CONFDB: Add passwd_files and group_files options Add new options to the files provider allowing an administrator to configure the files provider to read and monitor multiple or non-standard passwd and group file sources. These options default to /etc/passwd and /etc/group when unset. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Fix minor spelling mistakes Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

CONFIG: Add a new option auto_private_groups The auto_private_groups option is used to configure the domain->mpg flag which was already set automatically for subdomains, but for some time was not settable by the admin via the configuration file. The new option name, instead of the old magic_private_groups, was chosen purely because this name would hopefully be better understood by admins. The option doesn't do anything yet, it is just added to all the places a new option should be added to. Related: https://pagure.io/SSSD/sssd/issue/1872 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

LDAP: Add support for rhost access control This patch implements verification of pam_rhost against rules stored in LDAP entry of a user. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

SECRETS: Add a new option to control per-UID limits Adds a new option max_uid_secrets that allows to set a limit of secrets for this particular client so that the user cannot starve other users. Resolves: https://pagure.io/SSSD/sssd/issue/3363 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

DESKPROFILE: Add ipa_deskprofile_request_interval This option has been added to avoid contacting the Data Provider when no rules were found in the previous request. By adding this configurable option we avoid contacting the Data Provider too often in the case described above and also when the server doesn't support Desktop Profile's integration. Resolves: https://pagure.io/SSSD/sssd/issue/3482 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

DESKPROFILE: Introduce the new IPA session provider In order to provide FleetCommander[0] integration, a session provider has been introduced for IPA. The design of this feature and more technical details can be found at [1] and [2], which are the design pages of both freeIPA and SSSD parts. As there's no way to test freeIPA integration with our upstream tests, no test has been provided yet. Is also worth to mention that the name "deskprofile" has been chosen instead of "fleetcmd" in order to match with the freeIPA plugin. It means that, for consistence, all source files, directories created, options added, functions prefixes and so on are following the choice accordingly. [0]: https://wiki.gnome.org/Projects/FleetCommander [1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki [2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html Resolves: https://pagure.io/SSSD/sssd/issue/2995 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sudo: add a threshold option to reduce size of rules refresh filter If a large number of rules is expired at one time the ldap filter may become too large to be processed by server. This commits adds a new option "sudo_threshold" to sudo responder. If the threshold is exceeded a full refreshed is done instead of rules refresh. Resolves: https://pagure.io/SSSD/sssd/issue/3478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

Fix minor typos Merges: https://pagure.io/SSSD/sssd/pull-request/3456 Reviewed-by: Michal Židek <mzidek@redhat.com>

Fix minor typos Merges: https://pagure.io/SSSD/sssd/pull-request/3456 Reviewed-by: Michal Židek <mzidek@redhat.com>

SSSDConfig: Fix saving of debug_level SSSDConfig internally handle debug_level as an integer. But in case of bitmask version of debug_level (>=16) it stored value as a decimal which is confusing e.g. debug_level = 8176 vs. debug_level = 0x1ff0 Resolves: https://pagure.io/SSSD/sssd/issue/3410 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SSSDConfig: Handle integer parsing more leniently debug_level is usually defined as decimal value <= 10 or as a hexadecimal value which is used as a bitmask Parsing of hexadecimal value was partially fixed by commit 7fac271ccebb84743c39f553eb5ec013cf1d10aa but only for sssd domains. It was not fixed for sssd services. File "/usr/share/authconfig/authinfo.py", line 3142, in writeSSSDPAM pam = self.sssdConfig.get_service('pam') File "/usr/lib/python3.6/site-packages/SSSDConfig/__init__.py", line 1620, in get_service service.set_option(opt['name'], opt['value']) File "/usr/lib/python3.6/site-packages/SSSDConfig/__init__.py", line 932, in set_option (option_schema[0], optionname, type(value))) TypeError: Expected <class 'int'> for debug_level, received <class 'str'> Resolves: https://pagure.io/SSSD/sssd/issue/3410 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

CONFIG: Add subdomain_homedir to config locations Option subdomain_homedir was missing from Python config API an cfg_rules leading to config file validation failures. Add this option into the necessary locations similar to other provider-generic domain options. Resolves: https://pagure.io/SSSD/sssd/issue/3389 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

