<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.linux.redhat.sssd.devel">
    <title>gmane.linux.redhat.sssd.devel</title>
    <link>http://blog.gmane.org/gmane.linux.redhat.sssd.devel</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9686"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9669"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9668"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9666"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9656"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9652"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9645"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9643"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9638"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9636"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9627"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9625"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9619"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9613"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9605"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9604"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9603"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9602"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9595"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9594"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9686">
    <title>ldap_access_filter being ignored?</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9686</link>
    <description>&lt;pre&gt;Hello,

I've set up OpenLDAP with PAM.  Problem is, I needed name differentiation,
which sssd offers.

I've since migrated one of the two servers (I'm using replication) to
authenticate PAM using sssd.

I -can- log in just fine.  One problem:  the ldap_access_filter is being
ignored.  I set it up to filter only to members of a certain group, and
it's just plain letting anyone log in if they're a user and have the
correct password for the account.

I've implemented memberOf as an overlay on the master and shadow LDAP
servers.  I've even just totally purged and rebuilt the LDAP database from
original sources, based on something I read that said that if you implement
memberOf, it won't retroactively affect old accounts and groups.  Still no
good.

I am -beyond- frustrated with this, and need it to work.  I'm working with
an OpenSuSE 11.4 box, but I took out their old 1.4 version of sssd and put
in the latest 1.8.3 yesterday.  So I'm working with the latest production
release.

One of the things that bothers me most is that the filter is present, but
even though it should be failing, it is letting anyone in.  That makes no
sense to me.  It looks like sssd was meant to err on the side of caution,
not permissiveness.  That's why I don't understand why it's letting in just
anyone it finds, even if the filter fails.  I even tried writing a
completely ridiculous filter that should never ever work (non-existent
group)...the users can still log in.

Any help I can get at this point would be hugely appreciated.  Let me know
what you might need in terms of seeing configuration.  I'll include the
relevant sssd section here [for confidentiality purposes, I changed my
client's domain name to my domain name, but everything else is accurate]:

[domain/fairlite.com]
access_provider = ldap
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://oh11.fairlite.com
ldap_search_base = dc=fairlite,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/oh11.fairlite.com-CA.crt
cache_credentials = false
enumerate = true
ldap_access_filter = memberOf=cn=oh11,ou=Group,dc=fairlite,dc=com
ldap_access_order = filter

It's worth noting that I can't get memberOf to actually supply a memberuid
field with ldapsearch.  That said, even if memberOf is -totally- broken,
I'd expect sssd to fail -all- logins, not let everyone in.

Any help I can get...I'd be extremely grateful for it.  I really need
sssd's name differentiation.  That's critical, and why I'm going with sssd
over direct ldap in the first place.

mark-&amp;gt;
&lt;/pre&gt;</description>
    <dc:creator>Fairlight</dc:creator>
    <dc:date>2012-05-25T20:32:37</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9669">
    <title>[PATCH] Use uint32_t to copy the service port</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9669</link>
    <description>&lt;pre&gt;The sss_client was copying 32bit port value, but the NSS responder was
reading 16bit port value. This was breaking on Big-Endian machines where
we read "the other 16bits".

By the way, is there a reason to use 32bits in the client in the first
place? IIRC a port number is a 16 bit value..
From eb8a81adfa05cfa8b62291bac0052c4e15124a8e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek &amp;lt;jhrozek-H+wXaHxf7aLQT0dZR+AlfA&amp;lt; at &amp;gt;public.gmane.org&amp;gt;
Date: Fri, 25 May 2012 11:51:11 +0200
Subject: [PATCH] Use uint32_t to copy the service port

---
 src/responder/nss/nsssrv_services.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/responder/nss/nsssrv_services.c b/src/responder/nss/nsssrv_services.c
index 2e539f13576d18c97d8c3bff2ced2fd5ed01290f..3a6e1b07866a539b36284446e60b2d507d312275 100644
--- a/src/responder/nss/nsssrv_services.c
+++ b/src/responder/nss/nsssrv_services.c
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -1041,13 +1041,13 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; errno_t parse_getservbyport(TALLOC_CTX *mem_ctx,
     errno_t ret;
     size_t i, j;
     size_t port_and_padding_len;
-    uint16_t c, port;
+    uint32_t c, port;
     char *protocol;
     TALLOC_CTX *tmp_ctx = talloc_new(NULL);
     if (!tmp_ctx) return ENOMEM;
 
     /* Copy in the port */
-    SAFEALIGN_COPY_UINT16(&amp;amp;c, body, NULL);
+    SAFEALIGN_COPY_UINT32(&amp;amp;c, body, NULL);
     port = ntohs(c);
 
     port_and_padding_len = 2 * sizeof(uint16_t) + sizeof(uint32_t);
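Review bot: `port = ntohs(c)` now hands a uint32_t to a function that takes a uint16_t, so `c` is silently truncated to the low-order 16 bits of the host-order value; that implicit truncation is what makes the read come out right on either byte order, so it deserves an explicit cast and a comment, e.g. `port = ntohs((uint16_t) c);`. The unchanged `port_and_padding_len = 2 * sizeof(uint16_t) + sizeof(uint32_t)` still encodes the 16-bit-port layout, which is inconsistent with a 32-bit copy; as the cover letter already asks, the cleaner fix is for the client to send a 16-bit value and keep the responder reading 16 bits.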
&lt;/pre&gt;</description>
    <dc:creator>Jakub Hrozek</dc:creator>
    <dc:date>2012-05-25T10:46:53</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9668">
    <title>Use variable to control verbosity for things in common directory</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9668</link>
    <description>&lt;pre&gt;
https://fedorahosted.org/sssd/ticket/394

I was reviewing this ticket and it talks about a default value for verbosity,

although I'm not sure if it is about the sssd debug level or another case.

In the case of debug level:

Reading the theory in
   http://sgallagh.fedorapeople.org/sssd/1.8.91/man/sssd.conf.5.html 
in section debug_level (integer), it mentions that:

  "0x0010 is the default value as well as the lowest allowed value"
  "0x0010: Fatal failures. Anything that would prevent SSSD from starting up or causes it to cease running."

If you want to use a higher debug level, it is changed in sssd.conf -&amp;gt; debug_level = (the desired level is placed there).

If it is not specified with the command line flag, the value indicated in sssd.conf -&amp;gt; debug_level is used.

If specified on the command line, debug_level first uses the command line value; this was corrected in ticket https://fedorahosted.org/sssd/ticket/764

In the case concerned here, the flag already exists.

util.h
[code]
      /** \def DEBUG_IS_SET(level)
         \brief checks whether level (must be in new format) is set in debug_level
          \param level the debug level, please use one of the SSSDBG*_ macros
      */
       #define DEBUG_IS_SET(level) (debug_level &amp;amp; (level))
       
       #define CONVERT_AND_SET_DEBUG_LEVEL(new_value) debug_level = ( \
            ((new_value) != SSSDBG_INVALID) \
            ? debug_convert_old_level(new_value) \
            : SSSDBG_UNRESOLVED /* Debug level should be loaded from config file. */ \
       );
[/code]
       _______________________________________________
sssd-devel mailing list
sssd-devel&amp;lt; at &amp;gt;lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
&lt;/pre&gt;</description>
    <dc:creator>Ariel Barria</dc:creator>
    <dc:date>2012-05-25T05:22:19</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9666">
    <title>[PATCH] sss_idmap: add support for samba struct dom_sid</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9666</link>
    <description>&lt;pre&gt;Hi,

this patch allows us, besides other conversions, to convert the dom_sid
structure used by samba to strings and back. This structure is used by
various samba libraries, but there are no public interfaces for the
conversion. I've seen Simo adding code to the IPA kdb plugin doing these
conversions and I need them for the PAC responder as well. So I thought
it might be useful to put it in a library.

bye,
Sumit
From b33d2e0e6cb18a3c90a9b4fda0d4ae7e60136f97 Mon Sep 17 00:00:00 2001
From: Sumit Bose &amp;lt;sbose&amp;lt; at &amp;gt;redhat.com&amp;gt;
Date: Thu, 24 May 2012 12:39:56 +0200
Subject: [PATCH] sss_idmap: add support for samba struct dom_sid

The samba ndr libraries use struct dom_sid to handle SIDs. Since there
is no public samba library which offers conversion from other
representations, e.g. as string, this is added to libsss_idmap. There
is only a compile-time dependency to the samba header files to check if
struct dom_sid has the expected format. There is no run-time dependency
to any samba library.
---
 Makefile.am                    |    3 +
 configure.ac                   |    1 +
 src/external/dom_sid.m4        |   65 ++++++++++++++
 src/lib/idmap/sss_idmap.h      |  107 +++++++++++++++++++++++
 src/lib/idmap/sss_idmap_conv.c |  183 ++++++++++++++++++++++++++++++++++++++++
 src/tests/sss_idmap-tests.c    |  104 ++++++++++++++++++++++-
 6 files changed, 461 insertions(+), 2 deletions(-)
 create mode 100644 src/external/dom_sid.m4

diff --git a/Makefile.am b/Makefile.am
index 7663053..f0aab71 100644
--- a/Makefile.am
+++ b/Makefile.am
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -513,6 +513,8 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; dist_pkgconfig_DATA += src/lib/idmap/sss_idmap.pc
 libsss_idmap_la_SOURCES = \
     src/lib/idmap/sss_idmap.c \
     src/lib/idmap/sss_idmap_conv.c
+libsss_idmap_la_CFLAGS = \
+    $(NDR_CFLAGS)
 libsss_idmap_la_LDFLAGS = \
     -version-info 0:1:0
 
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -985,6 +987,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; sss_idmap_tests_SOURCES = \
     src/tests/sss_idmap-tests.c
 sss_idmap_tests_CFLAGS = \
     $(AM_CFLAGS) \
+    $(NDR_CFLAGS) \
     $(CHECK_CFLAGS)
 sss_idmap_tests_LDADD = \
     $(CHECK_LIBS) \
diff --git a/configure.ac b/configure.ac
index 16e10d6..0b0e7b8 100644
--- a/configure.ac
+++ b/configure.ac
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -126,6 +126,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; m4_include([src/external/libkeyutils.m4])
 m4_include([src/external/libnl.m4])
 m4_include([src/external/systemd.m4])
 m4_include([src/external/pac_responder.m4])
+m4_include([src/external/dom_sid.m4])
 m4_include([src/util/signal.m4])
 
 WITH_UNICODE_LIB
diff --git a/src/external/dom_sid.m4 b/src/external/dom_sid.m4
new file mode 100644
index 0000000..0088008
--- /dev/null
+++ b/src/external/dom_sid.m4
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -0,0 +1,65 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt;
+AC_SUBST(NDR_CFLAGS)
+AC_SUBST(NDR_LIBS)
+PKG_CHECK_MODULES(NDR, ndr,,
+                  AC_MSG_ERROR([Cannot check struct dom_sid without ndr header installed]))
+SAVE_CFLAGS=$CFLAGS
+CFLAGS="$CFLAGS $NDR_CFLAGS"
+dnl Since the names of the checked components are used as parts of variable
+dnl names by autoconf it is not possible to use the [] index notation directly.
+dnl As a workaround I used the define apporach below
+AC_CHECK_MEMBERS([struct dom_sid.sid_rev_num,
+                  struct dom_sid.num_auths,
+                  struct dom_sid.id_auth0,
+                  struct dom_sid.id_auth1,
+                  struct dom_sid.id_auth2,
+                  struct dom_sid.id_auth3,
+                  struct dom_sid.id_auth4,
+                  struct dom_sid.id_auth5,
+                  struct dom_sid.sub_auths0,
+                  struct dom_sid.sub_auths1,
+                  struct dom_sid.sub_auths2,
+                  struct dom_sid.sub_auths3,
+                  struct dom_sid.sub_auths4,
+                  struct dom_sid.sub_auths5,
+                  struct dom_sid.sub_auths6,
+                  struct dom_sid.sub_auths7,
+                  struct dom_sid.sub_auths8,
+                  struct dom_sid.sub_auths9,
+                  struct dom_sid.sub_auths10,
+                  struct dom_sid.sub_auths11,
+                  struct dom_sid.sub_auths12,
+                  struct dom_sid.sub_auths13,
+                  struct dom_sid.sub_auths14],
+                 [AC_DEFINE([HAVE_VALID_DOM_SID],
+                            [1],
+                            [Define if struct dom_sid has all expected members.])],
+                 [AC_MSG_ERROR([struct dom_sid does not has all expected members.])],
+                 [[#include &amp;lt;pwd.h&amp;gt;
+                   #include &amp;lt;stdbool.h&amp;gt;
+                   #include &amp;lt;util/data_blob.h&amp;gt;
+                   #include &amp;lt;gen_ndr/security.h&amp;gt;
+                   #define id_auth0 id_auth[0]
+                   #define id_auth1 id_auth[1]
+                   #define id_auth2 id_auth[2]
+                   #define id_auth3 id_auth[3]
+                   #define id_auth4 id_auth[4]
+                   #define id_auth5 id_auth[5]
+                   #define sub_auths0 sub_auths[0]
+                   #define sub_auths1 sub_auths[1]
+                   #define sub_auths2 sub_auths[2]
+                   #define sub_auths3 sub_auths[3]
+                   #define sub_auths4 sub_auths[4]
+                   #define sub_auths5 sub_auths[5]
+                   #define sub_auths6 sub_auths[6]
+                   #define sub_auths7 sub_auths[7]
+                   #define sub_auths8 sub_auths[8]
+                   #define sub_auths9 sub_auths[9]
+                   #define sub_auths10 sub_auths[10]
+                   #define sub_auths11 sub_auths[11]
+                   #define sub_auths12 sub_auths[12]
+                   #define sub_auths13 sub_auths[13]
+                   #define sub_auths14 sub_auths[14]
+                   #define sub_auths15 sub_auths[15]
+                  ]])
+
+CFLAGS=$SAVE_CFLAGS
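Review bot: `PKG_CHECK_MODULES(NDR, ndr,, AC_MSG_ERROR(...))` makes the Samba ndr header an unconditional configure-time requirement for every build of libsss_idmap, which is stricter than the "only a compile-time dependency" wording of the commit message suggests; consider guarding it with a configure switch or tying it to the existing pac_responder check so builds without Samba devel packages still configure. Also `#define sub_auths15 sub_auths[15]` has no matching entry in the AC_CHECK_MEMBERS list (the list stops at sub_auths14, matching SID_SUB_AUTHS = 15), so it can be dropped, and the comment and error text have typos: "apporach", "does not has all expected members".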
diff --git a/src/lib/idmap/sss_idmap.h b/src/lib/idmap/sss_idmap.h
index a3ec919..6b7cbe5 100644
--- a/src/lib/idmap/sss_idmap.h
+++ b/src/lib/idmap/sss_idmap.h
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -98,6 +98,13 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; struct sss_dom_sid;
 struct sss_idmap_ctx;
 
 /**
+ * Placeholder for Samba's struct dom_sid. Consumers of libsss_idmap should
+ * include an appropriate Samba header file to define struct dom_sid. We use
+ * it here to avoid a hard dependency on Samba devel packages.
+ */
+struct dom_sid;
+
+/**
  * &amp;lt; at &amp;gt;brief Initialize idmap context
  *
  * &amp;lt; at &amp;gt;param[in] alloc_func Function to allocate memory for the context, if
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -375,6 +382,106 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; enum idmap_error_code sss_idmap_dom_sid_to_sid(struct sss_idmap_ctx *ctx,
 enum idmap_error_code sss_idmap_sid_to_dom_sid(struct sss_idmap_ctx *ctx,
                                                const char *sid,
                                                struct sss_dom_sid **dom_sid);
+
+/**
+ * &amp;lt; at &amp;gt;brief Convert SID string to Samba dom_sid structure
+ *
+ * &amp;lt; at &amp;gt;param[in] ctx       Idmap context
+ * &amp;lt; at &amp;gt;param[in] sid       Zero-terminated string representation of the SID
+ * &amp;lt; at &amp;gt;param[out] smb_sid  Samba dom_sid structure,
+ *                      must be freed if not needed anymore
+ *
+ * &amp;lt; at &amp;gt;return
+ *  - #IDMAP_SID_INVALID: Given SID is invalid
+ *  - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result
+ */
+enum idmap_error_code sss_idmap_sid_to_smb_sid(struct sss_idmap_ctx *ctx,
+                                               const char *sid,
+                                               struct dom_sid **smb_sid);
+
+/**
+ * &amp;lt; at &amp;gt;brief Convert Samba dom_sid structure to SID string
+ *
+ * &amp;lt; at &amp;gt;param[in] ctx       Idmap context
+ * &amp;lt; at &amp;gt;param[in] smb_sid   Samba dom_sid structure
+ * &amp;lt; at &amp;gt;param[out] sid      Zero-terminated string representation of the SID,
+ *                      must be freed if not needed anymore
+ *
+ * &amp;lt; at &amp;gt;return
+ *  - #IDMAP_SID_INVALID: Given SID is invalid
+ *  - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result
+ */
+enum idmap_error_code sss_idmap_smb_sid_to_sid(struct sss_idmap_ctx *ctx,
+                                               struct dom_sid *smb_sid,
+                                               char **sid);
+
+/**
+ * &amp;lt; at &amp;gt;brief Convert SID stucture to Samba dom_sid structure
+ *
+ * &amp;lt; at &amp;gt;param[in] ctx       Idmap context
+ * &amp;lt; at &amp;gt;param[in] dom_sid   SID structure
+ * &amp;lt; at &amp;gt;param[out] smb_sid  Samba dom_sid structure,
+ *                      must be freed if not needed anymore
+ *
+ * &amp;lt; at &amp;gt;return
+ *  - #IDMAP_SID_INVALID: Given SID is invalid
+ *  - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result
+ */
+enum idmap_error_code sss_idmap_dom_sid_to_smb_sid(struct sss_idmap_ctx *ctx,
+                                                   struct sss_dom_sid *dom_sid,
+                                                   struct dom_sid **smb_sid);
+
+/**
+ * &amp;lt; at &amp;gt;brief Convert Samba dom_sid structure to SID structure
+ *
+ * &amp;lt; at &amp;gt;param[in] ctx       Idmap context
+ * &amp;lt; at &amp;gt;param[in] smb_sid   Samba dom_sid structure
+ * &amp;lt; at &amp;gt;param[out] dom_sid  SID structure,
+ *                      must be freed if not needed anymore
+ *
+ * &amp;lt; at &amp;gt;return
+ *  - #IDMAP_SID_INVALID: Given SID is invalid
+ *  - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result
+ */
+enum idmap_error_code sss_idmap_smb_sid_to_dom_sid(struct sss_idmap_ctx *ctx,
+                                                   struct dom_sid *smb_sid,
+                                                   struct sss_dom_sid **dom_sid);
+
+/**
+ * &amp;lt; at &amp;gt;brief Convert binary SID to Samba dom_sid structure
+ *
+ * &amp;lt; at &amp;gt;param[in] ctx       Idmap context
+ * &amp;lt; at &amp;gt;param[in] bin_sid   Array with the binary SID
+ * &amp;lt; at &amp;gt;param[in] length    Size of the array containing the binary SID
+ * &amp;lt; at &amp;gt;param[out] smb_sid  Samba dom_sid structure,
+ *                      must be freed if not needed anymore
+ *
+ * &amp;lt; at &amp;gt;return
+ *  - #IDMAP_SID_INVALID: Given SID is invalid
+ *  - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result
+ */
+enum idmap_error_code sss_idmap_bin_sid_to_smb_sid(struct sss_idmap_ctx *ctx,
+                                                   const uint8_t *bin_sid,
+                                                   size_t length,
+                                                   struct dom_sid **smb_sid);
+
+/**
+ * &amp;lt; at &amp;gt;brief Convert Samba dom_sid structure to binary SID
+ *
+ * &amp;lt; at &amp;gt;param[in] ctx       Idmap context
+ * &amp;lt; at &amp;gt;param[in] smb_sid   Samba dom_sid structure
+ * &amp;lt; at &amp;gt;param[out] bin_sid  Array with the binary SID,
+ *                      must be freed if not needed anymore
+ * &amp;lt; at &amp;gt;param[out] length   Size of the array containing the binary SID
+ *
+ * &amp;lt; at &amp;gt;return
+ *  - #IDMAP_SID_INVALID: Given SID is invalid
+ *  - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result
+ */
+enum idmap_error_code sss_idmap_smb_sid_to_bin_sid(struct sss_idmap_ctx *ctx,
+                                                   struct dom_sid *smb_sid,
+                                                   uint8_t **bin_sid,
+                                                   size_t *length);
 /**
  * &amp;lt; at &amp;gt;}
  */
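Review bot: the input-only `struct dom_sid *smb_sid` parameters of sss_idmap_smb_sid_to_sid, sss_idmap_smb_sid_to_dom_sid and sss_idmap_smb_sid_to_bin_sid could be declared `const struct dom_sid *`, since the conversions only read them; that documents intent and lets callers pass const data. Minor: "stucture" in the sss_idmap_dom_sid_to_smb_sid brief, and a blank line is missing between the sss_idmap_smb_sid_to_bin_sid declaration and the closing doxygen group marker that follows it.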
diff --git a/src/lib/idmap/sss_idmap_conv.c b/src/lib/idmap/sss_idmap_conv.c
index df96fcc..d74df8c 100644
--- a/src/lib/idmap/sss_idmap_conv.c
+++ b/src/lib/idmap/sss_idmap_conv.c
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -31,6 +31,10 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt;
 #include "lib/idmap/sss_idmap_private.h"
 #include "util/util.h"
 
+#include &amp;lt;stdbool.h&amp;gt;
+#include &amp;lt;util/data_blob.h&amp;gt;
+#include &amp;lt;gen_ndr/security.h&amp;gt;
+
 #define SID_ID_AUTHS 6
 #define SID_SUB_AUTHS 15
 struct sss_dom_sid {
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -59,6 +63,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; enum idmap_error_code sss_idmap_bin_sid_to_dom_sid(struct sss_idmap_ctx *ctx,
     if (dom_sid == NULL) {
         return IDMAP_OUT_OF_MEMORY;
     }
+    memset(dom_sid, 0, sizeof(struct sss_dom_sid));
 
     /* Safely copy in the SID revision number */
     dom_sid-&amp;gt;sid_rev_num = (uint8_t) *(bin_sid + p);
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -387,3 +392,181 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; done:
 
     return err;
 }
+
+enum idmap_error_code sss_idmap_sid_to_smb_sid(struct sss_idmap_ctx *ctx,
+                                               const char *sid,
+                                               struct dom_sid **_smb_sid)
+{
+    enum idmap_error_code err;
+    struct sss_dom_sid *dom_sid = NULL;
+    struct dom_sid *smb_sid = NULL;
+
+    err = sss_idmap_sid_to_dom_sid(ctx, sid, &amp;amp;dom_sid);
+    if (err != IDMAP_SUCCESS) {
+        goto done;
+    }
+
+    err = sss_idmap_dom_sid_to_smb_sid(ctx, dom_sid, &amp;amp;smb_sid);
+    if (err != IDMAP_SUCCESS) {
+        goto done;
+    }
+
+    *_smb_sid = smb_sid;
+    err = IDMAP_SUCCESS;
+
+done:
+    talloc_free(dom_sid);
+    if (err != IDMAP_SUCCESS) {
+        talloc_free(smb_sid);
+    }
+
+    return err;
+}
+
+enum idmap_error_code sss_idmap_smb_sid_to_sid(struct sss_idmap_ctx *ctx,
+                                               struct dom_sid *smb_sid,
+                                               char **_sid)
+{
+    enum idmap_error_code err;
+    struct sss_dom_sid *dom_sid = NULL;
+    char *sid = NULL;
+
+    err = sss_idmap_smb_sid_to_dom_sid(ctx, smb_sid, &amp;amp;dom_sid);
+    if (err != IDMAP_SUCCESS) {
+        goto done;
+    }
+
+    err = sss_idmap_dom_sid_to_sid(ctx, dom_sid, &amp;amp;sid);
+    if (err != IDMAP_SUCCESS) {
+        goto done;
+    }
+
+    *_sid = sid;
+    err = IDMAP_SUCCESS;
+
+done:
+    talloc_free(dom_sid);
+    if (err != IDMAP_SUCCESS) {
+        talloc_free(sid);
+    }
+
+    return err;
+}
+
+enum idmap_error_code sss_idmap_dom_sid_to_smb_sid(struct sss_idmap_ctx *ctx,
+                                                   struct sss_dom_sid *dom_sid,
+                                                   struct dom_sid **_smb_sid)
+{
+    struct dom_sid *smb_sid;
+    size_t c;
+
+    smb_sid = ctx-&amp;gt;alloc_func(sizeof(struct dom_sid), ctx-&amp;gt;alloc_pvt);
+    if (smb_sid == NULL) {
+        return IDMAP_OUT_OF_MEMORY;
+    }
+    memset(smb_sid, 0, sizeof(struct dom_sid));
+
+    smb_sid-&amp;gt;sid_rev_num = dom_sid-&amp;gt;sid_rev_num;
+    smb_sid-&amp;gt;num_auths = dom_sid-&amp;gt;num_auths;
+    for (c = 0; c &amp;lt; SID_ID_AUTHS; c++) {
+        smb_sid-&amp;gt;id_auth[c] = dom_sid-&amp;gt;id_auth[c];
+    }
+    for (c = 0; c &amp;lt; SID_SUB_AUTHS; c++) {
+        smb_sid-&amp;gt;sub_auths[c] = dom_sid-&amp;gt;sub_auths[c];
+    }
+
+    *_smb_sid = smb_sid;
+
+    return IDMAP_SUCCESS;
+}
+
+enum idmap_error_code sss_idmap_smb_sid_to_dom_sid(struct sss_idmap_ctx *ctx,
+                                                   struct dom_sid *smb_sid,
+                                                   struct sss_dom_sid **_dom_sid)
+{
+    struct sss_dom_sid *dom_sid;
+    size_t c;
+
+    dom_sid = ctx-&amp;gt;alloc_func(sizeof(struct sss_dom_sid), ctx-&amp;gt;alloc_pvt);
+    if (dom_sid == NULL) {
+        return IDMAP_OUT_OF_MEMORY;
+    }
+    memset(dom_sid, 0, sizeof(struct sss_dom_sid));
+
+    dom_sid-&amp;gt;sid_rev_num = smb_sid-&amp;gt;sid_rev_num;
+    dom_sid-&amp;gt;num_auths = smb_sid-&amp;gt;num_auths;
+    for (c = 0; c &amp;lt; SID_ID_AUTHS; c++) {
+        dom_sid-&amp;gt;id_auth[c] = smb_sid-&amp;gt;id_auth[c];
+    }
+    for (c = 0; c &amp;lt; SID_SUB_AUTHS; c++) {
+        dom_sid-&amp;gt;sub_auths[c] = smb_sid-&amp;gt;sub_auths[c];
+    }
+
+    *_dom_sid = dom_sid;
+
+    return IDMAP_SUCCESS;
+}
+
+enum idmap_error_code sss_idmap_bin_sid_to_smb_sid(struct sss_idmap_ctx *ctx,
+                                                   const uint8_t *bin_sid,
+                                                   size_t length,
+                                                   struct dom_sid **_smb_sid)
+{
+    enum idmap_error_code err;
+    struct sss_dom_sid *dom_sid = NULL;
+    struct dom_sid *smb_sid = NULL;
+
+    err = sss_idmap_bin_sid_to_dom_sid(ctx, bin_sid, length, &amp;amp;dom_sid);
+    if (err != IDMAP_SUCCESS) {
+        goto done;
+    }
+
+    err = sss_idmap_dom_sid_to_smb_sid(ctx, dom_sid, &amp;amp;smb_sid);
+    if (err != IDMAP_SUCCESS) {
+        goto done;
+    }
+
+    *_smb_sid = smb_sid;
+    err = IDMAP_SUCCESS;
+
+done:
+    talloc_free(dom_sid);
+    if (err != IDMAP_SUCCESS) {
+        talloc_free(smb_sid);
+    }
+
+    return err;
+}
+
+enum idmap_error_code sss_idmap_smb_sid_to_bin_sid(struct sss_idmap_ctx *ctx,
+                                                   struct dom_sid *smb_sid,
+                                                   uint8_t **_bin_sid,
+                                                   size_t *_length)
+{
+    enum idmap_error_code err;
+    struct sss_dom_sid *dom_sid = NULL;
+    uint8_t *bin_sid = NULL;
+    size_t length;
+
+    err = sss_idmap_smb_sid_to_dom_sid(ctx, smb_sid, &amp;amp;dom_sid);
+    if (err != IDMAP_SUCCESS) {
+        goto done;
+    }
+
+    err = sss_idmap_dom_sid_to_bin_sid(ctx, dom_sid, &amp;amp;bin_sid, &amp;amp;length);
+    if (err != IDMAP_SUCCESS) {
+        goto done;
+    }
+
+    *_bin_sid = bin_sid;
+    *_length = length;
+    err = IDMAP_SUCCESS;
+
+done:
+    talloc_free(dom_sid);
+    if (err != IDMAP_SUCCESS) {
+        talloc_free(bin_sid);
+    }
+
+    return err;
+}
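Review bot: sss_idmap_dom_sid_to_smb_sid and sss_idmap_smb_sid_to_dom_sid allocate with ctx-&amp;gt;alloc_func, but the error paths of sss_idmap_sid_to_smb_sid, sss_idmap_bin_sid_to_smb_sid, sss_idmap_smb_sid_to_sid and sss_idmap_smb_sid_to_bin_sid release those objects with talloc_free; that is only correct when the caller's allocator is talloc, so the cleanup should go through the context's free counterpart of alloc_func. Neither struct-copy routine checks its input pointer for NULL, and sss_idmap_smb_sid_to_dom_sid copies `num_auths` unvalidated: the fixed-size array loops cannot overflow here, but a num_auths larger than SID_SUB_AUTHS then reaches sss_idmap_dom_sid_to_sid and sss_idmap_dom_sid_to_bin_sid inside the copied struct, so rejecting it here with IDMAP_SID_INVALID keeps the check local.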
diff --git a/src/tests/sss_idmap-tests.c b/src/tests/sss_idmap-tests.c
index b821dfc..a7d5f57 100644
--- a/src/tests/sss_idmap-tests.c
+++ b/src/tests/sss_idmap-tests.c
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -21,6 +21,9 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt;
 */
 
 #include &amp;lt;check.h&amp;gt;
+#include &amp;lt;stdbool.h&amp;gt;
+#include &amp;lt;util/data_blob.h&amp;gt;
+#include &amp;lt;gen_ndr/security.h&amp;gt;
 
 #include "lib/idmap/sss_idmap.h"
 #include "tests/common.h"
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -35,6 +38,8 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; uint8_t test_bin_sid[] = {0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15,
                           0x00};
 size_t test_bin_sid_length = sizeof(test_bin_sid);
 
+struct dom_sid test_smb_sid = {1, 5, {0, 0, 0, 0, 0, 5}, {21, 2127521184, 1604012920, 1887927527, 72713, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}};
+
 struct sss_idmap_ctx *idmap_ctx;
 
 static void *idmap_talloc(size_t size, void *pvt)
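Review bot: `struct dom_sid test_smb_sid = {1, 5, {0, 0, 0, 0, 0, 5}, {21, ...}}` is a positional initializer, so it depends on Samba declaring sid_rev_num, num_auths, id_auth[6] and sub_auths[15] in exactly that order and size, while the configure check in dom_sid.m4 only verifies that the members exist. Designated initializers (`.sid_rev_num = 1, .num_auths = 5, .id_auth = {...}, .sub_auths = {...}`) would make the fixture robust to reordering and self-documenting.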
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -267,7 +272,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; START_TEST(idmap_test_uid2bin_sid)
 }
 END_TEST
 
-START_TEST(idmap_test_sid_bin2dom_sid)
+START_TEST(idmap_test_bin_sid2dom_sid)
 {
     struct sss_dom_sid *dom_sid = NULL;
     enum idmap_error_code err;
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -357,6 +362,96 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; START_TEST(idmap_test_bin_sid2sid)
 }
 END_TEST
 
+START_TEST(idmap_test_smb_sid2dom_sid)
+{
+    struct sss_dom_sid *dom_sid = NULL;
+    enum idmap_error_code err;
+    struct dom_sid *new_smb_sid = NULL;
+
+    err = sss_idmap_smb_sid_to_dom_sid(idmap_ctx, &amp;amp;test_smb_sid, &amp;amp;dom_sid);
+    fail_unless(err == IDMAP_SUCCESS,
+                "Failed to convert samba dom_sid to struct sss_dom_sid.");
+
+    err = sss_idmap_dom_sid_to_smb_sid(idmap_ctx, dom_sid, &amp;amp;new_smb_sid);
+    fail_unless(err == IDMAP_SUCCESS,
+                "Failed to convert struct sss_dom_sid to samba dom_sid.");
+
+    fail_unless(memcmp(&amp;amp;test_smb_sid, new_smb_sid, sizeof(struct dom_sid)) == 0,
+                "Samba dom_sid-s do not match.");
+
+    talloc_free(dom_sid);
+    talloc_free(new_smb_sid);
+}
+END_TEST
+
+START_TEST(idmap_test_smb_sid2bin_sid)
+{
+    enum idmap_error_code err;
+    size_t length;
+    uint8_t *bin_sid = NULL;
+
+    err = sss_idmap_smb_sid_to_bin_sid(idmap_ctx, &amp;amp;test_smb_sid,
+                                       &amp;amp;bin_sid, &amp;amp;length);
+    fail_unless(err == IDMAP_SUCCESS,
+                "Failed to convert samba dom_sid to binary sid.");
+    fail_unless(length == test_bin_sid_length,
+                "Size of binary SIDs do not match, got [%d], expected [%d]",
+                length, test_bin_sid_length);
+    fail_unless(memcmp(bin_sid, test_bin_sid, test_bin_sid_length) == 0,
+                "Binary SIDs do not match.");
+
+    talloc_free(bin_sid);
+}
+END_TEST
+
+START_TEST(idmap_test_bin_sid2smb_sid)
+{
+    enum idmap_error_code err;
+    struct dom_sid *smb_sid = NULL;
+
+    err = sss_idmap_bin_sid_to_smb_sid(idmap_ctx, test_bin_sid,
+                                       test_bin_sid_length, &amp;amp;smb_sid);
+    fail_unless(err == IDMAP_SUCCESS,
+                "Failed to convert binary sid to samba dom_sid.");
+    fail_unless(memcmp(&amp;amp;test_smb_sid, smb_sid, sizeof(struct dom_sid)) == 0,
+                 "Samba dom_sid structs do not match.");
+
+    talloc_free(smb_sid);
+}
+END_TEST
+
+START_TEST(idmap_test_smb_sid2sid)
+{
+    enum idmap_error_code err;
+    char *sid = NULL;
+
+    err = sss_idmap_smb_sid_to_sid(idmap_ctx, &amp;amp;test_smb_sid, &amp;amp;sid);
+    fail_unless(err == IDMAP_SUCCESS,
+                "Failed to convert samba dom_sid to sid string.");
+    fail_unless(strcmp(sid, test_sid) == 0, "SID strings do not match, "
+                                            "expected [%s], get [%s]",
+                                            test_sid, sid);
+
+    talloc_free(sid);
+}
+END_TEST
+
+START_TEST(idmap_test_sid2smb_sid)
+{
+    enum idmap_error_code err;
+    struct dom_sid *smb_sid = NULL;
+
+    err = sss_idmap_sid_to_smb_sid(idmap_ctx, test_sid, &amp;amp;smb_sid);
+    fail_unless(err == IDMAP_SUCCESS,
+                "Failed to convert binary sid to samba dom_sid.");
+    fail_unless(memcmp(&amp;amp;test_smb_sid, smb_sid, sizeof(struct dom_sid)) == 0,
+                 "Samba dom_sid structs do not match.");
+
+    talloc_free(smb_sid);
+}
+END_TEST
+
+
 Suite *idmap_test_suite (void)
 {
     Suite *s = suite_create ("IDMAP");
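Review bot: the failure message in idmap_test_sid2smb_sid ("Failed to convert binary sid to samba dom_sid.") is copied from the bin_sid test; this test converts the SID string, so it should read "Failed to convert sid string to samba dom_sid." Two smaller points in the same block: `length` is a size_t but is printed with `%d` in idmap_test_smb_sid2bin_sid (use `%zu`, and likewise for test_bin_sid_length if it is a size_t), and "get [%s]" in idmap_test_smb_sid2sid should be "got [%s]". The struct checks `memcmp(..., sizeof(struct dom_sid))` in the three smb_sid tests compare every byte of the struct, not only the fields a conversion is expected to fill, so they pass only if the converters zero-fill the whole struct; either compare the populated fields or document that zero-filling is part of the converters' contract.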
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -392,10 +487,15 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; Suite *idmap_test_suite (void)
                               idmap_ctx_setup,
                               idmap_ctx_teardown);
 
-    tcase_add_test(tc_conv, idmap_test_sid_bin2dom_sid);
+    tcase_add_test(tc_conv, idmap_test_bin_sid2dom_sid);
     tcase_add_test(tc_conv, idmap_test_sid2dom_sid);
     tcase_add_test(tc_conv, idmap_test_sid2bin_sid);
     tcase_add_test(tc_conv, idmap_test_bin_sid2sid);
+    tcase_add_test(tc_conv, idmap_test_smb_sid2dom_sid);
+    tcase_add_test(tc_conv, idmap_test_smb_sid2bin_sid);
+    tcase_add_test(tc_conv, idmap_test_bin_sid2smb_sid);
+    tcase_add_test(tc_conv, idmap_test_smb_sid2sid);
+    tcase_add_test(tc_conv, idmap_test_sid2smb_sid);
 
     suite_add_tcase(s, tc_conv);
 
&lt;/pre&gt;</description>
    <dc:creator>Sumit Bose</dc:creator>
    <dc:date>2012-05-24T13:04:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9656">
    <title>[RFE] Add 'auth_provider = none' as an option to SSSD</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9656</link>
    <description>&lt;pre&gt;
Hi, I would like to comment to see if I'm wrong.

Ticket https://fedorahosted.org/sssd/ticket/1339

"auth_provider = none" already exists (it seems)

Reading the theory in http://sgallagh.fedorapeople.org/sssd/1.8.91/man/sssd.conf.5.html, it mentions that:

auth_provider (string)
"none" disallows password changes explicitly. 
Default: "id_provider" is used if it is set and can handle authentication requests. 

in data_provider_be.c
 [code]
    if (strcasecmp(mod_name, NO_PROVIDER) == 0) {
            ret = ENOENT;
            goto done;
    }
 [/code]
 
and by placing "id_provider = proxy", the default auth_provider = id_provider (proxy); this makes it require proxy_pam_target.

Is this correct?

Thanks.
_______________________________________________
sssd-devel mailing list
sssd-devel&amp;lt; at &amp;gt;lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
&lt;/pre&gt;</description>
    <dc:creator>Ariel Barria</dc:creator>
    <dc:date>2012-05-23T22:30:01</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9652">
    <title>[PATCH] NSS: Fix segfault when mmap cache cannot be initialized</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9652</link>
    <description>&lt;pre&gt;If the mmap cache cannot be initialized (such as insufficient
permissions or SELinux/AppArmor denial), we are supposed to fall back to
our 1.8 behavior of LDB cache only. However, we weren't properly
checking that the cache had been set up and we were always attempting to
dereference the mmap context in fill_pwent() and fill_grent().

Fixes https://fedorahosted.org/sssd/ticket/1346
&lt;/pre&gt;</description>
    <dc:creator>Stephen Gallagher</dc:creator>
    <dc:date>2012-05-23T13:03:16</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9645">
    <title>Securing remote domains</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9645</link>
    <description>&lt;pre&gt;Hello all,

We're interested in using SSSD to replace our current use of
NSS/PAM/NSCD/NSLCD.  However, we were curious whether or not
SSSD had implemented some critical security checks to protect
against malicious remote domains.

    - What are the semantics of the local domain: that is,
      do I have a guarantee that entries in local will never
      be affected by the network?

    - If the answer to the above is true, how does SSSD resolve
      conflicts between two domains which have entries that claim
      the same UID?  I understand that the max_id/min_id functionality
      is intended to address this partially, but does SSSD do any
      further sanity checks, such as refusing information from
      remote domains that exist in local domains?

    - Additionally, users may come with groups, and it is bad if
      remote domains can spoof ownership in local groups.  Is there
      any way to lock this down?

    - It is frequently useful for applications running on the system
      to be able to identify nonlocal users as opposed to local users;
      we had a nsswitch module which identified nonlocal users and
      added them to their own group.  Does this functionality exist
      in SSSD?  (It's also convenient to have another group which contains
      local users.)

    - A nice to have feature (though not strictly necessary), is the
      ability to pretend that nonlocal users are in some local group.
      This may be necessary if remote domains cannot dictate ownership
      in local groups.

In general, we would like to avoid trusting the source of the remote
authentication data: local accounts are first class, whereas remote accounts
are merely "nice to have". The remote LDAP server may not be held to as high
security standards as the machine itself, and if we can achieve isolation at
very little cost, we should do so.

The MIT Debathena and Scripts projects would be very interested
in seeing this functionality exist, and if it doesn't, we'd be
interested in contributing this functionality.  We consider this
a blocker for moving to SSSD.

Thanks,
Edward
&lt;/pre&gt;</description>
    <dc:creator>Edward Z. Yang</dc:creator>
    <dc:date>2012-05-23T02:06:56</dc:date>
  </item>
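The UID-range isolation that the post above asks about (min_id/max_id) written out as an added configuration example; it is not part of Edward's message nor taken from the SSSD project's own documentation. The domain name, server, search base, CA path and the 100000-199999 range are assumptions chosen for illustration.

```ini
# Added example, not from the original post or from the SSSD project.
# Assumptions: local accounts in /etc/passwd and /etc/group use IDs below
# 60000 (the usual UID_MIN/UID_MAX range from login.defs); the remote
# directory is given the disjoint range 100000-199999.  min_id/max_id
# apply to both UIDs and GIDs, so a remote user or group whose ID falls
# outside this range is dropped by the domain instead of being cached.
[sssd]
services = nss, pam
domains = corp.example.com

[domain/corp.example.com]
id_provider = ldap
auth_provider = ldap
# assumed server, search base and CA certificate
ldap_uri = ldaps://ldap.corp.example.com
ldap_search_base = dc=corp,dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/corp-ca.pem
# the isolation boundary for this domain
min_id = 100000
max_id = 199999
```

This is a range check only: nothing here compares remote names against /etc/passwd, so a remote entry that reuses a local account name with an in-range ID is still cached. Keeping `files` before `sss` in /etc/nsswitch.conf is what makes the local entry win a lookup by name; the min_id/max_id pair is what stops a remote entry from claiming a local UID or GID.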
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9643">
    <title>New mailing list: sssd-users</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9643</link>
    <description>&lt;pre&gt;For quite some time, we have used the sssd-devel mailing list for
development and user configuration issue discussions. As the project has
grown, it becomes more and more clear that we need to separate these
topics into their own lists.

So as of today, we now have a new mailing list for user questions. You
can subscribe at https://fedorahosted.org/mailman/listinfo/sssd-users

This list will be considerably less noisy for our users as they will not
be bombarded with patch review emails and other development-centric
issues.
&lt;/pre&gt;</description>
    <dc:creator>Stephen Gallagher</dc:creator>
    <dc:date>2012-05-22T17:41:27</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9638">
    <title>[PATCH] LDAP nested groups: Do not process callback with _post deep in the nested structure</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9638</link>
    <description>&lt;pre&gt;https://fedorahosted.org/sssd/ticket/1343

I still haven't been able to fully test the patch, but sending out for
review anyway.
From d111b80ff5f49f5efcf3bf7d30abf76533e4d440 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek &amp;lt;jhrozek-H+wXaHxf7aLQT0dZR+AlfA&amp;lt; at &amp;gt;public.gmane.org&amp;gt;
Date: Tue, 22 May 2012 17:41:52 +0200
Subject: [PATCH] LDAP nested groups: Do not process callback with _post deep
 in the nested structure

https://fedorahosted.org/sssd/ticket/1343
---
 src/providers/ldap/sdap_async_groups.c |   22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 84eb7cbfd6536f286c5bf4b1f41e150d003130aa..b587f668e678fd0b68eb401174fc2b097b3f4b87 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -2498,14 +2498,13 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; static errno_t sdap_nested_group_lookup_user(struct tevent_req *req,
                 ret = sdap_nested_group_process_step(req);
             }
 
-            if (ret == EOK) {
-                /* EOK means it's complete */
+            if (ret != EOK &amp;amp;&amp;amp; ret != EAGAIN) {
+                DEBUG(SSSDBG_OP_FAILURE, ("Nested group processing failed\n"));
+                return ret;
+            } else if (ret == EOK) {
+                DEBUG(SSSDBG_TRACE_FUNC, ("All done.\n"));
                 tevent_req_done(req);
-                tevent_req_post(req, state-&amp;gt;ev);
-            } else if (ret != EAGAIN) {
-                return ret;
             }
-
             return EOK;
         }
         /*
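Review bot: the new DEBUG(SSSDBG_OP_FAILURE, ("Nested group processing failed\n")) drops the error code, so the log cannot tell which errno sdap_nested_group_process_step returned; logging ret (and strerror(ret)) in that message makes this failure path debuggable. Worth a comment at the tevent_req_done call as well: the removed tevent_req_post was the only deferral here, so after this change callers of sdap_nested_group_lookup_user receive the completion callback synchronously from inside this function, which the subject line asserts is intended but the hunk does not document.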
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -2583,14 +2582,13 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; static errno_t sdap_nested_group_lookup_group(struct tevent_req *req)
             ret = sdap_nested_group_process_step(req);
         }
 
-        if (ret == EOK) {
-            /* EOK means it's complete */
-            tevent_req_done(req);
-            tevent_req_post(req, state-&amp;gt;ev);
-        } else if (ret != EAGAIN) {
+        if (ret != EOK &amp;amp;&amp;amp; ret != EAGAIN) {
+            DEBUG(SSSDBG_OP_FAILURE, ("Nested group processing failed\n"));
             return ret;
+        } else if (ret == EOK) {
+            DEBUG(SSSDBG_TRACE_FUNC, ("All done.\n"));
+            tevent_req_done(req);
         }
-
         return EOK;
     }
 
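Review bot: this hunk repeats the error/done sequence from sdap_nested_group_lookup_user, and the `return ret;` on failure in both places still leaves it to the caller to mark the request failed with tevent_req_error, which neither hunk shows. A small shared helper (check ret, log it with the errno, call tevent_req_done on EOK, return the code) would keep the two paths from drifting apart and be the natural place to document that contract.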
&lt;/pre&gt;</description>
    <dc:creator>Jakub Hrozek</dc:creator>
    <dc:date>2012-05-22T15:43:43</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9636">
    <title>[PATCH] Fixed issue in SELinux user maps</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9636</link>
    <description>&lt;pre&gt;There was an issue when the IPA provider didn't set PAM_SUCCESS when
successfully finished loading SELinux user maps. This led to the map
not being read in the responder.

Thanks
Jan
&lt;/pre&gt;</description>
    <dc:creator>Jan Zelený</dc:creator>
    <dc:date>2012-05-22T14:44:43</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9627">
    <title>sssd &amp; AD frequently disconnecting</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9627</link>
    <description>&lt;pre&gt;Hi List,

I am using sssd (F17) with AD and what I observed is that sssd frequently marks my AD server as working and then "not working". Symptoms:

(Mon May 21 13:58:43 2012) [sssd[be[default]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Mon May 21 13:58:43 2012) [sssd[be[default]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Mon May 21 13:58:43 2012) [sssd[be[default]]] [get_server_status] (0x1000): Status of server 'dcpra1.XXX' is 'working'
(Mon May 21 13:58:43 2012) [sssd[be[default]]] [get_port_status] (0x1000): Port status of port 389 for server 'dcpra1.XXX' is 'not working'
(Mon May 21 13:58:43 2012) [sssd[be[default]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'

Sometimes sssd does manage to connect, sometimes not.
I know there is a problem with the AD controller cutting the connection after some timeout that we can not (yet) handle correctly, but this 
also happens shortly after sssd restart.

Is there any explanation to this?
Thanks,
Ondrej

&lt;/pre&gt;</description>
    <dc:creator>Ondrej Valousek</dc:creator>
    <dc:date>2012-05-21T12:08:33</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9625">
    <title>Request for community input: Support of RADIUS authentication via SSSD</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9625</link>
    <description>&lt;pre&gt;Hello,

As SSSD (the System Security Services Daemon) is gaining ground as a
bridge between applications running on a machine and central
authentication sources such as Active Directory and FreeIPA, questions
about support for other authentication protocols start to come up. One
such protocol is RADIUS (Remote Authentication Dial In User Service).
RADIUS is a popular authentication protocol for enterprise deployments,
notably for VPN (virtual private network) and WPA (Wi-Fi Protected
Access) access.

Some enterprise deployments today also rely on RADIUS for the
authentication of system users. This is most often accomplished through
the use of the pam_radius_auth[1] module for PAM (Pluggable
Authentication Modules).

From a design standpoint, a RADIUS authentication module would be a
simple fit. SSSD would acquire user identities from an LDAP directory
server, but would perform authentication against a RADIUS server, rather
than via LDAP simple-bind or Kerberos TGT acquisition. From a
completeness perspective, it seems sensible for SSSD to implement a
RADIUS authentication provider.

The question we need to ask is whether support of RADIUS in SSSD adds any
additional benefits. For this, we need to reach out to our community for
their experience and advice. Do you have (or know of) any specific
use-cases where the availability of a RADIUS authentication provider
would be beneficial? Similarly, do you feel that implementation of such
a provider would be best served by SSSD (and by extension, with offline
cached-credentials capability), or should we recommend continued use of
pam_radius_auth and simply ensure that SSSD gets out of its way?

Please provide as much justification and reasoning to back your
recommendations, so we can use this information to best identify our
path forward on this.

[1] http://freeradius.org/pam_radius_auth/

&lt;/pre&gt;</description>
    <dc:creator>Dmitri Pal</dc:creator>
    <dc:date>2012-05-22T10:05:55</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9619">
    <title>[PATCH] KRB5: Avoid NULL-dereference with empty keytab</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9619</link>
    <description>&lt;pre&gt;Fixes https://fedorahosted.org/sssd/ticket/1330

Both places in the code that consume this function are properly checking
for n_etype_list &amp;gt; 0 before using it.
&lt;/pre&gt;</description>
    <dc:creator>Stephen Gallagher</dc:creator>
    <dc:date>2012-05-22T00:38:26</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9613">
    <title>sssd &amp; AD frequently disconnecting</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9613</link>
    <description>&lt;pre&gt;Hi List,

I am using sssd (F17) with AD and what I observed is that sssd frequently marks my AD server as working and then "not working". Symptoms:

(Mon May 21 13:58:43 2012) [sssd[be[default]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Mon May 21 13:58:43 2012) [sssd[be[default]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Mon May 21 13:58:43 2012) [sssd[be[default]]] [get_server_status] (0x1000): Status of server 'dcpra1.XXX' is 'working'
(Mon May 21 13:58:43 2012) [sssd[be[default]]] [get_port_status] (0x1000): Port status of port 389 for server 'dcpra1.XXX' is 'not working'
(Mon May 21 13:58:43 2012) [sssd[be[default]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'

Sometimes sssd does manage to connect, sometimes not.
I know there is a problem with the AD controller cutting the connection after some timeout that we can not (yet) handle correctly, but this 
also happens shortly after sssd restart.

Is there any explanation to this?
Thanks,
Ondrej

&lt;/pre&gt;</description>
    <dc:creator>Ondrej Valousek</dc:creator>
    <dc:date>2012-05-21T12:16:11</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9605">
    <title>[PATCHES] Improvements to SSSDConfig build and install</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9605</link>
    <description>&lt;pre&gt;Patch 0001: Make SSSDConfig a package
We were polluting the primary Python space with several
dependencies. We will now install them in their own directory/module. This
has been done in such a way that existing scripts that import SSSDConfig
will require no modifications.

Patch 0002: Make default config and schema file locations configurable
Previously, we were hard-coding the sssd.conf and sssd.api.* locations
into the source. With this patch, we will take the default locations
from values specified by autoconf.

Fixes https://fedorahosted.org/sssd/ticket/1008

&lt;/pre&gt;</description>
    <dc:creator>Stephen Gallagher</dc:creator>
    <dc:date>2012-05-18T13:28:20</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9604">
    <title>[PATCH] 1213-Warn to syslog when dereference requests fail</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9604</link>
    <description>&lt;pre&gt;
https://fedorahosted.org/sssd/ticket/1213
&lt;/pre&gt;</description>
    <dc:creator>Ariel Barria</dc:creator>
    <dc:date>2012-05-18T05:18:31</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9603">
    <title>[PATCH] Always use positional arguments in translatable strings</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9603</link>
    <description>&lt;pre&gt;Some languages might need to change the order of the variables in the
strings. By assigning them a positional value, we make it possible to
reorder them.

I added positional values to the strings that have only a single
variable as well, mostly so it will be a guideline to anyone modifying
those strings.

Fixes https://fedorahosted.org/sssd/ticket/1336

&lt;/pre&gt;</description>
    <dc:creator>Stephen Gallagher</dc:creator>
    <dc:date>2012-05-17T17:56:44</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9602">
    <title>Developer Tutorials</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9602</link>
    <description>&lt;pre&gt;In the interests of helping new developers get up to speed faster, I've
created a new wiki page for development tutorials. So far it includes
links to Pavel Březina's excellent Talloc tutorial and a few guides for
git usage with the SSSD.

All contributions to this effort are welcome and encouraged!

https://fedorahosted.org/sssd/wiki/DevelTutorials
&lt;/pre&gt;</description>
    <dc:creator>Stephen Gallagher</dc:creator>
    <dc:date>2012-05-17T14:33:38</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9595">
    <title>[PATCH] NSS: Expire in-memory netgroup cache before the nowait timeout</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9595</link>
    <description>&lt;pre&gt;The fact that we were keeping it in memory for the full duration
of the cache timeout meant that we would never reap the benefits
of the midpoint cache refresh.
&lt;/pre&gt;</description>
    <dc:creator>Stephen Gallagher</dc:creator>
    <dc:date>2012-05-16T18:34:30</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9594">
    <title>[PATCH] Use the sysdb attribute name, not LDAP attribute name</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9594</link>
    <description>&lt;pre&gt;I found two other places where we used the map name instead of sys_name. The
first is the probable reason for https://fedorahosted.org/sssd/ticket/1338,
although I haven't heard back from Ondrej yet if it fixed his issue
completely.

After I found the first one, I grepped for all occurrences of "].name"
and I have found the second one. As far as I can tell, we're using the
maps correctly now.
From 8ad2c3e2b15a81f5f9b2f7018b67bf84f0a2ef1c Mon Sep 17 00:00:00 2001
From: Jakub Hrozek &amp;lt;jhrozek-H+wXaHxf7aLQT0dZR+AlfA&amp;lt; at &amp;gt;public.gmane.org&amp;gt;
Date: Wed, 16 May 2012 17:03:41 +0200
Subject: [PATCH] Use the sysdb attribute name, not LDAP attribute name

---
 src/providers/ldap/sdap_async_autofs.c |    2 +-
 src/providers/ldap/sdap_async_groups.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_async_autofs.c b/src/providers/ldap/sdap_async_autofs.c
index 3140596efb07e8433f6e044dc2e2c8bba8735886..d8a2d0eec75c3e42cd3dc39930d20a0a51e2c541 100644
--- a/src/providers/ldap/sdap_async_autofs.c
+++ b/src/providers/ldap/sdap_async_autofs.c
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -770,7 +770,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; sdap_autofs_setautomntent_save(struct tevent_req *req)
         ret = sysdb_attrs_to_list(
                 tmp_ctx, state-&amp;gt;entries,
                 state-&amp;gt;entries_count,
-                state-&amp;gt;opts-&amp;gt;autofs_entry_map[SDAP_AT_AUTOFS_ENTRY_KEY].name,
+                state-&amp;gt;opts-&amp;gt;autofs_entry_map[SDAP_AT_AUTOFS_ENTRY_KEY].sys_name,
                 &amp;amp;ldap_entrylist);
         if (ret != EOK) {
             DEBUG(SSSDBG_OP_FAILURE,
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 361525037eb270462251fe03d0c5e1df63de73f4..b48fe72eca1ab1dfe2dcb7a97a856ecef86d6f33 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -3044,7 +3044,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; sdap_nested_group_process_deref_result(struct tevent_req *req)
         } else if (dctx-&amp;gt;deref_result[dctx-&amp;gt;result_index]-&amp;gt;map == \
                    state-&amp;gt;opts-&amp;gt;group_map) {
             ret = sysdb_attrs_get_string(dctx-&amp;gt;deref_result[dctx-&amp;gt;result_index]-&amp;gt;attrs,
-                                       state-&amp;gt;opts-&amp;gt;group_map[SDAP_AT_GROUP_NAME].name,
+                                       state-&amp;gt;opts-&amp;gt;group_map[SDAP_AT_GROUP_NAME].sys_name,
                                        &amp;amp;tmp_name);
             if (ret == ENOENT) {
                 DEBUG(7, ("Dereferenced a group without name, skipping ...\n"));
&lt;/pre&gt;</description>
    <dc:creator>Jakub Hrozek</dc:creator>
    <dc:date>2012-05-16T17:38:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9586">
    <title>[PATCH] RPM: Allow running 'make rpms' on RHEL 5 machines</title>
    <link>http://comments.gmane.org/gmane.linux.redhat.sssd.devel/9586</link>
    <description>&lt;pre&gt;Our previous detection for this was flawed, because the %{rhel}
macro did not exist on the version of RPM shipped with RHEL 5, but
it worked when building for RHEL 5 through mock. This new patch
relies on grepping /etc/redhat-release for the version
information.

Fixes https://fedorahosted.org/sssd/ticket/1206
&lt;/pre&gt;</description>
    <dc:creator>Stephen Gallagher</dc:creator>
    <dc:date>2012-05-15T15:54:10</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.linux.redhat.sssd.devel">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.redhat.sssd.devel</link>
  </textinput>
</rdf:RDF>

