diff --git a/.cvsignore b/.cvsignore
index 4ba448b..3a9cec3 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-sssd-0.5.0.tar.gz
+sssd-0.6.0.tar.gz
diff --git a/sources b/sources
index 76326f4..1149dcd 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-7566dcac75e7248ca99b4dd0bb49c1ee sssd-0.5.0.tar.gz
+2a2e118d9f29dda15dd4b8202b9cac62 sssd-0.6.0.tar.gz
diff --git a/sssd.conf.default b/sssd.conf.default
index 1eaed3d..522948e 100644
--- a/sssd.conf.default
+++ b/sssd.conf.default
@@ -1,90 +1,57 @@ -[services] -description = Local Service Configuration -activeServices = nss, dp, pam - -[services/nss] -description = NSS Responder Configuration -# the following prevents sssd for searching for the root user/group in -# all domains (you can add here a comma separated list of system accounts are -# always going to be /etc/passwd users, or that you want to filter out) -filterGroups = root -filterUsers = root - -[services/dp] -description = Data Provider Configuration - -[services/pam] -description = PAM Responder Configuration - -[services/monitor] -description = Service Monitor Configuration -#if a backend is particularly slow you can raise this timeout here -sbusTimeout = 30 - -[domains] -description = Domains served by SSSD +[sssd] +config_file_version = 2 +# Number of times services should attempt to reconnect in the +# event of a crash or restart before they give up +reconnection_retries = 3 +# if a backend is particularly slow you can raise this timeout here +sbus_timeout = 30 +services = nss, dp, pam ; domains = LOCAL,LDAP - # SSSD will not start if you don't configure any domain. -# Add new domains condifgurations as [domains/] sections. +# Add new domains condifgurations as [domain/] sections. # Then add the list of domains (in the order you want them to be # queried in the 'domains" attribute above and uncomment it -# Example LOCAL domain that proxies to /etc/passwd and /etc/group files -# This configuration is meant mostly as a migration path to be able to store -# additional information about users while still keeping /etc/passwd -# authoritative. 
-; [domains/LOCAL] -; description = LOCAL migration domain -; enumerate = 3 -; minId = 500 -; magicPrivateGroups = FALSE -; legacy = TRUE -; -; provider = proxy -; libName = files -; libPath = libnss_files.so.2 +[nss] +# the following prevents sssd for searching for the root user/group in +# all domains (you can add here a comma separated list of system accounts are +# always going to be /etc/passwd users, or that you want to filter out) +filter_groups = root +filter_users = root +reconnection_retries = 3 -# optionally a file named sssdproxylocal can be place in pam.d configured to -# check pam_unix only and pam_sss can be used in the normal pam stack -; auth-module = proxy -; pam-target = sssdproxylocal +# The EntryCacheTimeout indicates the number of seconds to retain before +# an entry in cache is considered stale and must block to refresh. +# The EntryCacheNoWaitRefreshTimeout indicates the number of seconds to +# wait before updating the cache out-of-band. (NSS requests will still +# be returned from cache until the full EntryCacheTimeout). Setting this +# value to 0 turns this feature off (default) +; entry_cache_timeout = 600 +; entry_cache_nowait_timeout = 300 + +[pam] +reconnection_retries = 3 + +[dp] +reconnection_retries = 3 # Example LOCAL domain that stores all users natively in the SSSD internal # directory. These local users and groups are not visibile in /etc/passwd, it # now contains only root and system accounts. - -; [domains/LOCAL] +; [domain/LOCAL] ; description = LOCAL Users domain -; enumerate = 3 -; minId = 500 -; maxId = 999 -; legacy = FALSE -; magicPrivateGroups = TRUE -; provider = local +; id_provider = local +; enumerate = true +; min_id = 500 +; max_id = 999 -# Example LDAP domain that uses the proxy backend and the standard nss_ldap -# and pam_ldap modules (Useful until we have good working native ldap backends). 
-# For this to work the /etc/ldap.conf file needs to be correctly configured just -# like you would do when using nss_ldap in nsswitch.conf, but instead of setting -# passwd: files ldap, set passwd: files, sss instead there. -# Also consider using the following setting in /etc/ldap.conf to avoid needless -# delays if the ldap server is offline: -# timelimit 10 -# bind_timelimit 5 -# nss_reconnect_maxsleeptime 2 -# nss_reconnect_sleeptime 1 - -; [domains/LDAP] -; description = Proxy request to our LDAP server -; enumerate = 0 -; minId = 1000 -; legacy = TRUE -; -; provider = proxy -; libName = ldap -; libPath = libnss_ldap.so.2 -; -#if a backend is particularly slow you can raise this timeout here -; timeout = 60 +# Example native LDAP domain +; [domain/LDAP] +; id_provider = ldap +; auth_provider = ldap +; ldap_uri = ldap://ldap.mydomain.org +; ldap_user_search_base = dc=mydomain,dc=org +; ldap_tls_reqcert = demand +; cache_credentials = true +; enumerate = true diff --git a/sssd.spec b/sssd.spec index dac287b..641ec6d 100644 --- a/sssd.spec +++ b/sssd.spec @@ -1,5 +1,7 @@ +%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} + Name: sssd -Version: 0.5.0 +Version: 0.6.0 Release: 0%{?dist} Group: Applications/System Summary: System Security Services Daemon @@ -18,6 +20,8 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) Requires: libldb >= 0.9.3 Requires: libtdb >= 1.1.3 +Requires: sssd-client = 0.6.0 +Requires(post): python Requires(preun): initscripts chkconfig Requires(postun): /sbin/service @@ -32,7 +36,8 @@ BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool BuildRequires: m4 -BuildRequires: popt-devel +%{?fedora:BuildRequires: popt-devel} +%{?rhel:BuildRequires: popt} BuildRequires: libtalloc-devel BuildRequires: libtevent-devel BuildRequires: libtdb-devel 
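Review bot: In the new `[domain/LDAP]` example, `ldap_uri = ldap://ldap.mydomain.org` is paired with `auth_provider = ldap` and `ldap_tls_reqcert = demand`, but the certificate policy only takes effect once TLS is actually in use, and nothing in the example shows that the session is encrypted before the bind. Whether this release starts TLS on an `ldap://` URI by itself is not visible here, so the example should either use `ldap_uri = ldaps://ldap.mydomain.org` or carry a comment such as `# passwords are sent in the bind; make sure the connection uses TLS (ldaps:// or StartTLS)`. Separately, the comment above `entry_cache_timeout` still refers to `EntryCacheTimeout` and `EntryCacheNoWaitRefreshTimeout`, which are not the key names the file now uses.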
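Review bot: `Requires: sssd-client = 0.6.0` in the `@@ -18,6 +20,8 @@` hunk hard-codes the version that the `Version:` tag already carries, so the next bump needs a second edit, and a missed one leaves the daemon depending on a client package version that is never built. `Requires: sssd-client = %{version}-%{release}` would keep the NSS and PAM client modules in lockstep with the daemon build without manual upkeep.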
@@ -49,6 +54,7 @@ BuildRequires: libxml2 BuildRequires: docbook-style-xsl BuildRequires: krb5-devel BuildRequires: c-ares-devel +BuildRequires: python-devel %description Provides a set of daemons to manage access to remote directories and @@ -57,6 +63,14 @@ the system and a pluggable backend system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA. +%package client +Summary: SSSD Client libraries for NSS and PAM +Group: Applications/System + +%description client +Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD +service. + %prep %setup -q @@ -83,15 +97,22 @@ rm -f \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ldap.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_krb5.la \ - $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la + $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la \ + $RPM_BUILD_ROOT/%{python_sitearch}/pysss.la mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd install -m600 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf +touch locator.filelist +if test -e $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so +then + echo %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so > locator.filelist +fi + %clean rm -rf $RPM_BUILD_ROOT -%files +%files -f locator.filelist %defattr(-,root,root,-) %doc COPYING %attr(755,root,root) %{_initrddir}/%{name} 
@@ -105,23 +126,40 @@ rm -rf $RPM_BUILD_ROOT %{_libexecdir}/%{servicename}/ %{_libdir}/%{name}/ %{_libdir}/ldb/memberof.so -%{_libdir}/krb5/plugins/libkrb5/* %dir %{sssdstatedir} %attr(700,root,root) %dir %{dbpath} %attr(755,root,root) %dir %{pipepath} %attr(700,root,root) %dir %{pipepath}/private +%attr(750,root,root) %dir %{_var}/log/%{name} %dir %{_sysconfdir}/sssd %config(noreplace) %{_sysconfdir}/sssd/sssd.conf -/%{_lib}/libnss_sss.so.2 -/%{_lib}/security/pam_sss.so -%{_mandir}/man5/* -%{_mandir}/man8/* +%{_mandir}/man5/sssd.conf.5* +%{_mandir}/man5/sssd-krb5.5* +%{_mandir}/man5/sssd-ldap.5* +%{_mandir}/man8/sssd.8* +%{_mandir}/man8/sss_groupadd.8* +%{_mandir}/man8/sss_groupdel.8* +%{_mandir}/man8/sss_groupmod.8* +%{_mandir}/man8/sss_useradd.8* +%{_mandir}/man8/sss_userdel.8* +%{_mandir}/man8/sss_usermod.8* +%{_mandir}/man8/sssd_krb5_locator_plugin.8* %{_datadir}/locale/*/LC_MESSAGES/sss_client.mo %{_datadir}/locale/*/LC_MESSAGES/sss_daemon.mo +%{python_sitearch}/pysss.so + +%files client +/%{_lib}/libnss_sss.so.2 +/%{_lib}/security/pam_sss.so +%{_mandir}/man8/pam_sss.8* %post /sbin/ldconfig /sbin/chkconfig --add %{servicename} +if [ $1 -ge 2 ] ; then +# a one-time upgrade from confdb v1 to v2, only if upgrading + python %{_libexecdir}/%{servicename}/upgrade_config.py +fi %preun if [ $1 = 0 ]; then @@ -136,6 +174,9 @@ if [ $1 -ge 1 ] ; then fi %changelog +* Mon Sep 28 2009 Sumit Bose - 0.6.0-0 +- New upstream release 0.6.0 + * Mon Aug 24 2009 Simo Sorce - 0.5.0-0 - New upstream release 0.5.0
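Review bot: The new `%post` upgrade step runs `python %{_libexecdir}/%{servicename}/upgrade_config.py` with a bare interpreter name, so which `python` executes as root depends on the PATH of the session running the transaction, while the neighbouring commands use absolute paths (`/sbin/ldconfig`, `/sbin/chkconfig`). The spec already uses `%{__python}` in its `python_sitearch` definition, and `%{__python} %{_libexecdir}/%{servicename}/upgrade_config.py` would pin the interpreter the same way. The script presumably rewrites `sssd.conf`, which is installed with `-m600`; it is worth confirming that the converted file keeps that mode and ownership, since it can hold bind credentials. Also in this hunk, the new `%files client` section has no `%defattr(-,root,root,-)` line, unlike the main `%files` section.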