diff --git a/0001-sss_client-avoid-leaking-file-descriptors.patch b/0001-sss_client-avoid-leaking-file-descriptors.patch
deleted file mode 100644
index 46aaa28..0000000
--- a/0001-sss_client-avoid-leaking-file-descriptors.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 151681511c4519463c2fe10c656db29a12c01821 Mon Sep 17 00:00:00 2001
-From: Simo Sorce
-Date: Thu, 28 Jul 2011 15:15:26 -0400
-Subject: sss_client: avoid leaking file descriptors
-
-If a pam or nss module is dlcolse()d and unloaded we were leaking
-the file descriptor used to communicate to sssd in the process.
-
-Make sure the fucntion used to close the socket file descriptor is
-called on dlclose()
-
-Silence autoconf 2.28 warnings (Patch by Jakub Hrozek)
-
-diff --git a/configure.ac b/configure.ac
-index 84b83eb..c0b7f8f 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -170,6 +170,18 @@ AC_CHECK_HEADERS([sys/inotify.h])
- 
- AC_CHECK_HEADERS([sasl/sasl.h],,AC_MSG_ERROR([Could not find SASL headers]))
- 
-+AC_CACHE_CHECK([whether compiler supports __attribute__((destructor))],
-+ sss_client_cv_attribute_destructor,
-+ [AC_COMPILE_IFELSE(
-+ [AC_LANG_SOURCE([__attribute__((destructor)) static void cleanup(void) { }])],
-+ sss_client_cv_attribute_destructor=yes)
-+ ])
-+
-+if test x"$sss_client_cv_attribute_destructor" = xyes ; then
-+ AC_DEFINE(HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR, 1,
-+ [whether compiler supports __attribute__((destructor))])
-+fi
-+
- PKG_CHECK_MODULES([CHECK], [check >= 0.9.5], [have_check=1], [have_check=])
- if test x$have_check = x; then
- AC_MSG_WARN([Without the 'CHECK' libraries, you will be unable to run all tests in the 'make check' suite])
-diff --git a/src/sss_client/common.c b/src/sss_client/common.c
-index c17629a..5f6af41 100644
---- a/src/sss_client/common.c
-+++ b/src/sss_client/common.c
-@@ -55,6 +55,9 @@
- int sss_cli_sd = -1; /* the sss client socket descriptor */
- struct stat sss_cli_sb; /* the sss client stat buffer */
- 
-+#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
-+__attribute__((destructor))
-+#endif
- static void sss_cli_close_socket(void)
- {
- if (sss_cli_sd != -1) {
--- 
-1.7.3.4
-
diff --git a/0002-Request-password-control-unconditionally-during-bind.patch b/0002-Request-password-control-unconditionally-during-bind.patch
deleted file mode 100644
index 9992abf..0000000
--- a/0002-Request-password-control-unconditionally-during-bind.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 587b013d0b6f8a9411617b5faac2750d2e4b7a5d Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek
-Date: Mon, 1 Aug 2011 15:22:53 +0200
-Subject: Request password control unconditionally during bind
-
-https://fedorahosted.org/sssd/ticket/940
-
-diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
-index cab3657..9d543ec 100644
---- a/src/providers/ldap/sdap_async_connection.c
-+++ b/src/providers/ldap/sdap_async_connection.c
-@@ -437,10 +437,10 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
- state->user_dn = user_dn;
- state->pw = pw;
- 
-- ret = sdap_control_create(state->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST,
-- 0, NULL, 0, &ctrls[0]);
-+ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
-+ 0, NULL, 0, &ctrls[0]);
- if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
-- DEBUG(1, ("sdap_control_create failed to create "
-+ DEBUG(1, ("sss_ldap_control_create failed to create "
- "Password Policy control.\n"));
- goto fail;
- }
-@@ -1634,10 +1634,10 @@ static int sdap_rebind_proc(LDAP *ldap, LDAP_CONST char *url, ber_tag_t request,
- sasl_mech = dp_opt_get_string(p->opts->basic, SDAP_SASL_MECH);
- 
- if (sasl_mech == NULL) {
-- ret = sdap_control_create(p->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST,
-- 0, NULL, 0, &ctrls[0]);
-+ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
-+ 0, NULL, 0, &ctrls[0]);
- if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
-- DEBUG(1, ("sdap_control_create failed to create "
-+ DEBUG(1, ("sss_ldap_control_create failed to create "
- "Password Policy control.\n"));
- goto done;
- }
--- 
-1.7.3.4
-
diff --git a/0004-avoid-hard-crypto-dep.diff b/0004-avoid-hard-crypto-dep.diff
new file mode 100644
index 0000000..9710e7f
--- /dev/null
+++ b/0004-avoid-hard-crypto-dep.diff
@@ -0,0 +1,40 @@
+From: Jan Engelhardt
+Date: 2012-03-11 21:45:34.708782973 +0100
+
+build: restore libcrypto support in the autotools files.
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=802169
+
+---
+ configure.ac | 1 +
+ src/external/crypto.m4 | 4 ++--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+Index: sssd-1.8.0/configure.ac
+===================================================================
+--- sssd-1.8.0.orig/configure.ac
++++ sssd-1.8.0/configure.ac
+@@ -210,6 +210,7 @@ if test x$HAVE_SYSTEMD_UNIT != x; then
+ fi
+ 
+ AM_CHECK_NSS
++AM_CHECK_LIBCRYPTO
+ AM_CONDITIONAL([HAVE_NSS], [test x"$NSS_CFLAGS" != x])
+ 
+ AC_CHECK_HEADERS([sys/inotify.h])
+Index: sssd-1.8.0/src/external/crypto.m4
+===================================================================
+--- sssd-1.8.0.orig/src/external/crypto.m4
++++ sssd-1.8.0/src/external/crypto.m4
+@@ -1,9 +1,9 @@
+ AC_DEFUN([AM_CHECK_NSS],
+- [PKG_CHECK_MODULES([NSS],[nss])
++ [PKG_CHECK_MODULES([NSS],[nss],[:],[:])
+ AC_DEFINE_UNQUOTED(HAVE_NSS, 1, [Build with NSS crypto back end])
+ ])
+ 
+ AC_DEFUN([AM_CHECK_LIBCRYPTO],
+- [PKG_CHECK_MODULES([CRYPTO],[libcrypto])
++ [PKG_CHECK_MODULES([CRYPTO],[libcrypto],[:],[:])
+ AC_DEFINE_UNQUOTED(HAVE_LIBCRYPTO, 1, [Build with libcrypt crypto back end])
+ ])
diff --git a/0005-implicit-decl.diff b/0005-implicit-decl.diff
new file mode 100644
index 0000000..01ebb41
--- /dev/null
+++ b/0005-implicit-decl.diff
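Review bot: In the crypto.m4 part of 0004-avoid-hard-crypto-dep.diff the two `AC_DEFINE_UNQUOTED` lines stay unconditional while `[:]` is now passed as both the found and the not-found action of `PKG_CHECK_MODULES`, so `HAVE_NSS` and `HAVE_LIBCRYPTO` are both defined even when the corresponding library was not detected. For a daemon that hashes passwords this leaves the effective back end to whichever macro the sources test first (those sources are outside this patch), and a missing library shows up as a late compile or link error instead of a configure failure. Moving each define into the found action keeps the macros truthful, e.g. `[PKG_CHECK_MODULES([CRYPTO],[libcrypto],[AC_DEFINE_UNQUOTED(HAVE_LIBCRYPTO, 1, [Build with libcrypto crypto back end])],[:])`. The description string on the libcrypto define also reads `libcrypt` where `libcrypto` is meant.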
@@ -0,0 +1,28 @@
+From: Jan Engelhardt
+Date: 2012-03-11 23:31:50.889566758 +0100
+
+build: resolve compiler warnings about implicitly-defined functions
+
+crypto_sha512crypt.c: In function 'sha512_crypt_r':
+crypto_sha512crypt.c:200:9: warning: implicit declaration of
+ function 'mempcpy' [-Wimplicit-function-declaration]
+crypto_sha512crypt.c:200:14: warning: incompatible implicit
+ declaration of built-in function 'mempcpy' [enabled by default]
+crypto_sha512crypt.c:221:14: warning: incompatible implicit
+ declaration of built-in function 'mempcpy' [enabled by default]
+---
+ src/util/crypto/libcrypto/crypto_sha512crypt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: sssd-1.8.0/src/util/crypto/libcrypto/crypto_sha512crypt.c
+===================================================================
+--- sssd-1.8.0.orig/src/util/crypto/libcrypto/crypto_sha512crypt.c
++++ sssd-1.8.0/src/util/crypto/libcrypto/crypto_sha512crypt.c
+@@ -10,6 +10,7 @@
+ /* SHA512-based Unix crypt implementation.
+ Released into the Public Domain by Ulrich Drepper . */
+ 
++#define _GNU_SOURCE 1 /* mempcpy */
+ #include
+ #include
+ #include
diff --git a/sssd-1.5.11.tar.bz2 b/sssd-1.5.11.tar.bz2
deleted file mode 100644
index de4bb56..0000000
--- a/sssd-1.5.11.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:08291561197651ebe3ebee9ca993ebdcebdfe4fb10a0bab3f72ea75f21363e34
-size 1353669
diff --git a/sssd-1.8.0.tar.bz2 b/sssd-1.8.0.tar.bz2
new file mode 100644
index 0000000..77d917e
--- /dev/null
+++ b/sssd-1.8.0.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:09f5e6d9f4ab7f7ad8d2cbe818f22de416963d62b995d030ecfdd34c55e56059
+size 1733496
diff --git a/sssd.changes b/sssd.changes
index 1c89c43..743805a 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de + +- Update to new upstream release 1.8.0 +* Support for the service map in NSS +* Support for setting default SELinux user context from FreeIPA +* Support for retrieving SSH user and host keys from LDAP +* Support for caching autofs LDAP requests +* Support for caching SUDO rules +* Include the IPA AutoFS provider +* Fixed several memory-corruption bugs +* Fixed a regression in the proxy provider + ------------------------------------------------------------------- Wed Oct 19 13:56:57 UTC 2011 - rhafer@suse.de diff --git a/sssd.spec b/sssd.spec index 4ea61d9..e743bab 100644 --- a/sssd.spec +++ b/sssd.spec @@ -1,7 +1,7 @@ # # spec file for package sssd # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -14,23 +14,20 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # - - - Name: sssd -Version: 1.5.11 -Release: 2 -Group: System/Daemons +Version: 1.8.0 +Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ +Group: System/Daemons Url: https://fedorahosted.org/sssd/ Source0: %{name}-%{version}.tar.bz2 Source1: baselibs.conf -Patch1: 0001-sss_client-avoid-leaking-file-descriptors.patch -Patch2: 0002-Request-password-control-unconditionally-during-bind.patch Patch3: 0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch +Patch4: 0004-avoid-hard-crypto-dep.diff +Patch5: 0005-implicit-decl.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build -%if %suse_version > 1140 +%if %suse_version >= 1210 %{?systemd_requires} %endif 
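Review bot: The `Patch1:` and `Patch2:` lines are removed in the `@@ -14,23 +14,20 @@` hunk and the matching .patch files are deleted, but the new sssd.changes entry does not say why. Patch1 closed a socket file-descriptor leak in the NSS/PAM client and Patch2 changed how the LDAP bind requests the password-policy control, so a reader cannot tell from this commit whether 1.8.0 already carries both fixes. Presumably they were merged upstream; once that is confirmed against the 1.8.0 sources, record it in the changelog entry, e.g. `- Remove 0001-sss_client-avoid-leaking-file-descriptors.patch and 0002-Request-password-control-unconditionally-during-bind.patch (merged upstream)`.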
@@ -47,38 +44,53 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build %endif ### Build Dependencies ### +%if 0%{?suse_version} >= 1210 +BuildRequires: pkgconfig(collection) >= 0.5.1 +BuildRequires: pkgconfig(dbus-1) +BuildRequires: pkgconfig(dhash) >= 0.4.2 +BuildRequires: pkgconfig(ini_config) >= 0.6.1 +BuildRequires: pkgconfig(ldb) >= 0.9.2 +BuildRequires: pkgconfig(libcares) +BuildRequires: pkgconfig(libcrypto) +BuildRequires: pkgconfig(libnl-1) >= 1.1 +BuildRequires: pkgconfig(libpcre) >= 7 +BuildRequires: pkgconfig(popt) +BuildRequires: pkgconfig(python) +BuildRequires: pkgconfig(talloc) +BuildRequires: pkgconfig(tdb) >= 1.1.3 +BuildRequires: pkgconfig(tevent) +%else +BuildRequires: dbus-1-devel +BuildRequires: libcares-devel +BuildRequires: libcollection-devel >= 0.5.1 +BuildRequires: libdhash-devel >= 0.4.2 +BuildRequires: libini_config-devel >= 0.6.1 +BuildRequires: libldb-devel >= 0.9.2 +BuildRequires: libnl-devel >= 1.1 +BuildRequires: libopenssl-devel +BuildRequires: libtalloc-devel +BuildRequires: libtdb-devel >= 1.1.3 +BuildRequires: libtevent-devel +BuildRequires: pcre-devel >= 7 +BuildRequires: popt-devel +BuildRequires: python-devel +%endif BuildRequires: autoconf BuildRequires: automake +BuildRequires: bind-utils +BuildRequires: docbook-xsl-stylesheets +BuildRequires: krb5-devel BuildRequires: libtool -BuildRequires: m4 -BuildRequires: popt-devel -BuildRequires: libtalloc-devel -BuildRequires: libtevent-devel -BuildRequires: libtdb-devel -BuildRequires: libldb-devel -BuildRequires: libxslt +BuildRequires: libunistring-devel +# wants: xmllint, xsltproc BuildRequires: libxml2 -BuildRequires: libcares-devel -BuildRequires: dbus-1-devel +BuildRequires: libxslt +BuildRequires: nscd BuildRequires: openldap2-devel BuildRequires: pam-devel BuildRequires: pkg-config -BuildRequires: pcre-devel -BuildRequires: docbook-xsl-stylesheets -BuildRequires: krb5-devel -BuildRequires: python-devel -BuildRequires: bind-utils -BuildRequires: nscd -BuildRequires: 
libpath_utils-devel -BuildRequires: libdhash-devel -BuildRequires: libini_config-devel -BuildRequires: libcollection-devel -BuildRequires: libref_array-devel -%if %suse_version > 1140 +%if %suse_version >= 1210 BuildRequires: systemd -BuildRequires: libnl-1_1-devel -%else -BuildRequires: libnl-devel %endif %description @@ -89,8 +101,8 @@ account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA. %package ipa-provider -License: GPL-3.0+ and LGPL-3.0+ Summary: FreeIPA provider plugin for sssd +License: GPL-3.0+ and LGPL-3.0+ Group: System/Daemons Requires: sssd = %{version} @@ -99,8 +111,8 @@ This package provide the FreeIPA provider plugin for the System Security Services Daemon (sssd). %package tools -License: GPL-3.0+ and LGPL-3.0+ Summary: Commandline tools for sssd +License: GPL-3.0+ and LGPL-3.0+ Group: System/Management Requires: sssd = %{version} 
@@ -108,9 +120,38 @@ Requires: sssd = %{version} The packages contains commandline tools for managing users and groups using the "local" id provider of the System Security Services Daemon (sssd). -%package -n python-sssd-config +%package -n libipa_hbac0 +Summary: FreeIPA HBAC Evaluator library +License: LGPL-3.0+ +Group: System/Libraries + +%description -n libipa_hbac0 +Utility library to validate FreeIPA HBAC rules for authorization +requests. + +%package -n libipa_hbac-devel +Summary: Development files for the FreeIPA HBAC Evaluator library +License: LGPL-3.0+ +Group: Development/Libraries/C and C++ +Requires: libipa_hbac0 = %version + +%description -n libipa_hbac-devel +Utility library to validate FreeIPA HBAC rules for authorization +requests. + +%package -n python-ipa_hbac +Summary: Python bindings for the FreeIPA HBAC Evaluator library License: GPL-3.0+ and LGPL-3.0+ +Group: Development/Libraries/Python +%py_requires + +%description -n python-ipa_hbac +The python-ipa_hbac package contains the bindings so that libipa_hbac +can be used by Python applications. + +%package -n python-sssd-config Summary: Python API for configuring sssd +License: GPL-3.0+ and LGPL-3.0+ Group: Development/Libraries/Python %{py_requires} @@ -120,15 +161,21 @@ Security Services Daemon (sssd). %prep %setup -q -%patch -P 1 -P 2 -P 3 -p1 +%patch -P 3 -P 4 -P 5 -p1 %build autoreconf +%if 0%{?suse_version} < 1210 +# pkgconfig file not present export LDB_LIBS="-lldb" -export LDB_CFLAGS="-I/usr/include" +export LDB_CFLAGS=" " +export LDB_DIR="%_libdir/ldb" +%else +export LDB_DIR="$(pkg-config ldb --variable=modulesdir)" +%endif # help configure find nscd -export PATH=$PATH:/usr/sbin/ +export PATH="$PATH:/usr/sbin" %configure \ --with-db-path=%{dbpath} \ 
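Review bot: `export LDB_DIR="$(pkg-config ldb --variable=modulesdir)"` in the `@@ -120,15 +161,21 @@` hunk is used without checking the result. If the ldb .pc file is missing or does not define `modulesdir`, the command substitution yields an empty string and the later `--with-ldb-lib-dir="$LDB_DIR"` receives an empty path instead of stopping the build. A guard directly after the export, `test -n "$LDB_DIR" || { echo "ldb modulesdir not found" >&2; exit 1; }`, makes that failure visible in the build log. The `%build` section continues past the end of this hunk.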
@@ -137,8 +184,7 @@ export PATH=$PATH:/usr/sbin/ --with-init-dir=%{_initrddir} \ --enable-nsslibdir=/%{_lib} \ --enable-pammoddir=/%{_lib}/security \ - --enable-crypto=yes \ - --with-ldb-lib-dir=%{_libdir}/ldb \ + --with-ldb-lib-dir="$LDB_DIR" \ --with-selinux=no \ --with-os=suse \ --with-semanage=no @@ -149,9 +195,9 @@ make install DESTDIR=$RPM_BUILD_ROOT # Copy default sssd.conf file install -d $RPM_BUILD_ROOT/%{_sysconfdir}/sssd -install -m600 src/examples/sssd.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf +install -m600 src/examples/sssd-example.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf install src/sysv/SUSE/sssd $RPM_BUILD_ROOT%{_sysconfdir}/init.d/sssd -%if %suse_version > 1140 +%if %suse_version >= 1210 install -d $RPM_BUILD_ROOT/%{_unitdir} install src/sysv/systemd/sssd.service $RPM_BUILD_ROOT/%{_unitdir}/sssd.service %endif @@ -173,10 +219,7 @@ rm -rf \ %find_lang %{name} --all-name -%clean -rm -rf $RPM_BUILD_ROOT - -%if %suse_version > 1140 +%if %suse_version >= 1210 %pre %service_add_pre sssd.service @@ -184,13 +227,13 @@ rm -rf $RPM_BUILD_ROOT %post /sbin/ldconfig -%if %suse_version > 1140 +%if %suse_version >= 1210 %service_add_post sssd.service %endif %preun %stop_on_removal sssd -%if %suse_version > 1140 +%if %suse_version >= 1210 %service_del_preun sssd.service %endif @@ -198,15 +241,19 @@ rm -rf $RPM_BUILD_ROOT /sbin/ldconfig %restart_on_update sssd %insserv_cleanup -%if %suse_version > 1140 +%if %suse_version >= 1210 %service_del_postun sssd.service %endif +%post -n libipa_hbac0 -p /sbin/ldconfig + +%postun -n libipa_hbac0 -p /sbin/ldconfig + %files -f sssd.lang %defattr(-,root,root,-) %doc COPYING %{_initrddir}/%{name} -%if %suse_version > 1140 +%if %suse_version >= 1210 %{_unitdir}/sssd.service %endif %{_sbindir}/sssd 
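Review bot: Dropping `--enable-crypto=yes` from the `%configure` call in the `@@ -137,8 +184,7 @@` hunk leaves the crypto back end unstated in the spec. Together with 0004-avoid-hard-crypto-dep.diff, which makes both the nss and the libcrypto probe non-fatal, the back end the package ends up with appears to depend on what the build root contains rather than on an explicit choice. The BuildRequires list only libcrypto (`pkgconfig(libcrypto)` / `libopenssl-devel`), so the intent seems to be libcrypto; a comment above `%configure` such as `# crypto back end: libcrypto via Patch4, nss is intentionally not in BuildRequires` would record that, and the configure output is worth checking to confirm it. The `%configure` invocation starts before this hunk.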
@@ -229,35 +276,23 @@ rm -rf $RPM_BUILD_ROOT %attr(750,root,root) %dir %{_var}/log/%{name} %dir %{_sysconfdir}/sssd %config(noreplace) %{_sysconfdir}/sssd/sssd.conf -%config %{_sysconfdir}/sssd/sssd.api.conf -%attr(700,root,root) %dir %{_sysconfdir}/sssd/sssd.api.d -%config %{_sysconfdir}/sssd/sssd.api.d/sssd-krb5.conf -%config %{_sysconfdir}/sssd/sssd.api.d/sssd-ldap.conf -%config %{_sysconfdir}/sssd/sssd.api.d/sssd-local.conf -%config %{_sysconfdir}/sssd/sssd.api.d/sssd-proxy.conf -%config %{_sysconfdir}/sssd/sssd.api.d/sssd-simple.conf /%{_lib}/libnss_sss.so.2 /%{_lib}/security/pam_sss.so %{_mandir}/man5/sssd-krb5.* %{_mandir}/man5/sssd-ldap.* %{_mandir}/man5/sssd-simple.* %{_mandir}/man5/sssd.conf.* +%_datadir/sssd +%exclude %_datadir/sssd/sssd.api.d/sssd-ipa.conf %files tools %defattr(-,root,root,-) -%dir %{_mandir}/cs -%dir %{_mandir}/cs/man8 -%dir %{_mandir}/uk -%dir %{_mandir}/uk/man8 -%dir %{_mandir}/es -%dir %{_mandir}/es/man8 -%dir %{_mandir}/nl -%dir %{_mandir}/nl/man8 -%{_mandir}/man8/* -%{_mandir}/cs/man8/* -%{_mandir}/uk/man8/* -%{_mandir}/es/man8/* -%{_mandir}/nl/man8/* +%_mandir/man8/* +%dir %_mandir/?? +%dir %_mandir/??/man* +%_mandir/??/man8/* +%{_sbindir}/sss_cache +%{_sbindir}/sss_debuglevel %{_sbindir}/sss_useradd %{_sbindir}/sss_userdel %{_sbindir}/sss_usermod 
@@ -269,14 +304,32 @@ rm -rf $RPM_BUILD_ROOT %files ipa-provider %defattr(-,root,root,-) -%config %{_sysconfdir}/sssd/sssd.api.d/sssd-ipa.conf +%dir %_datadir/sssd +%dir %_datadir/sssd/sssd.api.d +%_datadir/sssd/sssd.api.d/sssd-ipa.conf %{_libdir}/sssd/libsss_ipa* %{_mandir}/man5/sssd-ipa.* +%files -n libipa_hbac0 +%defattr(-,root,root) +%_libdir/libipa_hbac.so.0* + +%files -n libipa_hbac-devel +%defattr(-,root,root) +%_includedir/ipa_hbac.h +%_libdir/libipa_hbac.so +%_libdir/pkgconfig/ipa_hbac.pc + +%files -n python-ipa_hbac +%defattr(-,root,root) +%python_sitearch/pyhbac.so + %files -n python-sssd-config -%defattr(-,root,root,-) -%{python_sitearch}/pysss.so -%{python_sitelib}/*.py* -%{python_sitelib}/*.egg-info +%defattr(-,root,root) +%python_sitearch/pysss.so +%python_sitelib/SSSDConfig*.py* +%python_sitelib/SSSDConfig*.egg-info +%python_sitelib/ipachangeconf.py* +%python_sitelib/sssd_upgrade_config.py* %changelog