New upstream release 1.5.2
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 Fixes for support of FreeIPA v2 Fixes for failover if DNS entries change Improved sss_obfuscate tool with better interactive mode Fix several crash bugs Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this Delete users from the local cache if initgroups calls return 'no such user' (previously only worked for getpwnam/getpwuid) Use new Transifex.net translations Better support for automatic TGT renewal (now survives restart) Netgroup fixes
This commit is contained in:
parent
b28cafe61b
commit
3b364490a6
@ -1,73 +0,0 @@
|
||||
From 979943195da209bdc28efd5e90a19f888f4b88ed Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||
Date: Mon, 31 Jan 2011 13:00:56 -0500
|
||||
Subject: [PATCH] Sanitize search filters for nested group lookups
|
||||
|
||||
---
|
||||
src/providers/ldap/sdap_async_accounts.c | 20 +++++++++++++++++---
|
||||
1 files changed, 17 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c
|
||||
index 648f9a734eca60401c07d2b0d0fa432751c9ab73..5b6d3d74ac1496fe6a4266c327d0111e12e24b64 100644
|
||||
--- a/src/providers/ldap/sdap_async_accounts.c
|
||||
+++ b/src/providers/ldap/sdap_async_accounts.c
|
||||
@@ -3409,6 +3409,7 @@ errno_t save_rfc2307bis_user_memberships(
|
||||
{
|
||||
errno_t ret, tret;
|
||||
char *member_dn;
|
||||
+ char *sanitized_dn;
|
||||
char *filter;
|
||||
const char **attrs;
|
||||
size_t reply_count, i;
|
||||
@@ -3447,12 +3448,18 @@ errno_t save_rfc2307bis_user_memberships(
|
||||
ret = ENOMEM;
|
||||
goto error;
|
||||
}
|
||||
+ ret = sss_filter_sanitize(tmp_ctx, member_dn, &sanitized_dn);
|
||||
+ if (ret != EOK) {
|
||||
+ goto error;
|
||||
+ }
|
||||
+ talloc_free(member_dn);
|
||||
|
||||
- filter = talloc_asprintf(tmp_ctx, "(member=%s)", member_dn);
|
||||
+ filter = talloc_asprintf(tmp_ctx, "(member=%s)", sanitized_dn);
|
||||
if (!filter) {
|
||||
ret = ENOMEM;
|
||||
goto error;
|
||||
}
|
||||
+ talloc_free(sanitized_dn);
|
||||
|
||||
ret = sysdb_search_groups(tmp_ctx, state->sysdb, state->dom,
|
||||
filter, attrs, &reply_count, &replies);
|
||||
@@ -3874,6 +3881,7 @@ static errno_t rfc2307bis_nested_groups_update_sysdb(
|
||||
const char *name;
|
||||
bool in_transaction = false;
|
||||
char *member_dn;
|
||||
+ char *sanitized_dn;
|
||||
char *filter;
|
||||
const char **attrs;
|
||||
size_t reply_count, i;
|
||||
@@ -3918,12 +3926,18 @@ static errno_t rfc2307bis_nested_groups_update_sysdb(
|
||||
goto error;
|
||||
}
|
||||
|
||||
- filter = talloc_asprintf(tmp_ctx, "(member=%s)", member_dn);
|
||||
+ ret = sss_filter_sanitize(tmp_ctx, member_dn, &sanitized_dn);
|
||||
+ if (ret != EOK) {
|
||||
+ goto error;
|
||||
+ }
|
||||
+ talloc_free(member_dn);
|
||||
+
|
||||
+ filter = talloc_asprintf(tmp_ctx, "(member=%s)", sanitized_dn);
|
||||
if (!filter) {
|
||||
ret = ENOMEM;
|
||||
goto error;
|
||||
}
|
||||
- talloc_free(member_dn);
|
||||
+ talloc_free(sanitized_dn);
|
||||
|
||||
ret = sysdb_search_groups(tmp_ctx, state->sysdb, state->dom,
|
||||
filter, attrs,
|
||||
--
|
||||
1.7.3.5
|
||||
|
@ -1,36 +0,0 @@
|
||||
From e7c95d693f4694f64790c3105550c141e94c5b45 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||
Date: Thu, 17 Feb 2011 14:33:50 -0500
|
||||
Subject: [PATCH 4/6] Remove cached user entry if initgroups returns ENOENT
|
||||
|
||||
This behavior was present for getpwnam() but was lacking for
|
||||
initgroups.
|
||||
---
|
||||
src/providers/ldap/ldap_id.c | 11 +++++++++++
|
||||
1 files changed, 11 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
|
||||
index 09f0026b00cda442f90e07e30e0d083a53206d85..9a234280082f7396eda4307e9e4bb4bd63b5615c 100644
|
||||
--- a/src/providers/ldap/ldap_id.c
|
||||
+++ b/src/providers/ldap/ldap_id.c
|
||||
@@ -631,6 +631,17 @@ static void groups_by_user_done(struct tevent_req *subreq)
|
||||
return;
|
||||
}
|
||||
|
||||
+ if (ret == ENOENT) {
|
||||
+ ret = sysdb_delete_user(state,
|
||||
+ state->ctx->be->sysdb,
|
||||
+ state->ctx->be->domain,
|
||||
+ state->name, 0);
|
||||
+ if (ret != EOK && ret != ENOENT) {
|
||||
+ tevent_req_error(req, ret);
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
state->dp_error = DP_ERR_OK;
|
||||
tevent_req_done(req);
|
||||
}
|
||||
--
|
||||
1.7.4
|
||||
|
@ -1,39 +0,0 @@
|
||||
From 4ef3fd7c5d0defbc1e2fca745853f0d292201f28 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||
Date: Fri, 18 Feb 2011 09:33:42 -0500
|
||||
Subject: [PATCH 5/6] Perform initgroups lookups for all domains
|
||||
|
||||
Previously, we were setting the client context PAM lookup timeout
|
||||
after the first domain replied. However, if the user wasn't a
|
||||
member of the first domain, their information wasn't being
|
||||
updated.
|
||||
|
||||
This patch ensures that we only set this timeout after the user
|
||||
has been found or all domains were searched.
|
||||
---
|
||||
src/responder/pam/pamsrv_cmd.c | 8 +++++---
|
||||
1 files changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index 79993d3366073c75f1873ee8176eb4a70f2a383d..8035a687846fa6f4305fe129d1ec87d3291a7fc8 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -952,10 +952,12 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
|
||||
(unsigned int)err_maj, (unsigned int)err_min, err_msg));
|
||||
}
|
||||
|
||||
- /* Make sure we don't go to the ID provider too often */
|
||||
- preq->cctx->pam_timeout = time(NULL) + pctx->id_timeout;
|
||||
-
|
||||
ret = pam_check_user_search(preq);
|
||||
+ if (ret == EOK || ret == ENOENT) {
|
||||
+ /* Make sure we don't go to the ID provider too often */
|
||||
+ preq->cctx->pam_timeout = time(NULL) + pctx->id_timeout;
|
||||
+ }
|
||||
+
|
||||
if (ret == EOK) {
|
||||
pam_dom_forwarder(preq);
|
||||
}
|
||||
--
|
||||
1.7.4
|
||||
|
@ -1,168 +0,0 @@
|
||||
From 9ffe746a46b299162c31a3864cb5db8b8518a569 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||
Date: Fri, 18 Feb 2011 16:23:15 -0500
|
||||
Subject: [PATCH 6/6] IPA provider: remove deleted groups during initgroups()
|
||||
|
||||
The IPA provider was not properly removing groups in the cache
|
||||
that the user was no longer a member of.
|
||||
|
||||
https://fedorahosted.org/sssd/ticket/803
|
||||
---
|
||||
src/providers/ldap/sdap_async_accounts.c | 115 +++++++++++++++++++++++++++++-
|
||||
1 files changed, 112 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c
|
||||
index 5b6d3d74ac1496fe6a4266c327d0111e12e24b64..8e459598674d589c0cdfcece125c183f7c95bb4d 100644
|
||||
--- a/src/providers/ldap/sdap_async_accounts.c
|
||||
+++ b/src/providers/ldap/sdap_async_accounts.c
|
||||
@@ -2161,6 +2161,8 @@ struct sdap_initgr_nested_state {
|
||||
struct sss_domain_info *dom;
|
||||
struct sdap_handle *sh;
|
||||
|
||||
+ const char *username;
|
||||
+
|
||||
const char **grp_attrs;
|
||||
|
||||
char *filter;
|
||||
@@ -2188,7 +2190,8 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
|
||||
struct tevent_req *req, *subreq;
|
||||
struct sdap_initgr_nested_state *state;
|
||||
struct ldb_message_element *el;
|
||||
- int i, ret;
|
||||
+ int i;
|
||||
+ errno_t ret;
|
||||
|
||||
req = tevent_req_create(memctx, &state, struct sdap_initgr_nested_state);
|
||||
if (!req) return NULL;
|
||||
@@ -2201,6 +2204,13 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
|
||||
state->grp_attrs = grp_attrs;
|
||||
state->op = NULL;
|
||||
|
||||
+ ret = sysdb_attrs_get_string(user, SYSDB_NAME, &state->username);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(1, ("User entry had no username\n"));
|
||||
+ talloc_free(req);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
state->filter = talloc_asprintf(state, "(objectclass=%s)",
|
||||
opts->group_map[SDAP_OC_GROUP].name);
|
||||
if (!state->filter) {
|
||||
@@ -2311,13 +2321,112 @@ static void sdap_initgr_nested_search(struct tevent_req *subreq)
|
||||
static void sdap_initgr_nested_store(struct tevent_req *req)
|
||||
{
|
||||
struct sdap_initgr_nested_state *state;
|
||||
- int ret;
|
||||
+ errno_t ret, sret;
|
||||
+ const char *attrs[] = { SYSDB_MEMBEROF, NULL };
|
||||
+ struct ldb_message *msg;
|
||||
+ struct ldb_message_element *groups;
|
||||
+ char **sysdb_grouplist = NULL;
|
||||
+ char **ldap_grouplist = NULL;
|
||||
+ char **del_groups;
|
||||
+ size_t i, count;
|
||||
|
||||
state = tevent_req_data(req, struct sdap_initgr_nested_state);
|
||||
|
||||
+ ret = sysdb_transaction_start(state->sysdb);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(1, ("Could not create sysdb transaction\n"));
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
ret = sdap_save_groups(state, state->sysdb, state->dom, state->opts,
|
||||
state->groups, state->groups_cur, false, NULL);
|
||||
- if (ret) {
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* Get the list of groups this user belongs to */
|
||||
+ ret = sysdb_search_user_by_name(state, state->sysdb, state->dom,
|
||||
+ state->username, attrs,
|
||||
+ &msg);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ groups = ldb_msg_find_element(msg, SYSDB_MEMBEROF);
|
||||
+ if (!groups || groups->num_values == 0) {
|
||||
+ /* No groups for this user in sysdb currently, so
|
||||
+ * nothing to delete.
|
||||
+ */
|
||||
+ ret = EOK;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ sysdb_grouplist = talloc_array(state, char *, groups->num_values+1);
|
||||
+ if (!sysdb_grouplist) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* Get a list of the groups by name */
|
||||
+ for (i = 0; i < groups->num_values; i++) {
|
||||
+ ret = sysdb_group_dn_name(state->sysdb,
|
||||
+ sysdb_grouplist,
|
||||
+ (const char *)groups->values[i].data,
|
||||
+ &sysdb_grouplist[i]);
|
||||
+ if (ret != EOK) goto done;
|
||||
+ }
|
||||
+ sysdb_grouplist[groups->num_values] = NULL;
|
||||
+
|
||||
+ count = 0;
|
||||
+ while (state->group_dns[count]) count++;
|
||||
+
|
||||
+ ldap_grouplist = talloc_array(state, char *, count+1);
|
||||
+ if (!ldap_grouplist) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < count; i++) {
|
||||
+ ret = sysdb_group_dn_name(state->sysdb,
|
||||
+ ldap_grouplist,
|
||||
+ state->group_dns[i],
|
||||
+ &ldap_grouplist[i]);
|
||||
+ if (ret != EOK) goto done;
|
||||
+ }
|
||||
+ ldap_grouplist[count] = NULL;
|
||||
+
|
||||
+ /* Find the differences between the sysdb and LDAP lists
|
||||
+ * Groups in the sysdb only must be removed.
