[SSSD] [sssd PR#43][comment] RESPONDER: Enable sudoRule in case insen. domains (1.15)
URL: https://github.com/SSSD/sssd/pull/43
Title: #43: RESPONDER: Enable sudoRule in case insen. domains (1.15)

celestian commented:
"""
So, new version is pushed. It uses only ```sudoUser``` attribute.
"""

See the full comment at https://github.com/SSSD/sssd/pull/43#issuecomment-258353222
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#43][-Changes requested] RESPONDER: Enable sudoRule in case insen. domains (1.15)
URL: https://github.com/SSSD/sssd/pull/43
Title: #43: RESPONDER: Enable sudoRule in case insen. domains (1.15)
Label: -Changes requested
[SSSD] [sssd PR#43][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.15)
URL: https://github.com/SSSD/sssd/pull/43
Author: celestian
Title: #43: RESPONDER: Enable sudoRule in case insen. domains (1.15)
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/43/head:pr43
git checkout pr43

From 60acf1ed5403a88bd55c6f894159b01c324cde26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?=
Date: Wed, 12 Oct 2016 16:48:38 +0200
Subject: [PATCH 1/2] SYSDB: Adding lowercase sudoUser form

If domain is not case sensitive we add lowercase form of usernames to
sudoUser attributes. So we are actually able to apply sudoRule on user
Administrator@... with login administrator@...

Resolves:
https://fedorahosted.org/sssd/ticket/3203
---
 src/db/sysdb_sudo.c | 64 +
 1 file changed, 64 insertions(+)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 601fb63..4bd93ff 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -852,6 +852,65 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, return EOK; } +static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, +struct sysdb_attrs *rule) +{ +TALLOC_CTX *tmp_ctx; +const char **users = NULL; +const char *lowered = NULL; +errno_t ret; + +if (domain->case_sensitive == true || rule == NULL) { +return EOK; +} + +tmp_ctx = talloc_new(NULL); +if (tmp_ctx == NULL) { +return ENOMEM; +} + +ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx, + &users); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", + SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} + +if (users == NULL) { +ret = EOK; +goto done; +} + +for (int i = 0; users[i] != NULL; i++) { +lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]); +if (lowered == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n"); +ret = ENOMEM; +goto done; +} + +if (strcmp(users[i], lowered) == 0) { +/* It protects us from adding duplicate. */ +continue; +} + +ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, + "Unable to add %s attribute [%d]: %s\n", + SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +} + +ret = EOK; + +done: +talloc_zfree(tmp_ctx); +return ret; +} + static errno_t sysdb_sudo_store_rule(struct sss_domain_info *domain, struct sysdb_attrs *rule, @@ -868,6 +927,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain, DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name); +ret = sysdb_sudo_add_lowered_users(domain, rule); +if (ret != EOK) { +return ret; +} + ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now); if (ret != EOK) { return ret; From 8c2933059d62a60d69b50409cde4e1e3b5e3c8b3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20=C4=8Cech?=
Date: Thu, 13 Oct 2016 09:31:52 +0200
Subject: [PATCH 2/2] TESTS: Extending sysdb sudo store tests

We covered difference between case sensitive and case insensitive
domains. If domain is case insensitive we add lowercase form of
sudoUser to local sysdb cache.

Resolves:
https://fedorahosted.org/sssd/ticket/3203
---
 src/tests/cmocka/test_sysdb_sudo.c | 168 -
 1 file changed, 167 insertions(+), 1 deletion(-)

diff --git a/src/tests/cmocka/test_sysdb_sudo.c b/src/tests/cmocka/test_sysdb_sudo.c
index 889de72..f21ff36 100644
--- a/src/tests/cmocka/test_sysdb_sudo.c
+++ b/src/tests/cmocka/test_sysdb_sudo.c
@@ -44,7 +44,7 @@ struct test_user { const char *name; uid_t uid; gid_t gid; -} users[] = { { "test_user1", 1001, 1001 }, +} users[] = { { "test_USER1", 1001, 1001 }, { "test_user2", 1002, 1002 }, { "test_user3", 1003, 1003 } }; @@ -104,6 +104,29 @@ static void create_rule_attrs(struct sysdb_attrs *rule, int i) assert_int_equal(ret, EOK); } +static void create_rule_attrs_multiple_sudoUser(struct sysdb_attrs *rule) +{ +errno_t ret; + +ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_CN, + rules[0].name); +assert_int_equal(ret, EOK); + +ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_HOST, + rules[0].host); +assert_int_equal(ret, EOK); + +ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_RUNASUSER, + rules[0].as_user); +assert_int_equal(ret, EOK); + +for (int i = 0; i < 3; i++ ) { +
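Review bot: The duplicate guard in the loop of sysdb_sudo_add_lowered_users() (patch 1/2, src/db/sysdb_sudo.c, hunk @@ -852,6 +852,65 @@) only compares each value with its own lowercase form, so a rule that already lists both Administrator and administrator, or two values that differ only in case, gets the same lowercase string appended again. Add the value with sysdb_attrs_add_string_safe(), which the test helper in patch 2/2 already uses, or check lowered against the whole users array before calling sysdb_attrs_add_string(). Separately, any non-EOK result from sysdb_attrs_get_string_array() aborts the store while the users == NULL branch treats "no values" as fine; please confirm a rule without the attribute reaches the second branch and not the first, and log users[i] in the "Cannot convert name to lowercase" message so the offending value can be found.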
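Review bot: Renaming the shared fixture entry users[0] from test_user1 to test_USER1 (patch 2/2, src/tests/cmocka/test_sysdb_sudo.c, hunk @@ -44,7 +44,7 @@) changes the input of every existing test that reads users[0], not only the new case-insensitive ones. A separate mixed-case entry, or a dedicated array for the new tests, would keep the older tests' inputs stable and make it clear which assertions depend on case folding.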
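Review bot: The loop in create_rule_attrs_multiple_sudoUser() (patch 2/2, hunk @@ -104,6 +104,29 @@) is bounded by the literal 3, which presumably mirrors the three entries in users[] and has to be kept in step with that initializer by hand. Derive the bound from the array size instead, and drop the stray space in "i++ )". The hunk is cut off after the loop header in this message, so the loop body could not be reviewed.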
[SSSD] [sssd PR#43][comment] RESPONDER: Enable sudoRule in case insen. domains (1.15)
URL: https://github.com/SSSD/sssd/pull/43
Title: #43: RESPONDER: Enable sudoRule in case insen. domains (1.15)

jhrozek commented:
"""
Oops sorry I accidentally replied to list instead of commenting in the PR. Let me paste my comment again here:

Because in responders, we should be searching ideally only indexed attributes and the indexing would prevent downgrades because the cache version number would have to be increased, we decided to just put all the case variants into the sudoUser attribute.

I'm sorry we're overriding what you asked for when you are away for a week, but we need to fix this issue soon in downstream. If you would prefer to keep the original values as well in the cache for some reason, I would suggest to add an additional patch later with the originalSudoUser value.
"""

See the full comment at https://github.com/SSSD/sssd/pull/43#issuecomment-258155481
[SSSD] [sssd PR#39][+Changes requested] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39
Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)
Label: +Changes requested
[SSSD] [sssd PR#43][+Changes requested] RESPONDER: Enable sudoRule in case insen. domains (1.15)
URL: https://github.com/SSSD/sssd/pull/43
Title: #43: RESPONDER: Enable sudoRule in case insen. domains (1.15)
Label: +Changes requested
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39
Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)

jhrozek commented:
"""
Setting changes requested to rework the patch to only include the sudoUser and not sudoUserAlias
"""

See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-258154386
[SSSD] [sssd PR#43][comment] RESPONDER: Enable sudoRule in case insen. domains (1.15)
URL: https://github.com/SSSD/sssd/pull/43
Title: #43: RESPONDER: Enable sudoRule in case insen. domains (1.15)

jhrozek commented:
"""
Setting changes requested to rework the patch to only include the sudoUser and not sudoUserAlias
"""

See the full comment at https://github.com/SSSD/sssd/pull/43#issuecomment-258154309
[SSSD] Re: [sssd PR#43][comment] RESPONDER: Enable sudoRule in case insen. domains (1.14)
On Tue, Oct 25, 2016 at 12:38:57PM +0200, pbrezina wrote:
> URL: https://github.com/SSSD/sssd/pull/43
> Title: #43: RESPONDER: Enable sudoRule in case insen. domains (1.14)
>
> pbrezina commented:
> """
> I see why it works now, what I originally meant was to create a whole new
> attribute, say sudoUserAlias that would contain lowercased values so we can
> also distinguish between original and custom data when debugging issues. Can
> you do it this way, please? The change should be small.
> """

Because in responders, we should be searching ideally only indexed attributes and the indexing would prevent downgrades because the cache version number would have to be increased, we decided to just put all the case variants into the sudoUser attribute.

I'm sorry we're overriding what you asked for when you are away for a week, but we need to fix this issue soon in downstream. If you would prefer to keep the original values as well in the cache for some reason, I would suggest to add an additional patch later with the originalSudoUser value.
[SSSD] [sssd PR#60][+Pushed] Document ad_access_filter search for nested groups
URL: https://github.com/SSSD/sssd/pull/60
Title: #60: Document ad_access_filter search for nested groups
Label: +Pushed
[SSSD] [sssd PR#49][closed] Try to match multiple results from an AD initgroups request against domain's search bases, too
URL: https://github.com/SSSD/sssd/pull/49
Author: jhrozek
Title: #49: Try to match multiple results from an AD initgroups request against domain's search bases, too
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/49/head:pr49
git checkout pr49
[SSSD] [sssd PR#49][-Accepted] Try to match multiple results from an AD initgroups request against domain's search bases, too
URL: https://github.com/SSSD/sssd/pull/49
Title: #49: Try to match multiple results from an AD initgroups request against domain's search bases, too
Label: -Accepted
[SSSD] [sssd PR#60][comment] Document ad_access_filter search for nested groups
URL: https://github.com/SSSD/sssd/pull/60
Title: #60: Document ad_access_filter search for nested groups

jhrozek commented:
"""
master: cf5357ae83cc9fe2240038b8bdccec2cb98991fc
sssd-1-14: e1c2aead482cd4bf83a7fe5e68630a981389e82b

If any of the maintainers think we should apply the patch to sssd-1-13 as well, please just cherry-pick the patch.
"""

See the full comment at https://github.com/SSSD/sssd/pull/60#issuecomment-258108034
[SSSD] [sssd PR#60][closed] Document ad_access_filter search for nested groups
URL: https://github.com/SSSD/sssd/pull/60
Author: taupehat
Title: #60: Document ad_access_filter search for nested groups
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/60/head:pr60
git checkout pr60
[SSSD] [sssd PR#60][-Accepted] Document ad_access_filter search for nested groups
URL: https://github.com/SSSD/sssd/pull/60
Title: #60: Document ad_access_filter search for nested groups
Label: -Accepted
[SSSD] [sssd PR#49][+Pushed] Try to match multiple results from an AD initgroups request against domain's search bases, too
URL: https://github.com/SSSD/sssd/pull/49
Title: #49: Try to match multiple results from an AD initgroups request against domain's search bases, too
Label: +Pushed
[SSSD] [sssd PR#49][comment] Try to match multiple results from an AD initgroups request against domain's search bases, too
URL: https://github.com/SSSD/sssd/pull/49
Title: #49: Try to match multiple results from an AD initgroups request against domain's search bases, too

jhrozek commented:
"""
master:
    e5a984093ad7921c83da75272cede2b0e52ba2d6
    24d8c85fae253f988165c112af208198cf48eef6
sssd-1-14:
    956fdd727f8d7a28f1456146b3b7dfee49f38626
    3f3dc8c737a8e8cfc4a29d7dbaf526ec3973c7a0
"""

See the full comment at https://github.com/SSSD/sssd/pull/49#issuecomment-258106862
[SSSD] [sssd PR#60][comment] Document ad_access_filter search for nested groups
URL: https://github.com/SSSD/sssd/pull/60
Title: #60: Document ad_access_filter search for nested groups

sumit-bose commented:
"""
Thank you for the patch, ACK
"""

See the full comment at https://github.com/SSSD/sssd/pull/60#issuecomment-258102535
[SSSD] [sssd PR#60][+Accepted] Document ad_access_filter search for nested groups
URL: https://github.com/SSSD/sssd/pull/60
Title: #60: Document ad_access_filter search for nested groups
Label: +Accepted