program flow.
 
 Also the test itself is not a request, so the request structure in this
 case should be named req and not subreq.
 
 You are testing the return of only one result, it may be worth testing
 with something that will return at least 2 results to exercise the
 realloc machinery and the checks with more than one result.
 
 Simo.
 

Thanks for the review. I have modified the test accordingly and fixed the
indentation in sysdb.h and sysdb_ops.c.

bye,
Sumit
From bfd161aa6e2cbf1c03be3269d4f79e6b5684c360 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Mon, 26 Oct 2009 13:03:22 +0100
Subject: [PATCH] added a ASQ search API for sysdb

---
 server/db/sysdb.h  |   12 +++
 server/db/sysdb_ops.c  |  218 
 server/tests/sysdb-tests.c |  126 +
 3 files changed, 356 insertions(+), 0 deletions(-)

diff --git a/server/db/sysdb.h b/server/db/sysdb.h
index dfb53aa..7e7a29c 100644
--- a/server/db/sysdb.h
+++ b/server/db/sysdb.h
@@ -551,4 +551,16 @@ struct tevent_req *sysdb_delete_custom_send(TALLOC_CTX 
*mem_ctx,
  const char *object_name,
  const char *subtree_name);
 int sysdb_delete_custom_recv(struct tevent_req *req);
+
+struct tevent_req *sysdb_asq_search_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sysdb_ctx *sysdb,
+ struct sysdb_handle *handle,
+ struct sss_domain_info *domain,
+ struct ldb_dn *base_dn,
+ const char *expression,
+ const char *asq_attribute,
+ const char **attrs);
+int sysdb_asq_search_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+  size_t *msgs_count, struct ldb_message ***msgs);
 #endif /* __SYS_DB_H__ */
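Review bot: sysdb_asq_search_recv reports the result count through `size_t *msgs_count`, while the request state that backs it in sysdb_ops.c keeps `int msgs_count`, so the recv side has to convert a signed counter into size_t and a negative value would silently become a huge count. Declaring the state member as size_t keeps both sides in the same type. The new public prototypes carry no comment; a short block above sysdb_asq_search_send saying that the objects referenced by base_dn's asq_attribute values are filtered by expression and returned with the listed attrs, as the cover letter describes, would tell callers what the three string arguments mean.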
diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c
index e045ad7..ae5c7f0 100644
--- a/server/db/sysdb_ops.c
+++ b/server/db/sysdb_ops.c
@@ -3828,3 +3828,221 @@ int sysdb_delete_custom_recv(struct tevent_req *req)
 
 return EOK;
 }
+
+/* = ASQ search request  */
+struct sysdb_asq_search_state {
+struct tevent_context *ev;
+struct sysdb_ctx *sysdb;
+struct sysdb_handle *handle;
+struct sss_domain_info *domain;
+struct ldb_dn *base_dn;
+const char *asq_attribute;
+const char **attrs;
+const char *expression;
+
+int msgs_count;
+struct ldb_message **msgs;
+};
+
+void sysdb_asq_search_check_handle_done(struct tevent_req *subreq);
+static void sysdb_asq_search_done(struct tevent_req *subreq);
+
+struct tevent_req *sysdb_asq_search_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sysdb_ctx *sysdb,
+ struct sysdb_handle *handle,
+ struct sss_domain_info *domain,
+ struct ldb_dn *base_dn,
+ const char *expression,
+ const char *asq_attribute,
+ const char **attrs)
+{
+struct tevent_req *req;
+struct tevent_req *subreq;
+struct sysdb_asq_search_state *state;
+int ret;
+
+if (sysdb == NULL  handle == NULL) {
+DEBUG(1, (Sysdb context not available.\n));
+return NULL;
+}
+
+req = tevent_req_create(mem_ctx, state, struct sysdb_asq_search_state);
+if (req == NULL) {
+DEBUG(1, (tevent_req_create failed.\n));
+return NULL;
+}
+
+state-ev = ev;
+state-sysdb = (sysdb == NULL) ? handle-ctx : sysdb;
+state-handle = handle;
+state-domain = domain;
+state-base_dn = base_dn;
+state-expression = expression;
+state-asq_attribute = asq_attribute;
+state-attrs = attrs

[SSSD] [PATCH] Allow sysdb_search_entry request to return more than one result

2009-10-28 Thread Sumit Bose
Hi,

this patch makes the sysdb_search_entry request more flexible by
enabling it to return more than one result. I have modified the current
callers so that they only take the first result and send a DEBUG message
if there is more than one result.

bye,
Sumit
From 79149782d1dafc59f91fce3fcb305a2d652ecf7e Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Wed, 28 Oct 2009 19:42:06 +0100
Subject: [PATCH] Allow sysdb_search_entry request to return more than one result

---
 server/db/sysdb.h  |3 +-
 server/db/sysdb_ops.c  |   90 +--
 server/tests/sysdb-tests.c |  112 
 3 files changed, 178 insertions(+), 27 deletions(-)

diff --git a/server/db/sysdb.h b/server/db/sysdb.h
index 5c15d3a..00a3378 100644
--- a/server/db/sysdb.h
+++ b/server/db/sysdb.h
@@ -321,7 +321,8 @@ struct tevent_req *sysdb_search_entry_send(TALLOC_CTX 
*mem_ctx,
const char **attrs);
 int sysdb_search_entry_recv(struct tevent_req *req,
 TALLOC_CTX *mem_ctx,
-struct ldb_message **msg);
+size_t *msgs_size,
+struct ldb_message ***msgs);
 
 /* Search User (by uid or name) */
 struct tevent_req *sysdb_search_user_by_name_send(TALLOC_CTX *mem_ctx,
diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c
index 1802234..3ebb03d 100644
--- a/server/db/sysdb_ops.c
+++ b/server/db/sysdb_ops.c
@@ -203,6 +203,8 @@ struct sysdb_op_state {
 bool ignore_not_found;
 
 struct ldb_reply *ldbreply;
+size_t msgs_count;
+struct ldb_message **msgs;
 };
 
 static void sysdb_op_default_done(struct tevent_req *subreq)
@@ -322,6 +324,8 @@ struct tevent_req *sysdb_search_entry_send(TALLOC_CTX 
*mem_ctx,
 state-handle = handle;
 state-ignore_not_found = false;
 state-ldbreply = NULL;
+state-msgs_count = 0;
+state-msgs = NULL;
 
 ret = ldb_build_search_req(ldbreq, handle-ctx-ldb, state,
base_dn, scope, filter, attrs,
@@ -354,6 +358,7 @@ static void sysdb_search_entry_done(struct tevent_req 
*subreq)
 struct sysdb_op_state *state = tevent_req_data(req,
   struct sysdb_op_state);
 struct ldb_reply *ldbreply;
+struct ldb_message **dummy;
 int ret;
 
 ret = sldb_request_recv(subreq, state, ldbreply);
@@ -365,27 +370,32 @@ static void sysdb_search_entry_done(struct tevent_req 
*subreq)
 
 switch (ldbreply-type) {
 case LDB_REPLY_ENTRY:
-if (state-ldbreply) {
-DEBUG(1, (More than one reply for a base search ?! 
-  DB seems corrupted, aborting.));
-tevent_req_error(req, EFAULT);
+dummy = talloc_realloc(state, state-msgs,
+ struct ldb_message *,
+ state-msgs_count + 2);
+if (dummy == NULL) {
+tevent_req_error(req, ENOMEM);
 return;
 }
+state-msgs = dummy;
 
-/* save the entry so that it can be retrieved by the caller */
-state-ldbreply = ldbreply;
+state-msgs[state-msgs_count + 1] = NULL;
 
-/* just return, wait for a LDB_REPLY_DONE entry */
+state-msgs[state-msgs_count] = talloc_steal(state-msgs,
+  ldbreply-message);
+state-msgs_count++;
+
+talloc_zfree(ldbreply);
 return;
 
 case LDB_REPLY_DONE:
-if (!state-ldbreply) {
-talloc_zfree(ldbreply);
+talloc_zfree(subreq);
+talloc_zfree(ldbreply);
+if (!state-msgs) {
 DEBUG(6, (Error: Entry not Found!\n));
 tevent_req_error(req, ENOENT);
 return;
 }
-talloc_zfree(ldbreply);
 return tevent_req_done(req);
 
 default:
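Review bot: On the talloc_realloc failure path `ldbreply` is left hanging off `state` and `subreq` is not released before `tevent_req_error(req, ENOMEM)`, whereas the LDB_REPLY_DONE branch frees both before finishing the request; for symmetry add `talloc_zfree(subreq); talloc_zfree(ldbreply);` ahead of the error return. This is not a leak in the strict sense, assuming both objects hang off state and are released with the request, but it makes the two exit paths behave the same and avoids holding a dead subrequest until the caller frees req. The `default:` branch and the end of sysdb_search_entry_done are outside the hunk.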
@@ -399,7 +409,8 @@ static void sysdb_search_entry_done(struct tevent_req 
*subreq)
 
 int sysdb_search_entry_recv(struct tevent_req *req,
 TALLOC_CTX *mem_ctx,
-struct ldb_message **msg)
+size_t *msgs_count,
+struct ldb_message ***msgs)
 {
 struct sysdb_op_state *state = tevent_req_data(req,
struct sysdb_op_state);
@@ -410,7 +421,8 @@ int sysdb_search_entry_recv(struct tevent_req *req,
 return err;
 }
 
-*msg = talloc_move(mem_ctx, state-ldbreply-message);
+*msgs_count = state-msgs_count;
+*msgs = talloc_move(mem_ctx, state-msgs);
 
 return EOK;
 }
@@ -427,7 +439,8 @@ struct sysdb_search_user_state {
 const char *filter;
 int scope;
 
-struct ldb_message *msg;
+size_t msgs_count;
+struct ldb_message **msgs;
 };
 
 static void sysdb_search_user_cont(struct tevent_req *subreq);
@@ -453,7 +466,8

Re: [SSSD] [PATCH] Allow sysdb_search_entry request to return more than one result

2009-10-29 Thread Sumit Bose
On Thu, Oct 29, 2009 at 09:15:23AM -0400, Stephen Gallagher wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On 10/28/2009 02:55 PM, Sumit Bose wrote:
  Hi,
  
  this patch makes the sysdb_search_entry request more flexible by
  enableing it to return more than one result. I have modified the current
  callers so that they only take the first result and send a DEBUG message
  if there are more than one results.
  
  bye,
  Sumit
  
  
  
 
 Nack.
 
 In sysdb_search_entry_done() please move state-msgs_count++; above the
 talloc_realloc and use state-msgs_count + 1 for the size instead of +2.
 It reads better (one extra for the NULL). I'd also prefer if you used
 'if (state-msgs_count == 0)' instead of 'if (!state-msgs)' in
 LDB_REPLY_DONE, because it's technically possible for state-msgs[0] ==
 NULL and this test will still succeed (and be wrong).
 
 In the assorted _recv() functions, you implicitly return the first entry
 found. This is a distinct break from the previous functionality, where
 sysdb_search_entry_done() would have thrown an error if the count was 
 1. I think we need to continue reporting an error here instead of
 returning possibly incorrect data.* Besides, if we've gotten a
 multiple-value return for a base search, there's something seriously
 wrong and this needs to be reported.
 
 * The data could be incorrect because we don't necessarily know whether
 the LDB will always return the same user first.
 
 - -- 
 Stephen Gallagher
 RHCE 804006346421761
 
 Delivering value year after year.
 Red Hat ranks #1 in value among software vendors.
 http://www.redhat.com/promo/vendor/
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.9 (GNU/Linux)
 Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
 
 iEYEARECAAYFAkrplWYACgkQeiVVYja6o6MMcQCfVKSdyReoJ2tNFlSdLesFroqc
 npEAn0iMItMh9/J9O/RjsB0JSPzcjS6S
 =ekUQ
 -END PGP SIGNATURE-

ok, the _recv functions return EFAULT now and the
'if (state-msgs_count == 0)' check is used. I haven't changed the
realloc section because it would result in a 'state-msgs_count -1'
in an index.

Thanks for the review.

bye,
Sumit
From 8c28f0936e02fdaeab6105c3e646aecce1027289 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Wed, 28 Oct 2009 19:42:06 +0100
Subject: [PATCH] Allow sysdb_search_entry request to return more than one result

---
 server/db/sysdb.h  |3 +-
 server/db/sysdb_ops.c  |   90 +--
 server/tests/sysdb-tests.c |  112 
 3 files changed, 178 insertions(+), 27 deletions(-)

diff --git a/server/db/sysdb.h b/server/db/sysdb.h
index 5c15d3a..00a3378 100644
--- a/server/db/sysdb.h
+++ b/server/db/sysdb.h
@@ -321,7 +321,8 @@ struct tevent_req *sysdb_search_entry_send(TALLOC_CTX 
*mem_ctx,
const char **attrs);
 int sysdb_search_entry_recv(struct tevent_req *req,
 TALLOC_CTX *mem_ctx,
-struct ldb_message **msg);
+size_t *msgs_size,
+struct ldb_message ***msgs);
 
 /* Search User (by uid or name) */
 struct tevent_req *sysdb_search_user_by_name_send(TALLOC_CTX *mem_ctx,
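Review bot: The prototype still names the count parameter `msgs_size` while the definition in sysdb_ops.c uses `msgs_count`; rename it to `size_t *msgs_count,` so callers reading the header see the same name as the implementation. A one-line comment that the returned array is NULL-terminated and owned by mem_ctx would also spare callers a trip into sysdb_ops.c.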
diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c
index 1802234..acff5e5 100644
--- a/server/db/sysdb_ops.c
+++ b/server/db/sysdb_ops.c
@@ -203,6 +203,8 @@ struct sysdb_op_state {
 bool ignore_not_found;
 
 struct ldb_reply *ldbreply;
+size_t msgs_count;
+struct ldb_message **msgs;
 };
 
 static void sysdb_op_default_done(struct tevent_req *subreq)
@@ -322,6 +324,8 @@ struct tevent_req *sysdb_search_entry_send(TALLOC_CTX 
*mem_ctx,
 state-handle = handle;
 state-ignore_not_found = false;
 state-ldbreply = NULL;
+state-msgs_count = 0;
+state-msgs = NULL;
 
 ret = ldb_build_search_req(ldbreq, handle-ctx-ldb, state,
base_dn, scope, filter, attrs,
@@ -354,6 +358,7 @@ static void sysdb_search_entry_done(struct tevent_req 
*subreq)
 struct sysdb_op_state *state = tevent_req_data(req,
   struct sysdb_op_state);
 struct ldb_reply *ldbreply;
+struct ldb_message **dummy;
 int ret;
 
 ret = sldb_request_recv(subreq, state, ldbreply);
@@ -365,27 +370,32 @@ static void sysdb_search_entry_done(struct tevent_req 
*subreq)
 
 switch (ldbreply-type) {
 case LDB_REPLY_ENTRY:
-if (state-ldbreply) {
-DEBUG(1, (More than one reply for a base search ?! 
-  DB seems corrupted, aborting.));
-tevent_req_error(req, EFAULT);
+dummy = talloc_realloc(state, state-msgs,
+ struct ldb_message

Re: [SSSD] [PATCH] Slight change for ipa options

2009-10-29 Thread Sumit Bose
On Wed, Oct 28, 2009 at 05:12:59PM -0400, Simo Sorce wrote:
 And other changes, see commit message.
 
 Simo.
 
 -- 
 Simo Sorce * Red Hat, Inc * New York

 From 1b8814820fad2d6e399af0a5f93713312b64d28d Mon Sep 17 00:00:00 2001
 From: Simo Sorce sso...@redhat.com
 Date: Wed, 28 Oct 2009 17:02:45 -0400
 Subject: [PATCH] Tidy up ipa options
 
 Do not replicate every and each option we may want to set in ipa.
 Just read out ldap and krb provider options (added reference in the manual 
 too,
 and removed mention of ipa specific timeout values, use ldap options for that)
 

ACK, although I think we should reintroduce some of the values if it turns
out that they are used often. Maybe in form of a ipa_base_timeout and
derived the other timeouts from that value.

 Avoid calling auth module initialization twice, just pass the auth context to
 the chpass module too.

ACK

 
 Add a new ldap option SDAP_SEARCH_BASE, so that a single searching base can be
 used for both users and groups. the user and group search bases can still be 
 set
 separately if necessary but they are now optional and set to be identical to
 SDAP_SEARCH_BASE if not explicitly specified in the configuration.

ACK

bye,
Sumit


Re: [SSSD] [PATCH] add sysdb_delete_recursive request to sysdb API

2009-10-29 Thread Sumit Bose
On Thu, Oct 29, 2009 at 01:39:21PM +0100, Sumit Bose wrote:
 Hi,
 
 this patch adds a recursive delete request to the sysdb API. It has the
 same interface as sysdb_delete_entry, but does not delete the entry, but
 its children.
 
 bye,
 Sumit

This is a new version of the patch which tries to delete the entry AND
all its children. It searches all objects with a subtree search, sorts
the result so that the ones with the most components come first and
finally loops over the results and deletes them.

bye,
Sumit
From 0f087f921f5f3e26557049a25822c6183efcad91 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Thu, 29 Oct 2009 12:57:57 +0100
Subject: [PATCH] add sysdb_delete_recursive request to sysdb API

---
 server/db/sysdb.h  |8 +++
 server/db/sysdb_ops.c  |  145 
 server/tests/sysdb-tests.c |  111 -
 3 files changed, 260 insertions(+), 4 deletions(-)

diff --git a/server/db/sysdb.h b/server/db/sysdb.h
index 00a3378..fcb8e5a 100644
--- a/server/db/sysdb.h
+++ b/server/db/sysdb.h
@@ -311,6 +311,14 @@ struct tevent_req *sysdb_delete_entry_send(TALLOC_CTX 
*mem_ctx,
bool ignore_not_found);
 int sysdb_delete_entry_recv(struct tevent_req *req);
 
+
+struct tevent_req *sysdb_delete_recursive_send(TALLOC_CTX *mem_ctx,
+   struct tevent_context *ev,
+   struct sysdb_handle *handle,
+   struct ldb_dn *dn,
+   bool ignore_not_found);
+int sysdb_delete_recursive_recv(struct tevent_req *req);
+
 /* Search Entry */
 struct tevent_req *sysdb_search_entry_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
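Review bot: The new sysdb_delete_recursive_send/_recv pair is added without the short section comment every neighbouring API in this header carries (`/* Search Entry */` sits right below it); add one such as `/* Delete Entry and all its children (subtree delete) */`. It would also help to spell out what `ignore_not_found` covers — in the .c part of this patch it turns an ENOENT from the initial subtree search into success — so callers know whether a missing base DN, a missing child, or both are tolerated. Deleting a whole subtree is a destructive operation, so a sentence on the expected transaction context (the handle) is worth having here as well.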
diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c
index acff5e5..882ef45 100644
--- a/server/db/sysdb_ops.c
+++ b/server/db/sysdb_ops.c
@@ -300,6 +300,151 @@ int sysdb_delete_entry_recv(struct tevent_req *req)
 }
 
 
+/* 
=Remove-Subentries-From-Sysdb=== */
+
+struct sysdb_delete_recursive_state {
+struct tevent_context *ev;
+struct sysdb_handle *handle;
+
+bool ignore_not_found;
+
+struct ldb_reply *ldbreply;
+size_t msgs_count;
+struct ldb_message **msgs;
+size_t current_item;
+};
+
+static void sysdb_delete_recursive_loop(struct tevent_req *subreq);
+
+struct tevent_req *sysdb_delete_recursive_send(TALLOC_CTX *mem_ctx,
+   struct tevent_context *ev,
+   struct sysdb_handle *handle,
+   struct ldb_dn *dn,
+   bool ignore_not_found)
+{
+struct tevent_req *req, *subreq;
+struct sysdb_delete_recursive_state *state;
+int ret;
+
+req = tevent_req_create(mem_ctx, state,
+struct sysdb_delete_recursive_state);
+if (!req) return NULL;
+
+state-ev = ev;
+state-handle = handle;
+state-ignore_not_found = ignore_not_found;
+state-ldbreply = NULL;
+state-msgs_count = 0;
+state-msgs = NULL;
+state-current_item = 0;
+
+subreq = sysdb_search_entry_send(state, ev, handle, dn, LDB_SCOPE_SUBTREE,
+ distinguishedName=*, NULL);
+
+if (!subreq) {
+ERROR_OUT(ret, ENOMEM, fail);
+}
+tevent_req_set_callback(subreq, sysdb_delete_recursive_loop, req);
+
+return req;
+
+fail:
+DEBUG(6, (Error: %d (%s)\n, ret, strerror(ret)));
+tevent_req_error(req, ret);
+tevent_req_post(req, ev);
+return req;
+}
+
+static int compare_ldb_dn_comp_num(const void *m1, const void *m2)
+{
+struct ldb_message *msg1 = talloc_get_type(*(const void **) m1,
+   struct ldb_message);
+struct ldb_message *msg2 = talloc_get_type(*(const void **) m2,
+   struct ldb_message);
+
+return ldb_dn_get_comp_num(msg2-dn) - ldb_dn_get_comp_num(msg1-dn);
+}
+
+static void sysdb_delete_recursive_loop(struct tevent_req *subreq)
+{
+struct tevent_req *req = tevent_req_callback_data(subreq,
+  struct tevent_req);
+struct sysdb_delete_recursive_state *state = tevent_req_data(req,
+   struct 
sysdb_delete_recursive_state);
+int ret;
+struct ldb_request *ldbreq;
+
+if (state-current_item == 0) {
+ret = sysdb_search_entry_recv(subreq, state, state-msgs_count,
+  state-msgs);
+talloc_zfree(subreq);
+if (ret) {
+if (state-ignore_not_found  ret == ENOENT) {
+tevent_req_done(req);
+}
+DEBUG(6, (Search error: %d (%s

Re: [SSSD] [PATCH] Clean up warnings in dhash tests

2009-10-29 Thread Sumit Bose
On Thu, Oct 29, 2009 at 01:43:06PM -0400, Stephen Gallagher wrote:
 Original warnings:
 
 ../../../common/dhash/dhash_test.c: In function ‘main’:
 ../../../common/dhash/dhash_test.c:288: warning: declaration of ‘i’
 shadows a previous local
 ../../../common/dhash/dhash_test.c:115: warning: shadowed declaration is
 here
 ../../../common/dhash/dhash_test.c:312: warning: declaration of ‘i’
 shadows a previous local
 ../../../common/dhash/dhash_test.c:115: warning: shadowed declaration is
 here
 ../../../common/dhash/dhash_test.c:332: warning: declaration of ‘i’
 shadows a previous local
 ../../../common/dhash/dhash_test.c:115: warning: shadowed declaration is
 here
 ../../../common/dhash/dhash_example.c: In function ‘main’:
 ../../../common/dhash/dhash_example.c:44: warning: passing argument 2 of
 ‘new_data’ discards qualifiers from pointer target type
 ../../../common/dhash/dhash_example.c:28: note: expected ‘char *’ but
 argument is of type ‘const char *’
 ../../../common/dhash/dhash_example.c:55: warning: assignment discards
 qualifiers from pointer target type
 ../../../common/dhash/dhash_example.c:76: warning: assignment discards
 qualifiers from pointer target type
 ../../../common/dhash/dhash_example.c:94: warning: declaration of
 ‘my_data’ shadows a previous local
 ../../../common/dhash/dhash_example.c:44: warning: shadowed declaration
 is here
 ../../../common/dhash/dhash_example.c:105: warning: assignment discards
 qualifiers from pointer target type
 
 -- 
 Stephen Gallagher
 RHCE 804006346421761
 
 Delivering value year after year.
 Red Hat ranks #1 in value among software vendors.
 http://www.redhat.com/promo/vendor/

warnings are gone and dhash_example still works,

ACK

Maybe we should wait for a comment from John before pushing it?

bye,
Sumit


Re: [SSSD] [PATCH] add sysdb_delete_recursive request to sysdb API

2009-10-29 Thread Sumit Bose
On Thu, Oct 29, 2009 at 09:32:34PM +, Simo Sorce wrote:
 On Thu, 2009-10-29 at 19:40 +0100, Sumit Bose wrote:
  On Thu, Oct 29, 2009 at 01:39:21PM +0100, Sumit Bose wrote:
   Hi,
   
   this patch adds a recursive delete request to the sysdb API. It has
  the
   same interface as sysdb_delete_entry, but does not delete the entry,
  but
   its children.
   
   bye,
   Sumit
  
  This is a new version of the patch which tries to delete the entry AND
  all its children. It searches all objects with a subtree search, sorts
  the result so that the ones with the most components come first and
  finally loops over the results and deletes them.
 
 Comments inline.
 
  +
  +subreq = sysdb_search_entry_send(state, ev, handle, dn,
  LDB_SCOPE_SUBTREE,
  + distinguishedName=*, NULL);
 
 Please use (objectclass=*) as filter to catch all entries.
 

I would prefer to stay with distinguishedName, because it is
auto-generated and always present.

 Also please set attrs. Passing NULL, means you will retrieve all
 attributes wasting a lot of memory unnecessarily. You are interested
 only in the entries msg-dn, so you probably do not want any attribute
 returned at all.

ah, I thought NULL means nothing, now I pass { NULL }

 
 [..]
 
  +static int compare_ldb_dn_comp_num(const void *m1, const void *m2)
  +{
  +struct ldb_message *msg1 = talloc_get_type(*(const void **) m1,
  +   struct ldb_message);
  +struct ldb_message *msg2 = talloc_get_type(*(const void **) m2,
  +   struct ldb_message);
  +
  +return ldb_dn_get_comp_num(msg2-dn) -
  ldb_dn_get_comp_num(msg1-dn);
  +}
 
 Please move this function in sysdb.c, it's a generic function that can
 be used by multiple functions and here just interrupts reading the
 program flow.

done

 
  +static void sysdb_delete_recursive_loop(struct tevent_req *subreq)
 [...]
 
 I think you should split the this function into a function that receives
 the results of sysdb_search_entry_recv() and then another one that sets
 the loop. If necessary use the trick I used in sdap_cli_connect to do
 continuation functions (see the sdap_cli_*_step functions).
 

done

 The rest looks good to me.
 

Thanks for reviewing.

bye,
Sumit

 Simo.
 
 -- 
 Simo Sorce * Red Hat, Inc * New York
 
From 693c4cc20d13a53340c9ffccfb165ffa8e57af2c Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Thu, 29 Oct 2009 12:57:57 +0100
Subject: [PATCH] add sysdb_delete_recursive request to sysdb API

---
 server/db/sysdb.c  |   12 +++
 server/db/sysdb.h  |   10 +++
 server/db/sysdb_ops.c  |  159 
 server/tests/sysdb-tests.c |  111 +-
 4 files changed, 288 insertions(+), 4 deletions(-)

diff --git a/server/db/sysdb.c b/server/db/sysdb.c
index 5811ddc..1df3f77 100644
--- a/server/db/sysdb.c
+++ b/server/db/sysdb.c
@@ -1417,3 +1417,15 @@ int sysdb_get_ctx_from_list(struct sysdb_ctx_list 
*ctx_list,
 /* definitely not found */
 return ENOENT;
 }
+
+
+int compare_ldb_dn_comp_num(const void *m1, const void *m2)
+{
+struct ldb_message *msg1 = talloc_get_type(*(const void **) m1,
+   struct ldb_message);
+struct ldb_message *msg2 = talloc_get_type(*(const void **) m2,
+   struct ldb_message);
+
+return ldb_dn_get_comp_num(msg2-dn) - ldb_dn_get_comp_num(msg1-dn);
+}
+
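Review bot: `ldb_dn_get_comp_num()` returns `unsigned int` in the ldb API as far as I know, so the subtraction on the return line is unsigned arithmetic whose result is then narrowed to `int`; it yields the intended sign on two's-complement targets, but only through implementation-defined conversion. A sign-safe form is `unsigned int n1 = ldb_dn_get_comp_num(msg1->dn), n2 = ldb_dn_get_comp_num(msg2->dn); return (n2 > n1) - (n2 < n1);`, which keeps the descending order the delete loop relies on (deeper entries first). The exported function also deserves a comment, e.g. `/* qsort() comparator: orders ldb_message pointers by decreasing DN component count, so children sort before their parents. */`.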
diff --git a/server/db/sysdb.h b/server/db/sysdb.h
index 00a3378..72f56db 100644
--- a/server/db/sysdb.h
+++ b/server/db/sysdb.h
@@ -190,6 +190,8 @@ struct ldb_dn *sysdb_custom_dn(struct sysdb_ctx *ctx, void 
*memctx,
 struct ldb_context *sysdb_ctx_get_ldb(struct sysdb_ctx *ctx);
 struct ldb_context *sysdb_handle_get_ldb(struct sysdb_handle *handle);
 
+int compare_ldb_dn_comp_num(const void *m1, const void *m2);
+
 /* function to start and finish a transaction
  * sysdb_transaction_send() will queue a request for a transaction
  * when it is done it will call the tevent_req callback, which must
@@ -311,6 +313,14 @@ struct tevent_req *sysdb_delete_entry_send(TALLOC_CTX 
*mem_ctx,
bool ignore_not_found);
 int sysdb_delete_entry_recv(struct tevent_req *req);
 
+
+struct tevent_req *sysdb_delete_recursive_send(TALLOC_CTX *mem_ctx,
+   struct tevent_context *ev,
+   struct sysdb_handle *handle,
+   struct ldb_dn *dn,
+   bool ignore_not_found);
+int sysdb_delete_recursive_recv(struct tevent_req *req);
+
 /* Search Entry */
 struct tevent_req *sysdb_search_entry_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
diff --git a/server/db/sysdb_ops.c b/server

Re: [SSSD] Problem or not?

2009-10-30 Thread Sumit Bose
On Fri, Oct 30, 2009 at 01:54:19PM -0700, Jeff Schroeder wrote:
 I've built this package for Fedora 10 and am testing it out.
 http://kojipkgs.fedoraproject.org/packages/sssd/0.7.1/1.fc12/src/sssd-0.7.1-1.fc12.src.rpm
 
 In /var/log/sssd/sssd.log:
 [sssd[be[LDAP]]] [load_backend_module] (0): Unable to load init fn
 sssm_ldap_access_init from module ldap, error:
 /usr/lib64/sssd/libsss_ldap.so: undefined symbol:
 sssm_ldap_access_init
 
 Is this a problem? Authentication appears to be working but I'm not
 sure 100% as that can't be good.
 

This is just a warning. There is already a bug filed to make this message less 
irritating.

bye,
Sumit

 -- 
 Jeff Schroeder
 
 Don't drink and derive, alcohol and analysis don't mix.
 http://www.digitalprognosis.com


Re: [SSSD] [PATCH] add sysdb_delete_recursive request to sysdb API

2009-10-30 Thread Sumit Bose
On Fri, Oct 30, 2009 at 05:42:10PM -0400, Simo Sorce wrote:
 On Fri, 2009-10-30 at 12:01 +0100, Sumit Bose wrote:
  On Thu, Oct 29, 2009 at 11:26:39PM +0100, Sumit Bose wrote:
   On Thu, Oct 29, 2009 at 09:32:34PM +, Simo Sorce wrote:
On Thu, 2009-10-29 at 19:40 +0100, Sumit Bose wrote:
 On Thu, Oct 29, 2009 at 01:39:21PM +0100, Sumit Bose wrote:
  Hi,
  
  this patch adds a recursive delete request to the sysdb API. It has
 the
  same interface as sysdb_delete_entry, but does not delete the entry,
 but
  its children.
  
  bye,
  Sumit
 
 This is a new version of the patch which tries to delete the entry AND
 all its children. It searches all objects with a subtree search, sorts
 the result so that the ones with the most components come first and
 finally loops over the results and deletes them.

Comments inline.

 +
 +subreq = sysdb_search_entry_send(state, ev, handle, dn,
 LDB_SCOPE_SUBTREE,
 + distinguishedName=*, NULL);

Please use (objectclass=*) as filter to catch all entries.

   
   I would prefer to stay with distinguishedName, because it is
   auto-generated and always present.
   
Also please set attrs. Passing NULL, means you will retrieve all
attributes wasting a lot of memory unnecessarily. You are interested
only in the entries msg-dn, so you probably do not want any attribute
returned at all.
   
   ah, I thought NULL means nothing, now I pass { NULL }
   

[..]

 +static int compare_ldb_dn_comp_num(const void *m1, const void *m2)
 +{
 +struct ldb_message *msg1 = talloc_get_type(*(const void **) m1,
 +   struct ldb_message);
 +struct ldb_message *msg2 = talloc_get_type(*(const void **) m2,
 +   struct ldb_message);
 +
 +return ldb_dn_get_comp_num(msg2-dn) -
 ldb_dn_get_comp_num(msg1-dn);
 +}

Please move this function in sysdb.c, it's a generic function that can
be used by multiple functions and here just interrupts reading the
program flow.
   
   done
   

 +static void sysdb_delete_recursive_loop(struct tevent_req *subreq)
[...]

I think you should split the this function into a function that receives
the results of sysdb_search_entry_recv() and then another one that sets
the loop. If necessary use the trick I used in sdap_cli_connect to do
continuation functions (see the sdap_cli_*_step functions).

   
   done
   
The rest looks good to me.

   
   Thanks for reviewing.
   
   bye,
   Sumit
   
  
  sorry, this new patch fixes a compiler warning.
 
 Looks good to me, I have only a minor nitpick, shouldn't the ENOENT
 error in sysdb_delete_recursive_op_done() be fatal ?
 
 Given it should never happen, does it make sense to allow to continue ?
 
 Simo.
 

ok, it is now fatal as all other errors

bye,
Sumit
From de69fe0de87ede1acabc37a94070a2f932a3ea00 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Thu, 29 Oct 2009 12:57:57 +0100
Subject: [PATCH] add sysdb_delete_recursive request to sysdb API

---
 server/db/sysdb.c  |   12 
 server/db/sysdb.h  |   10 +++
 server/db/sysdb_ops.c  |  152 
 server/tests/sysdb-tests.c |  111 +++-
 4 files changed, 281 insertions(+), 4 deletions(-)

diff --git a/server/db/sysdb.c b/server/db/sysdb.c
index 5811ddc..a2ac3b2 100644
--- a/server/db/sysdb.c
+++ b/server/db/sysdb.c
@@ -1417,3 +1417,15 @@ int sysdb_get_ctx_from_list(struct sysdb_ctx_list 
*ctx_list,
 /* definitely not found */
 return ENOENT;
 }
+
+
+int compare_ldb_dn_comp_num(const void *m1, const void *m2)
+{
+struct ldb_message *msg1 = talloc_get_type(*(void **) discard_const(m1),
+   struct ldb_message);
+struct ldb_message *msg2 = talloc_get_type(*(void **) discard_const(m2),
+   struct ldb_message);
+
+return ldb_dn_get_comp_num(msg2-dn) - ldb_dn_get_comp_num(msg1-dn);
+}
+
diff --git a/server/db/sysdb.h b/server/db/sysdb.h
index 00a3378..72f56db 100644
--- a/server/db/sysdb.h
+++ b/server/db/sysdb.h
@@ -190,6 +190,8 @@ struct ldb_dn *sysdb_custom_dn(struct sysdb_ctx *ctx, void 
*memctx,
 struct ldb_context *sysdb_ctx_get_ldb(struct sysdb_ctx *ctx);
 struct ldb_context *sysdb_handle_get_ldb(struct sysdb_handle *handle);
 
+int compare_ldb_dn_comp_num(const void *m1, const void *m2);
+
 /* function to start and finish a transaction
  * sysdb_transaction_send() will queue a request for a transaction
  * when it is done it will call the tevent_req callback, which must
@@ -311,6 +313,14 @@ struct tevent_req *sysdb_delete_entry_send(TALLOC_CTX 
*mem_ctx,
bool

Re: [SSSD] [PATCH] add sysdb_delete_recursive request to sysdb API

2009-11-02 Thread Sumit Bose
On Fri, Oct 30, 2009 at 10:51:13PM +0100, Sumit Bose wrote:
 On Fri, Oct 30, 2009 at 05:42:10PM -0400, Simo Sorce wrote:
  On Fri, 2009-10-30 at 12:01 +0100, Sumit Bose wrote:
   On Thu, Oct 29, 2009 at 11:26:39PM +0100, Sumit Bose wrote:
On Thu, Oct 29, 2009 at 09:32:34PM +, Simo Sorce wrote:
 On Thu, 2009-10-29 at 19:40 +0100, Sumit Bose wrote:
  On Thu, Oct 29, 2009 at 01:39:21PM +0100, Sumit Bose wrote:
   Hi,
   
   this patch adds a recursive delete request to the sysdb API. It 
   has
  the
   same interface as sysdb_delete_entry, but does not delete the 
   entry,
  but
   its children.
   
   bye,
   Sumit
  
  This is a new version of the patch which tries to delete the entry 
  AND
  all its children. It searches all objects with a subtree search, 
  sorts
  the result so that the ones with the most components come first and
  finally loops over the results and deletes them.
 
 Comments inline.
 
  +
  +subreq = sysdb_search_entry_send(state, ev, handle, dn,
  LDB_SCOPE_SUBTREE,
  + distinguishedName=*, NULL);
 
 Please use (objectclass=*) as filter to catch all entries.
 

I would prefer to stay with distinguishedName, because it is
auto-generated and always present.

 Also please set attrs. Passing NULL, means you will retrieve all
 attributes wasting a lot of memory unnecessarily. You are interested
 only in the entries msg-dn, so you probably do not want any attribute
 returned at all.

ah, I thought NULL means nothing, now I pass { NULL }

 
 [..]
 
  +static int compare_ldb_dn_comp_num(const void *m1, const void *m2)
  +{
  +struct ldb_message *msg1 = talloc_get_type(*(const void **) m1,
  +   struct ldb_message);
  +struct ldb_message *msg2 = talloc_get_type(*(const void **) m2,
  +   struct ldb_message);
  +
  +return ldb_dn_get_comp_num(msg2-dn) -
  ldb_dn_get_comp_num(msg1-dn);
  +}
 
 Please move this function in sysdb.c, it's a generic function that can
 be used by multiple functions and here just interrupts reading the
 program flow.

done

 
  +static void sysdb_delete_recursive_loop(struct tevent_req *subreq)
 [...]
 
 I think you should split the this function into a function that 
 receives
 the results of sysdb_search_entry_recv() and then another one that 
 sets
 the loop. If necessary use the trick I used in sdap_cli_connect to do
 continuation functions (see the sdap_cli_*_step functions).
 

done

 The rest looks good to me.
 

Thanks for reviewing.

bye,
Sumit

   
   sorry, this new patch fixes a compiler warning.
  
  Looks good to me, I have only a minor nitpick, shouldn't the ENOENT
  error in sysdb_delete_recursive_op_done() be fatal ?
  
  Given it should never happen, does it make sense to allow to continue ?
  
  Simo.
  
 
 ok, it is now fatal as all other errors
 
 bye,
 Sumit

This new version adds a missing return after a tevent_req_done() call.

bye,
Sumit
From 44a77225d38dd5998e6da56fa420cdb817bddf94 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Thu, 29 Oct 2009 12:57:57 +0100
Subject: [PATCH] add sysdb_delete_recursive request to sysdb API

---
 server/db/sysdb.c  |   12 
 server/db/sysdb.h  |   10 +++
 server/db/sysdb_ops.c  |  153 
 server/tests/sysdb-tests.c |  111 ++-
 4 files changed, 282 insertions(+), 4 deletions(-)

diff --git a/server/db/sysdb.c b/server/db/sysdb.c
index 5811ddc..a2ac3b2 100644
--- a/server/db/sysdb.c
+++ b/server/db/sysdb.c
@@ -1417,3 +1417,15 @@ int sysdb_get_ctx_from_list(struct sysdb_ctx_list 
*ctx_list,
 /* definitely not found */
 return ENOENT;
 }
+
+
+int compare_ldb_dn_comp_num(const void *m1, const void *m2)
+{
+struct ldb_message *msg1 = talloc_get_type(*(void **) discard_const(m1),
+   struct ldb_message);
+struct ldb_message *msg2 = talloc_get_type(*(void **) discard_const(m2),
+   struct ldb_message);
+
+return ldb_dn_get_comp_num(msg2-dn) - ldb_dn_get_comp_num(msg1-dn);
+}
+
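Review bot: The return line still subtracts two `ldb_dn_get_comp_num()` results, which are `unsigned int` in the ldb API I am aware of, so the sign of the comparator rests on implementation-defined narrowing to `int`; `unsigned int n1 = ldb_dn_get_comp_num(msg1->dn), n2 = ldb_dn_get_comp_num(msg2->dn); return (n2 > n1) - (n2 < n1);` gives the same descending order without that dependency. The discard_const form of the argument casts is fine for a qsort() callback. Since the function is now exported, a comment such as `/* qsort() comparator: deeper DNs first, so children are deleted before their parents. */` should accompany it.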
diff --git a/server/db/sysdb.h b/server/db/sysdb.h
index 00a3378..72f56db 100644
--- a/server/db/sysdb.h
+++ b/server/db/sysdb.h
@@ -190,6 +190,8 @@ struct ldb_dn *sysdb_custom_dn(struct sysdb_ctx *ctx, void 
*memctx,
 struct ldb_context *sysdb_ctx_get_ldb(struct sysdb_ctx *ctx);
 struct ldb_context *sysdb_handle_get_ldb(struct sysdb_handle *handle);
 
+int compare_ldb_dn_comp_num(const void *m1, const void *m2);
+
 /* function to start and finish

[SSSD] [PATCH] Make debug message less irritating.

2009-11-02 Thread Sumit Bose
Hi,

this patch should fix #251.

bye,
Sumit
From 9ec33e808fe82895473e8350eb2e8c5a78ba1ccb Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Mon, 2 Nov 2009 14:32:00 +0100
Subject: [PATCH] Make debug message less irritating.

The 'Unable to load' debug message is now only shown when the backend
target is given explicitly in the config file. In the other case we
let the caller decide how to handle this error condition.
---
 server/providers/data_provider_be.c |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/providers/data_provider_be.c 
b/server/providers/data_provider_be.c
index 65f33ce..b20ac1f 100644
--- a/server/providers/data_provider_be.c
+++ b/server/providers/data_provider_be.c
@@ -939,8 +939,6 @@ static int load_backend_module(struct be_ctx *ctx,
 mod_init_fn = (bet_init_fn_t)dlsym(ctx-loaded_be[lb].handle,
mod_init_fn_name);
 if (mod_init_fn == NULL) {
-DEBUG(0, (Unable to load init fn %s from module %s, error: %s\n,
-  mod_init_fn_name, mod_name, dlerror()));
 if (default_mod_name != NULL 
 strcmp(default_mod_name, mod_name) == 0 ) {
 /* If the default is used and fails we indicate this to the caller
@@ -948,6 +946,8 @@ static int load_backend_module(struct be_ctx *ctx,
  * handle the different types of error conditions. */
 ret = ENOENT;
 } else {
+DEBUG(0, (Unable to load init fn %s from module %s, error: %s\n,
+  mod_init_fn_name, mod_name, dlerror()));
 ret = ELIBBAD;
 }
 goto done;
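Review bot: In the `ret = ENOENT` branch the dlerror() text is now discarded entirely, so when the default module is used and something later fails there is no trace of why dlsym() did not find `mod_init_fn_name`; a low-priority message there, e.g. `DEBUG(6, ("Default module %s has no %s, leaving it to the caller\n", mod_name, mod_init_fn_name));`, keeps it diagnosable without the alarming level-0 line the ticket complains about. Separately, dlerror() may return NULL when no error is pending (dlsym() can legitimately return NULL for a symbol whose value is NULL), so the `%s` in the remaining DEBUG would be safer with a fallback string, though that predates this patch. load_backend_module begins and ends outside the hunk.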
-- 
1.6.2.5



[SSSD] [PATCH] set ipa_hostname if not given in config file

2009-11-02 Thread Sumit Bose
Hi,

I find this patch useful. If IPA_HOSTNAME is found to be NULL later on
in the code you can simply assume an error and don't have to call
gethostname again and again.

bye,
Sumit
From d87db5a63e0737cc5da955c6679a410350939419 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Wed, 28 Oct 2009 13:09:51 +0100
Subject: [PATCH] set ipa_hostname if not given in config file

---
 server/providers/ipa/ipa_common.c |   20 
 1 files changed, 20 insertions(+), 0 deletions(-)

diff --git a/server/providers/ipa/ipa_common.c 
b/server/providers/ipa/ipa_common.c
index d324970..3f4d25d 100644
--- a/server/providers/ipa/ipa_common.c
+++ b/server/providers/ipa/ipa_common.c
@@ -144,7 +144,9 @@ int ipa_get_options(TALLOC_CTX *memctx,
 struct ipa_options *opts;
 char *domain;
 char *server;
+char *ipa_hostname;
 int ret;
+char hostname[HOST_NAME_MAX + 1];
 
 opts = talloc_zero(memctx, struct ipa_options);
 if (!opts) return ENOMEM;
@@ -173,6 +175,24 @@ int ipa_get_options(TALLOC_CTX *memctx,
 goto done;
 }
 
+ipa_hostname = dp_opt_get_string(opts-basic, IPA_HOSTNAME);
+if (ipa_hostname == NULL) {
+ret = gethostname(hostname, HOST_NAME_MAX);
+if (ret != EOK) {
+DEBUG(1, (gethostname failed [%d][%s].\n, errno,
+  strerror(errno)));
+ret = errno;
+goto done;
+}
+hostname[HOST_NAME_MAX] = '\0';
+DEBUG(9, (Setting ipa_hostname to [%s].\n, hostname));
+ret = dp_opt_set_string(opts-basic, IPA_HOSTNAME, hostname);
+if (ret != EOK) {
+goto done;
+}
+}
+
+
 ret = EOK;
 *_opts = opts;
 
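Review bot: `ret = errno;` on the failure path runs after the DEBUG call, which does I/O and may overwrite errno, so the value returned to the caller need not be gethostname's error — and if it happens to be 0 the function would presumably leave through `done` reporting success with no hostname set. Save it first: `ret = errno; DEBUG(1, ("gethostname failed [%d][%s].\n", ret, strerror(ret))); goto done;`. gethostname returns -1 rather than an errno value, so `ret != EOK` works only by coincidence and `ret == -1` says what is meant; the explicit terminator at `hostname[HOST_NAME_MAX]` is the right guard since a too-long name may be truncated without an error. The two blank lines added before `ret = EOK;` are one more than the file uses elsewhere, and ipa_get_options continues outside the hunk.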
-- 
1.6.2.5



[SSSD] [PATCH] Add sysdb_attrs_replace_name to sysdb API

2009-11-04 Thread Sumit Bose
Hi,

this patch adds the sysdb_attrs_replace_name() call to replace the name
of an attribute with a new one. This is useful if you want to store the
results of an LDAP query in sysdb, but need to replace certain attribute
names, e.g. member or memberOf.

bye,
Sumit
From 68d17d27f4f876e2060b93bbeb981a5a97667182 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Wed, 4 Nov 2009 12:36:25 +0100
Subject: [PATCH] Add sysdb_attrs_replace_name to sysdb API.

---
 server/db/sysdb.c  |   32 +++
 server/db/sysdb.h  |3 ++
 server/tests/sysdb-tests.c |   45 
 3 files changed, 80 insertions(+), 0 deletions(-)

diff --git a/server/db/sysdb.c b/server/db/sysdb.c
index a2ac3b2..f090960 100644
--- a/server/db/sysdb.c
+++ b/server/db/sysdb.c
@@ -1429,3 +1429,35 @@ int compare_ldb_dn_comp_num(const void *m1, const void 
*m2)
 return ldb_dn_get_comp_num(msg2-dn) - ldb_dn_get_comp_num(msg1-dn);
 }
 
+int sysdb_attrs_replace_name(struct sysdb_attrs *attrs, const char *oldname,
+ const char *newname)
+{
+struct ldb_message_element *e = NULL;
+int i;
+const char *dummy;
+
+if (attrs == NULL || oldname == NULL || newname == NULL) return EINVAL;
+
+for (i = 0; i  attrs-num; i++) {
+if (strcasecmp(oldname, attrs-a[i].name) == 0) {
+e = (attrs-a[i]);
+}
+if (strcasecmp(newname, attrs-a[i].name) == 0) {
+DEBUG(3, (New attribute name [%s] already exists.\n, newname));
+return EEXIST;
+}
+}
+
+if (e != NULL) {
+dummy = talloc_strdup(e, newname);
+if (dummy == NULL) {
+DEBUG(1, (talloc_strdup failed.\n));
+return ENOMEM;
+}
+
+talloc_free(discard_const(e-name));
+e-name = dummy;
+}
+
+return EOK;
+}
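Review bot: sysdb_attrs_replace_name returns EOK when oldname is not present, so a caller cannot distinguish a rename from a no-op, and neither this definition nor the declaration added to sysdb.h documents that, the case-insensitive matching, or the EEXIST result when newname is already there. A comment on the declaration along the lines of `/* Rename attribute oldname to newname (case-insensitive). Returns EEXIST if newname already exists, ENOMEM on allocation failure, EOK on success or when oldname is absent (no-op). */` would settle the contract. `talloc_free(discard_const(e->name))` assumes every element name is its own talloc allocation; if any element can be created with a borrowed name this frees memory it does not own, which is worth confirming against how sysdb_attrs_get_el creates elements. The same points apply to the two resends of this patch below.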
diff --git a/server/db/sysdb.h b/server/db/sysdb.h
index 72f56db..8d6bd76 100644
--- a/server/db/sysdb.h
+++ b/server/db/sysdb.h
@@ -171,6 +171,9 @@ int sysdb_attrs_get_el(struct sysdb_attrs *attrs, const 
char *name,
 int sysdb_attrs_steal_string(struct sysdb_attrs *attrs,
  const char *name, char *str);
 
+int sysdb_attrs_replace_name(struct sysdb_attrs *attrs, const char *oldname,
+ const char *newname);
+
 /* convert an ldb error into an errno error */
 int sysdb_error_to_errno(int ldberr);
 
diff --git a/server/tests/sysdb-tests.c b/server/tests/sysdb-tests.c
index ed61e27..d08a155 100644
--- a/server/tests/sysdb-tests.c
+++ b/server/tests/sysdb-tests.c
@@ -2310,6 +2310,49 @@ START_TEST (test_sysdb_delete_recursive)
 }
 END_TEST
 
+START_TEST (test_sysdb_attrs_replace_name)
+{
+struct sysdb_attrs *attrs;
+struct ldb_message_element *el;
+int ret;
+
+attrs = sysdb_new_attrs(NULL);
+fail_unless(attrs != NULL, sysdb_new_attrs failed);
+
+ret = sysdb_attrs_add_string(attrs, foo, bar);
+fail_unless(ret == EOK, sysdb_attrs_add_string failed);
+
+ret = sysdb_attrs_add_string(attrs, fool, bool);
+fail_unless(ret == EOK, sysdb_attrs_add_string failed);
+
+ret = sysdb_attrs_add_string(attrs, foot, boot);
+fail_unless(ret == EOK, sysdb_attrs_add_string failed);
+
+ret = sysdb_attrs_replace_name(attrs, foo, foot);
+fail_unless(ret == EEXIST,
+sysdb_attrs_replace overwrites existing attribute);
+
+ret = sysdb_attrs_replace_name(attrs, foo, oof);
+fail_unless(ret == EOK, sysdb_attrs_replace failed);
+
+ret = sysdb_attrs_get_el(attrs, foo, el);
+fail_unless(ret == EOK, sysdb_attrs_get_el failed);
+fail_unless(el-num_values == 0, Attribute foo is not empty.);
+
+ret = sysdb_attrs_get_el(attrs, oof, el);
+fail_unless(ret == EOK, sysdb_attrs_get_el failed);
+fail_unless(el-num_values == 1,
+Wrong number of values for attribute oof, 
+expected [1] got [%d]., el-num_values);
+fail_unless(strncmp(bar, (char *) el-values[0].data,
+el-values[0].length) == 0,
+Wrong value, expected [bar] got [%.*s], el-values[0].length,
+  el-values[0].data);
+
+talloc_free(attrs);
+}
+END_TEST
+
 Suite *create_sysdb_suite(void)
 {
 Suite *s = suite_create(sysdb);
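Review bot: The value check at the end of the new test compares only `el->values[0].length` bytes, so a truncated value such as "ba" would still pass against "bar"; assert the length too, e.g. `fail_unless(el->values[0].length == 3 && strncmp("bar", (char *) el->values[0].data, 3) == 0, ...)`. The test also never exercises the case where oldname is absent, which is the path whose return value is least obvious. This applies equally to the copies of this test in the two resends below.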
@@ -2404,6 +2447,8 @@ Suite *create_sysdb_suite(void)
 /* test recursive delete */
 tcase_add_test(tc_sysdb, test_sysdb_delete_recursive);
 
+tcase_add_test(tc_sysdb, test_sysdb_attrs_replace_name);
+
 /* Add all test cases to the test suite */
 suite_add_tcase(s, tc_sysdb);
 
-- 
1.6.2.5



Re: [SSSD] [PATCH] Add sysdb_attrs_replace_name to sysdb API

2009-11-04 Thread Sumit Bose
On Wed, Nov 04, 2009 at 12:53:22PM +0100, Sumit Bose wrote:
 Hi,
 
 this patch adds the sysdb_attrs_replace_name() call to replace the name
 of an attribute with a new one. This is useful if you want to store the
 results of an LDAP query in sysdb, but need to replace certain attribute
 names, e.g. member or memberOf.
 
 bye,
 Sumit

self NACK, I have found a talloc issue, new version attached.

bye,
Sumit
From 1f6e34c7f3d18a1f0a43cf327bb55c2990215154 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Wed, 4 Nov 2009 12:36:25 +0100
Subject: [PATCH] Add sysdb_attrs_replace_name to sysdb API.

---
 server/db/sysdb.c  |   32 +++
 server/db/sysdb.h  |3 ++
 server/tests/sysdb-tests.c |   45 
 3 files changed, 80 insertions(+), 0 deletions(-)

diff --git a/server/db/sysdb.c b/server/db/sysdb.c
index a2ac3b2..4473fe8 100644
--- a/server/db/sysdb.c
+++ b/server/db/sysdb.c
@@ -1429,3 +1429,35 @@ int compare_ldb_dn_comp_num(const void *m1, const void 
*m2)
 return ldb_dn_get_comp_num(msg2-dn) - ldb_dn_get_comp_num(msg1-dn);
 }
 
+int sysdb_attrs_replace_name(struct sysdb_attrs *attrs, const char *oldname,
+ const char *newname)
+{
+struct ldb_message_element *e = NULL;
+int i;
+const char *dummy;
+
+if (attrs == NULL || oldname == NULL || newname == NULL) return EINVAL;
+
+for (i = 0; i  attrs-num; i++) {
+if (strcasecmp(oldname, attrs-a[i].name) == 0) {
+e = (attrs-a[i]);
+}
+if (strcasecmp(newname, attrs-a[i].name) == 0) {
+DEBUG(3, (New attribute name [%s] already exists.\n, newname));
+return EEXIST;
+}
+}
+
+if (e != NULL) {
+dummy = talloc_strdup(talloc_parent(e-name), newname);
+if (dummy == NULL) {
+DEBUG(1, (talloc_strdup failed.\n));
+return ENOMEM;
+}
+
+talloc_free(discard_const(e-name));
+e-name = dummy;
+}
+
+return EOK;
+}
diff --git a/server/db/sysdb.h b/server/db/sysdb.h
index 72f56db..8d6bd76 100644
--- a/server/db/sysdb.h
+++ b/server/db/sysdb.h
@@ -171,6 +171,9 @@ int sysdb_attrs_get_el(struct sysdb_attrs *attrs, const 
char *name,
 int sysdb_attrs_steal_string(struct sysdb_attrs *attrs,
  const char *name, char *str);
 
+int sysdb_attrs_replace_name(struct sysdb_attrs *attrs, const char *oldname,
+ const char *newname);
+
 /* convert an ldb error into an errno error */
 int sysdb_error_to_errno(int ldberr);
 
diff --git a/server/tests/sysdb-tests.c b/server/tests/sysdb-tests.c
index ed61e27..d08a155 100644
--- a/server/tests/sysdb-tests.c
+++ b/server/tests/sysdb-tests.c
@@ -2310,6 +2310,49 @@ START_TEST (test_sysdb_delete_recursive)
 }
 END_TEST
 
+START_TEST (test_sysdb_attrs_replace_name)
+{
+struct sysdb_attrs *attrs;
+struct ldb_message_element *el;
+int ret;
+
+attrs = sysdb_new_attrs(NULL);
+fail_unless(attrs != NULL, sysdb_new_attrs failed);
+
+ret = sysdb_attrs_add_string(attrs, foo, bar);
+fail_unless(ret == EOK, sysdb_attrs_add_string failed);
+
+ret = sysdb_attrs_add_string(attrs, fool, bool);
+fail_unless(ret == EOK, sysdb_attrs_add_string failed);
+
+ret = sysdb_attrs_add_string(attrs, foot, boot);
+fail_unless(ret == EOK, sysdb_attrs_add_string failed);
+
+ret = sysdb_attrs_replace_name(attrs, foo, foot);
+fail_unless(ret == EEXIST,
+sysdb_attrs_replace overwrites existing attribute);
+
+ret = sysdb_attrs_replace_name(attrs, foo, oof);
+fail_unless(ret == EOK, sysdb_attrs_replace failed);
+
+ret = sysdb_attrs_get_el(attrs, foo, el);
+fail_unless(ret == EOK, sysdb_attrs_get_el failed);
+fail_unless(el-num_values == 0, Attribute foo is not empty.);
+
+ret = sysdb_attrs_get_el(attrs, oof, el);
+fail_unless(ret == EOK, sysdb_attrs_get_el failed);
+fail_unless(el-num_values == 1,
+Wrong number of values for attribute oof, 
+expected [1] got [%d]., el-num_values);
+fail_unless(strncmp(bar, (char *) el-values[0].data,
+el-values[0].length) == 0,
+Wrong value, expected [bar] got [%.*s], el-values[0].length,
+  el-values[0].data);
+
+talloc_free(attrs);
+}
+END_TEST
+
 Suite *create_sysdb_suite(void)
 {
 Suite *s = suite_create(sysdb);
@@ -2404,6 +2447,8 @@ Suite *create_sysdb_suite(void)
 /* test recursive delete */
 tcase_add_test(tc_sysdb, test_sysdb_delete_recursive);
 
+tcase_add_test(tc_sysdb, test_sysdb_attrs_replace_name);
+
 /* Add all test cases to the test suite */
 suite_add_tcase(s, tc_sysdb);
 
-- 
1.6.2.5



Re: [SSSD] [PATCH] Add sysdb_attrs_replace_name to sysdb API

2009-11-04 Thread Sumit Bose
On Wed, Nov 04, 2009 at 09:25:29AM -0500, Simo Sorce wrote:
 On Wed, 2009-11-04 at 15:05 +0100, Sumit Bose wrote:
  +if (e != NULL) {
  +dummy = talloc_strdup(talloc_parent(e-name), newname);
 
 The parent should be attrs, I would use that and not talloc_parent(),
 so even if the parent is something else, we get the new parent right.
 
 Simo.
 

fixed

bye,
Sumit
From f6e248d7481fba0a90e97f603a6b2521b1590265 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Wed, 4 Nov 2009 12:36:25 +0100
Subject: [PATCH] Add sysdb_attrs_replace_name to sysdb API.

---
 server/db/sysdb.c  |   32 +++
 server/db/sysdb.h  |3 ++
 server/tests/sysdb-tests.c |   45 
 3 files changed, 80 insertions(+), 0 deletions(-)

diff --git a/server/db/sysdb.c b/server/db/sysdb.c
index a2ac3b2..ae32ef4 100644
--- a/server/db/sysdb.c
+++ b/server/db/sysdb.c
@@ -1429,3 +1429,35 @@ int compare_ldb_dn_comp_num(const void *m1, const void 
*m2)
 return ldb_dn_get_comp_num(msg2-dn) - ldb_dn_get_comp_num(msg1-dn);
 }
 
+int sysdb_attrs_replace_name(struct sysdb_attrs *attrs, const char *oldname,
+ const char *newname)
+{
+struct ldb_message_element *e = NULL;
+int i;
+const char *dummy;
+
+if (attrs == NULL || oldname == NULL || newname == NULL) return EINVAL;
+
+for (i = 0; i  attrs-num; i++) {
+if (strcasecmp(oldname, attrs-a[i].name) == 0) {
+e = (attrs-a[i]);
+}
+if (strcasecmp(newname, attrs-a[i].name) == 0) {
+DEBUG(3, (New attribute name [%s] already exists.\n, newname));
+return EEXIST;
+}
+}
+
+if (e != NULL) {
+dummy = talloc_strdup(attrs, newname);
+if (dummy == NULL) {
+DEBUG(1, (talloc_strdup failed.\n));
+return ENOMEM;
+}
+
+talloc_free(discard_const(e-name));
+e-name = dummy;
+}
+
+return EOK;
+}
diff --git a/server/db/sysdb.h b/server/db/sysdb.h
index 72f56db..8d6bd76 100644
--- a/server/db/sysdb.h
+++ b/server/db/sysdb.h
@@ -171,6 +171,9 @@ int sysdb_attrs_get_el(struct sysdb_attrs *attrs, const 
char *name,
 int sysdb_attrs_steal_string(struct sysdb_attrs *attrs,
  const char *name, char *str);
 
+int sysdb_attrs_replace_name(struct sysdb_attrs *attrs, const char *oldname,
+ const char *newname);
+
 /* convert an ldb error into an errno error */
 int sysdb_error_to_errno(int ldberr);
 
diff --git a/server/tests/sysdb-tests.c b/server/tests/sysdb-tests.c
index ed61e27..d08a155 100644
--- a/server/tests/sysdb-tests.c
+++ b/server/tests/sysdb-tests.c
@@ -2310,6 +2310,49 @@ START_TEST (test_sysdb_delete_recursive)
 }
 END_TEST
 
+START_TEST (test_sysdb_attrs_replace_name)
+{
+struct sysdb_attrs *attrs;
+struct ldb_message_element *el;
+int ret;
+
+attrs = sysdb_new_attrs(NULL);
+fail_unless(attrs != NULL, sysdb_new_attrs failed);
+
+ret = sysdb_attrs_add_string(attrs, foo, bar);
+fail_unless(ret == EOK, sysdb_attrs_add_string failed);
+
+ret = sysdb_attrs_add_string(attrs, fool, bool);
+fail_unless(ret == EOK, sysdb_attrs_add_string failed);
+
+ret = sysdb_attrs_add_string(attrs, foot, boot);
+fail_unless(ret == EOK, sysdb_attrs_add_string failed);
+
+ret = sysdb_attrs_replace_name(attrs, foo, foot);
+fail_unless(ret == EEXIST,
+sysdb_attrs_replace overwrites existing attribute);
+
+ret = sysdb_attrs_replace_name(attrs, foo, oof);
+fail_unless(ret == EOK, sysdb_attrs_replace failed);
+
+ret = sysdb_attrs_get_el(attrs, foo, el);
+fail_unless(ret == EOK, sysdb_attrs_get_el failed);
+fail_unless(el-num_values == 0, Attribute foo is not empty.);
+
+ret = sysdb_attrs_get_el(attrs, oof, el);
+fail_unless(ret == EOK, sysdb_attrs_get_el failed);
+fail_unless(el-num_values == 1,
+Wrong number of values for attribute oof, 
+expected [1] got [%d]., el-num_values);
+fail_unless(strncmp(bar, (char *) el-values[0].data,
+el-values[0].length) == 0,
+Wrong value, expected [bar] got [%.*s], el-values[0].length,
+  el-values[0].data);
+
+talloc_free(attrs);
+}
+END_TEST
+
 Suite *create_sysdb_suite(void)
 {
 Suite *s = suite_create(sysdb);
@@ -2404,6 +2447,8 @@ Suite *create_sysdb_suite(void)
 /* test recursive delete */
 tcase_add_test(tc_sysdb, test_sysdb_delete_recursive);
 
+tcase_add_test(tc_sysdb, test_sysdb_attrs_replace_name);
+
 /* Add all test cases to the test suite */
 suite_add_tcase(s, tc_sysdb);
 
-- 
1.6.2.5



Re: [SSSD] Properly wrap #include krb5.h

2009-11-04 Thread Sumit Bose
On Wed, Nov 04, 2009 at 12:24:40PM -0500, Stephen Gallagher wrote:
 Depending on the platform, krb5.h may be available as
  #include krb5.h
 or
  #include krb5/krb5.h
 
 We were properly testing for this in krb5_common.h, but not in
 sdap_async.c
 

Sorry, I forgot to post the attached patch; it fixes the includes, but
also adds substitutions for missing API calls in older versions of MIT
Kerberos.

bye,
Sumit
From 31f99c1177d8f18ef44874bcccbedfc6014274e1 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Tue, 13 Oct 2009 13:53:32 +0200
Subject: [PATCH] add replacements for missing Kerberos calls

---
 server/Makefile.am  |8 ++-
 server/providers/krb5/krb5_auth.h   |1 +
 server/providers/krb5/krb5_child.c  |   40 +++
 server/providers/krb5/krb5_common.h |6 +--
 server/providers/ldap/sdap_async.c  |   16 +++---
 server/util/sss_krb5.c  |   92 +++
 server/util/sss_krb5.h  |   45 +
 7 files changed, 160 insertions(+), 48 deletions(-)
 create mode 100644 server/util/sss_krb5.c
 create mode 100644 server/util/sss_krb5.h

diff --git a/server/Makefile.am b/server/Makefile.am
index 81223f4..2173b17 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -247,6 +247,7 @@ dist_noinst_HEADERS = \
 util/util.h \
 util/strtonum.h \
 util/sss_ldap.h \
+util/sss_krb5.h \
 config.h \
 monitor/monitor.h \
 monitor/monitor_interfaces.h \
@@ -469,7 +470,8 @@ libsss_ldap_la_SOURCES = \
 providers/ldap/ldap_common.c \
 providers/ldap/sdap_async.c \
 providers/ldap/sdap.c \
-util/sss_ldap.c
+util/sss_ldap.c \
+util/sss_krb5.c
 libsss_ldap_la_CFLAGS = \
 $(AM_CFLAGS) \
 $(LDAP_CFLAGS) \
@@ -514,6 +516,7 @@ libsss_ipa_la_SOURCES = \
 providers/ldap/sdap_async.c \
 providers/ldap/sdap.c \
 util/sss_ldap.c \
+util/sss_krb5.c \
 providers/krb5/krb5_utils.c \
 providers/krb5/krb5_common.c \
 providers/krb5/krb5_auth.c
@@ -530,7 +533,8 @@ libsss_ipa_la_LDFLAGS = \
 
 krb5_child_SOURCES = \
 $(SSSD_DEBUG_OBJ) \
-providers/krb5/krb5_child.c
+providers/krb5/krb5_child.c \
+util/sss_krb5.c
 krb5_child_CFLAGS = \
 $(AM_CFLAGS) \
 $(POPT_CFLAGS) \
diff --git a/server/providers/krb5/krb5_auth.h 
b/server/providers/krb5/krb5_auth.h
index 95647e3..84eafec 100644
--- a/server/providers/krb5/krb5_auth.h
+++ b/server/providers/krb5/krb5_auth.h
@@ -26,6 +26,7 @@
 #ifndef __KRB5_AUTH_H__
 #define __KRB5_AUTH_H__
 
+#include util/sss_krb5.h
 #include providers/dp_backend.h
 #include providers/krb5/krb5_common.h
 
diff --git a/server/providers/krb5/krb5_child.c 
b/server/providers/krb5/krb5_child.c
index e67ff88..319775a 100644
--- a/server/providers/krb5/krb5_child.c
+++ b/server/providers/krb5/krb5_child.c
@@ -90,19 +90,13 @@ struct krb5_req {
 char *ccname;
 };
 
-#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
 static krb5_context krb5_error_ctx;
 static const char *__krb5_error_msg;
 #define KRB5_DEBUG(level, krb5_error) do { \
-__krb5_error_msg = krb5_get_error_message(krb5_error_ctx, krb5_error); \
+__krb5_error_msg = sss_krb5_get_error_message(krb5_error_ctx, krb5_error); 
\
 DEBUG(level, (%d: [%d][%s]\n, __LINE__, krb5_error, __krb5_error_msg)); \
-krb5_free_error_message(krb5_error_ctx, __krb5_error_msg); \
+sss_krb5_free_error_message(krb5_error_ctx, __krb5_error_msg); \
 } while(0);
-#else
-#define KRB5_DEBUG(level, krb5_error) do { \
-DEBUG(level, (%d: kerberos error [%d]\n, __LINE__, krb5_error)); \
-} while(0);
-#endif
 
 struct response {
 size_t max_size;
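Review bot: The macro hands `__krb5_error_msg` to a `%s` conversion without a NULL check, while the other hunk in this file treats a NULL return from sss_krb5_get_error_message as a failure; if the replacement can return NULL on older Kerberos builds, passing it to printf here is undefined behaviour. Guard it, e.g. `DEBUG(level, ("%d: [%d][%s]\n", __LINE__, krb5_error, __krb5_error_msg ? __krb5_error_msg : "unknown"));`. Pre-existing and unchanged by this hunk: `__krb5_error_msg` is a reserved identifier (leading double underscore), and the `;` after `while(0)` defeats the do/while idiom.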
@@ -181,20 +175,14 @@ static struct response *prepare_response_message(struct 
krb5_req *kr,
 ret = pack_response_packet(resp, PAM_SUCCESS, PAM_ENV_ITEM, msg);
 talloc_zfree(msg);
 } else {
-#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
-krb5_msg = krb5_get_error_message(krb5_error_ctx, kerr);
+krb5_msg = sss_krb5_get_error_message(krb5_error_ctx, kerr);
 if (krb5_msg == NULL) {
-DEBUG(1, (krb5_get_error_message failed.\n));
+DEBUG(1, (sss_krb5_get_error_message failed.\n));
 return NULL;
 }
 
 ret = pack_response_packet(resp, pam_status, PAM_USER_INFO, krb5_msg);
-krb5_free_error_message(krb5_error_ctx, krb5_msg);
-#else
-msg = talloc_asprintf(kr, Kerberos error [%d], kerr);
-ret = pack_response_packet(resp, pam_status, PAM_USER_INFO, msg);
-talloc_zfree(msg);
-#endif
+sss_krb5_free_error_message(krb5_error_ctx, krb5_msg);
 }
 
 if (ret != EOK) {
@@ -536,11 +524,7 @@ static int krb5_cleanup(void *ptr)
 if (kr == NULL) return EOK;
 
 if (kr-options != NULL) {
-#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
-krb5_get_init_creds_opt_free(kr-ctx, kr-options);
-#else
-free(kr-options);
-#endif
+sss_krb5_get_init_creds_opt_free(kr-ctx, kr-options);
 }
 
 if (kr-creds

Re: [SSSD] [PATCH] Simplify debug_fn()

2009-11-04 Thread Sumit Bose
On Wed, Nov 04, 2009 at 02:01:44PM -0500, Stephen Gallagher wrote:
 
 We don't need to be allocating an output string here. This was
 also causing a runtime bug when the output string contained
 characters that would be interpreted by fprintf as specifiers.
 
 -- 
 Stephen Gallagher
 RHCE 804006346421761
 
 Delivering value year after year.
 Red Hat ranks #1 in value among software vendors.
 http://www.redhat.com/promo/vendor/

 From 6934b72a4521d8c4aeb9edab8cfb87897007b114 Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher sgall...@redhat.com
 Date: Wed, 4 Nov 2009 14:00:03 -0500
 Subject: [PATCH] Simplify debug_fn()
 
 We don't need to be allocating an output string here. This was
 also causing a runtime bug when the output string contained
 characters that would be interpreted by fprintf as specifiers.
 ---
  server/util/debug.c |   13 ++---
  1 files changed, 2 insertions(+), 11 deletions(-)
 
 diff --git a/server/util/debug.c b/server/util/debug.c
 index 862367c..f41af4b 100644
 --- a/server/util/debug.c
 +++ b/server/util/debug.c
 @@ -56,23 +56,14 @@ errno_t set_debug_file_from_fd(const int fd)
  void debug_fn(const char *format, ...)
  {
  va_list ap;
 -char *s = NULL;
  int ret;

Please remove 'ret', too. Otherwise it is working well: ACK

bye,
Sumit

  
  va_start(ap, format);
  
 -ret = vasprintf(s, format, ap);
 -if (ret  0) {
 -/* ENOMEM */
 -return;
 -}
 +vfprintf(debug_file ? debug_file : stderr, format, ap);
 +fflush(debug_file ? debug_file : stderr);
  
  va_end(ap);
 -
 -/*write(state.fd, s, strlen(s));*/
 -fprintf(debug_file ? debug_file : stderr, s);
 -fflush(debug_file ? debug_file : stderr);
 -free(s);
  }
  
  void ldb_debug_messages(void *context, enum ldb_debug_level level,
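Review bot: With the format now passed directly to vfprintf, the remaining risk is a caller handing untrusted text in as `format`; if the declaration of debug_fn in the header does not already carry `__attribute__((format(printf, 1, 2)))` (the header is not visible here), adding it lets the compiler reject such calls at build time. Minor: `debug_file ? debug_file : stderr` is evaluated twice; `FILE *out = debug_file ? debug_file : stderr;` before va_start, then `vfprintf(out, format, ap); fflush(out);`, reads cleaner and keeps the two calls on the same stream.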
 -- 
 1.6.2.5
 







Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working

2009-11-09 Thread Sumit Bose
On Mon, Nov 09, 2009 at 07:52:43AM -0500, Brian J. Murrell wrote:
 On Mon, 2009-11-09 at 07:33 -0500, Stephen Gallagher wrote: 
  Brian, can you open a bug at https://fedorahosted.org
 
 I would but I can't make out the stupid captcha and there is no button
 to generate a new one!  I really hate captchas you know.  They are
 getting to the point where nobody can read them.
 
  Then rerun your test and include the /var/log/sssd/sssd_pam.log and
  /var/log/sssd/sssd_yourdomain.log files as an attachment.
 
 Here is what the log says:
 

Can you send krb5_child.log, too?

Thanks.

bye,
Sumit


Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working

2009-11-09 Thread Sumit Bose
On Mon, Nov 09, 2009 at 08:48:19AM -0500, Brian J. Murrell wrote:
 On Mon, 2009-11-09 at 14:34 +0100, Sumit Bose wrote: 
  
  Can you send krb5_child.log, too?
 
 Nothing too exciting:
 
 (1257770543) [[sssd[krb5_child[23777 [get_and_save_tgt] (1): 241: 
 [-1765328191][Credentials cache I/O operation failed XXX]
 (1257770543) [[sssd[krb5_child[23777 [tgt_req_child] (1): 411: 
 [-1765328191][Credentials cache I/O operation failed XXX]
 
 b.
 

This error indicates a short write. Can you check whether a ccache file is
created at all and, if so, check its content with klist?

bye,
Sumit


Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working

2009-11-09 Thread Sumit Bose
On Mon, Nov 09, 2009 at 09:56:24AM -0500, Brian J. Murrell wrote:
 On Mon, 2009-11-09 at 15:47 +0100, Sumit Bose wrote: 
  
  yes, can you send the log files for the gnome-screensaver case ?
 
 Sure.  Nothing new in the krb5_child.log, however, sssd_pam.log:

Does this mean you are still seeing [Credentials cache I/O operation
failed XXX] in krb5_child.log?

 
 (1257778320) [sssd[pam]] [accept_fd_handler] (4): Client connected!
 (1257778320) [sssd[pam]] [sss_cmd_get_version] (5): Received client version 
 [3].
 (1257778320) [sssd[pam]] [sss_cmd_get_version] (5): Offered version [3].
 (1257778320) [sssd[pam]] [pam_cmd_authenticate] (4): entering 
 pam_cmd_authenticate
 (1257778320) [sssd[pam]] [pam_print_data] (4): command: 241
 (1257778320) [sssd[pam]] [pam_print_data] (4): domain: (null)
 (1257778320) [sssd[pam]] [pam_print_data] (4): user: brian
 (1257778320) [sssd[pam]] [pam_print_data] (4): service: gnome-screensaver
 (1257778320) [sssd[pam]] [pam_print_data] (4): tty: :0.0
 (1257778320) [sssd[pam]] [pam_print_data] (4): ruser: (null)
 (1257778320) [sssd[pam]] [pam_print_data] (4): rhost: (null)
 (1257778320) [sssd[pam]] [pam_print_data] (4): authtok type: 1
 (1257778320) [sssd[pam]] [pam_print_data] (4): authtok size: 8
 (1257778320) [sssd[pam]] [pam_print_data] (4): newauthtok type: 0
 (1257778320) [sssd[pam]] [pam_print_data] (4): newauthtok size: 0
 (1257778320) [sssd[pam]] [pam_print_data] (4): priv: 0
 (1257778320) [sssd[pam]] [pam_print_data] (4): pw_uid: 0
 (1257778320) [sssd[pam]] [pam_print_data] (4): gr_gid: 0
 (1257778320) [sssd[pam]] [pam_print_data] (4): cli_pid: 24609
 (1257778320) [sssd[pam]] [sss_dp_send_acct_req_create] (4): Sending request 
 for [KRB][1][core][name=brian]
 (1257778321) [sssd[pam]] [sss_dp_get_reply] (4): Got reply (0, 0, Success) 
 from Data Provider
 (1257778321) [sssd[pam]] [pam_dp_send_req] (4): Sending request with the 
 following data:
 (1257778321) [sssd[pam]] [pam_print_data] (4): command: 241
 (1257778321) [sssd[pam]] [pam_print_data] (4): domain: KRB
 (1257778321) [sssd[pam]] [pam_print_data] (4): user: brian
 (1257778321) [sssd[pam]] [pam_print_data] (4): service: gnome-screensaver
 (1257778321) [sssd[pam]] [pam_print_data] (4): tty: :0.0
 (1257778321) [sssd[pam]] [pam_print_data] (4): ruser: (null)
 (1257778321) [sssd[pam]] [pam_print_data] (4): rhost: (null)
 (1257778321) [sssd[pam]] [pam_print_data] (4): authtok type: 1
 (1257778321) [sssd[pam]] [pam_print_data] (4): authtok size: 8
 (1257778321) [sssd[pam]] [pam_print_data] (4): newauthtok type: 0
 (1257778321) [sssd[pam]] [pam_print_data] (4): newauthtok size: 0
 (1257778321) [sssd[pam]] [pam_print_data] (4): priv: 0
 (1257778321) [sssd[pam]] [pam_print_data] (4): pw_uid: 1001
 (1257778321) [sssd[pam]] [pam_print_data] (4): gr_gid: 1001
 (1257778321) [sssd[pam]] [pam_print_data] (4): cli_pid: 24609
 (1257778321) [sssd[pam]] [pam_dom_forwarder] (4): pam_dp_send_req returned 0
 (1257778321) [sssd[pam]] [pam_dp_process_reply] (4): received: [0][KRB]

this indicates that everything is ok, please send krb5_child.log, if
possible with debug level 10.

bye,
Sumit


[SSSD] [PATCH] Simplify krb5 child handler

2009-11-10 Thread Sumit Bose
Hi,

this patch simplifies the child handling of the Kerberos provider to
reduce the number of misleading debug messages.

bye,
Sumit
From e40a3c9cf9b8b1b85d5668fa2491e2e6d48c439b Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Tue, 10 Nov 2009 11:31:29 +0100
Subject: [PATCH] Simplify krb5 child handler

Currently the Kerberos child handler evaluates the siginfo_t structure
to wait for a specific child. This scheme is prone to error, especially
when more than one child process is active, and can produce misleading
debug messages. This patch simplifies the scheme: it waits for any
child.
---
 server/providers/krb5/krb5_auth.c |   35 ++-
 1 files changed, 18 insertions(+), 17 deletions(-)

diff --git a/server/providers/krb5/krb5_auth.c 
b/server/providers/krb5/krb5_auth.c
index cc5bc20..a02147e 100644
--- a/server/providers/krb5/krb5_auth.c
+++ b/server/providers/krb5/krb5_auth.c
@@ -307,26 +307,27 @@ void krb5_child_sig_handler(struct tevent_context *ev,
 {
 int ret;
 int child_status;
-siginfo_t *siginfo = (siginfo_t *)__siginfo;
 
-errno = 0;
+DEBUG(7, (Waiting for [%d] childeren.\n, count));
 do {
-ret = waitpid(siginfo-si_pid, child_status, WNOHANG);
-} while (ret == -1  errno == EINTR);
-if (ret == siginfo-si_pid) {
-DEBUG(4, (child status [%d].\n, child_status));
-if (WEXITSTATUS(child_status) != 0) {
-DEBUG(1, (child failed.\n));
+errno = 0;
+ret = waitpid(-1, child_status, WNOHANG);
+
+if (ret == -1) {
+DEBUG(1, (waitpid failed [%d][%s].\n, errno, strerror(errno)));
+} else if (ret == 0) {
+DEBUG(1, (waitpid did not found a child with changed status.\n));
+} else  {
+if (WEXITSTATUS(child_status) != 0) {
+DEBUG(1, (child [%d] failed with status [%d].\n, ret,
+  child_status));
+} else {
+DEBUG(4, (child [%d] finished successful.\n, ret));
+}
 }
-} else if (ret == 0) {
-DEBUG(1, (waitpid did not found a child with changed status.\n, 
ret));
-} else if (ret = 0  ret != siginfo-si_pid) {
-DEBUG(1, (waitpid returned wrong child pid [%d], continue 
waiting.\n, ret));
-} else if (ret == -1  errno == ECHILD) {
-DEBUG(1, (no child with pid [%d].\n, siginfo-si_pid));
-} else {
-DEBUG(1, (waitpid failed [%s].\n, strerror(errno)));
-}
+
+--count;
+} while (count  0);
 
 return;
 }
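Review bot: `WEXITSTATUS(child_status)` is only meaningful when `WIFEXITED(child_status)` holds; a krb5_child killed by a signal is logged here as having failed with a meaningless status, so test WIFEXITED first and report `WTERMSIG` on the WIFSIGNALED branch. `waitpid(-1, ...)` also reaps every child of the process, not only krb5_child instances, which would steal the exit status from any other code in the backend that waits on a specific pid — presumably none today, but a comment stating that assumption would help. `__siginfo` is now unused, and the `ret == 0` / `ret == -1` branches keep looping and logging at level 1 for the remaining `count` iterations even though nothing more will be reaped; breaking out of the loop there avoids the misleading messages the commit sets out to remove.
```c
        } else  {
            if (WIFEXITED(child_status)) {
                if (WEXITSTATUS(child_status) != 0) {
                    DEBUG(1, ("child [%d] failed with status [%d].\n", ret,
                              WEXITSTATUS(child_status)));
                } else {
                    DEBUG(4, ("child [%d] finished successful.\n", ret));
                }
            } else if (WIFSIGNALED(child_status)) {
                DEBUG(1, ("child [%d] was terminated by signal [%d].\n", ret,
                          WTERMSIG(child_status)));
            }
        }
        /* … unchanged: --count; loop condition … */
```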
-- 
1.6.2.5



[SSSD] [PATCH] Add check for access-time rules to ipa_access.

2009-11-10 Thread Sumit Bose
Hi,

this patch adds a check to evaluate the access time part of a HBAC rule
to the IPA access target.

bye,
Sumit
From 9a1f95d92fb71312d9709a7bf14787046368b40b Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Tue, 10 Nov 2009 13:38:20 +0100
Subject: [PATCH] Add check for access-time rules to ipa_access.

---
 server/Makefile.am|1 +
 server/providers/ipa/ipa_access.c |   64 +
 server/providers/ipa/ipa_access.h |2 +
 server/providers/ipa/ipa_init.c   |7 
 4 files changed, 74 insertions(+), 0 deletions(-)

diff --git a/server/Makefile.am b/server/Makefile.am
index 0c894a6..bdc2f98 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -577,6 +577,7 @@ libsss_ipa_la_SOURCES = \
 providers/ipa/ipa_init.c \
 providers/ipa/ipa_common.c \
 providers/ipa/ipa_access.c \
+providers/ipa/ipa_timerules.c \
 providers/ldap/ldap_id.c \
 providers/ldap/ldap_id_enum.c \
 providers/ldap/ldap_auth.c \
diff --git a/server/providers/ipa/ipa_access.c 
b/server/providers/ipa/ipa_access.c
index 19b707c..1b9 100644
--- a/server/providers/ipa/ipa_access.c
+++ b/server/providers/ipa/ipa_access.c
@@ -29,6 +29,7 @@
 #include providers/ldap/sdap_async.h
 #include providers/ipa/ipa_common.h
 #include providers/ipa/ipa_access.h
+#include providers/ipa/ipa_timerules.h
 
 #define IPA_HOST_MEMBEROF memberOf
 #define IPA_HOST_SERVERHOSTNAME serverHostName
@@ -1168,6 +1169,63 @@ enum check_result check_service(struct pam_data *pd,
 return RULE_ERROR;
 }
 
+enum check_result check_access_time(struct time_rules_ctx *tr_ctx,
+struct sysdb_attrs *rule_attrs)
+{
+int ret;
+int i;
+TALLOC_CTX *tmp_ctx = NULL;
+struct ldb_message_element *el;
+char *rule;
+time_t now;
+bool result;
+
+now = time(NULL);
+if (now == (time_t) -1) {
+DEBUG(1, (time failed [%d][%s].\n, errno, strerror(errno)));
+return RULE_ERROR;
+}
+
+ret = sysdb_attrs_get_el(rule_attrs, IPA_ACCESS_TIME, el);
+if (ret != EOK) {
+DEBUG(1, (sysdb_attrs_get_el failed.\n));
+return RULE_ERROR;
+}
+if (el-num_values == 0) {
+DEBUG(9, (No access time specified, assuming rule applies.\n));
+return RULE_APPLICABLE;
+} else {
+tmp_ctx = talloc_new(NULL);
+if (tmp_ctx == NULL) {
+DEBUG(1, (talloc_new failed.\n));
+return RULE_ERROR;
+}
+
+for (i = 0; i  el-num_values; i++) {
+rule = talloc_strndup(tmp_ctx, (const char *) el-values[i].data,
+  el-values[i].length);
+ret = check_time_rule(tmp_ctx, tr_ctx, rule, now, result);
+if (ret != EOK) {
+DEBUG(1, (check_time_rule failed.\n));
+ret = RULE_ERROR;
+goto done;
+}
+
+if (result) {
+DEBUG(9, (Current time [%d] matches rule [%s].\n, now, 
rule));
+ret = RULE_APPLICABLE;
+goto done;
+}
+}
+}
+
+ret = RULE_NOT_APPLICABLE;
+
+done:
+talloc_free(tmp_ctx);
+return ret;
+}
+
 enum check_result check_user(struct hbac_ctx *hbac_ctx,
  struct sysdb_attrs *rule_attrs)
 {
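Review bot: `talloc_strndup` at the top of the loop in check_access_time is not checked for NULL before `rule` is handed to check_time_rule, and `DEBUG(9, ("Current time [%d] ...` prints a `time_t` with `%d`, which is undefined where time_t is 64-bit — cast to `long long` and use `%lld`. `ret` is also used for both errno values (from sysdb_attrs_get_el / check_time_rule) and enum check_result values that the function returns; an `enum check_result` result variable plus a separate int for the errno-style calls keeps the return type honest. The fail-closed shape — RULE_NOT_APPLICABLE when time values exist and none match, RULE_ERROR on any failure — is the right default for an access-control check.
```c
        for (i = 0; i < el->num_values; i++) {
            rule = talloc_strndup(tmp_ctx, (const char *) el->values[i].data,
                                  el->values[i].length);
            if (rule == NULL) {
                DEBUG(1, ("talloc_strndup failed.\n"));
                ret = RULE_ERROR;
                goto done;
            }
            /* … unchanged: check_time_rule call and result handling … */
            if (result) {
                DEBUG(9, ("Current time [%lld] matches rule [%s].\n",
                          (long long) now, rule));
                ret = RULE_APPLICABLE;
                goto done;
            }
        }
```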
@@ -1343,6 +1401,11 @@ static errno_t check_if_rule_applies(enum hbac_result 
*result,
 goto not_applicable;
 }
 
+ret = check_access_time(hbac_ctx-tr_ctx, rule_attrs);
+if (ret != RULE_APPLICABLE) {
+goto not_applicable;
+}
+
 ret = check_remote_hosts(pd, rule_attrs);
 if (ret != RULE_APPLICABLE) {
 goto not_applicable;
@@ -1426,6 +1489,7 @@ void ipa_access_handler(struct be_req *be_req)
   struct ipa_access_ctx);
 hbac_ctx-sdap_ctx = ipa_access_ctx-sdap_ctx;
 hbac_ctx-ipa_options = ipa_access_ctx-ipa_options;
+hbac_ctx-tr_ctx = ipa_access_ctx-tr_ctx;
 
 req = hbac_get_host_info_send(hbac_ctx, be_req-be_ctx-ev,
   hbac_ctx-sdap_ctx, be_req-be_ctx-sysdb,
diff --git a/server/providers/ipa/ipa_access.h 
b/server/providers/ipa/ipa_access.h
index e4903cb..1b01e9f 100644
--- a/server/providers/ipa/ipa_access.h
+++ b/server/providers/ipa/ipa_access.h
@@ -35,11 +35,13 @@ enum ipa_access_mode {
 struct ipa_access_ctx {
 struct sdap_id_ctx *sdap_ctx;
 struct dp_option *ipa_options;
+struct time_rules_ctx *tr_ctx;
 };
 
 struct hbac_ctx {
 struct sdap_id_ctx *sdap_ctx;
 struct dp_option *ipa_options;
+struct time_rules_ctx *tr_ctx;
 struct be_req *be_req;
 struct pam_data *pd;
 struct hbac_host_info **hbac_host_info;
diff --git a/server/providers/ipa/ipa_init.c b/server/providers/ipa/ipa_init.c
index 7ef98e6..1b93e14 100644
--- a/server/providers/ipa/ipa_init.c
+++ b/server/providers/ipa/ipa_init.c
@@ -30,6 +30,7 @@
 #include providers/ipa/ipa_common.h
 #include providers/krb5

[SSSD] [PATCH] Add support for host, source host and user category

2009-11-10 Thread Sumit Bose
Hi,

this patch adds support for the evaluation of the category attributes.
Please note that with this patch a missing memberUser or missing
sourceHost and externalHost attributes are interpreted as 'not
applicable' if the corresponding category is not set to 'all'. This
behaviour is specified in the design documents.

bye,
Sumit
From 961a4949a72b53a958d479b18168ca4c63c7eae6 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Tue, 10 Nov 2009 16:45:07 +0100
Subject: [PATCH] Add support for host, source host and user category

This patch adds support for the host, source host and user category
'all'. All other category values are ignored so far. With the patch the
interpretation of an empty memberUser and empty sourceHost and
externalHost is changed to 'not applicable'.
---
 server/providers/ipa/ipa_access.c |   62 -
 1 files changed, 54 insertions(+), 8 deletions(-)

diff --git a/server/providers/ipa/ipa_access.c 
b/server/providers/ipa/ipa_access.c
index 19b707c..64f1ceb 100644
--- a/server/providers/ipa/ipa_access.c
+++ b/server/providers/ipa/ipa_access.c
@@ -44,6 +44,7 @@
 #define IPA_UNIQUE_ID ipauniqueid
 #define IPA_ENABLED_FLAG ipaenabledflag
 #define IPA_MEMBER_HOST memberHost
+#define IPA_HOST_CATEGORY hostCategory
 #define IPA_CN cn
 
 #define IPA_HOST_BASE_TMPL cn=computers,cn=accounts,dc=%s
@@ -789,7 +790,7 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX 
*memctx,
 goto fail;
 }
 
-state-hbac_attrs = talloc_array(state, const char *, 13);
+state-hbac_attrs = talloc_array(state, const char *, 15);
 if (state-hbac_attrs == NULL) {
 DEBUG(1, (Failed to allocate HBAC attribute list.\n));
 ret = ENOMEM;
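Review bot: The attribute list is sized by the literal in `talloc_array(state, const char *, 15)` while its slots are filled by hard-coded indices in the next hunk (`hbac_attrs[12]`, `[13]`, `[14] = NULL`), so every attribute added to the query means editing numbers in two hunks in lock step, and a mismatch either over-runs the array or drops the NULL terminator. A counter advanced per assignment removes the coupling, e.g. `int n = 0; ... state->hbac_attrs[n++] = IPA_HOST_CATEGORY; state->hbac_attrs[n] = NULL;`, with the allocation sized from a named constant. In that same later hunk `host_dn` is still interpolated into the LDAP filter via `%s` without escaping; that predates this commit and is presumably safe because the DN comes from the directory rather than from the client, but it is worth confirming. hbac_get_rules_send starts and ends outside the hunk.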
@@ -807,10 +808,14 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX 
*memctx,
 state-hbac_attrs[9] = IPA_ENABLED_FLAG;
 state-hbac_attrs[10] = IPA_CN;
 state-hbac_attrs[11] = objectclass;
-state-hbac_attrs[12] = NULL;
+state-hbac_attrs[12] = IPA_MEMBER_HOST;
+state-hbac_attrs[13] = IPA_HOST_CATEGORY;
+state-hbac_attrs[14] = NULL;
 
 state-hbac_filter = talloc_asprintf(state,
- 
((objectclass=ipaHBACRule)(|(%s=%s),
+ ((objectclass=ipaHBACRule)
+   (|(%s=%s)(%s=%s),
+ IPA_HOST_CATEGORY, all,
  IPA_MEMBER_HOST, host_dn);
 if (state-hbac_filter == NULL) {
 ret = ENOMEM;
@@ -1181,14 +1186,33 @@ enum check_result check_user(struct hbac_ctx *hbac_ctx,
 return RULE_ERROR;
 }
 
-/* TODO: add group and category checks */
+ret = sysdb_attrs_get_el(rule_attrs, IPA_USER_CATEGORY, el);
+if (ret != EOK) {
+DEBUG(1, (sysdb_attrs_get_el failed.\n));
+return RULE_ERROR;
+}
+if (el-num_values == 0) {
+DEBUG(9, (USer category is not set.\n));
+} else {
+for (i = 0; i  el-num_values; i++) {
+if (strncasecmp(all, (const char *) el-values[i].data,
+el-values[i].length) == 0) {
+DEBUG(9, (User category is set to 'all', rule applies.\n));
+return RULE_APPLICABLE;
+}
+DEBUG(9, (Unsupported user category [%.*s].\n,
+  el-values[i].length,
+  (char *) el-values[i].data));
+}
+}
+
 ret = sysdb_attrs_get_el(rule_attrs, IPA_MEMBER_USER, el);
 if (ret != EOK) {
 DEBUG(1, (sysdb_attrs_get_el failed.\n));
 return RULE_ERROR;
 }
 if (el-num_values == 0) {
-DEBUG(9, (No user specified, assuming rule applies.\n));
+DEBUG(9, (No user specified, rule does not apply.\n));
 return RULE_APPLICABLE;
 } else {
 for (i = 0; i  el-num_values; i++) {
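Review bot: `DEBUG(9, ("No user specified, rule does not apply.\n")); return RULE_APPLICABLE;` contradicts itself: the message and the commit description say an empty memberUser is now 'not applicable', yet the return value is unchanged, so a rule with no memberUser and no user category still grants access; it should be `return RULE_NOT_APPLICABLE;`. The category test `strncasecmp("all", (const char *) el->values[i].data, el->values[i].length) == 0` also accepts any prefix of "all" (a one- or two-byte value `a` or `al` compares equal), so guard on the length as well, `el->values[i].length == 3 && strncasecmp(...) == 0`; the same pattern appears in the check_remote_hosts hunk below. The `%.*s` format is given `el->values[i].length` as its precision, but ldb_val's length is a size_t while `*` takes an int, so cast it `(int) el->values[i].length`. Minor: "USer category" in the debug text. check_user starts and ends outside the hunk.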
@@ -1225,6 +1249,7 @@ enum check_result check_remote_hosts(struct pam_data *pd,
 {
 int ret;
 int i;
+struct ldb_message_element *cat_el;
 struct ldb_message_element *src_el;
 struct ldb_message_element *ext_el;
 const char *remote_hostname;
@@ -1243,7 +1268,28 @@ enum check_result check_remote_hosts(struct pam_data *pd,
 remote_hostname = pd-rhost;
 }
 
-/* TODO: add group and category checks */
+ret = sysdb_attrs_get_el(rule_attrs, IPA_SOURCE_HOST_CATEGORY, cat_el);
+if (ret != EOK) {
+DEBUG(1, (sysdb_attrs_get_el failed.\n));
+return RULE_ERROR;
+}
+if (cat_el-num_values == 0) {
+DEBUG(9, (Source host category not set.\n));
+} else {
+for(i = 0; i  cat_el-num_values; i++) {
+if (strncasecmp(all, (const char *) cat_el-values[i].data,
+cat_el-values[i].length) == 0) {
+DEBUG(9, (Source host category is set to 'all', 
+  rule applies.\n));
+return RULE_APPLICABLE;
+}
+DEBUG

Re: [SSSD] krb5 ticket renewal via gnome-screensaver not working

2009-11-11 Thread Sumit Bose
On Tue, Nov 10, 2009 at 11:36:45PM -0500, Brian J. Murrell wrote:
 On Mon, 2009-11-09 at 21:19 +0100, Sumit Bose wrote: 
  
  Does this mean you are still seeing [Credentials cache I/O operation
  failed XXX] in krb5_child.log?
 
 No.  I am seeing nothing new at all in the krb5_child.log when
 authentications happen.
 
  this indicates that everything is ok, please send krb5_child.log, if
  possible with debug level 10.
 
 Even with debug level 10, there is nothing new in the krb5_child.log:
 
 $ ls -ltar /var/log/sssd/
 total 420
 -rw---  1 root root438 2009-11-09 09:23 krb5_child.log
 drwxr-xr-x 15 root root   4096 2009-11-10 07:41 ..
 drwxr-xr-x  2 root root   4096 2009-11-10 23:32 .
 -rw---  1 root root 152408 2009-11-10 23:32 sssd_pam.log
 -rw---  1 root root 238167 2009-11-10 23:32 sssd_KRB.log
 
 I have debug_level = 10 in my [domain/KRB] as well as the [pam]
 section.
 
 Also, I asked previously why I would want per-login unique ccache files
 with:
 
 krb5_ccname_template = FILE:%d/krb5cc_%U_XX
 
 but nobody answered.  Do I really want this or is a single ccache file
 per user (i.e. drop the _XX in the template) not more ideal?
 
 b.
 

ah, sorry, I misinterpreted your original post. I thought a ccache file
wasn't created at all when using gnome-screensaver. You are right, if
you use 'krb5_ccname_template = FILE:%d/krb5cc_%U_XX' with the
current version every authentication will create a new ccache file. If
you want to renew the TGT with every authentication you have to use a
per-user unique ccache file, e.g. FILE:%d/krb5cc_%U.

We are currently discussing how to handle renewals in a more general way
so that it would be possible to renew FILE:%d/krb5cc_%U_XX-style
files too.

HTH.

bye,
Sumit






 ___
 sssd-devel mailing list
 sssd-devel@lists.fedorahosted.org
 https://fedorahosted.org/mailman/listinfo/sssd-devel

___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel


[SSSD] [PATCH] Make 'permit' the default for the access target

2009-11-11 Thread Sumit Bose
Hi,

this patch makes 'permit' the default for the access target. This means
that access_provider has to be set explicitly if a specific provider
should be used, e.g. access_provider=ipa.

bye,
Sumit
From ee3ff411494c7bae1158b7baef1adc24ebdbe342 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Wed, 11 Nov 2009 23:06:09 +0100
Subject: [PATCH] Make 'permit' the default for the access target

---
 server/man/sssd.conf.5.xml  |4 +---
 server/providers/data_provider_be.c |   17 -
 2 files changed, 5 insertions(+), 16 deletions(-)

diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml
index c342499..4facea6 100644
--- a/server/man/sssd.conf.5.xml
+++ b/server/man/sssd.conf.5.xml
@@ -513,9 +513,7 @@
 quotedeny/quote always deny access.
 /para
 para
-Default: quoteid_provider/quote is used if it
-is set and can handle access control requests or
-quotepermit/quote otherwise.
+Default: quotepermit/quote
 /para
 /listitem
 /varlistentry
diff --git a/server/providers/data_provider_be.c 
b/server/providers/data_provider_be.c
index b20ac1f..d5c2492 100644
--- a/server/providers/data_provider_be.c
+++ b/server/providers/data_provider_be.c
@@ -1039,20 +1039,11 @@ int be_process_init(TALLOC_CTX *mem_ctx,
   from provider [%s].\n, ctx-bet_info[BET_AUTH].mod_name));
 }
 
-ret = load_backend_module(ctx, BET_ACCESS,
-  ctx-bet_info[BET_ACCESS],
-  ctx-bet_info[BET_ID].mod_name);
+ret = load_backend_module(ctx, BET_ACCESS, ctx-bet_info[BET_ACCESS],
+  ACCESS_PERMIT);
 if (ret != EOK) {
-if (ret != ENOENT) {
-DEBUG(0, (No ACCESS backend target available.\n));
-return ret;
-}
-ret = load_backend_module(ctx, BET_ACCESS,
-  ctx-bet_info[BET_ACCESS], ACCESS_PERMIT);
-if (ret != EOK) {
-DEBUG(0, (Failed to set ACCESS backend to default (permit).\n));
-return ret;
-}
+DEBUG(0, (Failed to setup ACCESS backend.\n));
+return ret;
 }
 DEBUG(9, (ACCESS backend target successfully loaded 
   from provider [%s].\n, ctx-bet_info[BET_ACCESS].mod_name));
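Review bot: The new failure message `DEBUG(0, ("Failed to setup ACCESS backend.\n"));` loses the detail the old two-step code logged (no target available versus fallback failure) and does not say which error or provider was involved. With the access target now defaulting to permit, an operator diagnosing an unexpected permit or deny needs that information, e.g. `DEBUG(0, ("Failed to setup ACCESS backend [%d].\n", ret));` and, if the configured provider name is at hand here, include it too. be_process_init starts and ends outside the hunk.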
-- 
1.6.2.5

___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel


Re: [SSSD] [PATCH] Validate Kerberos credentials with local keytab

2009-11-13 Thread Sumit Bose
On Thu, Nov 12, 2009 at 01:46:39PM -0500, Stephen Gallagher wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On 11/12/2009 06:46 AM, Sumit Bose wrote:
  Hi,
  
  this patch adds the possibility to validate the credentials obtained from
  a Kerberos server with a local keytab. The boolean option krb5_validate
  switches the validation on and off. It is disabled by default in the
  kerberos provider and enabled by default in the IPA provider.
  
  Typically root privileges are needed to read a keytab. As a consequence
  if validation is enabled the privileges cannot be dropped before starting
  krb5_child, but only after reading the keytab.
  
  bye,
  Sumit
  
  
  
  ___
  sssd-devel mailing list
  sssd-devel@lists.fedorahosted.org
  https://fedorahosted.org/mailman/listinfo/sssd-devel
 
 Nack.
 
 In the sssd-ipa manpage, I think we should change the please note to
 Please note that this default differs from the traditional kerberos
 provider backend.
 
 I think that referring to the underlying Kerberos provider makes it
 unclear.

done

 
 In create_send_buffer(), you assign buf-size based on sizeof(int), but
 you're using uint32_t for the actual data. This is a waste of memory on
 64-bit integer systems, and a serious error on a 16-bit integer system.
 (Not that we ever expect to support such a system) If you're copying in
 a 32-bit number, please guarantee that the space is allocated for a
 32-bit number.
 

done

 Please add a comment in fork_child() stating why the value of
 KRB5_VALIDATE dictates whether to assume the user's identity.
 

done

 I think this is a serious error: you're only validating against the
 first entry in the keytab. It's possible for a keytab to have many
 different principals, as well as multiple enctypes for the same
 principal. We need to iterate through all keytab entries and test first
 for the principal we need to validate against and not fail until all
 enctypes for the sought-after principal have been tried.
 

ok, I look for the first key with a matching realm or try the last one
in the keytab file.

 get_and_save_tgt(): Again a comment would be nice around become_user()
 noting that it was being done here after being deferred from earlier so
 that we can validate the TGT.

done

 
 General question: if we're moving where become_user() is called, will
 this affect our SELinux policy?
 

I think it will not affect the policy, because the krb5_child inherits
the SELinux labels from the parent, but I will check with Dan.

bye,
Sumit

 - -- 
 Stephen Gallagher
 RHCE 804006346421761
 
 Delivering value year after year.
 Red Hat ranks #1 in value among software vendors.
 http://www.redhat.com/promo/vendor/
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.9 (GNU/Linux)
 Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
 
 iEYEARECAAYFAkr8WAoACgkQeiVVYja6o6OG+ACeL0nd8tqxwtNKqER/ukPkJc7l
 nHYAnAmH383bqT9y6HioBTWTh1ZQ+IQX
 =DYJU
 -END PGP SIGNATURE-
 ___
 sssd-devel mailing list
 sssd-devel@lists.fedorahosted.org
 https://fedorahosted.org/mailman/listinfo/sssd-devel
From 65e1945014b49e776c61f7fea866c596318949ab Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Wed, 11 Nov 2009 14:16:41 +0100
Subject: [PATCH] Validate Kerberos credentials with local keytab

---
 server/Makefile.am  |3 +
 server/config/SSSDConfig.py |2 +
 server/config/SSSDConfigTest.py |2 +
 server/config/etc/sssd.api.d/sssd-krb5.conf |4 +-
 server/external/krb5.m4 |3 +-
 server/man/sssd-ipa.5.xml   |   17 +++
 server/man/sssd-krb5.5.xml  |   25 +
 server/providers/ipa/ipa_common.c   |2 +
 server/providers/krb5/krb5_auth.c   |   74 +++---
 server/providers/krb5/krb5_become_user.c|   61 +++
 server/providers/krb5/krb5_child.c  |  148 ++-
 server/providers/krb5/krb5_common.c |2 +
 server/providers/krb5/krb5_common.h |2 +
 server/providers/krb5/krb5_utils.h  |2 +
 server/util/sss_krb5.c  |   16 +++-
 server/util/sss_krb5.h  |2 +
 16 files changed, 322 insertions(+), 43 deletions(-)
 create mode 100644 server/providers/krb5/krb5_become_user.c

diff --git a/server/Makefile.am b/server/Makefile.am
index 08c0295..6dfc2ae 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -564,6 +564,7 @@ libsss_proxy_la_LDFLAGS = \
 
 libsss_krb5_la_SOURCES = \
 providers/krb5/krb5_utils.c \
+providers/krb5/krb5_become_user.c \
 providers/krb5/krb5_auth.c \
 providers/krb5/krb5_common.c \
 providers/krb5/krb5_init.c
@@ -591,6 +592,7 @@ libsss_ipa_la_SOURCES = \
 util/sss_ldap.c \
 util/sss_krb5.c \
 providers/krb5/krb5_utils.c \
+providers/krb5/krb5_become_user.c \
 providers/krb5

[SSSD] [PATCH] Enhance check for remote hosts

2009-11-16 Thread Sumit Bose
Hi,

with this patch the ipa_access target should be functionally complete (if
I haven't forgotten something). It tries to resolve the group memberships
of the remote host and checks the hbac rule against them.

bye,
Sumit
From bc9a15f8fa3bef050e26e2a4e71105ac38f55c0f Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Fri, 13 Nov 2009 09:56:32 +0100
Subject: [PATCH] Enhance check for remote hosts

---
 server/providers/ipa/ipa_access.c |  144 +++--
 server/providers/ipa/ipa_access.h |8 ++
 2 files changed, 97 insertions(+), 55 deletions(-)

diff --git a/server/providers/ipa/ipa_access.c 
b/server/providers/ipa/ipa_access.c
index 8be91a6..230cabc 100644
--- a/server/providers/ipa/ipa_access.c
+++ b/server/providers/ipa/ipa_access.c
@@ -56,14 +56,6 @@
 #define HBAC_RULES_SUBDIR hbac_rules
 #define HBAC_HOSTS_SUBDIR hbac_hosts
 
-struct hbac_host_info {
-const char *fqdn;
-const char *serverhostname;
-const char *dn;
-const char **memberof;
-};
-
-
 static void ipa_access_reply(struct be_req *be_req, int pam_status)
 {
 struct pam_data *pd;
@@ -297,7 +289,6 @@ struct hbac_get_host_info_state {
 struct sysdb_ctx *sysdb;
 struct sysdb_handle *handle;
 
-const char *hostname;
 char *host_filter;
 char *host_search_base;
 const char **host_attrs;
@@ -319,15 +310,16 @@ static struct tevent_req 
*hbac_get_host_info_send(TALLOC_CTX *memctx,
   struct sdap_id_ctx *sdap_ctx,
   struct sysdb_ctx *sysdb,
   const char *ipa_domain,
-  const char *hostname)
+  const char **hostnames)
 {
 struct tevent_req *req = NULL;
 struct tevent_req *subreq = NULL;
 struct hbac_get_host_info_state *state;
 int ret;
+int i;
 
-if (hostname == NULL || ipa_domain == NULL) {
-DEBUG(1, (Missing fqdn or domain.\n));
+if (hostnames == NULL || ipa_domain == NULL) {
+DEBUG(1, (Missing hostnames or domain.\n));
 return NULL;
 }
 
@@ -341,20 +333,33 @@ static struct tevent_req 
*hbac_get_host_info_send(TALLOC_CTX *memctx,
 state-sdap_ctx = sdap_ctx;
 state-sysdb = sysdb;
 state-handle = NULL;
-state-hostname= hostname;
 
 state-host_reply_list = NULL;
 state-host_reply_count = 0;
 state-current_item = 0;
+state-hbac_host_info = NULL;
 
-state-host_filter = talloc_asprintf(state,
-  
((|(fqdn=%s)(serverhostname=%s))(objectclass=ipaHost)),
-  hostname, hostname);
+state-host_filter = talloc_asprintf(state, (|);
 if (state-host_filter == NULL) {
 DEBUG(1, (Failed to create filter.\n));
 ret = ENOMEM;
 goto fail;
 }
+for (i = 0; hostnames[i] != NULL; i++) {
+state-host_filter = talloc_asprintf_append(state-host_filter,
+ ((objectclass=ipaHost)
+ 
(|(fqdn=%s)(serverhostname=%s))),
+ hostnames[i], hostnames[i]);
+if (state-host_filter == NULL) {
+ret = ENOMEM;
+goto fail;
+}
+}
+state-host_filter = talloc_asprintf_append(state-host_filter, ));
+if (state-host_filter == NULL) {
+ret = ENOMEM;
+goto fail;
+}
 
 state-host_search_base = talloc_asprintf(state, IPA_HOST_BASE_TMPL,
   ipa_domain);
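Review bot: If `hostnames` is non-NULL but empty, the loop appends nothing and the filter is closed as `(|)`, which is not a valid LDAP filter; the NULL check in the signature hunk above should also reject `hostnames[0] == NULL`. Each `hostnames[i]` is appended into the filter with `%s` unescaped, and the later check_remote_hosts change suggests a remote host from the PAM data may end up in this list; if a caller-supplied rhost can reach it, filter metacharacters (`*`, `(`, `)`, `\`) would alter the query and should be escaped per RFC 4515 before being appended. That data flow is inferred from the signature change, not visible in this hunk. hbac_get_host_info_send starts and ends outside the hunk.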
@@ -477,8 +482,8 @@ static void host_get_host_memberof_done(struct tevent_req 
*subreq)
 return;
 }
 
-if (state-host_reply_list == NULL) {
-DEBUG(1, (Host [%s] not found in IPA server.\n, state-hostname));
+if (state-host_reply_count == 0) {
+DEBUG(1, (No hosts not found in IPA server.\n));
 ret = ENOENT;
 goto fail;
 }
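Review bot: The new message `DEBUG(1, ("No hosts not found in IPA server.\n"));` is a double negative; it should read `DEBUG(1, ("No hosts found in IPA server.\n"));`. Switching the test from `host_reply_list == NULL` to `host_reply_count == 0` looks consistent with the list now being indexed by count, assuming the two are kept in step by code outside the hunk. host_get_host_memberof_done starts and ends outside the hunk.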
@@ -493,7 +498,7 @@ static void host_get_host_memberof_done(struct tevent_req 
*subreq)
sizeof(struct hbac_host_info *) * (state-host_reply_count + 1));
 
 for (i = 0; i  state-host_reply_count; i++) {
-hhi[i] = talloc_zero(state, struct hbac_host_info);
+hhi[i] = talloc_zero(hhi, struct hbac_host_info);
 if (hhi[i] == NULL) {
 ret = ENOMEM;
 goto fail;
@@ -1302,30 +1307,22 @@ enum check_result check_user(struct hbac_ctx *hbac_ctx,
 return RULE_ERROR;
 }
 
-enum check_result check_remote_hosts(struct pam_data *pd,
+enum check_result check_remote_hosts(const char *rhost,
+ struct hbac_host_info *hhi,
  struct sysdb_attrs *rule_attrs)
 {
 int ret;
 int i;
+int m;
 struct ldb_message_element *cat_el;
 struct ldb_message_element *src_el;
 struct ldb_message_element *ext_el;
-const

[SSSD] [PATCH] Ignore shadow attributes

2009-11-16 Thread Sumit Bose
Hi,

this patch should fix #279 by ignoring the shadow attributes by
default.

bye,
Sumit
From 8bcd2646e948a1f05b279196a4e6f4350aa5d5a9 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Mon, 16 Nov 2009 13:56:57 +0100
Subject: [PATCH] Ignore shadow attributes

---
 server/man/sssd-ldap.5.xml  |   25 +
 server/providers/ldap/ldap_auth.c   |   19 +++
 server/providers/ldap/ldap_common.c |3 ++-
 server/providers/ldap/sdap.h|1 +
 4 files changed, 47 insertions(+), 1 deletions(-)

diff --git a/server/man/sssd-ldap.5.xml b/server/man/sssd-ldap.5.xml
index a2aa730..c971a2c 100644
--- a/server/man/sssd-ldap.5.xml
+++ b/server/man/sssd-ldap.5.xml
@@ -582,6 +582,31 @@
 /listitem
 /varlistentry
 
+varlistentry
+termldap_ignore_shadow_attributes (boolean)/term
+listitem
+para
+If set to true ignore the LDAP attributes
+corresponding to the values describes in
+citerefentryrefentrytitleshadow/refentrytitle
+manvolnum5/manvolnum/citerefentry during
+authentication, i.e. they are not used to evaluate
+if the password is expired.
+/para
+para
+Default: true
+/para
+para
+Please note that you should only set this value to
+false if there is a password change mechanism
+available which can update the last changed time.
+The current version of sssd
+emphasisdoes not/emphasis update the
+corresponding attribute.
+/para
+/listitem
+/varlistentry
+
 /variablelist
 /para
 /refsect1
diff --git a/server/providers/ldap/ldap_auth.c 
b/server/providers/ldap/ldap_auth.c
index a9f03a7..114fc36 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -572,6 +572,7 @@ struct sdap_pam_chpass_state {
 char *password;
 char *new_password;
 struct sdap_handle *sh;
+struct sdap_auth_ctx *ctx;
 };
 
 static void sdap_auth4chpass_done(struct tevent_req *req);
@@ -611,6 +612,7 @@ void sdap_pam_chpass_handler(struct be_req *breq)
 if (!state) goto done;
 
 state-breq = breq;
+state-ctx = ctx;
 state-pd = pd;
 state-username = pd-user;
 state-password = talloc_strndup(state,
@@ -661,6 +663,12 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
 if (result == SDAP_AUTH_SUCCESS) {
 switch (pw_expire_type) {
 case PWEXPIRE_SHADOW:
+if (dp_opt_get_bool(state-ctx-opts-basic,
+SDAP_IGNORE_SHADOW_ATTRIBUTES)) {
+DEBUG(5, (Ignoring shadow attributes.\n));
+pw_expire_type = PWEXPIRE_NONE;
+break;
+}
 ret = check_pwexpire_shadow(pw_expire_data, time(NULL),
 result);
 if (ret != EOK) {
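Review bot: The shadow-ignore branch added under `case PWEXPIRE_SHADOW:` is duplicated verbatim in sdap_pam_auth_done (the hunk at `@@ -846,6 +856,12 @@`); resolving the effective `pw_expire_type` once, in a small static helper or at the point where it is determined, would keep the two paths from drifting. The `break` inside the `if` exits the `switch`, so `check_pwexpire_shadow` is skipped as intended, but a one-line comment saying so would help since it sits inside a nested block. sdap_auth4chpass_done starts and ends outside the hunk.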
@@ -764,6 +772,7 @@ struct sdap_pam_auth_state {
 struct pam_data *pd;
 const char *username;
 struct dp_opt_blob password;
+struct sdap_auth_ctx *ctx;
 };
 
 static void sdap_pam_auth_done(struct tevent_req *req);
@@ -798,6 +807,7 @@ void sdap_pam_auth_handler(struct be_req *breq)
 
 state-breq = breq;
 state-pd = pd;
+state-ctx = ctx;
 state-username = pd-user;
 state-password.data = pd-authtok;
 state-password.length = pd-authtok_size;
@@ -846,6 +856,12 @@ static void sdap_pam_auth_done(struct tevent_req *req)
 if (result == SDAP_AUTH_SUCCESS) {
 switch (pw_expire_type) {
 case PWEXPIRE_SHADOW:
+if (dp_opt_get_bool(state-ctx-opts-basic,
+SDAP_IGNORE_SHADOW_ATTRIBUTES)) {
+DEBUG(5, (Ignoring shadow attributes.\n));
+pw_expire_type = PWEXPIRE_NONE;
+break;
+}
 ret = check_pwexpire_shadow(pw_expire_data, time(NULL),
 result);
 if (ret != EOK) {
@@ -883,6 +899,9 @@ static void sdap_pam_auth_done(struct tevent_req *req)
 case SDAP_UNAVAIL:
 state-pd-pam_status = PAM_AUTHINFO_UNAVAIL;
 break;
+case SDAP_ACCT_EXPIRED:
+state-pd-pam_status = PAM_ACCT_EXPIRED;
+break;
 case SDAP_AUTH_PW_EXPIRED:
 state-pd-pam_status = PAM_AUTHTOK_EXPIRED;
 break;
diff --git a/server/providers/ldap/ldap_common.c 
b/server

Re: [SSSD] [PATCH] Ignore shadow attributes

2009-11-16 Thread Sumit Bose
On Mon, Nov 16, 2009 at 09:23:17AM -0500, Simo Sorce wrote:
 On Mon, 2009-11-16 at 14:06 +0100, Sumit Bose wrote:
  Hi,
  
  this patch should fix #279 by ignoring the shadow attributes by
  default.
 
 I was thinking about this and I think I don't want to go down this way.
 While automatic discovery of the expiration attributes is nice, I think
 it is an issue.
 
 I would rather see an attribute that overrides
 find_password_expiration_attributes() instead.
 
 This way the admin can force what expiration policy should be used
 regardless of what random attributes may be found.
 
 something like: password_policy_type
 choice of: none, ldap_pwd_policy, mit_kerberos, shadow, auto
 
 so if you don't want anything use
 password_policy_type = none
 
 if you want to use only shadow (even if the server supports
 ldap_pwd_policies set password_policy_type = shadow
 
 I am unsure if we want to add auto, that would be the default and use
 the find_password_expiration_attributes() to autodetect what to use.
 
 Thoughts ?
 
 Simo.
 

I like it.

Please wait for a new patch ...

bye,
Sumit
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel


Re: [SSSD] [PATCH] better cleanup task for ldap driver

2009-11-19 Thread Sumit Bose
On Wed, Nov 18, 2009 at 07:23:09PM -0500, Simo Sorce wrote:
 
 See the commit comment, but, long story short, this is much better
 behavior then what we have now.
 

I would like to read the commit comment, but ...

 Simo.
 
 -- 
 Simo Sorce * Red Hat, Inc * New York
 
 ___
 sssd-devel mailing list
 sssd-devel@lists.fedorahosted.org
 https://fedorahosted.org/mailman/listinfo/sssd-devel
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel


Re: [SSSD] [PATCH] Fix sysdb upgrade bug

2009-11-19 Thread Sumit Bose
On Thu, Nov 19, 2009 at 08:24:42AM -0500, Stephen Gallagher wrote:
 Sumit caught a bug in my recent case-sensitivity patch. Here's the
 one-line fix.
 
 After completing an upgrade successfully, we were still falling
 into the version not found case. We should be exiting the
 function after performing the upgrade.

ACK

bye,
Sumit

 -- 
 Stephen Gallagher
 RHCE 804006346421761
 
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel


[SSSD] [PATCH] Read KDC info from file instead from environment

2009-11-19 Thread Sumit Bose
Hi,

this patch changes the way the locator plugin finds out about the KDC.
Now the information is written to a file which is read by the plugin.

Two things will be addressed in different patches.

- the environment variables are still sent to the client. I haven't
  removed them in this patch, because it would introduce a dependency on
  other not-yet-committed patches. I thought it might be easier this way.
- integration of the fail-over framework.

bye,
Sumit
From cee867db56fb09b28c33e855f4a853e75075a044 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Thu, 19 Nov 2009 17:53:38 +0100
Subject: [PATCH] Read KDC info from file instead from environment

The name or IP address of the KDC is written into the pubconf directory
into a file named kdcinfo.REALM. The locator plugin will then read this
file and pass the data to the kerberos libraries.
---
 contrib/sssd.spec.in  |3 +
 server/Makefile.am|4 +-
 server/conf_macros.m4 |   17 
 server/configure.ac   |1 +
 server/krb5_plugin/sssd_krb5_locator_plugin.c |  122 +++--
 server/providers/krb5/krb5_common.c   |  104 ++---
 server/providers/krb5/krb5_common.h   |4 +
 7 files changed, 209 insertions(+), 46 deletions(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 173d049..1251fe5 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -28,6 +28,7 @@ Requires(postun): /sbin/service
 %define sssdstatedir %{_localstatedir}/lib/sss
 %define dbpath %{sssdstatedir}/db
 %define pipepath %{sssdstatedir}/pipes
+%define pubconfpath %{sssdstatedir}/pubconf
 
 ### Build Dependencies ###
 
@@ -80,6 +81,7 @@ KRB5_LIBS=-lkrb5 \
 --without-tests \
 --with-db-path=%{dbpath} \
 --with-pipe-path=%{pipepath} \
+--with-pubconf-path=%{pubconfpath} \
 --with-init-dir=%{_initrddir} \
 --enable-nsslibdir=/%{_lib}
 
@@ -138,6 +140,7 @@ rm -rf $RPM_BUILD_ROOT
 %dir %{sssdstatedir}
 %attr(700,root,root) %dir %{dbpath}
 %attr(755,root,root) %dir %{pipepath}
+%attr(755,root,root) %dir %{pubconfpath}
 %attr(700,root,root) %dir %{pipepath}/private
 %attr(750,root,root) %dir %{_var}/log/%{name}
 %attr(700,root,root) %dir %{_sysconfdir}/sssd
diff --git a/server/Makefile.am b/server/Makefile.am
index 196486a..2ebbcfb 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -22,6 +22,7 @@ pidpath = @pidpath@
 pipepath = @pipepath@
 initdir = @initdir@
 logpath = @logpath@
+pubconfpath = @pubconfpath@
 
 AM_CFLAGS =
 if WANT_AUX_INFO
@@ -723,7 +724,8 @@ installsssddirs::
 $(DESTDIR)$(dbpath) \
 $(DESTDIR)$(pidpath) \
 $(DESTDIR)$(initdir) \
-$(DESTDIR)$(logpath)
+$(DESTDIR)$(logpath) \
+$(DESTDIR)$(pubconfpath)
 
 install-exec-hook: installsssddirs
if [ $(DESTDIR) =  ]; then \
diff --git a/server/conf_macros.m4 b/server/conf_macros.m4
index 0990e50..86ccf5d 100644
--- a/server/conf_macros.m4
+++ b/server/conf_macros.m4
@@ -66,6 +66,23 @@ AC_DEFUN([WITH_LOG_PATH],
 AC_DEFINE_UNQUOTED(LOG_PATH, $config_logpath, [Where to store log files 
for the SSSD])
   ])
 
+AC_DEFUN([WITH_PUBCONF_PATH],
+  [ AC_ARG_WITH([pubconf-path],
+[AC_HELP_STRING([--with-pubconf-path=PATH],
+[Where to store pubconf files for the SSSD 
[/var/lib/sss/pubconf]]
+   )
+]
+   )
+config_pubconfpath=\VARDIR\/lib/sss/pubconf
+pubconfpath=${localstatedir}/lib/sss/pubconf
+if test x$with_pubconf_path != x; then
+config_pubconfpath=$with_pubconf_path
+pubconfpath=$with_pubconf_path
+fi
+AC_SUBST(pubconfpath)
+AC_DEFINE_UNQUOTED(PUBCONF_PATH, $config_pubconfpath, [Where to store 
pubconf files for the SSSD])
+  ])
+
 AC_DEFUN([WITH_PIPE_PATH],
   [ AC_ARG_WITH([pipe-path],
 [AC_HELP_STRING([--with-pipe-path=PATH],
diff --git a/server/configure.ac b/server/configure.ac
index 1a94158..696a5a4 100644
--- a/server/configure.ac
+++ b/server/configure.ac
@@ -45,6 +45,7 @@ WITH_DB_PATH
 WITH_PLUGIN_PATH
 WITH_PID_PATH
 WITH_LOG_PATH
+WITH_PUBCONF_PATH
 WITH_PIPE_PATH
 WITH_INIT_DIR
 WITH_SHADOW_UTILS_PATH
diff --git a/server/krb5_plugin/sssd_krb5_locator_plugin.c 
b/server/krb5_plugin/sssd_krb5_locator_plugin.c
index a30586c..5e79733 100644
--- a/server/krb5_plugin/sssd_krb5_locator_plugin.c
+++ b/server/krb5_plugin/sssd_krb5_locator_plugin.c
@@ -27,12 +27,14 @@
 #include errno.h
 #include sys/types.h
 #include netdb.h
-
+#include sys/stat.h
+#include fcntl.h
 
 #include krb5/locate_plugin.h
 
 #include providers/krb5/krb5_common.h
 
+#define BUFSIZE 512
 #define SSSD_KRB5_LOCATOR_DEBUG SSSD_KRB5_LOCATOR_DEBUG
 #define DEBUG_KEY [sssd_krb5_locator] 
 #define PLUGIN_DEBUG(body) do { \
@@ -67,33 +69,60 @@ void debug_fn(const char *format, ...)
 free(s);
 }
 
-krb5_error_code sssd_krb5_locator_init(krb5_context context

Re: [SSSD] [PATCH] correctly escape RDNs

2009-11-20 Thread Sumit Bose
On Thu, Nov 19, 2009 at 07:30:32PM -0500, Simo Sorce wrote:
 See commit comment.
 
 -- 
 Simo Sorce * Red Hat, Inc * New York

 From 49862816e3b7077bc7a002c980901d31aff06269 Mon Sep 17 00:00:00 2001
 From: Simo Sorce sso...@redhat.com
 Date: Thu, 19 Nov 2009 19:28:36 -0500
 Subject: [PATCH] Correctly escape DN value.
 
 In building the DN string we weren't correctly escaping the value of the RDN
 component. This patches fixes that.
 ---
  server/db/sysdb_ops.c |   48 ++--
  1 files changed, 42 insertions(+), 6 deletions(-)
 
 diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c
 index 4a44f28..da53fd3 100644
 --- a/server/db/sysdb_ops.c
 +++ b/server/db/sysdb_ops.c
 @@ -2769,6 +2769,42 @@ int sysdb_store_user_recv(struct tevent_req *req)
  
  /* =Store-Group-(Native/Legacy)-(replaces-existing-data)== */
  
 +static char *build_dom_dn_str_escape(TALLOC_CTX *memctx, const char 
 *template,
 + const char *domain, const char *name)
 +{
 +char *ret;
 +int l;
 +
 +l = strcspn(name, ,=\n+#;\\\);

Wouldn't it be better to always call ldb_dn_escape_value() instead of
depending on a hardcoded set of characters which might be different in
other/coming versions of libldb?

bye,
Sumit
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel


Re: [SSSD] [PATCH] Optimize group enumerations

2009-11-20 Thread Sumit Bose
On Tue, Nov 17, 2009 at 08:38:00PM -0500, Simo Sorce wrote:
 I've been thinking about optimizing group enumerations for a while as
 they were way too slow for my taste.
 
 I did that by relying on the way we store users in the database and by
 parsing the member attribute of the groups counting on the fact we build
 the user dn as name=username,cn=users,

We already rely on this in sysdb_search_user_by_name_send() so I think
it's ok to do it here, too.

 
 This patch does indeed help a lot as the speedup with a large database
 is huge, on my machine the reduction is of at least 1 order of magnitude
 (from 2.5 seconds to 0.15 seconds)
 With this patch we do one search only ( therefore O(n) ) instead of a
 series of searches ( O(n^2) ).
 I also removed a lot of code, which is usually also a good thing.
 

nitpick
You don't like the recommendation in
http://freeipa.org/page/Coding_Style#Declaring, do you?
/nitpick


 
 The downside is that I don't have a user entry to test for uid range, so
 I can't exclude users based on that.
 
 However I think we should move both name filtering and range filtering
 in the backend code and enforce them once at store time instead of
 testing and enforcing them again and again and again each time we query
 the database.
 
 If the range or list of filtered name changes we should catch that by
 simply filtering the database when the settings change and at startup.
 
 Comments are welcome.
 

I agree, you have already provided a patch for this and we should
continue discussing the details in that thread.


ACK

bye,
Sumit

 Simo.
 
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel


Re: [SSSD] [PATCH] move id range checks into providers

2009-11-20 Thread Sumit Bose
On Fri, Nov 20, 2009 at 10:40:29AM +0100, Sumit Bose wrote:
 On Wed, Nov 18, 2009 at 12:09:58PM -0500, Simo Sorce wrote:
  This way we check them once at storage time instead of checking again
  and again at search time.
  
  Applies only on top of the sysdb_enumgrent optimization patch.
  
  Simo.
  
 
 Works well, especially with Optimize-sysdb_enumgrent.patch, but
 please create a utility function or a macro for the range check and fix
 
 responder/nss/nsssrv_cmd.c: In function 'fill_grent':
 responder/nss/nsssrv_cmd.c:1476: warning: unused variable 'uid'
 
 bye,
 Sumit
 

Can you add a task that removes entries outside of the range at startup?

bye,
Sumit
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel


Re: [SSSD] [PATCH] Make use of failover code in backends.

2009-11-20 Thread Sumit Bose
On Mon, Nov 16, 2009 at 05:55:51PM -0500, Simo Sorce wrote:
 This patch implements the use of the fail_over code under the control of
 the data provider backend code. All providers share the same failover
 structure and if they use the same service name, they also share the
 same servers lists.

Please add a utility function to split the server list.

 
 A set of callbacks is made available so that if a new resolution is
 performed that changes the server currently in use then all providers
 can update their status.
 
 I have done limited testing with the ipa backend which exercises both
 the ldap and krb code, although the standalone krb code still doesn't
 implement using the failover code.
 
 Simo.
 

I have tested this with three servers and can see that they are tried one
after the other, but if the last one is reached and fails it looks like
it never tries other servers again. I only get:

[sssd[be[NEWIPA]]] [fo_resolve_service_send] (1): No available servers
for service 'IPA'.

bye,
Sumit
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel


Re: [SSSD] [PATCH] Improve handling of ccache files

2009-11-20 Thread Sumit Bose
On Thu, Nov 19, 2009 at 02:31:36PM +0100, Sumit Bose wrote:
 Hi,
 
 this patch improves the handling of ccache files. It addresses two
 issues already discussed on the list.
 
 When randomized ccache files are used (or the client process id is used
 in the name of the ccache file) each authentication of the user creates
 a new ccache file. This patch saves the name of the ccache in sysdb and
 reuses the saved file name if the user has running processes on the
 system. So a single user only has one active ccache file.
 
 If the authentication happens when the system is offline the kerberos
 related environment variables were not sent to the client. If a later
 authentication happens online the old session still cannot see the
 ccache file with the valid credentials. This patch sends the environment
 variables back to the client even when offline.
 
 bye,
 Sumit

Stephen found a compilation issue. The attached version should fix it.

bye,
Sumit
From d3e45ae1df2bea9b63e5c94900bc3b82affe01f9 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Mon, 9 Nov 2009 21:54:06 +0100
Subject: [PATCH] Improve handling of ccache files

- save current ccache file to sysdb
- use the saved ccache file if the user has running processes
- create an empty ccache if offline
- return environment variables if offline
---
 server/Makefile.am |   30 ++-
 server/db/sysdb.h  |1 +
 server/providers/krb5/krb5_auth.c  |  546 +---
 server/providers/krb5/krb5_auth.h  |3 +-
 server/providers/krb5/krb5_child.c |  250 ++---
 server/tests/find_uid-tests.c  |  124 
 server/util/find_uid.c |  297 
 server/util/find_uid.h |   36 +++
 8 files changed, 1081 insertions(+), 206 deletions(-)
 create mode 100644 server/tests/find_uid-tests.c
 create mode 100644 server/util/find_uid.c
 create mode 100644 server/util/find_uid.h

diff --git a/server/Makefile.am b/server/Makefile.am
index 196486a..b792836 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -68,10 +68,11 @@ if HAVE_CHECK
 resolv-tests \
 krb5-utils-tests \
 check_and_open-tests \
-   ipa_timerules-tests \
+ipa_timerules-tests \
 files-tests \
 refcount-tests \
-fail_over-tests
+fail_over-tests \
+find_uid-tests
 endif
 
 check_PROGRAMS = \
@@ -132,7 +133,7 @@ INI_CFG_LIBS = \
 DHASH_CFLAGS = \
 -I$(srcdir)/../common/dhash
 DHASH_LIBS = \
--L$(builddir)/../common/dhash/.libs/ \
+-L$(builddir)/../common/dhash/ \
 -ldhash
 
 AM_CPPFLAGS = -Wall \
@@ -266,6 +267,7 @@ dist_noinst_HEADERS = \
 util/sss_ldap.h \
 util/sss_krb5.h \
 util/refcount.h \
+util/find_uid.h \
 config.h \
 monitor/monitor.h \
 monitor/monitor_interfaces.h \
@@ -518,6 +520,20 @@ ipa_timerules_tests_LDADD = \
 $(TALLOC_LIBS) \
 $(CHECK_LIBS)
 
+find_uid_tests_SOURCES = \
+tests/find_uid-tests.c \
+util/find_uid.c \
+$(SSSD_DEBUG_OBJ)
+find_uid_tests_CFLAGS = \
+$(AM_CFLAGS) \
+$(TALLOC_CFLAGS) \
+$(DHASH_CFLAGS) \
+$(CHECK_CFLAGS)
+find_uid_tests_LDADD = \
+$(TALLOC_LIBS) \
+$(DHASH_LIBS) \
+$(CHECK_LIBS)
+
 endif
 
 stress_tests_SOURCES = \
@@ -564,6 +580,7 @@ libsss_proxy_la_LDFLAGS = \
 -module
 
 libsss_krb5_la_SOURCES = \
+util/find_uid.c \
 providers/krb5/krb5_utils.c \
 providers/krb5/krb5_become_user.c \
 providers/krb5/krb5_auth.c \
@@ -571,7 +588,9 @@ libsss_krb5_la_SOURCES = \
 providers/krb5/krb5_init.c
 libsss_krb5_la_CFLAGS = \
 $(AM_CFLAGS) \
-$(KRB5_CFLAGS)
+$(DHASH_CFLAGS)
+libsss_krb5_la_LIBADD = \
+$(DHASH_LIBS)
 libsss_krb5_la_LDFLAGS = \
 -version-info 1:0:0 \
 -module
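Review bot: `libsss_krb5_la_CFLAGS` loses `$(KRB5_CFLAGS)` in this hunk: the removed line is replaced by `$(DHASH_CFLAGS)` instead of being extended, so the krb5 provider sources in this module would be compiled without the Kerberos include flags, whereas the ipa hunk further down keeps both. Unless KRB5_CFLAGS is also folded into AM_CFLAGS somewhere outside this chunk, the variable should read `$(DHASH_CFLAGS) \` followed by `$(KRB5_CFLAGS)`. The newly added `libsss_krb5_la_LIBADD` likewise lists only `$(DHASH_LIBS)`; if the Kerberos libraries were previously linked through another variable that is fine, but it is worth confirming together with the CFLAGS fix.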
@@ -593,6 +612,7 @@ libsss_ipa_la_SOURCES = \
 providers/ldap/sdap.c \
 util/sss_ldap.c \
 util/sss_krb5.c \
+util/find_uid.c \
 providers/krb5/krb5_utils.c \
 providers/krb5/krb5_become_user.c \
 providers/krb5/krb5_common.c \
@@ -600,9 +620,11 @@ libsss_ipa_la_SOURCES = \
 libsss_ipa_la_CFLAGS = \
 $(AM_CFLAGS) \
 $(LDAP_CFLAGS) \
+$(DHASH_CFLAGS) \
 $(KRB5_CFLAGS)
 libsss_ipa_la_LIBADD = \
 $(OPENLDAP_LIBS) \
+$(DHASH_LIBS) \
 $(KRB5_LIBS)
 libsss_ipa_la_LDFLAGS = \
 -version-info 1:0:0 \
diff --git a/server/db/sysdb.h b/server/db/sysdb.h
index a329985..f94b43f 100644
--- a/server/db/sysdb.h
+++ b/server/db/sysdb.h
@@ -72,6 +72,7 @@
 
 #define SYSDB_UUID uniqueID
 #define SYSDB_UPN userPrincipalName
+#define SYSDB_CCACHE_FILE ccacheFile
 
 #define SYSDB_ORIG_DN originalDN
 #define SYSDB_ORIG_MODSTAMP originalModifyTimestamp
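Review bot: The new `SYSDB_CCACHE_FILE` attribute is undocumented, yet per the commit message its value is a filesystem path that the krb5 provider later reuses as the user's credential cache when the user still has running processes. A one-line comment on the define saying who writes it and what it holds would help, e.g. `#define SYSDB_CCACHE_FILE ccacheFile /* path of the user's current krb5 ccache, written by the krb5 provider */`. Since a stale or tampered value here turns into a path the provider trusts, the reuse code (outside this chunk) should presumably re-validate the stored path against the configured ccache template and the file's ownership before using it; a note pointing to that check would be useful next to this attribute.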
diff --git a/server/providers/krb5/krb5_auth.c 
b/server/providers/krb5/krb5_auth.c
index d3e05e1..8068bce 100644
--- a/server/providers/krb5/krb5_auth.c
+++ b/server/providers/krb5/krb5_auth.c
@@ -29,10 +29,12 @@
 #include sys/wait.h
 #include fcntl.h
 #include pwd.h
+#include sys/stat.h
