c0971b7e39
- Resolves: upstream#3821 - crash related to sbus_router_destructor() - Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref - Resolves: upstream#3819 - sssd only sets the SELinux login context if it differs from the default - Resolves: upstream#3807 - The sbus codegen script relies on "python" which might not be available on all distributions - Resolves: upstream#3820 - sudo: search with lower cased name for case insensitive domains - Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. - Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort startup - Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication - Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup - Resolves: upstream#3826 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated - Resolves: upstream#3827 - SSSD should log to syslog if a domain is not started due to a misconfiguration - Resolves: upstream#3830 - Printing incorrect information about domain with sssctl utility - Resolves: upstream#3489 - p11_child should work wit openssl1.0+ - Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary changes in nsswitch.conf - Resovles: upstream#3650 - RFE: Require smartcard authentication - Resolves: upstream#3334 - sssctl config-check does not check any special characters in domain name of domain section - Resolves: upstream#3849 - Files: The files provider always enumerates which causes duplicate when running getent passwd - Related: upstream#3855 - session not recording for local user when groups defined - Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb - Related: upstream#3493 - Remove the pysss.local interface
From 9fdc5f1d87a133885e6a22810a7eb980c60dcb55 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 9 Jul 2018 18:45:21 +0200
Subject: [PATCH 29/83] responder: make sure SSS_DP_CERT is passed to files
provider
Currently the files provider is only contacted once in a while to update
the full cache with fresh data from the passwd file. To allow rule based
certificate mapping the lookup by certificate request must be always
sent to the files provider so that it can evaluate the rules and add the
certificate to cached entry of the matching user.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/common/responder_dp.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
index 878aa1d..39f0f20 100644
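--- a/src/responder/common/responder_dp.c
+++ b/src/responder/common/responder_dp.c
@@ -34,15 +34,17 @@ sss_dp_account_files_params(struct sss_domain_info *dom,
 enum sss_dp_acct_type *_type_out,
 const char **_opt_name_out)
 {
- if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {
+ if (type_in != SSS_DP_CERT) {
+ if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "The entries in the files domain are up-to-date\n");
+ return EOK;
+ }
+
 DEBUG(SSSDBG_TRACE_INTERNAL,
- "The entries in the files domain are up-to-date\n");
- return EOK;
+ "Domain files is not consistent, issuing update\n");
 }
 
- DEBUG(SSSDBG_TRACE_INTERNAL,
- "Domain files is not consistent, issuing update\n");
-
 switch(type_in) {
 case SSS_DP_USER:
 case SSS_DP_GROUP:
@@ -56,12 +58,16 @@ sss_dp_account_files_params(struct sss_domain_info *dom,
 *_type_out = type_in;
 *_opt_name_out = DP_REQ_OPT_FILES_INITGR;
 return EAGAIN;
+ case SSS_DP_CERT:
+ /* Let the backend handle certificate mapping for local users */
+ *_type_out = type_in;
+ *_opt_name_out = opt_name_in;
+ return EAGAIN;
 /* These are not handled by the files provider, just fall back */
 case SSS_DP_NETGR:
 case SSS_DP_SERVICES:
 case SSS_DP_SECID:
 case SSS_DP_USER_AND_GROUP:
- case SSS_DP_CERT:
 case SSS_DP_WILDCARD_USER:
 case SSS_DP_WILDCARD_GROUP:
 return EOK;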
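Review bot: The new `case SSS_DP_CERT:` branch in the second hunk forwards `opt_name_in` to the backend unchanged, whereas the branch just above it substitutes the fixed `DP_REQ_OPT_FILES_INITGR`; since this value now reaches the files provider on every certificate lookup, it is worth confirming that callers never pass NULL here and documenting what the option carries. The branch also returns without any trace output, unlike both paths in the first hunk, so a forwarded certificate request cannot be told apart in the logs on an authentication-relevant path; a line such as `DEBUG(SSSDBG_TRACE_INTERNAL, "Forwarding certificate lookup to the files provider\n");` before `return EAGAIN;` would close that gap. Because the first hunk skips the `DOM_INCONSISTENT` shortcut for this type, a comment above `if (type_in != SSS_DP_CERT)` stating why (the backend must evaluate the mapping rules on each request) would keep the reasoning next to the code rather than only in the commit message. The function's full signature and the branches between the two hunks lie outside the visible lines, so the NULL concern is inferred rather than confirmed.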
--
2.9.5