sssd.git/src/config/SSSDConfig, branch master Unnamed repository; edit this file 'description' to name the repository. secrets: allow to configure certificate check 2017-03-30T17:08:00+00:00 Pavel Březina pbrezina@redhat.com 2017-02-28T10:47:32+00:00 720e1a5b95a953a0f1c8315bbb7c9c1edf9fb417 Some users may want to use TLS with unverified peer (for example if they use self-signed certificate) or if unverified hostname (if certificate hostname does not match with the real hostname). On the other side it may be useful to point to a directory containing custom certificate authorities. This patch add three new options to secrets responder: verify_peer => peer's certificate must be valid verify_host => hostnames must match capath => path to directory containing CA certs cacert => ca certificate cert => client certificate key => client private key Resolves: https://pagure.io/SSSD/sssd/issue/3192 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Some users may want to use TLS with unverified peer (for example if
they use self-signed certificate) or if unverified hostname (if
certificate hostname does not match with the real hostname). On the
other side it may be useful to point to a directory containing custom
certificate authorities.

This patch add three new options to secrets responder:
verify_peer => peer's certificate must be valid
verify_host => hostnames must match
capath => path to directory containing CA certs
cacert => ca certificate
cert => client certificate
key => client private key

Resolves:
https://pagure.io/SSSD/sssd/issue/3192

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
PAM: Add application services 2017-03-30T12:09:52+00:00 Jakub Hrozek jhrozek@redhat.com 2017-03-26T16:28:41+00:00 3e789aa0bd6b7bb6e62f91458b76753498030fb5 Related to: https://pagure.io/SSSD/sssd/issue/3310 Adds a new PAM responder option 'pam_app_services'. This option can hold a list of PAM services that are allowed to contact the application non-POSIX domains. These services are NOT allowed to contact any of the POSIX domains. Reviewed-by: Sumit Bose <sbose@redhat.com> 
Related to:
https://pagure.io/SSSD/sssd/issue/3310

Adds a new PAM responder option 'pam_app_services'. This option can hold
a list of PAM services that are allowed to contact the application
non-POSIX domains. These services are NOT allowed to contact any of the
POSIX domains.

Reviewed-by: Sumit Bose <sbose@redhat.com>
CONFDB: Introduce SSSD domain type to distinguish POSIX and application domains 2017-03-30T12:09:02+00:00 Jakub Hrozek jhrozek@redhat.com 2017-03-22T11:53:17+00:00 6324eaf1fb321c41ca9883966118df6d45259b7e Related to: https://pagure.io/SSSD/sssd/issue/3310 Adds a new option that allows to distinguish domains that do contain POSIX users and groups and those that don't. The POSIX domains are the default. The non-POSIX domains are selected by selecting an "application" type domain. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Related to:
https://pagure.io/SSSD/sssd/issue/3310

Adds a new option that allows to distinguish domains that do contain
POSIX users and groups and those that don't. The POSIX domains are the
default. The non-POSIX domains are selected by selecting an
"application" type domain.

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add domain_resolution_order config option 2017-03-29T12:00:17+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-03-26T01:00:14+00:00 16385568547351b5d2c562f3081f35f3341f695b This is the local equivalent of option of ipaDomainResolutionOrder and has precedence over the ones set on IPA side making the precedence order to be like: Local > View > Globally. As done for the IPA side configurations, the domains which were not explicitly set up will be apennded to the final of the domain_resolution_order list in the very same order they're presented in the "domains" option of [sssd] section in the config file. There's no guarantee of order for the subdomains though. It's also important to mention that no expansion magic is performed on our side. It means that if 'example.com' is set it does *not* stand for all its subdomains DNS wise (like 'foo.example.com', 'bar.example.com', etc). Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
This is the local equivalent of option of ipaDomainResolutionOrder and
has precedence over the ones set on IPA side making the precedence order
to be like: Local > View > Globally.

As done for the IPA side configurations, the domains which were not
explicitly set up will be apennded to the final of the
domain_resolution_order list in the very same order they're presented in
the "domains" option of [sssd] section in the config file. There's no
guarantee of order for the subdomains though.

It's also important to mention that no expansion magic is performed on
our side. It means that if 'example.com' is set it does *not* stand for
all its subdomains DNS wise (like 'foo.example.com', 'bar.example.com',
etc).

Related:
https://pagure.io/SSSD/sssd/issue/3001

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
SSSDConfig: Python 3.6 invalid escape sequence deprecation fix 2017-03-27T21:30:54+00:00 Ville Skyttä ville.skytta@iki.fi 2017-03-22T20:32:21+00:00 00172861b6908a72c41046e1b2b48d2b009127dd https://docs.python.org/3/whatsnew/3.6.html#deprecated-python-behavior Merges: https://pagure.io/SSSD/sssd/pull-request/3346 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
https://docs.python.org/3/whatsnew/3.6.html#deprecated-python-behavior

Merges: https://pagure.io/SSSD/sssd/pull-request/3346

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
CACHE_REQ: Check the caches first 2017-03-14T11:35:01+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-02-22T07:07:45+00:00 8bb6680637ead03e24a38d15ec5265d11a920a1d This patch introduces a new configurable option to define whether the responder should query all domains' caches before querying the Data Providers. This new option is called cache_first and, by default, it's disabled, meaning that, for each provider, the responder may contact the cache and the data provider in the same iteration. Co-Author: Pavel Březina <pbrezina@redhat.com> Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
This patch introduces a new configurable option to define whether the
responder should query all domains' caches before querying the Data
Providers.

This new option is called cache_first and, by default, it's disabled,
meaning that, for each provider, the responder may contact the cache and
the data provider in the same iteration.

Co-Author: Pavel Březina <pbrezina@redhat.com>

Related:
https://pagure.io/SSSD/sssd/issue/3001

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
MONITOR: Enable an implicit files domain if one is not configured 2017-02-27T18:14:15+00:00 Jakub Hrozek jhrozek@redhat.com 2017-02-21T15:34:45+00:00 78bb3676fe8326e0fe2b60daad8bf524e4625d4e If SSSD is compiled with --enable-files-domain, the loading of the domains changes such that: * if no domain with id_provider=files exists in the config file, an implicit SSSD files domain is added * this domain is always first in the list The administrator is free to create a files domain in the config file himself and either place it at the end of the list or not enable it at all. Resolves: https://pagure.io/SSSD/sssd/issue/3112 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
If SSSD is compiled with --enable-files-domain, the loading of the
domains changes such that:
    * if no domain with id_provider=files exists in the config file, an
      implicit SSSD files domain is added
    * this domain is always first in the list

The administrator is free to create a files domain in the config file
himself and either place it at the end of the list or not enable it at
all.

Resolves:
https://pagure.io/SSSD/sssd/issue/3112

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
RESPONDER: Shutdown {dbus,socket}-activated responders in case they're idle 2017-01-23T17:46:37+00:00 Fabiano Fidêncio fidencio@redhat.com 2016-11-22T14:02:33+00:00 151a6de4793e0045a7085d4d72b975947662e566 This commit introduces a new option for the responders called responder_idle_timeout, which specifies the number of seconds that the responder process can be up without being used. The default value is 300 seconds (5 minutes) and can be configured per responder, being 60 seconds the minimum acceptable value. Is important to note that setting "responder_idle_timeout = 0" disables the responder timeout, which makes sense for the responders that always will be running. The shutdown timeout is activated per responder in case the responder has been {dbus,socket}-activated. In case of any commnunication with the responder the timeout is reset thereby ensuring we won't shutdown a responder that is not idle. Setting the responder's last request time is done slightly differently for socket-activated and dbus-activated responders. In both cases it's updated in any internal communication in sbus_message_handler(), but for the socket-activated responders it's also updated when the responder's socket is used. Currently it works properly with all responders but the secrets one, which has a different logic and must be treated separately in case some change is required there. Is worth to mention that this commit does not affect the responders explicitly configured in the "services" line of sssd.conf. Related: https://fedorahosted.org/sssd/ticket/3245 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
This commit introduces a new option for the responders called
responder_idle_timeout, which specifies the number of seconds that the
responder process can be up without being used. The default value is
300 seconds (5 minutes) and can be configured per responder, being 60
seconds the minimum acceptable value.

Is important to note that setting "responder_idle_timeout = 0" disables
the responder timeout, which makes sense for the responders that always
will be running.

The shutdown timeout is activated per responder in case the responder
has been {dbus,socket}-activated. In case of any commnunication with the
responder the timeout is reset thereby ensuring we won't shutdown a
responder that is not idle.

Setting the responder's last request time is done slightly differently
for socket-activated and dbus-activated responders. In both cases it's
updated in any internal communication in sbus_message_handler(), but
for the socket-activated responders it's also updated when the
responder's socket is used.

Currently it works properly with all responders but the secrets one,
which has a different logic and must be treated separately in case some
change is required there.

Is worth to mention that this commit does not affect the responders
explicitly configured in the "services" line of sssd.conf.

Related:
https://fedorahosted.org/sssd/ticket/3245

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SECRETS: Add configurable payload size limit of a secret 2016-11-24T08:55:45+00:00 Fabiano Fidêncio fidencio@redhat.com 2016-11-08T15:46:21+00:00 7171a7584dda534dde5409f3e7f4657e845ece15 Resolves: https://fedorahosted.org/sssd/ticket/3169 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Resolves:
https://fedorahosted.org/sssd/ticket/3169

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
PAM: add pam_response_filter option 2016-11-02T10:30:20+00:00 Sumit Bose sbose@redhat.com 2016-10-20T16:40:01+00:00 ce43f710c9638fbbeae077559cd7514370a10c0c Currently the main use-case for this new option is to not set the KRB5CCNAME environment varible for services like 'sudo-i'. Resolves https://fedorahosted.org/sssd/ticket/2296 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Currently the main use-case for this new option is to not set the
KRB5CCNAME environment varible for services like 'sudo-i'.

Resolves https://fedorahosted.org/sssd/ticket/2296

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>