New upstream release

- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1
- Support for the service map in NSS
- Support for setting default SELinux user context from FreeIPA
- Support for retrieving SSH user and host keys from LDAP (Experimental)
- Support for caching autofs LDAP requests (Experimental)
- Support for caching SUDO rules (Experimental)
Stephen Gallagher 2012-02-06 20:08:04 -05:00
parent e8905f5363
commit 881479933b
5 changed files with 71 additions and 538 deletions

1
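--- a/.gitignore
+++ b/.gitignore
@@ -21,3 +21,4 @@ sssd-1.2.91.tar.gz
 /sssd-1.6.3.tar.gz
 /sssd-1.6.4.tar.gz
 /sssd-1.7.0.tar.gz
+/sssd-1.8.0beta1.tar.gz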


@ -1,254 +0,0 @@
From cd59e5d02ec97ea309fd51d4d6a6a4421617cd12 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 1 Feb 2012 14:03:36 -0500
Subject: [PATCH] LDAP: Do not fail if RootDSE check cannot determine search
bases
https://fedorahosted.org/sssd/ticket/1152
Conflicts:
src/providers/ldap/sdap_async_services.c
---
src/providers/ipa/ipa_netgroups.c | 7 +++++
src/providers/ldap/ldap_common.c | 5 +--
src/providers/ldap/sdap.c | 7 ++++-
src/providers/ldap/sdap_async_groups.c | 9 +++++++
src/providers/ldap/sdap_async_initgroups.c | 35 +++++++++++++++++++++++++++-
src/providers/ldap/sdap_async_netgroups.c | 10 ++++++++
src/providers/ldap/sdap_async_users.c | 9 +++++++
src/providers/ldap/sdap_sudo.c | 9 +++++++
8 files changed, 86 insertions(+), 5 deletions(-)
diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
index 78bcee1b44fec3c8d04fc5ba13b46db26396d1b1..7da1147c7d6fd1dec8872209e442ae99ee810aa1 100644
--- a/src/providers/ipa/ipa_netgroups.c
+++ b/src/providers/ipa/ipa_netgroups.c
@@ -209,6 +209,13 @@ struct tevent_req *ipa_get_netgroups_send(TALLOC_CTX *memctx,
state->base_filter = filter;
state->netgr_base_iter = 0;
+ if (!ipa_options->id->netgroup_search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Netgroup lookup request without a search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
ret = sss_hash_create(state, 32, &state->new_netgroups);
if (ret != EOK) goto done;
ret = sss_hash_create(state, 32, &state->new_users);
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 71921963a768a9975eca6432025704e06f28a2b8..c287b345217befeb872b25521d80d601fc27f0c7 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -538,9 +538,8 @@ int ldap_get_sudo_options(TALLOC_CTX *memctx,
dp_opt_get_string(opts->basic, SDAP_SUDO_SEARCH_BASE)));
}
} else {
- /* FIXME: try to discover it later */
- DEBUG(SSSDBG_OP_FAILURE, ("Error: no SUDO search base set\n"));
- return ENOENT;
+ DEBUG(SSSDBG_TRACE_FUNC, ("Search base not set, trying to discover it later "
+ "connecting to the LDAP server.\n"));
}
ret = sdap_parse_search_base(opts, opts->basic,
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 3ca2e286146e1e88b1fd7abef341fa8c3aa699ad..2b29116949b2f8efae269a994a0f3da64a0ee612 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -748,7 +748,12 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
naming_context = get_naming_context(opts->basic, rootdse);
if (naming_context == NULL) {
DEBUG(1, ("get_naming_context failed.\n"));
- ret = EINVAL;
+
+ /* This has to be non-fatal, since some servers offer
+ * multiple namingContexts entries. We will just
+ * add NULL checks for the search bases in the lookups.
+ */
+ ret = EOK;
goto done;
}
}
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index e59640997d78db525a98a63cd230d2bc1a74d1a1..fe5dbd49a159c0ca4f57d60b7f69a8792e9a42c9 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -1217,7 +1217,16 @@ struct tevent_req *sdap_get_groups_send(TALLOC_CTX *memctx,
state->base_iter = 0;
state->search_bases = search_bases;
+ if (!search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Group lookup request without a search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
ret = sdap_get_groups_next_base(req);
+
+done:
if (ret != EOK) {
tevent_req_error(req, ret);
tevent_req_post(req, ev);
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 73ab25ea79cd66ff5fe7131ee7606cf71aa382e5..a769b100557b2d685cb022f09bea0d70ccfe3bb3 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -303,6 +303,13 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
state->base_iter = 0;
state->search_bases = opts->group_search_bases;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Initgroups lookup request without a group search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
state->name = talloc_strdup(state, name);
if (!state->name) {
talloc_zfree(req);
@@ -337,6 +344,8 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
talloc_zfree(clean_name);
ret = sdap_initgr_rfc2307_next_base(req);
+
+done:
if (ret != EOK) {
tevent_req_error(req, ret);
tevent_req_post(req, ev);
@@ -1432,6 +1441,13 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
state->base_iter = 0;
state->search_bases = opts->group_search_bases;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Initgroups lookup request without a group search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
ret = sss_hash_create(state, 32, &state->group_hash);
if (ret != EOK) {
talloc_free(req);
@@ -2006,9 +2022,17 @@ struct tevent_req *rfc2307bis_nested_groups_send(
SDAP_SEARCH_TIMEOUT);
state->base_iter = 0;
state->search_bases = opts->group_search_bases;
-
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Initgroups nested lookup request "
+ "without a group search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
ret = rfc2307bis_nested_groups_step(req);
+
+done:
if (ret == EOK) {
/* All parent groups were already processed */
tevent_req_done(req);
@@ -2378,9 +2402,16 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
state->user_base_iter = 0;
state->user_search_bases = id_ctx->opts->user_search_bases;
+ if (!state->user_search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Initgroups lookup request without a user search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
ret = sss_filter_sanitize(state, name, &clean_name);
if (ret != EOK) {
+ talloc_zfree(req);
return NULL;
}
@@ -2402,6 +2433,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
}
ret = sdap_get_initgr_next_base(req);
+
+done:
if (ret != EOK) {
tevent_req_error(req, ret);
tevent_req_post(req, ev);
diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c
index 0888c7e2fcf03d0b133bcf93ad017086aedffe16..f3a378f6488cfd46001c22b3a5abf29724f2fd0d 100644
--- a/src/providers/ldap/sdap_async_netgroups.c
+++ b/src/providers/ldap/sdap_async_netgroups.c
@@ -579,7 +579,17 @@ struct tevent_req *sdap_get_netgroups_send(TALLOC_CTX *memctx,
state->base_iter = 0;
state->search_bases = search_bases;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Netgroup lookup request without a netgroup search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
+
ret = sdap_get_netgroups_next_base(req);
+
+done:
if (ret != EOK) {
tevent_req_error(req, ret);
tevent_req_post(req, state->ev);
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index ac856a64208cb87994f676ab50fdba6d82dbcb50..01168321951fa9d14f4b58d891cb922c6c44d2c2 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -434,7 +434,16 @@ struct tevent_req *sdap_get_users_send(TALLOC_CTX *memctx,
state->search_bases = search_bases;
state->enumeration = enumeration;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("User lookup request without a search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
ret = sdap_get_users_next_base(req);
+
+done:
if (ret != EOK) {
tevent_req_error(req, ret);
tevent_req_post(req, state->ev);
diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index 68cb47cd38952594d34ccc81913b7308caf9af10..aeae22eccf2a9adf3fb2fde831a3b492a6c4afb7 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
@@ -237,6 +237,13 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx,
state->ldap_rules = NULL;
state->ldap_rules_count = 0;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("SUDOERS lookup request without a search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
/* create filter */
state->filter = sdap_sudo_build_filter(state,
state->opts->sudorule_map,
@@ -256,6 +263,8 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx,
/* begin search */
ret = sdap_sudo_load_sudoers_next_base(req);
+
+done:
if (ret != EOK) {
tevent_req_error(req, ret);
tevent_req_post(req, sudo_ctx->be_ctx->ev);
--
1.7.7.6


@ -1,265 +0,0 @@
From 707b20e80a5c5b86944dc55bbc652b392a4c6454 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Sat, 21 Jan 2012 12:11:23 -0500
Subject: [PATCH 5/5] DP: Fix bugs in sss_dp_get_account_int
The conversion to the tevent_req style introduced numerous bugs
related to memory management of the various client requests. In
some circumstances, this could cause memory corruption and
segmentation faults in the NSS responder. This patch makes the
following changes:
1) Rename the internal lookup from subreq to sidereq, to indicate
that it is not a sub-request of the current lookup (and therefore
is not cancelled if the current request is).
2) Change the handling of the callback loops since they call
tevent_req_[done|error], which results in them being freed (and
therefore removed from the cb_list. This was the source of the
memory corruption that would occasionally result in dereferencing
an unreadable request.
3) Remove the unnecessary sss_dp_get_account_int_recv() function
and change sss_dp_get_account_done() so that it only frees the
sidereq. All of the waiting processes have already been signaled
with the final results from sss_dp_get_account_int_done()
---
src/responder/common/responder_dp.c | 110 +++++++++++-----------------
src/responder/nss/nsssrv_cmd.c | 1 +
src/responder/pam/pamsrv_cmd.c | 1 +
src/responder/sudo/sudosrv_get_sudorules.c | 1 +
4 files changed, 47 insertions(+), 66 deletions(-)
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
index f51e2496a165cc2b776af776f2e9d1ea75b8e62c..9219037cc6055899e675eef846af54238d5c61e1 100644
--- a/src/responder/common/responder_dp.c
+++ b/src/responder/common/responder_dp.c
@@ -92,11 +92,28 @@ static int sss_dp_req_destructor(void *ptr)
/* If there are callbacks that haven't been invoked, return
* an error now.
*/
- DLIST_FOR_EACH(cb, sdp_req->cb_list) {
+ while((cb = sdp_req->cb_list) != NULL) {
state = tevent_req_data(cb->req, struct dp_get_account_state);
state->err_maj = DP_ERR_FATAL;
state->err_min = EIO;
+
+ /* tevent_req_done/error will free cb */
tevent_req_error(cb->req, EIO);
+
+ /* Freeing the cb removes it from the cb_list.
+ * Therefore, the cb_list should now be pointing
+ * at a new callback. If it's not, it means the
+ * callback handler didn't free cb and may leak
+ * memory. Be paranoid and protect against this
+ * situation.
+ */
+ if (cb == sdp_req->cb_list) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ ("BUG: a callback did not free its request. "
+ "May leak memory\n"));
+ /* Skip to the next since a memory leak is non-fatal */
+ sdp_req->cb_list = sdp_req->cb_list->next;
+ }
}
/* Destroy the hash entry */
@@ -225,14 +242,6 @@ sss_dp_get_account_int_send(struct resp_ctx *rctx,
static void
sss_dp_get_account_done(struct tevent_req *subreq);
-static errno_t
-sss_dp_get_account_int_recv(TALLOC_CTX *mem_ctx,
- struct tevent_req *req,
- dbus_uint16_t *err_maj,
- dbus_uint32_t *err_min,
- char **err_msg);
-
-
/* Send a request to the data provider
* Once this function is called, the communication
* with the data provider will always run to
@@ -252,7 +261,7 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
errno_t ret;
int hret;
struct tevent_req *req;
- struct tevent_req *subreq;
+ struct tevent_req *sidereq;
struct dp_get_account_state *state;
struct sss_dp_req *sdp_req;
struct sss_dp_callback *cb;
@@ -343,19 +352,19 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
*/
value.type = HASH_VALUE_PTR;
- subreq = sss_dp_get_account_int_send(rctx, state->key, dom,
+ sidereq = sss_dp_get_account_int_send(rctx, state->key, dom,
be_type, filter);
- if (!subreq) {
+ if (!sidereq) {
ret = ENOMEM;
goto error;
}
- tevent_req_set_callback(subreq, sss_dp_get_account_done, NULL);
+ tevent_req_set_callback(sidereq, sss_dp_get_account_done, NULL);
/* We should now be able to find the sdp_req in the hash table */
hret = hash_lookup(rctx->dp_request_table, state->key, &value);
if (hret != HASH_SUCCESS) {
/* Something must have gone wrong with creating the request */
- talloc_zfree(subreq);
+ talloc_zfree(sidereq);
ret = EIO;
goto error;
}
@@ -402,23 +411,10 @@ error:
}
static void
-sss_dp_get_account_done(struct tevent_req *subreq)
+sss_dp_get_account_done(struct tevent_req *sidereq)
{
- errno_t ret;
- struct tevent_req *req = tevent_req_callback_data(subreq,
- struct tevent_req);
- struct dp_get_account_state *state =
- tevent_req_data(req, struct dp_get_account_state);
-
- ret = sss_dp_get_account_int_recv(state, req,
- &state->err_maj,
- &state->err_min,
- &state->err_msg);
- if (ret != EOK) {
- tevent_req_done(req);
- } else {
- tevent_req_error(req, ret);
- }
+ /* Nothing to do here. The callbacks have already been invoked */
+ talloc_zfree(sidereq);
}
errno_t
@@ -599,7 +595,7 @@ static void sss_dp_get_account_int_done(DBusPendingCall *pending, void *ptr)
int ret;
struct tevent_req *req;
struct sss_dp_req *sdp_req;
- struct sss_dp_callback *cb, *prevcb = NULL;
+ struct sss_dp_callback *cb;
struct dp_get_account_int_state *state;
struct dp_get_account_state *cb_state;
@@ -630,58 +626,40 @@ static void sss_dp_get_account_int_done(DBusPendingCall *pending, void *ptr)
}
/* Check whether we need to issue any callbacks */
- DLIST_FOR_EACH(cb, sdp_req->cb_list) {
+ while ((cb = sdp_req->cb_list) != NULL) {
cb_state = tevent_req_data(cb->req, struct dp_get_account_state);
cb_state->err_maj = sdp_req->err_maj;
cb_state->err_min = sdp_req->err_min;
cb_state->err_msg = talloc_strdup(cb_state, sdp_req->err_msg);
/* Don't bother checking for NULL. If it fails due to ENOMEM,
- * we can't really handle it annyway.
+ * we can't really handle it anyway.
*/
+ /* tevent_req_done/error will free cb */
if (ret == EOK) {
tevent_req_done(cb->req);
} else {
tevent_req_error(cb->req, ret);
}
- /* Freeing the request removes it from the list */
- if (prevcb) talloc_free(prevcb);
- prevcb = cb;
+ /* Freeing the cb removes it from the cb_list.
+ * Therefore, the cb_list should now be pointing
+ * at a new callback. If it's not, it means the
+ * callback handler didn't free cb and may leak
+ * memory. Be paranoid and protect against this
+ * situation.
+ */
+ if (cb == sdp_req->cb_list) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ ("BUG: a callback did not free its request. "
+ "May leak memory\n"));
+ /* Skip to the next since a memory leak is non-fatal */
+ sdp_req->cb_list = sdp_req->cb_list->next;
+ }
}
- talloc_free(prevcb);
/* We're done with this request. Free the sdp_req
* This will clean up the hash table entry as well
*/
talloc_zfree(sdp_req);
}
-
-static errno_t
-sss_dp_get_account_int_recv(TALLOC_CTX *mem_ctx,
- struct tevent_req *req,
- dbus_uint16_t *err_maj,
- dbus_uint32_t *err_min,
- char **err_msg)
-{
- struct dp_get_account_int_state *state =
- tevent_req_data(req, struct dp_get_account_int_state);
-
- enum tevent_req_state TRROEstate;
- uint64_t TRROEerr;
-
- *err_maj = state->sdp_req->err_maj;
- *err_min = state->sdp_req->err_min;
- *err_msg = talloc_steal(mem_ctx, state->sdp_req->err_msg);
-
- if (tevent_req_is_error(req, &TRROEstate, &TRROEerr)) {
- if (TRROEstate == TEVENT_REQ_USER_ERROR) {
- *err_maj = DP_ERR_FATAL;
- *err_min = TRROEerr;
- } else {
- return EIO;
- }
- }
-
- return EOK;
-}
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 3bc30ab8641b1787ded15165890e61836e46e802..fc2dca8d7a9e9dc1e5d68c98f95a5d3d67231f4a 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -700,6 +700,7 @@ static void nsssrv_dp_send_acct_req_done(struct tevent_req *req)
ret = sss_dp_get_account_recv(cb_ctx->mem_ctx, req,
&err_maj, &err_min,
&err_msg);
+ talloc_zfree(req);
if (ret != EOK) {
NSS_CMD_FATAL_ERROR(cb_ctx->cctx);
}
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 3b2d509e237b12516e1234a34a8542ae09752c43..2e544cd5aa5a566e5557f2d9280b57b24f39befd 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -994,6 +994,7 @@ static void pam_dp_send_acct_req_done(struct tevent_req *req)
ret = sss_dp_get_account_recv(cb_ctx->mem_ctx, req,
&err_maj, &err_min,
&err_msg);
+ talloc_zfree(req);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
("Fatal error, killing connection!\n"));
diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
index 5d54f95ab78bc43338dd55205e85dbba7bd5f437..1723fd42c8222e72e46498a3b83e427099243369 100644
--- a/src/responder/sudo/sudosrv_get_sudorules.c
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
@@ -181,6 +181,7 @@ static void sudosrv_dp_send_acct_req_done(struct tevent_req *req)
ret = sss_dp_get_account_recv(cb_ctx->mem_ctx, req,
&err_maj, &err_min,
&err_msg);
+ talloc_zfree(req);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
("Fatal error, killing connection!\n"));
--
1.7.4.1


@ -1 +1 @@
1fbc9c99df8f2883513cb4b767d4b7d4 sssd-1.7.0.tar.gz e6fddc180edbf69fddcb4151701b2d5c sssd-1.8.0beta1.tar.gz


@ -18,28 +18,27 @@
%global ldb_version 1.1.4 %global ldb_version 1.1.4
Name: sssd Name: sssd
Version: 1.7.0 Version: 1.8.0
Release: 5%{?dist} Release: 1%{?dist}.beta1
Group: Applications/System Group: Applications/System
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPLv3+ License: GPLv3+
URL: http://fedorahosted.org/sssd/ URL: http://fedorahosted.org/sssd/
Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}beta1.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ### ### Patches ###
Patch0001: 0001-LDAP-Do-not-fail-if-RootDSE-check-cannot-determine-s.patch
Patch0002: 0002-DP-Fix-bugs-in-sss_dp_get_account_int.patch
### Dependencies ### ### Dependencies ###
Conflicts: selinux-policy < 3.10.0-46 Conflicts: selinux-policy < 3.10.0-46
Requires: libldb = %{ldb_version} Requires: libldb = %{ldb_version}
Requires: libtdb >= 1.1.3 Requires: libtdb >= 1.1.3
Requires: sssd-client%{?_isa} = %{version}-%{release} Requires: sssd-client%{?_isa} = %{version}-%{release}
Requires: cyrus-sasl-gssapi Requires: cyrus-sasl-gssapi%{?_isa}
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
Requires: krb5-libs >= 1.9 Requires: krb5-libs >= 1.9
Requires: keyutils-libs
Requires(post): systemd-units initscripts chkconfig /sbin/ldconfig Requires(post): systemd-units initscripts chkconfig /sbin/ldconfig
Requires(preun): systemd-units initscripts chkconfig Requires(preun): systemd-units initscripts chkconfig
Requires(postun): systemd-units initscripts chkconfig /sbin/ldconfig Requires(postun): systemd-units initscripts chkconfig /sbin/ldconfig
@ -92,6 +91,7 @@ BuildRequires: keyutils-libs-devel
BuildRequires: libnl-devel BuildRequires: libnl-devel
BuildRequires: nscd BuildRequires: nscd
BuildRequires: gettext-devel BuildRequires: gettext-devel
BuildRequires: pkgconfig
BuildRequires: libunistring-devel BuildRequires: libunistring-devel
BuildRequires: findutils BuildRequires: findutils
@ -151,6 +151,22 @@ Requires: libipa_hbac = %{version}-%{release}
The libipa_hbac-python contains the bindings so that libipa_hbac can be The libipa_hbac-python contains the bindings so that libipa_hbac can be
used by Python applications. used by Python applications.
%package -n libsss_sudo
Summary: A library to allow communication between SUDO and SSSD
Group: Development/Libraries
License: LGPLv3+
%description -n libsss_sudo
A utility library to allow communication between SUDO and SSSD
%package -n libsss_sudo-devel
Summary: A library to allow communication between SUDO and SSSD
Group: Development/Libraries
License: LGPLv3+
Requires: libsss_sudo = %{version}-%{release}
%description -n libsss_sudo-devel
A utility library to allow communication between SUDO and SSSD
%prep %prep
# Update timestamps on the files touched by a patch, to avoid non-equal # Update timestamps on the files touched by a patch, to avoid non-equal
@ -168,7 +184,7 @@ UpdateTimestamps() {
done done
} }
%setup -q %setup -q -n %{name}-1.7.91
for p in %patches ; do for p in %patches ; do
%__patch -p1 -i $p %__patch -p1 -i $p
@ -187,7 +203,8 @@ autoreconf -ivf
--enable-pammoddir=/%{_lib}/security \ --enable-pammoddir=/%{_lib}/security \
--disable-static \ --disable-static \
--disable-rpath \ --disable-rpath \
--with-test-dir=/dev/shm --with-test-dir=/dev/shm \
--enable-all-experimental-features
make %{?_smp_mflags} all docs make %{?_smp_mflags} all docs
@ -204,11 +221,9 @@ make install DESTDIR=$RPM_BUILD_ROOT
# Prepare language files # Prepare language files
/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd /usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd
# Copy SSSDConfig API files # Prepare empty config file
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd
touch $RPM_BUILD_ROOT/%{_sysconfdir}/sssd/sssd.conf touch $RPM_BUILD_ROOT/%{_sysconfdir}/sssd/sssd.conf
install -m400 src/config/etc/sssd.api.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.conf
install -m400 src/config/etc/sssd.api.d/* $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.d/
# Copy default logrotate file # Copy default logrotate file
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d
@ -273,9 +288,8 @@ rm -rf $RPM_BUILD_ROOT
%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf %ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd %config(noreplace) %{_sysconfdir}/logrotate.d/sssd
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd %config(noreplace) %{_sysconfdir}/rwtab.d/sssd
%config %{_sysconfdir}/sssd/sssd.api.conf %{_datadir}/sssd/sssd.api.conf
%attr(700,root,root) %dir %{_sysconfdir}/sssd/sssd.api.d %{_datadir}/sssd/sssd.api.d
%config %{_sysconfdir}/sssd/sssd.api.d/*
%{_mandir}/man5/sssd.conf.5* %{_mandir}/man5/sssd.conf.5*
%{_mandir}/man5/sssd-ipa.5* %{_mandir}/man5/sssd-ipa.5*
%{_mandir}/man5/sssd-krb5.5* %{_mandir}/man5/sssd-krb5.5*
@ -285,16 +299,20 @@ rm -rf $RPM_BUILD_ROOT
%{python_sitearch}/pysss.so %{python_sitearch}/pysss.so
%{python_sitelib}/*.py* %{python_sitelib}/*.py*
%files client -f sssd_tools.lang %files client
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER %doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
/%{_lib}/libnss_sss.so.2 /%{_lib}/libnss_sss.so.2
/%{_lib}/security/pam_sss.so /%{_lib}/security/pam_sss.so
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
%{_bindir}/sss_ssh_authorizedkeys
%{_bindir}/sss_ssh_knownhostsproxy
%{_mandir}/man1/sss_ssh_authorizedkeys.1*
%{_mandir}/man1/sss_ssh_knownhostsproxy.1*
%{_mandir}/man8/pam_sss.8* %{_mandir}/man8/pam_sss.8*
%{_mandir}/man8/sssd_krb5_locator_plugin.8* %{_mandir}/man8/sssd_krb5_locator_plugin.8*
%files tools %files tools -f sssd_tools.lang
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc COPYING %doc COPYING
%{_sbindir}/sss_useradd %{_sbindir}/sss_useradd
@ -334,6 +352,30 @@ rm -rf $RPM_BUILD_ROOT
%defattr(-,root,root,-) %defattr(-,root,root,-)
%{python_sitearch}/pyhbac.so %{python_sitearch}/pyhbac.so
%package -n libsss_autofs
Summary: A library to allow communication between Autofs and SSSD
Group: Development/Libraries
License: LGPLv3+
%description -n libsss_autofs
A utility library to allow communication between Autofs and SSSD
%files -n libsss_sudo
%defattr(-,root,root,-)
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libsss_sudo.so.*
%files -n libsss_sudo-devel
%doc libsss_sudo_doc/html
%{_includedir}/sss_sudo.h
%{_libdir}/libsss_sudo.so
%{_libdir}/pkgconfig/libsss_sudo.pc
%files -n libsss_autofs
%defattr(-,root,root,-)
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/sssd/modules/libsss_autofs.so*
%post %post
/sbin/ldconfig /sbin/ldconfig
@ -380,6 +422,15 @@ fi
%postun -n libipa_hbac -p /sbin/ldconfig %postun -n libipa_hbac -p /sbin/ldconfig
%changelog %changelog
* Mon Feb 06 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.0-1.beta1
- New upstream release
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1
- Support for the service map in NSS
- Support for setting default SELinux user context from FreeIPA
- Support for retrieving SSH user and host keys from LDAP (Experimental)
- Support for caching autofs LDAP requests (Experimental)
- Support for caching SUDO rules (Experimental)
* Wed Feb 01 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7.0-5 * Wed Feb 01 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7.0-5
- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for
new LDAP features - fix netgroups and sudo as well new LDAP features - fix netgroups and sudo as well
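Review bot: The added `--enable-all-experimental-features` switch in the build hunk turns on every feature upstream still marks experimental, and the same commit ships `sss_ssh_authorizedkeys` and `sss_ssh_knownhostsproxy` in the `client` subpackage that the main package requires, so every install receives the experimental SSH key helpers. For a daemon that sits on the login and sudo path, I would select the wanted features individually rather than with the catch-all, or at least record the decision in a comment above the configure invocation, e.g. `# beta build: enables the experimental SUDO, autofs and SSH key support; revisit before the stable release`. The SSH helpers could also move to their own subpackage so that administrators opt in to them. Separately, `%setup -q -n %{name}-1.7.91` hard-codes a directory name that matches neither Version nor the tarball name; a `%global` for it with a short comment would make the next rebase less error-prone.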