mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
78ad1cfe4f
Refactor nsswitch operations in ipa-extdom-extop plugin to allow use of timeout-enabled nsswitch calls provided by libsss_nss_idmap. Standard POSIX nsswitch API has no way to cancel requests which may cause ipa-extdom-extop requests to hang far too long and potentially exhaust LDAP server workers. In addition, glibc nsswitch API iterates through all nsswitch modules one by one and with multiple parallel requests a lock up may happen in an unrelated nsswitch module like nss_files.so.2. A solution to the latter issue is to directly load nss_sss.so.2 plugin and utilize it. This, however, does not solve a problem with lack of cancellable API. With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of nsswitch API that is directly integrated with SSSD client side machinery used by nss_sss.so.2. As result, this API can be used instead of loading nss_sss.so.2 directly. To support older SSSD version, both direct loading of nss_sss.so.2 and new timeout-enabled API are supported by this changeset. An API to abstract both is designed to be a mix between internal glibc nsswitch API and external nsswitch API that libsss_nss_idmap mimics. API does not expose per-call timeout. Instead, it allows to set a timeout per nsswitch operation context to reduce requirements on information a caller has to maintain. A choice which API to use is made at configure time. In order to test the API, a cmocka test is updated to explicitly load nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always depend on availablility of SSSD, predictable testing would not be possible without it otherwise. Also, cmocka test does not use nss_wrapper anymore because nss_wrapper overrides higher level glibc nsswitch API while we are loading an individual nsswitch module directly. As result, cmocka test overrides fopen() call used by nss_files.so.2 to load /etc/passwd and /etc/group. An overridden version changes paths to /etc/passwd and /etc/group to a local test_data/passwd and test_data/group. This way we can continue testing a backend API for ipa-extdom-extop with the same data as with nss_wrapper. Fixes https://pagure.io/freeipa/issue/5464 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com>
FreeIPA Server
FreeIPA allows Linux administrators to centrally manage identity, authentication and access control aspects of Linux and UNIX systems by providing simple to install and use command line and web based managment tools.
FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.
FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization.
Benefits
FreeIPA:
- Allows all your users to access all the machines with the same credentials and security settings
- Allows users to access personal files transparently from any machine in an authenticated and secure way
- Uses an advanced grouping mechanism to restrict network access to services and files only to specific users
- Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
- Enables delegation of selected administrative tasks to other power users
- Integrates into Active Directory environments
Components
The FreeIPA project provides unified installation and management tools for the following components:
- LDAP Server - based on the 389 project
- KDC - based on MIT Kerberos implementation
- PKI based on Dogtag project
- Samba libraries for Active Directory integration
- DNS Server based on BIND and the Bind-DynDB-LDAP plugin
Project Website
Releases, announcements and other information can be found on the IPA server project page at http://www.freeipa.org/ .
Documentation
The most up-to-date documentation can be found at http://freeipa.org/page/Documentation .
Quick Start
To get started quickly, start here: http://www.freeipa.org/page/Quick_Start_Guide
For developers
- Building FreeIPA from source
- http://www.freeipa.org/page/Build
- See the BUILD.txt file in the source root directory
Licensing
Please see the file called COPYING.
Contacts
- If you want to be informed about new code releases, bug fixes, security fixes, general news and information about the IPA server subscribe to the freeipa-announce mailing list at https://www.redhat.com/mailman/listinfo/freeipa-interest/ .
- If you have a bug report please submit it at: https://pagure.io/freeipa/issues
- If you want to participate in actively developing IPA please subscribe to the freeipa-devel mailing list at https://www.redhat.com/mailman/listinfo/freeipa-devel/ or join us in IRC at irc://irc.freenode.net/freeipa