Use correct spelling of override Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

secrets: allow to configure certificate check Some users may want to use TLS with unverified peer (for example if they use self-signed certificate) or if unverified hostname (if certificate hostname does not match with the real hostname). On the other side it may be useful to point to a directory containing custom certificate authorities. This patch add three new options to secrets responder: verify_peer => peer's certificate must be valid verify_host => hostnames must match capath => path to directory containing CA certs cacert => ca certificate cert => client certificate key => client private key Resolves: https://pagure.io/SSSD/sssd/issue/3192 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

PAM: Add application services Related to: https://pagure.io/SSSD/sssd/issue/3310 Adds a new PAM responder option 'pam_app_services'. This option can hold a list of PAM services that are allowed to contact the application non-POSIX domains. These services are NOT allowed to contact any of the POSIX domains. Reviewed-by: Sumit Bose <sbose@redhat.com>

CONFDB: Introduce SSSD domain type to distinguish POSIX and application domains Related to: https://pagure.io/SSSD/sssd/issue/3310 Adds a new option that allows to distinguish domains that do contain POSIX users and groups and those that don't. The POSIX domains are the default. The non-POSIX domains are selected by selecting an "application" type domain. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Add domain_resolution_order config option This is the local equivalent of option of ipaDomainResolutionOrder and has precedence over the ones set on IPA side making the precedence order to be like: Local > View > Globally. As done for the IPA side configurations, the domains which were not explicitly set up will be apennded to the final of the domain_resolution_order list in the very same order they're presented in the "domains" option of [sssd] section in the config file. There's no guarantee of order for the subdomains though. It's also important to mention that no expansion magic is performed on our side. It means that if 'example.com' is set it does *not* stand for all its subdomains DNS wise (like 'foo.example.com', 'bar.example.com', etc). Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

SSSDConfig: Python 3.6 invalid escape sequence deprecation fix https://docs.python.org/3/whatsnew/3.6.html#deprecated-python-behavior Merges: https://pagure.io/SSSD/sssd/pull-request/3346 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

CACHE_REQ: Check the caches first This patch introduces a new configurable option to define whether the responder should query all domains' caches before querying the Data Providers. This new option is called cache_first and, by default, it's disabled, meaning that, for each provider, the responder may contact the cache and the data provider in the same iteration. Co-Author: Pavel Březina <pbrezina@redhat.com> Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

MONITOR: Enable an implicit files domain if one is not configured If SSSD is compiled with --enable-files-domain, the loading of the domains changes such that: * if no domain with id_provider=files exists in the config file, an implicit SSSD files domain is added * this domain is always first in the list The administrator is free to create a files domain in the config file himself and either place it at the end of the list or not enable it at all. Resolves: https://pagure.io/SSSD/sssd/issue/3112 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

RESPONDER: Shutdown {dbus,socket}-activated responders in case they're idle This commit introduces a new option for the responders called responder_idle_timeout, which specifies the number of seconds that the responder process can be up without being used. The default value is 300 seconds (5 minutes) and can be configured per responder, being 60 seconds the minimum acceptable value. Is important to note that setting "responder_idle_timeout = 0" disables the responder timeout, which makes sense for the responders that always will be running. The shutdown timeout is activated per responder in case the responder has been {dbus,socket}-activated. In case of any commnunication with the responder the timeout is reset thereby ensuring we won't shutdown a responder that is not idle. Setting the responder's last request time is done slightly differently for socket-activated and dbus-activated responders. In both cases it's updated in any internal communication in sbus_message_handler(), but for the socket-activated responders it's also updated when the responder's socket is used. Currently it works properly with all responders but the secrets one, which has a different logic and must be treated separately in case some change is required there. Is worth to mention that this commit does not affect the responders explicitly configured in the "services" line of sssd.conf. Related: https://fedorahosted.org/sssd/ticket/3245 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SECRETS: Add configurable payload size limit of a secret Resolves: https://fedorahosted.org/sssd/ticket/3169 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

PAM: add pam_response_filter option Currently the main use-case for this new option is to not set the KRB5CCNAME environment varible for services like 'sudo-i'. Resolves https://fedorahosted.org/sssd/ticket/2296 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SECRETS: Add a configurable limit of secrets that can be stored Related: https://fedorahosted.org/sssd/ticket/3169 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SECRETS: Add a configurable depth limit for nested containers Resolves: https://fedorahosted.org/sssd/ticket/3168 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

