- Log startup errors to the syslog
- Allow cache cleanup to be disabled in sssd.conf
This commit is contained in:
parent
9d5bcde0eb
commit
4e1de07cd8
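--- /dev/null
+++ b/0001-Log-startup-errors-to-syslog.patch
@@ -0,0 +1,56 @@
+From 57736f3037984574b42b72fef7ae14fa2bce35b0 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Wed, 10 Nov 2010 11:04:31 -0500
+Subject: [PATCH 1/2] Log startup errors to syslog
+
+---
+src/monitor/monitor.c | 16 +++++++++-------
+1 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
+index 1c2a058e5a8d684798dcb2ea461199467c73f407..6479f7a9fd5877e7b5baaaee4f3f92001506d730 100644
+--- a/src/monitor/monitor.c
++++ b/src/monitor/monitor.c
+@@ -2167,7 +2167,7 @@ int main(int argc, const char *argv[])
+uid = getuid();
+if (uid != 0) {
+DEBUG(1, ("Running under %d, must be root\n", uid));
+- ERROR("sssd must be run as root\n");
++ sss_log(SSS_LOG_ALERT, "sssd must be run as root");
+return 8;
+}
+
+@@ -2202,9 +2202,10 @@ int main(int argc, const char *argv[])
+ret = check_file(NSCD_SOCKET_PATH, -1, -1, -1, CHECK_SOCK, NULL);
+if (ret == EOK) {
+DEBUG(0, ("WARNING: nscd appears to be running\n"));
+- ERROR("nscd socket was detected. As nscd caching capabilities "
+- "may conflict with SSSD, it is recommended to not run "
+- "nscd in parallel with SSSD\n");
++ sss_log(SSS_LOG_NOTICE,
++ "nscd socket was detected. As nscd caching capabilities "
++ "may conflict with SSSD, it is recommended to not run "
++ "nscd in parallel with SSSD");
+}
+
+/* Parse config file, fail if cannot be done */
+@@ -2212,12 +2213,13 @@ int main(int argc, const char *argv[])
+if (ret != EOK) {
+if (ret == EPERM) {
+DEBUG(1, ("Cannot read configuration file %s\n", config_file));
+- ERROR("Cannot read config file %s, please check if permissions "
+- "are 0600 and the file is owned by root.root\n", config_file);
++ sss_log(SSS_LOG_ALERT,
++ "Cannot read config file %s, please check if permissions "
++ "are 0600 and the file is owned by root.root", config_file);
+} else {
+DEBUG(1, ("Error loading configuration database: [%d]: %s",
+ret, strerror(ret)));
+- ERROR("Cannot load configuration database\n");
++ sss_log(SSS_LOG_ALERT, "Cannot load configuration database");
+}
+return 4;
+}
+--
+1.7.3.2
+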
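Review bot: Swapping `ERROR(...)` for `sss_log(...)` in all three monitor.c hunks (`@@ -2167`, `@@ -2202`, `@@ -2212`) removes the console message entirely, so an administrator starting sssd by hand sees nothing about why it returned 8 or 4 unless debug level 1 is enabled, assuming ERROR writes to stderr as its name suggests. Syslog is the right place for a service-managed start, where stderr is usually discarded, but the two outputs are complementary; keep the old call beside the new one, e.g. `ERROR("sssd must be run as root\n");` followed by `sss_log(SSS_LOG_ALERT, "sssd must be run as root");`, and the same for the nscd and configuration-file messages. Lowering the nscd message to SSS_LOG_NOTICE is consistent with the code, which continues to the config parsing after it rather than returning. The patch adds no #include, so it relies on sss_log and the SSS_LOG_* constants already being visible in monitor.c; main() starts and ends outside these hunks.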
@ -1,32 +0,0 @@
|
|||||||
From 8eeb47279a5a4559d9d7f911250d6164ab120897 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
|
||||||
Date: Wed, 18 Aug 2010 12:57:43 -0400
|
|
||||||
Subject: [PATCH 9/9] Treat a zero-length password as a failure
|
|
||||||
|
|
||||||
Some LDAP servers allow binding with blank passwords. We should
|
|
||||||
not allow a blank password to authenticate the SSSD.
|
|
||||||
---
|
|
||||||
src/providers/ldap/ldap_auth.c | 7 +++++++
|
|
||||||
1 files changed, 7 insertions(+), 0 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
|
|
||||||
index b05e3075ce117fad17b87ffde257c80fc035b8c4..1a959d4cc45980fe5dd12db3460cc23f341466fd 100644
|
|
||||||
--- a/src/providers/ldap/ldap_auth.c
|
|
||||||
+++ b/src/providers/ldap/ldap_auth.c
|
|
||||||
@@ -557,6 +557,13 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
|
|
||||||
req = tevent_req_create(memctx, &state, struct auth_state);
|
|
||||||
if (!req) return NULL;
|
|
||||||
|
|
||||||
+ /* Treat a zero-length password as a failure */
|
|
||||||
+ if (password.length == 0) {
|
|
||||||
+ state->result = SDAP_AUTH_FAILED;
|
|
||||||
+ tevent_req_done(req);
|
|
||||||
+ return tevent_req_post(req, ev);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
state->ev = ev;
|
|
||||||
state->ctx = ctx;
|
|
||||||
state->username = username;
|
|
||||||
--
|
|
||||||
1.7.2.1
|
|
||||||
|
|
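--- /dev/null
+++ b/0002-Properly-document-ldap_purge_cache_timeout.patch
@@ -0,0 +1,72 @@
+From 4f8400f86d33d0f64adccb71c8190ad33db2770a Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Tue, 2 Nov 2010 07:46:13 -0400
+Subject: [PATCH 2/2] Properly document ldap_purge_cache_timeout
+
+Also allow it to be disabled entirely
+---
+src/man/sssd-ldap.5.xml | 19 +++++++++++++++++++
+src/providers/ldap/ldap_common.c | 10 +++++++++-
+2 files changed, 28 insertions(+), 1 deletions(-)
+
+diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
+index 87d388ade2b9b3613a18eb70e079b1266e940a14..64f216f5f5092a23635b9c4f96dbb133b309e556 100644
+--- a/src/man/sssd-ldap.5.xml
++++ b/src/man/sssd-ldap.5.xml
+@@ -447,6 +447,25 @@
+</varlistentry>
+
+<varlistentry>
++ <term>ldap_purge_cache_timeout</term>
++ <listitem>
++ <para>
++ Determine how often to check the cache for
++ inactive entries (such as groups with no
++ members and users who have never logged in) and
++ remove them to save space.
++ </para>
++ <para>
++ Setting this option to zero will disable the
++ cache cleanup operation.
++ </para>
++ <para>
++ Default: 10800 (12 hours)
++ </para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
+<term>ldap_user_fullname (string)</term>
+<listitem>
+<para>
+diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
+index ea5f957076675b4b8210917a928761e68088d485..c074098d6574078a6ec0e80851a1b02a51f5b0e1 100644
+--- a/src/providers/ldap/ldap_common.c
++++ b/src/providers/ldap/ldap_common.c
+@@ -397,6 +397,7 @@ int sdap_id_setup_tasks(struct sdap_id_ctx *ctx)
+{
+struct timeval tv;
+int ret = EOK;
++ int delay;
+
+/* set up enumeration task */
+if (ctx->be->domain->enumerate) {
+@@ -406,7 +407,14 @@ int sdap_id_setup_tasks(struct sdap_id_ctx *ctx)
+ret = ldap_id_enumerate_set_timer(ctx, tv);
+} else {
+/* the enumeration task, runs the cleanup process by itself,
+- * but if enumeration is not runnig we need to schedule it */
++ * but if enumeration is not running we need to schedule it */
++ delay = dp_opt_get_int(ctx->opts->basic, SDAP_CACHE_PURGE_TIMEOUT);
++ if (delay == 0) {
++ /* Cleanup has been explicitly disabled, so we won't
++ * schedule any cleanup tasks.
++ */
++ return EOK;
++ }
+
+/* run the first one in a couple of seconds so that we have time to
+* finish initializations first*/
+--
+1.7.3.2
+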
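Review bot: The guard added to `sdap_id_setup_tasks` (`@@ -406,7 +407,14 @@`) only returns on `delay == 0`, so a negative `ldap_purge_cache_timeout` read by `dp_opt_get_int` flows into the timer arithmetic below the hunk unchecked; validate it first, e.g. `if (delay < 0) { DEBUG(1, ("ldap_purge_cache_timeout must not be negative\n")); return EINVAL; }`, or use `delay <= 0` if negatives are also meant to disable cleanup. The return is also confined to the `else` branch where enumeration is off, and the comment just above says the enumeration task runs cleanup itself, so the man page's promise that zero "will disable the cache cleanup operation" only holds if the enumeration path honours the option as well, which is not visible here. In the sssd-ldap.5.xml hunk, `Default: 10800 (12 hours)` is self-contradictory since 10800 seconds is 3 hours, and the new `<term>` omits the type annotation its neighbour `ldap_user_fullname (string)` carries, so `<term>ldap_purge_cache_timeout (integer)</term>` would match the surrounding entries. The remainder of sdap_id_setup_tasks is outside the hunk.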
@ -1,31 +0,0 @@
|
|||||||
From f1e22670eaaa7c881593924896acc84ecc131872 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
|
||||||
Date: Fri, 1 Oct 2010 12:34:54 -0400
|
|
||||||
Subject: [PATCH] Return offline instead of error
|
|
||||||
|
|
||||||
When the failover code returns that there are no available servers
|
|
||||||
while we are marked offline, we were returning an error to the PAM
|
|
||||||
authentication code. Instead, we should return success with a
|
|
||||||
result value of SDAP_UNAVAIL so that the PAM responder will mark
|
|
||||||
the domain offline and attempt offline authentication.
|
|
||||||
---
|
|
||||||
src/providers/ldap/ldap_auth.c | 3 ++-
|
|
||||||
1 files changed, 2 insertions(+), 1 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
|
|
||||||
index d01449262c39865ffc4916c8d7dd8b6874cd4a02..0ea86f3e34db0cd5bab83ecff80859f495b234e2 100644
|
|
||||||
--- a/src/providers/ldap/ldap_auth.c
|
|
||||||
+++ b/src/providers/ldap/ldap_auth.c
|
|
||||||
@@ -567,7 +567,8 @@ static void auth_resolve_done(struct tevent_req *subreq)
|
|
||||||
if (ret) {
|
|
||||||
/* all servers have been tried and none
|
|
||||||
* was found good, go offline */
|
|
||||||
- tevent_req_error(req, EIO);
|
|
||||||
+ state->result = SDAP_UNAVAIL;
|
|
||||||
+ tevent_req_done(req);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
1.7.2.3
|
|
||||||
|
|
12
sssd.spec
12
sssd.spec
@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 1.4.1
|
Version: 1.4.1
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -15,6 +15,9 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
|||||||
|
|
||||||
### Patches ###
|
### Patches ###
|
||||||
|
|
||||||
|
Patch0001: 0001-Log-startup-errors-to-syslog.patch
|
||||||
|
Patch0002: 0002-Properly-document-ldap_purge_cache_timeout.patch
|
||||||
|
|
||||||
### Dependencies ###
|
### Dependencies ###
|
||||||
|
|
||||||
Requires: libldb >= 0.9.3
|
Requires: libldb >= 0.9.3
|
||||||
@ -93,6 +96,9 @@ service.
|
|||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
|
||||||
|
%patch0001 -p1
|
||||||
|
%patch0002 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure \
|
%configure \
|
||||||
--with-db-path=%{dbpath} \
|
--with-db-path=%{dbpath} \
|
||||||
@ -233,6 +239,10 @@ fi
|
|||||||
%postun client -p /sbin/ldconfig
|
%postun client -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Nov 16 2010 Stephen Gallagher <sgallagh@redhat.com> - 1.4.1-2
|
||||||
|
- Log startup errors to the syslog
|
||||||
|
- Allow cache cleanup to be disabled in sssd.conf
|
||||||
|
|
||||||
* Mon Nov 01 2010 Stephen Gallagher <sgallagh@redhat.com> - 1.4.1-1
|
* Mon Nov 01 2010 Stephen Gallagher <sgallagh@redhat.com> - 1.4.1-1
|
||||||
- New upstream release 1.4.1
|
- New upstream release 1.4.1
|
||||||
- Add support for netgroups to the proxy provider
|
- Add support for netgroups to the proxy provider
|
||||||
|