November 2011 - sssd-devel - Fedora Mailing-Lists

[PATCH] Providers cleanup: Remove unused parameters

by Jakub Hrozek

During the nested initgroups processing review, Jan requested removing unused "dom" parameter from the code. Instead of doing it on that one place, I compiled SSSD with -Wunused and cleaned up unused parameters in the providers code. It's mostly sss_domain_info no longer needed because of the sysdb refactoring. The patch brings no functional change, it's just cleanup.

12 years, 5 months

2
5
0 / 0

[PATCH] Fixed unchecked value of setenv() in check_and_export_options()

by Jan Zelený

https://fedorahosted.org/sssd/ticket/1080 Thanks Jan

12 years, 5 months

2
2
0 / 0

[PATCH] SYSDB: Make ENOENT log messages less threatening

by Stephen Gallagher

Previously, they were reported with the prefix "Error:" which caused confusion among end-users while debugging.

12 years, 5 months

2
2
0 / 0

LDAPS Connection error

by sssd help

Hi List, Any help here would be appreciated. We've been using SSSD (1.2) on RHEL6 for a while without issue. We are trying to make the move to RHEL6.1 and newer packages of SSSD (1.5.1) and we are running into some problems. For some reason the client doesnt seem to want to connect to our ldap server using LDAPS. See the following log output: (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [sdap_id_op_connect_step] (9): beginning to connect (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [fo_resolve_service_send] (4): Trying to resolve service 'LDAP' (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [get_server_status] (7): Status of server 'ldap.example.com' is 'name not resolved' (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [get_server_status] (4): Hostname resolution expired, reseting the server status of 'ldap.example.com ' (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [set_server_common_status] (4): Marking server 'ldap.example.com' as 'name not resolved' (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [get_port_status] (7): Port status of port 636 for server 'ldap.example.com' is 'neutral' (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [get_server_status] (7): Status of server 'ldap.example.com' is 'name not resolved' (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [resolv_gethostbyname_send] (4): Trying to resolve A record of 'ldap.example.com' (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [schedule_timeout_watcher] (9): Scheduling DNS timeout watcher (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [set_server_common_status] (4): Marking server 'ldap.example.com' as 'resolving name' (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [unschedule_timeout_watcher] (9): Unscheduling DNS timeout watcher (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [set_server_common_status] (4): Marking server 'ldap.example.com' as 'name resolved' (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [be_resolve_server_done] (4): Found address for server ldap.example.com: [10.17.8.103] (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [sdap_uri_callback] (6): Constructed uri 'ldaps://ldap.example.com/' (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [sdap_get_rootdse_send] (9): Getting rootdse (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [sdap_get_generic_send] (6): calling ldap_search_ext with [(objectclass=*)][]. (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [sdap_get_generic_send] (7): Requesting attrs: [*] (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [sdap_get_generic_send] (7): Requesting attrs: [altServer] (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [sdap_get_generic_send] (7): Requesting attrs: [namingContexts] (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [sdap_get_generic_send] (7): Requesting attrs: [supportedControl] (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [sdap_get_generic_send] (7): Requesting attrs: [supportedExtension] (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [sdap_get_generic_send] (7): Requesting attrs: [supportedFeatures] (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [sdap_get_generic_send] (7): Requesting attrs: [supportedLDAPVersion] (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [sdap_get_generic_send] (7): Requesting attrs: [supportedSASLMechanisms] (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [sdap_get_generic_send] (7): Requesting attrs: [defaultNamingContext] (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [sdap_get_generic_send] (7): Requesting attrs: [lastUSN] (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [sdap_get_generic_send] (7): Requesting attrs: [highestCommittedUSN] (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [sdap_ldap_connect_callback_add] (9): New LDAP connection to [ldaps:// ldap.example.com:636] with fd [25]. (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [sdap_get_generic_send] (3): ldap_search_ext failed: Can't contact LDAP server (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [sdap_get_generic_send] (3): Connection error: (null) (Mon Nov 21 17:07:58 2011) [sssd[be[default]]] [fo_set_port_status] (4): Marking port 636 of server 'ldap.example.com' as 'not working' Please also see the following sssd.conf: [sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss, pam #services = pam domains = default [nss] filter_groups = root filter_users = root reconnection_retries = 3 [pam] reconnection_retries = 3 [domain/default] ldap_tls_reqcert = never auth_provider = ldap ldap_id_use_start_tls = False chpass_provider = ldap enumerate = True cache_credentials = True ldap_group_search_base = ou=posixGroups,dc=example,dc=com ldap_user_search_base = ou=People,dc=example,dc=com ldap_default_authtok_type = password ldap_search_base = dc=example,dc=com debug_level = 20 id_provider = ldap ldap_default_bind_dn = uid=binduser,ou=Special Users,dc=example,dc=com ldap_user_gecos = cn ldap_uri = ldaps://ldap.example.com/ ldap_default_authtok = password ldap_tls_cacertdir = /etc/ssl/certs This is the very same config we use on RHEL6 with sssd 1.2. I also tried porting the older sssd build onto this machine and got the same results. Please note that TLS is not an option in our case because we are performing an ssl offload on a hardware load balancer that cannot handle TLS. This mailing list has been extremely helpful in the past and i hope it is so again. Thank you Brandon

12 years, 5 months

4
4
0 / 0

SSSD (another) wish-list

by Ondrej Valousek

Hi list, Currently, we are using Centrify for Linux&AD integration so I was thinking we could soon save some $$$ and use sssd for the same purpose. There is still one thing (among others to which a RFEs have already been submitted) I am missing: Would it be possible for sssd to maintain the OperatingSystem attribute in AD updated? I know that IPA uses quite minimalistic LDAP schema so it is pity that it does not have any such an attribute, but if it had (comments needed), the same code could be used for IPA and AD domains. I am asking for auditing purposes - currently with Centrify it is easy to query AD just for OperatingSystem attribute and one can immediately see which OSes have been installed in the company. Many thanks, Ondrej

12 years, 5 months

6
23
0 / 0

[PATCH] Fix FTBFS related to -Werror=format-security

by Stephen Gallagher

Patch provided by Krzysztof Klimonda <kklimonda(a)ubuntu.com> Fixes https://fedorahosted.org/sssd/ticket/1094 Ack and pushed to master, sssd-1-6 and sssd-1-5.

12 years, 5 months

1
0
0 / 0

[PATCH] Prevent printing NULL in several places of LDAP provider

by Jakub Hrozek

I've seen several "(null)"s being printed when I was testing the IPA password migrations. The attached patch sanitizes them.

12 years, 5 months

2
2
0 / 0

[PATCH] RESPONDER: Ensure that all input strings are valid UTF-8

by Stephen Gallagher

Fixes https://fedorahosted.org/sssd/ticket/1088

12 years, 5 months

3
8
0 / 0

[PATCH] Add ipa_hbac_support_srchost option to IPA provider

by Jan Zelený

don't fetch all host groups if this option is false https://fedorahosted.org/sssd/ticket/1078 I was also thinking of reducing the number of host groups, but that seemed to be redundant, since the number of host groups is usually not that high and the complexity of fetching only relevant groups doesn't seem worth it. Jan

12 years, 5 months

2
2
0 / 0

sssd can't get shadow information from ldap

by Aziz Sasmaz

Hi, sssd can't get shadow info from ldap. When I type getent passwd it shows pass section as * not as "x" As passwd (5) ; If the encrypted password is set to an asterisk, the user will be unable to login using login. Can sssd get shadow information from ldap. Is it possible to cache authentication when we use ldap/shadow ? nlastname1:*:1094:1004:Name Lastname:/home/user1:/bin/bash nlastname2:*:1025:501:otemli:/home/user2:/bin/sh nlastname3:*:1040:1009:Name Lastname:/home/user3:/bin/bash splunk:*:1116:1025:Splunk Server:/opt/splunkforwarder:/bin/bash my sssd.conf file: [sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss, pam domains = ldap.jazzythemartian.com [nss] filter_groups = root filter_users = root reconnection_retries = 3 [pam] [domain/ldap.jazzythemartian.com] id_provider = ldap auth_provider = ldap chpass_provider = ldap access_provider = ldap ldap_schema = rfc2307 ldap_uri = ldaps://ldaptest.jazzythemartian.com ldap_search_base = dc=jazzythemartian,dc=com ldap_tls_reqcert = allow cache_credentials = true enumerate = true entry_cache_timeout = 5400 ldap_pwd_policy = shadow ldap_user_gecos = uid My system-auth file: auth required pam_env.so auth sufficient pam_sss.so use_first_pass auth sufficient pam_ldap.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so account required pam_unix.so account [default=bad success=ok user_unknown=ignore] pam_sss.so account sufficient pam_ldap.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so #password requisite pam_cracklib.so try_first_pass retry=3 password required pam_passwdqc.so enforce=users min=disabled,16,12,8,6 password sufficient pam_sss.so use_authtok password sufficient pam_ldap.so use_authtok password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022 session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session sufficient pam_sss.so session required pam_unix.so session sufficient pam_ldap.so Thanks, AS

12 years, 5 months

4
9
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel November 2011