<feed xmlns='http://www.w3.org/2005/Atom'>
<title>sssd2.git, branch sssd-1-9</title>
<subtitle>System Security Services Daemon [okos' clone]</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/'/>
<entry>
<title>Display the last grace warning, too</title>
<updated>2013-05-02T10:52:49+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2013-04-22T09:38:27+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=ac77faa9765f2877a82f71dc9584ba26aeb39a25'/>
<id>ac77faa9765f2877a82f71dc9584ba26aeb39a25</id>
<content type='text'>
Due to a comparison error, the last warning when an LDAP password was in
its grace period was never displayed.

https://fedorahosted.org/sssd/ticket/1890
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Due to a comparison error, the last warning when an LDAP password was in
its grace period was never displayed.

https://fedorahosted.org/sssd/ticket/1890
</pre>
</div>
</content>
</entry>
<entry>
<title>Only try to relink ghost users if we're not enumerating</title>
<updated>2013-04-29T18:44:19+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2013-04-29T12:37:27+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=3896c82a127ec0858429e04b8019773dbf7e7b92'/>
<id>3896c82a127ec0858429e04b8019773dbf7e7b92</id>
<content type='text'>
https://fedorahosted.org/sssd/ticket/1893

When SSSD is not enumerating (which is the default), we are trying to
link any "ghost" entries with a newly created user entry. However, when
enumeration is on, this means a spurious search on adding any user.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://fedorahosted.org/sssd/ticket/1893

When SSSD is not enumerating (which is the default), we are trying to
link any "ghost" entries with a newly created user entry. However, when
enumeration is on, this means a spurious search on adding any user.
</pre>
</div>
</content>
</entry>
<entry>
<title>Bump the version for the 1.9.6 release</title>
<updated>2013-04-29T18:42:11+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2013-04-29T18:42:11+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=916ed98c63c4c2256737f853ceb746f284028bc5'/>
<id>916ed98c63c4c2256737f853ceb746f284028bc5</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Updating the translations for the 1.9.5 release</title>
<updated>2013-04-23T12:25:23+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2013-04-23T12:25:23+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=6d94922f616e19712ea132a8e37b7e2a3aa60dda'/>
<id>6d94922f616e19712ea132a8e37b7e2a3aa60dda</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>tests: Link the simple access tests with -ldl</title>
<updated>2013-04-22T13:35:58+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2013-04-19T09:27:59+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=661a983c73520a59803729108812396323c8366b'/>
<id>661a983c73520a59803729108812396323c8366b</id>
<content type='text'>
In SSSD, we use dlopen() and dlsym() in two files
src/providers/data_provider_be.c and src/providers/proxy/proxy_init.c.
Hence we should explicitly link with -ldl also in simple_access-tests.

SSSD can be compiled with two crypto libraries, nss or libcrypto. NSS has
a dependency, nspr, which depends on "libdl and libpthread". This is a reason why
compilation of the test did not fail even if -ldl was not explicitly added to
simple_access_tests_LDADD. But libcrypto doesn't depend on libdl, so in
this case compilation of the tests will not be successful.

Upstream nspr 4.9 has two ways to obtain metainformation about
libraries: pkg-config and its own script nspr-config. The first one doesn't list
"-ldl" "-lpthread" but the second one lists both "-ldl" "-lpthread".

That's also why the Ubuntu maintainer found this bug -- Fedora has got
a patched version of nspr, but Debian (Ubuntu) doesn't.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In SSSD, we use dlopen() and dlsym() in two files
src/providers/data_provider_be.c and src/providers/proxy/proxy_init.c.
Hence we should explicitly link with -ldl also in simple_access-tests.

SSSD can be compiled with two crypto libraries, nss or libcrypto. NSS has
a dependency, nspr, which depends on "libdl and libpthread". This is a reason why
compilation of the test did not fail even if -ldl was not explicitly added to
simple_access_tests_LDADD. But libcrypto doesn't depend on libdl, so in
this case compilation of the tests will not be successful.

Upstream nspr 4.9 has two ways to obtain metainformation about
libraries: pkg-config and its own script nspr-config. The first one doesn't list
"-ldl" "-lpthread" but the second one lists both "-ldl" "-lpthread".

That's also why the Ubuntu maintainer found this bug -- Fedora has got
a patched version of nspr, but Debian (Ubuntu) doesn't.
</pre>
</div>
</content>
</entry>
<entry>
<title>LDAP: do not invalidate pointer with realloc while processing ghost users</title>
<updated>2013-04-19T12:08:31+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2013-04-12T10:01:01+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=f4fddaf1bad5f82920ae3ec2af90b42309472a89'/>
<id>f4fddaf1bad5f82920ae3ec2af90b42309472a89</id>
<content type='text'>
https://fedorahosted.org/sssd/ticket/1799

One peculiarity of the sysdb_attrs_get_el interface is that if the
attribute does not exist, then the attrs array is reallocated and the
element is created. But in case other pointers are already pointing
into the array, the realloc might invalidate them.

Such a case was in the sdap_process_ghost_members function where if
the group had no members, the "gh" pointer requested earlier might have
been invalidated by the realloc in order to create the member element.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://fedorahosted.org/sssd/ticket/1799

One peculiarity of the sysdb_attrs_get_el interface is that if the
attribute does not exist, then the attrs array is reallocated and the
element is created. But in case other pointers are already pointing
into the array, the realloc might invalidate them.

Such a case was in the sdap_process_ghost_members function where if
the group had no members, the "gh" pointer requested earlier might have
been invalidated by the realloc in order to create the member element.
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix simple access group control in case-insensitive domains</title>
<updated>2013-04-15T13:03:45+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2013-04-11T07:18:56+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=4f57212955827a9062b150c768e8a0c2fb613193'/>
<id>4f57212955827a9062b150c768e8a0c2fb613193</id>
<content type='text'>
https://fedorahosted.org/sssd/ticket/1880

In the simple access provider, we need to only canonicalize user names when
comparing with values in the ACL, not when searching the cache. The sysdb
searches might do a base search with a DN constructed with the username
which fails if the username is lower case.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://fedorahosted.org/sssd/ticket/1880

In the simple access provider, we need to only canonicalize user names when
comparing with values in the ACL, not when searching the cache. The sysdb
searches might do a base search with a DN constructed with the username
which fails if the username is lower case.
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix krbcc dir creation issue with MIT krb5 1.11</title>
<updated>2013-04-15T09:44:52+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2013-04-06T15:58:53+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=e495127f6abb40b74e23db9e37ff08247008a543'/>
<id>e495127f6abb40b74e23db9e37ff08247008a543</id>
<content type='text'>
In krb5-libs &gt;= 1.11, the function krb5_cc_resolve verifies if the credential
cache dir exists. If it doesn't exist, then it will be created with process
permissions and not user permissions.

The function cc_residual_is_used has already checked for a non-existing
directory, but it wasn't considered to be a failure and therefore the next call
of krb5_init_context will create the directory with wrong permissions.

Now if the directory doesn't exist, it will be handled as if there was no ccache
attribute in the sysdb cache. We also check if the "primary" file in the ccache
directory has the right permissions. But we ignore a missing "primary" file.

https://fedorahosted.org/sssd/ticket/1822
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In krb5-libs &gt;= 1.11, the function krb5_cc_resolve verifies if the credential
cache dir exists. If it doesn't exist, then it will be created with process
permissions and not user permissions.

The function cc_residual_is_used has already checked for a non-existing
directory, but it wasn't considered to be a failure and therefore the next call
of krb5_init_context will create the directory with wrong permissions.

Now if the directory doesn't exist, it will be handled as if there was no ccache
attribute in the sysdb cache. We also check if the "primary" file in the ccache
directory has the right permissions. But we ignore a missing "primary" file.

https://fedorahosted.org/sssd/ticket/1822
</pre>
</div>
</content>
</entry>
<entry>
<title>krb5: include backwards compatible declaration of krb5_trace_info</title>
<updated>2013-04-15T09:44:52+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2013-02-04T16:30:48+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=c215e00ef09a3999f476a4fdcd007dadb59bcab9'/>
<id>c215e00ef09a3999f476a4fdcd007dadb59bcab9</id>
<content type='text'>
krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11
includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info".

Do the same in the SSSD to allow compiling with both 1.10 and 1.11.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11
includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info".

Do the same in the SSSD to allow compiling with both 1.10 and 1.11.
</pre>
</div>
</content>
</entry>
<entry>
<title>sssd fails with readonly SELinux login files</title>
<updated>2013-04-12T17:26:54+00:00</updated>
<author>
<name>Michal Zidek</name>
<email>mzidek@example.com</email>
</author>
<published>2013-04-11T11:12:47+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=ecc95c053abb32c6170f0b069c9ea610357cb9d5'/>
<id>ecc95c053abb32c6170f0b069c9ea610357cb9d5</id>
<content type='text'>
Do not try to remove SELinux login file if SELinux
support is not available.

https://fedorahosted.org/sssd/ticket/1868
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Do not try to remove SELinux login file if SELinux
support is not available.

https://fedorahosted.org/sssd/ticket/1868
</pre>
</div>
</content>
</entry>
</feed>
