[SSSD] [sssd PR#5262][comment] DN with white spaces

2020-08-27 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5262
Title: #5262: DN with white spaces

alexey-tikhonov commented:
"""
> Thanks, @alexey-tikhonov, which solution would you prefer?

If I understood correctly, your approach is to use the same DN string as a 
table key everywhere instead of attempting to unify (transform to a single 
state) two DN strings (with the help of trimming/sanitization).

If I got it right, then in general I like your approach more.

But I must admit I don't understand sdap* code well enough to:
 - verify if you spotted all the places where this "new" attribute 
(SYSDB_DN_FOR_MEMBER_HASH_TABLE) must be stored/updated and read to be used as 
a key;
 - estimate the performance hit (it shouldn't be dramatic though, because it's 
just one additional attr to store, and should have no impact during lookup; but 
I can't compare performance-wise with Tomas' patch).

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5262#issuecomment-682111564
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org


[SSSD] [sssd PR#5302][comment] conf: disable python2 bindings by default

2020-08-27 Thread ikerexxe
  URL: https://github.com/SSSD/sssd/pull/5302
Title: #5302: conf: disable python2 bindings by default

ikerexxe commented:
"""
LGTM
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5302#issuecomment-681972285


[SSSD] [sssd PR#5262][comment] DN with white spaces

2020-08-27 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5262
Title: #5262: DN with white spaces

sumit-bose commented:
"""
> > I was thinking if this issue can be avoided in general by using the DN from 
> > the member attribute as well when adding the user to the hash table and 
> > came up with https://github.com/sumit-bose/sssd/commits/ghost_hash_dn. Can 
> > you check if this will make the group lookup work as well when you 
> > replace your 'CACHE: trim spaces in DN before hash lookup' and 'CACHE: use 
> > talloc_pool to avoid malloc' with this patch?
> > bye,
> > Sumit
> 
> Tested, works well

Thanks, @alexey-tikhonov, which solution would you prefer?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5262#issuecomment-681917021
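The mismatch discussed in this PR#5262 thread, as an added example that is not SSSD's own code: two DN strings that differ only in ignorable whitespace are different hash-table keys unless both sides are normalized with the same function (the "trim" approach; the alternative in the PR keys the table on the member DN string itself). The sample DNs and the function names are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not SSSD code: a raw DN string is a fragile hash key.
 * RFC 4514 allows unescaped spaces around ',' and '=', so the two DNs in
 * main() name the same entry yet differ byte-wise. Trimming both the stored
 * key and the lookup key with one function (the "trim" approach in the
 * thread) fixes that; the PR's alternative keys the table on the member DN. */
/* Copy 'dn' into 'out' with unescaped spaces adjacent to ',' or '=' removed.
 * Escaped pairs such as "\ " or "\," are part of an attribute value and are
 * copied verbatim. Returns false if 'out' cannot hold the result. */
bool dn_trim_spaces(const char *dn, char *out, size_t outlen)
{
    size_t o = 0, esc_end = 0; /* bytes written; end of last escaped pair */
    if (outlen == 0) return false;
    while (*dn != '\0') {
        if (*dn == '\\' && dn[1] != '\0') {
            if (o + 2 >= outlen) return false;
            out[o++] = dn[0];
            out[o++] = dn[1];
            esc_end = o;           /* never strip an escaped space */
            dn += 2;
            continue;
        }
        if (*dn == ',' || *dn == '=') {
            while (o > esc_end && out[o - 1] == ' ') o--;  /* before */
            if (o + 1 >= outlen) return false;
            out[o++] = *dn++;
            while (*dn == ' ') dn++;                       /* after */
            continue;
        }
        if (o + 1 >= outlen) return false;
        out[o++] = *dn++;
    }
    out[o] = '\0';
    return true;
}

/* Compare two DNs the way a DN-keyed hash table should: after trimming. */
bool dn_key_equal(const char *a, const char *b)
{
    char ka[512], kb[512];
    return dn_trim_spaces(a, ka, sizeof(ka)) && dn_trim_spaces(b, kb, sizeof(kb))
           && strcmp(ka, kb) == 0;
}

int main(void)
{
    const char *member = "cn=alice, ou=People, dc=example,dc=com"; /* constructed */
    const char *entry  = "cn=alice,ou=People,dc=example,dc=com";   /* constructed */
    printf("raw strcmp equal: %d\n", strcmp(member, entry) == 0);
    printf("trimmed equal:    %d\n", dn_key_equal(member, entry));
    return 0;
}
```

The function only canonicalizes whitespace; attribute-type case and escape-sequence normalization are out of scope here.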


[SSSD] [sssd PR#5283][comment] Add dyndns_auth_ptr support

2020-08-27 Thread joakim-tjernlund
  URL: https://github.com/SSSD/sssd/pull/5283
Title: #5283: Add dyndns_auth_ptr support

joakim-tjernlund commented:
"""
@sumit-bose , could you have a look at this PR?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5283#issuecomment-681910420


[SSSD] [sssd PR#5246][-Accepted] Drop support of libnss as a crypto backend

2020-08-27 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5246
Title: #5246: Drop support of libnss as a crypto backend

Label: -Accepted


[SSSD] [sssd PR#5246][+Pushed] Drop support of libnss as a crypto backend

2020-08-27 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5246
Title: #5246: Drop support of libnss as a crypto backend

Label: +Pushed


[SSSD] [sssd PR#5246][comment] Drop support of libnss as a crypto backend

2020-08-27 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5246
Title: #5246: Drop support of libnss as a crypto backend

pbrezina commented:
"""
Pushed PR: https://github.com/SSSD/sssd/pull/5246

* `master`
* a2911482a00dfad79e5f69d42d7e882fc0c717af - Get rid of "NSS DB" references.
* 266ecc083d5fe9f576b7932a80ecb014d2d25311 - Drop support of libnss as a 
crypto backend

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5246#issuecomment-681906191


[SSSD] [sssd PR#5289][+Pushed] build: Don't use AC_CHECK_FILE when building manpages

2020-08-27 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5289
Title: #5289: build: Don't use AC_CHECK_FILE when building manpages

Label: +Pushed


[SSSD] [sssd PR#5289][-Accepted] build: Don't use AC_CHECK_FILE when building manpages

2020-08-27 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5289
Title: #5289: build: Don't use AC_CHECK_FILE when building manpages

Label: -Accepted


[SSSD] [sssd PR#5289][comment] build: Don't use AC_CHECK_FILE when building manpages

2020-08-27 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5289
Title: #5289: build: Don't use AC_CHECK_FILE when building manpages

pbrezina commented:
"""
Pushed PR: https://github.com/SSSD/sssd/pull/5289

* `master`
* 2b73285ef603389926ea578b901d3f9013c57fa9 - build: Don't use AC_CHECK_FILE 
when building manpages

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5289#issuecomment-681905340


[SSSD] [sssd PR#5289][-Ready to push] build: Don't use AC_CHECK_FILE when building manpages

2020-08-27 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5289
Title: #5289: build: Don't use AC_CHECK_FILE when building manpages

Label: -Ready to push


[SSSD] [sssd PR#5289][closed] build: Don't use AC_CHECK_FILE when building manpages

2020-08-27 Thread pbrezina
   URL: https://github.com/SSSD/sssd/pull/5289
Author: jonte
 Title: #5289: build: Don't use AC_CHECK_FILE when building manpages
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5289/head:pr5289
git checkout pr5289


[SSSD] [sssd PR#5289][+Ready to push] build: Don't use AC_CHECK_FILE when building manpages

2020-08-27 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5289
Title: #5289: build: Don't use AC_CHECK_FILE when building manpages

Label: +Ready to push


[SSSD] [sssd PR#5302][opened] conf: disable python2 bindings by default

2020-08-27 Thread pbrezina
   URL: https://github.com/SSSD/sssd/pull/5302
Author: pbrezina
 Title: #5302: conf: disable python2 bindings by default
Action: opened

PR body:
"""
Python2 is being fully replaced by Python3 on modern distros so
there is no need to build the bindings by default. We haven't even
shipped python2 packages in Fedora for quite some time now.

Keeping this on by default requires using --without-python2-bindings
on modern distributions where python2 is not installed by default.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5302/head:pr5302
git checkout pr5302
From edf498afbb2a8e9652392008aa3e198b6772ad77 Mon Sep 17 00:00:00 2001
From: Pavel Březina
Date: Thu, 27 Aug 2020 13:55:14 +0200
Subject: [PATCH] conf: disable python2 bindings by default

Python2 is being fully replaced by Python3 on modern distros so
there is no need to build the bindings by default. We haven't even
shipped python2 packages in Fedora for quite some time now.

Keeping this on by default requires using --without-python2-bindings
on modern distributions where python2 is not installed by default.
---
 src/conf_macros.m4 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index fa12a38a75..ec41ad9916 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -377,10 +377,10 @@ AC_DEFUN([WITH_KRB5_CONF],
 AC_DEFUN([WITH_PYTHON2_BINDINGS],
   [ AC_ARG_WITH([python2-bindings],
 [AC_HELP_STRING([--with-python2-bindings],
-[Whether to build python2 bindings [yes]])
+[Whether to build python2 bindings [no]])
 ],
 [],
-[with_python2_bindings=yes]
+[with_python2_bindings=no]
)
 if test x"$with_python2_bindings" = xyes; then
 AC_SUBST([HAVE_PYTHON2_BINDINGS], [yes])
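Review bot: flipping the default to `[with_python2_bindings=no]` silently changes what a plain `./configure` produces; anyone still shipping the python2 bindings must now pass `--with-python2-bindings` explicitly, which is worth stating in the commit message next to the `--without-python2-bindings` remark. The help text `[Whether to build python2 bindings [no]]` is updated in step with the new default, so the hunk is internally consistent; as a style point, `AC_HELP_STRING` is the deprecated spelling and `AS_HELP_STRING` is the current macro if this block is touched again.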


[SSSD] [sssd PR#5253][+Changes requested] libdirsrv should be modified to be compatible with new DS

2020-08-27 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5253
Title: #5253: libdirsrv should be modified to be compatible with new DS

Label: +Changes requested


[SSSD] [sssd PR#5241][comment] GPO: respect ad_gpo_implicit_deny when evaluation rules

2020-08-27 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5241
Title: #5241: GPO: respect ad_gpo_implicit_deny when evaluation rules

sumit-bose commented:
"""
> Can you add this overview to man pages? I think this would be helpful.

sure, please check the latest version.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5241#issuecomment-681866437


[SSSD] [sssd PR#5241][synchronized] GPO: respect ad_gpo_implicit_deny when evaluation rules

2020-08-27 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/5241
Author: sumit-bose
 Title: #5241: GPO: respect ad_gpo_implicit_deny when evaluation rules
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5241/head:pr5241
git checkout pr5241
From 20b8905a5ac201995a6cc35198add6d942ff86d6 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 10 Jul 2020 15:30:29 +0200
Subject: [PATCH] GPO: respect ad_gpo_implicit_deny when evaluation rules

Currently, if ad_gpo_implicit_deny is set to 'True', access is rejected if
no GPOs apply to the host, since in this case there are obviously no
allow rules available.

But according to the man page we have to be stricter: "When this
option is set to True users will be allowed access only when explicitly
allowed by a GPO rule". So if GPOs apply and no allow rules are present
we have to reject access as well.

Resolves: https://github.com/SSSD/sssd/issues/5061
---
 src/man/sssd-ad.5.xml | 59 +++
 src/providers/ad/ad_gpo.c | 13 +++--
 2 files changed, 69 insertions(+), 3 deletions(-)

diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 5c2f465462..fbd4985d7a 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -477,9 +477,68 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
 built-in Administrators group if no GPO rules
 apply to them.
 
+
 
 Default: False
 
+
+
+The following 2 tables should illustrate when a user
+is allowed or rejected based on the allow and deny
+login rights defined on the server-side and the
+setting of ad_gpo_implicit_deny.
+
+
+
+
+
+
+
+
+ad_gpo_implicit_deny = False (default)
+allow-rulesdeny-rules
+results
+
+
+missingmissing
+all users are allowed
+
+missingpresent
+only users not in deny-rules are
+allowed
+presentmissing
+only users in allow-rules are
+allowed
+presentpresent
+only users in allow-rules and not in
+deny-rules are allowed
+
+
+
+
+
+
+
+
+
+ad_gpo_implicit_deny = True
+allow-rulesdeny-rules
+results
+
+
+missingmissing
+no users are allowed
+
+missingpresent
+no users are allowed
+
+presentmissing
+only users in allow-rules are
+allowed
+presentpresent
+only users in allow-rules and not in
+deny-rules are allowed
+
 
 
 
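Review bot: in the new paragraph, "The following 2 tables should illustrate when a user is allowed or rejected" reads better as "The following two tables illustrate whether a user is allowed or rejected". The table contents match the stricter reading of the option: with ad_gpo_implicit_deny = True, both the "missing/missing" and "missing/present" rows yield "no users are allowed", which is the fail-closed behaviour the commit message describes. The XML table markup does not survive in this mail (only the cell text is visible), so the rendered layout should be checked in the generated man page.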
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 2c6aa7fa63..0cf5da2a15 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1531,6 +1531,7 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx,
 enum gpo_access_control_mode gpo_mode,
 enum gpo_map_type gpo_map_type,
 const char *user,
+bool gpo_implicit_deny,
 struct sss_domain_info *domain,
 char **allowed_sids,
 int allowed_size,
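Review bot: `bool gpo_implicit_deny` is inserted in the middle of the `ad_gpo_access_check()` parameter list, between `user` and `domain`, so every caller must be updated in the same change; the later hunk in `ad_gpo_perform_hbac_processing()` is where that appears to start, and it is worth confirming no other call site still passes the old argument list, which would otherwise only surface as a compile error.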
@@ -1575,7 +1576,7 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx,
   group_sids[j]);
 }
 
-if (allowed_size == 0) {
+if (allowed_size == 0 && !gpo_implicit_deny) {
 access_granted = true;
 }  else {
 access_granted = check_rights(allowed_sids, allowed_size, user_sid,
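Review bot: with the new condition `if (allowed_size == 0 && !gpo_implicit_deny)`, the implicit-deny case with no allow rules falls through to `check_rights(allowed_sids, allowed_size, ...)` with an empty list, so the deny outcome relies on `check_rights()` returning false for zero entries rather than being stated explicitly. A dedicated `else if (allowed_size == 0)` branch that sets `access_granted = false` and emits a DEBUG message would make the fail-closed path obvious in the code and give administrators a log line explaining why a user was rejected when implicit deny is enabled.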
@@ -1694,6 +1695,7 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx,
enum gpo_access_control_mode gpo_mode,
enum gpo_map_type