- Log startup errors to the syslog
- Allow cache cleanup to be disabled in sssd.conf
This commit is contained in:
parent
9d5bcde0eb
commit
4e1de07cd8
56
0001-Log-startup-errors-to-syslog.patch
Normal file
56
0001-Log-startup-errors-to-syslog.patch
Normal file
@ -0,0 +1,56 @@
|
||||
From 57736f3037984574b42b72fef7ae14fa2bce35b0 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||
Date: Wed, 10 Nov 2010 11:04:31 -0500
|
||||
Subject: [PATCH 1/2] Log startup errors to syslog
|
||||
|
||||
---
|
||||
src/monitor/monitor.c | 16 +++++++++-------
|
||||
1 files changed, 9 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
||||
index 1c2a058e5a8d684798dcb2ea461199467c73f407..6479f7a9fd5877e7b5baaaee4f3f92001506d730 100644
|
||||
--- a/src/monitor/monitor.c
|
||||
+++ b/src/monitor/monitor.c
|
||||
@@ -2167,7 +2167,7 @@ int main(int argc, const char *argv[])
|
||||
uid = getuid();
|
||||
if (uid != 0) {
|
||||
DEBUG(1, ("Running under %d, must be root\n", uid));
|
||||
- ERROR("sssd must be run as root\n");
|
||||
+ sss_log(SSS_LOG_ALERT, "sssd must be run as root");
|
||||
return 8;
|
||||
}
|
||||
|
||||
@@ -2202,9 +2202,10 @@ int main(int argc, const char *argv[])
|
||||
ret = check_file(NSCD_SOCKET_PATH, -1, -1, -1, CHECK_SOCK, NULL);
|
||||
if (ret == EOK) {
|
||||
DEBUG(0, ("WARNING: nscd appears to be running\n"));
|
||||
- ERROR("nscd socket was detected. As nscd caching capabilities "
|
||||
- "may conflict with SSSD, it is recommended to not run "
|
||||
- "nscd in parallel with SSSD\n");
|
||||
+ sss_log(SSS_LOG_NOTICE,
|
||||
+ "nscd socket was detected. As nscd caching capabilities "
|
||||
+ "may conflict with SSSD, it is recommended to not run "
|
||||
+ "nscd in parallel with SSSD");
|
||||
}
|
||||
|
||||
/* Parse config file, fail if cannot be done */
|
||||
@@ -2212,12 +2213,13 @@ int main(int argc, const char *argv[])
|
||||
if (ret != EOK) {
|
||||
if (ret == EPERM) {
|
||||
DEBUG(1, ("Cannot read configuration file %s\n", config_file));
|
||||
- ERROR("Cannot read config file %s, please check if permissions "
|
||||
- "are 0600 and the file is owned by root.root\n", config_file);
|
||||
+ sss_log(SSS_LOG_ALERT,
|
||||
+ "Cannot read config file %s, please check if permissions "
|
||||
+ "are 0600 and the file is owned by root.root", config_file);
|
||||
} else {
|
||||
DEBUG(1, ("Error loading configuration database: [%d]: %s",
|
||||
ret, strerror(ret)));
|
||||
- ERROR("Cannot load configuration database\n");
|
||||
+ sss_log(SSS_LOG_ALERT, "Cannot load configuration database");
|
||||
}
|
||||
return 4;
|
||||
}
|
||||
--
|
||||
1.7.3.2
|
||||
|
@ -1,32 +0,0 @@
|
||||
From 8eeb47279a5a4559d9d7f911250d6164ab120897 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||
Date: Wed, 18 Aug 2010 12:57:43 -0400
|
||||
Subject: [PATCH 9/9] Treat a zero-length password as a failure
|
||||
|
||||
Some LDAP servers allow binding with blank passwords. We should
|
||||
not allow a blank password to authenticate the SSSD.
|
||||
---
|
||||
src/providers/ldap/ldap_auth.c | 7 +++++++
|
||||
1 files changed, 7 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
|
||||
index b05e3075ce117fad17b87ffde257c80fc035b8c4..1a959d4cc45980fe5dd12db3460cc23f341466fd 100644
|
||||
--- a/src/providers/ldap/ldap_auth.c
|
||||
+++ b/src/providers/ldap/ldap_auth.c
|
||||
@@ -557,6 +557,13 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
|
||||
req = tevent_req_create(memctx, &state, struct auth_state);
|
||||
if (!req) return NULL;
|
||||
|
||||
+ /* Treat a zero-length password as a failure */
|
||||
+ if (password.length == 0) {
|
||||
+ state->result = SDAP_AUTH_FAILED;
|
||||
+ tevent_req_done(req);
|
||||
+ return tevent_req_post(req, ev);
|
||||
+ }
|
||||
+
|
||||
state->ev = ev;
|
||||
state->ctx = ctx;
|
||||
state->username = username;
|
||||
--
|
||||
1.7.2.1
|
||||
|
72
0002-Properly-document-ldap_purge_cache_timeout.patch
Normal file
72
0002-Properly-document-ldap_purge_cache_timeout.patch
Normal file
@ -0,0 +1,72 @@
|
||||
From 4f8400f86d33d0f64adccb71c8190ad33db2770a Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||
Date: Tue, 2 Nov 2010 07:46:13 -0400
|
||||
Subject: [PATCH 2/2] Properly document ldap_purge_cache_timeout
|
||||
|
||||
Also allow it to be disabled entirely
|
||||
---
|
||||
src/man/sssd-ldap.5.xml | 19 +++++++++++++++++++
|
||||
src/providers/ldap/ldap_common.c | 10 +++++++++-
|
||||
2 files changed, 28 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
|
||||