CONFIG: Add secrets provider options Related: https://fedorahosted.org/sssd/ticket/3207 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SSSDConfig: Do not fail with nonexisting domains/services dict.keys() returns iterator in python3 and not list Chaging data in dictionary while using iterator fails with "RuntimeError: dictionary changed size during iteration" https://fedorahosted.org/sssd/ticket/3107 Reviewed-by: Michal Židek <mzidek@redhat.com>

PROXY: Adding proxy_max_children option The new option 'proxy_max_children' is applicable in domain section. Default value is 10. Resolves: https://fedorahosted.org/sssd/ticket/3153 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

MONITOR: Add disable_netlink option Adding a new monitor boolean option to disable netlink support. This will give users more control over sssd state changes without having to modify systemd unit files. Resolves: https://fedorahosted.org/sssd/ticket/3142 Reviewed-by: Petr Cech <pcech@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

MONITOR: Remove leftovers from kill_service Seems that wen I sent the v2 of ac35fe74 I attached the wrong pacth that ended up being pushed. The patch was incomplete as there are still some leftovers. The .po and sssd-docs.pot were not touched as I do believe they are autogenerated from Zanata. Related: https://fedorahosted.org/sssd/ticket/3052 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Petr Čech <pcech@redhat.com>

MONITOR: Remove leftovers from diag_cmd Seems that when I sent the v2 of 7579cf99 I attached the wrong patch that ended up being pushed. That patch was incomplete as there are still some leftovers. Related: https://fedorahosted.org/sssd/ticket/3051 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Petr Čech <pcech@redhat.com>

CONFIG: session_provider does not exist anymore The session_provider used to exist a long time ago when we used to set the SELinux context from it, but the provider had been removed for a long time. We just forgot to remove the value from the config API and the validator. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

CONFIG: selinux_provider is a valid provider type We should not warn about it in the validator and should allow selinux_provider from the config API. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

AD_PROVIDER: Add ad_enabled_domains option Resolves: https://fedorahosted.org/sssd/ticket/2828 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

CONFIG: re_expression is an allowed option for all domains Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

CONFIG: full_name_format is an allowed option for all domains Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

LDAP: new attribute option ldap_user_email Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

config: Fix user_attributes Fixes: https://fedorahosted.org/sssd/ticket/3068 Option user_attributes is also available in NSS responder, but not in PAC responder. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

config: override_space is monitor's option We read override_space from [sssd] not [nss] section. Resolves: https://fedorahosted.org/sssd/ticket/3068 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Monitor: Remove ping infrastructure Now thast services use an internal watchdog we do not need pings anymore, this will cut down the chatter and allow more flexible process management, for example socket activation and exit-on-idle. Resolves: https://fedorahosted.org/sssd/ticket/2921 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

DEBUG: Add `debug` alias for debug_level Our users constantly make the mistake of typing `debug = 9` in the sssd.conf instead of `debug_level = 9` as would be correct. This happens frequently-enough that we should just alias it rather than continue to have people make mistakes. Resolves: https://fedorahosted.org/sssd/ticket/2999 Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Petr Cech <pcech@redhat.com>

RESPONDERS: Negative caching of local users This patch adds new option 'neg_cache_locals_timeout' into section of NSS responder. It allows negative caching of local groups and users. Default value is 0 which means no caching. Resolves: https://fedorahosted.org/sssd/ticket/2928 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

p11: add missing man page entry and config API The pam_cert_auth and pam_cert_db_path option where missing in the config API and had no man page entries. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

PAC: only save PAC blob into the cache Resolves https://fedorahosted.org/sssd/ticket/2158 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Add a new option ldap_group_external_member Required for: https://fedorahosted.org/sssd/ticket/2522 Reviewed-by: Sumit Bose <sbose@redhat.com>

PAM: Pass account lockout status and display message Tested against Windows Server 2012. Resolves: https://fedorahosted.org/sssd/ticket/2839 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IDMAP: Add support for automatic adding of ranges Resolves: https://fedorahosted.org/sssd/ticket/2188 Reviewed-by: Sumit Bose <sbose@redhat.com>

AD: add task to renew the machine account password if needed AD expects its clients to renew the machine account password on a regular basis, be default every 30 days. Even if a client does not renew the password it might not cause issues because AD does not enforce the renewal. But the password age might be used to identify unused machine accounts in large environments which might get disabled or deleted automatically. With this patch SSSD calls an external program to check the age of the machine account password and renew it if needed. Currently 'adcli' is used as external program which is able to renew the password since version 0.8.0. Resolves https://fedorahosted.org/sssd/ticket/1041 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

p11: enable ocsp checks This patch enables the Online Certificate Status Protocol in NSS and adds an option to disable it if needed. To make further tuning of certificate verification more easy it is not an option on its own but an option to the new certificate_verification configuration option. Resolves https://fedorahosted.org/sssd/ticket/2812 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SSSD: Add a new option diag_cmd This option is an optional one that is run when a sbus ping times out and before a SIGKILL signal is sent. It is undocumented by default. diag_cmd (string): A command that should be run for diagnostic purpose when an sbus timeout fails. The option value may contain %p which would be expanded for the process ID of the process that timed out Example: pstack %p This setting would print the stackstrace of the service whose ping timed out. Default: not set. Reviewed-by: Petr Cech <pcech@redhat.com>

SSSDConfig: Do not raise exception if config_file_version is missing Ticket: https://fedorahosted.org/sssd/ticket/2837 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

PAM: Make p11_child timeout configurable Ticket: https://fedorahosted.org/sssd/ticket/2773 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com>

CONFDB: Assume config file version 2 if missing Default to config file version 2 if the version is not specified explicitly. Ticket: https://fedorahosted.org/sssd/ticket/2688 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

DYNDNS: Add a new option dyndns_server Some environments use a different DNS server than identity server. For these environments, it would be useful to be able to override the DNS server used to perform DNS updates. This patch adds a new option dyndns_server that, if set, would be used to hardcode a DNS server address into the nsupdate message. Reviewed-by: Pavel Reichl <preichl@redhat.com>

sudo: use "higher value wins" when ordering rules This commit changes the default ordering logic (lower value wins) to a correct one that is used by native ldap support. It also adds a new option sudo_inverse_order to switch to the original SSSD (incorrect) behaviour if needed. Resolves: https://fedorahosted.org/sssd/ticket/2682 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SSSDConfig: Return correct types in python3 In Python 3, dict.keys() returns a view rather than a list. Since dict keys aren't in any particular order, indexing them doesn't make sense. Resolves: https://fedorahosted.org/sssd/ticket/2699 Reviewed-by: Christian Heimes <cheimes@redhat.com>

ssh: generate public keys from certificate Resolves: https://fedorahosted.org/sssd/ticket/2711 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

LDAP: Add the wildcard_limit option Related: https://fedorahosted.org/sssd/ticket/2553 Adds a new wildcard_limit option that is set by default to 1000 (one page). This option limits the number of entries that can by default be returned by a wildcard search. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

PAM: authenticate agains cache Enable authenticating users from cache even when SSSD is in online mode. Introduce new option `cached_auth_timeout`. Resolves: https://fedorahosted.org/sssd/ticket/1807 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

LDAP: add ldap_user_certificate option Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

adding ldap_user_auth_type where missing Reviewed-by: Pavel Březina <pbrezina@redhat.com>

confdb: Add new option subdomain_inherit Adds a new option subdomain_inherit that would allow administrators to pick and choose which option to pass to subdomains. This option is required for: https://fedorahosted.org/sssd/ticket/2644 as a short-term fix. The proper solution is described in: https://fedorahosted.org/sssd/ticket/2599 Reviewed-by: Pavel Reichl <preichl@redhat.com>

krb5: new option krb5_map_user New option `krb5_map_user` providing mapping of ID provider names to Kerberos principals. Resolves: https://fedorahosted.org/sssd/ticket/2509 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IPA: Remove the ipa_hbac_treat_deny_as option https://fedorahosted.org/sssd/ticket/2603 Since deny rules are no longer supported on the server, the client should no longer support them either. Remove the option. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

PAM: new option pam_account_expired_message This option sets string to be printed when authenticating using SSH keys and account is expired. Resolves: https://fedorahosted.org/sssd/ticket/2050 Reviewed-by: Sumit Bose <sbose@redhat.com>

SSSDConfig: Port missing parts to python3 * fix incompatible imports * fix translation.[u]?gettext * fix dict method has_key * fix octal literals PEP 3127 * long is not defined in python3 Resolves: https://fedorahosted.org/sssd/ticket/2017 Reviewed-by: Petr Viktorin <pviktori@redhat.com>

