a2e743cd23e8e2033340612c77a8dbb8ef48c1e1 |
|
25-Apr-2018 |
Fabiano Fidêncio <fidencio@redhat.com> |
SDAP: Properly handle group id-collision when renaming incomplete groups
Resolves:
https://pagure.io/SSSD/sssd/issue/2653
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
0e238c259c066cf997aaa940d33d6bda96c15925 |
|
27-Nov-2017 |
Sumit Bose <sbose@redhat.com> |
sysdb: do not use objectClass for users and groups
The majority of the objects in the SSSD cache are users and groups. If
there are many users and groups in the cache the index objects of the
objectclass attributes 'user' and 'group' become large because they
must hold references to all objects of those object classes.
As a result the management of these index objects becomes costly because
they must be parsed and split apart quite often. Additionally they are
mostly useless because users and groups are looked up by more specific
attributes in general.
Only when enumerating all users or groups this kind of index might be
useful.
There are two ways of removing this kind of index from the user and group
objects. Either by removing objectClass from the list of indexes and adding
a new attribute to all other types of objects we want an index for. Or by
replacing objectClass with a different attribute for the user and group
objects. After some testing I think the latter one is the more reliable
one and implemented it in this patch.
Related to https://pagure.io/SSSD/sssd/issue/3503
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e0815d726420f905898aac1ae67b380f712cc2c5 |
|
08-Mar-2017 |
Thorsten Scherf <tscherf@redhat.com> |
Fixed typo in debug output
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
afadeb1a530ff010a2f9a7552562576b843c874b |
|
03-Mar-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: When searching for UPNs, search either the whole DB or only the given domain
The search-by-UPN functions always searched for the whole domain. In
some cases, the caller depends on the result coming from the domain
specified by the 'domain' parameter. This is the case in the cache_req
code at least. Even though it should be safe to just switch to always
searching the whole domain, in order to allow us to examine the code
carefully and test each codepath, let's introduce a boolean option to
the search functions. Currently it defaults to false in all codepaths
and as we test the individual ones, we can flip the option to true until
we finally remove the option altogether.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
3d29430867cf92b2d71afa95abb679711231117c |
|
15-Jul-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: rename be_acct_req to dp_id_data
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
d62f7e644be93477fc869698f6eb3d55f08167a9 |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: No need to separately qualify subdomain users anymore
All usernames across SSSD are stored in the same manner, so there's no
need to create per-domain names anymore.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4 |
|
13-Apr-2016 |
Sumit Bose <sbose@redhat.com> |
AD: process PAC during initgroups request
If there is a recently attached PAC blob in the cached user entry the
PAC data is used to update the group memberships data of the user. If
there is no PAC attached or if it is too old the other configured
methods will be used.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |