Hello all FreeIPA users and enthusiasts!
I would like to invite everyone to try our new public FreeIPA demo instance
running on Red Hat OpenStack platform:
The demo will always hold the latest stable version of FreeIPA or a Beta
version of the next major release (e.g. when 4.0 Beta is available).
The demo is great for:
* Testing changes and enhancements in the most recent CLI/Web UI/API
* Testing integration in the OS - FreeIPA clients can be enrolled
* Testing web applications with LDAP/Kerberos authentication and advanced
integration with FreeIPA
You can read all the details on the page referred to above.
Martin Kosek <mkosek(a)redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
=== SSSD 1.11.6 ===
The SSSD team is proud to announce the release of version 1.11.6 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 19 and 20 shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
== Highlights ==
* This release focuses on delivering bug fixes and a subset of the DBus
interface from 1.12.
* A new responder, called InfoPipe, was added. This responder provides a
public D-Bus interface accessible over the system bus. In this release,
only methods for retrieving user attributes and the list of groups were
added. The full interface is being developed in the 1.12 series. The
primary consumers of this interface subset are Apache modules such as
mod_lookup_identity or mod_intercept_form_submit.
* Fixed a bug in the AD responder that caused crashes when authenticating
as a user from a trusted domain to a system enrolled to a trusted
domain other than the forest root.
* A potential crash on timeout in the autofs client library was fixed.
* Several patches that improve the portability of SSSD, especially with
regard to BSD systems, have been included.
== Packaging Changes ==
* The InfoPipe responder is packaged in its own subpackage
== Documentation Changes ==
* The new InfoPipe responder has several configuration options. Refer to
the sssd-ifp manual page for details.
* The LDAP provider has a new option ldap_user_extra_attrs that enables the
administrator to extend the map of attributes downloaded when looking up
a user. These custom attributes can then be retrieved with the new DBus API.
* A new pam_sss option ignore_authinfo_unavail was added. Setting this
option makes pam_sss return PAM_IGNORE when SSSD is not running instead
of PAM_AUTHINFO_UNAVAIL. This option is mostly useful for BSD systems.
== Tickets Fixed ==
[RFE] Allow sssd to replace macro (ie. %H) with value specified in
refresh_expired_interval man page doc is not clear
In sssd.conf, setting "ldap_group_nesting_level = 0" does not appear
SSSD Crashes when storage experiences high latency
Fails to start in interactive mode when stdin isn't a pts device
segfault in sssd_be when cross forest users are queried
Expanding home directory fails when the request comes from the PAC
Simple access fails to look up primary group when using sssd-ad until
running the id command.
== Detailed Changelog ==
Alexander Bokovoy (1):
* ipa subdomains provider: make sure search by SID works for homedir
Benjamin Franzke (1):
* BUILD: Link libsss_krb5_common.so to libkeyutils.so
Jakub Hrozek (36):
* Updating the version for the 1.11.6 development
* LDAP: Check the LDAP handle before using it
* AD: Do not remove non-root domains when looking up root domain
* Remove duplicate declaration
* UTIL: Move sss_parse_name_for_domains declaration to util.h
* IFP: Fix a typo in the Makefile
* IFP: Re-add the InfoPipe server
* IFP: Connect to the system bus
* TESTS: Create a default sss_names_ctx in create_dom_test_ctx
* TESTS: Split a separate common_mock_resp_dp module
* RESPONDERS: Add a new request sss_parse_inp_send
* LDAP: Fix off-by-one bug in sdap_copy_opts
* LDAP: Make it possible to extend an attribute map
* AD: Initialize user_map_cnt in server mode
* Add a unit test for sss_parse_name_for_domains
* SBUS: Generate introspection from the interface meta structure
* SBUS: Create an sbus_method_meta instance for Introspection
* IFP: Close memstream handle in introspect destructor
* SBUS: several trivial style fixes
* SBUS: Fix error handling condition
* SBUS: Add a convenience function sbus_error_new
* SBUS: Split out dbus_conn_send
* SBUS: Add SBUS_CONN_TYPE_SYSBUS
* SBUS: Add an async request to retrieve the caller ID
* SBUS: Refactor sbus_message_handler to retrieve caller ID
* IFP: Add utility functions
* IFP: use a list of allowed_uids for authentication
* IFP: Initialize negative cache timeout
* IFP: Add GetUserAttrs call
* IFP: Per-attribute ACL for users
* SYSDB: return SYSDB_NAME from sysdb_initgroups
* IFP: Add a GetGroupsList method
* MAN: Add sssd-ifp to the list of translatable manual pages
* BUILD: Disable dbus tests when running distcheck
* Updating the translations for the 1.11.6 release
* Updating the translations again for the 1.11.6 release
Lukas Slebodnik (38):
* AUTOMAKE: Do not include generated files into tarball
* UTIL: Use constant instead of value for stdin.
* MONITOR: Fix start up with empty standard input
* BUILD: Make samba4 libraries optional
* BUILD: Explicitly link libsss_ad.so with sasl libs
* sss_autofs: Check return value of autofs make request
* sss_autofs: Do not try to free empty autofs context
* man: Substitute entity values for entity references
* TEST: Some macros aren't defined in older version of check.
* TEST: Link ipa_ldap_opt test with openldap libs
* UTIL: Add function sss_parse_name_const
* NSS: Refactor expand_homedir_template
* NSS: Add option to expand homedir template format
* TEST: Add test for expand homedir
* SPEC: Remove duplicate sssd_ifp.
* SBUS: Fix warning declaration shadows a global declaration
* Remove unused parameter from ifp_user_get_attr_handle_reply
* Remove unused parameter from ifp_user_get_groups_reply
* resolv: Do not try to free addrinfo in case of error
* CONFIGURE: Remove duplicate detection of pam
* CRYPTO: Use unprefixed version of function stpncpy
* PAM: macro PAM_DATA_REPLACE isn't available in openpam.
* PAM: Fix problem with missing declaration.
* UTIL: Fix order of header files.
* LDAP: Don't use macro _XOPEN_SOURCE for extra features
* PAM: add ignore_authinfo_unavail option
* SDAP: Use portable constant as level in setsockopt
* PAM: Include header file security/pam_appl.h
* MAKE: Remove PAM libraries from libsss_simple
* CONFIGURE: Enhance detection of pam
* PAM: Fix compilation of pam_test_client with openpam
* PAM: Use fallback version of some pam macros
* PAM: Define compatible macros for some functions.
* SBUS: Define DBUS_ERROR_INIT for old version of dbus
* SBUS: Include config.h for enabling function in stdio.h
* Unify usage of function gethostname
* MAN: Add reference to manual page sssd-sudo
* KRB: Prevent dereference of a null pointer
Nikolai Kondrashov (12):
* Add cscope inverted index files to .gitignore
* Move DEBUG macro body to debug_fn
* Remove extra flushing from debug message output
* Cleanup debug_fn
* Make DEBUG macro definition variadic
* Make DEBUG macro invocations variadic
* Fixup DEBUG macro invocations update
* Update DEBUG* invocations to use new levels
* Update debug levels in sss_semanage_error_callback
* Update debug level in sysdb_check_upgrade_02
* Remove DEBUG macro support for old debug levels
* build: Switch to AM_DISTCHECK_CONFIGURE_FLAGS
Pavel Březina (6):
* man: clarify refresh_expired_interval
* IFP: do not create client socket
* tests: add confdb_path to sss_test_ctx
* sbus_tests: fix missing invoker in initializer
* sbus request: fix error initialization
* SBUS: remove unused variables
Pavel Reichl (10):
* SDAP: augmented logging for group saving
* AD Provider: bug-fix uninitialized variable
* AD Provider: bugfix use-after-free
* SYSDB: augmented logging when adding new group
* LDAP: fix - find primary group by gid
* MAN: Detailed ldap_group_nesting_level option
* SDAP: Make nesting_level = 0 to ignore nested groups
* SDAP: Add option to disable use of Token-Groups
* refactor calls of sss_parse_name
* TEST: Remove unused variable
Stef Walter (13):
* sbus: Add meta data structures and code generator
* sbus: Add sbus_vtable and update codegen to support it
* nss: Stop using one DBus interface with totally different methods
* sbus: Rework sbus to use interface metadata and vtables
* sbus: Generate constants from interface definitions
* sbus: Use constants to make dbus calls
* sbus: Add struct sbus_request to represent a DBus invocation
* sbus: Refactor how we export DBus interfaces
* sbus: Make sbus_new_server() work for non-privileged processes
* sbus_tests: Add some testing of dispatch and handler code
* sbus: Add the sbus_request_parse_or_finish() method
* sbus: Add type-safe DBus method handlers and finish functions
* sbus_codegen_tests: Add test case type-safe handler args
Sumit Bose (1):
* Make LDAP extra attributes available to IPA and AD
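An added configuration example, not part of the announcement and not SSSD's own documentation, that wires the three new pieces described in the highlights together: the ifp responder, ldap_user_extra_attrs, and the per-attribute ACL of the InfoPipe. The domain name, LDAP host, the user "alice", the attribute names and the UIDs are assumptions for illustration; the option names are those of sssd-ifp(5) and sssd-ldap(5), and the D-Bus method names in the trailing comment are those used by mod_lookup_identity and should be checked against the sssd-ifp man page shipped with your build.

```ini
# Added example sssd.conf (not from the announcement). Assumptions:
# domain example.com, server ldap.example.com, web server running as
# "apache", extra attributes mail and telephoneNumber.
[sssd]
domains = example.com
# The InfoPipe is a separate responder (and a separate subpackage);
# it only starts if it is listed here like nss and pam.
services = nss, pam, ifp

[domain/example.com]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# Extend the user attribute map. Without this the attribute is never
# downloaded, so the D-Bus call below has nothing to return for it.
# Plain LDAP names, or "cache_name:ldap_name" to rename on the way in.
ldap_user_extra_attrs = mail, telephoneNumber

[ifp]
# Local UIDs (or user names, resolved at startup) that may call the
# interface. Setting this REPLACES the default of "0": list 0 explicitly
# or root loses access too.
allowed_uids = apache, 0
# Per-attribute ACL. The default set is the getpwnam(3) set (name,
# uidNumber, gidNumber, gecos, homeDirectory, loginShell); "+" adds an
# attribute to it, "-" removes one. An attribute must pass BOTH this
# list and ldap_user_extra_attrs above to be visible over D-Bus.
user_attributes = +mail, +telephoneNumber, -gecos

# Check from a shell as a UID in allowed_uids (system bus, so the
# connection is authenticated by kernel-reported peer credentials):
#   dbus-send --print-reply --system \
#     --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe \
#     org.freedesktop.sssd.infopipe.GetUserAttr string:alice array:string:mail
#   dbus-send --print-reply --system \
#     --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe \
#     org.freedesktop.sssd.infopipe.GetUserGroups string:alice
```

Two gates apply to every attribute requested over the bus: the domain's attribute map decides whether it is cached at all, and user_attributes decides whether the InfoPipe will hand it out. A caller whose UID is not in allowed_uids is refused regardless of the attribute, which is the check to run first when a web module reports an empty or denied lookup.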
We're using SSSD in combination with Active Directory and have received
complaints from users about a corner case in our setup.
Our AD servers are only reachable from within our corporate network,
connection attempts from the outside are dropped by firewalls. This
leads to the following scenario:
- user takes machine (e.g. laptop) outside the corporate network
- user tries to authenticate (or in some cases also tries to "ls" which
causes uid/gid lookup)
- sssd will try to reach the configured servers for up to 30s
- sssd goes (back) into offline mode and uses cached credentials and
authenticates the user
This will however NOT happen if sssd gets told by the IP stack that a
connection to the target IP is not possible (e.g. "ip route add
blackhole 192.0.2.23/32" or one of the routers along the way generates
an ICMP unreachable). In such cases sssd will go immediately into
offline mode and use cached credentials.
I'm aware that this is overall sensible behaviour, but what I would
hope to fine-tune is how sssd stays in offline mode. Currently it seems
like it will leave offline mode when it tries to reconnect (hardcoded
30s?). That leads to a flip-flop scenario where it seems to be 30s
offline and 30s "online/connecting", and users have a fairly high chance
of hitting a time during which their authentication will seemingly stall.
So my question is:
Is there a better way to deal with this in the sssd context?
If not, we'll probably have to implement separate connection checking and
inject and remove blackhole routes accordingly. Not the nicest of
workarounds in my book.
PS: We're using sssd on many distributions, but our main distro at the
moment is Ubuntu 12.04 with sssd 1.8.6, and we'll be rolling out 14.04 in
addition, which has sssd 1.11.3.
> On 06/02/2014 07:51 AM, John Hodrien wrote:
> > On Mon, 2 Jun 2014, Stephen Gallagher wrote:
> >> This is the real problem. If SSSD can route to the IP address,
> >> then we have to proceed assuming that the LDAP server should be
> >> available (thereby attempting to connect to it and perform
> >> online authentication). There's really no way to determine ahead
> >> of time whether the service is "supposed" to be available.
> >> You may want to play with the option 'ldap_opt_timeout' (see
> >> sssd-ldap(5)). It controls how long the OpenLDAP client libraries
> >> will wait for a response (in your case, how long it will wait
> >> while the packets are dropped; it defaults to 6s).
> > This should be a one off hit though, right? If I discover the
> > LDAP server is offline, I should remember this, admittedly recheck
> > periodically, but never cause another delay waiting for it to
> > spring back into life. Given the way some of these laptops are
> > used, I'd even quite like to configure it to default to this
> > state.
> > When I last tried this (which was a while ago) these delays would
> > happen repeatedly, so the setup was unusable, and I had to ditch
> > sssd on the laptop.
> Well, in most common cases, the LDAP server is unresolvable when not
> on the VPN/inside the network, so SSSD immediately detects that it
> can't get there and the delay is unnoticeable.
> It's those cases where the server is addressable but unresponsive that
> are much harder to handle.
> Right now, we have a two-minute sleep between operations trying to go
> online again. (I think I saw a patch go in for 1.12 that makes this
> configurable). That's mostly so that we catch cases where you've
> connected to the VPN but for one reason or another SSSD doesn't get
> notified that the network state changed (there are lots of edge-cases
> that cause this).
I am not 100% sure that the LDAP server being unresponsive is the
cause... Once I have the logs I will know more!
But isn't this a design flaw of the LDAP connectivity test?
If connectivity is tested only after some application or the system
requests information from SSSD and the server is unresponsive, this
causes a long and unpleasant delay if the request is kept pending until
the connection times out.
Hence, I'd suggest that SSSD periodically tests the LDAP connection in
the background (or after network state change) *without* an actual
request triggering this. As long as the LDAP server is unreachable or
unresponsive, SSSD should stay in offline mode and answer requests right
away with cached results.