[SSSD] [sssd PR#5262][comment] DN with white spaces
URL: https://github.com/SSSD/sssd/pull/5262 Title: #5262: DN with white spaces alexey-tikhonov commented: """ > Thanks, @alexey-tikhonov, which solution would you prefer? If I understood correctly, your approach is to use the same DN string as a table key everywhere instead of attempt to unify (transform to single state) two DN strings (with help of trimming/sanitization). If I got it right, then in general I like your approach more. But I must admit I don't understand sdap* code well enough to: - verify if you spotted all the places where this "new" attribute (SYSDB_DN_FOR_MEMBER_HASH_TABLE) must be stored/updated and read to be used as a key; - to estimate performance hit (shouldn't be dramatic though, because it's just one additional attr to store, and should have no impact during lookup; but I can't compare performance-wise with Tomas' patch). """ See the full comment at https://github.com/SSSD/sssd/pull/5262#issuecomment-682111564 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
[SSSD] [sssd PR#5302][comment] conf: disable python2 bindings by default
URL: https://github.com/SSSD/sssd/pull/5302 Title: #5302: conf: disable python2 bindings by default ikerexxe commented: """ LGTM """ See the full comment at https://github.com/SSSD/sssd/pull/5302#issuecomment-681972285
[SSSD] [sssd PR#5262][comment] DN with white spaces
URL: https://github.com/SSSD/sssd/pull/5262 Title: #5262: DN with white spaces sumit-bose commented: """ > > I was thinking if this issue can be avoided in general by using the DN from > > the member attribute as well when adding the user to the hash table and > > came up with https://github.com/sumit-bose/sssd/commits/ghost_hash_dn. Can > > you check if this will make the group lookup worked as well when you > > replace your 'CACHE: trim spaces in DN before hash lookup' and 'CACHE: use > > talloc_pool to avoid malloc' with this patch? > > bye, > > Sumit > > Tested, works well Thanks, @alexey-tikhonov, which solution would you prefer? """ See the full comment at https://github.com/SSSD/sssd/pull/5262#issuecomment-681917021
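The problem this thread is about, as an added illustration that is not SSSD code and not either of the patches under discussion: two strings naming the same entry but differing only in white space around the RDN separators are different hash-table keys unless the key is normalised first, which is what a "trim spaces in DN before hash lookup" approach does. The alternative Sumit describes, keying the table on the DN taken from the member attribute on both the insert and the lookup side, avoids the normalisation step entirely. The helper names dn_normalize, dn_key_hash, dn_keys_match and dn_normalized_equal, the FNV-1a hash used as a stand-in for the real table hash, and the sample DNs are all made up for this example.

```c
/* Added illustration of the white-space-in-DN problem; not SSSD code.
 * dn_normalize, dn_key_hash, dn_keys_match, dn_normalized_equal and the
 * sample DNs are hypothetical names and constructed inputs. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static bool dn_is_sep(char c) { return c == ',' || c == '='; }

/* Write a normalised copy of `dn` into `out`: white space next to an
 * unescaped ',' or '=' and at both ends is dropped, runs of white space
 * inside a value collapse to one space, and backslash escapes are copied
 * through untouched (so "\," inside a value stays a value character).
 * Returns the output length, or 0 if `out` is too small or `dn` is empty. */
size_t dn_normalize(const char *dn, char *out, size_t out_len)
{
    size_t o = 0;
    bool escaped = false;       /* previous char was an unescaped backslash */
    bool pending_space = false; /* white space seen since the last emitted char */
    bool last_sep = false;      /* last emitted char was an unescaped ',' or '=' */

#define EMIT(ch) do { if (o + 1 >= out_len) return 0; out[o++] = (ch); } while (0)

    for (const char *p = dn; *p != '\0'; p++) {
        char c = *p;
        if (escaped) {                  /* literal char after '\', keep as is */
            EMIT(c);
            escaped = false;
            last_sep = false;
            continue;
        }
        if (isspace((unsigned char)c)) {
            pending_space = true;       /* decide later whether it survives */
            continue;
        }
        if (dn_is_sep(c)) {             /* space before a separator is dropped */
            EMIT(c);
            pending_space = false;
            last_sep = true;
            continue;
        }
        /* value character: keep one space only if it was inside a value,
         * never at the start of the DN or right after a separator */
        if (pending_space && o > 0 && !last_sep) {
            EMIT(' ');
        }
        pending_space = false;
        last_sep = false;
        if (c == '\\') {
            escaped = true;
        }
        EMIT(c);
    }
#undef EMIT
    out[o] = '\0';
    return o;
}

/* FNV-1a over the key bytes: a stand-in for whatever the real table uses.
 * Any byte-exact hash has the same problem with stray spaces. */
uint32_t dn_key_hash(const char *key)
{
    uint32_t h = 2166136261u;
    for (const unsigned char *p = (const unsigned char *)key; *p != '\0'; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    return h;
}

/* True when both DNs normalise to the same key (hash and bytes). */
bool dn_keys_match(const char *a, const char *b)
{
    char ka[512], kb[512];
    if (dn_normalize(a, ka, sizeof ka) == 0 || dn_normalize(b, kb, sizeof kb) == 0) {
        return false;
    }
    return dn_key_hash(ka) == dn_key_hash(kb) && strcmp(ka, kb) == 0;
}

/* True when `dn` normalises exactly to `expected`. */
bool dn_normalized_equal(const char *dn, const char *expected)
{
    char key[512];
    if (dn_normalize(dn, key, sizeof key) == 0) {
        return false;
    }
    return strcmp(key, expected) == 0;
}

int main(void)
{
    /* constructed: the DN as stored from the user entry, and the DN as
     * written in the group's member attribute with extra white space */
    const char *stored = "cn=alice,ou=People,dc=example,dc=com";
    const char *member = "cn=alice , ou=People,dc=example, dc=com";

    printf("raw keys equal:        %s\n", strcmp(stored, member) == 0 ? "yes" : "no");
    printf("raw hashes equal:      %s\n",
           dn_key_hash(stored) == dn_key_hash(member) ? "yes" : "no");
    printf("normalised keys equal: %s\n", dn_keys_match(stored, member) ? "yes" : "no");
    return 0;
}
```

The normalisation here is deliberately narrow: it only touches white space, so escaped separators and case differences are left alone, and a table that normalises on insert but not on lookup (or the other way round) still misses. That is the bookkeeping burden the thread's other approach, using one and the same DN string as the key on both sides, removes.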
[SSSD] [sssd PR#5283][comment] Add dyndns_auth_ptr support
URL: https://github.com/SSSD/sssd/pull/5283 Title: #5283: Add dyndns_auth_ptr support joakim-tjernlund commented: """ @sumit-bose , could you have a look at this PR? """ See the full comment at https://github.com/SSSD/sssd/pull/5283#issuecomment-681910420
[SSSD] [sssd PR#5246][-Accepted] Drop support of libnss as a crypto backend
URL: https://github.com/SSSD/sssd/pull/5246 Title: #5246: Drop support of libnss as a crypto backend Label: -Accepted
[SSSD] [sssd PR#5246][+Pushed] Drop support of libnss as a crypto backend
URL: https://github.com/SSSD/sssd/pull/5246 Title: #5246: Drop support of libnss as a crypto backend Label: +Pushed
[SSSD] [sssd PR#5246][comment] Drop support of libnss as a crypto backend
URL: https://github.com/SSSD/sssd/pull/5246 Title: #5246: Drop support of libnss as a crypto backend pbrezina commented: """ Pushed PR: https://github.com/SSSD/sssd/pull/5246 * `master` * a2911482a00dfad79e5f69d42d7e882fc0c717af - Get rid of "NSS DB" references. * 266ecc083d5fe9f576b7932a80ecb014d2d25311 - Drop support of libnss as a crypto backend """ See the full comment at https://github.com/SSSD/sssd/pull/5246#issuecomment-681906191
[SSSD] [sssd PR#5289][+Pushed] build: Don't use AC_CHECK_FILE when building manpages
URL: https://github.com/SSSD/sssd/pull/5289 Title: #5289: build: Don't use AC_CHECK_FILE when building manpages Label: +Pushed
[SSSD] [sssd PR#5289][-Accepted] build: Don't use AC_CHECK_FILE when building manpages
URL: https://github.com/SSSD/sssd/pull/5289 Title: #5289: build: Don't use AC_CHECK_FILE when building manpages Label: -Accepted
[SSSD] [sssd PR#5289][comment] build: Don't use AC_CHECK_FILE when building manpages
URL: https://github.com/SSSD/sssd/pull/5289 Title: #5289: build: Don't use AC_CHECK_FILE when building manpages pbrezina commented: """ Pushed PR: https://github.com/SSSD/sssd/pull/5289 * `master` * 2b73285ef603389926ea578b901d3f9013c57fa9 - build: Don't use AC_CHECK_FILE when building manpages """ See the full comment at https://github.com/SSSD/sssd/pull/5289#issuecomment-681905340
[SSSD] [sssd PR#5289][-Ready to push] build: Don't use AC_CHECK_FILE when building manpages
URL: https://github.com/SSSD/sssd/pull/5289 Title: #5289: build: Don't use AC_CHECK_FILE when building manpages Label: -Ready to push
[SSSD] [sssd PR#5289][closed] build: Don't use AC_CHECK_FILE when building manpages
URL: https://github.com/SSSD/sssd/pull/5289 Author: jonte Title: #5289: build: Don't use AC_CHECK_FILE when building manpages Action: closed To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5289/head:pr5289 git checkout pr5289
[SSSD] [sssd PR#5289][+Ready to push] build: Don't use AC_CHECK_FILE when building manpages
URL: https://github.com/SSSD/sssd/pull/5289 Title: #5289: build: Don't use AC_CHECK_FILE when building manpages Label: +Ready to push
[SSSD] [sssd PR#5302][opened] conf: disable python2 bindings by default
URL: https://github.com/SSSD/sssd/pull/5302 Author: pbrezina Title: #5302: conf: disable python2 bindings by default Action: opened PR body: """ Python2 is being fully replaced by Python3 on modern distros so there is no need to build the bindings by default. We even don't ship python2 packages in Fedora for quite some time now. Keeping this on by default requires using --without-python2-bindings on modern distributions where python2 is not installed by default. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5302/head:pr5302 git checkout pr5302 From edf498afbb2a8e9652392008aa3e198b6772ad77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Thu, 27 Aug 2020 13:55:14 +0200 Subject: [PATCH] conf: disable python2 bindings by default Python2 is being fully replaced by Python3 on modern distros so there is no need to build the bindings by default. We even don't ship python2 packages in Fedora for quite some time now. Keeping this on by default requires using --without-python2-bindings on modern distributions where python2 is not installed by default. --- src/conf_macros.m4 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/conf_macros.m4 b/src/conf_macros.m4 index fa12a38a75..ec41ad9916 100644 --- a/src/conf_macros.m4 +++ b/src/conf_macros.m4 
@@ -377,10 +377,10 @@ AC_DEFUN([WITH_KRB5_CONF], AC_DEFUN([WITH_PYTHON2_BINDINGS], [ AC_ARG_WITH([python2-bindings], [AC_HELP_STRING([--with-python2-bindings], -[Whether to build python2 bindings [yes]]) +[Whether to build python2 bindings [no]]) ], [], -[with_python2_bindings=yes] +[with_python2_bindings=no] ) if test x"$with_python2_bindings" = xyes; then AC_SUBST([HAVE_PYTHON2_BINDINGS], [yes]) ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
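Review bot: The default flip in this conf_macros.m4 hunk (`-[with_python2_bindings=yes]` to `+[with_python2_bindings=no]`) changes the result of a bare `./configure`, so any packaging script or CI job that still expects the python2 bindings to be built will need `--with-python2-bindings` added explicitly; the PR body only mentions the opposite case, so a line in the release notes about the new default would help downstreams. Minor: the touched help-string line still uses `AC_HELP_STRING`, which autoconf has deprecated in favour of `AS_HELP_STRING`; since the line is being edited anyway, switching the macro would silence that warning.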
[SSSD] [sssd PR#5253][+Changes requested] libdirsrv should be modified to be compatible with new DS
URL: https://github.com/SSSD/sssd/pull/5253 Title: #5253: libdirsrv should be modified to be compatible with new DS Label: +Changes requested
[SSSD] [sssd PR#5241][comment] GPO: respect ad_gpo_implicit_deny when evaluation rules
URL: https://github.com/SSSD/sssd/pull/5241 Title: #5241: GPO: respect ad_gpo_implicit_deny when evaluation rules sumit-bose commented: """ > Can you add this overview to man pages? I think this would be helpful. sure, please check the latest version. """ See the full comment at https://github.com/SSSD/sssd/pull/5241#issuecomment-681866437
[SSSD] [sssd PR#5241][synchronized] GPO: respect ad_gpo_implicit_deny when evaluation rules
URL: https://github.com/SSSD/sssd/pull/5241 Author: sumit-bose Title: #5241: GPO: respect ad_gpo_implicit_deny when evaluation rules Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5241/head:pr5241 git checkout pr5241 From 20b8905a5ac201995a6cc35198add6d942ff86d6 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 10 Jul 2020 15:30:29 +0200 Subject: [PATCH] GPO: respect ad_gpo_implicit_deny when evaluation rules Currently if setting ad_gpo_implicit_deny to 'True' is rejected access if no GPOs applied to the host since in this case there are obvious not allow rules available. But according to the man page we have to be more strict "When this option is set to True users will be allowed access only when explicitly allowed by a GPO rule". So if GPOs apply and no allow rules are present we have to reject access as well. Resolves: https://github.com/SSSD/sssd/issues/5061 --- src/man/sssd-ad.5.xml | 59 +++ src/providers/ad/ad_gpo.c | 13 +++-- 2 files changed, 69 insertions(+), 3 deletions(-) diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index 5c2f465462..fbd4985d7a 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml 
@@ -477,9 +477,68 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example, built-in Administrators group if no GPO rules apply to them. + Default: False + + +The following 2 tables should illustrate when a user +is allowed or rejected based on the allow and deny +login rights defined on the server-side and the +setting of ad_gpo_implicit_deny. + + + + + + + + +ad_gpo_implicit_deny = False (default) +allow-rulesdeny-rules +results + + +missingmissing +all users are allowed + +missingpresent +only users not in deny-rules are +allowed +presentmissing +only users in allow-rules are +allowed +presentpresent +only users in allow-rules and not in +deny-rules are allowed + + + + + + + + + +ad_gpo_implicit_deny = True +allow-rulesdeny-rules +results + + +missingmissing +no users are allowed + +missingpresent +no users are allowed + +presentmissing +only users in allow-rules are +allowed +presentpresent +only users in allow-rules and not in +deny-rules are allowed + diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c index 2c6aa7fa63..0cf5da2a15 100644 --- a/src/providers/ad/ad_gpo.c +++ b/src/providers/ad/ad_gpo.c @@ -1531,6 +1531,7 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx, enum gpo_access_control_mode gpo_mode, enum gpo_map_type gpo_map_type, const char *user, +bool gpo_implicit_deny, struct sss_domain_info *domain, char **allowed_sids, int allowed_size, @@ -1575,7 +1576,7 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx, group_sids[j]); } -if (allowed_size == 0) { +if (allowed_size == 0 && !gpo_implicit_deny) { access_granted = true; } else { access_granted = check_rights(allowed_sids, allowed_size, user_sid, @@ -1694,6 +1695,7 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx, enum gpo_access_control_mode gpo_mode, enum gpo_map_type
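Review bot: In the sssd-ad.5.xml hunk, "The following 2 tables should illustrate when a user is allowed or rejected" reads as tentative; "The following two tables show whether a user is allowed or rejected" states it plainly. The `ad_gpo_implicit_deny = True` table's second row (`missing` allow-rules, `present` deny-rules, "no users are allowed") is the row administrators will notice, because a GPO that only carries deny rules now locks everyone out rather than just the listed users; a one-sentence note below the table spelling that out, and pointing at the `False` table's "only users not in deny-rules are allowed" row as the contrast, would save support questions. The extraction here has also flattened the table markup (cells run together as `missingmissing`), so the column structure cannot be checked from the visible lines; please confirm the rendered man page lines the cells up.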
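Review bot: In the `@@ -1575,7 +1576,7 @@` hunk of ad_gpo.c, the new condition `if (allowed_size == 0 && !gpo_implicit_deny)` routes the implicit-deny case with no allow rules into the `else` branch, where `check_rights(allowed_sids, allowed_size, user_sid, ...)` is called with an empty allow list. That only produces a denial if `check_rights` treats a zero-length list as "not matched"; an explicit `else if (allowed_size == 0) { access_granted = false; }` with a DEBUG message saying that access was denied because ad_gpo_implicit_deny is set and no allow rules applied would make the intent obvious in the code and the reason visible in the logs when a user is unexpectedly rejected. The `@@ -1531,6 +1531,7 @@` hunk adds the `bool gpo_implicit_deny` parameter to `ad_gpo_access_check`, but the call that passes the option value sits in the truncated `@@ -1694,6 +1695,7 @@` hunk, so the visible lines do not show the value being threaded through from the configured option.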