60a715a0dd79873d2d2607eab8fdfaf0ffd2e7d3 |
|
09-Feb-2018 |
Hristo Venev <hristo@venev.name> |
providers: Move hostid from ipa to sdap, v2
In the ldap provider, all option names are renamed to ldap_host_*. In
the ipa provider the names haven't been changed.
Host lookups for both ipa and ldap are handled in the ldap provider.
sss_ssh_knownhostsproxy works but hostgroups are still only available
in the ipa provider.
I've also added some documentation for the ldap provider.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
39d6a3be119b050b0690152b6b443117c8617b1c |
|
13-Nov-2017 |
Michal Židek <mzidek@redhat.com> |
SYSDB: Better debugging for email conflicts
Add DEBUG message when conflicts in FQ names or emails
are detected.
Also improve the man page to hint on how to work around the issue
with conflicting emails.
Note: We store emails in two different attributes in sysdb:
- SYSDB_USER_EMAIL
- SYSDB_NAME_ALIAS - this one is lowercased and used in getpwnam
searches.
Resolves:
https://fedorahosted.org/sssd/ticket/3293
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
f34a8330c1615511795847b0a1454249d782db2a |
|
19-Oct-2017 |
Alexey Kamenskiy <alexey.kamenskiy@chinanetcloud.com> |
LDAP: Add support for rhost access control
This patch implements verification of pam_rhost against
rules stored in LDAP entry of a user.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
d1d6f3a7f08cd1dc5128105eb6ad7ec311f281b8 |
|
04-Oct-2017 |
amitkuma <amitkuma@redhat.com> |
ldap: Change ldap_user_certificate to userCertificate;binary
IPA and AD providers default to userCertificate;binary for the
ldap_user_certificate option. It will be good to default that value
also for the generic LDAP provider.
Resolves:
https://pagure.io/SSSD/sssd/issue/3499
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ed7767aa1e3a9bc2027aa6f5f8bdc2c928e9958e |
|
25-Aug-2017 |
Pavel Březina <pbrezina@redhat.com> |
IFP: fix typo in option name in man pages
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
ba2fb2c7b74a5247737da051b38e7889b7b44d5d |
|
16-Aug-2017 |
Yuri Chornoivan <yurchor@ukr.net> |
Fix minor typos in docs
Merges: https://pagure.io/SSSD/sssd/pull-request/3456
Reviewed-by: Michal Židek <mzidek@redhat.com> |
0a86dede8773ecce91b5bd2ae75a02f9ff89a358 |
|
19-Apr-2017 |
René Genz <liebundartig@freenet.de> |
minor typo fixes
Merges: https://pagure.io/SSSD/sssd/pull-request/3374
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com> |
a5b4f865aae08d978e7bbbe1ff5c4b93ac41aa85 |
|
07-Oct-2016 |
Michal Židek <mzidek@redhat.com> |
MAN: Wrong defaults for AD provider
ldap_user_name and ldap_group_name have
different defaults than what the man page
states.
Resolves:
https://fedorahosted.org/sssd/ticket/3022
Reviewed-by: Sumit Bose <sbose@redhat.com> |
6f59bb822d1e54e178207be45e382f4ee173c434 |
|
01-Sep-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Document the ldap_user_primary_group option
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
83a796ec8de4bde65b11cc8032675406950641fa |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
LDAP: new attribute option ldap_user_email
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
999d6066c7a96f102b692d31435d76114478e874 |
|
06-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Change the default rfc2307 autofs attribute mappings
Resolves:
https://fedorahosted.org/sssd/ticket/2858
The default attribute mappings we used to have:
ldap_autofs_map_object_class automountMap
ldap_autofs_map_name ou
ldap_autofs_entry_object_class automount
ldap_autofs_entry_key cn
ldap_autofs_entry_value automountInformation
Was wrong. Instead, this patch switches to:
ldap_autofs_map_object_class nisMap
ldap_autofs_map_name nisMapName
ldap_autofs_entry_object_class nisObject
ldap_autofs_entry_key cn
ldap_autofs_entry_value nisMapEntry
Which are attributes that are available with servers running the default
rfc2307 schema. In addition, this patch adds a syslog and DEBUG message
that warns administrators to double-check their configuration.
We don't warn when the autofs provider is set to AD, because that one
is already correct.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
3cf7fdfcaedb986f42a6640e26aa057007b64045 |
|
24-Feb-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
Add a new option ldap_group_external_member
Required for:
https://fedorahosted.org/sssd/ticket/2522
Reviewed-by: Sumit Bose <sbose@redhat.com> |
773153893431bb9344259ba161d57e97f359678c |
|
11-Dec-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Clarify when should TGs be disabled for group nesting restriction
Resolves:
https://fedorahosted.org/sssd/ticket/2796
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Striker Leggette <striker@redhat.com> |
619e21ed9c7a71e35e53f38867b53ed974f1d36a |
|
14-Aug-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Change the default of ldap_user_certificate to userCertificate;binary
This is safe from the ldb point of view, because ldb guarantees the data is
NULL-terminated. We must be careful before we save the data, though.
Resolves:
https://fedorahosted.org/sssd/ticket/2742
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
e6b6719ec159d3a4c1f82a59489fb9daa26416c2 |
|
22-Jul-2015 |
Robin McCorkell <rmccorkell@karoshi.org.uk> |
man: List alternative schema defaults for LDAP AutoFS parameters
ldap_autofs_map_name and ldap_autofs_entry_key have their rfc2307bis defaults
listed alongside the rfc2307 defaults.
ldap_autofs_entry_object_class has a fixed description and default
This patch replaces the other one I posted, implementing the alternative schema
defaults Jakub suggested.
Regards,
Robin McCorkell
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b9e74a747b8f1012bba3575f3e4289ef4877d64a |
|
15-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Add the wildcard_limit option
Related:
https://fedorahosted.org/sssd/ticket/2553
Adds a new wildcard_limit option that is set by default to 1000 (one
page). This option limits the number of entries that can by default be
returned by a wildcard search.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
e22e04517b9f9d0c7759dc4768eedfd05908e9b6 |
|
19-Jun-2015 |
Sumit Bose <sbose@redhat.com> |
LDAP: add ldap_user_certificate option
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
108a49f0e816d95cf75a1e964f63b397e53c8b56 |
|
14-May-2015 |
Pavel Reichl <preichl@redhat.com> |
LDAP: warn about lockout option being deprecated
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
601d193feba2d9859661b979c2a0d1d479d5cee8 |
|
12-May-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: disable the cleanup task by default
Resolves:
https://fedorahosted.org/sssd/ticket/2627
The cleanup task was designed to keep the cache size within certain
limits. This is how it roughly works now:
- find users who have never logged in by default. If
account_cache_expiration is set, find users who logged in later
than account_cache_expiration
- delete the matching set of users
- find groups that have no members
- delete the matching set of groups
So unless account_cache_expiration is set to something sensible, only empty
groups and expired users who never logged in are removed and that's quite
a corner case. The above effectively walks the whole database, especially
the groups step is quite slow with a huge database. The whole cleanup task
also runs in a single sysdb transaction, which means all other transactions
are blocked while the cleanup task crunches the database.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
1426ee8756a1df4ec0651417dce92e1dcc8a246d |
|
27-Mar-2015 |
Pavel Reichl <preichl@redhat.com> |
MAN: Update ppolicy description
Resolves:
https://fedorahosted.org/sssd/ticket/2612
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> |
7a62712d6961d4afcb6b4a4fd7e92c6738f73b6e |
|
23-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Make StartTLS bind configurable with ldap_opt_timeout
Related:
https://fedorahosted.org/sssd/ticket/1501
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
f0072e2b102f3b553533402d4ae42b1989b0370e |
|
23-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Make password change timeout configurable with ldap_opt_timeout
Related:
https://fedorahosted.org/sssd/ticket/1501
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
b123a618dd8837f8a2db385542f0d7f3d7679d9b |
|
23-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Make simple bind timeout configurable
Resolves:
https://fedorahosted.org/sssd/ticket/1501
Reuse the value of sdap_opt_timeout to set a longer bind timeout for
user authentication, ID connection authentication and authentication
during IPA migration mode.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
13ec767e6ca3e435e119f1f07bda10eb213383f6 |
|
05-Mar-2015 |
Pavel Reichl <preichl@redhat.com> |
SDAP: Lock out ssh keys when account naturally expires
Resolves:
https://fedorahosted.org/sssd/ticket/2534
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
c9b0071bfcb8eb8c71e40248de46d23aceecc0f3 |
|
03-Mar-2015 |
Pavel Reichl <preichl@redhat.com> |
SDAP: enable change phase of pw expire policy check
Implement a new option which checks the password expiration policy
in the accounting phase.
This allows SSSD to issue a shadow expiration warning even if an alternate
authentication method is used.
Resolves:
https://fedorahosted.org/sssd/ticket/2167
Reviewed-by: Sumit Bose <sbose@redhat.com> |
ecf9e7a870945ecfba8eb751d344de3601de9424 |
|
14-Jan-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
MAN: Remove indentation in element programlisting
The indentation is added automatically in the resulting man page. It isn't necessary to
add spaces and moreover it can cause an unreadable page, as in the case of the ad_gpo_map
examples.
Reviewed-by: Roland Mainz <rmainz@redhat.com> |
ba68d2bd193ba3c7d1fe594856c99b637c640a3b |
|
08-Jan-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Fix a typo
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
02011187307ce97d1f41810288b617682a1f311a |
|
19-Nov-2014 |
Dan Lavu <dlavu@redhat.com> |
MAN: page edit for ldap_use_tokengroups
Resolves:
https://fedorahosted.org/sssd/ticket/2448
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
5febf5ed0cfb4ba7665d8c3e36ee6941988da773 |
|
12-Nov-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Disable token groups by default
We tried to speed up processing of initgroup lookups with tokenGroups even for
the LDAP provider (if remote server is Active Directory), but it turns out that
there are too many corner cases that we didn't catch during development that
break. For instance, groups from other trusted domains might appear in TG and
the LDAP provider isn't equipped to handle them.
Overall, users who wish to use the added speed benefits of tokenGroups are
advised to use the AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2483
Reviewed-by: Michal Židek <mzidek@redhat.com> |
30c964ac455a9c26cdc391e849505b4312f733ae |
|
10-Nov-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
Revert "LDAP: Change defaults for ldap_user/group_objectsid"
This reverts commit f834f712548db811695ea0fd6d6b31d3bd03e2a3.
OpenLDAP server cannot dereference unknown attributes. The attribute objectSID
isn't in any standard objectclass on an OpenLDAP server. This is the reason why
objectSID cannot be set by default in the rfc2307 map and rfc2307bis map.
It is the same problem as using non standard attribute "nsUniqueId"
in ticket https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Michal Židek <mzidek@redhat.com> |
4c713fb79bfdef602021be890ee687fc3743ebb9 |
|
06-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
Fix uuid defaults
Recently the uuid attributes for users and groups were removed because
it was found that they are not used at all and that some of them were
causing issues (https://fedorahosted.org/sssd/ticket/2383).
The new views/overrides feature of FreeIPA uses the ipaUniqueID attribute
to relate overrides with the original IPA objects. The previous two
patches revert the removal of the uuid attributes from users and groups;
this patch sets the default value of these attributes to
ipaUniqueID for the IPA provider, to objectGUID for the AD provider and
leaves them unset for the general LDAP case to avoid issues like the one
from ticket #2383.
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
69a88c4757dd24b1857954de7d043af1e5590b7f |
|
06-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
Revert "LDAP: Remove unused option ldap_group_uuid"
This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
1dfa1e2968ce2031deb6da7c28b09ce1b5ba56f2 |
|
06-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
Revert "LDAP: Remove unused option ldap_user_uuid"
This reverts commit dfb2960ab251f609466fa660449703835c97f99a.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
03b02ec99ea4be8e6f41c70dbe91d7175d5b63ea |
|
22-Oct-2014 |
Dan Lavu <dlavu@redhat.com> |
MAN PAGE: modified sssd-ldap.5.xml for sssd ticket #2451
https://fedorahosted.org/sssd/ticket/2451
Added a configuration example at the bottom for
'ldap_access_order = lockout'. Also added a line
to note that 'ldap_access_provider = ldap' must
be specified for this feature to work.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f834f712548db811695ea0fd6d6b31d3bd03e2a3 |
|
16-Oct-2014 |
Michal Zidek <mzidek@redhat.com> |
LDAP: Change defaults for ldap_user/group_objectsid
Fixes:
https://fedorahosted.org/sssd/ticket/2361
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
0253df73a348344fc0ae4a9302374feefa6c9452 |
|
01-Sep-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
MAN: Fix a conversion of seconds to hours
Resolves:
https://fedorahosted.org/sssd/ticket/2423
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
9cd7a75654c64ce9ba320e0fee60e194dca437c1 |
|
01-Sep-2014 |
Jan Cholasta <jcholast@redhat.com> |
SDAP: Set default value of ldap_user_ssh_public_key to "sshPublicKey"
https://fedorahosted.org/sssd/ticket/1560
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
e87f92f04f297fbdb0ae916945513a67b8a63044 |
|
27-Aug-2014 |
Pavel Reichl <preichl@redhat.com> |
MAN: options 'lockout' and 'ldap_pwdlockout_dn'
Resolves:
https://fedorahosted.org/sssd/ticket/2364
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
dfb2960ab251f609466fa660449703835c97f99a |
|
25-Jul-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Remove unused option ldap_user_uuid
There is a problem with OpenLDAP server and dereferencing of attributes
that are not in the schema of the server:
sh-4.2$ ldapsearch -x -LLL -h openldap.server.test -b 'dc=example,dc=com' \
-E 'deref=member:uid,dummy_attr' cn=ref_grp
Protocol error (2)
Additional information: Dereference control: attribute decoding error
sh-4.2$ echo $?
2
The attribute nsUniqueID is a 389-only, non-standard attribute.
It is an operational attribute that is not in the rfc2307bis nor inetOrgPerson
nor posixAccount schema. It was the default value of the option ldap_user_uuid,
but it was not used anywhere.
Resolves:
https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b5242c146cc0ca96e2b898a74fb060efda15bc77 |
|
25-Jul-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Remove unused option ldap_group_uuid
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
87ff519b472568b19809963ca860d2182e874fcd |
|
25-Jul-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Remove unused option ldap_netgroup_uuid
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
7fa8c51e7ece2f4fed046d9f2a43d20c13db645c |
|
03-Jun-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
MAN: Add reference to manual page sssd-sudo
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> |
9fd8065663084acaf88e7fe10a52c60e9a2a5411 |
|
02-Jun-2014 |
Pavel Reichl <preichl@redhat.com> |
MAN: hint nested groups by simple access provider
sssd-ldap hints to use the simple access provider if a nested group membership
is needed. Add explicit notice in sssd-simple about support of nested group
membership.
Resolves:
https://fedorahosted.org/sssd/ticket/2308
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> |
69994add9cd4e57d40b3b7a0b1783ef2d0aa974c |
|
02-Jun-2014 |
Pavel Reichl <preichl@redhat.com> |
SDAP: Add option to disable use of Token-Groups
Disabling use of Token-Groups is mandatory if expansion of nested groups is not
desired (ldap_group_nesting_level = 0) for AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2294
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
3c1899348804713b49ba9c1f2bc782892c47c2fa |
|
02-Jun-2014 |
Pavel Reichl <preichl@redhat.com> |
MAN: Detailed ldap_group_nesting_level option
Resolves:
https://fedorahosted.org/sssd/ticket/2294
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4dd38025efda88f123eac672f87d3cda12f050c8 |
|
02-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Make it possible to extend an attribute map
https://fedorahosted.org/sssd/ticket/2073
This commit adds a new option ldap_user_extra_attrs that is unset by
default. When set, the option contains a list of LDAP attributes the LDAP
provider would download and store in addition to the usual set.
The list can either contain LDAP attribute names only, or colon-separated
tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP
attribute name is specified, the attribute is saved to the cache verbatim.
Using a custom SSSD attribute name might be required by environments that
configure several SSSD domains with different LDAP schemas.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
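A worked illustration of the option format described in the commit above, added here as example code (it is not SSSD's own parser). The cache-name-first order of the tuple, `phone:telephoneNumber`, follows the sssd-ldap man page; the commit message itself does not state the order. The option strings, the two domains and their entries are constructed.

```python
"""ldap_user_extra_attrs: parse the option and apply it to LDAP entries.

Example code written for this page, not SSSD's implementation. The sample
entries, option strings and helper names are all constructed.
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]


def parse_extra_attrs(option: str) -> List[Tuple[str, str]]:
    """Turn the comma-separated option value into (cache_name, ldap_name) pairs.

    A bare item such as "mail" maps the LDAP attribute to a cache attribute of
    the same name. A tuple such as "phone:telephoneNumber" stores the LDAP
    attribute telephoneNumber under the cache name "phone" (cache name first,
    as in the sssd-ldap man page). Empty items are ignored; an item with a
    missing half or more than one colon is rejected.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in option.split(","):
        item = raw.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(":")]
        if len(parts) == 1:
            pairs.append((parts[0], parts[0]))
        elif len(parts) == 2 and all(parts):
            pairs.append((parts[0], parts[1]))
        else:
            raise ValueError(f"malformed ldap_user_extra_attrs item: {item!r}")
    return pairs


def apply_extra_attrs(entry: Entry, pairs: List[Tuple[str, str]]) -> Entry:
    """Copy the configured LDAP attributes into a cache-side dict.

    LDAP attribute names are case-insensitive, so the lookup ignores case;
    attributes absent from the entry are simply not stored.
    """
    by_lower = {name.lower(): values for name, values in entry.items()}
    cached: Entry = {}
    for cache_name, ldap_name in pairs:
        values = by_lower.get(ldap_name.lower())
        if values:
            cached[cache_name] = list(values)
    return cached


# Two constructed domains whose directories keep the phone number in
# different attributes; the custom cache name makes both look the same
# to consumers of the cache, which is the use case the commit names.
DOMAIN_OPTIONS = {
    "corp": "phone:telephoneNumber, mail",
    "lab": "phone:mobile,mail",
}
SAMPLE_ENTRIES: Dict[str, Entry] = {
    "corp": {"uid": ["alice"], "telephoneNumber": ["+1 555 0100"],
             "mail": ["alice@corp.example"]},
    "lab": {"uid": ["alice"], "Mobile": ["+1 555 0199"],
            "mail": ["alice@lab.example"]},
}


def cache_view(domain: str) -> Entry:
    """Extra attributes of the sample user of one domain, as they would be cached."""
    return apply_extra_attrs(SAMPLE_ENTRIES[domain],
                             parse_extra_attrs(DOMAIN_OPTIONS[domain]))


if __name__ == "__main__":
    for name in DOMAIN_OPTIONS:
        print(name, cache_view(name))
```

The rejection of `a:b:c` is deliberate: a silently truncated tuple would store the wrong attribute under the configured name, and nothing downstream would notice.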
604d46e028ab62f83060fb88bdd3319a31aca2d1 |
|
26-Feb-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Clarify the ldap_access_filter option further
https://fedorahosted.org/sssd/ticket/2235
The memberof example was misleading and was making administrators think
that the ldap_access_filter can resolve nested group memberships.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> |
022456e93c9b175ce3774afe524e3926f41ba80f |
|
19-Dec-2013 |
Sumit Bose <sbose@redhat.com> |
Add new option ldap_group_type |
407123c67114bf010cdad4418f291f9fb3762f4a |
|
12-Nov-2013 |
Cove Schneider <cove@ilm.com> |
Add ldap_autofs_map_master_name option |
65a8e6e655c22027d3e02ea697972111f2a33e33 |
|
11-Oct-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Fix refsect-id
The refsect id was copied from sssd.conf(5) and was wrong. Fixing the
refsect might help us if we ever generate other formats from XML and
certainly wouldn't hurt. |
56ed2be9a95cb5713ef72c4933e362a36dc7a607 |
|
24-Sep-2013 |
Pavel Březina <pbrezina@redhat.com> |
man: server side password policies always takes precedence
https://fedorahosted.org/sssd/ticket/2091 |
9dc153a402a36eeb6edbbf23ef489d957b9a76d0 |
|
20-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Deprecate ldap_{user,group}_search_filter |
7b58d637c20f87e1e49ffc1d49a4de8b25ef06bb |
|
20-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Fix provider man page subtitle |
eceefd520802efe356d413a13247c5f68d8e27c8 |
|
28-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Add new options ldap_min_id and ldap_max_id
Currently the range for Posix IDs stored in an LDAP server is unbounded.
This might lead to conflicts in a setup with AD and trusts when the
configured domain uses IDs from LDAP. With the two new options this
conflict can be avoided. |
1091c0ae2f1596ceb161e5b765a91c23c413b369 |
|
12-Jun-2013 |
Yuri Chornoivan <yurchor@ukr.net> |
Fix minor typos |
14452cd066b51e32ca0ebad6c45ae909a1debe57 |
|
10-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
A new option krb5_use_kdcinfo
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf |
2461079ba20a42f47d7cf7982664f654c9286b59 |
|
10-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
man: document the need to set ldap_access_order
https://fedorahosted.org/sssd/ticket/1789
ldap_access_order must be set in order for non-default access control
options to work. This patch amends the sssd-ldap man page to document
this fact with all non-default ldap_access_order options. |
6263578b03a52b3ec3a2e33e097554241780fc20 |
|
23-May-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Adding option to disable retrieving large AD groups.
This commit adds a new option ldap_disable_range_retrieval with default value
FALSE. If this option is enabled, large groups (>1500) will not be retrieved and
the behaviour will be similar to what it was before commit ae8d047122c
"LDAP: Handle very large Active Directory groups"
https://fedorahosted.org/sssd/ticket/1823 |
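The range-retrieval mechanism this option switches off, shown as an added example (not SSSD's code). Active Directory answers a request for a multi-valued attribute that exceeds its per-request limit with a ranged attribute name such as `member;range=0-1499`, and the client asks for the rest with `member;range=1500-*` until a reply whose range ends in `*`. The 1500-value limit is taken from the commit's ">1500" threshold, `FakeADGroup` is a constructed stand-in for the directory, and the `disable_range_retrieval` flag is this example's model of the option's effect as the commit describes it.

```python
"""AD range retrieval for large multi-valued attributes (what the option disables).

Example code written for this page, not SSSD's implementation. FakeADGroup is
a constructed stand-in for the directory; AD_RANGE_LIMIT and the effect of the
disable flag are this example's assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

AD_RANGE_LIMIT = 1500  # values per reply; the commit's ">1500" threshold

# member;range=0-1499  or  member;range=1500-*  (the '*' marks the last chunk)
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<start>\d+)-(?P<end>\d+|\*)$",
                      re.IGNORECASE)


def parse_range_attr(name: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """Split 'attr;range=start-end' into (attr, start, end); end is None for '*'."""
    match = RANGE_RE.match(name)
    if match is None:
        return None
    end = None if match.group("end") == "*" else int(match.group("end"))
    return match.group("attr"), int(match.group("start")), end


def next_range_attr(name: str) -> Optional[str]:
    """Attribute to request next after a ranged reply, or None if it was the last chunk."""
    parsed = parse_range_attr(name)
    if parsed is None:
        return None
    attr, _start, end = parsed
    if end is None:
        return None
    return f"{attr};range={end + 1}-*"


class FakeADGroup:
    """Constructed server: serves at most `limit` values per request, AD style."""

    def __init__(self, members: List[str], limit: int = AD_RANGE_LIMIT) -> None:
        self.members = list(members)
        self.limit = limit
        self.requests = 0

    def search(self, requested: str) -> Dict[str, List[str]]:
        self.requests += 1
        parsed = parse_range_attr(requested)
        attr, start = (requested, 0) if parsed is None else (parsed[0], parsed[1])
        chunk = self.members[start:start + self.limit]
        if parsed is None and len(self.members) <= self.limit:
            return {attr: chunk}                        # small group: no range at all
        if start + self.limit >= len(self.members):
            return {f"{attr};range={start}-*": chunk}   # final chunk
        return {f"{attr};range={start}-{start + len(chunk) - 1}": chunk}


def fetch_all_members(group: FakeADGroup, attr: str = "member",
                      disable_range_retrieval: bool = False) -> List[str]:
    """Follow ranged replies until the '*' chunk; with the flag set, stop at the first.

    The flag models ldap_disable_range_retrieval = True as the commit describes it:
    a group over the limit is not retrieved, so its membership comes back empty.
    """
    members: List[str] = []
    request = attr
    while True:
        (name, values), = group.search(request).items()
        members.extend(values)
        following = next_range_attr(name)
        if following is None:
            return members
        if disable_range_retrieval:
            return []
        request = following


def constructed_group(size: int) -> FakeADGroup:
    """A group of `size` member DNs in a made-up domain."""
    return FakeADGroup([f"CN=user{i:04d},OU=People,DC=example,DC=com"
                        for i in range(size)])


if __name__ == "__main__":
    big = constructed_group(3200)
    print(len(fetch_all_members(big)), "members in", big.requests, "requests")
```

A 3200-member group costs three round trips here; the option trades those round trips for an empty membership, which is why the commit message frames it as a deliberate opt-in.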
fae99bfe4bfc8b4a12e9c2a0ad01b3684c22f934 |
|
20-Mar-2013 |
Simo Sorce <simo@redhat.com> |
ldap: Fallback option for rfc2307 schema
Add option to fall back to fetching local users if rfc2307 is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.
Disabled by default as it violates identity domain separation.
Ticket:
https://fedorahosted.org/sssd/ticket/1020 |
6a2047c88d6abd9496e3cc1848d9ff0bd7b2423a |
|
26-Feb-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Remove enumerate=true from man sssd-ldap
https://fedorahosted.org/sssd/ticket/1737 |
b24712874c686977465a551a3129133cec884584 |
|
11-Dec-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo manpage: clarify that sudoHost may contain wildcards and not regular expressions
https://fedorahosted.org/sssd/ticket/1690 |
24c3186d01d8d1c11832baab24ab3f0de121c666 |
|
19-Nov-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Make it possible to use full principal in ldap_sasl_authid again |
73291a9e0b9bcaf56e9858c7ea2226b5b0f6e26c |
|
19-Nov-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: document the ldap_sasl_realm option
The option was completely undocumented. |
002dfe55ef258b73ca85eb813b1a156789b7702a |
|
05-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
man: Note that automounter must be restarted to re-read the master map
https://fedorahosted.org/sssd/ticket/1563 |
09df21597db6fa5e8b954bea810b9bf7c98bafb4 |
|
05-Oct-2012 |
Pavel Březina <pbrezina@redhat.com> |
manpage: ldap_access_filter is not always mandatory
https://fedorahosted.org/sssd/ticket/1540 |
ae5381b3a81ed4dee51e3ac56ddabd0bf7641c86 |
|
02-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Flip the default value of ldap_initgroups_use_matching_rule_in_chain
https://fedorahosted.org/sssd/ticket/1535 |
7cbcb70af10c251b75958f05b2635cf2d702ba53 |
|
01-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
sudo and autofs search bases should not be marked experimental
https://fedorahosted.org/sssd/ticket/1541 |
e9cbbaf5b12a2d7aad69337d9d396449068a7786 |
|
01-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Document ldap_chpass_update_last_change
Add the option to the manual page and the configAPI
https://fedorahosted.org/sssd/ticket/1494 |
1ea72a4859443b78bb07e3a45b3a8903ad3deb79 |
|
26-Sep-2012 |
Ondrej Kos <okos@redhat.com> |
sssd-ldap manpage: ldap_scheme formatting
fixes https://fedorahosted.org/sssd/ticket/1483
ldap schemes now displayed as bullet list |
b2f9e5b7d553172401a340eb4a9c3abda6b5db43 |
|
24-Sep-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
autofs, sudo, ssh and PAC are not experimental anymore |
5ef295d1cf410ceaa92c03a7843df8a36409f465 |
|
10-Aug-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
MAN: Improve description of ldap_*_search_base options
It was ambiguous that these options supported the new multiple
search base format, as well as the search filters. |
52bf52d2972ba226f2fbe4656883d8971c720d30 |
|
10-Aug-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
MAN: Fix minor typo in ldap_search_base section |
e3e16b8d2e54431b37a709b44ec583e916a8f670 |
|
09-Aug-2012 |
Michal Zidek <mzidek@redhat.com> |
Change default value of ldap_sasl_string to host/hostname@REALM in man page.
https://fedorahosted.org/sssd/ticket/1464 |
07b7b76d7cd494cbd26263503ba2732c21819941 |
|
01-Aug-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Primary server support: new options in krb5 provider
This patch adds support for new config options krb5_backup_server and
krb5_backup_kpasswd. The description of this option's functionality
is included in man page in one of previous patches. |
f6cd1236c27817b97db002094b76648d92b55f82 |
|
01-Aug-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Primary server support: new option in ldap provider
This patch adds support for new config option ldap_backup_uri. The
description of this option's functionality is included in man page in
previous patch. |
fbaaa993eff7ef1ed5a62c38d6cdacd52a53d2d8 |
|
30-Jul-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo ldap provider: support autoconfiguration of hostnames
https://fedorahosted.org/sssd/ticket/1420
sudoHost attribute may contain the hostname or fqdn of the machine.
Sudo itself supports only one hostname and its fqdn - the one that
is returned by gethostbyname().
This patch implements autoconfiguration of hostname and fqdn if
they have not been set manually by the ldap_sudo_hostnames option. |
544525ee1fc54d744c08465066e2b4a521f78224 |
|
06-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
MAN: Unify "SEE ALSO" sections |
b8e70735b8aaabb3de2a063daa60cfadf185b269 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo: manpage updated
Removes old options and adds new ones. |
2c62da337e31217d03f5bf0f768b574d166bb2fe |
|
13-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Auto-detect support for the ldap match rule
This patch extends the RootDSE lookup so that we will perform a
second request to test whether the match rule syntax can be used.
If both groups and initgroups are disabled in the configuration,
this lookup request can be skipped. |
3963d3fa9e3099bc02d612b5051d8b769d6e3a75 |
|
13-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add ldap_*_use_matching_rule_in_chain options |
a23919ed39d212f9f5694d9b103c84641fdb7680 |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
MAN: Add manpage for ID mapping |
4f07a5ba197b902afd3a785baf6bd9967f50dfd2 |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add objectSID config option |
32472cc4c9c42e49673e3282095f164531c6eb41 |
|
20-Apr-2012 |
Marco Pizzoli <marco.pizzoli@gmail.com> |
Two manual pages fixes |
e3cad4fc1c7a5e2bfdba18046e565212c68fd1e8 |
|
18-Apr-2012 |
Stef Walter <stefw@gnome.org> |
Fix erroneous reference to the 'allow' access_provider
* Should be 'permit' instead
https://fedorahosted.org/sssd/ticket/1295
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com> |
a9370601d5ea8555e7f4e4bd64648e38d40abe38 |
|
18-Apr-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
MAN: Add ldap_sasl_minssf to the manpage |
60afae4a7db780f3bee34980ebeab093cf5b4eb1 |
|
18-Apr-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
MAN: Improve ldap_disable_paging documentation |
7329723a5d8ce46f146e78dabfad5c94b3eed505 |
|
18-Apr-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
man: document that referral chasing might bring performance penalty
https://fedorahosted.org/sssd/ticket/1265 |
5363682fb2f4ed7fd0112ac46bb603424179acb7 |
|
14-Mar-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add AD 2008r2 schema
https://fedorahosted.org/sssd/ticket/1031 |
14b0185a02b24b8bc8c1f880ae80bf4a3ac07d7b |
|
07-Feb-2012 |
Yuri Chornoivan <yurchor@ukr.net> |
fix typos in manual |
b186cd94ebd4b6b8fa9ef154d7dbf96db5ed4c7d |
|
07-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Two sssd-ldap manual pages fixes
Reported by Marco Pizzoli |
af5a58fc3811af8521721f731d8234d983042cea |
|
07-Feb-2012 |
Jan Cholasta <jcholast@redhat.com> |
LDAP: Add support for SSH user public keys |
c9750312bfb4196b49ba6f91b26489f630958452 |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Update shadowLastChanged attribute during LDAP password change
https://fedorahosted.org/sssd/ticket/1019 |
cc84fd46f356c4a36a721ab135a33ec77c93e34d |
|
06-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: LDAP provider |
3bfcc41589b0b7c09f8ebba1c835f9944d85ceb9 |
|
31-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add new options for service maps
Adds the new service map options to the SSSDConfig API and the
manpages. |
4182b3a1f9f6e1823db9832533c6c9e51d13da8e |
|
31-Jan-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Include sudo manual pages only conditionally |
173f557c915aeee80a0c3dc8ae4d3f44dd5bc7c9 |
|
31-Jan-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - manual page
https://fedorahosted.org/sssd/ticket/1109 |
8270b1b8505e4bce5ec065daa8fcdf985e1fc9f5 |
|
18-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add option to disable paging control
Fixes https://fedorahosted.org/sssd/ticket/967 |
c7abfb71130bdeb47e2f864a1e7957a8823cfcc4 |
|
14-Dec-2011 |
Pavel Březina <pbrezina@redhat.com> |
Support search bases in RFC2307bis enumeration
https://fedorahosted.org/sssd/ticket/960 |
440d7fb430f83b3547f98f79c67a232ab2220296 |
|
12-Dec-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add sdap_connection_expire_timeout option
https://fedorahosted.org/sssd/ticket/1036 |
544de543ee88961272e9b9c5baa2c0d296162965 |
|
23-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Added and modified options for IPA netgroups |
f0a34aeb49f3efd4c94b5afcb22671aac3098ddb |
|
10-Nov-2011 |
Yuri Chornoivan <yurchor@ukr.net> |
Fix typos in manual pages |
ed80a7f8ff76089bdcfae7007dbdef42d05e2cc8 |
|
02-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Support to request canonicalization in LDAP/IPA provider
https://fedorahosted.org/sssd/ticket/957 |
74a7d5805499a95a868ab4f43f77d34ccf9854a3 |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Update manpages with multiple search base information |
83ac515cf3b9d278f8df3bbd08d6ae53b5666120 |
|
13-Oct-2011 |
Jan Zeleny <jzeleny@redhat.com> |
man page fix (lists are comma-separated)
https://fedorahosted.org/sssd/ticket/1024 |
9b5c5f041e92802aa074037d283674cb6eca1a23 |
|
06-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Allow turning dereference off by setting the threshold to 0 |
a2e6bd6ed16c92799d435043450f6156a773a6dc |
|
26-Aug-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add LDAP provider option to set LDAP_OPT_X_SASL_NOCANON
https://fedorahosted.org/sssd/ticket/978 |
37e7e93f1996cf50677cf59fd8af6938dd5d85b2 |
|
08-Jul-2011 |
Sumit Bose <sbose@redhat.com> |
Add LDAP access control based on NDS attributes |
47bcaeb0b49642c14ca4bab5f2dda0dcb31446ab |
|
31-May-2011 |
Kaushik Banerjee <kaushik@redhat.com> |
Changing default to Default for consistency |
dbc75133bad0788fd3f880ed4dfd93ded3f76336 |
|
27-May-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add more detail to ldap_uri manpage entry |
34000a9baa70a9414330dc07b1fbdb8173a7961c |
|
24-May-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Make "password" the default for ldap_default_authtok_type |
7bdaf2a712d73763e7c3d25f6bb544b18f7028eb |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use dereference when processing RFC2307bis nested groups
Instead of issuing N LDAP requests when processing a group with N users,
utilize the dereference functionality to pull down all the members in a
single LDAP request.
https://fedorahosted.org/sssd/ticket/799 |
b35da26911249aa48052655eef02f16e12930cf9 |
|
27-Apr-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add ldap_page_size configuration option |
361b29ff4cc0eac948074cb0f54fdc7bd556a1b6 |
|
19-Apr-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add user and group search LDAP filter options
https://fedorahosted.org/sssd/ticket/647 |
3612c73e7957721bcbf31d0118e2ac210eb46b88 |
|
24-Mar-2011 |
Pierre Ossman <pierre@ossman.eu> |
Add host access control support
https://fedorahosted.org/sssd/ticket/746 |
3c13b616108d4c0a413380ba72189947898eee57 |
|
20-Jan-2011 |
Tyson Whitehead <twhitehead@gmail.com> |
Add ldap_tls_{cert,key,cipher_suite} config options
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com> |
d73fcc5183a676aed4fd040714b87274248b784c |
|
19-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add LDAP expire policy based on RHDS/IPA attribute
The attribute nsAccountLock is used by RHDS, IPA and other directory
servers to indicate that the account is locked. |
22f4c1b86dcf5589e63f2ae043dc65a8f72f6f18 |
|
19-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add LDAP expire policy based on AD attributes
The second bit of userAccountControl is used to determine if the account
is enabled or disabled. accountExpires is checked to see if the account
is expired. |
29993ce4fbdf08f28077f4b6824c8b6b8d616cb8 |
|
17-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add ldap_search_enumeration_timeout config option |
2a2f642aae37e3f41cbbda162a74c2b946a4521f |
|
21-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add authorizedService support
https://fedorahosted.org/sssd/ticket/670 |
8d163c0a088318ed9fc0b22def2649e27992ea53 |
|
07-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Replace krb5_kdcip by krb5_server in LDAP provider |
33b8fa8693df109fb33b6051bb29cb0cf5bc4d19 |
|
06-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add ldap_chpass_uri config option |
32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a |
|
06-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add new account expired rule to LDAP access provider
Two new options are added to the LDAP access provider to allow a broader
range of access control rules to be evaluated.
'ldap_access_order' makes it possible to run more than one rule. To keep
compatibility with older versions the default is 'filter'. This patch
adds a new rule 'expire'.
'ldap_account_expire_policy' specifies which LDAP attribute should be
used to determine if an account is expired or not. Currently only
'shadow' is supported which evaluates the ldap_user_shadow_expire
attribute. |
40def28805f9df3ff640209def765723cd8e2de3 |
|
01-Dec-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Allow protocol fallback for SRV queries
https://fedorahosted.org/sssd/ticket/691 |
b7b8995f3cd6af74f9a87548dc0ee9b555b2043c |
|
19-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Fix man page
Currently sssd does not support authentication via GSSAPI. I think it
is not necessary to support it, because if GSSAPI is possible Kerberos
should be used for authentication. |
4f5824cf9b80dede79a6eddbcbb48f4ac75e5de4 |
|
15-Nov-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Properly document ldap_purge_cache_timeout
Also allow it to be disabled entirely |
d64940d823b7d860ef65e000f084fd3f62b51d81 |
|
05-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Review comments for namingContexts patches |
38064e75ff70a5d740e02a511217cdbc5584ffd2 |
|
04-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Make ldap_search_base a non-mandatory option |
4534c103b193b74452ea81bf12ffaceb1901728a |
|
22-Oct-2010 |
Sumit Bose <sbose@redhat.com> |
Add ldap_deref option |
3fda983447d353248336d62373e246753507a365 |
|
18-Oct-2010 |
Jan Zeleny <jzeleny@redhat.com> |
Move all references to ldap_<entity>_search_base to "advanced" section
The <entity> can be one of user, group or netgroup. The references were removed
from example configuration and they were moved from section Configuration options
to section Advanced options.
Ticket: #607 |
9932622f615a783f276a83389a37e65ffcdfc5da |
|
18-Oct-2010 |
Simo Sorce <ssorce@redhat.com> |
Add option to limit nested groups |
d9ed57c641b91c9c499a53329d606d5061ed47d1 |
|
13-Oct-2010 |
Sumit Bose <sbose@redhat.com> |
Add infrastructure to LDAP provider for netgroup support |
6e88b0dcd0352ac1280c1bd8dd0753b90e4014f2 |
|
13-Oct-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Add KDC to the list of LDAP options |
39b0adeaaf2429c7cbad045f7f8a79d51d02bee5 |
|
13-Oct-2010 |
Jan Zeleny <jzeleny@redhat.com> |
Man pages should mention supported providers
Each back end can support the id, auth or access provider, but each
back end supports a different subset of these. Man pages should
describe which providers are supported by each back end.
Ticket: #615 |
88aeed9a31b734a92630d5e881c960c5f77ba0ce |
|
08-Sep-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Deobfuscate password in back ends
When obfuscated password is used in config file, the LDAP backend
converts it back to clear text and uses it to authenticate to the
server. |
8592686dfcd2e682e847a136716f840b35f639de |
|
07-Sep-2010 |
Jan Zeleny <jzeleny@redhat.com> |
Reviewed sssd-ldap man page
Some config options updated, 12 new options newly documented. |
564d213ea3f0957a3337cd0f1d63e766e16ce6d8 |
|
16-Jun-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Standardize on correct spelling of "principal" for krb5
https://fedorahosted.org/sssd/ticket/542 |
35480afaefafb77b28d35b29039989ab888aafe9 |
|
27-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add ldap_access_filter option
This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.
Common examples for this would be limiting access to users in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com |
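The commit messages above describe several access-control rules of the LDAP access provider: the 'rhds' expire policy (nsAccountLock), the 'ad' expire policy (the second bit of userAccountControl and accountExpires), the 'shadow' expire policy (ldap_user_shadow_expire), ldap_access_order running more than one rule, and the ldap_access_filter memberOf example. The following is an added illustration of how those rules fit together; it is example code written for this page, not SSSD's implementation. The entries, the timestamp and the comparison details (how shadowExpire of 0 or -1 is treated, and the equality-only filter matcher) are assumptions stated in the comments.

```python
"""Added illustration of the LDAP access provider rules described above.
Not SSSD's code; the exact comparisons SSSD performs are not on this page."""

# --- 'ad' policy: userAccountControl / accountExpires -----------------------
UF_ACCOUNTDISABLE = 0x2                      # second bit of userAccountControl
AD_NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}   # both mean "no expiration" in AD
SECONDS_1601_TO_1970 = 11_644_473_600        # FILETIME epoch offset


def filetime_to_unix(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> Unix seconds."""
    return filetime / 10_000_000 - SECONDS_1601_TO_1970


def check_ad(entry, now):
    uac = int(entry.get("userAccountControl", 0))
    if uac & UF_ACCOUNTDISABLE:
        return False, "ad: account disabled (userAccountControl & 0x2)"
    expires = entry.get("accountExpires")
    if expires is None or int(expires) in AD_NEVER_EXPIRES:
        return True, "ad: no expiration set"
    if filetime_to_unix(int(expires)) <= now:
        return False, "ad: accountExpires is in the past"
    return True, "ad: ok"


# --- 'rhds' policy: nsAccountLock ------------------------------------------
def check_rhds(entry, now):
    value = entry.get("nsAccountLock")
    if value is not None and value.strip().lower() == "true":
        return False, "rhds: nsAccountLock is TRUE"
    return True, "rhds: ok"


# --- 'shadow' policy: shadowExpire -----------------------------------------
def check_shadow(entry, now):
    raw = entry.get("shadowExpire")
    if raw is None or raw.strip() == "":
        return True, "shadow: no shadowExpire, never expires"
    expire_days = int(raw)
    # Assumption (shadow(5)/pam_unix convention): -1 and 0 mean "never
    # expires"; otherwise the account is expired from that day onward.
    if expire_days <= 0:
        return True, "shadow: never expires"
    today_days = int(now) // 86400
    if today_days >= expire_days:
        return False, "shadow: expiry day %d already reached" % expire_days
    return True, "shadow: ok"


EXPIRE_POLICIES = {"ad": check_ad, "rhds": check_rhds, "shadow": check_shadow}


def simple_filter_match(access_filter, entry):
    """Assumption: a deliberately minimal 'attr=value' matcher for the
    memberOf example above; real LDAP filter syntax is far richer."""
    attr, _, wanted = access_filter.partition("=")
    values = entry.get(attr.strip(), [])
    if isinstance(values, str):
        values = [values]
    return wanted.strip().lower() in (v.lower() for v in values)  # DNs compare case-insensitively


def evaluate_access(order, expire_policy, access_filter, entry, now):
    """Mimic ldap_access_order: every listed rule must pass, first failure wins."""
    for rule in (r.strip() for r in order.split(",")):
        if rule == "filter":
            ok, why = simple_filter_match(access_filter, entry), "filter: " + access_filter
        elif rule == "expire":
            ok, why = EXPIRE_POLICIES[expire_policy](entry, now)
        else:
            raise ValueError("unknown rule %r" % rule)
        if not ok:
            return False, why
    return True, "all rules passed"


# Constructed sample data, not real directory entries.
NOW = 1_300_000_000                       # 2011-03-13 UTC, shortly after the commits above
ACCESS_FILTER = "memberOf=cn=access_group,ou=Groups,dc=example,dc=com"
SAMPLE_ENABLED = {"userAccountControl": "512", "accountExpires": "0",
                  "memberOf": ["cn=access_group,ou=Groups,dc=example,dc=com"]}
SAMPLE_DISABLED = {"userAccountControl": "514", "accountExpires": "0",
                   "memberOf": ["cn=access_group,ou=Groups,dc=example,dc=com"]}
SAMPLE_EXPIRED_AD = {"userAccountControl": "512",
                     "accountExpires": "128444736000000000"}   # 2008-01-10 UTC

if __name__ == "__main__":
    for name, entry in [("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED),
                        ("expired", SAMPLE_EXPIRED_AD)]:
        print(name, evaluate_access("filter, expire", "ad", ACCESS_FILTER, entry, NOW))
```

Running the module prints one verdict per sample entry; the disabled entry fails on the 'expire' rule even though it matches the access filter, and the expired entry fails the filter first because the rules run in the configured order.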
ebb6e30d687a4d6626c735234c85cbb5b06a26aa |
|
16-May-2010 |
Sumit Bose <sbose@redhat.com> |
Add ldap_krb5_ticket_lifetime option |
66da80489c0114878043b40592c5f47d41eb0ffd |
|
07-May-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Use service discovery in backends
Integrate the failover improvements with our back ends. The DNS domain
used in the SRV query is always the SSSD domain name.
Please note that this patch changes the default value of ldap_uri from
"ldap://localhost" to "NULL" in order to use service discovery with no
server set. |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |