dacfe74113dde62ddaaa7f9abf9d2b6448d89db6 |
|
06-Dec-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Only run the POSIX check with a GC connection
Previously, we used to run the POSIX check also with an LDAP connection.
This was wasteful, but worked, so the waste wasn't the biggest problem
-- the approach would only cause problems with the following patch which
uses a NULL search base to search the Global Catalog, because searching
with a SUBTREE scope and a NULL base returns a referral with an LDAP
connection.
Instead, this patch uses a heuristic (whether the connection ignores
the offline state) to check if the connection is a POSIX one and if it
is NOT, then skips the POSIX check.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
8e93ebb2a6f7644c389c1d1f4e92a21c4d0b2b45 |
|
06-Dec-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Extract the check whether to run a POSIX check to a function
This will reduce the code duplication in the following patches and will
allow keeping all the logic in one place so that when/if we change the
code in the future, we only have to change the single place.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
2c10819750a8d920ab755eba1278e6e20e684e93 |
|
28-Nov-2017 |
Sumit Bose <sbose@redhat.com> |
krb5: show error message for krb5_init_context() failures
If there are typos in /etc/krb5.conf (or one of the included config
snippets), krb5_init_context(), the initial call always needed to do any
other operation with libkrb5, fails because /etc/krb5.conf cannot be
parsed.
Currently the related debug/syslog messages might be misleading, e.g.
failed to read keytab. This is because SSSD does not use a global krb5
context but creates a fresh one for every new request or operation (to
always use the latest settings from /etc/krb5.conf) and typically there
is an error message indicating that the related operation failed but not
giving more details.
Since krb5_init_context() is fundamental for Kerberos support this patch
tries to add as much details as libkrb5 provides in the logs if the call
fails.
Resolves:
https://pagure.io/SSSD/sssd/issue/3586
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com> |
91141c6ae6e6a255cfd66266581671ddd16086b3 |
|
08-Jun-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
UTIL: Remove signal.h from util/util.h
signal.h is not used directly by util/util.h. The header file signal.h
must be included in 19 files and after removing it from util.h it had to be
added only to 12 missing files. And util/util.h is included in 381 files
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
dea636af4d1902a081ee891f1b19ee2f8729d759 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Switch to new interface
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
9a2f018c0f68a3ada4cea4128a861a7f85893f22 |
|
12-Jan-2016 |
Sumit Bose <sbose@redhat.com> |
ldap: remove originalMemberOf if there is no memberOf
Since originalMemberOf is not mapped directly to an original attribute
and is handled specially it is not automatically removed if there is no
memberOf in the original object anymore. This patch puts
originalMemberOf on the list of attributes which should be removed in
that case.
Resolves https://fedorahosted.org/sssd/ticket/2917
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ba17e124aa7003a92680eda5df0a9b5292c8c19c |
|
02-Nov-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
SDAP: Remove unused sdap_id_ctx from sdap_id_conn_cache_create
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
63fb0857378c450d9806b1a3c6bb5657f00a8ba1 |
|
11-Sep-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Remove unused function
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
7abec79ff6eeaff043c995bbb0a152ca3e0744e7 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Consolidate SDAP_SASL_REALM/SDAP_KRB5_REALM behaviour
Reviewed-by: Sumit Bose <sbose@redhat.com> |
16d6c2d2030f0869eed2a8d163cc1cc1bd788838 |
|
04-Jun-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Fix DEBUG message
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
82a4f022ec1cbb9530ffa21d95474152b24acf50 |
|
18-Feb-2014 |
Pavel Březina <pbrezina@redhat.com> |
ldap: move domain related content from ldap_common.c to sdap_domain.c
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ce35bb272d25926b8fa0f9450c8b74064f25c816 |
|
18-Feb-2014 |
Pavel Březina <pbrezina@redhat.com> |
ldap: move options related content from ldap_common.c to ldap_options.c
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
430cc9ad62e0d7d1bd8dc7c65be2bfcf087c5e5c |
|
18-Feb-2014 |
Pavel Březina <pbrezina@redhat.com> |
sdap: move sdap_get_id_specific_filter() to sdap_utils.c
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
83bf46f4066e3d5e838a32357c201de9bd6ecdfd |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Update DEBUG* invocations to use new levels
Use a script to update DEBUG* macro invocations, which use literal
numbers for levels, to use bitmask macros instead:
grep -rl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e 'use strict;
use File::Slurp;
my @map=qw"
SSSDBG_FATAL_FAILURE
SSSDBG_CRIT_FAILURE
SSSDBG_OP_FAILURE
SSSDBG_MINOR_FAILURE
SSSDBG_CONF_SETTINGS
SSSDBG_FUNC_DATA
SSSDBG_TRACE_FUNC
SSSDBG_TRACE_LIBS
SSSDBG_TRACE_INTERNAL
SSSDBG_TRACE_ALL
";
my $text=read_file(\*STDIN);
my $repl;
$text=~s/
^
(
.*
\b
(DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
\s*
\(\s*
)(
[0-9]
)(
\s*,
)
(
\s*
)
(
.*
)
$
/
$repl = $1.$map[$3].$4.$5.$6,
length($repl) <= 80
? $repl
: $1.$map[$3].$4."\n".(" " x length($1)).$6
/xmge;
print $text;
' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
f8407faaeb6726bef6463d84f183f2b0ad1f99d4 |
|
29-Jan-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Pass a private context to enumeration ptask instead of hardcoded connection
Previously, the sdap-domain enumeration request used a single connection context to
download all the data. Now we'd like to use different connections to
download different objects, so the ID context is passed in and the
request itself decides which connection to use for the sdap-domain
enumeration. |
630329785c4d6400a3df2fba29ee0fa9a6bb29ef |
|
20-Jan-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Fix error check
https://fedorahosted.org/sssd/ticket/2199 |
2743db79b1d1f72ba7aaafde02e3f0b888e6dacd |
|
29-Nov-2013 |
Pavel Reichl <pavel.reichl@redhat.com> |
SSSD: Improved domain detection
A bit more elegant way of detection of what domain the group member belongs to
Resolves:
https://fedorahosted.org/sssd/ticket/2132 |
7d8d8854d0e2bc7a038a87ea6b69b5da01128fc3 |
|
12-Nov-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Remove unused variable |
3242dd4a49c3869c9b066a63afb81cebf1a35b7d |
|
12-Nov-2013 |
Simo Sorce <simo@redhat.com> |
Signals: Refactor termination of processes
sig_term() was never used as a real signal handler, but only called by tevent
signal handlers in the kerberos and ldap children.
Also the same code was duplicated with separate local guard variables in other
functions.
Unify orderly termination handling, between all these functions. |
407123c67114bf010cdad4418f291f9fb3762f4a |
|
12-Nov-2013 |
Cove Schneider <cove@ilm.com> |
Add ldap_autofs_map_master_name option |
d81ce5550ba1fdebd958483d7322052c8b39c33b |
|
30-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
sdap: add sdap_domain_get_by_dn()
This function will find the sdap domain by comparing the object dn
with the domain base dn.
Resolves:
https://fedorahosted.org/sssd/ticket/2064 |
c704c35ae7ab3861c78371437e3a9ed06ba93d8b |
|
30-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
sdap: store base dn in sdap_domain
Groups may contain members from different domains. Remembering
base dn in domain object gives us the ability to simply lookup
correct domain by comparing object dn with domain base dn.
Resolves:
https://fedorahosted.org/sssd/ticket/2064 |
ed2f9b9b444f146429a28d02b1e3b7c97a5cfad7 |
|
30-Oct-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Return correct error code
If talloc_array returns NULL we should return the right error code from function
sdap_domain_subdom_add. It might happen that we could return either a wrong error
code or an uninitialized variable ret. |
6e3f79799ce7e736dd19ae2e05a60dc1901613f1 |
|
25-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
dp: convert cleanup task to be_ptask
Resolves:
https://fedorahosted.org/sssd/ticket/1968 |
efe6b4a9d374339cac2528cdeb43720957c6b7c9 |
|
25-Oct-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Use the ad_access_filter if it's set
Related:
https://fedorahosted.org/sssd/ticket/2082
Currently the AD access control only checks if an account has been
expired. This patch amends the logic so that if ad_access_filter is set,
it is used automatically. |
794bfc68c39ce19e66eb20083adb19d5079d0431 |
|
20-Sep-2013 |
Sumit Bose <sbose@redhat.com> |
sdap_domain_add: remove too strict consistency check
The check worked for simple setups but fails e.g. in environment with
trusts. |
9dc153a402a36eeb6edbbf23ef489d957b9a76d0 |
|
20-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Deprecate ldap_{user,group}_search_filter |
21f749c9300a1a51f3eb83d7f1483ec2fe15b3cc |
|
18-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: sdap_id_setup_tasks accepts a custom enum request
AD provider will override the default with its own. |
57cd3443dcb7c073c5a00a9f2c3c3a3030ae2d3e |
|
11-Sep-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fix formatting of variables with type: long |
1c4144a6ce68dbd54c7c08a517d1f982ea57f19a |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Make sdap_id_setup_tasks reusable for subdomains
Instead of always performing the setup for the main domain, the setup
can now be performed for subdomains as well. |
66edf42c51f8591c93204b6490c103fa51346f47 |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Make the cleanup task reusable for subdomains
Instead of always performing the cleanup on the main domain, the task
now accepts a sdap_domain structure to perform the cleanup on. This
change will make the cleanup task reusable for subdomains. |
5894f059b6f97a9dfd63f6e9ab544c636dd58665 |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Convert enumeration to the ptask API
https://fedorahosted.org/sssd/ticket/1942
Identity providers other than LDAP need to customize the enumeration in
different ways while sharing the way the task is scheduled etc. The
easiest way to accomplish it is to leverage the recently introduced
ptask framework. |
4e3ba17a3376b635cb0d9ae60a6d4e712ded01a0 |
|
28-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Move storing sdap_domain for subdomain to generic LDAP code
Makes creating the sdap_domain structure for a subdomain reusable
outside AD subdomain code where it was created initially.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962 |
14452cd066b51e32ca0ebad6c45ae909a1debe57 |
|
10-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
A new option krb5_use_kdcinfo
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf |
556040eac686265f8a3b20e2a744210607cba95c |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: split a function to create search bases
This function will be used later to fill the sdap_domain structures with
search bases. |
749cfb5d3270b5daf389d51a0dbd3fd2aec6e05d |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: new SDAP domain structure
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain. |
dcb44c39dda9699cdd6488fd116a51ced0687de3 |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: sdap_id_ctx might contain several connections
With some LDAP server implementations, one server might provide
different "views" of the identities on different ports. One example is
the Active Directory Global catalog. The provider would contact a
different view depending on which operation it is performing and against
which SSSD domain.
At the same time, these views run on the same server, which means the same
server options, enumeration, cleanup or Kerberos service should be used.
So instead of using several different failover ports or several
instances of sdap_id_ctx, this patch introduces a new "struct
sdap_id_conn_ctx" that contains the connection cache to the particular
view and an instance of "struct sdap_options" that contains the URI.
No functional changes are present in this patch, currently all providers
use a single connection. Multiple connections will be used later in the
upcoming patches. |
7119f0c483049a8850d3075c0b1062f35200a538 |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Do not obfuscate calls with booleans
Instead of using boolean variables to denote whether the call is adding
a primary or a secondary server, use a function wrapper that tells what
it's doing by its name. |
a157a30729b3733e72b8a344ea79558613349bf6 |
|
27-May-2013 |
Sumit Bose <sbose@redhat.com> |
Handle SID strings in sdap_attrs_get_sid_str() as well
This patch adds a basic check if the SID returned by the LDAP server is
in a string representation. If not, it is assumed that a binary SID was
returned by the LDAP server which is converted into a string
representation which is returned to the caller. |
8e5549e453558d4bebdec333a93e215d5d6ffaec |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Introduce be_req_terminate() helper
Call it everywhere instead of directly dereferencing be_req->fn
This is in preparation of making be_req opaque. |
df0596ec12bc5091608371e2977f3111241e8caf |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove sysdb as a be context structure member
The sysdb context is already available through the 'domain' structure. |
80c6afa474d8a1e0198832bddfe5da75a9818b29 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_has/set_enumerated() |
04759b59e71c78ab23b84d13dd29d9c6dd680adb |
|
02-Jan-2013 |
Michal Zidek <mzidek@redhat.com> |
failover: Protect against empty host names
Added new parameter to split_on_separator that allows skipping
empty values.
The whole function was rewritten. Unit test case was added to
check the new implementation.
https://fedorahosted.org/sssd/ticket/1484 |
24c3186d01d8d1c11832baab24ab3f0de121c666 |
|
19-Nov-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Make it possible to use full principal in ldap_sasl_authid again |
459f70d567c211f860244f75f2878c3a446c2a38 |
|
19-Nov-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Checking the principal should not be considered fatal
The check is too restrictive as the select_principal_from_keytab can
return something else than user requested right now.
Consider that the user queries for host/myserver@EXAMPLE.COM, then the
select_principal_from_keytab function will return "myserver" in primary and
"EXAMPLE.COM" in realm. So the caller needs to add logic to also break
down the principal to get rid of the host/ part. The heuristics would
simply get too complex.
select_principal_from_keytab will error out anyway if there's no
suitable principal at all. |
e0d861963e10c5aba79ad87f8c48b0ce1bec06ca |
|
19-Nov-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Provide a common sdap_set_sasl_options init function
The AD and IPA initialization functions shared the same code. This patch
moves the code into a common initialization function. |
245c6b5db07249ecead23263f15c5c68c641134d |
|
10-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix segfault when ID-mapping an entry without a SID
If there was no SID attribute, then we would have detected it by
checking the number of values of an element. We would however happily
return EOK in that case and save garbage into the sid_str.
This was causing a segfault when the entry was supposed to be ID-mapped but
had no SID. |
507521d5a753aaa800bd0ca25beb509c0f20b9b4 |
|
24-Sep-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: Do not fail if search base is not provided |
b1caacb098ae99ad65144120fdec4d0fd98ad9d5 |
|
17-Sep-2012 |
Pavel Březina <pbrezina@redhat.com> |
Failover: use _srv_ when no primary server is defined
https://fedorahosted.org/sssd/ticket/1521 |
b096321a5a02dda0b6b71ba0f9c4d8feacd979e4 |
|
23-Aug-2012 |
Michal Zidek <mzidek@redhat.com> |
Fix: IPv6 address with square brackets doesn't work.
https://fedorahosted.org/sssd/ticket/1365 |
9ab243b369ba317cc964080786dbcdebaf23d6be |
|
15-Aug-2012 |
Michal Zidek <mzidek@redhat.com> |
Duplicate detection in fail over did not work.
https://fedorahosted.org/sssd/ticket/1472 |
4a1e58d85409fbb7a12ac244c3dbef8c0c1b15df |
|
09-Aug-2012 |
Michal Zidek <mzidek@redhat.com> |
SRV resolution for backup servers should not be permitted.
https://fedorahosted.org/sssd/ticket/1463 |
abd079e56ca59ce8d6a04fe132d8c7c60f7e3b63 |
|
06-Aug-2012 |
Pavel Březina <pbrezina@redhat.com> |
shadow attributes can contain -1
https://fedorahosted.org/sssd/ticket/1393 |
07b7b76d7cd494cbd26263503ba2732c21819941 |
|
01-Aug-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Primary server support: new options in krb5 provider
This patch adds support for new config options krb5_backup_server and
krb5_backup_kpasswd. The description of this option's functionality
is included in man page in one of previous patches. |
d7e3035f018828fcd41b0cc1c0012fab6012f782 |
|
01-Aug-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Primary server support: LDAP adaptation
This patch adds support for the primary server functionality into LDAP
provider. No backup servers are added at the moment, just the basic
support is in place. |
bbd33e46aa6194c1086939f7cf8538c067186455 |
|
01-Aug-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Primary server support: basic support in failover code
Now there are two lists of servers for each service. If the currently
selected server is only backup, then an event will be scheduled which
tries to get connection to one of primary servers and if it succeeds,
it starts using this server instead of the one which is currently
connected to. |
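The failover-related entries above (empty host names in split_on_separator, 02-Jan-2013; _srv_ as the default when no primary is defined, 17-Sep-2012; IPv6 literals in square brackets, 23-Aug-2012; duplicate detection, 15-Aug-2012; no SRV resolution for backups, 09-Aug-2012; the primary/backup lists, 01-Aug-2012) describe one parsing and selection policy. The following is an added example that implements that policy in Python; it is not SSSD's failover code. The option names ldap_uri and ldap_backup_uri and the "_srv_" marker are assumed from SSSD's configuration syntax, and the sample lists at the bottom are constructed.

```python
"""Build primary/backup server lists the way the failover entries above describe.

Added example for this page; it is not SSSD's failover code, and the option
names ldap_uri / ldap_backup_uri and the "_srv_" marker are assumed from
SSSD's configuration syntax. Rules implemented: values are split on commas
and whitespace with empty items skipped, IPv6 literals in square brackets
are accepted, duplicates are dropped, a URI with no host is ignored,
"_srv_" (SRV resolution) is only permitted in the primary list, and an
empty primary list falls back to "_srv_". A small cursor then walks the
servers primaries-first and reports when a primary should be retried.
"""
import re
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit

SRV_TOKEN = "_srv_"
SCHEMES = ("ldap", "ldaps", "ldapi")


class Server(NamedTuple):
    scheme: str
    host: str               # SRV_TOKEN for an SRV-resolved entry
    port: Optional[int]
    primary: bool


def split_on_separator(value: str, skip_empty: bool = True) -> List[str]:
    """Split a config value on commas/whitespace, dropping empty items if asked."""
    items = [item.strip() for item in re.split(r"[,\s]+", value)]
    return [item for item in items if item] if skip_empty else items


def parse_server(item: str, primary: bool) -> Optional[Server]:
    """Parse one list item; None means "nothing usable here, skip it"."""
    if item.lower() == SRV_TOKEN:
        if not primary:
            raise ValueError("SRV resolution is not permitted for backup servers")
        return Server("srv", SRV_TOKEN, None, primary)
    if "://" not in item:
        item = "ldap://" + item          # bare host[:port] form
    parts = urlsplit(item)
    if parts.scheme not in SCHEMES:
        raise ValueError("unsupported URI scheme in %r" % item)
    if not parts.hostname:               # e.g. "ldap://" parses to no host
        return None
    return Server(parts.scheme, parts.hostname, parts.port, primary)


def build_server_list(ldap_uri: str, ldap_backup_uri: str = "") -> List[Server]:
    """Combine both option values into one de-duplicated list, primaries first."""
    servers: List[Server] = []
    seen = set()
    for text, primary in ((ldap_uri, True), (ldap_backup_uri, False)):
        for item in split_on_separator(text):
            server = parse_server(item, primary)
            if server is None:
                continue
            key = (server.scheme, server.host, server.port)
            if key in seen:              # duplicate detection across both lists
                continue
            seen.add(key)
            servers.append(server)
    if not any(s.primary for s in servers):
        servers.insert(0, Server("srv", SRV_TOKEN, None, True))
    return servers


class Failover:
    """Round-robin over the list, primaries before backups."""

    def __init__(self, servers: List[Server]):
        if not servers:
            raise ValueError("no servers configured")
        self.order = [s for s in servers if s.primary] + [s for s in servers if not s.primary]
        self.current: Optional[Server] = None

    def next_server(self) -> Server:
        if self.current is None:
            self.current = self.order[0]
        else:
            self.current = self.order[(self.order.index(self.current) + 1) % len(self.order)]
        return self.current

    def should_retry_primary(self) -> bool:
        """True when connected to a backup; the caller should schedule a primary retry."""
        return self.current is not None and not self.current.primary


if __name__ == "__main__":
    # Constructed sample lists: an empty item, an IPv6 literal and a duplicate.
    servers = build_server_list("ldap://ldap1.example.com, , [2001:db8::1]:636",
                                "ldaps://backup.example.com, ldap://ldap1.example.com")
    fo = Failover(servers)
    for _ in servers:
        s = fo.next_server()
        print(s, "retry primary" if fo.should_retry_primary() else "")
```

The cursor is deliberately stateless about connection health; a real client would call next_server() after a failed connect and, while should_retry_primary() is true, periodically attempt the primaries again, as the 01-Aug-2012 entry describes.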
42aeb975864c3c3ba971fd04c61a1aaf6e69905b |
|
06-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Rename user and group maps for AD
This will eliminate ambiguity for the AD provider |
69905bf968003216d444fc68d8597e139362f2e6 |
|
06-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
KRB5: Drop memctx parameter of krb5_try_kdcip
This function is not supposed to return any newly-allocated memory
directly. It was actually leaking the memory for krb5_servers if
krb5_kdcip was being used, though it was undetectable because it
was allocated on the provided memctx.
This patch removes the memctx parameter and allocates krb5_servers
temporarily on NULL and ensures that it is freed on all exit
conditions. It is not necessary to retain this memory, as
dp_opt_set_string() performs a talloc_strdup onto the appropriate
context internally.
It also updates the DEBUG messages for this function to the
appropriate new macro levels. |
5f73b623fc72e3b9b3590420825f30e618b4d4dd |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo ldap provider: load host filter configuration on init
We need to load host information during provider initialization.
Currently it loads only values from configuration files, but it is
implemented as an asynchronous request as it will later try to
autodetect these settings (which will need to contact DNS). |
387349ae092f6dbeb8e4bca291a772695836629c |
|
20-Jun-2012 |
Stef Walter <stefw@gnome.org> |
Move some debug lines to new debug log levels
* These are common lines of debug output when starting
up sssd
https://bugzilla.redhat.com/show_bug.cgi?id=811113 |
64ddff90c7fcc02ccb06824ac93af7d5f361a88f |
|
31-May-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Add support for filtering attributes
This patch adds support for filtering attributes when constructing
attribute list from a map for LDAP query. |
ca4b7b92738f3dd463914e3de5757cd98d37a983 |
|
10-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add attr_count return value to build_attrs_from_map()
This is necessary because in several places in the code, we are
appending to the attrs returned from this value, and if we relied
on the map size macro, we would be appending after the NULL
terminator if one or more attributes were defined as NULL. |
58d02e0d3d6d48c97fccdb2ad7212e065671ad6d |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add helper routine to convert LDAP blob to SID string |
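Three entries on this page concern the same conversion: the helper that turns an LDAP blob into a SID string (03-May-2012, above), the segfault when an entry had no SID at all (10-Oct-2012) and the later acceptance of SIDs that the server already returns as text (27-May-2013). The following is an added example in Python that covers all three cases; it is not SSSD's sdap_attrs_get_sid_str() or its ID-mapping code. The binary layout it decodes is the standard Windows SID encoding, and the sample SID at the bottom is constructed.

```python
"""Convert an LDAP objectSid value to its "S-1-..." string form.

Added example for this page; it is not SSSD's sdap_attrs_get_sid_str()
or ID-mapping code. It follows the behaviour the log entries describe:
a value already in string form is passed through, a binary SID is
decoded, and a missing or malformed value raises instead of returning
garbage. The binary layout is the Windows SID encoding: one revision
byte, one sub-authority count byte, a 48-bit big-endian identifier
authority, then count little-endian 32-bit sub-authorities.
"""
import struct
from typing import List, Optional, Union

SID_REVISION = 1


def encode_sid(authority: int, sub_auths: List[int]) -> bytes:
    """Build the binary encoding; used here only to construct the sample."""
    if not 0 <= authority < 2 ** 48 or not 0 <= len(sub_auths) <= 15:
        raise ValueError("authority or sub-authority count out of range")
    head = struct.pack("<BB", SID_REVISION, len(sub_auths))
    ident = authority.to_bytes(6, "big")
    body = b"".join(struct.pack("<I", s) for s in sub_auths)
    return head + ident + body


def sid_to_str(value: Union[bytes, str, None]) -> str:
    """Return the "S-R-A-S1-S2-..." form of an objectSid attribute value.

    Raises ValueError when the attribute is absent (the case that used
    to crash) or when the bytes are not a well-formed SID.
    """
    if value is None or len(value) == 0:
        raise ValueError("entry has no SID attribute")
    if isinstance(value, str):
        value = value.encode("ascii")
    if value.startswith(b"S-"):
        # Already a string (e.g. from a server that stores SIDs as text).
        text = value.decode("ascii")
        parts = text.split("-")
        if len(parts) < 3 or not all(p.isdigit() for p in parts[1:]):
            raise ValueError("malformed SID string %r" % text)
        return text
    if len(value) < 8:
        raise ValueError("binary SID too short")
    revision, count = struct.unpack_from("<BB", value, 0)
    if revision != SID_REVISION:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(value) != 8 + 4 * count:
        raise ValueError("binary SID length does not match sub-authority count")
    authority = int.from_bytes(value[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, value, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_or_none(value: Union[bytes, str, None]) -> Optional[str]:
    """For callers that want to skip entries without a usable SID."""
    try:
        return sid_to_str(value)
    except ValueError:
        return None


# Constructed sample: the same SID in both forms an LDAP server may return.
SAMPLE_SID_TEXT = "S-1-5-21-3623811015-3361044348-30300820-1013"
SAMPLE_SID_BLOB = encode_sid(5, [21, 3623811015, 3361044348, 30300820, 1013])

if __name__ == "__main__":
    print(sid_to_str(SAMPLE_SID_BLOB))
    print(sid_to_str(SAMPLE_SID_TEXT))
    print(sid_or_none(None))
```

The length check against the sub-authority count is what protects an ID-mapping caller: a truncated blob is rejected up front rather than producing a SID string with a wrong RID.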
65e8f538ad35ba7d86cd9e60a3d86aec34537027 |
|
28-Mar-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Put dp_option maps in their own file
There is no functional change due to this patch. |
5b9c04e210aaf36d45d346dac38b8f7f70e17025 |
|
16-Mar-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix uninitialized variable |
5363682fb2f4ed7fd0112ac46bb603424179acb7 |
|
14-Mar-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add AD 2008r2 schema
https://fedorahosted.org/sssd/ticket/1031 |
e840b9da42d696eb86307c641f5196f12ec4b9c4 |
|
01-Mar-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
IPA: Set the DNS discovery domain to match ipa_domain
https://fedorahosted.org/sssd/ticket/1217 |
3ff729e6c8a371e7a52914772816c39ca73c50a9 |
|
24-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Modifications to simplify list_missing_attrs |
087219897d8b8a92d7d33da3fa30883d40ad8cdb |
|
23-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
IPA: Add ipa_parse_search_base()
Previously, we were using sdap_parse_search_base() for setting up
the search_base objects for use in IPA. However, this was
generating unfriendly log messages about unknown search base
types. This patch creates a new common_parse_search_base() routine
that can be used with either LDAP or IPA providers.
https://fedorahosted.org/sssd/ticket/1151 |
3bea01f01d76e1e95a8239c0d3f67073992136a1 |
|
22-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Don't give memory context in confdb where not needed |
bbee21a2b99ebd1eca24d0a3d48c998747d68fdc |
|
13-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Add missing breaks to switch statements
Coverity #12525 and #12524 |
af5a58fc3811af8521721f731d8234d983042cea |
|
07-Feb-2012 |
Jan Cholasta <jcholast@redhat.com> |
LDAP: Add support for SSH user public keys |
c9750312bfb4196b49ba6f91b26489f630958452 |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Update shadowLastChanged attribute during LDAP password change
https://fedorahosted.org/sssd/ticket/1019 |
cc84fd46f356c4a36a721ab135a33ec77c93e34d |
|
06-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: LDAP provider |
5d00ee0e07dea78806df780db69e94900e5bb8c0 |
|
04-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Move BUILD_SUDO outside the generic LDAP source files
Avoid #ifdefs in the general part of the code |
bd92e8ee315d4da9350b9ef0358c88a7b54aeebe |
|
04-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
NSS: Add individual timeouts for entry types
https://fedorahosted.org/sssd/ticket/1016 |
169fa5bd3edd34aa0db35681832bd7406e423c1b |
|
04-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Do not fail if RootDSE check cannot determine search bases
https://fedorahosted.org/sssd/ticket/1152 |
796463906a54e259bd5b582ce84af4297a58eafc |
|
31-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add support for service lookups (non-enum) |
8270b1b8505e4bce5ec065daa8fcdf985e1fc9f5 |
|
18-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add option to disable paging control
Fixes https://fedorahosted.org/sssd/ticket/967 |
4e19af30cbaf819bdd88f7d0390aeabeb2797a60 |
|
18-Jan-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Do not use sudo symbols in LDAP provider unconditionally |
eb54e05c9658a7274e3238813c54dd0c6577d3ec |
|
17-Jan-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - periodical update of rules in data provider
https://fedorahosted.org/sssd/ticket/1110
Adds new configuration options:
- ldap_sudo_refresh_enabled - enable/disable periodical updates
- ldap_sudo_refresh_timeout - rules timeout (refresh period) |
f643754db81eeade60485bbe3d80324d889cc4f3 |
|
17-Jan-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration review issues |
10b6b1fc57bb7c2edb4cfd0a0038303bd33722bc |
|
16-Dec-2011 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - LDAP configuration options |
75a43c7f91fcb27dee75976cc7c094dd5fa589f6 |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Export the function to convert ldb_result to sysdb_attrs
It will be reused later in the sudo responder |
440d7fb430f83b3547f98f79c67a232ab2220296 |
|
12-Dec-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add sdap_connection_expire_timeout option
https://fedorahosted.org/sssd/ticket/1036 |
8c60644bd8f2d739ff7a58b3717929254d09dfbe |
|
08-Dec-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Add ldap_sasl_minssf option
https://fedorahosted.org/sssd/ticket/1075 |
9f761434e5fbc5c033a85fb69d6e360e3ba4db58 |
|
23-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Modified sdap_parse_search_base() |
ed80a7f8ff76089bdcfae7007dbdef42d05e2cc8 |
|
02-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Support to request canonicalization in LDAP/IPA provider
https://fedorahosted.org/sssd/ticket/957 |
357efd33759fd1297723d9956a7f77226fe26871 |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Convert ldap_*_search_filter
Instead of making this a global option for all user lookups, make
it only used if the search base is passed without an explicit
filter. |
09b663e6dfd2ed09cead04f926d3e99e9ac01894 |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add parser for multiple search bases |
82962098e3848ed039a57522d74fc500bc6df8ad |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Make sdap_get_id_specific_filter() more strict |
fa3db4695a82b09cab30d0499114159b836e6357 |
|
20-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix uninitialized pointer read in sdap_gssapi_get_default_realm()
https://fedorahosted.org/sssd/ticket/1003 |
7452c325c1440feae92ac9862ea0121ea2446af4 |
|
26-Aug-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use the default Kerberos realm for LDAP with GSSAPI auth
https://fedorahosted.org/sssd/ticket/970 |
a2e6bd6ed16c92799d435043450f6156a773a6dc |
|
26-Aug-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add LDAP provider option to set LDAP_OPT_X_SASL_NOCANON
https://fedorahosted.org/sssd/ticket/978 |
8a1738f9379a1b8fb5c95c3df649e014ff5a1434 |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
sysdb refactoring: deleted domain variables in sysdb API
The patch also updates code using modified functions. Tests have also
been adjusted. |
9b85268eabe33d624b9d184251e89c0c7ae829a2 |
|
21-Jul-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
fo_get_server_name() getter for a server name
Allows one to be more concise in tests and more defensive in resolve
callbacks |
363d2fba991eae199d017f5b2d1b458f070fac6b |
|
21-Jul-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Rename fo_get_server_name to fo_get_server_str_name |
a9fac774429097a8cf8c945fab94768fc7e87c05 |
|
21-Jul-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Do not add a NULL host parsed from LDAP URI
https://fedorahosted.org/sssd/ticket/911 |
37e7e93f1996cf50677cf59fd8af6938dd5d85b2 |
|
08-Jul-2011 |
Sumit Bose <sbose@redhat.com> |
Add LDAP access control based on NDS attributes |
31442edcf62c284d5d983bda48e51ae55b70ebdf |
|
08-Jul-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add helper function msgs2attrs_array
This function converts a list of ldb_messages into a list of
sysdb_attrs. |
fda9ee900387d9d793e3696cd32b73c253097fe3 |
|
30-Jun-2011 |
Sumit Bose <sbose@redhat.com> |
Use name based URI instead of IP address based URIs |
7087d51975f4059591c04718def24ba7b753644c |
|
30-Jun-2011 |
Sumit Bose <sbose@redhat.com> |
Add sockaddr_storage to sdap_service |
1240496176a07e804c57d43926509d5ccbf0fc41 |
|
15-Jun-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Switch resolver to using resolv_hostent and honor TTL |
65d6947bc1f6bbe59c95ff3120b435a8acccc1d3 |
|
02-Jun-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use escaped IP addresses in LDAP provider |
34000a9baa70a9414330dc07b1fbdb8173a7961c |
|
24-May-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Make "password" the default for ldap_default_authtok_type |
7bdaf2a712d73763e7c3d25f6bb544b18f7028eb |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use dereference when processing RFC2307bis nested groups
Instead of issuing N LDAP requests when processing a group with N users,
utilize the dereference functionality to pull down all the members in a
single LDAP request.
https://fedorahosted.org/sssd/ticket/799 |
b35da26911249aa48052655eef02f16e12930cf9 |
|
27-Apr-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add ldap_page_size configuration option |
e81a816cddab4a62f263d1a0274d5d3f101e8e0f |
|
25-Apr-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Modify principal selection for keytab authentication
Currently we construct the principal as host/fqdn@REALM. The problem
with this is that this principal doesn't have to be in the keytab. In
that case the provider fails to start. It is better to scan the keytab
and find the most suitable principal to use. Only in case no suitable
principal is found the backend should fail to start.
The second issue solved by this patch is that the realm we are
authenticating the machine to can be in general different from the realm
our users are part of (in case of cross Kerberos trust).
The patch adds new configuration option SDAP_SASL_REALM.
https://fedorahosted.org/sssd/ticket/781 |
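The entry above (25-Apr-2011) and the later one dated 19-Nov-2012 ("Checking the principal should not be considered fatal") both turn on how a principal is picked out of the keytab and split into its parts. The following is an added example in Python; it is not SSSD's select_principal_from_keytab(). The keytab is a constructed list of principal strings (what `klist -k` would list), and the preference order is an assumption chosen to match the two entries: an explicitly requested principal first, then host/<fqdn> in the configured realm, then any principal in that realm, then whatever the keytab holds, failing only on an empty keytab.

```python
"""Select which keytab principal to use for the SASL/GSSAPI bind.

Added example for this page; it is not SSSD's select_principal_from_keytab().
The keytab is a constructed list of principal strings and the preference
order is an assumption (see the lead-in). The returned Principal is split
into primary, instance and realm, so a caller that only wants the SASL
realm does not have to strip the "host/" part itself.
"""
from typing import List, NamedTuple, Optional


class Principal(NamedTuple):
    primary: str
    instance: Optional[str]
    realm: str

    def name(self) -> str:
        """The part before the @: "primary" or "primary/instance"."""
        return self.primary if self.instance is None else "%s/%s" % (self.primary, self.instance)

    def text(self) -> str:
        return "%s@%s" % (self.name(), self.realm)


def parse_principal(text: str) -> Principal:
    """Split "primary[/instance]@REALM"; a missing realm is an error."""
    name, at, realm = text.rpartition("@")
    if not at or not name or not realm:
        raise ValueError("not a full principal: %r" % text)
    primary, slash, instance = name.partition("/")
    return Principal(primary, instance if slash else None, realm)


def select_principal(keytab: List[str], hostname: str,
                     realm: Optional[str] = None,
                     requested: Optional[str] = None) -> Principal:
    """Pick the most suitable principal; only an empty keytab is fatal."""
    entries = [parse_principal(p) for p in keytab]
    if not entries:
        raise LookupError("keytab contains no principals")
    fqdn = hostname.lower()

    def in_realm(e: Principal) -> bool:
        return realm is None or e.realm == realm

    def first(pred):
        return next((e for e in entries if pred(e)), None)

    candidates = []
    if requested:
        if "@" in requested:
            want = parse_principal(requested)
            candidates.append(lambda e: e == want)
        else:
            # Name without realm: accept any realm unless one was configured.
            candidates.append(lambda e: e.name() == requested and in_realm(e))
    candidates.append(lambda e: e.primary == "host" and e.instance is not None
                      and e.instance.lower() == fqdn and in_realm(e))
    candidates.append(in_realm)
    candidates.append(lambda e: True)

    for pred in candidates:
        found = first(pred)
        if found is not None:
            return found
    raise LookupError("unreachable: keytab is non-empty")


# Constructed keytab listing: a host key in one realm and a machine
# account in a trusted realm, as in the cross-realm case the entry describes.
SAMPLE_KEYTAB = [
    "nfs/ws1.example.com@EXAMPLE.COM",
    "host/ws1.example.com@EXAMPLE.COM",
    "WS1$@AD.CORP",
]

if __name__ == "__main__":
    chosen = select_principal(SAMPLE_KEYTAB, "ws1.example.com", "EXAMPLE.COM")
    print(chosen.text(), "-> SASL realm", chosen.realm)
    print(select_principal(SAMPLE_KEYTAB, "ws1.example.com", "AD.CORP").text())
```

Whatever is selected, the realm of the returned principal is the one to hand to the SASL layer; that is the point of keeping the machine realm separate from the users' realm in the entry above.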
361b29ff4cc0eac948074cb0f54fdc7bd556a1b6 |
|
19-Apr-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add user and group search LDAP filter options
https://fedorahosted.org/sssd/ticket/647 |
68c5b7f6cb855c5742db2502533d02c92847fca3 |
|
12-Apr-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Never remove gecos from the sysdb cache
Now that gecos can come from either the 'gecos' or 'cn' attributes,
we need to ensure that we never remove it from the cache. |
3612c73e7957721bcbf31d0118e2ac210eb46b88 |
|
24-Mar-2011 |
Pierre Ossman <pierre@ossman.eu> |
Add host access control support
https://fedorahosted.org/sssd/ticket/746 |
cc2b267e14db7073e7247b52cc9d82dfdf280076 |
|
16-Feb-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Do not attempt to use START_TLS on SSL connections
Not all LDAP servers are capable of handling dual-encryption with
both TLS and SSL.
https://fedorahosted.org/sssd/ticket/795 |
a1af9beb915e96da634b7d17762bf42146104d45 |
|
27-Jan-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add option to disable TLS for LDAP auth
Option is named to discourage use in production environments and
is intentionally not listed in the SSSDConfig API. |
c6257286e9a31dfd42d28c99a22a69e2c4717a61 |
|
21-Jan-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Delete attributes that are removed from LDAP
Sometimes, a value in LDAP will cease to exist (the classic
example being shadowExpire). We need to make sure we purge that
value from SSSD's sysdb as well.
https://fedorahosted.org/sssd/ticket/750 |
3c13b616108d4c0a413380ba72189947898eee57 |
|
20-Jan-2011 |
Tyson Whitehead <twhitehead@gmail.com> |
Add ldap_tls_{cert,key,cipher_suite} config options
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com> |
d73fcc5183a676aed4fd040714b87274248b784c |
|
19-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add LDAP expire policy based on RHDS/IPA attribute
The attribute nsAccountLock is used by RHDS, IPA and other directory
servers to indicate that the account is locked. |
22f4c1b86dcf5589e63f2ae043dc65a8f72f6f18 |
|
19-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add LDAP expire policy based on AD attributes
The second bit of userAccountControl is used to determine if the account
is enabled or disabled. accountExpires is checked to see if the account
is expired. |
29993ce4fbdf08f28077f4b6824c8b6b8d616cb8 |
|
17-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add ldap_search_enumeration_timeout config option |
52b703a4c7cc43ae908300795569e27b64186ec8 |
|
06-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Convert obfuscated password once at startup |
2a2f642aae37e3f41cbbda162a74c2b946a4521f |
|
21-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add authorizedService support
https://fedorahosted.org/sssd/ticket/670 |
6c4661b78edafbd5b44e0c6319243e6671260bd0 |
|
17-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Start first enumeration immediately
Previously, we would wait for ten seconds before starting an
enumeration. However, this meant that on the first startup (before
we had run our first enumeration) there was a ten-second window
where clients would immediately get back a response with no
entries instead of blocking until the enumeration completed.
With this patch, SSSD will now run an enumeration immediately upon
startup. Further startups will retain the ten-second delay so as
not to slow down system bootups.
https://fedorahosted.org/sssd/ticket/616 |
42165bd9ada160e68ab0dbdeb21ed397486aa830 |
|
14-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Fix uninitialized value error in sdap_account_expired_shadow()
https://fedorahosted.org/sssd/ticket/726 |
8d163c0a088318ed9fc0b22def2649e27992ea53 |
|
07-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Replace krb5_kdcip by krb5_server in LDAP provider |
85abff7f43e8006de2c2fa35612884d377b9a036 |
|
07-Dec-2010 |
Simo Sorce <ssorce@redhat.com> |
ldap: Use USN entries if available.
Otherwise fallback to the default modifyTimestamp indicator |
1d9eec9e868fbc2d996f1030a43675be9a840133 |
|
07-Dec-2010 |
Simo Sorce <ssorce@redhat.com> |
ldap: add checks to determine if USN features are available. |
33b8fa8693df109fb33b6051bb29cb0cf5bc4d19 |
|
06-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add ldap_chpass_uri config option |
32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a |
|
06-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add new account expired rule to LDAP access provider
Two new options are added to the LDAP access provider to allow a broader
range of access control rules to be evaluated.
'ldap_access_order' makes it possible to run more than one rule. To keep
compatibility with older versions the default is 'filter'. This patch
adds a new rule 'expire'.
'ldap_account_expire_policy' specifies which LDAP attribute should be
used to determine if an account is expired or not. Currently only
'shadow' is supported which evaluates the ldap_user_shadow_expire
attribute. |
39875788b552ed157e68156e64e95dda5dc6aa43 |
|
06-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Make string_to_shadowpw_days() public |
40def28805f9df3ff640209def765723cd8e2de3 |
|
01-Dec-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Allow protocol fallback for SRV queries
https://fedorahosted.org/sssd/ticket/691 |
4f5824cf9b80dede79a6eddbcbb48f4ac75e5de4 |
|
15-Nov-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Properly document ldap_purge_cache_timeout
Also allow it to be disabled entirely |
38064e75ff70a5d740e02a511217cdbc5584ffd2 |
|
04-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Make ldap_search_base a non-mandatory option |
4534c103b193b74452ea81bf12ffaceb1901728a |
|
22-Oct-2010 |
Sumit Bose <sbose@redhat.com> |
Add ldap_deref option |
9932622f615a783f276a83389a37e65ffcdfc5da |
|
18-Oct-2010 |
Simo Sorce <ssorce@redhat.com> |
Add option to limit nested groups |
d9ed57c641b91c9c499a53329d606d5061ed47d1 |
|
13-Oct-2010 |
Sumit Bose <sbose@redhat.com> |
Add infrastructure to LDAP provider for netgroup support |
93109c5f1d85c028ce5cf6e31e2249ca90a7f746 |
|
13-Oct-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Initialize kerberos service for GSSAPI |
6e88b0dcd0352ac1280c1bd8dd0753b90e4014f2 |
|
13-Oct-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Add KDC to the list of LDAP options |
09c170c5b5cf0d62e7302ef284a1e35072ef1d95 |
|
09-Jul-2010 |
eindenbom <eindenbom@gmail.com> |
Remove remainder of now unused global LDAP connection handle. |
780ffc9f6d5e1fcd4df3d390b56cb98878223cc0 |
|
30-Jun-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Add dns_discovery_domain option
The service discovery used to use the SSSD domain name to perform DNS
queries. This is not an optimal solution, for example from the point of
view of authconfig.
This patch introduces a new option "dns_discovery_domain" that allows setting
the domain part of a DNS SRV query. If this option is not set, the
default behavior is to use the domain part of the machine's hostname.
Fixes: #479 |
7bfc287b693d3696bd5b3c60bdb7e543eb230f9b |
|
09-Jun-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Disable connection callbacks when going online
Under certain circumstances, the openldap libraries will continue
internally trying to reconnect to a connection lost (as during a
cable-pull test). We need to drop the reconnection callbacks when
marking the backend offline in order to guarantee that they are
not called with an invalid sdap_handle. |
35480afaefafb77b28d35b29039989ab888aafe9 |
|
27-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add ldap_access_filter option
This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.
Common examples for this would be limiting access to users in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com |
8bb6aa3fd81a3c195b92270ddf189296abae65eb |
|
27-May-2010 |
Sumit Bose <sbose@redhat.com> |
Add offline callback to disconnect global SDAP handle |
ebb6e30d687a4d6626c735234c85cbb5b06a26aa |
|
16-May-2010 |
Sumit Bose <sbose@redhat.com> |
Add ldap_krb5_ticket_lifetime option |
66da80489c0114878043b40592c5f47d41eb0ffd |
|
07-May-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Use service discovery in backends
Integrate the failover improvements with our back ends. The DNS domain
used in the SRV query is always the SSSD domain name.
Please note that this patch changes the default value of ldap_uri from
"ldap://localhost" to "NULL" in order to use service discovery with no
server set. |
270a0a1b6182ef1fbff2a93af6731788cf954874 |
|
03-May-2010 |
Simo Sorce <ssorce@redhat.com> |
Better handle sdap_handle memory from callers.
Always just mark the sdap_handle as not connected and let later _send()
functions take care of freeing the handle before reconnecting.
Introduce restart functions to avoid calling _send() functions in _done()
functions' error paths, as this would have the same effect as directly freeing
the sdap_handle and cause access to freed memory in sdap_handle_release().
By freeing sdap_handle only in the connection _recv() function we
guarantee it can never be done within sdap_handle_release() but only
in a following event. |
980020c1ad798b79e7bb2c1618a04dd5cb7dd5cd |
|
25-Feb-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix check for values of expiration limits
There were inconsistencies between what sssd.conf manpage said
and what the code enforces. |
af81aaa57f82eab78647113c391bd84247f96150 |
|
23-Feb-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Better cleanup task handling
Implements a different mechanism for cleanup task. Instead of just
deleting expired entries, this patch adds a new option
account_cache_expiration for domains. If an entry is expired and the last
login was more days in the past than account_cache_expiration, the entry is
deleted.
Groups are deleted if they are expired and no user references them
(no user has a memberof: attribute pointing at that group).
The parameter account_cache_expiration is not LDAP-specific, so that other
future backends might use the same timeout setting.
Fixes: #391 |
170cd083e3a9738b35de03b8e63743a8f2516ca8 |
|
23-Feb-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Do not check entries during cleanup task
Do not attempt to validate expired entries in cache, just delete them.
Also increase the cache timeouts.
Fixes: #331 |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |