Commit 8cd677ea authored by Rocky Automation's avatar Rocky Automation :tv:

import sssd-2.9.4-6.el10

Direct Git Import
82b5ef80be47c96d518de26cfb440000f1bc6b9e3441a8393a007d21af316b18 SOURCES/sssd-2.9.4.tar.gz
From b42cc3d2bf4ea1751cacb63e53536c8ad1782632 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 23 Jun 2023 16:33:09 +0200
Subject: [PATCH] ENUMERATION: conditional build of enumeration support for
providers other than LDAP
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
:relnote:Support of 'enumeration' feature (i.e. ability to list all
users/groups using 'getent passwd/group' without argument) for AD/IPA
providers is deprecated and might be removed in further releases.
Those who are interested to keep using it awhile should configure
its build explicitly using '--with-extended-enumeration-support'
./configure option.
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 9240bca7dcc28371ae5dce31c01e85d28409cd04)
---
configure.ac | 1 +
src/conf_macros.m4 | 17 +++++++++++++++++
src/confdb/confdb.c | 23 ++++++++++++++++++-----
src/db/sysdb_subdomains.c | 4 ++++
src/man/Makefile.am | 7 ++++++-
src/man/sssd-ldap.5.xml | 4 ++--
src/man/sssd.conf.5.xml | 14 +++++++++-----
7 files changed, 57 insertions(+), 13 deletions(-)
diff --git a/configure.ac b/configure.ac
index 470c04949..adb2c5447 100644
--- a/configure.ac
+++ b/configure.ac
@@ -185,6 +185,7 @@ WITH_SUDO
WITH_SUDO_LIB_PATH
WITH_AUTOFS
WITH_FILES_PROVIDER
+WITH_EXTENDED_ENUMERATION_SUPPORT
WITH_SUBID
WITH_SUBID_LIB_PATH
WITH_PASSKEY
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index cb97eeb78..5ef257908 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -651,6 +651,23 @@ AC_DEFUN([WITH_FILES_PROVIDER],
AM_CONDITIONAL([BUILD_FILES_PROVIDER], [test x"$with_files_provider" = xyes])
])
+AC_DEFUN([WITH_EXTENDED_ENUMERATION_SUPPORT],
+ [ AC_ARG_WITH([extended-enumeration-support],
+ [AC_HELP_STRING([--with-extended-enumeration-support],
+ [Whether to build enumeration support for
+ IPA and AD providers [no].]
+ )
+ ],
+ [with_extended_enumeration_support=$withval],
+ with_extended_enumeration_support=no
+ )
+
+ if test x"$with_extended_enumeration_support" = xyes; then
+ AC_DEFINE(BUILD_EXTENDED_ENUMERATION_SUPPORT, 1, [Whether to build extended enumeration support])
+ fi
+ AM_CONDITIONAL([BUILD_EXTENDED_ENUMERATION_SUPPORT], [test x"$with_extended_enumeration_support" = xyes])
+ ])
+
AC_DEFUN([WITH_SUBID],
[ AC_ARG_WITH([subid],
[AC_HELP_STRING([--with-subid],
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index a7344e166..1760ea6b5 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1068,6 +1068,9 @@ static errno_t confdb_init_domain_provider_and_enum(struct sss_domain_info *doma
errno_t ret;
const char *tmp, *tmp_pam_target, *tmp_auth;
+#ifndef BUILD_EXTENDED_ENUMERATION_SUPPORT
+ if (domain->provider != NULL && strcasecmp(domain->provider, "ldap") == 0) {
+#endif
/* TEMP: test if the old bitfield conf value is used and warn it has been
* superseded. */
val = ldb_msg_find_attr_as_int(res->msgs[0], CONFDB_DOMAIN_ENUMERATE, 0);
@@ -1086,6 +1089,11 @@ static errno_t confdb_init_domain_provider_and_enum(struct sss_domain_info *doma
goto done;
}
}
+#ifndef BUILD_EXTENDED_ENUMERATION_SUPPORT
+ } else {
+ domain->enumerate = false;
+ }
+#endif
if (is_files_provider(domain)) {
/* The password field must be reported as 'x', else pam_unix won't
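Review bot: The new `else` branch sets `domain->enumerate = false` for every non-LDAP provider without looking at whether the administrator configured `enumerate = true`, so a deliberately set option is dropped silently; the only trace left is the SSSDBG_TRACE_FUNC message in the hunk at @@ -1122, which is not visible at default debug levels. The hunk at @@ -1549 does the same for `subdomain_enumerate`, unconditionally substituting `"none"` for the configured list. I would look up CONFDB_DOMAIN_ENUMERATE before clearing the flag and log the override at a level an admin sees by default, as sketched below. The `}` that closes the `if` opened under `#ifndef` at @@ -1068 is four lines away in a different hunk; a comment such as `/* closes the non-LDAP provider guard opened under #ifndef above */` on that brace would help readers. Both hunks are inside confdb_init_domain_provider_and_enum, whose start and end lie outside the hunk.
```c
#ifndef BUILD_EXTENDED_ENUMERATION_SUPPORT
    } else {
        /* Enumeration is compiled out for non-LDAP providers; make the
         * override visible if the option was explicitly configured. */
        if (ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_DOMAIN_ENUMERATE,
                                        NULL) != NULL) {
            DEBUG(SSSDBG_IMPORTANT_INFO,
                  "'enumerate' is ignored for [%s]: built without extended "
                  "enumeration support\n", domain->name);
        }
        domain->enumerate = false;
    }
#endif
    /* … unchanged: is_files_provider() handling … */
```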
@@ -1122,11 +1130,7 @@ static errno_t confdb_init_domain_provider_and_enum(struct sss_domain_info *doma
}
if (!domain->enumerate) {
- DEBUG(SSSDBG_TRACE_FUNC, "No enumeration for [%s]!\n", domain->name);
- DEBUG(SSSDBG_TRACE_FUNC,
- "Please note that when enumeration is disabled `getent "
- "passwd` does not return all users by design. See "
- "sssd.conf man page for more detailed information\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "No enumeration for [%s]\n", domain->name);
}
ret = EOK;
@@ -1537,6 +1541,7 @@ static errno_t confdb_init_domain_subdomains(struct sss_domain_info *domain,
errno_t ret;
const char *tmp;
+#ifdef BUILD_EXTENDED_ENUMERATION_SUPPORT
tmp = ldb_msg_find_attr_as_string(res->msgs[0],
CONFDB_SUBDOMAIN_ENUMERATE,
CONFDB_DEFAULT_SUBDOMAIN_ENUMERATE);
@@ -1549,6 +1554,14 @@ static errno_t confdb_init_domain_subdomains(struct sss_domain_info *domain,
goto done;
}
}
+#else
+ ret = split_on_separator(domain, "none", ',', true, true,
+ &domain->sd_enumerate, NULL);
+ if (ret != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Cannot set 'sd_enumerate'\n");
+ goto done;
+ }
+#endif
tmp = ldb_msg_find_attr_as_string(res->msgs[0],
CONFDB_DOMAIN_SUBDOMAIN_INHERIT,
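Review bot: The added `if (ret != 0) {` in the `#else` branch breaks with the error-code idiom the rest of this function uses (`ret = EOK;` at the end of the previous hunk and elsewhere in confdb.c); it should read `if (ret != EOK) {` so the check matches the surrounding style. The `#ifdef` opened in the hunk at @@ -1537 is closed here, and confdb_init_domain_subdomains continues past the end of the hunk.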
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index 61cf48c31..149e9a161 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -494,8 +494,12 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
}
mpg_mode = str_to_domain_mpg_mode(str_mpg_mode);
+#ifdef BUILD_EXTENDED_ENUMERATION_SUPPORT
enumerate = ldb_msg_find_attr_as_bool(res->msgs[i],
SYSDB_SUBDOMAIN_ENUM, false);
+#else
+ enumerate = false;
+#endif
forest = ldb_msg_find_attr_as_string(res->msgs[i],
SYSDB_SUBDOMAIN_FOREST, NULL);
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 1e51aebfd..77b08e84c 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -55,12 +55,17 @@ FILES_PROVIDER_CONDS = ;with_files_provider
else
FILES_PROVIDER_CONDS = ;without_files_provider
endif
+if BUILD_EXTENDED_ENUMERATION_SUPPORT
+ENUM_CONDS = ;with_ext_enumeration
+else
+ENUM_CONDS = ;without_ext_enumeration
+endif
if SSSD_NON_ROOT_USER
SSSD_NON_ROOT_USER_CONDS = ;with_non_root_user_support
endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(ENUM_CONDS)
#Special Rules:
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 0a814ec35..ccf284abb 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -323,7 +323,7 @@
before refreshing its cache of enumerated
records.
</para>
- <para>
+ <para condition="with_ext_enumeration">
This option can be also set per subdomain or
inherited via
<emphasis>subdomain_inherit</emphasis>.
@@ -486,7 +486,7 @@
cached results are returned (and offline mode is
entered)
</para>
- <para>
+ <para condition="with_ext_enumeration">
This option can be also set per subdomain or
inherited via
<emphasis>subdomain_inherit</emphasis>.
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index e7a8cbd9a..7276d233f 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2673,8 +2673,12 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
and store ALL user and group entries from the
remote server.
</para>
+ <para condition="without_ext_enumeration">
+ Feature is only supported for domains with
+ id_provider = ldap.
+ </para>
<para>
- Note: Enabling enumeration has a moderate
+ Note: Enabling enumeration has a severe
performance impact on SSSD while enumeration
is running. It may take up to several minutes
after SSSD startup to fully complete enumerations.
@@ -2709,7 +2713,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
</listitem>
</varlistentry>
- <varlistentry>
+ <varlistentry condition="with_ext_enumeration">
<term>subdomain_enumerate (string)</term>
<listitem>
<para>
@@ -3857,10 +3861,10 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
<para>
ldap_offline_timeout
</para>
- <para>
+ <para condition="with_ext_enumeration">
ldap_enumeration_refresh_timeout
</para>
- <para>
+ <para condition="with_ext_enumeration">
ldap_enumeration_refresh_offset
</para>
<para>
@@ -3876,7 +3880,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
<para>
ldap_krb5_ticket_lifetime
</para>
- <para>
+ <para condition="with_ext_enumeration">
ldap_enumeration_search_timeout
</para>
<para>
--
2.41.0
From 6b0cbea2f643269c5af6333b59979de9c0ad6ce5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 31 Jan 2024 10:42:40 +0100
Subject: [PATCH] Fix the build with Samba 4.20
Guenther
---
src/external/samba.m4 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/external/samba.m4 b/src/external/samba.m4
index 49c6db8d2..5ab0e7527 100644
--- a/src/external/samba.m4
+++ b/src/external/samba.m4
@@ -58,7 +58,7 @@ with argument --without-samba
SAVE_CFLAGS=$CFLAGS
SAVE_LIBS=$LIBS
CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS $NDR_NBT_CFLAGS $NDR_KRB5PAC_CFLAGS"
- LIBS="$LIBS -L${sambalibdir} -lidmap-samba4 -Wl,-rpath ${sambalibdir}"
+ LIBS="$LIBS -L${sambalibdir} -lidmap-private-samba -Wl,-rpath ${sambalibdir}"
AC_RUN_IFELSE(
[AC_LANG_SOURCE([
#include <stdlib.h>
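Review bot: Replacing `-lidmap-samba4` with `-lidmap-private-samba` outright makes the probe fail against Samba releases that still ship the old library name, so configure will no longer succeed on those systems even though nothing else changed for them. Because the link line feeds an AC_RUN_IFELSE probe, the failure is at least detected rather than silent, but no fallback is attempted; I would keep both names, for example by re-running the probe with `-lidmap-samba4` when the `-lidmap-private-samba` run fails, or by selecting the name with a file test under `${sambalibdir}` (which name the probe needs is presumably version-dependent — confirm against the Samba versions the package targets). A one-line comment above the `LIBS=` assignment recording that the library was renamed in Samba 4.20 would explain the choice to the next reader. The enclosing macro starts and ends outside the hunk.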
--
2.43.0
From 32b72c7c3303edb2bf55ae9a22e8db7855f3d7d1 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Wed, 24 Jan 2024 23:03:04 +0100
Subject: [PATCH] tests: Drop -extensions from openssl command if there is no
-x509
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The 'openssl req' ignores the '-extensions' option without '-x509'.
OpenSSL versions prior 3.2 simply ignored it. Starting with version 3.2
an error is generated:
| /usr/bin/openssl req -batch -config
| ../../../../../src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA.config
| -new -nodes -key
| …/build/../src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA_key.pem
-sha256 -extensions v3_ca -out SSSD_test_intermediate_CA_req.pem
| Error adding request extensions from section v3_ca
| 003163BAB27F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:../crypto/x509/v3_akid.c:156:
| 003163BAB27F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:../crypto/x509/v3_conf.c:48:section=v3_ca, name=authorityKeyIdentifier, value=keyid:always,issuer:always
|
Remove the '-extensions' option.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/tests/test_CA/intermediate_CA/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/test_CA/intermediate_CA/Makefile.am b/src/tests/test_CA/intermediate_CA/Makefile.am
index b439f82cb03e5c99006b948c9eba2ba26ef4206c..50fcddb8d22213400f7ee31c6ba1eb7b8ccd14cd 100644
--- a/src/tests/test_CA/intermediate_CA/Makefile.am
+++ b/src/tests/test_CA/intermediate_CA/Makefile.am
@@ -33,7 +33,7 @@ SSSD_test_CA.pem:
ln -s $(builddir)/../$@
SSSD_test_intermediate_CA_req.pem: $(openssl_intermediate_ca_key) $(openssl_intermediate_ca_config) SSSD_test_CA.pem
- $(OPENSSL) req -batch -config ${openssl_intermediate_ca_config} -new -nodes -key $< -sha256 -extensions v3_ca -out $@
+ $(OPENSSL) req -batch -config ${openssl_intermediate_ca_config} -new -nodes -key $< -sha256 -out $@
SSSD_test_intermediate_CA.pem: SSSD_test_intermediate_CA_req.pem $(openssl_root_ca_config) $(openssl_root_ca_key)
cd .. && $(OPENSSL) ca -config ${openssl_root_ca_config} -batch -notext -keyfile $(openssl_root_ca_key) -in $(abs_builddir)/$< -days 200 -extensions v3_intermediate_ca -out $(abs_builddir)/$@
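Review bot: Dropping `-extensions v3_ca` from the `req` step is correct for OpenSSL 3.2, but it leaves no record of why the CSR carries no extension requests, and it means the intermediate certificate's CA extensions now come solely from `-extensions v3_intermediate_ca` in the `openssl ca` rule that follows. I would add a recipe comment above the `SSSD_test_intermediate_CA_req.pem` rule such as `# No -extensions here: 'openssl req' without -x509 rejects it since OpenSSL 3.2; CA extensions are applied by the 'openssl ca' step below.` so nobody re-adds the flag. If the root CA config relied on copying extensions from the request, that path is presumably no longer exercised — worth confirming that the generated intermediate still carries the expected basicConstraints.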
--
2.43.2