From 3eed4c35576a51d22c302cc64d52bb9d09402a49 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Thu, 24 Mar 2011 15:17:41 -0400
Subject: [PATCH] Update to SSSD 1.5.4
Improve the way we detect the LDB plugin location
New upstream release 1.5.4
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4
Fixes for Active Directory when not all users and groups have POSIX attributes
Fixes for handling users and groups that have name aliases (aliases are ignored)
Fix group memberships after initgroups in the IPA provider
---
 .gitignore | 1 +
 ...e-of-GID-number-and-name-in-group-se.patch | 150 ------------------
 ...e-of-username-uid-and-gid-for-user-e.patch | 55 -------
 sources | 2 +-
 sssd.spec | 31 ++--
 5 files changed, 19 insertions(+), 220 deletions(-)
 delete mode 100644 0001-Require-existence-of-GID-number-and-name-in-group-se.patch
 delete mode 100644 0002-Require-existence-of-username-uid-and-gid-for-user-e.patch
diff --git a/.gitignore b/.gitignore
index 63d7b92..b9a7e6a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ sssd-1.2.91.tar.gz
 /sssd-1.5.1.tar.gz
 /sssd-1.5.2.tar.gz
 /sssd-1.5.3.tar.gz
+/sssd-1.5.4.tar.gz
diff --git a/0001-Require-existence-of-GID-number-and-name-in-group-se.patch b/0001-Require-existence-of-GID-number-and-name-in-group-se.patch
deleted file mode 100644
index d06bc39..0000000
--- a/0001-Require-existence-of-GID-number-and-name-in-group-se.patch
+++ /dev/null
@@ -1,150 +0,0 @@ -From 2c97299c19a71aa41eef3f3155c24347cf392615 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Fri, 11 Mar 2011 05:06:48 -0500 -Subject: [PATCH 1/2] Require existence of GID number and name in group searches - -https://fedorahosted.org/sssd/ticket/824 ---- - src/providers/ldap/ldap_id.c | 9 ++++++--- - src/providers/ldap/ldap_id_enum.c | 28 ++++++++++++++++------------ - src/providers/ldap/sdap_async_accounts.c | 30 ++++++++++++++++++++---------- - 3 files changed, 42 insertions(+), 25 deletions(-) - -diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c -index 9a234280082f7396eda4307e9e4bb4bd63b5615c..776df1ac2d9e983a792fbba0f6773c082898708d 100644 ---- a/src/providers/ldap/ldap_id.c -+++ b/src/providers/ldap/ldap_id.c -@@ -335,9 +335,12 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx, - goto fail; - } - -- state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))", -- attr_name, clean_name, -- ctx->opts->group_map[SDAP_OC_GROUP].name); -+ state->filter = -+ talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))", -+ attr_name, clean_name, -+ ctx->opts->group_map[SDAP_OC_GROUP].name, -+ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name, -+ ctx->opts->group_map[SDAP_AT_GROUP_GID].name); - if (!state->filter) { - DEBUG(2, ("Failed to build filter\n")); - ret = ENOMEM; -diff --git a/src/providers/ldap/ldap_id_enum.c b/src/providers/ldap/ldap_id_enum.c -index f47ee9fbe170bae0058a682a3a051df21cfbc0d6..42c2911926602bfc2e3a33a0af837d6e809ee68b 100644 ---- a/src/providers/ldap/ldap_id_enum.c -+++ b/src/providers/ldap/ldap_id_enum.c -@@ -546,19 +546,23 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx, - state->op = op; - - if (ctx->srv_opts && ctx->srv_opts->max_group_value && !purge) { -- state->filter = talloc_asprintf(state, -- "(&(%s=*)(objectclass=%s)(%s>=%s)(!(%s=%s)))", -- ctx->opts->group_map[SDAP_AT_GROUP_NAME].name, -- ctx->opts->group_map[SDAP_OC_GROUP].name, -- 
ctx->opts->group_map[SDAP_AT_GROUP_USN].name, -- ctx->srv_opts->max_group_value, -- ctx->opts->group_map[SDAP_AT_GROUP_USN].name, -- ctx->srv_opts->max_group_value); -+ state->filter = talloc_asprintf( -+ state, -+ "(&(objectclass=%s)(%s=*)(%s=*)(%s>=%s)(!(%s=%s)))", -+ ctx->opts->group_map[SDAP_OC_GROUP].name, -+ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name, -+ ctx->opts->group_map[SDAP_AT_GROUP_GID].name, -+ ctx->opts->group_map[SDAP_AT_GROUP_USN].name, -+ ctx->srv_opts->max_group_value, -+ ctx->opts->group_map[SDAP_AT_GROUP_USN].name, -+ ctx->srv_opts->max_group_value); - } else { -- state->filter = talloc_asprintf(state, -- "(&(%s=*)(objectclass=%s))", -- ctx->opts->group_map[SDAP_AT_GROUP_NAME].name, -- ctx->opts->group_map[SDAP_OC_GROUP].name); -+ state->filter = talloc_asprintf( -+ state, -+ "(&(objectclass=%s)(%s=*)(%s=*))", -+ ctx->opts->group_map[SDAP_OC_GROUP].name, -+ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name, -+ ctx->opts->group_map[SDAP_AT_GROUP_GID].name); - } - if (!state->filter) { - DEBUG(2, ("Failed to build filter\n")); -diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c -index 8e459598674d589c0cdfcece125c183f7c95bb4d..3fedf07da7fbdc9409f5360ba8301158a65014cd 100644 ---- a/src/providers/ldap/sdap_async_accounts.c -+++ b/src/providers/ldap/sdap_async_accounts.c -@@ -2007,10 +2007,12 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx, - return NULL; - } - -- filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))", -+ filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))", - opts->group_map[SDAP_AT_GROUP_MEMBER].name, - clean_name, -- opts->group_map[SDAP_OC_GROUP].name); -+ opts->group_map[SDAP_OC_GROUP].name, -+ opts->group_map[SDAP_AT_GROUP_NAME].name, -+ opts->group_map[SDAP_AT_GROUP_GID].name); - if (!filter) { - talloc_zfree(req); - return NULL; -@@ -2211,8 +2213,10 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx, - return NULL; - 
} - -- state->filter = talloc_asprintf(state, "(objectclass=%s)", -- opts->group_map[SDAP_OC_GROUP].name); -+ state->filter = talloc_asprintf(state, "(&(objectclass=%s)(%s=*)(%s=*))", -+ opts->group_map[SDAP_OC_GROUP].name, -+ opts->group_map[SDAP_AT_GROUP_NAME].name, -+ opts->group_map[SDAP_AT_GROUP_GID].name); - if (!state->filter) { - talloc_zfree(req); - return NULL; -@@ -3103,8 +3107,10 @@ static errno_t sdap_nested_group_lookup_group(struct tevent_req *req) - } - - filter = talloc_asprintf( -- sdap_attrs, "(objectclass=%s)", -- state->opts->group_map[SDAP_OC_GROUP].name); -+ sdap_attrs, "(&(objectclass=%s)(%s=*)(%s=*))", -+ state->opts->group_map[SDAP_OC_GROUP].name, -+ state->opts->group_map[SDAP_AT_GROUP_NAME].name, -+ state->opts->group_map[SDAP_AT_GROUP_GID].name); - if (!filter) { - talloc_free(sdap_attrs); - return ENOMEM; -@@ -3435,10 +3441,12 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send( - return NULL; - } - -- filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))", -+ filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))", - opts->group_map[SDAP_AT_GROUP_MEMBER].name, - clean_orig_dn, -- opts->group_map[SDAP_OC_GROUP].name); -+ opts->group_map[SDAP_OC_GROUP].name, -+ opts->group_map[SDAP_AT_GROUP_NAME].name, -+ opts->group_map[SDAP_AT_GROUP_GID].name); - if (!filter) { - talloc_zfree(req); - return NULL; -@@ -3839,10 +3847,12 @@ static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req) - } - - filter = talloc_asprintf( -- tmp_ctx, "(&(%s=%s)(objectclass=%s))", -+ tmp_ctx, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))", - state->opts->group_map[SDAP_AT_GROUP_MEMBER].name, - clean_orig_dn, -- state->opts->group_map[SDAP_OC_GROUP].name); -+ state->opts->group_map[SDAP_OC_GROUP].name, -+ state->opts->group_map[SDAP_AT_GROUP_NAME].name, -+ state->opts->group_map[SDAP_AT_GROUP_GID].name); - if (!filter) { - ret = ENOMEM; - goto error; --- -1.7.4 - 
diff --git a/0002-Require-existence-of-username-uid-and-gid-for-user-e.patch b/0002-Require-existence-of-username-uid-and-gid-for-user-e.patch
deleted file mode 100644
index fb0a554..0000000
--- a/0002-Require-existence-of-username-uid-and-gid-for-user-e.patch
+++ /dev/null
@@ -1,55 +0,0 @@ -From c6f9fcdbf62d616f9fc89b7695aa48fa4c8ebd80 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Mon, 14 Mar 2011 09:56:22 -0400 -Subject: [PATCH 2/2] Require existence of username, uid and gid for user enumeration - -We will ignore users that do not have these three values. ---- - src/providers/ldap/ldap_id_enum.c | 30 ++++++++++++++++++------------ - 1 files changed, 18 insertions(+), 12 deletions(-) - -diff --git a/src/providers/ldap/ldap_id_enum.c b/src/providers/ldap/ldap_id_enum.c -index 42c2911926602bfc2e3a33a0af837d6e809ee68b..6899b87c08b46c3c2b61fcd975ab14a4118cc918 100644 ---- a/src/providers/ldap/ldap_id_enum.c -+++ b/src/providers/ldap/ldap_id_enum.c -@@ -441,19 +441,25 @@ static struct tevent_req *enum_users_send(TALLOC_CTX *memctx, - state->op = op; - - if (ctx->srv_opts && ctx->srv_opts->max_user_value && !purge) { -- state->filter = talloc_asprintf(state, -- "(&(%s=*)(objectclass=%s)(%s>=%s)(!(%s=%s)))", -- ctx->opts->user_map[SDAP_AT_USER_NAME].name, -- ctx->opts->user_map[SDAP_OC_USER].name, -- ctx->opts->user_map[SDAP_AT_USER_USN].name, -- ctx->srv_opts->max_user_value, -- ctx->opts->user_map[SDAP_AT_USER_USN].name, -- ctx->srv_opts->max_user_value); -+ state->filter = talloc_asprintf( -+ state, -+ "(&(objectclass=%s)(%s=*)(%s=*)(%s=*)(%s>=%s)(!(%s=%s)))", -+ ctx->opts->user_map[SDAP_OC_USER].name, -+ ctx->opts->user_map[SDAP_AT_USER_NAME].name, -+ ctx->opts->user_map[SDAP_AT_USER_UID].name, -+ ctx->opts->user_map[SDAP_AT_USER_GID].name, -+ ctx->opts->user_map[SDAP_AT_USER_USN].name, -+ ctx->srv_opts->max_user_value, -+ ctx->opts->user_map[SDAP_AT_USER_USN].name, -+ ctx->srv_opts->max_user_value); - } else { -- state->filter = talloc_asprintf(state, -- "(&(%s=*)(objectclass=%s))", -- ctx->opts->user_map[SDAP_AT_USER_NAME].name, -- ctx->opts->user_map[SDAP_OC_USER].name); -+ state->filter = talloc_asprintf( -+ state, -+ "(&(objectclass=%s)(%s=*)(%s=*)(%s=*))", -+ ctx->opts->user_map[SDAP_OC_USER].name, -+ 
ctx->opts->user_map[SDAP_AT_USER_NAME].name,
-+ ctx->opts->user_map[SDAP_AT_USER_UID].name,
-+ ctx->opts->user_map[SDAP_AT_USER_GID].name);
- }
- if (!state->filter) {
- DEBUG(2, ("Failed to build filter\n"));
---
-1.7.4
-
diff --git a/sources b/sources
index 275db16..28b177a 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-0d1c73ef2cc60e44098410f20818dc1c sssd-1.5.3.tar.gz
+d1459f6e0d0a5246374f08e6ab24c7de sssd-1.5.4.tar.gz
diff --git a/sssd.spec b/sssd.spec
index 9d8c9dd..f3e2d7b 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -3,9 +3,13 @@
 %{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 %endif
+# Determine the location of the LDB modules directory
+%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
+%global ldb_version 1.0.2
+
 Name: sssd
-Version: 1.5.3
-Release: 2%{?dist}
+Version: 1.5.4
+Release: 1%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -14,12 +18,10 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 ### Patches ###
-Patch0001: 0001-Require-existence-of-GID-number-and-name-in-group-se.patch
-Patch0002: 0002-Require-existence-of-username-uid-and-gid-for-user-e.patch
 ### Dependencies ###
-Requires: libldb = 1.0.2
+Requires: libldb = %{ldb_version}
 Requires: libtdb >= 1.1.3
 Requires: sssd-client = %{version}-%{release}
 Requires: cyrus-sasl-gssapi
@@ -50,10 +52,7 @@ BuildRequires: popt-devel
 BuildRequires: libtalloc-devel
 BuildRequires: libtevent-devel
 BuildRequires: libtdb-devel
-BuildRequires: libldb-devel
-%if 0%{?fedora} >= 15
-BuildRequires: libldb-devel = 1.0.2
-%endif
+BuildRequires: libldb-devel = %{ldb_version}
 BuildRequires: libdhash-devel >= 0.4.2
 BuildRequires: libcollection-devel
 BuildRequires: libini_config-devel
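Review bot: `%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)` is evaluated on whatever host parses the spec, so outside the build chroot — building the SRPM, `rpm -q --specfile`, or any packaging tool that reads the spec before `libldb-devel` is installed — ldb.pc is absent, the macro expands to nothing, and the later `%{ldb_modulesdir}/memberof.so` entry in `%files` degrades to `/memberof.so`. pkg-config exits non-zero when the package is not found, so falling back to the previous hard-coded path keeps the expansion usable everywhere: `%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb 2>/dev/null || echo %{_libdir}/ldb/modules/ldb)`. The exact `BuildRequires: libldb-devel = %{ldb_version}` pin in the later hunk does guarantee the matching ldb.pc inside the chroot, so the effect is limited to out-of-chroot parsing, but the comment above the macro should say so, e.g. `# Evaluated at spec-parse time via pkg-config; falls back to the legacy path when ldb.pc is not installed`.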
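Review bot: Dropping the `%if 0%{?fedora} >= 15` guard makes the exact `BuildRequires: libldb-devel = %{ldb_version}` pin unconditional, whereas before it only applied on Fedora 15 and later and older targets got an unversioned `libldb-devel`. If this spec is still built anywhere that does not ship libldb-devel 1.0.2, dependency resolution now fails there; presumably this is intended, since the runtime `Requires: libldb = %{ldb_version}` has been unconditional all along, but the commit message only mentions the modules-directory change, so one sentence stating that the unconditional exact pin is deliberate would help the next maintainer.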
@@ -112,9 +111,6 @@ use with ldap_default_authtok_type = obfuscated_password.
 %prep
 %setup -q
-%patch0001 -p1
-%patch0002 -p1
-
 %build
 autoreconf -ivf
 %configure \
@@ -161,7 +157,7 @@ install -m644 src/examples/rwtab $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d/sssd
 rm -f \
 $RPM_BUILD_ROOT/%{_lib}/libnss_sss.la \
 $RPM_BUILD_ROOT/%{_lib}/security/pam_sss.la \
- $RPM_BUILD_ROOT/%{_libdir}/ldb/modules/ldb/memberof.la \
+ $RPM_BUILD_ROOT/%{ldb_modulesdir}/memberof.la \
 $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ldap.la \
 $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la \
 $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_krb5.la \
@@ -201,7 +197,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_sbindir}/sssd
 %{_libexecdir}/%{servicename}/
 %{_libdir}/%{name}/
-%{_libdir}/ldb/modules/ldb/memberof.so
+%{ldb_modulesdir}/memberof.so
 %dir %{sssdstatedir}
 %attr(700,root,root) %dir %{dbpath}
 %attr(755,root,root) %dir %{pipepath}
@@ -274,6 +270,13 @@ fi
 %postun client -p /sbin/ldconfig
 %changelog
+* Thu Mar 24 2011 Stephen Gallagher - 1.5.4-1
+- New upstream release 1.5.4
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4
+- Fixes for Active Directory when not all users and groups have POSIX attributes
+- Fixes for handling users and groups that have name aliases (aliases are ignored)
+- Fix group memberships after initgroups in the IPA provider
+
 * Thu Mar 17 2011 Stephen Gallagher - 1.5.3-2
 - Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication