sssd-2.3.0-1: Rebase to latest upstream release
This commit is contained in:
Pavel Březina
parent
615654a817
commit
2092905a7d
|
|
@ -86,3 +86,4 @@ sssd-1.2.91.tar.gz
|
|||
/sssd-2.2.1.tar.gz
|
||||
/sssd-2.2.2.tar.gz
|
||||
/sssd-2.2.3.tar.gz
|
||||
/sssd-2.3.0.tar.gz
|
||||
|
|
|
|||
|
|
@ -1,53 +0,0 @@
|
|||
From bc56b10aea999284458dcc293b54cf65288e325d Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||
Date: Fri, 24 Jan 2020 15:17:39 +0100
|
||||
Subject: [PATCH] Fix build failure against samba 4.12.0rc1
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The ndr_pull_get_switch() function was dropped, but it was just a wrapper
|
||||
around the ndr_token_peek() function, so we can use this approach on both
|
||||
old and new versions of libndr.
|
||||
|
||||
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_gpo_ndr.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
|
||||
index d57303349..8f405aa62 100644
|
||||
--- a/src/providers/ad/ad_gpo_ndr.c
|
||||
+++ b/src/providers/ad/ad_gpo_ndr.c
|
||||
@@ -105,7 +105,7 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr,
|
||||
union security_ace_object_type *r)
|
||||
{
|
||||
uint32_t level;
|
||||
- level = ndr_pull_get_switch_value(ndr, r);
|
||||
+ level = ndr_token_peek(&ndr->switch_list, r);
|
||||
NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
|
||||
if (ndr_flags & NDR_SCALARS) {
|
||||
NDR_CHECK(ndr_pull_union_align(ndr, 4));
|
||||
@@ -135,7 +135,7 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr,
|
||||
union security_ace_object_inherited_type *r)
|
||||
{
|
||||
uint32_t level;
|
||||
- level = ndr_pull_get_switch_value(ndr, r);
|
||||
+ level = ndr_token_peek(&ndr->switch_list, r);
|
||||
NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
|
||||
if (ndr_flags & NDR_SCALARS) {
|
||||
NDR_CHECK(ndr_pull_union_align(ndr, 4));
|
||||
@@ -198,7 +198,7 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr,
|
||||
union security_ace_object_ctr *r)
|
||||
{
|
||||
uint32_t level;
|
||||
- level = ndr_pull_get_switch_value(ndr, r);
|
||||
+ level = ndr_token_peek(&ndr->switch_list, r);
|
||||
NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
|
||||
if (ndr_flags & NDR_SCALARS) {
|
||||
NDR_CHECK(ndr_pull_union_align(ndr, 4));
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
From 88a0c39b341098f92725458b2055faaaf2bbad5b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 20 May 2020 12:07:13 +0200
|
||||
Subject: [PATCH] test: avoid endian issues in network tests
|
||||
|
||||
---
|
||||
src/tests/cmocka/test_nss_srv.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
|
||||
index 2c91d0a23fe4ce6e66fee70da7501b0ec5f0feb8..3cd7809cf001f5f8ac68fcd191e05660b40cd267 100644
|
||||
--- a/src/tests/cmocka/test_nss_srv.c
|
||||
+++ b/src/tests/cmocka/test_nss_srv.c
|
||||
@@ -35,6 +35,7 @@
|
||||
#include "util/util_sss_idmap.h"
|
||||
#include "util/crypto/sss_crypto.h"
|
||||
#include "util/crypto/nss/nss_util.h"
|
||||
+#include "util/sss_endian.h"
|
||||
#include "db/sysdb_private.h" /* new_subdomain() */
|
||||
#include "db/sysdb_iphosts.h"
|
||||
#include "db/sysdb_ipnetworks.h"
|
||||
@@ -5308,7 +5309,13 @@ struct netent test_netent = {
|
||||
.n_name = discard_const("test_network"),
|
||||
.n_aliases = discard_const(test_netent_aliases),
|
||||
.n_addrtype = AF_INET,
|
||||
+#if (__BYTE_ORDER == __LITTLE_ENDIAN)
|
||||
.n_net = 0x04030201 /* 1.2.3.4 */
|
||||
+#elif (__BYTE_ORDER == __BIG_ENDIAN)
|
||||
+ .n_net = 0x01020304 /* 1.2.3.4 */
|
||||
+#else
|
||||
+ #error "unknow endianess"
|
||||
+#endif
|
||||
};
|
||||
|
||||
static void mock_input_netbyname(const char *name)
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
From 399ee9d1af9cca4026ce50c58ce25c45a30c85c2 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Sat, 1 Feb 2020 17:39:07 +0000
|
||||
Subject: [PATCH] BUILD: Accept krb5 1.18 for building the PAC plugin
|
||||
|
||||
Merges: https://pagure.io/SSSD/sssd/pull-request/4152
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/external/pac_responder.m4 | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
|
||||
index dc986a1b8..114d8470f 100644
|
||||
--- a/src/external/pac_responder.m4
|
||||
+++ b/src/external/pac_responder.m4
|
||||
@@ -19,7 +19,8 @@ then
|
||||
Kerberos\ 5\ release\ 1.14* | \
|
||||
Kerberos\ 5\ release\ 1.15* | \
|
||||
Kerberos\ 5\ release\ 1.16* | \
|
||||
- Kerberos\ 5\ release\ 1.17*)
|
||||
+ Kerberos\ 5\ release\ 1.17* | \
|
||||
+ Kerberos\ 5\ release\ 1.18*)
|
||||
krb5_version_ok=yes
|
||||
AC_MSG_RESULT([yes])
|
||||
;;
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
From b626651847e188e89a332b8ac4bfaaa5047e1b3d Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Halman <thalman@redhat.com>
|
||||
Date: Tue, 10 Dec 2019 16:30:32 +0100
|
||||
Subject: [PATCH] INI: sssctl config-check command error messages
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In case of parsing error sssctl config-check command does not give
|
||||
proper error messages with line number. With this patch the error
|
||||
message is printed again.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/4129
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
src/util/sss_ini.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
|
||||
index e3699805d..5d91602cd 100644
|
||||
--- a/src/util/sss_ini.c
|
||||
+++ b/src/util/sss_ini.c
|
||||
@@ -865,6 +865,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
|
||||
|
||||
ret = sss_ini_parse(self);
|
||||
if (ret != EOK) {
|
||||
+ sss_ini_config_print_errors(self->error_list);
|
||||
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
|
||||
return ERR_INI_PARSE_FAILED;
|
||||
}
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,42 +0,0 @@
|
|||
From 21cb9fb28db1f2eb4ee770eb029bfe20233e4392 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 12 Dec 2019 13:10:16 +0100
|
||||
Subject: [PATCH] certmap: mention special regex characters in man page
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Since some of the matching rules use regular expressions some characters
|
||||
must be escaped so that they can be used a ordinary characters in the
|
||||
rules.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/4127
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
src/man/sss-certmap.5.xml | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml
|
||||
index db258d14a..10343625e 100644
|
||||
--- a/src/man/sss-certmap.5.xml
|
||||
+++ b/src/man/sss-certmap.5.xml
|
||||
@@ -92,6 +92,15 @@
|
||||
<para>
|
||||
Example: <SUBJECT>.*,DC=MY,DC=DOMAIN
|
||||
</para>
|
||||
+ <para>
|
||||
+ Please note that the characters "^.[$()|*+?{\" have a
|
||||
+ special meaning in regular expressions and must be
|
||||
+ escaped with the help of the '\' character so that they
|
||||
+ are matched as ordinary characters.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Example: <SUBJECT>^CN=.* \(Admin\),DC=MY,DC=DOMAIN$
|
||||
+ </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,98 +0,0 @@
|
|||
From 580d61884b6c0a81357d8f9fa69fe69d1f017185 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 6 Dec 2019 12:29:49 +0100
|
||||
Subject: [PATCH] ldap_child: do not try PKINIT
|
||||
|
||||
if the PKINIT plugin is installed and pkinit_identities is set in
|
||||
/etc/krb5.conf libkrb5 will try to do PKINIT although ldap_child only
|
||||
wants to authenticate with a keytab. As a result ldap_child might try to
|
||||
access a Smartcard which is either not allowed at all or might cause
|
||||
unexpected delays.
|
||||
|
||||
To avoid this the current patch sets pkinit_identities for LDAP child
|
||||
explicitly to make the PKINIT plugin fail because if installed libkrb5
|
||||
will always use it.
|
||||
|
||||
It turned out the setting pre-authentication options requires some
|
||||
internal flags to be set and krb5_get_init_creds_opt_alloc() must be
|
||||
used to initialize the options struct.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/4126
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/providers/ldap/ldap_child.c | 30 ++++++++++++++++++++++--------
|
||||
1 file changed, 22 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
|
||||
index 408d64db4..b081df90f 100644
|
||||
--- a/src/providers/ldap/ldap_child.c
|
||||
+++ b/src/providers/ldap/ldap_child.c
|
||||
@@ -277,7 +277,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
||||
krb5_ccache ccache = NULL;
|
||||
krb5_principal kprinc;
|
||||
krb5_creds my_creds;
|
||||
- krb5_get_init_creds_opt options;
|
||||
+ krb5_get_init_creds_opt *options = NULL;
|
||||
krb5_error_code krberr;
|
||||
krb5_timestamp kdc_time_offset;
|
||||
int canonicalize = 0;
|
||||
@@ -392,19 +392,32 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
||||
}
|
||||
|
||||
memset(&my_creds, 0, sizeof(my_creds));
|
||||
- memset(&options, 0, sizeof(options));
|
||||
|
||||
- krb5_get_init_creds_opt_set_address_list(&options, NULL);
|
||||
- krb5_get_init_creds_opt_set_forwardable(&options, 0);
|
||||
- krb5_get_init_creds_opt_set_proxiable(&options, 0);
|
||||
- krb5_get_init_creds_opt_set_tkt_life(&options, lifetime);
|
||||
+ krberr = krb5_get_init_creds_opt_alloc(context, &options);
|
||||
+ if (krberr != 0) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "krb5_get_init_creds_opt_alloc failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ krb5_get_init_creds_opt_set_address_list(options, NULL);
|
||||
+ krb5_get_init_creds_opt_set_forwardable(options, 0);
|
||||
+ krb5_get_init_creds_opt_set_proxiable(options, 0);
|
||||
+ krb5_get_init_creds_opt_set_tkt_life(options, lifetime);
|
||||
+ krberr = krb5_get_init_creds_opt_set_pa(context, options,
|
||||
+ "X509_user_identity", "");
|
||||
+ if (krberr != 0) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "krb5_get_init_creds_opt_set_pa failed [%d], ignored.\n",
|
||||
+ krberr);
|
||||
+ }
|
||||
+
|
||||
|
||||
tmp_str = getenv("KRB5_CANONICALIZE");
|
||||
if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
|
||||
DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n");
|
||||
canonicalize = 1;
|
||||
}
|
||||
- sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
|
||||
+ sss_krb5_get_init_creds_opt_set_canonicalize(options, canonicalize);
|
||||
|
||||
ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s",
|
||||
DB_PATH, realm_name);
|
||||
@@ -433,7 +446,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
||||
}
|
||||
|
||||
krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
|
||||
- keytab, 0, NULL, &options);
|
||||
+ keytab, 0, NULL, options);
|
||||
if (krberr != 0) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"krb5_get_init_creds_keytab() failed: %d\n", krberr);
|
||||
@@ -513,6 +526,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
||||
*expire_time_out = my_creds.times.endtime - kdc_time_offset;
|
||||
|
||||
done:
|
||||
+ krb5_get_init_creds_opt_free(context, options);
|
||||
if (krberr != 0) {
|
||||
if (*_krb5_msg == NULL) {
|
||||
/* no custom error message provided hence get one from libkrb5 */
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,52 +0,0 @@
|
|||
From 2c13d8bd00f1e8ff30e9fc81f183f6450303ac30 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Wed, 11 Dec 2019 18:42:49 +0100
|
||||
Subject: [PATCH] util/watchdog: fixed watchdog implementation
|
||||
|
||||
In case watchdog detected locked process and this process was parent
|
||||
process it just sent SIGTERM to the whole group of processes, including
|
||||
itself.
|
||||
This handling was wrong: generic `server_setup()` installs custom
|
||||
libtevent handler for SIGTERM signal so this signal is only processed
|
||||
in the context of tevent mainloop. But if tevent mainloop is stuck
|
||||
(exactly the case that triggers WD) then event is not processed
|
||||
and this made watchdog useless.
|
||||
`watchdog_handler()` and `watchdog_detect_timeshift()` were amended to do
|
||||
unconditional `_exit()` after optionally sending a signal to the group.
|
||||
|
||||
Resolves: https://pagure.io/SSSD/sssd/issue/4089
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/util/util_watchdog.c | 6 ++----
|
||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
|
||||
index a07275b19..38c248271 100644
|
||||
--- a/src/util/util_watchdog.c
|
||||
+++ b/src/util/util_watchdog.c
|
||||
@@ -54,9 +54,8 @@ static void watchdog_detect_timeshift(void)
|
||||
if (write(watchdog_ctx.pipefd[1], "1", 1) != 1) {
|
||||
if (getpid() == getpgrp()) {
|
||||
kill(-getpgrp(), SIGTERM);
|
||||
- } else {
|
||||
- _exit(1);
|
||||
}
|
||||
+ _exit(1);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -75,9 +74,8 @@ static void watchdog_handler(int sig)
|
||||
if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) {
|
||||
if (getpid() == getpgrp()) {
|
||||
kill(-getpgrp(), SIGTERM);
|
||||
- } else {
|
||||
- _exit(1);
|
||||
}
|
||||
+ _exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,56 +0,0 @@
|
|||
From 1d4a7ffdcf8b303a40058db49d5e1be4bfb8271a Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Mon, 9 Dec 2019 17:20:28 +0100
|
||||
Subject: [PATCH 7/9] providers/krb5: got rid of unused code
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
src/providers/krb5/krb5_common.c | 10 ----------
|
||||
src/providers/krb5/krb5_common.h | 7 -------
|
||||
2 files changed, 17 deletions(-)
|
||||
|
||||
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
|
||||
index bfda561c1..5c11c347b 100644
|
||||
--- a/src/providers/krb5/krb5_common.c
|
||||
+++ b/src/providers/krb5/krb5_common.c
|
||||
@@ -1133,16 +1133,6 @@ void remove_krb5_info_files_callback(void *pvt)
|
||||
talloc_free(ctx);
|
||||
}
|
||||
|
||||
-void krb5_finalize(struct tevent_context *ev,
|
||||
- struct tevent_signal *se,
|
||||
- int signum,
|
||||
- int count,
|
||||
- void *siginfo,
|
||||
- void *private_data)
|
||||
-{
|
||||
- orderly_shutdown(0);
|
||||
-}
|
||||
-
|
||||
errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx,
|
||||
struct sss_domain_info *dom, const char *username,
|
||||
const char *user_dom, char **_upn)
|
||||
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
|
||||
index cc9313115..493d12e5f 100644
|
||||
--- a/src/providers/krb5/krb5_common.h
|
||||
+++ b/src/providers/krb5/krb5_common.h
|
||||
@@ -196,13 +196,6 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
|
||||
|
||||
void remove_krb5_info_files_callback(void *pvt);
|
||||
|
||||
-void krb5_finalize(struct tevent_context *ev,
|
||||
- struct tevent_signal *se,
|
||||
- int signum,
|
||||
- int count,
|
||||
- void *siginfo,
|
||||
- void *private_data);
|
||||
-
|
||||
errno_t remove_krb5_info_files(TALLOC_CTX *mem_ctx, const char *realm);
|
||||
|
||||
errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx,
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,84 +0,0 @@
|
|||
From e41e9b37e4d3fcd8544fb6c591dafbaef0954438 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Mon, 9 Dec 2019 17:48:14 +0100
|
||||
Subject: [PATCH 8/9] data_provider_be: got rid of duplicating SIGTERM handler
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
It was wrong to install two libtevent SIGTERM handlers both of which did
|
||||
orderly_shutdown()->exit(). Naturally only one of the handlers was executed
|
||||
(as process was terminated with exit()) and libtevent docs doesn't say
|
||||
anything about order of execution. But chances are, be_process_finalize()
|
||||
was executed first so default_quit() was not executed and main_ctx was not
|
||||
freed.
|
||||
|
||||
Moreover there is just no reason to have separate be_process_finalize()
|
||||
at all: default server handler default_quit() frees main_ctx. And be_ctx
|
||||
is linked to main_ctx so will be freed by default handler as well.
|
||||
|
||||
Resolves: https://pagure.io/SSSD/sssd/issue/4088
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
src/providers/data_provider_be.c | 37 --------------------------------
|
||||
1 file changed, 37 deletions(-)
|
||||
|
||||
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
||||
index cfcf0268d..ce00231ff 100644
|
||||
--- a/src/providers/data_provider_be.c
|
||||
+++ b/src/providers/data_provider_be.c
|
||||
@@ -445,36 +445,6 @@ be_register_monitor_iface(struct sbus_connection *conn, struct be_ctx *be_ctx)
|
||||
return sbus_connection_add_path_map(be_ctx->mon_conn, paths);
|
||||
}
|
||||
|
||||
-static void be_process_finalize(struct tevent_context *ev,
|
||||
- struct tevent_signal *se,
|
||||
- int signum,
|
||||
- int count,
|
||||
- void *siginfo,
|
||||
- void *private_data)
|
||||
-{
|
||||
- struct be_ctx *be_ctx;
|
||||
-
|
||||
- be_ctx = talloc_get_type(private_data, struct be_ctx);
|
||||
- talloc_free(be_ctx);
|
||||
- orderly_shutdown(0);
|
||||
-}
|
||||
-
|
||||
-static errno_t be_process_install_sigterm_handler(struct be_ctx *be_ctx)
|
||||
-{
|
||||
- struct tevent_signal *sige;
|
||||
-
|
||||
- BlockSignals(false, SIGTERM);
|
||||
-
|
||||
- sige = tevent_add_signal(be_ctx->ev, be_ctx, SIGTERM, SA_SIGINFO,
|
||||
- be_process_finalize, be_ctx);
|
||||
- if (sige == NULL) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_signal failed.\n");
|
||||
- return ENOMEM;
|
||||
- }
|
||||
-
|
||||
- return EOK;
|
||||
-}
|
||||
-
|
||||
static void dp_initialized(struct tevent_req *req);
|
||||
|
||||
errno_t be_process_init(TALLOC_CTX *mem_ctx,
|
||||
@@ -566,13 +536,6 @@ errno_t be_process_init(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- /* Install signal handler */
|
||||
- ret = be_process_install_sigterm_handler(be_ctx);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "be_install_sigterm_handler failed.\n");
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
req = dp_init_send(be_ctx, be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid);
|
||||
if (req == NULL) {
|
||||
ret = ENOMEM;
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
From 3f52de891cba55230730602d41c3811cf1b17d96 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Mon, 9 Dec 2019 18:26:56 +0100
|
||||
Subject: [PATCH 9/9] util/server: improved debug at shutdown
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Relates: https://pagure.io/SSSD/sssd/issue/4088
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
src/util/server.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/util/server.c b/src/util/server.c
|
||||
index ee57ac128..33524066e 100644
|
||||
--- a/src/util/server.c
|
||||
+++ b/src/util/server.c
|
||||
@@ -242,7 +242,8 @@ void orderly_shutdown(int status)
|
||||
kill(-getpgrp(), SIGTERM);
|
||||
}
|
||||
#endif
|
||||
- if (status == 0) sss_log(SSS_LOG_INFO, "Shutting down");
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO, "Shutting down (status = %d)", status);
|
||||
+ sss_log(SSS_LOG_INFO, "Shutting down (status = %d)", status);
|
||||
exit(status);
|
||||
}
|
||||
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,52 +0,0 @@
|
|||
From 26e33b1984cce3549df170f58f8221201ad54cfd Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Tue, 7 Jan 2020 16:29:05 +0100
|
||||
Subject: [PATCH] util/sss_ptr_hash: fixed double free in
|
||||
sss_ptr_hash_delete_cb()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Calling data->callback(value->ptr) in sss_ptr_hash_delete_cb() could lead
|
||||
to freeing of value->ptr and thus to destruction of value->spy that is
|
||||
attached to value->ptr.
|
||||
In turn sss_ptr_hash_spy_destructor() calls sss_ptr_hash_delete() ->
|
||||
hash_delete() -> sss_ptr_hash_delete_cb() again and in this recursive
|
||||
execution hash entry was actually deleted and value was freed.
|
||||
When stack was unwound back to "first" sss_ptr_hash_delete_cb() it tried
|
||||
to free value again => double free.
|
||||
|
||||
To prevent this bug value and hence spy are now freed before execution of
|
||||
data->callback(value->ptr).
|
||||
|
||||
Resolves: https://pagure.io/SSSD/sssd/issue/4135
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/util/sss_ptr_hash.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
|
||||
index c7403ffa6..8f9762cb9 100644
|
||||
--- a/src/util/sss_ptr_hash.c
|
||||
+++ b/src/util/sss_ptr_hash.c
|
||||
@@ -154,13 +154,13 @@ sss_ptr_hash_delete_cb(hash_entry_t *item,
|
||||
callback_entry.value.type = HASH_VALUE_PTR;
|
||||
callback_entry.value.ptr = value->ptr;
|
||||
|
||||
+ /* Free value, this also will disable spy */
|
||||
+ talloc_free(value);
|
||||
+
|
||||
/* Switch to the input value and call custom callback. */
|
||||
if (data->callback != NULL) {
|
||||
data->callback(&callback_entry, deltype, data->pvt);
|
||||
}
|
||||
-
|
||||
- /* Free value. */
|
||||
- talloc_free(value);
|
||||
}
|
||||
|
||||
hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,195 +0,0 @@
|
|||
From bd201746f8cf0e95615b3e98868555451b5e66b8 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Halman <thalman@redhat.com>
|
||||
Date: Mon, 2 Dec 2019 11:11:52 +0100
|
||||
Subject: [PATCH] sdap: Add randomness to ldap connection timeout
|
||||
|
||||
In case of mass deployment, mass registration of IPA clients roughly on
|
||||
the same time leads to regular CPU load spikes on IPA servers, the load
|
||||
spikes are caused by all/most clients refreshing their LDAP connections
|
||||
(ldap_connection_expire_timeout) every 15 minutes.
|
||||
|
||||
This patch introduces new random value (from 0 up to
|
||||
ldap_connection_expire_offset) that is added to the timeout.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3630
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/config/cfg_rules.ini | 1 +
|
||||
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
|
||||
src/config/etc/sssd.api.d/sssd-ipa.conf | 1 +
|
||||
src/config/etc/sssd.api.d/sssd-ldap.conf | 1 +
|
||||
src/man/sssd-ldap.5.xml | 19 +++++++++++++++++++
|
||||
src/providers/ad/ad_opts.c | 1 +
|
||||
src/providers/ipa/ipa_opts.c | 1 +
|
||||
src/providers/ldap/ldap_opts.c | 1 +
|
||||
src/providers/ldap/sdap.h | 1 +
|
||||
src/providers/ldap/sdap_async_connection.c | 12 ++++++++++++
|
||||
10 files changed, 39 insertions(+)
|
||||
|
||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
||||
index 8c73c89ac..c56d5a668 100644
|
||||
--- a/src/config/cfg_rules.ini
|
||||
+++ b/src/config/cfg_rules.ini
|
||||
@@ -600,6 +600,7 @@ option = ldap_chpass_dns_service_name
|
||||
option = ldap_chpass_update_last_change
|
||||
option = ldap_chpass_uri
|
||||
option = ldap_connection_expire_timeout
|
||||
+option = ldap_connection_expire_offset
|
||||
option = ldap_default_authtok
|
||||
option = ldap_default_authtok_type
|
||||
option = ldap_default_bind_dn
|
||||
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
|
||||
index 80e329b3b..aaa0b2345 100644
|
||||
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
|
||||
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
|
||||
@@ -58,6 +58,7 @@ ldap_deref = str, None, false
|
||||
ldap_page_size = int, None, false
|
||||
ldap_deref_threshold = int, None, false
|
||||
ldap_connection_expire_timeout = int, None, false
|
||||
+ldap_connection_expire_offset = int, None, false
|
||||
ldap_disable_paging = bool, None, false
|
||||
krb5_confd_path = str, None, false
|
||||
wildcard_limit = int, None, false
|
||||
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
|
||||
index e2d46db75..7ed153d36 100644
|
||||
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
|
||||
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
|
||||
@@ -52,6 +52,7 @@ ldap_deref = str, None, false
|
||||
ldap_page_size = int, None, false
|
||||
ldap_deref_threshold = int, None, false
|
||||
ldap_connection_expire_timeout = int, None, false
|
||||
+ldap_connection_expire_offset = int, None, false
|
||||
ldap_disable_paging = bool, None, false
|
||||
krb5_confd_path = str, None, false
|
||||
wildcard_limit = int, None, false
|
||||
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
|
||||
index 01c1d7f12..4f73e901e 100644
|
||||
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
|
||||
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
|
||||
@@ -36,6 +36,7 @@ ldap_deref_threshold = int, None, false
|
||||
ldap_sasl_canonicalize = bool, None, false
|
||||
ldap_sasl_minssf = int, None, false
|
||||
ldap_connection_expire_timeout = int, None, false
|
||||
+ldap_connection_expire_offset = int, None, false
|
||||
ldap_disable_paging = bool, None, false
|
||||
ldap_disable_range_retrieval = bool, None, false
|
||||
wildcard_limit = int, None, false
|
||||
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
|
||||
index 6d1ae23ec..f8bb973c7 100644
|
||||
--- a/src/man/sssd-ldap.5.xml
|
||||
+++ b/src/man/sssd-ldap.5.xml
|
||||
@@ -509,12 +509,31 @@
|
||||
the two values (this value vs. the TGT lifetime)
|
||||
will be used.
|
||||
</para>
|
||||
+ <para>
|
||||
+ This timeout can be extended of a random
|
||||
+ value specified by
|
||||
+ <emphasis>ldap_connection_expire_offset</emphasis>
|
||||
+ </para>
|
||||
<para>
|
||||
Default: 900 (15 minutes)
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term>ldap_connection_expire_offset (integer)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Random offset between 0 and configured value
|
||||
+ is added to
|
||||
+ <emphasis>ldap_connection_expire_timeout</emphasis>.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: 0
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
<varlistentry>
|
||||
<term>ldap_page_size (integer)</term>
|
||||
<listitem>
|
||||
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
|
||||
index cd568e466..1293219ee 100644
|
||||
--- a/src/providers/ad/ad_opts.c
|
||||
+++ b/src/providers/ad/ad_opts.c
|
||||
@@ -137,6 +137,7 @@ struct dp_option ad_def_ldap_opts[] = {
|
||||
{ "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
|
||||
{ "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||
{ "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER },
|
||||
+ { "ldap_connection_expire_offset", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
|
||||
{ "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||
{ "ldap_idmap_range_min", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER },
|
||||
{ "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000200000LL }, NULL_NUMBER },
|
||||
diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c
|
||||
index 7974cb8ea..4fafa073d 100644
|
||||
--- a/src/providers/ipa/ipa_opts.c
|
||||
+++ b/src/providers/ipa/ipa_opts.c
|
||||
@@ -147,6 +147,7 @@ struct dp_option ipa_def_ldap_opts[] = {
|
||||
{ "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
|
||||
{ "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||
{ "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER },
|
||||
+ { "ldap_connection_expire_offset", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
|
||||
{ "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||
{ "ldap_idmap_range_min", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER },
|
||||
{ "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000200000LL }, NULL_NUMBER },
|
||||
diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c
|
||||
index a20ec0d86..ffd0c6baa 100644
|
||||
--- a/src/providers/ldap/ldap_opts.c
|
||||
+++ b/src/providers/ldap/ldap_opts.c
|
||||
@@ -107,6 +107,7 @@ struct dp_option default_basic_opts[] = {
|
||||
{ "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
|
||||
{ "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||
{ "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER },
|
||||
+ { "ldap_connection_expire_offset", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
|
||||
{ "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||
{ "ldap_idmap_range_min", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER },
|
||||
{ "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000200000LL }, NULL_NUMBER },
|
||||
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
|
||||
index d0a19a660..f27b3c480 100644
|
||||
--- a/src/providers/ldap/sdap.h
|
||||
+++ b/src/providers/ldap/sdap.h
|
||||
@@ -221,6 +221,7 @@ enum sdap_basic_opt {
|
||||
SDAP_DEREF_THRESHOLD,
|
||||
SDAP_SASL_CANONICALIZE,
|
||||
SDAP_EXPIRE_TIMEOUT,
|
||||
+ SDAP_EXPIRE_OFFSET,
|
||||
SDAP_DISABLE_PAGING,
|
||||
SDAP_IDMAP_LOWER,
|
||||
SDAP_IDMAP_UPPER,
|
||||
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
|
||||
index 0260cba6f..7438d14a7 100644
|
||||
--- a/src/providers/ldap/sdap_async_connection.c
|
||||
+++ b/src/providers/ldap/sdap_async_connection.c
|
||||
@@ -1803,6 +1803,8 @@ static void sdap_cli_auth_step(struct tevent_req *req)
|
||||
struct tevent_req *subreq;
|
||||
time_t now;
|
||||
int expire_timeout;
|
||||
+ int expire_offset;
|
||||
+
|
||||
const char *sasl_mech = dp_opt_get_string(state->opts->basic,
|
||||
SDAP_SASL_MECH);
|
||||
const char *user_dn = dp_opt_get_string(state->opts->basic,
|
||||
@@ -1832,6 +1834,16 @@ static void sdap_cli_auth_step(struct tevent_req *req)
|
||||
*/
|
||||
now = time(NULL);
|
||||
expire_timeout = dp_opt_get_int(state->opts->basic, SDAP_EXPIRE_TIMEOUT);
|
||||
+ expire_offset = dp_opt_get_int(state->opts->basic, SDAP_EXPIRE_OFFSET);
|
||||
+ if (expire_offset > 0) {
|
||||
+ expire_timeout += sss_rand() % (expire_offset + 1);
|
||||
+ } else if (expire_offset < 0) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
+ "Negative value [%d] of ldap_connection_expire_offset "
|
||||
+ "is not allowed.\n",
|
||||
+ expire_offset);
|
||||
+ }
|
||||
+
|
||||
DEBUG(SSSDBG_CONF_SETTINGS, "expire timeout is %d\n", expire_timeout);
|
||||
if (!state->sh->expire_time
|
||||
|| (state->sh->expire_time > (now + expire_timeout))) {
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,55 +0,0 @@
|
|||
From 090cf77a0fd5f300a753667658af3ed763a88e83 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 26 Sep 2019 20:24:34 +0200
|
||||
Subject: [PATCH 12/15] ad: allow booleans for ad_inherit_opts_if_needed()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Currently ad_inherit_opts_if_needed() can only handle strings. With this
|
||||
patch it can handle boolean options as well.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/4131
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_common.c | 23 ++++++++++++++++++++---
|
||||
1 file changed, 20 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
||||
index 5540066d4..600e3ceb2 100644
|
||||
--- a/src/providers/ad/ad_common.c
|
||||
+++ b/src/providers/ad/ad_common.c
|
||||
@@ -1479,9 +1479,26 @@ errno_t ad_inherit_opts_if_needed(struct dp_option *parent_opts,
|
||||
const char *parent_val = NULL;
|
||||
char *dummy = NULL;
|
||||
char *option_list[2] = { NULL, NULL };
|
||||
-
|
||||
- parent_val = dp_opt_get_cstring(parent_opts, opt_id);
|
||||
- if (parent_val != NULL) {
|
||||
+ bool is_default = true;
|
||||
+
|
||||
+ switch (parent_opts[opt_id].type) {
|
||||
+ case DP_OPT_STRING:
|
||||
+ parent_val = dp_opt_get_cstring(parent_opts, opt_id);
|
||||
+ break;
|
||||
+ case DP_OPT_BOOL:
|
||||
+ /* For booleans it is hard to say if the option is set or not since
|
||||
+ * both possible values are valid ones. So we check if the value is
|
||||
+ * different from the default and skip if it is the default. In this
|
||||
+ * case the sub-domain option would either be the default as well or
|
||||
+ * manully set and in both cases we do not have to change it. */
|
||||
+ is_default = (parent_opts[opt_id].val.boolean
|
||||
+ == parent_opts[opt_id].def_val.boolean);
|
||||
+ break;
|
||||
+ default:
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Unsupported type, skipping.\n");
|
||||
+ }
|
||||
+
|
||||
+ if (parent_val != NULL || !is_default) {
|
||||
ret = confdb_get_string(cdb, NULL, subdom_conf_path,
|
||||
parent_opts[opt_id].opt_name, NULL, &dummy);
|
||||
if (ret != EOK) {
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,438 +0,0 @@
|
|||
From da0be382d95f0bdbc6ad5ccb68503456c2ee858b Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 26 Sep 2019 20:27:09 +0200
|
||||
Subject: [PATCH 11/13] ad: add ad_use_ldaps
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
With this new boolean option the AD provider should only use the LDAPS
|
||||
port 636 and the Global Catalog port 3629 which is TLS protected as
|
||||
well.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/4131
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/config/SSSDConfig/__init__.py.in | 1 +
|
||||
src/config/cfg_rules.ini | 1 +
|
||||
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
|
||||
src/man/sssd-ad.5.xml | 20 +++++++++++++++++++
|
||||
src/providers/ad/ad_common.c | 24 +++++++++++++++++++----
|
||||
src/providers/ad/ad_common.h | 8 +++++++-
|
||||
src/providers/ad/ad_init.c | 8 +++++++-
|
||||
src/providers/ad/ad_opts.c | 1 +
|
||||
src/providers/ad/ad_srv.c | 16 ++++++++++++---
|
||||
src/providers/ad/ad_srv.h | 3 ++-
|
||||
src/providers/ad/ad_subdomains.c | 21 ++++++++++++++++++--
|
||||
src/providers/ipa/ipa_subdomains_server.c | 4 ++--
|
||||
12 files changed, 94 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
||||
index eba89b461..84631862a 100644
|
||||
--- a/src/config/SSSDConfig/__init__.py.in
|
||||
+++ b/src/config/SSSDConfig/__init__.py.in
|
||||
@@ -252,6 +252,7 @@ option_strings = {
|
||||
'ad_site' : _('a particular site to be used by the client'),
|
||||
'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),
|
||||
'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'),
|
||||
+ 'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'),
|
||||
|
||||
# [provider/krb5]
|
||||
'krb5_kdcip' : _('Kerberos server address'),
|
||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
||||
index c56d5a668..1034a1fd6 100644
|
||||
--- a/src/config/cfg_rules.ini
|
||||
+++ b/src/config/cfg_rules.ini
|
||||
@@ -464,6 +464,7 @@ option = ad_machine_account_password_renewal_opts
|
||||
option = ad_maximum_machine_account_password_age
|
||||
option = ad_server
|
||||
option = ad_site
|
||||
+option = ad_use_ldaps
|
||||
|
||||
# IPA provider specific options
|
||||
option = ipa_anchor_uuid
|
||||
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
|
||||
index aaa0b2345..a2af72603 100644
|
||||
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
|
||||
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
|
||||
@@ -20,6 +20,7 @@ ad_gpo_default_right = str, None, false
|
||||
ad_site = str, None, false
|
||||
ad_maximum_machine_account_password_age = int, None, false
|
||||
ad_machine_account_password_renewal_opts = str, None, false
|
||||
+ad_use_ldaps = bool, None, false
|
||||
ldap_uri = str, None, false
|
||||
ldap_backup_uri = str, None, false
|
||||
ldap_search_base = str, None, false
|
||||
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
|
||||
index fdcb4e4b9..ade56cd6d 100644
|
||||
--- a/src/man/sssd-ad.5.xml
|
||||
+++ b/src/man/sssd-ad.5.xml
|
||||
@@ -1015,6 +1015,26 @@ ad_gpo_map_deny = +my_pam_service
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term>ad_use_ldaps (bool)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ By default SSSD uses the plain LDAP port 389 and the
|
||||
+ Global Catalog port 3628. If this option is set to
|
||||
+ True SSSD will use the LDAPS port 636 and Global
|
||||
+ Catalog port 3629 with LDAPS protection. Since AD
|
||||
+ does not allow to have multiple encryption layers on
|
||||
+ a single connection and we still want to use
|
||||
+ SASL/GSSAPI or SASL/GSS-SPNEGO for authentication
|
||||
+ the SASL security property maxssf is set to 0 (zero)
|
||||
+ for those connections.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: False
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
<varlistentry>
|
||||
<term>dyndns_update (boolean)</term>
|
||||
<listitem>
|
||||
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
||||
index 600e3ceb2..a2369166a 100644
|
||||
--- a/src/providers/ad/ad_common.c
|
||||
+++ b/src/providers/ad/ad_common.c
|
||||
@@ -729,6 +729,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
|
||||
const char *ad_gc_service,
|
||||
const char *ad_domain,
|
||||
bool use_kdcinfo,
|
||||
+ bool ad_use_ldaps,
|
||||
size_t n_lookahead_primary,
|
||||
size_t n_lookahead_backup,
|
||||
struct ad_service **_service)
|
||||
@@ -746,6 +747,16 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ if (ad_use_ldaps) {
|
||||
+ service->ldap_scheme = "ldaps";
|
||||
+ service->port = LDAPS_PORT;
|
||||
+ service->gc_port = AD_GC_LDAPS_PORT;
|
||||
+ } else {
|
||||
+ service->ldap_scheme = "ldap";
|
||||
+ service->port = LDAP_PORT;
|
||||
+ service->gc_port = AD_GC_PORT;
|
||||
+ }
|
||||
+
|
||||
service->sdap = talloc_zero(service, struct sdap_service);
|
||||
service->gc = talloc_zero(service, struct sdap_service);
|
||||
if (!service->sdap || !service->gc) {
|
||||
@@ -927,7 +938,8 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- new_uri = talloc_asprintf(service->sdap, "ldap://%s", srv_name);
|
||||
+ new_uri = talloc_asprintf(service->sdap, "%s://%s", service->ldap_scheme,
|
||||
+ srv_name);
|
||||
if (!new_uri) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy URI\n");
|
||||
ret = ENOMEM;
|
||||
@@ -935,7 +947,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
|
||||
}
|
||||
DEBUG(SSSDBG_CONF_SETTINGS, "Constructed uri '%s'\n", new_uri);
|
||||
|
||||
- sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT);
|
||||
+ sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, service->port);
|
||||
if (sockaddr == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n");
|
||||
ret = EIO;
|
||||
@@ -951,8 +963,12 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
|
||||
talloc_zfree(service->gc->uri);
|
||||
talloc_zfree(service->gc->sockaddr);
|
||||
if (sdata && sdata->gc) {
|
||||
- new_port = fo_get_server_port(server);
|
||||
- new_port = (new_port == 0) ? AD_GC_PORT : new_port;
|
||||
+ if (service->gc_port == AD_GC_LDAPS_PORT) {
|
||||
+ new_port = service->gc_port;
|
||||
+ } else {
|
||||
+ new_port = fo_get_server_port(server);
|
||||
+ new_port = (new_port == 0) ? service->gc_port : new_port;
|
||||
+ }
|
||||
|
||||
service->gc->uri = talloc_asprintf(service->gc, "%s:%d",
|
||||
new_uri, new_port);
|
||||
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
|
||||
index 75f11de2e..820e06124 100644
|
||||
--- a/src/providers/ad/ad_common.h
|
||||
+++ b/src/providers/ad/ad_common.h
|
||||
@@ -29,7 +29,8 @@
|
||||
#define AD_SERVICE_NAME "AD"
|
||||
#define AD_GC_SERVICE_NAME "AD_GC"
|
||||
/* The port the Global Catalog runs on */
|
||||
-#define AD_GC_PORT 3268
|
||||
+#define AD_GC_PORT 3268
|
||||
+#define AD_GC_LDAPS_PORT 3269
|
||||
|
||||
#define AD_AT_OBJECT_SID "objectSID"
|
||||
#define AD_AT_DNS_DOMAIN "DnsDomain"
|
||||
@@ -67,6 +68,7 @@ enum ad_basic_opt {
|
||||
AD_KRB5_CONFD_PATH,
|
||||
AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE,
|
||||
AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS,
|
||||
+ AD_USE_LDAPS,
|
||||
|
||||
AD_OPTS_BASIC /* opts counter */
|
||||
};
|
||||
@@ -82,6 +84,9 @@ struct ad_service {
|
||||
struct sdap_service *sdap;
|
||||
struct sdap_service *gc;
|
||||
struct krb5_service *krb5_service;
|
||||
+ const char *ldap_scheme;
|
||||
+ int port;
|
||||
+ int gc_port;
|
||||
};
|
||||
|
||||
struct ad_options {
|
||||
@@ -147,6 +152,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *ctx,
|
||||
const char *ad_gc_service,
|
||||
const char *ad_domain,
|
||||
bool use_kdcinfo,
|
||||
+ bool ad_use_ldaps,
|
||||
size_t n_lookahead_primary,
|
||||
size_t n_lookahead_backup,
|
||||
struct ad_service **_service);
|
||||
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
|
||||
index 290d5b5c1..2b4b9e2e7 100644
|
||||
--- a/src/providers/ad/ad_init.c
|
||||
+++ b/src/providers/ad/ad_init.c
|
||||
@@ -138,6 +138,7 @@ static errno_t ad_init_options(TALLOC_CTX *mem_ctx,
|
||||
char *ad_servers = NULL;
|
||||
char *ad_backup_servers = NULL;
|
||||
char *ad_realm;
|
||||
+ bool ad_use_ldaps = false;
|
||||
errno_t ret;
|
||||
|
||||
ad_sasl_initialize();
|
||||
@@ -154,12 +155,14 @@ static errno_t ad_init_options(TALLOC_CTX *mem_ctx,
|
||||
ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
|
||||
ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
|
||||
ad_realm = dp_opt_get_string(ad_options->basic, AD_KRB5_REALM);
|
||||
+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
|
||||
|
||||
/* Set up the failover service */
|
||||
ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
|
||||
ad_realm, AD_SERVICE_NAME, AD_GC_SERVICE_NAME,
|
||||
dp_opt_get_string(ad_options->basic, AD_DOMAIN),
|
||||
false, /* will be set in ad_get_auth_options() */
|
||||
+ ad_use_ldaps,
|
||||
(size_t) -1,
|
||||
(size_t) -1,
|
||||
&ad_options->service);
|
||||
@@ -184,11 +187,13 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx,
|
||||
const char *ad_site_override;
|
||||
bool sites_enabled;
|
||||
errno_t ret;
|
||||
+ bool ad_use_ldaps;
|
||||
|
||||
hostname = dp_opt_get_string(ad_options->basic, AD_HOSTNAME);
|
||||
ad_domain = dp_opt_get_string(ad_options->basic, AD_DOMAIN);
|
||||
ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE);
|
||||
sites_enabled = dp_opt_get_bool(ad_options->basic, AD_ENABLE_DNS_SITES);
|
||||
+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
|
||||
|
||||
|
||||
if (!sites_enabled) {
|
||||
@@ -205,7 +210,8 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx,
|
||||
srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,
|
||||
default_host_dbs, ad_options->id,
|
||||
hostname, ad_domain,
|
||||
- ad_site_override);
|
||||
+ ad_site_override,
|
||||
+ ad_use_ldaps);
|
||||
if (srv_ctx == NULL) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
|
||||
return ENOMEM;
|
||||
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
|
||||
index 1293219ee..30f9b62fd 100644
|
||||
--- a/src/providers/ad/ad_opts.c
|
||||
+++ b/src/providers/ad/ad_opts.c
|
||||
@@ -54,6 +54,7 @@ struct dp_option ad_basic_opts[] = {
|
||||
{ "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
|
||||
{ "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER },
|
||||
{ "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING },
|
||||
+ { "ad_use_ldaps", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||
DP_OPTION_TERMINATOR
|
||||
};
|
||||
|
||||
diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c
|
||||
index 5fd25f60e..ca15d3715 100644
|
||||
--- a/src/providers/ad/ad_srv.c
|
||||
+++ b/src/providers/ad/ad_srv.c
|
||||
@@ -244,6 +244,7 @@ struct ad_get_client_site_state {
|
||||
enum host_database *host_db;
|
||||
struct sdap_options *opts;
|
||||
const char *ad_domain;
|
||||
+ bool ad_use_ldaps;
|
||||
struct fo_server_info *dcs;
|
||||
size_t num_dcs;
|
||||
size_t dc_index;
|
||||
@@ -264,6 +265,7 @@ struct tevent_req *ad_get_client_site_send(TALLOC_CTX *mem_ctx,
|
||||
enum host_database *host_db,
|
||||
struct sdap_options *opts,
|
||||
const char *ad_domain,
|
||||
+ bool ad_use_ldaps,
|
||||
struct fo_server_info *dcs,
|
||||
size_t num_dcs)
|
||||
{
|
||||
@@ -288,6 +290,7 @@ struct tevent_req *ad_get_client_site_send(TALLOC_CTX *mem_ctx,
|
||||
state->host_db = host_db;
|
||||
state->opts = opts;
|
||||
state->ad_domain = ad_domain;
|
||||
+ state->ad_use_ldaps = ad_use_ldaps;
|
||||
state->dcs = dcs;
|
||||
state->num_dcs = num_dcs;
|
||||
|
||||
@@ -331,8 +334,11 @@ static errno_t ad_get_client_site_next_dc(struct tevent_req *req)
|
||||
subreq = sdap_connect_host_send(state, state->ev, state->opts,
|
||||
state->be_res->resolv,
|
||||
state->be_res->family_order,
|
||||
- state->host_db, "ldap", state->dc.host,
|
||||
- state->dc.port, false);
|
||||
+ state->host_db,
|
||||
+ state->ad_use_ldaps ? "ldaps" : "ldap",
|
||||
+ state->dc.host,
|
||||
+ state->ad_use_ldaps ? 636 : state->dc.port,
|
||||
+ false);
|
||||
if (subreq == NULL) {
|
||||
ret = ENOMEM;
|
||||
goto done;
|
||||
@@ -491,6 +497,7 @@ struct ad_srv_plugin_ctx {
|
||||
const char *ad_domain;
|
||||
const char *ad_site_override;
|
||||
const char *current_site;
|
||||
+ bool ad_use_ldaps;
|
||||
};
|
||||
|
||||
struct ad_srv_plugin_ctx *
|
||||
@@ -501,7 +508,8 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
|
||||
struct sdap_options *opts,
|
||||
const char *hostname,
|
||||
const char *ad_domain,
|
||||
- const char *ad_site_override)
|
||||
+ const char *ad_site_override,
|
||||
+ bool ad_use_ldaps)
|
||||
{
|
||||
struct ad_srv_plugin_ctx *ctx = NULL;
|
||||
errno_t ret;
|
||||
@@ -515,6 +523,7 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
|
||||
ctx->be_res = be_res;
|
||||
ctx->host_dbs = host_dbs;
|
||||
ctx->opts = opts;
|
||||
+ ctx->ad_use_ldaps = ad_use_ldaps;
|
||||
|
||||
ctx->hostname = talloc_strdup(ctx, hostname);
|
||||
if (ctx->hostname == NULL) {
|
||||
@@ -714,6 +723,7 @@ static void ad_srv_plugin_dcs_done(struct tevent_req *subreq)
|
||||
state->ctx->host_dbs,
|
||||
state->ctx->opts,
|
||||
state->discovery_domain,
|
||||
+ state->ctx->ad_use_ldaps,
|
||||
dcs, num_dcs);
|
||||
if (subreq == NULL) {
|
||||
ret = ENOMEM;
|
||||
diff --git a/src/providers/ad/ad_srv.h b/src/providers/ad/ad_srv.h
|
||||
index e553d594d..8e410ec26 100644
|
||||
--- a/src/providers/ad/ad_srv.h
|
||||
+++ b/src/providers/ad/ad_srv.h
|
||||
@@ -31,7 +31,8 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
|
||||
struct sdap_options *opts,
|
||||
const char *hostname,
|
||||
const char *ad_domain,
|
||||
- const char *ad_site_override);
|
||||
+ const char *ad_site_override,
|
||||
+ bool ad_use_ldaps);
|
||||
|
||||
struct tevent_req *ad_srv_plugin_send(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_context *ev,
|
||||
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
||||
index 2ce34489f..d8c201437 100644
|
||||
--- a/src/providers/ad/ad_subdomains.c
|
||||
+++ b/src/providers/ad/ad_subdomains.c
|
||||
@@ -282,6 +282,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
||||
bool use_kdcinfo = false;
|
||||
size_t n_lookahead_primary = SSS_KRB5_LOOKAHEAD_PRIMARY_DEFAULT;
|
||||
size_t n_lookahead_backup = SSS_KRB5_LOOKAHEAD_BACKUP_DEFAULT;
|
||||
+ bool ad_use_ldaps = false;
|
||||
|
||||
realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM);
|
||||
hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME);
|
||||
@@ -312,6 +313,21 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
+ ret = ad_inherit_opts_if_needed(id_ctx->ad_options->basic,
|
||||
+ ad_options->basic,
|
||||
+ be_ctx->cdb, subdom_conf_path,
|
||||
+ AD_USE_LDAPS);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to inherit option [%s] to sub-domain [%s]. "
|
||||
+ "This error is ignored but might cause issues or unexpected "
|
||||
+ "behavior later on.\n",
|
||||
+ id_ctx->ad_options->basic[AD_USE_LDAPS].opt_name,
|
||||
+ subdom->name);
|
||||
+
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,
|
||||
ad_options->id->basic,
|
||||
be_ctx->cdb, subdom_conf_path,
|
||||
@@ -344,6 +360,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
||||
|
||||
servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
|
||||
backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
|
||||
+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
|
||||
|
||||
if (id_ctx->ad_options->auth_ctx != NULL
|
||||
&& id_ctx->ad_options->auth_ctx->opts != NULL) {
|
||||
@@ -362,7 +379,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
||||
|
||||
ret = ad_failover_init(ad_options, be_ctx, servers, backup_servers,
|
||||
subdom->realm, service_name, gc_service_name,
|
||||
- subdom->name, use_kdcinfo,
|
||||
+ subdom->name, use_kdcinfo, ad_use_ldaps,
|
||||
n_lookahead_primary,
|
||||
n_lookahead_backup,
|
||||
&ad_options->service);
|
||||
@@ -386,7 +403,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
||||
ad_id_ctx->ad_options->id,
|
||||
hostname,
|
||||
ad_domain,
|
||||
- ad_site_override);
|
||||
+ ad_site_override, ad_use_ldaps);
|
||||
if (srv_ctx == NULL) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
|
||||
return ENOMEM;
|
||||
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
|
||||
index fd998877b..9aebf72a5 100644
|
||||
--- a/src/providers/ipa/ipa_subdomains_server.c
|
||||
+++ b/src/providers/ipa/ipa_subdomains_server.c
|
||||
@@ -319,7 +319,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
|
||||
ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
|
||||
subdom->realm,
|
||||
service_name, gc_service_name,
|
||||
- subdom->name, use_kdcinfo,
|
||||
+ subdom->name, use_kdcinfo, false,
|
||||
n_lookahead_primary, n_lookahead_backup,
|
||||
&ad_options->service);
|
||||
if (ret != EOK) {
|
||||
@@ -344,7 +344,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
|
||||
ad_id_ctx->ad_options->id,
|
||||
id_ctx->server_mode->hostname,
|
||||
ad_domain,
|
||||
- ad_site_override);
|
||||
+ ad_site_override, false);
|
||||
if (srv_ctx == NULL) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
|
||||
return ENOMEM;
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,199 +0,0 @@
|
|||
From 78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 27 Sep 2019 11:49:59 +0200
|
||||
Subject: [PATCH 14/15] ldap: add new option ldap_sasl_maxssf
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
There is already the ldap_sasl_minssf option. To be able to control the
|
||||
maximal security strength factor (ssf) e.g. when using SASL together
|
||||
with TLS the option ldap_sasl_maxssf is added as well.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/4131
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/config/SSSDConfig/__init__.py.in | 1 +
|
||||
src/config/cfg_rules.ini | 1 +
|
||||
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
|
||||
src/config/etc/sssd.api.d/sssd-ipa.conf | 1 +
|
||||
src/config/etc/sssd.api.d/sssd-ldap.conf | 1 +
|
||||
src/man/sssd-ldap.5.xml | 16 ++++++++++++++++
|
||||
src/providers/ad/ad_opts.c | 1 +
|
||||
src/providers/ipa/ipa_opts.c | 1 +
|
||||
src/providers/ldap/ldap_opts.c | 1 +
|
||||
src/providers/ldap/sdap.h | 1 +
|
||||
src/providers/ldap/sdap_async_connection.c | 14 ++++++++++++++
|
||||
11 files changed, 39 insertions(+)
|
||||
|
||||
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
||||
index 6c2a1ce44..b3035fcff 100644
|
||||
--- a/src/config/SSSDConfig/__init__.py.in
|
||||
+++ b/src/config/SSSDConfig/__init__.py.in
|
||||
@@ -306,6 +306,7 @@ option_strings = {
|
||||
'ldap_sasl_authid' : _('Specify the sasl authorization id to use'),
|
||||
