diff --git a/0001-Added-option-to-use-libcrypto-instead-of-NSS.patch b/0001-Added-option-to-use-libcrypto-instead-of-NSS.patch
deleted file mode 100644
index 429adf0..0000000
--- a/0001-Added-option-to-use-libcrypto-instead-of-NSS.patch
+++ /dev/null
@@ -1,451 +0,0 @@ -From bf75a22ffc04dfa0387a1389750b0a1e6d3ac397 Mon Sep 17 00:00:00 2001 -From: Ralf Haferkamp -Date: Fri, 26 Mar 2010 15:04:51 +0100 -Subject: [PATCH] Added option to use libcrypto instead of NSS. - -crypto_sha512crypt.c is a clone of nss_sha512crypt.c with the exception that -all usage of NSS and related libraries has been switched to libcrypto. -I renamed nss_sha512crypt.h to sha512crypt.h since it is common to both -crypto_sha512crypt.c and nss_sha512crypt.c. Note that the random number -generator is not seeded manually and thus relies on seeding done -automatically by libcrypto. On some systems without /dev/urandom -seeding may not be performed. -See http://www.openssl.org/docs/crypto/RAND_add.html. -Signed-off-by: George McCollister - -Conflicts: - - server/util/nss_sha512crypt.h - server/util/sha512crypt.h - src/Makefile.am - src/configure.ac - src/util/sha512crypt.h ---- - server/external/crypto.m4 | 13 ++ - server/util/crypto_sha512crypt.c | 382 ++++++++++++++++++++++++++++++++++++++ - server/util/sha512crypt.h | 4 + - 3 files changed, 399 insertions(+), 0 deletions(-) - create mode 100644 server/external/crypto.m4 - create mode 100644 server/util/crypto_sha512crypt.c - create mode 100644 server/util/sha512crypt.h - -diff --git a/server/external/crypto.m4 b/server/external/crypto.m4 -new file mode 100644 -index 0000000..d1bcf40 ---- /dev/null -+++ b/server/external/crypto.m4 -@@ -0,0 +1,13 @@ -+AC_ARG_ENABLE(crypto, -+ [ --enable-crypto Use OpenSSL crypto instead of NSS], -+ [CRYPTO="$enableval"], -+ [CRYPTO="no"] -+) -+ -+if test x$CRYPTO != xyes; then -+ PKG_CHECK_MODULES([NSS],[nss],[have_nss=1],[have_nss=]) -+else -+ PKG_CHECK_MODULES([CRYPTO],[libcrypto],[have_crypto=1],[have_crypto=]) -+fi -+AM_CONDITIONAL([HAVE_NSS], [test x$have_nss != x]) -+AM_CONDITIONAL([HAVE_CRYPTO], [test x$have_crypto != x]) -diff --git a/server/util/crypto_sha512crypt.c b/server/util/crypto_sha512crypt.c -new file mode 100644 -index 0000000..9cd03a1 ---- 
/dev/null -+++ b/server/util/crypto_sha512crypt.c -@@ -0,0 +1,382 @@ -+/* This file is based on nss_sha512crypt.c which is based on the work of -+ * Ulrich Drepper (http://people.redhat.com/drepper/SHA-crypt.txt). -+ * -+ * libcrypto is used to provide SHA512 and random number generation. -+ * (http://www.openssl.org/docs/crypto/crypto.html). -+ * -+ * Sumit Bose -+ * George McCollister -+ */ -+/* SHA512-based Unix crypt implementation. -+ Released into the Public Domain by Ulrich Drepper . */ -+ -+#define _GNU_SOURCE -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "util/util.h" -+ -+#include -+#include -+ -+/* Define our magic string to mark salt for SHA512 "encryption" replacement. */ -+const char sha512_salt_prefix[] = "$6$"; -+#define SALT_PREF_SIZE (sizeof(sha512_salt_prefix) - 1) -+ -+/* Prefix for optional rounds specification. */ -+const char sha512_rounds_prefix[] = "rounds="; -+#define ROUNDS_SIZE (sizeof(sha512_rounds_prefix) - 1) -+ -+#define SALT_LEN_MAX 16 -+#define ROUNDS_DEFAULT 5000 -+#define ROUNDS_MIN 1000 -+#define ROUNDS_MAX 999999999 -+ -+/* Table with characters for base64 transformation. 
*/ -+const char b64t[64] = -+ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; -+ -+/* base64 conversion function */ -+static inline void b64_from_24bit(char **dest, size_t *len, size_t n, -+ uint8_t b2, uint8_t b1, uint8_t b0) -+{ -+ uint32_t w; -+ size_t i; -+ -+ if (*len < n) n = *len; -+ -+ w = (b2 << 16) | (b1 << 8) | b0; -+ for (i = 0; i < n; i++) { -+ (*dest)[i] = b64t[w & 0x3f]; -+ w >>= 6; -+ } -+ -+ *len -= i; -+ *dest += i; -+} -+ -+#define PTR_2_INT(x) ((x) - ((__typeof__ (x)) NULL)) -+#define ALIGN64 __alignof__(uint64_t) -+ -+static int sha512_crypt_r(const char *key, -+ const char *salt, -+ char *buffer, size_t buflen) -+{ -+ unsigned char temp_result[64] __attribute__((__aligned__(ALIGN64))); -+ unsigned char alt_result[64] __attribute__((__aligned__(ALIGN64))); -+ size_t rounds = ROUNDS_DEFAULT; -+ bool rounds_custom = false; -+ EVP_MD_CTX alt_ctx; -+ EVP_MD_CTX ctx; -+ size_t salt_len; -+ size_t key_len; -+ size_t cnt; -+ char *copied_salt = NULL; -+ char *copied_key = NULL; -+ char *p_bytes = NULL; -+ char *s_bytes = NULL; -+ int p1, p2, p3, pt, n; -+ unsigned int part; -+ char *cp, *tmp; -+ int ret; -+ -+ /* Find beginning of salt string. The prefix should normally always be -+ * present. Just in case it is not. */ -+ if (strncmp(salt, sha512_salt_prefix, SALT_PREF_SIZE) == 0) { -+ /* Skip salt prefix. 
*/ -+ salt += SALT_PREF_SIZE; -+ } -+ -+ if (strncmp(salt, sha512_rounds_prefix, ROUNDS_SIZE) == 0) { -+ unsigned long int srounds; -+ const char *num; -+ char *endp; -+ -+ num = salt + ROUNDS_SIZE; -+ srounds = strtoul(num, &endp, 10); -+ if (*endp == '$') { -+ salt = endp + 1; -+ if (srounds < ROUNDS_MIN) srounds = ROUNDS_MIN; -+ if (srounds > ROUNDS_MAX) srounds = ROUNDS_MAX; -+ rounds = srounds; -+ rounds_custom = true; -+ } -+ } -+ -+ salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX); -+ key_len = strlen(key); -+ -+ if ((PTR_2_INT(key) % ALIGN64) != 0) { -+ tmp = (char *)alloca(key_len + ALIGN64); -+ key = copied_key = memcpy(tmp + ALIGN64 - PTR_2_INT(tmp) % ALIGN64, key, key_len); -+ } -+ -+ if (PTR_2_INT(salt) % ALIGN64 != 0) { -+ tmp = (char *)alloca(salt_len + ALIGN64); -+ salt = copied_salt = memcpy(tmp + ALIGN64 - PTR_2_INT(tmp) % ALIGN64, salt, salt_len); -+ } -+ -+ EVP_MD_CTX_init(&ctx); -+ -+ EVP_MD_CTX_init(&alt_ctx); -+ -+ /* Prepare for the real work. */ -+ if (!EVP_DigestInit_ex(&ctx, EVP_sha512(), NULL)) { -+ ret = EIO; -+ goto done; -+ } -+ -+ /* Add the key string. */ -+ EVP_DigestUpdate(&ctx, (const unsigned char *)key, key_len); -+ -+ /* The last part is the salt string. This must be at most 16 -+ * characters and it ends at the first `$' character (for -+ * compatibility with existing implementations). */ -+ EVP_DigestUpdate(&ctx, (const unsigned char *)salt, salt_len); -+ -+ -+ /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. -+ * The final result will be added to the first context. */ -+ if (!EVP_DigestInit_ex(&alt_ctx, EVP_sha512(), NULL)) { -+ ret = EIO; -+ goto done; -+ } -+ -+ /* Add key. */ -+ EVP_DigestUpdate(&alt_ctx, (const unsigned char *)key, key_len); -+ -+ /* Add salt. */ -+ EVP_DigestUpdate(&alt_ctx, (const unsigned char *)salt, salt_len); -+ -+ /* Add key again. */ -+ EVP_DigestUpdate(&alt_ctx, (const unsigned char *)key, key_len); -+ -+ /* Now get result of this (64 bytes) and add it to the other context. 
*/ -+ EVP_DigestFinal_ex(&alt_ctx, alt_result, &part); -+ -+ /* Add for any character in the key one byte of the alternate sum. */ -+ for (cnt = key_len; cnt > 64; cnt -= 64) { -+ EVP_DigestUpdate(&ctx, alt_result, 64); -+ } -+ EVP_DigestUpdate(&ctx, alt_result, cnt); -+ -+ /* Take the binary representation of the length of the key and for every -+ * 1 add the alternate sum, for every 0 the key. */ -+ for (cnt = key_len; cnt > 0; cnt >>= 1) { -+ if ((cnt & 1) != 0) { -+ EVP_DigestUpdate(&ctx, alt_result, 64); -+ } else { -+ EVP_DigestUpdate(&ctx, (const unsigned char *)key, key_len); -+ } -+ } -+ -+ /* Create intermediate result. */ -+ EVP_DigestFinal_ex(&ctx, alt_result, &part); -+ -+ /* Start computation of P byte sequence. */ -+ if (!EVP_DigestInit_ex(&alt_ctx, EVP_sha512(), NULL)) { -+ ret = EIO; -+ goto done; -+ } -+ -+ /* For every character in the password add the entire password. */ -+ for (cnt = 0; cnt < key_len; cnt++) { -+ EVP_DigestUpdate(&alt_ctx, (const unsigned char *)key, key_len); -+ } -+ -+ /* Finish the digest. */ -+ EVP_DigestFinal_ex(&alt_ctx, temp_result, &part); -+ -+ /* Create byte sequence P. */ -+ cp = p_bytes = alloca(key_len); -+ for (cnt = key_len; cnt >= 64; cnt -= 64) { -+ cp = mempcpy(cp, temp_result, 64); -+ } -+ memcpy(cp, temp_result, cnt); -+ -+ /* Start computation of S byte sequence. */ -+ if (!EVP_DigestInit_ex(&alt_ctx, EVP_sha512(), NULL)) { -+ ret = EIO; -+ goto done; -+ } -+ -+ /* For every character in the password add the entire salt. */ -+ for (cnt = 0; cnt < 16 + alt_result[0]; cnt++) { -+ EVP_DigestUpdate(&alt_ctx, (const unsigned char *)salt, salt_len); -+ } -+ -+ /* Finish the digest. */ -+ EVP_DigestFinal_ex(&alt_ctx, temp_result, &part); -+ -+ /* Create byte sequence S. */ -+ cp = s_bytes = alloca(salt_len); -+ for (cnt = salt_len; cnt >= 64; cnt -= 64) { -+ cp = mempcpy(cp, temp_result, 64); -+ } -+ memcpy(cp, temp_result, cnt); -+ -+ /* Repeatedly run the collected hash value through SHA512 to burn CPU cycles. 
*/ -+ for (cnt = 0; cnt < rounds; cnt++) { -+ -+ if (!EVP_DigestInit_ex(&ctx, EVP_sha512(), NULL)) { -+ ret = EIO; -+ goto done; -+ } -+ -+ /* Add key or last result. */ -+ if ((cnt & 1) != 0) { -+ EVP_DigestUpdate(&ctx, (const unsigned char *)p_bytes, key_len); -+ } else { -+ EVP_DigestUpdate(&ctx, alt_result, 64); -+ } -+ -+ /* Add salt for numbers not divisible by 3. */ -+ if (cnt % 3 != 0) { -+ EVP_DigestUpdate(&ctx, (const unsigned char *)s_bytes, salt_len); -+ } -+ -+ /* Add key for numbers not divisible by 7. */ -+ if (cnt % 7 != 0) { -+ EVP_DigestUpdate(&ctx, (const unsigned char *)p_bytes, key_len); -+ } -+ -+ /* Add key or last result. */ -+ if ((cnt & 1) != 0) { -+ EVP_DigestUpdate(&ctx, alt_result, 64); -+ } else { -+ EVP_DigestUpdate(&ctx, (const unsigned char *)p_bytes, key_len); -+ } -+ -+ /* Create intermediate result. */ -+ EVP_DigestFinal_ex(&ctx, alt_result, &part); -+ } -+ -+ /* Now we can construct the result string. -+ * It consists of three parts. */ -+ if (buflen <= SALT_PREF_SIZE) { -+ ret = ERANGE; -+ goto done; -+ } -+ -+ cp = __stpncpy(buffer, sha512_salt_prefix, SALT_PREF_SIZE); -+ buflen -= SALT_PREF_SIZE; -+ -+ if (rounds_custom) { -+ n = snprintf(cp, buflen, "%s%zu$", -+ sha512_rounds_prefix, rounds); -+ if (n < 0 || n >= buflen) { -+ ret = ERANGE; -+ goto done; -+ } -+ cp += n; -+ buflen -= n; -+ } -+ -+ if (buflen <= salt_len + 1) { -+ ret = ERANGE; -+ goto done; -+ } -+ cp = __stpncpy(cp, salt, salt_len); -+ *cp++ = '$'; -+ buflen -= salt_len + 1; -+ -+ /* fuzzyfill the base 64 string */ -+ p1 = 0; -+ p2 = 21; -+ p3 = 42; -+ for (n = 0; n < 21; n++) { -+ b64_from_24bit(&cp, &buflen, 4, alt_result[p1], alt_result[p2], alt_result[p3]); -+ if (buflen == 0) { -+ ret = ERANGE; -+ goto done; -+ } -+ pt = p1; -+ p1 = p2 + 1; -+ p2 = p3 + 1; -+ p3 = pt + 1; -+ } -+ /* 64th and last byte */ -+ b64_from_24bit(&cp, &buflen, 2, 0, 0, alt_result[p3]); -+ if (buflen == 0) { -+ ret = ERANGE; -+ goto done; -+ } -+ -+ *cp = '\0'; -+ ret = EOK; -+ 
-+done: -+ /* Clear the buffer for the intermediate result so that people attaching -+ * to processes or reading core dumps cannot get any information. We do it -+ * in this way to clear correct_words[] inside the SHA512 implementation -+ * as well. */ -+ EVP_MD_CTX_cleanup(&ctx); -+ EVP_MD_CTX_cleanup(&alt_ctx); -+ if (p_bytes) memset(p_bytes, '\0', key_len); -+ if (s_bytes) memset(s_bytes, '\0', salt_len); -+ if (copied_key) memset(copied_key, '\0', key_len); -+ if (copied_salt) memset(copied_salt, '\0', salt_len); -+ memset(temp_result, '\0', sizeof(temp_result)); -+ -+ return ret; -+} -+ -+int s3crypt_sha512(TALLOC_CTX *memctx, -+ const char *key, const char *salt, char **_hash) -+{ -+ char *hash; -+ int hlen = (sizeof (sha512_salt_prefix) - 1 -+ + sizeof (sha512_rounds_prefix) + 9 + 1 -+ + strlen (salt) + 1 + 86 + 1); -+ int ret; -+ -+ hash = talloc_size(memctx, hlen); -+ if (!hash) return ENOMEM; -+ -+ ret = sha512_crypt_r(key, salt, hash, hlen); -+ if (ret) return ret; -+ -+ *_hash = hash; -+ return ret; -+} -+ -+#define SALT_RAND_LEN 12 -+ -+int s3crypt_gen_salt(TALLOC_CTX *memctx, char **_salt) -+{ -+ uint8_t rb[SALT_RAND_LEN]; -+ char *salt, *cp; -+ size_t slen; -+ int ret; -+ -+ salt = talloc_size(memctx, SALT_LEN_MAX + 1); -+ if (!salt) { -+ return ENOMEM; -+ } -+ -+ ret = RAND_bytes(rb, SALT_RAND_LEN); -+ if (ret == 0) { -+ return EIO; -+ } -+ -+ slen = SALT_LEN_MAX; -+ cp = salt; -+ b64_from_24bit(&cp, &slen, 4, rb[0], rb[1], rb[2]); -+ b64_from_24bit(&cp, &slen, 4, rb[3], rb[4], rb[5]); -+ b64_from_24bit(&cp, &slen, 4, rb[6], rb[7], rb[8]); -+ b64_from_24bit(&cp, &slen, 4, rb[9], rb[10], rb[11]); -+ *cp = '\0'; -+ -+ *_salt = salt; -+ -+ return EOK; -+} -+ -diff --git a/server/util/sha512crypt.h b/server/util/sha512crypt.h -new file mode 100644 -index 0000000..5512c5d ---- /dev/null -+++ b/server/util/sha512crypt.h -@@ -0,0 +1,4 @@ -+ -+int s3crypt_sha512(TALLOC_CTX *mmectx, -+ const char *key, const char *salt, char **_hash); -+int 
s3crypt_gen_salt(TALLOC_CTX *memctx, char **_salt); --- -1.7.0.2 - diff --git a/0001-by-default-use-logfiles-for-debug-messages.dif b/0001-by-default-use-logfiles-for-debug-messages.dif new file mode 100644 index 0000000..658fb10 --- /dev/null +++ b/0001-by-default-use-logfiles-for-debug-messages.dif @@ -0,0 +1,24 @@ +From 6a3686dbd6593d1f832231dd3e07fcd03eb9a2e6 Mon Sep 17 00:00:00 2001 +From: Ralf Haferkamp +Date: Mon, 8 Mar 2010 14:42:06 +0100 +Subject: [PATCH] by default use logfiles for debug messages + + + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/server/sysv/SUSE/sssd b/server/sysv/SUSE/sssd +index 34fd837..2f98c21 100644 +--- a/server/sysv/SUSE/sssd ++++ b/server/sysv/SUSE/sssd +@@ -29,7 +29,7 @@ PID_FILE=/var/run/sssd.pid + case "$1" in + start) + echo -n "Starting $prog " +- /sbin/startproc $SSSD -D 2>/dev/null ++ /sbin/startproc $SSSD -f -D 2>/dev/null + rc_status -v + ;; + +-- +1.6.4.2 + diff --git a/0002-Improvements-for-LDAP-Password-Policy-support.patch b/0002-Improvements-for-LDAP-Password-Policy-support.patch deleted file mode 100644 index c155afe..0000000 --- a/0002-Improvements-for-LDAP-Password-Policy-support.patch +++ /dev/null 
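Review bot: The start line in the added init-script patch now passes `-f` so debug messages go to log files, but it still discards stderr with `2>/dev/null`, and nothing in this file shows where those log files are written or who can read them. Debug output from an authentication daemon can include account names and backend details, so the log directory should presumably be root-owned with a restrictive mode; the spec's %files section, which is not part of this hunk, is the place to confirm that. A short comment above the changed line, for example `# -f: send debug messages to log files instead of stderr`, would explain the flag to the next maintainer.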
@@ -1,415 +0,0 @@ -From 536c01cf9a04573c2351542fe00973e1538014a5 Mon Sep 17 00:00:00 2001 -From: Ralf Haferkamp -Date: Fri, 12 Mar 2010 10:54:40 +0100 -Subject: [PATCH] Improvements for LDAP Password Policy support - -Display warnings about remaining grace logins and password -expiration to the user, when LDAP Password Policies are used. - -Improved detection if LDAP Password policies are supported by -LDAP Server. ---- - src/providers/ldap/ldap_auth.c | 52 +++++++++++++++++- - src/providers/ldap/sdap.h | 5 ++ - src/providers/ldap/sdap_async.h | 6 ++- - src/providers/ldap/sdap_async_connection.c | 53 +++++++++++++++---- - src/sss_client/pam_sss.c | 82 ++++++++++++++++++++++++++++ - src/sss_client/sss_cli.h | 23 ++++++--- - 6 files changed, 201 insertions(+), 20 deletions(-) - -diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c -index 5228703..8c77e3a 100644 ---- a/src/providers/ldap/ldap_auth.c -+++ b/src/providers/ldap/ldap_auth.c -@@ -7,6 +7,7 @@ - Sumit Bose - - Copyright (C) 2008 Red Hat -+ Copyright (C) 2010, rhafer@suse.de, Novell Inc. 
- - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by -@@ -135,6 +136,39 @@ static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now, - return EOK; - } - -+static errno_t check_pwexpire_ldap(struct pam_data *pd, -+ struct sdap_ppolicy_data *ppolicy, -+ enum sdap_result *result) -+{ -+ if (ppolicy->grace > 0 || ppolicy->expire > 0) { -+ uint32_t *data; -+ uint32_t *ptr; -+ -+ data = talloc_size(pd, 2* sizeof(uint32_t)); -+ if (data == NULL) { -+ DEBUG(1, ("talloc_size failed.\n")); -+ return ENOMEM; -+ } -+ -+ ptr = data; -+ if (ppolicy->grace > 0) { -+ *ptr = SSS_PAM_USER_INFO_GRACE_LOGIN; -+ ptr++; -+ *ptr = ppolicy->grace; -+ } else if (ppolicy->expire > 0) { -+ *ptr = SSS_PAM_USER_INFO_EXPIRE_WARN; -+ ptr++; -+ *ptr = ppolicy->expire; -+ } -+ -+ pam_add_response(pd, SSS_PAM_USER_INFO, 2* sizeof(uint32_t), -+ (uint8_t*)data); -+ } -+ -+ *result = SDAP_AUTH_SUCCESS; -+ return EOK; -+} -+ - static errno_t string_to_shadowpw_days(const char *s, long *d) - { - long l; -@@ -569,8 +603,15 @@ static void auth_bind_user_done(struct tevent_req *subreq) - struct auth_state *state = tevent_req_data(req, - struct auth_state); - int ret; -- -- ret = sdap_auth_recv(subreq, &state->result); -+ struct sdap_ppolicy_data *ppolicy; -+ -+ ret = sdap_auth_recv(subreq, state, &state->result, &ppolicy); -+ if (ppolicy != NULL) { -+ DEBUG(9,("Found ppolicy data, " -+ "assuming LDAP password policies are active.\n")); -+ state->pw_expire_type = PWEXPIRE_LDAP_PASSWORD_POLICY; -+ state->pw_expire_data = ppolicy; -+ } - talloc_zfree(subreq); - if (ret) { - tevent_req_error(req, ret); -@@ -960,6 +1001,13 @@ static void sdap_pam_auth_done(struct tevent_req *req) - } - break; - case PWEXPIRE_LDAP_PASSWORD_POLICY: -+ ret = check_pwexpire_ldap(state->pd, pw_expire_data, &result); -+ if (ret != EOK) { -+ DEBUG(1, ("check_pwexpire_ldap failed.\n")); -+ state->pd->pam_status = PAM_SYSTEM_ERR; -+ goto 
done; -+ } -+ break; - case PWEXPIRE_NONE: - break; - default: -diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h -index 007185f..f0e345e 100644 ---- a/src/providers/ldap/sdap.h -+++ b/src/providers/ldap/sdap.h -@@ -85,6 +85,11 @@ struct sdap_service { - char *uri; - }; - -+struct sdap_ppolicy_data { -+ int grace; -+ int expire; -+}; -+ - #define SYSDB_SHADOWPW_LASTCHANGE "shadowLastChange" - #define SYSDB_SHADOWPW_MIN "shadowMin" - #define SYSDB_SHADOWPW_MAX "shadowMax" -diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h -index 3c52d23..888df6b 100644 ---- a/src/providers/ldap/sdap_async.h -+++ b/src/providers/ldap/sdap_async.h -@@ -76,7 +76,11 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx, - const char *user_dn, - const char *authtok_type, - struct dp_opt_blob authtok); --int sdap_auth_recv(struct tevent_req *req, enum sdap_result *result); -+ -+int sdap_auth_recv(struct tevent_req *req, -+ TALLOC_CTX *memctx, -+ enum sdap_result *result, -+ struct sdap_ppolicy_data **ppolicy); - - struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, - struct tevent_context *ev, -diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c -index 586733f..f8c6956 100644 ---- a/src/providers/ldap/sdap_async_connection.c -+++ b/src/providers/ldap/sdap_async_connection.c -@@ -4,6 +4,7 @@ - Async LDAP Helper routines - - Copyright (C) Simo Sorce - 2009 -+ Copyright (C) 2010, rhafer@suse.de, Novell Inc. 
- - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by -@@ -278,6 +279,7 @@ struct simple_bind_state { - struct sdap_op *op; - - struct sdap_msg *reply; -+ struct sdap_ppolicy_data *ppolicy; - int result; - }; - -@@ -401,6 +403,7 @@ static void simple_bind_done(struct sdap_op *op, - - if (response_controls == NULL) { - DEBUG(5, ("Server returned no controls.\n")); -+ state->ppolicy = NULL; - } else { - for (c = 0; response_controls[c] != NULL; c++) { - DEBUG(9, ("Server returned control [%s].\n", -@@ -420,12 +423,30 @@ static void simple_bind_done(struct sdap_op *op, - DEBUG(7, ("Password Policy Response: expire [%d] grace [%d] " - "error [%s].\n", pp_expire, pp_grace, - ldap_passwordpolicy_err2txt(pp_error))); -- -- if ((state->result == LDAP_SUCCESS && -- (pp_error == PP_changeAfterReset || pp_grace > 0)) || -- (state->result == LDAP_INVALID_CREDENTIALS && -- pp_error == PP_passwordExpired ) ) { -- DEBUG(4, ("User must set a new password.\n")); -+ state->ppolicy = talloc(state, struct sdap_ppolicy_data); -+ if (state->ppolicy == NULL) { -+ DEBUG(1, ("talloc failed.\n")); -+ ret = ENOMEM; -+ goto done; -+ } -+ state->ppolicy->grace = pp_grace; -+ state->ppolicy->expire = pp_expire; -+ if (state->result == LDAP_SUCCESS) { -+ if (pp_error == PP_changeAfterReset) { -+ DEBUG(4, ("Password was reset. " -+ "User must set a new password.\n")); -+ state->result = LDAP_X_SSSD_PASSWORD_EXPIRED; -+ } else if (pp_grace > 0) { -+ DEBUG(4, ("Password expired. 
" -+ "[%d] grace logins remaining.\n", pp_grace)); -+ } else if (pp_expire > 0) { -+ DEBUG(4, ("Password will expire in [%d] seconds.\n", -+ pp_expire)); -+ } -+ } else if (state->result == LDAP_INVALID_CREDENTIALS && -+ pp_error == PP_passwordExpired) { -+ DEBUG(4, -+ ("Password expired user must set a new password.\n")); - state->result = LDAP_X_SSSD_PASSWORD_EXPIRED; - } - } -@@ -446,7 +467,10 @@ done: - } - } - --static int simple_bind_recv(struct tevent_req *req, int *ldaperr) -+static int simple_bind_recv(struct tevent_req *req, -+ TALLOC_CTX *memctx, -+ int *ldaperr, -+ struct sdap_ppolicy_data **ppolicy) - { - struct simple_bind_state *state = tevent_req_data(req, - struct simple_bind_state); -@@ -455,6 +479,7 @@ static int simple_bind_recv(struct tevent_req *req, int *ldaperr) - TEVENT_REQ_RETURN_ON_ERROR(req); - - *ldaperr = state->result; -+ *ppolicy = talloc_steal(memctx, state->ppolicy); - return EOK; - } - -@@ -704,6 +729,7 @@ int sdap_kinit_recv(struct tevent_req *req, enum sdap_result *result) - struct sdap_auth_state { - const char *user_dn; - struct berval pw; -+ struct sdap_ppolicy_data *ppolicy; - - int result; - bool is_sasl; -@@ -766,8 +792,9 @@ static void sdap_auth_done(struct tevent_req *subreq) - - if (state->is_sasl) { - ret = sasl_bind_recv(subreq, &state->result); -+ state->ppolicy = NULL; - } else { -- ret = simple_bind_recv(subreq, &state->result); -+ ret = simple_bind_recv(subreq, state, &state->result, &state->ppolicy); - } - if (ret != EOK) { - tevent_req_error(req, ret); -@@ -777,7 +804,10 @@ static void sdap_auth_done(struct tevent_req *subreq) - tevent_req_done(req); - } - --int sdap_auth_recv(struct tevent_req *req, enum sdap_result *result) -+int sdap_auth_recv(struct tevent_req *req, -+ TALLOC_CTX *memctx, -+ enum sdap_result *result, -+ struct sdap_ppolicy_data **ppolicy) - { - struct sdap_auth_state *state = tevent_req_data(req, - struct sdap_auth_state); -@@ -785,6 +815,9 @@ int sdap_auth_recv(struct tevent_req *req, enum 
sdap_result *result) - *result = SDAP_ERROR; - TEVENT_REQ_RETURN_ON_ERROR(req); - -+ if (ppolicy != NULL) { -+ *ppolicy = talloc_steal(memctx, state->ppolicy); -+ } - switch (state->result) { - case LDAP_SUCCESS: - *result = SDAP_AUTH_SUCCESS; -@@ -1078,7 +1111,7 @@ static void sdap_cli_auth_done(struct tevent_req *subreq) - enum sdap_result result; - int ret; - -- ret = sdap_auth_recv(subreq, &result); -+ ret = sdap_auth_recv(subreq, NULL, &result, NULL); - talloc_zfree(subreq); - if (ret) { - tevent_req_error(req, ret); -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index 2ba6f15..07ed4e7 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -3,6 +3,7 @@ - Sumit Bose - - Copyright (C) 2009 Red Hat -+ Copyright (C) 2010, rhafer@suse.de, Novell Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU Lesser General Public License as published by -@@ -436,6 +437,81 @@ static int user_info_offline_auth(pam_handle_t *pamh, size_t buflen, - return PAM_SUCCESS; - } - -+static int user_info_grace_login(pam_handle_t *pamh, -+ size_t buflen, -+ uint8_t *buf) -+{ -+ int ret; -+ uint32_t grace; -+ char user_msg[256]; -+ -+ if (buflen != 2* sizeof(uint32_t)) { -+ D(("User info response data has the wrong size")); -+ return PAM_BUF_ERR; -+ } -+ memcpy(&grace, buf + sizeof(uint32_t), sizeof(uint32_t)); -+ ret = snprintf(user_msg, sizeof(user_msg), -+ _("Your password has expired. 
" -+ "You have %d grace login(s) remaining."), -+ grace); -+ if (ret < 0 || ret >= sizeof(user_msg)) { -+ D(("snprintf failed.")); -+ return PAM_SYSTEM_ERR; -+ } -+ ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL); -+ -+ if (ret != PAM_SUCCESS) { -+ D(("do_pam_conversation failed.")); -+ return PAM_SYSTEM_ERR; -+ } -+ -+ return PAM_SUCCESS; -+} -+ -+#define MINSEC 60 -+#define HOURSEC (60*MINSEC) -+#define DAYSEC (24*HOURSEC) -+static int user_info_expire_warn(pam_handle_t *pamh, -+ size_t buflen, -+ uint8_t *buf) -+{ -+ int ret; -+ uint32_t expire; -+ char user_msg[256]; -+ const char* unit="second(s)"; -+ -+ if (buflen != 2* sizeof(uint32_t)) { -+ D(("User info response data has the wrong size")); -+ return PAM_BUF_ERR; -+ } -+ memcpy(&expire, buf + sizeof(uint32_t), sizeof(uint32_t)); -+ if (expire >= DAYSEC) { -+ expire /= DAYSEC; -+ unit = "day(s)"; -+ } else if (expire >= HOURSEC) { -+ expire /= HOURSEC; -+ unit = "hour(s)"; -+ } else if (expire >= MINSEC) { -+ expire /= MINSEC; -+ unit = "minute(s)"; -+ } -+ -+ ret = snprintf(user_msg, sizeof(user_msg), -+ _("Your password will expire in %d %s."), expire, unit); -+ if (ret < 0 || ret >= sizeof(user_msg)) { -+ D(("snprintf failed.")); -+ return PAM_SYSTEM_ERR; -+ } -+ ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL); -+ -+ if (ret != PAM_SUCCESS) { -+ D(("do_pam_conversation failed.")); -+ return PAM_SYSTEM_ERR; -+ } -+ -+ return PAM_SUCCESS; -+} -+ - static int user_info_offline_auth_delayed(pam_handle_t *pamh, size_t buflen, - uint8_t *buf) - { -@@ -563,6 +639,12 @@ static int eval_user_info_response(pam_handle_t *pamh, size_t buflen, - case SSS_PAM_USER_INFO_OFFLINE_AUTH: - ret = user_info_offline_auth(pamh, buflen, buf); - break; -+ case SSS_PAM_USER_INFO_GRACE_LOGIN: -+ ret = user_info_grace_login(pamh, buflen, buf); -+ break; -+ case SSS_PAM_USER_INFO_EXPIRE_WARN: -+ ret = user_info_expire_warn(pamh, buflen, buf); -+ break; - case 
SSS_PAM_USER_INFO_OFFLINE_AUTH_DELAYED: - ret = user_info_offline_auth_delayed(pamh, buflen, buf); - break; -diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h -index 2edd158..f387265 100644 ---- a/src/sss_client/sss_cli.h -+++ b/src/sss_client/sss_cli.h -@@ -377,13 +377,22 @@ enum user_info_type { - * possible to change the password while - * the system is offline. This message - * is generated by the PAM responder. */ -- SSS_PAM_USER_INFO_CHPASS_ERROR /**< Tell the user that a password change -- * failed and optionally give a reason. -- * @param Size of the message as unsigned -- * 32-bit integer value. A value of 0 -- * indicates that no message is following. -- * @param String with the specified -- * length. */ -+ SSS_PAM_USER_INFO_CHPASS_ERROR, /**< Tell the user that a password change -+ * failed and optionally give a reason. -+ * @param Size of the message as unsigned -+ * 32-bit integer value. A value of 0 -+ * indicates that no message is following. -+ * @param String with the specified -+ * length. */ -+ SSS_PAM_USER_INFO_GRACE_LOGIN, /**< Warn the user that the password is -+ * expired and inform about the remaining -+ * number of grace logins. -+ * @param The number of remaining grace -+ * logins as uint32_t */ -+ SSS_PAM_USER_INFO_EXPIRE_WARN /**< Warn the user that the password will -+ * expire soon. -+ * @param Number of seconds before the user's -+ * password will expire. */ - }; - /** - * @} --- -1.7.0.2 - diff --git a/0003-ldap-provider-ld-flags.patch b/0003-ldap-provider-ld-flags.patch deleted file mode 100644 index 087ae76..0000000 --- a/0003-ldap-provider-ld-flags.patch +++ /dev/null 
@@ -1,29 +0,0 @@
-From 840bb425fe0cb6f4904d5610ffd1fdfd9eed235d Mon Sep 17 00:00:00 2001
-From: Ralf Haferkamp
-Date: Wed, 31 Mar 2010 10:40:13 +0200
-Subject: [PATCH] ldap provider ld flags
-
-The LDAP provider needs to be linked against libdhash
----
- src/Makefile.am | 2 ++
- 1 files changed, 2 insertions(+), 0 deletions(-)
-
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 6d46cda..6f14eee 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -717,9 +717,11 @@ libsss_ldap_la_SOURCES = \
- util/sss_krb5.c
- libsss_ldap_la_CFLAGS = \
- $(AM_CFLAGS) \
-+ $(DHASH_CFLAGS) \
- $(LDAP_CFLAGS) \
- $(KRB5_CFLAGS)
- libsss_ldap_la_LIBADD = \
-+ $(DHASH_LIBS) \
- $(OPENLDAP_LIBS) \
- $(KRB5_LIBS)
- libsss_ldap_la_LDFLAGS = \
---
-1.7.0.2
-
diff --git a/0004-init-script-dependencies.patch b/0004-init-script-dependencies.patch
deleted file mode 100644
index 326a9c2..0000000
--- a/0004-init-script-dependencies.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From b9090cb4d12147267a4fb1ad9bb74bb226bcbe34 Mon Sep 17 00:00:00 2001
-From: Ralf Haferkamp
-Date: Wed, 31 Mar 2010 12:21:21 +0200
-Subject: [PATCH] init script dependencies
-
----
- src/sysv/SUSE/sssd | 4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/sysv/SUSE/sssd b/src/sysv/SUSE/sssd
-index 2f98c21..262ecde 100644
---- a/src/sysv/SUSE/sssd
-+++ b/src/sysv/SUSE/sssd
-@@ -1,10 +1,10 @@
- #!/bin/sh
- ### BEGIN INIT INFO
- # Provides: sssd
--# Required-Start: $remote_fs $time
-+# Required-Start: $network $remote_fs $time
- # Should-Start: $syslog
- # Should-Stop: $syslog
--# Required-Stop: $remote_fs
-+# Required-Stop: $network $remote_fs $time
- # Default-Start: 3 5
- # Default-Stop: 0 1 2 4 6
- # Short-Description: System Security Services Daemon
---
-1.7.0.2
-
diff --git a/baselibs.conf b/baselibs.conf
deleted file mode 100644
index 22e0a35..0000000
--- a/baselibs.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-sssd
- supplements "packageand(sssd:pam-)"
- supplements "packageand(sssd:glibc-)"
- -/usr/lib(64)?/*
diff --git a/sssd-1.0.5.tar.gz b/sssd-1.0.5.tar.gz
new file mode 100644
index 0000000..e895b79
--- /dev/null
+++ b/sssd-1.0.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2f3a8dca78a14b03e1a273fa7cfe5598120b83aa7477ab4c467a7dcd655c9017
+size 2688987
diff --git a/sssd-1.1.0.tar.gz b/sssd-1.1.0.tar.gz
deleted file mode 100644
index 8d8f9d4..0000000
--- a/sssd-1.1.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6b7805445f2f04505c26186d112bf3c53f6fd0e374a7ded476bfc1185b7c13be
-size 2838565
diff --git a/sssd.changes b/sssd.changes
index 2cf79d0..22304b5 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,31 +1,3 @@ -------------------------------------------------------------------- -Wed Mar 31 14:02:43 UTC 2010 - rhafer@novell.com - -- Package pam- and nss-Modules as baselibs -- cleaned up file list and dependencies -- fixed init script dependencies - -------------------------------------------------------------------- -Wed Mar 31 07:57:25 UTC 2010 - rhafer@novell.com - -- Updated to 1.1.0 - * Support for IPv6 - * Support for LDAP referrals - * Offline failed login counter - * Fix for the long-standing cache cleanup performance issues - * libini_config, libcollection, libdhash, libref_array and - libpath_utils are now built as shared libraries for general - consumption (libref_array and libpath_utils are currently not - packaged, as no component in sssd links against them) - * Users get feedback from PAM if they authenticated offline - * Native local backend now has a utility to show nested memberships - (sss_groupshow) - * New "simple" access provider for easy restriction of users -- Backported libcrypto support from master to avoid Mozilla NSS - dependency -- Backported password policy improvments for LDAP provider from - master - ------------------------------------------------------------------- Mon Mar 8 14:06:29 UTC 2010 - rhafer@novell.com diff --git a/sssd.spec b/sssd.spec index 081deb4..2c2cf63 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -18,25 +18,18 @@ Name: sssd -Version: 1.1.0 -Release: 0 +Version: 1.0.5 +Release: 2 Group: System/Daemons Summary: System Security Services Daemon -License: GPLv3+ and LGPLv3+ -URL: https://fedorahosted.org/sssd/ -Source0: %{name}-%{version}.tar.gz -Source1: baselibs.conf -Patch1: 0001-Added-option-to-use-libcrypto-instead-of-NSS.patch -Patch2: 0002-Improvements-for-LDAP-Password-Policy-support.patch -Patch3: 0003-ldap-provider-ld-flags.patch -Patch4: 0004-init-script-dependencies.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-build +# The entire source code is GPLv3+ except replace/ which is LGPLv3+ +License: GPLv3+ and LGPLv3+ +Url: https://fedorahosted.org/sssd/ +Source0: %{name}-%{version}.tar.gz +Patch0: 0001-by-default-use-logfiles-for-debug-messages.dif +BuildRoot: %{_tmppath}/%{name}-%{version}-build -%define dhash_version 0.4.0 -%define path_utils_version 0.2.0 -%define collection_version 0.4.0 -%define ini_config_version 0.4.0 -%define refarray_version 0.1.0 +### Patches ### ### Dependencies ### %define servicename sssd 
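Review bot: `Version:` moves backwards from 1.1.0 to 1.0.5 in this hunk and no `Epoch:` is visible, so hosts that already have 1.1.0 installed will presumably not take this build as an update. The same hunk drops Patch1 through Patch4, including the LDAP password-policy patch and the libcrypto option, while the sssd.changes hunk deletes the matching entries instead of adding one that explains the rollback. A changelog line stating why 1.0.5 is being restored would keep the downgrade auditable. `Patch0` is declared here, but its `%patch0` application in `%prep` lies outside the hunk, so confirm it is actually applied.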
@@ -45,26 +38,29 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build %define pipepath %{sssdstatedir}/pipes ### Build Dependencies ### -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: libtool -BuildRequires: m4 -BuildRequires: popt-devel -BuildRequires: libtalloc-devel -BuildRequires: libtevent-devel -BuildRequires: libtdb-devel -BuildRequires: libldb-devel -BuildRequires: dbus-1-devel -BuildRequires: openldap2-devel -BuildRequires: pam-devel -BuildRequires: pkg-config -BuildRequires: pcre-devel -BuildRequires: libxslt -BuildRequires: libxml2 -BuildRequires: docbook-xsl-stylesheets -BuildRequires: krb5-devel -BuildRequires: libcares-devel -BuildRequires: python-devel + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool +BuildRequires: m4 +BuildRequires: popt-devel +BuildRequires: libtalloc-devel +BuildRequires: libtevent-devel +BuildRequires: libtdb-devel +BuildRequires: libldb-devel +BuildRequires: dbus-1-devel +BuildRequires: openldap2-devel +BuildRequires: pam-devel +BuildRequires: pkg-config +BuildRequires: mozilla-nss-devel +BuildRequires: mozilla-nspr-devel +BuildRequires: pcre-devel +BuildRequires: libxslt +BuildRequires: libxml2 +BuildRequires: docbook-xsl-stylesheets +BuildRequires: krb5-devel +BuildRequires: libcares-devel +BuildRequires: python-devel %description Provides a set of daemons to manage access to remote directories and 
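Review bot: Only `BuildRequires: mozilla-nss-devel` and `BuildRequires: mozilla-nspr-devel` are new in this hunk. The other twenty entries are removed and re-added with what appears to be different spacing only, which buries the one dependency change a reviewer needs to see. Leaving the existing lines untouched and adding the two new ones after `pkg-config` would make the return to an NSS build dependency obvious. A short comment above them would explain it, for example `# NSS/NSPR are needed again: the libcrypto patch is no longer applied`.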
@@ -103,78 +99,11 @@ Group: Development/Libraries/Python Provide python module to access and manage configuration of the System Security Services Daemon (sssd). -%package -n libdhash1 -Summary: Dynamic hash table -Group: Development/Libraries/C and C++ -Version: %{dhash_version} -License: LGPLv3+ - -%description -n libdhash1 -A hash table which will dynamically resize to achieve optimal storage & access -time properties - -%package -n libdhash-devel -Summary: Development files for libdhash -Group: Development/Libraries/C and C++ -Version: %{dhash_version} -Requires: libdhash1 = %{dhash_version} -License: LGPLv3+ - -%description -n libdhash-devel -A hash table which will dynamically resize to achieve optimal storage & access -time properties - -%package -n libcollection1 -Summary: Collection data-type for C -Group: Development/Libraries/C and C++ -Version: %{collection_version} -License: LGPLv3+ - -%description -n libcollection1 -A data-type to collect data in a heirarchical structure for easy iteration -and serialization - -%package -n libcollection-devel -Summary: Development files for libcollection -Group: Development/Libraries/C and C++ -Version: %{collection_version} -Requires: libcollection1 = %{collection_version} -License: LGPLv3+ - -%description -n libcollection-devel -A data-type to collect data in a heirarchical structure for easy iteration -and serialization - -%package -n libini_config1 -Summary: INI file parser for C -Group: Development/Libraries/C and C++ -Version: %{ini_config_version} -License: LGPLv3+ - -%description -n libini_config1 -Library to process config files in INI format into a libcollection data -structure - -%package -n libini_config-devel -Summary: Development files for libini_config -Group: Development/Libraries/C and C++ -Version: %{ini_config_version} -Requires: libini_config1 = %{ini_config_version} -License: LGPLv3+ - -%description -n libini_config-devel -Library to process config files in INI format into a libcollection data 
-structure - %prep %setup -q -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 +%patch0 -p1 %build -autoreconf export LDB_LIBS="-lldb" export LDB_CFLAGS="-I/usr/include" %configure \ @@ -183,7 +112,6 @@ export LDB_CFLAGS="-I/usr/include" --with-pipe-path=%{pipepath} \ --with-init-dir=%{_initrddir} \ --enable-nsslibdir=/%{_lib} \ - --enable-cryptp=yes \ --with-ldb-lib-dir=%{_libdir}/ldb \ --with-selinux=no 
@@ -196,85 +124,41 @@ rm -rf $RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT # Copy default sssd.conf file -install -d $RPM_BUILD_ROOT/%{_sysconfdir}/sssd -install -m600 src/examples/sssd.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf -install src/sysv/SUSE/sssd $RPM_BUILD_ROOT%{_sysconfdir}/init.d/sssd +mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd +install -m600 server/examples/sssd.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf +install server/sysv/SUSE/sssd $RPM_BUILD_ROOT%{_sysconfdir}/init.d/sssd ln -sf ../../etc/init.d/sssd $RPM_BUILD_ROOT/usr/sbin/rcsssd # Remove .la files created by libtool rm -f \ $RPM_BUILD_ROOT/%{_lib}/libnss_sss.la \ $RPM_BUILD_ROOT/%{_lib}/security/pam_sss.la \ - $RPM_BUILD_ROOT/%{_libdir}/*.la \ $RPM_BUILD_ROOT/%{_libdir}/ldb/memberof.la \ $RPM_BUILD_ROOT/%{_libdir}/python2.6/site-packages/pysss.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ldap.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_krb5.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ipa.la \ - $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_simple.la \ $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la -rm $RPM_BUILD_ROOT/%{_libdir}/*.a %find_lang sss_daemon -#%find_lang sss_client -#cat sss_client.lang >> sss_daemon.lang - -install -d $RPM_BUILD_ROOT/%{_docdir}/dhash -mv $RPM_BUILD_ROOT/%{_datarootdir}/doc/dhash/* $RPM_BUILD_ROOT/%{_docdir}/dhash - -# remove currently unused libraries -rm -f \ - $RPM_BUILD_ROOT/%{_libdir}/libref_array.* \ - $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/ref_array.pc \ - $RPM_BUILD_ROOT/%{_prefix}/include/ref_array*.h \ - $RPM_BUILD_ROOT/%{_libdir}/libpath_utils.* \ - $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/path_utils.pc \ - $RPM_BUILD_ROOT/%{_prefix}/include/path_utils.h - - - +%find_lang sss_client +cat sss_client.lang >> sss_daemon.lang %clean rm -rf $RPM_BUILD_ROOT -%post -p /sbin/ldconfig - -%preun -%stop_on_removal sssd - -%postun -/sbin/ldconfig -%restart_on_update sssd 
-%insserv_cleanup - -%post -n libdhash1 -p /sbin/ldconfig - -%postun -n libdhash1 -p /sbin/ldconfig - -%post -n libcollection1 -p /sbin/ldconfig - -%postun -n libcollection1 -p /sbin/ldconfig - -%post -n libini_config1 -p /sbin/ldconfig - -%postun -n libini_config1 -p /sbin/ldconfig - %files -f sss_daemon.lang %defattr(-,root,root,-) %doc COPYING %{_initrddir}/%{name} %{_sbindir}/sssd %{_sbindir}/rcsssd -%dir %{_libdir}/%{name} -%dir %{_libexecdir}/%{name} -%{_libexecdir}/%{name}/sss* -%{_libexecdir}/%{name}/*_child -%{_libexecdir}/%{name}/upgrade_config.py +%{_libexecdir}/%{servicename}/ +%dir %{_libdir}/%{name}/ %{_libdir}/%{name}/libsss_krb5* %{_libdir}/%{name}/libsss_ldap* %{_libdir}/%{name}/libsss_proxy* -%{_libdir}/%{name}/libsss_simple* %{_libdir}/ldb/memberof.so %{_libdir}/krb5/plugins/libkrb5/* %dir %{sssdstatedir} @@ -290,12 +174,10 @@ rm -rf $RPM_BUILD_ROOT %config %{_sysconfdir}/sssd/sssd.api.d/sssd-ldap.conf %config %{_sysconfdir}/sssd/sssd.api.d/sssd-local.conf %config %{_sysconfdir}/sssd/sssd.api.d/sssd-proxy.conf -%config %{_sysconfdir}/sssd/sssd.api.d/sssd-simple.conf /%{_lib}/libnss_sss.so.2 /%{_lib}/security/pam_sss.so %{_mandir}/man5/sssd-krb5.* %{_mandir}/man5/sssd-ldap.* -%{_mandir}/man5/sssd-simple.* %{_mandir}/man5/sssd.conf.* %files tools @@ -307,7 +189,6 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/sss_groupadd %{_sbindir}/sss_groupdel %{_sbindir}/sss_groupmod -%{_sbindir}/sss_groupshow %files ipa-provider %defattr(-,root,root,-) 
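Review bot: In the `# Copy default sssd.conf file` step of the `@@ -196,85 +124,41 @@` hunk, `mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd` creates the configuration directory with whatever mode the build umask yields, while the file placed in it is installed with `-m600`. The `%files` section uses `%defattr(-,root,root,-)`, so the packaged directory mode is taken from the build root unless an `%attr` entry outside this hunk overrides it. Since the configuration is treated as sensitive, give the directory an explicit restrictive mode as well, for example `install -d -m 0700 $RPM_BUILD_ROOT/%{_sysconfdir}/sssd`.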
@@ -321,35 +202,15 @@ rm -rf $RPM_BUILD_ROOT %{python_sitelib}/*.py* %{python_sitelib}/*.egg-info -%files -n libdhash1 -%defattr(-,root,root,-) -%{_libdir}/libdhash.so.* +%post +/sbin/ldconfig -%files -n libdhash-devel -%defattr(-,root,root,-) -%{_libdir}/libdhash.so -%{_libdir}/pkgconfig/dhash.pc -%{_prefix}/include/dhash.h -%doc %{_docdir}/dhash +%preun +%stop_on_removal sssd -%files -n libini_config1 -%defattr(-,root,root,-) -%{_libdir}/libini_config.so.* - -%files -n libini_config-devel -%defattr(-,root,root,-) -%{_libdir}/libini_config.so -%{_libdir}/pkgconfig/ini_config.pc -%{_prefix}/include/ini_config.h - -%files -n libcollection1 -%defattr(-,root,root,-) -%{_libdir}/libcollection.so.* - -%files -n libcollection-devel -%defattr(-,root,root,-) -%{_libdir}/libcollection.so -%{_libdir}/pkgconfig/collection.pc -%{_prefix}/include/collection*.h +%postun +/sbin/ldconfig +%restart_on_update sssd +%insserv_cleanup %changelog
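Review bot: The relocated `%post` is now a shell scriptlet whose only command is `/sbin/ldconfig`. The one-line form `%post -p /sbin/ldconfig` runs the program directly without a shell, and rpmlint flags the shell form as a one-line command in `%post`. `%postun` has to stay a shell scriptlet because it also calls `%restart_on_update sssd` and `%insserv_cleanup`. Placing the three scriptlets after the last `%files` section also separates them from `%clean`; keeping them ahead of the first `%files` would match the usual spec layout.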