TESTING only#8596
Draft
justin-stephenson wants to merge 83 commits intoSSSD:masterfrom
Draft
Conversation
…ider (cherry picked from commit 0f5f3b6)
so it can be directly modified
…can easily pass new fctx
So it can be modified later.
…kup and user authentication
…pec file Add the sssd-minimal provider package to the spec file following the same pattern as other providers (ldap, ipa, ad, etc.). This packages the libsss_minimal.so library that was added in recent commits. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
And also disable codeql for the minimal provider. The provider is for testing only, it does not make sense to fix any issue there.
This crafts and implements the new failover interface, it does not provide complete implementation of the failover mechanism yet. It brings the code to a state were the public and private interfaces are stable, working and testable so the following tasks can be split and work on in parallel. What is missing at this state: - server configuration and discovery (failover_server_group/batch/vtable_op) - server selection mechanism (sss_failover_vtable_op_server_next) - kerberos authentication - sharing servers between IPA/AD LDAP and KDC - online/offline callbacks (resolve callback should not be needed) But especially it is possible to start refactoring SSSD code to start using the new failover implementation.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a new failover mechanism for SSSD, replacing the previous connection management and retry logic. It includes the addition of a new failover framework, updates to the AD and LDAP providers to utilize this framework, and significant refactoring of the data provider interface to simplify error handling. A critical bug was identified in the AD provider initialization where the Global Catalog failover context was not being correctly validated.
| init_ctx->gc_fctx = sssm_ad_init_failover(init_ctx, be_ctx, | ||
| init_ctx->id_ctx->sdap_id_ctx->opts, | ||
| "AD_GC", 3268); | ||
| if (init_ctx->fctx == NULL) { |
There was a problem hiding this comment.
The condition if (init_ctx->fctx == NULL) is checked twice for the same variable init_ctx->fctx instead of checking init_ctx->gc_fctx for the second initialization. This is a critical bug as it prevents proper error handling for the Global Catalog failover context initialization.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
justin-stephenson
force-pushed
the
failover_justin_port_ldap_and_ad
branch
8 times, most recently
from
1bdc462 to
d5a524a
Compare
justin-stephenson
force-pushed
the
failover_justin_port_ldap_and_ad
branch
4 times, most recently
from
969e9e4 to
ccef551
Compare
justin-stephenson
force-pushed
the
failover_justin_port_ldap_and_ad
branch
5 times, most recently
from
ff6f8cd to
a5eaab0
Compare
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Add @pytest.mark.flaky(reruns=3) using the existing flaky marker Signed-off-by: Madhuri Upadhye <mupadhye@redhat.com> Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Jakub Vávra <jvavra@redhat.com>
Ported following test case: - kpasswd: BZ 847039: login works when krb5_kpasswd is unresolvable (kpasswd not needed for auth). - high UID: BZ 798655: auth and logs stay clean with a setuid(-1) helper process running. - password change: GH 677: SSH passwd with chpass_provider=krb5 logs initial auth in krb5_child.log. Signed-off-by: Madhuri Upadhye <mupadhye@redhat.com> Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Scott Poore <spoore@redhat.com>
test_kcm__tgt_renewal_updates_ticket_as_configured no longer uses a fixed sleep(5) and flaky retries. The test now polls klist every 0.5s and asserts renewal by checking that TGT start or end time advances, with a detailed failure message that prints both initial and last timestamps. To match KCM renewal behavior (renewal only starts after roughly half the ticket lifetime), the test uses a short renewable ticket (-r 5s -l 5s) and a bounded polling window (9s) so it stays fast while still waiting long enough for renewal to be attempted. Also removed the temporary CI comment and the flaky marker from this test. Assited by: Cursor(Claude Opus 4.6) Signed-off-by: Madhuri Upadhye <mupadhye@redhat.com> Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Scott Poore <spoore@redhat.com>
Reviewed-by: Scott Poore <spoore@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>
This crafts and implements the new failover interface, it does not provide complete implementation of the failover mechanism yet. It brings the code to a state were the public and private interfaces are stable, working and testable so the following tasks can be split and work on in parallel. What is missing at this state: - server configuration and discovery (failover_server_group/batch/vtable_op) - server selection mechanism (sss_failover_vtable_op_server_next) - kerberos authentication - sharing servers between IPA/AD LDAP and KDC - online/offline callbacks (resolve callback should not be needed) But especially it is possible to start refactoring SSSD code to start using the new failover implementation.
Assisted by: Claude code (Sonnet 4.6)
In low level ldap search functions
The data provider handler methods now return a single output argument. Remove 'dp_error/dp_err' and 'error_message' usage across provider code. The getAccountDomain method still needs to return 'domain_name' string. Assisted by: Claude code (Sonnet 4.6)
- Servers are hardcoded
This will be done differently inside the failover code
justin-stephenson
force-pushed
the
failover_justin_port_ldap_and_ad
branch
from
4a1f8b6 to
f974135
Compare
To allow system tests to run in upstream PRCI
** Temporary commit as each provider is ported to new failover ** These provider tests will often fail because they have not yet been ported to the new failover code, and they call into ldap functions which are utilizing the new failover. For example crash in : #0 0x00007fdb8d72cb41 in sss_failover_transaction_ex_send () from /usr/lib64/sssd/libsss_ldap_common.so #1 0x00007fdb8d72ccbd in sss_failover_transaction_send () from /usr/lib64/sssd/libsss_ldap_common.so #2 0x00007fdb8d6e367b in groups_by_user_send () from /usr/lib64/sssd/libsss_ldap_common.so #3 0x00007fdb8d6e6a88 in sdap_handle_acct_req_send () from /usr/lib64/sssd/libsss_ldap_common.so #4 0x00007fdb8d799076 in ipa_id_get_account_info_get_original_step () from /usr/lib64/sssd/libsss_ipa.so #5 0x00007fdb8d7a038b in ipa_id_get_account_info_send () from /usr/lib64/sssd/libsss_ipa.so #6 0x00007fdb8d7a2560 in ipa_account_info_send () from /usr/lib64/sssd/libsss_ipa.so #7 0x00007fdb8d7a2877 in ipa_account_info_handler_send () from /usr/lib64/sssd/libsss_ipa.so
* test_failover tests are expected to fail due to failover interface changes. * test_logging 'offline' tests and test_autofs__propagate_offline_status_for_multiple_domains fail because they are asserting offline related log messages which are not in the new failover code. * test_ad__user_authentication_when_provider_is_set_to_ldap_with_gss_spnego(samba) test fails because failover service finds hard-coded LDAP servers when trying to lookup LDAP service, it should re-use dc.samba.test * test_multithreaded_pac_client - see https://redhat.atlassian.net/browse/IDM-6014
After switching to new failover code, processing offline gpos function was no longer reached if backend is offline during AD access checks.
justin-stephenson
force-pushed
the
failover_justin_port_ldap_and_ad
branch
from
f974135 to
cb6d470
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
13 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.