index 87d388ade2b9b3613a18eb70e079b1266e940a14..64f216f5f5092a23635b9c4f96dbb133b309e556 100644
|
||||
--- a/src/man/sssd-ldap.5.xml
|
||||
+++ b/src/man/sssd-ldap.5.xml
|
||||
@@ -447,6 +447,25 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
+ <term>ldap_purge_cache_timeout</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Determine how often to check the cache for
|
||||
+ inactive entries (such as groups with no
|
||||
+ members and users who have never logged in) and
|
||||
+ remove them to save space.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Setting this option to zero will disable the
|
||||
+ cache cleanup operation.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: 10800 (12 hours)
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
+ <varlistentry>
|
||||
<term>ldap_user_fullname (string)</term>
|
||||
<listitem>
|
||||
<para>
|
||||
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
|
||||
index ea5f957076675b4b8210917a928761e68088d485..c074098d6574078a6ec0e80851a1b02a51f5b0e1 100644
|
||||
--- a/src/providers/ldap/ldap_common.c
|
||||
+++ b/src/providers/ldap/ldap_common.c
|
||||
@@ -397,6 +397,7 @@ int sdap_id_setup_tasks(struct sdap_id_ctx *ctx)
|
||||
{
|
||||
struct timeval tv;
|
||||
int ret = EOK;
|
||||
+ int delay;
|
||||
|
||||
/* set up enumeration task */
|
||||
if (ctx->be->domain->enumerate) {
|
||||
@@ -406,7 +407,14 @@ int sdap_id_setup_tasks(struct sdap_id_ctx *ctx)
|
||||
ret = ldap_id_enumerate_set_timer(ctx, tv);
|
||||
} else {
|
||||
/* the enumeration task, runs the cleanup process by itself,
|
||||
- * but if enumeration is not runnig we need to schedule it */
|
||||
+ * but if enumeration is not running we need to schedule it */
|
||||
+ delay = dp_opt_get_int(ctx->opts->basic, SDAP_CACHE_PURGE_TIMEOUT);
|
||||
+ if (delay == 0) {
|
||||
+ /* Cleanup has been explicitly disabled, so we won't
|
||||
+ * schedule any cleanup tasks.
|
||||
+ */
|
||||
+ return EOK;
|
||||
+ }
|
||||
|
||||
/* run the first one in a couple of seconds so that we have time to
|
||||
* finish initializations first*/
|
||||
--
|
||||
1.7.3.2
|
||||
|
@ -1,31 +0,0 @@
|
||||
From f1e22670eaaa7c881593924896acc84ecc131872 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||
Date: Fri, 1 Oct 2010 12:34:54 -0400
|
||||
Subject: [PATCH] Return offline instead of error
|
||||
|
||||
When the failover code returns that there are no available servers
|
||||
while we are marked offline, we were returning an error to the PAM
|
||||
authentication code. Instead, we should return success with a
|
||||
result value of SDAP_UNAVAIL so that the PAM responder will mark
|
||||
the domain offline and attempt offline authentication.
|
||||
---
|
||||
src/providers/ldap/ldap_auth.c | 3 ++-
|
||||
1 files changed, 2 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
|
||||
index d01449262c39865ffc4916c8d7dd8b6874cd4a02..0ea86f3e34db0cd5bab83ecff80859f495b234e2 100644
|
||||
--- a/src/providers/ldap/ldap_auth.c
|
||||
+++ b/src/providers/ldap/ldap_auth.c
|
||||
@@ -567,7 +567,8 @@ static void auth_resolve_done(struct tevent_req *subreq)
|
||||
if (ret) {
|
||||
/* all servers have been tried and none
|
||||
* was found good, go offline */
|
||||
- tevent_req_error(req, EIO);
|
||||
+ state->result = SDAP_UNAVAIL;
|
||||
+ tevent_req_done(req);
|
||||
return;
|
||||
}
|
||||
|
||||
--
|
||||
1.7.2.3
|
||||
|
12
sssd.spec
12
sssd.spec
@ -5,7 +5,7 @@
|
||||
|
||||
Name: sssd
|
||||
Version: 1.4.1
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
@ -15,6 +15,9 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||
|
||||
### Patches ###
|
||||
|
||||
Patch0001: 0001-Log-startup-errors-to-syslog.patch
|
||||
Patch0002: 0002-Properly-document-ldap_purge_cache_timeout.patch
|
||||
|
||||
### Dependencies ###
|
||||
|
||||
Requires: libldb >= 0.9.3
|
||||
@ -93,6 +96,9 @@ service.
|
||||
%prep
|
||||
%setup -q
|
||||
|
||||
%patch0001 -p1
|
||||
%patch0002 -p1
|
||||
|
||||
%build
|
||||
%configure \
|
||||
--with-db-path=%{dbpath} \
|
||||
@ -233,6 +239,10 @@ fi
|
||||
%postun client -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Tue Nov 16 2010 Stephen Gallagher <sgallagh@redhat.com> - 1.4.1-2
|
||||
- Log startup errors to the syslog
|
||||
- Allow cache cleanup to be disabled in sssd.conf
|
||||
|
||||
* Mon Nov 01 2010 Stephen Gallagher <sgallagh@redhat.com> - 1.4.1-1
|
||||
- New upstream release 1.4.1
|
||||
- Add support for netgroups to the proxy provider
|
||||
|
Loading…
Reference in New Issue
Block a user