New upstream release 1.6.0

https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0
Add host access control support for LDAP (similar to pam_host_attr)
Finer-grained control on principals used with Kerberos (such as for FAST or
validation)
Added a new tool sss_cache to allow selective expiring of cached entries
Added support for LDAP DEREF and ASQ controls
Added access control features for Novell Directory Server
FreeIPA dynamic DNS update now checks first to see if an update is needed
Complete rewrite of the HBAC library
New libraries: libipa_hbac and libipa_hbac-python
This commit is contained in:
Stephen Gallagher 2011-08-03 08:08:26 -04:00
parent ce222bafe5
commit 679b5f7a1b
4 changed files with 71 additions and 68 deletions

1
.gitignore vendored
View File

@ -15,3 +15,4 @@ sssd-1.2.91.tar.gz
/sssd-1.5.9.tar.gz
/sssd-1.5.10.tar.gz
/sssd-1.5.11.tar.gz
/sssd-1.6.0.tar.gz

View File

@ -1,63 +0,0 @@
From 7c4392c598f4ce426ee9e3fb9c8786677f55a33d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 2 May 2011 14:54:20 +0200
Subject: [PATCH] Return pam data to the renewal item if renewal fails
A previous patch changed a talloc_steal() into a talloc_move(). Now it
is not enough to change the parent memory context with talloc_steal to
give back the data, but it has to be assigned back too.
Additionally this patch uses the missing pam data as an indication that
a renewal request for this data is currently running.
---
src/providers/krb5/krb5_renew_tgt.c | 13 +++++++++----
1 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c
index cf50666ffea6cf68956673cf3a827f55c958d809..c848afbcfdee5a5201574551f72d23cec59a4263 100644
--- a/src/providers/krb5/krb5_renew_tgt.c
+++ b/src/providers/krb5/krb5_renew_tgt.c
@@ -72,7 +72,8 @@ static void renew_tgt(struct tevent_context *ev, struct tevent_timer *te,
DEBUG(1, ("krb5_auth_send failed.\n"));
/* Give back the pam data to the renewal item to be able to retry at the next
* time the renewals re run. */
- talloc_steal(auth_data->renew_data, auth_data->pd);
+ auth_data->renew_data->pd = talloc_steal(auth_data->renew_data,
+ auth_data->pd);
talloc_free(auth_data);
return;
}
@@ -95,7 +96,8 @@ static void renew_tgt_done(struct tevent_req *req)
DEBUG(1, ("krb5_auth request failed.\n"));
if (auth_data->renew_data != NULL) {
DEBUG(5, ("Giving back pam data.\n"));
- talloc_steal(auth_data->renew_data, auth_data->pd);
+ auth_data->renew_data->pd = talloc_steal(auth_data->renew_data,
+ auth_data->pd);
}
} else {
switch (pam_status) {
@@ -130,7 +132,8 @@ static void renew_tgt_done(struct tevent_req *req)
auth_data->pd->user));
if (auth_data->renew_data != NULL) {
DEBUG(5, ("Giving back pam data.\n"));
- talloc_steal(auth_data->renew_data, auth_data->pd);
+ auth_data->renew_data->pd = talloc_steal(auth_data->renew_data,
+ auth_data->pd);
}
break;
default:
@@ -169,7 +172,9 @@ static errno_t renew_all_tgts(struct renew_tgt_ctx *renew_tgt_ctx)
renew_data = talloc_get_type(entries[c].value.ptr, struct renew_data);
DEBUG(9, ("Checking [%s] for renewal at [%.24s].\n", renew_data->ccfile,
ctime(&renew_data->start_renew_at)));
- if (renew_data->start_renew_at < now) {
+ /* If renew_data->pd == NULL a renewal request for this data is
+ * currently running so we skip it. */
+ if (renew_data->start_renew_at < now && renew_data->pd != NULL) {
auth_data = talloc_zero(renew_tgt_ctx, struct auth_data);
if (auth_data == NULL) {
DEBUG(1, ("talloc_zero failed.\n"));
--
1.7.5

View File

@ -1 +1 @@
d4c7d20098f73a48053bf41d47d98b7b sssd-1.5.11.tar.gz
dd52363045b7e2c0094bb24603bb27b4 sssd-1.6.0.tar.gz

View File

@ -5,11 +5,11 @@
# Determine the location of the LDB modules directory
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
%global ldb_version 1.0.2
%global ldb_version 1.1.0
Name: sssd
Version: 1.5.11
Release: 2%{?dist}
Version: 1.6.0
Release: 1%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -79,6 +79,7 @@ BuildRequires: keyutils-libs-devel
BuildRequires: libnl-devel
BuildRequires: nscd
BuildRequires: gettext-devel
BuildRequires: libunistring-devel
%description
Provides a set of daemons to manage access to remote directories and
@ -109,6 +110,34 @@ SSSD when using id_provider = local in /etc/sssd/sssd.conf.
Also provides a userspace tool for generating an obfuscated LDAP password for
use with ldap_default_authtok_type = obfuscated_password.
%package -n libipa_hbac
Summary: FreeIPA HBAC Evaluator library
Group: Development/Libraries
License: LGPLv3+
%description -n libipa_hbac
Utility library to validate FreeIPA HBAC rules for authorization requests
%package -n libipa_hbac-devel
Summary: FreeIPA HBAC Evaluator library
Group: Development/Libraries
License: LGPLv3+
Requires: libipa_hbac = %{version}-%{release}
%description -n libipa_hbac-devel
Utility library to validate FreeIPA HBAC rules for authorization requests
%package -n libipa_hbac-python
Summary: Python bindings for the FreeIPA HBAC Evaluator library
Group: Development/Libraries
License: LGPLv3+
Requires: libipa_hbac = %{version}-%{release}
%description -n libipa_hbac-python
The libipa_hbac-python contains the bindings so that libipa_hbac can be
used by Python applications.
%prep
%setup -q
@ -170,7 +199,9 @@ rm -f \
$RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ipa.la \
$RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_simple.la \
$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la \
$RPM_BUILD_ROOT/%{python_sitearch}/pysss.la
$RPM_BUILD_ROOT/%{_libdir}/libipa_hbac.la \
$RPM_BUILD_ROOT/%{python_sitearch}/pysss.la \
$RPM_BUILD_ROOT/%{python_sitearch}/pyhbac.la
# Older versions of rpmbuild can only handle one -f option
# So we need to append to the sssd.lang file
@ -246,6 +277,7 @@ rm -rf $RPM_BUILD_ROOT
%{_sbindir}/sss_groupmod
%{_sbindir}/sss_groupshow
%{_sbindir}/sss_obfuscate
%{_sbindir}/sss_cache
%{_mandir}/man8/sss_groupadd.8*
%{_mandir}/man8/sss_groupdel.8*
%{_mandir}/man8/sss_groupmod.8*
@ -254,6 +286,22 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/sss_userdel.8*
%{_mandir}/man8/sss_usermod.8*
%{_mandir}/man8/sss_obfuscate.8*
%{_mandir}/man8/sss_cache.8*
%files -n libipa_hbac
%defattr(-,root,root,-)
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libipa_hbac.so.*
%files -n libipa_hbac-devel
%defattr(-,root,root,-)
%{_includedir}/ipa_hbac.h
%{_libdir}/libipa_hbac.so
%{_libdir}/pkgconfig/ipa_hbac.pc
%files -n libipa_hbac-python
%defattr(-,root,root,-)
%{python_sitearch}/pyhbac.so
%post
/sbin/ldconfig
@ -296,7 +344,24 @@ fi
%postun client -p /sbin/ldconfig
%post -n libipa_hbac -p /sbin/ldconfig
%postun -n libipa_hbac -p /sbin/ldconfig
%changelog
* Wed Aug 03 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.6.0-1
- New upstream release 1.6.0
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0
- Add host access control support for LDAP (similar to pam_host_attr)
- Finer-grained control on principals used with Kerberos (such as for FAST or
- validation)
- Added a new tool sss_cache to allow selective expiring of cached entries
- Added support for LDAP DEREF and ASQ controls
- Added access control features for Novell Directory Server
- FreeIPA dynamic DNS update now checks first to see if an update is needed
- Complete rewrite of the HBAC library
- New libraries: libipa_hbac and libipa_hbac-python
* Tue Jul 05 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.11-2
- New upstream release 1.5.11
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11