New upstream release 1.6.0
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0
Add host access control support for LDAP (similar to pam_host_attr)
Finer-grained control on principals used with Kerberos (such as for FAST or validation)
Added a new tool sss_cache to allow selective expiring of cached entries
Added support for LDAP DEREF and ASQ controls
Added access control features for Novell Directory Server
FreeIPA dynamic DNS update now checks first to see if an update is needed
Complete rewrite of the HBAC library
New libraries: libipa_hbac and libipa_hbac-python
parent
ce222bafe5
commit
679b5f7a1b
1
.gitignore
vendored
1
.gitignore
vendored
@ -15,3 +15,4 @@ sssd-1.2.91.tar.gz
|
||||
/sssd-1.5.9.tar.gz
|
||||
/sssd-1.5.10.tar.gz
|
||||
/sssd-1.5.11.tar.gz
|
||||
/sssd-1.6.0.tar.gz
|
||||
|
@ -1,63 +0,0 @@
|
||||
From 7c4392c598f4ce426ee9e3fb9c8786677f55a33d Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 2 May 2011 14:54:20 +0200
|
||||
Subject: [PATCH] Return pam data to the renewal item if renewal fails
|
||||
|
||||
A previous patch changed a talloc_steal() into a talloc_move(). Now it
|
||||
is not enough to change the parent memory context with talloc_steal to
|
||||
give back the data, but it has to be assigned back too.
|
||||
|
||||
Additionally this patch uses the missing pam data as an indication that
|
||||
a renewal request for this data is currently running.
|
||||
---
|
||||
src/providers/krb5/krb5_renew_tgt.c | 13 +++++++++----
|
||||
1 files changed, 9 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c
|
||||
index cf50666ffea6cf68956673cf3a827f55c958d809..c848afbcfdee5a5201574551f72d23cec59a4263 100644
|
||||
--- a/src/providers/krb5/krb5_renew_tgt.c
|
||||
+++ b/src/providers/krb5/krb5_renew_tgt.c
|
||||
@@ -72,7 +72,8 @@ static void renew_tgt(struct tevent_context *ev, struct tevent_timer *te,
|
||||
DEBUG(1, ("krb5_auth_send failed.\n"));
|
||||
/* Give back the pam data to the renewal item to be able to retry at the next
|
||||
* time the renewals re run. */
|
||||
- talloc_steal(auth_data->renew_data, auth_data->pd);
|
||||
+ auth_data->renew_data->pd = talloc_steal(auth_data->renew_data,
|
||||
+ auth_data->pd);
|
||||
talloc_free(auth_data);
|
||||
return;
|
||||
}
|
||||
@@ -95,7 +96,8 @@ static void renew_tgt_done(struct tevent_req *req)
|
||||
DEBUG(1, ("krb5_auth request failed.\n"));
|
||||
if (auth_data->renew_data != NULL) {
|
||||
DEBUG(5, ("Giving back pam data.\n"));
|
||||
- talloc_steal(auth_data->renew_data, auth_data->pd);
|
||||
+ auth_data->renew_data->pd = talloc_steal(auth_data->renew_data,
|
||||
+ auth_data->pd);
|
||||
}
|
||||
} else {
|
||||
switch (pam_status) {
|
||||
@@ -130,7 +132,8 @@ static void renew_tgt_done(struct tevent_req *req)
|
||||
auth_data->pd->user));
|
||||
if (auth_data->renew_data != NULL) {
|
||||
DEBUG(5, ("Giving back pam data.\n"));
|
||||
- talloc_steal(auth_data->renew_data, auth_data->pd);
|
||||
+ auth_data->renew_data->pd = talloc_steal(auth_data->renew_data,
|
||||
+ auth_data->pd);
|
||||
}
|
||||
break;
|
||||
default:
|
||||
@@ -169,7 +172,9 @@ static errno_t renew_all_tgts(struct renew_tgt_ctx *renew_tgt_ctx)
|
||||
renew_data = talloc_get_type(entries[c].value.ptr, struct renew_data);
|
||||
DEBUG(9, ("Checking [%s] for renewal at [%.24s].\n", renew_data->ccfile,
|
||||
ctime(&renew_data->start_renew_at)));
|
||||
- if (renew_data->start_renew_at < now) {
|
||||
+ /* If renew_data->pd == NULL a renewal request for this data is
|
||||
+ * currently running so we skip it. */
|
||||
+ if (renew_data->start_renew_at < now && renew_data->pd != NULL) {
|
||||
auth_data = talloc_zero(renew_tgt_ctx, struct auth_data);
|
||||
if (auth_data == NULL) {
|
||||
DEBUG(1, ("talloc_zero failed.\n"));
|
||||
--
|
||||
1.7.5
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
d4c7d20098f73a48053bf41d47d98b7b sssd-1.5.11.tar.gz
|
||||
dd52363045b7e2c0094bb24603bb27b4 sssd-1.6.0.tar.gz
|
||||
|
73
sssd.spec
73
sssd.spec
@ -5,11 +5,11 @@
|
||||
|
||||
# Determine the location of the LDB modules directory
|
||||
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
|
||||
%global ldb_version 1.0.2
|
||||
%global ldb_version 1.1.0
|
||||
|
||||
Name: sssd
|
||||
Version: 1.5.11
|
||||
Release: 2%{?dist}
|
||||
Version: 1.6.0
|
||||
Release: 1%{?dist}
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
@ -79,6 +79,7 @@ BuildRequires: keyutils-libs-devel
|
||||
BuildRequires: libnl-devel
|
||||
BuildRequires: nscd
|
||||
BuildRequires: gettext-devel
|
||||
BuildRequires: libunistring-devel
|
||||
|
||||
%description
|
||||
Provides a set of daemons to manage access to remote directories and
|
||||
@ -109,6 +110,34 @@ SSSD when using id_provider = local in /etc/sssd/sssd.conf.
|
||||
Also provides a userspace tool for generating an obfuscated LDAP password for
|
||||
use with ldap_default_authtok_type = obfuscated_password.
|
||||
|
||||
%package -n libipa_hbac
|
||||
Summary: FreeIPA HBAC Evaluator library
|
||||
Group: Development/Libraries
|
||||
License: LGPLv3+
|
||||
|
||||
%description -n libipa_hbac
|
||||
Utility library to validate FreeIPA HBAC rules for authorization requests
|
||||
|
||||
%package -n libipa_hbac-devel
|
||||
Summary: FreeIPA HBAC Evaluator library
|
||||
Group: Development/Libraries
|
||||
License: LGPLv3+
|
||||
Requires: libipa_hbac = %{version}-%{release}
|
||||
|
||||
%description -n libipa_hbac-devel
|
||||
Utility library to validate FreeIPA HBAC rules for authorization requests
|
||||
|
||||
%package -n libipa_hbac-python
|
||||
Summary: Python bindings for the FreeIPA HBAC Evaluator library
|
||||
Group: Development/Libraries
|
||||
License: LGPLv3+
|
||||
Requires: libipa_hbac = %{version}-%{release}
|
||||
|
||||
%description -n libipa_hbac-python
|
||||
The libipa_hbac-python contains the bindings so that libipa_hbac can be
|
||||
used by Python applications.
|
||||
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
|
||||
@ -170,7 +199,9 @@ rm -f \
|
||||
$RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ipa.la \
|
||||
$RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_simple.la \
|
||||
$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la \
|
||||
$RPM_BUILD_ROOT/%{python_sitearch}/pysss.la
|
||||
$RPM_BUILD_ROOT/%{_libdir}/libipa_hbac.la \
|
||||
$RPM_BUILD_ROOT/%{python_sitearch}/pysss.la \
|
||||
$RPM_BUILD_ROOT/%{python_sitearch}/pyhbac.la
|
||||
|
||||
# Older versions of rpmbuild can only handle one -f option
|
||||
# So we need to append to the sssd.lang file
|
||||
@ -246,6 +277,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_sbindir}/sss_groupmod
|
||||
%{_sbindir}/sss_groupshow
|
||||
%{_sbindir}/sss_obfuscate
|
||||
%{_sbindir}/sss_cache
|
||||
%{_mandir}/man8/sss_groupadd.8*
|
||||
%{_mandir}/man8/sss_groupdel.8*
|
||||
%{_mandir}/man8/sss_groupmod.8*
|
||||
@ -254,6 +286,22 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_mandir}/man8/sss_userdel.8*
|
||||
%{_mandir}/man8/sss_usermod.8*
|
||||
%{_mandir}/man8/sss_obfuscate.8*
|
||||
%{_mandir}/man8/sss_cache.8*
|
||||
|
||||
%files -n libipa_hbac
|
||||
%defattr(-,root,root,-)
|
||||
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
||||
%{_libdir}/libipa_hbac.so.*
|
||||
|
||||
%files -n libipa_hbac-devel
|
||||
%defattr(-,root,root,-)
|
||||
%{_includedir}/ipa_hbac.h
|
||||
%{_libdir}/libipa_hbac.so
|
||||
%{_libdir}/pkgconfig/ipa_hbac.pc
|
||||
|
||||
%files -n libipa_hbac-python
|
||||
%defattr(-,root,root,-)
|
||||
%{python_sitearch}/pyhbac.so
|
||||
|
||||
%post
|
||||
/sbin/ldconfig
|
||||
@ -296,7 +344,24 @@ fi
|
||||
|
||||
%postun client -p /sbin/ldconfig
|
||||
|
||||
%post -n libipa_hbac -p /sbin/ldconfig
|
||||
|
||||
%postun -n libipa_hbac -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Wed Aug 03 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.6.0-1
|
||||
- New upstream release 1.6.0
|
||||
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0
|
||||
- Add host access control support for LDAP (similar to pam_host_attr)
|
||||
- Finer-grained control on principals used with Kerberos (such as for FAST or
|
||||
- validation)
|
||||
- Added a new tool sss_cache to allow selective expiring of cached entries
|
||||
- Added support for LDAP DEREF and ASQ controls
|
||||
- Added access control features for Novell Directory Server
|
||||
- FreeIPA dynamic DNS update now checks first to see if an update is needed
|
||||
- Complete rewrite of the HBAC library
|
||||
- New libraries: libipa_hbac and libipa_hbac-python
|
||||
|
||||
* Tue Jul 05 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.11-2
|
||||
- New upstream release 1.5.11
|
||||
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11
|
||||
|
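Review bot: Nothing in the visible hunks ties the main `sssd` package to the matching build of the new `libipa_hbac` library: the subpackages are declared in the `%package` and `%files` hunks, and the hunk offsets (`-79,6 +79,7` following `-5,11 +5,11`) suggest no `Requires:` line was added to the main package header. The changelog describes a complete rewrite of the HBAC evaluator, which decides host-based access, so if the IPA provider links against it, relying on the automatic soname dependency alone would let an sssd build run with a different libipa_hbac build; consider adding `Requires: libipa_hbac = %{version}-%{release}` to the main package. The `Requires:` lines in `libipa_hbac-devel` and `libipa_hbac-python` could also use `libipa_hbac%{?_isa}` so the dependency stays arch-specific on multilib systems, and `libipa_hbac-devel` repeats the runtime package's Summary and description verbatim instead of describing the development files. The main package header lies outside the hunks shown, so this should be confirmed against the full spec.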