Go to file
Alexander Bokovoy 78ad1cfe4f ipa-extdom-extop: refactor nsswitch operations
Refactor nsswitch operations in ipa-extdom-extop plugin to allow use
of timeout-enabled nsswitch calls provided by libsss_nss_idmap.

Standard POSIX nsswitch API has no way to cancel requests which may
cause ipa-extdom-extop requests to hang far too long and potentially
exhaust LDAP server workers. In addition, glibc nsswitch API iterates
through all nsswitch modules one by one and with multiple parallel
requests a lock up may happen in an unrelated nsswitch module like
nss_files.so.2.

A solution to the latter issue is to directly load nss_sss.so.2 plugin
and utilize it. This, however, does not solve a problem with lack of
cancellable API.

With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of
nsswitch API that is directly integrated with SSSD client side machinery
used by nss_sss.so.2. As result, this API can be used instead of loading
nss_sss.so.2 directly.

To support older SSSD version, both direct loading of nss_sss.so.2 and
new timeout-enabled API are supported by this changeset. An API to
abstract both is designed to be a mix between internal glibc nsswitch
API and external nsswitch API that libsss_nss_idmap mimics. API does not
expose per-call timeout. Instead, it allows to set a timeout per
nsswitch operation context to reduce requirements on information
a caller has to maintain.

A choice which API to use is made at configure time.

In order to test the API, a cmocka test is updated to explicitly load
nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always
depend on availablility of SSSD, predictable testing would not be
possible without it otherwise. Also, cmocka test does not use
nss_wrapper anymore because nss_wrapper overrides higher level glibc
nsswitch API while we are loading an individual nsswitch module
directly.

As result, cmocka test overrides fopen() call used by nss_files.so.2 to
load /etc/passwd and /etc/group. An overridden version changes paths to
/etc/passwd and /etc/group to a local test_data/passwd and
test_data/group. This way we can continue testing a backend API for
ipa-extdom-extop with the same data as with nss_wrapper.

