ba2d5f7a0adefb017d3f85203d715b725ca8810f |
|
25-Apr-2018 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: sysdb_add_incomplete_group now returns EEXIST with a duplicate GID
Related:
https://pagure.io/SSSD/sssd/issue/2653
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
514b2be089bfd0e2702d7e9ab883ab071a61b719 |
|
25-Apr-2018 |
Fabiano Fidêncio <fidencio@redhat.com> |
SYSDB_OPS: Error out on id-collision when adding an incomplete group
This situation can be hit when renaming a group. For now, let's just
error this out so the caller can handle it properly on its own layer.
Related:
https://pagure.io/SSSD/sssd/issue/2653
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
cd4590de2a84b8143a6c75b5198f5e1b3c0a6d63 |
|
04-Apr-2018 |
Pavel Březina <pbrezina@redhat.com> |
sysdb custom: completely replace old object instead of merging it
This patch is written primarily for sudo use case, but it makes sure that we do
not merge two records in other parts of the code that use sysdb_store_custom.
1) If there are two rules with the same cn (possible with multiple search bases
or organizational units) we would end up merging those two rules instead of
choosing one of them.
2) Also smart refresh would merge the diff instead of removing the attributes
that are no longer present in ldap.
Since 1) is a rare use case and it is a misconfiguration we completely replace
the old rule with new one. It is simpler to implement and it solves both issues.
Resolves:
https://pagure.io/SSSD/sssd/issue/3558
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
250751bf8b0532d6175e762b7f2f008cc1c39a78 |
|
04-Apr-2018 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: When marking an entry as expired, also set the originalModifyTimestamp to 1
Resolves:
https://pagure.io/SSSD/sssd/issue/3684
If the cleanup task removes a user who was a fully resolved member (not a
ghost), but then the group the user was a member of is requested, unless
the group had changed, the user doesn't appear as a member of the group
again. This is because the modify timestamp would prevent the group from
updating and therefore the ghost attribute is not readded.
To mitigate this, let's also set the originalModifyTimestamp attribute
to 1, so that we never take the optimized path while updating the group.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
e5c74ab068d87b598d1090c83f1c4d9e47939c83 |
|
26-Mar-2018 |
Fabiano Fidêncio <fidencio@redhat.com> |
CONFDB: Start a ldb transaction from sss_ldb_modify_permissive()
The reason why confdb_expand_app_domains() always fails is because we
try to do a ldb_request() without starting a ldb transaction.
When we're dealing with ldb_modify(), ldb_add(), ldb_delete() kind of
messages, those call ldb_autotransaction_request() which will start a
new transaction and treat it properly when doing the ldb_request(). In
our case that we're calling ldb_request() by our own, we must ensure
that the transaction is started and properly deal with it.
It's never been noticed because in the only place the function is used
its errors are ignored.
Resolves:
https://pagure.io/SSSD/sssd/issue/3660
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
346d6d8bf5fdb446921d754c07c8a7d913a048d5 |
|
29-Jan-2018 |
René Genz <liebundartig@freenet.de> |
Fix minor spelling mistakes
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
50d9424d38efe2421a60aa622fb342bea29ee4eb |
|
18-Jan-2018 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Use sysdb_domain_dn instead of raw ldb_dn_new_fmt
Using ldb should be as much of an implementation detail as possible.
Plus, it looks weird if one of the branches uses a sysdb function while
another code branch uses a raw ldb call.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
6df34be3ee736d7a34e67c49c365077be849031a |
|
18-Jan-2018 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Fix sysdb_search_by_name() for looking up groups in MPG domains
If a group was being looked up by using sysdb_search_by_name() in a MPG
domain, the code would search only for group objects -- but in a MPG
domain, there may be none, the groups are typically inferred from a user
object.
This could have caused issues e.g. for IPA code with the following
sequence:
getent group aduser@windows.domain
getent passwd aduser@windows.domain
The former would fail to add the fallback subdomain homedir and the latter
would then return a user entry without a homedir, with libc falling back
to the "/" homedir.
Resolves:
https://pagure.io/SSSD/sssd/issue/3615
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
0e238c259c066cf997aaa940d33d6bda96c15925 |
|
27-Nov-2017 |
Sumit Bose <sbose@redhat.com> |
sysdb: do not use objectClass for users and groups
The majority of the objects in the SSSD cache are users and groups. If
there are many users and groups in the cache the index objects of the
objectclass attributes 'user' and 'group' become large because they
must hold references to all objects of those object classes.
As a result the management of these index objects becomes costly because
they must be parsed and split apart quite often. Additionally they are
mostly useless because users and groups are looked up by more specific
attributes in general.
Only when enumerating all users or groups this kind of index might be
useful.
There are two ways of removing this kind of index from the user and group
objects. Either by removing objectClass from the list of indexes and adding
a new attribute to all other types of objects we want an index for. Or by
replacing objectClass with a different attribute for the user and group
objects. After some testing I think the latter one is the more reliable
one and implemented it in this patch.
Related to https://pagure.io/SSSD/sssd/issue/3503
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
39d6a3be119b050b0690152b6b443117c8617b1c |
|
13-Nov-2017 |
Michal Židek <mzidek@redhat.com> |
SYSDB: Better debugging for email conflicts
Add DEBUG message when conflicts in FQ names or emails
are detected.
Also improve man page to hint on how to work around issue
with conflicting emails.
Note: We store emails in two different attributes in sysdb:
- SYSDB_USER_EMAIL
- SYSDB_NAME_ALIAS - this one is lowercased and used in getpwnam
searches.
Resolves:
https://fedorahosted.org/sssd/ticket/3293
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
b739b3e767c053bb3a7e6651514896b30502d838 |
|
13-Nov-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
SYSDB: Remove code causing a covscan warning
There's no reason to check for both ret != EOK and sanitized == NULL, as
the second should never ever happen.
