Accepting request 77656 from network:ldap

bnc#705768,bnc#709747	
 (forwarded request 77655 from rhafer)

OBS-URL: https://build.opensuse.org/request/show/77656
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=28

0001-sss_client-avoid-leaking-file-descriptors.patch

@@ -0,0 +1,53 @@
+From 151681511c4519463c2fe10c656db29a12c01821 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <ssorce@redhat.com>
+Date: Thu, 28 Jul 2011 15:15:26 -0400
+Subject: sss_client: avoid leaking file descriptors
+
+If a pam or nss module is dlcolse()d and unloaded we were leaking
+the file descriptor used to communicate to sssd in the process.
+
+Make sure the fucntion used to close the socket file descriptor is
+called on dlclose()
+
+Silence autoconf 2.28 warnings (Patch by Jakub Hrozek)
+
+diff --git a/configure.ac b/configure.ac
+index 84b83eb..c0b7f8f 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -170,6 +170,18 @@ AC_CHECK_HEADERS([sys/inotify.h])
+ 
+ AC_CHECK_HEADERS([sasl/sasl.h],,AC_MSG_ERROR([Could not find SASL headers]))
+ 
++AC_CACHE_CHECK([whether compiler supports __attribute__((destructor))],
++               sss_client_cv_attribute_destructor,
++               [AC_COMPILE_IFELSE(
++                    [AC_LANG_SOURCE([__attribute__((destructor)) static void cleanup(void) { }])],
++                    sss_client_cv_attribute_destructor=yes)
++               ])
++
++if test x"$sss_client_cv_attribute_destructor" = xyes ; then
++   AC_DEFINE(HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR, 1,
++             [whether compiler supports __attribute__((destructor))])
++fi
++
+ PKG_CHECK_MODULES([CHECK], [check >= 0.9.5], [have_check=1], [have_check=])
+ if test x$have_check = x; then
+     AC_MSG_WARN([Without the 'CHECK' libraries, you will be unable to run all tests in the 'make check' suite])
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index c17629a..5f6af41 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -55,6 +55,9 @@
+ int sss_cli_sd = -1; /* the sss client socket descriptor */
+ struct stat sss_cli_sb; /* the sss client stat buffer */
+ 
++#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
++__attribute__((destructor))
++#endif
+ static void sss_cli_close_socket(void)
+ {
+     if (sss_cli_sd != -1) {
+-- 
+1.7.3.4
+

0002-Request-password-control-unconditionally-during-bind.patch

@@ -0,0 +1,42 @@
+From 587b013d0b6f8a9411617b5faac2750d2e4b7a5d Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Mon, 1 Aug 2011 15:22:53 +0200
+Subject: Request password control unconditionally during bind
+
+https://fedorahosted.org/sssd/ticket/940
+
+diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
+index cab3657..9d543ec 100644
+--- a/src/providers/ldap/sdap_async_connection.c
++++ b/src/providers/ldap/sdap_async_connection.c
+@@ -437,10 +437,10 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
+     state->user_dn = user_dn;
+     state->pw = pw;
+ 
+-    ret = sdap_control_create(state->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST,
+-                              0, NULL, 0, &ctrls[0]);
++    ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
++                                  0, NULL, 0, &ctrls[0]);
+     if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
+-        DEBUG(1, ("sdap_control_create failed to create "
++        DEBUG(1, ("sss_ldap_control_create failed to create "
+                   "Password Policy control.\n"));
+         goto fail;
+     }
+@@ -1634,10 +1634,10 @@ static int sdap_rebind_proc(LDAP *ldap, LDAP_CONST char *url, ber_tag_t request,
+     sasl_mech = dp_opt_get_string(p->opts->basic, SDAP_SASL_MECH);
+ 
+     if (sasl_mech == NULL) {
+-        ret = sdap_control_create(p->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST,
+-                                  0, NULL, 0, &ctrls[0]);
++        ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
++                                      0, NULL, 0, &ctrls[0]);
+         if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
+-            DEBUG(1, ("sdap_control_create failed to create "
++            DEBUG(1, ("sss_ldap_control_create failed to create "
+                       "Password Policy control.\n"));
+             goto done;
+         }
+-- 
+1.7.3.4
+

0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch

@@ -0,0 +1,33 @@
+From d0bf20038fddf5ad296287fb16bc80082088b770 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Mon, 1 Aug 2011 10:48:06 -0400
+Subject: Allow LDAP to decide when an expiration warning is warranted
+
+Previously, we were only displaying expiration warnings if the
+password was going to expire within a day. We'll allow LDAP to
+make this decision (by whether it passes us the expiration time).
+
+In the future, we can add an option to clamp this down to a
+shorter period if the local admin prefers it.
+
+diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
+index 3c9d760..7fcf985 100644
+--- a/src/responder/pam/pamsrv_cmd.c
++++ b/src/responder/pam/pamsrv_cmd.c
+@@ -409,9 +409,10 @@ static errno_t filter_responses(struct confdb_ctx *cdb,
+                     }
+                     memcpy(&expire_warn, resp->data + sizeof(uint32_t),
+                            sizeof(uint32_t));
+-                    if(expire_warn > pam_expiration_warning * (60 * 60 * 24)) {
+-                        resp->do_not_send_to_client = true;
+-                    }
++                    /* TODO: Add an option to limit the display of the
++                     * expiration warning to a specified number of
++                     * days (e.g. 14)
++                     */
+                     break;
+                 default:
+                     DEBUG(7, ("User info type [%d] not filtered.\n"));
+-- 
+1.7.3.4
+

sssd.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Tue Aug  2 08:46:53 UTC 2011 - rhafer@suse.de
+
+- Fixed typos in configure args
+- Cherry-picked password policy fixes from 1.5 branch (bnc#705768)
+- switched to fd-leak fix cherry-picked from 1.5 branch
+- Add /usr/sbin to the search path to make configure find nscd
+  (bnc#709747)
+
+-------------------------------------------------------------------
+Fri Jul 29 10:39:51 UTC 2011 - jengelh@medozas.de
+
+- Add patches to fix an fd leak in sssd_pam
+
 -------------------------------------------------------------------
 Thu Jul 28 10:03:32 UTC 2011 - jengelh@medozas.de
 

sssd.spec

@@ -26,6 +26,9 @@ License:        GPLv3+ and LGPLv3+
 Url:            https://fedorahosted.org/sssd/
 Source0:        %{name}-%{version}.tar.bz2
 Source1:        baselibs.conf
+Patch1:         0001-sss_client-avoid-leaking-file-descriptors.patch
+Patch2:         0002-Request-password-control-unconditionally-during-bind.patch
+Patch3:         0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %define servicename sssd
@@ -109,23 +112,27 @@ Security Services Daemon (sssd).
 
 %prep
 %setup -q
+%patch -P 1 -P 2 -P 3 -p1
 
 %build
 autoreconf
 export LDB_LIBS="-lldb"
 export LDB_CFLAGS="-I/usr/include"
+
+# help configure find nscd
+export PATH=$PATH:/usr/sbin/
+
 %configure \
-    --without-tests \
     --with-db-path=%{dbpath} \
     --with-pipe-path=%{pipepath} \
     --with-pubconf-path=%{pubconfpath} \
     --with-init-dir=%{_initrddir} \
     --enable-nsslibdir=/%{_lib} \
     --enable-pammoddir=/%{_lib}/security \
-    --enable-cryptp=yes \
+    --enable-crypto=yes \
     --with-ldb-lib-dir=%{_libdir}/ldb \
     --with-selinux=no \
-    --with-so=suse \
+    --with-os=suse \
     --with-semanage=no
 make %{?_smp_mflags}