Fixes https://pagure.io/freeipa/issue/5464

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2017-11-30 11:38:03 +02:00
asn1 fix minor spelling mistakes 2017-05-19 09:52:46 +02:00
client ipa-getkeytab man page: add more details about the -r option 2017-11-08 08:00:18 +01:00
contrib logging: do not reference loggers in arguments and attributes 2017-07-14 15:55:59 +02:00
daemons ipa-extdom-extop: refactor nsswitch operations 2017-11-30 11:38:03 +02:00
doc logging: do not reference loggers in arguments and attributes 2017-07-14 15:55:59 +02:00
init Move tmpfiles.d configuration handling back to spec file 2017-08-30 13:05:23 +02:00
install Require UTF-8 fs encoding 2017-11-21 16:13:28 +01:00
ipaclient Support sqlite NSSDB 2017-11-16 12:17:01 +01:00
ipalib ipalib/frontend.py output_for_cli loops optimization 2017-11-23 19:18:43 +01:00
ipaplatform Support sqlite NSSDB 2017-11-16 12:17:01 +01:00
ipapython Fix ca less IPA install on fips mode 2017-11-27 17:51:03 +01:00
ipaserver Fix dict iteration bug in dnsrecord_show 2017-11-27 11:46:54 +01:00
ipatests test_dns_plugin: cope with missing IPv6 in Travis 2017-11-29 15:55:00 +02:00
po fix minor spelling mistakes 2017-05-19 09:52:46 +02:00
pypi Use namespace-aware meta importer for ipaplatform 2017-11-15 14:17:24 +01:00
util C compilation fixes and hardening 2017-03-01 10:38:01 +01:00
.freeipa-pr-ci.yaml prci: define testing topologies 2017-11-23 19:13:06 +01:00
.git-commit-template git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org 2017-03-28 13:10:08 +02:00
.gitignore Use namespace-aware meta importer for ipaplatform 2017-11-15 14:17:24 +01:00
.mailmap Update Contributors.txt 2017-02-23 10:16:44 +01:00
.test_runner_config_py3_temp.yaml travis-ci: collect logs from cmocka tests 2017-11-29 15:55:00 +02:00
.test_runner_config.yaml travis-ci: collect logs from cmocka tests 2017-11-29 15:55:00 +02:00
.tox-install.sh tox testing support for client wheel packages 2017-04-12 16:53:22 +02:00
.travis_run_task.sh Run tox tests for PyPI packages on Travis 2017-11-20 17:01:59 +01:00
.travis.yml Use Python 3 on Travis 2017-11-23 18:31:30 +01:00
.wheelconstraints.in Change the requirements for pylint in wheel 2017-09-08 15:42:07 +02:00
ACI.txt Add --password-expiration to allow admin to force user password expiration 2017-03-31 12:19:40 +02:00
API.txt parameters: introduce CertificateSigningRequest 2017-10-25 09:44:37 +02:00
autogen.sh build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches 2010-11-29 11:39:55 -05:00
BUILD.txt Build: allow to build only py2 rpms for fedora 2017-06-20 12:36:29 +02:00
configure.ac ipa-extdom-extop: refactor nsswitch operations 2017-11-30 11:38:03 +02:00
Contributors.txt Contributors.txt: update 2017-09-01 14:38:37 +02:00
COPYING Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
COPYING.openssl Add a clear OpenSSL exception. 2015-02-23 16:25:54 +01:00
freeipa.spec.in ipa-extdom-extop: refactor nsswitch operations 2017-11-30 11:38:03 +02:00
ipa Use entry_points for ipa CLI 2017-04-11 13:29:50 +02:00
ipasetup.py.in Use namespace-aware meta importer for ipaplatform 2017-11-15 14:17:24 +01:00
make-doc Make an ipa-tests package 2013-06-17 19:22:50 +02:00
make-test Use pytest conftest.py and drop pytest.ini 2017-01-05 17:37:02 +01:00
makeaci Remove ignore_import_errors 2017-11-15 11:06:53 +01:00
makeapi Remove ignore_import_errors 2017-11-15 11:06:53 +01:00
Makefile.am Use namespace-aware meta importer for ipaplatform 2017-11-15 14:17:24 +01:00
Makefile.python.am Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb 2017-03-15 13:48:23 +01:00
makerpms.sh makerpms.sh: make git checkout optional 2017-08-18 11:46:13 +02:00
pylint_plugins.py Use namespace-aware meta importer for ipaplatform 2017-11-15 14:17:24 +01:00
pylintrc Use namespace-aware meta importer for ipaplatform 2017-11-15 14:17:24 +01:00
README.md README: Fix trailing whitespace 2017-07-21 09:47:36 +02:00
server.m4 ipa-extdom-extop: refactor nsswitch operations 2017-11-30 11:38:03 +02:00
tox.ini Slim down dependencies 2017-05-09 17:17:29 +02:00
VERSION.m4 VERSION: set 4.6 git snapshot 2017-09-01 14:39:22 +02:00
zanata.xml Zanata: exlude testing ipa.pot file 2016-11-21 14:47:47 +01:00

FreeIPA Server

FreeIPA allows Linux administrators to centrally manage identity, authentication and access control aspects of Linux and UNIX systems by providing simple to install and use command line and web based managment tools.

FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.

FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization.

Benefits

FreeIPA:

  • Allows all your users to access all the machines with the same credentials and security settings
  • Allows users to access personal files transparently from any machine in an authenticated and secure way
  • Uses an advanced grouping mechanism to restrict network access to services and files only to specific users
  • Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
  • Enables delegation of selected administrative tasks to other power users
  • Integrates into Active Directory environments

Components

The FreeIPA project provides unified installation and management tools for the following components:

Project Website

Releases, announcements and other information can be found on the IPA server project page at http://www.freeipa.org/ .

Documentation

The most up-to-date documentation can be found at http://freeipa.org/page/Documentation .

Quick Start

To get started quickly, start here: http://www.freeipa.org/page/Quick_Start_Guide

For developers

Licensing

Please see the file called COPYING.

Contacts