[Pkg-sssd-devel] [Git][sssd-team/sssd][upstream] 131 commits: Update version in version.m4 to track the next release

Timo Aaltonen gitlab at salsa.debian.org
Tue Dec 8 20:39:00 GMT 2020



Timo Aaltonen pushed to branch upstream at Debian SSSD packaging / sssd


Commits:
bb48af24 by Pavel Březina at 2020-07-27T11:21:58+02:00
Update version in version.m4 to track the next release

- - - - -
bb7d80d2 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
DLOPEN-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros

- - - - -
7e44cfd9 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
SYSDB-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros
* convert assertions to different macros

e.g.
src/tests/sysdb-tests.c:6622:5: error: too few arguments to function ‘_ck_assert_failed’
 6622 |     fail_if(ret != EOK);

- - - - -
a0945dca by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
SYSDB-TESTS: Fix format string

- - - - -
bae2b416 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
STRTONUM-TESTS: Fix format string issues

- - - - -
4954da70 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
RESOLV-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros
* convert assertions to different macros

- - - - -
dc598c53 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
KRB5-UTILS-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros

- - - - -
d46b44f3 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
KRB5-UTILS-TESTS: Fix format string issues

- - - - -
692f6b7e by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
CHECK-AND-OPEN-TESTS: Fix format string issues

- - - - -
0b89f511 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
REFCOUNT-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros

- - - - -
1bb42381 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
FAIL-OVER-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros

- - - - -
a933f60e by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
FAIL-OVER-TESTS: Fix format string issues

- - - - -
6c5374f9 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
AUTH-TESTS: Fix format string issues

- - - - -
e2dc5c3b by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
IPA-LDAP-OPT-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros
* convert assertions to different macros

- - - - -
0c20b4bd by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
CRYPTO-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros
* convert assertions to different macros

- - - - -
2e270367 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
UTIL-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros
* convert assertions to different macros

- - - - -
2cb15855 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
UTIL-TESTS: Fix format string issues

- - - - -
da64aea7 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
IPA-HBAC-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros

- - - - -
cc896210 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
SSS-IDMAP-TESTS: Fix format string issues

- - - - -
c445d169 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
RESPONDER-SOCKET-ACCESS-TESTS: Fix format string issues

- - - - -
d47e442d by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
DEBUG-TESTS: Fix warnings format not a string literal and no format arguments

e.g.
src/tests/resolv-tests.c: In function ‘test_timeout’:
src/tests/resolv-tests.c:942:5: error: format not a string literal and no format arguments [-Werror=format-security]
  942 |     ck_leaks_pop(tmp_ctx);
      |

src/tests/debug-tests.c:413:9: error: format not a string literal and no format arguments [-Werror=format-security]
  413 |         fail_if(result == DEBUG_TEST_NOK_TS, msg);
      |         ^~~~~~~

src/tests/debug-tests.c: In function ‘test_debug_is_notset_timestamp_microseconds_fn’:
src/tests/debug-tests.c:603:13: error: format not a string literal and no format arguments [-Werror=format-security]
  603 |             fail(error_msg);
      |

src/tests/debug-tests.c: In function ‘test_debug_is_set_false_fn’:
src/tests/debug-tests.c:671:9: error: format not a string literal and no format arguments [-Werror=format-security]
  671 |         fail_unless(result == 0, msg);
      |

- - - - -
3bb91050 by ikerexxe at 2020-08-20T11:45:43+02:00
man: clarify AD certificate rule

Clarify AD specific certificate rule example by changing userPrincipal to
userPrincipalName. Moreover, match the subject principal name in the
example with the rule name.

Resolves:
https://github.com/SSSD/sssd/issues/5278

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4526858a by ikerexxe at 2020-08-20T11:46:32+02:00
config: allow prompting options in configuration

False warnings were logged after enabling prompting options in
configuration file. This change modifies the configuration rules to
allow prompting options.

Resolves:
https://github.com/SSSD/sssd/issues/5259

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4ad1dfa3 by Alexey Tikhonov at 2020-08-20T11:53:07+02:00
Got rid of unused Transifex settings (".tx")

Relates:
https://github.com/SSSD/sssd/issues/5097

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
70898d98 by Alexey Tikhonov at 2020-08-20T11:53:07+02:00
Got rid of "zanata.xml" due to migration to Weblate.

Relates:
https://github.com/SSSD/sssd/issues/5097

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
10366b4e by Alexey Tikhonov at 2020-08-21T10:49:43+02:00
p11_child: switch default ocsp_dgst to sha1

For details please see discussion at
https://github.com/SSSD/sssd/pull/837#issuecomment-672831519

:newdefault: sssd:certificate_verification:ocsp_dgst, sha256, sha1

Resolves:
https://github.com/SSSD/sssd/issues/5002

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
00ae18dc by Justin Stephenson at 2020-08-24T11:13:35+02:00
KCM: Increase client idle timeout to 5 minutes

Increase the default timeout to allow time for
user interaction on the command-line with kinit.

Resolves:
https://github.com/SSSD/sssd/issues/4829

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a4af77e0 by Justin Stephenson at 2020-08-24T11:15:33+02:00
CONFIG: Add SR exclude_users exclude_groups options

Add options to allow explicitly excluding users and groups from
enforcing session recording. These options are recognized only
when the SR configuration defines 'scope=all'.

Resolves:
https://github.com/SSSD/sssd/issues/5089

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0049ec85 by Justin Stephenson at 2020-08-24T11:15:43+02:00
UTIL: Add support for SR exclude_users exclude_groups

Read the exclude_* option values to be applied elsewhere when
'scope=all'.

Resolves:
https://github.com/SSSD/sssd/issues/5089

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
38df7a3b by Justin Stephenson at 2020-08-24T11:15:46+02:00
NSS: Rely on sessionRecording attribute

Don't force the tlog-rec-session shell when 'scope=all' is set,
instead read the sessionRecording attribute allowing
exclude_* options to work properly.

Resolves:
https://github.com/SSSD/sssd/issues/5089

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3a3be1cb by Justin Stephenson at 2020-08-24T11:15:49+02:00
PAM: Rely on sessionRecording attribute

Don't force the tlog-rec-session shell when 'scope=all' is set,
instead read the sessionRecording attribute allowing
exclude_* options to work properly.

Resolves:
https://github.com/SSSD/sssd/issues/5089

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c51a9f6b by Justin Stephenson at 2020-08-24T11:15:52+02:00
DP: Support SR excludes in initgroups postprocessing

When 'scope=all' is configured, set the user sessionRecording attribute
to false if a match is found with 'exclude_users' and 'exclude_groups'
values, and true otherwise, when no exclude match is found.

Resolves:
https://github.com/SSSD/sssd/issues/5089

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
19602d9a by Justin Stephenson at 2020-08-24T11:15:54+02:00
CACHE_REQ: Support SR exclude options

When 'scope=all' is configured, set the user sessionRecording
attribute to false if a match is found with 'exclude_users' and
'exclude_groups' values, and true otherwise, when no exclude match is found.

Resolves:
https://github.com/SSSD/sssd/issues/5089

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d947ac7a by Justin Stephenson at 2020-08-24T11:15:57+02:00
INTG: Add session recording exclude tests

Add basic tests for exclude_users and exclude_groups options.

Resolves:
https://github.com/SSSD/sssd/issues/5089

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
733cafd7 by Justin Stephenson at 2020-08-24T11:16:00+02:00
MAN: Add SR exclude_users and exclude_groups options

Resolves:
https://github.com/SSSD/sssd/issues/5089

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
2b73285e by Jonatan Pålsson at 2020-08-27T14:03:31+02:00
build: Don't use AC_CHECK_FILE when building manpages

AC_CHECK_FILE does not support cross-compilation, and will only check
the host rootfs. Replace AC_CHECK_FILE with a 'test -f <FILE>' instead,
to allow building manpages when cross-compiling.

Signed-off-by: Jonatan Pålsson <jonatan.p at gmail.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
266ecc08 by Alexey Tikhonov at 2020-08-27T14:05:09+02:00
Drop support of libnss as a crypto backend

Resolves: https://github.com/SSSD/sssd/issues/1041

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a2911482 by Alexey Tikhonov at 2020-08-27T14:05:09+02:00
Get rid of "NSS DB" references.

Resolves: https://github.com/SSSD/sssd/issues/1041

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
20787da9 by Steeve Goveas at 2020-09-01T11:35:09+02:00
use prerelease option in make srpm script

With --prerelease option enabled make_srpm.sh script can set different
version each time copr build is created. It adds date time and git
commit hash in the build version.
e.g.
2.3.2-0.20200826.1356.gitdb1049057.fc31

Signed-off-by: Steeve Goveas <sgoveas at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
2f4140fa by Anuj Borah at 2020-09-01T11:36:21+02:00
libdirsrv should be modified to be compatible with new DS

Directory Server 1.4.x

As DS is going to get rid of the setup-ds.pl file completely, we need to change the same on our side too.

Reviewed-by: Niranjan Mallapadi <mrniranjan at redhat.com>

- - - - -
f4322cd9 by Niranjan M.R at 2020-09-03T13:07:36+02:00
pytest/testlib: Execute pk12util command to create ca.p12

execute the pk12util command to create ca.p12 file
Minor fix: return variable should be out of the for loop scope

Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
39c564be by Steeve Goveas at 2020-09-03T13:07:54+02:00
Add seconds in copr version

Add seconds to distinguish builds that are triggered in the same minute.
Shorten the year by using only the last 2 digits.

Signed-off-by: Steeve Goveas <sgoveas at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
69e1f5fe by Sumit Bose at 2020-09-03T13:08:12+02:00
GPO: respect ad_gpo_implicit_deny when evaluating rules

Currently, if ad_gpo_implicit_deny is set to 'True', access is rejected
if no GPOs applied to the host, since in this case there are obviously no
allow rules available.

But according to the man page we have to be more strict "When this
option is set to True users will be allowed access only when explicitly
allowed by a GPO rule". So if GPOs apply and no allow rules are present
we have to reject access as well.

Resolves: https://github.com/SSSD/sssd/issues/5061

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d79f5933 by Pavel Březina at 2020-09-03T13:08:45+02:00
gpo: remove unused variable domain_dn

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
a0792b32 by Pavel Březina at 2020-09-03T13:08:45+02:00
gpo: use correct base dn

Domain name in SSSD configuration does not have to be the same
as the AD domain. GPO did not work in this case.

Steps to reproduce:
1. Join SSSD to an AD domain (ad.vm)
2. Create GPO that is applicable to the host/user
3. Name the SSSD domain differently ([domain/AD])
4. Try to authenticate as AD user

Resolves:
https://github.com/SSSD/sssd/issues/4840

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
b50521e4 by Sumit Bose at 2020-09-03T13:09:12+02:00
cache_req: allow to restrict the domains an object is searched in

With the new call cache_req_data_set_requested_domains() a
NULL-terminated list of domain names can be added to cache_req so
that the object is only searched in the listed domains. If the list only
contains unknown domains the cache_req will return with an error.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6ec94790 by Sumit Bose at 2020-09-03T13:09:12+02:00
tests: add unit-test for cache_req_data_set_requested_domains

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3808c04f by Sumit Bose at 2020-09-03T13:09:12+02:00
pam: use requested_domains to restrict cache_req searches

If the 'domains' is used with pam_sss.so it is expected that only users
from the given domains are allowed. Currently it is checked after the
user is searched if the result is from one of those domains.

To speed things up and to allow more flexible setups this patch
restricts the list of domains already in the cache_req. The check after
the search is kept as an additional safe-guard although the cache_req
should now only return users from the given domains or an error.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
db170d0a by Sumit Bose at 2020-09-03T13:09:12+02:00
intg: krb5 auth and pam_sss domains option test

New integration tests for Kerberos authentication and the handling of
the 'domains' option of pam_sss are added. The purpose of the latter
test is to make sure that the 'domains' option is properly evaluated
even if multiple domains with the same user base are configured in
sssd.conf.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
35ab0493 by Sumit Bose at 2020-09-03T13:09:12+02:00
pam_sss: clarify man page entry of domains option

Resolves: https://github.com/SSSD/sssd/issues/3987

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
bca41326 by Sumit Bose at 2020-09-04T11:23:33+02:00
krb5: only try pkinit with Smartcard credentials

Currently pkinit is tried if a Smartcard is present. But depending on
the used PAM service and other configurations it might happen that the
user didn't provide the Smartcard PIN but e.g. the password. Hence,
before trying pkinit we should check if the right credentials are
available.

Resolves:
https://github.com/SSSD/sssd/issues/5290

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
83ae3450 by Alexey Tikhonov at 2020-09-04T11:24:26+02:00
CONFDB: fixed compilation warning

Fixed following compilation warning:
```
../src/confdb/confdb.c: In function ‘confdb_get_domains’:
../src/confdb/confdb.c:2499:12: warning: ‘enabled’ may be used uninitialized in this function [-Wmaybe-uninitialized]
```

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fbc70821 by Alexey Tikhonov at 2020-09-04T11:24:26+02:00
CONFDB: fixed bug in confdb_get_domain_enabled()

In case CONFDB_DOMAIN_ENABLED option was set to a value other than
"true"/"false", function would return EOK while leaving `_enabled`
uninitialized.

Resolves:
https://github.com/SSSD/sssd/issues/4743

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5fb22633 by Sumit Bose at 2020-09-14T11:37:44+02:00
ldap: add new option ldap_library_debug_level

With the new option ldap_library_debug_level the debug level for
OpenLDAP's internal debugging can be set. If set the OpenLDAP debug
messages will be written to the logs independent of the general
debug_level.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
67b3f371 by Alexey Tikhonov at 2020-09-17T14:14:13+02:00
CLIENT:PAM: fixed missed return check

Return code of `prompt_2fa()` wasn't checked and
thus its failure wasn't properly processed.

Spotted with the help of the following warning:
```
Error: CLANG_WARNING:
sssd-2.3.2/src/sss_client/pam_sss.c:2355:21: warning: Value stored to 'ret' is never read
 #                    ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
 #                    ^     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
05c06cd6 by Luiz Angelo Daros de Luca at 2020-09-17T14:15:10+02:00
ldap: add ldap_sasl_realm to cfg_rules.ini

Resolves:
https://github.com/SSSD/sssd/issues/5314

Signed-off-by: Luiz Angelo Daros de Luca <luizluca at gmail.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4a84f8e1 by Pavel Březina at 2020-09-17T14:16:24+02:00
dp: fix potential race condition in provider's sbus server

We can hit a segfault if provider start is somehow delayed.

- dp_init_send
  - sbus_server_create_and_connect_send
    - sbus_server_create (*)
- dp_init_done (callback for sbus_server_create_and_connect_send)
  - sbus_server_create_and_connect_recv
  - sbus_server_set_on_connection (sets clients data and creates dp_cli)

At (*) sbus server is already created and accepts new connections once
we get into tevent loop. So it is possible that the client connects to
server before sbus_server_set_on_connection is called and thus the client
is not properly initialized. However it should not happen in normal start
because providers are started before responders and it can happen only if
data provider startup is somehow delayed.

You can use this diff to reproduce the crash:

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
838baa83 by ikerexxe at 2020-09-17T14:17:52+02:00
util/sss_python: change MODINITERROR to dereference module

Change MODINITERROR macro to dereference module when PyModule_*
interfaces report some type of failure.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
c008d899 by ikerexxe at 2020-09-17T14:17:52+02:00
python/pysss_nss_idmap: check return from functions

Coverity warns that PyModule_AddIntConstant() returns operation success
or failure but this value is never checked.

```
Error: CHECKED_RETURN (CWE-252):
sssd-2.3.0/src/python/pysss_nss_idmap.c:587: check_return: Calling
"PyModule_AddIntConstant" without checking return value (as is done
elsewhere 4 out of 5 times).
sssd-2.3.0/src/python/pyhbac.c:1956: example_assign: Example 1:
Assigning: "ret" = return value from "PyModule_AddIntConstant(m,
"HBAC_CATEGORY_ALL", 1L)".
sssd-2.3.0/src/python/pyhbac.c:1957: example_checked: Example 1 (cont.):
"ret" has its value checked in "ret == -1".
sssd-2.3.0/src/python/pyhbac.c:1960: example_assign: Example 2:
Assigning: "ret" = return value from "PyModule_AddIntConstant(m,
"HBAC_RULE_ELEMENT_USERS", 1L)".
sssd-2.3.0/src/python/pyhbac.c:1961: example_checked: Example 2 (cont.):
"ret" has its value checked in "ret == -1".
sssd-2.3.0/src/python/pyhbac.c:1972: example_assign: Example 3:
Assigning: "ret" = return value from "PyModule_AddIntConstant(m,
"HBAC_EVAL_DENY", HBAC_EVAL_DENY)".
sssd-2.3.0/src/python/pyhbac.c:1973: example_checked: Example 3 (cont.):
"ret" has its value checked in "ret == -1".
sssd-2.3.0/src/python/pyhbac.c:1982: example_assign: Example 4:
Assigning: "ret" = return value from "PyModule_AddIntConstant(m,
"HBAC_ERROR_NOT_IMPLEMENTED", HBAC_ERROR_NOT_IMPLEMENTED)"..
sssd-2.3.0/src/python/pyhbac.c:1983: example_checked: Example 4 (cont.):
"ret" has its value checked in "ret == -1".
 #  585|       PyModule_AddIntConstant(module, "ID_NOT_SPECIFIED",
 #  586|                               SSS_ID_TYPE_NOT_SPECIFIED);
 #  587|->     PyModule_AddIntConstant(module, "ID_USER", SSS_ID_TYPE_UID);
 #  588|       PyModule_AddIntConstant(module, "ID_GROUP", SSS_ID_TYPE_GID);
 #  589|       PyModule_AddIntConstant(module, "ID_BOTH", SSS_ID_TYPE_BOTH);
```

Moreover, even though Coverity doesn't indicate it, the same happens with
PyModule_AddStringConstant().

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
8b1a8cf9 by ikerexxe at 2020-09-17T14:17:52+02:00
python/pyhbac: if PyModule* fails decrement references

If PyModule* actions fail, then references to objects have to be
decremented.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
03b00f72 by ikerexxe at 2020-09-17T14:17:52+02:00
python/pysss: if PyModule* fails decrement references

If PyModule_AddObject fails, then references to objects have to be
decremented.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
245dea6e by Alexey Tikhonov at 2020-09-21T11:51:41+02:00
PAM responder: fixed compilation warning

Fixed following warning:
```
Error: CLANG_WARNING:
sssd-2.3.2/src/responder/pam/pamsrv_cmd.c:982:9: warning: Access to field 'cache_credentials' results in a dereference of a null pointer (loaded from field 'domain')
 #        preq->domain->cache_credentials &&
 #        ^     ~~~~~~
```

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
93bcfd15 by Alexey Tikhonov at 2020-09-21T11:51:41+02:00
KCM: suppress false positive cppcheck warnings

Suppress a bunch of warnings like this:
```
Error: CPPCHECK_WARNING (CWE-456):
sssd-2.3.2/src/responder/kcm/kcmsrv_ccache_json.c:154: error[uninitvar]: Uninitialized variable: key_uuid
 #  152|       uuid_t key_uuid;
 #  153|
 #  154|->     ret = sec_key_get_uuid(sec_key, key_uuid);
 #  155|       if (ret != EOK) {
 #  156|           DEBUG(SSSDBG_MINOR_FAILURE, "Cannot convert key to UUID\n");
```

Those are clearly false positives as in all those places `uuid` is output arg and
isn't read in following execution flow. "cppcheck" fails to detect this because
`uuid_t` and uuid_parse()/uuid_copy() are opaque for analyzer.

There is no sane way to initialize uuid_t in a way that would please cppcheck.
Moreover, it doesn't make sense to do so from performance point of view.
Hence suppression.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
c273a78c by Alexey Tikhonov at 2020-09-21T11:51:41+02:00
RESOLV: makes use of sss_rand() helper

Makes use of sss_rand() helper instead of plain srand()/rand()

Reduces amount of "Error: DC.WEAK_CRYPTO (CWE-327)" warnings.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
20b8b955 by Alexey Tikhonov at 2020-09-21T11:51:41+02:00
UTIL: fortify IS_SSSD_ERROR() check

Fixes following warning:
```
Error: NEGATIVE_RETURNS (CWE-394):
sssd-2.3.2/src/providers/ldap/sdap_async.c:1516: var_tested_neg: Variable "lret" tests negative.
sssd-2.3.2/src/providers/ldap/sdap_async.c:1525: negative_returns: "lret" is passed to a parameter that cannot be negative.
 # 1523|               }
 # 1524|               else {
 # 1525|->                 sss_log(SSS_LOG_ERR, "LDAP connection error, %s",
 # 1526|                                        sss_ldap_err2string(lret));
 # 1527|               }
```

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
4c218a55 by Alexey Tikhonov at 2020-09-21T11:51:41+02:00
LDAP: sdap_parse_entry() optimization

It doesn't make sense to iterate over `map` if sdap_parse_range()
returned ECANCELED anyway.

Also fixes following warning:
```
Error: CLANG_WARNING:
sssd-2.3.2/src/providers/ldap/sdap.c:529:13: warning: Value stored to 'ret' is never read
 #            ret = EOK;
 #            ^     ~~~
```

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
0c193e82 by Alexey Tikhonov at 2020-09-21T11:51:41+02:00
DP: fixes a couple of covscan's complaints

Fixes warnings like:
```
Error: MISSING_RESTORE (CWE-573):
sssd-2.3.2/src/providers/data_provider_fo.c:61: compare: Verifying that non-local "ctx->be_fo" is initially equal to sentinel value "NULL".
sssd-2.3.2/src/providers/data_provider_fo.c:65: modify: Modifying non-local "ctx->be_fo".
sssd-2.3.2/src/providers/data_provider_fo.c:67: end_of_path: Value of non-local "ctx->be_fo" that was verified to be "NULL" is not restored as it was along other paths.
sssd-2.3.2/src/providers/data_provider_fo.c:87: restore_example: The original value of non-local "ctx->be_fo" was restored here.
 #   65|       ctx->be_fo = talloc_zero(ctx, struct be_failover_ctx);
 #   66|       if (!ctx->be_fo) {
 #   67|->         return ENOMEM;
 #   68|       }
 #   69|
```

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
cf15e9ea by Luiz Angelo Daros de Luca at 2020-09-21T11:52:04+02:00
SSSCTL: fix logs-remove when log directory is empty

"sssctl logs-remove" calls "truncate --size 0 *.log" and "*.log"
will expand to literal '*.log' when directory is empty. The result
is a new empty '*.log' file.

Add '--no-create' to truncate call.

Signed-off-by: Luiz Angelo Daros de Luca <luizluca at gmail.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f434fedf by Alexey Tikhonov at 2020-09-23T14:03:43+02:00
cmocka based tests: explicitly turn LTO off

cmocka based tests use "-Wl,-wrap" to wrap calls at link time. This is
incompatible with LTO.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d34eb963 by Alexey Tikhonov at 2020-09-23T14:03:43+02:00
Makefile.am: get rid of `libsss_nss_idmap_tests`

`libsss_nss_idmap_tests` isn't required since
https://github.com/SSSD/sssd/pull/632

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5f23f237 by Alexey Tikhonov at 2020-09-23T14:04:04+02:00
sss_nss_idmap-tests: fixed error in iteration over `test_data`

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
b377253b by Thorsten Scherf at 2020-09-23T14:04:21+02:00
MAN: fix 'pam_responsive_filter' option type

Resolves: https://github.com/SSSD/sssd/issues/5325

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
b1ef82b6 by Duncan Eastoe at 2020-09-23T14:05:02+02:00
data_provider_be: Configurable max offline time

The offline_timeout period determines the minimum time between
attempts of a data provider to go back online, if it is offline due
to e.g. unreachable servers. Each time this check fails there is a
backoff factor applied meaning there can be up to 60 minutes between
these attempts.

Here we introduce the offline_timeout_max option which allows
the maximum period between attempts to be defined in the configuration,
instead of the default 60 minutes; therefore providing more
flexibility.

Setting offline_timeout_max to 0 disables the backoff functionality.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
7807ffd7 by Duncan Eastoe at 2020-09-23T14:05:02+02:00
be_ptask: max_backoff may not be reached

If the incremented delay value was greater than max_backoff then
the previous delay was used, rather than using max_backoff as a
ceiling value.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
904ff17c by Duncan Eastoe at 2020-09-23T14:05:02+02:00
be_ptask: backoff not applied on first re-schedule

The task interval backoff is not applied on the first re-schedule
operation, since when scheduling the first run (BE_PTASK_FIRST_DELAY)
we do not calculate the backed off period for the next re-schedule.

Calculate the backed off period for the current scheduling operation,
rather than the next, to resolve this.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
04ea4220 by Duncan Eastoe at 2020-09-23T14:05:02+02:00
data_provider_be: Add OFFLINE_TIMEOUT_DEFAULT

Replace hardcoded default value of 60 in a couple of places.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
e5bdc0b7 by Thorsten Scherf at 2020-09-29T12:20:55+02:00
MAN: update 'ldap_referrals' config entry

Add explicit statement that 'ldap_referrals' should be turned off when Active Directory is used as a backend with the SSSD LDAP provider.

Resolves: https://github.com/SSSD/sssd/issues/5338

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
dda652a2 by Steeve Goveas at 2020-09-29T12:21:30+02:00
enable files domain in copr builds for testing

Tests against copr build fail without this option enabled

Signed-off-by: Steeve Goveas <sgoveas at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
abd19122 by Pavel Březina at 2020-09-29T12:22:20+02:00
conf: disable python2 bindings by default

Python2 is being fully replaced by Python3 on modern distros so
there is no need to build the bindings by default. We don't even
ship python2 packages in Fedora for quite some time now.

Keeping this on by default requires using --without-python2-bindings
on modern distributions where python2 is not installed by default.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f126afc9 by Justin Stephenson at 2020-09-29T14:24:10+02:00
KCM: Fix GSSAPI delegation for the memory back end

When GSSAPI credentials are delegated over SSH, the KCM set default ccache
operation looks for an ERR_NO_CREDS return code to continue handling the
SSH-created ccache correctly. The memory back end will now return this
error code in this situation, matching the default secdb back end.

Resolves: https://github.com/SSSD/sssd/issues/5333

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0b069085 by Joakim Tjernlund at 2020-09-29T14:24:47+02:00
Add dyndns_auth_ptr support

Allows to specify auth method for DNS PTR updates.
Default to same as dyndns_auth.

Resolves: https://github.com/SSSD/sssd/issues/5274

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
62aceaf9 by Alexey Tikhonov at 2020-09-30T14:31:32+02:00
UTIL:utf8: code cleanup

This patch touches `sss_*_utf8_*_tolower()` helpers:
 - gets rid of some of them
 - simplifies / optimizes code (avoiding excessive realloc's / memcpy's)
 - limits visibility of "internal" helper

It also fixes following covscan error:
```
Error: OVERRUN (CWE-119):
sssd-2.3.2/src/util/sss_utf8.c:75: strlen_assign: Setting variable "nlen" to the return value of strlen called with argument "glower".
sssd-2.3.2/src/util/sss_utf8.c:77: alloc_strlen: Allocating insufficient memory for the terminating null of the string.
 #   75|       nlen = strlen(glower);
 #   76|
 #   77|->     lower = g_malloc(nlen);
 #   78|       if (!lower) {
 #   79|           g_free(glower);
```

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a0bf4b3d by Alexey Tikhonov at 2020-09-30T14:31:32+02:00
UTIL:utf8: moved a couple of helpers

`sss_utf8_free()` and `sss_utf8_tolower` were moved to sss_tc_utf8.c
and made static as those helpers are only used there.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
430e695a by Samuel Cabrero at 2020-09-30T14:32:00+02:00
PROXY: Fix iphost not found code path in get_host_by_name_internal

Return the correct error code ENOENT when the iphost is not found.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9d350e04 by Samuel Cabrero at 2020-09-30T14:32:00+02:00
NSS: Fix get ip network by address when address type is AF_UNSPEC

If type is AF_UNSPEC try to parse to an IPv4 address.

Resolves:
    https://github.com/SSSD/sssd/issues/5256

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2c456951 by Samuel Cabrero at 2020-09-30T14:32:00+02:00
NSS: Fix _nss_sss_getnetbyaddr_r address byte order

The address is received in host byte order, but the nss protocol
parser expects it in network byte order.

Resolves:
    https://github.com/SSSD/sssd/issues/5256

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a590fd98 by Samuel Cabrero at 2020-09-30T14:32:00+02:00
PROXY: getnetbyaddr_r expects the net argument in host byte order

The inet_pton function returns the address in network byte order, but
getnetbyaddr_r expects it in host byte order.

Resolves:
    https://github.com/SSSD/sssd/issues/5256

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9edc3c49 by Samuel Cabrero at 2020-09-30T14:32:00+02:00
TESTS: getnetbyaddr_r expects network in host byte order

Resolves:
    https://github.com/SSSD/sssd/issues/5256

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
69af6848 by Samuel Cabrero at 2020-09-30T14:32:00+02:00
TESTS: Fix resolver test calling getnetbyname instead of getnetbyaddr

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
77734063 by Samuel Cabrero at 2020-09-30T14:32:00+02:00
TESTS: Extend resolver tests to check getnetbyaddr with AF_UNSPEC

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8fa70232 by Alexey Tikhonov at 2020-09-30T14:32:20+02:00
AD: validate `search_bases` in DPM_ACCT_DOMAIN_HANDLER

In specific circumstances "sdom->*_search_bases" might be unset yet
when "ad_get_account_domain_send() -> ad_get_account_domain_prepare_search()"
is executed.

Resolves:
https://github.com/SSSD/sssd/issues/5295

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
edec0ee3 by Alexey Tikhonov at 2020-09-30T14:32:20+02:00
DP:getAccountDomain: add DP_FAST_REPLY support

Let `getAccountDomain()` fail immediately if offline.

Resolves: https://github.com/SSSD/sssd/issues/5295

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
49481da2 by ikerexxe at 2020-10-01T13:03:07+02:00
IFP: GetUserGroups() returns origPrimaryGroupGidNumber

There was a mismatch between the information provided by NSS and IFP
interfaces. nss_protocol_fill_initgr() returned
origPrimaryGroupGidNumber as one of the group members of a user, but
GetUserGroups() didn't. This commit makes GetUserGroups() also return
origPrimaryGroupGidNumber value.

Resolves:
https://github.com/SSSD/sssd/issues/4569

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5ddabede by ikerexxe at 2020-10-01T13:03:07+02:00
IFP-TESTS: GetUserGroups() returns origPrimaryGroupGidNumber

New infopipe test case to check:
Given auto_private_groups is enabled
When GetUserGroups is called
Then the origPrimaryGroupGidNumber is returned as part of the group
memberships

Resolves:
https://github.com/SSSD/sssd/issues/4569

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7fbcaa8f by Pavel Březina at 2020-10-01T16:01:22+02:00
be: remove accidental sleep

This sleep was used to test a crash in data provider and quite unfortunately
it was left in the patch.

dp: fix potential race condition in provider's sbus server
4a84f8e18ea5604ac7e69849dee492718fd96296.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
414593cc by Pavel Březina at 2020-10-02T12:18:54+02:00
ldap: add support for cldap and udp connections

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8265674a by Pavel Březina at 2020-10-02T12:18:54+02:00
ad: use cldap for site and forest discovery (perform CLDAP ping)

All Windows clients use CLDAP (UDP) for LDAP ping. Even though AD
also supports LDAP ping over TCP, IPA does not; therefore it is crucial
for us to perform the ping over the CLDAP protocol.

Resolves:
https://github.com/SSSD/sssd/issues/5215

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1889ca60 by Pavel Březina at 2020-10-02T12:18:55+02:00
ad: connect to the first available server for cldap ping

Resolves:
https://github.com/SSSD/sssd/issues/3743

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fcfd834c by Pavel Březina at 2020-10-02T12:18:55+02:00
ad: if all in-site dc are unreachable try off-site controllers

Previous implementation would not fall back to the off-site domain
controllers. This would cause problems if the site actually changed.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a62a13ae by Pavel Březina at 2020-10-02T12:18:55+02:00
man: fix typo in failover description

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9fdf5cfa by Pavel Březina at 2020-10-02T12:18:55+02:00
ad: renew site information only when SSSD was previously offline

Site and forest information is stable, not dynamic. To avoid spamming
network with cldap pings all the time we will renew netlogon information
only when SSSD starts and when we are recovering from an offline state
to detect possible change (e.g. user moves to another location with laptop).

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f0d65079 by Pavel Březina at 2020-10-02T12:18:55+02:00
tevent: correctly handle req timeout error

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
093061f5 by Tomas Halman at 2020-10-02T12:19:51+02:00
UTIL: DN sanitization

Some of the ldap servers return DNs in attributes such as isMemberOf
with spaces like dc=example, dc=com. That should be fine and we
should ignore them (cut them out) instead of escaping.

Resolves:
https://github.com/SSSD/sssd/issues/5261

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
21b9417e by Tomas Halman at 2020-10-02T12:19:51+02:00
UTIL: Use sss_sanitize_dn where we deal with DN

Resolves:
https://github.com/SSSD/sssd/issues/5261

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
fe0f1e64 by Tomas Halman at 2020-10-02T12:19:51+02:00
UTIL: Use sss_sanitize_dn where we deal with DN 2

Tests show that also ldb_dn_get_linearized can
return DN with extra spaces. We have to trim that too.

Resolves:
https://github.com/SSSD/sssd/issues/5261

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
50d0d154 by Sumit Bose at 2020-10-02T12:19:51+02:00
ldap: use member DN to create ghost user hash table

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
88631392 by Sumit Bose at 2020-10-02T12:19:51+02:00
intg: allow member DN to have a different case

Make sure that group members are added properly to the group even if the
user DN in the RFC2307bis member attribute differs in case from the
original DN of the user object.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
a409ffae by Timothée Ravier at 2020-10-02T12:21:23+02:00
sss_cache: Do nothing if SYSTEMD_OFFLINE=1

Do not check for /var being RO as this will break cases where we
explicitly request sssd not to update the cache by setting
SYSTEMD_OFFLINE=1.

This will still complain if /var is RO and SYSTEMD_OFFLINE is not set.

See initial discussion at: https://pagure.io/SSSD/sssd/pull-request/3959

Fixes: sss_cache: Do nothing if /var is read-only
https://github.com/SSSD/sssd/commit/073b03a096a763170165fe3814fa987881713e75

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
1b016774 by Alexey Tikhonov at 2020-10-06T11:48:18+02:00
Got rid of unused providers/data_provider/dp_pam_data.h

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d1ed68bd by Alexey Tikhonov at 2020-10-06T11:53:22+02:00
UTILS: adds helper to convert authtok type to str

This patch introduces a helper to convert authtok type to string
and makes use of this helper in `pam_print_data()`

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
038385dd by Alexey Tikhonov at 2020-10-06T11:53:22+02:00
krb5_child: fixed few mistypes in debug messages

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
44581276 by Alexey Tikhonov at 2020-10-06T11:53:22+02:00
parse_krb5_child_response: adds verbosity

This patch decodes krb5 child response status and message types in
the log messages.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
68497dc1 by Alexey Tikhonov at 2020-10-06T11:53:22+02:00
krb5_child: adds verbosity

This patch decodes krb5 child command in the log messages.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
37ba37a4 by Sumit Bose at 2020-10-06T11:54:43+02:00
ad: fix handling of current site and forest in cldap ping

The current site and forest are stored in a long living context and we
have to make sure that they are not moved to a different talloc parent
with a shorter lifetime. To achieve this the values are copied at the
start of a new cldap ping although it is expected that the values won't
change.

Resolves: https://github.com/SSSD/sssd/issues/3743

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
93e35c76 by Pavel Březina at 2020-10-06T11:55:13+02:00
autofs: if more than one entry is found store all of them

There can be more entries with the same cn (automountKey) attribute value
that differ only in casing if a different attribute is chosen as rdn.
SSSD then searches for (cn=name) when the name folder is being mounted, but
this returns both the lowercase and uppercase entry and we only store one
(which may not be the desired one based on the order in the result)
and fail to mount one of the directories.

Resolves:
https://github.com/SSSD/sssd/issues/5330

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
d39b6580 by Justin Stephenson at 2020-10-07T13:57:23+02:00
KCM: Fix access after free on shutdown

Skip triggering the queue entry destructor on KCM shutdown
to prevent a crash when multiple requests are queued.

Resolves: https://github.com/SSSD/sssd/issues/4733

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4f65a8d1 by Sumit Bose at 2020-10-07T14:00:17+02:00
ad: add ad_allow_remote_domain_local_groups

As the option name says, if set to true, Domain Local groups from remote
domains won't be filtered out. This option is added to facilitate the
migration from other solutions and should only be used for this purpose.

Resolves: https://github.com/SSSD/sssd/issues/5346

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b427e059 by Pavel Březina at 2020-10-07T16:19:40+02:00
pot: update pot files to allow updated translations

- - - - -
bc1ce6f0 by Simo Sorce at 2020-10-08T13:29:41+02:00
krb5_child: Harden credentials validation code

The krb5_verify_init_creds() call is used to validate the credentials
just obtained by trying to acquire a ticket from the KDC that we can
decrypt. This ensures the KDC is indeed legitimate as it proves
possession of the shared key.

However this function will *enforce* this behavior only if the
KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL option is set to the value
TRUE.

If this option is unset it defaults to FALSE which means verify will
silently return success if no key is available.

SSSD *does* ensure that a key is always available for validation, so
this is not a security bug with the current code. However we add belt
and suspenders here to futureproof this code in case of future
inadvertent changes that may lead to a code path where a key may be
missing.

Signed-off-by: Simo Sorce <simo at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
78f221ed by Pavel Březina at 2020-10-08T13:29:55+02:00
multihost: move sssd.testlib closer to tests

So it can be used directly without the need of installing the package.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
974b4e90 by Pavel Březina at 2020-10-08T13:29:55+02:00
multihost: remove packaging files

The test library is not currently published in pypi nor Fedora and it is
not being reused by other projects so it makes no sense for us to keep
maintaining these files.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
3379dac2 by Pavel Březina at 2020-10-08T13:29:55+02:00
spec: enable kcm by default

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
d7d53141 by Pavel Březina at 2020-10-08T13:29:55+02:00
tests: run TIER-0 multihost tests in PRCI

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
d1e5d188 by Alexey Tikhonov at 2020-10-12T12:01:05+02:00
krb5_child: reduce log severity in sss_krb5_prompter

krb5_child primarily uses krb5_get_init_creds_opt_set_responder() /
sss_krb5_responder() to do the work; the old scheme, sss_krb5_prompter(),
is mostly used for debug purposes, and a password prompt request isn't
a real error here.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5c309f52 by Sumit Bose at 2020-10-12T12:01:26+02:00
cert: move cert_to_ssh_key_send/recv() to ssh responder

The cert_to_ssh_key_send/recv() request is currently only used by the
SSH responder and adds an unneeded dependency to libsss_certmap to
lib_sss_cert.

Resolves: https://github.com/SSSD/sssd/issues/1030

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
deefae78 by Sumit Bose at 2020-10-12T12:01:26+02:00
sysdb: add sysdb_cert_derb64_to_ldap_filter()

sysdb_cert_derb64_to_ldap_filter() is a simplified version of
sss_cert_derb64_to_ldap_filter() for the case when no certificate
mapping context is available.

Resolves: https://github.com/SSSD/sssd/issues/1030

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
7fcc8b0e by Sumit Bose at 2020-10-12T12:01:26+02:00
cert: move sss_cert_derb64_to_ldap_filter() out of libsss_cert.so

To avoid a dependency to libsss_certmap.so
sss_cert_derb64_to_ldap_filter() is removed from the internal
libsss_cert.so library.

Resolves: https://github.com/SSSD/sssd/issues/1030

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
bb50ad83 by Sumit Bose at 2020-10-12T12:01:26+02:00
build: remove libsss_certmap from dependencies of libsss_cert

The internal library libsss_cert is used at various places and the
dependency to the public library libsss_certmap is not needed in most of
those places.

Resolves: https://github.com/SSSD/sssd/issues/1030

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
ad694411 by Pavel Březina at 2020-10-12T12:01:47+02:00
git-template: add tags to help with release notes automation

This commit adds information on several tags that should be used
so we are able to generate release notes on each new release
automatically. This will make release notes more thorough and it
will also simplify the process a lot since it takes lots of time
to do it manually.

Why I chose `:tag:` format:
1. Using @ notation creates user references in github so I wanted
   to use something different. This notation is used in ReST
   documentation language so it is commonly known.
2. Using a plain text like (Resolves) leads people to create their
   own variations (Fixes, Resolves XYZ, ...) which adds additional
   burden to maintainers. Using this format makes it less error
   prone and easier to parse.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c94d91c4 by Weblate at 2020-10-12T12:04:43+02:00
Update the translations for the 2.4.0 release

- - - - -
51db6a23 by Pavel Březina at 2020-10-12T12:16:19+02:00
Release sssd-2.4.0

- - - - -


14 changed files:

- .copr/Makefile
- .git-commit-template
- .gitignore
- − .tx/config
- Makefile.am
- configure.ac
- contrib/ci/configure.sh
- + contrib/ci/run-multihost
- contrib/fedora/make_srpm.sh
- contrib/sssd.spec.in
- contrib/test-suite/test-suite.yml
- po/LINGUAS
- po/bg.po
- po/ca.po


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/7e004b7c50204218928e5c615ba27c2c3dfe8e20...51db6a23a595582aa8071c0675de3df45b608072
