| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
It was mainly aimed for time when stable CentOS and
rhel nightly had different versions of krb5.
Anyway, rhel7.0 and rhel <= 6.6 are already out of support
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
We require newer libcurl version than is available on rhel6. We don't
ship secrets responder in rhel6 so we just disable its build.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
Adds a new KCM responder ccache back end that forwards all requests to
sssd-secrets.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In order for the KCM server to work with ccaches stored in different
locations, implement a middle-man between the KCM server and the ccache
storage.
This module has asynchronous API because we can't assume anything about
where the ccaches are stored.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds the initial build of the Kerberos Cache Manager responder (KCM).
This is a deamon that is capable of holding and storing Kerberos
ccaches. When KCM is used, the kerberos libraries (invoked through e.g.
kinit) are referred to as a 'client' and the KCM deamon is referred to
as 'server'.
At the moment, only the Heimdal implementation of Kerberos implements the
KCM server:
https://www.h5l.org/manual/HEAD/info/heimdal/Credential-cache-server-_002d-KCM.html
This patch adds a KCM server to SSSD.
In MIT, only the 'client-side' support was added:
http://k5wiki.kerberos.org/wiki/Projects/KCM_client
This page also describes the protocol between the client and the server.
The client is capable of talking to the server over either UNIX sockets
(Linux, most Unixes) or Mach RPC (macOS). Our server only implements the
UNIX sockets way and should be socket-activated by systemd, although can
in theory be also ran explicitly.
The KCM server only builds if the configuration option "--with-kcm" is
enabled. It is packaged in a new subpackage sssd-kcm in order to allow
distributions to enable the KCM credential caches by installing this
subpackage only, without the rest of the SSSD. The sssd-kcm subpackage
also includes a krb5.conf.d snippet that allows the admin to just uncomment
the KCM defaults and instructs them to start the socket.
The server can be configured in sssd.conf in the "[kcm]" section.
By default, the server only listens on the same socket path the Heimdal
server uses, which is "/var/run/.heim_org.h5l.kcm-socket". This is,
however, configurable.
The file src/responder/kcm/kcm.h is more or less directly imported from
the MIT Kerberos tree, with an additional sentinel code and some
comments. Not all KCM operations are implemented, only those that also
the MIT client implements. That said, this KCM server should also be
usable with a Heimdal client, although no special testing was with this
hybrid.
The patch also adds several error codes that will be used in later
patches.
Related to:
https://pagure.io/SSSD/sssd/issue/2887
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this library it would be possible to map certificates and users not
only by adding the full certificate to the user's LDAP object but by
adding e.g. only parts like the issuer and subject name. Additionally
the library is also able to flexible select/match certificates based on
values in the certificate.
Details about mapping and matching rules can be found in the included
man page.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
In order to test the curl integration code, this patch adds a
command-line tool and tests that it's possible to drive a conversation
with the secrets responder using the tool.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let's ensure that in case a responder is explicitly configured in the
sssd.conf its socket won't even start.
The patchset introduces a new binary that will be distributed and will
be called before starting the responders' sockets, ensuring the sockets
will only start in case the responder is supposed to be socket-activated
and its been configured accordingly. Otherwise the responders' socket
startup will fail with a quite helpful debug message leading the admins
to choose between using systemd or not and what has to be done to achieve
their desire.
This suggestion came from Sumit Bose.
The reason for adding a new binary instead of a simple python script is
to avoid dragging unnecessary dependencies to sssd-common package.
Resolves:
https://pagure.io/SSSD/sssd/issue/3300
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
| |
The new provider needs a man page.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a new provider type "files". The provider watches the UNIX password
and group databases for changes using inotify and propagates its
contents to the sysdb.
The files provider is only built on platforms that support the inotify
interface, polling or loading the entries on-deman is not supported.
During initialization, the files are loaded from the environment
variables SSS_FILES_PASSWD and SSS_FILES_GROUP, defaulting to
/etc/passwd and /etc/group respectively. Loading the files from
environment variables is mostly implemented for tests that need to load
nss_wrapped files.
The files provider is a bit different from other provider types in the
sense that it always enumerates full contents of the database.
Therefore, the requests from Data Provider are always just replied to
with success. Enumerating the contents is done in full at the moment,
all users and all groups are removed and added anew. Modifying the
passwd and group databses should be rare enough for this to be
justified and we can optimize the code later.
Since with large databases, the cache update might take a bit of time,
we signal the responders to disable the files domain once we receive the
inotify notification and re-enable the files domain after the update is
finished. The idea is that the NSS configuration would still contain
"files" after "sss" so that if the domain is disabled, libc would fall
back to a direct "files" lookup.
Resolves:
https://fedorahosted.org/sssd/ticket/3262
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As part of the effort of making all responders socket-activatable (or,
in the IFP case, dbus-activatable), let's make the IFP responder ready
for this by providing its systemd's units.
Related:
https://fedorahosted.org/sssd/ticket/2243
Resolves:
https://fedorahosted.org/sssd/ticket/3129
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As part of the effort of making all responder socket-activatable, let's
make Sudo responder ready for this by providing its systemd's units.
In case the administrators want to use Sudo responder taking advantage
of socket-activation they will need to enable sssd-sudo.socket and
after a restart of the sssd service, the Sudo socket will be ready
waiting for any activity in order to start the Sudo responder. Also,
the Sudo responder must be removed from the services line on sssd.conf.
The Sudo responder service is binded to the SSSD service, which means
that the responder will be restarted in case SSSD is restarted and
shutdown in case SSSD is shutdown/crashes.
Related:
https://fedorahosted.org/sssd/ticket/2243
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As part of the effort of making all responder socket-activatable, let's
make SSH responder ready for this by providing its systemd's units.
In case the administrators want to use SSH responder taking advantage
of socket-activation they will need to enable sssd-ssh.socket and after
a restart of the sssd service, the SSH socket will be ready waiting for
any activity in order to start the SSH responder. Also, the SSH
responder must be removed from the services line on sssd.conf.
The SSH responder service is binded to the SSSD service, which means
that the responder will be restarted in case SSSD is restarted and
shutdown in case SSSD is shutdown/crashes.
Related:
https://fedorahosted.org/sssd/ticket/2243
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As part of the effort of making all responder socket-activatable, let's
make PAM responder ready for this by providing its systemd's units.
In case the administrators want to use PAM responder taking advantage
of socket-activation they will need to enable sssd-pam.socket and after
a restart of the sssd service, the PAM socket will be ready waiting for
any activity in order to start the PAM responder. Also, the PAM
responder must be removed from the services line on sssd.conf.
The PAM responder service is binded to the SSSD service, which means
that the responder will be restarted in case SSSD is restarted and
shutdown in case SSSD is shutdown/crashes.
PAM responder, differently from the others, is a special case as it has
two sockets and its private sockets must be owned by root and must have
a specifc permission (0600). It's not new, though, and it's following
what has been already done in the project..
Related:
https://fedorahosted.org/sssd/ticket/2243
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As part of the effort of making all responder socket-activatable, let's
make PAC responder ready for this by providing its systemd's units.
In case the administrators want to use PAC responder taking advantage
of socket-activation they will need to enable sssd-pac.socket and after
a restart of the sssd service, the PAC socket will be ready waiting for
any activity in order to start the PAC responder. Also, the PAC
responder must be removed from the services line on sssd.conf.
The PAC responder service is binded to the SSSD service, which means
that the responder will be restarted in case SSSD is restarted and
shutdown in case SSSD is shutdown/crashes.
Related:
https://fedorahosted.org/sssd/ticket/2243
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As part of the effort of making all responders socket-activatable, let's
make the NSS responder ready for this by providing its systemd's units.
In case the administrators want to use NSS responder taking advantage
of socket-activation they will need to enable sssd-nss.socket and after
a restart of the sssd service, the NSS socket will be ready waiting for
any activity in order to start the NSS responder. Also, the NSS
responder must be removed from the services line on sssd.conf.
The NSS responder service is binded to the SSSD service, which means
that the responder will be restarted in case SSSD is restarted and
shutdown in case SSSD is shutdown/crashes.
Is quite important to mention that NSS responder will always run as
root. The reason behind this is that systemd calls getpwnam() and
getgprnam() when "User="/"Group=" is set to something different than
"root". As it's done _before_ starting NSS responder, the clients would
end up hanging for a few minutes (due to "default_client_timeout"),
which is something that we really want to avoid.
Related:
https://fedorahosted.org/sssd/ticket/2243
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As part of the effort of making all responders socket-activatable, let's
make the AutoFS responder ready for this by providing its systemd's
units.
In case the administrators want to use AutoFS responder taking advantage
of socket-activation they will need to enable sssd-autofs.socket and
after a restart of the sssd service, the AutoFS socket will be ready
waiting for any activity in order to start the AutoFS responder. Also,
the AutoFS responder must be removed from the services line on
sssd.conf.
The AutoFS responder service is binded to the SSSD service, which means
that the responder will be restarted in case SSSD is restarted and
shutdown in case SSSD is shutdown/crashes.
Related:
https://fedorahosted.org/sssd/ticket/2243
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
If the script measured an 'id' run from the cache, there would be no
transactions and dereferencing the aggrefate would throw an error.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
libsss_config has been used only by OpenLMI and the project has been
deprecated making, then, no sense to keep the support on SSSD.
Distros that, for some reason, are still packing and distributing
OpenLMI can stick to SSSD 1.14 branch.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Dlopen test was added to blacklist due to following reason:
> Disable running dlopen-tests under Valgrind as their use of dlclose
> makes Valgrind drop symbols and produce meaningless backtraces, which
> cannot be matched with specific suppressions.
It's true that dlclose makes meaningless backtraces but backtraces should
not be generated otherwise there is a bug in some library which need to be
fixed and not suppressed.
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
| |
|
|
|
|
|
|
| |
In order for sssctl to work on platforms that do not use systemd,
we need to require /sbin/service them for sssd-tools so that the binary
can be invoked.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3053
Documents the API and the purpose of the sssd-secrets responder.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
Fedora and epel contains macro %python_provide
for simpler renaming of python packages. It will generate correct
provides and obsoletes.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Implements a simple HTTP client and uses it to talk to the sssd-secrets
responder. Only the local provider is tested at the moment.
Resolves:
https://fedorahosted.org/sssd/ticket/3054
Reviewed-by: Petr Čech <pcech@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Root can read anything from any directory even with permissions 000.
However SELinux checks discretionary access control (DAC)
and deny access if access is not allowed for root by DAC.
The pam_sss use different unix socket /var/lib/sss/pipes/private/pam
for user with uid 0. Therefore root need to be able read content
of directory with private pipes.
type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied
{ dac_read_search } for pid=20257 comm=vsftpd capability=dac_read_search
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied
{ dac_override } for pid=20257 comm=vsftpd capability=dac_override
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
Resolves:
https://fedorahosted.org/sssd/ticket/3143
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds two new files: sssd-secrets.socket and sssd-secrets.service. These
can be used to socket-acticate the secrets responder even without
explicitly starting it in the sssd config file.
The specfile activates the socket after installation which means that
the admin would just be able to use the secrets socket and the
sssd_secrets responder would be started automatically by systemd.
The sssd-secrets responder is started as root, mostly because I didn't
think of an easy way to pass the uid/gid to the responders without
asking about the sssd user identity in the first place. But nonetheless,
the sssd-secrets responder wasn't tested as non-root and at least the
initialization should be performed as root for the time being.
Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a bug on debian_testing in bash.
sh$ valgrind /bin/bash
==25145== Memcheck, a memory error detector
==25145== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==25145== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==25145== Command: /bin/bash
==25145==
==25145== Invalid read of size 1
==25145== at 0x4B90B1: ??? (in /bin/bash)
==25145== by 0x43FE9B: initialize_shell_variables (in /bin/bash)
==25145== by 0x41E4C0: ??? (in /bin/bash)
==25145== by 0x41F722: main (in /bin/bash)
==25145== Address 0x58307f8 is 8 bytes before a block of size 31 alloc'd
==25145== at 0x4C2BBCF: malloc (vg_replace_malloc.c:299)
==25145== by 0x475D1A: xmalloc (in /bin/bash)
==25145== by 0x4B7F4A: tilde_expand (in /bin/bash)
==25145== by 0x42E63D: bash_tilde_expand (in /bin/bash)
==25145== by 0x43FE79: initialize_shell_variables (in /bin/bash)
==25145== by 0x41E4C0: ??? (in /bin/bash)
==25145== by 0x41F722: main (in /bin/bash)
==25145==
malloc: .././variables.c:570: assertion botched
free: called with unallocated block argument
last command: (null)
Aborting...==25145==
And /bin/bash was used as a default SHELL in scripts generated by
configure+libtool. It starting to fail with the latest valgrind
valgrind-3.12.0~svn20160714-1
Workaround is to use /bin/sh which is a symlink to /bin/dash
Reviewed-by: Petr Cech <pcech@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3024
Reviewed-by: Noam Meltzer <tsnoam@gmail.com>
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3055
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Also adds support for the basic LOCAL provider that stores data
on the local machine.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Start implementing the Secrets Service Reponder core.
This commit implements stratup and basic conenction handling and HTTP
parsing (using the http-parser library).
Signed-off-by: Simo Sorce <simo@redhat.com>
Related:
https://fedorahosted.org/sssd/ticket/2913
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
This is an example of what sssd developers could use to silence the
SIGRTs from the newly created watchdog.
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2028
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2247
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
| |
With this plugin winbind can use the same id-mapping as SSSD which makes
it possible to run both together in a consistent way.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are still issues[1,2,3] with ipa and ad provider
which cause failures when sssd is running as non-privileged user.
It's easy to change default root to non-root
mock --resultdir . --rebuild ./sssd-1.13.90-0.fc24.src.rpm --with=sssd_user
or with plain rpmbuild
rpmbuild -ba SPECS/sssd.spec --with sssd_user
[1] https://fedorahosted.org/sssd/ticket/2963
[2] https://fedorahosted.org/sssd/ticket/2965
[3] https://fedorahosted.org/sssd/ticket/3014
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
Exclude files from /tmp during coverage generation to avoid issues with
(presumably) files generated by dtrace that couldn't otherwise be opened
or parsed.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When all the dependencies are installed, run the script using systemtap:
You'll see an output such as:
# stap /usr/share/sssd/systemtap/nested_group_perf.stp
^CTime spent in group sssd_be searches: 600
Time spent in sdap_nested_group_send/recv: 65 ms (ratio: 10.83%)
Time spent in zero-level sysdb transactions: 6813 ms (ratio: 1135.50%)
Breakdown of sdap_nested_group req (total: 65 ms)
sdap_nested_group_process req: 64
sdap_nested_group_process_split req: 22
sdap_nested_group_check_cache: 21
sdap_nested_group_sysdb_search_users: 10
sdap_nested_group_sysdb_search_groups: 9
ldap request breakdown of total 60
sdap_nested_group_deref req: 24
sdap_deref_search_send req 24
processing deref results: 0
sdap_nested_group_lookup_user req: 18
sdap_nested_group_lookup_group req: 0
Time spent refreshing unknown members: 18
Breakdown of results processing (total 6813)
Time spent populating nested members: 10
Time spent searching ldb while populating nested members: 5
Time spent saving nested members: 110
Time spent writing to the ldb: 678 ms
Please note that since the script is supposed to be used in scenarios such as
tracing "id" performance, which typically involve multiple group requests.
Therefore, the variables are not zeroed out and you need to interrupt the
script manually with Ctrl+C.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Run this script using "stap" as root:
sudo stap /path/to/sssd/contrib/systemtap/id_perf.stp
It is not required to restart the script between successive id runs,
the variables are cleared when systemtap detects id had started or finished.
You should see output as this one:
Total run time of id was: 112 ms
Number of zero-level cache transactions: 9
Time spent in level-0 sysdb transactions: 84 ms
Time spent writing to LDB: 80 ms
Number of LDAP searches: 13
Time spent waiting for LDAP: 11 ms
LDAP searches breakdown:
Number of user requests: 1
Time spent in user requests: 15
Number of group requests: 6
Time spent in group requests: 71
Number of initgroups requests: 1
Time spent in initgroups requests: 20
Unaccounted time: 17 ms
sysdb transaction breakdown:
1 hits of transaction sysdb_transaction_commit+0x6b [libsss_util.so]
sdap_save_users+0x2d2 [libsss_ldap_common.so]
sdap_get_users_done+0x186 [libsss_ldap_common.so]
sdap_search_user_process+0x2d9 [libsss_ldap_common.so]
generic_ext_search_handler+0x22f [libsss_ldap_common.so]
sdap_get_and_parse_generic_done+0x6f [libsss_ldap_common.so]
sdap_get_generic_op_finished+0x806 [libsss_ldap_common.so]
sdap_process_message+0x3c4 [libsss_ldap_common.so]
sdap_process_result+0x33a [libsss_ldap_common.so]
sdap_ldap_next_result+0x2f [libsss_
avg:14 min: 14 max: 14 sum: 14
5 hits of transaction sysdb_transaction_commit+0x6b [libsss_util.so]
sdap_nested_done+0x2c8 [libsss_ldap_common.so]
sdap_nested_group_done+0x9b [libsss_ldap_common.so]
0x7f47a6320be4 [libtevent.so.0.9.26+0x4be4]
avg:9 min: 9 max: 11 sum: 49
1 hits of transaction sysdb_transaction_commit+0x6b [libsss_util.so]
sdap_nested_done+0x2c8 [libsss_ldap_common.so]
sdap_nested_group_done+0x9b [libsss_ldap_common.so]
sdap_nested_group_process_done+0x1dc [libsss_ldap_common.so]
sdap_nested_group_single_done+0x112 [libsss_ldap_common.so]
sdap_nested_group_recurse_done+0x95 [libsss_ldap_common.so]
0x7f47a6320be4 [libtevent.so.0.9.26+0x4be4]
avg:11 min: 11 max: 11 sum: 11
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch makes SSSD possibly useful "out of the box" by allowing
packagers to provide a default config file located in $LIBDIR/sssd/conf
that will be copied by the monitor to /etc/sssd if no file already
exists in that location. This will make it possible to have SSSD set up
to have distribution-specific default configuration, such as enabling
the proxy provider to cache /etc/passwd (such as in the provided
example in this patch).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