|
||||
+ */
|
||||
+ ret = diff_string_lists(state, ldap_grouplist, sysdb_grouplist,
|
||||
+ NULL, &del_groups, NULL);
|
||||
+ if (ret != EOK) goto done;
|
||||
+
|
||||
+ if (!del_groups || !del_groups[0]) {
|
||||
+ /* No groups to delete */
|
||||
+ ret = EOK;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_update_members(state->sysdb, state->dom, state->username,
|
||||
+ SYSDB_MEMBER_USER, NULL,
|
||||
+ (const char *const *)del_groups);
|
||||
+
|
||||
+done:
|
||||
+ if (ret == EOK) {
|
||||
+ ret = sysdb_transaction_commit(state->sysdb);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(1, ("Could not commit transaction! [%d][%s]\n",
|
||||
+ ret, strerror(ret)));
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (ret != EOK) {
|
||||
+ sret = sysdb_transaction_cancel(state->sysdb);
|
||||
+ if (sret != EOK) {
|
||||
+ DEBUG(0, ("Unable to cancel transaction! [%d][%s]\n",
|
||||
+ sret, strerror(sret)));
|
||||
+ }
|
||||
tevent_req_error(req, ret);
|
||||
return;
|
||||
}
|
||||
--
|
||||
1.7.4
|
||||
|
35
sssd.spec
35
sssd.spec
@ -4,8 +4,8 @@
|
||||
%endif
|
||||
|
||||
Name: sssd
|
||||
Version: 1.5.1
|
||||
Release: 9%{?dist}
|
||||
Version: 1.5.2
|
||||
Release: 1%{?dist}
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
@ -14,12 +14,8 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
|
||||
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||
|
||||
### Patches ###
|
||||
Patch0001: 0001-Sanitize-search-filters-for-nested-group-lookups.patch
|
||||
Patch0002: 0002-Fix-module-registration-with-newer-LDB-libraries.patch
|
||||
Patch0003: 0003-Make-make-check-look-nice-again.patch
|
||||
Patch0004: 0004-Remove-cached-user-entry-if-initgroups-returns-ENOEN.patch
|
||||
Patch0005: 0005-Perform-initgroups-lookups-for-all-domains.patch
|
||||
Patch0006: 0006-IPA-provider-remove-deleted-groups-during-initgroups.patch
|
||||
Patch1001: FED01-Fix-module-registration-with-newer-LDB-libraries.patch
|
||||
Patch1002: FED02-Make-make-check-look-nice-again.patch
|
||||
|
||||
### Dependencies ###
|
||||
|
||||
@ -116,12 +112,8 @@ use with ldap_default_authtok_type = obfuscated_password.
|
||||
%prep
|
||||
%setup -q
|
||||
|
||||
%patch0001 -p1
|
||||
%patch0002 -p1
|
||||
%patch0003 -p1
|
||||
%patch0004 -p1
|
||||
%patch0005 -p1
|
||||
%patch0006 -p1
|
||||
%patch1001 -p1
|
||||
%patch1002 -p1
|
||||
|
||||
%build
|
||||
autoreconf -ivf
|
||||
@ -282,11 +274,24 @@ fi
|
||||
%postun client -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Thu Mar 10 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.2-1
|
||||
- New upstream release 1.5.2
|
||||
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2
|
||||
- Fixes for support of FreeIPA v2
|
||||
- Fixes for failover if DNS entries change
|
||||
- Improved sss_obfuscate tool with better interactive mode
|
||||
- Fix several crash bugs
|
||||
- Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this
|
||||
- Delete users from the local cache if initgroups calls return 'no such user'
|
||||
- (previously only worked for getpwnam/getpwuid)
|
||||
- Use new Transifex.net translations
|
||||
- Better support for automatic TGT renewal (now survives restart)
|
||||
- Netgroup fixes
|
||||
|
||||
* Sun Feb 27 2011 Simo Sorce <ssorce@redhat.com> - 1.5.1-9
|
||||
- Rebuild sssd against libldb 1.0.2 so the memberof module loads again.
|
||||
- Related: rhbz#677425
|
||||
|
||||
|
||||
* Mon Feb 21 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.1-8
|
||||
- Resolves: rhbz#677768 - name service caches names, so id command shows
|
||||
- recently deleted users
|
||||
|
Loading…
Reference in New Issue
Block a user