diff --git a/.gitignore b/.gitignore index 5fe5218..663f6f5 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/slapi-nis-0.52.tar.gz +SOURCES/slapi-nis-0.54.tar.gz diff --git a/.slapi-nis.metadata b/.slapi-nis.metadata index ada9412..40cb360 100644 --- a/.slapi-nis.metadata +++ b/.slapi-nis.metadata @@ -1 +1 @@ -9785a6f26f6790c97d9837a14eb5979ab3901239 SOURCES/slapi-nis-0.52.tar.gz +038ed249da1dc20d52d6159099835a230e7f9525 SOURCES/slapi-nis-0.54.tar.gz diff --git a/SOURCES/slapi-nis-0.52.tar.gz.sig b/SOURCES/slapi-nis-0.52.tar.gz.sig deleted file mode 100644 index 691b90f..0000000 Binary files a/SOURCES/slapi-nis-0.52.tar.gz.sig and /dev/null differ diff --git a/SOURCES/slapi-nis-0.54.tar.gz.sig b/SOURCES/slapi-nis-0.54.tar.gz.sig new file mode 100644 index 0000000..d6a0bce Binary files /dev/null and b/SOURCES/slapi-nis-0.54.tar.gz.sig differ diff --git a/SOURCES/slapi-nis-ID-views-ignore-searches-for-views-outside-the-subtrees.patch b/SOURCES/slapi-nis-ID-views-ignore-searches-for-views-outside-the-subtrees.patch new file mode 100644 index 0000000..aebb1ef --- /dev/null +++ b/SOURCES/slapi-nis-ID-views-ignore-searches-for-views-outside-the-subtrees.patch @@ -0,0 +1,180 @@ +From 79391fda05fba164af577bd0e08a2807643b7b48 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 28 Oct 2014 10:09:47 +0200 +Subject: [PATCH 1/2] ID views: ignore searches for views outside the subtrees + of schema-compat sets + +schema-compat plugin may provide multiple disjoint subtrees which +can be used to request overridden entries by prefixing the subtree +suffix with a + + cn=,cn=views, + +As subtrees may be disjoint, we cannot rely on the common suffix. Thus, +any attempt to replace target DN and update filter terms must only be +done once we are sure the search will be done in the subtree. + +This optimization prevents mistakenly changing the search filter when +FreeIPA and SSSD search for the ID overrides themselves, as the same +structure of the target DN is used for cn=views,cn=accounts,$SUFFIX +subtree in FreeIPA. This subtree is never handled by slapi-nis and +should be ignored. + +https://bugzilla.redhat.com/show_bug.cgi?id=1157989 +--- + src/back-sch-idview.c | 11 +++++-- + src/back-sch.c | 81 +++++++++++++++++++++++++++++++++++++++++++++------ + 2 files changed, 81 insertions(+), 11 deletions(-) + +diff --git a/src/back-sch-idview.c b/src/back-sch-idview.c +index 5a2b450..a56a9e9 100644 +--- a/src/back-sch-idview.c ++++ b/src/back-sch-idview.c +@@ -334,6 +334,10 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b + slapi_ber_bvdone(bval); + slapi_ber_bvcpy(bval, slapi_value_get_berval(anchor_val)); + config->override_found = TRUE; ++ slapi_log_error(SLAPI_LOG_PLUGIN, cbdata->state->plugin_desc->spd_id, ++ "Overriding the filter %s with %s=%*s from the override %s\n.", ++ filter_type, filter_type, bval->bv_len, bval->bv_val, ++ slapi_entry_get_dn_const(cbdata->overrides[i])); + break; + } + } +@@ -346,6 +350,11 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b + slapi_ber_bvdone(bval); + slapi_ber_bvcpy(bval, slapi_value_get_berval(anchor_val)); + config->override_found = TRUE; ++ slapi_log_error(SLAPI_LOG_PLUGIN, cbdata->state->plugin_desc->spd_id, ++ "Overriding the filter %s with %s=%*s from the override %s\n.", ++ filter_type, IPA_IDVIEWS_ATTR_ANCHORUUID, ++ bval->bv_len, bval->bv_val, ++ slapi_entry_get_dn_const(cbdata->overrides[i])); + break; + } + +@@ -366,8 +375,6 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b + * + * Note that in reality we don't use original value of the uid/cn attribue. Instead, we use ipaAnchorUUID + * to refer to the original entry. */ +-extern char * +-slapi_filter_to_string( const struct slapi_filter *f, char *buf, size_t bufsize ); + void + idview_replace_filter(struct backend_search_cbdata *cbdata) + { +diff --git a/src/back-sch.c b/src/back-sch.c +index 27d5101..27ac24f 100644 +--- a/src/back-sch.c ++++ b/src/back-sch.c +@@ -1166,6 +1166,44 @@ backend_search_set_cb(const char *group, const char *set, bool_t flag, + return TRUE; + } + ++/* Routines to search if a target DN is within any of the sets we handle */ ++static bool_t ++backend_search_find_set_dn_in_group_cb(const char *group, const char *set, bool_t flag, ++ void *backend_data, void *cb_data) ++{ ++ struct backend_search_cbdata *cbdata; ++ struct backend_set_data *set_data; ++ ++ cbdata = cb_data; ++ set_data = backend_data; ++ ++ if (slapi_sdn_scope_test(cbdata->target_dn, ++ set_data->container_sdn, ++ cbdata->scope) == 1) { ++ cbdata->answer = TRUE; ++ } ++ ++ if (slapi_sdn_compare(set_data->container_sdn, ++ cbdata->target_dn) == 0) { ++ cbdata->answer = TRUE; ++ } ++ ++ return TRUE; ++ ++} ++ ++static bool_t ++backend_search_find_set_dn_cb(const char *group, void *cb_data) ++{ ++ struct backend_search_cbdata *cbdata; ++ ++ cbdata = cb_data; ++ map_data_foreach_map(cbdata->state, group, ++ backend_search_find_set_dn_in_group_cb, cb_data); ++ return TRUE; ++} ++ ++/* Routines to find out the set that has the same group as requested */ + static bool_t + backend_search_find_set_data_in_group_cb(const char *group, const char *set, bool_t flag, + void *backend_data, void *cb_data) +@@ -1340,9 +1378,6 @@ backend_search_cb(Slapi_PBlock *pb) + "searching from \"%s\" for \"%s\" with scope %d%s\n", + cbdata.target, cbdata.strfilter, cbdata.scope, + backend_sch_scope_as_string(cbdata.scope)); +-#ifdef USE_IPA_IDVIEWS +- idview_replace_target_dn(&cbdata.target, &cbdata.idview); +-#endif + cbdata.target_dn = slapi_sdn_new_dn_byval(cbdata.target); + /* Check if there's a backend handling this search. */ + if (!slapi_be_exist(cbdata.target_dn)) { +@@ -1351,19 +1386,47 @@ backend_search_cb(Slapi_PBlock *pb) + "slapi_be_exists(\"%s\") = 0, " + "ignoring search\n", cbdata.target); + slapi_sdn_free(&cbdata.target_dn); ++ return 0; ++ } ++ ++#ifdef USE_IPA_IDVIEWS ++ /* We may have multiple disjoint trees in the sets, search if the target matches any of them ++ * as in general there don't have to be a single subtree (cn=compat,$SUFFIX) for all trees to easily ++ * detect the ID view use. Unless the ID view is within the set we control, don't consider the override */ ++ map_data_foreach_domain(cbdata.state, backend_search_find_set_dn_cb, &cbdata); ++ if (cbdata.answer == FALSE) { ++ idview_replace_target_dn(&cbdata.target, &cbdata.idview); + if (cbdata.idview != NULL) { +- slapi_ch_free_string(&cbdata.target); ++ slapi_sdn_free(&cbdata.target_dn); ++ /* Perform another check, now for rewritten DN */ ++ cbdata.target_dn = slapi_sdn_new_dn_byval(cbdata.target); ++ map_data_foreach_domain(cbdata.state, backend_search_find_set_dn_cb, &cbdata); ++ /* Rewritten DN might still be outside of our trees */ ++ if (cbdata.answer == TRUE) { ++ slapi_log_error(SLAPI_LOG_PLUGIN, cbdata.state->plugin_desc->spd_id, ++ "Use of ID view '%s' is detected, searching from \"%s\" " ++ "for \"%s\" with scope %d%s. Filter may get overridden later.\n", ++ cbdata.idview, cbdata.target, cbdata.strfilter, cbdata.scope, ++ backend_sch_scope_as_string(cbdata.scope)); ++ } else { ++ slapi_sdn_free(&cbdata.target_dn); ++ slapi_ch_free_string(&cbdata.target); ++ slapi_ch_free_string(&cbdata.idview); ++ slapi_log_error(SLAPI_LOG_PLUGIN, ++ cbdata.state->plugin_desc->spd_id, ++ "The search base didn't match any of the containers, " ++ "ignoring search\n"); ++ return 0; ++ } + } +- slapi_ch_free_string(&cbdata.idview); +-#ifdef USE_IPA_IDVIEWS +- idview_free_overrides(&cbdata); +-#endif +- return 0; + } ++ cbdata.answer = FALSE; ++#endif + + /* Walk the list of groups. */ + wrap_inc_call_level(); + #ifdef USE_IPA_IDVIEWS ++ /* Filter replacement requires increased call level as we may fetch overrides and thus come back here */ + idview_replace_filter(&cbdata); + #endif + if (map_rdlock() == 0) { +-- +2.1.0 + diff --git a/SOURCES/slapi-nis-schema-compat-support-ID-overrides-in-bind-callback.patch b/SOURCES/slapi-nis-schema-compat-support-ID-overrides-in-bind-callback.patch new file mode 100644 index 0000000..afc5c4d --- /dev/null +++ b/SOURCES/slapi-nis-schema-compat-support-ID-overrides-in-bind-callback.patch @@ -0,0 +1,257 @@ +From 5f5f302e97560b05b154473f562410733e0b775b Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 28 Oct 2014 11:16:50 +0200 +Subject: [PATCH 2/2] schema-compat: support ID overrides in bind callback + +If RDN of the bind DN is overridden within the ID view, rewrite the +target to use original value of the uid attribute. + +If original uid attribute is not available, fail the search and thus +the whole bind request by claiming that bind DN does not exist. +--- + src/back-sch-idview.c | 86 ++++++++++++++++++++++++++++++++++----------------- + src/back-sch.c | 57 +++++++++++++++++++++++++++++----- + src/back-sch.h | 4 +++ + 3 files changed, 111 insertions(+), 36 deletions(-) + +diff --git a/src/back-sch-idview.c b/src/back-sch-idview.c +index a56a9e9..f1150cd 100644 +--- a/src/back-sch-idview.c ++++ b/src/back-sch-idview.c +@@ -290,21 +290,15 @@ idview_replace_target_dn(char **target, char **idview) + } + } + +-static int +-idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct berval *bval, struct backend_search_filter_config *config) ++int ++idview_replace_bval_by_override(const char *bval_usage, const char *attr_name, ++ struct berval *bval, struct backend_search_cbdata *cbdata) + { + int res, i; +- Slapi_Value *filter_val, *value, *anchor_val; ++ Slapi_Value *attr_val, *value, *anchor_val; + Slapi_Attr *anchor, *attr = NULL; +- struct backend_search_cbdata *cbdata = (struct backend_search_cbdata *) config->callback_data; +- +- if (cbdata == NULL || cbdata->idview == NULL) { +- return SLAPI_FILTER_SCAN_CONTINUE; +- } +- +- if (filter_type == NULL || config->name == NULL) { +- return SLAPI_FILTER_SCAN_CONTINUE; +- } ++ bool_t uid_override_found = FALSE; ++ bool_t anchor_override_found = FALSE; + + if (cbdata->overrides == NULL) { + /* Only retrieve overrides for the view first time when neccessary */ +@@ -312,31 +306,34 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b + } + + if (cbdata->overrides == NULL) { +- return SLAPI_FILTER_SCAN_CONTINUE; ++ return 0; + } + +- filter_val = slapi_value_new_berval(bval); ++ attr_val = slapi_value_new_berval(bval); ++ slapi_log_error(SLAPI_LOG_FATAL, cbdata->state->plugin_desc->spd_id, ++ "Searching for an override of the %s %s with %s=%*s from the overrides\n.", ++ bval_usage, attr_name, attr_name, (int) bval->bv_len, bval->bv_val); + + /* If filter contains an attribute name which is overridden in the view and filter value + * corresponds to the override, replace the filter by (ipaAnchorUUID=...) from the override + * to point to the original because otherwise an entry will not be found in the slapi-nis map */ + for(i=0; cbdata->overrides[i] != NULL; i++) { +- res = slapi_entry_attr_find(cbdata->overrides[i], filter_type, &attr); ++ res = slapi_entry_attr_find(cbdata->overrides[i], attr_name, &attr); + if ((res == 0) && (attr != NULL)) { + res = slapi_attr_first_value(attr, &value); +- res = slapi_value_compare(attr, value, filter_val); ++ res = slapi_value_compare(attr, value, attr_val); + if (res == 0) { + /* For uid overrides we should have ipaOriginalUID in the override */ +- if (strcasecmp(filter_type, "uid") == 0) { ++ if (strcasecmp(attr_name, "uid") == 0) { + res = slapi_entry_attr_find(cbdata->overrides[i], IPA_IDVIEWS_ATTR_ORIGINALUID, &anchor); + if (res == 0) { + res = slapi_attr_first_value(anchor, &anchor_val); + slapi_ber_bvdone(bval); + slapi_ber_bvcpy(bval, slapi_value_get_berval(anchor_val)); +- config->override_found = TRUE; +- slapi_log_error(SLAPI_LOG_PLUGIN, cbdata->state->plugin_desc->spd_id, +- "Overriding the filter %s with %s=%*s from the override %s\n.", +- filter_type, filter_type, bval->bv_len, bval->bv_val, ++ uid_override_found = TRUE; ++ slapi_log_error(SLAPI_LOG_FATAL, cbdata->state->plugin_desc->spd_id, ++ "Overriding the %s %s with %s=%*s from the override %s\n.", ++ bval_usage, attr_name, attr_name, (int) bval->bv_len, bval->bv_val, + slapi_entry_get_dn_const(cbdata->overrides[i])); + break; + } +@@ -346,14 +343,13 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b + res = slapi_entry_attr_find(cbdata->overrides[i], IPA_IDVIEWS_ATTR_ANCHORUUID, &anchor); + if (res == 0) { + res = slapi_attr_first_value(anchor, &anchor_val); +- slapi_filter_changetype(filter, IPA_IDVIEWS_ATTR_ANCHORUUID); + slapi_ber_bvdone(bval); + slapi_ber_bvcpy(bval, slapi_value_get_berval(anchor_val)); +- config->override_found = TRUE; +- slapi_log_error(SLAPI_LOG_PLUGIN, cbdata->state->plugin_desc->spd_id, +- "Overriding the filter %s with %s=%*s from the override %s\n.", +- filter_type, IPA_IDVIEWS_ATTR_ANCHORUUID, +- bval->bv_len, bval->bv_val, ++ anchor_override_found = TRUE; ++ slapi_log_error(SLAPI_LOG_FATAL, cbdata->state->plugin_desc->spd_id, ++ "Overriding the %s %s with %s=%*s from the override %s\n.", ++ bval_usage, attr_name, IPA_IDVIEWS_ATTR_ANCHORUUID, ++ (int) bval->bv_len, bval->bv_val, + slapi_entry_get_dn_const(cbdata->overrides[i])); + break; + } +@@ -362,7 +358,41 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b + } + } + +- slapi_value_free(&filter_val); ++ slapi_value_free(&attr_val); ++ ++ if (uid_override_found) { ++ return 1; ++ } ++ ++ if (anchor_override_found) { ++ return 2; ++ } ++ ++ return 0; ++} ++ ++static int ++idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, ++ struct berval *bval, struct backend_search_filter_config *config) ++{ ++ int res; ++ struct backend_search_cbdata *cbdata = (struct backend_search_cbdata *) config->callback_data; ++ ++ if (cbdata == NULL || cbdata->idview == NULL) { ++ return SLAPI_FILTER_SCAN_CONTINUE; ++ } ++ ++ if (filter_type == NULL || config->name == NULL) { ++ return SLAPI_FILTER_SCAN_CONTINUE; ++ } ++ ++ res = idview_replace_bval_by_override("filter", filter_type, bval, cbdata); ++ ++ if (res == 2) { ++ slapi_filter_changetype(filter, IPA_IDVIEWS_ATTR_ANCHORUUID); ++ } ++ ++ config->override_found = (res != 0); + + return SLAPI_FILTER_SCAN_CONTINUE; + +diff --git a/src/back-sch.c b/src/back-sch.c +index 27ac24f..2388d2f 100644 +--- a/src/back-sch.c ++++ b/src/back-sch.c +@@ -1631,7 +1631,6 @@ static void + backend_locate(Slapi_PBlock *pb, struct backend_entry_data **data, const char **group, const char**set) + { + struct backend_locate_cbdata cbdata; +- char *idview = NULL; + + slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &cbdata.state); + if (cbdata.state->plugin_base == NULL) { +@@ -1640,22 +1639,64 @@ backend_locate(Slapi_PBlock *pb, struct backend_entry_data **data, const char ** + return; + } + slapi_pblock_get(pb, SLAPI_TARGET_DN, &cbdata.target); +-#ifdef USE_IPA_IDVIEWS +- idview_replace_target_dn(&cbdata.target, &idview); +-#endif ++ + cbdata.target_dn = slapi_sdn_new_dn_byval(cbdata.target); + cbdata.entry_data = NULL; + cbdata.entry_group = NULL; + cbdata.entry_set = NULL; + map_data_foreach_map(cbdata.state, NULL, backend_locate_cb, &cbdata); ++#ifdef USE_IPA_IDVIEWS ++ /* In case nothing was found but we are operating on the ID override, ++ * rebuild the target's RDN to use original attribute's value */ ++ if (cbdata.entry_data == NULL) { ++ char *idview = NULL; ++ char *target, *original_target; ++ target = original_target = slapi_ch_strdup(cbdata.target); ++ idview_replace_target_dn(&target, &idview); ++ if (target != original_target) { ++ slapi_ch_free_string(&original_target); ++ } ++ if (idview != NULL) { ++ char *rdnstr; ++ char *val; ++ struct berval bval; ++ int res; ++ struct backend_search_cbdata scbdata; ++ Slapi_RDN *rdn = slapi_rdn_new_all_dn(target); ++ if (rdn != NULL) { ++ res = slapi_rdn_get_first(rdn, &rdnstr, &val); ++ if (res == 1) { ++ bval.bv_len = strlen(val) + 1; ++ bval.bv_val = slapi_ch_strdup(val); ++ memset(&scbdata, 0, sizeof(scbdata)); ++ scbdata.idview = idview; ++ scbdata.target = target; ++ scbdata.pb = pb; ++ scbdata.state = cbdata.state; ++ scbdata.target_dn = slapi_sdn_new_dn_byval(target); ++ res = idview_replace_bval_by_override("rdn", rdnstr, &bval, &scbdata); ++ /* only accept uid overrides */ ++ if (res == 1) { ++ slapi_rdn_remove_index(rdn, 1); ++ slapi_rdn_add(rdn, "uid", bval.bv_val); ++ slapi_sdn_free(&cbdata.target_dn); ++ cbdata.target_dn = slapi_sdn_set_rdn(scbdata.target_dn, rdn); ++ map_data_foreach_map(cbdata.state, NULL, backend_locate_cb, &cbdata); ++ } ++ slapi_ber_bvdone(&bval); ++ slapi_rdn_free(&rdn); ++ idview_free_overrides(&scbdata); ++ } ++ } ++ } ++ slapi_ch_free_string(&target); ++ slapi_ch_free_string(&idview); ++ } ++#endif + *data = cbdata.entry_data; + *group = cbdata.entry_group; + *set = cbdata.entry_set; + slapi_sdn_free(&cbdata.target_dn); +- if (idview != NULL) { +- slapi_ch_free_string(&cbdata.target); +- } +- slapi_ch_free_string(&idview); + } + + /* Check if the target DN is part of this group's tree. If it is, return an +diff --git a/src/back-sch.h b/src/back-sch.h +index 9f0b201..26e12d1 100644 +--- a/src/back-sch.h ++++ b/src/back-sch.h +@@ -131,6 +131,10 @@ void idview_process_overrides(struct backend_search_cbdata *cbdata, + Slapi_Entry *entry); + void idview_replace_target_dn(char **target, char **idview); + void idview_replace_filter(struct backend_search_cbdata *cbdata); ++/* Takes struct berval value of an attribute attr_name and replaces it with an override ++ * Returns 0 if no override was found, 1 for 'uid' replacement, 2 for ipaAnchorUUID replacement */ ++int idview_replace_bval_by_override(const char *bval_usage, const char *attr_name, ++ struct berval *bval, struct backend_search_cbdata *cbdata); + #endif + + #endif +-- +2.1.0 + diff --git a/SOURCES/slapi-nis-use-slapi_entry_find_attr.patch b/SOURCES/slapi-nis-use-slapi_entry_find_attr.patch new file mode 100644 index 0000000..f8a175a --- /dev/null +++ b/SOURCES/slapi-nis-use-slapi_entry_find_attr.patch @@ -0,0 +1,44 @@ +From ef62d2313145ccb69bc0974fcbab2c5d9b627f37 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 14 Oct 2014 17:25:46 +0300 +Subject: [PATCH 3/3] Use slapi_entry_find_attr instead of + slapi_entry_attr_exists + +To keep slapi-nis code portable to older versions of 389-ds-base, +avoid using slapi_entry_attr_exists() as it was only introduced in +389-ds-base 1.3.3.0. +--- + src/back-sch.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/back-sch.c b/src/back-sch.c +index 27d5101..0177ed3 100644 +--- a/src/back-sch.c ++++ b/src/back-sch.c +@@ -997,9 +997,11 @@ backend_search_entry_cb(const char *domain, const char *map, bool_t secure, + { + Slapi_DN *sdn; + Slapi_Entry *entry; ++ Slapi_Attr *attr = NULL; + struct backend_search_cbdata *cbdata; + struct backend_entry_data *entry_data; + int result; ++ bool_t is_attr_exists = FALSE; + + cbdata = cb_data; + entry_data = backend_data; +@@ -1042,7 +1044,10 @@ backend_search_entry_cb(const char *domain, const char *map, bool_t secure, + idview_process_overrides(cbdata, key, map, domain, entry); + } + +- if (slapi_entry_attr_exists(entry, IPA_IDVIEWS_ATTR_ANCHORUUID) == 1) { ++ /* slapi_entry_attr_exists() was introduced only in https://fedorahosted.org/389/ticket/47710 */ ++ is_attr_exists = slapi_entry_attr_find(entry, IPA_IDVIEWS_ATTR_ANCHORUUID, &attr) == 0; ++ ++ if (is_attr_exists == TRUE) { + slapi_entry_attr_delete(entry, IPA_IDVIEWS_ATTR_ANCHORUUID); + slapi_entry_delete_string(entry, "objectClass", "ipaOverrideTarget"); + } +-- +2.1.0 + diff --git a/SPECS/slapi-nis.spec b/SPECS/slapi-nis.spec index 82ac5fd..ff006cd 100644 --- a/SPECS/slapi-nis.spec +++ b/SPECS/slapi-nis.spec @@ -10,20 +10,23 @@ %endif Name: slapi-nis -Version: 0.52 -Release: 4%{?dist} +Version: 0.54 +Release: 2%{?dist} Summary: NIS Server and Schema Compatibility plugins for Directory Server Group: System Environment/Daemons License: GPLv2 URL: http://slapi-nis.fedorahosted.org/ Source0: https://fedorahosted.org/releases/s/l/slapi-nis/slapi-nis-%{version}.tar.gz Source1: https://fedorahosted.org/releases/s/l/slapi-nis/slapi-nis-%{version}.tar.gz.sig +Patch0: slapi-nis-use-slapi_entry_find_attr.patch +Patch1: slapi-nis-ID-views-ignore-searches-for-views-outside-the-subtrees.patch +Patch2: slapi-nis-schema-compat-support-ID-overrides-in-bind-callback.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: 389-ds-base-devel, %{ldap_impl}-devel BuildRequires: nspr-devel, nss-devel, /usr/bin/rpcgen %if 0%{?fedora} > 18 || 0%{?rhel} > 6 BuildRequires: libsss_nss_idmap-devel -%define sss_nss_opts --with-sss-nss-idmap +%define sss_nss_opts --with-sss-nss-idmap --with-idviews %else %define sss_nss_opts %{nil} %endif @@ -55,6 +58,9 @@ for attributes from multiple entries in the tree. %prep %setup -q +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 %build %configure --disable-static --with-tcp-wrappers --with-ldap=%{ldap_impl} \ @@ -85,6 +91,22 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/nisserver-plugin-defs %changelog +* Thu Oct 30 2014 Alexander Bokovoy - 0.54-2 +- Complete ID views support to BIND operation +- Ignore ID views outside schema-compat subtrees +- Use 389-ds API compatible with RHEL 7.0 +- Resolves: #1151436 + +* Mon Oct 13 2014 Alexander Bokovoy - 0.54-1 +- Add support for IDM's ID views +- Allow searching SSSD-provided users as memberUid case-insensitevly +- Resolves: #1151436 + +* Tue Sep 9 2014 Nalin Dahyabhai - 0.52-5 +- backport correction to the default settings for hosts.byname and + hosts.byaddr NIS maps, so that their data items start with the host's + address rather than a name (#1090948) + * Fri Jan 24 2014 Daniel Mach - 0.52-4 - Mass rebuild 2014-01-24