IPA_RULES_COMMON: Introduce ipa_common_get_hostgroupname() By moving the get_ipa_hostgroupname() method from ipa_hbac_hosts.[ch] to ipa_rules_common.[ch] it can be used by both HBAC and, in the future, for new backend modules. The method got renamed to ipa_common_get_hostgroupname() and some coding style changes have been made in order to match with what SSSD follows. Related: https://pagure.io/SSSD/sssd/issue/2995 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IPA_ACCESS: Make hbac_get_cache_rules() more generic This method can also be reused in the future for new backend modules. In order to make it more generic, let's just move it to ipa_rules_common.[ch], rename it to ipa_common_get_cached_rules() and make the rule, subtree name and the attributes to be searched new parameters of this method. In order to not be declaring the enourmous list of attributes HBAC uses when calling this method, a new hbac_get_attrs_to_get_cached_rules() method has been introduced. Related: https://pagure.io/SSSD/sssd/issue/2995 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IPA: Leave only HBAC specific defines in ipa_hbac_private.h The defines that were moved can and will be used by another backend module that will be introduced in the near future. Related: https://pagure.io/SSSD/sssd/issue/2995 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IPA: Make ipa_hbac_sysdb_save() more generic Although there's no change in the ipa_hbac_sysdb_save() itself, its name has been changed to ipa_common_entries_and_groups_sysdb_save() and its been split out from HBAC related files and moved to the newly created ipa_rules_common.[ch] files, which will also be used in the future for new backend modules. ipa_rules_common.[ch] is not exactly the best name for those files, IMO, but I really cannot come up with something better. Related: https://pagure.io/SSSD/sssd/issue/2995 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

libipa_hbac: Move the library to src/lib/ipa_hbac Moving the library to the lib directory will force maintainers to think twice about changes, because it would be obvious this is a library. Also don't use includes from sssd source tree paths, but add the util path to Makefile's CFLAGS so that other projects can copy the hbac_evaluator.c file verbatim. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Remove sysdb arg from [ipa_]hbac_sysdb_save() Also make ipa_hbac_save_list() static

Remove sysdb arg from ipa_hbac_service_info_send()

Remove sysdb arg from hbac_*host_attrs_to_rule()

Remove sysdb arg from hbac_service_attrs_to_rule()

Remove sysdb argument from hbac_user_attrs_to_rule()

Add domain arg to sysdb_search_users()

Add domain argument to sysdb_search_custom() Also changes sysdb_search_custom_by_name()

LDAP: Only convert direct parents' ghost attribute to member https://fedorahosted.org/sssd/ticket/1612 This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents. As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback. The original member attributes are only saved if the LDAP schema supports nesting.

IPA hosts refactoring

Separate the host-retrieval code from IPA HBAC to common IPA code

Implemented support for multiple search bases in HBAC rules and services

Support multiple search bases in HBAC

Add ipa_hbac_support_srchost option to IPA provider don't fetch all host groups if this option is false https://fedorahosted.org/sssd/ticket/1078

Cleanup: Remove unused parameters

HBAC: Use originalMember for identifying hostgroups

HBAC: Use originalMember for identifying servicegroups

Add helper functions for looking up HBAC rule components