New upstream release

- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1
- Support for the service map in NSS
- Support for setting default SELinux user context from FreeIPA
- Support for retrieving SSH user and host keys from LDAP (Experimental)
- Support for caching autofs LDAP requests (Experimental)
- Support for caching SUDO rules (Experimental)

.gitignore

@@ -21,3 +21,4 @@ sssd-1.2.91.tar.gz
 /sssd-1.6.3.tar.gz
 /sssd-1.6.4.tar.gz
 /sssd-1.7.0.tar.gz
+/sssd-1.8.0beta1.tar.gz

0001-LDAP-Do-not-fail-if-RootDSE-check-cannot-determine-s.patch

@@ -1,254 +0,0 @@
-From cd59e5d02ec97ea309fd51d4d6a6a4421617cd12 Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Wed, 1 Feb 2012 14:03:36 -0500
-Subject: [PATCH] LDAP: Do not fail if RootDSE check cannot determine search
- bases
-
-https://fedorahosted.org/sssd/ticket/1152
-
-Conflicts:
-
-	src/providers/ldap/sdap_async_services.c
----
- src/providers/ipa/ipa_netgroups.c          |    7 +++++
- src/providers/ldap/ldap_common.c           |    5 +--
- src/providers/ldap/sdap.c                  |    7 ++++-
- src/providers/ldap/sdap_async_groups.c     |    9 +++++++
- src/providers/ldap/sdap_async_initgroups.c |   35 +++++++++++++++++++++++++++-
- src/providers/ldap/sdap_async_netgroups.c  |   10 ++++++++
- src/providers/ldap/sdap_async_users.c      |    9 +++++++
- src/providers/ldap/sdap_sudo.c             |    9 +++++++
- 8 files changed, 86 insertions(+), 5 deletions(-)
-
-diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
-index 78bcee1b44fec3c8d04fc5ba13b46db26396d1b1..7da1147c7d6fd1dec8872209e442ae99ee810aa1 100644
---- a/src/providers/ipa/ipa_netgroups.c
-+++ b/src/providers/ipa/ipa_netgroups.c
-@@ -209,6 +209,13 @@ struct tevent_req *ipa_get_netgroups_send(TALLOC_CTX *memctx,
-     state->base_filter = filter;
-     state->netgr_base_iter = 0;
- 
-+    if (!ipa_options->id->netgroup_search_bases) {
-+        DEBUG(SSSDBG_CRIT_FAILURE,
-+              ("Netgroup lookup request without a search base\n"));
-+        ret = EINVAL;
-+        goto done;
-+    }
-+
-     ret = sss_hash_create(state, 32, &state->new_netgroups);
-     if (ret != EOK) goto done;
-     ret = sss_hash_create(state, 32, &state->new_users);
-diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
-index 71921963a768a9975eca6432025704e06f28a2b8..c287b345217befeb872b25521d80d601fc27f0c7 100644
---- a/src/providers/ldap/ldap_common.c
-+++ b/src/providers/ldap/ldap_common.c
-@@ -538,9 +538,8 @@ int ldap_get_sudo_options(TALLOC_CTX *memctx,
-                   dp_opt_get_string(opts->basic, SDAP_SUDO_SEARCH_BASE)));
-         }
-     } else {
--        /* FIXME: try to discover it later */
--        DEBUG(SSSDBG_OP_FAILURE, ("Error: no SUDO search base set\n"));
--        return ENOENT;
-+        DEBUG(SSSDBG_TRACE_FUNC, ("Search base not set, trying to discover it later "
-+              "connecting to the LDAP server.\n"));
-     }
- 
-     ret = sdap_parse_search_base(opts, opts->basic,
-diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
-index 3ca2e286146e1e88b1fd7abef341fa8c3aa699ad..2b29116949b2f8efae269a994a0f3da64a0ee612 100644
---- a/src/providers/ldap/sdap.c
-+++ b/src/providers/ldap/sdap.c
-@@ -748,7 +748,12 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
-         naming_context = get_naming_context(opts->basic, rootdse);
-         if (naming_context == NULL) {
-             DEBUG(1, ("get_naming_context failed.\n"));
--            ret = EINVAL;
-+
-+            /* This has to be non-fatal, since some servers offer
-+             * multiple namingContexts entries. We will just
-+             * add NULL checks for the search bases in the lookups.
-+             */
-+            ret = EOK;
-             goto done;
-         }
-     }
-diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
-index e59640997d78db525a98a63cd230d2bc1a74d1a1..fe5dbd49a159c0ca4f57d60b7f69a8792e9a42c9 100644
---- a/src/providers/ldap/sdap_async_groups.c
-+++ b/src/providers/ldap/sdap_async_groups.c
-@@ -1217,7 +1217,16 @@ struct tevent_req *sdap_get_groups_send(TALLOC_CTX *memctx,
-     state->base_iter = 0;
-     state->search_bases = search_bases;
- 
-+    if (!search_bases) {
-+        DEBUG(SSSDBG_CRIT_FAILURE,
-+              ("Group lookup request without a search base\n"));
-+        ret = EINVAL;
-+        goto done;
-+    }
-+
-     ret = sdap_get_groups_next_base(req);
-+
-+done:
-     if (ret != EOK) {
-         tevent_req_error(req, ret);
-         tevent_req_post(req, ev);
-diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
-index 73ab25ea79cd66ff5fe7131ee7606cf71aa382e5..a769b100557b2d685cb022f09bea0d70ccfe3bb3 100644
---- a/src/providers/ldap/sdap_async_initgroups.c
-+++ b/src/providers/ldap/sdap_async_initgroups.c
-@@ -303,6 +303,13 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
-     state->base_iter = 0;
-     state->search_bases = opts->group_search_bases;
- 
-+    if (!state->search_bases) {
-+        DEBUG(SSSDBG_CRIT_FAILURE,
-+              ("Initgroups lookup request without a group search base\n"));
-+        ret = EINVAL;
-+        goto done;
-+    }
-+
-     state->name = talloc_strdup(state, name);
-     if (!state->name) {
-         talloc_zfree(req);
-@@ -337,6 +344,8 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
-     talloc_zfree(clean_name);
- 
-     ret = sdap_initgr_rfc2307_next_base(req);
-+
-+done:
-     if (ret != EOK) {
-         tevent_req_error(req, ret);
-         tevent_req_post(req, ev);
-@@ -1432,6 +1441,13 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
-     state->base_iter = 0;
-     state->search_bases = opts->group_search_bases;
- 
-+    if (!state->search_bases) {
-+        DEBUG(SSSDBG_CRIT_FAILURE,
-+              ("Initgroups lookup request without a group search base\n"));
-+        ret = EINVAL;
-+        goto done;
-+    }
-+
-     ret = sss_hash_create(state, 32, &state->group_hash);
-     if (ret != EOK) {
-         talloc_free(req);
-@@ -2006,9 +2022,17 @@ struct tevent_req *rfc2307bis_nested_groups_send(
-                                     SDAP_SEARCH_TIMEOUT);
-     state->base_iter = 0;
-     state->search_bases = opts->group_search_bases;
--
-+    if (!state->search_bases) {
-+        DEBUG(SSSDBG_CRIT_FAILURE,
-+              ("Initgroups nested lookup request "
-+               "without a group search base\n"));
-+        ret = EINVAL;
-+        goto done;
-+    }
- 
-     ret = rfc2307bis_nested_groups_step(req);
-+
-+done:
-     if (ret == EOK) {
-         /* All parent groups were already processed */
-         tevent_req_done(req);
-@@ -2378,9 +2402,16 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
-     state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
-     state->user_base_iter = 0;
-     state->user_search_bases = id_ctx->opts->user_search_bases;
-+    if (!state->user_search_bases) {
-+        DEBUG(SSSDBG_CRIT_FAILURE,
-+              ("Initgroups lookup request without a user search base\n"));
-+        ret = EINVAL;
-+        goto done;
-+    }
- 
-     ret = sss_filter_sanitize(state, name, &clean_name);
-     if (ret != EOK) {
-+        talloc_zfree(req);
-         return NULL;
-     }
- 
-@@ -2402,6 +2433,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
-     }
- 
-     ret = sdap_get_initgr_next_base(req);
-+
-+done:
-     if (ret != EOK) {
-         tevent_req_error(req, ret);
-         tevent_req_post(req, ev);
-diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c
-index 0888c7e2fcf03d0b133bcf93ad017086aedffe16..f3a378f6488cfd46001c22b3a5abf29724f2fd0d 100644
---- a/src/providers/ldap/sdap_async_netgroups.c
-+++ b/src/providers/ldap/sdap_async_netgroups.c
-@@ -579,7 +579,17 @@ struct tevent_req *sdap_get_netgroups_send(TALLOC_CTX *memctx,
-     state->base_iter = 0;
-     state->search_bases = search_bases;
- 
-+    if (!state->search_bases) {
-+        DEBUG(SSSDBG_CRIT_FAILURE,
-+              ("Netgroup lookup request without a netgroup search base\n"));
-+        ret = EINVAL;
-+        goto done;
-+    }
-+
-+
-     ret = sdap_get_netgroups_next_base(req);
-+
-+done:
-     if (ret != EOK) {
-         tevent_req_error(req, ret);
-         tevent_req_post(req, state->ev);
-diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
-index ac856a64208cb87994f676ab50fdba6d82dbcb50..01168321951fa9d14f4b58d891cb922c6c44d2c2 100644
---- a/src/providers/ldap/sdap_async_users.c
-+++ b/src/providers/ldap/sdap_async_users.c
-@@ -434,7 +434,16 @@ struct tevent_req *sdap_get_users_send(TALLOC_CTX *memctx,
-     state->search_bases = search_bases;
-     state->enumeration = enumeration;
- 
-+    if (!state->search_bases) {
-+        DEBUG(SSSDBG_CRIT_FAILURE,
-+              ("User lookup request without a search base\n"));
-+        ret = EINVAL;
-+        goto done;
-+    }
-+
-     ret = sdap_get_users_next_base(req);
-+
-+done:
-     if (ret != EOK) {
-         tevent_req_error(req, ret);
-         tevent_req_post(req, state->ev);
-diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
-index 68cb47cd38952594d34ccc81913b7308caf9af10..aeae22eccf2a9adf3fb2fde831a3b492a6c4afb7 100644
---- a/src/providers/ldap/sdap_sudo.c
-+++ b/src/providers/ldap/sdap_sudo.c
-@@ -237,6 +237,13 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx,
-     state->ldap_rules = NULL;
-     state->ldap_rules_count = 0;
- 
-+    if (!state->search_bases) {
-+        DEBUG(SSSDBG_CRIT_FAILURE,
-+              ("SUDOERS lookup request without a search base\n"));
-+        ret = EINVAL;
-+        goto done;
-+    }
-+
-     /* create filter */
-     state->filter = sdap_sudo_build_filter(state,
-                                            state->opts->sudorule_map,
-@@ -256,6 +263,8 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx,
- 
-     /* begin search */
-     ret = sdap_sudo_load_sudoers_next_base(req);
-+
-+done:
-     if (ret != EOK) {
-         tevent_req_error(req, ret);
-         tevent_req_post(req, sudo_ctx->be_ctx->ev);
--- 
-1.7.7.6
-

0002-DP-Fix-bugs-in-sss_dp_get_account_int.patch

@@ -1,265 +0,0 @@
-From 707b20e80a5c5b86944dc55bbc652b392a4c6454 Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Sat, 21 Jan 2012 12:11:23 -0500
-Subject: [PATCH 5/5] DP: Fix bugs in sss_dp_get_account_int
-
-The conversion to the tevent_req style introduced numerous bugs
-related to memory management of the various client requests. In
-some circumstances, this could cause memory corruption and
-segmentation faults in the NSS responder. This patch makes the
-following changes:
-
-1) Rename the internal lookup from subreq to sidereq, to indicate
-that it is not a sub-request of the current lookup (and therefore
-is not cancelled if the current request is).
-
-2) Change the handling of the callback loops since they call
-tevent_req_[done|error], which results in them being freed (and
-therefore removed from the cb_list. This was the source of the
-memory corruption that would occasionally result in dereferencing
-an unreadable request.
-
-3) Remove the unnecessary sss_dp_get_account_int_recv() function
-and change sss_dp_get_account_done() so that it only frees the
-sidereq. All of the waiting processes have already been signaled
-with the final results from sss_dp_get_account_int_done()
----
- src/responder/common/responder_dp.c        |  110 +++++++++++-----------------
- src/responder/nss/nsssrv_cmd.c             |    1 +
- src/responder/pam/pamsrv_cmd.c             |    1 +
- src/responder/sudo/sudosrv_get_sudorules.c |    1 +
- 4 files changed, 47 insertions(+), 66 deletions(-)
-
-diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
-index f51e2496a165cc2b776af776f2e9d1ea75b8e62c..9219037cc6055899e675eef846af54238d5c61e1 100644
---- a/src/responder/common/responder_dp.c
-+++ b/src/responder/common/responder_dp.c
-@@ -92,11 +92,28 @@ static int sss_dp_req_destructor(void *ptr)
-     /* If there are callbacks that haven't been invoked, return
-      * an error now.
-      */
--    DLIST_FOR_EACH(cb, sdp_req->cb_list) {
-+    while((cb = sdp_req->cb_list) != NULL) {
-         state = tevent_req_data(cb->req, struct dp_get_account_state);
-         state->err_maj = DP_ERR_FATAL;
-         state->err_min = EIO;
-+
-+        /* tevent_req_done/error will free cb */
-         tevent_req_error(cb->req, EIO);
-+
-+        /* Freeing the cb removes it from the cb_list.
-+         * Therefore, the cb_list should now be pointing
-+         * at a new callback. If it's not, it means the
-+         * callback handler didn't free cb and may leak
-+         * memory. Be paranoid and protect against this
-+         * situation.
-+         */
-+        if (cb == sdp_req->cb_list) {
-+            DEBUG(SSSDBG_FATAL_FAILURE,
-+                  ("BUG: a callback did not free its request. "
-+                   "May leak memory\n"));
-+            /* Skip to the next since a memory leak is non-fatal */
-+            sdp_req->cb_list = sdp_req->cb_list->next;
-+        }
-     }
- 
-     /* Destroy the hash entry */
-@@ -225,14 +242,6 @@ sss_dp_get_account_int_send(struct resp_ctx *rctx,
- static void
- sss_dp_get_account_done(struct tevent_req *subreq);
- 
--static errno_t
--sss_dp_get_account_int_recv(TALLOC_CTX *mem_ctx,
--                        struct tevent_req *req,
--                        dbus_uint16_t *err_maj,
--                        dbus_uint32_t *err_min,
--                        char **err_msg);
--
--
- /* Send a request to the data provider
-  * Once this function is called, the communication
-  * with the data provider will always run to
-@@ -252,7 +261,7 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
-     errno_t ret;
-     int hret;
-     struct tevent_req *req;
--    struct tevent_req *subreq;
-+    struct tevent_req *sidereq;
-     struct dp_get_account_state *state;
-     struct sss_dp_req *sdp_req;
-     struct sss_dp_callback *cb;
-@@ -343,19 +352,19 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
-          */
- 
-         value.type = HASH_VALUE_PTR;
--        subreq = sss_dp_get_account_int_send(rctx, state->key, dom,
-+        sidereq = sss_dp_get_account_int_send(rctx, state->key, dom,
-                                              be_type, filter);
--        if (!subreq) {
-+        if (!sidereq) {
-             ret = ENOMEM;
-             goto error;
-         }
--        tevent_req_set_callback(subreq, sss_dp_get_account_done, NULL);
-+        tevent_req_set_callback(sidereq, sss_dp_get_account_done, NULL);
- 
-         /* We should now be able to find the sdp_req in the hash table */
-         hret = hash_lookup(rctx->dp_request_table, state->key, &value);
-         if (hret != HASH_SUCCESS) {
-             /* Something must have gone wrong with creating the request */
--            talloc_zfree(subreq);
-+            talloc_zfree(sidereq);
-             ret = EIO;
-             goto error;
-         }
-@@ -402,23 +411,10 @@ error:
- }
- 
- static void
--sss_dp_get_account_done(struct tevent_req *subreq)
-+sss_dp_get_account_done(struct tevent_req *sidereq)
- {
--    errno_t ret;
--    struct tevent_req *req = tevent_req_callback_data(subreq,
--                                                      struct tevent_req);
--    struct dp_get_account_state *state =
--            tevent_req_data(req, struct dp_get_account_state);
--
--    ret = sss_dp_get_account_int_recv(state, req,
--                                      &state->err_maj,
--                                      &state->err_min,
--                                      &state->err_msg);
--    if (ret != EOK) {
--        tevent_req_done(req);
--    } else {
--        tevent_req_error(req, ret);
--    }
-+    /* Nothing to do here. The callbacks have already been invoked */
-+    talloc_zfree(sidereq);
- }
- 
- errno_t
-@@ -599,7 +595,7 @@ static void sss_dp_get_account_int_done(DBusPendingCall *pending, void *ptr)
-     int ret;
-     struct tevent_req *req;
-     struct sss_dp_req *sdp_req;
--    struct sss_dp_callback *cb, *prevcb = NULL;
-+    struct sss_dp_callback *cb;
-     struct dp_get_account_int_state *state;
-     struct dp_get_account_state *cb_state;
- 
-@@ -630,58 +626,40 @@ static void sss_dp_get_account_int_done(DBusPendingCall *pending, void *ptr)
-     }
- 
-     /* Check whether we need to issue any callbacks */
--    DLIST_FOR_EACH(cb, sdp_req->cb_list) {
-+    while ((cb = sdp_req->cb_list) != NULL) {
-         cb_state = tevent_req_data(cb->req, struct dp_get_account_state);
-         cb_state->err_maj = sdp_req->err_maj;
-         cb_state->err_min = sdp_req->err_min;
-         cb_state->err_msg = talloc_strdup(cb_state, sdp_req->err_msg);
-         /* Don't bother checking for NULL. If it fails due to ENOMEM,
--         * we can't really handle it annyway.
-+         * we can't really handle it anyway.
-          */
- 
-+        /* tevent_req_done/error will free cb */
-         if (ret == EOK) {
-             tevent_req_done(cb->req);
-         } else {
-             tevent_req_error(cb->req, ret);
-         }
- 
--        /* Freeing the request removes it from the list */
--        if (prevcb) talloc_free(prevcb);
--        prevcb = cb;
-+        /* Freeing the cb removes it from the cb_list.
-+         * Therefore, the cb_list should now be pointing
-+         * at a new callback. If it's not, it means the
-+         * callback handler didn't free cb and may leak
-+         * memory. Be paranoid and protect against this
-+         * situation.
-+         */
-+        if (cb == sdp_req->cb_list) {
-+            DEBUG(SSSDBG_FATAL_FAILURE,
-+                  ("BUG: a callback did not free its request. "
-+                   "May leak memory\n"));
-+            /* Skip to the next since a memory leak is non-fatal */
-+            sdp_req->cb_list = sdp_req->cb_list->next;
-+        }
-     }
--    talloc_free(prevcb);
- 
-     /* We're done with this request. Free the sdp_req
-      * This will clean up the hash table entry as well
-      */
-     talloc_zfree(sdp_req);
- }
--
--static errno_t
--sss_dp_get_account_int_recv(TALLOC_CTX *mem_ctx,
--                        struct tevent_req *req,
--                        dbus_uint16_t *err_maj,
--                        dbus_uint32_t *err_min,
--                        char **err_msg)
--{
--    struct dp_get_account_int_state *state =
--            tevent_req_data(req, struct dp_get_account_int_state);
--
--    enum tevent_req_state TRROEstate;
--    uint64_t TRROEerr;
--
--    *err_maj = state->sdp_req->err_maj;
--    *err_min = state->sdp_req->err_min;
--    *err_msg = talloc_steal(mem_ctx, state->sdp_req->err_msg);
--
--    if (tevent_req_is_error(req, &TRROEstate, &TRROEerr)) {
--        if (TRROEstate == TEVENT_REQ_USER_ERROR) {
--            *err_maj = DP_ERR_FATAL;
--            *err_min = TRROEerr;
--        } else {
--            return EIO;
--        }
--    }
--
--    return EOK;
--}
-diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
-index 3bc30ab8641b1787ded15165890e61836e46e802..fc2dca8d7a9e9dc1e5d68c98f95a5d3d67231f4a 100644
---- a/src/responder/nss/nsssrv_cmd.c
-+++ b/src/responder/nss/nsssrv_cmd.c
-@@ -700,6 +700,7 @@ static void nsssrv_dp_send_acct_req_done(struct tevent_req *req)
-     ret = sss_dp_get_account_recv(cb_ctx->mem_ctx, req,
-                                   &err_maj, &err_min,
-                                   &err_msg);
-+    talloc_zfree(req);
-     if (ret != EOK) {
-         NSS_CMD_FATAL_ERROR(cb_ctx->cctx);
-     }
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index 3b2d509e237b12516e1234a34a8542ae09752c43..2e544cd5aa5a566e5557f2d9280b57b24f39befd 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -994,6 +994,7 @@ static void pam_dp_send_acct_req_done(struct tevent_req *req)
-     ret = sss_dp_get_account_recv(cb_ctx->mem_ctx, req,
-                                   &err_maj, &err_min,
-                                   &err_msg);
-+    talloc_zfree(req);
-     if (ret != EOK) {
-         DEBUG(SSSDBG_CRIT_FAILURE,
-               ("Fatal error, killing connection!\n"));
-diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
-index 5d54f95ab78bc43338dd55205e85dbba7bd5f437..1723fd42c8222e72e46498a3b83e427099243369 100644
---- a/src/responder/sudo/sudosrv_get_sudorules.c
-+++ b/src/responder/sudo/sudosrv_get_sudorules.c
-@@ -181,6 +181,7 @@ static void sudosrv_dp_send_acct_req_done(struct tevent_req *req)
-     ret = sss_dp_get_account_recv(cb_ctx->mem_ctx, req,
-                                   &err_maj, &err_min,
-                                   &err_msg);
-+    talloc_zfree(req);
-     if (ret != EOK) {
-         DEBUG(SSSDBG_CRIT_FAILURE,
-               ("Fatal error, killing connection!\n"));
--- 
-1.7.4.1
-

sources

@@ -1 +1 @@
-1fbc9c99df8f2883513cb4b767d4b7d4  sssd-1.7.0.tar.gz
+e6fddc180edbf69fddcb4151701b2d5c  sssd-1.8.0beta1.tar.gz

sssd.spec

@@ -18,28 +18,27 @@
 %global ldb_version 1.1.4
 
 Name: sssd
-Version: 1.7.0
+Version: 1.8.0
-Release: 5%{?dist}
+Release: 1%{?dist}.beta1
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: http://fedorahosted.org/sssd/
-Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
+Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}beta1.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 ### Patches ###
 
-Patch0001: 0001-LDAP-Do-not-fail-if-RootDSE-check-cannot-determine-s.patch
-Patch0002: 0002-DP-Fix-bugs-in-sss_dp_get_account_int.patch
-
 ### Dependencies ###
 
 Conflicts: selinux-policy < 3.10.0-46
 Requires: libldb = %{ldb_version}
 Requires: libtdb >= 1.1.3
 Requires: sssd-client%{?_isa} = %{version}-%{release}
-Requires: cyrus-sasl-gssapi
+Requires: cyrus-sasl-gssapi%{?_isa}
+Requires: libipa_hbac%{?_isa} = %{version}-%{release}
 Requires: krb5-libs >= 1.9
+Requires: keyutils-libs
 Requires(post): systemd-units initscripts chkconfig /sbin/ldconfig
 Requires(preun): systemd-units initscripts chkconfig
 Requires(postun): systemd-units initscripts chkconfig /sbin/ldconfig
@@ -92,6 +91,7 @@ BuildRequires: keyutils-libs-devel
 BuildRequires: libnl-devel
 BuildRequires: nscd
 BuildRequires: gettext-devel
+BuildRequires: pkgconfig
 BuildRequires: libunistring-devel
 BuildRequires: findutils
 
@@ -151,6 +151,22 @@ Requires: libipa_hbac = %{version}-%{release}
 The libipa_hbac-python contains the bindings so that libipa_hbac can be
 used by Python applications.
 
+%package -n libsss_sudo
+Summary: A library to allow communication between SUDO and SSSD
+Group: Development/Libraries
+License: LGPLv3+
+
+%description -n libsss_sudo
+A utility library to allow communication between SUDO and SSSD
+
+%package -n libsss_sudo-devel
+Summary: A library to allow communication between SUDO and SSSD
+Group: Development/Libraries
+License: LGPLv3+
+Requires: libsss_sudo = %{version}-%{release}
+
+%description -n libsss_sudo-devel
+A utility library to allow communication between SUDO and SSSD
 
 %prep
 # Update timestamps on the files touched by a patch, to avoid non-equal
@@ -168,7 +184,7 @@ UpdateTimestamps() {
   done
 }
 
-%setup -q
+%setup -q -n %{name}-1.7.91
 
 for p in %patches ; do
     %__patch -p1 -i $p
@@ -187,7 +203,8 @@ autoreconf -ivf
     --enable-pammoddir=/%{_lib}/security \
     --disable-static \
     --disable-rpath \
-    --with-test-dir=/dev/shm
+    --with-test-dir=/dev/shm \
+    --enable-all-experimental-features
 
 make %{?_smp_mflags} all docs
 
@@ -204,11 +221,9 @@ make install DESTDIR=$RPM_BUILD_ROOT
 # Prepare language files
 /usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd
 
-# Copy SSSDConfig API files
+# Prepare empty config file
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd
 touch $RPM_BUILD_ROOT/%{_sysconfdir}/sssd/sssd.conf
-install -m400 src/config/etc/sssd.api.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.conf
-install -m400 src/config/etc/sssd.api.d/* $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.d/
 
 # Copy default logrotate file
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d
@@ -243,7 +258,7 @@ do
     case `basename $man` in
         sss_*)
             echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang
-        ;;
+            ;;
         *)
             echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
             ;;
@@ -273,9 +288,8 @@ rm -rf $RPM_BUILD_ROOT
 %ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
 %config(noreplace) %{_sysconfdir}/logrotate.d/sssd
 %config(noreplace) %{_sysconfdir}/rwtab.d/sssd
-%config %{_sysconfdir}/sssd/sssd.api.conf
+%{_datadir}/sssd/sssd.api.conf
-%attr(700,root,root) %dir %{_sysconfdir}/sssd/sssd.api.d
+%{_datadir}/sssd/sssd.api.d
-%config %{_sysconfdir}/sssd/sssd.api.d/*
 %{_mandir}/man5/sssd.conf.5*
 %{_mandir}/man5/sssd-ipa.5*
 %{_mandir}/man5/sssd-krb5.5*
@@ -285,16 +299,20 @@ rm -rf $RPM_BUILD_ROOT
 %{python_sitearch}/pysss.so
 %{python_sitelib}/*.py*
 
-%files client -f sssd_tools.lang
+%files client
 %defattr(-,root,root,-)
 %doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
 /%{_lib}/libnss_sss.so.2
 /%{_lib}/security/pam_sss.so
 %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
+%{_bindir}/sss_ssh_authorizedkeys
+%{_bindir}/sss_ssh_knownhostsproxy
+%{_mandir}/man1/sss_ssh_authorizedkeys.1*
+%{_mandir}/man1/sss_ssh_knownhostsproxy.1*
 %{_mandir}/man8/pam_sss.8*
 %{_mandir}/man8/sssd_krb5_locator_plugin.8*
 
-%files tools
+%files tools -f sssd_tools.lang
 %defattr(-,root,root,-)
 %doc COPYING
 %{_sbindir}/sss_useradd
@@ -334,6 +352,30 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-,root,root,-)
 %{python_sitearch}/pyhbac.so
 
+%package -n libsss_autofs
+Summary: A library to allow communication between Autofs and SSSD
+Group: Development/Libraries
+License: LGPLv3+
+
+%description -n libsss_autofs
+A utility library to allow communication between Autofs and SSSD
+
+%files -n libsss_sudo
+%defattr(-,root,root,-)
+%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
+%{_libdir}/libsss_sudo.so.*
+
+%files -n libsss_sudo-devel
+%doc libsss_sudo_doc/html
+%{_includedir}/sss_sudo.h
+%{_libdir}/libsss_sudo.so
+%{_libdir}/pkgconfig/libsss_sudo.pc
+
+%files -n libsss_autofs
+%defattr(-,root,root,-)
+%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
+%{_libdir}/sssd/modules/libsss_autofs.so*
+
 %post
 /sbin/ldconfig
 
@@ -380,6 +422,15 @@ fi
 %postun -n libipa_hbac -p /sbin/ldconfig
 
 %changelog
+* Mon Feb 06 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.0-1.beta1
+- New upstream release
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1
+- Support for the service map in NSS
+- Support for setting default SELinux user context from FreeIPA
+- Support for retrieving SSH user and host keys from LDAP (Experimental)
+- Support for caching autofs LDAP requests (Experimental)
+- Support for caching SUDO rules (Experimental)
+
 * Wed Feb 01 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7.0-5
 - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for
                           new LDAP features - fix netgroups and sudo as well