providers: Move hostid from ipa to sdap, v2 In the ldap provider, all option names are renamed to ldap_host_*. In the ipa provider the names haven't been changed. Host lookups for both ipa and ldap are handled in the ldap provider. sss_ssh_knownhostsproxy works but hostgroups are still only available in the ipa provider. I've also added some documentation for the ldap provider. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

LDAP: Add support for rhost access control This patch implements verification of pam_rhost against rules stored in LDAP entry of a user. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

DESKPROFILE: Add ipa_deskprofile_request_interval This option has been added to avoid contacting the Data Provider when no rules were found in the previous request. By adding this configurable option we avoid contacting the Data Provider too often in the case described above and also when the server doesn't support Desktop Profile's integration. Resolves: https://pagure.io/SSSD/sssd/issue/3482 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

DESKPROFILE: Introduce the new IPA session provider In order to provide FleetCommander[0] integration, a session provider has been introduced for IPA. The design of this feature and more technical details can be found at [1] and [2], which are the design pages of both freeIPA and SSSD parts. As there's no way to test freeIPA integration with our upstream tests, no test has been provided yet. Is also worth to mention that the name "deskprofile" has been chosen instead of "fleetcmd" in order to match with the freeIPA plugin. It means that, for consistence, all source files, directories created, options added, functions prefixes and so on are following the choice accordingly. [0]: https://wiki.gnome.org/Projects/FleetCommander [1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki [2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html Resolves: https://pagure.io/SSSD/sssd/issue/2995 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Use correct spelling of override Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

LDAP: new attribute option ldap_user_email Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ipa: add support for certificate overrides Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IPA SUDO: download externalUser attribute This allows configuration with id_provider = proxy and sudo_provider = ipa when someone needs to fetch rules for local users. https://fedorahosted.org/sssd/ticket/2972 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Add a new option ldap_group_external_member Required for: https://fedorahosted.org/sssd/ticket/2522 Reviewed-by: Sumit Bose <sbose@redhat.com>

IDMAP: Add support for automatic adding of ranges Resolves: https://fedorahosted.org/sssd/ticket/2188 Reviewed-by: Sumit Bose <sbose@redhat.com>

IPA SUDO: Add support for ipaSudoRunAsExt* attributes Reviewed-by: Sumit Bose <sbose@redhat.com>

IPA SUDO: Add ipasudocmd mapping Reviewed-by: Sumit Bose <sbose@redhat.com>

IPA SUDO: Add ipasudocmdgrp mapping Reviewed-by: Sumit Bose <sbose@redhat.com>

IPA SUDO: Add ipasudorule mapping Reviewed-by: Sumit Bose <sbose@redhat.com>

IPA: Mark globals in ipa_opts.h as extern To avoid collisions when we want to work with them elsewhere in the code. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>