SSSDConfig: Remove unused exception name "except ValueError, e:" was the syntax used for what is normally written as "except ValueError as e:" in modern Python. The old syntax is still supported in python2 for backwards compatibility. This means "except ValueError, KeyError:" is not equivalent to "except (ValueError, KeyError):" but to "except ValueError as KeyError:" and variable with name "KeyError" was not used in exception handler. Resolves: https://fedorahosted.org/sssd/ticket/2017 Reviewed-by: Petr Viktorin <pviktori@redhat.com>

AD: add new option ad_site This option overrides a result of the automatic site discovery. Resolves: https://fedorahosted.org/sssd/ticket/2486 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

AD/IPA: add krb5_confd_path configuration option With this new parameter the directory where Kerberos configuration snippets are created can be specified. Fixes https://fedorahosted.org/sssd/ticket/2473 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Revert "LDAP: Remove unused option ldap_group_uuid" This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Revert "LDAP: Remove unused option ldap_user_uuid" This reverts commit dfb2960ab251f609466fa660449703835c97f99a. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SSSD: Load a user to run a service as from configuration Related: https://fedorahosted.org/sssd/ticket/2370 Adds a option, user to run as, that is specified in the [sssd] section. When this option is specified, SSSD will run as this user and his private group. When these are not specified, SSSD will run as the configure-time user and group (usually root). Currently all services and providers are started as root. There is a temporary svc_supported_as_nonroot() function that returns true for a service if that service runs and was tested as nonroot and false otherwise. Currently this function always returns false, but will be amended in future patches. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

IPA: add view support and get view name Related to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

PAM: new options pam_trusted_users & pam_public_domains pam_public_domains option is a list of numerical UIDs or user names that are trusted. pam_public_domains option is a list of domains accessible even for untrusted users. Based on: https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

AD-GPO: config changes for gpo_map_* options Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SDAP: new option - DN to ppolicy on LDAP To check value of pwdLockout attribute on LDAP server, DN of ppolicy must be set. Resolves: https://fedorahosted.org/sssd/ticket/2364 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Only replace space with the specified substitution https://fedorahosted.org/sssd/ticket/2397 - make sss_replace_whitespaces only replace space (' ') not any whitespace - make sss_replace_whitespaces only replace a single char, not the whole string - rename CONFDB_NSS_OVERRIDE_DEFAULT_WHITESPACE to CONFDB_NSS_OVERRIDE_DEFAULT_SPACE - rename the override_default_whitespace option to override_space - rename sss_replace_whitespaces() to sss_replace_space() - rename sss_reverse_replace_whitespaces() to sss_reverse_replace_space() - rename nctx->override_default_wsp_str to nctx->override_space - make the return value of sss_replace_space non-const to avoid freeing the result without compilation warnings Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

AD-GPO: add ad_gpo_cache_timeout option Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

NSS: Replace spaces with specified string in names. This patch add possibility to replace whitespace in user and group names with a specified string. With string "-", sssd will return the same result as winbind enabled option "winbind normalize names" Resolves: https://fedorahosted.org/sssd/ticket/1854 Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Michal Židek <mzidek@redhat.com>

LDAP: Remove unused option ldap_user_uuid There is problem with OpenLDAP server and dereferencing of attributes that is not in the schema of the server? sh-4.2$ ldapsearch -x -LLL -h openldap.server.test -b 'dc=example,dc=com' \ -E 'deref=member:uid,dummy_attr' cn=ref_grp Protocol error (2) Additional information: Dereference control: attribute decoding error sh-4.2$ echo $? 2 The attribute nsUniqueID is a 389-only, non-standard attribute. It is an operational attribute that is not in the rfc2307bis nor inetOrgPerson nor posixAccount schema. It was a default value of option ldap_user_uuid, but it was not use anywhere. Resolves: https://fedorahosted.org/sssd/ticket/2383 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

LDAP: Remove unused option ldap_group_uuid Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

LDAP: Remove unused option ldap_netgroup_uuid Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sudo: fetch sudoRunAs attribute This attribute was used in pre 1.7 versions of sudo and it is now deprecated by sudoRunAsUser and sudoRunAsGroup. However, some users still use this attribute so we need to support it to ensure backward compatibility. This patch makes sure that this attribute is downloaded if present and provided to sudo. Sudo than decides how to handle it. The new mapping option is not present in a man page since this attribute is deprecated in sudo for a very long time. Resolves: https://fedorahosted.org/sssd/ticket/2212 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SDAP: Add option to disable use of Token-Groups Disabling use of Token-Groups is mandatory if expansion of nested groups is not desired (ldap_group_nesting_level = 0) for AD provider. Resolves: https://fedorahosted.org/sssd/ticket/2294 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IFP: Per-attribute ACL for users Introduces a new option called user_attributes that allows to specify which user attributes are allowed to be queried from the IFP responder. By default only the default POSIX set is allowed, this option allows to either add other attributes (+attrname) or remove them from the default set (-attrname). Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Implemented LDAP component of GPO-based access control Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IFP: use a list of allowed_uids for authentication Similar to the PAC responder, the InfoPipe uses a list of UIDs that are allowed to communicate with the IFP responder. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Stef Walter <stefw@redhat.com>

LDAP: Make it possible to extend an attribute map https://fedorahosted.org/sssd/ticket/2073 This commit adds a new option ldap_user_extra_attrs that is unset by default. When set, the option contains a list of LDAP attributes the LDAP provider would download and store in addition to the usual set. The list can either contain LDAP attribute names only, or colon-separated tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP attribute name is specified, the attribute is saved to the cache verbatim. Using a custom SSSD attribute name might be required by environments that configure several SSSD domains with different LDAP schemas. Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

ConfigAPI: Add two missing AD options Reviewed-by: Sumit Bose <sbose@redhat.com>

config API: read only specific files from schemaplugindir Currently the config API read any file in the schema plugin dir, typically /usr/share/sssd/sssd.api.d. If there are any unexpected files, like e.g. editor copies or backups, the python code might break because it cannot parse the files. With this patch only files matching the pattern '^sssd-.*\.conf$' are read from this directory. Additionally this patch contains a file which will break the config API self test if it is not filtered out correctly. Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

Add new option ldap_group_type

dp: make subdomains refresh interval configurable This patch makes the refresh of available subdomains configurable. New option: subdomain_refresh_interval (undocumented) Resolves: https://fedorahosted.org/sssd/ticket/1968

Add a new option to control subdomain enumeration

Add now options ldap_min_id and ldap_max_id Currently the range for Posix IDs stored in an LDAP server is unbound. This might lead to conflicts in a setup with AD and trusts when the configured domain uses IDs from LDAP. With the two noe options this conflict can be avoided.

A new option krb5_use_kdcinfo https://fedorahosted.org/sssd/ticket/1883 The patch introduces a new Kerberos provider option called krb5_use_kdcinfo. The option is true by default in all providers. When set to false, the SSSD will not create krb5 info files that the locator plugin consumes and the user would have to set up the Kerberos options manually in krb5.conf

back end: add refresh expired records periodic task https://fedorahosted.org/sssd/ticket/1713 Add new option refresh_expired_interval.

Adding option to disable retrieving large AD groups. This commit adds new option ldap_disable_range_retrieval with default value FALSE. If this option is enabled, large groups(>1500) will not be retrieved and behaviour will be similar like was before commit ae8d047122c "LDAP: Handle very large Active Directory groups" https://fedorahosted.org/sssd/ticket/1823

dyndns: new option dyndns_auth This options is mostly provided for future expansion. Currently it is undocumented and both IPA and AD dynamic DNS updates default to GSS-TSIG. Allowed values are GSS-TSIG and none.

dyndns: new option dyndns_force_tcp https://fedorahosted.org/sssd/ticket/1831 Adds a new option that can be used to force nsupdate to only use TCP to communicate with the DNS server.

dyndns: New option dyndns_update_ptr https://fedorahosted.org/sssd/ticket/1832 While some servers, such as FreeIPA allow the PTR record to be synchronized when the forward record is updated, other servers, including Active Directory, require that the PTR record is synchronized manually. This patch adds a new option, dyndns_update_ptr that automatically generates appropriate DNS update message for updating the reverse zone. This option is off by default in the IPA provider. Also renames be_nsupdate_create_msg to be_nsupdate_create_fwd_msg

dyndns: new option dyndns_refresh_interval This new options adds the possibility of updating the DNS entries periodically regardless if they have changed or not. This feature will be useful mainly in AD environments where the Windows clients periodically update their DNS records.

Convert IPA-specific options to be back-end agnostic This patch introduces new options for dynamic DNS updates that are not specific to any back end. The current ipa dyndns options are still usable, just with a deprecation warning.

DNS sites support - add AD SRV plugin https://fedorahosted.org/sssd/ticket/1032

Allow usage of enterprise principals Enterprise principals are currently most useful for the AD provider and hence enabled here by default while for the other Kerberos based authentication providers they are disabled by default. If additional UPN suffixes are configured for the AD domain the user principal stored in the AD LDAP server might not contain the real Kerberos realm of the AD domain but one of the additional suffixes which might be completely randomly chooses, e.g. are not related to any existing DNS domain. This make it hard for a client to figure out the right KDC to send requests to. To get around this enterprise principals (see http://tools.ietf.org/html/rfc6806 for details) were introduced. Basically a default realm is added to the principal so that the Kerberos client libraries at least know where to send the request to. It is not in the responsibility of the KDC to either handle the request itself, return a client referral if he thinks a different KDC can handle the request or return and error. This feature is also use to allow authentication in AD environments with cross forest trusts. Fixes https://fedorahosted.org/sssd/ticket/1842

DNS sites support - add IPA SRV plugin https://fedorahosted.org/sssd/ticket/1032

Make the SELinux refresh time configurable. Option ipa_selinux_refresh is added to basic ipa options.

Add ignore_group_members option. https://fedorahosted.org/sssd/ticket/1376

Make TTL configurable for dynamic dns updates

SSH: Expire hosts in known_hosts

Document ldap_chpass_update_last_change Add the option to the manual page and the configAPI https://fedorahosted.org/sssd/ticket/1494

Add new option default_domain_suffix

SSSDConfig: Fix nonfunctional SSSDDomain.remove_provider() Also adds a regression test to the unit test suite. https://fedorahosted.org/sssd/ticket/1388

Primary server support: new option in AD provider This patch adds support for new config option ad_backup_server. The description of this option's functionality is included in man page in one of previous patches.

Primary server support: new option in IPA provider This patch adds support for new config option ipa_backup_server. The description of this option's functionality is included in man page in one of previous patches.

Primary server support: new options in krb5 provider This patch adds support for new config options krb5_backup_server and krb5_backup_kpasswd. The description of this option's functionality is included in man page in one of previous patches.

Primary server support: new option in ldap provider This patch adds support for new config option ldap_backup_uri. The description of this option's functionality is included in man page in previous patch.

NSS: Add override_shell option If override_shell is specified in the [nss] section, all users managed by SSSD will have their shell set to this value. If it is specified in the [domain/DOMAINNAME] section, it will apply to only that domain (and override the [nss] value, if any). https://fedorahosted.org/sssd/ticket/1087

pac responder: limit access by checking UIDs A check for allowed UIDs is added in the common responder code directly after accept(). If the platform does not support reading the UID of the peer but allowed UIDs are configured, access is denied. Currently only the PAC responder sets the allowed UIDs for a socket. The default is that only root is allowed to access the socket of the PAC responder. Fixes: https://fedorahosted.org/sssd/ticket/1382

AD: Add manpages and SSSDConfig entries

sudo: add host info options Adds some option that allows to manually configure a host filter. ldap_sudo_use_host_filter - if false, we will download all rules regardless their sudoHost attribute ldap_sudo_hostnames - list hostnames and/or fqdn that should be downloaded, separated with spaces ldap_sudo_ip - list of IPv4/6 address and/or network that should be downloaded, separated with spaces ldap_sudo_include_netgroups - include rules that contains netgroup in sudoHost ldap_sudo_include_regexp - include rules that contains regular expression in sudoHost

sudo: clean up

sudo provider: add ldap_sudo_smart_refresh_interval

sudo provider: remove old timer

sudo provider: add ldap_sudo_full_refresh_interval

confdb: add entry_cache_sudo_timeout option

Add support for ID ranges

Make the client idle timeout configurable

LDAP: Add ldap_*_use_matching_rule_in_chain options

Allow fast memcache timeout to be configurable https://fedorahosted.org/sssd/ticket/1318

IPA subdomains - ask for information about master domain The query is performed only if there is missing information in the cache. That means this should be done only once after restart when cache doesn't exist. All subsequent requests for subdomains won't include the request for master domain.

Fix the default sssd.conf path

SSSDConfig: Make default config and schema file locations configurable https://fedorahosted.org/sssd/ticket/1008