forked from jengelh/sssd
Accepting request 77656 from network:ldap
bnc#705768,bnc#709747 (forwarded request 77655 from rhafer) OBS-URL: https://build.opensuse.org/request/show/77656 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=28
This commit is contained in:
parent
063ac87209
commit
38f473b96f
53
0001-sss_client-avoid-leaking-file-descriptors.patch
Normal file
53
0001-sss_client-avoid-leaking-file-descriptors.patch
Normal file
@ -0,0 +1,53 @@
|
||||
From 151681511c4519463c2fe10c656db29a12c01821 Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <ssorce@redhat.com>
|
||||
Date: Thu, 28 Jul 2011 15:15:26 -0400
|
||||
Subject: sss_client: avoid leaking file descriptors
|
||||
|
||||
If a pam or nss module is dlcolse()d and unloaded we were leaking
|
||||
the file descriptor used to communicate to sssd in the process.
|
||||
|
||||
Make sure the fucntion used to close the socket file descriptor is
|
||||
called on dlclose()
|
||||
|
||||
Silence autoconf 2.28 warnings (Patch by Jakub Hrozek)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 84b83eb..c0b7f8f 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -170,6 +170,18 @@ AC_CHECK_HEADERS([sys/inotify.h])
|
||||
|
||||
AC_CHECK_HEADERS([sasl/sasl.h],,AC_MSG_ERROR([Could not find SASL headers]))
|
||||
|
||||
+AC_CACHE_CHECK([whether compiler supports __attribute__((destructor))],
|
||||
+ sss_client_cv_attribute_destructor,
|
||||
+ [AC_COMPILE_IFELSE(
|
||||
+ [AC_LANG_SOURCE([__attribute__((destructor)) static void cleanup(void) { }])],
|
||||
+ sss_client_cv_attribute_destructor=yes)
|
||||
+ ])
|
||||
+
|
||||
+if test x"$sss_client_cv_attribute_destructor" = xyes ; then
|
||||
+ AC_DEFINE(HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR, 1,
|
||||
+ [whether compiler supports __attribute__((destructor))])
|
||||
+fi
|
||||
+
|
||||
PKG_CHECK_MODULES([CHECK], [check >= 0.9.5], [have_check=1], [have_check=])
|
||||
if test x$have_check = x; then
|
||||
AC_MSG_WARN([Without the 'CHECK' libraries, you will be unable to run all tests in the 'make check' suite])
|
||||
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
|
||||
index c17629a..5f6af41 100644
|
||||
--- a/src/sss_client/common.c
|
||||
+++ b/src/sss_client/common.c
|
||||
@@ -55,6 +55,9 @@
|
||||
int sss_cli_sd = -1; /* the sss client socket descriptor */
|
||||
struct stat sss_cli_sb; /* the sss client stat buffer */
|
||||
|
||||
+#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
|
||||
+__attribute__((destructor))
|
||||
+#endif
|
||||
static void sss_cli_close_socket(void)
|
||||
{
|
||||
if (sss_cli_sd != -1) {
|
||||
--
|
||||
1.7.3.4
|
||||
|
@ -0,0 +1,42 @@
|
||||
From 587b013d0b6f8a9411617b5faac2750d2e4b7a5d Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Mon, 1 Aug 2011 15:22:53 +0200
|
||||
Subject: Request password control unconditionally during bind
|
||||
|
||||
https://fedorahosted.org/sssd/ticket/940
|
||||
|
||||
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
|
||||
index cab3657..9d543ec 100644
|
||||
--- a/src/providers/ldap/sdap_async_connection.c
|
||||
+++ b/src/providers/ldap/sdap_async_connection.c
|
||||
@@ -437,10 +437,10 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
|
||||
state->user_dn = user_dn;
|
||||
state->pw = pw;
|
||||
|
||||
- ret = sdap_control_create(state->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST,
|
||||
- 0, NULL, 0, &ctrls[0]);
|
||||
+ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
|
||||
+ 0, NULL, 0, &ctrls[0]);
|
||||
if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
|
||||
- DEBUG(1, ("sdap_control_create failed to create "
|
||||
+ DEBUG(1, ("sss_ldap_control_create failed to create "
|
||||
"Password Policy control.\n"));
|
||||
goto fail;
|
||||
}
|
||||
@@ -1634,10 +1634,10 @@ static int sdap_rebind_proc(LDAP *ldap, LDAP_CONST char *url, ber_tag_t request,
|
||||
sasl_mech = dp_opt_get_string(p->opts->basic, SDAP_SASL_MECH);
|
||||
|
||||
if (sasl_mech == NULL) {
|
||||
- ret = sdap_control_create(p->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST,
|
||||
- 0, NULL, 0, &ctrls[0]);
|
||||
+ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
|
||||
+ 0, NULL, 0, &ctrls[0]);
|
||||
if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
|
||||
- DEBUG(1, ("sdap_control_create failed to create "
|
||||
+ DEBUG(1, ("sss_ldap_control_create failed to create "
|
||||
"Password Policy control.\n"));
|
||||
goto done;
|
||||
}
|
||||
--
|
||||
1.7.3.4
|
||||
|
@ -0,0 +1,33 @@
|
||||
From d0bf20038fddf5ad296287fb16bc80082088b770 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||
Date: Mon, 1 Aug 2011 10:48:06 -0400
|
||||
Subject: Allow LDAP to decide when an expiration warning is warranted
|
||||
|
||||
Previously, we were only displaying expiration warnings if the
|
||||
password was going to expire within a day. We'll allow LDAP to
|
||||
make this decision (by whether it passes us the expiration time).
|
||||
|
||||
In the future, we can add an option to clamp this down to a
|
||||
shorter period if the local admin prefers it.
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index 3c9d760..7fcf985 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -409,9 +409,10 @@ static errno_t filter_responses(struct confdb_ctx *cdb,
|
||||
}
|
||||
memcpy(&expire_warn, resp->data + sizeof(uint32_t),
|
||||
sizeof(uint32_t));
|
||||
- if(expire_warn > pam_expiration_warning * (60 * 60 * 24)) {
|
||||
- resp->do_not_send_to_client = true;
|
||||
- }
|
||||
+ /* TODO: Add an option to limit the display of the
|
||||
+ * expiration warning to a specified number of
|
||||
+ * days (e.g. 14)
|
||||
+ */
|
||||
break;
|
||||
default:
|
||||
DEBUG(7, ("User info type [%d] not filtered.\n"));
|
||||
--
|
||||
1.7.3.4
|
||||
|
14
sssd.changes
14
sssd.changes
@ -1,3 +1,17 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Aug 2 08:46:53 UTC 2011 - rhafer@suse.de
|
||||
|
||||
- Fixed typos in configure args
|
||||
- Cherry-picked password policy fixes from 1.5 branch (bnc#705768)
|
||||
- switched to fd-leak fix cherry-picked from 1.5 branch
|
||||
- Add /usr/sbin to the search path to make configure find nscd
|
||||
(bnc#709747)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 29 10:39:51 UTC 2011 - jengelh@medozas.de
|
||||
|
||||
- Add patches to fix an fd leak in sssd_pam
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jul 28 10:03:32 UTC 2011 - jengelh@medozas.de
|
||||
|
||||
|
13
sssd.spec
13
sssd.spec
@ -26,6 +26,9 @@ License: GPLv3+ and LGPLv3+
|
||||
Url: https://fedorahosted.org/sssd/
|
||||
Source0: %{name}-%{version}.tar.bz2
|
||||
Source1: baselibs.conf
|
||||
Patch1: 0001-sss_client-avoid-leaking-file-descriptors.patch
|
||||
Patch2: 0002-Request-password-control-unconditionally-during-bind.patch
|
||||
Patch3: 0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
|
||||
%define servicename sssd
|
||||
@ -109,23 +112,27 @@ Security Services Daemon (sssd).
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch -P 1 -P 2 -P 3 -p1
|
||||
|
||||
%build
|
||||
autoreconf
|
||||
export LDB_LIBS="-lldb"
|
||||
export LDB_CFLAGS="-I/usr/include"
|
||||
|
||||
# help configure find nscd
|
||||
export PATH=$PATH:/usr/sbin/
|
||||
|
||||
%configure \
|
||||
--without-tests \
|
||||
--with-db-path=%{dbpath} \
|
||||
--with-pipe-path=%{pipepath} \
|
||||
--with-pubconf-path=%{pubconfpath} \
|
||||
--with-init-dir=%{_initrddir} \
|
||||
--enable-nsslibdir=/%{_lib} \
|
||||
--enable-pammoddir=/%{_lib}/security \
|
||||
--enable-cryptp=yes \
|
||||
--enable-crypto=yes \
|
||||
--with-ldb-lib-dir=%{_libdir}/ldb \
|
||||
--with-selinux=no \
|
||||
--with-so=suse \
|
||||
--with-os=suse \
|
||||
--with-semanage=no
|
||||
make %{?_smp_mflags}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user