History log of /sssd-io/src/providers/ipa/ipa_sudo_conversion.c
Revision Date Author Comments
0f6b5b02afb35caae774ff4d52854a844d49f52e 04-Apr-2018 Jakub Hrozek <jhrozek@redhat.com>

IPA: Qualify the externalUser sudo attribute
We broke the externalUser support with the introduction of the fully qualified attributes, because the provider was saving the data verbatim, but the sudo responder expects a fully qualified name.
Reproducer:
on the server:
    ipa sudocmd-add --desc='For reading log files' /usr/bin/less
    ipa sudorule-add readfiles
    ipa sudorule-add-user --users=lcluser
    ipa sudorule-mod --hostcat=all readfiles
then on the client:
configure sssd with:
    id_provider = files
    sudo_provider = ipa
    ipa_domain = ipa.test
run:
    sudo useradd lcluser
    sudo passwd lcluser
    su - lcluser
    sudo -l
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

60a715a0dd79873d2d2607eab8fdfaf0ffd2e7d3 09-Feb-2018 Hristo Venev <hristo@venev.name>

providers: Move hostid from ipa to sdap, v2 In the ldap provider, all option names are renamed to ldap_host_*. In the ipa provider the names haven't been changed. Host lookups for both ipa and ldap are handled in the ldap provider. sss_ssh_knownhostsproxy works but hostgroups are still only available in the ipa provider. I've also added some documentation for the ldap provider. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

bc854800cc67271205d63136daaf68d7863cea6b 19-Oct-2017 Justin Stephenson <jstephen@redhat.com>

IPA: Add threshold for sudo searches Apply the sudo threshold to IPA provider sudo command and command group searches to prevent SSSD from creating large search filters. The IPA sudo threshold value will utilize the sudo responder sudo_threshold value. If the threshold is exceeded, a basic search filter will be used as a fallback to retrieve all IPA sudo commands or command groups. Resolves: https://pagure.io/SSSD/sssd/issue/3507 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

334029028e566fab3dce5ce4b1b53cc4809c21b8 16-Feb-2017 Petr Čech <pcech@redhat.com>

IPA_SUDO: Unused value fix Unused value was immediately overwritten. Resolves: https://fedorahosted.org/sssd/ticket/3309 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

d0aae3c1e87e2e51ab178b7b343261443094a974 07-Feb-2017 Justin Stephenson <jstephen@redhat.com>

SUDO: Add skip_entry boolean to sudo conversions Add boolean to convert_attributes function and pass boolean as argument to sudo conversion functions to add logic for skipping unexpected entries like replication conflicts. Resolves: https://fedorahosted.org/sssd/ticket/3288 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

b9941359b3181c42f415530d5ccad0f4664d85fa 21-Sep-2016 Lukas Slebodnik <lslebodn@redhat.com>

Remove double semicolon at the end of line Reviewed-by: Pavel Březina <pbrezina@redhat.com>

64497d479e92ebc34717c20c3d017f1823f9e630 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

IPA: Save sudoUser qualified in the cache When converting from the native IPA schema to the sysdb sudo schema, qualify sudoUser attributes that contain user and group names. Reviewed-by: Sumit Bose <sbose@redhat.com>

e547eb597ade731f49b679ce264bbfd907363ff8 18-Apr-2016 Lukas Slebodnik <lslebodn@redhat.com>

IPA_SUDO: Prevent dereference of NULL pointer
Error: NULL_RETURNS (CWE-476): [#def31]
sssd-1.13.4/src/providers/ipa/ipa_sudo_conversion.c:964: returned_null: "ipa_sudo_conv_lookup" returns null.
sssd-1.13.4/src/providers/ipa/ipa_sudo_conversion.c:149:9: return_null: Explicitly returning null.
sssd-1.13.4/src/providers/ipa/ipa_sudo_conversion.c:964: var_assigned: Assigning: "cmdgroup" = null return value from "ipa_sudo_conv_lookup".
sssd-1.13.4/src/providers/ipa/ipa_sudo_conversion.c:966: dereference: Dereferencing a null pointer "cmdgroup".
#  964|       cmdgroup = ipa_sudo_conv_lookup(conv->cmdgroups, listitem->dn);
#  965|
#  966|->     ret = add_strings_lists(mem_ctx, values, cmdgroup->expanded,
#  967|                               false, discard_const(&values));
#  968|       if (ret != EOK) {
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

84060f52e782b079337ee7a99bb7ad17e8c84fbb 14-Mar-2016 Pavel Březina <pbrezina@redhat.com>

IPA SUDO: support old ipasudocmd rdn FreeIPA versions older than 3.1 have rdn sudoCmd instead of ipaUniqueID. Resolves: https://fedorahosted.org/sssd/ticket/2969 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

b0c4eb194cf1414d3440e0cccfb9af9074388c08 14-Mar-2016 Pavel Březina <pbrezina@redhat.com>

IPA SUDO: fix typo Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

991c9f47fcb24704b880f60ab8ee77cfda056e2c 09-Mar-2016 Pavel Březina <pbrezina@redhat.com>

IPA SUDO: download externalUser attribute This allows configuration with id_provider = proxy and sudo_provider = ipa when someone needs to fetch rules for local users. https://fedorahosted.org/sssd/ticket/2972 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a7d2b4f157194c14bc4a40c74f6416b82befa460 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

IPA SUDO: Add support for ipaSudoRunAsExt* attributes Reviewed-by: Sumit Bose <sbose@redhat.com>

9630a4614ba4d5f68e967d4e108893550a996f30 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

IPA SUDO: Implement rules refresh Reviewed-by: Sumit Bose <sbose@redhat.com>

a641a13889d617aca6bd998025e9087e822ff7f0 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

IPA SUDO: Implement full refresh Reviewed-by: Sumit Bose <sbose@redhat.com>