freeipa.git/daemons/ipa-slapi-plugins/ipa-extdom-extop, branch fix_ber_scanf FreeIPA patches extdom: use sss_nss_*_timeout calls 2019-09-12T07:48:13+00:00 Tomas Halman thalman@redhat.com 2019-09-10T11:46:08+00:00 84b6c0f53b9ebdd4c01181898499bb6992aa9e8a Use nss calls with timeout in extdom plugin Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Use nss calls with timeout in extdom plugin

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
extdom: plugin doesn't use timeout in blocking call 2019-09-12T07:48:13+00:00 Tomas Halman thalman@redhat.com 2019-09-10T11:32:45+00:00 5f898c3c614f4165f0eb15c3aad2157689fbbcfe Expose nss timeout parameter. Use sss_nss_getorigbyname_timeout instead of sss_nss_getorigbyname Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Expose nss timeout parameter. Use sss_nss_getorigbyname_timeout
instead of sss_nss_getorigbyname

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
extdom: plugin doesn't allow @ in group name 2019-09-12T07:48:13+00:00 Tomas Halman thalman@redhat.com 2019-09-03T14:33:54+00:00 e5f04258b5b3fb6c04c28ddd38ae251c822e80bc Old implementation handles username and group names with one common call. Character @ is used in the call to detect UPN. Group name can legaly contain this character and therefore the common approach doesn't work in such case. Also the original call is less efficient because it tries to resolv username allways then it fallback to group resolution. Here we implement two new separate calls for resolving users and groups. Fixes: https://bugzilla.redhat.com/1746951 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Old implementation handles username and group names with
one common call. Character @ is used in the call to detect UPN.

Group name can legaly contain this character and therefore the
common approach doesn't work in such case.

Also the original call is less efficient because it tries to resolv
username allways then it fallback to group resolution.

Here we implement two new separate calls for resolving users and
groups.

Fixes: https://bugzilla.redhat.com/1746951
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-extdom-extop: test timed out getgrgid_r 2019-08-19T08:20:57+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-08-19T07:15:50+00:00 c78cb9404e4fad9a8f4f778cee59c1c2b9038a49 Simulate getgrgid_r() timeout when packing list of groups user is a member of in pack_ber_user(). Related: https://pagure.io/freeipa/issue/8044 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Simulate getgrgid_r() timeout when packing list of groups user is a
member of in pack_ber_user().

Related: https://pagure.io/freeipa/issue/8044
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT 2019-08-19T08:20:57+00:00 Sumit Bose sbose@redhat.com 2019-06-14T09:13:54+00:00 9fe984fed7a7091bd1366be95fdfa2f56f777bb8 A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to remove the searched object from the cache. As a consequence LDAP_NO_SUCH_OBJECT should only be returned if the object really does not exists otherwise the data of existing objects might be removed form the cache of the clients causing unexpected behaviour like authentication errors. Currently some code-paths use LDAP_NO_SUCH_OBJECT as default error code. With this patch LDAP_NO_SUCH_OBJECT is only returned if the related lookup functions return ENOENT. Timeout related error code will lead to LDAP_TIMELIMIT_EXCEEDED and LDAP_OPERATIONS_ERROR is used as default error code. Fixes: https://pagure.io/freeipa/issue/8044 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to
remove the searched object from the cache. As a consequence
LDAP_NO_SUCH_OBJECT should only be returned if the object really does
not exists otherwise the data of existing objects might be removed form
the cache of the clients causing unexpected behaviour like
authentication errors.

Currently some code-paths use LDAP_NO_SUCH_OBJECT as default error code.
With this patch LDAP_NO_SUCH_OBJECT is only returned if the related
lookup functions return ENOENT. Timeout related error code will lead to
LDAP_TIMELIMIT_EXCEEDED and LDAP_OPERATIONS_ERROR is used as default
error code.

Fixes: https://pagure.io/freeipa/issue/8044
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Coverity: fix issue in ipa_extdom_extop.c 2019-03-21T14:18:56+00:00 Florence Blanc-Renaud flo@redhat.com 2019-03-21T12:59:32+00:00 3ae38973c5961c17bd95b6831ab7a8469a4bfc5c Coverity found the following issue: Error: BAD_COMPARE (CWE-697): [#def1] freeipa-4.6.5/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c:121: null_misuse: Comparing pointer "threadnumber" against "NULL" using anything besides "==" or "!=" is likely to be incorrect. The comparison is using the pointer while it should use the pointed value. Fixes: https://pagure.io/freeipa/issue/7884 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Coverity found the following issue:
Error: BAD_COMPARE (CWE-697): [#def1]
freeipa-4.6.5/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c:121: null_misuse: Comparing pointer "threadnumber" against "NULL" using anything besides "==" or "!=" is likely to be incorrect.

The comparison is using the pointer while it should use the pointed value.

Fixes: https://pagure.io/freeipa/issue/7884
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-extdom-exop: add instance counter and limit 2019-03-14T13:42:35+00:00 Sumit Bose sbose@redhat.com 2019-03-08T15:07:56+00:00 33af8c75b334b847c59ee67f33f9777f58eba41f The user and group lookups done by the extdom plugin might need some time depending on the state of the service (typically SSSD) handling the requests. To avoid that all worker threads are busy waiting on a connect or a reply from SSSD and no other request can be handled this patch adds an instance counter and an instance limit for the extdom plugin. By default the limit will be around 80% of the number of worker threads. It can be tuned further with the plugin option ipaExtdomMaxInstances which must in set in ipaextdommaxinstances and should have an integer value larger than 0 and lesser than the number of worker threads. If the instance limit is reached the extdom plugin will return LDAP_BUSY for every new request until the number of instance is again below the limit. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
The user and group lookups done by the extdom plugin might need some
time depending on the state of the service (typically SSSD) handling the
requests.

To avoid that all worker threads are busy waiting on a connect or a
reply from SSSD and no other request can be handled this patch adds an
instance counter and an instance limit for the extdom plugin.

By default the limit will be around 80% of the number of worker threads.
It can be tuned further with the plugin option ipaExtdomMaxInstances
which must in set in ipaextdommaxinstances and should have an integer
value larger than 0 and lesser than the number of worker threads.

If the instance limit is reached the extdom plugin will return LDAP_BUSY
for every new request until the number of instance is again below the
limit.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-extdom-extop: Update licenses to GPLv3 or later with exceptions 2018-08-13T11:03:13+00:00 Alexander Bokovoy abokovoy@redhat.com 2018-08-10T11:27:21+00:00 1a0b0d2fd1b654fb1b614876c959661db4c3edf5 The code in question was supposed to have the same license as the rest of the plugin. Fix it by updating the comment header. Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com> 
The code in question was supposed to have the same license as the
rest of the plugin. Fix it by updating the comment header.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Silence GCC warning in ipa_extdom 2018-02-23T13:38:20+00:00 Christian Heimes cheimes@redhat.com 2018-02-23T09:15:16+00:00 642712f9c48b80693510543baedab6625aebcb06 NSS_STATUS_RETURN is an internal value but GCC doesn't know that. ipa_extdom_common.c:103:5: warning: enumeration value ‘NSS_STATUS_RETURN’ not handled in switch [-Wswitch] Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
NSS_STATUS_RETURN is an internal value but GCC doesn't know that.

ipa_extdom_common.c:103:5: warning: enumeration value ‘NSS_STATUS_RETURN’ not handled in switch [-Wswitch]

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-extdom-extop: refactor nsswitch operations 2017-11-30T09:38:03+00:00 Alexander Bokovoy abokovoy@redhat.com 2017-11-14T10:44:02+00:00 78ad1cfe4f8f2f9c51acbe8044a652e49ebaf1d7 Refactor nsswitch operations in ipa-extdom-extop plugin to allow use of timeout-enabled nsswitch calls provided by libsss_nss_idmap. Standard POSIX nsswitch API has no way to cancel requests which may cause ipa-extdom-extop requests to hang far too long and potentially exhaust LDAP server workers. In addition, glibc nsswitch API iterates through all nsswitch modules one by one and with multiple parallel requests a lock up may happen in an unrelated nsswitch module like nss_files.so.2. A solution to the latter issue is to directly load nss_sss.so.2 plugin and utilize it. This, however, does not solve a problem with lack of cancellable API. With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of nsswitch API that is directly integrated with SSSD client side machinery used by nss_sss.so.2. As result, this API can be used instead of loading nss_sss.so.2 directly. To support older SSSD version, both direct loading of nss_sss.so.2 and new timeout-enabled API are supported by this changeset. An API to abstract both is designed to be a mix between internal glibc nsswitch API and external nsswitch API that libsss_nss_idmap mimics. API does not expose per-call timeout. Instead, it allows to set a timeout per nsswitch operation context to reduce requirements on information a caller has to maintain. A choice which API to use is made at configure time. In order to test the API, a cmocka test is updated to explicitly load nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always depend on availablility of SSSD, predictable testing would not be possible without it otherwise. Also, cmocka test does not use nss_wrapper anymore because nss_wrapper overrides higher level glibc nsswitch API while we are loading an individual nsswitch module directly. As result, cmocka test overrides fopen() call used by nss_files.so.2 to load /etc/passwd and /etc/group. An overridden version changes paths to /etc/passwd and /etc/group to a local test_data/passwd and test_data/group. This way we can continue testing a backend API for ipa-extdom-extop with the same data as with nss_wrapper. Fixes https://pagure.io/freeipa/issue/5464 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
Refactor nsswitch operations in ipa-extdom-extop plugin to allow use
of timeout-enabled nsswitch calls provided by libsss_nss_idmap.

Standard POSIX nsswitch API has no way to cancel requests which may
cause ipa-extdom-extop requests to hang far too long and potentially
exhaust LDAP server workers. In addition, glibc nsswitch API iterates
through all nsswitch modules one by one and with multiple parallel
requests a lock up may happen in an unrelated nsswitch module like
nss_files.so.2.

A solution to the latter issue is to directly load nss_sss.so.2 plugin
and utilize it. This, however, does not solve a problem with lack of
cancellable API.

With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of
nsswitch API that is directly integrated with SSSD client side machinery
used by nss_sss.so.2. As result, this API can be used instead of loading
nss_sss.so.2 directly.

To support older SSSD version, both direct loading of nss_sss.so.2 and
new timeout-enabled API are supported by this changeset. An API to
abstract both is designed to be a mix between internal glibc nsswitch
API and external nsswitch API that libsss_nss_idmap mimics. API does not
expose per-call timeout. Instead, it allows to set a timeout per
nsswitch operation context to reduce requirements on information
a caller has to maintain.

A choice which API to use is made at configure time.

In order to test the API, a cmocka test is updated to explicitly load
nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always
depend on availablility of SSSD, predictable testing would not be
possible without it otherwise. Also, cmocka test does not use
nss_wrapper anymore because nss_wrapper overrides higher level glibc
nsswitch API while we are loading an individual nsswitch module
directly.

As result, cmocka test overrides fopen() call used by nss_files.so.2 to
load /etc/passwd and /etc/group. An overridden version changes paths to
/etc/passwd and /etc/group to a local test_data/passwd and
test_data/group. This way we can continue testing a backend API for
ipa-extdom-extop with the same data as with nss_wrapper.

Fixes https://pagure.io/freeipa/issue/5464

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>