Add 2 other patches around offline auth caching
parent
4e5c172095
commit
3a21c0ede9
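--- /dev/null
+++ b/0001-enable-offline-handling-for-native-LDAP-backend.patch
@@ -0,0 +1,123 @@
+>From 39ffa138c698f0fe1a440a05406852d1add7c73c Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 28 Apr 2009 13:37:33 +0200
+Subject: [PATCH] enable offline handling for native LDAP backend
+
+---
+server/providers/ldap_be.c | 52 ++++++++++++++++++++++++++++++++++++++++---
+1 files changed, 48 insertions(+), 4 deletions(-)
+
+diff --git a/server/providers/ldap_be.c b/server/providers/ldap_be.c
+index e654702..365b7d0 100644
+--- a/server/providers/ldap_be.c
++++ b/server/providers/ldap_be.c
+@@ -49,6 +49,8 @@ struct sdap_ctx {
+char *default_authtok_type;
+uint32_t default_authtok_size;
+char *default_authtok;
++ int network_timeout;
++ int opt_timeout;
+};
+
+struct sdap_ops;
+@@ -197,6 +199,8 @@ static int sdap_init(struct sdap_req *lr)
+int status=EOK;
+int ldap_vers = LDAP_VERSION3;
+int msgid;
++ struct timeval network_timeout;
++ struct timeval opt_timeout;
+
+ret = ldap_initialize(&(lr->ldap), lr->sdap_ctx->ldap_uri);
+if (ret != LDAP_SUCCESS) {
+@@ -212,13 +216,35 @@ static int sdap_init(struct sdap_req *lr)
+goto cleanup;
+}
+
++ network_timeout.tv_sec = lr->sdap_ctx->network_timeout;
++ network_timeout.tv_usec = 0;
++ opt_timeout.tv_sec = lr->sdap_ctx->opt_timeout;
++ opt_timeout.tv_usec = 0;
++ ret = ldap_set_option(lr->ldap, LDAP_OPT_NETWORK_TIMEOUT, &network_timeout);
++ if (ret != LDAP_OPT_SUCCESS) {
++ DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret)));
++ status = EIO;
++ goto cleanup;
++ }
++ ret = ldap_set_option(lr->ldap, LDAP_OPT_TIMEOUT, &opt_timeout);
++ if (ret != LDAP_OPT_SUCCESS) {
++ DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret)));
++ status = EIO;
++ goto cleanup;
++ }
++
+/* For now TLS is forced. Maybe it would be necessary to make this
+* configurable to allow people to expose their passwords over the
+* network. */
+ret = ldap_start_tls(lr->ldap, NULL, NULL, &msgid);
+if (ret != LDAP_SUCCESS) {
+- DEBUG(1, ("ldap_start_tls failed: %s\n", ldap_err2string(ret)));
+- status = EIO;
++ DEBUG(1, ("ldap_start_tls failed: [%d][%s]\n", ret,
++ ldap_err2string(ret)));
++ if (ret == LDAP_SERVER_DOWN) {
++ status = EAGAIN;
++ } else {
++ status = EIO;
++ }
+goto cleanup;
+}
+
+@@ -289,7 +315,11 @@ static void sdap_pam_loop(struct tevent_context *ev, struct tevent_fd *te,
+if (ret != EOK) {
+DEBUG(1, ("sdap_init failed.\n"));
+lr->ldap = NULL;
+- pam_status = PAM_SYSTEM_ERR;
++ if (ret == EAGAIN) {
++ pam_status = PAM_AUTHINFO_UNAVAIL;
++ } else {
++ pam_status = PAM_SYSTEM_ERR;
++ }
+goto done;
+}
+case SDAP_CHECK_INIT_RESULT:
+@@ -573,7 +603,11 @@ static void sdap_start(struct tevent_context *ev, struct tevent_timer *te,
+if (ret != EOK) {
+DEBUG(1, ("sdap_init failed.\n"));
+lr->ldap = NULL;
+- pam_status = PAM_SYSTEM_ERR;
++ if (ret == EAGAIN) {
++ pam_status = PAM_AUTHINFO_UNAVAIL;
++ } else {
++ pam_status = PAM_SYSTEM_ERR;
++ }
+goto done;
+}
+
+@@ -663,6 +697,8 @@ int sssm_ldap_auth_init(struct be_ctx *bectx,
+char *user_search_base;
+char *user_name_attribute;
+char *user_object_class;
++ int network_timeout;
++ int opt_timeout;
+int ret;
+
+ctx = talloc(bectx, struct sdap_ctx);
+@@ -715,7 +751,15 @@ int sssm_ldap_auth_init(struct be_ctx *bectx,
+ctx->default_authtok = default_authtok;
+ctx->default_authtok_size = (default_authtok==NULL?0:strlen(default_authtok));
+
++ ret = confdb_get_int(bectx->cdb, ctx, bectx->conf_path,
++ "network_timeout", 5, &network_timeout);
++ if (ret != EOK) goto done;
++ ctx->network_timeout = network_timeout;
+
++ ret = confdb_get_int(bectx->cdb, ctx, bectx->conf_path,
++ "opt_timeout", 5, &opt_timeout);
++ if (ret != EOK) goto done;
++ ctx->network_timeout = opt_timeout;
+
+*ops = &sdap_mod_ops;
+*pvt_data = ctx;
+--
+1.6.0.6
+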
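Review bot: In the `@@ -715,7 +751,15 @@` hunk of the embedded ldap_be.c patch the second config read is stored into the wrong field: `ctx->network_timeout = opt_timeout;` overwrites the value assigned four lines earlier and never sets `ctx->opt_timeout`, and because `ctx` is allocated with `talloc()` rather than `talloc_zero()` the `sdap_init` hunk then passes an indeterminate `tv_sec` to `ldap_set_option(..., LDAP_OPT_TIMEOUT, ...)`. The line should read `ctx->opt_timeout = opt_timeout;`. It would also help readers to say in the `sdap_init` hunk why only `LDAP_SERVER_DOWN` is translated to `EAGAIN`, e.g. `/* server unreachable within network_timeout: report EAGAIN so callers can fall back to cached credentials */`, since any other TLS failure still surfaces as `EIO`/`PAM_SYSTEM_ERR`. Both `sdap_init` and `sssm_ldap_auth_init` begin and end outside their hunks.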
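--- /dev/null
+++ b/0001-handle-other-pam-calls-when-offline.patch
@@ -0,0 +1,33 @@
+>From 883549efb0a55291b2e6bce05b51e0a6c5847dbb Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 28 Apr 2009 10:17:38 +0200
+Subject: [PATCH] handle other pam calls when offline
+
+---
+server/responder/pam/pamsrv_cmd.c | 10 ++++++++++
+1 files changed, 10 insertions(+), 0 deletions(-)
+
+diff --git a/server/responder/pam/pamsrv_cmd.c b/server/responder/pam/pamsrv_cmd.c
+index 4c7bf1f..6d3f899 100644
+--- a/server/responder/pam/pamsrv_cmd.c
++++ b/server/responder/pam/pamsrv_cmd.c
+@@ -172,6 +172,16 @@ static void pam_reply(struct pam_auth_req *preq)
+}
+}
+
++/* TODO: we need the pam session cookie here to make sure that cached
++ * authentication was successful */
++ if ((pd->cmd == SSS_PAM_SETCRED || pd->cmd == SSS_PAM_ACCT_MGMT ||
++ pd->cmd == SSS_PAM_OPEN_SESSION || pd->cmd == SSS_PAM_CLOSE_SESSION) &&
++ pd->pam_status == PAM_AUTHINFO_UNAVAIL) {
++ DEBUG(2, ("Assuming offline authentication "
++ "setting status for pam call %d to PAM_SUCCESS.\n", pd->cmd));
++ pd->pam_status = PAM_SUCCESS;
++ }
++
+cctx = preq->cctx;
+
+if (pd->response_delay > 0) {
+--
+1.6.0.6
+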
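Review bot: The new block in `pam_reply` rewrites `PAM_AUTHINFO_UNAVAIL` to `PAM_SUCCESS` for `SSS_PAM_ACCT_MGMT` along with the setcred and session calls, so while the backend is unreachable the account-management step reports success for checks (expiry, lock-out) that were never evaluated, and nothing in this hunk ties the override to a cached authentication having succeeded for the same login; the TODO acknowledges the missing session cookie but the code ships without that guard. Until the cookie exists it would be safer to keep `SSS_PAM_ACCT_MGMT` out of the list, or to condition the rewrite on whatever cached-credential result the responder has for this request, so that offline status only relaxes calls that carry no authorization decision. The override is also logged at `DEBUG(2, ...)` while the rest of these patches report status-affecting failures at level 1; raising it to 1 would make the offline fallback visible in normal logs. `pam_reply` begins and ends outside the hunk.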
@ -15,6 +15,8 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
|||||||
### Patches ###
|
### Patches ###
|
||||||
Patch1: 0001-Use-different-attribute-for-cached-passwords.patch
|
Patch1: 0001-Use-different-attribute-for-cached-passwords.patch
|
||||||
Patch2: 0001-Use-different-attribute-for-cached-passwords-change.patch
|
Patch2: 0001-Use-different-attribute-for-cached-passwords-change.patch
|
||||||
|
Patch3: 0001-enable-offline-handling-for-native-LDAP-backend.patch
|
||||||
|
Patch4: 0001-handle-other-pam-calls-when-offline.patch
|
||||||
|
|
||||||
### Dependencies ###
|
### Dependencies ###
|
||||||
|
|
||||||
@ -55,6 +57,8 @@ services for projects like FreeIPA.
|
|||||||
|
|
||||||
%patch1 -p 1 -b .pwd-attr
|
%patch1 -p 1 -b .pwd-attr
|
||||||
%patch2 -p 1 -b .pwd-cache-attr
|
%patch2 -p 1 -b .pwd-cache-attr
|
||||||
|
%patch3 -p 1 -b .ldap-offline
|
||||||
|
%patch4 -p 1 -b .pam-offline
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
|
||||||
@ -144,7 +148,7 @@ fi
|
|||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Apr 28 2009 Simo Sorce <ssorce@redhat.com> - 0.3.3-1
|
* Tue Apr 28 2009 Simo Sorce <ssorce@redhat.com> - 0.3.3-1
|
||||||
- Add patches to fix password caching
|
- Add patches to fix password caches when offline
|
||||||
|
|
||||||
* Mon Apr 27 2009 Simo Sorce <ssorce@redhat.com> - 0.3.3-0
|
* Mon Apr 27 2009 Simo Sorce <ssorce@redhat.com> - 0.3.3-0
|
||||||
- Version 0.3.3
|
- Version 0.3.3
|
||||||
|