SYSDB: Read the ldb_message from loop's index counter when reading subdomain UPNs There was a typo in code that read the UPN suffixes from the subdomain ldb_message. As a result, the UPN suffixes from the first domain were always consulted for all domains. Related to: https://pagure.io/SSSD/sssd/issue/3431 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>

SYSDB: Use sysdb_domain_dn instead of raw ldb_dn_new_fmt Using ldb should be as much as an implementation detail as possible. Plus, it looks weird if one of the branch uses a sysdb function while another code branch uses a raw ldb call. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

sysdb: do not use LDB_SCOPE_ONELEVEL Currently the index for one-level searches is a huge blob which maps all parents with all it children. Handling this blob is costly and since all searches using LDB_SCOPE_ONELEVEL also have a filter with indexed attributes a sub-tree search would be more efficient. But since libldb currently first looks at the scope and hence use the one-level index blob we have to explicitly use LDB_SCOPE_SUBTREE in the callers to use the more efficient attribute based inxed. Related to https://pagure.io/SSSD/sssd/issue/3503 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

AD: Remember last site discovered in sysdb This can speed up sssd startup. Resolves: https://pagure.io/SSSD/sssd/issue/3265 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sysdb: add functions to get/set client site Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

RESPONDER: Use fqnames as output when needed As some regressions have been caused by not handling properly naming conflicts when using shortnames, last explicitly use fully qualified names as output in the following situations: - domain resolution order is set; - a trusted domain has been using `use_fully_qualified_name = false` In both cases we want to ensure that even handling shortnames as input, the output will always be fully qualified. As part of this patch, our tests ended up being modified to reflect the changes done. In other words, the tests related to shortnames now return expect as return a fully qualified name for trusted domains. Resolves: https://pagure.io/SSSD/sssd/issue/3403 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IPA: Get ipaDomainsResolutionOrder from ipaConfig ipaDomainsResolutionOrder provides a list of domains that have to be looked up firstly during cache_req searches. This commit only fetches this list from the server and stores its value at sysdb so we can make use of it later on this patch series. There are no tests for newly introduced sysdb methods are those are basically only calling sysdb_update_domain_resolution_order(), sysdb_get_domain_resolution_order() and sysdb_get_use_domain_resolution_order() which are have tests written for. Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

SUBDOMAINS: Allow use_fully_qualified_names for subdomains Allow option use_fully_qualified_names in subdomain section. This option was recently added to subdomain_inherit. Resolves: https://pagure.io/SSSD/sssd/issue/3337 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

UTIL: Store UPN suffixes when creating a new subdomain We used to store UPN suffixes pointer into the domain structure only if the domain changed, not when a new domain was created. As an effect, the enterprise principals flag was not enabled unless a domain changed, preventing logins with enterprise principals. Reviewed-by: Sumit Bose <sbose@redhat.com>

SYSDB: Removing of sysdb_try_to_find_expected_dn() Currently in order to match multiple LDAP search results we use two different functions - we have sysdb_try_to_find_expected_dn() but also sdap_object_in_domain(). This patch removes sysdb_try_to_find_expected_dn() and add new sdap_search_initgr_user_in_batch() based on sdap_object_in_domain(). This function covers necessary logic. Resolves: https://fedorahosted.org/sssd/ticket/3230 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Augment sysdb_try_to_find_expected_dn to match search base as well In cases where the domain name in sssd.conf does not match the AD domain, our previous matching process wouldn't match. This patch augments the matching as follows: - the search base is known to sysdb_try_to_find_expected_dn and is expected to be non-NULL - the existing matching is ran first - during the search base, matching, all the non-DC components are stripped from the search base to 'canonicalize' the search base - if only a single entry that matches with a non-DC DN component (matching with a DC component would mean the DN comes from a different domain) then this entry is a match and is returned Resolves: https://fedorahosted.org/sssd/ticket/3199 Reviewed-by: Sumit Bose <sbose@redhat.com>

SYSDB: Split sysdb_try_to_find_expected_dn() into smaller functions The function sysdb_try_to_find_expected_dn was performing several matching algorithms and thus it was getting big and hard to extend. This patch doesn't contain any functional changes, only shuffles the code around and splits the monolithic sysdb_try_to_find_expected_dn function into smaller blocks. Reviewed-by: Sumit Bose <sbose@redhat.com>

sysdb_master_domain_add_info: properly set do_update do_update should be only set if there is a change, i.e if something was added to the ldb_message. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

sysdb: make subdomain calls aware of upn_suffixes sysdb_subdomain_store() and sysdb_update_subdomains() can now update upn_suffixes as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sysdb: add UPN suffix support for the master domain sysdb_master_domain_update() and sysdb_master_domain_add_info() are now aware of the UPN suffix attribute. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sdap: improve filtering of multiple results in GC lookups The Global Catalog of AD contains some information about all users and groups in an AD forest. Users from different domain in the forest can have the same name. The most obvious example is the Administrator user which is present in all domains. Although SSSD uses a domain specific search base for looking up users in the GC the search might still return multiple results if there is a user with the same name in one of the child (or grand-child ...) domains because of the hierarchic nature of the LDAP tree. Limiting the search depth would not help because users can be created in deeply nested OUs. Currently SSSD expects in this case that the user object is store in CN=Users or below. This works for all default users like Administrator but in general users can be created anywhere in the directory tree. If a user is created outside of CN=Users and there is a user with the same name in a child domain the initgroups command to look up the group-memberships of the user fails because it is not clear which of the two results should be used (initgroups for the child domain user works fine). This patch adds an additional scheme to select the right result based on the domain component attribute name 'dc'. This attribute indicates an additional component in the domain name and hence a child domain. So as long as the result contains a dc component following out search base it cannot be the object we are looking for. This scheme includes the old CN=Users based one but since it is more expensive I kept the old scheme which so far worked all the time and only use the new one if the old one fails. Resolves https://fedorahosted.org/sssd/ticket/2961 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sysdb: Use get_next_domain instead of dom->next Recent get_next_domain refactoring enabled us to use it also for disabled domains. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sysdb: Include disabled domains in link_forest_roots Ticket: https://fedorahosted.org/sssd/ticket/2673 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

util: Update get_next_domain's interface Update get next domain to be able to include disbled domains and change the interface to accept flags instead of multiple booleans. Ticket: https://fedorahosted.org/sssd/ticket/2673 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

UTIL: Convert domain->disabled into tri-state with domain states Required for: https://fedorahosted.org/sssd/ticket/2637 This is a first step towards making it possible for domain to be around, but not contacted by Data Provider. Also explicitly create domains as active, previously we only relied on talloc_zero marking dom->disabled as false. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

views: Add is_default_view helper function Ticket: https://fedorahosted.org/sssd/ticket/2641 Reviewed-by: Pavel Reichl <preichl@redhat.com>

SYSDB: Add a forest root attribute to sss_domain_info Instead of complex forest root search methods, establish forest root during subdomain list update. The subdomain code can then just use the forest_root pointer. Reviewed-by: Sumit Bose <sbose@redhat.com>

SYSDB: Add realm to sysdb_master_domain_add_info Adding realm to both master domain and subdomain will make it easier to set and select forest roots. Even master domains can be forest members, it's preferable to avoid special-casing as much as possible. Includes a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>

UTIL/SYSDB: Move new_subdomain() to sysdb_subdomains.c and make it private In order to make updating the subdomain list a two-step process. Therefore we need to make sure that update_subdomains() is the only interface towards the SSSD that changes the subdomain list. Move the new_subdomain() function to sysdb_subdomains.c and only make it available through a private header so it's usable by unit tests. Reviewed-by: Sumit Bose <sbose@redhat.com>

SYSDB: Store trust direction for subdomains We need to store the subdomain trust direction in order to recover the structure after SSSD restart. The trust direction is a plain uint32_t to avoid leaking the knowledge about AD trust directions to sysdb while at the same time making it easy to compare values between sysdb and LDAP and avoid translating the values. Reviewed-by: Sumit Bose <sbose@redhat.com>

sysdb: add view data to domains The information about view is read from the cache and added to the domain structs accordingly. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

responder: Set forest attribute in AD domains Resolves: https://fedorahosted.org/sssd/ticket/2160

IPA: store forest name for forest member domains In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of the forest must be known for a member domain of the forest.

Read enumerate state for subdomains from cache The enumerate flag will be read from the cache for subdomains and the domain object will be created accordingly.

SYSDB: Store enumerate flag for subdomain

DB: remove unused realm parameter from sysdb_master_domain_add_info The parameter was not used at all.

DB: Update sss_domain_info with new updated data

Read mpg state for subdomains from cache The mpg flag will be read from the cache for subdomains and the domain object will be created accordingly.

Save mpg state for subdomains The information of a subdomain will use magic private groups (mpg) or not will be stored together with other information about the domain in the cache.

Change the way domains are linked. - Use a double-linked list for domains and subdomains. - Never remove a subdomain, simply mark it as disabled if it becomes unused. - Rework the way subdomains are refreshed. Now sysdb_update_subdomains() actually updates the current subdomains and marks as disabled the ones not found in the sysdb or add new ones found. It never removes them. Removal of missing domains from sysdb is deferred to the providers, which will perform it at refresh time, for the ipa provider that is done by ipa_subdomains_write_mappings() now. sysdb_update_subdomains() is then used to update the memory hierarchy of the subdomains. - Removes sysdb_get_subdomains() - Removes copy_subdomain() - Add sysdb_subdomain_delete()

Remove sysdb_subdom completely struct sss_domain_info is always used to represent domains now. Adjust tests accordingly.

Add sysdb_subdomain_store() function Replaces sysdb_add_subdomain_attributes and is a public sysdb interface.

Refactor sysdb_master_domain_add_info()

Update main domain info in place

Avoid sysdb_subdom in sysdb_get_subdomains()

Stop creating fake sysdb contexts Now that the sysdb context does not contain anymore domain related data we can simply stop creating faxe sysdb context and just reference the parent context.

Kill sysdb->domain Finally remove this upside-down dependency.

Move mpg flag to the domain where it belongs A sysdb contains now multiple domains, but the mpg property is a property of a specific domain not of the underlying database.

Add domain to some subdomain functions

Add domain argument to sysdb_delete_group() Also remove sysdb_delete_domgroup()

Add domain argument to sysdb_delete_user() Also remove sysdb_delete_domuser()

Add domain argument to sysdb_store_group() Also remove sysdb_store_domgroup()

Add domain argument to sysdb_store_user() Also remove sysdb_store_domuser()

Add domain to sysdb_search_group_by_gid() Also remove unused sysdb_search_domgroup_by_gid()

Add domain to sysdb_search_group_by_name() Also remove unused sysdb_search_domgroup_by_name()

Add domain to sysdb_search_user_by_uid() Also remove unused sysdb_search_domuser_by_uid()

Add domain to sysdb_search_user_by_name() Also remove unused sysdb_search_domuser_by_name()

Pass domain to sysdb_get<pw/gr>nam() functions Also allows us to remove sysdb_subdom_get<pw/gr>nam() wrappers and restore fqnames proper value in subdomains, by testing for a parent domain being present or not.

LDAP: Only convert direct parents' ghost attribute to member https://fedorahosted.org/sssd/ticket/1612 This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents. As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback. The original member attributes are only saved if the LDAP schema supports nesting.

Refactor the way subdomain accounts are saved The original sysdb code had a strong assumption that only users from one domain are saved in the databse, with the subdomain feature, we have changed reality, but have not adjusted all the code arund the sysdb calls to not rely on the original assumption. One of the side effects of this incongrunece is that currently group memberships do not return fully qualified names for subdomain users as they should. In oreder to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By savin them fully qualified we do not risk aliasing local users and have group memberhips or other name based matching code mistake a domain user with subdomain usr or vice versa.

sysdb_master_domain_get_info: fix copy-and-paste error

SYSDB: NULL-terminate the output of sysdb_get_{ranges,subdomains}

Unify usage of sysdb transactions (part 2).

Change refreshing of subdomains This patch keeps a local copy of the subdomains in the ipa subdomains plugin context. This has 2 advantages: 1. allows to check if anything changed w/o always hitting the sysdb. 2. later will allows us to dump this information w/o having to retrieve it again. The timestamp also allows to avoid refreshing too often.

Add realm paramter to subdomain list This will be used later for setting domain_realm mappings in krb5.conf

Fix return error and debug message The debuf message was trying to print the number of returned entries, but no integer was provided. Return ENOENT as the error for when there are no entries, not EINVAL.

Use ldb_msg_add_string with bare strings

Fix wrong elements used in comparison

Fix double semi-colons

80 columns police

Change subdomain_info Rename the structure to use a standard name prefix so it is properly name-spaced, in preparation for changing the structure itself.

IPA subdomains - ask for information about master domain The query is performed only if there is missing information in the cache. That means this should be done only once after restart when cache doesn't exist. All subsequent requests for subdomains won't include the request for master domain.

Sysdb routines for subdomains