forked from pool/sssd
Accepting request 77656 from network:ldap
bnc#705768,bnc#709747 (forwarded request 77655 from rhafer) OBS-URL: https://build.opensuse.org/request/show/77656 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=28
This commit is contained in:
parent
063ac87209
commit
38f473b96f
53
0001-sss_client-avoid-leaking-file-descriptors.patch
Normal file
53
0001-sss_client-avoid-leaking-file-descriptors.patch
Normal file
@ -0,0 +1,53 @@
|
|||||||
|
From 151681511c4519463c2fe10c656db29a12c01821 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simo Sorce <ssorce@redhat.com>
|
||||||
|
Date: Thu, 28 Jul 2011 15:15:26 -0400
|
||||||
|
Subject: sss_client: avoid leaking file descriptors
|
||||||
|
|
||||||
|
If a pam or nss module is dlcolse()d and unloaded we were leaking
|
||||||
|
the file descriptor used to communicate to sssd in the process.
|
||||||
|
|
||||||
|
Make sure the fucntion used to close the socket file descriptor is
|
||||||
|
called on dlclose()
|
||||||
|
|
||||||
|
Silence autoconf 2.28 warnings (Patch by Jakub Hrozek)
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index 84b83eb..c0b7f8f 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -170,6 +170,18 @@ AC_CHECK_HEADERS([sys/inotify.h])
|
||||||
|
|
||||||
|
AC_CHECK_HEADERS([sasl/sasl.h],,AC_MSG_ERROR([Could not find SASL headers]))
|
||||||
|
|
||||||
|
+AC_CACHE_CHECK([whether compiler supports __attribute__((destructor))],
|
||||||
|
+ sss_client_cv_attribute_destructor,
|
||||||
|
+ [AC_COMPILE_IFELSE(
|
||||||
|
+ [AC_LANG_SOURCE([__attribute__((destructor)) static void cleanup(void) { }])],
|
||||||
|
+ sss_client_cv_attribute_destructor=yes)
|
||||||
|
+ ])
|
||||||
|
+
|
||||||
|
+if test x"$sss_client_cv_attribute_destructor" = xyes ; then
|
||||||
|
+ AC_DEFINE(HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR, 1,
|
||||||
|
+ [whether compiler supports __attribute__((destructor))])
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
PKG_CHECK_MODULES([CHECK], [check >= 0.9.5], [have_check=1], [have_check=])
|
||||||
|
if test x$have_check = x; then
|
||||||
|
AC_MSG_WARN([Without the 'CHECK' libraries, you will be unable to run all tests in the 'make check' suite])
|
||||||
|
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
|
||||||
|
index c17629a..5f6af41 100644
|
||||||
|
--- a/src/sss_client/common.c
|
||||||
|
+++ b/src/sss_client/common.c
|
||||||
|
@@ -55,6 +55,9 @@
|
||||||
|
int sss_cli_sd = -1; /* the sss client socket descriptor */
|
||||||
|
struct stat sss_cli_sb; /* the sss client stat buffer */
|
||||||
|
|
||||||
|
+#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
|
||||||
|
+__attribute__((destructor))
|
||||||
|
+#endif
|
||||||
|
static void sss_cli_close_socket(void)
|
||||||
|
{
|
||||||
|
if (sss_cli_sd != -1) {
|
||||||
|
--
|
||||||
|
1.7.3.4
|
||||||
|
|
@ -0,0 +1,42 @@
|
|||||||
|
From 587b013d0b6f8a9411617b5faac2750d2e4b7a5d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Mon, 1 Aug 2011 15:22:53 +0200
|
||||||
|
Subject: Request password control unconditionally during bind
|
||||||
|
|
||||||
|
https://fedorahosted.org/sssd/ticket/940
|
||||||
|
|
||||||
|
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
|
||||||
|
index cab3657..9d543ec 100644
|
||||||
|
--- a/src/providers/ldap/sdap_async_connection.c
|
||||||
|
+++ b/src/providers/ldap/sdap_async_connection.c
|
||||||
|
@@ -437,10 +437,10 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
|
||||||
|
state->user_dn = user_dn;
|
||||||
|
state->pw = pw;
|
||||||
|
|
||||||
|
- ret = sdap_control_create(state->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST,
|
||||||
|
- 0, NULL, 0, &ctrls[0]);
|
||||||
|
+ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
|
||||||
|
+ 0, NULL, 0, &ctrls[0]);
|
||||||
|
if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
|
||||||
|
- DEBUG(1, ("sdap_control_create failed to create "
|
||||||
|
+ DEBUG(1, ("sss_ldap_control_create failed to create "
|
||||||
|
"Password Policy control.\n"));
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
@@ -1634,10 +1634,10 @@ static int sdap_rebind_proc(LDAP *ldap, LDAP_CONST char *url, ber_tag_t request,
|
||||||
|
sasl_mech = dp_opt_get_string(p->opts->basic, SDAP_SASL_MECH);
|
||||||
|
|
||||||
|
if (sasl_mech == NULL) {
|
||||||
|
- ret = sdap_control_create(p->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST,
|
||||||
|
- 0, NULL, 0, &ctrls[0]);
|
||||||
|
+ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
|
||||||
|
+ 0, NULL, 0, &ctrls[0]);
|
||||||
|
if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
|
||||||
|
- DEBUG(1, ("sdap_control_create failed to create "
|
||||||
|
+ DEBUG(1, ("sss_ldap_control_create failed to create "
|
||||||
|
"Password Policy control.\n"));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
1.7.3.4
|
||||||
|
|
@ -0,0 +1,33 @@
|
|||||||
|
From d0bf20038fddf5ad296287fb16bc80082088b770 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Date: Mon, 1 Aug 2011 10:48:06 -0400
|
||||||
|
Subject: Allow LDAP to decide when an expiration warning is warranted
|
||||||
|
|
||||||
|
Previously, we were only displaying expiration warnings if the
|
||||||
|
password was going to expire within a day. We'll allow LDAP to
|
||||||
|
make this decision (by whether it passes us the expiration time).
|
||||||
|
|
||||||
|
In the future, we can add an option to clamp this down to a
|
||||||
|
shorter period if the local admin prefers it.
|
||||||
|
|
||||||
|
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||||
|
index 3c9d760..7fcf985 100644
|
||||||
|
--- a/src/responder/pam/pamsrv_cmd.c
|
||||||
|
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||||
|
@@ -409,9 +409,10 @@ static errno_t filter_responses(struct confdb_ctx *cdb,
|
||||||
|
}
|
||||||
|
memcpy(&expire_warn, resp->data + sizeof(uint32_t),
|
||||||
|
sizeof(uint32_t));
|
||||||
|
- if(expire_warn > pam_expiration_warning * (60 * 60 * 24)) {
|
||||||
|
- resp->do_not_send_to_client = true;
|
||||||
|
- }
|
||||||
|
+ /* TODO: Add an option to limit the display of the
|
||||||
|
+ * expiration warning to a specified number of
|
||||||
|
+ * days (e.g. 14)
|
||||||
|
+ */
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
DEBUG(7, ("User info type [%d] not filtered.\n"));
|
||||||
|
--
|
||||||
|
1.7.3.4
|
||||||
|
|
14
sssd.changes
14
sssd.changes
@ -1,3 +1,17 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Aug 2 08:46:53 UTC 2011 - rhafer@suse.de
|
||||||
|
|
||||||
|
- Fixed typos in configure args
|
||||||
|
- Cherry-picked password policy fixes from 1.5 branch (bnc#705768)
|
||||||
|
- switched to fd-leak fix cherry-picked from 1.5 branch
|
||||||
|
- Add /usr/sbin to the search path to make configure find nscd
|
||||||
|
(bnc#709747)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jul 29 10:39:51 UTC 2011 - jengelh@medozas.de
|
||||||
|
|
||||||
|
- Add patches to fix an fd leak in sssd_pam
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Jul 28 10:03:32 UTC 2011 - jengelh@medozas.de
|
Thu Jul 28 10:03:32 UTC 2011 - jengelh@medozas.de
|
||||||
|
|
||||||
|
13
sssd.spec
13
sssd.spec
@ -26,6 +26,9 @@ License: GPLv3+ and LGPLv3+
|
|||||||
Url: https://fedorahosted.org/sssd/
|
Url: https://fedorahosted.org/sssd/
|
||||||
Source0: %{name}-%{version}.tar.bz2
|
Source0: %{name}-%{version}.tar.bz2
|
||||||
Source1: baselibs.conf
|
Source1: baselibs.conf
|
||||||
|
Patch1: 0001-sss_client-avoid-leaking-file-descriptors.patch
|
||||||
|
Patch2: 0002-Request-password-control-unconditionally-during-bind.patch
|
||||||
|
Patch3: 0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
|
|
||||||
%define servicename sssd
|
%define servicename sssd
|
||||||
@ -109,23 +112,27 @@ Security Services Daemon (sssd).
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
%patch -P 1 -P 2 -P 3 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
autoreconf
|
autoreconf
|
||||||
export LDB_LIBS="-lldb"
|
export LDB_LIBS="-lldb"
|
||||||
export LDB_CFLAGS="-I/usr/include"
|
export LDB_CFLAGS="-I/usr/include"
|
||||||
|
|
||||||
|
# help configure find nscd
|
||||||
|
export PATH=$PATH:/usr/sbin/
|
||||||
|
|
||||||
%configure \
|
%configure \
|
||||||
--without-tests \
|
|
||||||
--with-db-path=%{dbpath} \
|
--with-db-path=%{dbpath} \
|
||||||
--with-pipe-path=%{pipepath} \
|
--with-pipe-path=%{pipepath} \
|
||||||
--with-pubconf-path=%{pubconfpath} \
|
--with-pubconf-path=%{pubconfpath} \
|
||||||
--with-init-dir=%{_initrddir} \
|
--with-init-dir=%{_initrddir} \
|
||||||
--enable-nsslibdir=/%{_lib} \
|
--enable-nsslibdir=/%{_lib} \
|
||||||
--enable-pammoddir=/%{_lib}/security \
|
--enable-pammoddir=/%{_lib}/security \
|
||||||
--enable-cryptp=yes \
|
--enable-crypto=yes \
|
||||||
--with-ldb-lib-dir=%{_libdir}/ldb \
|
--with-ldb-lib-dir=%{_libdir}/ldb \
|
||||||
--with-selinux=no \
|
--with-selinux=no \
|
||||||
--with-so=suse \
|
--with-os=suse \
|
||||||
--with-semanage=no
|
--with-semanage=no
|
||||||
make %{?_smp_mflags}
|
make %{?_smp_mflags}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user