IPA: sanitize name in override search filter Resolves: https://pagure.io/SSSD/sssd/issue/3545 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

sss_cert_derb64_to_ldap_filter: add sss_certmap support Use certificate mapping library if available to lookup a user by certificate in LDAP. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

DP: rename be_acct_req to dp_id_data Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

IPA: Use internal fqname format instead of parsing NSS names Parsing the extdom plugin output is an "input" operation from the point of the IPA provider, so we need to parse the name and conversely, internally use only the qualified name. Reviewed-by: Sumit Bose <sbose@redhat.com>

ipa: add support for certificate overrides Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IPA: Use search timeout, not enum timeout for searching overrides Related: https://fedorahosted.org/sssd/ticket/2866 If the LDAP connection is still established when the client moves offline, we rely on the search timeout to find out the client is offline. The override search used the enum timeout defaults to 60 seconds. That caused too long delays in going offline. Reviewed-by: Sumit Bose <sbose@redhat.com>

views: Add is_default_view helper function Ticket: https://fedorahosted.org/sssd/ticket/2641 Reviewed-by: Pavel Reichl <preichl@redhat.com>

IPA: add get_be_acct_req_for_user_name() Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IPA: check overrrides for IPA users as well Currently overrides were only available for sub-domains, e.g. trusted AD domains. With this patch overrides can be used for IPA users as well. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ipa: add get_be_acct_req_for_uuid() This new call creates the needs data for a lookup by UUID which is needed when trying to find the original object for an IPA override object. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ipa: fix issues with older servers not supporting views Older FreeIPA servers which do not know about the ipaAssignedIDView attribute will return an error during the LDAP dereference request because SSSD marks LDAP extensions as critical. In this case we keep the view name empty and skip override lookups. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

views: search overrides for user and group requests If the name or the POSIX ID of a user or a group is overridden the search request for those objects have to check the overide objects first before looking up the original objects. This patch adds a new request for the IPA sub-domain users which checks the overrides first if - SSSD is running in ipa-server-mode and a name or a POSIX ID is searched, since we do not override the SIDs we can skip the search in the override tree here - if the responder indicates it has not found the corresponding object in the cache and the input might be an override name or ID and not the original one of an object. If an override object was found the SID is extracted from the anchor attribute and the original object is search by its SID. If no override object was found the original object is search with the original input and finally it is checked if an override object exits for the found object. Relates to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

views: get overrides during user and group lookups With this patch the IPA provider will check if overrides exists for the given view during the lookup of users and groups from trusted domains. In ipa-server-mode the default view is automatically applied and written to the cache. On IPA clients which use the extdom plugin for user and group lookups the override data is saved separately and the original object and the override data are linked with DN attributes for faster reference. Related to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

views: add ipa_get_ad_override_send() Related to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>