diff --git a/.gitignore b/.gitignore
index f27e8c4..ffc34b6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,4 @@ sssd-1.2.91.tar.gz
 /sssd-1.5.9.tar.gz
 /sssd-1.5.10.tar.gz
 /sssd-1.5.11.tar.gz
+/sssd-1.6.0.tar.gz
diff --git a/0001-Return-pam-data-to-the-renewal-item-if-renewal-fails.patch b/0001-Return-pam-data-to-the-renewal-item-if-renewal-fails.patch
deleted file mode 100644
index 2ed94e1..0000000
--- a/0001-Return-pam-data-to-the-renewal-item-if-renewal-fails.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 7c4392c598f4ce426ee9e3fb9c8786677f55a33d Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Mon, 2 May 2011 14:54:20 +0200
-Subject: [PATCH] Return pam data to the renewal item if renewal fails
-
-A previous patch changed a talloc_steal() into a talloc_move(). Now it
-is not enough to change the parent memory context with talloc_steal to
-give back the data, but it has to be assigned back too.
-
-Additionally this patch uses the missing pam data as an indication that
-a renewal request for this data is currently running.
----
- src/providers/krb5/krb5_renew_tgt.c | 13 +++++++++----
- 1 files changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c
-index cf50666ffea6cf68956673cf3a827f55c958d809..c848afbcfdee5a5201574551f72d23cec59a4263 100644
---- a/src/providers/krb5/krb5_renew_tgt.c
-+++ b/src/providers/krb5/krb5_renew_tgt.c
-@@ -72,7 +72,8 @@ static void renew_tgt(struct tevent_context *ev, struct tevent_timer *te,
- DEBUG(1, ("krb5_auth_send failed.\n"));
- /* Give back the pam data to the renewal item to be able to retry at the next
- * time the renewals re run.
*/
-- talloc_steal(auth_data->renew_data, auth_data->pd);
-+ auth_data->renew_data->pd = talloc_steal(auth_data->renew_data,
-+ auth_data->pd);
- talloc_free(auth_data);
- return;
- }
-@@ -95,7 +96,8 @@ static void renew_tgt_done(struct tevent_req *req)
- DEBUG(1, ("krb5_auth request failed.\n"));
- if (auth_data->renew_data != NULL) {
- DEBUG(5, ("Giving back pam data.\n"));
-- talloc_steal(auth_data->renew_data, auth_data->pd);
-+ auth_data->renew_data->pd = talloc_steal(auth_data->renew_data,
-+ auth_data->pd);
- }
- } else {
- switch (pam_status) {
-@@ -130,7 +132,8 @@ static void renew_tgt_done(struct tevent_req *req)
- auth_data->pd->user));
- if (auth_data->renew_data != NULL) {
- DEBUG(5, ("Giving back pam data.\n"));
-- talloc_steal(auth_data->renew_data, auth_data->pd);
-+ auth_data->renew_data->pd = talloc_steal(auth_data->renew_data,
-+ auth_data->pd);
- }
- break;
- default:
-@@ -169,7 +172,9 @@ static errno_t renew_all_tgts(struct renew_tgt_ctx *renew_tgt_ctx)
- renew_data = talloc_get_type(entries[c].value.ptr, struct renew_data);
- DEBUG(9, ("Checking [%s] for renewal at [%.24s].\n", renew_data->ccfile,
- ctime(&renew_data->start_renew_at)));
-- if (renew_data->start_renew_at < now) {
-+ /* If renew_data->pd == NULL a renewal request for this data is
-+ * currently running so we skip it. */
-+ if (renew_data->start_renew_at < now && renew_data->pd != NULL) {
- auth_data = talloc_zero(renew_tgt_ctx, struct auth_data);
- if (auth_data == NULL) {
- DEBUG(1, ("talloc_zero failed.\n"));
---
-1.7.5
-
diff --git a/sources b/sources
index 55e82cf..7d46791 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-d4c7d20098f73a48053bf41d47d98b7b sssd-1.5.11.tar.gz
+dd52363045b7e2c0094bb24603bb27b4 sssd-1.6.0.tar.gz
diff --git a/sssd.spec b/sssd.spec
index c89e71a..6a348ab 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -5,11 +5,11 @@ # Determine the location of the LDB modules directory %global ldb_modulesdir %(pkg-config --variable=modulesdir ldb) -%global ldb_version 1.0.2 +%global ldb_version 1.1.0 Name: sssd -Version: 1.5.11 -Release: 2%{?dist} +Version: 1.6.0 +Release: 1%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -79,6 +79,7 @@ BuildRequires: keyutils-libs-devel BuildRequires: libnl-devel BuildRequires: nscd BuildRequires: gettext-devel +BuildRequires: libunistring-devel %description Provides a set of daemons to manage access to remote directories and @@ -109,6 +110,34 @@ SSSD when using id_provider = local in /etc/sssd/sssd.conf. Also provides a userspace tool for generating an obfuscated LDAP password for use with ldap_default_authtok_type = obfuscated_password. +%package -n libipa_hbac +Summary: FreeIPA HBAC Evaluator library +Group: Development/Libraries +License: LGPLv3+ + +%description -n libipa_hbac +Utility library to validate FreeIPA HBAC rules for authorization requests + +%package -n libipa_hbac-devel +Summary: FreeIPA HBAC Evaluator library +Group: Development/Libraries +License: LGPLv3+ +Requires: libipa_hbac = %{version}-%{release} + +%description -n libipa_hbac-devel +Utility library to validate FreeIPA HBAC rules for authorization requests + +%package -n libipa_hbac-python +Summary: Python bindings for the FreeIPA HBAC Evaluator library +Group: Development/Libraries +License: LGPLv3+ +Requires: libipa_hbac = %{version}-%{release} + +%description -n libipa_hbac-python +The libipa_hbac-python contains the bindings so that libipa_hbac can be +used by Python applications. + + %prep %setup -q 
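Review bot: The `Requires: libipa_hbac = %{version}-%{release}` lines in the new libipa_hbac-devel and libipa_hbac-python subpackages (third hunk, `@@ -109,6 +110,34 @@`) are not architecture-qualified, so on a multilib system the dependency can be satisfied by the library built for the other architecture. The Python binding is installed under `%{python_sitearch}` in the later `%files` hunk, so it presumably links against the same-arch `libipa_hbac.so`; I would write `Requires: libipa_hbac%{?_isa} = %{version}-%{release}` in both places. Separately, libipa_hbac-devel reuses the runtime package's Summary and description verbatim; something like `Summary: Development files for the FreeIPA HBAC Evaluator library` would tell the two packages apart.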
@@ -170,7 +199,9 @@ rm -f \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ipa.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_simple.la \ $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la \ - $RPM_BUILD_ROOT/%{python_sitearch}/pysss.la + $RPM_BUILD_ROOT/%{_libdir}/libipa_hbac.la \ + $RPM_BUILD_ROOT/%{python_sitearch}/pysss.la \ + $RPM_BUILD_ROOT/%{python_sitearch}/pyhbac.la # Older versions of rpmbuild can only handle one -f option # So we need to append to the sssd.lang file @@ -246,6 +277,7 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/sss_groupmod %{_sbindir}/sss_groupshow %{_sbindir}/sss_obfuscate +%{_sbindir}/sss_cache %{_mandir}/man8/sss_groupadd.8* %{_mandir}/man8/sss_groupdel.8* %{_mandir}/man8/sss_groupmod.8* @@ -254,6 +286,22 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sss_userdel.8* %{_mandir}/man8/sss_usermod.8* %{_mandir}/man8/sss_obfuscate.8* +%{_mandir}/man8/sss_cache.8* + +%files -n libipa_hbac +%defattr(-,root,root,-) +%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER +%{_libdir}/libipa_hbac.so.* + +%files -n libipa_hbac-devel +%defattr(-,root,root,-) +%{_includedir}/ipa_hbac.h +%{_libdir}/libipa_hbac.so +%{_libdir}/pkgconfig/ipa_hbac.pc + +%files -n libipa_hbac-python +%defattr(-,root,root,-) +%{python_sitearch}/pyhbac.so %post /sbin/ldconfig 
@@ -296,7 +344,24 @@ fi %postun client -p /sbin/ldconfig +%post -n libipa_hbac -p /sbin/ldconfig + +%postun -n libipa_hbac -p /sbin/ldconfig + %changelog +* Wed Aug 03 2011 Stephen Gallagher - 1.6.0-1 +- New upstream release 1.6.0 +- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 +- Add host access control support for LDAP (similar to pam_host_attr) +- Finer-grained control on principals used with Kerberos (such as for FAST or +- validation) +- Added a new tool sss_cache to allow selective expiring of cached entries +- Added support for LDAP DEREF and ASQ controls +- Added access control features for Novell Directory Server +- FreeIPA dynamic DNS update now checks first to see if an update is needed +- Complete rewrite of the HBAC library +- New libraries: libipa_hbac and libipa_hbac-python + * Tue Jul 05 2011 Stephen Gallagher - 1.5.11-2 - New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11