'ldap_sasl_realm' : _('Specify the sasl authorization realm to use'),
|
||||
'ldap_sasl_minssf' : _('Specify the minimal SSF for LDAP sasl authorization'),
|
||||
+ 'ldap_sasl_maxssf' : _('Specify the maximal SSF for LDAP sasl authorization'),
|
||||
'ldap_krb5_keytab' : _('Kerberos service keytab'),
|
||||
'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'),
|
||||
'ldap_referrals' : _('Follow LDAP referrals'),
|
||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
||||
index 478ca9eb4..286443be4 100644
|
||||
--- a/src/config/cfg_rules.ini
|
||||
+++ b/src/config/cfg_rules.ini
|
||||
@@ -665,6 +665,7 @@ option = ldap_sasl_authid
|
||||
option = ldap_sasl_canonicalize
|
||||
option = ldap_sasl_mech
|
||||
option = ldap_sasl_minssf
|
||||
+option = ldap_sasl_maxssf
|
||||
option = ldap_schema
|
||||
option = ldap_pwmodify_mode
|
||||
option = ldap_search_base
|
||||
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
|
||||
index 51cdad536..4d10e69d7 100644
|
||||
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
|
||||
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
|
||||
@@ -42,6 +42,7 @@ ldap_tls_reqcert = str, None, false
|
||||
ldap_sasl_mech = str, None, false
|
||||
ldap_sasl_authid = str, None, false
|
||||
ldap_sasl_minssf = int, None, false
|
||||
+ldap_sasl_maxssf = int, None, false
|
||||
krb5_kdcip = str, None, false
|
||||
krb5_server = str, None, false
|
||||
krb5_backup_server = str, None, false
|
||||
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
|
||||
index 7ed153d36..839f9f471 100644
|
||||
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
|
||||
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
|
||||
@@ -32,6 +32,7 @@ ldap_tls_reqcert = str, None, false
|
||||
ldap_sasl_mech = str, None, false
|
||||
ldap_sasl_authid = str, None, false
|
||||
ldap_sasl_minssf = int, None, false
|
||||
+ldap_sasl_maxssf = int, None, false
|
||||
krb5_kdcip = str, None, false
|
||||
krb5_server = str, None, false
|
||||
krb5_backup_server = str, None, false
|
||||
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
|
||||
index 4f73e901e..6db9828b9 100644
|
||||
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
|
||||
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
|
||||
@@ -35,6 +35,7 @@ ldap_page_size = int, None, false
|
||||
ldap_deref_threshold = int, None, false
|
||||
ldap_sasl_canonicalize = bool, None, false
|
||||
ldap_sasl_minssf = int, None, false
|
||||
+ldap_sasl_maxssf = int, None, false
|
||||
ldap_connection_expire_timeout = int, None, false
|
||||
ldap_connection_expire_offset = int, None, false
|
||||
ldap_disable_paging = bool, None, false
|
||||
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
|
||||
index f8bb973c7..0dc675410 100644
|
||||
--- a/src/man/sssd-ldap.5.xml
|
||||
+++ b/src/man/sssd-ldap.5.xml
|
||||
@@ -612,6 +612,22 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term>ldap_sasl_maxssf (integer)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ When communicating with an LDAP server using SASL,
|
||||
+ specify the maximal security level necessary to
|
||||
+ establish the connection. The values of this
|
||||
+ option are defined by OpenLDAP.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: Use the system default (usually specified
|
||||
+ by ldap.conf)
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
<varlistentry>
|
||||
<term>ldap_deref_threshold (integer)</term>
|
||||
<listitem>
|
||||
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
|
||||
index 26420d655..e9a3dd6ef 100644
|
||||
--- a/src/providers/ad/ad_opts.c
|
||||
+++ b/src/providers/ad/ad_opts.c
|
||||
@@ -106,6 +106,7 @@ struct dp_option ad_def_ldap_opts[] = {
|
||||
{ "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||
{ "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||
{ "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
|
||||
+ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
|
||||
{ "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||
{ "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
|
||||
/* use the same parm name as the krb5 module so we set it only once */
|
||||
diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c
|
||||
index 4fafa073d..55de6e600 100644
|
||||
--- a/src/providers/ipa/ipa_opts.c
|
||||
+++ b/src/providers/ipa/ipa_opts.c
|
||||
@@ -114,6 +114,7 @@ struct dp_option ipa_def_ldap_opts[] = {
|
||||
{ "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||
{ "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||
{ "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = 56 }, NULL_NUMBER },
|
||||
+ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
|
||||
{ "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||
{ "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
|
||||
/* use the same parm name as the krb5 module so we set it only once */
|
||||
diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c
|
||||
index ffd0c6baa..d1b4e98ad 100644
|
||||
--- a/src/providers/ldap/ldap_opts.c
|
||||
+++ b/src/providers/ldap/ldap_opts.c
|
||||
@@ -74,6 +74,7 @@ struct dp_option default_basic_opts[] = {
|
||||
{ "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||
{ "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||
{ "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
|
||||
+ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
|
||||
{ "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||
{ "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
|
||||
/* use the same parm name as the krb5 module so we set it only once */
|
||||
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
|
||||
index f27b3c480..808a2c400 100644
|
||||
--- a/src/providers/ldap/sdap.h
|
||||
+++ b/src/providers/ldap/sdap.h
|
||||
@@ -192,6 +192,7 @@ enum sdap_basic_opt {
|
||||
SDAP_SASL_AUTHID,
|
||||
SDAP_SASL_REALM,
|
||||
SDAP_SASL_MINSSF,
|
||||
+ SDAP_SASL_MAXSSF,
|
||||
SDAP_KRB5_KEYTAB,
|
||||
SDAP_KRB5_KINIT,
|
||||
SDAP_KRB5_KDC,
|
||||
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
|
||||
index 7438d14a7..5f69cedcc 100644
|
||||
--- a/src/providers/ldap/sdap_async_connection.c
|
||||
+++ b/src/providers/ldap/sdap_async_connection.c
|
||||
@@ -148,6 +148,8 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
|
||||
const char *sasl_mech;
|
||||
int sasl_minssf;
|
||||
ber_len_t ber_sasl_minssf;
|
||||
+ int sasl_maxssf;
|
||||
+ ber_len_t ber_sasl_maxssf;
|
||||
|
||||
ret = sss_ldap_init_recv(subreq, &state->sh->ldap, &sd);
|
||||
talloc_zfree(subreq);
|
||||
@@ -291,6 +293,18 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ sasl_maxssf = dp_opt_get_int(state->opts->basic, SDAP_SASL_MAXSSF);
|
||||
+ if (sasl_maxssf >= 0) {
|
||||
+ ber_sasl_maxssf = (ber_len_t)sasl_maxssf;
|
||||
+ lret = ldap_set_option(state->sh->ldap, LDAP_OPT_X_SASL_SSF_MAX,
|
||||
+ &ber_sasl_maxssf);
|
||||
+ if (lret != LDAP_OPT_SUCCESS) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set LDAP MAX SSF option "
|
||||
+ "to %d\n", sasl_maxssf);
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
/* if we do not use start_tls the connection is not really connected yet
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,91 +0,0 @@
|
|||
From 24387e19f065e6a585b1120d5568cb4df271d102 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 27 Sep 2019 13:45:13 +0200
|
||||
Subject: [PATCH 15/15] ad: set min and max ssf for ldaps
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
AD does not allow to use encryption in the TLS and SASL layer at the
|
||||
same time. To be able to use ldaps this patch sets min and max ssf to 0
|
||||
if ldaps should be used.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/4131
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_common.c | 21 +++++++++++++++++++++
|
||||
src/providers/ad/ad_common.h | 2 ++
|
||||
src/providers/ad/ad_subdomains.c | 4 ++++
|
||||
3 files changed, 27 insertions(+)
|
||||
|
||||
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
||||
index a2369166a..51300f5b2 100644
|
||||
--- a/src/providers/ad/ad_common.c
|
||||
+++ b/src/providers/ad/ad_common.c
|
||||
@@ -1021,6 +1021,23 @@ done:
|
||||
return;
|
||||
}
|
||||
|
||||
+void ad_set_ssf_for_ldaps(struct sdap_options *id_opts)
|
||||
+{
|
||||
+ int ret;
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Setting ssf for ldaps usage.\n");
|
||||
+ ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MINSSF, 0);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to set SASL minssf for ldaps usage, ignored.\n");
|
||||
+ }
|
||||
+ ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MAXSSF, 0);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to set SASL maxssf for ldaps usage, ignored.\n");
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static errno_t
|
||||
ad_set_sdap_options(struct ad_options *ad_opts,
|
||||
struct sdap_options *id_opts)
|
||||
@@ -1079,6 +1096,10 @@ ad_set_sdap_options(struct ad_options *ad_opts,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ if (dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS)) {
|
||||
+ ad_set_ssf_for_ldaps(id_opts);
|
||||
+ }
|
||||
+
|
||||
/* Warn if the user is doing something silly like overriding the schema
|
||||
* with the AD provider
|
||||
*/
|
||||
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
|
||||
index 44da58fa0..8b7a86102 100644
|
||||
--- a/src/providers/ad/ad_common.h
|
||||
+++ b/src/providers/ad/ad_common.h
|
||||
@@ -182,6 +182,8 @@ errno_t
|
||||
ad_get_dyndns_options(struct be_ctx *be_ctx,
|
||||
struct ad_options *ad_opts);
|
||||
|
||||
+void ad_set_ssf_for_ldaps(struct sdap_options *id_opts);
|
||||
+
|
||||
struct ad_id_ctx *
|
||||
ad_id_ctx_init(struct ad_options *ad_opts, struct be_ctx *bectx);
|
||||
|
||||
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
||||
index d8c201437..a9c6b9f28 100644
|
||||
--- a/src/providers/ad/ad_subdomains.c
|
||||
+++ b/src/providers/ad/ad_subdomains.c
|
||||
@@ -328,6 +328,10 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
+ if (dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS)) {
|
||||
+ ad_set_ssf_for_ldaps(ad_options->id);
|
||||
+ }
|
||||
+
|
||||
ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,
|
||||
ad_options->id->basic,
|
||||
be_ctx->cdb, subdom_conf_path,
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
From 007d5b79b7aef67dd843ed9a3b65095faaeb580f Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Wed, 22 Jan 2020 09:43:21 +0000
|
||||
Subject: [PATCH] BE_REFRESH: Do not try to refresh domains from other backends
|
||||
|
||||
We cannot refresh domains from different sssd_be processes.
|
||||
We can refresh just subdomains
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/4142
|
||||
|
||||
Merges: https://pagure.io/SSSD/sssd/pull-request/4139
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/providers/be_refresh.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c
|
||||
index 6cce38390..5e43571ce 100644
|
||||
--- a/src/providers/be_refresh.c
|
||||
+++ b/src/providers/be_refresh.c
|
||||
@@ -385,6 +385,10 @@ static errno_t be_refresh_step(struct tevent_req *req)
|
||||
if (state->index == BE_REFRESH_TYPE_SENTINEL) {
|
||||
state->domain = get_next_domain(state->domain,
|
||||
SSS_GND_DESCEND);
|
||||
+ /* we can update just subdomains */
|
||||
+ if (state->domain != NULL && !IS_SUBDOMAIN(state->domain)) {
|
||||
+ break;
|
||||
+ }
|
||||
state->index = 0;
|
||||
continue;
|
||||
}
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,52 +0,0 @@
|
|||
From 58a67cd38b8be9bef45ce70588763d851840dd65 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppolawsk@redhat.com>
|
||||
Date: Tue, 3 Dec 2019 04:13:53 +0100
|
||||
Subject: [PATCH] sysdb_sudo: Enable LDAP time format compatibility
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
LDAP specification allows to ommit seconds and minutes
|
||||
in time border definition. In that case they defaults to zeros.
|
||||
Current sssd.sudo implementation requires precision up to
|
||||
seconds in time definition. This commit allows to lower
|
||||
the precision up to hours.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/4118
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/db/sysdb_sudo.c | 16 ++++++++++++++++
|
||||
1 file changed, 16 insertions(+)
|
||||
|
||||
diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
|
||||
index 59d6824c0..18088b017 100644
|
||||
--- a/src/db/sysdb_sudo.c
|
||||
+++ b/src/db/sysdb_sudo.c
|
||||
@@ -55,6 +55,22 @@ static errno_t sysdb_sudo_convert_time(const char *str, time_t *unix_time)
|
||||
"%Y%m%d%H%M%S.0%z",
|
||||
"%Y%m%d%H%M%S,0Z",
|
||||
"%Y%m%d%H%M%S,0%z",
|
||||
+ /* LDAP specification says that minutes and seconds
|
||||
+ might be omitted and in that case these are meant
|
||||
+ to be treated as zeros [1].
|
||||
+ */
|
||||
+ "%Y%m%d%H%MZ", /* Discard seconds */
|
||||
+ "%Y%m%d%H%M%z",
|
||||
+ "%Y%m%d%H%M.0Z",
|
||||
+ "%Y%m%d%H%M.0%z",
|
||||
+ "%Y%m%d%H%M,0Z",
|
||||
+ "%Y%m%d%H%M,0%z",
|
||||
+ "%Y%m%d%HZ", /* Discard minutes and seconds*/
|
||||
+ "%Y%m%d%H%z",
|
||||
+ "%Y%m%d%H.0Z",
|
||||
+ "%Y%m%d%H.0%z",
|
||||
+ "%Y%m%d%H,0Z",
|
||||
+ "%Y%m%d%H,0%z",
|
||||
NULL};
|
||||
|
||||
for (format = formats; *format != NULL; format++) {
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,43 +0,0 @@
|
|||
From faa5dbf6f716bd4ac0a3020a28a1ee6fbf74654a Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Thu, 23 Jan 2020 17:22:28 +0100
|
||||
Subject: [PATCH 18/24] sbus_server: stylistic rename
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Renamed sbus_server_name_remove_from_table() to
|
||||
sbus_server_name_remove_from_table_cb() to keep naming consistent
|
||||
with other functions used as `hash_delete_callback` argument of
|
||||
sss_ptr_hash_create()
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/sbus/server/sbus_server.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/sbus/server/sbus_server.c b/src/sbus/server/sbus_server.c
|
||||
index 5405dae56..2b9327051 100644
|
||||
--- a/src/sbus/server/sbus_server.c
|
||||
+++ b/src/sbus/server/sbus_server.c
|
||||
@@ -584,7 +584,7 @@ sbus_server_name_lost(struct sbus_server *server,
|
||||
}
|
||||
|
||||
static void
|
||||
-sbus_server_name_remove_from_table(hash_entry_t *item,
|
||||
+sbus_server_name_remove_from_table_cb(hash_entry_t *item,
|
||||
hash_destroy_enum type,
|
||||
void *pvt)
|
||||
{
|
||||
@@ -676,7 +676,7 @@ sbus_server_create(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
sbus_server->names = sss_ptr_hash_create(sbus_server,
|
||||
- sbus_server_name_remove_from_table, sbus_server);
|
||||
+ sbus_server_name_remove_from_table_cb, sbus_server);
|
||||
if (sbus_server->names == NULL) {
|
||||
ret = ENOMEM;
|
||||
goto done;
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,91 +0,0 @@
|
|||
From adc7730a4e1b9721c93863a1b283457e9c02a3c5 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Thu, 23 Jan 2020 17:55:24 +0100
|
||||
Subject: [PATCH 19/24] sss_ptr_hash: don't keep empty sss_ptr_hash_delete_data
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
There is no need to allocate memory for `sss_ptr_hash_delete_data`
|
||||
if table user doesn't provide custom delete callback.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/util/sss_ptr_hash.c | 36 ++++++++++++++++++++----------------
|
||||
1 file changed, 20 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
|
||||
index 8f9762cb9..f8addec1e 100644
|
||||
--- a/src/util/sss_ptr_hash.c
|
||||
+++ b/src/util/sss_ptr_hash.c
|
||||
@@ -138,12 +138,6 @@ sss_ptr_hash_delete_cb(hash_entry_t *item,
|
||||
struct sss_ptr_hash_value *value;
|
||||
struct hash_entry_t callback_entry;
|
||||
|
||||
- data = talloc_get_type(pvt, struct sss_ptr_hash_delete_data);
|
||||
- if (data == NULL) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data!\n");
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
value = talloc_get_type(item->value.ptr, struct sss_ptr_hash_value);
|
||||
if (value == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid value!\n");
|
||||
@@ -157,8 +151,14 @@ sss_ptr_hash_delete_cb(hash_entry_t *item,
|
||||
/* Free value, this also will disable spy */
|
||||
talloc_free(value);
|
||||
|
||||
- /* Switch to the input value and call custom callback. */
|
||||
- if (data->callback != NULL) {
|
||||
+ if (pvt != NULL) {
|
||||
+ /* Switch to the input value and call custom callback. */
|
||||
+ data = talloc_get_type(pvt, struct sss_ptr_hash_delete_data);
|
||||
+ if (data == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data!\n");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
data->callback(&callback_entry, deltype, data->pvt);
|
||||
}
|
||||
}
|
||||
@@ -167,17 +167,19 @@ hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
|
||||
hash_delete_callback *del_cb,
|
||||
void *del_cb_pvt)
|
||||
{
|
||||
- struct sss_ptr_hash_delete_data *data;
|
||||
+ struct sss_ptr_hash_delete_data *data = NULL;
|
||||
hash_table_t *table;
|
||||
errno_t ret;
|
||||
|
||||
- data = talloc_zero(NULL, struct sss_ptr_hash_delete_data);
|
||||
- if (data == NULL) {
|
||||
- return NULL;
|
||||
- }
|
||||
+ if (del_cb != NULL) {
|
||||
+ data = talloc_zero(NULL, struct sss_ptr_hash_delete_data);
|
||||
+ if (data == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
|
||||
- data->callback = del_cb;
|
||||
- data->pvt = del_cb_pvt;
|
||||
+ data->callback = del_cb;
|
||||
+ data->pvt = del_cb_pvt;
|
||||
+ }
|
||||
|
||||
ret = sss_hash_create_ex(mem_ctx, 10, &table, 0, 0, 0, 0,
|
||||
sss_ptr_hash_delete_cb, data);
|
||||
@@ -188,7 +190,9 @@ hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- talloc_steal(table, data);
|
||||
+ if (data != NULL) {
|
||||
+ talloc_steal(table, data);
|
||||
+ }
|
||||
|
||||
return table;
|
||||
}
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,62 +0,0 @@
|
|||
From d0eb88089b059bfe2da3bd1a3797b89d69119c29 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Thu, 23 Jan 2020 19:00:27 +0100
|
||||
Subject: [PATCH 20/24] sss_ptr_hash: sss_ptr_hash_delete fix/optimization
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
- no reason to skip hash_delete() just because sss_ptr_hash_lookup_internal()
|
||||
failed
|
||||
- avoid excessive lookup if it is not required to free payload
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/util/sss_ptr_hash.c | 17 +++++++++--------
|
||||
1 file changed, 9 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
|
||||
index f8addec1e..7326244e6 100644
|
||||
--- a/src/util/sss_ptr_hash.c
|
||||
+++ b/src/util/sss_ptr_hash.c
|
||||
@@ -331,20 +331,21 @@ void sss_ptr_hash_delete(hash_table_t *table,
|
||||
struct sss_ptr_hash_value *value;
|
||||
hash_key_t table_key;
|
||||
int hret;
|
||||
- void *ptr;
|
||||
+ void *payload;
|
||||
|
||||
if (table == NULL || key == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
- value = sss_ptr_hash_lookup_internal(table, key);
|
||||
- if (value == NULL) {
|
||||
- /* Value not found. */
|
||||
- return;
|
||||
+ if (free_value) {
|
||||
+ value = sss_ptr_hash_lookup_internal(table, key);
|
||||
+ if (value == NULL) {
|
||||
+ free_value = false;
|
||||
+ } else {
|
||||
+ payload = value->ptr;
|
||||
+ }
|
||||
}
|
||||
|
||||
- ptr = value->ptr;
|
||||
-
|
||||
table_key.type = HASH_KEY_STRING;
|
||||
table_key.str = discard_const_p(char, key);
|
||||
|
||||
@@ -357,7 +358,7 @@ void sss_ptr_hash_delete(hash_table_t *table,
|
||||
|
||||
/* Also free the original value if requested. */
|
||||
if (free_value) {
|
||||
- talloc_free(ptr);
|
||||
+ talloc_free(payload);
|
||||
}
|
||||
|
||||
return;
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
From 8cc2ce4e9060a71d441a377008fb2f567baa5d92 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Thu, 23 Jan 2020 20:07:41 +0100
|
||||
Subject: [PATCH 21/24] sss_ptr_hash: removed redundant check
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
`sss_ptr_hash_check_type()` call would take care of this case.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/util/sss_ptr_hash.c | 6 ------
|
||||
1 file changed, 6 deletions(-)
|
||||
|
||||
diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
|
||||
index 7326244e6..bf111a613 100644
|
||||
--- a/src/util/sss_ptr_hash.c
|
||||
+++ b/src/util/sss_ptr_hash.c
|
||||
@@ -268,12 +268,6 @@ sss_ptr_hash_lookup_internal(hash_table_t *table,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- /* This may happen if we are in delete callback
|
||||
- * and we try to search the hash table. */
|
||||
- if (table_value.ptr == NULL) {
|
||||
- return NULL;
|
||||
- }
|
||||
-
|
||||
if (!sss_ptr_hash_check_type(table_value.ptr, "struct sss_ptr_hash_value")) {
|
||||
return NULL;
|
||||
}
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,53 +0,0 @@
|
|||
From 4bc0c2c7833dd643fc1137daf6519670c05c3736 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Thu, 23 Jan 2020 21:11:16 +0100
|
||||
Subject: [PATCH 22/24] sss_ptr_hash: fixed memory leak
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In case `override` check was failed in _sss_ptr_hash_add()
|
||||
`value` was leaking.
|
||||
Fixed to do `override` check before value allocation.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/util/sss_ptr_hash.c | 14 +++++++-------
|
||||
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
|
||||
index bf111a613..114b6edeb 100644
|
||||
--- a/src/util/sss_ptr_hash.c
|
||||
+++ b/src/util/sss_ptr_hash.c
|
||||
@@ -217,21 +217,21 @@ errno_t _sss_ptr_hash_add(hash_table_t *table,
|
||||
return ERR_INVALID_DATA_TYPE;
|
||||
}
|
||||
|
||||
+ table_key.type = HASH_KEY_STRING;
|
||||
+ table_key.str = discard_const_p(char, key);
|
||||
+
|
||||
+ if (override == false && hash_has_key(table, &table_key)) {
|
||||
+ return EEXIST;
|
||||
+ }
|
||||
+
|
||||
value = sss_ptr_hash_value_create(table, key, talloc_ptr);
|
||||
if (value == NULL) {
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
- table_key.type = HASH_KEY_STRING;
|
||||
- table_key.str = discard_const_p(char, key);
|
||||
-
|
||||
table_value.type = HASH_VALUE_PTR;
|
||||
table_value.ptr = value;
|
||||
|
||||
- if (override == false && hash_has_key(table, &table_key)) {
|
||||
- return EEXIST;
|
||||
- }
|
||||
-
|
||||
hret = hash_enter(table, &table_key, &table_value);
|
||||
if (hret != HASH_SUCCESS) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add key %s!\n", key);
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,366 +0,0 @@
|
|||
From 0bb1289252eec972ea26721a92adc7db47383f76 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Fri, 24 Jan 2020 23:57:39 +0100
|
||||
Subject: [PATCH 23/24] sss_ptr_hash: internal refactoring
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
sss_ptr_hash code was refactored:
|
||||
- got rid of a "spy" to make logic cleaner
|
||||
- table got destructor to wipe its content
|
||||
- described some usage limitation in the documentation
|
||||
|
||||
And resolves: https://pagure.io/SSSD/sssd/issue/4135
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/util/sss_ptr_hash.c | 183 +++++++++++++++++-----------------------
|
||||
src/util/sss_ptr_hash.h | 17 +++-
|
||||
2 files changed, 91 insertions(+), 109 deletions(-)
|
||||
|
||||
diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
|
||||
index 114b6edeb..6409236c7 100644
|
||||
--- a/src/util/sss_ptr_hash.c
|
||||
+++ b/src/util/sss_ptr_hash.c
|
||||
@@ -39,67 +39,35 @@ static bool sss_ptr_hash_check_type(void *ptr, const char *type)
|
||||
return true;
|
||||
}
|
||||
|
||||
+static int sss_ptr_hash_table_destructor(hash_table_t *table)
|
||||
+{
|
||||
+ sss_ptr_hash_delete_all(table, false);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
struct sss_ptr_hash_delete_data {
|
||||
hash_delete_callback *callback;
|
||||
void *pvt;
|
||||
};
|
||||
|
||||
struct sss_ptr_hash_value {
|
||||
- struct sss_ptr_hash_spy *spy;
|
||||
- void *ptr;
|
||||
-};
|
||||
-
|
||||
-struct sss_ptr_hash_spy {
|
||||
- struct sss_ptr_hash_value *value;
|
||||
hash_table_t *table;
|
||||
const char *key;
|
||||
+ void *payload;
|
||||
};
|
||||
|
||||
-static int
|
||||
-sss_ptr_hash_spy_destructor(struct sss_ptr_hash_spy *spy)
|
||||
-{
|
||||
- spy->value->spy = NULL;
|
||||
-
|
||||
- /* This results in removing entry from hash table and freeing the value. */
|
||||
- sss_ptr_hash_delete(spy->table, spy->key, false);
|
||||
-
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
-static struct sss_ptr_hash_spy *
|
||||
-sss_ptr_hash_spy_create(TALLOC_CTX *mem_ctx,
|
||||
- hash_table_t *table,
|
||||
- const char *key,
|
||||
- struct sss_ptr_hash_value *value)
|
||||
-{
|
||||
- struct sss_ptr_hash_spy *spy;
|
||||
-
|
||||
- spy = talloc_zero(mem_ctx, struct sss_ptr_hash_spy);
|
||||
- if (spy == NULL) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
|
||||
- return NULL;
|
||||
- }
|
||||
-
|
||||
- spy->key = talloc_strdup(spy, key);
|
||||
- if (spy->key == NULL) {
|
||||
- talloc_free(spy);
|
||||
- return NULL;
|
||||
- }
|
||||
-
|
||||
- spy->table = table;
|
||||
- spy->value = value;
|
||||
- talloc_set_destructor(spy, sss_ptr_hash_spy_destructor);
|
||||
-
|
||||
- return spy;
|
||||
-}
|
||||
-
|
||||
static int
|
||||
sss_ptr_hash_value_destructor(struct sss_ptr_hash_value *value)
|
||||
{
|
||||
- if (value->spy != NULL) {
|
||||
- /* Disable spy destructor and free it. */
|
||||
- talloc_set_destructor(value->spy, NULL);
|
||||
- talloc_zfree(value->spy);
|
||||
+ hash_key_t table_key;
|
||||
+
|
||||
+ if (value->table && value->key) {
|
||||
+ table_key.type = HASH_KEY_STRING;
|
||||
+ table_key.str = discard_const_p(char, value->key);
|
||||
+ if (hash_delete(value->table, &table_key) != HASH_SUCCESS) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "failed to delete entry with key '%s'\n", value->key);
|
||||
+ }
|
||||
}
|
||||
|
||||
return 0;
|
||||
@@ -112,18 +80,19 @@ sss_ptr_hash_value_create(hash_table_t *table,
|
||||
{
|
||||
struct sss_ptr_hash_value *value;
|
||||
|
||||
- value = talloc_zero(table, struct sss_ptr_hash_value);
|
||||
+ value = talloc_zero(talloc_ptr, struct sss_ptr_hash_value);
|
||||
if (value == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- value->spy = sss_ptr_hash_spy_create(talloc_ptr, table, key, value);
|
||||
- if (value->spy == NULL) {
|
||||
+ value->key = talloc_strdup(value, key);
|
||||
+ if (value->key == NULL) {
|
||||
talloc_free(value);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- value->ptr = talloc_ptr;
|
||||
+ value->table = table;
|
||||
+ value->payload = talloc_ptr;
|
||||
talloc_set_destructor(value, sss_ptr_hash_value_destructor);
|
||||
|
||||
return value;
|
||||
@@ -138,29 +107,31 @@ sss_ptr_hash_delete_cb(hash_entry_t *item,
|
||||
struct sss_ptr_hash_value *value;
|
||||
struct hash_entry_t callback_entry;
|
||||
|
||||
+ if (pvt == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
value = talloc_get_type(item->value.ptr, struct sss_ptr_hash_value);
|
||||
if (value == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid value!\n");
|
||||
return;
|
||||
}
|
||||
|
||||
+ /* Switch to the input value and call custom callback. */
|
||||
+ data = talloc_get_type(pvt, struct sss_ptr_hash_delete_data);
|
||||
+ if (data == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data!\n");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
callback_entry.key = item->key;
|
||||
callback_entry.value.type = HASH_VALUE_PTR;
|
||||
- callback_entry.value.ptr = value->ptr;
|
||||
-
|
||||
- /* Free value, this also will disable spy */
|
||||
- talloc_free(value);
|
||||
-
|
||||
- if (pvt != NULL) {
|
||||
- /* Switch to the input value and call custom callback. */
|
||||
- data = talloc_get_type(pvt, struct sss_ptr_hash_delete_data);
|
||||
- if (data == NULL) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data!\n");
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
- data->callback(&callback_entry, deltype, data->pvt);
|
||||
- }
|
||||
+ callback_entry.value.ptr = value->payload;
|
||||
+ /* Even if execution is already in the context of
|
||||
+ * talloc_free(payload) -> talloc_free(value) -> ...
|
||||
+ * there still might be legitimate reasons to execute callback.
|
||||
+ */
|
||||
+ data->callback(&callback_entry, deltype, data->pvt);
|
||||
}
|
||||
|
||||
hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
|
||||
@@ -194,6 +165,8 @@ hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
|
||||
talloc_steal(table, data);
|
||||
}
|
||||
|
||||
+ talloc_set_destructor(table, sss_ptr_hash_table_destructor);
|
||||
+
|
||||
return table;
|
||||
}
|
||||
|
||||
@@ -282,15 +255,15 @@ void *_sss_ptr_hash_lookup(hash_table_t *table,
|
||||
struct sss_ptr_hash_value *value;
|
||||
|
||||
value = sss_ptr_hash_lookup_internal(table, key);
|
||||
- if (value == NULL || value->ptr == NULL) {
|
||||
+ if (value == NULL || value->payload == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- if (!sss_ptr_hash_check_type(value->ptr, type)) {
|
||||
+ if (!sss_ptr_hash_check_type(value->payload, type)) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- return value->ptr;
|
||||
+ return value->payload;
|
||||
}
|
||||
|
||||
void *_sss_ptr_get_value(hash_value_t *table_value,
|
||||
@@ -311,11 +284,11 @@ void *_sss_ptr_get_value(hash_value_t *table_value,
|
||||
|
||||
value = table_value->ptr;
|
||||
|
||||
- if (!sss_ptr_hash_check_type(value->ptr, type)) {
|
||||
+ if (!sss_ptr_hash_check_type(value->payload, type)) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- return value->ptr;
|
||||
+ return value->payload;
|
||||
}
|
||||
|
||||
void sss_ptr_hash_delete(hash_table_t *table,
|
||||
@@ -323,74 +296,70 @@ void sss_ptr_hash_delete(hash_table_t *table,
|
||||
bool free_value)
|
||||
{
|
||||
struct sss_ptr_hash_value *value;
|
||||
- hash_key_t table_key;
|
||||
- int hret;
|
||||
- void *payload;
|
||||
+ void *payload = NULL;
|
||||
|
||||
if (table == NULL || key == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
- if (free_value) {
|
||||
- value = sss_ptr_hash_lookup_internal(table, key);
|
||||
- if (value == NULL) {
|
||||
- free_value = false;
|
||||
- } else {
|
||||
- payload = value->ptr;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- table_key.type = HASH_KEY_STRING;
|
||||
- table_key.str = discard_const_p(char, key);
|
||||
-
|
||||
- /* Delete table entry. This will free value and spy in delete callback. */
|
||||
- hret = hash_delete(table, &table_key);
|
||||
- if (hret != HASH_SUCCESS && hret != HASH_ERROR_KEY_NOT_FOUND) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to remove key from table [%d]\n",
|
||||
- hret);
|
||||
+ value = sss_ptr_hash_lookup_internal(table, key);
|
||||
+ if (value == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Unable to remove key '%s' from table\n", key);
|
||||
+ return;
|
||||
}
|
||||
|
||||
- /* Also free the original value if requested. */
|
||||
if (free_value) {
|
||||
- talloc_free(payload);
|
||||
+ payload = value->payload;
|
||||
}
|
||||
|
||||
+ talloc_free(value); /* this will call hash_delete() in value d-tor */
|
||||
+
|
||||
+ talloc_free(payload); /* it is safe to call talloc_free(NULL) */
|
||||
+
|
||||
return;
|
||||
}
|
||||
|
||||
void sss_ptr_hash_delete_all(hash_table_t *table,
|
||||
bool free_values)
|
||||
{
|
||||
+ hash_value_t *content;
|
||||
struct sss_ptr_hash_value *value;
|
||||
- hash_value_t *values;
|
||||
+ void *payload = NULL;
|
||||
unsigned long count;
|
||||
unsigned long i;
|
||||
int hret;
|
||||
- void *ptr;
|
||||
|
||||
if (table == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
- hret = hash_values(table, &count, &values);
|
||||
+ hret = hash_values(table, &count, &content);
|
||||
if (hret != HASH_SUCCESS) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get values [%d]\n", hret);
|
||||
return;
|
||||
}
|
||||
|
||||
- for (i = 0; i < count; i++) {
|
||||
- value = values[i].ptr;
|
||||
- ptr = value->ptr;
|
||||
-
|
||||
- /* This will remove the entry from hash table and free value. */
|
||||
- talloc_free(value->spy);
|
||||
-
|
||||
- if (free_values) {
|
||||
- /* Also free the original value. */
|
||||
- talloc_free(ptr);
|
||||
+ for (i = 0; i < count; ++i) {
|
||||
+ if ((content[i].type == HASH_VALUE_PTR) &&
|
||||
+ sss_ptr_hash_check_type(content[i].ptr,
|
||||
+ "struct sss_ptr_hash_value")) {
|
||||
+ value = content[i].ptr;
|
||||
+ if (free_values) {
|
||||
+ payload = value->payload;
|
||||
+ }
|
||||
+ talloc_free(value);
|
||||
+ if (free_values) {
|
||||
+ talloc_free(payload); /* it's safe to call talloc_free(NULL) */
|
||||
+ }
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Unexpected type of table content, skipping");
|
||||
}
|
||||
}
|
||||
|
||||
+ talloc_free(content);
|
||||
+
|
||||
return;
|
||||
}
|
||||
|
||||
diff --git a/src/util/sss_ptr_hash.h b/src/util/sss_ptr_hash.h
|
||||
index 56bb19a65..0889b171a 100644
|
||||
--- a/src/util/sss_ptr_hash.h
|
||||
+++ b/src/util/sss_ptr_hash.h
|
||||
@@ -28,7 +28,19 @@
|
||||
|
||||
/**
|
||||
* Create a new hash table with string key and talloc pointer value with
|
||||
- * possible delete callback.
|
||||
+ * possible custom delete callback @del_cb.
|
||||
+ * Table will have destructor setup to wipe content.
|
||||
+ * Never call hash_destroy(table) and hash_delete() explicitly but rather
|
||||
+ * use talloc_free(table) and sss_ptr_hash_delete().
|
||||
+ *
|
||||
+ * A notes about @del_cb:
|
||||
+ * - this callback must never modify hash table (i.e. add/del entries);
|
||||
+ * - this callback is triggered when value is either explicitly removed
|
||||
+ * from the table or simply freed (latter leads to removal of an entry
|
||||
+ * from the table);
|
||||
+ * - this callback is also triggered for every entry when table is freed
|
||||
+ * entirely. In this case (deltype == HASH_TABLE_DESTROY) any table
|
||||
+ * lookups / iteration are forbidden as table might be already invalidated.
|
||||
*/
|
||||
hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
|
||||
hash_delete_callback *del_cb,
|
||||
@@ -41,7 +53,8 @@ hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
|
||||
* the value is overridden. Otherwise EEXIST error is returned.
|
||||
*
|
||||
* If talloc_ptr is freed the key and value are automatically
|
||||
- * removed from the hash table.
|
||||
+ * removed from the hash table (del_cb that was set up during
|
||||
+ * table creation is executed as a first step of this removal).
|
||||
*
|
||||
* @return EOK If the <@key, @talloc_ptr> pair was inserted.
|
||||
* @return EEXIST If @key already exists and @override is false.
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,266 +0,0 @@
|
|||
From 88b23bf50dd1c12413f3314639de2c3909bd9098 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Tue, 28 Jan 2020 19:26:08 +0100
|
||||
Subject: [PATCH 24/24] TESTS: added sss_ptr_hash unit test
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
Makefile.am | 1 +
|
||||
src/tests/cmocka/test_sss_ptr_hash.c | 193 +++++++++++++++++++++++++++
|
||||
src/tests/cmocka/test_utils.c | 9 ++
|
||||
src/tests/cmocka/test_utils.h | 6 +
|
||||
4 files changed, 209 insertions(+)
|
||||
create mode 100644 src/tests/cmocka/test_sss_ptr_hash.c
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 57ba51356..c991f2aa0 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -3054,6 +3054,7 @@ test_ipa_idmap_LDADD = \
|
||||
test_utils_SOURCES = \
|
||||
src/tests/cmocka/test_utils.c \
|
||||
src/tests/cmocka/test_string_utils.c \
|
||||
+ src/tests/cmocka/test_sss_ptr_hash.c \
|
||||
src/p11_child/p11_child_common_utils.c \
|
||||
$(NULL)
|
||||
if BUILD_SSH
|
||||
diff --git a/src/tests/cmocka/test_sss_ptr_hash.c b/src/tests/cmocka/test_sss_ptr_hash.c
|
||||
new file mode 100644
|
||||
index 000000000..1458238f5
|
||||
--- /dev/null
|
||||
+++ b/src/tests/cmocka/test_sss_ptr_hash.c
|
||||
@@ -0,0 +1,193 @@
|
||||
+/*
|
||||
+ Copyright (C) 2020 Red Hat
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#include "tests/cmocka/common_mock.h"
|
||||
+#include "util/sss_ptr_hash.h"
|
||||
+
|
||||
+static const int MAX_ENTRIES_AMOUNT = 5;
|
||||
+
|
||||
+static void populate_table(hash_table_t *table, int **payloads)
|
||||
+{
|
||||
+ char key[2] = {'z', 0};
|
||||
+
|
||||
+ for (int i = 0; i < MAX_ENTRIES_AMOUNT; ++i) {
|
||||
+ payloads[i] = talloc_zero(global_talloc_context, int);
|
||||
+ assert_non_null(payloads[i]);
|
||||
+ *payloads[i] = i;
|
||||
+ key[0] = '0'+(char)i;
|
||||
+ assert_int_equal(sss_ptr_hash_add(table, key, payloads[i], int), 0);
|
||||
+ }
|
||||
+
|
||||
+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT);
|
||||
+}
|
||||
+
|
||||
+static void free_payload_cb(hash_entry_t *item, hash_destroy_enum type, void *pvt)
|
||||
+{
|
||||
+ int *counter;
|
||||
+
|
||||
+ assert_non_null(item);
|
||||
+ assert_non_null(item->value.ptr);
|
||||
+ talloc_zfree(item->value.ptr);
|
||||
+
|
||||
+ assert_non_null(pvt);
|
||||
+ counter = (int *)pvt;
|
||||
+ (*counter)++;
|
||||
+}
|
||||
+
|
||||
+void test_sss_ptr_hash_with_free_cb(void **state)
|
||||
+{
|
||||
+ hash_table_t *table;
|
||||
+ int free_counter = 0;
|
||||
+ int *payloads[MAX_ENTRIES_AMOUNT];
|
||||
+
|
||||
+ table = sss_ptr_hash_create(global_talloc_context,
|
||||
+ free_payload_cb,
|
||||
+ &free_counter);
|
||||
+ assert_non_null(table);
|
||||
+
|
||||
+ populate_table(table, payloads);
|
||||
+
|
||||
+ /* check explicit removal from the hash */
|
||||
+ sss_ptr_hash_delete(table, "1", false);
|
||||
+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-1);
|
||||
+ assert_int_equal(free_counter, 1);
|
||||
+
|
||||
+ /* check implicit removal triggered by payload deletion */
|
||||
+ talloc_free(payloads[3]);
|
||||
+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-2);
|
||||
+ assert_int_equal(free_counter, 2);
|
||||
+
|
||||
+ /* try to remove non existent entry */
|
||||
+ sss_ptr_hash_delete(table, "q", false);
|
||||
+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-2);
|
||||
+ assert_int_equal(free_counter, 2);
|
||||
+
|
||||
+ /* clear all */
|
||||
+ sss_ptr_hash_delete_all(table, false);
|
||||
+ assert_int_equal((int)hash_count(table), 0);
|
||||
+ assert_int_equal(free_counter, MAX_ENTRIES_AMOUNT);
|
||||
+
|
||||
+ /* check that table is still operable */
|
||||
+ populate_table(table, payloads);
|
||||
+ sss_ptr_hash_delete(table, "2", false);
|
||||
+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-1);
|
||||
+ assert_int_equal(free_counter, MAX_ENTRIES_AMOUNT+1);
|
||||
+
|
||||
+ talloc_free(table);
|
||||
+ assert_int_equal(free_counter, MAX_ENTRIES_AMOUNT*2);
|
||||
+}
|
||||
+
|
||||
+struct table_wrapper
|
||||
+{
|
||||
+ hash_table_t **table;
|
||||
+};
|
||||
+
|
||||
+static void lookup_cb(hash_entry_t *item, hash_destroy_enum type, void *pvt)
|
||||
+{
|
||||
+ hash_table_t *table;
|
||||
+ hash_key_t *keys;
|
||||
+ unsigned long count;
|
||||
+ int *value = NULL;
|
||||
+ int sum = 0;
|
||||
+
|
||||
+ assert_non_null(pvt);
|
||||
+ table = *((struct table_wrapper *)pvt)->table;
|
||||
+ assert_non_null(table);
|
||||
+
|
||||
+ if (type == HASH_TABLE_DESTROY) {
|
||||
+ /* table is being destroyed */
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ assert_int_equal(hash_keys(table, &count, &keys), HASH_SUCCESS);
|
||||
+ for (unsigned int i = 0; i < count; ++i) {
|
||||
+ assert_int_equal(keys[i].type, HASH_KEY_STRING);
|
||||
+ value = sss_ptr_hash_lookup(table, keys[i].c_str, int);
|
||||
+ assert_non_null(value);
|
||||
+ sum += *value;
|
||||
+ }
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "sum of all values = %d\n", sum);
|
||||
+ talloc_free(keys);
|
||||
+}
|
||||
+
|
||||
+/* main difference with `test_sss_ptr_hash_with_free_cb()`
|
||||