This check is causing a clang warning in our code:
Defect type: CLANG_WARNING
1. sssd-1.16.0/src/db/sysdb_ops.c:4223:9: warning: Dereference of undefined pointer value
# if (res->count > 1) {
# ^~~~~~~~~~
4. sssd-1.16.0/src/db/sysdb_ops.c:4199:5: note: 'res' declared without an initial value
# struct ldb_result *res;
# ^~~~~~~~~~~~~~~~~~~~~~
7. sssd-1.16.0/src/db/sysdb_ops.c:4202:9: note: Assuming 'sid_str' is non-null
# if (!sid_str) return EINVAL;
# ^~~~~~~~
10. sssd-1.16.0/src/db/sysdb_ops.c:4202:5: note: Taking false branch
# if (!sid_str) return EINVAL;
# ^
13. sssd-1.16.0/src/db/sysdb_ops.c:4205:9: note: Assuming 'tmp_ctx' is non-null
# if (!tmp_ctx) {
# ^~~~~~~~
16. sssd-1.16.0/src/db/sysdb_ops.c:4205:5: note: Taking false branch
# if (!tmp_ctx) {
# ^
19. sssd-1.16.0/src/db/sysdb_ops.c:4209:11: note: Calling 'sysdb_search_object_by_sid'
# ret = sysdb_search_object_by_sid(tmp_ctx, domain, sid_str, NULL, &res);
# ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
22. sssd-1.16.0/src/db/sysdb_ops.c:4960:12: note: Calling 'sysdb_search_object_by_str_attr'
# return sysdb_search_object_by_str_attr(mem_ctx, domain, SYSDB_SID_FILTER,
# ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
25. sssd-1.16.0/src/db/sysdb_ops.c:4872:5: note: Taking false branch
# if (str == NULL) {
# ^
28. sssd-1.16.0/src/db/sysdb_ops.c:4877:9: note: Assuming 'ret' is equal to 0
# if (ret != EOK || sanitized == NULL) {
# ^~~~~~~~~~
31. sssd-1.16.0/src/db/sysdb_ops.c:4877:9: note: Left side of '||' is false
32. sssd-1.16.0/src/db/sysdb_ops.c:4877:23: note: Assuming 'sanitized' is equal to null
# if (ret != EOK || sanitized == NULL) {
# ^~~~~~~~~~~~~~~~~
35. sssd-1.16.0/src/db/sysdb_ops.c:4877:5: note: Taking true branch
# if (ret != EOK || sanitized == NULL) {
# ^
38. sssd-1.16.0/src/db/sysdb_ops.c:4878:9: note: Left side of '||' is false
# DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");
# ^
41. sssd-1.16.0/src/util/debug.h:123:9: note: expanded from macro 'DEBUG'
# if (DEBUG_IS_SET(__debug_macro_level)) { \
# ^
44. sssd-1.16.0/src/util/debug.h:135:30: note: expanded from macro 'DEBUG_IS_SET'
# #define DEBUG_IS_SET(level) (debug_level & (level) || \
# ^
47. sssd-1.16.0/src/db/sysdb_ops.c:4878:9: note: Assuming 'debug_level' is not equal to 0
# DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");
# ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
50. sssd-1.16.0/src/util/debug.h:123:9: note: expanded from macro 'DEBUG'
# if (DEBUG_IS_SET(__debug_macro_level)) { \
# ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
53. sssd-1.16.0/src/util/debug.h:136:30: note: expanded from macro 'DEBUG_IS_SET'
# (debug_level == SSSDBG_UNRESOLVED && \
# ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
56. sssd-1.16.0/src/db/sysdb_ops.c:4878:9: note: Left side of '&&' is false
57. sssd-1.16.0/src/util/debug.h:123:9: note: expanded from macro 'DEBUG'
# if (DEBUG_IS_SET(__debug_macro_level)) { \
# ^
60. sssd-1.16.0/src/util/debug.h:136:63: note: expanded from macro 'DEBUG_IS_SET'
# (debug_level == SSSDBG_UNRESOLVED && \
# ^
63. sssd-1.16.0/src/db/sysdb_ops.c:4878:9: note: Loop condition is false. Exiting loop
64. sssd-1.16.0/src/util/debug.h:121:35: note: expanded from macro 'DEBUG'
# #define DEBUG(level, format, ...) do { \
# ^
67. sssd-1.16.0/src/db/sysdb_ops.c:4879:9: note: Control jumps to line 4892
# goto done;
# ^
70. sssd-1.16.0/src/db/sysdb_ops.c:4960:12: note: Returning from 'sysdb_search_object_by_str_attr'
# return sysdb_search_object_by_str_attr(mem_ctx, domain, SYSDB_SID_FILTER,
# ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
73. sssd-1.16.0/src/db/sysdb_ops.c:4209:11: note: Returning from 'sysdb_search_object_by_sid'
# ret = sysdb_search_object_by_sid(tmp_ctx, domain, sid_str, NULL, &res);
# ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
76. sssd-1.16.0/src/db/sysdb_ops.c:4211:5: note: Taking false branch
# if (ret == ENOENT) {
# ^
79. sssd-1.16.0/src/db/sysdb_ops.c:4217:12: note: Taking false branch
# } else if (ret != EOK) {
# ^
82. sssd-1.16.0/src/db/sysdb_ops.c:4223:9: note: Dereference of undefined pointer value
# if (res->count > 1) {
# ^~~~~~~~~~
# 4221| }
# 4222|
# 4223|-> if (res->count > 1) {
# 4224| DEBUG(SSSDBG_FATAL_FAILURE, "getbysid call returned more than one " \
# 4225| "result !?!\n");
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
ac962e2b286988d8666b3b81bf8b55b1705b9ac0 |
|
26-Oct-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Prevent users and groups ID collision in MPG domains except for id_provider=local
This commit makes the check when adding an object in a MPG domain
stricter in the sense that not only same names are allowed in a MPG
domain, but also the same groups are not allowed either.
This commit is a backwards-incompatible change, but one that is needed,
otherwise requesting the duplicate group first and then requesting the
user entry would yield two object when searching by GID.
In order to keep backwards-compatibility, this uniqueness is NOT
enforced with id_provider=local. This constraint can be removed in
the future (or the local provider can be dropped altogether)
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
1f2662c8f97c9c0fa250055d4b6750abfc6d0835 |
|
11-Oct-2017 |
Sumit Bose <sbose@redhat.com> |
sysdb: sanitize search filter input
This patch sanitizes the input for sysdb searches by UPN/email, SID and
UUID.
This security issue was assigned CVE-2017-12173
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e5c42c2630093d3020b3c4944cce1646325bc236 |
|
05-Sep-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
SYSDB: Add sysdb_search_by_orig_dn()
Three new methods have been added to sysdb's API in order to perform
search by the orig dn (which is quite common in SSSD's code base).
A common/base method called sysdb_search_by_orig_dn() is the most
important one and then a few other helpers for searching users and
groups directly.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
41708e1e500e7cada3d3e606aa2b8b9869a5c734 |
|
15-Jun-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
SYSDB: Introduce _search_{users,groups}_by_timestamp()
These new two sysdb methods are going to be used, at least for now,
uniquely and exclusively in the cleanup task.
The reason for adding those is that during the cleanup task a timestamp
search is done in the persistent cache, which doesn't have the updated
timestamps, returning then a wrong result that ends up in having all the
users being removed from the cache.
The persistent cache doesn't have its entries' timestamps updated
because those are kept updated in the timestamp cache, therefore these
new two methods end up doing:
- if the timestamp cache is present:
- search for the entries solely in the timestamp cache;
- get the needed attributes from these entries from the persistent
cache;
- otherwise:
- search for the entries in the persistent cache;
- merge its results with timestamp cache's results;
Related:
https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a71f1a655dcc2ca6dc16bb8eb1c4c9e24cfe2c3e |
|
15-Jun-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
SYSDB_OPS: Invalidate a cache entry also in the ts_cache
Similarly to what has been done in the previous commit (expiring an entry
also in the timestamp cache), we should do the same when invalidating an
entry.
Related:
https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
9883d1e2913ff0c1db479f1ece8148e03155c7f3 |
|
15-Jun-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
SYSDB_OPS: Mark an entry as expired also in the timestamp cache
As the cleanup task will start using new methods for searching the users
and groups which have to be cleaned up, SSSD starts relying more on a
more consistent state of the timestamp cache on pretty much everything
related to the cleanup task.
One of the things that would cause SSSD some problems is not having the
ghost user expired in the persistent cache but not in the timestamp
cache.
With this patch, the entry is also expired in the timestamp cache when
it's present.
Related:
https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
01c6bb9b47401f9f14c4cfe5c5f03fce2e63629b |
|
15-Jun-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
SYSDB: Return ERR_NO_TS when there's no timestamp cache present
This change affects sysdb_search_ts_{users,groups} functions and is
mainly needed in order to avoid breaking our current tests due to the
changes planned for fixing https://pagure.io/SSSD/sssd/issue/3369.
Related:
https://pagure.io/SSSD/sssd/issue/3369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
901396366075dc3e3fcc0894345af1b51052ac69 |
|
30-Mar-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Only generate new UID in local domain
To avoid issues where a user with no UID but without the posix=false
flag was passed to sysdb, we only allow generating the new ID in the
local domain. This might prevent bugs where non-POSIX users would get a
UID created by sysdb which might allow accessing resources owned by that
UID.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
5f7f249f2a8a1c7284e991aa64dbf850d482b0aa |
|
30-Mar-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Allow storing non-POSIX users
Related to:
https://pagure.io/SSSD/sssd/issue/3310
We already do the same for groups. If the user does not have UID number
set but does have the POSIX: false attribute set, then we save the user
with zero UID and the non-POSIX flag.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
b341ee51cffd98b642b9c68a417f8a7504e303a1 |
|
23-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
sss_cert_derb64_to_ldap_filter: add sss_certmap support
Use certificate mapping library if available to lookup a user by
certificate in LDAP.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
81c564a0692aa4b719af2219f52894e6cd4bdf9f |
|
23-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
LDAP: always store the certificate from the request
Store the certificate used to lookup a user as mapped attribute in the
cached user object.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
70c0648f021ded3d31313eb962e1ad140f242673 |
|
23-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
sdap_get_users_send(): new argument mapped_attrs
mapped_attrs can be a list of sysdb_attrs which are not available on
the server side but should be stored with the cached user entry. This is
needed e.g. when the input to look up the user in LDAP is not an
attribute which is stored in LDAP but some data where LDAP attributes
are extracted from. The current use case is the certificate mapping
library which can create LDAP search filters based on content of the
certificate. To allow upcoming cache lookup to use the input directly it
is stored in the user object in the cache.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
ba926c98b7ae605077a09ba7135e05257de62a0f |
|
10-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
sysdb: allow multiple results for searches by certificate
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
57a924e71230ea360b19a88e0d5818cf01017161 |
|
08-Mar-2017 |
Petr Čech <pcech@redhat.com> |
sss_cache: User/groups invalidation in domain cache
When a group/users are invalidated from sss_cache, the group/user
information in domain and timestamps cache are inconsistent with
regard to dataExpireTimestamp attribute.
