5e04cbb8b6a10a794b698184fc84f9d359350253 |
|
26-Feb-2018 |
Sumit Bose <sbose@redhat.com> |
ipa: add SYSDB_USER_MAPPED_CERT for certs in idoverrides
Recent changes to support a rule based mapping between users and
certificates were not properly added for the case where a certificate
was added to an idoverride for a user. As a result authentication with
the certificate from the idoverride was not possible. With this patch the
certificate from the idoverride is properly added to the cache.
Related to https://pagure.io/SSSD/sssd/issue/3603
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
d4a6579a99b8cdeab31f69dfa3b88c145dd9e845 |
|
29-Jan-2018 |
Thorsten Scherf <tscherf@redhat.com> |
IPA: Fixed subdomain typo
Reviewed-by: Amith Kumar <apeetham@redhat.com> |
dc49e07a0dbbbf3d69d09a7c6f236d82c86c7def |
|
08-Dec-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Include SYSDB_OBJECTCATEGORY, not OBJECTCLASS in cache search results
The function get_object_from_cache() returns an ldb_message that is
passed to apply_subdomain_homedir() which expects SYSDB_OBJECTCATEGORY
to be present in the message, otherwise it errors out.
However, get_object_from_cache() was reading only SYSDB_OBJECTCLASS.
This patch changes get_object_from_cache() to read
SYSDB_OBJECTCATEGORY.
Resolves:
https://pagure.io/SSSD/sssd/issue/3599
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
0e238c259c066cf997aaa940d33d6bda96c15925 |
|
27-Nov-2017 |
Sumit Bose <sbose@redhat.com> |
sysdb: do not use objectClass for users and groups
The majority of the objects in the SSSD cache are users and groups. If
there are many users and groups in the cache the index objects of the
objectclass attributes 'user' and 'group' become large because they
must hold references to all objects of those object classes.
As a result the management of these index objects becomes costly because
they must be parsed and split apart quite often. Additionally they are
mostly useless because users and groups are looked up by more specific
attributes in general.
Only when enumerating all users or groups this kind of index might be
useful.
There are two ways of removing this kind of index from the user and group
objects. Either by removing objectClass from the list of indexes and adding
a new attribute to all other types of objects we want an index for. Or by
replacing objectClass with a different attribute for the user and group
objects. After some testing I think the latter one is the more reliable
one and implemented it in this patch.
Related to https://pagure.io/SSSD/sssd/issue/3503
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
82843754193b177275ce16f2901edac2060a3998 |
|
29-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
IPA: enable AD user lookup by certificate
Without this the lookup by certificate for AD users on an IPA client
will just error out.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
16c9d63d96ce8dc7517ae16502e9ec72d6a58d6c |
|
10-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
PAM: allow multiple users mapped to a certificate
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
afadeb1a530ff010a2f9a7552562576b843c874b |
|
03-Mar-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: When searching for UPNs, search either the whole DB or only the given domain
The search-by-UPN functions always searched for the whole domain. In
some cases, the caller depends on the result coming from the domain
specified by the 'domain' parameter. This is the case in the cache_req
code at least. Even though it should be safe to just switch to always
searching the whole domain, in order to allow us to examine the code
carefully and test each codepath, let's introduce a boolean option to
the search functions. Currently it defaults to false in all codepaths
and as we test the individual ones, we can flip the option to true until
we finally remove the option altogether.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
ca68b1b4ba06b1cda316ae8af470647bd7015a5a |
|
16-Jan-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
DP: Remove unused attr_type from struct dp_id_data
Structure member attr_type was set to BE_ATTR_CORE in all places
and there was a single place, src/providers/ldap/ldap_id.c, where
we checked for other values. It is not used anymore; it's better to
remove it.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
b9941359b3181c42f415530d5ccad0f4664d85fa |
|
21-Sep-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
Remove double semicolon at the end of line
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
858c7b713bc4cb33e3339949ca43c9fba9f85a65 |
|
08-Aug-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Check the return value of sss_parse_internal_fqname
We should fail the request if sss_parse_internal_fqname() fails.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
530458a4ef7cd8429d1db2f3dfae92d9c44e38ef |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
IPA: fix lookup by UPN for subdomains
Currently the user name used in the extdom exop request is
unconditionally set to the short name. While this is correct for the
general name based lookups it breaks UPN/email based lookups where the
name part after the @-sign might not match the domain name. I guess this
was introduced during the sysdb refactoring.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
160ba891ec483c5b7d2a3fcca5bd992fc790efe0 |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
IPA: expand ghost members of AD groups in server-mode
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
3d29430867cf92b2d71afa95abb679711231117c |
|
15-Jul-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: rename be_acct_req to dp_id_data
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
0ad1bcec60a2ec67a602e0ad1888f859d6009d54 |
|
07-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
IPA: make get_object_from_cache() aware of UPN searches
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
59032b8de713f038803e91b14d5df51384d64d2c |
|
07-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
IPA: add missing user name to homedir_ctx
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
c125e741d3111e2f9b56866ba00835ca05c6f349 |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Use internal fqname format instead of parsing NSS names
Parsing the extdom plugin output is an "input" operation from the point
of the IPA provider, so we need to parse the name and conversely,
internally use only the qualified name.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
accff8ebe158251b1d25a95b3b035fe7e08fd1ee |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL: expand_homedir_template manages usernames internally
expand_homedir_template() can be considered an outward-facing interface,
therefore the function and its input structure will accept the internal
name format and parse it internally into a username and domain
component.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
dea636af4d1902a081ee891f1b19ee2f8729d759 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Switch to new interface
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
21513e51a4a2eb08f245333bf8f223713a3d7cb3 |
|
09-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
IPA: allow lookups by cert in sub-domains on the client
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a1210c8db81a1cc0b45eb62a8450abcdea3afc7b |
|
09-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
ipa: add support for certificate overrides
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
c371993cce13edb9185a5f0db76fbee03f0edc04 |
|
13-Apr-2016 |
Sumit Bose <sbose@redhat.com> |
IPA: resolve PAC for trusted users on IPA clients
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
e2d96566aeb881bd89e5c9236d663f6a9a88019a |
|
24-Feb-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Add interface to call into IPA provider from LDAP provider
https://fedorahosted.org/sssd/ticket/2522
Adds a pluggable interface that is able to resolve the IPA group's
external members. At the moment, the request calls the full be_
interface to make sure all corner cases like id-views are handled
internally.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
309aa83d16b5919f727af04850bcd0799ba0962f |
|
07-Oct-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Provide common connection list construction functions
https://fedorahosted.org/sssd/ticket/2810
Provides a new AD common function ad_ldap_conn_list() that creates a
list of AD connection to use along with properties to avoid mistakes
when manually constructing these lists.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
42bd89dbe77846b6ee60365bba50da521745bca1 |
|
23-Sep-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Retry fetching keytab if IPA user lookup fails
Required for:
https://fedorahosted.org/sssd/ticket/2639
Instead of calling ipa_get_ad_acct_send directly, call a new request
ipa_srv_ad_acct_send. The new request wraps ipa_get_ad_acct_send and
tries to request a new keytab every time the lookup fails but the
domain is online.
be_mark_dom_offline() is called when the retry fails with the new code.
The retry tries to re-setup the trusted domain. With two-way setups, the
request is a no-op. With one-way trust setups, the request re-fetches
new keytab unconditionally.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
20162352030d1c577bb69d44e967d2c5839e5c0e |
|
21-Sep-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Do not allow the AD lookup code to set backend as offline in server mode
https://fedorahosted.org/sssd/ticket/2637
In server mode, we should not allow the AD lookups to set the backend
offline. Rather just let them report an error and deal with the error
separately.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
afa6ac75f97951ea5ea4b6e96c607acc3c5fafcc |
|
07-Aug-2015 |
Pavel Reichl <preichl@redhat.com> |
IPA: Improve messages about failures
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
caacea0dbfdc92613ae992681053b1d2665b80ca |
|
19-Jun-2015 |
Sumit Bose <sbose@redhat.com> |
LDAP/IPA: add user lookup by certificate
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
979e8d8d6ed444007eeff6be5269e8dc5d2bdf68 |
|
14-Jun-2015 |
Pavel Reichl <preichl@redhat.com> |
IPA: Don't override homedir with subdomain_homedir
Resolves:
https://fedorahosted.org/sssd/ticket/2583
Reviewed-by: Michal Židek <mzidek@redhat.com> |
2263c6dd1242c92253240f4998c86a04b6a0ca3a |
|
05-May-2015 |
Sumit Bose <sbose@redhat.com> |
IPA: search for overrides during initgroups in server mode
After the group memberships of a user from a trusted domain are read it
must be checked if there are overrides for the discovered groups to be
able to return the right gid or name to the caller.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e87badc0f6fb20a443cf12bde9582ecbc2aef727 |
|
05-May-2015 |
Sumit Bose <sbose@redhat.com> |
IPA: do initgroups if extdom exop supports it
Newer versions of the extdom plugin return the full list of
group-memberships during a user lookup request. With these versions there
is no need to reject an initgroups request for sub/trusted-domain users
anymore. This is e.g. useful for callers which call getgrouplist()
directly without calling getpwnam() before. Additionally it helps if for
some reason the lifetime of the user entry and the lifetime of the
initgroups data are different.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f70a1adbfc30b9acc302027439fb8157e0c6ea2a |
|
29-Apr-2015 |
Sumit Bose <sbose@redhat.com> |
IPA: allow initgroups by SID for AD users
If a user from a trusted AD domain is searched with the help of an
override name the SID from the override anchor is used to search the
user in AD. Currently the initgroups request only allows searches by
name. With this patch a SID can be used as well.
Resolves https://fedorahosted.org/sssd/ticket/2632
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
561ed2fd03bab04cfdddbc09c4b48563c9d9b87e |
|
30-Jan-2015 |
Sumit Bose <sbose@redhat.com> |
AD: use GC for SID requests as well
If a universal group is looked up by SID the cross-domain members must
be resolved with the help of the Global Catalog.
Related to https://fedorahosted.org/sssd/ticket/2514
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
63748c69a2c6785d949c82f94749704e0408e5a7 |
|
26-Jan-2015 |
Sumit Bose <sbose@redhat.com> |
IPA: resolve IPA group-memberships for AD users
So far only for initgroups requests the IPA group memberships were
resolved for AD users and due to
6fac5e5f0c54a0f92872ce1450606cfcb577a920 those memberships are not
overridden by other requests. But it turned out that the originalMemberOf
attributes related to the IPA group memberships can be overridden by
user lookups. Since the originalMemberOf attribute is important in the
HBAC evaluation this patch makes sure that the originalMemberOf
attribute is not removed but updated during user lookups.
Related to https://fedorahosted.org/sssd/ticket/2560
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
765d9075bb1e10ae0f09b6c2701bfd50aeb423d4 |
|
13-Jan-2015 |
Sumit Bose <sbose@redhat.com> |
IPA: resolve ghost members if a non-default view is applied
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
acebf94a16c91b17c7c082538ab3083ee26aa992 |
|
20-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
IPA: check overrides for IPA users as well
Currently overrides were only available for sub-domains, e.g. trusted AD
domains. With this patch overrides can be used for IPA users as well.
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f1436acde39da5f1400a51153cf7fd370682a4c8 |
|
20-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
IPA: make get_object_from_cache() public
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
3256bd11e64c12c10ccac7192063e60ec68a2ad9 |
|
30-Oct-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Rename user_dom into obj_dom
There was a variable in the IPA subdomain code named user_dom, however,
it was used in code that processes both users and groups, which was
confusing.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
0636276cbc6e53022b84bf1a7e4d82dee62160a9 |
|
30-Oct-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Don't fail the request when BE doesn't find the object
The IPA subdomain code treated ENOENT as a fatal error, which resulted
in a loud error message and the whole request being aborted. This patch
ignores ENOENT.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
44329653f423c632b027065a9c0ea0bf4199396a |
|
22-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
ipa: fix issues with older servers not supporting views
Older FreeIPA servers which do not know about the ipaAssignedIDView
attribute will return an error during the LDAP dereference request
because SSSD marks LDAP extensions as critical. In this case we keep the
view name empty and skip override lookups.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ed4a9bd4d0f7fb359bed66a8d63a92e7be633aae |
|
16-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
views: search overrides for user and group requests
If the name or the POSIX ID of a user or a group is overridden the
search requests for those objects have to check the override objects first
before looking up the original objects.
This patch adds a new request for the IPA sub-domain users which checks
the overrides first if
- SSSD is running in ipa-server-mode and a name or a POSIX ID is
searched, since we do not override the SIDs we can skip the search in
the override tree here
- the responder indicates it has not found the corresponding object
in the cache and the input might be an override name or ID and not the
original one of an object.
If an override object was found the SID is extracted from the anchor
attribute and the original object is searched by its SID. If no override
object was found the original object is searched with the original input
and finally it is checked if an override object exists for the found
object.
Relates to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
9c8db0a17a66c58c36966b17d004142a4aaace8d |
|
16-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
views: get overrides during user and group lookups
With this patch the IPA provider will check if overrides exist for the
given view during the lookup of users and groups from trusted domains.
In ipa-server-mode the default view is automatically applied and written
to the cache. On IPA clients which use the extdom plugin for user and
group lookups the override data is saved separately and the original
object and the override data are linked with DN attributes for faster
reference.
Related to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
00c283ca719717ed483958571982d0e9ff95c4b1 |
|
16-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
IPA: make IPA ID context available to extdom client code
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
a20ce8cd43d72c89e2ea1d65aefe24ba270f040f |
|
25-Sep-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Use GC for group lookups in server mode
https://fedorahosted.org/sssd/ticket/2412
Even though AD trusts often work with POSIX attributes which are
normally not replicated to GC, our group lookups are smart since commit
008e1ee835602023891ac45408483d87f41e4d5c and look up the group itself using
the LDAP connection and only use the GC connection to look up the members.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
82347f452febe3cbffc36b0a3308ffb462515442 |
|
19-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: handle searches by SID in apply_subdomain_homedir
https://fedorahosted.org/sssd/ticket/2391
apply_subdomain_homedir() didn't handle the situation where an entity
that doesn't match was requested from the cache. For user and group
lookups this wasn't a problem because the negative match was caught
sooner.
But SID lookups can match either user or group. When a group SID was
requested, the preceding LDAP request matched the SID and stored the
group in the cache. Then apply_subdomain_homedir() only tried to search
user by SID, didn't find the entry and accessed a NULL pointer.
A simple reproducer is:
$ python
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getnamebysid(group_sid)
The group_sid can be anything, including Domain Users (XXX-513)
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
db18dda869bc6c52a41797b2066cf121cf10f49c |
|
22-Jul-2014 |
Pavel Reichl <preichl@redhat.com> |
UTIL: rename find_subdomain_by_name
The function was named "find_subdomain" yet it could find both main
domain and subdomain.
sed 's/find_subdomain_by_name/find_domain_by_name/' -i `find . -name "*.[ch]"`
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ae0a5011e2644eaa482ea1b9e1451eff05c676b9 |
|
02-Jun-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
NSS: Add option to expand homedir template format
An LDAP server can contain a template for the home directory instead of a plain string.
This patch adds a new expand option "%H", which will be replaced with the value
of the configuration option homedir_substring (from sssd.conf).
Resolves:
https://fedorahosted.org/sssd/ticket/1853 |
5cd660aaa885bca95ac3dca660bb77e5786d5f8e |
|
02-Jun-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
NSS: Refactor expand_homedir_template
Function expand_homedir_template had a lot of parameters.
After adding a new expand option, all function calls would have to be rewritten
(usually the argument NULL would be added).
This patch wraps all necessary arguments in a structure. |
33d70148eac28c548b10eb3aa36ab23169cedc5a |
|
21-May-2014 |
Alexander Bokovoy <abokovoy@redhat.com> |
ipa subdomains provider: make sure search by SID works for homedir
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
17cd7b7233ff6d84786de316eee307a1c1baf7a7 |
|
10-Mar-2014 |
Sumit Bose <sbose@redhat.com> |
IPA: Use GC for AD initgroup requests
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
48b1db73639135dd4a15ee153f958c912836c621 |
|
03-Mar-2014 |
Sumit Bose <sbose@redhat.com> |
ipa-server-mode: use lower-case user name for home dir
In older IPA server versions where the AD users were looked up by
winbind the user name component of the home directory path was always
lower case. This still holds for IPA clients as well. To avoid
regressions this patch makes the user name component lower case as well.
Fixes https://fedorahosted.org/sssd/ticket/2263
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
26786da26706aeedbda4caea0383c143ed4e59dc |
|
20-Feb-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Don't fail if apply_subdomain_homedir returns ENOENT
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
6d4574a8dd1a9cafbb15631e7d01bdf6e67f821b |
|
20-Feb-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Don't call tevent_req_post outside _send
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
e81deec535d11912b87954c81a1edd768c1386c9 |
|
12-Feb-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Detect the presence of POSIX attributes
When the schema is set to AD and ID mapping is not used, there is a one-time
check ran when searching for users to detect the presence of POSIX
attributes in LDAP. If this check fails, the search fails as if no entry
was found and returns a special error code.
The sdap_server_opts structure is filled every time a client connects to
a server so the posix check boolean is reset to false again on connecting
to the server.
It might be better to move the check to where the rootDSE is retrieved,
but the check depends on several features that are not known to the code
that retrieves the rootDSE (or the connection code for example) such as what
the attribute mappings are or the authentication method that should be used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
8263ecef6f5c6dab802fdabaf57c25fd2fcf692e |
|
05-Feb-2014 |
Pavel Reichl <preichl@redhat.com> |
AD: support for subdomain_homedir
Homedir is by default set according to subdomain_homedir for users from AD.
Resolves:
https://fedorahosted.org/sssd/ticket/2169 |
caee9828ee30609e9f433957dbb3d0163390a207 |
|
28-Aug-2013 |
Sumit Bose <sbose@redhat.com> |
ipa-server-mode: add IPA group memberships to AD users
When IPA trusts an AD domain, AD users or groups can be placed into
IPA groups, e.g. to put AD users under the control of HBAC. Since IPA
groups can only have members from the IPA directory tree and the AD users
and groups are not stored there, a special IPA object called external
group was introduced. SIDs of users and groups can be added to the
external group and since the external groups are in the IPA directory
tree they can be members of IPA groups.
To speed things up and to remove some load from the IPA servers SSSD
reads all external groups and stores them in memory for some time before
rereading the data.
Enhances https://fedorahosted.org/sssd/ticket/1962 |
bbb7ba8890908613b1b723746e091aed740af9f9 |
|
23-Jul-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fix possible dereference of a NULL pointer.
We check if function ipa_get_ad_id_ctx returns NULL,
but function ipa_get_ad_id_ctx could never return NULL.
This issue was found by scan-build. |
3d28e0e560b787b5c57ed7327d184310342a7e38 |
|
28-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Look up AD users directly if IPA server mode is on
https://fedorahosted.org/sssd/ticket/1962
If the ipa_server_mode is selected IPA subdomain user and group lookups
are not done with the help of the extdom plugin but directly against AD
using the AD ID code. |
b8d703cf3aba81800cf1b8ccca64bb00ef0b30f7 |
|
28-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Replace new_subdomain() with find_subdomain_by_name()
new_subdomain() will create a new domain object and should not be used
anymore in the provider code directly. Instead a reference to the domain
from the common domain object should be used. |
dcb44c39dda9699cdd6488fd116a51ced0687de3 |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: sdap_id_ctx might contain several connections
With some LDAP server implementations, one server might provide
different "views" of the identities on different ports. One example is
the Active Directory Global Catalog. The provider would contact a
different view depending on which operation it is performing and against
which SSSD domain.
At the same time, these views run on the same server, which means the same
server options, enumeration, cleanup or Kerberos service should be used.
So instead of using several different failover ports or several
instances of sdap_id_ctx, this patch introduces a new "struct
sdap_id_conn_ctx" that contains the connection cache to the particular
view and an instance of "struct sdap_options" that contains the URI.
No functional changes are present in this patch, currently all providers
use a single connection. Multiple connections will be used later in the
upcoming patches. |
e2f6326ea56217afab7623c542a237ee84eb74da |
|
03-May-2013 |
Sumit Bose <sbose@redhat.com> |
Add SID related lookups to IPA subdomains
This patch adds the functionality to handle lookups by SID and lookups
for SIDs to the subdomain branch of the IPA ID provider. |
2962b3d1e072ff2ebbe343095812dad697d6bf1d |
|
02-May-2013 |
Sumit Bose <sbose@redhat.com> |
Use struct to hold different types of request parameters
Currently the POSIX ID or the user name are passed in different
parameters to some calls. The method will get cumbersome and error-prone
if new parameters like, e.g. the SID, are added. This patch adds a union
to hold the different kind of parameters. |
44c379a27a2d8de0ad933ebb2558b5e82b05fd56 |
|
02-May-2013 |
Sumit Bose <sbose@redhat.com> |
Remove unused attribute list |
b8dcd1216e5ea7065213c750a92dabfe01fa3b70 |
|
10-Feb-2013 |
Simo Sorce <simo@redhat.com> |
Add realm info to sss_domain_info |
e11c7dc43f4ff9897e37cc0d793f8e1fb3b8453a |
|
04-Dec-2012 |
Simo Sorce <simo@redhat.com> |
Use an entry type mask macro to filter entry types
Avoids hardcoding magic numbers everywhere and self documents why a
mask is being applied. |
791abc91fd8b2a7f73511ab8051df1065f9f54b2 |
|
04-Dec-2012 |
Simo Sorce <simo@redhat.com> |
Fix ipa_subdomain_id names and tevent_req style |
f49848d3b32b97b9199f0e06dd7cb6992ff6eecb |
|
08-Nov-2012 |
Sumit Bose <sbose@redhat.com> |
Clarify debug message about initgroups and subdomains
The initgroups request is not handled by the IPA provider for
subdomain users on purpose because the group membership information is
not available on the IPA server but will be directly written to the
cache when the PAC of the user is processed. The old generic debug
message "Invalid sub-domain request type" might be misleading.
This patch adds a specific message for the initgroups case "Initgroups
requests are not handled by the IPA provider but are resolved by the
responder directly from the cache." and increase the debug level so
that typically this message is not shown anymore because it is expected
behaviour.
Fixes https://fedorahosted.org/sssd/ticket/1610 |
70eaade10feedd7845e39170d0b7eebf3a030af1 |
|
12-Oct-2012 |
Sumit Bose <sbose@redhat.com> |
Allow extdom exop to return flat domain name as well
There are cases where the extdom extended operation will return the flat
or NetBIOS name of a domain instead of the DNS domain name. If this name
is available for the current domain we accept it as well.
Related to https://fedorahosted.org/sssd/ticket/1561 |
64ddff90c7fcc02ccb06824ac93af7d5f361a88f |
|
31-May-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Add support for filtering attributes
This patch adds support for filtering attributes when constructing
attribute list from a map for LDAP query. |
ca4b7b92738f3dd463914e3de5757cd98d37a983 |
|
10-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add attr_count return value to build_attrs_from_map()
This is necessary because in several places in the code, we are
appending to the attrs returned from this value, and if we relied
on the map size macro, we would be appending after the NULL
terminator if one or more attributes were defined as NULL. |
881c4ba834b23ae651ac01db667801f314eb0a5d |
|
24-Apr-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Add ID operations in subdomains |