[SSSD] [sssd PR#860][opened] Prepare for multiple enumeration providers
URL: https://github.com/SSSD/sssd/pull/860
Author: scabrero
Title: #860: Prepare for multiple enumeration providers
Action: opened
PR body: """ This prepares the road for future enumeration-capable providers. """
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/860/head:pr860
git checkout pr860
From dff1a4498ee69348113c0505edfc2bb8cd75d1d9 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero
Date: Fri, 12 Jul 2019 15:03:18 +0200
Subject: [PATCH 1/8] SYSDB: Convert cached domain 'enumerated' attribute from bool to uint
Currently only the 'id' provider sets up enumeration tasks and uses this attribute, but other providers (or future ones) should be able to enumerate independently from each other. The has_enumerated attribute in the domain cache entry is converted to a uint to store a bitmap indicating which provider has enumerated.
Signed-off-by: Samuel Cabrero
--- src/db/sysdb.c | 44 +--- src/db/sysdb.h | 13 src/providers/ldap/ldap_id_enum.c| 3 +- src/providers/ldap/sdap_async_enum.c | 3 +- src/providers/ldap/sdap_reinit.c | 2 +- src/tests/sysdb-tests.c | 35 -- 6 files changed, 65 insertions(+), 35 deletions(-)
diff --git a/src/db/sysdb.c b/src/db/sysdb.c index 51acb86056..1174fc4168 100644 --- a/src/db/sysdb.c +++ b/src/db/sysdb.c @@ -1041,10 +1041,10 @@ errno_t sysdb_attrs_to_list(TALLOC_CTX *mem_ctx, return EOK; } -errno_t sysdb_get_bool(struct sysdb_ctx *sysdb, +errno_t sysdb_get_uint(struct sysdb_ctx *sysdb, struct ldb_dn *dn, const char *attr_name, - bool *value) + uint32_t *value) { TALLOC_CTX *tmp_ctx; struct ldb_result *res; @@ -1089,7 +1089,7 @@ errno_t sysdb_get_bool(struct sysdb_ctx *sysdb, goto done; } -*value = ldb_msg_find_attr_as_bool(res->msgs[0], attr_name, false); +*value = ldb_msg_find_attr_as_uint(res->msgs[0], attr_name, false); ret = EOK;
@@ -1098,11 +1098,11 @@ errno_t sysdb_get_bool(struct sysdb_ctx *sysdb, return ret; } -errno_t sysdb_set_bool(struct sysdb_ctx *sysdb, +errno_t sysdb_set_uint(struct sysdb_ctx *sysdb, struct ldb_dn *dn, const char *cn_value, const char *attr_name, - bool value) + uint32_t value) { TALLOC_CTX *tmp_ctx = NULL; struct ldb_message *msg = NULL; @@ -1152,7 +1152,7 @@ errno_t sysdb_set_bool(struct sysdb_ctx *sysdb, } } -lret = ldb_msg_add_string(msg, attr_name, value ? "TRUE" : "FALSE"); +lret = ldb_msg_add_fmt(msg, attr_name, "%u", value); if (lret != LDB_SUCCESS) { ret = sysdb_error_to_errno(lret); goto done; @@ -1177,12 +1177,13 @@ errno_t sysdb_set_bool(struct sysdb_ctx *sysdb, } errno_t sysdb_has_enumerated(struct sss_domain_info *domain, + uint32_t provider, bool *has_enumerated) { errno_t ret; struct ldb_dn *dn; TALLOC_CTX *tmp_ctx; - +uint32_t enumerated; tmp_ctx = talloc_new(NULL); if (!tmp_ctx) { @@ -1196,8 +1197,14 @@ errno_t sysdb_has_enumerated(struct sss_domain_info *domain, goto done; } -ret = sysdb_get_bool(domain->sysdb, dn, SYSDB_HAS_ENUMERATED, - has_enumerated); +ret = sysdb_get_uint(domain->sysdb, dn, SYSDB_HAS_ENUMERATED, + ); + +if (ret != EOK) { +return ret; +} + +*has_enumerated = (enumerated & provider); done: talloc_free(tmp_ctx); @@ -1205,11 +1212,13 @@ errno_t sysdb_has_enumerated(struct sss_domain_info *domain, } errno_t sysdb_set_enumerated(struct sss_domain_info *domain, - bool enumerated) + uint32_t provider, + bool has_enumerated) { errno_t ret; TALLOC_CTX *tmp_ctx; struct ldb_dn *dn; +uint32_t enumerated = 0; tmp_ctx = talloc_new(NULL); if (!tmp_ctx) { 
@@ -1223,7 +1232,20 @@ errno_t sysdb_set_enumerated(struct sss_domain_info *domain, goto done; } -ret = sysdb_set_bool(domain->sysdb, dn, domain->name, +ret = sysdb_get_uint(domain->sysdb, dn, SYSDB_HAS_ENUMERATED, + ); + +if (ret != EOK && ret != ENOENT) { +return ret; +} + +if (has_enumerated) { +enumerated |= provider; +} else { +enumerated &= ~provider; +} + +ret = sysdb_set_uint(domain->sysdb, dn, domain->name, SYSDB_HAS_ENUMERATED, enumerated); done: diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 56fd770e44..a3f05fc978 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -224,6 +224,7 @@ #define SYSDB_USER_CERT_FILTER
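Review bot: the early return added to sysdb_has_enumerated() leaks tmp_ctx: `ret = sysdb_get_uint(...)` is followed by `if (ret != EOK) { return ret; }`, but tmp_ctx was allocated with talloc_new(NULL) a few lines earlier and is only released at `done:`. Make it `goto done;` so the existing cleanup path runs.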
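Review bot: sysdb_set_enumerated() has the same problem in its new read-modify-write step: `if (ret != EOK && ret != ENOENT) { return ret; }` skips `done:` and leaks tmp_ctx; use `goto done;`. Letting the ENOENT case fall through with `enumerated = 0` (attribute not present yet, so no provider has enumerated) is the right default, but it deserves a one-line comment, since the pre-initialisation is what makes it work.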
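Review bot: sysdb_set_uint() now writes the attribute with `ldb_msg_add_fmt(msg, attr_name, "%u", value)` where the removed line wrote the strings "TRUE"/"FALSE". Caches written by an older release therefore still hold TRUE/FALSE in SYSDB_HAS_ENUMERATED, and ldb_msg_find_attr_as_uint() in the new reader yields 0 for those, so every previously enumerated domain looks un-enumerated after the upgrade. Either convert the value in the sysdb upgrade path or state in the commit message that a one-off re-enumeration after upgrade is intended.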
[SSSD] [sssd PR#860][comment] Prepare for multiple enumeration providers
URL: https://github.com/SSSD/sssd/pull/860
Title: #860: Prepare for multiple enumeration providers
centos-ci commented: """ Can one of the admins verify this patch? """
See the full comment at https://github.com/SSSD/sssd/pull/860#issuecomment-518757431
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
[SSSD] [sssd PR#837][comment] p11_child: make OCSP digest configurable
URL: https://github.com/SSSD/sssd/pull/837
Title: #837: p11_child: make OCSP digest configurable
sumit-bose commented: """ Hi Jakub, thank you for the review, I addressed both of your comments. Btw, if you record the OCSP check with Wireshark you can see the used hash type since OCSP typically uses plain HTTP without encryption. bye, Sumit """
See the full comment at https://github.com/SSSD/sssd/pull/837#issuecomment-518659367
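Sumit's point that the digest is readable in a capture, as an added example that is not part of this thread or of SSSD's code: a small pure-Python DER walker that recovers the CertID hashAlgorithm from an OCSP request and flags SHA-1, fed with a request built here from constructed issuer data (the Name, key bytes, serial and the function names are made up for the example; no real CA is involved).

```python
"""Recover the CertID digest from an OCSP request. Added example, not SSSD code.
OCSP normally runs over plain HTTP, so this hashAlgorithm is what a capture shows.
Issuer name, issuer key bytes and serial number below are constructed test data."""
import hashlib

DIGEST_OIDS = {  # OIDs an OCSP client may place in CertID.hashAlgorithm
    "1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384", "2.16.840.1.101.3.4.2.3": "sha512",
}

def der_len(n):
    if n < 0x80:  # short form; long form for anything larger
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128, high bit set on every byte but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_ocsp_request(issuer_name_der, issuer_pubkey, serial, digest):
    """Unsigned OCSPRequest with one CertID (RFC 6960), hashed with `digest`."""
    oid = next(o for o, name in DIGEST_OIDS.items() if name == digest)
    h = lambda data: hashlib.new(digest, data).digest()
    alg_id = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))  # AlgorithmIdentifier
    serial_der = tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    cert_id = tlv(0x30, alg_id + tlv(0x04, h(issuer_name_der)) + tlv(0x04, h(issuer_pubkey)) + serial_der)
    request_list = tlv(0x30, tlv(0x30, cert_id))  # SEQUENCE OF Request { reqCert }
    return tlv(0x30, tlv(0x30, request_list))     # OCSPRequest { TBSRequest }

def read_tlv(buf, pos=0):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos, out = 0, []  # (tag, body) pairs of the elements inside a constructed element
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def ocsp_request_digests(der):
    """Digest name (or raw OID) of every CertID in an OCSPRequest."""
    _, ocsp_req, _ = read_tlv(der)
    _, tbs = children(ocsp_req)[0]  # tbsRequest
    # requestList is the first plain SEQUENCE; optional [0] version / [1] requestorName are skipped
    request_list = next(body for tag, body in children(tbs) if tag == 0x30)
    names = []
    for _, request in children(request_list):
        _, cert_id = children(request)[0]   # reqCert
        _, alg_id = children(cert_id)[0]    # hashAlgorithm
        oid = decode_oid(children(alg_id)[0][1])  # algorithm OID body
        names.append(DIGEST_OIDS.get(oid, oid))
    return names

def uses_weak_digest(der):
    return "sha1" in ocsp_request_digests(der)

# Constructed test data: Name with a single CN=Example CA, and 64 arbitrary key bytes.
ISSUER_NAME_DER = tlv(0x30, tlv(0x31, tlv(0x30, encode_oid("2.5.4.3") + tlv(0x0C, b"Example CA"))))
ISSUER_KEY = bytes(range(64))

if __name__ == "__main__":  # prints e.g. "sha1 -> ['sha1'] weak: True"
    for d in ("sha1", "sha256"):
        req = build_ocsp_request(ISSUER_NAME_DER, ISSUER_KEY, 0x1234, d)
        print(d, "->", ocsp_request_digests(req), "weak:", uses_weak_digest(req))
```

The same walker works on the request body of a real OCSP POST pulled from a capture, which is how a defender can audit which digest a client such as p11_child actually sends.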
[SSSD] [sssd PR#837][synchronized] p11_child: make OCSP digest configurable
URL: https://github.com/SSSD/sssd/pull/837 Author: sumit-bose Title: #837: p11_child: make OCSP digest configurable Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/837/head:pr837 git checkout pr837 From d8d0835c60a7907f2243bb2abee1de380281b2fc Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 25 Jun 2019 12:46:10 +0200 Subject: [PATCH 1/3] utils: remove unused prototype (cert_to_ssh_key) This is a leftover from a previous cleanup done in the context of https://pagure.io/SSSD/sssd/issue/3489. --- src/util/cert.h | 5 - 1 file changed, 5 deletions(-) diff --git a/src/util/cert.h b/src/util/cert.h index d528029561..2fccc8be9f 100644 --- a/src/util/cert.h +++ b/src/util/cert.h @@ -48,11 +48,6 @@ errno_t bin_to_ldap_filter_value(TALLOC_CTX *mem_ctx, const uint8_t *blob, size_t blob_size, char **_str); -errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db, -const uint8_t *der_blob, size_t der_size, -struct cert_verify_opts *cert_verify_opts, -uint8_t **key, size_t *key_size); - errno_t get_ssh_key_from_cert(TALLOC_CTX *mem_ctx, uint8_t *der_blob, size_t der_size, uint8_t **key_blob, size_t *key_size); From 6d37b395ab2b09a47090ad2857b2ba7c0746f825 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 25 Jun 2019 12:57:29 +0200 Subject: [PATCH 2/3] utils: move parse_cert_verify_opts() into separate file parse_cert_verify_opts() is only used by p11_child, so it makes sense to move the sources nearer together. The related test is still in test_utils but it can be split out as well if there are more p11_child related unit tests. Related to https://pagure.io/SSSD/sssd/issue/4032 --- Makefile.am| 11 ++ src/p11_child/p11_child.h | 11 ++ src/p11_child/p11_child_common_utils.c | 182 + src/tests/cmocka/test_utils.c | 1 + src/util/util.c| 153 - src/util/util.h| 11 -- 6 files changed, 205 insertions(+), 164 deletions(-) create mode 100644 src/p11_child/p11_child_common_utils.c 
diff --git a/Makefile.am b/Makefile.am index 39cdaa1fa3..5ad959c6b4 100644 --- a/Makefile.am +++ b/Makefile.am @@ -3036,12 +3036,22 @@ test_ipa_idmap_LDADD = \ test_utils_SOURCES = \ src/tests/cmocka/test_utils.c \ src/tests/cmocka/test_string_utils.c \ +src/p11_child/p11_child_common_utils.c \ $(NULL) if BUILD_SSH test_utils_SOURCES += src/tests/cmocka/test_sss_ssh.c endif test_utils_CFLAGS = \ $(AM_CFLAGS) +if HAVE_NSS +test_utils_CFLAGS += \ +$(NSS_CFLAGS) \ +$(NULL) +else +test_utils_CFLAGS += \ +$(P11_KIT_CFLAGS) \ +$(NULL) +endif test_utils_LDADD = \ $(CMOCKA_LIBS) \ $(POPT_LIBS) \ @@ -4667,6 +4677,7 @@ proxy_child_LDADD = \ p11_child_SOURCES = \ src/p11_child/p11_child_common.c \ +src/p11_child/p11_child_common_utils.c \ src/util/atomic_io.c \ src/util/util.c \ src/util/util_ext.c \ diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h index 92ecf74a89..d31a76f92d 100644 --- a/src/p11_child/p11_child.h +++ b/src/p11_child/p11_child.h @@ -30,6 +30,14 @@ #define PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME 3 struct p11_ctx; +struct cert_verify_opts { +bool do_ocsp; +bool do_verification; +char *ocsp_default_responder; +char *ocsp_default_responder_signing_cert; +char *crl_file; +}; + enum op_mode { OP_NONE, OP_AUTH, @@ -55,4 +63,7 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, enum op_mode mode, const char *pin, const char *module_name_in, const char *token_name_in, const char *key_id_in, const char *uri, char **_multi); + +errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts, + struct cert_verify_opts **cert_verify_opts); #endif /* __P11_CHILD_H__ */ diff --git a/src/p11_child/p11_child_common_utils.c b/src/p11_child/p11_child_common_utils.c new file mode 100644 index 00..0374eff0ab --- /dev/null +++ b/src/p11_child/p11_child_common_utils.c 
@@ -0,0 +1,182 @@ +/* +SSSD + +Helper child to commmunicate with SmartCard -- common code + +Authors: +Sumit Bose + +Copyright (C) 2019 Red Hat + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A
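Review bot: test_utils_SOURCES gains src/p11_child/p11_child_common_utils.c and test_utils_CFLAGS now gets NSS_CFLAGS or P11_KIT_CFLAGS depending on HAVE_NSS, but test_utils_LDADD is left alone in this hunk. If the moved code only needs the headers that is fine; if it calls into NSS or p11-kit the test binary will stop linking in one of the two configurations, so a sentence in the commit message on why CFLAGS alone suffice would help.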
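Review bot: struct cert_verify_opts becomes part of the p11_child.h interface without a comment on what each field controls or which verify_opts keyword parse_cert_verify_opts() maps onto it; a short block comment above the struct would save readers a trip into p11_child_common_utils.c.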
[SSSD] [sssd PR#856][+Accepted] pam_sss: Add missing colon to the PIN prompt
URL: https://github.com/SSSD/sssd/pull/856
Title: #856: pam_sss: Add missing colon to the PIN prompt
Label: +Accepted
[SSSD] [sssd PR#856][comment] pam_sss: Add missing colon to the PIN prompt
URL: https://github.com/SSSD/sssd/pull/856
Title: #856: pam_sss: Add missing colon to the PIN prompt
sumit-bose commented: """ Patch works well and the CI failures are not related. ACK """
See the full comment at https://github.com/SSSD/sssd/pull/856#issuecomment-518620067
[SSSD] [sssd PR#824][comment] CONFDB: Files domain if activated without .conf
URL: https://github.com/SSSD/sssd/pull/824
Title: #824: CONFDB: Files domain if activated without .conf
thalman commented: """ @jhrozek re-pushed """
See the full comment at https://github.com/SSSD/sssd/pull/824#issuecomment-518590416
[SSSD] [sssd PR#824][synchronized] CONFDB: Files domain if activated without .conf
URL: https://github.com/SSSD/sssd/pull/824 Author: thalman Title: #824: CONFDB: Files domain if activated without .conf Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/824/head:pr824 git checkout pr824 From 9b88b6c71fb4deb202bdf1f91ff952d42eef384c Mon Sep 17 00:00:00 2001 From: Tomas Halman Date: Mon, 15 Jul 2019 12:31:06 +0200 Subject: [PATCH 1/2] CONFDB: Files domain if activated without .conf Implicit files domain gets activated when no sssd.conf present and sssd is started. This does not respect --disable-files-domain configure option Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1713352 --- src/confdb/confdb_setup.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c index 5e35589659..e9944957da 100644 --- a/src/confdb/confdb_setup.c +++ b/src/confdb/confdb_setup.c @@ -34,7 +34,6 @@ "version: 2\n\n" \ "dn: cn=sssd,cn=config\n" \ "cn: sssd\n" \ -"enable_files_domain: true\n" \ "services: nss\n\n" #endif /* SSSD_FALLBACK_CONFIG_LDIF */ From e2aa9e15121706eadc5412c7ca210ac016e7efb7 Mon Sep 17 00:00:00 2001 From: Tomas Halman Date: Tue, 9 Jul 2019 14:24:07 +0200 Subject: [PATCH 2/2] TESTS: adapt tests to enabled default files domain Some tests expect that SSSD is compiled with --enable-files-domain option (test_no_sssd_conf). But having this enabled by default breaks some other tests. This patch adds --enable-files-domain to test build and explicitly disables the domain in configuration of some tests (ldap, enumeration). Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1713352 --- Makefile.am| 2 ++ src/tests/intg/test_enumeration.py | 1 + src/tests/intg/test_ldap.py| 1 + 3 files changed, 4 insertions(+) diff --git a/Makefile.am b/Makefile.am index 0c24ae6649..0c335ac1db 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -3763,6 +3763,8 @@ intgcheck-prepare: --enable-intgcheck-reqs \ --without-semanage \ --with-session-recording-shell=/bin/false \ + --enable-local-provider \ + --enable-files-domain \ $(INTGCHECK_CONFIGURE_FLAGS) \ CFLAGS="-O2 -g $$CFLAGS -DKCM_PEER_UID=$$(id -u)"; \ $(MAKE) $(AM_MAKEFLAGS) ; \ diff --git a/src/tests/intg/test_enumeration.py b/src/tests/intg/test_enumeration.py index 669fd86c7a..c105c6df02 100644 --- a/src/tests/intg/test_enumeration.py +++ b/src/tests/intg/test_enumeration.py @@ -113,6 +113,7 @@ def format_basic_conf(ldap_conn, schema): debug_level = 0x domains = LDAP services= nss, pam +enable_files_domain = false [nss] debug_level = 0x diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py index 787255f92d..c432068f91 100644 --- a/src/tests/intg/test_ldap.py +++ b/src/tests/intg/test_ldap.py @@ -117,6 +117,7 @@ def format_basic_conf(ldap_conn, schema): debug_level = 0x domains = LDAP services= nss, pam +enable_files_domain = false [nss] debug_level = 0x
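Review bot: the intgcheck-prepare hunk adds `--enable-local-provider` together with `--enable-files-domain`, but the commit message only explains the files-domain flag ("adds --enable-files-domain to test build"). Either say why the local provider is needed for the integration tests or drop it, so it is not read as an unrelated leftover.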
[SSSD] [sssd PR#859][opened] Make sure child log files have the right permissions
URL: https://github.com/SSSD/sssd/pull/859 Author: sumit-bose Title: #859: Make sure child log files have the right permissions Action: opened PR body: """ If SSSD runs a unprivileged user we should make sure the log files for child processes have the right permission so that the child process can write to them. Related to https://pagure.io/SSSD/sssd/issue/4056 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/859/head:pr859 git checkout pr859 From 8f77144df1f129d8a2beebf77e286c4dd26294e9 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 2 Aug 2019 13:44:18 +0200 Subject: [PATCH 1/3] pam: make sure p11_child.log has the right permissions If SSSD runs a unprivileged user we should make sure the log files for child processes have the right permission so that the child process can write to them. Related to https://pagure.io/SSSD/sssd/issue/4056 --- src/responder/pam/pamsrv.c | 9 + 1 file changed, 9 insertions(+) diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c index 38db6fc9b0..4f5b9b6647 100644 --- a/src/responder/pam/pamsrv.c +++ b/src/responder/pam/pamsrv.c @@ -399,6 +399,15 @@ int main(int argc, const char *argv[]) } } +/* server_setup() might switch to an unprivileged user, so the permissions + * for p11_child.log have to be fixed first. */ +ret = chown_debug_file("p11_child", uid, gid); +if (ret != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot chown the p11_child debug file, " + "debugging might not work!\n"); +} + ret = server_setup("sssd[pam]", 0, uid, gid, CONFDB_PAM_CONF_ENTRY, _ctx); if (ret != EOK) return 2; From 95bd98ae7afc63fa6370c2a757d2f797fdc4a73b Mon Sep 17 00:00:00 2001 
From: Sumit Bose Date: Mon, 5 Aug 2019 17:04:14 +0200 Subject: [PATCH 2/3] ssh: make sure p11_child.log has the right permissions If SSSD runs a unprivileged user we should make sure the log files for child processes have the right permission so that the child process can write to them. Related to https://pagure.io/SSSD/sssd/issue/4056 --- src/responder/ssh/sshsrv.c | 10 ++ 1 file changed, 10 insertions(+) diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c index ef2c9d01bc..07397834c7 100644 --- a/src/responder/ssh/sshsrv.c +++ b/src/responder/ssh/sshsrv.c @@ -187,6 +187,16 @@ int main(int argc, const char *argv[]) sss_set_logger(opt_logger); +/* server_setup() might switch to an unprivileged user, so the permissions + * for p11_child.log have to be fixed first. We might call p11_child to + * validate certificates. */ +ret = chown_debug_file("p11_child", uid, gid); +if (ret != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot chown the p11_child debug file, " + "debugging might not work!\n"); +} + ret = server_setup("sssd[ssh]", 0, uid, gid, CONFDB_SSH_CONF_ENTRY, _ctx); if (ret != EOK) { From 2dcc20d06c219d658090e7b809dd5991894c5af1 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 5 Aug 2019 17:05:00 +0200 Subject: [PATCH 3/3] BE: make sure child log files have the right permissions If SSSD runs a unprivileged user we should make sure the log files for child processes have the right permission so that the child process can write to them. Related to https://pagure.io/SSSD/sssd/issue/4056 --- src/providers/data_provider_be.c | 23 +++ 1 file changed, 23 insertions(+) diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c index 6dce8286dd..ce00231ff5 100644 --- a/src/providers/data_provider_be.c +++ b/src/providers/data_provider_be.c 
@@ -554,6 +554,27 @@ errno_t be_process_init(TALLOC_CTX *mem_ctx, return ret; } +static void fix_child_log_permissions(uid_t uid, gid_t gid) +{ +int ret; +const char *child_names[] = { "krb5_child", + "ldap_child", + "selinux_child", + "ad_gpo_child", + "proxy_child", + NULL }; +size_t c; + +for (c = 0; child_names[c] != NULL; c++) { +ret = chown_debug_file(child_names[c], uid, gid); +if (ret != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot chown the [%s] debug file, " + "debugging might not work!\n", child_names[c]); +} +} +} + static void dp_initialized(struct tevent_req *req) { struct tevent_signal *tes; @@ -609,6 +630,8 @@ static void dp_initialized(struct tevent_req *req) "Cannot chown the debug files, debugging might not work!\n"); } +fix_child_log_permissions(be_ctx->uid, be_ctx->gid); + ret = become_user(be_ctx->uid, be_ctx->gid); if (ret != EOK) { DEBUG(SSSDBG_FUNC_DATA,
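Review bot: fix_child_log_permissions() hard-codes child_names[] (krb5_child, ldap_child, selinux_child, ad_gpo_child, proxy_child), so a child helper added later silently keeps a log file the unprivileged process cannot open, with only the SSSDBG_MINOR_FAILURE message as a hint. A comment above the array pointing at where these children are spawned (or a list shared with that code) would keep the two in step; it would also be the natural place to note that p11_child is handled in the PAM and SSH responders instead.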
[SSSD] [sssd PR#858][edited] ldap: do not store empty attribute with ldap_rfc2307_fallback_to_local_users = true
URL: https://github.com/SSSD/sssd/pull/858
Author: pbrezina
Title: #858: ldap: do not store empty attribute with ldap_rfc2307_fallback_to_local_users = true
Action: edited
Changed field: body
Original value: """
This caused an error when saving local user as a fallback:
```
[sdap_save_user] (0x0400): Storing info for user testu...@ldap.vm
[sysdb_ldb_msg_difference] (0x2000): Added attr [gecos] to entry [name=testu...@ldap.vm,cn=users,cn=ldap.vm,cn=sysdb]
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [Invalid attribute syntax](21)[Element gecos has empty attribute in ldb message (name=testu...@ldap.vm,cn=users,cn=ldap.vm,cn=sysdb)!]
[sysdb_set_cache_entry_attr] (0x0040): Error: 22 (Invalid argument)
[sysdb_set_entry_attr] (0x0080): Cannot set attrs for name=testu...@ldap.vm,cn=users,cn=ldap.vm,cn=sysdb, 22 [Invalid argument]
[sysdb_store_user] (0x0040): Cache update failed: 22
[sysdb_store_user] (0x0400): Error: 22 (Invalid argument)
[sdap_save_user] (0x0020): Failed to save user [testu...@ldap.vm]
```
Steps to reproduce:
1. create local user `testuser`
2. add it to LDAP group memberUid
3. set `passwd: sss files`, `group: sss files` (sss must be before files)
4. set enable_files_domain = false and ldap_rfc2307_fallback_to_local_users = true
5. run sssd
6. id testuser -> it does not contain the LDAP group without the patch
Resolves: https://pagure.io/SSSD/sssd/issue/4013
Note: this fixes only the case when the nsswitch order is `sss files` but no files domain is available.
"""
[SSSD] [sssd PR#858][synchronized] ldap: do not store empty attribute with ldap_rfc2307_fallback_to_local_users = true
URL: https://github.com/SSSD/sssd/pull/858 Author: pbrezina Title: #858: ldap: do not store empty attribute with ldap_rfc2307_fallback_to_local_users = true Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/858/head:pr858 git checkout pr858 From 19dbfc6b65b68f335f5872ce266ee5bddf352557 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Mon, 5 Aug 2019 14:09:06 +0200 Subject: [PATCH] ldap: do not store empty attribute with ldap_rfc2307_fallback_to_local_users = true This caused an error when saving local user as a fallback: ``` [sdap_save_user] (0x0400): Storing info for user testu...@ldap.vm [sysdb_ldb_msg_difference] (0x2000): Added attr [gecos] to entry [name=testu...@ldap.vm,cn=users,cn=ldap.vm,cn=sysdb] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [Invalid attribute syntax](21)[Element gecos has empty attribute in ldb message (name=testu...@ldap.vm,cn=users,cn=ldap.vm,cn=sysdb)!] [sysdb_set_cache_entry_attr] (0x0040): Error: 22 (Invalid argument) [sysdb_set_entry_attr] (0x0080): Cannot set attrs for name=testu...@ldap.vm,cn=users,cn=ldap.vm,cn=sysdb, 22 [Invalid argument] [sysdb_store_user] (0x0040): Cache update failed: 22 [sysdb_store_user] (0x0400): Error: 22 (Invalid argument) [sdap_save_user] (0x0020): Failed to save user [testu...@ldap.vm] ``` Steps to reproduce: 1. create local user `testuser` 2. add it to LDAP group memberUid 3. set `passwd: sss files`, `group: sss files` (sss must be before files) 4. set enable_files_domain = false and ldap_rfc2307_fallback_to_local_users = true 5. run sssd 6. id testuser -> it does not contain the LDAP group without the patch Related to: https://pagure.io/SSSD/sssd/issue/4013 --- src/providers/ldap/sdap_async_users.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c index af4dc1a175..9dcb59e233 100644 
--- a/src/providers/ldap/sdap_async_users.c +++ b/src/providers/ldap/sdap_async_users.c @@ -1176,21 +1176,21 @@ errno_t sdap_fallback_local_user(TALLOC_CTX *memctx, goto done; } -if (pwd->pw_gecos) { +if (pwd->pw_gecos && *pwd->pw_gecos) { ret = sysdb_attrs_add_string(user, SYSDB_GECOS, pwd->pw_gecos); if (ret != EOK) { goto done; } } -if (pwd->pw_dir) { +if (pwd->pw_dir && *pwd->pw_dir) { ret = sysdb_attrs_add_string(user, SYSDB_HOMEDIR, pwd->pw_dir); if (ret != EOK) { goto done; } } -if (pwd->pw_shell) { +if (pwd->pw_shell && *pwd->pw_shell) { ret = sysdb_attrs_add_string(user, SYSDB_SHELL, pwd->pw_shell); if (ret != EOK) { goto done;
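Review bot: the three `pwd->pw_x && *pwd->pw_x` guards fix the symptom for gecos, homedir and shell, but the log in the commit message shows the real failure is in sysdb_set_cache_entry_attr(), where ldb_modify() rejects an element with an empty value. Rejecting or skipping empty values once inside the sysdb attrs helper would protect every other caller as well; if that is out of scope here, a unit test for sdap_fallback_local_user() with an empty gecos would at least pin this fix down.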
[SSSD] [sssd PR#858][opened] ldap: do not store empty attribute with ldap_rfc2307_fallback_to_local_users = true
URL: https://github.com/SSSD/sssd/pull/858
Author: pbrezina
Title: #858: ldap: do not store empty attribute with ldap_rfc2307_fallback_to_local_users = true
Action: opened
PR body: """
This caused an error when saving local user as a fallback:
```
[sdap_save_user] (0x0400): Storing info for user testu...@ldap.vm
[sysdb_ldb_msg_difference] (0x2000): Added attr [gecos] to entry [name=testu...@ldap.vm,cn=users,cn=ldap.vm,cn=sysdb]
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [Invalid attribute syntax](21)[Element gecos has empty attribute in ldb message (name=testu...@ldap.vm,cn=users,cn=ldap.vm,cn=sysdb)!]
[sysdb_set_cache_entry_attr] (0x0040): Error: 22 (Invalid argument)
[sysdb_set_entry_attr] (0x0080): Cannot set attrs for name=testu...@ldap.vm,cn=users,cn=ldap.vm,cn=sysdb, 22 [Invalid argument]
[sysdb_store_user] (0x0040): Cache update failed: 22
[sysdb_store_user] (0x0400): Error: 22 (Invalid argument)
[sdap_save_user] (0x0020): Failed to save user [testu...@ldap.vm]
```
Steps to reproduce:
1. create local user `testuser`
2. add it to LDAP group memberUid
3. set `passwd: sss files`, `group: sss files` (sss must be before files)
4. set enable_files_domain = false and ldap_rfc2307_fallback_to_local_users = true
5. run sssd
6. id testuser -> it does not contain the LDAP group without the patch
Resolves: https://pagure.io/SSSD/sssd/issue/4013
Note: this fixes only the case when the nsswitch order is `sss files` but no files domain is available.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/858/head:pr858
git checkout pr858
From c9bb82974a2f1af49a97c7faac6a20f01e256245 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Mon, 5 Aug 2019 14:09:06 +0200 Subject: [PATCH] ldap: do not store empty attribute with ldap_rfc2307_fallback_to_local_users = true This caused an error when saving local user as a fallback: ``` [sdap_save_user] (0x0400): Storing info for user testu...@ldap.vm [sysdb_ldb_msg_difference] (0x2000): Added attr [gecos] to entry [name=testu...@ldap.vm,cn=users,cn=ldap.vm,cn=sysdb] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [Invalid attribute syntax](21)[Element gecos has empty attribute in ldb message (name=testu...@ldap.vm,cn=users,cn=ldap.vm,cn=sysdb)!] [sysdb_set_cache_entry_attr] (0x0040): Error: 22 (Invalid argument) [sysdb_set_entry_attr] (0x0080): Cannot set attrs for name=testu...@ldap.vm,cn=users,cn=ldap.vm,cn=sysdb, 22 [Invalid argument] [sysdb_store_user] (0x0040): Cache update failed: 22 [sysdb_store_user] (0x0400): Error: 22 (Invalid argument) [sdap_save_user] (0x0020): Failed to save user [testu...@ldap.vm] ``` Steps to reproduce: 1. create local user `testuser` 2. add it to LDAP group memberUid 3. set `passwd: sss files`, `group: sss files` (sss must be before files) 4. set enable_files_domain = false and ldap_rfc2307_fallback_to_local_users = true 5. run sssd 6. id testuser -> it does not contain the LDAP group without the patch Resolves: https://pagure.io/SSSD/sssd/issue/4013 --- src/providers/ldap/sdap_async_users.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c index af4dc1a175..9dcb59e233 100644 --- a/src/providers/ldap/sdap_async_users.c +++ b/src/providers/ldap/sdap_async_users.c 
@@ -1176,21 +1176,21 @@ errno_t sdap_fallback_local_user(TALLOC_CTX *memctx, goto done; } -if (pwd->pw_gecos) { +if (pwd->pw_gecos && *pwd->pw_gecos) { ret = sysdb_attrs_add_string(user, SYSDB_GECOS, pwd->pw_gecos); if (ret != EOK) { goto done; } } -if (pwd->pw_dir) { +if (pwd->pw_dir && *pwd->pw_dir) { ret = sysdb_attrs_add_string(user, SYSDB_HOMEDIR, pwd->pw_dir); if (ret != EOK) { goto done; } } -if (pwd->pw_shell) { +if (pwd->pw_shell && *pwd->pw_shell) { ret = sysdb_attrs_add_string(user, SYSDB_SHELL, pwd->pw_shell); if (ret != EOK) { goto done;