This patch fixes the problem by explicitly invalidating the domain
cache's entry when the timestamp cache entry is invalidated
by sss_cache call. There is one new function:
* sysdb_invalidate_cache_entry()
provided for this purpose and used only in sss_cache utility.
Resolves:
https://fedorahosted.org/sssd/ticket/3164
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
afadeb1a530ff010a2f9a7552562576b843c874b |
|
03-Mar-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: When searching for UPNs, search either the whole DB or only the given domain
The search-by-UPN functions always searched for the whole domain. In
some cases, the caller depends on the result coming from the domain
specified by the 'domain' parameter. This is the case in the cache_req
code at least. Even though it should be safe to just switch to always
searching the whole domain, in order to allow us to examine the code
carefully and test each codepath, let's introduce a boolean option to
the search functions. Currently it defaults to false in all codepaths
and as we test the individual ones, we can flip the option to true until
we finally remove the option altogether.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
2e505786d6d9d537f5b6631099862f6b93e2e687 |
|
01-Feb-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
Suppress implicit-fallthrough from gcc 7
Some kind of comments are recognized by gcc7 but they are ignored with
-Wimplicit-fallthrough=5 and only attributes disable the warning.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
8a4a2b87f51462ac22bf6db93927484841f098c6 |
|
23-Jan-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
sysdb: Search also aliases in sysdb_search_object_by_name
sysdb_search_object_by_name did not work well in a case insensitive domain.
Resolves:
https://fedorahosted.org/sssd/ticket/3284
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
3be2628d8aba6aeb99ac1484da990f1fad8169ec |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: add object by id
This request returns either user or group object.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
488518dde58724daa13b9216a0f1af6e0ba5401f |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: add object by name
This request returns either user or group object.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
ee576602d8b46b313c4f7ac8324cc31faefae46a |
|
08-Dec-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Suppress sysdb_delete_ts_entry failed: 0
Reviewed-by: Michal Židek <mzidek@redhat.com> |
cb056fe82410a31ad3426b1cc58c81710ff9ac83 |
|
08-Nov-2016 |
Petr Cech <pcech@redhat.com> |
SYSDB: Adding message to inform which cache is used
Resolves:
https://fedorahosted.org/sssd/ticket/3060
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
b9941359b3181c42f415530d5ccad0f4664d85fa |
|
21-Sep-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
Remove double semicolon at the end of line
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
0d1d9d8001232f74eca63cbba6c400d507b33823 |
|
01-Sep-2016 |
Petr Čech <pcech@redhat.com> |
SYSDB: Removing of unused parameter
There was an unused parameter struct ldb_message *cached_group
in sysdb_store_group_attrs().
This parameter was introduced by
40de79d69860ec7f04bf7795bd88b641ec42fd23
SYSDB: Check if group attributes differ before saving a group
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b969ccc2cc58fdf761e5d314de9217f2d914bc9b |
|
31-Aug-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
SYSDB: Fix error handling in sysdb_get_user_members_recursively
We ignored failures from sysdb_search_entry
Reviewed-by: Petr Čech <pcech@redhat.com> |
00f3c5cd03625357e226552084e499965512bf53 |
|
10-Aug-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
SYSDB: Avoid optimisation with modifyTimestamp for users
The usage of modifyTimestamp needn't be a reliable way
for detecting of changes in user entry in LDAP.
The authorisation needs to rely on current data from LDAP
and therefore we will temporarily disable optimisation with
modifyTimestamp and we will rather rely on deep comparison
of attributes. In the future, it might be changed and
responders might control the optimization level.
Resolves:
https://fedorahosted.org/sssd/ticket/3110
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
eb92441b65e0db9e64c88a57eb74358640e85d56 |
|
05-Aug-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Fix setting dataExpireTimestamp if sysdb is supposed to set the current time
sysdb is already able to retrieve the current timestamp if the caller
doesn't specify it. However, for the timestamp cache this came too late
and the timestamp cache used zero as the 'now' time.
Resolves:
https://fedorahosted.org/sssd/ticket/3064
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
31fdda9759a8a03081b5ab6307a5e8ce4cbe50d2 |
|
05-Aug-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
SYSDB: Sanitize dn in sysdb_get_user_members_recursively
There was a crash in nss responder when a group contained
a user with special characters which should be sanitized before
using in filter.
==31651== Conditional jump or move depends on uninitialised value(s)
==31651== at 0x8BEA7DE: _talloc_steal_loc (talloc.c:1215)
==31651== by 0x5264889: sysdb_get_user_members_recursively (sysdb_ops.c:4759)
==31651== by 0x5278F61: sysdb_add_group_member_overrides (sysdb_views.c:1375)
==31651== by 0x526677C: sysdb_getgrnam_with_views (sysdb_search.c:799)
==31651== by 0x1172F6: nss_cmd_getgrnam_search (nsssrv_cmd.c:3168)
==31651== by 0x119C67: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1382)
==31651== by 0x10FD14: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:916)
==31651== by 0x12898B: sss_dp_internal_get_done (responder_dp.c:791)
==31651== by 0x58FF861: complete_pending_call_and_unlock (dbus-connection.c:2314)
==31651== by 0x5902B50: dbus_connection_dispatch (dbus-connection.c:4580)
==31651== by 0x527F261: sbus_dispatch (sssd_dbus_connection.c:96)
==31651== by 0x89D8B4E: tevent_common_loop_timer_delay (tevent_timed.c:341)
Resolves:
https://fedorahosted.org/sssd/ticket/3121
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
78677495a7762469002b0976809fa20ac2196f42 |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
sysdb: include email in UPN searches
Email addresses and Kerberos user principals names (UPNs) do not only
look similar they also can be used to identify a user uniquely.
In future this approach should be replaced by a more generic one where
the attributes which can uniquely identify a user can be configured to
support even a wider range of login names.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
17bfd9f69251781140e4b2b55ffeb649d7a79e86 |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_get_user_members_recursively()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a2eba280a64dc40a0735ecc0b8e2548ad0b5aa1a |
|
25-Jul-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
SYSDB: Do not try to modify ts cache for unsupported DNs
Only users and groups have timestamp data in separate cache.
It caused false positive warnings for autofs, netgroup ...
Reviewed-by: Petr Čech <pcech@redhat.com> |
66acb466af7493a05bf6292f01747c4e8abcc3ef |
|
07-Jul-2016 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: convert sysdb_group_membership_mod to operate on qualified names
This patch infers the member domain from the FQDN to allow the function
to add group members from different domains.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
5d0d0f8067fb53285a38fe978cfa36dbeb53be9b |
|
06-Jul-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
sysdb: Use ldb_result as output in sysdb_search_ts_{users,groups}
Passing address of unsigned to the output argument size_t causes
access out of boundaries for type unsigned and wrong data
on big endian. It looks like functions sysdb_search_ts_{users,groups}
need to store results in structure ldb_result anyway for further processing.
Therefore it will be better to convert output arguments
size_t* + ldb_message*** into structure ldb_result and avoid using
additional helper variable with type size_t before each invocation
of these functions.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
3bd9da80f71a6794af0a6b3fbc11bc3a2da64638 |
|
23-Jun-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Only update user attributes if needed
Resolves:
https://fedorahosted.org/sssd/ticket/2602
Uses the same logic as previously used for updating group entries to
only update user attributes if the group entry actually changed.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
4016c7dd288d379118b47ecbe7d8f46cfcb0d400 |
|
23-Jun-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Refactor sysdb_store_user
Splits sysdb_store_user internals to two functions because the original
function either creates a new user or updates an existing one.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
40de79d69860ec7f04bf7795bd88b641ec42fd23 |
|
23-Jun-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Check if group attributes differ before saving a group
Adds a new function sysdb_entry_attrs_diff() used in group saving code.
This function is used to check if the result of updating a group would
result in actually changing the sysdb entry -- often, we would try to
dump the same data to the cache during update. If that's the case, the
update code now only updates the timestamp cache, avoiding costly
writes.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
a257259b05d62ebe548b6c798a3aa03a97dbc0c2 |
|
23-Jun-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: If modifyTimestamp is the same, only update the TS cache
Resolves:
https://fedorahosted.org/sssd/ticket/2602
If the entry being saved contains the original modifyTimestamp attribute
and the modifyTimestamp attribute is the same as the one we already
saved to the timestamp cache, only the expire timestamps in the
asynchronous timestamp cache will be bumped and the sysdb code will
avoid writes to the main cache completely. If the modifyTimestamp is
either missing or differs, we assume the entry had changed and do a full
write to the main cache.
Also amends the generic sysdb_set_attrs* and similar functions that
their results are also reflected in the timestamps cache.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
dd285415d7a8d8376207960cfa3e977524c3b98c |
|
23-Jun-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Search the timestamp caches in addition to the sysdb cache
When a sysdb entry is searched, the sysdb cache is consulted first
for users or groups. If an entry is found in the sysdb cache, the
attributes from the timestamp cache are merged to return the full and
up-to-date set of attributes.
The merging is done with a single BASE search which is a direct lookup
into the underlying key-value database, so it should be relatively fast.
More complex merging is done only for enumeration by filter which is
currently done only via the IFP back end and should be quite
infrequent, so I hope we can justify a more complex merging there.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
13d7df10bf4d76c333a9169f9fcbeb891d870351 |
|
23-Jun-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Wrap sysdb_store_group in a transaction and split it into smaller functions
sysdb_store_group can do several things -- add, rename or update a
group. It's important they are all done in a single transaction (even
though the caller should typically start a transaction of his own).
Also split the sysdb_store_group function into two, one that only stores
a new group and one that changes attributes of an existing group to keep
the flow easy and avoid two labels in a single function.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
49d84c926b00ba1368372cdec255bceb58d66f43 |
|
31-May-2016 |
Fabiano Fidêncio <fidencio@redhat.com> |
sysdb: add sysdb_{add,replace,delete}_ulong()
As the add_ulong() convenience can add, replace or remove an unsigned
long according to the operation received as its argument, some confusion
can easily happen due to its misleading name.
In order to improve the explicitness of our code, let's introduce
sysdb_add_ulong(), sysdb_replace_ulong() and sysdb_delete_ulong().
These new functions are basically wrappers of add_ulong() (now
sysdb_ldb_msg_ulong_helper()), calling it using the proper flag
according to each function.
Any code previously using add_ulong() is now adapted to use these brand
new functions.
Related: https://fedorahosted.org/sssd/ticket/1656
Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Reviewed-by: Petr Cech <pcech@redhat.com> |
7b9a4a89cb92a0281d73a2c2e79f5eeb317e1149 |
|
31-May-2016 |
Fabiano Fidêncio <fidencio@redhat.com> |
sysdb: move add_ulong() convenience to sysdb.c
Considering that sysdb.c is about utilities around our cache and that
sysdb_ops.c is about operations on objects, seems that add_ulong()
could fit better in sysdb.c.
This move is a suggestion from Jakub Hrozek.
Related: https://fedorahosted.org/sssd/ticket/1656
Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Reviewed-by: Petr Cech <pcech@redhat.com> |
a928f7a6bd7681db6e26cba3eb7da22d14288737 |
|
31-May-2016 |
Fabiano Fidêncio <fidencio@redhat.com> |
sysdb: add sysdb_{add,replace,delete}_string()
As the add_string() convenience can add, replace or delete a string
according to the operation received as its argument, some confusion can
easily happen due to its misleading name.
In order to improve the explicitness of our code, let's introduce
sysdb_add_string(), sysdb_replace_string() and sysdb_delete_string().
These new functions are basically wrappers of add_string() (now
sysdb_ldb_msg_string_helper()), calling it using the proper flag
according to each function.
Any code previously using add_string() is now adapted to use these brand
new functions.
Resolves: https://fedorahosted.org/sssd/ticket/1656
Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Reviewed-by: Petr Cech <pcech@redhat.com> |
5b1e73bc40a55f2095660423a2a4623a93de1ef8 |
|
31-May-2016 |
Fabiano Fidêncio <fidencio@redhat.com> |
sysdb: move add_string() convenience to sysdb.c
Considering that sysdb.c is about utilities around our cache and that
sysdb_ops.c is about operations on objects, seems that add_string()
could fit better in sysdb.c.
This move is a suggestion from Jakub Hrozek.
Related: https://fedorahosted.org/sssd/ticket/1656
Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Reviewed-by: Petr Cech <pcech@redhat.com> |
659232f194f83ec7c450ce89c3fd41e4e74409f2 |
|
01-Mar-2016 |
Pavel Březina <pbrezina@redhat.com> |
remove user certificate if not found on the server
If the user is not found by cert lookup when the user is already
cached, two things may happen:
1) cert was removed from the user object
2) user was removed
Instead of issuing another cert lookup we will just remove cert
attribute from the cache not touching the expiration timestamp so
the user may be updated later when needed.
Resolves:
https://fedorahosted.org/sssd/ticket/2934
Reviewed-by: Sumit Bose <sbose@redhat.com> |
8ded8b2f4a57d1833fd230307218d8b07a571785 |
|
08-Oct-2015 |
Sumit Bose <sbose@redhat.com> |
nss: fix UPN lookups for sub-domain users
Reviewed-by: Sumit Bose <sbose@redhat.com> |
391b81f2a78a812a87530e0c50c70d59150f49eb |
|
08-Oct-2015 |
Sumit Bose <sbose@redhat.com> |
fix ldb_search usage
Reviewed-by: Sumit Bose <sbose@redhat.com> |
28ebfa4373d1e7ce45b5d70a3619df1c074a661e |
|
08-Oct-2015 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: add support for UPN
Reviewed-by: Sumit Bose <sbose@redhat.com> |
b0d6d14b5bcc137074383abcd2bf8039c3d74b02 |
|
03-Sep-2015 |
Michal Židek <mzidek@redhat.com> |
SYSDB: Add function to expire entry
Ticket:
https://fedorahosted.org/sssd/ticket/2676
Added function to expire entry in sysdb using
its DN.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
6aff93510b36799c1773d368cc218cd533c43161 |
|
06-Jul-2015 |
Pavel Reichl <preichl@redhat.com> |
Minor code improvements
pam_helpers.h had to be included after util.h.
Removed extra empty line.
Fixed code alignment
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
7d8b7d82f0a91ed656320577fc781f24a66db9f8 |
|
19-Jun-2015 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_search_user_by_cert() and sysdb_search_object_by_cert()
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
e7e61c777e13e0bb07d29b5d1b53e21ca199bf0f |
|
04-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Do not print verbose DEBUG messages from providers that don't set UUID
https://fedorahosted.org/sssd/ticket/2666
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
219f5b698fa72c0d5a8da2b0dd99daec3f924c94 |
|
08-May-2015 |
Sumit Bose <sbose@redhat.com> |
2FA offline auth
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
55b7fdd837a780ab0f71cbfaa2403f4626993922 |
|
08-May-2015 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_cache_password_ex()
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
ce6f3b6b2925d2c3ec02a76c3a1b6fbe4c7b145e |
|
24-Apr-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
sysdb: Add cache_expire to the default sysdb_search_object_by_str_attr set
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
1d93029624d708119bbf803e6647a2cbb271f001 |
|
20-Mar-2015 |
Sumit Bose <sbose@redhat.com> |
sdap: properly handle binary objectGuid attribute
Although in the initial processing SSSD treats the binary value right at
some point it mainly assumes that it is a string. Depending on the value
this might end up with the correct binary value stored in the cache but
in most cases there will be only a broken entry in the cache.
This patch converts the binary value into a string representation which
is described in [MS-DTYP] and stores the result in the cache.
Resolves https://fedorahosted.org/sssd/ticket/2588
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
04d138472cc086fb7961f0d378852b09961b1a33 |
|
11-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Log reason in debug message why ldb_modify failed
Reviewed-by: Sumit Bose <sbose@redhat.com> |
12a000c8c7c07259e438fb1e992134bdd07d9a30 |
|
09-Mar-2015 |
Pavel Březina <pbrezina@redhat.com> |
sysdb: use sysdb_user/group_dn
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
108db0e3b9e06e530364ef8228634f5e3f6bd3b5 |
|
30-Jan-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Add UUID when saving incomplete groups
Related to:
https://fedorahosted.org/sssd/ticket/2571
Reviewed-by: Sumit Bose <sbose@redhat.com> |
fc2146c108e28d50bbf691925cedf9592142dd14 |
|
23-Jan-2015 |
Sumit Bose <sbose@redhat.com> |
sysdb: remove ghosts in all sub-domains as well
If a user is a member of a group in a different sub-domain, e.g. with
universal groups in AD, the ghost attribute might not be properly
removed from the group object if the user is resolved. The reason is
that only groups from the domain of the user were searched for ghost
attributes. This patch increases the search-base to all sub-domains of
the configured SSSD domain.
Resolves https://fedorahosted.org/sssd/ticket/2567
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4bbcc2d6d3f16b015796818746a45134861c93a4 |
|
17-Dec-2014 |
Pavel Reichl <preichl@redhat.com> |
SYSDB: sysdb_search_object_by_sid returns ENOENT
sysdb_search_object_by_sid returns ENOENT if no results are found.
Part of solution for:
https://fedorahosted.org/sssd/ticket/1991
Fixes:
https://fedorahosted.org/sssd/ticket/2520
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
6fac5e5f0c54a0f92872ce1450606cfcb577a920 |
|
13-Dec-2014 |
Pavel Reichl <preichl@redhat.com> |
LDAP: retain external members
When processing group membership check sysdb for group members from
extern domain and include them in newly processed group membership as
extern members are currently found only when initgroups() is called.
Resolves:
https://fedorahosted.org/sssd/ticket/2492
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
907a7c626db407d19d4cae85c2db7d3561120349 |
|
20-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_search_object_by_uuid()
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a983272f1afa8dbae3ecd4425b04649601732a71 |
|
20-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
sid2name: return name without views applied
Make sure that the original name of an object without any overrides
applied is returned by sid2name requests.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
8b512a26e7f0ea1ea8b954de1ad027eb3b1cab6f |
|
17-Sep-2014 |
Sumit Bose <sbose@redhat.com> |
sysdb: sysdb_search_group_by_name should work like sysdb_search_user_by_name
Currently sysdb_search_group_by_name uses an optimization which might
fail in case-insensitive environments. The DN of the group object is
generated with the help of the given name. Since the DN is
case-sensitive a group lookup will fail if different cases are used.
sysdb_search_user_by_name already handles case-insensitive searches well
and sysdb_search_group_by_name should use the same scheme.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
23600a657f84bbd71dca4dd77d65a1c6f4f4ff86 |
|
17-Sep-2014 |
Daniel Gollub <dgollub@brocade.com> |
sysdb: Write additional attrs in sysdb_add_user
In the uid=0 case (to obtain new free id) only uidNumber and gidNumber
attributes got written, but not the additional provided attributes like
alias or others.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
61602026ed8c91efd166000562899670449f1b50 |
|
05-Sep-2014 |
Pavel Reichl <preichl@redhat.com> |
SYSDB: SSS_LDB_SEARCH - macro around ldb_search
This patch amends previous patch 5153e8b9793dea1e212ca08af0f77ea1d023cbb7.
Macro SSS_LDB_SEARCH is used instead of using function sss_ldb_search as
a wrapper around ldb_search which could lead to premature expansion of
variadic parameters.
Part of solution for:
https://fedorahosted.org/sssd/ticket/1991
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
ff541559e911b91b161f1b8411dd9d8cc60f2a18 |
|
19-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Clarify sss_ldb_modify_permissive returns ldb error code
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
4d69eef4713fac8ade73739dd72f949da51382f4 |
|
15-Jul-2014 |
Pavel Reichl <reichl.pavel@gmail.com> |
SYSDB: augmented logging when adding new group
This patch adds some more log messages to functionality of storing groups into
sysdb. As these functions are low level and failures are often handled on
higher levels the commonly chosen level is SSSDBG_TRACE_LIBS.
Resolves:
https://fedorahosted.org/sssd/ticket/2239
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
5153e8b9793dea1e212ca08af0f77ea1d023cbb7 |
|
25-Jun-2014 |
Pavel Reichl <preichl@redhat.com> |
SYSDB: sss_ldb_search - wrapper around ldb_search
Make sure that if no results were found ENOENT is returned rather than just
empty list of results.
Resolves:
https://fedorahosted.org/sssd/ticket/1991
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
7420bdb0b76ab7ba6e20a0e9b080241bd8269e6b |
|
23-Jun-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
SYSDB: Modify declaration of sysdb_search_entry
Type of parameter scope was changed s/int/enum ldb_scope/
This patch fixes warning from static analysers:
src/db/sysdb_ops.c:228: mixed_enum_type: enumerated type mixed with another
type
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
7ecb5aea65cb1899f16e7a41bffa93d074defd4a |
|
20-Jun-2014 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_search_user_by_upn() with tests
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a4caef931a245fb3c44b70ea65a58bd0c1ff8dc4 |
|
20-Jun-2014 |
Pavel Reichl <preichl@redhat.com> |
SYSDB: sysdb_search_custom fix memory leak
Add temporary talloc context to allocate basedn on.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> |
09579ae252c181c7884defc0612c36108f6cf509 |
|
20-Jun-2014 |
Pavel Reichl <preichl@redhat.com> |
SYSDB: sysdb_search_entry fix memory leak
Allocate res on tmp_ctx instead of on mem_ctx.
Also use '_' prefix convention for output parameters.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> |
9123c2abff5780f485764261eb4b180e9ceadf20 |
|
14-Apr-2014 |
Pavel Reichl <preichl@redhat.com> |
SDAP: augmented logging for group saving
Related:
https://fedorahosted.org/sssd/ticket/2239
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
83bf46f4066e3d5e838a32357c201de9bd6ecdfd |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Update DEBUG* invocations to use new levels
Use a script to update DEBUG* macro invocations, which use literal
numbers for levels, to use bitmask macros instead:
    grep -rl --include '*.[hc]' DEBUG . |
        while read f; do
            mv "$f"{,.orig}
            perl -e 'use strict;
                     use File::Slurp;
                     my @map=qw"
                        SSSDBG_FATAL_FAILURE
                        SSSDBG_CRIT_FAILURE
                        SSSDBG_OP_FAILURE
                        SSSDBG_MINOR_FAILURE
                        SSSDBG_CONF_SETTINGS
                        SSSDBG_FUNC_DATA
                        SSSDBG_TRACE_FUNC
                        SSSDBG_TRACE_LIBS
                        SSSDBG_TRACE_INTERNAL
                        SSSDBG_TRACE_ALL
                     ";
                     my $text=read_file(\*STDIN);
                     my $repl;
                     $text=~s/
                        ^
                        (
                            .*
                            \b
                            (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
                            \s*
                            \(\s*
                        )(
                            [0-9]
                        )(
                            \s*,
                        )
                        (
                            \s*
                        )
                        (
                            .*
                        )
                        $
                     /
                        $repl = $1.$map[$3].$4.$5.$6,
                        length($repl) <= 80
                            ? $repl
                            : $1.$map[$3].$4."\n".(" " x length($1)).$6
                     /xmge;
                     print $text;
                    ' < "$f.orig" > "$f"
            rm "$f.orig"
        done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
    grep -rwl --include '*.[hc]' DEBUG . |
        while read f; do
            mv "$f"{,.orig}
            perl -e \
                'use strict;
                 use File::Slurp;
                 my $text=read_file(\*STDIN);
                 $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
                 print $text;' < "$f.orig" > "$f"
            rm "$f.orig"
        done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
15a1519ec9c23f598716ffa89e533cd9bfb2a4f3 |
|
19-Dec-2013 |
Sumit Bose <sbose@redhat.com> |
Use lower-case name for case-insensitive searches
The patch makes sure that a completely lower-cased version of a fully
qualified name is used for case insensitive searches. Currently there
are code paths where the domain name was used as configured and was not
lower-cased.
To make sure this patch does not break with old entries in the cache or
case sensitive domains a third template was added to the related filters
templates which is either filled with a completely lower-cased version or
with the old version. The other two template values are unchanged. |
953e10a2f89bf1e21ffd4d8ebc9e1f84fbdb676d |
|
18-Dec-2013 |
Pavel Reichl <pavel.reichl@redhat.com> |
SYSDB: missing conversion of LDB error to errno |
65b8ace4d8892c85220e5bcf5ae7d92a6517aa65 |
|
18-Dec-2013 |
Pavel Reichl <pavel.reichl@redhat.com> |
SYSDB: typos & debug macro constants |
e60b425ddc0e24178d044bef04ab7349ac7a7826 |
|
28-Nov-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
SYSDB: Sanitize filter before removing ghost attrs
sysdb_add_user fails with EIO if enumeration is disabled and user contains
backslashes.
We try to remove ghost attributes from groups with disabled enumeration,
but unsanitized filter is used to find ghost attributes
"(|(ghost=usr\\\\002)" and ldb cannot parse this filter.
Resolves:
https://fedorahosted.org/sssd/ticket/2163 |
e167b504d0cb3f3e69c9f556fe7dfabacd6bb694 |
|
28-Nov-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
SYSDB: Sanitize filter before sysdb_search_groups
sysdb_delete_user fails with EIO if user does not exist and contains
backslashes.
ldb could not parse filter (&(objectclass=group)(ghost=usr\\\\001)),
because ghost value was not sanitized
Resolves:
https://fedorahosted.org/sssd/ticket/2163 |
e2ac9be4f293b96f3c8992f1171e44bc1da5cfca |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop redundant sysdb_ctx parameter from sysdb.c |
d115f40c7a3999e3cbe705a2ff9cf0fd493f80fb |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2) |
4c08db0fb0dda3d27b1184248ca5c800d7ce23f0 |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 1) |
8b64ca35eb73667a589067788a6f9fb1f7d281c1 |
|
25-Oct-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Add sysdb_delete_by_sid |
6ff294ac06863ea76463c3fa3549cc46a60b75ad |
|
26-Sep-2013 |
Pavel Březina <pbrezina@redhat.com> |
sysdb: sysdb_update_members can take either name or dn
We need to work with distinguished names when processing
cross-domain membership, because groups and users may
be stored in different sysdb tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066 |
a4bf85ccc902490c3b75b44532010fbb32169801 |
|
11-Sep-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fix formatting of variables with type: gid_t |
f2c346eaa486431ffa2a3adc05356159de834e2e |
|
11-Sep-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fix formatting of variables with type: uid_t |
0e65abe5cf2abf5d4b431cf6bd161b419f07901d |
|
11-Sep-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fix formatting of variables with type: size_t |
fbc419b2eb101c7491324499a698b6bdcb14ad43 |
|
10-Sep-2013 |
Ondrej Kos <okos@redhat.com> |
DB: Rise search functions debug levels |
abc398cba9d11d3da047636992ec14c2d4535161 |
|
10-Sep-2013 |
Ondrej Kos <okos@redhat.com> |
DB: Add user/group lookup by SID |
7d8255cf8f10627248bdf554952d13eee1b3317d |
|
10-Sep-2013 |
Pavel Březina <pbrezina@redhat.com> |
sysdb_search_group_by_gid: obtain gid instead of uid |
75dd4b05e1dacc76dc9d5f16be31978f84a71dc5 |
|
19-Aug-2013 |
Sumit Bose <sbose@redhat.com> |
sysdb_add_incomplete_group: store SID string is available
During initgroups request we read the SID of a group from the server but
do not save it to the cache. This patch fixes this and might help to
avoid an additional lookup of the SID later. |
93bd0fbd1147371122612af88ed8a3c4534112ae |
|
09-Jul-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
DB: sysdb_search_user_by_name: search by both name and alias |
1e72a17f6527d47968032fc928f489dad10705ea |
|
02-May-2013 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_search_object_by_sid()
The patch adds a new sysdb to find objects based on their SID. Currently
only the basic attributes needed to map SIDs to POSIX IDs and names are
requested, but this list can be extended for future use cases. |
36c50faf2674a3ebd8a6458f3c53fb72a68d1f28 |
|
29-Apr-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Only try to relink ghost users if we're not enumerating
https://fedorahosted.org/sssd/ticket/1893
When SSSD is not enumerating (which is the default), we are trying to
link any "ghost" entries with a newly created user entry. However, when
enumeration is on, this means a spurious search on adding any user. |
ab967283b710dfa05d11ee5b30c7ac916486ceec |
|
04-Mar-2013 |
Simo Sorce <simo@redhat.com> |
Use SSSD specific errors for offline auth
This prevents reporting false errors when internal functions return
a generic EINVAL or EACCES that should just be treated as internal
errors. |
b1ea4ec53e90bd2897abf47e7af02d157d89d7ae |
|
23-Jan-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: make the sss_ldb_modify_permissive function public |
c14184c07634801cda7864aa17c6fa8dc9ab43d1 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Move mpg flag to the domain where it belongs
A sysdb contains now multiple domains, but the mpg property is a
property of a specific domain not of the underlying database. |
2ca23577d3a25aead24ba759a1f6f67ffc24decf |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_remove_attrs() |
84c986f9bb2767d8930b6f5d92d34b09b8fabe60 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain arg to sysdb_search/delete_netgroup() |
a58ccee5afc802c7560624929614616aeefa9bd0 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_delete_group()
Also remove sysdb_delete_domgroup() |
2b7ee2a760e7fcc70f4970a3bbee6fbf8f2ccb9d |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_search_groups() |
3412d14d65490c32414e72ac20fe21bad53ceb45 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_delete_user()
Also remove sysdb_delete_domuser() |
044868b388b4e47499f12a9105310b247bbe1ce2 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain arg to sysdb_search_users() |
a703ed242523c145133f522085ee3180452b3743 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_delete_custom |
770896b194b7b66b09c2a30545b4d091fd86b1f4 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_search_custom()
Also changes sysdb_search_custom_by_name() |
dd7192379e5fc5bb852863e60ad4b6a20c5da183 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_store_custom() |
74ac1c2834cd8961ed9e7cadcfe28b113bffe4de |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_cache_auth() |
777f5bc1fb5f2ba4267de83843beee51090eb8d5 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_cache_password() |
363ce75bfe2f73198e1ae7feeed97b6009ae24b8 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain arg to sysdb group member functions |
99c0cfdc5f065ba38f1ee91701d1d27f9e4fdb96 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_store_group()
Also remove sysdb_store_domgroup() |
6ac396bebb4cd3124711d26dce54263f6f9c7c45 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_store_user()
Also remove sysdb_store_domuser() |
b7427d63bd328be32991f9d437c4a3d46bcabe03 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain arguments to sysdb_add_inetgroup fns. |
5c1135221ff3ea9132b6ebf073f2dcae88b73b3f |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain arguments to sysdb_add_group functions. |
7c26e3568d0d789067feef945086dff367408a1c |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_add_user() |
efc81d1b44169206a2e55bb8e900d3859375abe3 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_add_basic_user() |
722c364c39bc0ed81e9577fb522f684c0104e26c |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_get_new_id() |
3187afe4aafa562f2a6747846181ac06d0659dff |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_set_netgroup_attr() |
20d2466dbce2bb950813e3f739bc40b511020efb |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_set_group_attr() |
3f94d6718d44185137e13b6d326dfd63e8dc61c6 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_set_user_attr() |
e6f266656ead48452673389835125db7a1a34baf |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain arg to sysdb_search_netgroup_by_name() |
5d72a91a37273c8c874640906fd2f7a70e606812 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_search_group_by_gid()
Also remove unused sysdb_search_domgroup_by_gid() |
b23539e420b9962ad3bfd8f305b9d5acf47e7efb |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_search_group_by_name()
Also remove unused sysdb_search_domgroup_by_name() |
a5a4e5b4836fdd693bab6e1c7f9d633d1440447d |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_search_user_by_uid()
Also remove unused sysdb_search_domuser_by_uid() |
2ce00e0d3896bb42db169d1e79553a81ca837a22 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_search_user_by_name()
Also remove unused sysdb_search_domuser_by_name() |
9675bccabff4e79d224f64611ad9ff3e073b488e |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Make sysdb_custom_subtree_dn() require a domain. |
de526c8425886ca3bed8f07a0f092ba5ac325654 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Make sysdb_custom_dn() require a domain. |
4b49384056874e7999d8338ce5288f3d5c27a7b8 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Make sysdb_domain_dn() require a domain. |
7c974e792beef952ceb19a01775c6d0ee71a1253 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Make sysdb_netgroup_dn() require a domain explicitly. |
52c72ae8587d8d47393a891ccd4ef06bd4bef856 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Make sysdb_group_dn() require a domain explicitly. |
3613cc1eba1337256a2d06ba7a84532156139ccd |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Make sysdb_user_dn() require a domain explicitly. |
64af76e2bef2565caa9738f675c108a4b3789237 |
|
10-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Change pam data auth tokens.
Use the new authtok abstraction and interfaces throughout the code. |
c83e409297711e6012a164cc929c758a3f38e9b9 |
|
10-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Code can only check for cached passwords
Make it clear to the API users that we can not take arbitrary auth tokens.
We can only take a password for now so simplify and clarify the interface. |
849aa25d7511a44e8f755c6f0a79b2746007a539 |
|
08-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove dead netgroup functions |
c4658655e7cf7ea70b1f12975b1153a1f2997027 |
|
07-Jan-2013 |
Ondrej Kos <okos@redhat.com> |
SYSDB: split sysdb_add_user
The function itself was very long (more than 300 lines) and hard to
read, this patch splits it to three logical blocks. |
b01d8c856117f42f1a2c11669c9704166dc8f9ca |
|
07-Jan-2013 |
Ondrej Kos <okos@redhat.com> |
SYSDB: Modify ghosts in permissive mode
https://fedorahosted.org/sssd/ticket/1714
The attempt to delete all ghosts for user's name and aliases was failing,
resulting into failure of whole user-add operation. In permissive mode,
the attempts to delete non-existent entries are not interpreted as
error. |
5fefdbb7936ee47405c4127075896aa8217b4575 |
|
10-Dec-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Move misplaced assignment |
2e7a2bece1b00022f826d511a3eb87453e285862 |
|
23-Nov-2012 |
Ondrej Kos <okos@redhat.com> |
SYSDB: Don't operate with aliases same as name
fixes https://fedorahosted.org/sssd/ticket/1628
When user's alias is same as its name, don't use it for searching in
sysdb, and for deleting. |
8455d5ab61184e0d126fc074a9ce6e98391eb909 |
|
20-Nov-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Only convert direct parents' ghost attribute to member
https://fedorahosted.org/sssd/ticket/1612
This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.
As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.
The original member attributes are only saved if the LDAP schema
supports nesting. |
25285335d6d41400870e64f07904e899263699f5 |
|
20-Nov-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Use the add_string convenience functions for managing ghost user attribute
Using the convenience function instead of low-level ldb calls makes the
code more compact and more readable. |
95f5e7963a36b7b68859ce91ae4b232088bbaa09 |
|
24-Sep-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Remove unnecessary domain parameter from several sysdb calls
The domain can be read from the sysdb object. Removing the domain string
makes the API more self-contained. |
f17d26a8db285622a5cd5f21c7488b62eedc2cf8 |
|
24-Sep-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: Add entry objects below map objects
https://fedorahosted.org/sssd/ticket/1506
Changes how the new autofs entry objects are handled. Instead of
creating the entry on the cn=autofs,cn=custom level, the entry is
created below the map it belongs to. |
6ea1223c5efc200e37739e751df9f39887cf8dcd |
|
20-Sep-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
DB: Cancel transaction in sysdb_store_user if sysdb_add_user fails |
315f3beea41e48c5103d65ecd9966d94a23518e5 |
|
05-Sep-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Commit transaction in sysdb_store_user |
3a59cbd0b7b9c5dd3c62ac1679876070c264d80f |
|
04-Sep-2012 |
Michal Zidek <mzidek@redhat.com> |
Unify usage of sysdb transactions (part 2). |
d3d297c62e0340151da1d4ce1e082dcfcb45b431 |
|
06-Aug-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Use ldb_msg_add_string for simple string additions |
3ebf69a3a421a97aa0c27de1f90ea8bae64dc2b2 |
|
06-Aug-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Check the return value |
2bdb99e3578fa8ff606632d9e7242bc753737752 |
|
10-Jul-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Cast uid_t to unsigned long long in DEBUG messages |
28761338a0f411452c96e40007acf34b289c983f |
|
13-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
SYSDB: Reduce noise level of debug messages in lookups |
e4fb78b4507fe0c9ad55a3cff12b67b7b4976580 |
|
31-May-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Ghost members - modifications in sysdb
Deleted sysdb_add_fake_user():
This function is no longer used.
Modified sysdb_add_user():
When user object is added to sysdb, it is important to iterate over all
groups that might have its name or any of its aliases as ghost member
and replace this ghost membership by a real one. This will eliminate
duplicate memberships. |
79a93ba6dc35ebe525e2d7587bc7e293e8cf3b81 |
|
11-May-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Handle user and group renames better
Fixes a regression in the local domain tools where sss_groupadd no longer
detected a GID duplicate. The check for EEXIST is moved one level up into
more high level function.
The patch also adds the same rename support for users. I found it odd that
we allowed a rename of groups but not users. There is a catch when storing
a user -- his cached password would be gone. I think that renaming a user
is such a rare operation that it's not severe, plus there is a warning in
the logs. |
e2a59ba258ab98a6f50a1af627bc4cdceaa59101 |
|
10-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
SYSDB: Add better error logging to sysdb_set_entry_attr() |
4246f60ebd574a30392f3bcf5048c2379a17399f |
|
07-May-2012 |
Pavel Březina <pbrezina@redhat.com> |
Fix typo in debug message |
277a0187190fd417696590b303a5d7a204ed0555 |
|
24-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Delete missing attributes from netgroups to be stored
https://fedorahosted.org/sssd/ticket/1136 |
3bea01f01d76e1e95a8239c0d3f67073992136a1 |
|
22-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Don't give memory context in confdb where not needed |
1f1e6cbc59868f06dee3ab4b3df660fcb77ce1c8 |
|
06-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: sysdb interface |
232b73185893a42e545b20caa9e59880e8a8a901 |
|
06-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Remove code duplication between member_add and member_del |
e299638926171e0e92a36122aeff6611cd52418d |
|
31-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
SYSDB: extend sysdb_store_service() to accept additional attributes |
8941d820e05e6a93225b45021dcc314a004f20bc |
|
23-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
SYSDB: Move add_string and add_ulong to sysdb_private.h |
0e34a9148d90a6cc37369de15507b5967e30cecf |
|
22-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
SYSDB: Make ENOENT log messages less threatening
Previously, they were reported with the prefix "Error:" which
caused confusion among end-users while debugging. |
583f7e8c7178f2019df0f00d9dafe973e88ed707 |
|
02-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Handle group renaming correctly
https://fedorahosted.org/sssd/ticket/1040 |
53b61a2c5132a479b4ef7b0d944e2983b7d5e6c9 |
|
31-Oct-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Plug memory leaks in sysdb_ops
https://fedorahosted.org/sssd/ticket/1051 |
684d1b48b5582a1bf7812b8c3c663592dc6dfed9 |
|
13-Oct-2011 |
Pavel Březina <pbrezina@redhat.com> |
SysDB commands that save lastUpdate allow this value to be passed in
https://fedorahosted.org/sssd/ticket/836 |
95d3cb8d4ff2e3e8fdc186f2ebf617fd29ddfdec |
|
03-Oct-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use explicit base 10 for converting strings to integers
https://fedorahosted.org/sssd/ticket/1013 |
4a6a5421113ab662a665c62ed6a24b61a5a36950 |
|
28-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Multiline macro cleanup
This is mostly a cosmetic patch.
The purpose of wrapping a multi-line macro in a do { } while(0) is to
make the macro usable as a regular statement, not a compound statement.
When the while(0) is terminated with a semicolon, the do { } while(0);
block becomes a compound statement again. |
e79d23932ef9d52cf4eb32ddec2d0a9b3af9a9eb |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
sysdb refactoring: memory context deleted
This patch deletes memory context parameter in those places in sysdb
where it is not necessary. The code using modified functions has been
updated. Tests updated as well. |
8a1738f9379a1b8fb5c95c3df649e014ff5a1434 |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
sysdb refactoring: deleted domain variables in sysdb API
The patch also updates code using modified functions. Tests have also
been adjusted. |
82c3185b2ccc1e99ff6c6d63d09754cbd0705e6c |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
sysdb refactoring: renamed ctx variable to sysdb |
ace07a7d75c5a7c3f5613e5349fa8c1ffd05863a |
|
02-Jun-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Non-posix group processing - sysdb changes |
77bc3d93ddd41edee6046508884d7e95553ed5b7 |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Change sysdb_add_fake_user to add OriginalDN
RFC2307bis code relies heavily on originalDN, so the fake users need to
have an option to store it, too. |
46b78b8ab809a099480747253eefa5eb128c2a9f |
|
04-May-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Some minor fixes and changes in sysdb_ops |
f62b9b41b0a29a0294d6e532e2bed2b4ce9012e4 |
|
04-May-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Add a function for searching netgroups with custom filter |
278e1768a158a73b7769bcfe17035a17e2b81f70 |
|
23-Mar-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add originalDN to fake groups |
57d6586b06dd833330f7f9b125a81b5acabfa1a7 |
|
28-Feb-2011 |
Sumit Bose <sbose@redhat.com> |
Do not try to delete sysdb memberOf attribute |
c6257286e9a31dfd42d28c99a22a69e2c4717a61 |
|
21-Jan-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Delete attributes that are removed from LDAP
Sometimes, a value in LDAP will cease to exist (the classic
example being shadowExpire). We need to make sure we purge that
value from SSSD's sysdb as well.
https://fedorahosted.org/sssd/ticket/750 |
6a03b2a9c967d250825d614607d0bb7b901e8696 |
|
14-Jan-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Do not throw a DP error when a netgroup is not found
https://fedorahosted.org/sssd/ticket/775 |
337d3d9ba9e271272046feac0d17911d024eb43f |
|
14-Jan-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Work around libldb bug
Libldb performs non-indexed searches for ONELEVEL requests. We'll
use SUBTREE instead to reduce the performance hit substantially |
3fa7380908997eda5e45c5f4d6b512a954d3bc3c |
|
15-Nov-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix const cast warning for sysdb_update_members |
8059574092a96396dea64dae13696a7f95b423b1 |
|
18-Oct-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Modify sysdb_[add|remove]_group_member to accept users and groups
Previously, it assumed that all members were users. This changes
the interface so that either a user or a group can be specified.
Also, it eliminates the need for a memory context to be passed,
since the internal memory should be self-contained. |
c1d525a90f06a9414d0788857b271b80625a5858 |
|
15-Oct-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
sysdb interface for adding fake users |
7e15d2ed3c01ab3c1f5f882fe8fa974058097bc6 |
|
15-Oct-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
sysdb interface for adding incomplete groups
Useful for optimizing the initgroups operation. |
8000e501cb806948cfbfa5797afb7a400b4ea7e2 |
|
13-Oct-2010 |
Sumit Bose <sbose@redhat.com> |
Do not fail if netgroup exists just update the attributes |
1a3c4b9f378e3b04161e4f35b2efa5fae3d56a7b |
|
13-Oct-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Netgroups sysdb API |
213bcda07484803b9d9b7e226c386f77f469145f |
|
22-Sep-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix missing variable substitution in DEBUG message |
b0f08fe9d94f5bc6ec0c749f2b78d3f0d95cf5af |
|
15-Sep-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Define objectclass with a constant
Use a #define instead of hardcoded string |
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458 |
|
08-Sep-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Move crypto functions into its own subdir
A refactoring patch that creates a common util/crypto subdir with
per-implementation subdirectories for each underlying crypto library
supported by SSSD. |
d59e1d2397c92a2c9f43eb310d99d81cc835b37e |
|
03-Aug-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add sysdb_update_members function
This function will take a user, a list of groups that this user
should be added to and a list of groups the user should be removed
from and will recursively call sysdb_[add|remove]_group_member
Includes a unit test |
02e38eae1b9cb5df2036a707dafd86f6047c17de |
|
26-May-2010 |
Sumit Bose <sbose@redhat.com> |
Add support for delayed kinit if offline
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used. |
0a7a138cd47dcff3f4d53da2db4fa155708b8aeb |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: add automatic transactions where needed
Only functions that do multiple operations need explicit transactions
as ldb_add/ldb_modify/ldb_delete already start transactions automatically
internally. |
9724c51470c3f3416598cb07e0c7c07851345485 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: remove sysdb_check_handle
not used anymore |
c38706faa07a380c542cd1bda3ee54edfaf275d4 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_cache_auth |
8a6449480e4be898248c1d35bbf5c24d91503e4e |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_search_groups |
3b3dc1a8ad19100951d19abe4038791f01faa0b7 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: delete sysdb_delete_group |
ed80c73efa51780a39dfc9c72821cf88e95d264c |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_delete_user |
16ef1ec0d10d24703351d02bbd7d0c2255da4359 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_search_users |
cdc174f69d071c26257275e2478e3c8c08b95306 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb remove sldb_request_send, not used anymore |
4c898e1bb31ccf2af4039a7c3c5fcd82fb5667ed |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_asq_search |
a137f77b4ddff7f0651ffda710cec1f01618d7a9 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_store_custom |
9def019030f844e429c067c7cca27ff99c921527 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_search_custom |
bb0b6b4e39242577f60729fbcbd9e46e7a7af30d |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_cache_password |
02a9d8a40dc3a5fd671ede0e4fa7dac5178fbc75 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_mod/add/remove_group_member |
ace612f5998f619ba41828d2ba4b80d02a965162 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_store/add(_basic)_group |
a6ecb562529430be5a4cd6e8cdd541a383c9a2e1 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_store/add(_basic)_user |
c4a8b4169eea9661156d78dfe73a723fc5b61697 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_get_new_id |
506d34d2e84268c6589f613de0cb3992b8fb87a6 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_set_entry/user/group_attr |
5c69fd7c03e762a6fb08a7224eb1d6fd2967d09c |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_search_group_by_name/gid |
1c733ece101ca43b84c59a8dc7953346312dbf64 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_search_user_by_name/uid |
0995e4cc173577122bea5a1d4698262fd0e9c200 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_search_entry and sysdb_delete_recursive |
79c090e8c25ac13454b9f12f4d6dc635029a0c9d |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_delete_custom |
8c7f41a106b82e3451e2319546b8aff48977f685 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: use sysdb_delete_entry in recursive delete |
cae9c9fbdebc3f6a4c390a20e75447217439dff7 |
|
12-Apr-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
sysdb: convert sysdb_delete_entry |
8f4aaae28c88c707853f8f28d8babc4efe0c1bf6 |
|
04-Mar-2010 |
Martin Nagy <mnagy@redhat.com> |
Add forgotten \n in DEBUG statements
Logs from confdb with missing '\n' in the DEBUG statements annoyed me so
I decided to fix them. I also made a quick grep through the code and
found other places so I fixed them too. |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |