forked from SSSD/sssd
IPA IPA Trust WIP #69
Open: justin-stephenson wants to merge 119 commits into master from idm_idm_trust_wip
Conversation
justin-stephenson force-pushed the idm_idm_trust_wip branch 2 times, most recently from 3d8a8e8 to e839e60 on May 1, 2024 20:06
justin-stephenson force-pushed the idm_idm_trust_wip branch 2 times, most recently from 46645c8 to 52e5d99 on May 8, 2024 19:05
justin-stephenson force-pushed the idm_idm_trust_wip branch 2 times, most recently from 65e1e4e to 7d5560f on May 9, 2024 13:07
justin-stephenson force-pushed the idm_idm_trust_wip branch from 7d5560f to 69edf96 on May 22, 2024 19:15
justin-stephenson force-pushed the idm_idm_trust_wip branch from af0dbe6 to 07d6b31 on May 30, 2024 13:37
justin-stephenson force-pushed the idm_idm_trust_wip branch 2 times, most recently from d446636 to 672647d on June 3, 2024 15:27
justin-stephenson force-pushed the idm_idm_trust_wip branch 2 times, most recently from 663324e to f45272d on June 11, 2024 14:26
justin-stephenson force-pushed the idm_idm_trust_wip branch from f45272d to 69dad15 on June 17, 2024 14:51
justin-stephenson force-pushed the idm_idm_trust_wip branch 2 times, most recently from cd1143e to 6e42f11 on July 2, 2024 15:22
justin-stephenson force-pushed the idm_idm_trust_wip branch 2 times, most recently from 6aeca81 to 8eb6d9d on September 19, 2024 19:52
Refactored |
:packaging: Support of OpenSSL older than 1.0.1 was dropped Reviewed-by: Sumit Bose <[email protected]>
The krb5 backend will only return that Smartcard authentication is available if a Smartcard is present. That means if the user authenticates with a different method and a Smartcard is not present at this time 'sc_allow' will be 'false' and might overwrite a 'true' value written during a previous authentication attempt where a Smartcard was present. To avoid this we only write 'true' values. Since the default if SYSDB_LOCAL_SMARTCARD_AUTH is missing is 'false', local Smartcard authentication (offline) will still only be enabled if online Smartcard authentication was detected. Resolves: SSSD#7532 Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Justin Stephenson <[email protected]>
To allow looking up group memberships of other objects similar to user objects but with different attribute mappings, e.g. host objects in AD, a new option to provide an alternative attribute map is added. Resolves: SSSD#7590 Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Tomáš Halman <[email protected]>
Use the default AD user attribute map to look up the group membership of the AD host object. This should help to avoid issues if user attributes are overwritten in the user attribute map. Resolves: SSSD#7590 Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Tomáš Halman <[email protected]>
Reviewed-by: Tomáš Halman <[email protected]>
sss_ssh_knownhosts was only accepting a hostname or IP address, but no port number. Because token %H of ssh(1) could pass a port number, it must be accepted. The %H token can provide the hostname and port number in the following format:
hostname
canonical.host.name
IP-address
[hostname]:port
[canonical.host.name]:port
[IP-address]:port
The port is specified only when a non-default port is used. Identifiers without the brackets are also recognized in case a user invokes the tool directly. Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Tomáš Halman <[email protected]>
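The identifier formats listed in that commit message are a small but easy-to-get-wrong parsing job, because a bare IPv6 literal also contains colons. The following is an added example, not sss_ssh_knownhosts code from SSSD, of splitting an ssh(1) %H-style identifier into host and optional port. It assumes the bracketed forms from the message, treats an unbracketed `host:port` as host plus port only when there is exactly one colon and the suffix is numeric (so `2001:db8::1` stays a whole host), and rejects ports outside 1 to 65535. The struct and function names are hypothetical.

```c
/* Added example (not SSSD code): parse an ssh(1) %H-style identifier.
 * Accepted forms (assumption, based on the commit message):
 *   hostname | canonical.host.name | IP-address            -> port 0 (default)
 *   [hostname]:port | [canonical.host.name]:port | [IP-address]:port
 *   host:port without brackets, only when exactly one colon is present
 * Returns 0 on success, -1 on malformed input.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 256

struct ssh_target {
    char host[HOST_MAX];
    unsigned port;   /* 0 means "no explicit port, use the default" */
};

/* Parse a decimal port in 1..65535; the whole string must be digits. */
static int parse_port(const char *s, unsigned *port)
{
    char *end;
    unsigned long v;

    if (*s == '\0' || !isdigit((unsigned char)*s)) return -1;
    v = strtoul(s, &end, 10);
    if (*end != '\0' || v < 1 || v > 65535) return -1;
    *port = (unsigned)v;
    return 0;
}

/* Copy a bounded host substring; reject empty or oversized hosts. */
static int set_host(struct ssh_target *t, const char *start, size_t len)
{
    if (len == 0 || len >= HOST_MAX) return -1;
    memcpy(t->host, start, len);
    t->host[len] = '\0';
    return 0;
}

int parse_ssh_target(const char *id, struct ssh_target *t)
{
    const char *close;
    const char *colon;

    memset(t, 0, sizeof(*t));
    if (id == NULL || *id == '\0') return -1;

    if (id[0] == '[') {
        /* bracketed form: "[host]" or "[host]:port" */
        close = strchr(id, ']');
        if (close == NULL) return -1;
        if (set_host(t, id + 1, (size_t)(close - id - 1)) != 0) return -1;
        if (close[1] == '\0') return 0;
        if (close[1] != ':') return -1;
        return parse_port(close + 2, &t->port);
    }

    colon = strchr(id, ':');
    if (colon != NULL && strchr(colon + 1, ':') == NULL) {
        /* exactly one colon: unbracketed host:port (assumption) */
        if (set_host(t, id, (size_t)(colon - id)) != 0) return -1;
        return parse_port(colon + 1, &t->port);
    }

    /* no colon, or several colons (IPv6 literal): the whole string is the host */
    return set_host(t, id, strlen(id));
}

int main(void)
{
    /* constructed sample identifiers */
    const char *samples[] = { "host.example.com", "[host.example.com]:2222",
                              "192.0.2.10:2022", "2001:db8::1",
                              "[2001:db8::1]:2022", "[host]:99999" };
    struct ssh_target t;
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (parse_ssh_target(samples[i], &t) == 0)
            printf("%-24s -> host=%s port=%u\n", samples[i], t.host, t.port);
        else
            printf("%-24s -> rejected\n", samples[i]);
    }
    return 0;
}
```

The bracket rule is what makes the port unambiguous: once a caller can pass `[host]:port`, the parser must never split a bare IPv6 literal at its last colon, or the known-hosts lookup would query the wrong host.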
with `sss_erase_mem_securely()` Resolves: SSSD#7606 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Tomáš Halman <[email protected]>
Take a note that usage of cap_dac_override + chown to create cache path components could be changed to use cap_dac_override + (granted anyway) setuid, but not sure if it's worth the trouble. Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Pavel Březina <[email protected]>
'sssd_nss' won't handle this request anyway. Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Pavel Březina <[email protected]>
This is an addition to SSSD#7667 Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Pavel Březina <[email protected]> Reviewed-by: Sumit Bose <[email protected]>
Test transformation of bash-ldap-id-ldap-auth netgroup Reviewed-by: Dan Lavu <[email protected]> Reviewed-by: Iker Pedrosa <[email protected]>
Reviewed-by: Justin Stephenson <[email protected]>
Reviewed-by: Sumit Bose <[email protected]>
Currently, the test will blindly fail if someone carelessly adds IPA to the topologies. Reviewed-by: Pavel Březina <[email protected]>
Resolves: SSSD#7715 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Shridhar Gadekar <[email protected]>
OSError from 'sss_analyze error list' PermissionError from 'sss_analyze request list' run without sudo Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Tomáš Halman <[email protected]>
It looks like in current code the assumption is that the nsupdate command can just send its debug output into the backend log by duplicating the file descriptor. This won't work since the log file is opened with O_CLOEXEC so that it is closed when nsupdate is started. Additionally it is questionable if this approach is a good idea because it would lead to a random intermixing of debug information. This patch collects the output on stderr of nsupdate separately and adds it into the backend log similar to the input sent to nsupdate. Reviewed-by: Pavel Březina <[email protected]> Reviewed-by: Tomáš Halman <[email protected]>
Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Jakub Vávra <[email protected]>
… empty SSSD fails to store users if any of the requested attribute is empty Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Jakub Vávra <[email protected]>
This fixes mh critical tests that are failing. Reviewed-by: Shridhar Gadekar <[email protected]>
Would reformat system/tests/test_ldap.py Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Jakub Vávra <[email protected]>
DNS-over-TLS is a new standard for encrypting DNS traffic. SSSD does not implement DoT itself but relies on other components of the system. This modification allows us to set DoT for dynamic DNS updates. :config: the `dyndns_server` option is extended so it can be in the form of a URI (dns+tls://1.2.3.4:853#servername). A new set of options `dyndns_dot_cacert`, `dyndns_dot_cert` and `dyndns_dot_key` allows configuring DNS-over-TLS communication. :relnote: DoT for dynamic DNS updates is supported now. It requires a new version of `nsupdate` from BIND 9.19+. Reviewed-by: Alexander Bokovoy <[email protected]> Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Pavel Březina <[email protected]>
Similar to AD server/service discovery initialization, allows callers to provide a service, and not just use "IPA"
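The `dns+tls://1.2.3.4:853#servername` form above packs three things a client must validate before handing them to nsupdate: the scheme, the server address with an optional port, and the fragment that names the server for TLS certificate verification. The following is an added example, not SSSD's `dyndns_server` parser, showing such validation. It assumes the scheme must be exactly `dns+tls`, that the port defaults to 853 when omitted, that a bracketed IPv6 host is allowed, and that a missing `#servername` is rejected because without it there is no name to verify the certificate against. Names such as `parse_dot_uri` and `struct dot_server` are hypothetical.

```c
/* Added example (not SSSD code): validate and split a dyndns_server URI of
 * the form dns+tls://HOST[:PORT]#SERVERNAME. Assumptions: scheme "dns+tls"
 * only, default port 853, IPv6 host in brackets, fragment required.
 * Returns 0 on success, -1 on rejection.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DOT_MAX 256
#define DOT_DEFAULT_PORT 853

struct dot_server {
    char host[DOT_MAX];        /* address or name to connect to */
    char servername[DOT_MAX];  /* name the TLS certificate is checked against */
    unsigned port;
};

static int copy_part(char *dst, const char *src, size_t len)
{
    if (len == 0 || len >= DOT_MAX) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

int parse_dot_uri(const char *uri, struct dot_server *out)
{
    static const char prefix[] = "dns+tls://";
    const char *p, *hash, *host_start, *host_end, *port_str = NULL;
    char *end;
    unsigned long v;

    memset(out, 0, sizeof(*out));
    out->port = DOT_DEFAULT_PORT;
    if (uri == NULL || strncmp(uri, prefix, sizeof(prefix) - 1) != 0) return -1;
    p = uri + sizeof(prefix) - 1;

    /* the fragment carries the certificate name; refuse a URI without it */
    hash = strchr(p, '#');
    if (hash == NULL || hash[1] == '\0') return -1;
    if (copy_part(out->servername, hash + 1, strlen(hash + 1)) != 0) return -1;

    host_start = p;
    if (*p == '[') {
        /* bracketed IPv6 literal, optionally followed by :port */
        host_start = p + 1;
        host_end = memchr(p, ']', (size_t)(hash - p));
        if (host_end == NULL) return -1;
        if (host_end + 1 < hash) {
            if (host_end[1] != ':') return -1;
            port_str = host_end + 2;
        }
    } else {
        host_end = memchr(p, ':', (size_t)(hash - p));
        if (host_end == NULL) host_end = hash;
        else port_str = host_end + 1;
    }
    if (copy_part(out->host, host_start, (size_t)(host_end - host_start)) != 0) return -1;

    if (port_str != NULL) {
        /* digits only, bounded by the '#' and the valid port range */
        if (port_str >= hash || !isdigit((unsigned char)*port_str)) return -1;
        v = strtoul(port_str, &end, 10);
        if (end != hash || v < 1 || v > 65535) return -1;
        out->port = (unsigned)v;
    }
    return 0;
}

int main(void)
{
    /* constructed sample values; 1.2.3.4 is the address from the commit message */
    const char *samples[] = { "dns+tls://1.2.3.4:853#servername",
                              "dns+tls://[2001:db8::1]#dns.example.com",
                              "dns+tls://1.2.3.4:853",
                              "dns://1.2.3.4:53#x" };
    struct dot_server s;
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (parse_dot_uri(samples[i], &s) == 0)
            printf("%-44s -> host=%s port=%u servername=%s\n",
                   samples[i], s.host, s.port, s.servername);
        else
            printf("%-44s -> rejected\n", samples[i]);
    }
    return 0;
}
```

Rejecting a URI with no fragment is the defensive choice here: a DoT connection whose peer name is unknown can still encrypt the update, but it cannot tell a legitimate resolver from an interposed one.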
ipa_srv_* functions will handle IPA and AD subdomains, not only AD.
After b3d7a4f we no longer use the 'upn' variable. During certain codepaths to ipa_s2n_save_objects() SYSDB_UPN is expected to be missing, so no need to check for it.
This gets executed when a one-way or two-way trust ipa is added. Rename this to avoid confusion.
SSSD goes offline in IPA trusted user lookup due to the IPA user private group: [ipa_get_ad_acct_ad_part_done] (0x0020): [RID#7] Cannot find a SID. In IPA-IPA trust, user private groups do not contain a SID. Look up the equivalent user object of the same name in IPA and use this SID instead.
Don't fail when processing the IPA user private group retrieved from the IPA server in a trusted user lookup. It is expected this object will have no SID.
justin-stephenson force-pushed the idm_idm_trust_wip branch from 8eb6d9d to 007f3f1 on December 5, 2024 13:55
No description provided.