+ * is that table cb here doesn't delete payload so
|
||||
+ * this is requested via `free_value(s)` arg
|
||||
+ */
|
||||
+void test_sss_ptr_hash_with_lookup_cb(void **state)
|
||||
+{
|
||||
+ hash_table_t *table;
|
||||
+ struct table_wrapper wrapper;
|
||||
+ int *payloads[MAX_ENTRIES_AMOUNT];
|
||||
+
|
||||
+ wrapper.table = &table;
|
||||
+ table = sss_ptr_hash_create(global_talloc_context,
|
||||
+ lookup_cb,
|
||||
+ &wrapper);
|
||||
+ assert_non_null(table);
|
||||
+
|
||||
+ populate_table(table, payloads);
|
||||
+
|
||||
+ /* check explicit removal from the hash */
|
||||
+ sss_ptr_hash_delete(table, "2", true);
|
||||
+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-1);
|
||||
+
|
||||
+ /* check implicit removal triggered by payload deletion */
|
||||
+ talloc_free(payloads[0]);
|
||||
+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-2);
|
||||
+
|
||||
+ /* clear all */
|
||||
+ sss_ptr_hash_delete_all(table, true);
|
||||
+ assert_int_equal((int)hash_count(table), 0);
|
||||
+ /* teardown function shall verify there are no leaks
|
||||
+ * on global_talloc_context and so that payloads[] were freed
|
||||
+ */
|
||||
+
|
||||
+ /* check that table is still operable */
|
||||
+ populate_table(table, payloads);
|
||||
+
|
||||
+ talloc_free(table);
|
||||
+ /* d-tor triggers hash_destroy() but since cb here doesn free payload
|
||||
+ * this should be done manually
|
||||
+ */
|
||||
+ for (int i = 0; i < MAX_ENTRIES_AMOUNT; ++i) {
|
||||
+ talloc_free(payloads[i]);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/* Just smoke test to verify that absence of cb doesn't break anything */
|
||||
+void test_sss_ptr_hash_without_cb(void **state)
|
||||
+{
|
||||
+ hash_table_t *table;
|
||||
+ int *payloads[MAX_ENTRIES_AMOUNT];
|
||||
+
|
||||
+ table = sss_ptr_hash_create(global_talloc_context, NULL, NULL);
|
||||
+ assert_non_null(table);
|
||||
+
|
||||
+ populate_table(table, payloads);
|
||||
+
|
||||
+ sss_ptr_hash_delete(table, "4", true);
|
||||
+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-1);
|
||||
+
|
||||
+ talloc_free(payloads[1]);
|
||||
+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-2);
|
||||
+
|
||||
+ sss_ptr_hash_delete_all(table, true);
|
||||
+ assert_int_equal((int)hash_count(table), 0);
|
||||
+
|
||||
+ talloc_free(table);
|
||||
+}
|
||||
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
|
||||
index 666f32903..c5eda4dd2 100644
|
||||
--- a/src/tests/cmocka/test_utils.c
|
||||
+++ b/src/tests/cmocka/test_utils.c
|
||||
@@ -2055,6 +2055,15 @@ int main(int argc, const char *argv[])
|
||||
cmocka_unit_test_setup_teardown(test_sss_get_domain_mappings_content,
|
||||
setup_dom_list_with_subdomains,
|
||||
teardown_dom_list),
|
||||
+ cmocka_unit_test_setup_teardown(test_sss_ptr_hash_with_free_cb,
|
||||
+ setup_leak_tests,
|
||||
+ teardown_leak_tests),
|
||||
+ cmocka_unit_test_setup_teardown(test_sss_ptr_hash_with_lookup_cb,
|
||||
+ setup_leak_tests,
|
||||
+ teardown_leak_tests),
|
||||
+ cmocka_unit_test_setup_teardown(test_sss_ptr_hash_without_cb,
|
||||
+ setup_leak_tests,
|
||||
+ teardown_leak_tests),
|
||||
};
|
||||
|
||||
/* Set debug level to invalid value so we can decide if -d 0 was used. */
|
||||
diff --git a/src/tests/cmocka/test_utils.h b/src/tests/cmocka/test_utils.h
|
||||
index e93e0da25..44b9479f9 100644
|
||||
--- a/src/tests/cmocka/test_utils.h
|
||||
+++ b/src/tests/cmocka/test_utils.h
|
||||
@@ -33,4 +33,10 @@ void test_guid_blob_to_string_buf(void **state);
|
||||
void test_get_last_x_chars(void **state);
|
||||
void test_concatenate_string_array(void **state);
|
||||
|
||||
+/* from src/tests/cmocka/test_sss_ptr_hash.c */
|
||||
+void test_sss_ptr_hash_with_free_cb(void **state);
|
||||
+void test_sss_ptr_hash_with_lookup_cb(void **state);
|
||||
+void test_sss_ptr_hash_without_cb(void **state);
|
||||
+
|
||||
+
|
||||
#endif /* __TESTS__CMOCKA__TEST_UTILS_H__ */
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,86 +0,0 @@
|
|||
From 7b647338a40d701c6a5bb51c48c10a31a6b72699 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 30 Jan 2020 13:14:14 +0100
|
||||
Subject: [PATCH 25/26] p11_child: check if card is present in wait_for_card()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Some implementations of C_WaitForSlotEvent() might return even if no
|
||||
card was inserted. So it has to be checked if a card is really present.
|
||||
|
||||
Resolves: https://pagure.io/SSSD/sssd/issue/4159
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/p11_child/p11_child_openssl.c | 47 ++++++++++++++++---------------
|
||||
1 file changed, 25 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
|
||||
index 56601b117..295715612 100644
|
||||
--- a/src/p11_child/p11_child_openssl.c
|
||||
+++ b/src/p11_child/p11_child_openssl.c
|
||||
@@ -1546,35 +1546,38 @@ static errno_t wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id)
|
||||
CK_RV rv;
|
||||
CK_SLOT_INFO info;
|
||||
|
||||
- rv = module->C_WaitForSlotEvent(wait_flags, slot_id, NULL);
|
||||
- if (rv != CKR_OK) {
|
||||
- if (rv != CKR_FUNCTION_NOT_SUPPORTED) {
|
||||
+ do {
|
||||
+ rv = module->C_WaitForSlotEvent(wait_flags, slot_id, NULL);
|
||||
+ if (rv != CKR_OK && rv != CKR_FUNCTION_NOT_SUPPORTED) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"C_WaitForSlotEvent failed [%lu][%s].\n",
|
||||
rv, p11_kit_strerror(rv));
|
||||
return EIO;
|
||||
}
|
||||
|
||||
- /* Poor man's wait */
|
||||
- do {
|
||||
+ if (rv == CKR_FUNCTION_NOT_SUPPORTED) {
|
||||
+ /* Poor man's wait */
|
||||
sleep(10);
|
||||
- rv = module->C_GetSlotInfo(*slot_id, &info);
|
||||
- if (rv != CKR_OK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
|
||||
- return EIO;
|
||||
- }
|
||||
- DEBUG(SSSDBG_TRACE_ALL,
|
||||
- "Description [%s] Manufacturer [%s] flags [%lu] "
|
||||
- "removable [%s] token present [%s].\n",
|
||||
- info.slotDescription, info.manufacturerID, info.flags,
|
||||
- (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
|
||||
- (info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
|
||||
- if ((info.flags & CKF_REMOVABLE_DEVICE)
|
||||
- && (info.flags & CKF_TOKEN_PRESENT)) {
|
||||
- break;
|
||||
- }
|
||||
- } while (true);
|
||||
- }
|
||||
+ }
|
||||
+
|
||||
+ rv = module->C_GetSlotInfo(*slot_id, &info);
|
||||
+ if (rv != CKR_OK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
|
||||
+ return EIO;
|
||||
+ }
|
||||
+ DEBUG(SSSDBG_TRACE_ALL,
|
||||
+ "Description [%s] Manufacturer [%s] flags [%lu] "
|
||||
+ "removable [%s] token present [%s].\n",
|
||||
+ info.slotDescription, info.manufacturerID, info.flags,
|
||||
+ (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
|
||||
+ (info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
|
||||
+
|
||||
+ /* Check if really a token is present */
|
||||
+ if ((info.flags & CKF_REMOVABLE_DEVICE)
|
||||
+ && (info.flags & CKF_TOKEN_PRESENT)) {
|
||||
+ break;
|
||||
+ }
|
||||
+ } while (true);
|
||||
|
||||
return EOK;
|
||||
}
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
From 37780b895199bab991edae6b1eeb91b7b3966bcf Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 6 Feb 2020 14:50:23 +0100
|
||||
Subject: [PATCH 26/26] PAM client: only require UID 0 for private socket
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Some privileged services like e.g. gdm might only call with UID 0 but
|
||||
with a different GID. This patch removes the GID 0 requirement to access
|
||||
to private PAM socket so that e.g. gdm can use the wait-for-card option.
|
||||
|
||||
Resolves: https://pagure.io/SSSD/sssd/issue/4159
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/sss_client/common.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
|
||||
index 270ca8b54..902438c86 100644
|
||||
--- a/src/sss_client/common.c
|
||||
+++ b/src/sss_client/common.c
|
||||
@@ -910,8 +910,8 @@ int sss_pam_make_request(enum sss_cli_command cmd,
|
||||
goto out;
|
||||
}
|
||||
|
||||
- /* only root shall use the privileged pipe */
|
||||
- if (getuid() == 0 && getgid() == 0) {
|
||||
+ /* only UID 0 shall use the privileged pipe */
|
||||
+ if (getuid() == 0) {
|
||||
socket_name = SSS_PAM_PRIV_SOCKET_NAME;
|
||||
errno = 0;
|
||||
statret = stat(socket_name, &stat_buf);
|
||||
--
|
||||
2.20.1
|
||||
|
||||
2
sources
2
sources
|
|
@ -1 +1 @@
|
|||
SHA512 (sssd-2.2.3.tar.gz) = b61d52a53e26e8efa9cb799fc6efc2314bf9d174d3cacfe591a4ca77530637591eacc0dc70c0555252e04a9617e8b134b1ab2d9b0f7351b4228e7b61499e6a10
|
||||
SHA512 (sssd-2.3.0.tar.gz) = 72fc69018c4b8a71198f4a82e89d49d7a5c513e9291deff2f8e0e132cbd67341a8fa89598d28fcc1d785497526c9eeffe9b261c751524ee0e553badf0f748d59
|
||||
|
|
|
|||
38
sssd.spec
38
sssd.spec
|
|
@ -35,40 +35,15 @@
|
|||
%endif
|
||||
|
||||
Name: sssd
|
||||
Version: 2.2.3
|
||||
Release: 13%{?dist}
|
||||
Version: 2.3.0
|
||||
Release: 1%{?dist}
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
URL: https://pagure.io/SSSD/sssd/
|
||||
Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
|
||||
URL: https://gihub.com/SSSD/sssd/
|
||||
Source0: https://github.com/SSSD/sssd/releases/download/sssd-2_3_0/sssd-2.3.0.tar.gz
|
||||
|
||||
### Patches ###
|
||||
Patch0001: 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
|
||||
Patch0002: 0002-BUILD-Accept-krb5-1.18-for-building-the-PAC-plugin.patch
|
||||
Patch0003: 0003-INI-sssctl-config-check-command-error-messages.patch
|
||||
Patch0004: 0004-certmap-mention-special-regex-characters-in-man-page.patch
|
||||
Patch0005: 0005-ldap_child-do-not-try-PKINIT.patch
|
||||
Patch0006: 0006-util-watchdog-fixed-watchdog-implementation.patch
|
||||
Patch0007: 0007-providers-krb5-got-rid-of-unused-code.patch
|
||||
Patch0008: 0008-data_provider_be-got-rid-of-duplicating-SIGTERM-hand.patch
|
||||
Patch0009: 0009-util-server-improved-debug-at-shutdown.patch
|
||||
Patch0010: 0010-util-sss_ptr_hash-fixed-double-free-in-sss_ptr_hash_.patch
|
||||
Patch0011: 0011-sdap-Add-randomness-to-ldap-connection-timeout.patch
|
||||
Patch0012: 0012-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
|
||||
Patch0013: 0013-ad-add-ad_use_ldaps.patch
|
||||
Patch0014: 0014-ldap-add-new-option-ldap_sasl_maxssf.patch
|
||||
Patch0015: 0015-ad-set-min-and-max-ssf-for-ldaps.patch
|
||||
Patch0016: 0016-BE_REFRESH-Do-not-try-to-refresh-domains-from-other-.patch
|
||||
Patch0017: 0017-sysdb_sudo-Enable-LDAP-time-format-compatibility.patch
|
||||
Patch0018: 0018-sbus_server-stylistic-rename.patch
|
||||
Patch0019: 0019-sss_ptr_hash-don-t-keep-empty-sss_ptr_hash_delete_da.patch
|
||||
Patch0020: 0020-sss_ptr_hash-sss_ptr_hash_delete-fix-optimization.patch
|
||||
Patch0021: 0021-sss_ptr_hash-removed-redundant-check.patch
|
||||
Patch0022: 0022-sss_ptr_hash-fixed-memory-leak.patch
|
||||
Patch0023: 0023-sss_ptr_hash-internal-refactoring.patch
|
||||
Patch0024: 0024-TESTS-added-sss_ptr_hash-unit-test.patch
|
||||
Patch0025: 0025-p11_child-check-if-card-is-present-in-wait_for_card.patch
|
||||
Patch0026: 0026-PAM-client-only-require-UID-0-for-private-socket.patch
|
||||
Patch0001: 0001-test-avoid-endian-issues-in-network-tests.patch
|
||||
|
||||
### Downstream only patches ###
|
||||
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
|
||||
|
|
@ -1097,6 +1072,9 @@ fi
|
|||
%{_libdir}/%{name}/modules/libwbclient.so
|
||||
|
||||
%changelog
|
||||
* Wed May 20 2020 Pavel Březina <pbrezina@redhat.com> - 2.3.0-1
|
||||
- Rebase to SSSD 2.3.0
|
||||
|
||||
* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-13
|
||||
- Resolves: upstream#4159 - p11_child should have an option to skip
|
||||
C_WaitForSlotEvent if the PKCS#11 module does not
|
||||
|
|
|
|||
Loading…
Reference in New Issue