Update to SSSD 1.5.4

Improve the way we detect the LDB plugin location

New upstream release 1.5.4
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4
Fixes for Active Directory when not all users and groups have POSIX attributes
Fixes for handling users and groups that have name aliases (aliases are ignored)
Fix group memberships after initgroups in the IPA provider
Stephen Gallagher 2011-03-24 15:17:41 -04:00
parent f6c362454d
commit 3eed4c3557
5 changed files with 19 additions and 220 deletions

.gitignore vendored

@ -6,3 +6,4 @@ sssd-1.2.91.tar.gz
/sssd-1.5.1.tar.gz
/sssd-1.5.2.tar.gz
/sssd-1.5.3.tar.gz
/sssd-1.5.4.tar.gz


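--- a/0001-Require-existence-of-GID-number-and-name-in-group-se.patch
+++ b/0001-Require-existence-of-GID-number-and-name-in-group-se.patch
@@ -1,150 +0,0 @@
-From 2c97299c19a71aa41eef3f3155c24347cf392615 Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Fri, 11 Mar 2011 05:06:48 -0500
-Subject: [PATCH 1/2] Require existence of GID number and name in group searches
-https://fedorahosted.org/sssd/ticket/824
----
-src/providers/ldap/ldap_id.c | 9 ++++++---
-src/providers/ldap/ldap_id_enum.c | 28 ++++++++++++++++------------
-src/providers/ldap/sdap_async_accounts.c | 30 ++++++++++++++++++++----------
-3 files changed, 42 insertions(+), 25 deletions(-)
-diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
-index 9a234280082f7396eda4307e9e4bb4bd63b5615c..776df1ac2d9e983a792fbba0f6773c082898708d 100644
---- a/src/providers/ldap/ldap_id.c
-+++ b/src/providers/ldap/ldap_id.c
-@@ -335,9 +335,12 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
-goto fail;
-}
-- state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
-- attr_name, clean_name,
-- ctx->opts->group_map[SDAP_OC_GROUP].name);
-+ state->filter =
-+ talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
-+ attr_name, clean_name,
-+ ctx->opts->group_map[SDAP_OC_GROUP].name,
-+ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
-+ ctx->opts->group_map[SDAP_AT_GROUP_GID].name);
-if (!state->filter) {
-DEBUG(2, ("Failed to build filter\n"));
-ret = ENOMEM;
-diff --git a/src/providers/ldap/ldap_id_enum.c b/src/providers/ldap/ldap_id_enum.c
-index f47ee9fbe170bae0058a682a3a051df21cfbc0d6..42c2911926602bfc2e3a33a0af837d6e809ee68b 100644
---- a/src/providers/ldap/ldap_id_enum.c
-+++ b/src/providers/ldap/ldap_id_enum.c
-@@ -546,19 +546,23 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx,
-state->op = op;
-if (ctx->srv_opts && ctx->srv_opts->max_group_value && !purge) {
-- state->filter = talloc_asprintf(state,
-- "(&(%s=*)(objectclass=%s)(%s>=%s)(!(%s=%s)))",
-- ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
-- ctx->opts->group_map[SDAP_OC_GROUP].name,
-- ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
-- ctx->srv_opts->max_group_value,
-- ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
-- ctx->srv_opts->max_group_value);
-+ state->filter = talloc_asprintf(
-+ state,
-+ "(&(objectclass=%s)(%s=*)(%s=*)(%s>=%s)(!(%s=%s)))",
-+ ctx->opts->group_map[SDAP_OC_GROUP].name,
-+ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
-+ ctx->opts->group_map[SDAP_AT_GROUP_GID].name,
-+ ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
-+ ctx->srv_opts->max_group_value,
-+ ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
-+ ctx->srv_opts->max_group_value);
-} else {
-- state->filter = talloc_asprintf(state,
-- "(&(%s=*)(objectclass=%s))",
-- ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
-- ctx->opts->group_map[SDAP_OC_GROUP].name);
-+ state->filter = talloc_asprintf(
-+ state,
-+ "(&(objectclass=%s)(%s=*)(%s=*))",
-+ ctx->opts->group_map[SDAP_OC_GROUP].name,
-+ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
-+ ctx->opts->group_map[SDAP_AT_GROUP_GID].name);
-}
-if (!state->filter) {
-DEBUG(2, ("Failed to build filter\n"));
-diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c
-index 8e459598674d589c0cdfcece125c183f7c95bb4d..3fedf07da7fbdc9409f5360ba8301158a65014cd 100644
---- a/src/providers/ldap/sdap_async_accounts.c
-+++ b/src/providers/ldap/sdap_async_accounts.c
-@@ -2007,10 +2007,12 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
-return NULL;
-}
-- filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
-+ filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
-opts->group_map[SDAP_AT_GROUP_MEMBER].name,
-clean_name,
-- opts->group_map[SDAP_OC_GROUP].name);
-+ opts->group_map[SDAP_OC_GROUP].name,
-+ opts->group_map[SDAP_AT_GROUP_NAME].name,
-+ opts->group_map[SDAP_AT_GROUP_GID].name);
-if (!filter) {
-talloc_zfree(req);
-return NULL;
-@@ -2211,8 +2213,10 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
-return NULL;
-}
-- state->filter = talloc_asprintf(state, "(objectclass=%s)",
-- opts->group_map[SDAP_OC_GROUP].name);
-+ state->filter = talloc_asprintf(state, "(&(objectclass=%s)(%s=*)(%s=*))",
-+ opts->group_map[SDAP_OC_GROUP].name,
-+ opts->group_map[SDAP_AT_GROUP_NAME].name,
-+ opts->group_map[SDAP_AT_GROUP_GID].name);
-if (!state->filter) {
-talloc_zfree(req);
-return NULL;
-@@ -3103,8 +3107,10 @@ static errno_t sdap_nested_group_lookup_group(struct tevent_req *req)
-}
-filter = talloc_asprintf(
-- sdap_attrs, "(objectclass=%s)",
-- state->opts->group_map[SDAP_OC_GROUP].name);
-+ sdap_attrs, "(&(objectclass=%s)(%s=*)(%s=*))",
-+ state->opts->group_map[SDAP_OC_GROUP].name,
-+ state->opts->group_map[SDAP_AT_GROUP_NAME].name,
-+ state->opts->group_map[SDAP_AT_GROUP_GID].name);
-if (!filter) {
-talloc_free(sdap_attrs);
-return ENOMEM;
-@@ -3435,10 +3441,12 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
-return NULL;
-}
-- filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
-+ filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
-opts->group_map[SDAP_AT_GROUP_MEMBER].name,
-clean_orig_dn,
-- opts->group_map[SDAP_OC_GROUP].name);
-+ opts->group_map[SDAP_OC_GROUP].name,
-+ opts->group_map[SDAP_AT_GROUP_NAME].name,
-+ opts->group_map[SDAP_AT_GROUP_GID].name);
-if (!filter) {
-talloc_zfree(req);
-return NULL;
-@@ -3839,10 +3847,12 @@ static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req)
-}
-filter = talloc_asprintf(
-- tmp_ctx, "(&(%s=%s)(objectclass=%s))",
-+ tmp_ctx, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
-state->opts->group_map[SDAP_AT_GROUP_MEMBER].name,
-clean_orig_dn,
-- state->opts->group_map[SDAP_OC_GROUP].name);
-+ state->opts->group_map[SDAP_OC_GROUP].name,
-+ state->opts->group_map[SDAP_AT_GROUP_NAME].name,
-+ state->opts->group_map[SDAP_AT_GROUP_GID].name);
-if (!filter) {
-ret = ENOMEM;
-goto error;
---
-1.7.4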


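--- a/0002-Require-existence-of-username-uid-and-gid-for-user-e.patch
+++ b/0002-Require-existence-of-username-uid-and-gid-for-user-e.patch
@@ -1,55 +0,0 @@
-From c6f9fcdbf62d616f9fc89b7695aa48fa4c8ebd80 Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Mon, 14 Mar 2011 09:56:22 -0400
-Subject: [PATCH 2/2] Require existence of username, uid and gid for user enumeration
-We will ignore users that do not have these three values.
----
-src/providers/ldap/ldap_id_enum.c | 30 ++++++++++++++++++------------
-1 files changed, 18 insertions(+), 12 deletions(-)
-diff --git a/src/providers/ldap/ldap_id_enum.c b/src/providers/ldap/ldap_id_enum.c
-index 42c2911926602bfc2e3a33a0af837d6e809ee68b..6899b87c08b46c3c2b61fcd975ab14a4118cc918 100644
---- a/src/providers/ldap/ldap_id_enum.c
-+++ b/src/providers/ldap/ldap_id_enum.c
-@@ -441,19 +441,25 @@ static struct tevent_req *enum_users_send(TALLOC_CTX *memctx,
-state->op = op;
-if (ctx->srv_opts && ctx->srv_opts->max_user_value && !purge) {
-- state->filter = talloc_asprintf(state,
-- "(&(%s=*)(objectclass=%s)(%s>=%s)(!(%s=%s)))",
-- ctx->opts->user_map[SDAP_AT_USER_NAME].name,
-- ctx->opts->user_map[SDAP_OC_USER].name,
-- ctx->opts->user_map[SDAP_AT_USER_USN].name,
-- ctx->srv_opts->max_user_value,
-- ctx->opts->user_map[SDAP_AT_USER_USN].name,
-- ctx->srv_opts->max_user_value);
-+ state->filter = talloc_asprintf(
-+ state,
-+ "(&(objectclass=%s)(%s=*)(%s=*)(%s=*)(%s>=%s)(!(%s=%s)))",
-+ ctx->opts->user_map[SDAP_OC_USER].name,
-+ ctx->opts->user_map[SDAP_AT_USER_NAME].name,
-+ ctx->opts->user_map[SDAP_AT_USER_UID].name,
-+ ctx->opts->user_map[SDAP_AT_USER_GID].name,
-+ ctx->opts->user_map[SDAP_AT_USER_USN].name,
-+ ctx->srv_opts->max_user_value,
-+ ctx->opts->user_map[SDAP_AT_USER_USN].name,
-+ ctx->srv_opts->max_user_value);
-} else {
-- state->filter = talloc_asprintf(state,
-- "(&(%s=*)(objectclass=%s))",
-- ctx->opts->user_map[SDAP_AT_USER_NAME].name,
-- ctx->opts->user_map[SDAP_OC_USER].name);
-+ state->filter = talloc_asprintf(
-+ state,
-+ "(&(objectclass=%s)(%s=*)(%s=*)(%s=*))",
-+ ctx->opts->user_map[SDAP_OC_USER].name,
-+ ctx->opts->user_map[SDAP_AT_USER_NAME].name,
-+ ctx->opts->user_map[SDAP_AT_USER_UID].name,
-+ ctx->opts->user_map[SDAP_AT_USER_GID].name);
-}
-if (!state->filter) {
-DEBUG(2, ("Failed to build filter\n"));
---
-1.7.4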


@ -1 +1 @@
0d1c73ef2cc60e44098410f20818dc1c sssd-1.5.3.tar.gz
d1459f6e0d0a5246374f08e6ab24c7de sssd-1.5.4.tar.gz


@ -3,9 +3,13 @@
%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
%endif
# Determine the location of the LDB modules directory
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
%global ldb_version 1.0.2
Name: sssd
Version: 1.5.3
Release: 2%{?dist}
Version: 1.5.4
Release: 1%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -14,12 +18,10 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch0001: 0001-Require-existence-of-GID-number-and-name-in-group-se.patch
Patch0002: 0002-Require-existence-of-username-uid-and-gid-for-user-e.patch
### Dependencies ###
Requires: libldb = 1.0.2
Requires: libldb = %{ldb_version}
Requires: libtdb >= 1.1.3
Requires: sssd-client = %{version}-%{release}
Requires: cyrus-sasl-gssapi
@ -50,10 +52,7 @@ BuildRequires: popt-devel
BuildRequires: libtalloc-devel
BuildRequires: libtevent-devel
BuildRequires: libtdb-devel
BuildRequires: libldb-devel
%if 0%{?fedora} >= 15
BuildRequires: libldb-devel = 1.0.2
%endif
BuildRequires: libldb-devel = %{ldb_version}
BuildRequires: libdhash-devel >= 0.4.2
BuildRequires: libcollection-devel
BuildRequires: libini_config-devel
@ -112,9 +111,6 @@ use with ldap_default_authtok_type = obfuscated_password.
%prep
%setup -q
%patch0001 -p1
%patch0002 -p1
%build
autoreconf -ivf
%configure \
@ -161,7 +157,7 @@ install -m644 src/examples/rwtab $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d/sssd
rm -f \
$RPM_BUILD_ROOT/%{_lib}/libnss_sss.la \
$RPM_BUILD_ROOT/%{_lib}/security/pam_sss.la \
$RPM_BUILD_ROOT/%{_libdir}/ldb/modules/ldb/memberof.la \
$RPM_BUILD_ROOT/%{ldb_modulesdir}/memberof.la \
$RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ldap.la \
$RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la \
$RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_krb5.la \
@ -201,7 +197,7 @@ rm -rf $RPM_BUILD_ROOT
%{_sbindir}/sssd
%{_libexecdir}/%{servicename}/
%{_libdir}/%{name}/
%{_libdir}/ldb/modules/ldb/memberof.so
%{ldb_modulesdir}/memberof.so
%dir %{sssdstatedir}
%attr(700,root,root) %dir %{dbpath}
%attr(755,root,root) %dir %{pipepath}
@ -274,6 +270,13 @@ fi
%postun client -p /sbin/ldconfig
%changelog
* Thu Mar 24 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.4-1
- New upstream release 1.5.4
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4
- Fixes for Active Directory when not all users and groups have POSIX attributes
- Fixes for handling users and groups that have name aliases (aliases are ignored)
- Fix group memberships after initgroups in the IPA provider
* Thu Mar 17 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.3-2
- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication