History log of /sssd-io/src/db/sysdb_views.c
Revision Date Author Comments
d0d3631242178f0b6fccf08baeca1a57f28771fa 23-Jan-2018 Fabiano Fidêncio <fidencio@redhat.com>

SYSDB_VIEWS: Remove sshPublicKey attribute when it's not set
We have to explicitly remove 'sshPublicKey' attribute from an override in case it's not set, otherwise we may end up in a situation where a ssh key is removed from IPA but it'll still be present in SSSD's server cache, allowing then users to ssh to a machine even having a key that has already been removed from IPA.
Related: https://pagure.io/SSSD/sssd/issue/3602
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>

4671acb949c65c5c080532e03b1b6f1c9377a6a5 01-Dec-2017 Sumit Bose <sbose@redhat.com>

overrides: fixes for sysdb_invalidate_overrides()
There were two issues in sysdb_invalidate_overrides(). First, SYSDB_CACHE_EXPIRE was only reset for the entry in the data cache but not in the timestamp cache. Second, if one of the steps in the combined replace and delete operation failed no change was committed to the cache. If, for whatever reasons, a user or group object didn't have SYSDB_OVERRIDE_DN set the delete failed and hence SYSDB_CACHE_EXPIRE wasn't reset as well. To make sure the cache is in a consistent state after a view change the replace and the delete operations are done in two steps.
Related to https://pagure.io/SSSD/sssd/issue/3579
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

a02a5ed51178b2cbede0396d66aed716b8898096 25-Oct-2017 René Genz <liebundartig@freenet.de>

Fix minor spelling mistakes
Merges: https://pagure.io/SSSD/sssd/pull-request/3556
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

/sssd-io/contrib/sssd.spec.in sysdb_private.h sysdb_views.c /sssd-io/src/examples/sssd-example.conf /sssd-io/src/lib/idmap/sss_idmap.doxy.in /sssd-io/src/man/sssd-secrets.5.xml /sssd-io/src/providers/ad/ad_gpo.c /sssd-io/src/providers/be_dyndns.c /sssd-io/src/providers/data_provider/dp_request.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/ldap/sdap_async_sudo.c /sssd-io/src/responder/kcm/kcmsrv_ccache_json.c /sssd-io/src/responder/kcm/kcmsrv_op_queue.c /sssd-io/src/sbus/sssd_dbus_connection.c /sssd-io/src/shared/safealign.h /sssd-io/src/sss_client/autofs/sss_autofs.c /sssd-io/src/sss_client/idmap/sss_nss_idmap.doxy.in /sssd-io/src/sss_client/libwbclient/wbc_pwd_sssd.c /sssd-io/src/sss_client/sudo/sss_sudo.h /sssd-io/src/tests/cmocka/common_mock_resp_dp.c /sssd-io/src/tests/cmocka/test_sbus_opath.c /sssd-io/src/tools/common/sss_process.c /sssd-io/src/tools/common/sss_process.h /sssd-io/src/tools/sssctl/sssctl.c /sssd-io/src/tools/sssctl/sssctl_data.c /sssd-io/src/util/crypto/libcrypto/crypto_sha512crypt.c /sssd-io/src/util/crypto/nss/nss_sha512crypt.c /sssd-io/src/util/server.c /sssd-io/src/util/sss_ini.h /sssd-io/src/util/tev_curl.c /sssd-io/src/util/util_lock.c
352f4832324839d358235de1236090b1fd4ddc0f 28-Apr-2017 René Genz <liebundartig@freenet.de>

Use correct spelling of override
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

2e5fc89ef25434fab7febe2c52e97ef989b50d5b 28-Apr-2017 Sumit Bose <sbose@redhat.com>

overrides: add certificates to mapped attribute
Certificates in overrides are explicitly used to map users to certificates, so we add them to SYSDB_USER_MAPPED_CERT as well.
Resolves https://pagure.io/SSSD/sssd/issue/3373
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

fb81f337b68c85471c3f5140850dccf549a2d0ac 29-Mar-2017 Fabiano Fidêncio <fidencio@redhat.com>

IPA: Get ipaDomainsResolutionOrder from IPA ID View
ipaDomainsResolutionOrder provides a list of domains that have to be looked up firstly during cache_req searches. This commit only fetches this list from the server and stores its value at sysdb so we can make use of it later on this patch series. There are no tests for newly introduced sysdb methods as those are basically only calling sysdb_update_domain_resolution_order(), sysdb_get_domain_resolution_order() and sysdb_get_use_domain_resolution_order() which have tests written for them.
Related: https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

b341ee51cffd98b642b9c68a417f8a7504e303a1 23-Mar-2017 Sumit Bose <sbose@redhat.com>

sss_cert_derb64_to_ldap_filter: add sss_certmap support
Use certificate mapping library if available to lookup a user by certificate in LDAP.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

b969ccc2cc58fdf761e5d314de9217f2d914bc9b 31-Aug-2016 Lukas Slebodnik <lslebodn@redhat.com>

SYSDB: Fix error handling in sysdb_get_user_members_recursively
We ignored failures from sysdb_search_entry
Reviewed-by: Petr Čech <pcech@redhat.com>

1594701fbdc341069e11cff9a85e7a795e52db3d 29-Jul-2016 Sumit Bose <sbose@redhat.com>

views: properly override group member names
Resolves https://fedorahosted.org/sssd/ticket/2948
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

26a3d4f2ef35a088e4c5fc928290052c89a2ff43 12-Jul-2016 Sumit Bose <sbose@redhat.com>

views: allow override added for non-default views at runtime
Currently a new override for a non-default view cannot be displayed at run-time. It even does not only require a restart but the view must be un-applied and applied again to make the changes visible. This patch fixes this and makes non-default view behave like the default view where the data from a newly added override are displayed after the cached entry of the related object is expired.
Resolves https://fedorahosted.org/sssd/ticket/3092
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

7c083e276ac40aa29bad6f04a950026697ea4f1d 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Construct internal fqnames, not NSS names in sysdb_add_group_member_overrides
Because all users and groups are stored the same way in sysdb, we can avoid parsing and unparsing the name with NSS functions and instead just grab the name from the FQDN in the cache.
Reviewed-by: Sumit Bose <sbose@redhat.com>

da1fd52202cffa3260470565b74af885a466cb00 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: add_name_and_aliases_for_name_override no longer needs to special case subdomain users
All user and group names use the same unified format in the cache, so there's no need to special-case subdomains and create different names for the main domain and a subdomain.
Reviewed-by: Sumit Bose <sbose@redhat.com>

6cb34580ee6e9e2c9190b77b10db8a3c43e3c9c8 09-Jun-2016 Sumit Bose <sbose@redhat.com>

sysdb: add searches by certificate with overrides
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d5e26a3ec3fa1f217f0afd045a03b29d4f88fe1d 18-Sep-2015 Pavel Březina <pbrezina@redhat.com>

views: fix two typos in debug messages
Reviewed-by: Sumit Bose <sbose@redhat.com>

9571c9ba5ee7f8aad24e9dec6c44ce21688fa044 18-Sep-2015 Pavel Březina <pbrezina@redhat.com>

views: do not require overrideDN in groups when LOCAL view is set
Resolves: https://fedorahosted.org/sssd/ticket/2790
Reviewed-by: Sumit Bose <sbose@redhat.com>

a8d31510d12af6ee39fb3e1e13f3a4f6bdef33c1 27-Jul-2015 Pavel Březina <pbrezina@redhat.com>

SYSDB: prepare for LOCAL view
Objects don't have to have overrideDN specified when using LOCAL view. Since the view is not stored on the server we do not want to contact LDAP therefore we special case LOCAL view saying that it is OK that this attribute is missing.
Preparation for: https://fedorahosted.org/sssd/ticket/2584
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

145578006684481434ced78461ab8d1c3570f478 05-May-2015 Sumit Bose <sbose@redhat.com>

IPA: enhance ipa_initgr_get_overrides_send()
This patch makes ipa_initgr_get_overrides_send() public and adds support to search overrides by UUID or by SID.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 17-Mar-2015 Lukas Slebodnik <lslebodn@redhat.com>

Add missing new lines to debug messages
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd-io/src/confdb/confdb_setup.c sysdb_autofs.c sysdb_sudo.c sysdb_views.c /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor_netlink.c /sssd-io/src/providers/ad/ad_common.c /sssd-io/src/providers/ad/ad_init.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/dp_dyndns.c /sssd-io/src/providers/dp_ptask.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_hbac_rules.c /sssd-io/src/providers/ipa/ipa_hostid.c /sssd-io/src/providers/ipa/ipa_selinux.c /sssd-io/src/providers/ipa/ipa_subdomains.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_wait_queue.c /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/sdap.c /sssd-io/src/providers/ldap/sdap_async.c /sssd-io/src/providers/ldap/sdap_async_connection.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_utils.c /sssd-io/src/responder/autofs/autofssrv_cmd.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pac/pacsrv_utils.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/responder/sudo/sudosrv_query.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/tests/krb5_child-test.c /sssd-io/src/tools/files.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/util/debug.c /sssd-io/src/util/domain_info_utils.c /sssd-io/src/util/find_uid.c /sssd-io/src/util/server.c /sssd-io/src/util/sss_ini.c /sssd-io/src/util/sss_krb5.c /sssd-io/src/util/sss_semanage.c /sssd-io/src/util/usertools.c
04d138472cc086fb7961f0d378852b09961b1a33 11-Mar-2015 Lukas Slebodnik <lslebodn@redhat.com>

Log reason in debug message why ldb_modify failed
Reviewed-by: Sumit Bose <sbose@redhat.com>

fbcdc08722aa8ed17c4b114e01fbb37c02cfb2fe 13-Jan-2015 Sumit Bose <sbose@redhat.com>

sysdb: fix group members with overridden names
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

b52b26176c92f3b06dba5598428c70c0cde13fd1 17-Dec-2014 Sumit Bose <sbose@redhat.com>

IPA: do not try to add override gid twice
By default user and group overrides use the same attribute name for the GID and this causes SSSD machinery to add the same value twice which causes an error in ldb_add() or ldm_modify().
Related to https://fedorahosted.org/sssd/ticket/2514
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

cd5033e86bb4065d75188e2b6ef287a4421344c8 25-Nov-2014 Sumit Bose <sbose@redhat.com>

views: allow view name change at startup
Currently some manual steps are needed on a FreeIPA to switch from one view to another. With this patch the IPA provider checks at startup if the view name changed and does the needed steps automatically. Besides saving the new view name this includes removing the old view data and marking the user and group entries as invalid.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

2fe140d3a41e1ac66400069d35adc9379348c1e5 25-Nov-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_invalidate_overrides()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

fe2ab0d67fe8c66fb6352e9d8f845bb46d1848cb 25-Nov-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_delete_view_tree()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ab355eced46b5f488ed62a79a7f2e5ac2b6a574c 05-Nov-2014 Sumit Bose <sbose@redhat.com>

Views: apply user SSH public key override
With this patch the SSH public key override attribute is read from the FreeIPA server and saved in the cache with the other override data. Since it is possible to have multiple public SSH keys this override value does not replace any other data but will be added to existing values.
Fixes https://fedorahosted.org/sssd/ticket/2454
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

1a9f66352070d71a6b998c5afbc268ba6fddc51c 05-Nov-2014 Sumit Bose <sbose@redhat.com>

sysdb_add_overrides_to_object: add new parameter and multi-value support
With the new parameter an attribute list other than the default one can be used. Override attributes with multiple values (e.g. SSH public keys) are now supported as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

e087497ad7648e81a1b4d0752e07c2fb6fcfe2b1 22-Oct-2014 Pavel Reichl <preichl@redhat.com>

Fix debug messages - trailing '.'
Fix debug messages where '\n' was wrongly followed by '.'.
Reviewed-by: Sumit Bose <sbose@redhat.com>

727d46f4dace666c809310b3f685eef387023f65 20-Oct-2014 Pavel Březina <pbrezina@redhat.com>

Add sysdb_search_[user|group]_override_attrs_by_name
Reviewed-by: Sumit Bose <sbose@redhat.com>

d2f4551519698809e73a029c49599e1f67e6bdd4 20-Oct-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_getgrnam_with_views and sysdb_getgrgid_with_views
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

ba88f3617e5a56bba19a0d65d35069d8e4d0c89c 20-Oct-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sss_view_ldb_msg_find_element/attr_as_string/uint64
Override-aware replacements for the corresponding ldb_msg_find_* calls. First it is checked if an override value is available before the original value is returned.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

89b065cb85f57e80760ce4d4b1215b533e249e92 20-Oct-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_getpwnam/uid_with_views()
View-aware drop-in replacements for sysdb_getpwnam() and sysdb_getpwuid().
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

d70023a7fa95c8c12683de965a76ec38a6234ae5 20-Oct-2014 Sumit Bose <sbose@redhat.com>

sysdb: add override lookup calls
sysdb_search_user_override_by_name() and sysdb_search_group_override_by_name() search for overrides in the given view. sysdb_add_overrides_to_object() adds the data from the override object to the original object and makes them available for further processing.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

9da27cbc7532f775afc411d809735760dd5294a7 16-Oct-2014 Sumit Bose <sbose@redhat.com>

sysdb: sysdb_apply_default_override
The default view is special in the sense that it is the baseline for every other view and that it always applies even if there is no view defined. To avoid useless additional processing the default view overrides are written directly to the corresponding cached object.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

ca49ae1eee321751681e99f3ebe2547211db3bf6 16-Oct-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_store_override
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

2ef62c64e7f07c8aced3f72850008ecb72860162 16-Oct-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_update_view_name()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>