Accepting request 77656 from network:ldap

bnc#705768,bnc#709747	
 (forwarded request 77655 from rhafer)

OBS-URL: https://build.opensuse.org/request/show/77656
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=28
Sascha Peilicke 2011-08-02 11:56:12 +00:00 committed by Git OBS Bridge
commit 1419b73cee
5 changed files with 152 additions and 3 deletions


@ -0,0 +1,53 @@
From 151681511c4519463c2fe10c656db29a12c01821 Mon Sep 17 00:00:00 2001
From: Simo Sorce <ssorce@redhat.com>
Date: Thu, 28 Jul 2011 15:15:26 -0400
Subject: sss_client: avoid leaking file descriptors
If a pam or nss module is dlcolse()d and unloaded we were leaking
the file descriptor used to communicate to sssd in the process.
Make sure the fucntion used to close the socket file descriptor is
called on dlclose()
Silence autoconf 2.28 warnings (Patch by Jakub Hrozek)
diff --git a/configure.ac b/configure.ac
index 84b83eb..c0b7f8f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -170,6 +170,18 @@ AC_CHECK_HEADERS([sys/inotify.h])
AC_CHECK_HEADERS([sasl/sasl.h],,AC_MSG_ERROR([Could not find SASL headers]))
+AC_CACHE_CHECK([whether compiler supports __attribute__((destructor))],
+ sss_client_cv_attribute_destructor,
+ [AC_COMPILE_IFELSE(
+ [AC_LANG_SOURCE([__attribute__((destructor)) static void cleanup(void) { }])],
+ sss_client_cv_attribute_destructor=yes)
+ ])
+
+if test x"$sss_client_cv_attribute_destructor" = xyes ; then
+ AC_DEFINE(HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR, 1,
+ [whether compiler supports __attribute__((destructor))])
+fi
+
PKG_CHECK_MODULES([CHECK], [check >= 0.9.5], [have_check=1], [have_check=])
if test x$have_check = x; then
AC_MSG_WARN([Without the 'CHECK' libraries, you will be unable to run all tests in the 'make check' suite])
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index c17629a..5f6af41 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -55,6 +55,9 @@
int sss_cli_sd = -1; /* the sss client socket descriptor */
struct stat sss_cli_sb; /* the sss client stat buffer */
+#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
+__attribute__((destructor))
+#endif
static void sss_cli_close_socket(void)
{
if (sss_cli_sd != -1) {
--
1.7.3.4
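Review bot: The AC_COMPILE_IFELSE probe in the configure.ac hunk can answer yes on a compiler that merely ignores the attribute, because an unknown attribute is usually diagnosed with a warning and the test source still compiles; HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR is then defined, the destructor never runs, and the descriptor leak remains with no build-time sign. Consider running the probe with warnings treated as errors, and giving the `#if` in common.c an `#else` branch with a `#warning` so that a build without the destructor is visible. A short comment above the attribute would also help: `/* run at dlclose()/exit so the sssd socket is not leaked when the module is unloaded */`. The body of sss_cli_close_socket continues outside the hunk, so whether it is safe to run while another thread is mid-request cannot be judged from here.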


@ -0,0 +1,42 @@
From 587b013d0b6f8a9411617b5faac2750d2e4b7a5d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 1 Aug 2011 15:22:53 +0200
Subject: Request password control unconditionally during bind
https://fedorahosted.org/sssd/ticket/940
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index cab3657..9d543ec 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -437,10 +437,10 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
state->user_dn = user_dn;
state->pw = pw;
- ret = sdap_control_create(state->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST,
- 0, NULL, 0, &ctrls[0]);
+ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
+ 0, NULL, 0, &ctrls[0]);
if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
- DEBUG(1, ("sdap_control_create failed to create "
+ DEBUG(1, ("sss_ldap_control_create failed to create "
"Password Policy control.\n"));
goto fail;
}
@@ -1634,10 +1634,10 @@ static int sdap_rebind_proc(LDAP *ldap, LDAP_CONST char *url, ber_tag_t request,
sasl_mech = dp_opt_get_string(p->opts->basic, SDAP_SASL_MECH);
if (sasl_mech == NULL) {
- ret = sdap_control_create(p->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST,
- 0, NULL, 0, &ctrls[0]);
+ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
+ 0, NULL, 0, &ctrls[0]);
if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
- DEBUG(1, ("sdap_control_create failed to create "
+ DEBUG(1, ("sss_ldap_control_create failed to create "
"Password Policy control.\n"));
goto done;
}
--
1.7.3.4
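Review bot: Both call sites (simple_bind_send and sdap_rebind_proc) accept LDAP_NOT_SUPPORTED without logging anything, so a bind sent without the Password Policy control leaves no trace and the server's expiry or lockout information is never requested. A debug line for that case would make it diagnosable, e.g. `if (ret == LDAP_NOT_SUPPORTED) DEBUG(5, ("Password Policy control not supported, binding without it.\n"));`. The initialisation of `ctrls` is outside the hunks; it should be confirmed that `ctrls[0]` is NULL when the helper returns LDAP_NOT_SUPPORTED, so that no stale pointer reaches the bind call.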


@ -0,0 +1,33 @@
From d0bf20038fddf5ad296287fb16bc80082088b770 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Mon, 1 Aug 2011 10:48:06 -0400
Subject: Allow LDAP to decide when an expiration warning is warranted
Previously, we were only displaying expiration warnings if the
password was going to expire within a day. We'll allow LDAP to
make this decision (by whether it passes us the expiration time).
In the future, we can add an option to clamp this down to a
shorter period if the local admin prefers it.
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 3c9d760..7fcf985 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -409,9 +409,10 @@ static errno_t filter_responses(struct confdb_ctx *cdb,
}
memcpy(&expire_warn, resp->data + sizeof(uint32_t),
sizeof(uint32_t));
- if(expire_warn > pam_expiration_warning * (60 * 60 * 24)) {
- resp->do_not_send_to_client = true;
- }
+ /* TODO: Add an option to limit the display of the
+ * expiration warning to a specified number of
+ * days (e.g. 14)
+ */
break;
default:
DEBUG(7, ("User info type [%d] not filtered.\n"));
--
1.7.3.4
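Review bot: The context line `DEBUG(7, ("User info type [%d] not filtered.\n"));` in the `default:` branch has a `%d` conversion with no matching argument, which is undefined behaviour if DEBUG expands to a printf-style call; the value being switched on should be passed, but its name is outside the hunk. After the removal, `pam_expiration_warning` is no longer used in the visible lines, so if filter_responses still reads it from the configuration the setting has become a silent no-op; either drop the lookup or say in the TODO comment that the option is currently ignored. The length check guarding the `memcpy` into `expire_warn` is not visible here and is assumed to sit in the lines above the hunk.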


@ -1,3 +1,17 @@
-------------------------------------------------------------------
Tue Aug 2 08:46:53 UTC 2011 - rhafer@suse.de
- Fixed typos in configure args
- Cherry-picked password policy fixes from 1.5 branch (bnc#705768)
- switched to fd-leak fix cherry-picked from 1.5 branch
- Add /usr/sbin to the search path to make configure find nscd
(bnc#709747)
-------------------------------------------------------------------
Fri Jul 29 10:39:51 UTC 2011 - jengelh@medozas.de
- Add patches to fix an fd leak in sssd_pam
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jul 28 10:03:32 UTC 2011 - jengelh@medozas.de Thu Jul 28 10:03:32 UTC 2011 - jengelh@medozas.de


@ -26,6 +26,9 @@ License: GPLv3+ and LGPLv3+
Url: https://fedorahosted.org/sssd/ Url: https://fedorahosted.org/sssd/
Source0: %{name}-%{version}.tar.bz2 Source0: %{name}-%{version}.tar.bz2
Source1: baselibs.conf Source1: baselibs.conf
Patch1: 0001-sss_client-avoid-leaking-file-descriptors.patch
Patch2: 0002-Request-password-control-unconditionally-during-bind.patch
Patch3: 0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define servicename sssd %define servicename sssd
@ -109,23 +112,27 @@ Security Services Daemon (sssd).
%prep %prep
%setup -q %setup -q
%patch -P 1 -P 2 -P 3 -p1
%build %build
autoreconf autoreconf
export LDB_LIBS="-lldb" export LDB_LIBS="-lldb"
export LDB_CFLAGS="-I/usr/include" export LDB_CFLAGS="-I/usr/include"
# help configure find nscd
export PATH=$PATH:/usr/sbin/
%configure \ %configure \
--without-tests \
--with-db-path=%{dbpath} \ --with-db-path=%{dbpath} \
--with-pipe-path=%{pipepath} \ --with-pipe-path=%{pipepath} \
--with-pubconf-path=%{pubconfpath} \ --with-pubconf-path=%{pubconfpath} \
--with-init-dir=%{_initrddir} \ --with-init-dir=%{_initrddir} \
--enable-nsslibdir=/%{_lib} \ --enable-nsslibdir=/%{_lib} \
--enable-pammoddir=/%{_lib}/security \ --enable-pammoddir=/%{_lib}/security \
--enable-cryptp=yes \ --enable-crypto=yes \
--with-ldb-lib-dir=%{_libdir}/ldb \ --with-ldb-lib-dir=%{_libdir}/ldb \
--with-selinux=no \ --with-selinux=no \
--with-so=suse \ --with-os=suse \
--with-semanage=no --with-semanage=no
make %{?_smp_mflags} make %{?_smp_mflags}
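Review bot: The two misspelled options corrected here (`--enable-cryptp`, `--with-so`) were accepted by earlier builds, presumably because configure only warns about unrecognised options, and nothing in the %build section stops the same from happening again. Adding `--enable-option-checking=fatal \` to the `%configure` call would turn such a typo into a build failure; first check that every option the `%configure` macro itself passes is recognised by this package. A comment next to `--without-tests` saying why the test suite is disabled for this package would also help later reviewers.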