ssh: use cache_req #127
Conversation
I will review this as these changes make the requested changes to the files provider code on review easier.
There is a bug when looking up keys for a user from a trusted domain:
It should be fixed. Thanks.
The code looks good to me now but I found one regression - if you set default_domain_suffix to the AD domain and try to look up a host, the ssh responder will query the AD domain. Since hosts can only be placed in the IPA domain, we should ignore the default_domain_suffix for host searches. And one more question is related to the first two patches -- looks like they are legitimate bugs in the 1.14 codebase, should we push them to 1.14 separately? If yes, I would prefer to have some better commit message with steps to reproduce the bug or at least a description.
SSH responder returned invalid number of certificates when original ad pubkey attribute was not empty. Since we always return all certificates to the client we should add number of results to the output not override it.
We store the fully qualified name in sysdb so there is no need to append the domain part again, which results in a name@domain@domain string. This field is not actually used in the ssh client so it doesn't cause any issue, but we should stay correct here.
It is not always desirable to consider default_domain from configuration but expect none instead. For example when we search host certificates. This is currently not used in this patch since host lookups parse name directly with sss_parse_name but it will be used in the next patch.
This will be used in the next plugin "host by name" where it is not desirable to use default domain suffix if set.
Sometimes it is desirable to acquire more attributes from a user object than the SYSDB_PW_ATTRS set, such as the user's public key.
Some sysdb methods don't return ldb_result as output but return ldb_message instead. Changing sysdb to be consistent is too big, so I added this helper function that will wrap the resulting message into an ldb_result.
This will allow using cache_req even for objects that do not use account requests, such as hosts.
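The three behaviours the commit messages above describe, written out as an added illustration that is not SSSD's own code: the default domain is applied to user lookups but ignored for host lookups (hosts live only in the IPA domain), the name sysdb already stores fully qualified is returned as-is instead of being re-qualified into name@domain@domain, and the number of returned keys is accumulated across the pubkey and certificate attributes rather than overwritten. The `_buggy` variants show the pre-fix behaviour; the domain names, key bytes and the `DEFAULT_DOMAIN_SUFFIX` value are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

# Constructed stand-in for default_domain_suffix from the [sssd] section of sssd.conf.
DEFAULT_DOMAIN_SUFFIX = "ad.example.test"


class LookupKind(Enum):
    USER = "user"
    HOST = "host"


@dataclass(frozen=True)
class ParsedName:
    name: str
    domain: Optional[str]  # None means "no domain given, search as the responder sees fit"


def effective_default_domain(kind: LookupKind, suffix: Optional[str]) -> Optional[str]:
    """Hosts can only be placed in the IPA domain, so a configured
    default_domain_suffix (typically a trusted AD domain) must not steer
    host searches; only user lookups honour it."""
    if kind is LookupKind.HOST:
        return None
    return suffix


def parse_name(raw: str, kind: LookupKind, suffix: Optional[str] = DEFAULT_DOMAIN_SUFFIX) -> ParsedName:
    """Split "name@domain"; fall back to the lookup-kind-aware default domain."""
    if "@" in raw:
        name, _, domain = raw.partition("@")
        return ParsedName(name, domain.lower() or None)
    return ParsedName(raw, effective_default_domain(kind, suffix))


def qualified_name_buggy(sysdb_name: str, domain: str) -> str:
    # Pre-fix behaviour: the domain is appended although sysdb already
    # stores the fully qualified name, producing name@domain@domain.
    return f"{sysdb_name}@{domain}"


def qualified_name_fixed(sysdb_name: str, domain: str) -> str:
    # sysdb holds the fully qualified name; return it unchanged.
    return sysdb_name


def count_keys_buggy(pubkeys: List[bytes], certs: List[bytes]) -> int:
    # Pre-fix behaviour: the certificate count overrides the pubkey count,
    # so the client is told fewer keys than are actually sent.
    count = len(pubkeys)
    count = len(certs)
    return count


def count_keys_fixed(pubkeys: List[bytes], certs: List[bytes]) -> int:
    # All keys are always returned, so the count must accumulate.
    count = len(pubkeys)
    count += len(certs)
    return count


if __name__ == "__main__":
    # Constructed sample inputs.
    print(parse_name("web01", LookupKind.HOST))
    print(parse_name("alice", LookupKind.USER))
    print(qualified_name_fixed("alice@ad.example.test", "ad.example.test"))
    print(count_keys_fixed([b"ssh-rsa AAAA...", b"ssh-ed25519 AAAA..."], [b"cert-1"]))
```

Run stand-alone to see the host lookup come back with no domain while the user lookup picks up the suffix; the `_buggy` functions exist only to make the regression visible side by side.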
Thanks. Fixed.
Yes, those two patches should be pushed into 1.14. I improved the commit message.
I'm afraid this is still not fixed correctly. Please check this gdb session when I requested an IPA host with a default_domain_suffix pointing to a Windows domain:
This is a bigger change since both supported commands could be rewritten for cache_req and the logic could be deleted. I decided to also split the file into more modules and follow similar pattern as with nss responder. Resolves: https://fedorahosted.org/sssd/ticket/1126
Try now.
On Tue, Feb 07, 2017 at 02:56:00AM -0800, Pavel Březina wrote:
Try now.
thanks, that case is now fixed. I'll run a couple more tests before acking.
The commit "cache_req: add api to create ldb_result from message" broke integration tests: The following commit fixed that. IMHO changing the order should be safe. I tried to run some downstream tests and they failed; need to find a reason.
These patches make the SSH responder use the cache_req interface. Since this responder uses the same cache-domain-cache lookup logic for host certificates, I implemented a "host by name" request in cache_req. In order to achieve this I moved the data provider lookup function from cache_req code into plugins.
The first two patches fix minor issues in the SSH responder and should be pushed to earlier versions as well. The first patch fixes a little issue introduced probably by overrides, and the second patch removes name qualification since the name is already qualified in the sysdb since the fqname patches.