IDMAP: Prevent colision for explicitly defined slice. Currently it happens for default domain, if someone configures different ldap_idmap_default_domain_sid for two domains in sssd.conf. There is no check preventing this in sdap_idmap.c, it's simply: sdap_idmap_add_domain(idmap_ctx, dom_name,sid_str, 0). However, I believe here is the best place to check it since there may be different use of sss_idmap_calculate_ranges in the future. Reviewed-by: Sumit Bose <sbose@redhat.com>

Moving headers used by both server and client to special folder These are the header files which are used by both client and server: src/util/io.h src/util/murmurhash3.h src/util/util_safealign.h This patch is about moving these header files to special folder (src/shared). It will be easier to identify these headers when looking for them in the src tree. util_safalign.h is renamed as safalign.h because util_ namespace is appropriate when this file belonged to the util's folder which is no longer the case. Resolves: https://pagure.io/SSSD/sssd/issue/1898 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

idmap_error_string: add missing descriptions Related to https://pagure.io/SSSD/sssd/issue/1960 Related to https://pagure.io/SSSD/sssd/issue/1938 Related to https://pagure.io/SSSD/sssd/issue/1844 Related to https://pagure.io/SSSD/sssd/issue/1593 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Remove double semicolon at the end of line Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IDMAP: Make parameter names more descriptive Domain SID (not name) is part of identification string for helper range in generate_sec_slice_name(). Use more generic name for range identifier when calculating range for new slice in sss_idmap_calculate_range(). Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IDMAP: Add minor performance improvements Some ID ranges are precalculated when ID mapping is being initialized. This patch utilizes these (helper) ranges when new domains are generated if appropriate. Reviewed-by: Sumit Bose <sbose@redhat.com>

IDMAP: Fix minor memory leak Reviewed-by: Michal Židek <mzidek@redhat.com>

IDMAP: Add support for automatic adding of ranges Resolves: https://fedorahosted.org/sssd/ticket/2188 Reviewed-by: Sumit Bose <sbose@redhat.com>

IDMAP: New structure for domain range params Create new internal structure idmap_range_params by merging ID mapping range relevant fields from idmap_domain_info and remove corrsponding fields. Resolves: https://fedorahosted.org/sssd/ticket/2188 Reviewed-by: Sumit Bose <sbose@redhat.com>

IDMAP: Fix computing max id for slice range Max value of id mapping range was 1 unit too high. Resolves: https://fedorahosted.org/sssd/ticket/2922 Reviewed-by: Sumit Bose <sbose@redhat.com>

IDMAP: add sss_idmap_check_collision(_ex) Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

idmap: add API to free allocated SIDs

idmap: add sss_idmap_domain_by_name_has_algorithmic_mapping()

idmap: allow ranges with external mapping to overlap If POSIX IDs are managed externally e.g. by AD it might be possible that the IDs are centrally manages for the whole forest. Hence there might not be a single ID range for each member domain in the forest but only a single ID range for the whole forest. This means that we have to allow collisions if ID ranges in this case. Unit tests are added to make sure that the collisions are only allowed for external mappings.

idmap: fix a memory leak if a collision is detected

idmap: add internal function to free a domain struct

idmap: add sss_idmap_domain_has_algorithmic_mapping With this call it can be checked if for a given domain algorithmic mapping is available or if the ID must be read from an external source. The default if an error occurs or no matching range was found is false, i.e external mapping, to meet the requirements for simple LDAP based domains where only external mapping is available. Fixes https://fedorahosted.org/sssd/ticket/1960

idmap: add calls to check if ID mapping conforms to ranges When ID are mapped externally it must be checked if the extern ID falls into the right configured range to avoid ID conflicts. Fixes https://fedorahosted.org/sssd/ticket/1960

idmap: allow NULL domain sid for external mappings Since it is planned that the LDAP based ID providers (LDAP, AD, IPA) will always use libsss_idmap to map ID or get information about how to map it, it must be possible to add domains to libsss_idmap which do not have a SID or where is SID is not known when external mapping is used. Algorithmic mapping always requires a domain SID. Fixes https://fedorahosted.org/sssd/ticket/1960

idmap: add option to indicate external_mapping The idea is that ranges for IDs from AD can be used in libsss_idmap as well, but whenever a mapping is requested for this range a specific error code IDMAP_EXTERNAL is returned to tell SSSD to do an AD lookup. This way SSSD does not need to inspect the ranges itself but all is done inside if libsss_idmap. Fixes https://fedorahosted.org/sssd/ticket/1960

idmap: add optional unique range id To be able to detect configuration changes in idranges managed by FreeIPA an identifier should be stored on the client together with the other idrange related data. Fixes https://fedorahosted.org/sssd/ticket/1979

idmap: allow first RID to be set Currently libss_idmap implicitly assumes that the RID 0 is always mapped to the first ID of the given range. This is not the case anymore when multiple ranges are used e.g. for trusted domains in FreeIPA. A new call sss_idmap_add_domain_ex() was added which can take the first RID as an argument. This new call will get more options with other patches hence I didn't change the library version with this patch. Fixes https://fedorahosted.org/sssd/ticket/1938

IDMAP: Fix variable initialization Before the recent changes, the variable was set to 0 too because it used to be part of a structure allocated with talloc_zero.

libsss_idmap: function to calculate range Calculation of range for domains is moved from sdap_idmap code to sss_idmap code. Some refactoring have been done to allow this move. https://fedorahosted.org/sssd/ticket/1844

IDMAP: add sss_idmap_smb_sid_to_unix() To avoid a conversion on the caller side a new call is added to libsss_idmap which converts a Samba dom_sid structure to a Posix ID.

Dereference after null check in sss_idmap_sid_to_unix https://fedorahosted.org/sssd/ticket/1684

idmap: Silence DEBUG messages when dealing with built-in SIDs. When converting built-in SID to unix GID/UID a confusing debug message about the failed conversion was printed. This patch special cases these built-in objects. https://fedorahosted.org/sssd/ticket/1593

Rename struct dom_sid to struct sss_dom_sid To avoid conflicts with struct dom_sid used by samba the sss_ prefix is added to the struct used by libsss_idmap.

LDAP: Add routine to extract domain SID from an object SID Also makes the domain prefix macros from sss_idmap public.

Allow different SID representations in libidmap Besides as strings it is now possible to use binary SIDs or a struct containing all SID information. Functions to convert between these formats are added as well.

Add idmap library