[PATCH] LDAP: Setup periodic task only once.
by Lukas Slebodnik
ehlo,
If id provider is {ipa, ad}, the periodic task will be started in sssm_{ipa,ad}_init.
If you enable enumeration and use different providers for id and sudo (autofs),
then another periodic task will be scheduled.
This can cause weird behaviour (e.g. missing members of group).
I provided test package to reporter of bug #2153 with attached patch
(actually it was a patch for the 1.9 branch). I was not able to reproduce the problem
with missing groups. Thus I was waiting for a response from the customer.
But it will be better to do a (pre-)review of the patch.
I am also attaching part of the log file. You can notice that two enumerations are
started; the difference is only a few milliseconds.
LS
10 years, 1 month
[PATCH] IPA: Use function sysdb_attrs_get_el in safe way
by Lukas Slebodnik
ehlo,
The intention of ticket #2284 was to refactor the function sysdb_attrs_get_el.
This would be a big change and it would not be easy to backport the patch
to the branch sssd-1-11. The attached patch fixes the problem in a simple way
and the patch can be easily applied on top of branch sssd-1-11.
The function sysdb_attrs_get_el can enlarge the array of ldb_message_element in "struct
sysdb_attrs" if the attribute is not among the available attributes. The array will be
enlarged with the function talloc_realloc, but realloc can move the array to another
place in memory; therefore an ldb_message_element should not be used after the next
call of the function sysdb_attrs_get_el.
sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_USER, &user_found);
sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_HOST, &host_found);
With netgroups, it is common to omit the user or host from the netgroup triple.
There is a very high probability that realloc will be called. It is possible that
the pointer user_found refers to the old area after the second call of the function
sysdb_attrs_get_el.
Resolves:
https://fedorahosted.org/sssd/ticket/2284
How to test?
sh-4.2$ getent netgroup netgroup_user1
netgroup_user2 (-,usersssd01,example.com)
and run the backend with valgrind
Result:
--without patch: there are errors like in description of ticket
https://fedorahosted.org/sssd/ticket/2284
--with patch: errors are gone
LS
10 years, 1 month
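The realloc hazard described in the mail above, as an added example that is not sssd's code: a minimal stand-in for sysdb_attrs_get_el with the same append-on-miss behaviour, and a caller that consumes each element before the next lookup, which is the safe pattern the mail argues for. The struct layout and attribute names are assumed.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for struct sysdb_attrs / ldb_message_element and the
 * SYSDB_ORIG_MEMBER_* names; assumed here, not sssd's real definitions. */
#define ATTR_USER "originalMemberUser"
#define ATTR_HOST "originalMemberHost"
struct element { const char *name; unsigned num_values; };
struct attrs   { struct element *el; size_t num; };
/* Like the sysdb_attrs_get_el described in the mail: returns a pointer into
 * the element array, appending an empty element via realloc when the attribute
 * is absent. realloc may move the array, so any earlier pointer can go stale. */
static int attrs_get_el(struct attrs *s, const char *name, struct element **out)
{
    for (size_t i = 0; i < s->num; i++) {
        if (strcmp(s->el[i].name, name) == 0) { *out = &s->el[i]; return 0; }
    }
    struct element *grown = realloc(s->el, (s->num + 1) * sizeof *grown);
    if (grown == NULL) return -1;
    s->el = grown;
    grown[s->num].name = name;
    grown[s->num].num_values = 0;
    *out = &grown[s->num++];
    return 0;
}

/* Safe usage: copy what is needed out of each element before the next
 * attrs_get_el call; never hold the array pointer across it. Returns a bitmask
 * (1 = user member present, 2 = host member present) or -1 on failure. */
static int netgroup_member_kinds(struct attrs *ng)
{
    struct element *e;
    if (attrs_get_el(ng, ATTR_USER, &e) != 0) return -1;
    unsigned users = e->num_values;   /* read now; e may be stale after the next call */
    if (attrs_get_el(ng, ATTR_HOST, &e) != 0) return -1;
    unsigned hosts = e->num_values;   /* fresh pointer obtained after any realloc */
    return (users > 0 ? 1 : 0) | (hosts > 0 ? 2 : 0);
}
/* Constructed netgroup with the given member counts (an omitted triple part is
 * simply an absent attribute), classified by the safe routine above. */
static int kinds_for(unsigned users, unsigned hosts)
{
    struct attrs ng = { NULL, 0 };
    struct element *e;
    if (users > 0 && attrs_get_el(&ng, ATTR_USER, &e) == 0) e->num_values = users;
    if (hosts > 0 && attrs_get_el(&ng, ATTR_HOST, &e) == 0) e->num_values = hosts;
    int kinds = netgroup_member_kinds(&ng);
    free(ng.el);
    return kinds;
}
```

Running the same caller under valgrind with the user pointer held across the second call is the check the mail describes; the version here keeps only the copied counts, so there is no stale pointer to trip on.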
[PATCH] KRB5: Do not attempt to get a TGT after a password change using OTP
by Jakub Hrozek
Hi,
the attached patch fixes #2271. Kindly see the patch and the commit
message for more details.
I tested password change w/o OTPs to make sure we don't regress and also
with TOTP. I tested both expired passwords and password change via PAM. HOTP
currently doesn't work because of another bug.
10 years, 1 month
Ldap question: How to quickly see changes to a user's group list.
by Mark London
Hi - We are running an LDAP server on a Windows box. We have a need for our Linux clients to be able to quickly see
modifications we make to a user's account, i.e. adding a group to an account. The only way that I've found to be able to
do this, is to set ldap_enumeration_refresh_timeout to a small amount of time. Is there a better way to do this (that
uses less cpu)? Thanks. - Mark
10 years, 1 month
[PATCH] krb5-child: add revert_changepw_options()
by Sumit Bose
Hi,
a recent patch unified the usage of the krb5_get_init_creds_opt options
to make sure the same set of FAST related options is used for
authentication and password changes. Before changing the password some
options were set to special values but were not reverted before
requesting a new TGT with the new password. As a result the new TGT will
have some unexpected options set or the request might even fail.
This patch set resets the password change related options to their
original values before requesting the new TGT.
The first two patches are just refactorings which are required to keep
the third patch simple.
bye,
Sumit
10 years, 1 month
[PATCH] SYSV: Do not call functions success and fail itself
by Lukas Slebodnik
ehlo,
The bash function daemon will call success or failure itself. It is useless to call them
one more time. It may cause strange behaviour with some configurations of
the terminal.
# service sssd restart
Stopping sssd: [ OK ]
[ OK ] sssd: [ OK ]
Resolves:
https://fedorahosted.org/sssd/ticket/2280
sh-4.1# grep -Rn daemon /etc/init.d/ | grep failure
/etc/init.d/sssd:46: daemon $SSSD -f -D && success || failure
sh-4.1# grep -Rn daemon /etc/init.d/ | grep success
/etc/init.d/sssd:46: daemon $SSSD -f -D && success || failure
sh-4.1# ls -1 /etc/init.d/ | wc -l
57
A simple patch is attached.
LS
10 years, 1 month