[SSSD] [PATCH] Optimize gorup enumerations
I've been thinking about optimizing group enumerations for a while as they were way too slow for my taste. I did that by relying on the way we store users in the database and by parsing the member attribute of the groups counting on the fact we build the user dn as name=,cn=users, This patch does indeed help a lot as the speedup with a large database is huge, on my machine the reduction is of at least 1 order of magnitude (from 2.5 seconds to 0.15 seconds) With this patch we do one search only ( therefore O(n) ) instead of a series of searches ( O(n^2) ). I also removed a lot of code, which is usually also a good thing. The downside is that I don't have a user entry to test for uid range, so I can't exclude users based on that. However I think we should move both name filtering and range filtering in the backend code and enforce them once at store time instead of testing and enforcing them again and again and again each time we query the database. If the range or list of filtered name changes we should catch that by simply filtering the database when the settings change and at startup. Comments are welcome. Simo. -- Simo Sorce * Red Hat, Inc * New York >From 28f11aabb072f678fa3d8449df53474c2731c072 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 17 Nov 2009 20:22:36 -0500 Subject: [PATCH] Optimize sysdb_enumgrent This brings down the time needed to enumerate my group database from 10s to 4s The downside is that I can't filter group members by uid range. --- server/db/sysdb.h | 10 +- server/db/sysdb_search.c | 341 ++-- server/responder/nss/nsssrv_cmd.c | 348 +++-- 3 files changed, 197 insertions(+), 502 deletions(-) diff --git a/server/db/sysdb.h b/server/db/sysdb.h index a329985..0512a7f 100644 --- a/server/db/sysdb.h +++ b/server/db/sysdb.h 
@@ -31,9 +31,12 @@ #define SYSDB_BASE "cn=sysdb" #define SYSDB_DOM_BASE "cn=%s,cn=sysdb" -#define SYSDB_TMPL_USER_BASE "cn=users,cn=%s,"SYSDB_BASE -#define SYSDB_TMPL_GROUP_BASE "cn=groups,cn=%s,"SYSDB_BASE -#define SYSDB_TMPL_CUSTOM_BASE "cn=custom,cn=%s,"SYSDB_BASE +#define SYSDB_USERS_CONTAINER "cn=users" +#define SYSDB_GROUPS_CONTAINER "cn=groups" +#define SYSDB_CUSTOM_CONTAINER "cn=custom" +#define SYSDB_TMPL_USER_BASE SYSDB_USERS_CONTAINER",cn=%s,"SYSDB_BASE +#define SYSDB_TMPL_GROUP_BASE SYSDB_GROUPS_CONTAINER",cn=%s,"SYSDB_BASE +#define SYSDB_TMPL_CUSTOM_BASE SYSDB_CUSTOM_CONTAINER",cn=%s,"SYSDB_BASE #define SYSDB_USER_CLASS "user" #define SYSDB_GROUP_CLASS "group" @@ -113,6 +116,7 @@ SYSDB_DEFAULT_ATTRS, \ NULL} #define SYSDB_GRSRC_ATTRS {SYSDB_NAME, SYSDB_GIDNUM, \ + SYSDB_MEMBER, \ SYSDB_DEFAULT_ATTRS, \ NULL} #define SYSDB_GRPW_ATTRS {SYSDB_NAME, SYSDB_UIDNUM, \ diff --git a/server/db/sysdb_search.c b/server/db/sysdb_search.c index 2b5dc36..03c7b27 100644 --- a/server/db/sysdb_search.c +++ b/server/db/sysdb_search.c @@ -35,7 +35,6 @@ struct sysdb_search_ctx { struct sss_domain_info *domain; -bool enumeration; const char *expression; sysdb_callback_t callback; @@ -43,8 +42,6 @@ struct sysdb_search_ctx { gen_callback gen_aux_fn; -struct get_mem_ctx *gmctx; - struct ldb_result *res; const char **attrs; @@ -96,12 +93,14 @@ static void request_done(struct sysdb_search_ctx *sctx) sctx->callback(sctx->ptr, EOK, sctx->res); } +static int mpg_convert(struct ldb_message *msg); + static int get_gen_callback(struct ldb_request *req, struct ldb_reply *rep) { struct sysdb_search_ctx *sctx; struct ldb_result *res; -int n; +int n, ret; sctx = talloc_get_type(req->context, struct sysdb_search_ctx); res = sctx->res; 
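Review bot: In the `SYSDB_GRSRC_ATTRS` hunk of sysdb.h, adding `SYSDB_MEMBER` means group results now carry raw member DNs, and the patch description says member names are recovered by parsing them and that the per-member uid-range check is dropped. The parsing code is not in this part of the patch, so this is inferred from the description: until range and name filtering is enforced at store time, enumeration can return members whose uid is outside the domain's configured range. I would keep the read-side check until the store-time filter lands, or at least record the gap beside the macro, e.g. `/* member DNs are parsed as name=<user>,cn=users,...; members are not range-filtered on read */`.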
@@ -117,6 +116,15 @@ static int get_gen_callback(struct ldb_request *req, switch (rep->type) { case LDB_REPLY_ENTRY: + +if (sctx->ctx->mpg) { +ret = mpg_convert(rep->message); +if (ret != EOK) { +request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); +return LDB_ERR_OPERATIONS_ERROR; +} +} + res->msgs = talloc_realloc(res, res->msgs, struct ldb_message *, res->count + 2); @@ -298,8 +306,6 @@ int sysdb_enumpwent(TALLOC_CTX *mem_ctx, return ENOMEM; } -sctx->enumeration = true; - if (expression) sctx->expression = expression; else @@ -320,225 +326,6 @@ int sysdb_enumpwent(TALLOC_CTX *mem_ctx, /* groups */ -struct get_mem_ctx { -struct sysdb_search_ctx *ret_sctx; -struct ldb_message **grps; -int num_grps; -}; - -static void get_members(struct sysdb_search_ctx *sctx) -{ -struct get_mem_ctx *gmctx; -struct ldb_request *req; -struct ldb_message *msg; -struct
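Review bot: `mpg_convert()` is now called on every `LDB_REPLY_ENTRY` that reaches `get_gen_callback`, which looks like the generic search callback, so it has to be harmless on entries it was not written for. Its body is not in this part of the patch, so that cannot be confirmed from here. A short comment above the call saying what it rewrites in `rep->message`, and which entries it leaves untouched, would make that contract reviewable. The failure path also discards `ret`; recording it before `request_ldberror()` would keep an allocation failure distinguishable from a malformed entry. `get_gen_callback` continues past the end of this hunk.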
[SSSD] [Transifex] File submitted via email to SSSD | master
Hello sssd, this is Transifex at http://www.transifex.net. The following attached files were submitted to SSSD | master by Bouska Please, visit Transifex at http://www.transifex.net/projects/p/sssd/c/master/ in order to see the component page. Thank you, Transifex # French translation of SSS Client # Copyright (C) 2009 Red Hat, Inc. # This file is distributed under the same license as the SSSD package. # Pablo Martin-Gomez , 2009. # msgid "" msgstr "" "Project-Id-Version: fr\n" "Report-Msgid-Bugs-To: sssd-de...@lists.fedorahosted.org\n" "POT-Creation-Date: 2009-10-23 14:32-0400\n" "PO-Revision-Date: 2009-11-17 21:05+0100\n" "Last-Translator: Pablo Martin-Gomez \n" "Language-Team: Français \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #: pam_sss.c:323 msgid "Passwords do not match" msgstr "Les mots de passe ne correspondent pas" #: pam_sss.c:599 msgid "Password: " msgstr "Mot de passe : " #: pam_sss.c:631 msgid "New Password: " msgstr "Nouveau mot de passe : " #: pam_sss.c:632 msgid "Reenter new Password: " msgstr "Retaper le nouveau mot de passe : " #: pam_sss.c:836 msgid "Password has expired." msgstr "Le mot de passe a expiré." ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
[SSSD] [Transifex] File submitted via email to SSSD | master
Hello sssd, this is Transifex at http://www.transifex.net. The following attached files were submitted to SSSD | master by Bouska Please, visit Transifex at http://www.transifex.net/projects/p/sssd/c/master/ in order to see the component page. Thank you, Transifex # French translation of SSS Client # Copyright (C) 2009 Red Hat, Inc. # This file is distributed under the same license as the SSSD package. # Pablo Martin-Gomez , 2009. # msgid "" msgstr "" "Project-Id-Version: fr\n" "Report-Msgid-Bugs-To: sssd-de...@lists.fedorahosted.org\n" "POT-Creation-Date: 2009-10-23 14:32-0400\n" "PO-Revision-Date: 2009-11-17 21:05+0100\n" "Last-Translator: Pablo Martin-Gomez \n" "Language-Team: Français \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #: pam_sss.c:323 msgid "Passwords do not match" msgstr "Les mots de passe ne correspondent pas" #: pam_sss.c:599 msgid "Password: " msgstr "Mot de passe : " #: pam_sss.c:631 msgid "New Password: " msgstr "Nouveau mot de passe : " #: pam_sss.c:632 msgid "Reenter new Password: " msgstr "Retaper le nouveau mot de passe : " #: pam_sss.c:836 msgid "Password has expired." msgstr "Le mot de passe a expiré." ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
[SSSD] [Transifex] File submitted via email to SSSD | master
Hello sssd, this is Transifex at http://www.transifex.net. The following attached files were submitted to SSSD | master by Bouska Please, visit Transifex at http://www.transifex.net/projects/p/sssd/c/master/ in order to see the component page. Thank you, Transifex # French translation of SSS Client # Copyright (C) 2009 Red Hat, Inc. # This file is distributed under the same license as the SSSD package. # Pablo Martin-Gomez , 2009. # msgid "" msgstr "" "Project-Id-Version: fr\n" "Report-Msgid-Bugs-To: sssd-de...@lists.fedorahosted.org\n" "POT-Creation-Date: 2009-10-23 14:32-0400\n" "PO-Revision-Date: 2009-11-17 21:05+0100\n" "Last-Translator: Pablo Martin-Gomez \n" "Language-Team: Français \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #: pam_sss.c:323 msgid "Passwords do not match" msgstr "Les mots de passe ne correspondent pas" #: pam_sss.c:599 msgid "Password: " msgstr "Mot de passe : " #: pam_sss.c:631 msgid "New Password: " msgstr "Nouveau mot de passe : " #: pam_sss.c:632 msgid "Reenter new Password: " msgstr "Retaper le nouveau mot de passe : " #: pam_sss.c:836 msgid "Password has expired." msgstr "Le mot de passe a expiré." ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
[SSSD] [PATCH] fix uninitialized timeout vriable leading to segfault
subj says it all. Simo. -- Simo Sorce * Red Hat, Inc * New York >From 0fd049f4b62e92d275561e073b7f32ba6e5d43fe Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 17 Nov 2009 14:55:41 -0500 Subject: [PATCH] Fix crash due to uninitialized timeout variable This slipped through in previous patches. Fixes #283 --- server/db/sysdb_ops.c |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c index 7e232a4..4a44f28 100644 --- a/server/db/sysdb_ops.c +++ b/server/db/sysdb_ops.c @@ -2181,6 +2181,7 @@ struct tevent_req *sysdb_add_group_send(TALLOC_CTX *mem_ctx, state->name = name; state->gid = gid; state->attrs = attrs; +state->cache_timeout = cache_timeout; if (domain->id_max != 0 && gid != 0 && (gid < domain->id_min || gid > domain->id_max)) { -- 1.6.2.5 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
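Review bot: Nothing in this hunk shows how `state` is allocated, so other fields that should be set from a caller-supplied argument could be missed the same way `cache_timeout` was. If the allocation does not zero the structure, it is worth checking any sibling send functions that accept a `cache_timeout` argument for the same omission. A test that stores a group with a non-default timeout would also catch it. `sysdb_add_group_send` starts and ends outside this hunk.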
Re: [SSSD] [PATCHES] Handle case-sensitivity issues
On Tue, 2009-11-17 at 14:02 -0500, Stephen Gallagher wrote: > On 11/17/2009 11:15 AM, Simo Sorce wrote: > > On Tue, 2009-11-17 at 09:58 -0500, Stephen Gallagher wrote: > >> + > >> +*ver = "0.4"; > >> +return ret; > >> +} > > > > Shouldn't you use SYSDB_VERSION_0_4 here ? :-) > > > > Simo. > > > > Absolutely correct! I've also fixed the same in another place. Ack, 0001 and 0002 Simo. -- Simo Sorce * Red Hat, Inc * New York ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCHES] Handle case-sensitivity issues
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/17/2009 11:22 AM, Simo Sorce wrote: >> +} Simo and I discussed this offline. I didn't realize all that UTF-8 support entails regarding lowercasing. We've agreed to defer this functionality to a future release. The case-sensitivity (patches 0001 and 0002) are still undergoing review and are eligible for inclusion in 1.0. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAksC9VIACgkQeiVVYja6o6NR1gCfTPtJgp4294XkFJAyifnZirJY 0+oAnRu9+ok1k9e1EcShBI6MN8AkhA2v =TSXB -END PGP SIGNATURE- ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCHES] Handle case-sensitivity issues
On 11/17/2009 11:15 AM, Simo Sorce wrote: > On Tue, 2009-11-17 at 09:58 -0500, Stephen Gallagher wrote: >> + >> +*ver = "0.4"; >> +return ret; >> +} > > Shouldn't you use SYSDB_VERSION_0_4 here ? :-) > > Simo. > Absolutely correct! I've also fixed the same in another place. -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ From 601c39cdea7c3a3fef66b50e2e07f3c211e25b52 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Fri, 13 Nov 2009 10:50:27 -0500 Subject: [PATCH 1/5] Make the sysdb user and group names case-sensitive --- server/db/sysdb_private.h |1 - server/tests/sysdb-tests.c | 39 +++ 2 files changed, 39 insertions(+), 1 deletions(-) diff --git a/server/db/sysdb_private.h b/server/db/sysdb_private.h index 1f603eb..ea4b246 100644 --- a/server/db/sysdb_private.h +++ b/server/db/sysdb_private.h @@ -34,7 +34,6 @@ "cn: CASE_INSENSITIVE\n" \ "dc: CASE_INSENSITIVE\n" \ "dn: CASE_INSENSITIVE\n" \ - "name: CASE_INSENSITIVE\n" \ "objectclass: CASE_INSENSITIVE\n" \ "\n" \ "dn: @INDEXLIST\n" \ diff --git a/server/tests/sysdb-tests.c b/server/tests/sysdb-tests.c index fffcb72..f1d3ae4 100644 --- a/server/tests/sysdb-tests.c +++ b/server/tests/sysdb-tests.c @@ -1398,6 +1398,7 @@ START_TEST (test_sysdb_getpwnam) { struct sysdb_test_ctx *test_ctx; struct test_data *data; +struct test_data *data_uc; int ret; /* Setup */ 
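Review bot: The tests added with this change check only that an upper-case lookup returns ENOENT; none checks that two entries whose names differ only in case can be stored side by side once `name: CASE_INSENSITIVE` is removed. `dn` remains `CASE_INSENSITIVE` in the same LDIF block, so if entry DNs are built from the name, it is not evident from the hunk whether the second add succeeds or collides at the DN level. That behaviour is worth pinning with a test. A one-line comment above the macro saying that `name` is deliberately absent would also stop it being re-added. The macro this hunk edits starts and ends outside the hunk.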
@@ -1428,6 +1429,25 @@ START_TEST (test_sysdb_getpwnam) } fail_unless(data->uid == _i, "Did not find the expected UID"); + +/* Search for the user with the wrong case */ +data_uc = talloc_zero(test_ctx, struct test_data); +data_uc->ctx = test_ctx; +data_uc->username = talloc_asprintf(data_uc, "TESTUSER%d", _i); + +ret = sysdb_getpwnam(test_ctx, + test_ctx->sysdb, + data_uc->ctx->domain, + data_uc->username, + test_getpwent, + data_uc); +if (ret == EOK) { +ret = test_loop(data_uc); +} + +fail_unless(ret == ENOENT, +"The upper-case username search should fail. "); + done: talloc_free(test_ctx); } @@ -1437,6 +1457,7 @@ START_TEST (test_sysdb_getgrnam) { struct sysdb_test_ctx *test_ctx; struct test_data *data; +struct test_data *data_uc; int ret; /* Setup */ @@ -1468,6 +1489,24 @@ START_TEST (test_sysdb_getgrnam) fail_unless(data->gid == _i, "Did not find the expected GID (found %d expected %d)", data->gid, _i); + +/* Search for the group with the wrong case */ +data_uc = talloc_zero(test_ctx, struct test_data); +data_uc->ctx = test_ctx; +data_uc->groupname = talloc_asprintf(data_uc, "TESTGROUP%d", _i); + +ret = sysdb_getgrnam(test_ctx, + test_ctx->sysdb, + data_uc->ctx->domain, + data_uc->groupname, + test_getgrent, + data_uc); +if (ret == EOK) { +ret = test_loop(data_uc); +} + +fail_unless(ret == ENOENT, +"The upper-case groupname search should fail. "); done: talloc_free(test_ctx); } -- 1.6.2.5 From 976e141750d047d8b71635bc439e6b841b51 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 17 Nov 2009 09:47:04 -0500 Subject: [PATCH 2/5] Upgrade cache and local databases to case-sensitive names --- server/db/sysdb.c | 94 - server/db/sysdb_private.h |4 +- 2 files changed, 96 insertions(+), 2 deletions(-) diff --git a/server/db/sysdb.c b/server/db/sysdb.c index e4131f1..db68794 100644 --- a/server/db/sysdb.c +++ b/server/db/sysdb.c @@ -777,7 +777,7 @@ done: return EIO; } -*ver = "0.2"; +*ver = SYSDB_VERSION_0_2; return ret; } 
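Review bot: In the new negative test for `test_sysdb_getpwnam`, `data_uc` is dereferenced immediately after `talloc_zero()` and the result of `talloc_asprintf()` is passed on unchecked, so an allocation failure crashes the test instead of failing it. The `test_sysdb_getgrnam` hunk has the same pattern with `groupname`. Add `fail_unless(data_uc != NULL, "talloc_zero failed");` after the allocation and the equivalent check on `data_uc->username`. Both test bodies begin outside their hunks.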
@@ -1065,6 +1065,93 @@ done: return ret; } +static int sysdb_upgrade_03(struct sysdb_ctx *ctx, const char **ver) +{ +TALLOC_CTX *tmp_ctx; +int ret; +struct ldb_message *msg; + +tmp_ctx = talloc_new(ctx); +if (!tmp_ctx) { +return ENOMEM; +} + +ret = ldb_transaction_start(ctx->ldb); +if (ret != LDB_SUCCESS) { +ret = EIO; +goto done; +} + +/* Make this database case-sensitive */ +msg = ldb_msg_new(tmp_ctx); +if (!msg) { +ret = ENOMEM; +goto done; +} +msg->dn = ldb_dn_new(tmp_ctx, ctx->ldb, "@ATTRIBUTES"); +if (!msg->dn) { +ret = ENOMEM; +goto done; +} + +ret = ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_DELETE, NULL); +if (ret != LDB_SUCCESS) { +ret = ENOMEM; +goto done; +} + +ret = ldb_modify(ctx->ldb, msg); +if (ret != LDB_SUCC
Re: [SSSD] [PATCHES] Handle case-sensitivity issues
On Tue, 2009-11-17 at 09:58 -0500, Stephen Gallagher wrote: > + > +const char *make_lowercase(TALLOC_CTX *mem_ctx, const char *str) > +{ > +int len, i; > +char *retval; > + > +len = strlen(str); > +retval = talloc_array(mem_ctx, char, len+1); > +if (!retval) { > +return NULL; > +} > + > +i = 0; > +while (i < len) { > +retval[i] = tolower(str[i]); > +i++; > +} > +retval[len] = '\0'; > + > +return (const char *)retval; > +} This one needs to be utf8 safe. Can't ACK. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
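Review bot: `tolower(str[i])` in the copy loop passes a plain `char`; where `char` is signed, any byte above 0x7F is negative and the call is undefined behaviour, so the line should read `retval[i] = tolower((unsigned char)str[i]);`. `len` is an `int` receiving the `size_t` result of `strlen()`, and declaring `size_t len, i;` avoids the narrowing before `len+1` is used as the allocation count. The function also dereferences `str` without a NULL check, which is worth documenting as a precondition. The whole function is quoted in this hunk.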
Re: [SSSD] [PATCHES] Handle case-sensitivity issues
On Tue, 2009-11-17 at 09:58 -0500, Stephen Gallagher wrote: > + > +*ver = "0.4"; > +return ret; > +} Shouldn't you use SYSDB_VERSION_0_4 here ? :-) Simo. -- Simo Sorce * Red Hat, Inc * New York ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCHES] Use ipachangeconf in the upgrade script
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/17/2009 12:16 PM, Jakub Hrozek wrote: > On 11/17/2009 01:06 AM, Jakub Hrozek wrote: >> [PATCH 1/2] Add Simo's ipachangeconf >> This patch adds the ipachangeconf class from FreeIPA and packages it in >> makefile and with python setuptools > >> [PATCH 2/2] Change the upgrade script to use ipachangeconf >> With this patch, the upgrade script we use for changing the config files >> is able to keep ordering and comments. > >> Fixes: #249 > > Self-NACK to patch 2 & new patches attached. As discussed on IRC, I'm resending the same two patches, just formatted with git format-patch -M to detect renamed upgrade script -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAksCvj0ACgkQHsardTLnvCXzigCghisbBaqeUL9UAI/7nKuwl5Q9 eysAni2bnD5vpvTqRZJllVktcBxN5sVq =O0WU -END PGP SIGNATURE- >From dffe621d043cbbeb2e1d5794da720207cf503a25 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 11 Nov 2009 13:07:45 +0100 Subject: [PATCH 1/2] Add Simo's ipachangeconf --- server/Makefile.am |1 + server/config/ipachangeconf.py | 459 server/config/setup.py |1 + 3 files changed, 461 insertions(+), 0 deletions(-) create mode 100644 server/config/ipachangeconf.py diff --git a/server/Makefile.am b/server/Makefile.am index 08c0295..33c4bf1 100644 --- a/server/Makefile.am +++ b/server/Makefile.am @@ -111,6 +111,7 @@ endif dist_noinst_SCRIPTS = \ config/setup.py \ +config/ipachangeconf.py \ config/SSSDConfig.py ### diff --git a/server/config/ipachangeconf.py b/server/config/ipachangeconf.py new file mode 100644 index 000..e083055 --- /dev/null +++ b/server/config/ipachangeconf.py 
@@ -0,0 +1,459 @@ +# +# ipachangeconf - configuration file manipulation classes and functions +# partially based on authconfig code +# Copyright (c) 1999-2007 Red Hat, Inc. +# Author: Simo Sorce +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# + +import fcntl +import os +import string +import time +import shutil + +def openLocked(filename, perms): +fd = -1 +try: +fd = os.open(filename, os.O_RDWR | os.O_CREAT, perms) +fcntl.lockf(fd, fcntl.LOCK_EX) +except OSError, (errno, strerr): +if fd != -1: +try: +os.close(fd) +except OSError: +pass +raise IOError(errno, strerr) +return os.fdopen(fd, "r+") + + +#TODO: add subsection as a concept +# (ex. 
REALM.NAME = { foo = x bar = y } ) +#TODO: put section delimiters as separating element of the list +# so that we can process multiple sections in one go +#TODO: add a comment all but provided options as a section option +class IPAChangeConf: + +def __init__(self, name): +self.progname = name +self.indent = ("","","") +self.assign = (" = ","=") +self.dassign = self.assign[0] +self.comment = ("#",) +self.dcomment = self.comment[0] +self.eol = ("\n",) +self.deol = self.eol[0] +self.sectnamdel = ("[","]") +self.subsectdel = ("{","}") +self.backup_suffix = ".ipabkp" + +def setProgName(self, name): +self.progname = name + +def setIndent(self, indent): +if type(indent) is tuple: +self.indent = indent +elif type(indent) is str: +self.indent = (indent, ) +else: + raise ValueError, 'Indent must be a list of strings' + +def setOptionAssignment(self, assign): +if type(assign) is tuple: +self.assign = assign +else: +self.assign = (assign, ) +self.dassign = self.assign[0] + +def setCommentPrefix(self, comment): +if type(comment) is tuple: +self.comment = comment +else: +self.comment = (comment, ) +self.dcomment = self.comment[0] + +def setEndLine(self, eol): +if type(eol) is tuple: +self.eol = eol +else: +self.eol = (eol, ) +self.deol = self.eol[0] + +def setSectionNameDelimiters(self, delims): +self.sectnamdel = delims + +def setSubSectionDelimiters(self, delims): +self.subsectdel = delims + +def matchComment(self
Re: [SSSD] [PATCHES] Handle case-sensitivity issues
New patches attached. 0001: Make the sysdb case-sensitive 0002: Upgrade existing databases for case-sensitivity. 0003: Add force_lowercase_names option 0004: Add tests for force_lowercase_names On 11/16/2009 03:41 PM, Simo Sorce wrote: > On Mon, 2009-11-16 at 11:42 -0500, Stephen Gallagher wrote: >> Patch 0001: Make the sysdb user and group names case-sensitive >> POSIX requires that usernames be case-sensitive. This will make the >> sysdb and cache compliant. > > Nack, I don't see code to upgrade an existing database. > >> Patch 0002: Add force_lowercase_names option for domains >> >> Since POSIX usernames must be case-sensitive, but remote servers do >> not, >> it is possible for entries on the server to have different >> capitalization in different uses. For those systems where this is the >> case, SSSD will now offer an option to force all user and group names >> to >> lowercase, which should eliminate inconsistencies. >> >> p.s. Don't be frightened by the size of Patch 0002. Most of the patch >> consists of new tests for this functionality. > > Can you please split the tests patch into a separate third one so that I > can review them more easily ? > > Simo. > > -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ From 601c39cdea7c3a3fef66b50e2e07f3c211e25b52 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Fri, 13 Nov 2009 10:50:27 -0500 Subject: [PATCH 1/5] Make the sysdb user and group names case-sensitive --- server/db/sysdb_private.h |1 - server/tests/sysdb-tests.c | 39 +++ 2 files changed, 39 insertions(+), 1 deletions(-) diff --git a/server/db/sysdb_private.h b/server/db/sysdb_private.h index 1f603eb..ea4b246 100644 --- a/server/db/sysdb_private.h +++ b/server/db/sysdb_private.h 
@@ -34,7 +34,6 @@ "cn: CASE_INSENSITIVE\n" \ "dc: CASE_INSENSITIVE\n" \ "dn: CASE_INSENSITIVE\n" \ - "name: CASE_INSENSITIVE\n" \ "objectclass: CASE_INSENSITIVE\n" \ "\n" \ "dn: @INDEXLIST\n" \ diff --git a/server/tests/sysdb-tests.c b/server/tests/sysdb-tests.c index fffcb72..f1d3ae4 100644 --- a/server/tests/sysdb-tests.c +++ b/server/tests/sysdb-tests.c @@ -1398,6 +1398,7 @@ START_TEST (test_sysdb_getpwnam) { struct sysdb_test_ctx *test_ctx; struct test_data *data; +struct test_data *data_uc; int ret; /* Setup */ @@ -1428,6 +1429,25 @@ START_TEST (test_sysdb_getpwnam) } fail_unless(data->uid == _i, "Did not find the expected UID"); + +/* Search for the user with the wrong case */ +data_uc = talloc_zero(test_ctx, struct test_data); +data_uc->ctx = test_ctx; +data_uc->username = talloc_asprintf(data_uc, "TESTUSER%d", _i); + +ret = sysdb_getpwnam(test_ctx, + test_ctx->sysdb, + data_uc->ctx->domain, + data_uc->username, + test_getpwent, + data_uc); +if (ret == EOK) { +ret = test_loop(data_uc); +} + +fail_unless(ret == ENOENT, +"The upper-case username search should fail. "); + done: talloc_free(test_ctx); } @@ -1437,6 +1457,7 @@ START_TEST (test_sysdb_getgrnam) { struct sysdb_test_ctx *test_ctx; struct test_data *data; +struct test_data *data_uc; int ret; /* Setup */ @@ -1468,6 +1489,24 @@ START_TEST (test_sysdb_getgrnam) fail_unless(data->gid == _i, "Did not find the expected GID (found %d expected %d)", data->gid, _i); + +/* Search for the group with the wrong case */ +data_uc = talloc_zero(test_ctx, struct test_data); +data_uc->ctx = test_ctx; +data_uc->groupname = talloc_asprintf(data_uc, "TESTGROUP%d", _i); + +ret = sysdb_getgrnam(test_ctx, + test_ctx->sysdb, + data_uc->ctx->domain, + data_uc->groupname, + test_getgrent, + data_uc); +if (ret == EOK) { +ret = test_loop(data_uc); +} + +fail_unless(ret == ENOENT, +"The upper-case groupname search should fail. "); done: talloc_free(test_ctx); } -- 1.6.2.5 
From 5888c1b93ca54d82e7eeebcd813f6ddb1dc26256 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 17 Nov 2009 09:47:04 -0500 Subject: [PATCH 2/5] Upgrade cache and local databases to case-sensitive names --- server/db/sysdb.c | 92 + server/db/sysdb_private.h |4 +- 2 files changed, 95 insertions(+), 1 deletions(-) diff --git a/server/db/sysdb.c b/server/db/sysdb.c index e4131f1..4baa989 100644 --- a/server/db/sysdb.c +++ b/server/db/sysdb.c @@ -1065,6 +1065,93 @@ done: return ret; } +static int sysdb_upgrade_03(struct sysdb_ctx *ctx, const char **v
Re: [SSSD] [PATCH] Make the password field configurable in NSS
On Mon, 2009-11-16 at 20:21 -0500, Brian J. Murrell wrote: > On Tue, 2009-11-17 at 01:01 +0100, Jakub Hrozek wrote: > > Per the discussion on sssd-devel list, nss_sss should not return a > > hardcoded value but this should rather be configurable to allow whatever > > the OS or distribution thinks is the best for the particular case. > > I disagree with the nature of this fix. The decision as to what to > return in the password field of the passwd map is not really a > per-distribution issue. Even within the same distribution, different > configurations should have different results and altering the > configuration will change the results. > > With regard to the "x" as the password field, the rules/conditions are > quite clear. If there is shadow information available for the account, > the password field should be set to an "x". > > So in the case of an /etc/passwd and /etc/shadow, the password field > in /etc/passwd should be "x" and sssd should return that if it were > proxying for /etc/passwd (which I'm not even sure if it does). > > In the case of LDAP, if the entry for the user had shadow information > available (i.e. it has the shadowAccount object class in the entry) then > the password field should be returned as "x" and if it does NOT have > that object class, then the password field should return something else. > Probably, if the ldap entry has an otherwise viable password entry, it > should be returned, but if it does not, returning "*" seems to be > acceptable given that if the LDAP entry does not have a password, then > something else (i.e. kerberos) will be getting used. > > So as you can see what to return is much more local configuration > dependent than distro-policy. > > One could argue that the sysadmin should set the value to be returned to > something reasonable for his configuration, but what about a mixed mode > even, where some users are authenticated out of LDAP and some out of > kerberos? 
Then even a single configuration item is not possible. We don't support shadow maps so we never return shadow information currently. So I don't see the need for this to be conditional at this stage. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCHES] Use ipachangeconf in the upgrade script
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/17/2009 01:06 AM, Jakub Hrozek wrote: > [PATCH 1/2] Add Simo's ipachangeconf > This patch adds the ipachangeconf class from FreeIPA and packages it in > makefile and with python setuptools > > [PATCH 2/2] Change the upgrade script to use ipachangeconf > With this patch, the upgrade script we use for changing the config files > is able to keep ordering and comments. > > Fixes: #249 Self-NACK to patch 2 & new patches attached. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAksChhIACgkQHsardTLnvCWXtwCg6vmZLhEOKz50SSUCaD7B3aNK d8IAn3iQRB/S77xEV+CFaYlGbc8EvY92 =fKya -END PGP SIGNATURE- >From dffe621d043cbbeb2e1d5794da720207cf503a25 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 11 Nov 2009 13:07:45 +0100 Subject: [PATCH 1/2] Add Simo's ipachangeconf --- server/Makefile.am |1 + server/config/ipachangeconf.py | 459 server/config/setup.py |1 + 3 files changed, 461 insertions(+), 0 deletions(-) create mode 100644 server/config/ipachangeconf.py diff --git a/server/Makefile.am b/server/Makefile.am index 08c0295..33c4bf1 100644 --- a/server/Makefile.am +++ b/server/Makefile.am @@ -111,6 +111,7 @@ endif dist_noinst_SCRIPTS = \ config/setup.py \ +config/ipachangeconf.py \ config/SSSDConfig.py ### diff --git a/server/config/ipachangeconf.py b/server/config/ipachangeconf.py new file mode 100644 index 000..e083055 --- /dev/null +++ b/server/config/ipachangeconf.py 
@@ -0,0 +1,459 @@ +# +# ipachangeconf - configuration file manipulation classes and functions +# partially based on authconfig code +# Copyright (c) 1999-2007 Red Hat, Inc. +# Author: Simo Sorce +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# + +import fcntl +import os +import string +import time +import shutil + +def openLocked(filename, perms): +fd = -1 +try: +fd = os.open(filename, os.O_RDWR | os.O_CREAT, perms) +fcntl.lockf(fd, fcntl.LOCK_EX) +except OSError, (errno, strerr): +if fd != -1: +try: +os.close(fd) +except OSError: +pass +raise IOError(errno, strerr) +return os.fdopen(fd, "r+") + + +#TODO: add subsection as a concept +# (ex. 
REALM.NAME = { foo = x bar = y } ) +#TODO: put section delimiters as separating element of the list +# so that we can process multiple sections in one go +#TODO: add a comment all but provided options as a section option +class IPAChangeConf: + +def __init__(self, name): +self.progname = name +self.indent = ("","","") +self.assign = (" = ","=") +self.dassign = self.assign[0] +self.comment = ("#",) +self.dcomment = self.comment[0] +self.eol = ("\n",) +self.deol = self.eol[0] +self.sectnamdel = ("[","]") +self.subsectdel = ("{","}") +self.backup_suffix = ".ipabkp" + +def setProgName(self, name): +self.progname = name + +def setIndent(self, indent): +if type(indent) is tuple: +self.indent = indent +elif type(indent) is str: +self.indent = (indent, ) +else: + raise ValueError, 'Indent must be a list of strings' + +def setOptionAssignment(self, assign): +if type(assign) is tuple: +self.assign = assign +else: +self.assign = (assign, ) +self.dassign = self.assign[0] + +def setCommentPrefix(self, comment): +if type(comment) is tuple: +self.comment = comment +else: +self.comment = (comment, ) +self.dcomment = self.comment[0] + +def setEndLine(self, eol): +if type(eol) is tuple: +self.eol = eol +else: +self.eol = (eol, ) +self.deol = self.eol[0] + +def setSectionNameDelimiters(self, delims): +self.sectnamdel = delims + +def setSubSectionDelimiters(self, delims): +self.subsectdel = delims + +def matchComment(self, line): +for v in self.comment: +if line.lstrip().startswith(v): +return line.lstrip()[len(v):] +return False + +def matchEmpty(self, line)