346d6d8bf5fdb446921d754c07c8a7d913a048d5 |
|
29-Jan-2018 |
René Genz <liebundartig@freenet.de> |
Fix minor spelling mistakes
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
0e238c259c066cf997aaa940d33d6bda96c15925 |
|
27-Nov-2017 |
Sumit Bose <sbose@redhat.com> |
sysdb: do not use objectClass for users and groups
The majority of the objects in the SSSD cache are users and groups. If
there are many users and groups in the cache the index objects of the
objectclass attributes 'user' and 'group' become large because they
must hold references to all objects of those object classes.
As a result the management of these index objects becomes costly because
they must be parsed and split apart quite often. Additionally they are
mostly useless because users and groups are looked up by more specific
attributes in general.
Only when enumerating all users or groups this kind of index might be
useful.
There are two ways of removing this kind of index from the user and group
objects. Either by removing objectClass from the list of indexes and adding
a new attribute to all other types of object we want an index for. Or by
replacing objectClass with a different attribute for the user and group
objects. After some testing I think the latter one is the more reliable
one and implemented it in this patch.
Related to https://pagure.io/SSSD/sssd/issue/3503
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
93b9f0bb4694425a0ce766552ea1d1b775ab3c38 |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
MEMBEROF: Allow bypassing memberof during upgrade
The next sysdb upgrade will be changing memberUid and memberOf
attributes as well. To avoid changing the memberof module just because
of an upgrade, add an environment variable that disables the memberof
plugin altogether when set.
The variable will be set at the beginning of the upgrade and unset
later.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
71fbf3a10cd9c5a31e1789baf44a9f9f9b0926f1 |
|
07-Jul-2016 |
Michal Zidek <mzidek@redhat.com> |
Remove misleading comment
Function entry_has_objectclass is not used just
for users.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
27a0be2bb6f21f66527e0edea4ed2cb4b5cafa53 |
|
13-Apr-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
memberof: Don't allocate on NULL when deleting memberUids
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
c07fb3f111b4dc2780fa4e1408ea04cd36e95a4d |
|
13-Apr-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
memberof: Fix a memory leak when removing ghost users
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
2d84b65383f2d13d6f94ac561ad92907b59062f3 |
|
09-Mar-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
memberof: Don't allocate on a NULL context
https://fedorahosted.org/sssd/ticket/2959
In case no previous delete operation occurred, the del_ctx->muops pointer we
allocate the diff structure on would be NULL, effectively leaking the
diff array during the memberof processing.
Allocating on del_ctx is safer as that pointer is always allocated and
prevents the leak.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
42604cc8d11743febf5aa892cb3a7d3c32bfed48 |
|
23-Feb-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fix typos reported by lintian
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
999c87114479f230c840a5c020e107c45b29fd56 |
|
23-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
memberof: Do not create request with 0 attribute values
[sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Constraint violation](19)
[attribute 'ghost': attribute on 'name=Escalation,cn=groups,cn=LDAP,cn=sysdb'
specified, but with 0 values (illegal)]
[sysdb_error_to_errno] (0x0020): LDB returned unexpected error:
[Constraint violation]
[sysdb_set_entry_attr] (0x0040): Error: 14 (Bad address)
[sdap_store_group_with_gid] (0x0040): Could not store group Escalation
[sdap_save_group] (0x0080): Could not store group with GID: [Bad address]
[sdap_save_group] (0x0080): Failed to save group [Escalation]: [Bad address]
[sdap_save_groups] (0x0040): Failed to store group 1. Ignoring.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a1bd8bc666df7fa696523ec8ec1dfe3d79780588 |
|
04-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
memberof: check for empty arrays to avoid segfaults
The arrays with members to add or delete may be empty, i.e. have 0
entries. In this case further processing should be skipped to avoid
segfaults later on.
Fixes (hopefully) https://fedorahosted.org/sssd/ticket/2430
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
31a27b63617dcfb719cb246d8e1f062988328e01 |
|
09-Feb-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
memberof: Removed unused parameter from mbof_fill_vals_array.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f7257ab0bcea6c41fab5a4677787f3075ecdcb64 |
|
04-Nov-2013 |
Pavel Reichl <pavel.reichl@redhat.com> |
Include ext headers with #include <foo.h> - cont
Changing style of including header files from outside of sssd tree - from "header.h" to <header.h> |
47d35b3d6b0e1023c8dcdbc8371d6f3ca762dfe4 |
|
28-Aug-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
MEMBEROF: Remove temporary workaround |
aab77886be61d915805bf16500e06fab6a5a7e4f |
|
17-Jul-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Every time use permissive control in function memberof_mod.
Storing cyclic groups into sysdb can cause adding ghost members,
which have already been stored. Function ldb_modify will fail
with error [Attribute or value exists].
With permissive control, duplicated attributes will be skipped
as if they were never added.
https://fedorahosted.org/sssd/ticket/1846 |
ec26d836b1b2a41ec2692976a539da51f261412b |
|
20-Mar-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Making the ldb check configurable
It is possible to enable/disable checking in LDB memberof plugin
whether it was built against the same version of LDB that is present
on the system. This feature is turned off by default
and enabled in Fedora/RHEL spec file.
https://fedorahosted.org/sssd/ticket/1813 |
aed6196263ebddb6f8ffb12eace11539f5941662 |
|
19-Dec-2012 |
Simo Sorce <simo@redhat.com> |
memberof: Prevent unneeded failure case
When deleting a user we would fail the operation completely if the member
attribute was not found on one of the groups it was allegedly member of.
Failing in this case is unnecessary, and can cause issues.
Found trying to upgrade db version (and failing) on one of my RHEL machines.
Also removed a stray \ in the companion function that removes ghost members,
that function needs no changes as it was already ignoring this kind of
failure. |
b1c0ad085fbfd9d2e29de15b131d2ff642b15708 |
|
17-Dec-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
MEMBEROF: silence compilation warnings
src/ldb_modules/memberof.c: In function ‘mbof_get_ghost_from_parent_cb’:
src/ldb_modules/memberof.c:3085: warning: declaration of ‘dup’ shadows a global declaration
/usr/include/unistd.h:528: warning: shadowed declaration is here
src/ldb_modules/memberof.c: In function ‘mbof_inherited_mod’:
src/ldb_modules/memberof.c:3253: warning: declaration of ‘dup’ shadows a global declaration
/usr/include/unistd.h:528: warning: shadowed declaration is here
src/ldb_modules/memberof.c: In function ‘mbof_fill_vals_array’:
src/ldb_modules/memberof.c:3786: warning: declaration of ‘index’ shadows a global declaration
/usr/include/string.h:489: warning: shadowed declaration is here |
cecec6c15d51544a7365459d14ebf87200eaed54 |
|
10-Dec-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
MEMBEROF: Fix copy-n-paste error
https://fedorahosted.org/sssd/ticket/1703 |
a7b0fa042d58c31140eee6927585c70c18f61584 |
|
05-Dec-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
MEMBEROF: Keep inherited ghost users around on modify operation
https://fedorahosted.org/sssd/ticket/1652
It is possible to simply reset the list of ghost users to a different one
during a modify operation. It is also actually how we update entries that
are expired in the SSSD cache.
In this case, we must be careful and retain the ghost users that are not
native to the group we are processing but are rather inherited from child
groups. The intention of the replace operation after all is to set the
list of direct members of that group, not direct and indirect. |
521bc8907ac558320042f229691274d5aa7e55f0 |
|
05-Dec-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
MEMBEROF: Implement the modify operation for ghost users
Similar to the add and delete operation, we also need to propagate the
changes of the ghost user attribute to the parent groups so that if a
nested group updates memberships, its parents also get the membership
updated. |
562021e560a3be3f996551b297cada3cf8ce6cab |
|
05-Dec-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
MEMBEROF: Split the add ghost operation into a separate function
This new function will be reused by the modify operation later |
08500fd7b7d64c26289a62772d433ea5bf578482 |
|
05-Dec-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
MEMBEROF: Split the del ghost attribute op into a reusable function
This new function is going to be reused by the modify operation |
a8fb39ac2e029d32f6937f8bb683284dcb648a9d |
|
05-Dec-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
MEMBEROF: split processing the member modify into a separate function
This will allow to process ghost users in a similar fashion |
fe9516c6cc4e41b00bc7b88431fc42250d98041f |
|
05-Dec-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
MEMBEROF: Implement delete operation for ghost users
https://fedorahosted.org/sssd/ticket/1668
The memberof plugin did only expand the ghost users attribute to
parents when adding a nested group, but didn't implement the reverse
operation.
This bug resulted in users being reported as group members even
after the direct parent went away as the expanded ghost attributes were
never removed from the parent entry.
When a ghost entry is removed from a group, all its parent groups are
expired from the cache by setting the expire timestamp to 1. Doing so
would force the SSSD to re-read the group next time it is requested in
order to make sure its members are really up-to-date. |
701012f04b239793e56b8b0540531b61a6873277 |
|
28-Nov-2012 |
Simo Sorce <simo@redhat.com> |
Avoid duplicating macros
This macro is already available in util/util.h which is explicitly included
in this file. |
6826edf9cbda1b26300340e9e83f7bb491562d00 |
|
26-Nov-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
MEMBEROF: Do not add the ghost attribute to self
When a nested group with ghost users is added, its ghost attribute should
propagate within the nested group structure much like the memberuid
attribute. Unlike the memberuid attribute, the ghost attribute is only
semi-managed by the memberof plugin and added manually to the original
entry.
This bug caused LDB errors saying that attribute or value already exists
when a group with a ghost user was added to the hierarchy as groups were
updated with an attribute they already had. |
a475628466a532213669864de4d5ecead563464d |
|
31-May-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Ghost members - modifications in memberof plugin |
89bff384bccda7e211649dffc40f24a7bdd552df |
|
14-Apr-2011 |
Simo Sorce <ssorce@redhat.com> |
memberof: free delete operation payload once done
Large memberof delete operations can cause quite a number of searches
and the results are attached to a delop operation structure.
Make sure we free this payload once the operation is done and these
results are not used anymore so that we get a smaller total memory footprint. |
cb57eaf0f8a3fa44776e9b9ea5165304e719d17d |
|
14-Apr-2011 |
Simo Sorce <ssorce@redhat.com> |
memberof: fix calculation of replaced members
We were skipping the check on the next value in the added list when a match
was found for the current value being checked. |
23e8d84320ae8b76d244764c02e44036e96cd4df |
|
11-Feb-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix module registration with newer LDB libraries. |
01bc248f42f1a056091aa3dd99ba9615ba61df6f |
|
11-Feb-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Clear up -Wunused-but-set-variable warnings |
adc4351a04cef89ced2dbb240180e5d00fd8dd3c |
|
15-Nov-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Sanitize search filters in memberOf plugin |
039d997b19cffa2f5428bb3d85669ebc5888307a |
|
08-Sep-2010 |
Jan Zeleny <jzeleny@redhat.com> |
Dead assignments cleanup in memberof module
Some assignments deleted, two return value inspections were
added.
Ticket: #589 |
3ea37e96974387d57593dfb1010ee6974c7d9e1e |
|
11-Mar-2010 |
Simo Sorce <ssorce@redhat.com> |
Fix memberof calculation when deleting groups
With complex hierarchies it could happen that the group just deleted was
re-added by mistake to the list of groups a user is member of, causing the user
to have a stray memberof value in its entry. |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |