d72ac2c58360cd272277b5ddde67bbff53106a74 |
|
26-Oct-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
CONFIG: Add a new option auto_private_groups
The auto_private_groups option is used to configure the domain->mpg flag
which was already set automatically for subdomains, but for some time was
not settable by the admin via the configuration file.
The new option name, instead of the old magic_private_groups, was chosen
purely because this name would hopefully be better understood by admins.
The option doesn't do anything yet, it is just added to all the places a
new option should be added to.
Related:
https://pagure.io/SSSD/sssd/issue/1872
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
895584001760e8188db486bc39f9938624822d35 |
|
13-Sep-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
CONFIG: Fix schema for try_inotify
It is read only from "[sssd]" section.
Resolves:
https://pagure.io/SSSD/sssd/issue/3511
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f982039c75ec064894deb676ae53ee57de868590 |
|
28-Aug-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
DESKPROFILE: Introduce the new IPA session provider
In order to provide FleetCommander[0] integration, a session provider
has been introduced for IPA. The design of this feature and more
technical details can be found at [1] and [2], which are the design
pages of both freeIPA and SSSD parts.
As there's no way to test freeIPA integration with our upstream tests,
no test has been provided yet.
It is also worth mentioning that the name "deskprofile" has been chosen
instead of "fleetcmd" in order to match with the freeIPA plugin. It
means that, for consistency, all source files, directories created,
options added, functions prefixes and so on are following the choice
accordingly.
[0]: https://wiki.gnome.org/Projects/FleetCommander
[1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
[2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html
Resolves:
https://pagure.io/SSSD/sssd/issue/2995
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
555f43b491f40e0237b8677565a748b929092bee |
|
27-Jul-2017 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
CONFIG: Add session_recording section
Add information on "session_recording" config section, having three
options: "scope", "users", and "groups".
The section is intended for disabling session recording ("scope = none",
default), enabling session recording for all users ("scope = all"), and
enabling it for some specific users and/or groups ("scope = some",
"users = <users>", "groups = <groups>").
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
fca26b76f23ee4457d6796b19892ed97362b6c8d |
|
29-May-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
SSSDConfig: Fix saving of debug_level
SSSDConfig internally handles debug_level as an integer.
But in case of bitmask version of debug_level (>=16)
it stored value as a decimal which is confusing
e.g.
debug_level = 8176
vs.
debug_level = 0x1ff0
Resolves:
https://pagure.io/SSSD/sssd/issue/3410
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
6df5b36008fef9c1f6dcf8f31af033a467e744c7 |
|
29-May-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
SSSDConfig: Handle integer parsing more leniently
debug_level is usually defined as decimal value <= 10
or as a hexadecimal value which is used as a bitmask
Parsing of hexadecimal value was partially fixed by commit
7fac271ccebb84743c39f553eb5ec013cf1d10aa but only for
sssd domains. It was not fixed for sssd services.
File "/usr/share/authconfig/authinfo.py", line 3142, in writeSSSDPAM
pam = self.sssdConfig.get_service('pam')
File "/usr/lib/python3.6/site-packages/SSSDConfig/__init__.py", line 1620, in get_service
service.set_option(opt['name'], opt['value'])
File "/usr/lib/python3.6/site-packages/SSSDConfig/__init__.py", line 932, in set_option
(option_schema[0], optionname, type(value)))
TypeError: Expected <class 'int'> for debug_level, received <class 'str'>
Resolves:
https://pagure.io/SSSD/sssd/issue/3410
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
beab60d88fc07d463f6fb3756c8f3d29bdd78827 |
|
26-May-2017 |
Justin Stephenson <jstephen@redhat.com> |
CONFIG: Add subdomain_homedir to config locations
Option subdomain_homedir was missing from Python config API and
cfg_rules leading to config file validation failures. Add this option
into the necessary locations similar to other provider-generic domain
options.
Resolves:
https://pagure.io/SSSD/sssd/issue/3389
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
6324eaf1fb321c41ca9883966118df6d45259b7e |
|
30-Mar-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
CONFDB: Introduce SSSD domain type to distinguish POSIX and application domains
Related to:
https://pagure.io/SSSD/sssd/issue/3310
Adds a new option that allows to distinguish domains that do contain
POSIX users and groups and those that don't. The POSIX domains are the
default. The non-POSIX domains are selected by selecting an
"application" type domain.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
16385568547351b5d2c562f3081f35f3341f695b |
|
29-Mar-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
Add domain_resolution_order config option
This is the local equivalent of option of ipaDomainResolutionOrder and
has precedence over the ones set on IPA side making the precedence order
to be like: Local > View > Globally.
As done for the IPA side configurations, the domains which were not
explicitly set up will be appended to the final of the
domain_resolution_order list in the very same order they're presented in
the "domains" option of [sssd] section in the config file. There's no
guarantee of order for the subdomains though.
It's also important to mention that no expansion magic is performed on
our side. It means that if 'example.com' is set it does *not* stand for
all its subdomains DNS wise (like 'foo.example.com', 'bar.example.com',
etc).
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
8bb6680637ead03e24a38d15ec5265d11a920a1d |
|
14-Mar-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
CACHE_REQ: Check the caches first
This patch introduces a new configurable option to define whether the
responder should query all domains' caches before querying the Data
Providers.
This new option is called cache_first and, by default, it's disabled,
meaning that, for each provider, the responder may contact the cache and
the data provider in the same iteration.
Co-Author: Pavel Březina <pbrezina@redhat.com>
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
78bb3676fe8326e0fe2b60daad8bf524e4625d4e |
|
27-Feb-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
MONITOR: Enable an implicit files domain if one is not configured
If SSSD is compiled with --enable-files-domain, the loading of the
domains changes such that:
* if no domain with id_provider=files exists in the config file, an
implicit SSSD files domain is added
* this domain is always first in the list
The administrator is free to create a files domain in the config file
himself and either place it at the end of the list or not enable it at
all.
Resolves:
https://pagure.io/SSSD/sssd/issue/3112
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
151a6de4793e0045a7085d4d72b975947662e566 |
|
23-Jan-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
RESPONDER: Shutdown {dbus,socket}-activated responders in case they're idle
This commit introduces a new option for the responders called
responder_idle_timeout, which specifies the number of seconds that the
responder process can be up without being used. The default value is
300 seconds (5 minutes) and can be configured per responder, being 60
seconds the minimum acceptable value.
It is important to note that setting "responder_idle_timeout = 0" disables
the responder timeout, which makes sense for the responders that always
will be running.
The shutdown timeout is activated per responder in case the responder
has been {dbus,socket}-activated. In case of any communication with the
responder the timeout is reset thereby ensuring we won't shutdown a
responder that is not idle.
Setting the responder's last request time is done slightly differently
for socket-activated and dbus-activated responders. In both cases it's
updated in any internal communication in sbus_message_handler(), but
for the socket-activated responders it's also updated when the
responder's socket is used.
Currently it works properly with all responders but the secrets one,
which has a different logic and must be treated separately in case some
change is required there.
It is worth mentioning that this commit does not affect the responders
explicitly configured in the "services" line of sssd.conf.
Related:
https://fedorahosted.org/sssd/ticket/3245
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
47aea8d2fc19fedb0a774f2e72c02ac2c87d1723 |
|
03-Oct-2016 |
Fabiano Fidêncio <fidencio@redhat.com> |
CONFIG: Add secrets provider options
Related:
https://fedorahosted.org/sssd/ticket/3207
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
1773fdad2730f3f910782781fa286f402ce36cca |
|
22-Sep-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
SSSDConfig: Do not fail with nonexisting domains/services
dict.keys() returns iterator in python3 and not list
Changing data in dictionary while using iterator
fails with "RuntimeError: dictionary changed size during iteration"
https://fedorahosted.org/sssd/ticket/3107
Reviewed-by: Michal Židek <mzidek@redhat.com> |
081c6d8c7c8e75487d1c4e42862964be1e85b575 |
|
12-Sep-2016 |
Justin Stephenson <jstephen@redhat.com> |
MONITOR: Add disable_netlink option
Adding a new monitor boolean option to disable netlink support.
This will give users more control over sssd state changes without
having to modify systemd unit files.
Resolves:
https://fedorahosted.org/sssd/ticket/3142
Reviewed-by: Petr Cech <pcech@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
5b0735876aa66464b24cb7736a74fafd8ec82128 |
|
31-Aug-2016 |
Fabiano Fidêncio <fidencio@redhat.com> |
MONITOR: Remove leftovers from kill_service
Seems that when I sent the v2 of ac35fe74 I attached the wrong patch that
ended up being pushed.
The patch was incomplete as there are still some leftovers.
The .po and sssd-docs.pot were not touched as I do believe they are
autogenerated from Zanata.
Related:
https://fedorahosted.org/sssd/ticket/3052
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Petr Čech <pcech@redhat.com> |
e04df9feca0c9877c69aa46450d04c556bcb23ad |
|
31-Aug-2016 |
Fabiano Fidêncio <fidencio@redhat.com> |
MONITOR: Remove leftovers from diag_cmd
Seems that when I sent the v2 of 7579cf99 I attached the wrong patch
that ended up being pushed.
That patch was incomplete as there are still some leftovers.
Related:
https://fedorahosted.org/sssd/ticket/3051
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Petr Čech <pcech@redhat.com> |
d940593e647731c0caec1fd04cf16a1b23578f32 |
|
23-Aug-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
CONFIG: session_provider does not exist anymore
The session_provider used to exist a long time ago when we used to set
the SELinux context from it, but the provider had been removed for a
long time. We just forgot to remove the value from the config API and
the validator.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
dec00197181ee8f7efbfbdadd73629f66f80f1ff |
|
23-Aug-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
CONFIG: selinux_provider is a valid provider type
We should not warn about it in the validator and should allow
selinux_provider from the config API.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
6d19051c50c10fc4de056ebb385c63ec0ed221cb |
|
12-Aug-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
CONFIG: re_expression is an allowed option for all domains
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
cc4d1af16820b15595b60c3df15220fb852eb897 |
|
12-Aug-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
CONFIG: full_name_format is an allowed option for all domains
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
aeab20358006d728a284f969f92f3890498cd651 |
|
12-Jul-2016 |
Michal Židek <mzidek@redhat.com> |
config: Add config_file_version to schema
Resolves:
https://fedorahosted.org/sssd/ticket/3068
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
fc04d11c2fdde0bfe280c6030df2b1d6bf15ce63 |
|
12-Jul-2016 |
Michal Židek <mzidek@redhat.com> |
config: override_space is monitor's option
We read override_space from [sssd] not
[nss] section.
Resolves:
https://fedorahosted.org/sssd/ticket/3068
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
131684b9107a3fc07906013d16b35975531f2864 |
|
16-Jun-2016 |
Stephen Gallagher <sgallagh@redhat.com> |
DEBUG: Add `debug` alias for debug_level
Our users constantly make the mistake of typing `debug = 9` in the
sssd.conf instead of `debug_level = 9` as would be correct. This
happens frequently-enough that we should just alias it rather than
continue to have people make mistakes.
Resolves:
https://fedorahosted.org/sssd/ticket/2999
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Petr Cech <pcech@redhat.com> |
03b859510dc13a13a456ca4aa94c0561a0e9684c |
|
26-Nov-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Add autofs provider
https://fedorahosted.org/sssd/ticket/1632
Adds the possibility to configure:
autofs_provider = ad
The AD autofs provider uses the rfc2307 (nis*) attribute maps. This is
different (at the moment) from using autofs_provider=ldap with
ldap_schema=ad.
Reviewed-by: Ondrej Valousek <ondrejv2@fedoraproject.org>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
544a20de7667f05c1a406c4dea0706b0ab507430 |
|
26-Nov-2015 |
Sumit Bose <sbose@redhat.com> |
p11: enable ocsp checks
This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification more easy it is not an option on its own but an
option to the new certificate_verification configuration option.
Resolves https://fedorahosted.org/sssd/ticket/2812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
89530c830ded58c6140cdb34c9de07bf77bb5bc0 |
|
13-Nov-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SSSD: Add a new option diag_cmd
This option is an optional one that is run when a sbus ping times out
and before a SIGKILL signal is sent.
It is undocumented by default.
diag_cmd (string):
A command that should be run for diagnostic purpose when an sbus timeout
fails. The option value may contain %p which would be expanded for the
process ID of the process that timed out
Example:
pstack %p
This setting would print the stack trace of the service whose ping timed out.
Default: not set.
Reviewed-by: Petr Cech <pcech@redhat.com> |
7388fc91bd6c22705e60632346ec815f4a4963f1 |
|
19-Oct-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
SSSDConfigTest: Test real config without config_file_version
src/config/testconfigs/sssd-valid.conf explicitly contains
config_file_version. Recently we changed the default value to 2
and therefore it needn't be listed in configuration file.
This patch tests real sssd.conf without config_file_version.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
87ef67286b64af98d32a3a5abcd28a9c2886f751 |
|
19-Oct-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
SSSDConfigTest: Try load saved config
Python module SSSDConfig should be able to save configuration file
and later load the same configuration file without problem.
Unit test for:
https://fedorahosted.org/sssd/ticket/2837
Reviewed-by: Michal Židek <mzidek@redhat.com> |
6a044fa43d53638c1d0b874d43f58c0428820362 |
|
19-Oct-2015 |
Michal Židek <mzidek@redhat.com> |
SSSDConfig: Do not raise exception if config_file_version is missing
Ticket:
https://fedorahosted.org/sssd/ticket/2837
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
175613be0cfb0890174d12d941e634d833b63dd9 |
|
03-Sep-2015 |
Michal Židek <mzidek@redhat.com> |
CONFDB: Assume config file version 2 if missing
Default to config file version 2 if the version
is not specified explicitly.
Ticket:
https://fedorahosted.org/sssd/ticket/2688
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
8145ab51b05aa86b2f1a21b49383f55e50b0a2e3 |
|
14-Aug-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
DYNDNS: Add a new option dyndns_server
Some environments use a different DNS server than identity server. For
these environments, it would be useful to be able to override the DNS
server used to perform DNS updates.
This patch adds a new option dyndns_server that, if set, would be used
to hardcode a DNS server address into the nsupdate message.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
2ab9822a792e26e9ddb47cbb6bc788a0727c8556 |
|
04-Aug-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
SSSDConfig: Return correct types in python3
In Python 3, dict.keys() returns a view rather than a list. Since dict keys
aren't in any particular order, indexing them doesn't make sense.
Resolves:
https://fedorahosted.org/sssd/ticket/2699
Reviewed-by: Christian Heimes <cheimes@redhat.com> |
0aa18cc0bf3447ca734476926724f1632e160807 |
|
06-Jul-2015 |
Pavel Reichl <preichl@redhat.com> |
PAM: authenticate against cache
Enable authenticating users from cache even when SSSD is in online mode.
Introduce new option `cached_auth_timeout`.
Resolves:
https://fedorahosted.org/sssd/ticket/1807
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
1711cbfd2e36d44af1ae50e3a2beeec3a1f0b5e8 |
|
05-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
confdb: Add new option subdomain_inherit
Adds a new option subdomain_inherit that would allow administrators to pick
and choose which option to pass to subdomains.
This option is required for:
https://fedorahosted.org/sssd/ticket/2644
as a short-term fix.
The proper solution is described in:
https://fedorahosted.org/sssd/ticket/2599
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
aa8a8318aaa3270e9d9957d0c22dec6342360a37 |
|
28-May-2015 |
Pavel Reichl <preichl@redhat.com> |
krb5: new option krb5_map_user
New option `krb5_map_user` providing mapping of ID provider names to
Kerberos principals.
Resolves:
https://fedorahosted.org/sssd/ticket/2509
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
62b20154899f847e760d6dfbae6a32fb45b448de |
|
26-May-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
SSSDConfigTest: Use unique temporary directory
Test SSSDConfigTest is executed twice with make check
if python2 and python3 are available.
Tests are executed in parallel with new automake
and therefore it caused sometimes failures e.g.
ERROR: testModifyExistingConfig (__main__.SSSDConfigTestValid)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/tmp/sssd/src/config/SSSDConfigTest.py", line 215, in testModifyExistingConfig
mode = os.stat(of)[ST_MODE]
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/testModifyExistingConfig.conf'
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
932c3e22e3c59a9c33f30dcc09e6bef257e14320 |
|
08-May-2015 |
Sumit Bose <sbose@redhat.com> |
Add cache_credentials_minimal_first_factor_length config option
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
e8058322725ba050014777ee2484f7e833ab1e3a |
|
13-Feb-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Remove strict requirements of python2
* fix hashbangs
* remove strict requirements of python2 in build system
Resolves:
https://fedorahosted.org/sssd/ticket/2017
Reviewed-by: Petr Viktorin <pviktori@redhat.com> |
a71004c112cd5d61d3a9e37a4cfc5760dc9a1cec |
|
13-Feb-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
SSSDConfig: Port missing parts to python3
* fix incompatible imports
* fix translation.[u]?gettext
* fix dict method has_key
* fix octal literals PEP 3127
* long is not defined in python3
Resolves:
https://fedorahosted.org/sssd/ticket/2017
Reviewed-by: Petr Viktorin <pviktori@redhat.com> |
341a00311680a440d7f979f06c34c70d86c9367a |
|
13-Jan-2015 |
Bohuslav Kabrda <bkabrda@redhat.com> |
Python3 support in SSSD
https://fedorahosted.org/sssd/ticket/2017 |
a10ac1d0a7210def232205a48c53a075930e82f6 |
|
22-Oct-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
SSSD: Load a user to run a service as from configuration
Related:
https://fedorahosted.org/sssd/ticket/2370
Adds an option, user to run as, that is specified in the [sssd] section. When
this option is specified, SSSD will run as this user and his private
group. When these are not specified, SSSD will run as the configure-time
user and group (usually root).
Currently all services and providers are started as root. There is a
temporary svc_supported_as_nonroot() function that returns true for a
service if that service runs and was tested as nonroot and false
otherwise. Currently this function always returns false, but will be
amended in future patches.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
3ac7c4fe618ede980a4df8d90341ef1fd0f1f62f |
|
05-Sep-2014 |
William B <william@adelaide.edu.au> |
SSS_CACHE: Allow sss_cache tool to flush SSH hosts cache
Resolves:
https://fedorahosted.org/sssd/ticket/2358
Signed-off-by: Jan Cholasta <jcholast@redhat.com>
Reviewed-by: Jan Cholasta <jcholast@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
73b68aa708e1ffa0e0ab5b021fa93ff3a0f484b1 |
|
18-Jun-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
Use python2 in shebang for python scripts.
https://fedorahosted.org/sssd/ticket/2356
The python scripts are not tested with python3 and /usr/bin/python can be
symbolic link to python3 on some distributions.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
ae0a5011e2644eaa482ea1b9e1451eff05c676b9 |
|
02-Jun-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
NSS: Add option to expand homedir template format
LDAP server can contain template for home directory instead of plain string.
This patch adds new expand option "%H", which will be replaced with value
from configuration option homedir_substring (from sssd.conf)
Resolves:
https://fedorahosted.org/sssd/ticket/1853 |
3660f49f81e4db07be66fe0887af9d62065f1f2c |
|
13-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: use a list of allowed_uids for authentication
Similar to the PAC responder, the InfoPipe uses a list of UIDs that are
allowed to communicate with the IFP responder.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com> |
d206ccb0362396b9de326ab1c43ed3af9d8b60a3 |
|
02-Mar-2014 |
Sumit Bose <sbose@redhat.com> |
config API: prepend source dir search path for tests
Instead of appending, the search path in the source directory should be
prepended. Otherwise the test might find files installed in the default
paths of the system first.
As a result the compiled python files in the build directory must be
removed in the clean target to make 'make distcheck' pass.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
61804568ce5ede3b1a699cda17c033dd6c23f0e3 |
|
02-Mar-2014 |
Sumit Bose <sbose@redhat.com> |
SUDO: AD provider
This patch adds the sudo target to the AD provider. The main reason is
to cover different default settings in the LDAP and AD provider. E.g.
the default for ldap_id_mapping is True in the AD provider and False
in the LDAP provider. If ldap_id_mapping was not set explicitly in the
config file both components worked with different setting.
Fixes https://fedorahosted.org/sssd/ticket/2256
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
b564424a77c7c3b361c944e0623023d0cfea2c9f |
|
02-Mar-2014 |
Sumit Bose <sbose@redhat.com> |
config API: add missing subdomain target to AD provider test
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
4fcc27c0474b1879119cb04de4ed209711df231e |
|
07-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
confdb: Make offline timeout configurable
Added and documented option offline_timeout.
Resolves:
https://fedorahosted.org/sssd/ticket/1718 |
cd4cc8d8829f1ea5257bf874b91980368114275f |
|
25-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
dp: make subdomains refresh interval configurable
This patch makes the refresh of available subdomains configurable.
New option:
subdomain_refresh_interval (undocumented)
Resolves:
https://fedorahosted.org/sssd/ticket/1968 |
33c865412732554ef255e93c4e7a58b0bce963c6 |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Add a new option to control subdomain enumeration |
14452cd066b51e32ca0ebad6c45ae909a1debe57 |
|
10-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
A new option krb5_use_kdcinfo
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf |
0cf0e2d758d09e9b314ba72ce6638df10b258462 |
|
10-Jun-2013 |
Pavel Březina <pbrezina@redhat.com> |
back end: add refresh expired records periodic task
https://fedorahosted.org/sssd/ticket/1713
Add new option refresh_expired_interval. |
21d89c38f22bf3b0c013b72988484c73db6ccecb |
|
23-May-2013 |
Stef Walter <stefw@redhat.com> |
Add a domain config attribute for realmd
realmd needs to be able to tag various domains with basic info
when it configures a domain. |
7c100872c56b3bc0bd820e600fefbcfedf179283 |
|
23-May-2013 |
Stephen Gallagher <sgallagh@redhat.com> |
Add 'description' attribute to SSSDConfig API
It was mentioned in the manpages, but not accepted by the API |
e15a9f81eb33066937710d7dee6976a3646d119c |
|
03-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
dyndns: new option dyndns_auth
This option is mostly provided for future expansion. Currently it is
undocumented and both IPA and AD dynamic DNS updates default to
GSS-TSIG. Allowed values are GSS-TSIG and none. |
e45b81abe0aafa8a04bd64ac31a2fac63ce675b7 |
|
03-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
dyndns: new option dyndns_force_tcp
https://fedorahosted.org/sssd/ticket/1831
Adds a new option that can be used to force nsupdate to only use TCP to
communicate with the DNS server. |
38ebc764eeb7693e0c4f0894d6687e54fbba871b |
|
03-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
dyndns: New option dyndns_update_ptr
https://fedorahosted.org/sssd/ticket/1832
While some servers, such as FreeIPA allow the PTR record to be
synchronized when the forward record is updated, other servers,
including Active Directory, require that the PTR record is synchronized
manually.
This patch adds a new option, dyndns_update_ptr that automatically
generates appropriate DNS update message for updating the reverse zone.
This option is off by default in the IPA provider.
Also renames be_nsupdate_create_msg to be_nsupdate_create_fwd_msg |
5a4239490c7fb7d732180a9d40f27f0247c56631 |
|
03-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
dyndns: new option dyndns_refresh_interval
This new option adds the possibility of updating the DNS entries
periodically regardless if they have changed or not. This feature
will be useful mainly in AD environments where the Windows clients
periodically update their DNS records. |
04868f1573f4b26ef34610b6d7069172f93bd8ab |
|
03-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Convert IPA-specific options to be back-end agnostic
This patch introduces new options for dynamic DNS updates that are not
specific to any back end. The current ipa dyndns options are still
usable, just with a deprecation warning. |
b24e4bec819b29f1ec8e77083d4e7610c5dd9c77 |
|
03-May-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
SUDO: IPA provider
This patch added auto configuration SUDO with ipa provider and compat tree.
https://fedorahosted.org/sssd/ticket/1733 |
edaa983d094c239c3e1ba667bcd20ed3934be3b8 |
|
22-Apr-2013 |
Sumit Bose <sbose@redhat.com> |
Allow usage of enterprise principals
Enterprise principals are currently most useful for the AD provider and
hence enabled here by default while for the other Kerberos based
authentication providers they are disabled by default.
If additional UPN suffixes are configured for the AD domain the user
principal stored in the AD LDAP server might not contain the real
Kerberos realm of the AD domain but one of the additional suffixes which
might be completely randomly chosen, e.g. are not related to any
existing DNS domain. This makes it hard for a client to figure out the
right KDC to send requests to.
To get around this enterprise principals (see
http://tools.ietf.org/html/rfc6806 for details) were introduced.
Basically a default realm is added to the principal so that the Kerberos
client libraries at least know where to send the request to. It is not
in the responsibility of the KDC to either handle the request itself,
return a client referral if he thinks a different KDC can handle the
request or return an error. This feature is also used to allow
authentication in AD environments with cross forest trusts.
Fixes https://fedorahosted.org/sssd/ticket/1842 |
59f136cd254d1acf2991c97221eb08803784777d |
|
15-Nov-2012 |
Paul B. Henson <henson@acm.org> |
Add ignore_group_members option.
https://fedorahosted.org/sssd/ticket/1376 |
9ab30382e69fbe7b3a8f0183d3c017b41a43c54d |
|
08-Nov-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
SSSDConfig: Locate the force_timeout option in the correct sections |
f46bf56b98d056ba44b267f033e58149b44ea519 |
|
30-Oct-2012 |
Pavel Březina <pbrezina@redhat.com> |
authconfig: allow chpass_provider = proxy
https://fedorahosted.org/sssd/ticket/1611 |
66318dfe1e7138ff3fc780c4b3f0b29c4b2d8712 |
|
18-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Allow setting the default_shell option per-domain as well
https://fedorahosted.org/sssd/ticket/1583 |
1542b85f13d72329685bdd97aa879c36d11f81be |
|
01-Oct-2012 |
Sumit Bose <sbose@redhat.com> |
Add new option default_domain_suffix |
bf960d6a15feffff26dff782a876cb0b6e7dd935 |
|
05-Aug-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
SSSDConfig: Fix nonfunctional SSSDDomain.remove_provider()
Also adds a regression test to the unit test suite.
https://fedorahosted.org/sssd/ticket/1388 |
07b7b76d7cd494cbd26263503ba2732c21819941 |
|
01-Aug-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Primary server support: new options in krb5 provider
This patch adds support for new config options krb5_backup_server and
krb5_backup_kpasswd. The description of this option's functionality
is included in man page in one of previous patches. |
198ee7c264bd8a473ecd0c343830b7952a51e90e |
|
24-Jul-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix SSSDConfigTest |
695bca9d2f73096254308e0883fcc74b2631850e |
|
20-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
NSS: Add override_shell option
If override_shell is specified in the [nss] section, all users
managed by SSSD will have their shell set to this value. If it is
specified in the [domain/DOMAINNAME] section, it will apply to
only that domain (and override the [nss] value, if any).
https://fedorahosted.org/sssd/ticket/1087 |
2d257ccf620ce1b611f89cec8f0a94c88c2f2881 |
|
10-Jul-2012 |
Sumit Bose <sbose@redhat.com> |
pac responder: limit access by checking UIDs
A check for allowed UIDs is added in the common responder code directly
after accept(). If the platform does not support reading the UID of the
peer but allowed UIDs are configured, access is denied.
Currently only the PAC responder sets the allowed UIDs for a socket. The
default is that only root is allowed to access the socket of the PAC
responder.
Fixes: https://fedorahosted.org/sssd/ticket/1382 |
03532fb1cbb7e8c1d5cf2e93aa3719f926631cab |
|
06-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
AD: Add manpages and SSSDConfig entries |
f4e497df7dab24d2a6f256559433d2eebbe5e46c |
|
06-Jul-2012 |
Sumit Bose <sbose@redhat.com> |
Fix SSSDConfigTest for separate build directories |
da9fd6373b94a49b748542ab568997b9e2421972 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
confdb: add entry_cache_sudo_timeout option |
bb79e7559dae451a14150377099e32d6b5159a6c |
|
18-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Make the client idle timeout configurable |
f6dbb235373b122ae15643ef5dbbe821ee1307d9 |
|
10-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
NSS: Add fallback_homedir option
This option is similar to override_homedir, except that it will
take effect only for users that do not have an explicit home
directory specified in LDAP.
https://fedorahosted.org/sssd/ticket/1250 |
077ec9ac6dfef339c16ecc9c2f60cd77e62c9272 |
|
04-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
SSSDConfigAPI: Fix missing option in tests |
fe1ac2443811a7125f2ddd0382a3f437f20377de |
|
24-Apr-2012 |
Sumit Bose <sbose@redhat.com> |
data provider: added subdomains |
b83e43eb88879c7fb3114aafcc525356ff7d4235 |
|
20-Apr-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Make the monitor SIGKILL time configurable
https://fedorahosted.org/sssd/ticket/1119 |
ce162d4a207d8f63a31587e84e86ad4bea986cf2 |
|
24-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
SELinux related attributes added to config API |
457927f4210a0c41289521d55617b6d6bb6a46e0 |
|
17-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
RESPONDERS: Make the fd_limit setting configurable
This code will now attempt first to see if it has privilege to set
the value as specified, and if not it will fall back to the
previous behavior. So on systems with the CAP_SYS_RESOURCE
capability granted to SSSD, it will be able to ignore the
limits.conf hard limit.
https://fedorahosted.org/sssd/ticket/1197 |
04d27ffd7c52f7519b25ff8b8896a901c0439898 |
|
10-Feb-2012 |
Jan Cholasta <jcholast@redhat.com> |
Add ssh service to sssd.api.conf |
38f98a00917c97f0b9df2be134327b6513e6c68f |
|
10-Feb-2012 |
Jan Cholasta <jcholast@redhat.com> |
Add methods for activating and deactivating services to SSSDConfig |
620033ce66f4827be9d508c77483fab0270d9869 |
|
07-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: IPA provider |
74505b09d056883741e90cac45838c844365cae5 |
|
07-Feb-2012 |
Jan Cholasta <jcholast@redhat.com> |
DP: Add host info handler |
2d0550acbe07024d034fb616c1ec5b81929c4844 |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Add session target in data provider |
9e80079370ff3b943832adc3c5ef430e64be0a0c |
|
06-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: responder |
7312d03a87ae9713c46c275aff0102f79f5237ed |
|
04-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
ConfigAPI: add sudo to known services
https://fedorahosted.org/sssd/ticket/1144
Squashed patch from Jan Zeleny:
Add SUDO provider to the list of available providers in SSSDConfig.py |
bd92e8ee315d4da9350b9ef0358c88a7b54aeebe |
|
04-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
NSS: Add individual timeouts for entry types
https://fedorahosted.org/sssd/ticket/1016 |
f643754db81eeade60485bbe3d80324d889cc4f3 |
|
17-Jan-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration review issues |
b3b42c49656e192787a983aaa8b9ec744ba4cb9d |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use the case sensitivity flag in responders |
7dfc7617085c403d30debe9f08d4c9bcca322744 |
|
02-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Add support to request canonicalization on krb AS requests
https://fedorahosted.org/sssd/ticket/957 |
aca230b70b7f9b13edc44d328178433192c965e7 |
|
31-Oct-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Added krb5_fast_principal to SSSDConfig API |
307b13bf91a8f70fe81949dfc3548ed2796e890a |
|
20-Sep-2011 |
Marko Myllynen <myllynen@redhat.com> |
Add missing options to sssd.api.conf |
a769f9bb2293cbb972da6a4f5604ed1fb7252e7b |
|
08-Sep-2011 |
Pavel Březina <pbrezina@redhat.com> |
DEBUG timestamps offer higher precision - SSSDConfig updated
https://fedorahosted.org/sssd/ticket/956 |
4b6a0d0b3d42e5fdb457f47d9adfa5e66b160256 |
|
02-Sep-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add option to specify the kerberos replay cache dir
Adds a configure option to set the distribution default as well as
an sssd.conf option to override it.
https://fedorahosted.org/sssd/ticket/980 |
d9d716b547d256c03df97b0ff8282349a0f365ad |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add a new option to override home directory value
https://fedorahosted.org/sssd/ticket/551 |
54af51d2129d29258108a6dbf072a82c930bf399 |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add a new option to override primary GID number
https://fedorahosted.org/sssd/ticket/742 |
f373ef3a3901d30d8460a178714b700afb687d2c |
|
27-Apr-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add "description" option to SSSDConfig API
https://fedorahosted.org/sssd/ticket/850 |
0e5879c0e3f83b0bbaff79d9c97f672055b61c4f |
|
25-Apr-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Configuration parsing updates
These changes are all related to following ticket:
https://fedorahosted.org/sssd/ticket/763
Changes in SSSDConfig.py merge old and new domain record instead of just
deleting the old and inserting the new one. The old approach led to loss
of some information like comments and blank lines in the config file.
Changes in API config were performed so our Python scripts (like
sss_obfuscate) don't add extra config options to the config file. |
6d5c99032baa803e6222591f0683f435f16bc1e1 |
|
17-Mar-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add support for krb5 access provider to SSSDConfig API |
2be33d8ea8ec8128d52359ed01f52c9df252a70c |
|
17-Jan-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Do not force a default for debug_level |
5843ad321944a028f6dee7e1fd4f9381c4953d07 |
|
07-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add support for FAST in krb5 provider |
f3f9ce8024d7610439d6c70ddafab1ab025cf8a8 |
|
03-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add support for automatic Kerberos ticket renewal |
c7d73cf51642c7f89c1f21e54b8ce1b262bef899 |
|
03-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add krb5_lifetime option |
c8b8901b05da9e31dba320f305ec20301e928cfb |
|
03-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add krb5_renewable_lifetime option |
7051a30300d12163e890e4ec4b9a765567679a8b |
|
19-Oct-2010 |
Jan Zeleny <jzeleny@redhat.com> |
Option krb5_server is now used to store a list of KDCs instead of krb5_kdcip.
For the time being, if krb5_server is not found, still falls back to
krb5_kdcip with a warning. If both options are present in config file,
krb5_server has a higher priority.
Fixes: #543 |
551aa6c36797ed720487f5974dcadabf19e6ff9f |
|
19-Aug-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rewrite toplevel Makefile
There is no longer a need to have nested Makefiles and configure
scripts. This patch combines the src/ Makefile and configure.ac
into the root. |
780ffc9f6d5e1fcd4df3d390b56cb98878223cc0 |
|
30-Jun-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Add dns_discovery_domain option
The service discovery used to use the SSSD domain name to perform DNS
queries. This is not an optimal solution, for example from the point of
view of authconfig.
This patch introduces a new option "dns_discovery_domain" that allows setting
the domain part of a DNS SRV query. If this option is not set, the
default behavior is to use the domain part of the machine's hostname.
Fixes: #479 |
b45080c6697297bc85edc6d492dbaab45cb7c4f0 |
|
16-Jun-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Remove references to the DP service from the SSSDConfig API tests |
7d0c90f7aa0fa1e03610f754ab73c6d41d7e2087 |
|
16-Jun-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Handle (ignore) unknown options in get_domain() and get_service()
We will now eliminate any unknown options and providers to
guarantee that the domain is safe for use. |
f520e7a2f4fe29747f25118621e20b0d89d296fc |
|
14-Jun-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Remove krb5_changepw_principal option
Fixes: #531 |
855abda5ed5a0dcae499632ed5ead1d4cd293b48 |
|
09-Jun-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Change default min_id to 1
Also update manpage for min_id/max_id to be more clear about how
it relates to primary GID. |
35480afaefafb77b28d35b29039989ab888aafe9 |
|
27-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add ldap_access_filter option
This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.
Common examples for this would be limiting access to users in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com |
02e38eae1b9cb5df2036a707dafd86f6047c17de |
|
26-May-2010 |
Sumit Bose <sbose@redhat.com> |
Add support for delayed kinit if offline
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used. |
ec93a5f5d677b006923cc3691e79735f9e40be33 |
|
16-May-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
SSSDConfigAPI fixes
* add forgotten ldap_dns_service option
* sync IPA and LDAP options (ldap_pwd_policy and ldap_tls_cacertdir)
* ldap_uri is no longer mandatory for LDAP provider - the default is to
use service discovery with no address set now. Ditto for krb5_kdcip
and ipa_server |
19c62f37ad3b974eed383c602d2dd5171a23c6c6 |
|
07-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Make krb5_kpasswd available for any krb5 provider
Previously, the option krb5_kpasswd was only available if
'chpass_provider = krb5' was specified explicitly. Now it will be
available also if 'auth_provider = krb5'.
This option was also missing from the IPA options, so I have added
it there as well |
83bc461f812b3c3df260b5f75d84b34bb1135062 |
|
30-Apr-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add dns_resolver_timeout option
We had a hard-coded timeout of five seconds for DNS lookups in the
async resolver. This patch adds an option 'dns_resolver_timeout'
to specify this value (Default: 5) |
b8fa8a206e380b1aeac1a8ea086f6c38cdb97b5e |
|
31-Mar-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add regression test for https://fedorahosted.org/sssd/ticket/441 |
369975ab6d7c45916e0e2739eb5449879c32b6f8 |
|
22-Mar-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Ensure the SSSDConfig creates sssd.conf with the correct mode |
5096bb4c2242b426aa6f5ea2cb82223e0b81a345 |
|
12-Mar-2010 |
Sumit Bose <sbose@redhat.com> |
Add krb5_kpasswd option |
16ac0d6e148b1e07e579d47de1da7ac541447bd2 |
|
08-Mar-2010 |
Sumit Bose <sbose@redhat.com> |
Add simple access provider |
e6eb4d9e389a0ddf8c0b0f0f65055e14c448592a |
|
08-Mar-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Make filter_users and filter_groups also per-domain
Fixes: #290 |
af81aaa57f82eab78647113c391bd84247f96150 |
|
23-Feb-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Better cleanup task handling
Implements a different mechanism for cleanup task. Instead of just
deleting expired entries, this patch adds a new option
account_cache_expiration for domains. If an entry is expired and the last
login was more days in the past than account_cache_expiration, the entry is
deleted.
Groups are deleted if they are expired and no user references them
(no user has memberof: attribute pointing at that group).
The parameter account_cache_expiration is not LDAP-specific, so that other
future backends might use the same timeout setting.
Fixes: #391 |
e0bb119bdc1549d731f371202428c0cb667d3388 |
|
22-Feb-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Restrict family lookups
Adds a new option that tells resolver which address family to prefer or
use exclusively.
Fixes: #404 |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |