- Log startup errors to the syslog

- Allow cache cleanup to be disabled in sssd.conf
2010-11-16 12:48:57 -05:00 · 2010-11-16 12:48:57 -05:00 · 4e1de07cd8
parent 9d5bcde0eb
commit 4e1de07cd8
5 changed files with 139 additions and 64 deletions
--- a/0001-Log-startup-errors-to-syslog.patch
+++ b/0001-Log-startup-errors-to-syslog.patch
@ -0,0 +1,56 @@
+From 57736f3037984574b42b72fef7ae14fa2bce35b0 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Wed, 10 Nov 2010 11:04:31 -0500
+Subject: [PATCH 1/2] Log startup errors to syslog
+
+---
+ src/monitor/monitor.c |   16 +++++++++-------
+ 1 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
+index 1c2a058e5a8d684798dcb2ea461199467c73f407..6479f7a9fd5877e7b5baaaee4f3f92001506d730 100644
+--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
+@@ -2167,7 +2167,7 @@ int main(int argc, const char *argv[])
+     uid = getuid();
+     if (uid != 0) {
+         DEBUG(1, ("Running under %d, must be root\n", uid));
+-        ERROR("sssd must be run as root\n");
+        sss_log(SSS_LOG_ALERT, "sssd must be run as root");
+         return 8;
+     }
+ 
+@@ -2202,9 +2202,10 @@ int main(int argc, const char *argv[])
+     ret = check_file(NSCD_SOCKET_PATH, -1, -1, -1, CHECK_SOCK, NULL);
+     if (ret == EOK) {
+         DEBUG(0, ("WARNING: nscd appears to be running\n"));
+-        ERROR("nscd socket was detected.  As nscd caching capabilities "
+-              "may conflict with SSSD, it is recommended to not run "
+-              "nscd in parallel with SSSD\n");
+        sss_log(SSS_LOG_NOTICE,
+                "nscd socket was detected.  As nscd caching capabilities "
+                "may conflict with SSSD, it is recommended to not run "
+                "nscd in parallel with SSSD");
+     }
+ 
+     /* Parse config file, fail if cannot be done */
+@@ -2212,12 +2213,13 @@ int main(int argc, const char *argv[])
+     if (ret != EOK) {
+         if (ret == EPERM) {
+             DEBUG(1, ("Cannot read configuration file %s\n", config_file));
+-            ERROR("Cannot read config file %s, please check if permissions "
+-                  "are 0600 and the file is owned by root.root\n", config_file);
+            sss_log(SSS_LOG_ALERT,
+                    "Cannot read config file %s, please check if permissions "
+                    "are 0600 and the file is owned by root.root", config_file);
+         } else {
+             DEBUG(1, ("Error loading configuration database: [%d]: %s",
+                       ret, strerror(ret)));
+-            ERROR("Cannot load configuration database\n");
+            sss_log(SSS_LOG_ALERT, "Cannot load configuration database");
+         }
+         return 4;
+     }
+-- 
+1.7.3.2
+
--- a/0001-Treat-a-zero-length-password-as-a-failure.patch
+++ b/0001-Treat-a-zero-length-password-as-a-failure.patch
@ -1,32 +0,0 @@
-From 8eeb47279a5a4559d9d7f911250d6164ab120897 Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Wed, 18 Aug 2010 12:57:43 -0400
-Subject: [PATCH 9/9] Treat a zero-length password as a failure
-
-Some LDAP servers allow binding with blank passwords. We should
-not allow a blank password to authenticate the SSSD.
---
- src/providers/ldap/ldap_auth.c |    7 +++++++
- 1 files changed, 7 insertions(+), 0 deletions(-)
-
-diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
-index b05e3075ce117fad17b87ffde257c80fc035b8c4..1a959d4cc45980fe5dd12db3460cc23f341466fd 100644
--- a/src/providers/ldap/ldap_auth.c
-+++ b/src/providers/ldap/ldap_auth.c
-@@ -557,6 +557,13 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
-     req = tevent_req_create(memctx, &state, struct auth_state);
-     if (!req) return NULL;
- 
-+    /* Treat a zero-length password as a failure */
-+    if (password.length == 0) {
-+        state->result = SDAP_AUTH_FAILED;
-+        tevent_req_done(req);
-+        return tevent_req_post(req, ev);
-+    }
-+
-     state->ev = ev;
-     state->ctx = ctx;
-     state->username = username;
-- 
-1.7.2.1
-
--- a/0002-Properly-document-ldap_purge_cache_timeout.patch
+++ b/0002-Properly-document-ldap_purge_cache_timeout.patch
@ -0,0 +1,72 @@
+From 4f8400f86d33d0f64adccb71c8190ad33db2770a Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Tue, 2 Nov 2010 07:46:13 -0400
+Subject: [PATCH 2/2] Properly document ldap_purge_cache_timeout
+
+Also allow it to be disabled entirely
+---
+ src/man/sssd-ldap.5.xml          |   19 +++++++++++++++++++
+ src/providers/ldap/ldap_common.c |   10 +++++++++-
+ 2 files changed, 28 insertions(+), 1 deletions(-)
+
+diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
+index 87d388ade2b9b3613a18eb70e079b1266e940a14..64f216f5f5092a23635b9c4f96dbb133b309e556 100644
+--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
+@@ -447,6 +447,25 @@
+                 </varlistentry>
+ 
+                 <varlistentry>
+                    <term>ldap_purge_cache_timeout</term>
+                    <listitem>
+                        <para>
+                            Determine how often to check the cache for
+                            inactive entries (such as groups with no
+                            members and users who have never logged in) and
+                            remove them to save space.
+                        </para>
+                        <para>
+                            Setting this option to zero will disable the
+                            cache cleanup operation.
+                        </para>
+                        <para>
+                            Default: 10800 (12 hours)
+                        </para>
+                    </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                     <term>ldap_user_fullname (string)</term>
+                     <listitem>
+                         <para>
+diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
+index ea5f957076675b4b8210917a928761e68088d485..c074098d6574078a6ec0e80851a1b02a51f5b0e1 100644
+--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
+@@ -397,6 +397,7 @@ int sdap_id_setup_tasks(struct sdap_id_ctx *ctx)
+ {
+     struct timeval tv;
+     int ret = EOK;
+    int delay;
+ 
+     /* set up enumeration task */
+     if (ctx->be->domain->enumerate) {
+@@ -406,7 +407,14 @@ int sdap_id_setup_tasks(struct sdap_id_ctx *ctx)
+         ret = ldap_id_enumerate_set_timer(ctx, tv);
+     } else {
+         /* the enumeration task, runs the cleanup process by itself,
+-         * but if enumeration is not runnig we need to schedule it */
+         * but if enumeration is not running we need to schedule it */
+        delay = dp_opt_get_int(ctx->opts->basic, SDAP_CACHE_PURGE_TIMEOUT);
+        if (delay == 0) {
+            /* Cleanup has been explicitly disabled, so we won't
+             * schedule any cleanup tasks.
+             */
+            return EOK;
+        }
+ 
+         /* run the first one in a couple of seconds so that we have time to
+          * finish initializations first*/
+-- 
+1.7.3.2
+
--- a/0002-Return-offline-instead-of-error.patch
+++ b/0002-Return-offline-instead-of-error.patch
@ -1,31 +0,0 @@
-From f1e22670eaaa7c881593924896acc84ecc131872 Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Fri, 1 Oct 2010 12:34:54 -0400
-Subject: [PATCH] Return offline instead of error
-
-When the failover code returns that there are no available servers
-while we are marked offline, we were returning an error to the PAM
-authentication code. Instead, we should return success with a
-result value of SDAP_UNAVAIL so that the PAM responder will mark
-the domain offline and attempt offline authentication.
---
- src/providers/ldap/ldap_auth.c |    3 ++-
- 1 files changed, 2 insertions(+), 1 deletions(-)
-
-diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
-index d01449262c39865ffc4916c8d7dd8b6874cd4a02..0ea86f3e34db0cd5bab83ecff80859f495b234e2 100644
--- a/src/providers/ldap/ldap_auth.c
-+++ b/src/providers/ldap/ldap_auth.c
-@@ -567,7 +567,8 @@ static void auth_resolve_done(struct tevent_req *subreq)
-     if (ret) {
-         /* all servers have been tried and none
-          * was found good, go offline */
-        tevent_req_error(req, EIO);
-+        state->result = SDAP_UNAVAIL;
-+        tevent_req_done(req);
-         return;
-     }
- 
-- 
-1.7.2.3
-
--- a/sssd.spec
+++ b/sssd.spec
@ -5,7 +5,7 @@

 Name: sssd
 Version: 1.4.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@ -15,6 +15,9 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

 ### Patches ###

+Patch0001: 0001-Log-startup-errors-to-syslog.patch
+Patch0002: 0002-Properly-document-ldap_purge_cache_timeout.patch
+
 ### Dependencies ###

 Requires: libldb >= 0.9.3
@ -93,6 +96,9 @@ service.
 %prep
 %setup -q

+%patch0001 -p1
+%patch0002 -p1
+
 %build
 %configure \
    --with-db-path=%{dbpath} \
@ -233,6 +239,10 @@ fi
 %postun client -p /sbin/ldconfig

 %changelog
+* Tue Nov 16 2010 Stephen Gallagher <sgallagh@redhat.com> - 1.4.1-2
+- Log startup errors to the syslog
+- Allow cache cleanup to be disabled in sssd.conf
+
 * Mon Nov 01 2010 Stephen Gallagher <sgallagh@redhat.com> - 1.4.1-1
 - New upstream release 1.4.1
 - Add support for netgroups to the proxy provider