| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
Do not wait for SSSD to become online if directory server is going
for shutdown. Since it is guaranteed that SSSD will not be able to
function with 389-ds offline, it makes no sense to continue a loop.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In case libsss_nss_idmap provides timeout-enabled NSS API, use it.
This solves a problem of too long queries to an NSS backend with
traditional POSIX NSS API. In case SSSD takes too long to respond
to a query, corresponding 389-ds thread running schema-compat plugin
would stuck waiting that response. It can lead to an exhaustion of
389-ds threads.
A refactored interface to NSS backends is introduced with this commit.
A backend API looks like an API an NSS plugin has to implement in glibc
but also allows to handle timeout-based requests internally.
If backend implements timeout-enabled calls, then
backend_nss_set_timeout() function can be used to modify a per-context
state. There is no need for a caller to know whether backend supports
timeout-enabled calls because either way these calls are synchronous
and backend choice is done at compile-time.
schema-compat plugin uses 10 seconds as its default timeout. One can
change it via 'slapi-nss-timeout' attribute in the plugin config entry.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSSD exposes an extended NSS API via libsss_nss_idmap. This API allows
to query getpwnam()/getgrnam()/getgruid()/getpwuid()/getgrouplist()
information with a timeout per request. As result, an application has
possibility to cancel too long request.
This API also allows to ignore SSSD cache or invalidate it when
requesting certain information. slapi-nis needs this functionality when
invalidating own entries as result of changes done by other LDAP clients
in the areas which slapi-nis doesn't track directly.
For example, an update of ID override in the Default Trust View should
invalidate user or group entry for that AD object. Since retrieval of
the user/group information relies on SSSD, SSSD needs to be notified
that there is a change in ID override and evict the entry from its cache
as well.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Plug into a processing of LDAP add/delete/modify to see if an ID override entry
was added/deleted/updated. ID overrides aren't directly used to produce
map cache entries but when AD user or group is resolved, SSSD on IPA
master amends that information with ID Override from a Default Trust
View. Since nothing else would remove AD user or group entry from the map cache
on ID override change, handle their removal here.
Check if we have any nssswitch-generated entry in a map cache that
corresponds to this entry. Such entries would be evicted from the map
cache to allow their refresh.
Allow backends to inspect entries related to a map set
Entries may be related to a map set content but not used directly to
generate it. An example would be ID overrides in FreeIPA. An addition,
removal or change of an ID override in the Default Trust View should be
reflected by evicting an entry from the corresponding seti.
Let backends to handle exact logic. NIS backend does not support
exposing AD users so it provides set of dummy callbacks that always
return FALSE (entry is not related). Schema Compat backend, on other
hand, does track ID overrides in a Default Trust View in FreeIPA.
|
|
|
|
| |
NIS doesn't need to handle ID overrides, it has to always skip related entries
|
| |
|
| |
|
|
|
|
|
|
| |
Replacing the old link pointing to fedorahosted.org retirement page.
Signed-off-by: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When SSSD resolves AD users on behalf of slapi-nis, it can accept
any user identifier, including user principal name (UPN) which
may be different than the canonical user name which SSSD returns.
As result, the entry created by slapi-nis will be using canonical user
name but the filter for search will refer to the original (aliased)
name. The search will not match the newly created entry.
Fix this issue by returning two values for 'uid' attribute: the
canonical one and the aliased one. This way search will match.
Verified that SSSD with id_provider=ldap happily consumes such entries.
By LDAP schema, 'uid' attribute can have multiple values.
Fixes https://fedorahosted.org/slapi-nis/ticket/12
|
|
|
|
|
|
|
|
|
|
|
| |
When extracting idview all we care is the DN of new target.
We don't really use the rewritten target as a string anymore,
so there is no need to rewrite the string in the pblock.
This fixes a bug when running with 389-ds 1.3.5.10+ which is more
strict about modification of the values in pblock.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1360245
|
|
|
|
|
|
|
|
|
| |
During Schema-compat cache priming, If it exists an associated domain
the entry returned by the internal search is freed twice.
This was introduced in order for slapi-nis to resolve IPA groups with
fully qualified suffix. To support SSSD 1.14+ change of logic to handle
a default domain suffix.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With SSSD 1.14+ there is a logic change to handling of a default domain
suffix.
SSSD has two different formats to handle: the input and output. The
input format is parsed into (name,domain) tuples with the re_expression
option and the output is formatted with the full_name_format option.
Because of the way SSSD used to store the usernames in sysdb, it was
tied to the full_name_format option, just changing the output format
changed the way the names are stored internally. SSSD changed the cache
to always store names in a unified format (foo@bar) and use the
full_name_format only for output, as it should be.
This changed a logic of use_fully_qualified_names=True. It now mandates
that the /input/ contains both the name and the domain part and then
SSSD formats the output using the full_name_format option. The
default_domain_suffix is a hack that just appends its value to an
unqualified input, making all queries for "foo" into "foo@bar".
In new SSSD if configuration contains:
default_domain_suffix = win.domain
full_name_format = $1 # only name
then a request for "foo" will internally turn into "foo@win.domain" but
return "foo" on the output. However, queries for IPA's foo will have to
be qualified by the admin manually like "foo@ipa.domain" otherwise sssd
doesn't know which foo you meant.
Support this logic by querying associatedDomain attribute of the
restricted bases of the data set. IPA stores this information in the
$SUFFIX base dn (dc=example,dc=com) and configures slapi-nis with
restricted base set to $SUFFIX (and the plugin config). While
associatedDomain attribute is multivalued, the $SUFFIX object always has
a single value corresponding to the IPA domain name that is the same as
SSSD domain suffix.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
During password modification ext. op (1.3.6.1.4.1.4203.1.11.1),
if the target entry is in the compat tree, slapi-nis should
remap the entry to the real entry.
This needs to be done in a pre-op extop that calls the callback
function handling a given OID.
The password mod. callback does a reverse mapping of
extop USERID and set it in SLAPI_TARGET_SDN.
https://fedorahosted.org/freeipa/ticket/5955
|
|
|
|
| |
Resolves: rhbz#1327197
|
|
|
|
| |
Resolves: rhbz#1327197
|
|
|
|
|
|
|
|
|
| |
Launching a separate thread to populate map cache has a side effect that
the thread could be scheduled to execute over a shutdown time. If LDAP server
received the request to shutdown, we need to stop processing the
original source and shut the priming thread.
Resolves: rhbz#1327197
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With ID Views in FreeIPA one can override different kinds of attributes,
including the uid. When uid attribute is overriden, LDAP BINDs with
DNs using new (overridden) uid are properly modified to reference the
original (non-overridden) object.
However, when uid attribute is not overridden, slapi-nis did mistakenly
avoided to build a reference to the original object without ID view.
This resulted in inability to do LDAP BIND as overriden DN with original
uid attribute.
Fix the issue by always processing a DN after removing ID view reference
from it, whether RDN value (uid) was replaced or not.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1301300
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a rule that adds two bang characters in front of the password.
When the password algorithm is defined as CRYPT and NIS is used to
authenticate users on other systems, there is no way to disable or lock
accounts. Traditional convention has been to put two bang (exclamation)
characters in front of the password, creating an impossible password
hash. This effectively locks the user account, preventing
authentication.
All UNIX systems agree that for encrypted passwords presence of a
character which cannot be part of CRYPT password scheme renders
impossible to login to system with such password. However, not all
systems have meaning of locked accounts and even how these locked
accounts express themselves.
There is certain controversy in what could be used to indicate locked
accounts:
- GNU/Linux systems expect '!' as first character of the password field
- FreeBSD expects '*LOCKED*' string at start of the password field
- Various Solaris versions expect '*LOCK*' string at start of the
password field
- NetBSD has no meaning of locked passwords via content of password field
Given that it is impossible to serve NIS maps with encrypted passwords
in a different way to different clients, standardize on '!!' scheme as
traditional among UNIX administrators.
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1298478
|
|
|
|
|
| |
Serialize process of initiliazing map cache to avoid locking the
directory server backends.
|
|
|
|
|
| |
Initializing map cache may take time. Skip slapi-nis lookups untli
the map cache is ready.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
FreeIPA allows to include external (non-LDAP) members into POSIX groups.
To define external members, an attribute ipaExternalMember is set to
the list of references to external members. Currently both FreeIPA and
SSSD support only references done with SIDs (Security Identifiers) from
the forests trusted by FreeIPA.
Resolving external members of FreeIPA groups requires resolving SIDs to
user and group names. However, since this resolution is already
implemented by SSSD for the group in question, slapi-nis can use the
fact that there is non-empty ipaExternalMember attribute's value to
trigger lookup of the FreeIPA group via SSSD and then copy over
memberUid attribute value set.
This logic requires that ipaExternalMember attribute value is present in
the entry to be put into the map cache. Thus, an additional
configuration is needed for the groups container:
schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")
Note that resolving external members of IPA groups requires to use
version of slapi-nis that populates the map cache after LDAP server
startup, as SSSD needs to talk back to the LDAP server in the process of
resolving external group members and that is not possible at the time
when slapi-nis plugin starts up as the LDAP server is not yet listenting
for incoming connections at that point.
|
|
|
|
|
|
|
|
| |
When memberUid attribute is generated, it has to be normalized or
otherwise searches for members against groups in compat tree will fail.
slapi-nis already normalizes elements of a search filter that mention
memberUid attribute values but the original memberUid value should be
normalized as well.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently slapi-nis design assumes the map cache is populated by
scanning the original trees on plugin start up. This has few
consequences:
- LDAP server cannot serve LDAP clients until all plugins are
initialized
- slapi-nis cannot ask SSSD to resolve external identities at
this point as SSSD will need to talk to the LDAP server which
is at this point not listening for connections. SSSD will put
whole IPA domain into offline and always will respond
with negative result
To solve these issues, schedule tree scan after LDAP server startup.
The problem here is that it is not possible to reliably detect when
389-ds starts to listen to the incoming connections. However, it is
possible to schedule an event into 389-ds event queue that will run
shortly after start of the event loop. Given that the call back function
which is registered to be called is called within the event loop thread,
one can fire off another thread and wait in the thread function some
time until the LDAP server is ready for connections.
The time interval is something that would depend on a specific
deployment profile but experiments show that having 5 seconds delay
should be enough as event queue is created just before starting the
listeners.
|
|
|
|
|
|
|
|
|
|
|
|
| |
- ID View processing should only happen if ID view is defined
- When finding attribute with slapi_entry_attr_find() use correct return
code (slapi_entry_attr_exists() returns 1, _find() returns 0)
- cn=<view>,cn=views,cn=compat,$SUFFIX lookup is fixed
Resolves: rhbz#1277576, rhbz#1265465
https://bugzilla.redhat.com/show_bug.cgi?id=1277576
https://bugzilla.redhat.com/show_bug.cgi?id=1265465
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When slapi-nis plugin responds on a search query, it holds read lock for
the internal structure called 'map cache'. The map cache lock can also be taken
for write when modification would be required like responding to DELETE, ADD, or
MODIFY operations.
As result of the lock semantics, write lock owner is blocked until all read lock
owners release their locks. This is generally not a problem but when readers sent
out LDAP query results, they call into SLAPI function that might take long time
to send out the data due to external reasons (network latencies, clients being
blocked, etc) and all this time map cache is locked for write operations.
When Kerberos KDC issues a TGT, it needs to modify few Kerberos-related attributes
in the principal's LDAP entry. These updates are generating MOD operations visible
by slapi-nis plugin which triggers re-scan of map cache to potentially replace
the affected entries. To perform potential replacement, slapi-nis has to take a write
lock and be blocked by outstanding readers.
Therefore, it is possible to encounter a situation where an LDAP client uses
SASL GSSAPI authentication and existing Kerberos ticket did expire in a course
of outstanding search request. According to LDAPv3 protocol specification, an
LDAP client must perform re-negotiation before reading any outstanding PDUs. It
would ask Kerberos KDC for a new (or renewed) TGT, that would cause MOD updates
for the primary tree which is tracked for changes by slapi-nis. These changes
would be blocked by a slapi-nis reader as the client cannot finish reading
outstanding PDUs yet.
To solve this problem, we avoid sending LDAP entries while keeping map cache
lock. Instead, we generate a linked list of copies of entries which will be
sent out. To allow sharing of entries between multiple parallel queries, we
hash the entry and reference the cached entry in the linked list with increased
reference count. Once entry is actually sent, its reference count decreased and
on reaching zero it is removed from the hash.
The entry in the hash table might become outdated. This is detected by comparing
both modifyTimestamp and entryUSN values of the entry to be sent and entry in the
hash table. If new version of the entry is different, hash table's entry reference
is replaced with a new copy. The old entry is not removed because it is still
referenced by some outstanding query processing. Thus, the hash table always
references the most recent version of an entry but there might be multiple copies
in possesion of the linked lists from the separate parallel queries.
An entry sharing via hash table can be disabled by setting
slapi-entry-cache: 0
in the definition, cn=Schema Compatibility,cn=plugins,cn=config
Resolves: rhbz#1273587
https://bugzilla.redhat.com/show_bug.cgi?id=1273587
|
|
|
|
|
| |
When describing the NIS and compat filtering options, remind the reader
that indexing the involved attributes helps.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the case there are no groups in cn=groups map that have certain
memberUid as a member, we look at possibility that this user might
be coming from a trusted AD forest. However, all users from trusted
AD forests do have '@' separator in the name between the user name
and the domain.
In case there is no '@' separator, consider such search as not valid
for lookups in SSSD.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1243823
|
|
|
|
| |
CVE-2015-0283 slapi-nis: infinite loop in getgrnam_r() and getgrgid_r()
|
|
|
|
|
|
| |
By default initial buffer sizes for getgrent/getgrnam/... functions
are way small for large groups in Active Directory so make sure
we have something reasonable for groups with hundreds or thousands members.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
users via NSS
When Schema Compatibility plugin is configured to enumerate users and groups
from Active Directory domains trusted by FreeIPA, use nss_sss module directly
instead of following nsswitch.conf configuration.
The issue with nsswitch.conf configuration is in the fact that for each request
all modules in NSS chain are processed while only one of them is responsible
for users from trusted Active Directory domains, namely, nss_sss.
|
|
|
|
|
|
| |
To keep slapi-nis code portable to older versions of 389-ds-base,
avoid using slapi_entry_attr_exists() as it was only introduced in
389-ds-base 1.3.3.0.
|
| |
|
|
|
|
|
|
|
|
| |
If RDN of the bind DN is overridden within the ID view, rewrite the
target to use original value of the uid attribute.
If original uid attribute is not available, fail the search and thus
the whole bind request by claiming that bind DN does not exist.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
schema-compat plugin may provide multiple disjoint subtrees which
can be used to request overridden entries by prefixing the subtree
suffix with a
cn=<name of view>,cn=views,<subtree suffix>
As subtrees may be disjoint, we cannot rely on the common suffix. Thus,
any attempt to replace target DN and update filter terms must only be
done once we are sure the search will be done in the subtree.
This optimization prevents mistakenly changing the search filter when
FreeIPA and SSSD search for the ID overrides themselves, as the same
structure of the target DN is used for cn=views,cn=accounts,$SUFFIX
subtree in FreeIPA. This subtree is never handled by slapi-nis and
should be ignored.
https://bugzilla.redhat.com/show_bug.cgi?id=1157989
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
memberUid attribute uses IA5 String comparison which is case-sensitive.
At the same time, uid attribute uses case-insensitive comparison.
When memberUid is constructed for groups from AD, SSSD normalizes names
to a lower case. slapi-nis records these entries as they produced by SSSD.
However, the search filter is not modified, thus case-sensitive comparison
of memberUid attribute may fail match of the original term.
Workaround the issue by low-casing memberUid term in the search filter
if it includes '@' sign, meaning we are searching on fully-qualified user
name provided by SSSD.
https://bugzilla.redhat.com/show_bug.cgi?id=1130131
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
FreeIPA ID views allow to override POSIX attributes for certain
users and groups.
A support is added to allow using specific ID view when serving
compatibility tree. Each user or group entry which has an override
in the view is amended with the overridden values from the view
before served out to the LDAP client.
A view to use is specified as a part of base DN:
cn=<view>,cn=views,cn=compat,$SUFFIX
where cn=compat,$SUFFIX is the original compatibility tree base DN.
Each entry, when served through the view, gets new DN rewritten to
specify the view. Additionally, if override in the view changes
uid (for users) or cn (for groups) attribute, the entry's RDN is changed
accordingly.
For groups memberUid attribute is modified as well in case there is an override
in the view that changes uid value of that member.
FreeIPA ID views support overrides for users of trusted Active Directory domains.
In case of a trusted AD domain's user or group is returned via compatibility tree,
view overrides are applied in two stages:
1. SSSD applies default view for AD users
2. slapi-nis applies explicitly specified (host-specific) view
on top of the entry returned by SSSD
Thus, slapi-nis does not need to apply default view for AD users and if there are
no host-specific views in use, there is no need to specify a view in the base DN,
making overhead of a default view for AD users lower.
|
| |
|
| |
|
|
|
|
|
| |
The values for NIS hosts.byname and hosts.byaddr maps should start with
addresses, not names. Reported by Rik Megens.
|
|
|
|
|
| |
Avoid calling strdup() in a situation where we don't need to, so that we
can better handle cases where it fails (static analysis).
|