From 4e1de07cd887679ffbbe837df90346bbbf7015df Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Tue, 16 Nov 2010 12:48:57 -0500
Subject: [PATCH] - Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf
---
 0001-Log-startup-errors-to-syslog.patch | 56 +++++++++++++++
 ...-a-zero-length-password-as-a-failure.patch | 32 ---------
 ...ly-document-ldap_purge_cache_timeout.patch | 72 +++++++++++++++++++
 0002-Return-offline-instead-of-error.patch | 31 --------
 sssd.spec | 12 +++-
 5 files changed, 139 insertions(+), 64 deletions(-)
 create mode 100644 0001-Log-startup-errors-to-syslog.patch
 delete mode 100644 0001-Treat-a-zero-length-password-as-a-failure.patch
 create mode 100644 0002-Properly-document-ldap_purge_cache_timeout.patch
 delete mode 100644 0002-Return-offline-instead-of-error.patch
diff --git a/0001-Log-startup-errors-to-syslog.patch b/0001-Log-startup-errors-to-syslog.patch
new file mode 100644
index 0000000..17a4da6
--- /dev/null
+++ b/0001-Log-startup-errors-to-syslog.patch
@@ -0,0 +1,56 @@
+From 57736f3037984574b42b72fef7ae14fa2bce35b0 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Wed, 10 Nov 2010 11:04:31 -0500
+Subject: [PATCH 1/2] Log startup errors to syslog
+
+---
+ src/monitor/monitor.c | 16 +++++++-------
+ 1 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
+index 1c2a058e5a8d684798dcb2ea461199467c73f407..6479f7a9fd5877e7b5baaaee4f3f92001506d730 100644
+--- a/src/monitor/monitor.c
++++ b/src/monitor/monitor.c
+@@ -2167,7 +2167,7 @@ int main(int argc, const char *argv[])
+ uid = getuid();
+ if (uid != 0) {
+ DEBUG(1, ("Running under %d, must be root\n", uid));
+- ERROR("sssd must be run as root\n");
++ sss_log(SSS_LOG_ALERT, "sssd must be run as root");
+ return 8;
+ }
+
+@@ -2202,9 +2202,10 @@ int main(int argc, const char *argv[])
+ ret = check_file(NSCD_SOCKET_PATH, -1, -1, -1, CHECK_SOCK, NULL);
+ if (ret == EOK) {
+ DEBUG(0, ("WARNING: nscd appears to be running\n"));
+- ERROR("nscd socket was detected. As nscd caching capabilities "
+- "may conflict with SSSD, it is recommended to not run "
+- "nscd in parallel with SSSD\n");
++ sss_log(SSS_LOG_NOTICE,
++ "nscd socket was detected. 
As nscd caching capabilities "
++ "may conflict with SSSD, it is recommended to not run "
++ "nscd in parallel with SSSD");
+ }
+
+ /* Parse config file, fail if cannot be done */
+@@ -2212,12 +2213,13 @@ int main(int argc, const char *argv[])
+ if (ret != EOK) {
+ if (ret == EPERM) {
+ DEBUG(1, ("Cannot read configuration file %s\n", config_file));
+- ERROR("Cannot read config file %s, please check if permissions "
+- "are 0600 and the file is owned by root.root\n", config_file);
++ sss_log(SSS_LOG_ALERT,
++ "Cannot read config file %s, please check if permissions "
++ "are 0600 and the file is owned by root.root", config_file);
+ } else {
+ DEBUG(1, ("Error loading configuration database: [%d]: %s",
+ ret, strerror(ret)));
+- ERROR("Cannot load configuration database\n");
++ sss_log(SSS_LOG_ALERT, "Cannot load configuration database");
+ }
+ return 4;
+ }
+--
+1.7.3.2
+
diff --git a/0001-Treat-a-zero-length-password-as-a-failure.patch b/0001-Treat-a-zero-length-password-as-a-failure.patch
deleted file mode 100644
index 24c1570..0000000
--- a/0001-Treat-a-zero-length-password-as-a-failure.patch
+++ /dev/null
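Review bot: The three fatal startup diagnostics in main() (not root, unreadable config, unloadable config) now reach syslog only, because each ERROR() call is replaced rather than supplemented; if ERROR() is the stderr path, as its name and the dropped trailing `\n` suggest, an administrator starting sssd by hand no longer sees why it exited with status 8 or 4. Consider keeping both, e.g. `sss_log(SSS_LOG_ALERT, "sssd must be run as root"); ERROR("sssd must be run as root\n");`, or confirming that sss_log() also echoes to stderr while the daemon is still attached to a terminal. SSS_LOG_ALERT (syslog's "action must be taken immediately") is also a strong level for a misconfiguration that merely stops startup; SSS_LOG_CRIT or SSS_LOG_ERR would match usual syslog practice better, assuming those levels exist in the sss_log level enum. main() starts and ends outside the hunk.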
@@ -1,32 +0,0 @@
-From 8eeb47279a5a4559d9d7f911250d6164ab120897 Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher
-Date: Wed, 18 Aug 2010 12:57:43 -0400
-Subject: [PATCH 9/9] Treat a zero-length password as a failure
-
-Some LDAP servers allow binding with blank passwords. We should
-not allow a blank password to authenticate the SSSD.
----
- src/providers/ldap/ldap_auth.c | 7 +++++++
- 1 files changed, 7 insertions(+), 0 deletions(-)
-
-diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
-index b05e3075ce117fad17b87ffde257c80fc035b8c4..1a959d4cc45980fe5dd12db3460cc23f341466fd 100644
---- a/src/providers/ldap/ldap_auth.c
-+++ b/src/providers/ldap/ldap_auth.c
-@@ -557,6 +557,13 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
- req = tevent_req_create(memctx, &state, struct auth_state);
- if (!req) return NULL;
-
-+ /* Treat a zero-length password as a failure */
-+ if (password.length == 0) {
-+ state->result = SDAP_AUTH_FAILED;
-+ tevent_req_done(req);
-+ return tevent_req_post(req, ev);
-+ }
-+
- state->ev = ev;
- state->ctx = ctx;
- state->username = username;
---
-1.7.2.1
-
diff --git a/0002-Properly-document-ldap_purge_cache_timeout.patch b/0002-Properly-document-ldap_purge_cache_timeout.patch
new file mode 100644
index 0000000..fc1dc8c
--- /dev/null
+++ b/0002-Properly-document-ldap_purge_cache_timeout.patch
@@ -0,0 +1,72 @@
+From 4f8400f86d33d0f64adccb71c8190ad33db2770a Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Tue, 2 Nov 2010 07:46:13 -0400
+Subject: [PATCH 2/2] Properly document ldap_purge_cache_timeout
+
+Also allow it to be disabled entirely
+---
+ src/man/sssd-ldap.5.xml | 19 +++++++++++++++++++
+ src/providers/ldap/ldap_common.c | 10 +++++++++-
+ 2 files changed, 28 insertions(+), 1 deletions(-)
+
+diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
+index 87d388ade2b9b3613a18eb70e079b1266e940a14..64f216f5f5092a23635b9c4f96dbb133b309e556 100644
+--- a/src/man/sssd-ldap.5.xml
++++ b/src/man/sssd-ldap.5.xml
+@@ -447,6 +447,25 @@
+
+
+
++ ldap_purge_cache_timeout
++
++
++ Determine how often to check the cache for
++ inactive entries (such as groups with no
++ members and users who have never logged in) and
++ remove them to save space.
++
++
++ Setting this option to zero will disable the
++ cache cleanup operation.
++
++
++ Default: 10800 (12 hours)
++
++
++
++
++
+ ldap_user_fullname (string)
+
+
+diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
+index ea5f957076675b4b8210917a928761e68088d485..c074098d6574078a6ec0e80851a1b02a51f5b0e1 100644
+--- a/src/providers/ldap/ldap_common.c
++++ b/src/providers/ldap/ldap_common.c
+@@ -397,6 +397,7 @@ int sdap_id_setup_tasks(struct sdap_id_ctx *ctx)
+ {
+ struct timeval tv;
+ int ret = EOK;
++ int delay;
+
+ /* set up enumeration task */
+ if (ctx->be->domain->enumerate) {
+@@ -406,7 +407,14 @@ int sdap_id_setup_tasks(struct sdap_id_ctx *ctx)
+ ret = ldap_id_enumerate_set_timer(ctx, tv);
+ } else {
+ /* the enumeration task, runs the cleanup process by itself,
+- * but if enumeration is not runnig we need to schedule it */
++ * but if enumeration is not running we need to schedule it */
++ delay = dp_opt_get_int(ctx->opts->basic, SDAP_CACHE_PURGE_TIMEOUT);
++ if (delay == 0) {
++ /* Cleanup has been explicitly disabled, so we won't
++ * schedule any cleanup tasks. 
++ */
++ return EOK;
++ }
+
+ /* run the first one in a couple of seconds so that we have time to
+ * finish initializations first*/
+--
+1.7.3.2
+
diff --git a/0002-Return-offline-instead-of-error.patch b/0002-Return-offline-instead-of-error.patch
deleted file mode 100644
index 44ce53d..0000000
--- a/0002-Return-offline-instead-of-error.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From f1e22670eaaa7c881593924896acc84ecc131872 Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher
-Date: Fri, 1 Oct 2010 12:34:54 -0400
-Subject: [PATCH] Return offline instead of error
-
-When the failover code returns that there are no available servers
-while we are marked offline, we were returning an error to the PAM
-authentication code. Instead, we should return success with a
-result value of SDAP_UNAVAIL so that the PAM responder will mark
-the domain offline and attempt offline authentication.
----
- src/providers/ldap/ldap_auth.c | 3 ++-
- 1 files changed, 2 insertions(+), 1 deletions(-)
-
-diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
-index d01449262c39865ffc4916c8d7dd8b6874cd4a02..0ea86f3e34db0cd5bab83ecff80859f495b234e2 100644
---- a/src/providers/ldap/ldap_auth.c
-+++ b/src/providers/ldap/ldap_auth.c
-@@ -567,7 +567,8 @@ static void auth_resolve_done(struct tevent_req *subreq)
- if (ret) {
- /* all servers have been tried and none
- * was found good, go offline */
-- tevent_req_error(req, EIO);
-+ state->result = SDAP_UNAVAIL;
-+ tevent_req_done(req);
- return;
- }
-
---
-1.7.2.3
-
diff --git a/sssd.spec b/sssd.spec
index 3e5578c..c1b757c 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -5,7 +5,7 @@
 Name: sssd
 Version: 1.4.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
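Review bot: The man-page text added in the src/man/sssd-ldap.5.xml part of this hunk says `Default: 10800 (12 hours)`, but 10800 seconds is 3 hours (12 hours would be 43200), so one of the two numbers is wrong and should be checked against the option's actual default before this ships. The new zero check in sdap_id_setup_tasks() sits only in the else branch; the adjacent comment says cleanup is run by the enumeration task itself, so with enumerate enabled `ldap_purge_cache_timeout = 0` may not disable cleanup at all, contrary to the man page's "will disable the cache cleanup operation" — either honour it in the enumeration path too or document the limitation. A negative value also falls through to the scheduling code below the hunk unchecked; a guard such as `if (delay < 0) { DEBUG(1, ("Invalid ldap_purge_cache_timeout [%d]\n", delay)); return EINVAL; }` would be safer than handing it to the timer. Since disabling cleanup means entries for accounts removed from the directory can stay in the local cache indefinitely, a sentence saying so in the man page would help administrators weigh the option. sdap_id_setup_tasks() continues outside the hunk.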
@@ -15,6 +15,9 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 ### Patches ###
+Patch0001: 0001-Log-startup-errors-to-syslog.patch
+Patch0002: 0002-Properly-document-ldap_purge_cache_timeout.patch
+
 ### Dependencies ###
 Requires: libldb >= 0.9.3
@@ -93,6 +96,9 @@ service.
 %prep
 %setup -q
+%patch0001 -p1
+%patch0002 -p1
+
 %build
 %configure \
 --with-db-path=%{dbpath} \
@@ -233,6 +239,10 @@ fi
 %postun client -p /sbin/ldconfig
 %changelog
+* Tue Nov 16 2010 Stephen Gallagher - 1.4.1-2
+- Log startup errors to the syslog
+- Allow cache cleanup to be disabled in sssd.conf
+
 * Mon Nov 01 2010 Stephen Gallagher - 1.4.1-1
 - New upstream release 1.4.1
 - Add support for netgroups to the proxy provider