- Log startup errors to the syslog

- Allow cache cleanup to be disabled in sssd.conf
This commit is contained in:
Stephen Gallagher 2010-11-16 12:48:57 -05:00
parent 9d5bcde0eb
commit 4e1de07cd8
5 changed files with 139 additions and 64 deletions

View File

@ -0,0 +1,56 @@
From 57736f3037984574b42b72fef7ae14fa2bce35b0 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 10 Nov 2010 11:04:31 -0500
Subject: [PATCH 1/2] Log startup errors to syslog
---
src/monitor/monitor.c | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 1c2a058e5a8d684798dcb2ea461199467c73f407..6479f7a9fd5877e7b5baaaee4f3f92001506d730 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -2167,7 +2167,7 @@ int main(int argc, const char *argv[])
uid = getuid();
if (uid != 0) {
DEBUG(1, ("Running under %d, must be root\n", uid));
- ERROR("sssd must be run as root\n");
+ sss_log(SSS_LOG_ALERT, "sssd must be run as root");
return 8;
}
@@ -2202,9 +2202,10 @@ int main(int argc, const char *argv[])
ret = check_file(NSCD_SOCKET_PATH, -1, -1, -1, CHECK_SOCK, NULL);
if (ret == EOK) {
DEBUG(0, ("WARNING: nscd appears to be running\n"));
- ERROR("nscd socket was detected. As nscd caching capabilities "
- "may conflict with SSSD, it is recommended to not run "
- "nscd in parallel with SSSD\n");
+ sss_log(SSS_LOG_NOTICE,
+ "nscd socket was detected. As nscd caching capabilities "
+ "may conflict with SSSD, it is recommended to not run "
+ "nscd in parallel with SSSD");
}
/* Parse config file, fail if cannot be done */
@@ -2212,12 +2213,13 @@ int main(int argc, const char *argv[])
if (ret != EOK) {
if (ret == EPERM) {
DEBUG(1, ("Cannot read configuration file %s\n", config_file));
- ERROR("Cannot read config file %s, please check if permissions "
- "are 0600 and the file is owned by root.root\n", config_file);
+ sss_log(SSS_LOG_ALERT,
+ "Cannot read config file %s, please check if permissions "
+ "are 0600 and the file is owned by root.root", config_file);
} else {
DEBUG(1, ("Error loading configuration database: [%d]: %s",
ret, strerror(ret)));
- ERROR("Cannot load configuration database\n");
+ sss_log(SSS_LOG_ALERT, "Cannot load configuration database");
}
return 4;
}
--
1.7.3.2

View File

@ -1,32 +0,0 @@
From 8eeb47279a5a4559d9d7f911250d6164ab120897 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 18 Aug 2010 12:57:43 -0400
Subject: [PATCH 9/9] Treat a zero-length password as a failure
Some LDAP servers allow binding with blank passwords. We should
not allow a blank password to authenticate the SSSD.
---
src/providers/ldap/ldap_auth.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index b05e3075ce117fad17b87ffde257c80fc035b8c4..1a959d4cc45980fe5dd12db3460cc23f341466fd 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -557,6 +557,13 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
req = tevent_req_create(memctx, &state, struct auth_state);
if (!req) return NULL;
+ /* Treat a zero-length password as a failure */
+ if (password.length == 0) {
+ state->result = SDAP_AUTH_FAILED;
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
state->ev = ev;
state->ctx = ctx;
state->username = username;
--
1.7.2.1

View File

@ -0,0 +1,72 @@
From 4f8400f86d33d0f64adccb71c8190ad33db2770a Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 2 Nov 2010 07:46:13 -0400
Subject: [PATCH 2/2] Properly document ldap_purge_cache_timeout
Also allow it to be disabled entirely
---
src/man/sssd-ldap.5.xml | 19 +++++++++++++++++++
src/providers/ldap/ldap_common.c | 10 +++++++++-
2 files changed, 28 insertions(+), 1 deletions(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 87d388ade2b9b3613a18eb70e079b1266e940a14..64f216f5f5092a23635b9c4f96dbb133b309e556 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -447,6 +447,25 @@
</varlistentry>
<varlistentry>
+ <term>ldap_purge_cache_timeout</term>
+ <listitem>
+ <para>
+ Determine how often to check the cache for
+ inactive entries (such as groups with no
+ members and users who have never logged in) and
+ remove them to save space.
+ </para>
+ <para>
+ Setting this option to zero will disable the
+ cache cleanup operation.
+ </para>
+ <para>
+ Default: 10800 (12 hours)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_user_fullname (string)</term>
<listitem>
<para>
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index ea5f957076675b4b8210917a928761e68088d485..c074098d6574078a6ec0e80851a1b02a51f5b0e1 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -397,6 +397,7 @@ int sdap_id_setup_tasks(struct sdap_id_ctx *ctx)
{
struct timeval tv;
int ret = EOK;
+ int delay;
/* set up enumeration task */
if (ctx->be->domain->enumerate) {
@@ -406,7 +407,14 @@ int sdap_id_setup_tasks(struct sdap_id_ctx *ctx)
ret = ldap_id_enumerate_set_timer(ctx, tv);
} else {
/* the enumeration task, runs the cleanup process by itself,
- * but if enumeration is not runnig we need to schedule it */
+ * but if enumeration is not running we need to schedule it */
+ delay = dp_opt_get_int(ctx->opts->basic, SDAP_CACHE_PURGE_TIMEOUT);
+ if (delay == 0) {
+ /* Cleanup has been explicitly disabled, so we won't
+ * schedule any cleanup tasks.
+ */
+ return EOK;
+ }
/* run the first one in a couple of seconds so that we have time to
* finish initializations first*/
--
1.7.3.2

View File

@ -1,31 +0,0 @@
From f1e22670eaaa7c881593924896acc84ecc131872 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Fri, 1 Oct 2010 12:34:54 -0400
Subject: [PATCH] Return offline instead of error
When the failover code returns that there are no available servers
while we are marked offline, we were returning an error to the PAM
authentication code. Instead, we should return success with a
result value of SDAP_UNAVAIL so that the PAM responder will mark
the domain offline and attempt offline authentication.
---
src/providers/ldap/ldap_auth.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index d01449262c39865ffc4916c8d7dd8b6874cd4a02..0ea86f3e34db0cd5bab83ecff80859f495b234e2 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -567,7 +567,8 @@ static void auth_resolve_done(struct tevent_req *subreq)
if (ret) {
/* all servers have been tried and none
* was found good, go offline */
- tevent_req_error(req, EIO);
+ state->result = SDAP_UNAVAIL;
+ tevent_req_done(req);
return;
}
--
1.7.2.3

View File

@ -5,7 +5,7 @@
Name: sssd Name: sssd
Version: 1.4.1 Version: 1.4.1
Release: 1%{?dist} Release: 2%{?dist}
Group: Applications/System Group: Applications/System
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPLv3+ License: GPLv3+
@ -15,6 +15,9 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ### ### Patches ###
Patch0001: 0001-Log-startup-errors-to-syslog.patch
Patch0002: 0002-Properly-document-ldap_purge_cache_timeout.patch
### Dependencies ### ### Dependencies ###
Requires: libldb >= 0.9.3 Requires: libldb >= 0.9.3
@ -93,6 +96,9 @@ service.
%prep %prep
%setup -q %setup -q
%patch0001 -p1
%patch0002 -p1
%build %build
%configure \ %configure \
--with-db-path=%{dbpath} \ --with-db-path=%{dbpath} \
@ -233,6 +239,10 @@ fi
%postun client -p /sbin/ldconfig %postun client -p /sbin/ldconfig
%changelog %changelog
* Tue Nov 16 2010 Stephen Gallagher <sgallagh@redhat.com> - 1.4.1-2
- Log startup errors to the syslog
- Allow cache cleanup to be disabled in sssd.conf
* Mon Nov 01 2010 Stephen Gallagher <sgallagh@redhat.com> - 1.4.1-1 * Mon Nov 01 2010 Stephen Gallagher <sgallagh@redhat.com> - 1.4.1-1
- New upstream release 1.4.1 - New upstream release 1.4.1
- Add support for netgroups to the proxy provider - Add support for netgroups to the proxy provider