Compare commits
19 Commits
Author | SHA1 | Date |
---|---|---|
|
0424a6ce33 | |
|
afc7bd6f1e | |
|
40c3ae988f | |
|
8e5a5bd939 | |
|
4c3e129c7b | |
|
acb9f4dceb | |
|
1a4558387a | |
|
29b254886f | |
|
c13be84ef8 | |
|
75380a749d | |
|
c5df487fb9 | |
|
217f3182fe | |
|
93cf9863f6 | |
|
0aedfd6ccd | |
|
9850042b01 | |
|
d41bc2caab | |
|
0652a3507c | |
|
1d5ea15cb8 | |
|
a4b82ef7af |
|
@ -26,3 +26,10 @@ sssd-1.2.91.tar.gz
|
|||
/sssd-1.8.0beta3.tar.gz
|
||||
/sssd-1.8.0.tar.gz
|
||||
/sssd-1.8.1.tar.gz
|
||||
/sssd-1.8.2.tar.gz
|
||||
/sssd-1.8.3.tar.gz
|
||||
/sssd-1.8.4.tar.gz
|
||||
/sssd-1.8.5.tar.gz
|
||||
/sssd-1.8.6.tar.gz
|
||||
/sssd-1.9.4.tar.gz
|
||||
/sssd-1.9.5.tar.gz
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
From cae3bf6af22855adc8dd7b270e11207f0a33c385 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 30 Jan 2013 13:45:27 +0100
|
||||
Subject: [PATCH] krb: recreate ccache if it was deleted
|
||||
|
||||
https://fedorahosted.org/sssd/ticket/1512
|
||||
|
||||
If directory where a ccache file was stored was missing and user
|
||||
was still logged in, we erroneously considered the ccache file
|
||||
still active. Thus the ccache file was not recreated and user was
|
||||
unable to login.
|
||||
---
|
||||
src/providers/krb5/krb5_utils.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
|
||||
index b770714be030076203b6578f90ef726226cb72f8..7b56be52497ae66fa536b76ca0561ec3cc3208ce 100644
|
||||
--- a/src/providers/krb5/krb5_utils.c
|
||||
+++ b/src/providers/krb5/krb5_utils.c
|
||||
@@ -770,8 +770,15 @@ cc_residual_is_used(uid_t uid, const char *ccname,
|
||||
|
||||
ret = lstat(ccname, &stat_buf);
|
||||
|
||||
- if (ret == -1 && errno != ENOENT) {
|
||||
+ if (ret == -1) {
|
||||
ret = errno;
|
||||
+ if (ret == ENOENT) {
|
||||
+ DEBUG(SSSDBG_FUNC_DATA, ("Cache file [%s] does not exists, "
|
||||
+ "it will be recreated\n", ccname));
|
||||
+ *result = false;
|
||||
+ return EOK;
|
||||
+ }
|
||||
+
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
("stat failed [%d][%s].\n", ret, strerror(ret)));
|
||||
return ret;
|
||||
--
|
||||
1.7.11.7
|
||||
|
|
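Review bot: The new ENOENT branch in `cc_residual_is_used` only decides that the ccache is not in use; the recreation it promises happens outside this hunk, and that code should create the file with O_CREAT|O_EXCL (or mkstemp) rather than trusting that the path is still absent after this lstat(), since the directory is under the user's control. The message has a typo — `"Cache file [%s] does not exist, "` — and `ret = errno;` being taken before the ENOENT test is the right order because DEBUG() can clobber errno, which deserves a one-line comment `/* save errno before DEBUG() can overwrite it */`. ENOTDIR (a component of the path exists but is not a directory) still falls through to the failure path, which looks intended since the ticket only covers a removed directory. The function starts and ends outside the hunk.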
@ -0,0 +1,69 @@
|
|||
From a0388dc52f5461f72f8221c9bb7c92008e1fe2c5 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Fri, 1 Feb 2013 12:17:47 +0100
|
||||
Subject: [PATCH] subdomains: replace invalid characters with underscore in
|
||||
krb5 mapping file name
|
||||
|
||||
https://fedorahosted.org/sssd/ticket/1795
|
||||
|
||||
Only alpha-numeric chars, dashes and underscores are allowed in
|
||||
krb5 include directory.
|
||||
---
|
||||
src/providers/ipa/ipa_subdomains.c | 26 +++++++++++++++++++++++++-
|
||||
1 file changed, 25 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
|
||||
index ef6195d19de72be7fd2b12a309b33fcf20e0e3a1..f959c4e6eb1d830e3990f552c9f4cf962298ef48 100644
|
||||
--- a/src/providers/ipa/ipa_subdomains.c
|
||||
+++ b/src/providers/ipa/ipa_subdomains.c
|
||||
@@ -287,22 +287,46 @@ ipa_subdomains_write_mappings(struct sss_domain_info *domain,
|
||||
errno_t err;
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
const char *mapping_file;
|
||||
+ char *sanitized_domain;
|
||||
char *tmp_file = NULL;
|
||||
int fd = -1;
|
||||
mode_t old_mode;
|
||||
FILE *fstream = NULL;
|
||||
size_t i;
|
||||
|
||||
+ if (domain == NULL || domain->name == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, ("No domain name provided\n"));
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
tmp_ctx = talloc_new(NULL);
|
||||
if (!tmp_ctx) return ENOMEM;
|
||||
|
||||
+ sanitized_domain = talloc_strdup(tmp_ctx, domain->name);
|
||||
+ if (sanitized_domain == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_strdup() failed\n"));
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ /* only alpha-numeric chars, dashes and underscores are allowed in
|
||||
+ * krb5 include directory */
|
||||
+ for (i = 0; sanitized_domain[i] != '\0'; i++) {
|
||||
+ if (!isalnum(sanitized_domain[i])
|
||||
+ && sanitized_domain[i] != '-' && sanitized_domain[i] != '_') {
|
||||
+ sanitized_domain[i] = '_';
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
mapping_file = talloc_asprintf(tmp_ctx, "%s/domain_realm_%s",
|
||||
- IPA_SUBDOMAIN_MAPPING_DIR, domain->name);
|
||||
+ IPA_SUBDOMAIN_MAPPING_DIR, sanitized_domain);
|
||||
if (!mapping_file) {
|
||||
ret = ENOMEM;
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ DEBUG(SSSDBG_FUNC_DATA, ("Mapping file for domain [%s] is [%s]\n",
|
||||
+ domain->name, mapping_file));
|
||||
+
|
||||
tmp_file = talloc_asprintf(tmp_ctx, "%sXXXXXX", mapping_file);
|
||||
if (tmp_file == NULL) {
|
||||
ret = ENOMEM;
|
||||
--
|
||||
1.7.11.7
|
||||
|
|
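Review bot: `isalnum(sanitized_domain[i])` is passed a plain `char`; where char is signed, any byte >= 0x80 in a domain name (IDN labels, mis-encoded input) becomes a negative argument and the ctype call is undefined behaviour — use `isalnum((unsigned char)sanitized_domain[i])`. The early `return ENOMEM` after the failed `talloc_strdup` leaks `tmp_ctx`, which was just allocated with a NULL parent; the function already has a `done` label, so `ret = ENOMEM; goto done;` matches the existing error path. The mapping is lossy: `foo.bar` and `foo_bar` both become `domain_realm_foo_bar`, so two subdomains differing only in rejected characters would overwrite each other's mapping file — probably acceptable for DNS-style names, but worth a sentence in the comment above the loop. On the positive side, replacing `.` and `/` also closes the case where a domain name could move the mapping file outside IPA_SUBDOMAIN_MAPPING_DIR; `ipa_subdomains_write_mappings` continues outside the hunk.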
@ -0,0 +1,39 @@
|
|||
From e354a96bbca5da8525ee51f91907e75af897b856 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Thu, 14 Feb 2013 10:13:59 +0100
|
||||
Subject: [PATCH] Fix the krb5 password expiration warning
|
||||
|
||||
https://fedorahosted.org/sssd/ticket/1808
|
||||
---
|
||||
src/confdb/confdb.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||
index 31efd9443be8490715961c8a45f9352bd1ade653..31c48bd28aee37008687e7e255ebf2ef2d79798a 100644
|
||||
--- a/src/confdb/confdb.c
|
||||
+++ b/src/confdb/confdb.c
|
||||
@@ -1020,7 +1020,11 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- /* Set the PAM warning time, if specified */
|
||||
+ /* Set the PAM warning time, if specified. If not specified, pass on
|
||||
+ * the "not set" value of "-1" which means "use provider default". The
|
||||
+ * value 0 means "always display the warning if server sends one" */
|
||||
+ domain->pwd_expiration_warning = -1;
|
||||
+
|
||||
val = ldb_msg_find_attr_as_int(res->msgs[0],
|
||||
CONFDB_DOMAIN_PWD_EXPIRATION_WARNING,
|
||||
-1);
|
||||
@@ -1035,6 +1039,8 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
||||
}
|
||||
|
||||
if (val > 0) {
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
||||
+ ("Setting domain password expiration warning to %d days\n", val));
|
||||
/* The value is in days, transform it to seconds */
|
||||
domain->pwd_expiration_warning = val * 24 * 3600;
|
||||
}
|
||||
--
|
||||
1.8.1.2
|
||||
|
|
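Review bot: `domain->pwd_expiration_warning = val * 24 * 3600` multiplies an `int` read from the config without a bound; a misconfigured value of 24856 days or more overflows `int` (signed overflow is undefined) and yields a garbage threshold instead of an error. Add a range check before the conversion, e.g. `if (val > INT_MAX / (24 * 3600)) { DEBUG(SSSDBG_CRIT_FAILURE, ("pwd_expiration_warning too large\n")); ret = EINVAL; goto done; }` — the `done` label is visible in the hunk's context and `INT_MAX` needs `<limits.h>`. The new comment documents the meaning of -1 and 0, but the branch that handles a 0 value lies between the two hunks, so a reader of this diff cannot confirm that 0 is really passed through as "always warn"; a short comment next to that branch would close the gap. `confdb_get_domain_internal` starts and ends outside the hunk.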
@ -0,0 +1,412 @@
|
|||
From 754b09b5444e6da88ed58d6deaed8b815e268b6b Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Sun, 3 Mar 2013 21:43:44 +0100
|
||||
Subject: [PATCH 2/4] Add unit tests for simple access test by groups
|
||||
|
||||
I realized that the current unit tests for the simple access provider
|
||||
only tested the user directives. To have a baseline and be able to
|
||||
detect new bugs in the upcoming patch, I implemented unit tests for the
|
||||
group lists, too.
|
||||
---
|
||||
src/tests/simple_access-tests.c | 283 +++++++++++++++++++++++++++++++++++-----
|
||||
1 file changed, 252 insertions(+), 31 deletions(-)
|
||||
|
||||
diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c
|
||||
index c61814eb54c1aa5138a1b45653f9384228c5456a..577c6d334edda513fd0f1e42a859ea333ba5ba23 100644
|
||||
--- a/src/tests/simple_access-tests.c
|
||||
+++ b/src/tests/simple_access-tests.c
|
||||
@@ -30,39 +30,152 @@
|
||||
#include "providers/simple/simple_access.h"
|
||||
#include "tests/common.h"
|
||||
|
||||
+#define TESTS_PATH "tests_simple_access"
|
||||
+#define TEST_CONF_FILE "tests_conf.ldb"
|
||||
+
|
||||
const char *ulist_1[] = {"u1", "u2", NULL};
|
||||
+const char *glist_1[] = {"g1", "g2", NULL};
|
||||
|
||||
-struct simple_ctx *ctx = NULL;
|
||||
+struct simple_test_ctx *test_ctx = NULL;
|
||||
+
|
||||
+struct simple_test_ctx {
|
||||
+ struct sysdb_ctx *sysdb;
|
||||
+ struct confdb_ctx *confdb;
|
||||
+
|
||||
+ struct simple_ctx *ctx;
|
||||
+};
|
||||
|
||||
void setup_simple(void)
|
||||
{
|
||||
- fail_unless(ctx == NULL, "Simple context already initialized.");
|
||||
- ctx = talloc_zero(NULL, struct simple_ctx);
|
||||
- fail_unless(ctx != NULL, "Cannot create simple context.");
|
||||
+ errno_t ret;
|
||||
+ char *conf_db;
|
||||
+ const char *val[2];
|
||||
+ val[1] = NULL;
|
||||
|
||||
- ctx->domain = talloc_zero(ctx, struct sss_domain_info);
|
||||
- fail_unless(ctx != NULL, "Cannot create domain in simple context.");
|
||||
- ctx->domain->case_sensitive = true;
|
||||
+ /* Create tests directory if it doesn't exist */
|
||||
+ /* (relative to current dir) */
|
||||
+ ret = mkdir(TESTS_PATH, 0775);
|
||||
+ fail_if(ret == -1 && errno != EEXIST,
|
||||
+ "Could not create %s directory", TESTS_PATH);
|
||||
+
|
||||
+ fail_unless(test_ctx == NULL, "Simple context already initialized.");
|
||||
+ test_ctx = talloc_zero(NULL, struct simple_test_ctx);
|
||||
+ fail_unless(test_ctx != NULL, "Cannot create simple test context.");
|
||||
+
|
||||
+ test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx);
|
||||
+ fail_unless(test_ctx->ctx != NULL, "Cannot create simple context.");
|
||||
+
|
||||
+ conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE);
|
||||
+ fail_if(conf_db == NULL, "Out of memory, aborting!");
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db));
|
||||
+
|
||||
+ /* Connect to the conf db */
|
||||
+ ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db);
|
||||
+ fail_if(ret != EOK, "Could not initialize connection to the confdb");
|
||||
+
|
||||
+ val[0] = "LOCAL";
|
||||
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||
+ "config/sssd", "domains", val);
|
||||
+ fail_if(ret != EOK, "Could not initialize domains placeholder");
|
||||
+
|
||||
+ val[0] = "local";
|
||||
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||
+ "config/domain/LOCAL", "id_provider", val);
|
||||
+ fail_if(ret != EOK, "Could not initialize provider");
|
||||
+
|
||||
+ val[0] = "TRUE";
|
||||
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||
+ "config/domain/LOCAL", "enumerate", val);
|
||||
+ fail_if(ret != EOK, "Could not initialize LOCAL domain");
|
||||
+
|
||||
+ val[0] = "TRUE";
|
||||
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||
+ "config/domain/LOCAL", "cache_credentials", val);
|
||||
+ fail_if(ret != EOK, "Could not initialize LOCAL domain");
|
||||
+
|
||||
+ ret = sysdb_init_domain_and_sysdb(test_ctx, test_ctx->confdb, "local",
|
||||
+ TESTS_PATH,
|
||||
+ &test_ctx->ctx->domain, &test_ctx->ctx->sysdb);
|
||||
+ fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret);
|
||||
+ test_ctx->ctx->domain->case_sensitive = true;
|
||||
}
|
||||
|
||||
void teardown_simple(void)
|
||||
{
|
||||
int ret;
|
||||
- fail_unless(ctx != NULL, "Simple context already freed.");
|
||||
- ret = talloc_free(ctx);
|
||||
- ctx = NULL;
|
||||
+ fail_unless(test_ctx != NULL, "Simple context already freed.");
|
||||
+ ret = talloc_free(test_ctx);
|
||||
+ test_ctx = NULL;
|
||||
fail_unless(ret == 0, "Connot free simple context.");
|
||||
}
|
||||
|
||||
+void setup_simple_group(void)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ setup_simple();
|
||||
+
|
||||
+ /* Add test users u1 and u2 that would be members of test groups
|
||||
+ * g1 and g2 respectively */
|
||||
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
|
||||
+ "u1", NULL, 123, 0, "u1", "/home/u1",
|
||||
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
|
||||
+ fail_if(ret != EOK, "Could not add u1");
|
||||
+
|
||||
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
|
||||
+ "u2", NULL, 456, 0, "u1", "/home/u1",
|
||||
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
|
||||
+ fail_if(ret != EOK, "Could not add u2");
|
||||
+
|
||||
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
|
||||
+ "u3", NULL, 789, 0, "u1", "/home/u1",
|
||||
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
|
||||
+ fail_if(ret != EOK, "Could not add u3");
|
||||
+
|
||||
+ ret = sysdb_add_group(test_ctx->ctx->sysdb,
|
||||
+ "g1", 321, NULL, 0, 0);
|
||||
+ fail_if(ret != EOK, "Could not add g1");
|
||||
+
|
||||
+ ret = sysdb_add_group(test_ctx->ctx->sysdb,
|
||||
+ "g2", 654, NULL, 0, 0);
|
||||
+ fail_if(ret != EOK, "Could not add g2");
|
||||
+
|
||||
+ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
|
||||
+ "g1", "u1", SYSDB_MEMBER_USER);
|
||||
+ fail_if(ret != EOK, "Could not add u1 to g1");
|
||||
+
|
||||
+ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
|
||||
+ "g2", "u2", SYSDB_MEMBER_USER);
|
||||
+ fail_if(ret != EOK, "Could not add u2 to g2");
|
||||
+}
|
||||
+
|
||||
+void teardown_simple_group(void)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u1", 0);
|
||||
+ fail_if(ret != EOK, "Could not delete u1");
|
||||
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u2", 0);
|
||||
+ fail_if(ret != EOK, "Could not delete u2");
|
||||
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u3", 0);
|
||||
+ fail_if(ret != EOK, "Could not delete u3");
|
||||
+ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g1", 0);
|
||||
+ fail_if(ret != EOK, "Could not delete g1");
|
||||
+ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g2", 0);
|
||||
+ fail_if(ret != EOK, "Could not delete g2");
|
||||
+
|
||||
+ teardown_simple();
|
||||
+}
|
||||
+
|
||||
START_TEST(test_both_empty)
|
||||
{
|
||||
int ret;
|
||||
bool access_granted = false;
|
||||
|
||||
- ctx->allow_users = NULL;
|
||||
- ctx->deny_users = NULL;
|
||||
+ test_ctx->ctx->allow_users = NULL;
|
||||
+ test_ctx->ctx->deny_users = NULL;
|
||||
|
||||
- ret = simple_access_check(ctx, "u1", &access_granted);
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
fail_unless(access_granted == true, "Access denied "
|
||||
"while both lists are empty.");
|
||||
@@ -74,15 +187,15 @@ START_TEST(test_allow_empty)
|
||||
int ret;
|
||||
bool access_granted = true;
|
||||
|
||||
- ctx->allow_users = NULL;
|
||||
- ctx->deny_users = discard_const(ulist_1);
|
||||
+ test_ctx->ctx->allow_users = NULL;
|
||||
+ test_ctx->ctx->deny_users = discard_const(ulist_1);
|
||||
|
||||
- ret = simple_access_check(ctx, "u1", &access_granted);
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
fail_unless(access_granted == false, "Access granted "
|
||||
"while user is in deny list.");
|
||||
|
||||
- ret = simple_access_check(ctx, "u3", &access_granted);
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
fail_unless(access_granted == true, "Access denied "
|
||||
"while user is not in deny list.");
|
||||
@@ -94,15 +207,15 @@ START_TEST(test_deny_empty)
|
||||
int ret;
|
||||
bool access_granted = false;
|
||||
|
||||
- ctx->allow_users = discard_const(ulist_1);
|
||||
- ctx->deny_users = NULL;
|
||||
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
|
||||
+ test_ctx->ctx->deny_users = NULL;
|
||||
|
||||
- ret = simple_access_check(ctx, "u1", &access_granted);
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
fail_unless(access_granted == true, "Access denied "
|
||||
"while user is in allow list.");
|
||||
|
||||
- ret = simple_access_check(ctx, "u3", &access_granted);
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
fail_unless(access_granted == false, "Access granted "
|
||||
"while user is not in allow list.");
|
||||
@@ -114,15 +227,15 @@ START_TEST(test_both_set)
|
||||
int ret;
|
||||
bool access_granted = false;
|
||||
|
||||
- ctx->allow_users = discard_const(ulist_1);
|
||||
- ctx->deny_users = discard_const(ulist_1);
|
||||
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
|
||||
+ test_ctx->ctx->deny_users = discard_const(ulist_1);
|
||||
|
||||
- ret = simple_access_check(ctx, "u1", &access_granted);
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
fail_unless(access_granted == false, "Access granted "
|
||||
"while user is in deny list.");
|
||||
|
||||
- ret = simple_access_check(ctx, "u3", &access_granted);
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
fail_unless(access_granted == false, "Access granted "
|
||||
"while user is not in allow list.");
|
||||
@@ -134,18 +247,18 @@ START_TEST(test_case)
|
||||
int ret;
|
||||
bool access_granted = false;
|
||||
|
||||
- ctx->allow_users = discard_const(ulist_1);
|
||||
- ctx->deny_users = NULL;
|
||||
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
|
||||
+ test_ctx->ctx->deny_users = NULL;
|
||||
|
||||
- ret = simple_access_check(ctx, "U1", &access_granted);
|
||||
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
||||
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
fail_unless(access_granted == false, "Access granted "
|
||||
"for user with different case "
|
||||
"in case-sensitive domain");
|
||||
|
||||
- ctx->domain->case_sensitive = false;
|
||||
+ test_ctx->ctx->domain->case_sensitive = false;
|
||||
|
||||
- ret = simple_access_check(ctx, "U1", &access_granted);
|
||||
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
||||
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
fail_unless(access_granted == true, "Access denied "
|
||||
"for user with different case "
|
||||
@@ -153,11 +266,95 @@ START_TEST(test_case)
|
||||
}
|
||||
END_TEST
|
||||
|
||||
+START_TEST(test_group_allow_empty)
|
||||
+{
|
||||
+ int ret;
|
||||
+ bool access_granted = true;
|
||||
+
|
||||
+ test_ctx->ctx->allow_groups = NULL;
|
||||
+ test_ctx->ctx->deny_groups = discard_const(glist_1);
|
||||
+
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
+ fail_unless(access_granted == false, "Access granted "
|
||||
+ "while group is in deny list.");
|
||||
+
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
+ fail_unless(access_granted == true, "Access denied "
|
||||
+ "while group is not in deny list.");
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
+START_TEST(test_group_deny_empty)
|
||||
+{
|
||||
+ int ret;
|
||||
+ bool access_granted = false;
|
||||
+
|
||||
+ test_ctx->ctx->allow_groups = discard_const(glist_1);
|
||||
+ test_ctx->ctx->deny_groups = NULL;
|
||||
+
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
+ fail_unless(access_granted == true, "Access denied "
|
||||
+ "while group is in allow list.");
|
||||
+
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
+ fail_unless(access_granted == false, "Access granted "
|
||||
+ "while group is not in allow list.");
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
+START_TEST(test_group_both_set)
|
||||
+{
|
||||
+ int ret;
|
||||
+ bool access_granted = false;
|
||||
+
|
||||
+ test_ctx->ctx->allow_groups = discard_const(ulist_1);
|
||||
+ test_ctx->ctx->deny_groups = discard_const(ulist_1);
|
||||
+
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
+ fail_unless(access_granted == false, "Access granted "
|
||||
+ "while group is in deny list.");
|
||||
+
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
+ fail_unless(access_granted == false, "Access granted "
|
||||
+ "while group is not in allow list.");
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
+START_TEST(test_group_case)
|
||||
+{
|
||||
+ int ret;
|
||||
+ bool access_granted = false;
|
||||
+
|
||||
+ test_ctx->ctx->allow_groups = discard_const(ulist_1);
|
||||
+ test_ctx->ctx->deny_groups = NULL;
|
||||
+
|
||||
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
||||
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
+ fail_unless(access_granted == false, "Access granted "
|
||||
+ "for group with different case "
|
||||
+ "in case-sensitive domain");
|
||||
+
|
||||
+ test_ctx->ctx->domain->case_sensitive = false;
|
||||
+
|
||||
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
||||
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
+ fail_unless(access_granted == true, "Access denied "
|
||||
+ "for group with different case "
|
||||
+ "in case-insensitive domain");
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
Suite *access_simple_suite (void)
|
||||
{
|
||||
Suite *s = suite_create("access_simple");
|
||||
|
||||
- TCase *tc_allow_deny = tcase_create("allow/deny");
|
||||
+ TCase *tc_allow_deny = tcase_create("user allow/deny");
|
||||
tcase_add_checked_fixture(tc_allow_deny, setup_simple, teardown_simple);
|
||||
tcase_add_test(tc_allow_deny, test_both_empty);
|
||||
tcase_add_test(tc_allow_deny, test_allow_empty);
|
||||
@@ -166,6 +363,15 @@ Suite *access_simple_suite (void)
|
||||
tcase_add_test(tc_allow_deny, test_case);
|
||||
suite_add_tcase(s, tc_allow_deny);
|
||||
|
||||
+ TCase *tc_grp_allow_deny = tcase_create("group allow/deny");
|
||||
+ tcase_add_checked_fixture(tc_grp_allow_deny,
|
||||
+ setup_simple_group, teardown_simple_group);
|
||||
+ tcase_add_test(tc_grp_allow_deny, test_group_allow_empty);
|
||||
+ tcase_add_test(tc_grp_allow_deny, test_group_deny_empty);
|
||||
+ tcase_add_test(tc_grp_allow_deny, test_group_both_set);
|
||||
+ tcase_add_test(tc_grp_allow_deny, test_group_case);
|
||||
+ suite_add_tcase(s, tc_grp_allow_deny);
|
||||
+
|
||||
return s;
|
||||
}
|
||||
|
||||
@@ -174,6 +380,7 @@ int main(int argc, const char *argv[])
|
||||
int opt;
|
||||
poptContext pc;
|
||||
int number_failed;
|
||||
+ int ret;
|
||||
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
@@ -205,6 +412,20 @@ int main(int argc, const char *argv[])
|
||||
srunner_run_all(sr, CK_ENV);
|
||||
number_failed = srunner_ntests_failed(sr);
|
||||
srunner_free(sr);
|
||||
+
|
||||
+ ret = unlink(TESTS_PATH"/"TEST_CONF_FILE);
|
||||
+ if (ret != EOK) {
|
||||
+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
|
||||
+ errno, strerror(errno));
|
||||
+ return EXIT_FAILURE;
|
||||
+ }
|
||||
+ ret = unlink(TESTS_PATH"/"LOCAL_SYSDB_FILE);
|
||||
+ if (ret != EOK) {
|
||||
+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
|
||||
+ errno, strerror(errno));
|
||||
+ return EXIT_FAILURE;
|
||||
+ }
|
||||
+
|
||||
return (number_failed==0 ? EXIT_SUCCESS : EXIT_FAILURE);
|
||||
}
|
||||
|
||||
--
|
||||
1.8.1.4
|
||||
|
|
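Review bot: `test_group_both_set` and `test_group_case` fill `allow_groups`/`deny_groups` with `discard_const(ulist_1)`, i.e. the user names `u1`/`u2`, which name no group in the fixture; the sibling tests `test_group_allow_empty`/`test_group_deny_empty` use `glist_1`, and these two almost certainly meant to as well — `test_ctx->ctx->allow_groups = discard_const(glist_1);` at both places. As written, `test_group_both_set` passes only because a non-empty allow list with no match denies everyone, so it does not exercise group matching at all, and `test_group_case` expects `U1` to be granted in the case-insensitive domain although no group named `u1` exists, so its outcome depends on provider behaviour not visible here. Minor: `u2` and `u3` are stored with the gecos and home directory of `u1`, the second unlink error message still says "config ldb file" for the sysdb file, and `unlink(...) != EOK` only works because EOK happens to be 0 — `== -1` says what is meant.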
@ -0,0 +1,40 @@
|
|||
From 26590d31f492dbbd36be6d0bde46a4bd3b221edb Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Mon, 4 Mar 2013 16:37:04 +0100
|
||||
Subject: [PATCH 3/4] Do not compile main() in DP if UNIT_TESTING is defined
|
||||
|
||||
The simple access provider unit tests now need to link against the Data
|
||||
Provider when they start using the be_file_account_request() function.
|
||||
But then we would start having conflicts as at least the main()
|
||||
functions would clash.
|
||||
|
||||
If UNIT_TESTING is defined, then the data_provider_be.c module does not
|
||||
contain the main() function and can be linked against directly from
|
||||
another module that contains its own main() function
|
||||
---
|
||||
src/providers/data_provider_be.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
||||
index f85a04d09b5b41b17be611c333324f7207242979..33590aeef0231427642916c6a2f9bc391c165c21 100644
|
||||
--- a/src/providers/data_provider_be.c
|
||||
+++ b/src/providers/data_provider_be.c
|
||||
@@ -2651,6 +2651,7 @@ fail:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+#ifndef UNIT_TESTING
|
||||
int main(int argc, const char *argv[])
|
||||
{
|
||||
int opt;
|
||||
@@ -2732,6 +2733,7 @@ int main(int argc, const char *argv[])
|
||||
|
||||
return 0;
|
||||
}
|
||||
+#endif
|
||||
|
||||
static int data_provider_res_init(DBusMessage *message,
|
||||
struct sbus_connection *conn)
|
||||
--
|
||||
1.8.1.4
|
||||
|
|
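Review bot: The closing `#endif` sits about eighty lines from its `#ifndef UNIT_TESTING`, with the whole of `main()` in between; tagging it `#endif /* !UNIT_TESTING */` makes the pairing readable without scrolling. A one-line comment above the guard saying that the test binary supplies its own `main()` and links this object directly would also record why the entry point is conditional, which the commit message explains but the code does not.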
@ -0,0 +1,236 @@
|
|||
From b63830b142053f99bfe954d4be5a2b0f68ce3a93 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Fri, 22 Feb 2013 11:01:38 +0100
|
||||
Subject: [PATCH 1/4] Provide a be_get_account_info_send function
|
||||
|
||||
In order to resolve group names in the simple access provider we need to
|
||||
contact the Data Provider in a generic fashion from the access provider.
|
||||
We can't call any particular implementation (like sdap_generic_send())
|
||||
because we have no idea what kind of provider is configured as the
|
||||
id_provider.
|
||||
|
||||
This patch splits introduces the be_file_account_request() function into
|
||||
the data_provider_be module and makes it public.
|
||||
|
||||
A future patch should make the be_get_account_info function use the
|
||||
be_get_account_info_send function.
|
||||
---
|
||||
src/providers/data_provider_be.c | 153 ++++++++++++++++++++++++++++++++++-----
|
||||
src/providers/dp_backend.h | 15 ++++
|
||||
2 files changed, 149 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
||||
index b261bf8d456829a513ec352c8290d2011bd3526a..f85a04d09b5b41b17be611c333324f7207242979 100644
|
||||
--- a/src/providers/data_provider_be.c
|
||||
+++ b/src/providers/data_provider_be.c
|
||||
@@ -717,6 +717,34 @@ static errno_t be_initgroups_prereq(struct be_req *be_req)
|
||||
}
|
||||
|
||||
static errno_t
|
||||
+be_file_account_request(struct be_req *be_req, struct be_acct_req *ar)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+ struct be_ctx *be_ctx = be_req->be_ctx;
|
||||
+
|
||||
+ be_req->req_data = ar;
|
||||
+
|
||||
+ /* see if we need a pre request call, only done for initgroups for now */
|
||||
+ if ((ar->entry_type & 0xFF) == BE_REQ_INITGROUPS) {
|
||||
+ ret = be_initgroups_prereq(be_req);
|
||||
+ if (ret) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Prerequest failed"));
|
||||
+ return ret;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* process request */
|
||||
+ ret = be_file_request(be_ctx, be_req,
|
||||
+ be_ctx->bet_info[BET_ID].bet_ops->handler);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to file request"));
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
+static errno_t
|
||||
split_name_extended(TALLOC_CTX *mem_ctx,
|
||||
const char *filter,
|
||||
char **name,
|
||||
@@ -742,6 +770,110 @@ split_name_extended(TALLOC_CTX *mem_ctx,
|
||||
return EOK;
|
||||
}
|
||||
|
||||
+static void
|
||||
+be_get_account_info_done(struct be_req *be_req,
|
||||
+ int dp_err, int dp_ret,
|
||||
+ const char *errstr);
|
||||
+
|
||||
+struct be_get_account_info_state {
|
||||
+ int err_maj;
|
||||
+ int err_min;
|
||||
+ const char *err_msg;
|
||||
+};
|
||||
+
|
||||
+struct tevent_req *
|
||||
+be_get_account_info_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_context *ev,
|
||||
+ struct be_client *becli,
|
||||
+ struct be_ctx *be_ctx,
|
||||
+ struct be_acct_req *ar)
|
||||
+{
|
||||
+ struct tevent_req *req;
|
||||
+ struct be_get_account_info_state *state;
|
||||
+ struct be_req *be_req;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ req = tevent_req_create(mem_ctx, &state,
|
||||
+ struct be_get_account_info_state);
|
||||
+ if (!req) return NULL;
|
||||
+
|
||||
+ be_req = talloc_zero(mem_ctx, struct be_req);
|
||||
+ if (be_req == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ be_req->becli = becli;
|
||||
+ be_req->be_ctx = be_ctx;
|
||||
+ be_req->fn = be_get_account_info_done;
|
||||
+ be_req->pvt = req;
|
||||
+
|
||||
+ ret = be_file_account_request(be_req, ar);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ return req;
|
||||
+
|
||||
+done:
|
||||
+ tevent_req_error(req, ret);
|
||||
+ tevent_req_post(req, ev);
|
||||
+ return req;
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+be_get_account_info_done(struct be_req *be_req,
|
||||
+ int dp_err, int dp_ret,
|
||||
+ const char *errstr)
|
||||
+{
|
||||
+ struct tevent_req *req;
|
||||
+ struct be_get_account_info_state *state;
|
||||
+
|
||||
+ req = talloc_get_type(be_req->pvt, struct tevent_req);
|
||||
+ state = tevent_req_data(req, struct be_get_account_info_state);
|
||||
+
|
||||
+ state->err_maj = dp_err;
|
||||
+ state->err_min = dp_ret;
|
||||
+ if (errstr) {
|
||||
+ state->err_msg = talloc_strdup(state, errstr);
|
||||
+ if (state->err_msg == NULL) {
|
||||
+ talloc_free(be_req);
|
||||
+ tevent_req_error(req, ENOMEM);
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ talloc_free(be_req);
|
||||
+ tevent_req_done(req);
|
||||
+}
|
||||
+
|
||||
+errno_t be_get_account_info_recv(struct tevent_req *req,
|
||||
+ TALLOC_CTX *mem_ctx,
|
||||
+ int *_err_maj,
|
||||
+ int *_err_min,
|
||||
+ const char **_err_msg)
|
||||
+{
|
||||
+ struct be_get_account_info_state *state;
|
||||
+
|
||||
+ state = tevent_req_data(req, struct be_get_account_info_state);
|
||||
+
|
||||
+ TEVENT_REQ_RETURN_ON_ERROR(req);
|
||||
+
|
||||
+ if (_err_maj) {
|
||||
+ *_err_maj = state->err_maj;
|
||||
+ }
|
||||
+
|
||||
+ if (_err_min) {
|
||||
+ *_err_min = state->err_min;
|
||||
+ }
|
||||
+
|
||||
+ if (_err_msg) {
|
||||
+ *_err_msg = talloc_steal(mem_ctx, state->err_msg);
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
static int be_get_account_info(DBusMessage *message, struct sbus_connection *conn)
|
||||
{
|
||||
struct be_acct_req *req;
|
||||
@@ -845,8 +977,6 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
|
||||
goto done;
|
||||
}
|
||||
|
||||
- be_req->req_data = req;
|
||||
-
|
||||
if ((attr_type != BE_ATTR_CORE) &&
|
||||
(attr_type != BE_ATTR_MEM) &&
|
||||
(attr_type != BE_ATTR_ALL)) {
|
||||
@@ -893,26 +1023,11 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
|
||||
goto done;
|
||||
}
|
||||
|
||||
- /* see if we need a pre request call, only done for initgroups for now */
|
||||
- if ((type & 0xFF) == BE_REQ_INITGROUPS) {
|
||||
- ret = be_initgroups_prereq(be_req);
|
||||
- if (ret) {
|
||||
- err_maj = DP_ERR_FATAL;
|
||||
- err_min = ret;
|
||||
- err_msg = "Prerequest failed";
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- /* process request */
|
||||
-
|
||||
- ret = be_file_request(becli->bectx->bet_info[BET_ID].pvt_bet_data,
|
||||
- be_req,
|
||||
- becli->bectx->bet_info[BET_ID].bet_ops->handler);
|
||||
+ ret = be_file_account_request(be_req, req);
|
||||
if (ret != EOK) {
|
||||
err_maj = DP_ERR_FATAL;
|
||||
err_min = ret;
|
||||
- err_msg = "Failed to file request";
|
||||
+ err_msg = "Cannot file account request";
|
||||
goto done;
|
||||
}
|
||||
|
||||
diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h
|
||||
index 58a9b7490df8aab06a2a15f8c0fed9ac5ed33600..743b6f4ffe73fe9ec7404218184a7133aba054c6 100644
|
||||
--- a/src/providers/dp_backend.h
|
||||
+++ b/src/providers/dp_backend.h
|
||||
@@ -258,4 +258,19 @@ int be_fo_run_callbacks_at_next_request(struct be_ctx *ctx,
|
||||
const char *service_name);
|
||||
|
||||
void reset_fo(struct be_ctx *be_ctx);
|
||||
+
|
||||
+/* Request account information */
|
||||
+struct tevent_req *
|
||||
+be_get_account_info_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_context *ev,
|
||||
+ struct be_client *becli,
|
||||
+ struct be_ctx *be_ctx,
|
||||
+ struct be_acct_req *ar);
|
||||
+
|
||||
+errno_t be_get_account_info_recv(struct tevent_req *req,
|
||||
+ TALLOC_CTX *mem_ctx,
|
||||
+ int *_err_maj,
|
||||
+ int *_err_min,
|
||||
+ const char **_err_msg);
|
||||
+
|
||||
#endif /* __DP_BACKEND_H___ */
|
||||
--
|
||||
1.8.1.4
|
||||
|
|
@ -0,0 +1,53 @@
|
|||
From cd2327153a9ac55f3cf470c294691506096bd1eb Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 27 Feb 2013 12:12:19 +0100
|
||||
Subject: [PATCH] autofs: fix invalid header 'number of entries' in packet
|
||||
|
||||
https://fedorahosted.org/sssd/ticket/1739
|
||||
|
||||
Pointer to packet body may change while filling packet with autofs
|
||||
mount points. As a consequence, we sometimes wrote the number of
|
||||
entries into invalid body and we recieved an arbitrary number
|
||||
on the client side.
|
||||
|
||||
If the number was 0, there were some skipped entries. If the number
|
||||
was greater than 0, everything worked correctly, because we iterate
|
||||
through the cached entries until we reach packet length - we don't
|
||||
compare to the number.
|
||||
---
|
||||
src/responder/autofs/autofssrv_cmd.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
|
||||
index 550c981a73e40804701268d0b34f8d7198f3ecc6..491afbb1de057dae996cfc7d084cdaed0220b8e3 100644
|
||||
--- a/src/responder/autofs/autofssrv_cmd.c
|
||||
+++ b/src/responder/autofs/autofssrv_cmd.c
|
||||
@@ -1085,13 +1085,13 @@ getautomntent_process(struct autofs_cmd_ctx *cmdctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ /* allocate memory for number of entries in the packet */
|
||||
ret = sss_packet_grow(client->creq->out, sizeof(uint32_t));
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, ("Cannot grow packet\n"));
|
||||
goto done;
|
||||
}
|
||||
|
||||
- sss_packet_get_body(client->creq->out, &body, &blen);
|
||||
rp = sizeof(uint32_t); /* We'll write the number of entries here */
|
||||
|
||||
left = map->entry_count - cursor;
|
||||
@@ -1111,6 +1111,10 @@ getautomntent_process(struct autofs_cmd_ctx *cmdctx,
|
||||
nentries++;
|
||||
}
|
||||
|
||||
+ /* packet grows in fill_autofs_entry, body pointer may change,
|
||||
+ * thus we have to obtain it here */
|
||||
+ sss_packet_get_body(client->creq->out, &body, &blen);
|
||||
+
|
||||
rp = 0;
|
||||
SAFEALIGN_SET_UINT32(&body[rp], nentries, &rp);
|
||||
|
||||
--
|
||||
1.8.1.4
|
||||
|
|
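Review bot: The added `sss_packet_get_body` call after the loop fixes the stale `body` pointer, but the first hunk also removes the only fetch before `rp = sizeof(uint32_t)`, so if any code between the two hunks (not shown) still reads `body` or `blen` it now sees an unset value; worth confirming against the full function. The old write of `nentries` went through a pointer that `fill_autofs_entry` may have invalidated by reallocating the packet, which is a memory-safety defect (a write to memory the packet no longer owns), not merely a wrong count, so the new comment would be clearer as `/* fill_autofs_entry grows the packet and may reallocate its body; the pointer obtained before the loop is stale, so fetch it again */`. getautomntent_process starts and ends outside the hunk.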
@ -1,53 +0,0 @@
|
|||
From 8ae0fc769b419e16ce7804bd516f7c2d03ce8471 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||
Date: Wed, 22 Feb 2012 07:53:56 -0500
|
||||
Subject: [PATCH] FEDORA: Change Kerberos credential cache default location
|
||||
|
||||
On Fedora, we need to default to using /run/user/%u for credential
|
||||
caches for improved security and to simplify rpc.gssd locating the
|
||||
cache for use with NFS.
|
||||
---
|
||||
src/man/sssd-krb5.5.xml | 4 ++--
|
||||
src/providers/krb5/krb5_common.c | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
|
||||
index 247337a90a80b078d0395b27a02e5ea2c72a5ce8..cc10dc149c407450a59f39ebc2de0ac95e33028e 100644
|
||||
--- a/src/man/sssd-krb5.5.xml
|
||||
+++ b/src/man/sssd-krb5.5.xml
|
||||
@@ -148,7 +148,7 @@
|
||||
</citerefentry> for details) is created.
|
||||
</para>
|
||||
<para>
|
||||
- Default: /tmp
|
||||
+ Default: /run/user/%u
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -206,7 +206,7 @@
|
||||
used to create a unique filename in a safe way.
|
||||
</para>
|
||||
<para>
|
||||
- Default: FILE:%d/krb5cc_%U_XXXXXX
|
||||
+ Default: FILE:%d/krb5cc
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
|
||||
index c2cb94b61463cbdaf3f4fa5a5cb311af55b4b960..e3a74697249a8dd10907beaeaef415a48c3c30a9 100644
|
||||
--- a/src/providers/krb5/krb5_common.c
|
||||
+++ b/src/providers/krb5/krb5_common.c
|
||||
@@ -34,8 +34,8 @@
|
||||
struct dp_option default_krb5_opts[] = {
|
||||
{ "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||
- { "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING },
|
||||
- { "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING},
|
||||
+ { "krb5_ccachedir", DP_OPT_STRING, { "/run/user/%u" }, NULL_STRING },
|
||||
+ { "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc" }, NULL_STRING},
|
||||
{ "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER },
|
||||
{ "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
|
||||
{ "krb5_validate", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||
--
|
||||
1.7.7.6
|
||||
|
2
sources
2
sources
|
@ -1 +1 @@
|
|||
8f5e88fbdc8edeba7bc816da3448b726 sssd-1.8.1.tar.gz
|
||||
b2c31d92a18037d1ab5151ea920c8881 sssd-1.9.5.tar.gz
|
||||
|
|
216
sssd.spec
216
sssd.spec
|
@ -12,11 +12,11 @@
|
|||
|
||||
# Determine the location of the LDB modules directory
|
||||
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
|
||||
%global ldb_version 1.1.4
|
||||
%global ldb_version 1.1.6
|
||||
|
||||
Name: sssd
|
||||
Version: 1.8.1
|
||||
Release: 7%{?dist}
|
||||
Version: 1.9.5
|
||||
Release: 1%{?dist}
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
|
@ -26,26 +26,25 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
|||
|
||||
### Patches ###
|
||||
|
||||
Patch1001: FED01-Change-Kerberos-credential-cache-default-loca.patch
|
||||
|
||||
### Dependencies ###
|
||||
|
||||
Conflicts: selinux-policy < 3.10.0-46
|
||||
Requires: libldb = %{ldb_version}
|
||||
Requires: libtdb >= 1.1.3
|
||||
Requires: libldb%{?_isa} = %{ldb_version}
|
||||
Requires: libtdb%{?_isa} >= 1.1.3
|
||||
Requires: sssd-client%{?_isa} = %{version}-%{release}
|
||||
Requires: cyrus-sasl-gssapi%{?_isa}
|
||||
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
|
||||
Requires: krb5-libs >= 1.9
|
||||
Requires: keyutils-libs
|
||||
Requires(post): systemd-units initscripts chkconfig /sbin/ldconfig
|
||||
Requires: libsss_idmap%{?_isa} = %{version}-%{release}
|
||||
Requires: krb5-libs%{?_isa} >= 1.10
|
||||
Requires(post): systemd-units initscripts chkconfig
|
||||
Requires(preun): systemd-units initscripts chkconfig
|
||||
Requires(postun): systemd-units initscripts chkconfig /sbin/ldconfig
|
||||
Requires(postun): systemd-units initscripts chkconfig
|
||||
|
||||
%global servicename sssd
|
||||
%global sssdstatedir %{_localstatedir}/lib/sss
|
||||
%global dbpath %{sssdstatedir}/db
|
||||
%global pipepath %{sssdstatedir}/pipes
|
||||
%global mcpath %{sssdstatedir}/mc
|
||||
%global pubconfpath %{sssdstatedir}/pubconf
|
||||
|
||||
### Build Dependencies ###
|
||||
|
@ -78,7 +77,7 @@ BuildRequires: pcre-devel
|
|||
BuildRequires: libxslt
|
||||
BuildRequires: libxml2
|
||||
BuildRequires: docbook-style-xsl
|
||||
BuildRequires: krb5-devel >= 1.9
|
||||
BuildRequires: krb5-devel >= 1.10
|
||||
BuildRequires: c-ares-devel
|
||||
BuildRequires: python-devel
|
||||
BuildRequires: check-devel
|
||||
|
@ -90,8 +89,11 @@ BuildRequires: keyutils-libs-devel
|
|||
BuildRequires: libnl-devel
|
||||
BuildRequires: gettext-devel
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: libunistring-devel
|
||||
BuildRequires: glib2-devel
|
||||
BuildRequires: diffstat
|
||||
BuildRequires: findutils
|
||||
BuildRequires: samba4-devel >= samba4-4.0.0-59beta2
|
||||
BuildRequires: selinux-policy-targeted
|
||||
|
||||
%description
|
||||
Provides a set of daemons to manage access to remote directories and
|
||||
|
@ -104,6 +106,8 @@ services for projects like FreeIPA.
|
|||
Summary: SSSD Client libraries for NSS and PAM
|
||||
Group: Applications/System
|
||||
License: LGPLv3+
|
||||
Requires(post): /sbin/ldconfig
|
||||
Requires(postun): /sbin/ldconfig
|
||||
|
||||
%description client
|
||||
Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD
|
||||
|
@ -119,13 +123,37 @@ Requires: sssd = %{version}-%{release}
|
|||
Provides userspace tools for manipulating users, groups, and nested groups in
|
||||
SSSD when using id_provider = local in /etc/sssd/sssd.conf.
|
||||
|
||||
Also provides a userspace tool for generating an obfuscated LDAP password for
|
||||
use with ldap_default_authtok_type = obfuscated_password.
|
||||
Also provides several other administrative tools:
|
||||
* sss_cache to expire cached entries
|
||||
* sss_debuglevel to change the debug level on the fly
|
||||
* sss_seed which pre-creates a user entry for use in kickstarts
|
||||
* sss_obfuscate for generating an obfuscated LDAP password
|
||||
|
||||
%package -n libsss_idmap
|
||||
Summary: FreeIPA Idmap library
|
||||
Group: Development/Libraries
|
||||
License: LGPLv3+
|
||||
Requires(post): /sbin/ldconfig
|
||||
Requires(postun): /sbin/ldconfig
|
||||
|
||||
%description -n libsss_idmap
|
||||
Utility library to convert SIDs to Unix uids and gids
|
||||
|
||||
%package -n libsss_idmap-devel
|
||||
Summary: FreeIPA Idmap library
|
||||
Group: Development/Libraries
|
||||
License: LGPLv3+
|
||||
Requires: libsss_idmap = %{version}-%{release}
|
||||
|
||||
%description -n libsss_idmap-devel
|
||||
Utility library to SIDs to Unix uids and gids
|
||||
|
||||
%package -n libipa_hbac
|
||||
Summary: FreeIPA HBAC Evaluator library
|
||||
Group: Development/Libraries
|
||||
License: LGPLv3+
|
||||
Requires(post): /sbin/ldconfig
|
||||
Requires(postun): /sbin/ldconfig
|
||||
|
||||
%description -n libipa_hbac
|
||||
Utility library to validate FreeIPA HBAC rules for authorization requests
|
||||
|
@ -153,6 +181,9 @@ used by Python applications.
|
|||
Summary: A library to allow communication between SUDO and SSSD
|
||||
Group: Development/Libraries
|
||||
License: LGPLv3+
|
||||
Requires(post): /sbin/ldconfig
|
||||
Requires(postun): /sbin/ldconfig
|
||||
Requires: sssd = %{version}-%{release}
|
||||
|
||||
%description -n libsss_sudo
|
||||
A utility library to allow communication between SUDO and SSSD
|
||||
|
@ -195,6 +226,7 @@ autoreconf -ivf
|
|||
--with-db-path=%{dbpath} \
|
||||
--with-pipe-path=%{pipepath} \
|
||||
--with-pubconf-path=%{pubconfpath} \
|
||||
--with-mcache-path=%{mcpath} \
|
||||
--with-init-dir=%{_initrddir} \
|
||||
--with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
|
||||
--enable-nsslibdir=/%{_lib} \
|
||||
|
@ -202,7 +234,8 @@ autoreconf -ivf
|
|||
--disable-static \
|
||||
--disable-rpath \
|
||||
--with-test-dir=/dev/shm \
|
||||
--enable-all-experimental-features
|
||||
--enable-all-experimental-features \
|
||||
--with-unicode-lib=glib2
|
||||
|
||||
make %{?_smp_mflags} all docs
|
||||
|
||||
|
@ -243,7 +276,7 @@ cp src/sysv/systemd/sssd.service $RPM_BUILD_ROOT/%{_unitdir}/
|
|||
find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \;
|
||||
|
||||
# Suppress developer-only documentation
|
||||
rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name}/doc
|
||||
rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name}
|
||||
|
||||
# Older versions of rpmbuild can only handle one -f option
|
||||
# So we need to append to the sssd.lang file
|
||||
|
@ -253,6 +286,7 @@ do
|
|||
done
|
||||
|
||||
touch sssd_tools.lang
|
||||
touch sssd_client.lang
|
||||
for man in `find $RPM_BUILD_ROOT/%{_mandir}/??/man?/ -type f | sed -e "s#$RPM_BUILD_ROOT/%{_mandir}/##"`
|
||||
do
|
||||
lang=`echo $man | cut -c 1-2`
|
||||
|
@ -260,6 +294,9 @@ do
|
|||
sss_*)
|
||||
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang
|
||||
;;
|
||||
sssd_krb5_*)
|
||||
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
|
||||
;;
|
||||
pam_sss*)
|
||||
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
|
||||
;;
|
||||
|
@ -292,22 +329,47 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%doc src/examples/sssd-example.conf
|
||||
%{_unitdir}/sssd.service
|
||||
%{_sbindir}/sssd
|
||||
%{_libexecdir}/%{servicename}/
|
||||
%{_libdir}/%{name}/
|
||||
|
||||
%dir %{_libexecdir}/%{servicename}
|
||||
%{_libexecdir}/%{servicename}/krb5_child
|
||||
%{_libexecdir}/%{servicename}/ldap_child
|
||||
%{_libexecdir}/%{servicename}/proxy_child
|
||||
%{_libexecdir}/%{servicename}/sssd_be
|
||||
%{_libexecdir}/%{servicename}/sssd_nss
|
||||
%{_libexecdir}/%{servicename}/sssd_pam
|
||||
%{_libexecdir}/%{servicename}/sssd_autofs
|
||||
%{_libexecdir}/%{servicename}/sssd_ssh
|
||||
%{_libexecdir}/%{servicename}/sssd_sudo
|
||||
%{_libexecdir}/%{servicename}/sssd_pac
|
||||
|
||||
%dir %{_libdir}/%{name}
|
||||
%{_libdir}/%{name}/libsss_ipa.so
|
||||
%{_libdir}/%{name}/libsss_krb5.so
|
||||
%{_libdir}/%{name}/libsss_ldap.so
|
||||
%{_libdir}/%{name}/libsss_proxy.so
|
||||
%{_libdir}/%{name}/libsss_simple.so
|
||||
%{_libdir}/%{name}/libsss_ad.so
|
||||
|
||||
%{ldb_modulesdir}/memberof.so
|
||||
%{_bindir}/sss_ssh_authorizedkeys
|
||||
%{_bindir}/sss_ssh_knownhostsproxy
|
||||
|
||||
%dir %{sssdstatedir}
|
||||
%dir %{_localstatedir}/cache/krb5rcache
|
||||
%attr(700,root,root) %dir %{dbpath}
|
||||
%attr(755,root,root) %dir %{mcpath}
|
||||
%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/passwd
|
||||
%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/group
|
||||
%attr(755,root,root) %dir %{pipepath}
|
||||
%attr(755,root,root) %dir %{pubconfpath}
|
||||
%attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
|
||||
%attr(700,root,root) %dir %{pipepath}/private
|
||||
%attr(750,root,root) %dir %{_var}/log/%{name}
|
||||
%attr(700,root,root) %dir %{_sysconfdir}/sssd
|
||||
%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
|
||||
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
|
||||
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
|
||||
%dir %{_datadir}/sssd
|
||||
%{_datadir}/sssd/sssd.api.conf
|
||||
%{_datadir}/sssd/sssd.api.d
|
||||
%{_mandir}/man1/sss_ssh_authorizedkeys.1*
|
||||
|
@ -317,9 +379,13 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%{_mandir}/man5/sssd-krb5.5*
|
||||
%{_mandir}/man5/sssd-ldap.5*
|
||||
%{_mandir}/man5/sssd-simple.5*
|
||||
%{_mandir}/man5/sssd-ad.5*
|
||||
%{_mandir}/man5/sssd-sudo.5*
|
||||
%{_mandir}/man8/sssd.8*
|
||||
%{python_sitearch}/pysss.so
|
||||
%{python_sitelib}/*.py*
|
||||
%{python_sitearch}/pysss_murmur.so
|
||||
%dir %{python_sitelib}/SSSDConfig
|
||||
%{python_sitelib}/SSSDConfig/*.py*
|
||||
|
||||
%files client -f sssd_client.lang
|
||||
%defattr(-,root,root,-)
|
||||
|
@ -327,6 +393,7 @@ rm -rf $RPM_BUILD_ROOT
|
|||
/%{_lib}/libnss_sss.so.2
|
||||
/%{_lib}/security/pam_sss.so
|
||||
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
|
||||
%{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
|
||||
%{_mandir}/man8/pam_sss.8*
|
||||
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
|
||||
|
||||
|
@ -343,6 +410,7 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%{_sbindir}/sss_obfuscate
|
||||
%{_sbindir}/sss_cache
|
||||
%{_sbindir}/sss_debuglevel
|
||||
%{_sbindir}/sss_seed
|
||||
%{_mandir}/man8/sss_groupadd.8*
|
||||
%{_mandir}/man8/sss_groupdel.8*
|
||||
%{_mandir}/man8/sss_groupmod.8*
|
||||
|
@ -353,6 +421,19 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%{_mandir}/man8/sss_obfuscate.8*
|
||||
%{_mandir}/man8/sss_cache.8*
|
||||
%{_mandir}/man8/sss_debuglevel.8*
|
||||
%{_mandir}/man8/sss_seed.8*
|
||||
|
||||
%files -n libsss_idmap
|
||||
%defattr(-,root,root,-)
|
||||
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
||||
%{_libdir}/libsss_idmap.so.*
|
||||
|
||||
%files -n libsss_idmap-devel
|
||||
%defattr(-,root,root,-)
|
||||
%doc idmap_doc/html
|
||||
%{_includedir}/sss_idmap.h
|
||||
%{_libdir}/libsss_idmap.so
|
||||
%{_libdir}/pkgconfig/sss_idmap.pc
|
||||
|
||||
%files -n libipa_hbac
|
||||
%defattr(-,root,root,-)
|
||||
|
@ -381,13 +462,11 @@ A utility library to allow communication between Autofs and SSSD
|
|||
%files -n libsss_sudo
|
||||
%defattr(-,root,root,-)
|
||||
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
||||
%{_libdir}/libsss_sudo.so.*
|
||||
%{_libdir}/libsss_sudo.so*
|
||||
|
||||
%files -n libsss_sudo-devel
|
||||
%doc libsss_sudo_doc/html
|
||||
%{_includedir}/sss_sudo.h
|
||||
%{_libdir}/libsss_sudo.so
|
||||
%{_libdir}/pkgconfig/libsss_sudo.pc
|
||||
|
||||
%files -n libsss_autofs
|
||||
%defattr(-,root,root,-)
|
||||
|
@ -395,15 +474,13 @@ A utility library to allow communication between Autofs and SSSD
|
|||
%{_libdir}/sssd/modules/libsss_autofs.so*
|
||||
|
||||
%post
|
||||
/sbin/ldconfig
|
||||
|
||||
if [ $1 -ge 1 ] ; then
|
||||
# Initial installation
|
||||
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
|
||||
fi
|
||||
|
||||
%preun
|
||||
if [ $1 = 0 ]; then
|
||||
if [ $1 -eq 0 ]; then
|
||||
# Package removal, not upgrade
|
||||
/bin/systemctl --no-reload disable sssd.service > /dev/null 2>&1 || :
|
||||
/bin/systemctl stop sssd.service > /dev/null 2>&1 || :
|
||||
|
@ -423,11 +500,8 @@ fi
|
|||
|
||||
|
||||
%postun
|
||||
/sbin/ldconfig
|
||||
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
|
||||
if [ $1 -ge 1 ] ; then
|
||||
# On upgrade, reload init system configuration if we changed unit files
|
||||
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
|
||||
/bin/systemctl try-restart sssd.service >/dev/null 2>&1 || :
|
||||
fi
|
||||
|
||||
|
@ -439,7 +513,91 @@ fi
|
|||
|
||||
%postun -n libipa_hbac -p /sbin/ldconfig
|
||||
|
||||
%post -n libsss_idmap -p /sbin/ldconfig
|
||||
|
||||
%postun -n libsss_idmap -p /sbin/ldconfig
|
||||
|
||||
%post -n libsss_sudo -p /sbin/ldconfig
|
||||
|
||||
%postun -n libsss_sudo -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Tue Apr 23 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.9.5-1
|
||||
- New upstream release 1.9.5
|
||||
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.5
|
||||
|
||||
* Thu Mar 28 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.9.4-2
|
||||
- autofs: return the correct number of maps to the client
|
||||
|
||||
* Mon Mar 25 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.9.4-1
|
||||
- New upstream release 1.9.4
|
||||
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.4
|
||||
|
||||
* Tue Jan 29 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.8.6-1
|
||||
- New upstream release 1.8.6
|
||||
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.6
|
||||
|
||||
* Sun Oct 07 2012 Jakub Hrozek <jhrozek@redhat.com> - 1.8.5-3
|
||||
- Add autofs related options to the configAPI
|
||||
- Resolves: #847845
|
||||
|
||||
* Sun Oct 07 2012 Jakub Hrozek <jhrozek@redhat.com> - 1.8.5-2
|
||||
- Include the tarball in the sources
|
||||
|
||||
* Sun Oct 07 2012 Jakub Hrozek <jhrozek@redhat.com> - 1.8.5-1
|
||||
- New upstream release 1.8.5
|
||||
|
||||
* Wed Jun 20 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.4-14
|
||||
- Switch unicode library from libunistring to Glib
|
||||
- Drop unnecessary explicit Requires on keyutils
|
||||
- Guarantee that versioned Requires include the correct architecture
|
||||
- Rebuild against newer libldb
|
||||
|
||||
* Wed Jun 13 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.4-13
|
||||
- Fix several issues with the SSH key integration
|
||||
- Fix for multilib issuss with libipa_hbac-devel and libsss_sudo-devel
|
||||
- Resolves: rhbz#831411 - libipa_hbac-devel and libsss_sudo-devel multilib
|
||||
conflicts
|
||||
|
||||
* Wed May 30 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.4-12
|
||||
- New upstream release 1.8.4
|
||||
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.4
|
||||
- Fix a bug causing AD servers not to fail over properly when the KDC on the
|
||||
primary server is down
|
||||
- Fix an endianness bug on big-endian systems when looking up services
|
||||
- Fix a segfault dealing with nested groups
|
||||
- Make the nowait cache updates work for netgroups
|
||||
- Fix a regression that broke domains with use_fully_qualified_names = True
|
||||
- Correct package dependency versions to match installed arch
|
||||
|
||||
* Thu May 03 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.3-11
|
||||
- New upstream release 1.8.3
|
||||
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3
|
||||
- Numerous manpage and translation updates
|
||||
- LDAP: Handle situations where the RootDSE isn't available anonymously
|
||||
- LDAP: Fix regression for users using non-standard LDAP attributes for user
|
||||
information
|
||||
|
||||
* Mon Apr 09 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.2-10
|
||||
- New upstream release 1.8.2
|
||||
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2
|
||||
- Several fixes to case-insensitive domain functions
|
||||
- Fix for GSSAPI binds when the keytab contains unrelated principals
|
||||
- Fixed several segfaults
|
||||
- Workarounds added for LDAP servers with unreadable RootDSE
|
||||
- SSH knownhostproxy will no longer enter an infinite loop preventing login
|
||||
- The provided SYSV init script now starts SSSD earlier at startup and stops
|
||||
it later during shutdown
|
||||
- Assorted minor fixes for issues discovered by static analysis tools
|
||||
|
||||
* Mon Mar 26 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.1-9
|
||||
- Don't duplicate libsss_autofs.so in two packages
|
||||
- Set explicit package contents instead of globbing
|
||||
|
||||
* Wed Mar 21 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.1-8
|
||||
- Fix uninitialized value bug causing crashes throughout the code
|
||||
- Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup
|
||||
|
||||
* Mon Mar 12 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.1-7
|
||||
- New upstream release 1.8.1
|
||||
- Resolve issue where we could enter an infinite loop trying to connect to an
|
||||
|
|
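Review bot: `Patch1001: FED01-Change-Kerberos-credential-cache-default-loca.patch` is dropped from the `### Patches ###` block (and the patch file is deleted in this compare), yet none of the added changelog entries records the removal or says whether upstream 1.9.5 ships an equivalent `krb5_ccachedir` default; if it does not, the default reverts to upstream's value and the rpc.gssd/NFS rationale the patch gave is silently lost. A changelog line such as `- Drop FED01 ccache-location patch (<reason>)` would make that auditable. In the same hunk `Requires(post)`/`Requires(postun)` lose `/sbin/ldconfig` while `%post` drops its `/sbin/ldconfig` call, which is consistent, but the `%postun` hunk at `@ -423,11 +500,8 @@` has no side markers on this page, so please confirm that only the ldconfig line and the duplicated daemon-reload were removed there.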