4a9c1047354dbe5a4ed41e5951ae623e3772e113 |
|
29-Jan-2018 |
René Genz <liebundartig@freenet.de> |
Fix minor spelling mistakes in providers/*
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
45e322191c7aa9390798b64ccb158ee800489945 |
|
01-Sep-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Only attempt migration for the joined domain
After the recent changes in commit a5e134b22aa27ff6cd66a7ff47089788ebc098a1
to fix ticket #3394, the PAM_CRED_ERR error would try to start migration
for any account. Further down the request, a sysdb search would try to find
the user in the joined domain only because the migration code presumes the
user is in the IPA domain which would error out and return System Error
to the PAM client.
This patch changes the migration somewhat to only attempt the migration
for IPA users.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
709989b80b5d6112fc6b62db762570330b9e2eea |
|
08-Jun-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
Remove unnecessary sys/param.h
They are mostly required for macros MAX/MIN which were not used
in these modules.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
90e5684e8e623d9b616e38300acc6eed51a28229 |
|
04-Jul-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
IPA: Fix uninitialized pointer read (UNINIT)
We try to release sdap_handle in the function sdap_cli_connect_recv.
Therefore we might try to release memory which does not belong to us
due to uninitialized pointer.
2070 if (gsh) {
6. read_parm: Reading a parameter value.
2071 if (*gsh) {
2072 talloc_zfree(*gsh);
2073 }
Found by Coverity
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
dea636af4d1902a081ee891f1b19ee2f8729d759 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Switch to new interface
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
01ec08efd0e166ac6f390f8627c6d08dcc63ccc4 |
|
06-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Add and use krb5_auth_queue_send to queue requests by default
Resolves:
https://fedorahosted.org/sssd/ticket/2701
Previously, only the krb5 provider used to queue requests, which
resulted in concurrent authentication requests stepping on one another.
This patch queues requests by default.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
fb045f6e5a9a7f8936ad6f89c28862dcd035a4fe |
|
08-May-2015 |
Sumit Bose <sbose@redhat.com> |
Add pre-auth request
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
b123a618dd8837f8a2db385542f0d7f3d7679d9b |
|
23-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Make simple bind timeout configurable
Resolves:
https://fedorahosted.org/sssd/ticket/1501
Reuse the value of sdap_opt_timeout to set a longer bind timeout for
user authentication, ID connection authentication and authentication
during IPA migration mode.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
83bf46f4066e3d5e838a32357c201de9bd6ecdfd |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Update DEBUG* invocations to use new levels
Use a script to update DEBUG* macro invocations, which use literal
numbers for levels, to use bitmask macros instead:
    grep -rl --include '*.[hc]' DEBUG . |
        while read f; do
            mv "$f"{,.orig}
            perl -e 'use strict;
                     use File::Slurp;
                     my @map=qw"
                         SSSDBG_FATAL_FAILURE
                         SSSDBG_CRIT_FAILURE
                         SSSDBG_OP_FAILURE
                         SSSDBG_MINOR_FAILURE
                         SSSDBG_CONF_SETTINGS
                         SSSDBG_FUNC_DATA
                         SSSDBG_TRACE_FUNC
                         SSSDBG_TRACE_LIBS
                         SSSDBG_TRACE_INTERNAL
                         SSSDBG_TRACE_ALL
                     ";
                     my $text=read_file(\*STDIN);
                     my $repl;
                     $text=~s/
                         ^
                         (
                             .*
                             \b
                             (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
                             \s*
                             \(\s*
                         )(
                             [0-9]
                         )(
                             \s*,
                         )
                         (
                             \s*
                         )
                         (
                             .*
                         )
                         $
                     /
                         $repl = $1.$map[$3].$4.$5.$6,
                         length($repl) <= 80
                             ? $repl
                             : $1.$map[$3].$4."\n".(" " x length($1)).$6
                     /xmge;
                     print $text;
                    ' < "$f.orig" > "$f"
            rm "$f.orig"
        done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
    grep -rwl --include '*.[hc]' DEBUG . |
        while read f; do
            mv "$f"{,.orig}
            perl -e \
                'use strict;
                 use File::Slurp;
                 my $text=read_file(\*STDIN);
                 $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
                 print $text;' < "$f.orig" > "$f"
            rm "$f.orig"
        done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
4c08db0fb0dda3d27b1184248ca5c800d7ce23f0 |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 1) |
34fde6bc7e05b484fbebef6b3690d73ad5468ec6 |
|
22-Oct-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
IPA: Remove unused memory context.
Parameter mem_ctx was unused in static function
get_password_migration_flag_recv |
5cd4414fce1e0eb4133dfc6fc828bf25c8a959f9 |
|
24-Sep-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Include header file in implementation module.
Declarations of public functions were in header files,
but the header files were not included in the implementation file. |
dcb44c39dda9699cdd6488fd116a51ced0687de3 |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: sdap_id_ctx might contain several connections
With some LDAP server implementations, one server might provide
different "views" of the identities on different ports. One example is
the Active Directory Global catalog. The provider would contact
a different view depending on which operation it is performing and against
which SSSD domain.
At the same time, these views run on the same server, which means the same
server options, enumeration, cleanup or Kerberos service should be used.
So instead of using several different failover ports or several
instances of sdap_id_ctx, this patch introduces a new "struct
sdap_id_conn_ctx" that contains the connection cache to the particular
view and an instance of "struct sdap_options" that contains the URI.
No functional changes are present in this patch, currently all providers
use a single connection. Multiple connections will be used later in the
upcoming patches. |
9acfb09f7969a69f58bd45c856b01700541853ca |
|
02-Apr-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Making the authtok structure really opaque.
The definition of structure sss_auth_token was removed from the header file
authtok.h, leaving only the declaration of this structure there.
Therefore the only way to use this structure is to use the accessory functions
from the same header file.
To create a new empty authtok, only the newly created function
sss_authtok_new() can be used. The TALLOC context was removed from the copy
and setter functions, because the pointer to struct sss_auth_token is used as
a memory context.
All declarations of struct sss_auth_token variables were replaced with
pointers to this structure and related changes were made in the source code.
Function copy_pam_data can copy from argument src which was dynamically
allocated with function create_pam_data() or zero initialized struct pam_data
allocated on stack.
https://fedorahosted.org/sssd/ticket/1830 |
233a3c6c48972b177e60d6ef4cecfacd3cf31659 |
|
19-Mar-2013 |
Simo Sorce <simo@redhat.com> |
Use common error facility instead of sdap_result
Simplifies and consolidates error reporting for ldap authentication paths.
Adds 3 new error codes:
ERR_CHPASS_DENIED - Used when password constraints deny password changes
ERR_ACCOUNT_EXPIRED - Account is expired
ERR_PASSWORD_EXPIRED - Password is expired |
cbaba2f47da96c4191971bce86f03afb3f88864a |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add be_req_get_data() helper function.
In preparation for making struct be_req opaque. |
03abdaa21ecf562b714f204ca42379ff08626f75 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add be_req_get_be_ctx() helper.
In preparation for making be_req opaque |
8e5549e453558d4bebdec333a93e215d5d6ffaec |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Introduce be_req_terminate() helper
Call it everywhere instead of directly dereferencing be_req->fn
This is in preparation of making be_req opaque. |
df0596ec12bc5091608371e2977f3111241e8caf |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove sysdb as a be context structure member
The sysdb context is already available through the 'domain' structure. |
2ce00e0d3896bb42db169d1e79553a81ca837a22 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_search_user_by_name()
Also remove unused sysdb_search_domuser_by_name() |
64af76e2bef2565caa9738f675c108a4b3789237 |
|
10-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Change pam data auth tokens.
Use the new authtok abstraction and interfaces throughout the code. |
d29e91321d175dce94d87c23a44ced40d265de2c |
|
26-Oct-2012 |
Sumit Bose <sbose@redhat.com> |
krb5_auth_send: check for sub-domains
If there is an authentication request for a user from a sub-domain a
temporary sysdb context is generated to allow lookups in the
corresponding sub-tree in the cache. |
6d485cdb11d3c2b8855a6380f759ae2df6e5c35b |
|
24-Apr-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Basic support for subdomains in auth provider |
7a65556481be3b556a5161c811ff004863042dfe |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Make password migration code use the IPA config retrieval code |
6d99c0f5616969a999d78248565a47b18d40d472 |
|
29-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA migration fixes
* use the id connection for looking up the migration flag
* force TLS on the password based authentication connection
https://fedorahosted.org/sssd/ticket/924 |
9b9c7f8caddf2b57adfbef8741651ee5063fa3bd |
|
29-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Provide means of forcing TLS and GSSAPI enabled/disabled for sdap connections |
8a1738f9379a1b8fb5c95c3df649e014ff5a1434 |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
sysdb refactoring: deleted domain variables in sysdb API
The patch also updates code using modified functions. Tests have also
been adjusted. |
073e71701dc28e21aaa1750d8b456ac699b8dda8 |
|
28-Feb-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use realm for basedn instead of IPA domain
https://fedorahosted.org/sssd/ticket/807 |
a530a96721d8106a6839b6b643b0abc5d7a7b9e0 |
|
17-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add timeout parameter to sdap_get_generic_send() |
1d9eec9e868fbc2d996f1030a43675be9a840133 |
|
07-Dec-2010 |
Simo Sorce <ssorce@redhat.com> |
ldap: add checks to determine if USN features are available. |
71af2725e8f96b403af3f4aa140c413f751380c0 |
|
15-Sep-2010 |
Sumit Bose <sbose@redhat.com> |
Store rootdse supported features in sdap_handler |
91e8aec6b798a86e84d882cf2f55e1d76b5dbb27 |
|
07-Sep-2010 |
Jan Zeleny <jzeleny@redhat.com> |
Cleaned some dead assignments
Two needless assignments were deleted, two were complemented
with code checking function results.
Ticket: #582 |
f37bf8657971d16a4849f58242319699dca2de95 |
|
10-Jun-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Avoid potential NULL dereference
https://fedorahosted.org/sssd/ticket/506 |
928ff09ea3975edbf53df05a1ade365a588dc69d |
|
16-May-2010 |
Sumit Bose <sbose@redhat.com> |
New version of IPA auth and password migration
The current version modified some global structures to be able to use
Kerberos and LDAP authentication during the IPA password migration. This
new version only uses tevent requests.
Additionally the ipaMigrationEnabled attribute is read from the IPA
server to see if password migration is allowed or not. |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |