sssd.git/src/responder/nss, branch certificate_mapping Unnamed repository; edit this file to name it for gitweb. NSS: Make NSS responder socket-activatable 2017-01-23T17:46:37+00:00 Fabiano Fidêncio fidencio@redhat.com 2016-11-16T23:24:25+00:00 40e9ad2bf250cc3bfcdec7fb96031e2771160f69 As part of the effort of making all responders socket-activatable, let's make the NSS responder ready for this by providing its systemd's units. In case the administrators want to use NSS responder taking advantage of socket-activation they will need to enable sssd-nss.socket and after a restart of the sssd service, the NSS socket will be ready waiting for any activity in order to start the NSS responder. Also, the NSS responder must be removed from the services line on sssd.conf. The NSS responder service is binded to the SSSD service, which means that the responder will be restarted in case SSSD is restarted and shutdown in case SSSD is shutdown/crashes. Is quite important to mention that NSS responder will always run as root. The reason behind this is that systemd calls getpwnam() and getgprnam() when "User="/"Group=" is set to something different than "root". As it's done _before_ starting NSS responder, the clients would end up hanging for a few minutes (due to "default_client_timeout"), which is something that we really want to avoid. Related: https://fedorahosted.org/sssd/ticket/2243 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
As part of the effort of making all responders socket-activatable, let's
make the NSS responder ready for this by providing its systemd's units.

In case the administrators want to use NSS responder taking advantage
of socket-activation they will need to enable sssd-nss.socket and after
a restart of the sssd service, the NSS socket will be ready waiting for
any activity in order to start the NSS responder. Also, the NSS
responder must be removed from the services line on sssd.conf.

The NSS responder service is binded to the SSSD service, which means
that the responder will be restarted in case SSSD is restarted and
shutdown in case SSSD is shutdown/crashes.

Is quite important to mention that NSS responder will always run as
root. The reason behind this is that systemd calls getpwnam() and
getgprnam() when "User="/"Group=" is set to something different than
"root". As it's done _before_ starting NSS responder, the clients would
end up hanging for a few minutes (due to "default_client_timeout"),
which is something that we really want to avoid.

Related:
https://fedorahosted.org/sssd/ticket/2243

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
nss: remove the old code 2016-12-19T22:28:55+00:00 Pavel Březina pbrezina@redhat.com 2016-11-16T14:13:01+00:00 075d89886666d3b608355d8f235b411051a9d22e Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Resolves:
https://fedorahosted.org/sssd/ticket/3151

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
nss: rewrite nss responder so it uses cache_req 2016-12-19T22:28:55+00:00 Pavel Březina pbrezina@redhat.com 2016-10-05T12:05:45+00:00 4049b63f8c67ada17b453463b0451ca6be3d5de4 Given the size of the current nss responder it was quite impossible to simply switch into using the cache_req interface, especially because most of the code was duplication of cache lookups. This patch completely rewrites the responder from scratch. The amount of code was reduced to less than a half lines of code with no code duplication, better documentation and better maintainability and readability. All functionality should be intact. *Code organization* All protocol (parsing input message and send a reply) is placed in nss_protocol.c. Functions that deals with creating a reply packet are placed into their specific nss_protocol_$object.c files. All supported commands are placed into nss_cmd.c. Functions that deals with cache req are in nss_get_object.c and nss_enum.c. *Code flow for non-enumeration* An nss_getby_$input-type is called for each non-enumeration command. This function parses the input message, creates a cache_req_data structure and issues nss_get_object that calls cache_req. When this request is done nss_getby_done make sure a reply is sent to the client. *Comments on enumeration* I made some effort to make sure enumeration shares the same code for users, groups, services and netgroups. Netgroups now uses nss negative cache instead of implementing its own. Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Given the size of the current nss responder it was quite impossible
to simply switch into using the cache_req interface, especially
because most of the code was duplication of cache lookups.

This patch completely rewrites the responder from scratch. The amount
of code was reduced to less than a half lines of code with no code duplication,
better documentation and better maintainability and readability.

All functionality should be intact.

*Code organization*
All protocol (parsing input message and send a reply) is placed
in nss_protocol.c. Functions that deals with creating a reply
packet are placed into their specific nss_protocol_$object.c files.

All supported commands are placed into nss_cmd.c. Functions that
deals with cache req are in nss_get_object.c and nss_enum.c.

*Code flow for non-enumeration*
An nss_getby_$input-type is called for each non-enumeration command.
This function parses the input message, creates a cache_req_data
structure and issues nss_get_object that calls cache_req. When
this request is done nss_getby_done make sure a reply is sent to
the client.

*Comments on enumeration*
I made some effort to make sure enumeration shares the same code
for users, groups, services and netgroups. Netgroups now uses
nss negative cache instead of implementing its own.

Resolves:
https://fedorahosted.org/sssd/ticket/3151

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
responders: remove checks that are handled inside cache_req 2016-12-19T22:26:22+00:00 Pavel Březina pbrezina@redhat.com 2016-10-14T10:19:54+00:00 87d85db07bdd39081f558e2f7e891cc0065e3a0a Those checks were redundant, since they are already part of cache_req. Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Those checks were redundant, since they are already part of cache_req.

Resolves:
https://fedorahosted.org/sssd/ticket/3151

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
responders: unify usage of sss_cmd_send_empty and _error 2016-12-19T22:24:41+00:00 Pavel Březina pbrezina@redhat.com 2016-10-05T11:38:20+00:00 0713b92ec9f10b6dd913dc56cbc7845d1b025ccb Originally sss_cmd_send_empty() called also sss_cmd_done() to send an empty reply packet to the cliant where as sss_cmd_send_error() did not invoke this call and required the caller to call it manually. For this reason, a possible error in users_find_by_cert_done() was not send to the caller. This patch unifies the usage of those two functions in a way that both of them only creates the reply packet but do not send it. Another sss_cmd_done() call is required to send the reply. Because sss_cmd_done() is now always called, unit tests needed to be changed to always mock a value for __wrap_sss_cmd_done. Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Originally sss_cmd_send_empty() called also sss_cmd_done() to send
an empty reply packet to the cliant where as sss_cmd_send_error()
did not invoke this call and required the caller to call it manually.

For this reason, a possible error in users_find_by_cert_done() was not
send to the caller.

This patch unifies the usage of those two functions in a way that both
of them only creates the reply packet but do not send it. Another
sss_cmd_done() call is required to send the reply.

Because sss_cmd_done() is now always called, unit tests needed to be
changed to always mock a value for __wrap_sss_cmd_done.

Resolves:
https://fedorahosted.org/sssd/ticket/3151

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
cache_req: encapsulate output data into structure 2016-12-19T22:22:54+00:00 Pavel Březina pbrezina@redhat.com 2016-10-14T10:15:50+00:00 b206e1abb7f6ea373d12537b3338552aed6b656d In enumeration calls we want to get objects from all domains, not only from the first matched domain. We move the cache search result into a structure that contains combination of domain and ldb_result. This is preparation for enumeration support inside cache_req. Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
In enumeration calls we want to get objects from all domains, not
only from the first matched domain. We move the cache search result
into a structure that contains combination of domain and ldb_result.

This is preparation for enumeration support inside cache_req.

Resolves:
https://fedorahosted.org/sssd/ticket/3151

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
setent_notify: remove unused private context 2016-12-19T22:22:22+00:00 Pavel Březina pbrezina@redhat.com 2016-11-08T09:44:51+00:00 e4b147ed01c8476d36ce356ee53899870d84351d Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
nss: move nss_ctx->global_names to rctx 2016-12-19T22:22:05+00:00 Pavel Březina pbrezina@redhat.com 2016-11-15T12:22:09+00:00 a22b0af1993a489c9c0e66fdc1083f43b410d12c Global names context is used to parse AD well known SIDs and names into its opposite. This patch moves definition of this parameter from nss responder into common responder context so it can be used also by other responders. This change will be use to enable looking up well known SIDs and names directly in cache_req. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Global names context is used to parse AD well known SIDs and names
into its opposite. This patch moves definition of this parameter
from nss responder into common responder context so it can be
used also by other responders.

This change will be use to enable looking up well known SIDs and
names directly in cache_req.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
MONITOR: Remove unused shutDown sbus method 2016-11-09T12:32:32+00:00 Jakub Hrozek jhrozek@redhat.com 2016-11-07T11:39:08+00:00 fd25e68446ae86135489edb0823607b394f4ec40 The shutDown method has not been used or set for a long time. Trim the internal interface by removing all references to this internal method. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
The shutDown method has not been used or set for a long time. Trim the
internal interface by removing all references to this internal method.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
MONITOR: Remove deprecated pong sbus method 2016-11-09T12:32:27+00:00 Jakub Hrozek jhrozek@redhat.com 2016-11-07T11:37:22+00:00 ab792150c97bd6eba1f8cd46653f41a0c64fd765 The pong method is deprecated since we started using the watchdog. Since this is dead code, it makes sense to just remove it. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
The pong method is deprecated since we started using the watchdog. Since
this is dead code, it makes sense to just remove it.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>