d2633d922eeed68f92be4248b9172b928c189920 |
|
25-Apr-2018 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Augment the sdap_opts structure with a data provider pointer
In order to be able to use the Data Provider methods from the SDAP code
to e.g. invalidate memcache when needed, add a new field to the
sdap_options structure with the data_provider structure pointer.
Fill the pointer value for all LDAP-based providers.
Related:
https://pagure.io/SSSD/sssd/issue/2653
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
60a715a0dd79873d2d2607eab8fdfaf0ffd2e7d3 |
|
09-Feb-2018 |
Hristo Venev <hristo@venev.name> |
providers: Move hostid from ipa to sdap, v2
In the ldap provider, all option names are renamed to ldap_host_*. In
the ipa provider the names haven't been changed.
Host lookups for both ipa and ldap are handled in the ldap provider.
sss_ssh_knownhostsproxy works but hostgroups are still only available
in the ipa provider.
I've also added some documentation for the ldap provider.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4a311702045b065a97a0c0fc0ccc7a1fc84b38cf |
|
28-Aug-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
DESKPROFILE: Add ipa_deskprofile_request_interval
This option has been added to avoid contacting the Data Provider when no
rules were found in the previous request.
By adding this configurable option we avoid contacting the Data Provider
too often in the case described above and also when the server doesn't
support Desktop Profile's integration.
Resolves: https://pagure.io/SSSD/sssd/issue/3482
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f982039c75ec064894deb676ae53ee57de868590 |
|
28-Aug-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
DESKPROFILE: Introduce the new IPA session provider
In order to provide FleetCommander[0] integration, a session provider
has been introduced for IPA. The design of this feature and more
technical details can be found at [1] and [2], which are the design
pages of both freeIPA and SSSD parts.
As there's no way to test freeIPA integration with our upstream tests,
no test has been provided yet.
It is also worth mentioning that the name "deskprofile" has been chosen
instead of "fleetcmd" in order to match the freeIPA plugin. It
means that, for consistency, all source files, directories created,
options added, function prefixes and so on follow this choice
accordingly.
[0]: https://wiki.gnome.org/Projects/FleetCommander
[1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
[2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html
Resolves:
https://pagure.io/SSSD/sssd/issue/2995
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
7c1d1393537dec95e09b83b607ce9d0e8f49584c |
|
28-Aug-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
IPA_COMMON: Introduce ipa_get_host_attrs()
By adding this method it can be reused in the future for new backend
modules.
Related:
https://pagure.io/SSSD/sssd/issue/2995
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
17dccc24e4490dfda2820d46b62a029b14ba2359 |
|
18-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
IPA: add ipa_init_get_krb5_auth_ctx()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
dea636af4d1902a081ee891f1b19ee2f8729d759 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Switch to new interface
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
a1210c8db81a1cc0b45eb62a8450abcdea3afc7b |
|
09-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
ipa: add support for certificate overrides
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
991c9f47fcb24704b880f60ab8ee77cfda056e2c |
|
09-Mar-2016 |
Pavel Březina <pbrezina@redhat.com> |
IPA SUDO: download externalUser attribute
This allows configuration with id_provider = proxy
and sudo_provider = ipa when someone needs to fetch
rules for local users.
https://fedorahosted.org/sssd/ticket/2972
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a7d2b4f157194c14bc4a40c74f6416b82befa460 |
|
19-Jan-2016 |
Pavel Březina <pbrezina@redhat.com> |
IPA SUDO: Add support for ipaSudoRunAsExt* attributes
Reviewed-by: Sumit Bose <sbose@redhat.com> |
cc7766c8456653ab5d7dedbf432cb1711a905804 |
|
19-Jan-2016 |
Pavel Březina <pbrezina@redhat.com> |
IPA SUDO: Add ipasudocmd mapping
Reviewed-by: Sumit Bose <sbose@redhat.com> |
ed8650be18af26b7bf389e1246f7e8cdb363f829 |
|
19-Jan-2016 |
Pavel Březina <pbrezina@redhat.com> |
IPA SUDO: Add ipasudocmdgrp mapping
Reviewed-by: Sumit Bose <sbose@redhat.com> |
a2057618f30a3c64bdffb35a2ef3c2ba148c8a03 |
|
19-Jan-2016 |
Pavel Březina <pbrezina@redhat.com> |
IPA SUDO: Add ipasudorule mapping
Reviewed-by: Sumit Bose <sbose@redhat.com> |
6dff95bdfe437afc0b62b5270d0d84140981c786 |
|
24-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Remove the ipa_hbac_treat_deny_as option
https://fedorahosted.org/sssd/ticket/2603
Since deny rules are no longer supported on the server, the client
should no longer support them either. Remove the option.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
4fa184e2c60b377fd71e0115a618bd68dc73627d |
|
25-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
AD/IPA: add krb5_confd_path configuration option
With this new parameter the directory where Kerberos configuration
snippets are created can be specified.
Fixes https://fedorahosted.org/sssd/ticket/2473
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ab355eced46b5f488ed62a79a7f2e5ac2b6a574c |
|
05-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
Views: apply user SSH public key override
With this patch the SSH public key override attribute is read from the
FreeIPA server and saved in the cache with the other override data.
Since it is possible to have multiple public SSH keys this override
value does not replace any other data but will be added to existing
values.
Fixes https://fedorahosted.org/sssd/ticket/2454
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
08ab0d4ede41a1749e0bc26f78a37a4d10c20db8 |
|
16-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
IPA: add view support and get view name
Related to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
f69f3581658351003a6d9245045e41d0efb85022 |
|
26-Feb-2014 |
Sumit Bose <sbose@redhat.com> |
IPA: refactor idmap code and add test
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
de307ab8e390deabc5df9884a3f762bfb1581936 |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Enable AD sites when in server mode
https://fedorahosted.org/sssd/ticket/1964
Currently the AD sites are enabled unconditionally |
3d28e0e560b787b5c57ed7327d184310342a7e38 |
|
28-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Look up AD users directly if IPA server mode is on
https://fedorahosted.org/sssd/ticket/1962
If the ipa_server_mode is selected IPA subdomain user and group lookups
are not done with the help of the extdom plugin but directly against AD
using the AD ID code. |
f8a4a5f6240156809e1b5ef03816f673281e3fa0 |
|
28-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Initialize server mode ctx if server mode is on
This patch introduces a new structure that holds information about a
subdomain and its ad_id_ctx. This structure will be used only in server
mode to make it possible to search subdomains with a particular
ad_id_ctx.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962 |
0249e8d37920f59fd70bdafa4f6706a05ae523c1 |
|
28-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Add a server mode option
https://fedorahosted.org/sssd/ticket/1993
SSSD needs to know that it is running on an IPA server and should not
look up trusted users and groups with the help of the extdom plugin
but do the lookups on its own. For this a new boolean configuration
option is introduced which defaults to false but is set to true during
ipa-server-install or during updates of the FreeIPA server if it is not
already set. |
5e60c73cb91d1659755fb5ea829837db68d46163 |
|
28-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Add support for new ipaRangeType attribute
Recent versions of FreeIPA support a range type attribute to allow
different types of ranges for sub/trusted-domains. If the attribute is
available it will be used, if not the right value is determined with the
help of the other idrange attributes.
Fixes https://fedorahosted.org/sssd/ticket/1961 |
8ff0aba893d8da1a8163ccaf9ad2c5b6bccd121f |
|
28-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Add ipa_idmap_init()
Use the sdap_idmap context for the IPA provider as well.
https://fedorahosted.org/sssd/ticket/1961 |
1190b58239b305d88f0937b5aadd8b7db47bc581 |
|
24-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Do not download or store the member attribute of host groups
https://fedorahosted.org/sssd/ticket/1806
The IPA provider attempted to store the original value of member
attribute to the cache. That caused the memberof plugin to process the
values which was really CPU intensive. |
c51f7a064b0d7ef86110bdeb6dc09fa6c08be7d3 |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Move domain_to_basedn outside IPA subtree
The utility function will be reused to guess search base from the base
DN of AD trusted domains. |
04868f1573f4b26ef34610b6d7069172f93bd8ab |
|
03-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Convert IPA-specific options to be back-end agnostic
This patch introduces new options for dynamic DNS updates that are not
specific to any back end. The current ipa dyndns options are still
usable, just with a deprecation warning. |
9cb46bc62f22e0104f1b41a423b014c281ef5fc2 |
|
03-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Refactor dynamic DNS updates
Provides two new layers instead of the previous IPA specific layer:
1) dp_dyndns.c -- a very generic dyndns layer on the DP level. Its
purpose is to make it possible for any back end to use dynamic DNS
updates.
2) sdap_dyndns.c -- a wrapper around dp_dyndns.c that utilizes some
LDAP-specific features like autodetecting the address from the LDAP
connection.
Also converts the dyndns code to new specific error codes. |
b24e4bec819b29f1ec8e77083d4e7610c5dd9c77 |
|
03-May-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
SUDO: IPA provider
This patch adds automatic SUDO configuration with the ipa provider and compat tree.
https://fedorahosted.org/sssd/ticket/1733 |
88275cccddf39892e01682b39b02292eb74729bd |
|
10-Apr-2013 |
Pavel Březina <pbrezina@redhat.com> |
DNS sites support - add IPA SRV plugin
https://fedorahosted.org/sssd/ticket/1032 |
ba4378f49914e65a7d687a872d9b938173841154 |
|
19-Mar-2013 |
Michal Zidek <mzidek@redhat.com> |
Make the SELinux refresh time configurable.
Option ipa_selinux_refresh is added to basic ipa options. |
4fb12db7504920d12ea7db71f312334c877bff7c |
|
16-Oct-2012 |
James Hogarth <james.hogarth@gmail.com> |
Make TTL configurable for dynamic dns updates |
46118ee53dc0d25e449cd7e37e624a4c62b78ee2 |
|
01-Aug-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Primary server support: new option in IPA provider
This patch adds support for new config option ipa_backup_server. The
description of this option's functionality is included in man page in
one of previous patches. |
1ecdcf622920781a95e3d2040a2aad9ac2e31260 |
|
01-Aug-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Primary server support: IPA adaptation
This patch adds support for the primary server functionality into IPA
provider. No backup servers are added at the moment, just the basic
support is in place. |
386a66b1aa18a176e6a06fa126556c9590c373b6 |
|
21-Jun-2012 |
Sumit Bose <sbose@redhat.com> |
Add support for ID ranges |
84c611c1b7c04cc7735ab54d4e5f48284b79e6fb |
|
10-Jun-2012 |
Jan Zeleny <jzeleny@redhat.com> |
IPA subdomains - ask for information about master domain
The query is performed only if there is missing information in the
cache. That means this should be done only once after restart when cache
doesn't exist. All subsequent requests for subdomains won't include the
request for master domain. |
81165faf5d951aca69f410713730c26ff048ec44 |
|
24-Apr-2012 |
Sumit Bose <sbose@redhat.com> |
IPA: Add get-domains target |
51e6f026f7b8bcd6c429b10044abacc4f2393305 |
|
28-Mar-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Remove old compatibility tests
These are now replaced by the more accurate tests.
This patch also drops the runtime option-count check, since we are
always performing the more complete check at build-time. |
fdab7bbf8933351f6254438c30ff361cd748b15a |
|
24-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
IPA hosts refactoring |
620033ce66f4827be9d508c77483fab0270d9869 |
|
07-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: IPA provider |
1a7d1977037864e52858058777af8ff8401547dd |
|
07-Feb-2012 |
Jan Cholasta <jcholast@redhat.com> |
IPA: Add host info handler |
c9750312bfb4196b49ba6f91b26489f630958452 |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Update shadowLastChanged attribute during LDAP password change
https://fedorahosted.org/sssd/ticket/1019 |
1a853121ca2ba8ede6df429ee76942131ffb0f65 |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Session target in IPA provider |
71ad247500b417836a1a2edec257a4433a7c415f |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Implemented support for multiple search bases in HBAC rules and services |
cc84fd46f356c4a36a721ab135a33ec77c93e34d |
|
06-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: LDAP provider |
bd92e8ee315d4da9350b9ef0358c88a7b54aeebe |
|
04-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
NSS: Add individual timeouts for entry types
https://fedorahosted.org/sssd/ticket/1016 |
ca73004be606fe1a3003f2bc82eede4945fd0f08 |
|
31-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
IPA: Add support for services lookups (non-enum) |
8270b1b8505e4bce5ec065daa8fcdf985e1fc9f5 |
|
18-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add option to disable paging control
Fixes https://fedorahosted.org/sssd/ticket/967 |
eb54e05c9658a7274e3238813c54dd0c6577d3ec |
|
17-Jan-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - periodical update of rules in data provider
https://fedorahosted.org/sssd/ticket/1110
Adds new configuration options:
- ldap_sudo_refresh_enabled - enable/disable periodical updates
- ldap_sudo_refresh_timeout - rules timeout (refresh period) |
10b6b1fc57bb7c2edb4cfd0a0038303bd33722bc |
|
16-Dec-2011 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - LDAP configuration options |
440d7fb430f83b3547f98f79c67a232ab2220296 |
|
12-Dec-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add sdap_connection_expire_timeout option
https://fedorahosted.org/sssd/ticket/1036 |
bb57f6003fa42856d0578ac27eb57e798be9bbb5 |
|
09-Dec-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Fixed IPA netgroup processing
In case IPA netgroup had indirect member hosts, they wouldn't be
detected.
This patch also modifies debug messages for easier debugging in the
future. |
8c60644bd8f2d739ff7a58b3717929254d09dfbe |
|
08-Dec-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Add ldap_sasl_minssf option
https://fedorahosted.org/sssd/ticket/1075 |
6fb75e297bf7fc83e3db1f5ae8560624656ef319 |
|
29-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Add ipa_hbac_support_srchost option to IPA provider
don't fetch all host groups if this option is false
https://fedorahosted.org/sssd/ticket/1078 |
6d99c0f5616969a999d78248565a47b18d40d472 |
|
29-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA migration fixes
* use the id connection for looking up the migration flag
* force TLS on the password based authentication connection
https://fedorahosted.org/sssd/ticket/924 |
46d41cf95d520a1aab48dad2d577c885e69ef9f8 |
|
23-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
New IPA ID context |
544de543ee88961272e9b9c5baa2c0d296162965 |
|
23-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Added and modified options for IPA netgroups |
ed80a7f8ff76089bdcfae7007dbdef42d05e2cc8 |
|
02-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Support to request canonicalization in LDAP/IPA provider
https://fedorahosted.org/sssd/ticket/957 |
7dfc7617085c403d30debe9f08d4c9bcca322744 |
|
02-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Add support to request canonicalization on krb AS requests
https://fedorahosted.org/sssd/ticket/957 |
a2e6bd6ed16c92799d435043450f6156a773a6dc |
|
26-Aug-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add LDAP provider option to set LDAP_OPT_X_SASL_NOCANON
https://fedorahosted.org/sssd/ticket/978 |
7e2de117961fe247d8aa16af2ab762990965c239 |
|
11-Jul-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Check DNS records before updating
https://fedorahosted.org/sssd/ticket/802 |
98fc4cbc838615a88b9725a13ab7491e89cbac32 |
|
08-Jul-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add ipa_hbac_treat_deny_as option
By default, we will treat the presence of any DENY rule as denying
all users. This option will allow the admin to explicitly ignore
DENY rules during a transitional period. |
1360b4f4d6e948023daeda8787f575e7f8117444 |
|
08-Jul-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add ipa_hbac_refresh option
This option describes the time between refreshes of the HBAC rules
on the IPA server. |
7bdaf2a712d73763e7c3d25f6bb544b18f7028eb |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use dereference when processing RFC2307bis nested groups
Instead of issuing N LDAP requests when processing a group with N users,
utilize the dereference functionality to pull down all the members in a
single LDAP request.
https://fedorahosted.org/sssd/ticket/799 |
b35da26911249aa48052655eef02f16e12930cf9 |
|
27-Apr-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add ldap_page_size configuration option |
e81a816cddab4a62f263d1a0274d5d3f101e8e0f |
|
25-Apr-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Modify principal selection for keytab authentication
Currently we construct the principal as host/fqdn@REALM. The problem
with this is that this principal doesn't have to be in the keytab. In
that case the provider fails to start. It is better to scan the keytab
and find the most suitable principal to use. Only if no suitable
principal is found should the backend fail to start.
The second issue solved by this patch is that the realm we are
authenticating the machine to can be in general different from the realm
our users are part of (in case of cross Kerberos trust).
The patch adds new configuration option SDAP_SASL_REALM.
https://fedorahosted.org/sssd/ticket/781 |
8cf1b4183577237d965068d70cd06bd0716aea84 |
|
25-Apr-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Allow new option to specify principal for FAST
https://fedorahosted.org/sssd/ticket/700 |
9bd24b75f3252817addc052673959bde7cad5ebc |
|
22-Feb-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add krb5_realm to the basic IPA options
Previously, this was only handled by the internal LDAP and Kerberos
providers, but this wasn't available early enough to properly
handle setting up the krb5_service for failover and creating the
krb5info files. |
7cefb94d9f00a5629cb5c12cc71d01208e7ead63 |
|
22-Feb-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Allow krb5_realm to override ipa_domain
It is possible to set up FreeIPA servers where the Kerberos realm
differs from the IPA domain name. We need to allow setting the
krb5_realm explicitly to handle this. |
a1af9beb915e96da634b7d17762bf42146104d45 |
|
27-Jan-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add option to disable TLS for LDAP auth
Option is named to discourage use in production environments and
is intentionally not listed in the SSSDConfig API. |
3c13b616108d4c0a413380ba72189947898eee57 |
|
20-Jan-2011 |
Tyson Whitehead <twhitehead@gmail.com> |
Add ldap_tls_{cert,key,cipher_suite} config options
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com> |
56789cfa13f85071f5fb37575fa1f1071f587efc |
|
19-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add ipa_hbac_search_base config option |
29993ce4fbdf08f28077f4b6824c8b6b8d616cb8 |
|
17-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add ldap_search_enumeration_timeout config option |
5843ad321944a028f6dee7e1fd4f9381c4953d07 |
|
07-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add support for FAST in krb5 provider |
33b8fa8693df109fb33b6051bb29cb0cf5bc4d19 |
|
06-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add ldap_chpass_uri config option |
32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a |
|
06-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add new account expired rule to LDAP access provider
Two new options are added to the LDAP access provider to allow a broader
range of access control rules to be evaluated.
'ldap_access_order' makes it possible to run more than one rule. To keep
compatibility with older versions the default is 'filter'. This patch
adds a new rule 'expire'.
'ldap_account_expire_policy' specifies which LDAP attribute should be
used to determine if an account is expired or not. Currently only
'shadow' is supported which evaluates the ldap_user_shadow_expire
attribute. |
f3f9ce8024d7610439d6c70ddafab1ab025cf8a8 |
|
03-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add support for automatic Kerberos ticket renewal |
c7d73cf51642c7f89c1f21e54b8ce1b262bef899 |
|
03-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add krb5_lifetime option |
c8b8901b05da9e31dba320f305ec20301e928cfb |
|
03-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add krb5_renewable_lifetime option |
4534c103b193b74452ea81bf12ffaceb1901728a |
|
22-Oct-2010 |
Sumit Bose <sbose@redhat.com> |
Add ldap_deref option |
9932622f615a783f276a83389a37e65ffcdfc5da |
|
18-Oct-2010 |
Simo Sorce <ssorce@redhat.com> |
Add option to limit nested groups |
d9ed57c641b91c9c499a53329d606d5061ed47d1 |
|
13-Oct-2010 |
Sumit Bose <sbose@redhat.com> |
Add infrastructure to LDAP provider for netgroup support |
6e88b0dcd0352ac1280c1bd8dd0753b90e4014f2 |
|
13-Oct-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Add KDC to the list of LDAP options |
f520e7a2f4fe29747f25118621e20b0d89d296fc |
|
14-Jun-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Remove krb5_changepw_principal option
Fixes: #531 |
35480afaefafb77b28d35b29039989ab888aafe9 |
|
27-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add ldap_access_filter option
This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.
Common examples for this would be limiting access to users in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com |
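A worked sssd.conf fragment, added here as an illustration and not taken from any SSSD commit, that combines the ldap_access_filter option above with the 'expire' rule and ldap_access_order introduced in the 06-Dec-2010 entry "Add new account expired rule to LDAP access provider". The domain name, server URI and group DN are placeholders; the option names and values are the ones those two commit messages describe.

```ini
# Placeholder domain; only the [domain/...] section is shown.
# (Added example, not part of the SSSD commit history on this page.)
[domain/example.com]
id_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

# Default behaviour: ldap_access_order unset is the same as "filter".
# Only group membership is checked; a user whose shadowExpire date
# has passed is still granted access as long as the filter matches.
#ldap_access_order = filter
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com

# Tightened: evaluate the filter first, then the expire rule.
# Every listed rule must pass for access to be granted.
ldap_access_order = filter, expire

# 'shadow' makes the expire rule read the attribute named by
# ldap_user_shadow_expire (shadowExpire by default), interpreted as
# days since the epoch after which the account is expired.
ldap_account_expire_policy = shadow
#ldap_user_shadow_expire = shadowExpire
```

Before relying on the expire rule, confirm with a test user that the directory actually populates shadowExpire and that SSSD's mapped attribute name matches your schema; an entry with no value for the attribute is not treated as expired, so a missing attribute silently reduces the rule to a no-op for that user.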
02e38eae1b9cb5df2036a707dafd86f6047c17de |
|
26-May-2010 |
Sumit Bose <sbose@redhat.com> |
Add support for delayed kinit if offline
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used. |
ebb6e30d687a4d6626c735234c85cbb5b06a26aa |
|
16-May-2010 |
Sumit Bose <sbose@redhat.com> |
Add ldap_krb5_ticket_lifetime option |
48a038d077ed2de18a5211e010c18ab680107293 |
|
16-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add dynamic DNS updates to FreeIPA
This adds two new options:
ipa_dyndns_update: Boolean value to select whether this client
should automatically update its IP address in FreeIPA DNS.
ipa_dyndns_iface: Choose an interface manually to use for
updating dynamic DNS. Default is to use the interface associated
with the LDAP connection to FreeIPA.
This patch supports A and AAAA records. It relies on the presence
of the nsupdate tool from the bind-utils package to perform the
actual update step. The location of this utility is set at build
time, but its availability is determined at runtime (so clients
that do not require dynamic update capability do not need to meet
this dependency). |
928ff09ea3975edbf53df05a1ade365a588dc69d |
|
16-May-2010 |
Sumit Bose <sbose@redhat.com> |
New version of IPA auth and password migration
The current version modified some global structures to be able to use
Kerberos and LDAP authentication during the IPA password migration. This
new version only uses tevent requests.
Additionally the ipaMigrationEnabled attribute is read from the IPA
server to see if password migration is allowed or not. |
57614e56dd272db0f71abc442b1515d79fd16169 |
|
07-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Revert "Add dynamic DNS updates to FreeIPA"
This reverts commit 973b7c27c0b294b8b2f120296f64c6a3a36e44b7.
While this patch applied cleanly, it was uncompilable. Reverting
until it can be properly merged. |
973b7c27c0b294b8b2f120296f64c6a3a36e44b7 |
|
07-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add dynamic DNS updates to FreeIPA
This adds two new options:
ipa_dyndns_update: Boolean value to select whether this client
should automatically update its IP address in FreeIPA DNS.
ipa_dyndns_iface: Choose an interface manually to use for
updating dynamic DNS. Default is to use the interface associated
with the LDAP connection to FreeIPA.
This patch supports A and AAAA records. It relies on the presence
of the nsupdate tool from the bind-utils package to perform the
actual update step. The location of this utility is set at build
time, but its availability is determined at runtime (so clients
that do not require dynamic update capability do not need to meet
this dependency). |
66da80489c0114878043b40592c5f47d41eb0ffd |
|
07-May-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Use service discovery in backends
Integrate the failover improvements with our back ends. The DNS domain
used in the SRV query is always the SSSD domain name.
Please note that this patch changes the default value of ldap_uri from
"ldap://localhost" to "NULL" in order to use service discovery with no
server set. |
beaaf02fe968b216d0633c92592a1fd9daad30ec |
|
25-Mar-2010 |
Sumit Bose <sbose@redhat.com> |
Fix LDAP search paths for IPA HBAC
- use domain_to_basedn() to construct LDAP search paths for IPA HBAC
- move domain_to_basedn() to a separate file to simplify the build of
a test |
6bcdb688a3d1319ded1073f08e0350de9e5ba94e |
|
25-Mar-2010 |
Eugene Indenbom <eindenbom@gmail.com> |
Add krb5_kpasswd to IPA provider
The krb5 options were out of sync, causing a runtime abort. |
6dd4421e76c46f46d0699471703e7dc221d05db5 |
|
25-Mar-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Regression test against RHBZ #576856 |
af81aaa57f82eab78647113c391bd84247f96150 |
|
23-Feb-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Better cleanup task handling
Implements a different mechanism for cleanup task. Instead of just
deleting expired entries, this patch adds a new option
account_cache_expiration for domains. If an entry is expired and the last
login was more days in the past than account_cache_expiration, the entry is
deleted.
Groups are deleted if they are expired and no user references them
(no user has memberof: attribute pointing at that group).
The parameter account_cache_expiration is not LDAP-specific, so that other
future backends might use the same timeout setting.
Fixes: #391 |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |