19 Commits
Author | SHA1 | Date |
---|---|---|
|
0424a6ce33 | |
|
afc7bd6f1e | |
|
40c3ae988f | |
|
8e5a5bd939 | |
|
4c3e129c7b | |
|
acb9f4dceb | |
|
1a4558387a | |
|
29b254886f | |
|
c13be84ef8 | |
|
75380a749d | |
|
c5df487fb9 | |
|
217f3182fe | |
|
93cf9863f6 | |
|
0aedfd6ccd | |
|
9850042b01 | |
|
d41bc2caab | |
|
0652a3507c | |
|
1d5ea15cb8 | |
|
a4b82ef7af |
|
@ -26,3 +26,10 @@ sssd-1.2.91.tar.gz
|
||||||
/sssd-1.8.0beta3.tar.gz
|
/sssd-1.8.0beta3.tar.gz
|
||||||
/sssd-1.8.0.tar.gz
|
/sssd-1.8.0.tar.gz
|
||||||
/sssd-1.8.1.tar.gz
|
/sssd-1.8.1.tar.gz
|
||||||
|
/sssd-1.8.2.tar.gz
|
||||||
|
/sssd-1.8.3.tar.gz
|
||||||
|
/sssd-1.8.4.tar.gz
|
||||||
|
/sssd-1.8.5.tar.gz
|
||||||
|
/sssd-1.8.6.tar.gz
|
||||||
|
/sssd-1.9.4.tar.gz
|
||||||
|
/sssd-1.9.5.tar.gz
|
||||||
|
|
|
@ -0,0 +1,39 @@
|
||||||
|
From cae3bf6af22855adc8dd7b270e11207f0a33c385 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||||
|
Date: Wed, 30 Jan 2013 13:45:27 +0100
|
||||||
|
Subject: [PATCH] krb: recreate ccache if it was deleted
|
||||||
|
|
||||||
|
https://fedorahosted.org/sssd/ticket/1512
|
||||||
|
|
||||||
|
If directory where a ccache file was stored was missing and user
|
||||||
|
was still logged in, we erroneously considered the ccache file
|
||||||
|
still active. Thus the ccache file was not recreated and user was
|
||||||
|
unable to login.
|
||||||
|
---
|
||||||
|
src/providers/krb5/krb5_utils.c | 9 ++++++++-
|
||||||
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
|
||||||
|
index b770714be030076203b6578f90ef726226cb72f8..7b56be52497ae66fa536b76ca0561ec3cc3208ce 100644
|
||||||
|
--- a/src/providers/krb5/krb5_utils.c
|
||||||
|
+++ b/src/providers/krb5/krb5_utils.c
|
||||||
|
@@ -770,8 +770,15 @@ cc_residual_is_used(uid_t uid, const char *ccname,
|
||||||
|
|
||||||
|
ret = lstat(ccname, &stat_buf);
|
||||||
|
|
||||||
|
- if (ret == -1 && errno != ENOENT) {
|
||||||
|
+ if (ret == -1) {
|
||||||
|
ret = errno;
|
||||||
|
+ if (ret == ENOENT) {
|
||||||
|
+ DEBUG(SSSDBG_FUNC_DATA, ("Cache file [%s] does not exists, "
|
||||||
|
+ "it will be recreated\n", ccname));
|
||||||
|
+ *result = false;
|
||||||
|
+ return EOK;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
DEBUG(SSSDBG_OP_FAILURE,
|
||||||
|
("stat failed [%d][%s].\n", ret, strerror(ret)));
|
||||||
|
return ret;
|
||||||
|
--
|
||||||
|
1.7.11.7
|
||||||
|
|
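Review bot: The new branch in cc_residual_is_used() treats only ENOENT as "ccache gone", so an lstat() failure with ENOTDIR (a path component that is no longer a directory) would presumably still return an error and leave the user unable to log in; confirm whether that case should also take the recreate path. The log text has a typo and could read `"Cache file [%s] does not exist, "`. Because this result decides whether an existing ccache is reused, a short comment above `*result = false;` such as `/* a missing ccache cannot be in use; report it unused so the caller recreates it */` would record why EOK is returned on a failed lstat(). The function starts and ends outside the hunk.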
|
@ -0,0 +1,69 @@
|
||||||
|
From a0388dc52f5461f72f8221c9bb7c92008e1fe2c5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||||
|
Date: Fri, 1 Feb 2013 12:17:47 +0100
|
||||||
|
Subject: [PATCH] subdomains: replace invalid characters with underscore in
|
||||||
|
krb5 mapping file name
|
||||||
|
|
||||||
|
https://fedorahosted.org/sssd/ticket/1795
|
||||||
|
|
||||||
|
Only alpha-numeric chars, dashes and underscores are allowed in
|
||||||
|
krb5 include directory.
|
||||||
|
---
|
||||||
|
src/providers/ipa/ipa_subdomains.c | 26 +++++++++++++++++++++++++-
|
||||||
|
1 file changed, 25 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
|
||||||
|
index ef6195d19de72be7fd2b12a309b33fcf20e0e3a1..f959c4e6eb1d830e3990f552c9f4cf962298ef48 100644
|
||||||
|
--- a/src/providers/ipa/ipa_subdomains.c
|
||||||
|
+++ b/src/providers/ipa/ipa_subdomains.c
|
||||||
|
@@ -287,22 +287,46 @@ ipa_subdomains_write_mappings(struct sss_domain_info *domain,
|
||||||
|
errno_t err;
|
||||||
|
TALLOC_CTX *tmp_ctx;
|
||||||
|
const char *mapping_file;
|
||||||
|
+ char *sanitized_domain;
|
||||||
|
char *tmp_file = NULL;
|
||||||
|
int fd = -1;
|
||||||
|
mode_t old_mode;
|
||||||
|
FILE *fstream = NULL;
|
||||||
|
size_t i;
|
||||||
|
|
||||||
|
+ if (domain == NULL || domain->name == NULL) {
|
||||||
|
+ DEBUG(SSSDBG_CRIT_FAILURE, ("No domain name provided\n"));
|
||||||
|
+ return EINVAL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
tmp_ctx = talloc_new(NULL);
|
||||||
|
if (!tmp_ctx) return ENOMEM;
|
||||||
|
|
||||||
|
+ sanitized_domain = talloc_strdup(tmp_ctx, domain->name);
|
||||||
|
+ if (sanitized_domain == NULL) {
|
||||||
|
+ DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_strdup() failed\n"));
|
||||||
|
+ return ENOMEM;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* only alpha-numeric chars, dashes and underscores are allowed in
|
||||||
|
+ * krb5 include directory */
|
||||||
|
+ for (i = 0; sanitized_domain[i] != '\0'; i++) {
|
||||||
|
+ if (!isalnum(sanitized_domain[i])
|
||||||
|
+ && sanitized_domain[i] != '-' && sanitized_domain[i] != '_') {
|
||||||
|
+ sanitized_domain[i] = '_';
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
mapping_file = talloc_asprintf(tmp_ctx, "%s/domain_realm_%s",
|
||||||
|
- IPA_SUBDOMAIN_MAPPING_DIR, domain->name);
|
||||||
|
+ IPA_SUBDOMAIN_MAPPING_DIR, sanitized_domain);
|
||||||
|
if (!mapping_file) {
|
||||||
|
ret = ENOMEM;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ DEBUG(SSSDBG_FUNC_DATA, ("Mapping file for domain [%s] is [%s]\n",
|
||||||
|
+ domain->name, mapping_file));
|
||||||
|
+
|
||||||
|
tmp_file = talloc_asprintf(tmp_ctx, "%sXXXXXX", mapping_file);
|
||||||
|
if (tmp_file == NULL) {
|
||||||
|
ret = ENOMEM;
|
||||||
|
--
|
||||||
|
1.7.11.7
|
||||||
|
|
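Review bot: The early `return ENOMEM;` after the failed `talloc_strdup()` in ipa_subdomains_write_mappings() skips the cleanup that the neighbouring error paths reach with `ret = ENOMEM; goto done;`, so `tmp_ctx` (allocated on the NULL context) looks leaked on that path; use `ret = ENOMEM; goto done;` there as well. `isalnum(sanitized_domain[i])` passes a plain `char`, which is undefined for bytes above 0x7f where `char` is signed and is also locale-dependent; `isalnum((unsigned char)sanitized_domain[i])` removes the undefined behaviour, and an explicit ASCII range check would make the allowed set independent of locale. Because every rejected byte becomes `_`, two distinct domain names (constructed example: `a.b` and `a_b`) now map to the same `domain_realm_` file, so it is worth confirming that one subdomain cannot overwrite another's mapping. The `done` label and the rest of the function are outside the hunk.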
|
@ -0,0 +1,39 @@
|
||||||
|
From e354a96bbca5da8525ee51f91907e75af897b856 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Thu, 14 Feb 2013 10:13:59 +0100
|
||||||
|
Subject: [PATCH] Fix the krb5 password expiration warning
|
||||||
|
|
||||||
|
https://fedorahosted.org/sssd/ticket/1808
|
||||||
|
---
|
||||||
|
src/confdb/confdb.c | 8 +++++++-
|
||||||
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||||
|
index 31efd9443be8490715961c8a45f9352bd1ade653..31c48bd28aee37008687e7e255ebf2ef2d79798a 100644
|
||||||
|
--- a/src/confdb/confdb.c
|
||||||
|
+++ b/src/confdb/confdb.c
|
||||||
|
@@ -1020,7 +1020,11 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* Set the PAM warning time, if specified */
|
||||||
|
+ /* Set the PAM warning time, if specified. If not specified, pass on
|
||||||
|
+ * the "not set" value of "-1" which means "use provider default". The
|
||||||
|
+ * value 0 means "always display the warning if server sends one" */
|
||||||
|
+ domain->pwd_expiration_warning = -1;
|
||||||
|
+
|
||||||
|
val = ldb_msg_find_attr_as_int(res->msgs[0],
|
||||||
|
CONFDB_DOMAIN_PWD_EXPIRATION_WARNING,
|
||||||
|
-1);
|
||||||
|
@@ -1035,6 +1039,8 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
||||||
|
}
|
||||||
|
|
||||||
|
if (val > 0) {
|
||||||
|
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
||||||
|
+ ("Setting domain password expiration warning to %d days\n", val));
|
||||||
|
/* The value is in days, transform it to seconds */
|
||||||
|
domain->pwd_expiration_warning = val * 24 * 3600;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
1.8.1.2
|
||||||
|
|
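Review bot: With the default now set to `-1` and the assignment still guarded by `if (val > 0)`, a configured value of 0 (which the new comment documents as "always display the warning if server sends one") appears to leave `domain->pwd_expiration_warning` at -1, i.e. "use provider default", unless the lines between the two hunks handle it; `if (val >= 0)` would store the explicit 0. In the second hunk `val * 24 * 3600` is evaluated in `int`, so a large configured day count overflows, which is undefined for signed integers; reject or clamp values above `INT_MAX / (24 * 3600)` before multiplying. confdb_get_domain_internal() starts and ends outside both hunks.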
|
@ -0,0 +1,412 @@
|
||||||
|
From 754b09b5444e6da88ed58d6deaed8b815e268b6b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Sun, 3 Mar 2013 21:43:44 +0100
|
||||||
|
Subject: [PATCH 2/4] Add unit tests for simple access test by groups
|
||||||
|
|
||||||
|
I realized that the current unit tests for the simple access provider
|
||||||
|
only tested the user directives. To have a baseline and be able to
|
||||||
|
detect new bugs in the upcoming patch, I implemented unit tests for the
|
||||||
|
group lists, too.
|
||||||
|
---
|
||||||
|
src/tests/simple_access-tests.c | 283 +++++++++++++++++++++++++++++++++++-----
|
||||||
|
1 file changed, 252 insertions(+), 31 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c
|
||||||
|
index c61814eb54c1aa5138a1b45653f9384228c5456a..577c6d334edda513fd0f1e42a859ea333ba5ba23 100644
|
||||||
|
--- a/src/tests/simple_access-tests.c
|
||||||
|
+++ b/src/tests/simple_access-tests.c
|
||||||
|
@@ -30,39 +30,152 @@
|
||||||
|
#include "providers/simple/simple_access.h"
|
||||||
|
#include "tests/common.h"
|
||||||
|
|
||||||
|
+#define TESTS_PATH "tests_simple_access"
|
||||||
|
+#define TEST_CONF_FILE "tests_conf.ldb"
|
||||||
|
+
|
||||||
|
const char *ulist_1[] = {"u1", "u2", NULL};
|
||||||
|
+const char *glist_1[] = {"g1", "g2", NULL};
|
||||||
|
|
||||||
|
-struct simple_ctx *ctx = NULL;
|
||||||
|
+struct simple_test_ctx *test_ctx = NULL;
|
||||||
|
+
|
||||||
|
+struct simple_test_ctx {
|
||||||
|
+ struct sysdb_ctx *sysdb;
|
||||||
|
+ struct confdb_ctx *confdb;
|
||||||
|
+
|
||||||
|
+ struct simple_ctx *ctx;
|
||||||
|
+};
|
||||||
|
|
||||||
|
void setup_simple(void)
|
||||||
|
{
|
||||||
|
- fail_unless(ctx == NULL, "Simple context already initialized.");
|
||||||
|
- ctx = talloc_zero(NULL, struct simple_ctx);
|
||||||
|
- fail_unless(ctx != NULL, "Cannot create simple context.");
|
||||||
|
+ errno_t ret;
|
||||||
|
+ char *conf_db;
|
||||||
|
+ const char *val[2];
|
||||||
|
+ val[1] = NULL;
|
||||||
|
|
||||||
|
- ctx->domain = talloc_zero(ctx, struct sss_domain_info);
|
||||||
|
- fail_unless(ctx != NULL, "Cannot create domain in simple context.");
|
||||||
|
- ctx->domain->case_sensitive = true;
|
||||||
|
+ /* Create tests directory if it doesn't exist */
|
||||||
|
+ /* (relative to current dir) */
|
||||||
|
+ ret = mkdir(TESTS_PATH, 0775);
|
||||||
|
+ fail_if(ret == -1 && errno != EEXIST,
|
||||||
|
+ "Could not create %s directory", TESTS_PATH);
|
||||||
|
+
|
||||||
|
+ fail_unless(test_ctx == NULL, "Simple context already initialized.");
|
||||||
|
+ test_ctx = talloc_zero(NULL, struct simple_test_ctx);
|
||||||
|
+ fail_unless(test_ctx != NULL, "Cannot create simple test context.");
|
||||||
|
+
|
||||||
|
+ test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx);
|
||||||
|
+ fail_unless(test_ctx->ctx != NULL, "Cannot create simple context.");
|
||||||
|
+
|
||||||
|
+ conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE);
|
||||||
|
+ fail_if(conf_db == NULL, "Out of memory, aborting!");
|
||||||
|
+ DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db));
|
||||||
|
+
|
||||||
|
+ /* Connect to the conf db */
|
||||||
|
+ ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db);
|
||||||
|
+ fail_if(ret != EOK, "Could not initialize connection to the confdb");
|
||||||
|
+
|
||||||
|
+ val[0] = "LOCAL";
|
||||||
|
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||||
|
+ "config/sssd", "domains", val);
|
||||||
|
+ fail_if(ret != EOK, "Could not initialize domains placeholder");
|
||||||
|
+
|
||||||
|
+ val[0] = "local";
|
||||||
|
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||||
|
+ "config/domain/LOCAL", "id_provider", val);
|
||||||
|
+ fail_if(ret != EOK, "Could not initialize provider");
|
||||||
|
+
|
||||||
|
+ val[0] = "TRUE";
|
||||||
|
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||||
|
+ "config/domain/LOCAL", "enumerate", val);
|
||||||
|
+ fail_if(ret != EOK, "Could not initialize LOCAL domain");
|
||||||
|
+
|
||||||
|
+ val[0] = "TRUE";
|
||||||
|
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||||
|
+ "config/domain/LOCAL", "cache_credentials", val);
|
||||||
|
+ fail_if(ret != EOK, "Could not initialize LOCAL domain");
|
||||||
|
+
|
||||||
|
+ ret = sysdb_init_domain_and_sysdb(test_ctx, test_ctx->confdb, "local",
|
||||||
|
+ TESTS_PATH,
|
||||||
|
+ &test_ctx->ctx->domain, &test_ctx->ctx->sysdb);
|
||||||
|
+ fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret);
|
||||||
|
+ test_ctx->ctx->domain->case_sensitive = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
void teardown_simple(void)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
- fail_unless(ctx != NULL, "Simple context already freed.");
|
||||||
|
- ret = talloc_free(ctx);
|
||||||
|
- ctx = NULL;
|
||||||
|
+ fail_unless(test_ctx != NULL, "Simple context already freed.");
|
||||||
|
+ ret = talloc_free(test_ctx);
|
||||||
|
+ test_ctx = NULL;
|
||||||
|
fail_unless(ret == 0, "Connot free simple context.");
|
||||||
|
}
|
||||||
|
|
||||||
|
+void setup_simple_group(void)
|
||||||
|
+{
|
||||||
|
+ errno_t ret;
|
||||||
|
+
|
||||||
|
+ setup_simple();
|
||||||
|
+
|
||||||
|
+ /* Add test users u1 and u2 that would be members of test groups
|
||||||
|
+ * g1 and g2 respectively */
|
||||||
|
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
|
||||||
|
+ "u1", NULL, 123, 0, "u1", "/home/u1",
|
||||||
|
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not add u1");
|
||||||
|
+
|
||||||
|
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
|
||||||
|
+ "u2", NULL, 456, 0, "u1", "/home/u1",
|
||||||
|
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not add u2");
|
||||||
|
+
|
||||||
|
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
|
||||||
|
+ "u3", NULL, 789, 0, "u1", "/home/u1",
|
||||||
|
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not add u3");
|
||||||
|
+
|
||||||
|
+ ret = sysdb_add_group(test_ctx->ctx->sysdb,
|
||||||
|
+ "g1", 321, NULL, 0, 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not add g1");
|
||||||
|
+
|
||||||
|
+ ret = sysdb_add_group(test_ctx->ctx->sysdb,
|
||||||
|
+ "g2", 654, NULL, 0, 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not add g2");
|
||||||
|
+
|
||||||
|
+ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
|
||||||
|
+ "g1", "u1", SYSDB_MEMBER_USER);
|
||||||
|
+ fail_if(ret != EOK, "Could not add u1 to g1");
|
||||||
|
+
|
||||||
|
+ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
|
||||||
|
+ "g2", "u2", SYSDB_MEMBER_USER);
|
||||||
|
+ fail_if(ret != EOK, "Could not add u2 to g2");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void teardown_simple_group(void)
|
||||||
|
+{
|
||||||
|
+ errno_t ret;
|
||||||
|
+
|
||||||
|
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u1", 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not delete u1");
|
||||||
|
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u2", 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not delete u2");
|
||||||
|
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u3", 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not delete u3");
|
||||||
|
+ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g1", 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not delete g1");
|
||||||
|
+ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g2", 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not delete g2");
|
||||||
|
+
|
||||||
|
+ teardown_simple();
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
START_TEST(test_both_empty)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
bool access_granted = false;
|
||||||
|
|
||||||
|
- ctx->allow_users = NULL;
|
||||||
|
- ctx->deny_users = NULL;
|
||||||
|
+ test_ctx->ctx->allow_users = NULL;
|
||||||
|
+ test_ctx->ctx->deny_users = NULL;
|
||||||
|
|
||||||
|
- ret = simple_access_check(ctx, "u1", &access_granted);
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||||
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
fail_unless(access_granted == true, "Access denied "
|
||||||
|
"while both lists are empty.");
|
||||||
|
@@ -74,15 +187,15 @@ START_TEST(test_allow_empty)
|
||||||
|
int ret;
|
||||||
|
bool access_granted = true;
|
||||||
|
|
||||||
|
- ctx->allow_users = NULL;
|
||||||
|
- ctx->deny_users = discard_const(ulist_1);
|
||||||
|
+ test_ctx->ctx->allow_users = NULL;
|
||||||
|
+ test_ctx->ctx->deny_users = discard_const(ulist_1);
|
||||||
|
|
||||||
|
- ret = simple_access_check(ctx, "u1", &access_granted);
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||||
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
fail_unless(access_granted == false, "Access granted "
|
||||||
|
"while user is in deny list.");
|
||||||
|
|
||||||
|
- ret = simple_access_check(ctx, "u3", &access_granted);
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||||
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
fail_unless(access_granted == true, "Access denied "
|
||||||
|
"while user is not in deny list.");
|
||||||
|
@@ -94,15 +207,15 @@ START_TEST(test_deny_empty)
|
||||||
|
int ret;
|
||||||
|
bool access_granted = false;
|
||||||
|
|
||||||
|
- ctx->allow_users = discard_const(ulist_1);
|
||||||
|
- ctx->deny_users = NULL;
|
||||||
|
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
|
||||||
|
+ test_ctx->ctx->deny_users = NULL;
|
||||||
|
|
||||||
|
- ret = simple_access_check(ctx, "u1", &access_granted);
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||||
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
fail_unless(access_granted == true, "Access denied "
|
||||||
|
"while user is in allow list.");
|
||||||
|
|
||||||
|
- ret = simple_access_check(ctx, "u3", &access_granted);
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||||
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
fail_unless(access_granted == false, "Access granted "
|
||||||
|
"while user is not in allow list.");
|
||||||
|
@@ -114,15 +227,15 @@ START_TEST(test_both_set)
|
||||||
|
int ret;
|
||||||
|
bool access_granted = false;
|
||||||
|
|
||||||
|
- ctx->allow_users = discard_const(ulist_1);
|
||||||
|
- ctx->deny_users = discard_const(ulist_1);
|
||||||
|
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
|
||||||
|
+ test_ctx->ctx->deny_users = discard_const(ulist_1);
|
||||||
|
|
||||||
|
- ret = simple_access_check(ctx, "u1", &access_granted);
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||||
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
fail_unless(access_granted == false, "Access granted "
|
||||||
|
"while user is in deny list.");
|
||||||
|
|
||||||
|
- ret = simple_access_check(ctx, "u3", &access_granted);
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||||
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
fail_unless(access_granted == false, "Access granted "
|
||||||
|
"while user is not in allow list.");
|
||||||
|
@@ -134,18 +247,18 @@ START_TEST(test_case)
|
||||||
|
int ret;
|
||||||
|
bool access_granted = false;
|
||||||
|
|
||||||
|
- ctx->allow_users = discard_const(ulist_1);
|
||||||
|
- ctx->deny_users = NULL;
|
||||||
|
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
|
||||||
|
+ test_ctx->ctx->deny_users = NULL;
|
||||||
|
|
||||||
|
- ret = simple_access_check(ctx, "U1", &access_granted);
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
||||||
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
fail_unless(access_granted == false, "Access granted "
|
||||||
|
"for user with different case "
|
||||||
|
"in case-sensitive domain");
|
||||||
|
|
||||||
|
- ctx->domain->case_sensitive = false;
|
||||||
|
+ test_ctx->ctx->domain->case_sensitive = false;
|
||||||
|
|
||||||
|
- ret = simple_access_check(ctx, "U1", &access_granted);
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
||||||
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
fail_unless(access_granted == true, "Access denied "
|
||||||
|
"for user with different case "
|
||||||
|
@@ -153,11 +266,95 @@ START_TEST(test_case)
|
||||||
|
}
|
||||||
|
END_TEST
|
||||||
|
|
||||||
|
+START_TEST(test_group_allow_empty)
|
||||||
|
+{
|
||||||
|
+ int ret;
|
||||||
|
+ bool access_granted = true;
|
||||||
|
+
|
||||||
|
+ test_ctx->ctx->allow_groups = NULL;
|
||||||
|
+ test_ctx->ctx->deny_groups = discard_const(glist_1);
|
||||||
|
+
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||||
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
+ fail_unless(access_granted == false, "Access granted "
|
||||||
|
+ "while group is in deny list.");
|
||||||
|
+
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||||
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
+ fail_unless(access_granted == true, "Access denied "
|
||||||
|
+ "while group is not in deny list.");
|
||||||
|
+}
|
||||||
|
+END_TEST
|
||||||
|
+
|
||||||
|
+START_TEST(test_group_deny_empty)
|
||||||
|
+{
|
||||||
|
+ int ret;
|
||||||
|
+ bool access_granted = false;
|
||||||
|
+
|
||||||
|
+ test_ctx->ctx->allow_groups = discard_const(glist_1);
|
||||||
|
+ test_ctx->ctx->deny_groups = NULL;
|
||||||
|
+
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||||
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
+ fail_unless(access_granted == true, "Access denied "
|
||||||
|
+ "while group is in allow list.");
|
||||||
|
+
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||||
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
+ fail_unless(access_granted == false, "Access granted "
|
||||||
|
+ "while group is not in allow list.");
|
||||||
|
+}
|
||||||
|
+END_TEST
|
||||||
|
+
|
||||||
|
+START_TEST(test_group_both_set)
|
||||||
|
+{
|
||||||
|
+ int ret;
|
||||||
|
+ bool access_granted = false;
|
||||||
|
+
|
||||||
|
+ test_ctx->ctx->allow_groups = discard_const(ulist_1);
|
||||||
|
+ test_ctx->ctx->deny_groups = discard_const(ulist_1);
|
||||||
|
+
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||||
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
+ fail_unless(access_granted == false, "Access granted "
|
||||||
|
+ "while group is in deny list.");
|
||||||
|
+
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||||
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
+ fail_unless(access_granted == false, "Access granted "
|
||||||
|
+ "while group is not in allow list.");
|
||||||
|
+}
|
||||||
|
+END_TEST
|
||||||
|
+
|
||||||
|
+START_TEST(test_group_case)
|
||||||
|
+{
|
||||||
|
+ int ret;
|
||||||
|
+ bool access_granted = false;
|
||||||
|
+
|
||||||
|
+ test_ctx->ctx->allow_groups = discard_const(ulist_1);
|
||||||
|
+ test_ctx->ctx->deny_groups = NULL;
|
||||||
|
+
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
||||||
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
+ fail_unless(access_granted == false, "Access granted "
|
||||||
|
+ "for group with different case "
|
||||||
|
+ "in case-sensitive domain");
|
||||||
|
+
|
||||||
|
+ test_ctx->ctx->domain->case_sensitive = false;
|
||||||
|
+
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
||||||
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
+ fail_unless(access_granted == true, "Access denied "
|
||||||
|
+ "for group with different case "
|
||||||
|
+ "in case-insensitive domain");
|
||||||
|
+}
|
||||||
|
+END_TEST
|
||||||
|
+
|
||||||
|
Suite *access_simple_suite (void)
|
||||||
|
{
|
||||||
|
Suite *s = suite_create("access_simple");
|
||||||
|
|
||||||
|
- TCase *tc_allow_deny = tcase_create("allow/deny");
|
||||||
|
+ TCase *tc_allow_deny = tcase_create("user allow/deny");
|
||||||
|
tcase_add_checked_fixture(tc_allow_deny, setup_simple, teardown_simple);
|
||||||
|
tcase_add_test(tc_allow_deny, test_both_empty);
|
||||||
|
tcase_add_test(tc_allow_deny, test_allow_empty);
|
||||||
|
@@ -166,6 +363,15 @@ Suite *access_simple_suite (void)
|
||||||
|
tcase_add_test(tc_allow_deny, test_case);
|
||||||
|
suite_add_tcase(s, tc_allow_deny);
|
||||||
|
|
||||||
|
+ TCase *tc_grp_allow_deny = tcase_create("group allow/deny");
|
||||||
|
+ tcase_add_checked_fixture(tc_grp_allow_deny,
|
||||||
|
+ setup_simple_group, teardown_simple_group);
|
||||||
|
+ tcase_add_test(tc_grp_allow_deny, test_group_allow_empty);
|
||||||
|
+ tcase_add_test(tc_grp_allow_deny, test_group_deny_empty);
|
||||||
|
+ tcase_add_test(tc_grp_allow_deny, test_group_both_set);
|
||||||
|
+ tcase_add_test(tc_grp_allow_deny, test_group_case);
|
||||||
|
+ suite_add_tcase(s, tc_grp_allow_deny);
|
||||||
|
+
|
||||||
|
return s;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -174,6 +380,7 @@ int main(int argc, const char *argv[])
|
||||||
|
int opt;
|
||||||
|
poptContext pc;
|
||||||
|
int number_failed;
|
||||||
|
+ int ret;
|
||||||
|
|
||||||
|
struct poptOption long_options[] = {
|
||||||
|
POPT_AUTOHELP
|
||||||
|
@@ -205,6 +412,20 @@ int main(int argc, const char *argv[])
|
||||||
|
srunner_run_all(sr, CK_ENV);
|
||||||
|
number_failed = srunner_ntests_failed(sr);
|
||||||
|
srunner_free(sr);
|
||||||
|
+
|
||||||
|
+ ret = unlink(TESTS_PATH"/"TEST_CONF_FILE);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
|
||||||
|
+ errno, strerror(errno));
|
||||||
|
+ return EXIT_FAILURE;
|
||||||
|
+ }
|
||||||
|
+ ret = unlink(TESTS_PATH"/"LOCAL_SYSDB_FILE);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
|
||||||
|
+ errno, strerror(errno));
|
||||||
|
+ return EXIT_FAILURE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return (number_failed==0 ? EXIT_SUCCESS : EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
1.8.1.4
|
||||||
|
|
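Review bot: test_group_both_set and test_group_case assign `discard_const(ulist_1)` to `allow_groups`/`deny_groups`, while the first two group tests use `glist_1`, so these two cases appear to check group lists named "u1"/"u2" that setup_simple_group() never creates; the deny assertion in test_group_both_set can then pass without the deny list ever matching, which gives false assurance for an access-control path. If that is a copy-paste slip, use `test_ctx->ctx->allow_groups = discard_const(glist_1);` and likewise for `deny_groups`. In setup_simple_group() the users u2 and u3 are stored with gecos "u1" and home "/home/u1", and in main() the second `unlink()` failure message still says "test config ldb file" although it removes `LOCAL_SYSDB_FILE`. The comment "members of test groups g1 and g2 respectively" could also state that u3 is deliberately left without a group.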
|
@ -0,0 +1,40 @@
|
||||||
|
From 26590d31f492dbbd36be6d0bde46a4bd3b221edb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Mon, 4 Mar 2013 16:37:04 +0100
|
||||||
|
Subject: [PATCH 3/4] Do not compile main() in DP if UNIT_TESTING is defined
|
||||||
|
|
||||||
|
The simple access provider unit tests now need to link against the Data
|
||||||
|
Provider when they start using the be_file_account_request() function.
|
||||||
|
But then we would start having conflicts as at least the main()
|
||||||
|
functions would clash.
|
||||||
|
|
||||||
|
If UNIT_TESTING is defined, then the data_provider_be.c module does not
|
||||||
|
contain the main() function and can be linked against directly from
|
||||||
|
another module that contains its own main() function
|
||||||
|
---
|
||||||
|
src/providers/data_provider_be.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
||||||
|
index f85a04d09b5b41b17be611c333324f7207242979..33590aeef0231427642916c6a2f9bc391c165c21 100644
|
||||||
|
--- a/src/providers/data_provider_be.c
|
||||||
|
+++ b/src/providers/data_provider_be.c
|
||||||
|
@@ -2651,6 +2651,7 @@ fail:
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef UNIT_TESTING
|
||||||
|
int main(int argc, const char *argv[])
|
||||||
|
{
|
||||||
|
int opt;
|
||||||
|
@@ -2732,6 +2733,7 @@ int main(int argc, const char *argv[])
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
static int data_provider_res_init(DBusMessage *message,
|
||||||
|
struct sbus_connection *conn)
|
||||||
|
--
|
||||||
|
1.8.1.4
|
||||||
|
|
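Review bot: The new `#endif` closes a guard opened roughly eighty lines earlier around main(), and neither line says why the entry point is conditional; write it as `#endif /* UNIT_TESTING */` and add a comment above `#ifndef UNIT_TESTING` such as `/* main() is left out so unit tests can link this module with their own main() */`. main() itself lies mostly outside the two hunks.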
|
@ -0,0 +1,236 @@
|
||||||
|
From b63830b142053f99bfe954d4be5a2b0f68ce3a93 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Fri, 22 Feb 2013 11:01:38 +0100
|
||||||
|
Subject: [PATCH 1/4] Provide a be_get_account_info_send function
|
||||||
|
|
||||||
|
In order to resolve group names in the simple access provider we need to
|
||||||
|
contact the Data Provider in a generic fashion from the access provider.
|
||||||
|
We can't call any particular implementation (like sdap_generic_send())
|
||||||
|
because we have no idea what kind of provider is configured as the
|
||||||
|
id_provider.
|
||||||
|
|
||||||
|
This patch splits introduces the be_file_account_request() function into
|
||||||
|
the data_provider_be module and makes it public.
|
||||||
|
|
||||||
|
A future patch should make the be_get_account_info function use the
|
||||||
|
be_get_account_info_send function.
|
||||||
|
---
|
||||||
|
src/providers/data_provider_be.c | 153 ++++++++++++++++++++++++++++++++++-----
|
||||||
|
src/providers/dp_backend.h | 15 ++++
|
||||||
|
2 files changed, 149 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
||||||
|
index b261bf8d456829a513ec352c8290d2011bd3526a..f85a04d09b5b41b17be611c333324f7207242979 100644
|
||||||
|
--- a/src/providers/data_provider_be.c
|
||||||
|
+++ b/src/providers/data_provider_be.c
|
||||||
|
@@ -717,6 +717,34 @@ static errno_t be_initgroups_prereq(struct be_req *be_req)
|
||||||
|
}
|
||||||
|
|
||||||
|
static errno_t
|
||||||
|
+be_file_account_request(struct be_req *be_req, struct be_acct_req *ar)
|
||||||
|
+{
|
||||||
|
+ errno_t ret;
|
||||||
|
+ struct be_ctx *be_ctx = be_req->be_ctx;
|
||||||
|
+
|
||||||
|
+ be_req->req_data = ar;
|
||||||
|
+
|
||||||
|
+ /* see if we need a pre request call, only done for initgroups for now */
|
||||||
|
+ if ((ar->entry_type & 0xFF) == BE_REQ_INITGROUPS) {
|
||||||
|
+ ret = be_initgroups_prereq(be_req);
|
||||||
|
+ if (ret) {
|
||||||
|
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Prerequest failed"));
|
||||||
|
+ return ret;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* process request */
|
||||||
|
+ ret = be_file_request(be_ctx, be_req,
|
||||||
|
+ be_ctx->bet_info[BET_ID].bet_ops->handler);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to file request"));
|
||||||
|
+ return ret;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return EOK;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static errno_t
|
||||||
|
split_name_extended(TALLOC_CTX *mem_ctx,
|
||||||
|
const char *filter,
|
||||||
|
char **name,
|
||||||
|
@@ -742,6 +770,110 @@ split_name_extended(TALLOC_CTX *mem_ctx,
|
||||||
|
return EOK;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void
|
||||||
|
+be_get_account_info_done(struct be_req *be_req,
|
||||||
|
+ int dp_err, int dp_ret,
|
||||||
|
+ const char *errstr);
|
||||||
|
+
|
||||||
|
+struct be_get_account_info_state {
|
||||||
|
+ int err_maj;
|
||||||
|
+ int err_min;
|
||||||
|
+ const char *err_msg;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+struct tevent_req *
|
||||||
|
+be_get_account_info_send(TALLOC_CTX *mem_ctx,
|
||||||
|
+ struct tevent_context *ev,
|
||||||
|
+ struct be_client *becli,
|
||||||
|
+ struct be_ctx *be_ctx,
|
||||||
|
+ struct be_acct_req *ar)
|
||||||
|
+{
|
||||||
|
+ struct tevent_req *req;
|
||||||
|
+ struct be_get_account_info_state *state;
|
||||||
|
+ struct be_req *be_req;
|
||||||
|
+ errno_t ret;
|
||||||
|
+
|
||||||
|
+ req = tevent_req_create(mem_ctx, &state,
|
||||||
|
+ struct be_get_account_info_state);
|
||||||
|
+ if (!req) return NULL;
|
||||||
|
+
|
||||||
|
+ be_req = talloc_zero(mem_ctx, struct be_req);
|
||||||
|
+ if (be_req == NULL) {
|
||||||
|
+ ret = ENOMEM;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ be_req->becli = becli;
|
||||||
|
+ be_req->be_ctx = be_ctx;
|
||||||
|
+ be_req->fn = be_get_account_info_done;
|
||||||
|
+ be_req->pvt = req;
|
||||||
|
+
|
||||||
|
+ ret = be_file_account_request(be_req, ar);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return req;
|
||||||
|
+
|
||||||
|
+done:
|
||||||
|
+ tevent_req_error(req, ret);
|
||||||
|
+ tevent_req_post(req, ev);
|
||||||
|
+ return req;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+be_get_account_info_done(struct be_req *be_req,
|
||||||
|
+ int dp_err, int dp_ret,
|
||||||
|
+ const char *errstr)
|
||||||
|
+{
|
||||||
|
+ struct tevent_req *req;
|
||||||
|
+ struct be_get_account_info_state *state;
|
||||||
|
+
|
||||||
|
+ req = talloc_get_type(be_req->pvt, struct tevent_req);
|
||||||
|
+ state = tevent_req_data(req, struct be_get_account_info_state);
|
||||||
|
+
|
||||||
|
+ state->err_maj = dp_err;
|
||||||
|
+ state->err_min = dp_ret;
|
||||||
|
+ if (errstr) {
|
||||||
|
+ state->err_msg = talloc_strdup(state, errstr);
|
||||||
|
+ if (state->err_msg == NULL) {
|
||||||
|
+ talloc_free(be_req);
|
||||||
|
+ tevent_req_error(req, ENOMEM);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ talloc_free(be_req);
|
||||||
|
+ tevent_req_done(req);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+errno_t be_get_account_info_recv(struct tevent_req *req,
|
||||||
|
+ TALLOC_CTX *mem_ctx,
|
||||||
|
+ int *_err_maj,
|
||||||
|
+ int *_err_min,
|
||||||
|
+ const char **_err_msg)
|
||||||
|
+{
|
||||||
|
+ struct be_get_account_info_state *state;
|
||||||
|
+
|
||||||
|
+ state = tevent_req_data(req, struct be_get_account_info_state);
|
||||||
|
+
|
||||||
|
+ TEVENT_REQ_RETURN_ON_ERROR(req);
|
||||||
|
+
|
||||||
|
+ if (_err_maj) {
|
||||||
|
+ *_err_maj = state->err_maj;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (_err_min) {
|
||||||
|
+ *_err_min = state->err_min;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (_err_msg) {
|
||||||
|
+ *_err_msg = talloc_steal(mem_ctx, state->err_msg);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return EOK;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int be_get_account_info(DBusMessage *message, struct sbus_connection *conn)
|
||||||
|
{
|
||||||
|
struct be_acct_req *req;
|
||||||
|
@@ -845,8 +977,6 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- be_req->req_data = req;
|
||||||
|
-
|
||||||
|
if ((attr_type != BE_ATTR_CORE) &&
|
||||||
|
(attr_type != BE_ATTR_MEM) &&
|
||||||
|
(attr_type != BE_ATTR_ALL)) {
|
||||||
|
@@ -893,26 +1023,11 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* see if we need a pre request call, only done for initgroups for now */
|
||||||
|
- if ((type & 0xFF) == BE_REQ_INITGROUPS) {
|
||||||
|
- ret = be_initgroups_prereq(be_req);
|
||||||
|
- if (ret) {
|
||||||
|
- err_maj = DP_ERR_FATAL;
|
||||||
|
- err_min = ret;
|
||||||
|
- err_msg = "Prerequest failed";
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* process request */
|
||||||
|
-
|
||||||
|
- ret = be_file_request(becli->bectx->bet_info[BET_ID].pvt_bet_data,
|
||||||
|
- be_req,
|
||||||
|
- becli->bectx->bet_info[BET_ID].bet_ops->handler);
|
||||||
|
+ ret = be_file_account_request(be_req, req);
|
||||||
|
if (ret != EOK) {
|
||||||
|
err_maj = DP_ERR_FATAL;
|
||||||
|
err_min = ret;
|
||||||
|
- err_msg = "Failed to file request";
|
||||||
|
+ err_msg = "Cannot file account request";
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h
|
||||||
|
index 58a9b7490df8aab06a2a15f8c0fed9ac5ed33600..743b6f4ffe73fe9ec7404218184a7133aba054c6 100644
|
||||||
|
--- a/src/providers/dp_backend.h
|
||||||
|
+++ b/src/providers/dp_backend.h
|
||||||
|
@@ -258,4 +258,19 @@ int be_fo_run_callbacks_at_next_request(struct be_ctx *ctx,
|
||||||
|
const char *service_name);
|
||||||
|
|
||||||
|
void reset_fo(struct be_ctx *be_ctx);
|
||||||
|
+
|
||||||
|
+/* Request account information */
|
||||||
|
+struct tevent_req *
|
||||||
|
+be_get_account_info_send(TALLOC_CTX *mem_ctx,
|
||||||
|
+ struct tevent_context *ev,
|
||||||
|
+ struct be_client *becli,
|
||||||
|
+ struct be_ctx *be_ctx,
|
||||||
|
+ struct be_acct_req *ar);
|
||||||
|
+
|
||||||
|
+errno_t be_get_account_info_recv(struct tevent_req *req,
|
||||||
|
+ TALLOC_CTX *mem_ctx,
|
||||||
|
+ int *_err_maj,
|
||||||
|
+ int *_err_min,
|
||||||
|
+ const char **_err_msg);
|
||||||
|
+
|
||||||
|
#endif /* __DP_BACKEND_H___ */
|
||||||
|
--
|
||||||
|
1.8.1.4
|
||||||
|
|
File diff suppressed because it is too large
|
@ -0,0 +1,53 @@
|
||||||
|
From cd2327153a9ac55f3cf470c294691506096bd1eb Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||||
|
Date: Wed, 27 Feb 2013 12:12:19 +0100
|
||||||
|
Subject: [PATCH] autofs: fix invalid header 'number of entries' in packet
|
||||||
|
|
||||||
|
https://fedorahosted.org/sssd/ticket/1739
|
||||||
|
|
||||||
|
Pointer to packet body may change while filling packet with autofs
|
||||||
|
mount points. As a consequence, we sometimes wrote the number of
|
||||||
|
entries into invalid body and we recieved an arbitrary number
|
||||||
|
on the client side.
|
||||||
|
|
||||||
|
If the number was 0, there were some skipped entries. If the number
|
||||||
|
was greater than 0, everything worked correctly, because we iterate
|
||||||
|
through the cached entries until we reach packet length - we don't
|
||||||
|
compare to the number.
|
||||||
|
---
|
||||||
|
src/responder/autofs/autofssrv_cmd.c | 6 +++++-
|
||||||
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
|
||||||
|
index 550c981a73e40804701268d0b34f8d7198f3ecc6..491afbb1de057dae996cfc7d084cdaed0220b8e3 100644
|
||||||
|
--- a/src/responder/autofs/autofssrv_cmd.c
|
||||||
|
+++ b/src/responder/autofs/autofssrv_cmd.c
|
||||||
|
@@ -1085,13 +1085,13 @@ getautomntent_process(struct autofs_cmd_ctx *cmdctx,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* allocate memory for number of entries in the packet */
|
||||||
|
ret = sss_packet_grow(client->creq->out, sizeof(uint32_t));
|
||||||
|
if (ret != EOK) {
|
||||||
|
DEBUG(SSSDBG_OP_FAILURE, ("Cannot grow packet\n"));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- sss_packet_get_body(client->creq->out, &body, &blen);
|
||||||
|
rp = sizeof(uint32_t); /* We'll write the number of entries here */
|
||||||
|
|
||||||
|
left = map->entry_count - cursor;
|
||||||
|
@@ -1111,6 +1111,10 @@ getautomntent_process(struct autofs_cmd_ctx *cmdctx,
|
||||||
|
nentries++;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* packet grows in fill_autofs_entry, body pointer may change,
|
||||||
|
+ * thus we have to obtain it here */
|
||||||
|
+ sss_packet_get_body(client->creq->out, &body, &blen);
|
||||||
|
+
|
||||||
|
rp = 0;
|
||||||
|
SAFEALIGN_SET_UINT32(&body[rp], nentries, &rp);
|
||||||
|
|
||||||
|
--
|
||||||
|
1.8.1.4
|
||||||
|
|
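Review bot: After this change `body` and `blen` are not set until the `sss_packet_get_body()` call placed after the entry loop, and the loop itself lies between the two hunks and is not shown, so it cannot be confirmed from here that nothing in it still reads the pointer. The patch description says the body pointer may change while the packet is filled, so any write through a pointer fetched before a grow can land in memory the packet no longer uses; this patch fixes that for the entry count only. I would initialise `body` to `NULL` at its declaration so a leftover early use faults immediately instead of silently corrupting the reply. I would also extend the added comment to state the rule, `/* never keep body across sss_packet_grow(); re-fetch after the last grow */`. getautomntent_process starts and ends outside the hunks.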
|
@ -1,53 +0,0 @@
|
||||||
From 8ae0fc769b419e16ce7804bd516f7c2d03ce8471 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
|
||||||
Date: Wed, 22 Feb 2012 07:53:56 -0500
|
|
||||||
Subject: [PATCH] FEDORA: Change Kerberos credential cache default location
|
|
||||||
|
|
||||||
On Fedora, we need to default to using /run/user/%u for credential
|
|
||||||
caches for improved security and to simplify rpc.gssd locating the
|
|
||||||
cache for use with NFS.
|
|
||||||
---
|
|
||||||
src/man/sssd-krb5.5.xml | 4 ++--
|
|
||||||
src/providers/krb5/krb5_common.c | 4 ++--
|
|
||||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
|
|
||||||
index 247337a90a80b078d0395b27a02e5ea2c72a5ce8..cc10dc149c407450a59f39ebc2de0ac95e33028e 100644
|
|
||||||
--- a/src/man/sssd-krb5.5.xml
|
|
||||||
+++ b/src/man/sssd-krb5.5.xml
|
|
||||||
@@ -148,7 +148,7 @@
|
|
||||||
</citerefentry> for details) is created.
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
- Default: /tmp
|
|
||||||
+ Default: /run/user/%u
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
@@ -206,7 +206,7 @@
|
|
||||||
used to create a unique filename in a safe way.
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
- Default: FILE:%d/krb5cc_%U_XXXXXX
|
|
||||||
+ Default: FILE:%d/krb5cc
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
|
|
||||||
index c2cb94b61463cbdaf3f4fa5a5cb311af55b4b960..e3a74697249a8dd10907beaeaef415a48c3c30a9 100644
|
|
||||||
--- a/src/providers/krb5/krb5_common.c
|
|
||||||
+++ b/src/providers/krb5/krb5_common.c
|
|
||||||
@@ -34,8 +34,8 @@
|
|
||||||
struct dp_option default_krb5_opts[] = {
|
|
||||||
{ "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
|
||||||
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
|
||||||
- { "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING },
|
|
||||||
- { "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING},
|
|
||||||
+ { "krb5_ccachedir", DP_OPT_STRING, { "/run/user/%u" }, NULL_STRING },
|
|
||||||
+ { "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc" }, NULL_STRING},
|
|
||||||
{ "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER },
|
|
||||||
{ "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
|
|
||||||
{ "krb5_validate", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
|
||||||
--
|
|
||||||
1.7.7.6
|
|
||||||
|
|
2
sources
2
sources
|
@ -1 +1 @@
|
||||||
8f5e88fbdc8edeba7bc816da3448b726 sssd-1.8.1.tar.gz
|
b2c31d92a18037d1ab5151ea920c8881 sssd-1.9.5.tar.gz
|
||||||
|
|
216
sssd.spec
216
sssd.spec
|
@ -12,11 +12,11 @@
|
||||||
|
|
||||||
# Determine the location of the LDB modules directory
|
# Determine the location of the LDB modules directory
|
||||||
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
|
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
|
||||||
%global ldb_version 1.1.4
|
%global ldb_version 1.1.6
|
||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 1.8.1
|
Version: 1.9.5
|
||||||
Release: 7%{?dist}
|
Release: 1%{?dist}
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
|
@ -26,26 +26,25 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||||
|
|
||||||
### Patches ###
|
### Patches ###
|
||||||
|
|
||||||
Patch1001: FED01-Change-Kerberos-credential-cache-default-loca.patch
|
|
||||||
|
|
||||||
### Dependencies ###
|
### Dependencies ###
|
||||||
|
|
||||||
Conflicts: selinux-policy < 3.10.0-46
|
Conflicts: selinux-policy < 3.10.0-46
|
||||||
Requires: libldb = %{ldb_version}
|
Requires: libldb%{?_isa} = %{ldb_version}
|
||||||
Requires: libtdb >= 1.1.3
|
Requires: libtdb%{?_isa} >= 1.1.3
|
||||||
Requires: sssd-client%{?_isa} = %{version}-%{release}
|
Requires: sssd-client%{?_isa} = %{version}-%{release}
|
||||||
Requires: cyrus-sasl-gssapi%{?_isa}
|
Requires: cyrus-sasl-gssapi%{?_isa}
|
||||||
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
|
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
|
||||||
Requires: krb5-libs >= 1.9
|
Requires: libsss_idmap%{?_isa} = %{version}-%{release}
|
||||||
Requires: keyutils-libs
|
Requires: krb5-libs%{?_isa} >= 1.10
|
||||||
Requires(post): systemd-units initscripts chkconfig /sbin/ldconfig
|
Requires(post): systemd-units initscripts chkconfig
|
||||||
Requires(preun): systemd-units initscripts chkconfig
|
Requires(preun): systemd-units initscripts chkconfig
|
||||||
Requires(postun): systemd-units initscripts chkconfig /sbin/ldconfig
|
Requires(postun): systemd-units initscripts chkconfig
|
||||||
|
|
||||||
%global servicename sssd
|
%global servicename sssd
|
||||||
%global sssdstatedir %{_localstatedir}/lib/sss
|
%global sssdstatedir %{_localstatedir}/lib/sss
|
||||||
%global dbpath %{sssdstatedir}/db
|
%global dbpath %{sssdstatedir}/db
|
||||||
%global pipepath %{sssdstatedir}/pipes
|
%global pipepath %{sssdstatedir}/pipes
|
||||||
|
%global mcpath %{sssdstatedir}/mc
|
||||||
%global pubconfpath %{sssdstatedir}/pubconf
|
%global pubconfpath %{sssdstatedir}/pubconf
|
||||||
|
|
||||||
### Build Dependencies ###
|
### Build Dependencies ###
|
||||||
|
@ -78,7 +77,7 @@ BuildRequires: pcre-devel
|
||||||
BuildRequires: libxslt
|
BuildRequires: libxslt
|
||||||
BuildRequires: libxml2
|
BuildRequires: libxml2
|
||||||
BuildRequires: docbook-style-xsl
|
BuildRequires: docbook-style-xsl
|
||||||
BuildRequires: krb5-devel >= 1.9
|
BuildRequires: krb5-devel >= 1.10
|
||||||
BuildRequires: c-ares-devel
|
BuildRequires: c-ares-devel
|
||||||
BuildRequires: python-devel
|
BuildRequires: python-devel
|
||||||
BuildRequires: check-devel
|
BuildRequires: check-devel
|
||||||
|
@ -90,8 +89,11 @@ BuildRequires: keyutils-libs-devel
|
||||||
BuildRequires: libnl-devel
|
BuildRequires: libnl-devel
|
||||||
BuildRequires: gettext-devel
|
BuildRequires: gettext-devel
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: libunistring-devel
|
BuildRequires: glib2-devel
|
||||||
|
BuildRequires: diffstat
|
||||||
BuildRequires: findutils
|
BuildRequires: findutils
|
||||||
|
BuildRequires: samba4-devel >= samba4-4.0.0-59beta2
|
||||||
|
BuildRequires: selinux-policy-targeted
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Provides a set of daemons to manage access to remote directories and
|
Provides a set of daemons to manage access to remote directories and
|
||||||
|
@ -104,6 +106,8 @@ services for projects like FreeIPA.
|
||||||
Summary: SSSD Client libraries for NSS and PAM
|
Summary: SSSD Client libraries for NSS and PAM
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
License: LGPLv3+
|
License: LGPLv3+
|
||||||
|
Requires(post): /sbin/ldconfig
|
||||||
|
Requires(postun): /sbin/ldconfig
|
||||||
|
|
||||||
%description client
|
%description client
|
||||||
Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD
|
Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD
|
||||||
|
@ -119,13 +123,37 @@ Requires: sssd = %{version}-%{release}
|
||||||
Provides userspace tools for manipulating users, groups, and nested groups in
|
Provides userspace tools for manipulating users, groups, and nested groups in
|
||||||
SSSD when using id_provider = local in /etc/sssd/sssd.conf.
|
SSSD when using id_provider = local in /etc/sssd/sssd.conf.
|
||||||
|
|
||||||
Also provides a userspace tool for generating an obfuscated LDAP password for
|
Also provides several other administrative tools:
|
||||||
use with ldap_default_authtok_type = obfuscated_password.
|
* sss_cache to expire cached entries
|
||||||
|
* sss_debuglevel to change the debug level on the fly
|
||||||
|
* sss_seed which pre-creates a user entry for use in kickstarts
|
||||||
|
* sss_obfuscate for generating an obfuscated LDAP password
|
||||||
|
|
||||||
|
%package -n libsss_idmap
|
||||||
|
Summary: FreeIPA Idmap library
|
||||||
|
Group: Development/Libraries
|
||||||
|
License: LGPLv3+
|
||||||
|
Requires(post): /sbin/ldconfig
|
||||||
|
Requires(postun): /sbin/ldconfig
|
||||||
|
|
||||||
|
%description -n libsss_idmap
|
||||||
|
Utility library to convert SIDs to Unix uids and gids
|
||||||
|
|
||||||
|
%package -n libsss_idmap-devel
|
||||||
|
Summary: FreeIPA Idmap library
|
||||||
|
Group: Development/Libraries
|
||||||
|
License: LGPLv3+
|
||||||
|
Requires: libsss_idmap = %{version}-%{release}
|
||||||
|
|
||||||
|
%description -n libsss_idmap-devel
|
||||||
|
Utility library to SIDs to Unix uids and gids
|
||||||
|
|
||||||
%package -n libipa_hbac
|
%package -n libipa_hbac
|
||||||
Summary: FreeIPA HBAC Evaluator library
|
Summary: FreeIPA HBAC Evaluator library
|
||||||
Group: Development/Libraries
|
Group: Development/Libraries
|
||||||
License: LGPLv3+
|
License: LGPLv3+
|
||||||
|
Requires(post): /sbin/ldconfig
|
||||||
|
Requires(postun): /sbin/ldconfig
|
||||||
|
|
||||||
%description -n libipa_hbac
|
%description -n libipa_hbac
|
||||||
Utility library to validate FreeIPA HBAC rules for authorization requests
|
Utility library to validate FreeIPA HBAC rules for authorization requests
|
||||||
|
@ -153,6 +181,9 @@ used by Python applications.
|
||||||
Summary: A library to allow communication between SUDO and SSSD
|
Summary: A library to allow communication between SUDO and SSSD
|
||||||
Group: Development/Libraries
|
Group: Development/Libraries
|
||||||
License: LGPLv3+
|
License: LGPLv3+
|
||||||
|
Requires(post): /sbin/ldconfig
|
||||||
|
Requires(postun): /sbin/ldconfig
|
||||||
|
Requires: sssd = %{version}-%{release}
|
||||||
|
|
||||||
%description -n libsss_sudo
|
%description -n libsss_sudo
|
||||||
A utility library to allow communication between SUDO and SSSD
|
A utility library to allow communication between SUDO and SSSD
|
||||||
|
@ -195,6 +226,7 @@ autoreconf -ivf
|
||||||
--with-db-path=%{dbpath} \
|
--with-db-path=%{dbpath} \
|
||||||
--with-pipe-path=%{pipepath} \
|
--with-pipe-path=%{pipepath} \
|
||||||
--with-pubconf-path=%{pubconfpath} \
|
--with-pubconf-path=%{pubconfpath} \
|
||||||
|
--with-mcache-path=%{mcpath} \
|
||||||
--with-init-dir=%{_initrddir} \
|
--with-init-dir=%{_initrddir} \
|
||||||
--with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
|
--with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
|
||||||
--enable-nsslibdir=/%{_lib} \
|
--enable-nsslibdir=/%{_lib} \
|
||||||
|
@ -202,7 +234,8 @@ autoreconf -ivf
|
||||||
--disable-static \
|
--disable-static \
|
||||||
--disable-rpath \
|
--disable-rpath \
|
||||||
--with-test-dir=/dev/shm \
|
--with-test-dir=/dev/shm \
|
||||||
--enable-all-experimental-features
|
--enable-all-experimental-features \
|
||||||
|
--with-unicode-lib=glib2
|
||||||
|
|
||||||
make %{?_smp_mflags} all docs
|
make %{?_smp_mflags} all docs
|
||||||
|
|
||||||
|
@ -243,7 +276,7 @@ cp src/sysv/systemd/sssd.service $RPM_BUILD_ROOT/%{_unitdir}/
|
||||||
find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \;
|
find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \;
|
||||||
|
|
||||||
# Suppress developer-only documentation
|
# Suppress developer-only documentation
|
||||||
rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name}/doc
|
rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name}
|
||||||
|
|
||||||
# Older versions of rpmbuild can only handle one -f option
|
# Older versions of rpmbuild can only handle one -f option
|
||||||
# So we need to append to the sssd.lang file
|
# So we need to append to the sssd.lang file
|
||||||
|
@ -253,6 +286,7 @@ do
|
||||||
done
|
done
|
||||||
|
|
||||||
touch sssd_tools.lang
|
touch sssd_tools.lang
|
||||||
|
touch sssd_client.lang
|
||||||
for man in `find $RPM_BUILD_ROOT/%{_mandir}/??/man?/ -type f | sed -e "s#$RPM_BUILD_ROOT/%{_mandir}/##"`
|
for man in `find $RPM_BUILD_ROOT/%{_mandir}/??/man?/ -type f | sed -e "s#$RPM_BUILD_ROOT/%{_mandir}/##"`
|
||||||
do
|
do
|
||||||
lang=`echo $man | cut -c 1-2`
|
lang=`echo $man | cut -c 1-2`
|
||||||
|
@ -260,6 +294,9 @@ do
|
||||||
sss_*)
|
sss_*)
|
||||||
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang
|
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang
|
||||||
;;
|
;;
|
||||||
|
sssd_krb5_*)
|
||||||
|
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
|
||||||
|
;;
|
||||||
pam_sss*)
|
pam_sss*)
|
||||||
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
|
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
|
||||||
;;
|
;;
|
||||||
|
@ -292,22 +329,47 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
%doc src/examples/sssd-example.conf
|
%doc src/examples/sssd-example.conf
|
||||||
%{_unitdir}/sssd.service
|
%{_unitdir}/sssd.service
|
||||||
%{_sbindir}/sssd
|
%{_sbindir}/sssd
|
||||||
%{_libexecdir}/%{servicename}/
|
|
||||||
%{_libdir}/%{name}/
|
%dir %{_libexecdir}/%{servicename}
|
||||||
|
%{_libexecdir}/%{servicename}/krb5_child
|
||||||
|
%{_libexecdir}/%{servicename}/ldap_child
|
||||||
|
%{_libexecdir}/%{servicename}/proxy_child
|
||||||
|
%{_libexecdir}/%{servicename}/sssd_be
|
||||||
|
%{_libexecdir}/%{servicename}/sssd_nss
|
||||||
|
%{_libexecdir}/%{servicename}/sssd_pam
|
||||||
|
%{_libexecdir}/%{servicename}/sssd_autofs
|
||||||
|
%{_libexecdir}/%{servicename}/sssd_ssh
|
||||||
|
%{_libexecdir}/%{servicename}/sssd_sudo
|
||||||
|
%{_libexecdir}/%{servicename}/sssd_pac
|
||||||
|
|
||||||
|
%dir %{_libdir}/%{name}
|
||||||
|
%{_libdir}/%{name}/libsss_ipa.so
|
||||||
|
%{_libdir}/%{name}/libsss_krb5.so
|
||||||
|
%{_libdir}/%{name}/libsss_ldap.so
|
||||||
|
%{_libdir}/%{name}/libsss_proxy.so
|
||||||
|
%{_libdir}/%{name}/libsss_simple.so
|
||||||
|
%{_libdir}/%{name}/libsss_ad.so
|
||||||
|
|
||||||
%{ldb_modulesdir}/memberof.so
|
%{ldb_modulesdir}/memberof.so
|
||||||
%{_bindir}/sss_ssh_authorizedkeys
|
%{_bindir}/sss_ssh_authorizedkeys
|
||||||
%{_bindir}/sss_ssh_knownhostsproxy
|
%{_bindir}/sss_ssh_knownhostsproxy
|
||||||
|
|
||||||
%dir %{sssdstatedir}
|
%dir %{sssdstatedir}
|
||||||
%dir %{_localstatedir}/cache/krb5rcache
|
%dir %{_localstatedir}/cache/krb5rcache
|
||||||
%attr(700,root,root) %dir %{dbpath}
|
%attr(700,root,root) %dir %{dbpath}
|
||||||
|
%attr(755,root,root) %dir %{mcpath}
|
||||||
|
%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/passwd
|
||||||
|
%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/group
|
||||||
%attr(755,root,root) %dir %{pipepath}
|
%attr(755,root,root) %dir %{pipepath}
|
||||||
%attr(755,root,root) %dir %{pubconfpath}
|
%attr(755,root,root) %dir %{pubconfpath}
|
||||||
|
%attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
|
||||||
%attr(700,root,root) %dir %{pipepath}/private
|
%attr(700,root,root) %dir %{pipepath}/private
|
||||||
%attr(750,root,root) %dir %{_var}/log/%{name}
|
%attr(750,root,root) %dir %{_var}/log/%{name}
|
||||||
%attr(700,root,root) %dir %{_sysconfdir}/sssd
|
%attr(700,root,root) %dir %{_sysconfdir}/sssd
|
||||||
%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
|
%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
|
||||||
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
|
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
|
||||||
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
|
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
|
||||||
|
%dir %{_datadir}/sssd
|
||||||
%{_datadir}/sssd/sssd.api.conf
|
%{_datadir}/sssd/sssd.api.conf
|
||||||
%{_datadir}/sssd/sssd.api.d
|
%{_datadir}/sssd/sssd.api.d
|
||||||
%{_mandir}/man1/sss_ssh_authorizedkeys.1*
|
%{_mandir}/man1/sss_ssh_authorizedkeys.1*
|
||||||
|
@ -317,9 +379,13 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
%{_mandir}/man5/sssd-krb5.5*
|
%{_mandir}/man5/sssd-krb5.5*
|
||||||
%{_mandir}/man5/sssd-ldap.5*
|
%{_mandir}/man5/sssd-ldap.5*
|
||||||
%{_mandir}/man5/sssd-simple.5*
|
%{_mandir}/man5/sssd-simple.5*
|
||||||
|
%{_mandir}/man5/sssd-ad.5*
|
||||||
|
%{_mandir}/man5/sssd-sudo.5*
|
||||||
%{_mandir}/man8/sssd.8*
|
%{_mandir}/man8/sssd.8*
|
||||||
%{python_sitearch}/pysss.so
|
%{python_sitearch}/pysss.so
|
||||||
%{python_sitelib}/*.py*
|
%{python_sitearch}/pysss_murmur.so
|
||||||
|
%dir %{python_sitelib}/SSSDConfig
|
||||||
|
%{python_sitelib}/SSSDConfig/*.py*
|
||||||
|
|
||||||
%files client -f sssd_client.lang
|
%files client -f sssd_client.lang
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
|
@ -327,6 +393,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
/%{_lib}/libnss_sss.so.2
|
/%{_lib}/libnss_sss.so.2
|
||||||
/%{_lib}/security/pam_sss.so
|
/%{_lib}/security/pam_sss.so
|
||||||
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
|
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
|
||||||
|
%{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
|
||||||
%{_mandir}/man8/pam_sss.8*
|
%{_mandir}/man8/pam_sss.8*
|
||||||
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
|
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
|
||||||
|
|
||||||
|
@ -343,6 +410,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
%{_sbindir}/sss_obfuscate
|
%{_sbindir}/sss_obfuscate
|
||||||
%{_sbindir}/sss_cache
|
%{_sbindir}/sss_cache
|
||||||
%{_sbindir}/sss_debuglevel
|
%{_sbindir}/sss_debuglevel
|
||||||
|
%{_sbindir}/sss_seed
|
||||||
%{_mandir}/man8/sss_groupadd.8*
|
%{_mandir}/man8/sss_groupadd.8*
|
||||||
%{_mandir}/man8/sss_groupdel.8*
|
%{_mandir}/man8/sss_groupdel.8*
|
||||||
%{_mandir}/man8/sss_groupmod.8*
|
%{_mandir}/man8/sss_groupmod.8*
|
||||||
|
@ -353,6 +421,19 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
%{_mandir}/man8/sss_obfuscate.8*
|
%{_mandir}/man8/sss_obfuscate.8*
|
||||||
%{_mandir}/man8/sss_cache.8*
|
%{_mandir}/man8/sss_cache.8*
|
||||||
%{_mandir}/man8/sss_debuglevel.8*
|
%{_mandir}/man8/sss_debuglevel.8*
|
||||||
|
%{_mandir}/man8/sss_seed.8*
|
||||||
|
|
||||||
|
%files -n libsss_idmap
|
||||||
|
%defattr(-,root,root,-)
|
||||||
|
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
||||||
|
%{_libdir}/libsss_idmap.so.*
|
||||||
|
|
||||||
|
%files -n libsss_idmap-devel
|
||||||
|
%defattr(-,root,root,-)
|
||||||
|
%doc idmap_doc/html
|
||||||
|
%{_includedir}/sss_idmap.h
|
||||||
|
%{_libdir}/libsss_idmap.so
|
||||||
|
%{_libdir}/pkgconfig/sss_idmap.pc
|
||||||
|
|
||||||
%files -n libipa_hbac
|
%files -n libipa_hbac
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
|
@ -381,13 +462,11 @@ A utility library to allow communication between Autofs and SSSD
|
||||||
%files -n libsss_sudo
|
%files -n libsss_sudo
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
||||||
%{_libdir}/libsss_sudo.so.*
|
%{_libdir}/libsss_sudo.so*
|
||||||
|
|
||||||
%files -n libsss_sudo-devel
|
%files -n libsss_sudo-devel
|
||||||
%doc libsss_sudo_doc/html
|
%doc libsss_sudo_doc/html
|
||||||
%{_includedir}/sss_sudo.h
|
%{_includedir}/sss_sudo.h
|
||||||
%{_libdir}/libsss_sudo.so
|
|
||||||
%{_libdir}/pkgconfig/libsss_sudo.pc
|
|
||||||
|
|
||||||
%files -n libsss_autofs
|
%files -n libsss_autofs
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
|
@ -395,15 +474,13 @@ A utility library to allow communication between Autofs and SSSD
|
||||||
%{_libdir}/sssd/modules/libsss_autofs.so*
|
%{_libdir}/sssd/modules/libsss_autofs.so*
|
||||||
|
|
||||||
%post
|
%post
|
||||||
/sbin/ldconfig
|
|
||||||
|
|
||||||
if [ $1 -ge 1 ] ; then
|
if [ $1 -ge 1 ] ; then
|
||||||
# Initial installation
|
# Initial installation
|
||||||
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
|
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
|
||||||
fi
|
fi
|
||||||
|
|
||||||
%preun
|
%preun
|
||||||
if [ $1 = 0 ]; then
|
if [ $1 -eq 0 ]; then
|
||||||
# Package removal, not upgrade
|
# Package removal, not upgrade
|
||||||
/bin/systemctl --no-reload disable sssd.service > /dev/null 2>&1 || :
|
/bin/systemctl --no-reload disable sssd.service > /dev/null 2>&1 || :
|
||||||
/bin/systemctl stop sssd.service > /dev/null 2>&1 || :
|
/bin/systemctl stop sssd.service > /dev/null 2>&1 || :
|
||||||
|
@ -423,11 +500,8 @@ fi
|
||||||
|
|
||||||
|
|
||||||
%postun
|
%postun
|
||||||
/sbin/ldconfig
|
|
||||||
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
|
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
|
||||||
if [ $1 -ge 1 ] ; then
|
if [ $1 -ge 1 ] ; then
|
||||||
# On upgrade, reload init system configuration if we changed unit files
|
|
||||||
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
|
|
||||||
/bin/systemctl try-restart sssd.service >/dev/null 2>&1 || :
|
/bin/systemctl try-restart sssd.service >/dev/null 2>&1 || :
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -439,7 +513,91 @@ fi
|
||||||
|
|
||||||
%postun -n libipa_hbac -p /sbin/ldconfig
|
%postun -n libipa_hbac -p /sbin/ldconfig
|
||||||
|
|
||||||
|
%post -n libsss_idmap -p /sbin/ldconfig
|
||||||
|
|
||||||
|
%postun -n libsss_idmap -p /sbin/ldconfig
|
||||||
|
|
||||||
|
%post -n libsss_sudo -p /sbin/ldconfig
|
||||||
|
|
||||||
|
%postun -n libsss_sudo -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Apr 23 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.9.5-1
|
||||||
|
- New upstream release 1.9.5
|
||||||
|
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.5
|
||||||
|
|
||||||
|
* Thu Mar 28 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.9.4-2
|
||||||
|
- autofs: return the correct number of maps to the client
|
||||||
|
|
||||||
|
* Mon Mar 25 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.9.4-1
|
||||||
|
- New upstream release 1.9.4
|
||||||
|
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.4
|
||||||
|
|
||||||
|
* Tue Jan 29 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.8.6-1
|
||||||
|
- New upstream release 1.8.6
|
||||||
|
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.6
|
||||||
|
|
||||||
|
* Sun Oct 07 2012 Jakub Hrozek <jhrozek@redhat.com> - 1.8.5-3
|
||||||
|
- Add autofs related options to the configAPI
|
||||||
|
- Resolves: #847845
|
||||||
|
|
||||||
|
* Sun Oct 07 2012 Jakub Hrozek <jhrozek@redhat.com> - 1.8.5-2
|
||||||
|
- Include the tarball in the sources
|
||||||
|
|
||||||
|
* Sun Oct 07 2012 Jakub Hrozek <jhrozek@redhat.com> - 1.8.5-1
|
||||||
|
- New upstream release 1.8.5
|
||||||
|
|
||||||
|
* Wed Jun 20 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.4-14
|
||||||
|
- Switch unicode library from libunistring to Glib
|
||||||
|
- Drop unnecessary explicit Requires on keyutils
|
||||||
|
- Guarantee that versioned Requires include the correct architecture
|
||||||
|
- Rebuild against newer libldb
|
||||||
|
|
||||||
|
* Wed Jun 13 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.4-13
|
||||||
|
- Fix several issues with the SSH key integration
|
||||||
|
- Fix for multilib issuss with libipa_hbac-devel and libsss_sudo-devel
|
||||||
|
- Resolves: rhbz#831411 - libipa_hbac-devel and libsss_sudo-devel multilib
|
||||||
|
conflicts
|
||||||
|
|
||||||
|
* Wed May 30 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.4-12
|
||||||
|
- New upstream release 1.8.4
|
||||||
|
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.4
|
||||||
|
- Fix a bug causing AD servers not to fail over properly when the KDC on the
|
||||||
|
primary server is down
|
||||||
|
- Fix an endianness bug on big-endian systems when looking up services
|
||||||
|
- Fix a segfault dealing with nested groups
|
||||||
|
- Make the nowait cache updates work for netgroups
|
||||||
|
- Fix a regression that broke domains with use_fully_qualified_names = True
|
||||||
|
- Correct package dependency versions to match installed arch
|
||||||
|
|
||||||
|
* Thu May 03 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.3-11
|
||||||
|
- New upstream release 1.8.3
|
||||||
|
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3
|
||||||
|
- Numerous manpage and translation updates
|
||||||
|
- LDAP: Handle situations where the RootDSE isn't available anonymously
|
||||||
|
- LDAP: Fix regression for users using non-standard LDAP attributes for user
|
||||||
|
information
|
||||||
|
|
||||||
|
* Mon Apr 09 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.2-10
|
||||||
|
- New upstream release 1.8.2
|
||||||
|
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2
|
||||||
|
- Several fixes to case-insensitive domain functions
|
||||||
|
- Fix for GSSAPI binds when the keytab contains unrelated principals
|
||||||
|
- Fixed several segfaults
|
||||||
|
- Workarounds added for LDAP servers with unreadable RootDSE
|
||||||
|
- SSH knownhostproxy will no longer enter an infinite loop preventing login
|
||||||
|
- The provided SYSV init script now starts SSSD earlier at startup and stops
|
||||||
|
it later during shutdown
|
||||||
|
- Assorted minor fixes for issues discovered by static analysis tools
|
||||||
|
|
||||||
|
* Mon Mar 26 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.1-9
|
||||||
|
- Don't duplicate libsss_autofs.so in two packages
|
||||||
|
- Set explicit package contents instead of globbing
|
||||||
|
|
||||||
|
* Wed Mar 21 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.1-8
|
||||||
|
- Fix uninitialized value bug causing crashes throughout the code
|
||||||
|
- Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup
|
||||||
|
|
||||||
* Mon Mar 12 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.1-7
|
* Mon Mar 12 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.1-7
|
||||||
- New upstream release 1.8.1
|
- New upstream release 1.8.1
|
||||||
- Resolve issue where we could enter an infinite loop trying to connect to an
|
- Resolve issue where we could enter an infinite loop trying to connect to an
|
||||||
|
|
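Review bot: Dropping `Patch1001: FED01-Change-Kerberos-credential-cache-default-loca.patch` in the `### Patches ###` hunk removes the downstream change that moved the default `krb5_ccachedir` from `/tmp` to `/run/user/%u`. That patch's own description justifies the move with improved security, yet neither the visible `%configure` flags nor the new `%changelog` entries say what replaces it. If upstream 1.9.5 does not already default to a per-user directory, credential caches would fall back to the shared `/tmp` location. Please confirm the 1.9.5 default and record the decision in the changelog, for example `- Drop FED01 ccache location patch; default now provided by <mechanism>` (placeholder). One line of the configure invocation sits between the two configure hunks and is not shown, so the setting may already be there.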