[SSSD] [sssd PR#5284][opened] Remove leftover ccache from SSH credentials delegation

2020-08-19 Thread justin-stephenson
   URL: https://github.com/SSSD/sssd/pull/5284
Author: justin-stephenson
 Title: #5284: Remove leftover ccache from SSH credentials delegation
Action: opened

PR body:
"""
This PR addresses the issue described in 
https://github.com/SSSD/sssd/pull/876#issuecomment-525734063 

When KCM receives delegated credentials over SSH, a new ccache is initialized, 
filled in and switched to. If a ccache for this newly initialized principal 
already exists, an expired/stale ccache is left over in the cache.

KCM will now compare this newly initialized principal against all existing 
ccache principals and remove any comparison match, ensuring KCM doesn't end up 
with a duplicate old ccache.

I believe this finalizes the remaining work needed to resolve 
https://pagure.io/SSSD/sssd/issue/4017 (the main work being done in 
https://github.com/SSSD/sssd/pull/736 and 
https://github.com/SSSD/sssd/pull/876) but I would like to have someone confirm 
this.

A simple reproducer case is the following:
~~~
   # kinit $user
   # ssh -K -l $user hostname klist -A

   # ssh -K -l $user hostname klist -A
~~~
Without this PR each successive run of the ssh command would generate and store 
a new ccache in KCM on the host *hostname*, and that will be evident in the 
`klist -A` output.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5284/head:pr5284
git checkout pr5284
From 293cf3e75544b8323aebecf6df695b2de27114c1 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Wed, 5 Aug 2020 20:29:59 +
Subject: [PATCH 1/2] KCM: Remove stale ccache from delegation

When KCM receives delegated credentials over SSH, a new ccache is
initialized, filled in and switched to. If a ccache for this newly
initialized principal already exists, an expired/stale ccache is left
over in the cache.

KCM will now compare this newly initialized principal against all
existing ccache principals and remove any comparison match, ensuring
KCM doesn't end up with a duplicate old ccache.
---
 src/responder/kcm/kcmsrv_ops.c | 176 -
 1 file changed, 174 insertions(+), 2 deletions(-)

diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
index 1fc21453eb..48193ce4f9 100644
--- a/src/responder/kcm/kcmsrv_ops.c
+++ b/src/responder/kcm/kcmsrv_ops.c
@@ -362,11 +362,20 @@ struct kcm_op_initialize_state {
 struct kcm_ccache *new_cc;
 const char *name;
 krb5_principal princ;
+
+int index;
+uuid_t *uuid_list;
+uuid_t current_uuid;
 };
 
 static void kcm_op_initialize_got_byname(struct tevent_req *subreq);
 static void kcm_op_initialize_cc_create_done(struct tevent_req *subreq);
 static void kcm_op_initialize_cc_delete_done(struct tevent_req *subreq);
+static void kcm_op_initialize_remove_existing_ccache(struct tevent_req *req);
+static void kcm_op_initialize_remove_existing_uuid_list_done(struct tevent_req *req);
+static errno_t kcm_op_initialize_remove_existing_ccache_step(struct tevent_req *req);
+static void kcm_op_initialize_remove_existing_ccache_done(struct tevent_req *subreq);
+static void kcm_op_initialize_remove_existing_final_done(struct tevent_req *subreq);
 static void kcm_op_initialize_fill_princ_step(struct tevent_req *req);
 static void kcm_op_initialize_fill_princ_done(struct tevent_req *subreq);
 static void kcm_op_initialize_create_step(struct tevent_req *req);
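Review bot: The fields added to kcm_op_initialize_state at the top of the hunk (`index`, `uuid_list`, `current_uuid`) carry no comment saying what they hold or who owns the list, while the callbacks that use them are in a later hunk. From the commit message the intent is a walk over the client's ccaches looking for one that already holds the new principal, so a comment such as `/* UUIDs of the client's existing ccaches, walked via index to drop any duplicate of princ */` above `uuid_list` would let a reader follow the state machine without reading every callback; confirm that matches what kcm_ccdb_list_send returns. If `index` is compared against a count from that list, `size_t` would avoid a signed/unsigned comparison, but that comparison is not visible here. The struct definition starts before this hunk.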
@@ -454,10 +463,11 @@ static void kcm_op_initialize_got_byname(struct tevent_req *subreq)
 if (state->new_cc != NULL) {
 if (kcm_cc_get_client_principal(state->new_cc) == NULL) {
 /* This is a cache that was pre-created w/o a principal (sshd does this),
- * let's fill in the principal and set the cache as default if not
+ * let's remove any existing ccache matching this principal,
+ * fill in the principal and set the cache as default if not
  * already
  */
-kcm_op_initialize_fill_princ_step(req);
+kcm_op_initialize_remove_existing_ccache(req);
 return;
 }
 
@@ -512,6 +522,168 @@ static void kcm_op_initialize_cc_delete_done(struct tevent_req *subreq)
 kcm_op_initialize_create_step(req);
 }
 
+static void kcm_op_initialize_remove_existing_ccache(struct tevent_req *req)
+{
+struct tevent_req *subreq;
+struct kcm_op_initialize_state *state = tevent_req_data(req,
+struct kcm_op_initialize_state);
+
+DEBUG(SSSDBG_TRACE_FUNC, "Checking for existing duplicate ccache\n");
+
+subreq = kcm_ccdb_list_send(state, state->ev,
+state->op_ctx->kcm_data->db,
+state->op_ctx->client);
+if (subreq == NULL) {
+tevent_req_error(req, ENOMEM);
+return;
+}
+
+tevent_req_set_callback(subreq, kcm_op_initialize_remove_existing_uuid_list_done, req);
+}
+
+static void 

[SSSD] [sssd PR#5280][-Waiting for review] p11_child: switch default ocsp_dgst to sha1

2020-08-19 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5280
Title: #5280: p11_child: switch default ocsp_dgst to sha1

Label: -Waiting for review


[SSSD] [sssd PR#5280][+Changes requested] p11_child: switch default ocsp_dgst to sha1

2020-08-19 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5280
Title: #5280: p11_child: switch default ocsp_dgst to sha1

Label: +Changes requested


[SSSD] [sssd PR#5280][comment] p11_child: switch default ocsp_dgst to sha1

2020-08-19 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5280
Title: #5280: p11_child: switch default ocsp_dgst to sha1

sumit-bose commented:
"""
Hi,

thank you for the patch, it is still working fine in FIPS mode.

I think it would be good if you can add an explanation to the man page that 
`sha1` is used as the default to be compliant with RFC 5019.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5280#issuecomment-676597614


[SSSD] [sssd PR#5257][comment] git-template: add tags to help with release notes automation

2020-08-19 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5257
Title: #5257: git-template: add tags to help with release notes automation

alexey-tikhonov commented:
"""
I think I liked the idea of tags in commit messages more.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5257#issuecomment-676595114


[SSSD] [sssd PR#5257][comment] git-template: add tags to help with release notes automation

2020-08-19 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5257
Title: #5257: git-template: add tags to help with release notes automation

pbrezina commented:
"""
Or we can of course ask openstack developers if they would accept contributions.

EDIT: Looking at the code, this would take lots of time to implement different 
logic there.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5257#issuecomment-676536711


[SSSD] [sssd PR#5257][comment] git-template: add tags to help with release notes automation

2020-08-19 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5257
Title: #5257: git-template: add tags to help with release notes automation

pbrezina commented:
"""
Or we can of course ask openstack developers if they would accept contributions.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5257#issuecomment-676536711


[SSSD] [sssd PR#5257][comment] git-template: add tags to help with release notes automation

2020-08-19 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5257
Title: #5257: git-template: add tags to help with release notes automation

pbrezina commented:
"""
I did lots of research on the topic. Ansible replaced `reno` with its own 
generator `antsibull-changelog` that is quite closely bound to Ansible 
development and cannot be used by unrelated projects. I also looked for other 
generators, most of them just use the git commit message (and only the subject 
line), and many of them are tightly bound to the language and packaging system 
(most often pip or npm) so those cannot be used.

`reno` itself seemed promising but there are some limitations that do not work 
for us.
* One of the biggest caveats is that it actually requires the relnote files to 
be never deleted. Once deleted, the release notes is also lost from the history 
when regenerating older release notes. So reverting a patch after a release 
would remove it from the old release notes as well so automation gets broken.
* IMHO keeping dozens and later hundreds of release notes in the tree forever 
is not cool.
* It uses tag name as the version name, this does not work for us since we use 
sssd-X_Y_Z instead of sssd-X.Y.Z for some reason.
* Another thing is that `reno` attaches a unique id to each file so it is kind 
of required to use `reno new slug` by contributors which is unnecessary I 
think. It seem to work even without the id, but that would be prone to 
conflicts if we need to keep the files around.

So what I would like to do is to keep the idea of putting the notes into yaml 
files into the repository but always delete them after the release. And prepare 
a custom generator that will fit our needs. It's just a few minutes work in 
Python, so it really does not matter.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5257#issuecomment-676535344


[SSSD] [sssd PR#5281][comment] Dn with spaces for 1.16

2020-08-19 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5281
Title: #5281: Dn with spaces for 1.16

sumit-bose commented:
"""
Hi,

thanks for the update, ACK.

Btw, the cherry-picked messages might need an update after the original patches 
are committed to master.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5281#issuecomment-676388286


[SSSD] [sssd PR#5262][comment] DN with white spaces

2020-08-19 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5262
Title: #5262: DN with white spaces

sumit-bose commented:
"""
> > Hi,
> > thanks, I do not expect any CI issues, so ACK.
> > bye,
> > Sumit
> 
> Unfortunately I had to put it back; tests show that `ldb_dn_get_linearized()` 
> can return the spaces in the DN too.
> 
> Please review.

Sorry for the misleading suggestion. The third patch restores the original 
state of your patch. ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5262#issuecomment-676372476


[SSSD] [sssd PR#5281][comment] Dn with spaces for 1.16

2020-08-19 Thread thalman
  URL: https://github.com/SSSD/sssd/pull/5281
Title: #5281: Dn with spaces for 1.16

thalman commented:
"""
Updated another part of the patch.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5281#issuecomment-676371594


[SSSD] [sssd PR#5281][synchronized] Dn with spaces for 1.16

2020-08-19 Thread thalman
   URL: https://github.com/SSSD/sssd/pull/5281
Author: thalman
 Title: #5281: Dn with spaces for 1.16
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5281/head:pr5281
git checkout pr5281
From d0cc9f3b8b8b7aebb4980d1eb7228f0df2051672 Mon Sep 17 00:00:00 2001
From: Tomas Halman 
Date: Fri, 31 Jul 2020 11:12:02 +0200
Subject: [PATCH 1/3] UTIL: DN sanitization

Some LDAP servers return DNs in attributes such as isMemberOf
with spaces, like dc=example, dc=com. That should be fine and we
should ignore them (cut them out) instead of escaping.

Resolves:
https://github.com/SSSD/sssd/issues/5261
(cherry picked from commit 882307cdc1b596ba0cc346a0001f4fc014818d82)
---
 src/tests/cmocka/test_utils.c |  70 +++
 src/util/util.c   | 127 ++
 src/util/util.h   |  20 ++
 3 files changed, 217 insertions(+)

diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index bd2c9e65da..aa245f00b2 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -1935,6 +1935,73 @@ static void test_sss_get_domain_mappings_content(void **state)
  * capaths might not be as expected. */
 }
 
+
+static void test_sss_filter_sanitize_dn(void **state)
+{
+TALLOC_CTX *tmp_ctx;
+char *trimmed;
+int ret;
+const char *DN = "cn=user,ou=people,dc=example,dc=com";
+
+tmp_ctx = talloc_new(NULL);
+assert_non_null(tmp_ctx);
+
+/* test that we remove spaces around '=' and ','*/
+ret = sss_filter_sanitize_dn(tmp_ctx, DN, );
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn=user,ou=people,dc=example,dc=com", );
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn= user,ou =people,dc = example,dc  =  com", );
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn=user, ou=people ,dc=example , dc=com", );
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn=user,  ou=people  ,dc=example  ,   dc=com", );
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn= user, ou =people ,dc = example  ,  dc  = com", );
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, " cn=user,ou=people,dc=example,dc=com ", );
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, "  cn=user, ou=people, dc=example, dc=com  ", );
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+/* test that we keep spaces inside a value */
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn = user one, ou=people  branch, dc=example, dc=com", );
+assert_int_equal(ret, EOK);
+assert_string_equal("cn=user\\20one,ou=people\\20\\20branch,dc=example,dc=com", trimmed);
+talloc_free(trimmed);
+
+/* test that we keep escape special chars like () */
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn = user one, ou=p(e)ople, dc=example, dc=com", );
+assert_int_equal(ret, EOK);
+assert_string_equal("cn=user\\20one,ou=p\\28e\\29ople,dc=example,dc=com", trimmed);
+talloc_free(trimmed);
+
+talloc_free(tmp_ctx);
+}
+
 int main(int argc, const char *argv[])
 {
 poptContext pc;
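Review bot: The cases in test_sss_filter_sanitize_dn only exercise `=` and `,` that are real separators; a value containing an escaped separator, for instance the input `"cn=Doe\\, John,ou=people,dc=example,dc=com"`, is not covered, and if sss_trim_dn (added in the util.c hunk of this patch, which is cut off in this excerpt) strips whitespace after every comma, the space inside the value would be cut and the DN silently changed. Adding that input with the expected string written out from the helper's escaping of `\\` would pin the behaviour either way; an input of only spaces and the empty string are also cheap boundary cases to add. The same test body is repeated in the source commit of this cherry-pick (the test_utils.c hunk at @@ -1955 further down the page) and needs the same cases.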
@@ -2044,6 +2111,9 @@ int main(int argc, const char *argv[])
 cmocka_unit_test_setup_teardown(test_sss_ptr_hash_without_cb,
 setup_leak_tests,
 teardown_leak_tests),
+cmocka_unit_test_setup_teardown(test_sss_filter_sanitize_dn,
+setup_leak_tests,
+teardown_leak_tests),
 };
 
 /* Set debug level to invalid value so we can decide if -d 0 was used. */
diff --git a/src/util/util.c b/src/util/util.c
index e3efa7fefe..4051c1f4ea 100644
--- a/src/util/util.c
+++ b/src/util/util.c
@@ -530,6 +530,133 @@ errno_t sss_filter_sanitize(TALLOC_CTX *mem_ctx,
 return sss_filter_sanitize_ex(mem_ctx, input, sanitized, NULL);
 }
 
+
+/* There is similar function ldap_dn_normalize in openldap.
+ * To avoid dependecies across project we have this own func.
+ * Also ldb can do this but doesn't handle all the cases
+ */
+static errno_t sss_trim_dn(TALLOC_CTX *mem_ctx,
+   const char *input,
+   char **trimmed)
+{
+int i = 0;
+int o = 0;
+int s;
+char *output;
+

[SSSD] [sssd PR#5281][-Changes requested] Dn with spaces for 1.16

2020-08-19 Thread thalman
  URL: https://github.com/SSSD/sssd/pull/5281
Title: #5281: Dn with spaces for 1.16

Label: -Changes requested


[SSSD] [sssd PR#5281][+Waiting for review] Dn with spaces for 1.16

2020-08-19 Thread thalman
  URL: https://github.com/SSSD/sssd/pull/5281
Title: #5281: Dn with spaces for 1.16

Label: +Waiting for review


[SSSD] [sssd PR#5262][-Changes requested] DN with white spaces

2020-08-19 Thread thalman
  URL: https://github.com/SSSD/sssd/pull/5262
Title: #5262: DN with white spaces

Label: -Changes requested


[SSSD] [sssd PR#5262][+Waiting for review] DN with white spaces

2020-08-19 Thread thalman
  URL: https://github.com/SSSD/sssd/pull/5262
Title: #5262: DN with white spaces

Label: +Waiting for review


[SSSD] [sssd PR#5262][comment] DN with white spaces

2020-08-19 Thread thalman
  URL: https://github.com/SSSD/sssd/pull/5262
Title: #5262: DN with white spaces

thalman commented:
"""
> Hi,
> 
> thanks, I do not expect any CI issues, so ACK.
> 
> bye,
> Sumit

Unfortunately I had to put it back; tests show that `ldb_dn_get_linearized()` 
can return the spaces in the DN too.

Please review.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5262#issuecomment-676364937


[SSSD] [sssd PR#5262][synchronized] DN with white spaces

2020-08-19 Thread thalman
   URL: https://github.com/SSSD/sssd/pull/5262
Author: elkoniu
 Title: #5262: DN with white spaces
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5262/head:pr5262
git checkout pr5262
From 882307cdc1b596ba0cc346a0001f4fc014818d82 Mon Sep 17 00:00:00 2001
From: Tomas Halman 
Date: Fri, 31 Jul 2020 11:12:02 +0200
Subject: [PATCH 1/3] UTIL: DN sanitization

Some LDAP servers return DNs in attributes such as isMemberOf
with spaces, like dc=example, dc=com. That should be fine and we
should ignore them (cut them out) instead of escaping.

Resolves:
https://github.com/SSSD/sssd/issues/5261
---
 src/tests/cmocka/test_utils.c |  70 +++
 src/util/util.h   |  20 ++
 src/util/util_ext.c   | 126 ++
 3 files changed, 216 insertions(+)

diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index c5eda4dd26..92ca783d9f 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -1955,6 +1955,73 @@ static void test_sss_get_domain_mappings_content(void **state)
  * capaths might not be as expected. */
 }
 
+
+static void test_sss_filter_sanitize_dn(void **state)
+{
+TALLOC_CTX *tmp_ctx;
+char *trimmed;
+int ret;
+const char *DN = "cn=user,ou=people,dc=example,dc=com";
+
+tmp_ctx = talloc_new(NULL);
+assert_non_null(tmp_ctx);
+
+/* test that we remove spaces around '=' and ','*/
+ret = sss_filter_sanitize_dn(tmp_ctx, DN, );
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn=user,ou=people,dc=example,dc=com", );
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn= user,ou =people,dc = example,dc  =  com", );
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn=user, ou=people ,dc=example , dc=com", );
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn=user,  ou=people  ,dc=example  ,   dc=com", );
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn= user, ou =people ,dc = example  ,  dc  = com", );
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, " cn=user,ou=people,dc=example,dc=com ", );
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+ret = sss_filter_sanitize_dn(tmp_ctx, "  cn=user, ou=people, dc=example, dc=com  ", );
+assert_int_equal(ret, EOK);
+assert_string_equal(DN, trimmed);
+talloc_free(trimmed);
+
+/* test that we keep spaces inside a value */
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn = user one, ou=people  branch, dc=example, dc=com", );
+assert_int_equal(ret, EOK);
+assert_string_equal("cn=user\\20one,ou=people\\20\\20branch,dc=example,dc=com", trimmed);
+talloc_free(trimmed);
+
+/* test that we keep escape special chars like () */
+ret = sss_filter_sanitize_dn(tmp_ctx, "cn = user one, ou=p(e)ople, dc=example, dc=com", );
+assert_int_equal(ret, EOK);
+assert_string_equal("cn=user\\20one,ou=p\\28e\\29ople,dc=example,dc=com", trimmed);
+talloc_free(trimmed);
+
+talloc_free(tmp_ctx);
+}
+
 int main(int argc, const char *argv[])
 {
 poptContext pc;
@@ -2064,6 +2131,9 @@ int main(int argc, const char *argv[])
 cmocka_unit_test_setup_teardown(test_sss_ptr_hash_without_cb,
 setup_leak_tests,
 teardown_leak_tests),
+cmocka_unit_test_setup_teardown(test_sss_filter_sanitize_dn,
+setup_leak_tests,
+teardown_leak_tests),
 };
 
 /* Set debug level to invalid value so we can decide if -d 0 was used. */
diff --git a/src/util/util.h b/src/util/util.h
index d538e0674d..aa9bf97d4c 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -478,6 +478,26 @@ errno_t sss_filter_sanitize_for_dom(TALLOC_CTX *mem_ctx,
 char **sanitized,
 char **lc_sanitized);
 
+/* Sanitize an input string (e.g. a DN) for use in
+ * an LDAP/LDB filter
+ *
+ * It is basically the same as sss_filter_sanitize(_ex),
+ * just extra spaces inside DN around '=' and ',' are removed
+ * before sanitizing other characters . According the documentation
+ * spaces in DN are allowed and some ldap servers can return them
+ * in isMemberOf or member attributes.
+ *
+ * (dc = my example, dc = com => 

[SSSD] [sssd PR#5281][-Accepted] Dn with spaces for 1.16

2020-08-19 Thread thalman
  URL: https://github.com/SSSD/sssd/pull/5281
Title: #5281: Dn with spaces for 1.16

Label: -Accepted


[SSSD] [sssd PR#5281][+Changes requested] Dn with spaces for 1.16

2020-08-19 Thread thalman
  URL: https://github.com/SSSD/sssd/pull/5281
Title: #5281: Dn with spaces for 1.16

Label: +Changes requested


[SSSD] [sssd PR#5262][+Changes requested] DN with white spaces

2020-08-19 Thread thalman
  URL: https://github.com/SSSD/sssd/pull/5262
Title: #5262: DN with white spaces

Label: +Changes requested


[SSSD] [sssd PR#5262][-Accepted] DN with white spaces

2020-08-19 Thread thalman
  URL: https://github.com/SSSD/sssd/pull/5262
Title: #5262: DN with white spaces

Label: -Accepted


[SSSD] [sssd PR#5283][comment] Add dyndns_auth_ptr support

2020-08-19 Thread joakim-tjernlund
  URL: https://github.com/SSSD/sssd/pull/5283
Title: #5283: Add dyndns_auth_ptr support

joakim-tjernlund commented:
"""
See issue https://github.com/SSSD/sssd/issues/5274
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5283#issuecomment-675923680


[SSSD] [sssd PR#5283][opened] Add dyndns_auth_ptr support

2020-08-19 Thread joakim-tjernlund
   URL: https://github.com/SSSD/sssd/pull/5283
Author: joakim-tjernlund
 Title: #5283: Add dyndns_auth_ptr support
Action: opened

PR body:
"""
Allows specifying the auth method for DNS PTR updates.
Defaults to the same value as dyndns_auth.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5283/head:pr5283
git checkout pr5283
From a95b6c87e965c4833bc1fe045590c6ddb98f04d6 Mon Sep 17 00:00:00 2001
From: Joakim Tjernlund 
Date: Sat, 15 Aug 2020 11:47:42 +0200
Subject: [PATCH] Add dyndns_auth_ptr support

Allows specifying the auth method for DNS PTR updates.
Defaults to the same value as dyndns_auth.
---
 src/config/cfg_rules.ini |  1 +
 src/man/sssd-ad.5.xml| 15 +++
 src/man/sssd-ipa.5.xml   | 15 +++
 src/providers/ad/ad_dyndns.c |  1 +
 src/providers/ad/ad_opts.c   |  1 +
 src/providers/be_dyndns.c| 13 +
 src/providers/be_dyndns.h|  2 ++
 src/providers/ipa/ipa_dyndns.c   |  1 +
 src/providers/ipa/ipa_opts.c |  1 +
 src/providers/ldap/sdap_dyndns.c |  5 -
 src/providers/ldap/sdap_dyndns.h |  1 +
 11 files changed, 55 insertions(+), 1 deletion(-)

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 2874ea048b..6347024278 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -421,6 +421,7 @@ option = dyndns_refresh_interval
 option = dyndns_update_ptr
 option = dyndns_force_tcp
 option = dyndns_auth
+option = dyndns_auth_ptr
 option = dyndns_server
 
 # files provider specific options
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 5c2f465462..e4712e26d9 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -1165,6 +1165,21 @@ ad_gpo_map_deny = +my_pam_service
 
 
 
+
+dyndns_auth_ptr (string)
+
+
+Whether the nsupdate utility should use GSS-TSIG
+authentication for secure PTR updates with the DNS
+server, insecure updates can be sent by setting
+this option to 'none'.
+
+
+Default: Same as dyndns_auth
+
+
+
+
 
 dyndns_server (string)
 
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index 0de866740a..7b630493da 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -214,6 +214,21 @@
 
 
 
+
+dyndns_auth_ptr (string)
+
+
+Whether the nsupdate utility should use GSS-TSIG
+authentication for secure PTR updates with the DNS
+server, insecure updates can be sent by setting
+this option to 'none'.
+
+
+Default: Same as dyndns_auth
+
+
+
+
 
 ipa_enable_dns_sites (boolean)
 
diff --git a/src/providers/ad/ad_dyndns.c b/src/providers/ad/ad_dyndns.c
index 00e1d253ae..71ef16c0b5 100644
--- a/src/providers/ad/ad_dyndns.c
+++ b/src/providers/ad/ad_dyndns.c
@@ -238,6 +238,7 @@ static void ad_dyndns_update_connect_done(struct tevent_req *subreq)
  ctx->dyndns_ctx->opts,
  sdap_ctx,
  ctx->dyndns_ctx->auth_type,
+ ctx->dyndns_ctx->auth_ptr_type,
  dp_opt_get_string(ctx->dyndns_ctx->opts,
DP_OPT_DYNDNS_IFACE),
  dp_opt_get_string(ctx->basic,
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index 25b1367731..9ebb9ad1a4 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -309,6 +309,7 @@ struct dp_option ad_dyndns_opts[] = {
 { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
 { "dyndns_force_tcp", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
 { "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING },
+{ "dyndns_auth_ptr", DP_OPT_STRING, { "" }, NULL_STRING },
 { "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 DP_OPTION_TERMINATOR
 };
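Review bot: The new `dyndns_auth_ptr` entry defaults to `{ "" }`, which turns the empty string into an in-band marker for "inherit dyndns_auth" that every consumer has to recognise, whereas `dyndns_server` on the next line uses `NULL_STRING` for "unset"; `{ "dyndns_auth_ptr", DP_OPT_STRING, NULL_STRING, NULL_STRING },` plus a NULL check where the value is resolved would express the same default without a magic value. The resolving code is in be_dyndns.c, whose hunk is cut off at the end of this excerpt, so it could not be checked here; it should presumably validate the PTR value against the same accepted set as `dyndns_auth` (`gss-tsig`/`none`) and fail on anything else, so that a misspelt value in sssd.conf is reported rather than silently mapped to one of the two modes. The ipa_opts.c entry listed in the diffstat is not in this excerpt and should use whichever default is chosen here.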
diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
index 54f3cc08a3..f97779e1dc 100644
--- a/src/providers/be_dyndns.c
+++ b/src/providers/be_dyndns.c
@@ -1217,6 +1217,7 @@ static struct dp_option default_dyndns_opts[] = {
 { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE },