[Pkg-sssd-devel] [Git][sssd-team/sssd][master] 306 commits: Update version in version.m4 to track the next release

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Wed Jun 7 12:44:16 BST 2023



Timo Aaltonen pushed to branch master at Debian SSSD packaging / sssd


Commits:
6a2de710 by Pavel Březina at 2022-10-07T12:58:06+02:00
Update version in version.m4 to track the next release

- - - - -
7a1976c9 by Iker Pedrosa at 2022-10-10T13:07:02+02:00
fido2: register key with helper process

Create a helper process to handle the FIDO2 key registration. In order
to do that the helper process will parse the command line arguments,
list the connected devices, select the first one in the list, prepare
the user credentials, generate the key credentials, verify them to
ensure that everything has worked correctly and print the credentials.

FIDO U2F fallback has been disabled to force a PIN usage, thus
increasing the security as a lost or stolen key would be unusable with
it.

Moreover, include the libfido2 dependency in the configuration and the
spec file.

Finally, several test cases have been added to the unit tests. Most of
them just check the happy path but some error handling is also tested.

:packaging: include libfido2 dependency
:config: New config to build passkey authentication

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5b27a353 by Justin Stephenson at 2022-10-10T13:07:02+02:00
Fido2 child: Add missing options

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9a2548ea by Iker Pedrosa at 2022-10-10T13:07:02+02:00
fido2: make the build conditional

Add a condition to build the FIDO2 support.

Resolves: SSSD#6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f800471e by Iker Pedrosa at 2022-10-10T13:07:02+02:00
sssd.supp: suppress leak errors

The suppression rule for popt malloc needs to be more generic. Moreover,
create a new suppression rule for sssd debug initialization when being
executed twice: from the production code and from the unit-tests.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8bdcc028 by Iker Pedrosa at 2022-10-10T13:07:02+02:00
passkey: change fido2 to passkey

Passkey is a more general term that the industry is using currently.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ab89455b by Justin Stephenson at 2022-10-12T14:22:14+02:00
CI: Build srpm fix for illegal version tag '-'

error: line 45: Illegal char '-' (0x2d) in: Version: sssd-2-7

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a5403f78 by Alexey Tikhonov at 2022-10-13T21:00:10+02:00
IPA: "trusted user not found" isn't an error

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b38fdc81 by Pavel Březina at 2022-10-13T21:00:38+02:00
confdb: avoid syslog message when no domains are enabled

This syslog message would also appear when calling other tools like
sss_cache, which is confusing. We return a specific error code instead
and let the error be syslogged in the monitor in monitor.c:main (this
is already implemented).

Resolves: https://github.com/SSSD/sssd/issues/6387

:fixes: A regression where running sss_cache with no SSSD domain
  enabled would produce a critical syslog message was fixed.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4da86136 by Pavel Březina at 2022-10-13T21:00:38+02:00
monitor: read all enabled domains in add_implicit_services

Reading sssd/domains option is no longer sufficient since domains
can be enabled through domain/enabled.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
64c22dd1 by Pavel Březina at 2022-10-13T21:00:38+02:00
sss_cache: use ERR_NO_DOMAIN_ENABLED instead of ENOENT

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
df55b1f1 by Pavel Březina at 2022-10-13T21:00:38+02:00
confdb: change debug level when no domains are found in confdb_get_domains

We print the error as fatal error in the monitor to make sure the
message is correctly visible. However, the error is not fatal for tools
like sss_cache and it should not be printed there by default.

Since the tools have default debug level set to SSSDBG_FATAL_FAILURE, it
is sufficient to just drop the level to critical.

Resolves: https://github.com/SSSD/sssd/issues/6387

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a05719fa by Shridhar Gadekar at 2022-10-13T21:01:45+02:00
Tests: Porting the AD-Access-control test-suite to pytest

Minor docstring modifications. Adding detailed expected results
instead of 'should succeed' in docstrings of testcases

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
6c0ae779 by aborah-sudo at 2022-10-20T11:04:07+02:00
Tests: port proxy_provider/rfc2307

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.6/client/proxy_provider/rfc2307

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8a2fd06b by Alexey Tikhonov at 2022-11-01T17:15:46+01:00
CFG RULES: allow 'fallback_to_nss' option

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
71466a8d by Alexey Tikhonov at 2022-11-01T17:19:07+01:00
SYSDB: pre-existence of MPG group in the cache isn't an error

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
103a4888 by Pavel Březina at 2022-11-01T17:19:35+01:00
autofs: do not yield warning on default configuration

This warning has been there for a long time now (since 1.14, 7 years,
see 999d6066c7a96f102b692d31435d76114478e874) and it was intended to
be removed eventually.

:relnote: SSSD will no longer warn about changed defaults when using
  `ldap_schema = rfc2307` and default autofs mapping. This warning was
  introduced in 1.14 to loudly warn about different default values.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
6d87af5e by Justin Stephenson at 2022-11-01T17:19:56+01:00
SSSCTL: Add passkey exec command

Simple wrapper which calls the passkey_child process, planned to be
used with passkey_child --register and also for troubleshooting.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ee0d73a2 by Justin Stephenson at 2022-11-01T17:19:56+01:00
SSSCTL: Use wrapper function for analyze

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
62458d49 by Pavel Březina at 2022-11-01T17:37:18+01:00
ci: enable ci for sssd-2-8 branch

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
c526acba by Pavel Březina at 2022-11-01T17:37:18+01:00
ci: switch to actions/checkout at v3

checkout at v3 runs on node16, so it removes the deprecation warning:
https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
770bf7bf by Pavel Březina at 2022-11-01T17:37:18+01:00
ci: use GITHUB_OUTPUT instead of set-output

https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
b2d193b9 by Pavel Březina at 2022-11-01T17:37:18+01:00
ci: switch to actions/upload-artifact at v3

upload-artifact at v3 runs on node16, so it removes the deprecation warning:
https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
2070000a by Alejandro López at 2022-11-02T15:58:35+01:00
CACHE_REQ: Do not use timestamp optimization on "files" provider.

Avoid requesting only the latest updates when using the "files"
provider as it only updates the cache if /etc/files or /etc/group
is touched.

Added a test for this situation.

Resolves: https://github.com/SSSD/sssd/issues/6398

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
4c678cbb by Justin Stephenson at 2022-11-03T11:08:21+01:00
Analyzer: Optimize list verbose output

Modify the analyzer to parse the responder log file in one pass. This
avoids repeated parsing of a single log file. This operation will now
store log lines in a dictionary on a single pass then format and print
the output accordingly. Does not affect 'list' or 'show' output.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
214540e7 by Alejandro López at 2022-11-03T11:15:35+01:00
Cache: String has to be duplicated instead of copied

input->name.attr has to be duplicated when not NULL.
Just copying the pointer is not a good thing.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
719c9253 by Alejandro López at 2022-11-03T11:15:35+01:00
CACHE_REQ: Initialize domain with NULL

Variable domain is compared to NULL before checking sss_parse_inp_recv()'s
return value. Let's initialize it to NULL.

Warning: sss_parse_inp_recv() modifies domain's value when returning EOK
or ERR_DOMAIN_NOT_FOUND. The situation is not perfect but is better than
before.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
8f7c35ea by Alejandro López at 2022-11-03T11:15:35+01:00
CACHE_REQ: Do not return duplicated values.

For each domain, a multi-domain search is done and all the results for
each domain are returned each time. This produces several copies of the
same results.
Function cache_req_input_parsed() decides whether to launch a multi- or
single-domain search based on the domain the user requested. If the user
didn’t request a domain (such as in a call to ListByName()), a
multi-domain search is launched, even if we are only looking for the
current domain. In that case a single-domain search is enough.

Resolves: https://github.com/SSSD/sssd/issues/6360

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
a9796282 by Alejandro López at 2022-11-03T11:15:35+01:00
TESTS: Correct ListByAttr()'s test

Now that ListByName() and ListByAttr() are fixed, the test needs to
be corrected as it was explicitly avoiding that case.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
569dca5f by Alejandro López at 2022-11-03T11:15:35+01:00
CACHE_REQ: Consider the domain when looking names in the cache

Use a fully-qualified name based on the expression the user provided
when looking for names in the cache.

Resolves: https://github.com/SSSD/sssd/issues/6361

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
09895561 by Alejandro López at 2022-11-03T11:15:35+01:00
TESTS: New test for D-Bus' ListByName()

Added a test for the D-Bus function ListByName().

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
c3453e4e by Alejandro López at 2022-11-03T11:15:35+01:00
CACHE_REQ: Use a const struct in cache_req_data_create()

The structure data is not modified in the function. The const modifier
can be used.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ba5439c0 by Weblate at 2022-11-04T11:27:44+01:00
po: update translations

(Korean) currently translated at 51.0% (1331 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 50.6% (1320 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 49.9% (1302 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Polish) currently translated at 4.7% (126 of 2658 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations

(Polish) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

po: update translations

(Polish) currently translated at 1.4% (39 of 2658 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations

(Korean) currently translated at 49.2% (1283 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Ukrainian) currently translated at 100.0% (2686 of 2686 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Russian) currently translated at 100.0% (2686 of 2686 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Ukrainian) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Russian) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Ukrainian) currently translated at 99.3% (659 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Polish) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations

(Polish) currently translated at 1.4% (38 of 2662 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations

(Korean) currently translated at 46.5% (1215 of 2609 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

- - - - -
92347d98 by Shridhar Gadekar at 2022-11-04T11:28:28+01:00
Tests: GSSAPI ssh login failing due to a missing directive

Adding the missing pxssh module import

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
a22af6f0 by Pavel Březina at 2022-11-04T11:35:03+01:00
pot: update translations

- - - - -
955192b1 by Shridhar Gadekar at 2022-11-09T10:00:48+01:00
Tests: gssapi ssh login minor fix

Trivial fix, the kinit command was missing '@' after the username. It was
causing an obvious failure to fetch the krb ticket.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
dab19a4d by aborah-sudo at 2022-11-09T20:25:30+01:00
Tests: Removing tests from gating pipe line

test_bz1368467 --- this one looks more like performance than gating
test_avoid_interlocking_among_threads --- feature not supported

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
60772306 by Shridhar Gadekar at 2022-11-09T20:25:50+01:00
Tests: Use negative cache better for lookup by SIDs

Minor change, adding import of re module

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
7c907a7c by aborah-sudo at 2022-11-10T14:04:18+05:30
Tests: Removing tests from gating pipe line

test_bz1368467 --- this one looks more like performance than gating

- - - - -
419b9b8f by Dan Lavu at 2022-11-10T09:22:52-05:00
Adding Ported DynDNS Testcases

This is a merged branch of the two following PRs, 6363 and 6344, which are now closed.

6344 adds the tests, but they are unreliable.

6363 contains the following changes, rewriting the suite.
* change_hostname fixture would revert back to the hostname in /etc/hostname, updated fixture
* disabled DNS recursion, lookups were being forwarded to authoritative servers resulting in false passing tests
* removed the ipv6 address part of the del_record; it would result in passing but with the wrong thing being searched
* created a DNSAD object to search for records directly on the DNS server, stabilizing results and skipping any cache
* cleaned up the functions and code for readability

Signed-off-by: Dan Lavu <dlavu at redhat.com>

- - - - -
f24b6daa by Iker Pedrosa at 2022-11-11T10:30:19+01:00
passkey: replace erroneous description

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
28124cfb by Iker Pedrosa at 2022-11-11T10:30:19+01:00
passkey: print PEM formatted public key

When registering a key print the public key in PEM format.

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3e02de93 by Alexey Tikhonov at 2022-11-15T10:42:28+01:00
UTILS: socket connect: added missing new line and adjusted log level to a more appropriate one

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a21c6662 by Jakub Vavra at 2022-11-15T10:43:20+01:00
Tests: Add a test for bz1964121 override homedir to lowercase

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1964121
Verifies: #6210

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
25eae1c0 by Alexey Tikhonov at 2022-11-18T14:47:12+01:00
SYSDB: use `sss_strerror()` to handle `ERR_GID_DUPLICATED`

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
93ed5e58 by Alexey Tikhonov at 2022-11-18T14:48:39+01:00
UTILS: got rid of deprecated `inet_netof()` to please 'rpminspect'.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6ef3aade by Alexey Tikhonov at 2022-11-18T15:48:22+01:00
TOOLS: don't export internal helpers

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7af46ba0 by Alexey Tikhonov at 2022-11-18T15:48:22+01:00
TOOLS: fixed handling of init error

Before execution of `tool_cmd_init()` `init_err` wasn't set,
so `sss_tools_handles_init_error()` check was a no-op.

Consequently, a proper check after `tool_cmd_init()` was missing.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
99791400 by Alexey Tikhonov at 2022-11-18T15:48:22+01:00
SSSCTL: don't require 'root' for "analyze" cmd

:relnote: `sssctl analyze` tool no longer requires being run under root.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d4d9aa65 by Alexey Tikhonov at 2022-11-18T15:48:22+01:00
SSSCTL: don't require 'root' for "passkey-exec" cmd

:relnote: `sssctl passkey-exec` tool no longer requires being run under root.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a7759ab3 by Jakub Vavra at 2022-11-18T15:59:52+01:00
Tests: Add the missing admisc pytest marker.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
bce2b0c8 by Jakub Vavra at 2022-11-18T15:59:52+01:00
Tests: Wait a bit before collection log in test_0015_ad_parameters_ad_hostname_machine.

This test is unstable on other architectures (ppc64le, aarch64) and it seems that
adding a 15s wait before collecting the log gives it enough time to write it properly.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
d7e7efe9 by Jakub Vavra at 2022-11-18T15:59:52+01:00
Tests: Fix E126 in test_adparameters_ported.py

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
36e5479b by Alejandro López at 2022-11-18T16:00:24+01:00
BUILD: Fix some warnings thrown while building

Some of them are not actually needed (false positives) but this
helps to have a clean build and identify real warnings.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
285f1703 by aborah-sudo at 2022-11-18T16:00:45+01:00
Tests: fix test_bz1368467

This test was failing due to login error.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
bfa8d50c by Justin Stephenson at 2022-11-18T16:01:58+01:00
Analyzer: Ensure parsed id contains digit

In analyzer list verbose output, we parse the last field of cache_req_search_send() lines.
Certain log messages need to be filtered out by ensuring the parsed field is
a digit, such as the last line below.

[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119 at testrealm.test
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119 at testrealm.test
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119 at domain-zflo.com
[cache_req_search_send] (0x0400): [CID#1] CR #1: Returning [GID:1031401119 at domain-zflo.com] from cache

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
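The commit above describes filtering `cache_req_search_send()` log lines by checking that the parsed id field is numeric, so that lines such as the "Returning [...] from cache" one are dropped. The following is an added example written for this page, not code from the SSSD analyzer: it assumes a simplified line format modelled on the four log lines quoted in the commit message (with the archive's " at " rendered back as "@"), applies the digit check, and groups the surviving lookups per client request (CID) in a single pass. The sample log is constructed.

```python
import re
from typing import Optional

# Constructed sample log, modelled on the lines quoted in the commit message.
# The last two lines are the kind the digit check is meant to filter out.
SAMPLE_LOG = """\
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@testrealm.test
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@testrealm.test
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@domain-zflo.com
[cache_req_search_send] (0x0400): [CID#1] CR #1: Returning [GID:1031401119@domain-zflo.com] from cache
[cache_req_search_send] (0x0400): [CID#2] CR #2: Looking up name:alice@testrealm.test
"""

# Assumed line shape (hypothetical, simplified): function tag, debug level,
# client id, cache-request number, then "Looking up <kind>:<id>@<domain>".
LOOKUP_RE = re.compile(
    r"\[cache_req_search_send\] \(0x[0-9a-f]+\): "
    r"\[CID#(\d+)\] CR #(\d+): Looking up (\w+):(\S+)"
)


def parse_lookup(line: str) -> Optional[dict]:
    """Parse one 'Looking up' line.

    Returns a record only when the id portion before '@' is made of digits;
    returns None for non-matching lines (e.g. 'Returning ... from cache') and
    for lookups whose id is not numeric, which is the filter the commit adds.
    """
    m = LOOKUP_RE.search(line)
    if m is None:
        return None
    kind, target = m.group(3), m.group(4)
    ident, _, domain = target.partition("@")
    if not ident.isdigit():
        return None
    return {
        "cid": int(m.group(1)),
        "cr": int(m.group(2)),
        "kind": kind,
        "id": int(ident),
        "domain": domain,
    }


def summarize(log_text: str) -> dict:
    """Single pass over the log: group numeric lookups by CID and count the
    cache_req_search_send lines the digit check filtered out."""
    summary = {"requests": {}, "filtered": 0}
    for line in log_text.splitlines():
        if "cache_req_search_send" not in line:
            continue
        rec = parse_lookup(line)
        if rec is None:
            summary["filtered"] += 1
            continue
        summary["requests"].setdefault(rec["cid"], []).append(rec)
    return summary


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for cid, lookups in result["requests"].items():
        domains = ", ".join(r["domain"] for r in lookups)
        print(f"CID#{cid}: {len(lookups)} lookup(s) in [{domains}]")
    print(f"filtered lines: {result['filtered']}")
```

Running the block on the constructed sample reports three numeric lookups for CID#1 and two filtered lines (the "Returning" line and the non-numeric name lookup); a real analyzer would apply the same check before trusting the field as an id.

- - - - -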
790e7a77 by Steeve Goveas at 2022-11-18T18:08:51+01:00
Tests: Cannot SSH with AD user to ipa-client with invalid keytab

`krb5_validate` and `pac_check` settings conflict. Setting krb5_validate
to false skips the pac_check, enabling the login.

Verifies:
  #6355
  https://bugzilla.redhat.com/show_bug.cgi?id=2127822
  https://bugzilla.redhat.com/show_bug.cgi?id=2128902

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
14748ff9 by Jakub Vavra at 2022-11-22T18:36:33+01:00
Tests: Update fixture using adcli to handle password from stdin.

Adcli changed the handling of the password dialog for bz2124030, so
the automation needs to be updated to work properly.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2f99cd31 by Justin Stephenson at 2022-11-22T18:37:17+01:00
SSSCTL: Add debug option to help message

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ab6910ae by Iker Pedrosa at 2022-11-22T18:37:41+01:00
passkey: verify assertion

Include the assertion verification in the passkey helper process. For
that purpose, prepare the assertion request data, select the device to
use, get the device options and compare them with the organization
policy, decode the public key, request the assert and verify it.

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2b0a8f27 by Iker Pedrosa at 2022-11-22T18:37:41+01:00
passkey: public key in PEM format

It helps us obtain the cryptographic algorithm used to generate the key.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6b0d175f by Iker Pedrosa at 2022-11-22T18:37:41+01:00
passkey: input PIN via stdin

For the registration process add a new "quiet" option to suppress the
prompts and read the PIN from stdin. For the authentication process
always read the PIN from stdin.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f5c0e7b3 by Pavel Březina at 2022-11-25T13:25:11+01:00
ci: make /dev/shm writable

We build SSSD in /dev/shm, which is mounted on a read-only file system on
the new podman version. We need to mount it as tmpfs to make it writable.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ae614c17 by Pavel Březina at 2022-11-25T13:25:11+01:00
ci: install correct python development package

The package name has changed on new Ubuntu.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
336b1fac by Iker Pedrosa at 2022-11-25T13:25:39+01:00
ci: fix codeql

libsemanage1-dev was renamed to libsemanage-dev in Debian and its
derivatives.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4a6eb258 by Justin Stephenson at 2022-11-25T13:26:05+01:00
CI: Update core github actions

Update dependent actions to address:
https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fc3fad98 by Jakub Vavra at 2022-11-28T06:32:58+01:00
Tests: Fix automount OU removal from AD.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
340691fa by Cole Robinson at 2022-11-30T16:48:06+01:00
MAN: Fix option typo on sssd-kcm.8

The option is called krb5_renewable_lifetime, not krb5_renew_lifetime

Signed-off-by: Cole Robinson <crobinso at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
91789449 by Sumit Bose at 2022-11-30T16:50:53+01:00
PAC: allow to disable UPN check

Until now it was not possible to skip the UPN check, which checks whether the
UPN in the PAC and the one stored in SSSD's cache are different.
Additionally the related debug message will show both principals if they
differ.

Resolves: https://github.com/SSSD/sssd/issues/6451

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b3d7a4f6 by Sumit Bose at 2022-11-30T16:50:53+01:00
ipa: do not add guessed principal to the cache

Currently on IPA clients a calculated principal based on the user name
and the Kerberos realm is added to the cached user object. This code is
quite old and might have been necessary at times when sub-domain support
was added to SSSD. But for quite some time SSSD has been capable of
generating the principal on the fly during authentication if nothing is
stored in the cache.

Removing the code makes the cache more consistent with other use-cases,
e.g. with the IPA server where this attribute is empty, and allows
properly detecting a missing UPN, e.g. during the PAC validation.

Resolves: https://github.com/SSSD/sssd/issues/6451

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
51b11db8 by Sumit Bose at 2022-11-30T16:50:53+01:00
pac: relax default check

To avoid issues with the UPN check during PAC validation when
'ldap_user_principal' is set to a non-existing attribute to skip reading
user principals, a new 'pac_check' option, 'check_upn_allow_missing', is
added to the default options. With this option only a log message is
shown but the check will not fail.

Resolves: https://github.com/SSSD/sssd/issues/6451

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ad0a8c6a by aborah-sudo at 2022-11-30T16:53:31+01:00
Tests: fix test_sssctl_local.py::Testsssctl::test_0002_bz1599207

test_sssctl_local.py::Testsssctl::test_0002_bz1599207 is affected by
disabling the "implicit files provider"

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
e4dd11f2 by Alexey Tikhonov at 2022-12-02T15:20:40+01:00
SYSDB: pre-existence of MPG group in the cache isn't an error

Addition to 71466a8dbdb1d755ace15680cc2b4b11b68a0573

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
3f8bc872 by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add support for serial number

Read the serial number of the certificate and make it available.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
10d977a3 by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add support for subject key id

Read the subject key id from the certificate and make it available.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
9e1b711b by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add support for SID extension

Check if the SID extension is available, read the SID and make it
available.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
f293507d by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: fix for SAN URI

The URI was not added to the list of subject alternative names.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
c4085c9a by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add bin_to_hex() helper function

This patch adds a helper function to format hexadecimal strings of
binary data.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
11483f1e by Sumit Bose at 2022-12-02T15:24:14+01:00
sssctl: add cert-eval-rule sub-command

The new 'cert-eval-rule' sub-command of sssctl shows the results of the given
matching and mapping rules on a given certificate. This should help to
find suitable mapping and matching rules and to understand why a given
certificate is matched or not.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
3676a4fb by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add get_digest_list() and get_hash()

Add support to calculate hash/digest values of binary data, e.g. of a
certificate.

Resolves: https://github.com/SSSD/sssd/issues/6404

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
0a906107 by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: dump new attributes in sss_cert_dump_content()

Add the newly discovered certificate values, i.e. serial number, subject
key id and SID to the output of sss_cert_dump_content() which is used
e.g. by 'sssctl cert-show'.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
1303c624 by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add LDAPU1 mapping rules

Add mapping rule templates for the newly discovered attributes, templates
for certificate hashes and templates to select individual DN components.
To avoid issues with older versions of the library the new templates
must use the prefix LDAPU1.

:feature: New mapping template for serial number, subject key id, SID,
          certificate hashes and DN components are added to
          libsss_certmap.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
4ac53fb5 by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add tests for new attributes and LDAPU1 rules

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
882f560e by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add LDAPU1 rules to man page

This patch adds the new LDAPU1 mapping rule templates to the sss-certmap
man page.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
b0bdf712 by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: Add documentation for some internal functions

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
80690213 by Weblate at 2022-12-02T18:27:01+01:00
po: update translations

(Korean) currently translated at 63.5% (1657 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 62.6% (1633 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 62.0% (1618 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 62.0% (1618 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Georgian) currently translated at 7.8% (52 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations

(Korean) currently translated at 61.8% (1612 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

- - - - -
664a436e by Shridhar Gadekar at 2022-12-05T10:18:39+01:00
Test: gssapi test fix

minor flake8 fixes

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
8b09c938 by Alexey Tikhonov at 2022-12-05T11:22:12+01:00
Translations: add missing `tools/sssctl/sssctl_cert.c` and macros

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
714ababe by Alexey Tikhonov at 2022-12-06T16:08:00+01:00
BUILD: deprecate `--enable-files-domain` build option

:relnote:`--enable-files-domain` configure option is deprecated and
will be removed in one of the next versions of SSSD.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2fda8e7b by Tomas Halman at 2022-12-06T16:08:47+01:00
RESOLV: Configuration option for DNS search

DNS search may increase the time of name resolution significantly,
particularly when SSSD is misconfigured or the DNS server is
unreachable.

With this patch SSSD can avoid DNS search and the list
of domains from resolv.conf is ignored. To avoid DNS search in the
Kerberos library SSSD appends the dot to the server names before
they are written into the KDC info file.

:relnote: SSSD can be configured not to perform a DNS search
during DNS name resolution. This behavior is governed by the
new dns_resolver_use_search_list. This parameter can
be used in the domain section. Default value is true - that
means that SSSD follows the system settings.

Resolves: https://github.com/SSSD/sssd/issues/5390

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
aac303e8 by Sumit Bose at 2022-12-09T13:22:09+01:00
p11: fix size of argument array

Currently 19 options can be set for p11_child and with a NULL at the end
the array must have 20 elements.

Resolves: https://github.com/SSSD/sssd/issues/6479

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
34d55884 by Alejandro López at 2022-12-09T13:22:39+01:00
BACKEND: Reload resolv.conf after initialization

Once the backend initialization is finished, in particular after D-Bus
is initialized, reload the resolv.conf file to retrieve any change
signaled through D-Bus before its initialization.

Resolves: https://github.com/SSSD/sssd/issues/6383

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
81eb0606 by Madhuri Upadhye at 2022-12-09T13:23:51+01:00
Tests: Minor fixes for alltests

Enable files domain.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
4a658e6c by aborah-sudo at 2022-12-09T13:24:19+01:00
Tests: port proxy_provider/rfc2307bis

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.6/client/proxy_provider/rfc2307bis

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7c5dd878 by Weblate at 2022-12-09T13:25:51+01:00
po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations

(Japanese) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations

(French) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

- - - - -
c6053c43 by Pavel Březina at 2022-12-09T13:35:31+01:00
pot: update pot files

- - - - -
153b1c91 by Jakub Vavra at 2022-12-15T20:02:03+01:00
Tests: Add mark tier1_4 so pytest is not throwing warnings.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
f43d8c9a by Pavel Březina at 2022-12-15T21:13:31+01:00
ci: increase timeout for covscan

Covscan task recently started taking more than six hours to finish.
Six hours is the default timeout and maximum limit for a github-hosted
runner but we can increase it for a self-hosted runner.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
24a53663 by Shridhar Gadekar at 2022-12-15T21:15:21+01:00
Tests: port bash idmap testcase to pytest

Adding return messages and backup/restore of sssd

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
7e8b97c1 by Pavel Březina at 2022-12-16T12:10:55+01:00
ldap: update shadow last change in sysdb as well

Otherwise pam can use the changed information when id caching is
enabled, so the next authentication that fits into the id timeout
(5 seconds by default) will still see the password as expired.

Resolves: https://github.com/SSSD/sssd/issues/6477

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ddd85f95 by Shridhar Gadekar at 2022-12-20T13:15:52+01:00
Tests: change tier of dyndns tests

dropping dyndns from gating, till tests are
stable

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
02bdef7d by MCJ Vasseur at 2022-12-20T17:57:09+01:00
Fix typo (pasword -> password)

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
2fa80dbd by Shridhar Gadekar at 2022-12-23T14:25:10+05:30
Dropping idmap

Test is unstable, moving out of gating for
further investigation

- - - - -
08784536 by Tomas Halman at 2022-12-23T11:49:18+01:00
cfg_rules.ini update

The option kr5_realm was listed twice. The option krb5_kdcinfo_lookahead
was missing.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
c4ea2851 by Jakub Vavra at 2022-12-23T11:53:12+01:00
Tests: Move some less important scenarios from tier 1 to tier 2.

Skip test_0015_ad_parameters_ad_hostname_machine on multiarch
as it is unstable there.
Move test_0002_improved_use_negative_sid_for_sid_lookup to tier 2
as it is unstable so it does not block gating.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
42842c16 by Shridhar Gadekar at 2023-01-05T13:30:47+01:00
TESTS: bz2110091 sssd starting offline after reboot

changing tier. logs and cache are cleared.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
0da99b73 by Alejandro López at 2023-01-05T13:31:34+01:00
SDAP: Fixed header file

The sdap_access.h header file was not including the sdap_id_op.h
header file it depends on.
Build worked because sdap_id_op.h happened to be always included before
sdap_access.h.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
11dab864 by Alejandro López at 2023-01-05T13:31:34+01:00
PAM: Localize some forgotten words.

The units (days, hours, minutes) were not localized although they were
used in a localized sentence.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
475052a2 by Alejandro López at 2023-01-05T13:31:34+01:00
LDAP: Moved and renamed set_access_rules()

Function set_access_rules() was renamed to sdap_set_access_rules(),
moved from ldap_init.c to sdap_access.c and made public.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ae74a9d1 by Alejandro López at 2023-01-05T13:31:34+01:00
IPA: Add password expiration warning when using ssh keys

When using IPA as access provider, it now reads the ipa_access_order
parameters from the configuration and, among others, it can process
the pwd_expire_policy_warn.

The accepted values for ipa_access_order are:
- expire (default)
- pwd_expire_policy_reject
- pwd_expire_policy_warn
- pwd_expire_policy_renew

There is no ipa_pwd_policy parameter. Internally it is forced to the only
accepted value: mit-kerberos.

Resolves: https://github.com/SSSD/sssd/issues/5080

:config: ipa_access_order parameter introduced. It behaves much like
ldap_access_order but affecting IPA domains (id_provider = ipa) and
accepting limited values. Please see sssd-ipa(5) for more information.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
be84d6ee by Alejandro López at 2023-01-05T13:31:34+01:00
PAM: Warn that the password has expired when using ssh keys

When using ssh keys and the LDAP_ACCESS_EXPIRE_POLICY_WARN flag,
the user is notified if the password is about to expire, but
nothing was said if the password had already expired.
This patch introduces a message when the password has expired.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ede02a20 by Alejandro López at 2023-01-05T13:31:34+01:00
MAN: Cosmetic changes to sssd-ldap.5

Three values of ldap_access_order are presented as an itemized list.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
cfd71fec by Alejandro López at 2023-01-05T13:45:09+01:00
MONITOR: Move the file monitoring code to util.

Everything still works as before, but now the code used in sssd to
monitor resolv.conf is moved to a separate file (util/file_watch.c)
and everything is more loosely coupled.

This is in preparation to move the monitoring to the backends.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
d4e57447 by Alejandro López at 2023-01-05T13:45:09+01:00
TESTS: Add a test for file-watch

New tests using the file watching feature with both inotify and
polling.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
e1c0af26 by Alejandro López at 2023-01-05T13:45:09+01:00
MAN PAGES: Make try_inotify dependent on HAVE_INOTIFY.

When HAVE_INOTIFY is not defined (inotify not present), the description
of try_inotify in the sssd.conf.5 man page will only tell that this is not
used in systems without inotify.

If HAVE_INOTIFY is defined, the full description is provided.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
fadd8eb6 by Alejandro López at 2023-01-05T13:45:09+01:00
BACKEND: Move resolv.conf watching to the backends

Moved from the monitor, which no longer reads the file nor
notifies the backends that they must read it.

The file is now monitored by the backends and read immediately
after they start watching it.

Resolves: https://github.com/SSSD/sssd/issues/6383

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
2e3fa180 by Alejandro López at 2023-01-05T13:45:09+01:00
D-BUS: Remove resInit() method from sssd.services

This method was used by the monitor to tell the backends to reload
/etc/resolv.conf when it detected a change in the file. It is no longer
used as the backends now watch resolv.conf by themselves.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
c97d9275 by Alejandro López at 2023-01-05T13:45:09+01:00
FILE WATCH: Get rid of parent_ctx

parent_ctx pointed to the memory context to use for the timers.
It pointed to the file_watch_ctx which contained it, so better use
the file_watch_ctx and avoid having an extra field, and having to
pass the memory context as a parameter.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
729c1fc2 by Alejandro López at 2023-01-05T13:45:09+01:00
FILE WATCH: Simplify watching on missing files.

This code is needlessly repeated in fw_watch_file() and missing_file(),
and it's enough to simply call missing_file(). But since now this
function is used even before knowing whether the file exists, it is
better to rename it to set_file_watching().

A side effect of this is that watch_file() (which ends up calling
inotify_add_watch()) returns EOK even when the file is missing,
and thus the callback is invoked once. Considering that the flag
IN_CREATE was always passed to inotify_add_watch(), I think this
could have been hidden by the old code.

Polling for the file creation is no longer used when inotify is used.
But because it is still required when inotify fails to initialize (not
installed) or use_inotify is set to false, this code cannot be removed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
29326450 by Alexey Tikhonov at 2023-01-06T20:15:51+01:00
SBUS: don't call `dbus_server_get_address(NULL)`

Resolves: https://github.com/SSSD/sssd/issues/6465

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
76c7fa46 by aborah at 2023-01-13T08:59:18+01:00
Tests: make corresponding tests capture SSSD logs

To capture sssd logs in IDM-CI in case of sssd test failure.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
8cda19e2 by Shridhar Gadekar at 2023-01-13T08:59:47+01:00
Tests: bz2128840 automation

minor indentation fix

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
2bd0c249 by Sargun Narula at 2023-01-13T09:00:14+01:00
Tests: Ported Bash-krb-access-provider to pytest

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
a5176f4d by aborah at 2023-01-13T09:00:37+01:00
Tests: SSSD: `sssctl analyze` command shouldn't require 'root' privileges

`sssctl analyze` command shouldn't require 'root' privileges when run with `--logdir`
pointing to otherwise accessible files.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
067c550c by Jakub Vavra at 2023-01-13T09:00:55+01:00
Tests: Test for bz2144491 UPN mismatch

UPN check cannot be disabled explicitly but requires krb5_validate = false as a work-around.
Bugzilla:
 - https://bugzilla.redhat.com/show_bug.cgi?id=2148737
 - https://bugzilla.redhat.com/show_bug.cgi?id=2144491
 - https://bugzilla.redhat.com/show_bug.cgi?id=2148989
 - https://bugzilla.redhat.com/show_bug.cgi?id=2148988

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4e600d9b by Alexey Tikhonov at 2023-01-13T18:20:54+01:00
Added a number of missing new lines.

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
723872f3 by Iker Pedrosa at 2023-01-14T00:35:01+01:00
CI: remove flake8 action

When a new issue is found, the action is unable to report it properly in
the PR and it fails.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b631c317 by Alexey Tikhonov at 2023-01-16T13:08:48+01:00
MAN: mention `attributes` in 'see also'

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
08ccd23f by Alexey Tikhonov at 2023-01-16T13:09:26+01:00
SSS_CLIENT: delete key in lib destructor

pthread_key_delete() disables thread at-exit destructors.
Otherwise an attempt to execute already unloaded `sss_at_thread_exit()`
would trigger segfault.

This doesn't solve an issue with leaking on `dlclose()` FDs initialized in
multiple threads, but better than crash.

Resolves: https://github.com/SSSD/sssd/issues/6505

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
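
An added example (not SSSD's code) of the behaviour this commit relies on: once pthread_key_delete() has run, a thread that still holds a value for the key exits without its destructor being called, which is why a library's own destructor should delete the key before the library is unmapped. The names lib_init, lib_fini, cli_key and destructor_runs are hypothetical stand-ins for the library's internals.

```c
#include <pthread.h>
#include <stdatomic.h>

/* Counts how often the thread-exit destructor actually ran. */
static atomic_int destructor_calls = 0;

/* Hypothetical library state: the per-thread key and whether it exists. */
static pthread_key_t cli_key;
static int key_created = 0;

/* Stand-in for the library's at-thread-exit hook. If the library had been
 * dlclose()d before a thread exits, calling into this code would segfault. */
static void at_thread_exit(void *value)
{
    (void)value;
    atomic_fetch_add(&destructor_calls, 1);
}

static int lib_init(void)
{
    if (!key_created) {
        if (pthread_key_create(&cli_key, at_thread_exit) != 0) {
            return -1;
        }
        key_created = 1;
    }
    return 0;
}

/* What a shared library's destructor should do: deleting the key disables
 * the at-exit destructors for every thread that still holds a value. */
__attribute__((destructor)) static void lib_fini(void)
{
    if (key_created) {
        pthread_key_delete(cli_key);
        key_created = 0;
    }
}

static void *worker(void *arg)
{
    int delete_key_first = *(int *)arg;
    static int dummy;

    pthread_setspecific(cli_key, &dummy);   /* this thread now owns a value */
    if (delete_key_first) {
        lib_fini();   /* simulates the library being unloaded while alive */
    }
    return NULL;      /* thread exit: destructor runs only if the key exists */
}

/* Runs one worker thread and reports how many times the destructor ran:
 * 1 when the key survives until thread exit, 0 when it was deleted first. */
int destructor_runs(int delete_key_first)
{
    pthread_t tid;

    atomic_store(&destructor_calls, 0);
    if (lib_init() != 0) {
        return -1;
    }
    if (pthread_create(&tid, NULL, worker, &delete_key_first) != 0) {
        return -1;
    }
    pthread_join(tid, NULL);
    lib_fini();   /* no-op if the worker already deleted the key */
    return atomic_load(&destructor_calls);
}
```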

- - - - -
927fa843 by Iker Pedrosa at 2023-01-17T12:59:38+01:00
passkey: register discoverable credentials

Apart from server-side credentials passkey should also register
discoverable credentials. Thus, a new argument has been added to select
the credential type. Moreover, the user id is also printed. Example:
passkey:credentialId,pemPublicKey,userId

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
62654e25 by Iker Pedrosa at 2023-01-17T12:59:38+01:00
passkey: user id for discoverable credentials

If the credential is discoverable, then print the user id.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bd02f637 by Iker Pedrosa at 2023-01-17T12:59:38+01:00
passkey: fix uninitialized variable

616 in authenticate()
610             goto done;
611         }
612
613         ret = FIDO_OK;
614
615     done:
>>>     CID 377752:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "pk_data.type" when calling "reset_public_key".
616         reset_public_key(&pk_data);
617         if (dev != NULL) {
618             fido_dev_close(dev);
619         }
620         fido_dev_free(&dev);
621         fido_assert_free(&assert);
622         fido_dev_info_free(&dev_list, dev_list_len);
623
624         return ret;

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7caf2da3 by Dan Lavu at 2023-01-17T11:17:12-05:00
Fixing dyndns tests

The server may not update DNS right away, updated the function to
perform a lookup up to 5 minutes, otherwise the test will have failed.

Signed-off-by: Dan Lavu <dlavu at redhat.com>

- - - - -
4e9c2fdb by Shridhar Gadekar at 2023-01-19T12:09:05+01:00
TESTS: clean up group delete fix

from correct 'ou' group object deletion fix

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
5021d239 by aborah at 2023-01-19T12:09:34+01:00
Tests: Fix minor error in root privilege test

mkdir: cannot create directory ‘/tmp/sssd’: File exists

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
718afc29 by Florence Blanc-Renaud at 2023-01-26T12:54:47+01:00
Passkey: flush stdout

IPA command "ipa user-add-passkey --register" reads the output
of passkey_child line by line in order to re-print the useful
messages and extract the generated passkey.
Flush stdout so that ipa gets the messages without delay.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
501e05f4 by Alexey Tikhonov at 2023-01-26T12:55:06+01:00
BUILD: remove `--enable-files-domain` build option

:relnote:Previously deprecated `--enable-files-domain` configure option
was removed.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6b048a6a by Alexey Tikhonov at 2023-01-26T12:55:06+01:00
INTG TESTS: make `get_call_output()` respect `check` arg for Python < 3.7

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
708a924a by Jakub Vavra at 2023-02-01T14:20:55+01:00
Tests: Changes to the version handling and fixture create_testdir.

Function package_mgmt was not handling RHEL 9 properly.
service_sssd was doing exactly nothing on RHEL 9.
Fixture create_testdir was needlessly iterating lists via indexes
and duplicating code.
Removed some useless elses after return.
Fixed import order.
Switched to f-strings.
Disabled some pylint warnings.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
32a8b953 by Jakub Vavra at 2023-02-01T14:20:55+01:00
Tests: Optimize winhost properties

QeWinHost class had properties that were repeatedly calling command line commands.
This was slow, inefficient and created mess in the test logs.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
7a68ed1f by aborah at 2023-02-02T11:50:22+01:00
Tests: Fix ipa tests wrong ipa_client_ip

Fix ipa tests wrong ipa_client_ip

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
d249154c by Shridhar Gadekar at 2023-02-02T11:53:34+01:00
Test: porting of failing rfc2307bis testcase

change to tier1_4

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
c0b394ab by Pavel Březina at 2023-02-02T12:02:34+01:00
sudo: skip smart refresh if it happens inside full refresh

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fc4f0399 by Jakub Vavra at 2023-02-02T14:40:11+01:00
Tests: Fix incorrect distro parsing in qe_class on Fedora.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
13d420ca by aborah at 2023-02-09T07:19:54+01:00
Tests: Fix test test_0017_filesldap

Logs string has changed.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
4138b0a7 by Justin Stephenson at 2023-02-09T13:11:10+01:00
MAN: ldap_group_name enhancement with nested groups

Resolves: https://github.com/SSSD/sssd/issues/6544

Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fe67123c by Alejandro López at 2023-02-09T13:11:34+01:00
CONFIG-CHECK: Extracted code checking 'inherit_from'

Extracted the code checking that 'inherit_from' is not present in a
domain section from custom_sssd_checks() to its own function named
check_domain_inherit_from().

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
1911ad64 by Alejandro López at 2023-02-09T13:11:34+01:00
CONFIG-CHECK: Function always returns EOK

The function custom_sssd_checks() ignored the error codes and always
returned EOK. Now it returns the corresponding error code.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
255d9f6e by Alejandro López at 2023-02-09T13:11:34+01:00
CHECK-CONFIG: id_provider is now mandatory

For domains, the presence of 'id_provider' was accepted but no other
check was done. In particular, this option is mandatory and has a
limited set of accepted values. These changes introduce those checks.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f604d033 by Alejandro López at 2023-02-09T13:11:34+01:00
TESTS: Test mandatory id_provider

Adapted the existing tests for the mandatory 'id_provider' and
created a test for the case when 'id_provider' is missing.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f283248f by Alejandro López at 2023-02-09T13:11:34+01:00
CONFIG-CHECK: inherit_from is not a typo

The error message asked the user if introducing `inherit_from`
in a domain was a typo. This is an error but not a typo.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
53c8e8f0 by Dan Lavu at 2023-02-13T12:54:46+01:00
Removing unnecessary restart

This allows us to do minimal changes to run existing tests, not as
the root user. Testing the non root feature of SSSD. Adding an
ansible play that creates a stub configuration file in /etc/sssd/conf.d/
i.e. /etc/sssd/conf.d/nonroot.conf containing

[sssd]
user = sssd

This sssd restart happens before SSSD is configured and when it contains
the stub file, it is an invalid configuration.

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
3dfc82a0 by aborah at 2023-02-13T12:56:17+01:00
Tests: Fix subidranges test

Add removal of maps.sh and unshare.pid

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
6ffd46d1 by Alexey Tikhonov at 2023-02-13T12:57:05+01:00
MAN: remove "experimental" notice from LDAP access control based on NDS attributes.

It's there since 37e7e93f1996cf50677cf59fd8af6938dd5d85b2,
clearly not "experimental" anymore.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
aa5c0c9c by Alexey Tikhonov at 2023-02-13T12:57:05+01:00
BUILD: remove long time unused '--enable-all-experimental-features'

It hasn't been used since b2f9e5b7d553172401a340eb4a9c3abda6b5db43

:relnote: Long time unused '--enable-all-experimental-features'
configure option was removed.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0b8638d8 by Alexey Tikhonov at 2023-02-13T12:57:27+01:00
SSS_CLIENT: fix error codes returned by common read/write/check helpers.

It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)`
error condition is detected, regular `POLLIN/POLLOUT` won't be set.
Error code set by error condition should have a priority. This enables
users of this helper to retry attempt (as designed).

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ef93284b by Alexey Tikhonov at 2023-02-13T12:57:27+01:00
SSS_CLIENT: if poll() returns POLLNVAL then socket is already closed (or wasn't open) so it shouldn't be closed again. Otherwise there is a risk to close "foreign" socket opened in another thread.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
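
An added example (not SSSD's code) of the two rules from this commit and the previous one, 0b8638d8: error conditions reported by poll() take priority over POLLIN/POLLOUT so the caller can retry, and POLLNVAL means the descriptor is not open and must not be closed again. The helper wait_ready and the demo_* functions are hypothetical; the socketpair they use is constructed locally.

```c
#include <errno.h>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>

/* Wait until *fd is ready for `events` (POLLIN or POLLOUT).
 * Returns 0 when ready, ETIMEDOUT on timeout, EPIPE when poll() flags
 * POLLERR/POLLHUP (the fd is closed and *fd set to -1 so the caller can
 * reconnect and retry), and EBADF on POLLNVAL: the descriptor is not open,
 * so it is NOT closed here, because by now the same number may already
 * belong to a socket opened by another thread. */
int wait_ready(int *fd, short events, int timeout_ms)
{
    struct pollfd pfd = { .fd = *fd, .events = events, .revents = 0 };
    int rc;

    do {
        rc = poll(&pfd, 1, timeout_ms);
    } while (rc < 0 && errno == EINTR);

    if (rc < 0) {
        return errno;
    }
    if (rc == 0) {
        return ETIMEDOUT;
    }

    /* Error conditions are tested before the readiness bits: when the peer
     * hangs up, Linux reports POLLIN together with POLLHUP, and checking
     * POLLIN first would make the caller read EOF instead of retrying. */
    if (pfd.revents & POLLNVAL) {
        return EBADF;
    }
    if (pfd.revents & (POLLERR | POLLHUP)) {
        close(*fd);
        *fd = -1;
        return EPIPE;
    }
    if (pfd.revents & events) {
        return 0;
    }
    return EAGAIN;   /* woke up without the requested event: caller retries */
}

/* Peer wrote a byte: plain readiness. Expected 0. */
int demo_ready(void)
{
    int sv[2], rc;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (write(sv[1], "x", 1) != 1) return -1;
    rc = wait_ready(&sv[0], POLLIN, 100);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

/* Peer closed its end: POLLHUP wins over the POLLIN that accompanies it.
 * Expected EPIPE, with our end closed and reset to -1. */
int demo_peer_closed(void)
{
    int sv[2], rc;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    close(sv[1]);
    rc = wait_ready(&sv[0], POLLIN, 100);
    return (rc == EPIPE && sv[0] == -1) ? rc : -2;
}

/* Our descriptor was already closed (e.g. by pam_end() in another thread):
 * POLLNVAL. Expected EBADF, and the stale number must not be closed again. */
int demo_already_closed(void)
{
    int sv[2], fd, rc;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    fd = sv[0];
    close(sv[0]);
    rc = wait_ready(&fd, POLLIN, 100);
    close(sv[1]);
    return (rc == EBADF && fd == sv[0]) ? rc : -2;
}
```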

- - - - -
bf3f73ea by Alexey Tikhonov at 2023-02-13T12:57:27+01:00
PAM_SSS: close(sss_cli_sd) should also be protected with mutex. Otherwise a thread calling pam_end() can close socket mid pam transaction in another thread.

Bug only manifested on platforms where "lockfree client"
feature wasn't built.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7fb89ab0 by Sumit Bose at 2023-02-13T12:58:31+01:00
passkey: do not copy more than received

Since buf is not initialized to 0, talloc_strdup() might actually copy
more data than was received.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4e654005 by Alexey Tikhonov at 2023-02-15T15:41:03+01:00
PAM: removed outdated comment

Comment wasn't relevant since 5dccf76aff8ac5b4adf000c8b701a7a9fae506c2

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
c55bb397 by Alexey Tikhonov at 2023-02-15T15:41:03+01:00
Use `is_files_provider()` helper where possible.

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
8e75bb61 by Alexey Tikhonov at 2023-02-15T15:41:03+01:00
RESPONDERS: get rid of `NEED_CHECK_PROVIDER` helper

Since implementation of "local" provider was removed, the only
provider that doesn't need to "check provider" is "files provider".

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
6ba0187e by Sumit Bose at 2023-02-17T15:01:40+01:00
certmap: fix to handle ediPartyName

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ced32c44 by Sumit Bose at 2023-02-17T15:01:40+01:00
certmap: Handle type change of x400Address

Due to CVE-2023-0286 the type of the x400Address member of the
GENERAL_NAME struct was changed from ASN1_TYPE to ASN1_STRING. The
following patch tries to make sure that the x400Address can be extracted
from the certificate in either case.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
d4f7ed69 by Alexey Tikhonov at 2023-02-17T15:02:26+01:00
MONITOR: fix `socket_activated` flag initialization

When socket activated service connects for the first time, it is added to
`mt_ctx->svc_list` by `socket_activated_service_not_found()` with a proper
`socket_activated = true`.
But when it reconnects again, `get_service_in_the_list()` finds it in
`mt_ctx->svc_list` and overwrites `socket_activated = false` unconditionally.
This patch moves `socket_activated = false` to `start_service()`.

Resolves: https://github.com/SSSD/sssd/issues/6324

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
59d2f945 by Pavel Březina at 2023-02-17T15:03:26+01:00
fix missing new line in sss_iface.c and docstrings.rst

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f44e5864 by Pavel Březina at 2023-02-17T15:04:28+01:00
tests: fix all flake8 issues

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
61f1b893 by Sargun Narula at 2023-02-23T09:20:04+01:00
Tests: Ported Bash-krb-fast-principal to pytest

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
66687d8c by aborah at 2023-02-23T09:20:37+01:00
Tests: Port bz785908 and bz785898

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL8.8/client/ldap_provider/ldap_id_ldap_auth/bugzilla-automation.sh#L424
https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL8.8/client/ldap_provider/ldap_id_ldap_auth/bugzilla-automation.sh#L300

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
173d0867 by aborah at 2023-02-23T09:21:04+01:00
Tests: Port Thread issue can cause the application to not get any identity information bz847043

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL9.2/client/ldap_provider/ldap_id_ldap_auth/bugzilla-automation.sh#L774

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
a75557b7 by Shridhar Gadekar at 2023-02-23T09:23:27+01:00
Test: porting bash range_retrieval to pytest

removing unused import

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
bd803bf6 by Pavel Březina at 2023-02-23T15:28:01+01:00
nssidmap: add getsidbyusername and getsidbygroupname

:feature: NSS IDMAP has two new methods: `getsidbyusername` and
  `getsidbygroupname`

Resolves: https://github.com/SSSD/sssd/issues/6565

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9f8e7115 by Alexey Tikhonov at 2023-02-28T21:47:32+01:00
MAN: describe security risk of `cache_credentials`

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2ce24d38 by Alexey Tikhonov at 2023-02-28T21:54:35+01:00
UTILS: missing domain in `sss_parse_name()` input isn't SSSDBG_CONF_SETTINGS

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
f5787878 by Alexey Tikhonov at 2023-02-28T21:54:35+01:00
NSS: empty result of `..._group_by_origgid()` isn't an error

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
e5fba8f9 by Alexey Tikhonov at 2023-02-28T22:05:43+01:00
TESTS: fix compilation issue with musl libc

Resolves: https://github.com/SSSD/sssd/issues/6487

Reviewed-by: Andre Boscatto <aboscatt at redhat.com>

- - - - -
97c671e4 by aborah at 2023-03-02T13:41:47+01:00
Tests: Port automount bash tests to pytest

https://gitlab.cee.redhat.com/aborah/sssd-qe/-/tree/RHEL8.7/client/ldap_provider/automount

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
97e040f9 by Jakub Vavra at 2023-03-03T12:51:04+01:00
Tests: Set cryptopolicy for master for AD fips tests.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
61d6030b by Sargun Narula at 2023-03-03T12:51:34+01:00
Added entry for krb_access_provider in readme.rst

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
fb5a300b by Justin Stephenson at 2023-03-03T12:52:04+01:00
passkey: Add configuration options

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fbbe9ba3 by Justin Stephenson at 2023-03-03T12:52:04+01:00
authtok: Add Passkey type

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
57152761 by Justin Stephenson at 2023-03-03T12:52:04+01:00
Add new option ldap_user_passkey

Retrieve user passkey mapping data from the below LDAP attributes:

IPA: ipaPasskey
AD: altSecurityIdentities
LDAP: passkey

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3f24aa71 by Justin Stephenson at 2023-03-03T12:52:04+01:00
Extend IPA config search

Allow providing a custom search filter and search base, enabling this API to also
retrieve passkey configuration objects.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ec677493 by Justin Stephenson at 2023-03-03T12:52:05+01:00
Add DNS Domain name to struct sss_domain_info

dns_name string will be populated for IPA and AD domains

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ea9bcab6 by Justin Stephenson at 2023-03-03T12:52:05+01:00
IPA Retrieve passkey configuration

Retrieve the require user verification value (on/off/default) from
the IPA passkey configuration.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b92ff263 by Justin Stephenson at 2023-03-03T12:52:05+01:00
PAM: Call the passkey helper binary

When passkey auth is enabled, call the passkey child to interact
with the passkey device.

Resolves: https://github.com/SSSD/sssd/issues/6558

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7f8fe399 by Justin Stephenson at 2023-03-03T12:52:05+01:00
Support Passkey prompting config

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
64f98463 by Justin Stephenson at 2023-03-03T12:52:05+01:00
Tests: Passkey (Pre)auth

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
938676a3 by Justin Stephenson at 2023-03-03T12:52:05+01:00
Tests: Passkey prompting config

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
64aa2672 by Justin Stephenson at 2023-03-03T12:52:05+01:00
PAM: Add destructor for passkey pin

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5a22aefb by Justin Stephenson at 2023-03-03T12:52:05+01:00
PAM: Covscan NULL check for cache req result domain

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7356881c by Alexey Tikhonov at 2023-03-07T20:49:52+01:00
SDAP: removed leftovers after 65bd6bf05d75c843e525f8bf89e9b75b02a2bfb7

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a9bc94f0 by Alexey Tikhonov at 2023-03-07T20:50:17+01:00
INTG-TESTS: add missing files to Makefile.am

Resolves: https://github.com/SSSD/sssd/issues/6588

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5c83deb5 by bluikko at 2023-03-07T20:50:47+01:00
src/util/domain_info_utils.c: fix typo

Typo in libdefaults typed as kibdefaults.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Andre Boscatto <aboscatt at redhat.com>

- - - - -
47f82a41 by Gioele Barabucci at 2023-03-07T20:51:17+01:00
Makefile: Install dbus policy in /usr, not /etc

From <https://bugs.debian.org/1006631>:

> dbus supports policy files in both `/usr/share/dbus-1/system.d` and
> `/etc/dbus-1/systemd`. [The] recently released dbus 1.14.0, officially
> deprecates installing packages' default policies into `/etc/dbus-1/systemd`,
> instead reserving it for the sysadmin. This is the same idea as the
> difference between `/usr/lib/udev/rules.d` and `/etc/udev/rules.d`.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
067cc5cc by Alexey Tikhonov at 2023-03-07T20:51:49+01:00
BUILD: make "files provider" build configurable

:relnote: "Files provider" (i.e. `id_provider = files`) is deprecated and
might be removed in further releases. Those who are interested in keeping
it for a while should configure its build explicitly using the
`--with-files-provider` ./configure option. Or consider using "Proxy
provider" with "proxy_lib_name = files" instead.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
978ef179 by Alexey Tikhonov at 2023-03-07T20:51:49+01:00
UTILS: force inline `is_files_provider()`

This hopefully will ensure that compiler optimizer will remove unused
code that depends on `if (is_files_provider())` branch in case files
provider isn't built.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c53390a8 by Alexey Tikhonov at 2023-03-07T20:51:49+01:00
DP: warn loudly if config uses 'files' when support wasn't built

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8962eaca by Alexey Tikhonov at 2023-03-07T20:51:49+01:00
INTG-TESTS: enable '--with-files-provider'

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e623fac7 by Timotej Lazar at 2023-03-09T11:25:21+01:00
tests: use echo instead of /bin/echo in Makefile

The binary might be somewhere else or not available at all during build.
No special features are needed so the shell builtin is enough.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9fd8da28 by Sargun Narula at 2023-03-09T11:25:59+01:00
Fixed domainname value in krb_ldap_connection

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
34f1c222 by SargunNarula at 2023-03-09T11:25:59+01:00
Reused sssdTools Instance

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
30daa0cc by Iker Pedrosa at 2023-03-09T11:27:30+01:00
spec: update to include passkey

Update the spec file to include the passkey feature. Made it
configurable so that it can be disabled, added the dependencies and the
passkey subpackage, and also include the passkey_child.

:feature: New passkey functionality, which will allow to use FIDO2
          compliant devices to authenticate a centrally managed user
          locally. Moreover, in the case of a FreeIPA user, it will also
          issue a Kerberos ticket automatically.
:packaging: Include passkey subpackage and dependency for libfido2.
:config: New options to enable and tune passkey behaviour:
         'pam_passkey_auth', 'passkey_verification',
         'passkey_child_timeout', 'interactive', 'interactive_prompt',
         'touch' and 'touch_prompt'.

Resolves: https://github.com/SSSD/sssd/issues/6228
Relates: https://github.com/SSSD/sssd/issues/6551

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
712377ea by Pavel Březina at 2023-03-09T11:28:34+01:00
tests: add system tests using pytest-mh framework

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
9145544f by Jakub Vavra at 2023-03-10T09:28:16+01:00
Tests: Add a remedy for a missing multihost_dir.

Move the create_testdir fixture to fixtures.py and make sure that it is used.
Extend it to create testdir and env.sh also on windows machines.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
50a3a191 by Justin Stephenson at 2023-03-10T09:29:17+01:00
Passkey: Use correct User verification comparison

IPA require user verification configuration value changed from
"on, off, omit" to a boolean value of "True" or "False".

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1c55f0d4 by Jakub Vavra at 2023-03-13T10:40:18+01:00
Tests: Refactor join ad.

Refactored pieces for joining and leaving AD to reuse more code.
Changed realm join to use DC instead of realm to mitigate machines on different
networks that break auto-discovery.
Lock resolv.conf so it is not broken by cloud-init after machine reboot.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
80d28bab by Jakub Vavra at 2023-03-13T12:59:58+01:00
Tests: Make sure that session_multihost.ad is always available.

We need it to be defined at least as an empty list so we do not get an
AttributeError when we try to iterate over it.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
cc0545b4 by aborah at 2023-03-22T10:20:11+01:00
Tests: Port Bash Password Policy to pytest

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL8.7/client/ldap_provider/ldap_id_ldap_auth/password_policy.sh

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
96a0e9fb by David Härdeman at 2023-03-23T10:36:56+01:00
LDAP: Handle MIT LDAP KDB password expiry

Currently SSSD only treats a missing krbPasswordExpiration attribute as
an indication that a given password never expires (which is how the
FreeIPA KDB plugin handles the expiry). The MIT implementation, however,
treats *either* a missing attribute *or* a zero attribute as meaning that
the password doesn't expire.

$ kadmin getprinc bob
Principal: bob at EXAMPLE.COM
...
Password expiration date: [never]
...
$ ldapsearch -Z -x -LLL "(uid=bob)" | grep krbPasswordExpiration
krbPasswordExpiration: 19700101000000Z

Note that 19700101000000Z == (time_t)0

Resolves: https://github.com/SSSD/sssd/issues/6612

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ce81f017 by Pavel Březina at 2023-03-23T10:37:21+01:00
tests: include requirements.txt in system tests documentation requirements

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
df7a5c33 by Pavel Březina at 2023-03-23T10:37:21+01:00
tests: build system tests documentation in readthedocs

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
42594c37 by HelloCarry at 2023-03-23T10:37:57+01:00
fix sysvol_gpt_version may be used uninitialized

Resolves: https://github.com/SSSD/sssd/issues/6610

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9aece27d by Dan Lavu at 2023-03-23T10:38:21+01:00
Adding ptr zone creation to class setup

The AD server may be provisioned onto a different subnet than the client,
so a fixture is added to add both the AD server and client PTR zones to DNS.

In addition, cleaned up the find_a and find_ptr functions to remove
false positives.

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
92d1b469 by Iker Pedrosa at 2023-03-23T11:16:07+01:00
passkey: move select authenticator

Move select authenticator logic to its own function.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bccdc2af by Iker Pedrosa at 2023-03-23T11:16:07+01:00
passkey: obtain assertion data

New action to obtain the assertion data. For that purpose, prepare the
assertion request data, select the device to use, select the
authenticator, get the device options and compare them with the
organization policy, request the assert, get the authenticator data, get
the signature and print all this information.

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f77ec4f5 by Iker Pedrosa at 2023-03-23T11:16:07+01:00
passkey: verify assertion data

New action to verify the assertion data. To this end, prepare the
assertion data, including the authenticator data and the signature;
decode the public key and verify the assertion.

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8218634d by Iker Pedrosa at 2023-03-23T11:16:07+01:00
passkey: replace printf by PRINT

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c6db359f by aborah at 2023-03-27T10:20:41+02:00
Tests: Fix restore work for ipa test

Fix restore work for ipa test

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
b3c681a7 by aborah at 2023-03-27T10:21:14+02:00
Tests: Port bash inmemory_cache test suite to pytest

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.7/client/ldap_provider/inmemory_cache

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
132fb401 by Alexey Tikhonov at 2023-03-27T12:43:48+02:00
Deprecate 'sss_simpleifp' library.

:relnote: 'sss_simpleifp' library is deprecated and might be
removed in further releases. Those who are interested in keeping
it for a while should configure its build explicitly using the
`--with-libsifp` ./configure option.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c586b9a2 by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
RESPONDERS: delete obsolete 'responder_sbus.h'

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
437dbe9e by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
MONITOR: currently only 'ifp' doesn't support running as non-root

This should be easier to read.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
e2106c94 by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
SUDO: fix typo

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
5159992d by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
RESPONDER: use safe helper

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
64424963 by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
UTILS: sanitize `cli_creds_get_*` macro

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
55e27a42 by Alejandro López at 2023-03-27T12:44:34+02:00
KCM: Switch default caches only when there is no current default.

Only when there was a current default cache
(uuid_is_null(old_dfl_uuid) == false), the default cache was switched.
This condition should be negated so that the cache is switched when
there is no current default.

Resolves: https://github.com/SSSD/sssd/issues/6357

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
0e25f0d1 by answer9030 at 2023-03-27T12:45:04+02:00
Fixed pid wrapping in sss_cli_check_socket

Resolves: https://github.com/SSSD/sssd/issues/6592

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5c363bfb by answer9030 at 2023-03-27T12:45:04+02:00
Fixed the problem of calling getpid() and lstat() twice in sss_cli_check_socket()

the second call to getpid() and lstat() is redundant.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ae691f0b by Alexey Tikhonov at 2023-03-27T12:46:14+02:00
NSS: change default value of 'cache_first' to 'true'

Having 'cache_first' as 'false' is a performance degradation without a reason
in multi-(sub)domain environments (typical case when AD is involved).

But there is a subtle issue that doesn't allow switching the default when
'files provider' is used.

:config: Default value of 'cache_first' option was changed to 'true' in case
SSSD is built without 'files provider'.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cfc591d6 by Alejandro López at 2023-03-27T12:47:50+02:00
SDAP: Include struct ldb_dn in struct sdap_search_base

struct sdap_search_base includes the DN as a string. To better
compare the DNs it is better to use a struct ldb_dn, in addition to
the string.

The struct ldb_dn also needs to keep the associated struct ldb_context,
so we are also storing it in the structure.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
84e7dbc9 by Alejandro López at 2023-03-27T12:47:50+02:00
SDAP: Ignore the cn=views entries in nested groups

When resolving the nested groups, ignore any entry in
cn=views,cn=accounts,$BASEDN (or whatever the user configured).

Resolves: https://github.com/SSSD/sssd/issues/6548

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9e9d5825 by Alejandro López at 2023-03-27T12:47:50+02:00
Tests: Test that cn=views is ignored.

Add a new test to check the ignored search bases.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
62cb54dc by Pavel Březina at 2023-03-30T12:17:48+02:00
tests: make pytest-ldap aware of TLS options

OPT_X_TLS_NEWCTX must be set to create a new TLS context after
changing TLS options in order to actually use them in python-ldap.

This is required to run the tests inside idm-ci where the internal
hostname that is used in certificate does not match the external
hostname or IP address that is used to connect to the remote host.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
745379bc by Justin Stephenson at 2023-03-31T12:30:44+02:00
SSSCTL: Switch passkey-exec to passkey-register

Users currently only need to call --register

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f46fe473 by Jakub Vavra at 2023-04-03T09:37:32+02:00
Tests: Skip test_0002_ad_parameters_junk_domain on multiarch

The test does not work properly on multiarch due to beaker being
on a different network than openstack.
Fixed some misleading comments.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
9c17615a by aborah at 2023-04-04T12:12:38+02:00
Tests: don't fail if chattr file doesn't exist

error: DEBUG - chattr: Operation not supported while reading flags on /etc/resolv.conf

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ad68d71c by Pavel Březina at 2023-04-04T12:13:16+02:00
passkey: add Kerberos plugins

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2a16c256 by Pavel Březina at 2023-04-04T12:13:16+02:00
idp: switch to common API for radius-style plugin

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cdfe2c51 by Justin Stephenson at 2023-04-04T12:13:16+02:00
Authtok: Support SSS_AUTHTOK_TYPE_PASSKEY{_REPLY}

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5de070f9 by Justin Stephenson at 2023-04-04T12:13:16+02:00
pam_sss: Add passkey kerberos preauth support

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7c34742c by Justin Stephenson at 2023-04-04T12:13:17+02:00
krb5_child: Add passkey kerberos preauth support

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c76ba343 by Justin Stephenson at 2023-04-04T12:13:17+02:00
PAM: Passkey kerberos preauth support

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9869e487 by Justin Stephenson at 2023-04-04T12:13:17+02:00
krb5_child: Increase child buffer and chunk size

Passkey data can be larger than 512 bytes.

Received passkey data from krb5 with multiple credentials
exceeds 256 bytes.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
88f4d3cf by Justin Stephenson at 2023-04-04T12:13:17+02:00
Passkey: Add util function to prefix passkey data

Allows converting passkey child --get-assert output to
the format which the passkey krb5 plugin expects.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1032ca21 by Justin Stephenson at 2023-04-04T12:13:17+02:00
MAN: Clarify user_verification will be overwritten

The user_verification sssd.conf option for passkey will only be used
LDAP or AD, in the non-kerberos pre-auth case.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bb21171b by Justin Stephenson at 2023-04-04T12:13:17+02:00
Passkey: Changes to debug_libfido2 option

Change debug_libfido2 to passkey_debug_libfido2 and
move from passkey verification options to PAM option

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5744bad7 by Justin Stephenson at 2023-04-04T12:13:17+02:00
Tests: Amend PAM Preauth tests

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9e061fc0 by Jakub Vavra at 2023-04-04T14:58:56+02:00
Tests: Remove keytab on realm leave.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
a5efc5e6 by Pavel Březina at 2023-04-04T14:59:26+02:00
tests: fix type errors due to type enhancements in jc

The library we depend on `jc` made its typing more specific so we
need to check that we got the expected type.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
3d0fcca3 by Pavel Březina at 2023-04-04T14:59:26+02:00
tests: avoid list() and dict() as default parameter value

"Default parameter values are evaluated from left to right when the
function definition is executed." which means that the list or dict
is created only once and then the same reference is passed to the
function with each invocation, so the function calls can be affected
by the previous one.

See:
https://docs.python.org/3/reference/compound_stmts.html#function-definitions

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
a825b28b by Pavel Březina at 2023-04-11T10:06:35+02:00
passkey: fix copyrights and comments in krb plugin

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
576a1c19 by Madhuri Upadhye at 2023-04-11T10:07:00+02:00
Tests: Automation of bug, bz2100789, which test id_provider parameter from domain section

Add automation of bug which checks id_provider parameter from
domain section.
Contains the following two test cases:
1. Test when domain section does not have id_provider
2. Test when id_provider's value is invalid

verify:
    #https://bugzilla.redhat.com/show_bug.cgi?id=2100789
    #https://github.com/SSSD/sssd/pull/6550

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
bc5de686 by Jakub Vavra at 2023-04-13T12:25:27+02:00
Tests: Add a timeout to realm join for AD, modify realm leave.

The realm join gets stuck on other architectures particularly on s390x.
This makes it fail and suite can continue running instead of waiting
for timeout for the whole suite.
Handle the edge case when realm leave fails for the machine and removal from AD
is also not done resulting in the following tests unable to join as the machine
is already present on AD.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
e794bfde by Pavel Březina at 2023-04-14T12:11:40+02:00
ci: prepend pr copr build with high version number

Currently, it is not possible to simply install the copr pull request
package because a number is considered to be higher than a string version,
therefore 2.8.0 > pr6286 and dnf considers the potential installation
to be a downgrade which may cause conflicts.

Prepending 9 makes sure that the pull request copr build always wins.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
526aea3e by Tomas Halman at 2023-04-14T12:12:15+02:00
util: Improve re_expression defaults

The original defaults of re_expressions did not use "^" so they
may skip/ignore some leading character (@ and \).

The new defaults use ^ and $ to be sure that all characters
are used.

Resolves: https://github.com/SSSD/sssd/issues/6635

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b78b508b by Tomas Halman at 2023-04-14T12:12:15+02:00
responder: regexp cleanup

Update ifp and ssh responders to use regular expression
defined centrally.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
255c01a1 by Jakub Vavra at 2023-04-17T09:10:41+02:00
Tests: Fix error in cifs tests.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
c3a0b5f0 by Pavel Březina at 2023-04-17T11:57:59+02:00
tests: split system test framework into standalone repository

This change allows other projects to use the framework as well.

https://github.com/SSSD/sssd-test-framework

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
08711256 by aborah at 2023-04-19T15:27:05+02:00
Tests: Add missing package

strace was missing from installed packages

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
821455c7 by Sargun Narula at 2023-04-19T15:34:45+02:00
Tests: Ported cache_performance testing cases to pytest

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
6d659e29 by Sargun Narula at 2023-04-19T15:34:45+02:00
Fixed docstring minor changes

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
54aabca0 by Alejandro López at 2023-04-19T15:35:35+02:00
UTIL: Introducing SPRItime

SPRItime can be used to printf() time_t values.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3463caa8 by Alejandro López at 2023-04-19T15:35:35+02:00
COVERITY: Remove several Y2K38_SAFETY warnings

Most of them are external functions that receive a 32-bit integer but
SSSD provides a time_t value. For that we created the
sss_tevent_timeval_current_ofs_time_t(time_t t) wrapper function that
handles the conversion.

In another case, it was an internal function, so the function was
adapted to accept a time_t value.

Another case is a real problem caused by Kerberos storing times in the
32-bit signed krb5_timestamp, but time() returning a 64-bit value. It
seems Kerberos is planning on making this signed value unsigned. So the
recommended and adopted solution is to use the 32 lower bits.

Also the DEBUG() trace was corrected to use the right size.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3b65d7be by Alejandro López at 2023-04-19T15:35:35+02:00
COVERITY: Resolve a WRITE_CONST_FIELD warning

We are initializing the structure, so it is not a problem that we write
to const fields. In addition, using talloc_memdup() is better and avoids
the warning.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c3d6cc9a by Alejandro López at 2023-04-19T15:40:10+02:00
AD: Do not use the shortcut when filter_groups is set.

When using 'id <user>', a shortcut avoids creating the proper group
object but, instead, one where the SID is the group name is created.
This prevents a proper filtering of groups which requires the actual
group name.

Not using the shortcut will retrieve the group names and the filtering
will work.

Resolves: https://github.com/SSSD/sssd/issues/6617

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ebc1e460 by Sumit Bose at 2023-04-19T15:42:03+02:00
krb5: add joined/parent domain to [domain_realm]

So far only discovered sub-domains were added to the [domain_realm]
section of one of the krb5 config snippets SSSD is generating. To fix
recent issues which were caused by missing entries of the joined domain
this domain is now added as well.

Resolves: https://github.com/SSSD/sssd/issues/6600

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
dae5367b by Iker Pedrosa at 2023-04-19T15:44:18+02:00
test: cast to `char *` assert_string_equal() args

CI build is reporting the following error several times:
```
error: pointer targets in passing argument 2 of '_assert_string_equal'
differ in signedness [-Werror=pointer-sign]
```

Casting the arguments of assert_string_equal() to `char *` fixes the
issue.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
325fc8e1 by Jakub Vavra at 2023-04-24T11:12:51+02:00
Tests: Improve stability of tests in TestADParamsPorted, remove un-needed backups.

There are some tests that are flaky in the suite, adding pytest.flaky
and moving them to tier2.
Made sure that flaky tests are only in one tier instead of failing in two suites.
Removed backup and restore of sssd.conf as it is done by adjoin now.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
def571ba by Sumit Bose at 2023-04-24T11:13:37+02:00
krb5: make sure realm is known when writing domain_realms

To make sure that no broken krb5.conf snippet is created it is checked
if the realm member is defined in the sss_domain_info struct before
writing it to the output.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
a41810bd by Iker Pedrosa at 2023-04-24T11:14:25+02:00
CI: store CodeQL configuration artifacts

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
eb494154 by aborah at 2023-04-24T11:15:10+02:00
Tests: Add support for ldapi:// URLs

bz: https://bugzilla.redhat.com/show_bug.cgi?id=2152177

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
30e0b472 by Jakub Vavra at 2023-04-24T11:25:01+02:00
Tests: Add tests for BZ1765354

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1765354
Verifies: #5080

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
9f2d8d69 by minfrin at 2023-04-24T13:12:31+02:00
Add support for ldapi:// URLs.

Make sssd aware of unix domain sockets, allowing connections to local
LDAP servers.

Make use of struct sockaddr and socklen_t consistent across the code.

:feature: Add support for ldapi:// URLs to allow connections to local
  LDAP servers

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f2213418 by minfrin at 2023-04-24T13:12:31+02:00
Align sockaddr_storage to sockaddr for updated API.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
91b70123 by minfrin at 2023-04-24T13:12:31+02:00
Ensure we touch sockaddr_len in the success case only.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4ccd5b9a by minfrin at 2023-04-24T13:12:31+02:00
Do not set SO_KEEPALIVE on AF_UNIX.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2d54cf5e by minfrin at 2023-04-24T13:12:31+02:00
Rename sdap_get_server_ip_str() to sdap_get_server_peer_str()

Add support for printing AF_UNIX paths.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e004595a by minfrin at 2023-04-24T13:12:31+02:00
Don't force TLS on if we're a unix domain socket.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
559f29ff by Pavel Březina at 2023-04-26T10:13:58+02:00
tests: load fixtures from sssd-test-framework

This makes fixtures from sssd-test-framework available in our tests.
See tests.sssd.io to list the fixtures:

https://tests.sssd.io/en/latest/api/sssd_test_framework.fixtures.html

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
52c3d6c2 by Pavel Březina at 2023-04-26T10:13:58+02:00
tests: create data directory in system tests

The directory hierarchy is as follows:
* `data/`
  * files shared for all test modules
  * `test_module/` (directory for `test_module.py`)
    * files shared for all tests within the module `test_module.py`
      * `test_module__xyz/` (directory for single test from the module)
        * files relevant only for the test `test_module__xyz`

It can be accessed via datadir, moduledatadir and testdatadir fixtures.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
9358a74d by Sumit Bose at 2023-04-26T10:32:25+02:00
ad: skip filtering if ad_enabled_domains is set

The domain filtering based on LDAP attributes might be too strict in
forests which have a long and complex history where not all attributes
might be updated to reflect the current state, e.g. membership to the
local forest. To skip the filtering the ad_enabled_domains attribute can
be set to the list of expected domains.

Resolves: https://github.com/SSSD/sssd/issues/6626

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
1bf47514 by Sumit Bose at 2023-04-26T10:32:25+02:00
tests: fix typo in ldapi test

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ddec8ae2 by Alexey Tikhonov at 2023-04-27T06:52:51+02:00
SPEC: obsolete libsss_simpleifp

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9329c09d by Jakub Vavra at 2023-04-27T06:53:10+02:00
Tests: Fix pytest markers to remove warnings.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
04cc2f73 by Jakub Vavra at 2023-04-27T12:09:37+02:00
Tests: Install libsss_simpleifp conditionally based on release.

Package libsss_simpleifp is removed from Fedora and a future
major version of RHEL, install it only on RHEL/CentOS 7, 8, 9.
See https://github.com/SSSD/sssd/pull/6701.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
d735fb1e by Jakub Vavra at 2023-04-27T12:15:22+02:00
Tests: Ignore chattr result on resolv.conf

The resolv.conf can be a symlink (because of systemd-resolved) so chattr will not work on it.
We ignore the result so an error is not produced on Fedora where systemd-resolved is in play.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
ed2510d9 by Jakub Vavra at 2023-04-28T11:00:41+02:00
Tests: Add test for bz1913839 gid of filtered group gid still present in id

Verifies
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1913839

Group id of a group that should have been filtered is visible in
the id command output.

Fixed test numbering, removed un-needed backups,
moved log collection to later part of code to make the test_0016 more reliable.

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
265f6e02 by Shridhar Gadekar at 2023-04-28T11:03:00+02:00
Tests: sss allows extraneous @ characters prefixed to username

corrected typo

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2180981
Verifies:

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c200fc01 by Madhuri Upadhye at 2023-05-03T18:53:27+02:00
Test: Test nested group in view based search

Automation of BZ2151403

Test nested group entry in cn=views,cn=accounts,$BASEDN
with the id command from the client.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
f97cd4d4 by Iker Pedrosa at 2023-05-03T18:53:46+02:00
passkey: don't print User ID

The User ID isn't part of any signed data, thus there isn't any
indication that it's related to the token. Moreover, the effort to store
it securely on the LDAP attribute is quite big. Taking that into account
the passkey child doesn't print it and this way we avoid storing it in
the LDAP server.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9724f871 by Alexander Bokovoy at 2023-05-03T18:54:06+02:00
passkey: only accept the client realm as relying party ID

FreeIPA expects the relying party ID for the FIDO2 exchange to be the same as
the realm. If a rogue KDC attempted to inject another relying party ID,
reject it.

We use server principal as opposed to the client one to allow use of
enterprise principals. Server principal in AS-REQ would be
krbtgt/REALM at REALM for the realm of the client.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d0a6bf60 by Alexander Bokovoy at 2023-05-03T18:54:06+02:00
passkey: implement realm check for the passkey challenge

A rogue KDC might respond to us with a passkey challenge that references
a domain not associated with the realm we serve. In order to check that,
convert the DNS domain from the challenge to the realm using the hostrealm
interface provided by the krb5 library.

For a referral realm fall back to the explicit challenge domain check.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9bf55bf9 by Alexey Tikhonov at 2023-05-03T19:00:21+02:00
MONITOR: disable 'user' config option in case --with-sssd-user=root

In case SSSD was configured and built --with-sssd-user=root, no other
value of 'user' config option (besides default 'root') is supported.
Having it documented in the man page in this case only brings confusion.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8b94af6e by Alexey Tikhonov at 2023-05-03T19:00:21+02:00
MONITOR: validate value of 'user' option.

Only 'root' and SSSD_USER are valid values.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d4866940 by Luke Dickinson at 2023-05-04T10:39:33+02:00
Remove the need for a keytab when using fast with anonymous pkinit

Anonymous pkinit does rely on a keytab for authentication.
Removed unnecessary call to copy keytab into memory.

Resolves: https://github.com/SSSD/sssd/issues/6531

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ede8c139 by Weblate at 2023-05-04T11:11:59+02:00
po: update translations

(Turkish) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Korean) currently translated at 64.3% (1676 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Czech) currently translated at 99.4% (702 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(Czech) currently translated at 99.1% (700 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(French) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations

(Korean) currently translated at 64.3% (1676 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations

(Japanese) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations

(French) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations

(Japanese) currently translated at 94.0% (664 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations

(Finnish) currently translated at 10.0% (71 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Georgian) currently translated at 7.9% (56 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations

(Polish) currently translated at 4.9% (132 of 2656 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations

(Korean) currently translated at 64.1% (1673 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Finnish) currently translated at 9.9% (70 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Swedish) currently translated at 100.0% (2722 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 98.8% (2692 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 98.1% (2672 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

po: update translations

(Finnish) currently translated at 9.6% (68 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Korean) currently translated at 64.1% (1671 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Finnish) currently translated at 8.9% (63 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Korean) currently translated at 63.7% (1661 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Finnish) currently translated at 7.3% (52 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Polish) currently translated at 4.9% (131 of 2656 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations

(Georgian) currently translated at 7.7% (55 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations

(Finnish) currently translated at 7.2% (51 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Russian) currently translated at 100.0% (2722 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Ukrainian) currently translated at 100.0% (2722 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Russian) currently translated at 97.3% (687 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Korean) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Ukrainian) currently translated at 99.1% (2700 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Ukrainian) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Korean) currently translated at 97.1% (686 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Ukrainian) currently translated at 98.8% (2692 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Ukrainian) currently translated at 96.4% (681 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Polish) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations

(Korean) currently translated at 63.6% (1659 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

- - - - -
619ecbbc by Iker Pedrosa at 2023-05-04T13:35:09+02:00
test: add conditional build for passkey functions

`make distcheck` is failing because two passkey functions are defined
but never used. Add conditional build for them.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e91b5d4a by Pavel Březina at 2023-05-05T10:07:26+02:00
man: put sssd_user_name.include to builddir

Putting it to the source directory makes "make distcheck" fail when
run directly from source directory instead of different build dir.

It produces this error message:
```
/bin/sh: line 1: ../../../../src/man//sssd_user_name.include: Permission denied
```

Because the source directory copied by distcheck is not writable.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
6c184c47 by Pavel Březina at 2023-05-05T10:11:07+02:00
pot: update pot files

- - - - -
e1195619 by Timo Aaltonen at 2023-06-06T21:18:34+03:00
Merge tag '2.8.2' into m

2.8.2

- - - - -
8706941f by Timo Aaltonen at 2023-06-06T21:18:38+03:00
Merge branch 'master' into m

- - - - -
4cfe8a54 by Timo Aaltonen at 2023-06-06T21:19:23+03:00
version bump

- - - - -
4eac205f by Timo Aaltonen at 2023-06-06T21:20:44+03:00
patches: Drop an upstreamed patch.

- - - - -
a2a6933b by Timo Aaltonen at 2023-06-06T22:03:11+03:00
Drop deprecated simple-ifp library and files provider.

- - - - -
ff5ca0bb by Timo Aaltonen at 2023-06-07T14:43:19+03:00
control, rules: Add sssd-passkey, and libfido2-dev to build-depends.

- - - - -


22 changed files:

- .github/workflows/analyze-target.yml
- .github/workflows/ci.yml
- .github/workflows/copr_build.yml
- .github/workflows/static-code-analysis.yml
- .gitignore
- Makefile.am
- configure.ac
- contrib/ci/configure.sh
- contrib/ci/deps.sh
- contrib/ci/sssd.supp
- contrib/fedora/bashrc_sssd
- contrib/sssd.spec.in
- debian/changelog
- debian/control
- − debian/libsss-simpleifp-dev.install
- − debian/libsss-simpleifp0.install
- − debian/patches/0004-Makefile-Install-dbus-policy-in-usr-not-etc.patch
- debian/patches/series
- debian/rules
- debian/sssd-common.install
- + debian/sssd-passkey.install
- po/bg.po


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/0bc80bdb887aa850b98f2b356cecf5fcc07a87d4...ff5ca0bb7153fc824e5ec649252137b1faa0a043
