rpms/sssd
5
0
Fork 0
Code Issues Pull Requests Releases Activity

- New upstream release 1.5.0

Browse Source 
- Fixed issues with LDAP search filters that needed to be escaped
- Add Kerberos FAST support on platforms that support it
- Reduced verbosity of PAM_TEXT_INFO messages for cached credentials
- Added a Kerberos access provider to honor .k5login
- Addressed several thread-safety issues in the sss_client code
- Improved support for delayed online Kerberos auth
- Significantly reduced time between connecting to the network/VPN and
- acquiring a TGT
- Added feature for automatic Kerberos ticket renewal
- Provides the kerberos ticket for long-lived processes or cron jobs
- even when the user logs out
- Added several new features to the LDAP access provider
- Support for 'shadow' access control
- Support for authorizedService access control
- Ability to mix-and-match LDAP access control features
- Added an option for a separate password-change LDAP server for those
- platforms where LDAP referrals are not supported
- Added support for manpage translations
This commit is contained in:
Stephen Gallagher 2010-12-22 14:08:33 -05:00
parent 9600ada0fd
commit 5225c3262b
7 changed files with 63 additions and 286 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -2,3 +2,4 @@ sssd-1.2.91.tar.gz
/sssd-1.3.0.tar.gz
/sssd-1.4.0.tar.gz
/sssd-1.4.1.tar.gz
/sssd-1.5.0.tar.gz

56
0001-Log-startup-errors-to-syslog.patch
View File

@ -1,56 +0,0 @@
From 57736f3037984574b42b72fef7ae14fa2bce35b0 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 10 Nov 2010 11:04:31 -0500
Subject: [PATCH 1/2] Log startup errors to syslog
---
src/monitor/monitor.c | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 1c2a058e5a8d684798dcb2ea461199467c73f407..6479f7a9fd5877e7b5baaaee4f3f92001506d730 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -2167,7 +2167,7 @@ int main(int argc, const char *argv[])
uid = getuid();
if (uid != 0) {
DEBUG(1, ("Running under %d, must be root\n", uid));
- ERROR("sssd must be run as root\n");
+ sss_log(SSS_LOG_ALERT, "sssd must be run as root");
return 8;
}
@@ -2202,9 +2202,10 @@ int main(int argc, const char *argv[])
ret = check_file(NSCD_SOCKET_PATH, -1, -1, -1, CHECK_SOCK, NULL);
if (ret == EOK) {
DEBUG(0, ("WARNING: nscd appears to be running\n"));
- ERROR("nscd socket was detected. As nscd caching capabilities "
- "may conflict with SSSD, it is recommended to not run "
- "nscd in parallel with SSSD\n");
+ sss_log(SSS_LOG_NOTICE,
+ "nscd socket was detected. As nscd caching capabilities "
+ "may conflict with SSSD, it is recommended to not run "
+ "nscd in parallel with SSSD");
}
/* Parse config file, fail if cannot be done */
@@ -2212,12 +2213,13 @@ int main(int argc, const char *argv[])
if (ret != EOK) {
if (ret == EPERM) {
DEBUG(1, ("Cannot read configuration file %s\n", config_file));
- ERROR("Cannot read config file %s, please check if permissions "
- "are 0600 and the file is owned by root.root\n", config_file);
+ sss_log(SSS_LOG_ALERT,
+ "Cannot read config file %s, please check if permissions "
+ "are 0600 and the file is owned by root.root", config_file);
} else {
DEBUG(1, ("Error loading configuration database: [%d]: %s",
ret, strerror(ret)));
- ERROR("Cannot load configuration database\n");
+ sss_log(SSS_LOG_ALERT, "Cannot load configuration database");
}
return 4;
}
--
1.7.3.2

72
0002-Properly-document-ldap_purge_cache_timeout.patch
View File

@ -1,72 +0,0 @@
From 4f8400f86d33d0f64adccb71c8190ad33db2770a Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 2 Nov 2010 07:46:13 -0400
Subject: [PATCH 2/2] Properly document ldap_purge_cache_timeout
Also allow it to be disabled entirely
---
src/man/sssd-ldap.5.xml | 19 +++++++++++++++++++
src/providers/ldap/ldap_common.c | 10 +++++++++-
2 files changed, 28 insertions(+), 1 deletions(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 87d388ade2b9b3613a18eb70e079b1266e940a14..64f216f5f5092a23635b9c4f96dbb133b309e556 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -447,6 +447,25 @@
</varlistentry>
<varlistentry>
+ <term>ldap_purge_cache_timeout</term>
+ <listitem>
+ <para>
+ Determine how often to check the cache for
+ inactive entries (such as groups with no
+ members and users who have never logged in) and
+ remove them to save space.
+ </para>
+ <para>
+ Setting this option to zero will disable the
+ cache cleanup operation.
+ </para>
+ <para>
+ Default: 10800 (12 hours)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_user_fullname (string)</term>
<listitem>
<para>
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index ea5f957076675b4b8210917a928761e68088d485..c074098d6574078a6ec0e80851a1b02a51f5b0e1 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -397,6 +397,7 @@ int sdap_id_setup_tasks(struct sdap_id_ctx *ctx)
{
struct timeval tv;
int ret = EOK;
+ int delay;
/* set up enumeration task */
if (ctx->be->domain->enumerate) {
@@ -406,7 +407,14 @@ int sdap_id_setup_tasks(struct sdap_id_ctx *ctx)
ret = ldap_id_enumerate_set_timer(ctx, tv);
} else {
/* the enumeration task, runs the cleanup process by itself,
- * but if enumeration is not runnig we need to schedule it */
+ * but if enumeration is not running we need to schedule it */
+ delay = dp_opt_get_int(ctx->opts->basic, SDAP_CACHE_PURGE_TIMEOUT);
+ if (delay == 0) {
+ /* Cleanup has been explicitly disabled, so we won't
+ * schedule any cleanup tasks.
+ */
+ return EOK;
+ }
/* run the first one in a couple of seconds so that we have time to
* finish initializations first*/
--
1.7.3.2

34
0003-Ensure-that-SSSD-shuts-down-completely-before-restar.patch
View File

@ -1,34 +0,0 @@
From e3751e0a7567ccd7cc335a9c73acd278862ab5d0 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 17 Nov 2010 08:29:19 -0500
Subject: [PATCH 3/4] Ensure that SSSD shuts down completely before restarting
---
src/sysv/sssd | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/src/sysv/sssd b/src/sysv/sssd
index 47804371d0be6b537bc03226f0fd67d03c6ce58e..7339d86deb9792285691032bebb5205f4894a671 100644
--- a/src/sysv/sssd
+++ b/src/sysv/sssd
@@ -48,8 +48,17 @@ start() {
stop() {
echo -n $"Stopping $prog: "
+ pid=`cat $PID_FILE`
+
killproc -p $PID_FILE $SSSD -TERM
RETVAL=$?
+
+ # Wait until the monitor exits
+ while (checkpid $pid)
+ do
+ usleep 100000
+ done
+
echo
[ "$RETVAL" = 0 ] && rm -f $LOCK_FILE
return $RETVAL
--
1.7.3.2

96
0004-Wait-for-all-children-to-exit.patch
View File

@ -1,96 +0,0 @@
From 1f1d7ead30d566a47cdcc2d8fe2618817851e1e1 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Thu, 11 Nov 2010 09:04:22 -0500
Subject: [PATCH 4/4] Wait for all children to exit
Previously, there was a race-condition where the monitor might
terminate before its children.
---
src/monitor/monitor.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 61 insertions(+), 2 deletions(-)
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 6479f7a9fd5877e7b5baaaee4f3f92001506d730..98b671b2970b2a55c34e72a81bfc6e90c36bd820 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -1171,16 +1171,75 @@ static void monitor_quit(struct tevent_context *ev,
void *siginfo,
void *private_data)
{
+ struct mt_ctx *mt_ctx = talloc_get_type(private_data, struct mt_ctx);
+ struct mt_svc *svc;
+ pid_t pid;
+ int status;
+ errno_t error;
+
DEBUG(8, ("Received shutdown command\n"));
- monitor_cleanup();
+
+ DEBUG(0, ("Monitor received %s: terminating children\n",
+ strsignal(signum)));
+
+ /* Kill all of our known children manually */
+ DLIST_FOR_EACH(svc, mt_ctx->svc_list) {
+ if (svc->pid == 0) {
+ /* The local provider has no PID */
+ continue;
+ }
+
+ DEBUG(1, ("Terminating [%s]\n", svc->name));
+ kill(svc->pid, SIGTERM);
+
+ do {
+ errno = 0;
+ pid = waitpid(svc->pid, &status, 0);
+ if (pid == -1) {
+ /* An error occurred while waiting */
+ error = errno;
+ if (error != EINTR) {
+ DEBUG(0, ("[%d][%s] while waiting for [%s]\n",
+ error, strerror(error), svc->name));
+ /* Forcibly kill this child */
+ kill(svc->pid, SIGKILL);
+ break;
+ }
+ } else {
+ error = 0;
+ if WIFEXITED(status) {
+ DEBUG(1, ("Child [%s] exited gracefully\n", svc->name));
+ } else if WIFSIGNALED(status) {
+ DEBUG(1, ("Child [%s] terminated with a signal\n", svc->name));
+ } else {
+ DEBUG(0, ("Child [%s] did not exit cleanly\n", svc->name));
+ /* Forcibly kill this child */
+ kill(svc->pid, SIGKILL);
+ }
+ }
+ } while (error == EINTR);
+ }
#if HAVE_GETPGRP
+ /* Kill any remaining children in our process group, just in case
+ * we have any leftover children we don't expect. For example, if
+ * a krb5_child or ldap_child is running at the same moment.
+ */
+ error = 0;
if (getpgrp() == getpid()) {
- DEBUG(0,("%s: killing children\n", strsignal(signum)));
kill(-getpgrp(), SIGTERM);
+ do {
+ errno = 0;
+ pid = waitpid(0, &status, 0);
+ if (pid == -1) {
+ error = errno;
+ }
+ } while (error == EINTR || pid > 0);
}
#endif
+ monitor_cleanup();
+
exit(0);
}
--
1.7.3.2

2
sources
View File

@ -1 +1 @@
4f505e16bd0e9c5a441b2c9543cf0490 sssd-1.4.1.tar.gz
a06468f7d540fa4d5e3de2644d933744 sssd-1.5.0.tar.gz

88
sssd.spec
View File

@ -4,8 +4,8 @@
%endif
Name: sssd
Version: 1.4.1
Release: 3%{?dist}
Version: 1.5.0
Release: 1%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -15,10 +15,6 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch0001: 0001-Log-startup-errors-to-syslog.patch
Patch0002: 0002-Properly-document-ldap_purge_cache_timeout.patch
Patch0003: 0003-Ensure-that-SSSD-shuts-down-completely-before-restar.patch
Patch0004: 0004-Wait-for-all-children-to-exit.patch
### Dependencies ###
@ -78,6 +74,7 @@ BuildRequires: bind-utils
BuildRequires: keyutils-libs-devel
BuildRequires: libnl-devel
BuildRequires: nscd
BuildRequires: po4a
%description
Provides a set of daemons to manage access to remote directories and
@ -95,14 +92,22 @@ License: LGPLv3+
Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD
service.
%package tools
Summary: Userspace tools for use with the SSSD
Group: Applications/System
License: GPLv3+
Requires: sssd = %{version}-%{release}
%description tools
Provides userspace tools for manipulating users, groups, and nested groups in
SSSD when using id_provider = local in /etc/sssd/sssd.conf.
Also provides a userspace tool for generating an obfuscated LDAP password for
use with ldap_default_authtok_type = obfuscated_password.
%prep
%setup -q
%patch0001 -p1
%patch0002 -p1
%patch0003 -p1
%patch0004 -p1
%build
%configure \
--with-db-path=%{dbpath} \
@ -116,6 +121,7 @@ service.
--with-test-dir=/dev/shm
make %{?_smp_mflags}
make translated-manpages
%check
export CK_TIMEOUT_MULTIPLIER=10
@ -172,14 +178,6 @@ rm -rf $RPM_BUILD_ROOT
%doc COPYING
%{_initrddir}/%{name}
%{_sbindir}/sssd
%{_sbindir}/sss_useradd
%{_sbindir}/sss_userdel
%{_sbindir}/sss_usermod
%{_sbindir}/sss_groupadd
%{_sbindir}/sss_groupdel
%{_sbindir}/sss_groupmod
%{_sbindir}/sss_groupshow
%{_sbindir}/sss_obfuscate
%{_libexecdir}/%{servicename}/
%{_libdir}/%{name}/
%{_libdir}/ldb/memberof.so
@ -202,17 +200,11 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man5/sssd-ldap.5*
%{_mandir}/man5/sssd-simple.5*
%{_mandir}/man8/sssd.8*
%{_mandir}/man8/sss_groupadd.8*
%{_mandir}/man8/sss_groupdel.8*
%{_mandir}/man8/sss_groupmod.8*
%{_mandir}/man8/sss_groupshow.8*
%{_mandir}/man8/sss_useradd.8*
%{_mandir}/man8/sss_userdel.8*
%{_mandir}/man8/sss_usermod.8*
%{_mandir}/man8/sss_obfuscate.8*
%{python_sitearch}/pysss.so
%{python_sitelib}/*.py*
%lang(cs) %{_mandir}/cs/man[58]/*
%files client
%defattr(-,root,root,-)
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
@ -222,6 +214,26 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/pam_sss.8*
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
%files tools
%defattr(-,root,root,-)
%doc COPYING
%{_sbindir}/sss_useradd
%{_sbindir}/sss_userdel
%{_sbindir}/sss_usermod
%{_sbindir}/sss_groupadd
%{_sbindir}/sss_groupdel
%{_sbindir}/sss_groupmod
%{_sbindir}/sss_groupshow
%{_sbindir}/sss_obfuscate
%{_mandir}/man8/sss_groupadd.8*
%{_mandir}/man8/sss_groupdel.8*
%{_mandir}/man8/sss_groupmod.8*
%{_mandir}/man8/sss_groupshow.8*
%{_mandir}/man8/sss_useradd.8*
%{_mandir}/man8/sss_userdel.8*
%{_mandir}/man8/sss_usermod.8*
%{_mandir}/man8/sss_obfuscate.8*
%post
/sbin/ldconfig
/sbin/chkconfig --add %{servicename}
@ -243,6 +255,28 @@ fi
%postun client -p /sbin/ldconfig
%changelog
* Wed Dec 22 2010 Stephen Gallagher <sgallagh@redhat.com> - 1.5.0-1
- New upstream release 1.5.0
- Fixed issues with LDAP search filters that needed to be escaped
- Add Kerberos FAST support on platforms that support it
- Reduced verbosity of PAM_TEXT_INFO messages for cached credentials
- Added a Kerberos access provider to honor .k5login
- Addressed several thread-safety issues in the sss_client code
- Improved support for delayed online Kerberos auth
- Significantly reduced time between connecting to the network/VPN and
- acquiring a TGT
- Added feature for automatic Kerberos ticket renewal
- Provides the kerberos ticket for long-lived processes or cron jobs
- even when the user logs out
- Added several new features to the LDAP access provider
- Support for 'shadow' access control
- Support for authorizedService access control
- Ability to mix-and-match LDAP access control features
- Added an option for a separate password-change LDAP server for those
- platforms where LDAP referrals are not supported
- Added support for manpage translations
* Thu Nov 18 2010 Stephen Gallagher <sgallagh@redhat.com> - 1.4.1-3
- Solve a shutdown race-condition that sometimes left processes running
- Resolves: rhbz#606887 - SSSD stops on upgrade