sssd.git/src/confdb, branch certificate_mapping Unnamed repository; edit this file to name it for gitweb. Partially revert "CONFIG: Use default config when none provided" 2017-02-07T13:47:48+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-12-12T17:33:48+00:00 c029f707d4847b01ff64bf3bb1fd46c0b5927cdb This reverts part of commit 59744cff6edb106ae799b2321cb8731edadf409a. Removed is copying of default configuration into /etc/sssd/sssd.conf Sample configurations is still part of installation. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
This reverts part of commit 59744cff6edb106ae799b2321cb8731edadf409a.

Removed is copying of default configuration into /etc/sssd/sssd.conf
Sample configurations is still part of installation.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
RESPONDER: Shutdown {dbus,socket}-activated responders in case they're idle 2017-01-23T17:46:37+00:00 Fabiano Fidêncio fidencio@redhat.com 2016-11-22T14:02:33+00:00 151a6de4793e0045a7085d4d72b975947662e566 This commit introduces a new option for the responders called responder_idle_timeout, which specifies the number of seconds that the responder process can be up without being used. The default value is 300 seconds (5 minutes) and can be configured per responder, being 60 seconds the minimum acceptable value. Is important to note that setting "responder_idle_timeout = 0" disables the responder timeout, which makes sense for the responders that always will be running. The shutdown timeout is activated per responder in case the responder has been {dbus,socket}-activated. In case of any commnunication with the responder the timeout is reset thereby ensuring we won't shutdown a responder that is not idle. Setting the responder's last request time is done slightly differently for socket-activated and dbus-activated responders. In both cases it's updated in any internal communication in sbus_message_handler(), but for the socket-activated responders it's also updated when the responder's socket is used. Currently it works properly with all responders but the secrets one, which has a different logic and must be treated separately in case some change is required there. Is worth to mention that this commit does not affect the responders explicitly configured in the "services" line of sssd.conf. Related: https://fedorahosted.org/sssd/ticket/3245 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
This commit introduces a new option for the responders called
responder_idle_timeout, which specifies the number of seconds that the
responder process can be up without being used. The default value is
300 seconds (5 minutes) and can be configured per responder, being 60
seconds the minimum acceptable value.

Is important to note that setting "responder_idle_timeout = 0" disables
the responder timeout, which makes sense for the responders that always
will be running.

The shutdown timeout is activated per responder in case the responder
has been {dbus,socket}-activated. In case of any commnunication with the
responder the timeout is reset thereby ensuring we won't shutdown a
responder that is not idle.

Setting the responder's last request time is done slightly differently
for socket-activated and dbus-activated responders. In both cases it's
updated in any internal communication in sbus_message_handler(), but
for the socket-activated responders it's also updated when the
responder's socket is used.

Currently it works properly with all responders but the secrets one,
which has a different logic and must be treated separately in case some
change is required there.

Is worth to mention that this commit does not affect the responders
explicitly configured in the "services" line of sssd.conf.

Related:
https://fedorahosted.org/sssd/ticket/3245

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
common: Fix domain case sensitivity init 2016-12-15T09:43:20+00:00 Michal Židek mzidek@redhat.com 2016-12-01T14:56:39+00:00 867bb85ecc8117aa8bdde9add0df8857cf87236e The domain case sensitivity was wrongly set in the domain context after initialization if the provider was AD. Resolves: https://fedorahosted.org/sssd/ticket/3235 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
The domain case sensitivity was wrongly set in the domain
context after initialization if the provider was AD.

Resolves:
https://fedorahosted.org/sssd/ticket/3235

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
CONFDB: Supress clang false passitive warnings 2016-11-29T08:46:20+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-11-26T16:07:07+00:00 13b1d270fb72cf2c2e18f0b2a59cb424c51f7675 The errno is macro expandee into '(*__errno_location ())'. The reason is that errno is private in glibc and and the function __errno_location return address of private errno. sh$ objdump -T /lib64/libc.so.6 | grep errno 00000010 g D .tbss 00000004 GLIBC_PRIVATE errno 000208a0 g DF .text 00000011 GLIBC_2.2.5 __errno_location 001366b0 g DF .text 0000005f GLIBC_2.2.5 clnt_sperrno 00136710 g DF .text 00000074 GLIBC_2.2.5 clnt_perrno 00000064 g D .tbss 00000004 GLIBC_PRIVATE __h_errno 0011aad0 g DF .text 00000011 GLIBC_2.2.5 __h_errno_location It looks like clang static analyzer assume that value can be changed due to function call. errno = 0; val = strtol(values[0], NULL, 0); // Taking true branch => assuming "errno != 0" if (errno) { ret = errno; // errno was stored to ret but clang later assumes // that ret can be 0 goto failed; Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
The errno is macro expandee into '(*__errno_location ())'.
The reason is that errno is private in glibc and and the
function __errno_location return address of private errno.

  sh$ objdump -T /lib64/libc.so.6 | grep errno
  00000010 g    D  .tbss  00000004  GLIBC_PRIVATE errno
  000208a0 g    DF .text  00000011  GLIBC_2.2.5 __errno_location
  001366b0 g    DF .text  0000005f  GLIBC_2.2.5 clnt_sperrno
  00136710 g    DF .text  00000074  GLIBC_2.2.5 clnt_perrno
  00000064 g    D  .tbss  00000004  GLIBC_PRIVATE __h_errno
  0011aad0 g    DF .text  00000011  GLIBC_2.2.5 __h_errno_location

It looks like clang static analyzer assume that value can be
changed due to function call.

  errno = 0;
  val = strtol(values[0], NULL, 0);
  // Taking true branch => assuming "errno != 0"
  if (errno) {
      ret = errno;
      // errno was stored to ret but clang later assumes
      // that ret can be 0
      goto failed;

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
SECRETS: Add configurable payload size limit of a secret 2016-11-24T08:55:45+00:00 Fabiano Fidêncio fidencio@redhat.com 2016-11-08T15:46:21+00:00 7171a7584dda534dde5409f3e7f4657e845ece15 Resolves: https://fedorahosted.org/sssd/ticket/3169 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Resolves:
https://fedorahosted.org/sssd/ticket/3169

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
PAM: add pam_response_filter option 2016-11-02T10:30:20+00:00 Sumit Bose sbose@redhat.com 2016-10-20T16:40:01+00:00 ce43f710c9638fbbeae077559cd7514370a10c0c Currently the main use-case for this new option is to not set the KRB5CCNAME environment varible for services like 'sudo-i'. Resolves https://fedorahosted.org/sssd/ticket/2296 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Currently the main use-case for this new option is to not set the
KRB5CCNAME environment varible for services like 'sudo-i'.

Resolves https://fedorahosted.org/sssd/ticket/2296

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SECRETS: Add a configurable limit of secrets that can be stored 2016-10-05T09:57:20+00:00 Fabiano Fidêncio fidencio@redhat.com 2016-09-30T14:48:47+00:00 65a38b8c9cabde6c46cc0e9868f54cb9bb10afbf Related: https://fedorahosted.org/sssd/ticket/3169 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Related:
https://fedorahosted.org/sssd/ticket/3169

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SECRETS: Add a configurable depth limit for nested containers 2016-10-03T13:32:33+00:00 Fabiano Fidêncio fidencio@redhat.com 2016-09-23T13:23:23+00:00 efc65e78fa4e01e6cecc8690a9899af61213be62 Resolves: https://fedorahosted.org/sssd/ticket/3168 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Resolves:
https://fedorahosted.org/sssd/ticket/3168

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
PROXY: Adding proxy_max_children option 2016-09-13T14:22:26+00:00 Petr Cech pcech@redhat.com 2016-08-24T12:41:09+00:00 aef0171e0bdc9a683958d69c7ee984fb10cd5de7 The new option 'proxy_max_children' is applicable in domain section. Default value is 10. Resolves: https://fedorahosted.org/sssd/ticket/3153 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
The new option 'proxy_max_children' is applicable
in domain section. Default value is 10.

Resolves:
https://fedorahosted.org/sssd/ticket/3153

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
MONITOR: Add disable_netlink option 2016-09-12T08:23:41+00:00 Justin Stephenson jstephen@redhat.com 2016-08-26T21:43:25+00:00 081c6d8c7c8e75487d1c4e42862964be1e85b575 Adding a new monitor boolean option to disable netlink support. This will give users more control over sssd state changes without having to modify systemd unit files. Resolves: https://fedorahosted.org/sssd/ticket/3142 Reviewed-by: Petr Cech <pcech@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Adding a new monitor boolean option to disable netlink support.
This will give users more control over sssd state changes without
having to modify systemd unit files.

Resolves:
https://fedorahosted.org/sssd/ticket/3142

Reviewed-by: Petr Cech <pcech@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>