d2633d922eeed68f92be4248b9172b928c189920 |
|
25-Apr-2018 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Augment the sdap_opts structure with a data provider pointer
In order to be able to use the Data Provider methods from the SDAP code
to e.g. invalidate memcache when needed, add a new field to the
sdap_options structure with the data_provider structure pointer.
Fill the pointer value for all LDAP-based providers.
Related:
https://pagure.io/SSSD/sssd/issue/2653
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
fb0431b13a9fcd8ac31e622503acbd10d2b73ac9 |
|
02-Nov-2017 |
Pavel Březina <pbrezina@redhat.com> |
AD: Remember last site discovered in sysdb
This can speed up sssd startup.
Resolves:
https://pagure.io/SSSD/sssd/issue/3265
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f2e70ec742cd7aab82b74d7e4b424ba3258da7aa |
|
14-Sep-2017 |
Sumit Bose <sbose@redhat.com> |
IPA: fix handling of certmap_ctx
This patch fixes a use-after-free in the AD provider part and
initializes the certmap_ctx with data from the cache at startup.
Related to https://pagure.io/SSSD/sssd/issue/3508
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
386c5f2e134beb6fcfc474f347e226ac0dedfef5 |
|
11-Jul-2017 |
Michal Židek <mzidek@redhat.com> |
SDAP: Add sdap_domain_copy_search_bases
Add function to copy search bases from one sdap_domain to
another.
Resolves:
https://pagure.io/SSSD/sssd/issue/3435
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
21f3d6124ea28218d02e1e345d38e2b948e4ec23 |
|
04-May-2017 |
Michal Židek <mzidek@redhat.com> |
SERVER_MODE: Update sdap lists for each ad_ctx
We use separate AD context for each subdomain in the server mode.
Every such context has its own sdap_domain list which represents
sdap options such as filter and search bases for every domain.
However AD context can only fully initialize sdap_domain structure
for the same domain for which the whole context was created, which
resulted in the other sdap_domain structures having automatically
detected settings. This can cause problems if user is member of
groups from multiple domains.
Resolves:
https://pagure.io/SSSD/sssd/issue/3381
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4c49edbd8df651b1737c59459637962c117212c6 |
|
02-May-2017 |
Michal Židek <mzidek@redhat.com> |
SDAP: Fix handling of search bases
We were rewriting the sdap_domain's search bases for only the first
sdap_domain in the list, which does not work for subdomains.
Also when search bases were already initialized in sdap_domain_subdom_add,
we should only rewrite them when they were explicitly set in sssd.conf.
Resolves:
https://pagure.io/SSSD/sssd/issue/3351
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e0e038218580166648ac24f23180f0f4c2769d99 |
|
29-Mar-2017 |
Michal Židek <mzidek@redhat.com> |
UTIL: Introduce subdomain_create_conf_path()
This is a utility function that replaces the create_subdom_conf_path().
Differently than the latter, it only takes one parameter and is going to
be used in a few different places (thus adding it to util.h).
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukas Slebodnik <lslebodn@redhat.com> |
c44728a02d5e2c9eaced11e74820a6ae6a985f61 |
|
23-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
IPA: add certmap support
Read certificate mapping data from the IPA server and configure the
certificate mapping library accordingly.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
62a1570f01053ec61e894ee3e58fc759ee809c6e |
|
15-Mar-2017 |
Michal Židek <mzidek@redhat.com> |
SUBDOMAINS: Allow options ad(_backup)_server
Allow following options in the subdomain section:
ad_server
ad_backup_server
Resolves:
https://pagure.io/SSSD/sssd/issue/2599
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
231bd1b34023daa3080cf461085e6e4aa7f4d733 |
|
15-Mar-2017 |
Michal Židek <mzidek@redhat.com> |
SUBDOMAINS: Configurable search bases
Added new trusted domain section in the
sssd.conf where the search bases for the
trusted domain can be specified.
Resolves:
https://pagure.io/SSSD/sssd/issue/2599
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ebe05e32b5af9b1ee404ebe492e52096d45fb675 |
|
15-Mar-2017 |
Michal Židek <mzidek@redhat.com> |
data_provider: Fix typo in DEBUG message
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
778f241e78241b0d6b8734148175f8dee804f494 |
|
16-Aug-2016 |
Pavel Březina <pbrezina@redhat.com> |
failover: mark subdomain service with sd_ prefix
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
2427b40566cf63880f3650b26a2fee91cb28de24 |
|
05-Aug-2016 |
Petr Cech <pcech@redhat.com> |
IPA: Changing of confusing debug message
This debug message used to confuse our users. So this patch changes it.
Old version: "Trust direction of %s is %s\n"
New version: "Trust type of [%s]: %s\n"
Resolves:
https://fedorahosted.org/sssd/ticket/3090
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
dea636af4d1902a081ee891f1b19ee2f8729d759 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Switch to new interface
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
cc4caf88344210ea9777d618f0f71935ca5e7f8b |
|
09-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
AD: use krb5_keytab for subdomain initialization
During the initialization of AD subdomains parameters like the SASL auth
id are determined. Since subdomains use a default set of the AD specific
configuration options the default keytab will be used. If krb5_keytab is
set in sssd.conf for the AD domain this keytab should be used for the
subdomains (domains of the same AD forest) as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
149174acae677d1e72a0da431bf0850d55f2ccb4 |
|
24-May-2016 |
Sumit Bose <sbose@redhat.com> |
IPA: use forest name when looking up the Global Catalog
Resolves https://fedorahosted.org/sssd/ticket/3015
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
877b92e80bde510d5cd9f03dbf01e2bcf73ab072 |
|
23-Oct-2015 |
Michal Židek <mzidek@redhat.com> |
util: Update get_next_domain's interface
Update get next domain to be able to
include disabled domains and change the
interface to accept flags instead of
multiple booleans.
Ticket:
https://fedorahosted.org/sssd/ticket/2673
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4c53f8b7400630ae06459aa8b5079427edcaa348 |
|
23-Sep-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Change ipa_server_trust_add_send request to be reusable from ID code
Required for:
https://fedorahosted.org/sssd/ticket/2639
Expose a request ipa_server_trusted_dom_setup_send that sets up a
trusted domain. The setup might include actions like retrieving a keytab
for one-way trusts.
Creating the AD ID context for the trusted domain is now done in the
caller of this new request.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
db5f9ab3feb85aa444eab20428ca2b98801b6783 |
|
14-Aug-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Always re-fetch the keytab from the IPA server
Even if a keytab for one-way trust exists, re-fetch the keytab again and
try to use it. Fall back to the previous one if it exists.
This is in order to allow the admin to re-establish the trust keytabs
with a simple sssd restart.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
6ed964cf2e5a68e92e220f3b9f55029731bcabaa |
|
28-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Handle sssd-owned keytabs when running as root
https://fedorahosted.org/sssd/ticket/2718
This patch handles the case where the keytab is created with sssd:sssd
ownership (perhaps by the IPA oddjob script) but SSSD runs as root,
which is the default in many distributions.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> |
146e024b318dadeb069e8ce8254179f6119747f2 |
|
28-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Better debugging
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> |
d2c552edde275e6c0de904760147afb2992796e9 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Utility function for setting up one-way trust context
Related:
https://fedorahosted.org/sssd/ticket/2638
Reviewed-by: Sumit Bose <sbose@redhat.com> |
0c37b025b3da6bed26d7c84c4254f8ecc05bfc77 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Do not set AD_KRB5_REALM twice
Related:
https://fedorahosted.org/sssd/ticket/2638
Both the AD common code and ipa_ad_ctx_new() used to set AD_KRB5_REALM. As
verified by unit tests, we don't need to set the parameter twice.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
de2bad8ae08f09964834bda0f88db9de39f47c5c |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA/AD: Set up AD domain in ad_create_2way_trust_options
Related:
https://fedorahosted.org/sssd/ticket/2638
Removed code duplication. Amends unit test to make sure we don't
regress.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
51b5e1475b3e0b7acac34ed382cfaca8411883a4 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Rename ad_create_default_options to ad_create_2way_trust_options
Related:
https://fedorahosted.org/sssd/ticket/2638
Better reflects what's going on in the function. Also adds a unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
64ea4127f463798410a2c20e0261c6b15f60257f |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Fetch keytab for 1way trusts
Uses the ipa-getkeytab call to retrieve keytabs for one-way trust
relationships.
https://fedorahosted.org/sssd/ticket/2636
Reviewed-by: Sumit Bose <sbose@redhat.com> |
298e22fc97a99994e025c0d507737d88fe6fafef |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Make constructing an IPA server mode context async
Refactoring in preparation for requesting the keytab in future patches.
Currently it's a fake async that just marks the request as done.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
05d935cc9d04f03522d0bb44598d22d99b085926 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Include ipaNTTrustDirection in the attribute set for trusted domains
Allows distinguishing the trust directions for trusted domains. For
domains where we don't know the direction in server mode, we assume
two-way trusts.
Member domains do not have the direction, but rather the forest root
direction is used.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
27e89b6925334565c73c407a9ae2809358789c81 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Move server-mode functions to a separate module
There are already quite a few functions that are server-mode specific and
there will be even more with one-way trusts. Split the server-mode
specific functions into a separate module.
Reviewed-by: Sumit Bose <sbose@redhat.com> |