4a9c1047354dbe5a4ed41e5951ae623e3772e113 |
|
29-Jan-2018 |
René Genz <liebundartig@freenet.de> |
Fix minor spelling mistakes in providers/*
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
ba8a92bbd59f189bd1323dd0c4010cdfc694be35 |
|
06-Dec-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Rename sdap_posix_check to sdap_gc_posix_check
Because searching the LDAP port of an Active Directory server with a NULL
search base yields an error:
https://technet.microsoft.com/en-us/library/cc755809(v=ws.10).aspx
we changed the POSIX check request to only run against a GC connection
in a previous patch. To make it clearer to the caller that this request
should only be used with a GC connection, this patch renames the
request.
There are no functional changes in this patch.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
6ae22d9adc0b075361defc99b8f14480ba8e7b46 |
|
06-Dec-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Search with a NULL search base when looking up an ID in the Global Catalog
The posix_check request is used to determine whether domains in the forest
replicate the POSIX attributes into the Global Catalog. And since the
schema modification that replicates the attributes is not per-domain, but
per-forest, we don't need to iterate over search bases when checking for
the POSIX attribute presence. It is OK to just search with a NULL search
base (and it's what Windows clients do, too).
Additionally, searching over the whole GC will come in handy when implementing
the request that locates an account's domain.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
dacfe74113dde62ddaaa7f9abf9d2b6448d89db6 |
|
06-Dec-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Only run the POSIX check with a GC connection
Previously, we used to run the POSIX check also with an LDAP connection.
This was wasteful, but worked, so the waste wasn't the biggest problem
-- the approach would only cause problems with the following patch which
uses a NULL search base to search the Global Catalog, because searching
with a SUBTREE scope and a NULL base returns a referral with an LDAP
connection.
Instead, this patch uses a heuristic (whether the connection ignores
the offline state) to check if the connection is a POSIX one and if it
is NOT, then skips the POSIX check.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
8e93ebb2a6f7644c389c1d1f4e92a21c4d0b2b45 |
|
06-Dec-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Extract the check whether to run a POSIX check to a function
This will reduce the code duplication in the following patches and will
allow us to keep all the logic in one place so that when/if we change the
code in the future, we only have to change that single place.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
057e8af379aa32f7d9ea48bfff22a3304c59444b |
|
26-Oct-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Turn group request into user request for MPG domains if needed
If the primary group GID or the group name is requested before the user
is, we need to also search the user space to save the user in the back
end which then allows the responder to generate the group from the
user entry.
Related:
https://pagure.io/SSSD/sssd/issue/1872
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
f2e70ec742cd7aab82b74d7e4b424ba3258da7aa |
|
14-Sep-2017 |
Sumit Bose <sbose@redhat.com> |
IPA: fix handling of certmap_ctx
This patch fixes a use-after-free in the AD provider part and
initializes the certmap_ctx with data from the cache at startup.
Related to https://pagure.io/SSSD/sssd/issue/3508
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
29ee3e0945f8935a2eb01913ba00b540e0a94f01 |
|
31-May-2017 |
Sumit Bose <sbose@redhat.com> |
ldap: handle certmap errors gracefully
Currently the LDAP user lookup request errors out if e.g. there is no
matching rule for a certificate. This might cause the related domain to
go offline.
With this patch the request returns that no user was found for the given
certificate but the overall result is that the request finishes
successfully.
Resolves:
https://pagure.io/SSSD/sssd/issue/3405
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
3e39806177e1cd383743ff596cb96df44a6ce8c9 |
|
30-Mar-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Relax search filters in application domains
Related to:
https://pagure.io/SSSD/sssd/issue/3310
If a request comes towards an application domain, we can drop the part
of the filter that asserts that the object has a valid UID/GID. Instead,
we just search by name.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
c44728a02d5e2c9eaced11e74820a6ae6a985f61 |
|
23-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
IPA: add certmap support
Read certificate mapping data from the IPA server and configure the
certificate mapping library accordingly.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
b341ee51cffd98b642b9c68a417f8a7504e303a1 |
|
23-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
sss_cert_derb64_to_ldap_filter: add sss_certmap support
Use certificate mapping library if available to lookup a user by
certificate in LDAP.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
81c564a0692aa4b719af2219f52894e6cd4bdf9f |
|
23-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
LDAP: always store the certificate from the request
Store the certificate used to lookup a user as mapped attribute in the
cached user object.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
70c0648f021ded3d31313eb962e1ad140f242673 |
|
23-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
sdap_get_users_send(): new argument mapped_attrs
mapped_attrs can be a list of sysdb_attrs which are not available on
the server side but should be stored with the cached user entry. This is
needed e.g. when the input to look up the user in LDAP is not an
attribute which is stored in LDAP but some data from which LDAP attributes
are extracted. The current use case is the certificate mapping
library which can create LDAP search filters based on the content of the
certificate. To allow upcoming cache lookups to use the input directly, it
is stored in the user object in the cache.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
afadeb1a530ff010a2f9a7552562576b843c874b |
|
03-Mar-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: When searching for UPNs, search either the whole DB or only the given domain
The search-by-UPN functions always searched for the whole domain. In
some cases, the caller depends on the result coming from the domain
specified by the 'domain' parameter. This is the case in the cache_req
code at least. Even though it should be safe to just switch to always
searching the whole domain, in order to allow us to examine the code
carefully and test each codepath, let's introduce a boolean option to
the search functions. Currently it defaults to false in all codepaths
and as we test the individual ones, we can flip the option to true until
we finally remove the option altogether.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
ca68b1b4ba06b1cda316ae8af470647bd7015a5a |
|
16-Jan-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
DP: Remove unused attr_type from struct dp_id_data
Structure member attr_type was set to BE_ATTR_CORE in all places
and there was a single place, src/providers/ldap/ldap_id.c, where
we checked for other values. It is not used anymore; it's better to
remove it.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
823d8292c4658b51821514adf21939e04b7423ed |
|
16-Jan-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Remove unused parameter attr_type from groups_get_send
Reviewed-by: Michal Židek <mzidek@redhat.com> |
2df7a1fe47a2a4af9c83087fb9369aa28b5ce59c |
|
16-Jan-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Removed unused attr_type from users_get_send
Reviewed-by: Michal Židek <mzidek@redhat.com> |
64344539bcda4d3c25ddc0c2d77a543345f33a77 |
|
16-Jan-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Fix debug messages after errors in *_get_send
Reviewed-by: Michal Židek <mzidek@redhat.com> |
50a7a92f92e1584702bf25e61a50cb1c09c7e260 |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
SDAP: add enterprise principal strings for user searches
Unfortunately principal aliases with an alternative realm are stored in
IPA as the string representation of an enterprise principal, i.e.
name\@alt.realm@IPA.REALM. To be able to look up the alternative
principal in LDAP properly the UPN search filter is extended to search
for this type of name as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ba9ebfc49ab3bacb96213c8620411128c09f39da |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
LDAP: include email in UPN searches
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
3d29430867cf92b2d71afa95abb679711231117c |
|
15-Jul-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: rename be_acct_req to dp_id_data
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
d48036e33249ad29aad45f7de5b78532233c669e |
|
07-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
LDAP: fix typo
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
5e87a8bd1f577f503b59d35eee1443f64a74f372 |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Delete cache entry if not found by UPN
Previously, the user account was only looked up by name when the LDAP
provider didn't match any entry on the server side. This patch removes
the entry from the cache with the matching function, either by name or
by UPN.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
c4eb21582937362e09aa34e6a18b7f33815d4940 |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Use shortname for LDAP queries
When looking up users or groups by name, we need to use the plain
username in the filter. The domain is typically signified by the search
base.
When looking up by UPN, we can keep using the raw value from the DP.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
9b29f86df7a29249ef8f485eedb8db515381c0de |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Rename DP filter value from name to filter_value
filter_value is a better name, because we don't look just by name, the
same variable is used to look up certificates etc.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
dea636af4d1902a081ee891f1b19ee2f8729d759 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Switch to new interface
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
630f3ff08c1d17c7900b9bde814922f775ca2703 |
|
10-Jun-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Decorate the hot paths in the LDAP provider with systemtap probes
During performance analysis, the LDAP provider and especially its nested
group code proved to be the place where we spend the most time during
account requests. Therefore, I decorated the LDAP provider with
systemtap probes to be able to observe where the time is spent.
The code allows passing of search properties (base, filter, ...) from
marks to probes. Where applicable, the probes pass on these arguments to
functions and build a human-readable string representation.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
659232f194f83ec7c450ce89c3fd41e4e74409f2 |
|
01-Mar-2016 |
Pavel Březina <pbrezina@redhat.com> |
remove user certificate if not found on the server
If the user is not found by cert lookup when the user is already
cached, two things may happen:
1) cert was removed from the user object
2) user was removed
Instead of issuing another cert lookup we will just remove cert
attribute from the cache not touching the expiration timestamp so
the user may be updated later when needed.
Resolves:
https://fedorahosted.org/sssd/ticket/2934
Reviewed-by: Sumit Bose <sbose@redhat.com> |
a0c764a36f2f432e6063de84be6f6af7e96ec159 |
|
11-Feb-2016 |
Sumit Bose <sbose@redhat.com> |
Just return NULL if tevent_req_create() fails
In general we just return NULL if tevent_req_create() fails because
there is nothing we can do with the request anyway. Especially
tevent_req_error() should not be called because it tries to dereference
req.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
8b789d6f0a39cd497d1115203db2f1f8dc195456 |
|
12-Oct-2015 |
Pavel Reichl <preichl@redhat.com> |
LDAP: remove unused param. in sdap_fallback_local_user
Remove unused sdap_options parameter.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
890ae77c52e36f222655d710439d2fe25f15101b |
|
17-Jul-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Update few debug messages
It reduces the noise caused by canonicalization of a non-existing user.
Resolves:
https://fedorahosted.org/sssd/ticket/2678
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
1f2fc55ecf7b5e170b2c0752304d1a2ecebc5259 |
|
15-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Add sdap_lookup_type enum
Related:
https://fedorahosted.org/sssd/ticket/2553
Change the boolean parameter of sdap_get_users_send and sdap_get_groups_send
to a tri-state that controls whether we expect only a single entry
(i.e. don't use the paging control), multiple entries with a search limit
(wildcard request) or multiple entries with no limit (enumeration).
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
2922461ea5357f4035a5ca7bdd84013db8767376 |
|
15-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Fetch users and groups using wildcards
Related:
https://fedorahosted.org/sssd/ticket/2553
Adds handler for the BE_FILTER_WILDCARD in the LDAP provider. So far
it's the same code as if enumeration was used, so there are no limits.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
9fc96a4a2b07b92585b02dba161ab1eb2dbdad98 |
|
19-Jun-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
SDAP: Remove user from cache for missing user in LDAP
Function sysdb_get_real_name overrode the return code from LDAP
and thus the user was not removed from the cache after removing it from LDAP.
This patch also does not try to set the initgroups flag if the user
does not exist. It reduces some error messages.
Resolves:
https://fedorahosted.org/sssd/ticket/2681
Reviewed-by: Michal Židek <mzidek@redhat.com> |
caacea0dbfdc92613ae992681053b1d2665b80ca |
|
19-Jun-2015 |
Sumit Bose <sbose@redhat.com> |
LDAP/IPA: add user lookup by certificate
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
d0b7e5fcfca7d0db9e3d19be7b51f34d03d3d720 |
|
01-Jun-2015 |
Sumit Bose <sbose@redhat.com> |
ldap: use proper sysdb name in groups_by_user_done()
In a recent change set_initgroups_expire_attribute() was added to
groups_by_user_done() to make sure that the initgroups timeout is only
added to the user object until all groups added to the cache.
This change (and the original code in groups_by_user_done() as well)
didn't take sub-domain users into account where the name in sysdb might
differ from the original request and the domain is not the configured
domain. This patch tries to ensure that the right name and domain are
used.
https://fedorahosted.org/sssd/ticket/2663
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
40bc389bc79bc41429b5a92d5ce75955f8eefaf5 |
|
01-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
Skip enumeration requests in IPA and AD providers as well
Checking the enum request in the underlying LDAP provider to skip it
might be too late as the richer IPA or AD providers depend on having a
useful result when the sdap request finishes.
Move the enumeration check earlier instead and allow directly in the IPA
or AD handler.
Related:
https://fedorahosted.org/sssd/ticket/2659
Reviewed-by: Sumit Bose <sbose@redhat.com> |
dca741129d221558a4325479aefc617240f1ab08 |
|
22-May-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
SDAP: Remove unnecessary argument from sdap_save_user
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
d0cc678d20d8bde829450eb50bec1b7397cea3e1 |
|
22-May-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
SDAP: Set initgroups expire attribute at the end
Initgroups consisted of two main steps:
1. store user to cache
2. store all user groups to cache.
Previously the attribute SYSDB_INITGR_EXPIRE was set in the first step.
So in case of an empty cache and parallel initgroups requests in responders
there was a small period when SYSDB_INITGR_EXPIRE was valid but groups were
not cached. Therefore sometimes the responder could return zero supplementary
groups.
This patch moves the setting of initgroups expire attribute from 1st step
to the end of 2nd step.
In case of parallel initgroups requests in responder there are two
other ways how we could get correct results even though there was a bug.
a) Time between the two requests was too small. User was not stored in cache
yet and 2nd request waited for response from DP.
b) Time between the two requests was big enough. All the user's groups were
successfully stored in cache and 2nd request returned correct results.
Resolves:
https://fedorahosted.org/sssd/ticket/2634
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
0f9c28eb52d2b45c8a97f709308dc11377831b8c |
|
06-May-2015 |
Sumit Bose <sbose@redhat.com> |
IPA: allow initgroups by UUID for FreeIPA users
If a FreeIPA user is searched with the help of an override name the UUID
from the override anchor is used to search the user. Currently the
initgroups request only allows searches by SID or name. With this patch
a UUID can be used as well.
Related to https://fedorahosted.org/sssd/ticket/2642
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f70a1adbfc30b9acc302027439fb8157e0c6ea2a |
|
29-Apr-2015 |
Sumit Bose <sbose@redhat.com> |
IPA: allow initgroups by SID for AD users
If a user from a trusted AD domain is searched with the help of an
override name the SID from the override anchor is used to search the
user in AD. Currently the initgroups request only allows searches by
name. With this patch a SID can be used as well.
Resolves https://fedorahosted.org/sssd/ticket/2632
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 |
|
17-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Add missing new lines to debug messages
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
d81d8d3dc151ebc95cd0e3f3b14c1cdaa48980f1 |
|
17-Mar-2015 |
Sumit Bose <sbose@redhat.com> |
LDAP/AD: do not resolve group members during tokenGroups request
During initgroups requests we try to avoid resolving the complete
member list of groups if possible, e.g. if there are no nested groups.
The tokenGroups LDAP lookup returns the complete list of memberships for
a user, hence it is not necessary to look up the other group members and
unroll nested groups. With this patch only the group entry is looked up
and saved as incomplete group to the cache.
This is achieved by adding a new boolean parameter no_members to
groups_get_send() and sdap_get_groups_send(). The difference to config
options like ldap_group_nesting_level = 0 or ignore_group_members is
that if no_members is set to true groups which are missing in the cache
are created as incomplete groups. As a result a request to lookup this
group will trigger a new LDAP request to resolve the group completely.
This way no information is ignored but the time needed to read all data
is better distributed between different requests.
https://fedorahosted.org/sssd/ticket/2601
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a849d848d53f305a90613a74c1767a42b250deda |
|
08-Mar-2015 |
Pavel Březina <pbrezina@redhat.com> |
sdap_handle_acct_req_send: remove be_req
be_req was used only as a talloc context for subreq. This memory context
was replaced by the state of the parent request which is more suitable for
tevent coding style.
This change will allow us to use this function in be_refresh where
no be_req is available.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
35808a6c8cea7baef659192dbb981872f95337ea |
|
23-Feb-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Conditional jump depends on uninitialised value
==31767== at 0x5B66CFC: users_get_posix_check_done (ldap_id.c:346)
==31767== by 0x4DCC6AA: _tevent_req_notify_callback (tevent_req.c:112)
==31767== by 0x4DCC724: tevent_req_finish (tevent_req.c:149)
==31767== by 0x4DCC782: _tevent_req_error (tevent_req.c:167)
==31767== by 0x5B7ED43: sdap_posix_check_done (sdap_async.c:2486)
==31767== by 0x4DCC6AA: _tevent_req_notify_callback (tevent_req.c:112)
==31767== by 0x4DCC724: tevent_req_finish (tevent_req.c:149)
==31767== by 0x4DCC782: _tevent_req_error (tevent_req.c:167)
==31767== by 0x5B7DE37: sdap_get_generic_op_finished (sdap_async.c:1523)
==31767== by 0x5B7D62B: sdap_process_result (sdap_async.c:357)
==31767== by 0x4DCFC1C: tevent_common_loop_timer_delay (tevent_timed.c:341)
==31767== by 0x4DD0E12: epoll_event_loop_once (tevent_epoll.c:911)
==31767== by 0x4DCF23E: std_event_loop_once (tevent_standard.c:114)
==31767== by 0x4DCB38F: _tevent_loop_once (tevent.c:530)
==31767== by 0x4DCB58B: tevent_common_loop_wait (tevent.c:634)
==31767== by 0x4DCF1BE: std_event_loop_wait (tevent_standard.c:140)
==31767== by 0x4DCB627: _tevent_loop_wait (tevent.c:653)
==31767== by 0x489AB98: server_loop (server.c:668)
==31767== by 0x10D035: main (data_provider_be.c:2915)
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
561ed2fd03bab04cfdddbc09c4b48563c9d9b87e |
|
30-Jan-2015 |
Sumit Bose <sbose@redhat.com> |
AD: use GC for SID requests as well
If a universal group is looked up by SID the cross-domain members must
be resolved with the help of the Global Catalog.
Related to https://fedorahosted.org/sssd/ticket/2514
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
7964d2bd7ea6a0f5bf5acdf94279d72122eca6ad |
|
20-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
LDAP: add support for lookups by UUID
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
7ba70236daccb48432350147d0560b3302518cee |
|
15-Sep-2014 |
Michal Zidek <mzidek@redhat.com> |
Use the alternative objectclass in group maps.
Use the alternative group objectclass in queries.
Fixes:
https://fedorahosted.org/sssd/ticket/2436
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
25a387c2e90c74b27a26ea207503df8e4b6a1a76 |
|
01-Sep-2014 |
Sumit Bose <sbose@redhat.com> |
LDAP: If extra_value is 'U' do a UPN search
Besides the name the responders always send an extra string attribute to
the backends which is so far mostly empty. Since the only difference in
the processing of a request for a user name or a user principal name is
a different search attribute in the LDAP provider this extra value can
be used to indicate the type of the name. Providers which do not support
UPN lookup can just ignore this attribute.
Related to https://fedorahosted.org/sssd/ticket/1749 |
ac67376a47ed52374641e7a4f6fd97712fe5171b |
|
19-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
Revert "IPA: new attribute map for non-posix groups"
This reverts commit 4c560e7b98e7ab71d22be24d2fbc468396cb634f. |
4c560e7b98e7ab71d22be24d2fbc468396cb634f |
|
19-Aug-2014 |
Pavel Reichl <preichl@redhat.com> |
IPA: new attribute map for non-posix groups
Create new set of attributes to be used when processing non-posix groups.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com> |
4ed403fe53f71059758efc48265f6239393facd0 |
|
18-Jun-2014 |
Pavel Reichl <preichl@redhat.com> |
IPA: Rename label in users_get_send/groups_get_send
Resolves:
https://fedorahosted.org/sssd/ticket/2209
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
4dd38025efda88f123eac672f87d3cda12f050c8 |
|
02-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Make it possible to extend an attribute map
https://fedorahosted.org/sssd/ticket/2073
This commit adds a new option ldap_user_extra_attrs that is unset by
default. When set, the option contains a list of LDAP attributes the LDAP
provider would download and store in addition to the usual set.
The list can either contain LDAP attribute names only, or colon-separated
tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP
attribute name is specified, the attribute is saved to the cache verbatim.
Using a custom SSSD attribute name might be required by environments that
configure several SSSD domains with different LDAP schemas.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
83bf46f4066e3d5e838a32357c201de9bd6ecdfd |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Update DEBUG* invocations to use new levels
Use a script to update DEBUG* macro invocations, which use literal
numbers for levels, to use bitmask macros instead:
grep -rl --include '*.[hc]' DEBUG . |
while read f; do
    mv "$f"{,.orig}
    perl -e 'use strict;
             use File::Slurp;
             # The index into this list is the old numeric debug level (0-9)
             my @map=qw"
                 SSSDBG_FATAL_FAILURE
                 SSSDBG_CRIT_FAILURE
                 SSSDBG_OP_FAILURE
                 SSSDBG_MINOR_FAILURE
                 SSSDBG_CONF_SETTINGS
                 SSSDBG_FUNC_DATA
                 SSSDBG_TRACE_FUNC
                 SSSDBG_TRACE_LIBS
                 SSSDBG_TRACE_INTERNAL
                 SSSDBG_TRACE_ALL
             ";
             my $text=read_file(\*STDIN);
             my $repl;
             # Replace the numeric level with the macro name; if the
             # resulting line would exceed 80 columns, wrap the rest of
             # the invocation onto the next line, aligned with the level
             $text=~s/
                 ^
                 (
                     .*
                     \b
                     (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
                     \s*
                     \(\s*
                 )(
                     [0-9]
                 )(
                     \s*,
                 )
                 (
                     \s*
                 )
                 (
                     .*
                 )
                 $
             /
                 $repl = $1.$map[$3].$4.$5.$6,
                 length($repl) <= 80
                 ? $repl
                 : $1.$map[$3].$4."\n".(" " x length($1)).$6
             /xmge;
             print $text;
    ' < "$f.orig" > "$f"
    rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
    mv "$f"{,.orig}
    perl -e \
        'use strict;
         use File::Slurp;
         my $text=read_file(\*STDIN);
         # Turn DEBUG(level, ("fmt", args)); into DEBUG(level, "fmt", args);
         $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
         print $text;' < "$f.orig" > "$f"
    rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
e81deec535d11912b87954c81a1edd768c1386c9 |
|
12-Feb-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Detect the presence of POSIX attributes
When the schema is set to AD and ID mapping is not used, there is a one-time
check run when searching for users to detect the presence of POSIX
attributes in LDAP. If this check fails, the search fails as if no entry
was found and returns a special error code.
The sdap_server_opts structure is filled every time a client connects to
a server so the posix check boolean is reset to false again on connecting
to the server.
It might be better to move the check to where the rootDSE is retrieved,
but the check depends on several features that are not known to the code
that retrieves the rootDSE (or the connection code for example) such as what
the attribute mappings are or the authentication method that should be used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
6095e82a99cc1c1fcac5e00f0a770302cc46eb2b |
|
24-Jan-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Don't abort request if no id mapping domain matches
If an ID was requested from the back end, but no ID mapping domain
matched, the request ended with a scary error message. It's better to
treat the request as if no such ID was found in the domain.
Related:
https://fedorahosted.org/sssd/ticket/2200 |
0bdef4fb23af3def3ca9608bb4dda46de1bd9dfb |
|
27-Nov-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Remove unused parameter from sdap_save_user |
d115f40c7a3999e3cbe705a2ff9cf0fd493f80fb |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2) |
4537e95f6741ae05ec620e5b46ca1d4a3a1ceae5 |
|
07-Nov-2013 |
Pavel Březina <pbrezina@redhat.com> |
free idmapped SIDs correctly
Resolves:
https://fedorahosted.org/sssd/ticket/2133 |
13db46154dc2266b897abcfebd92d05500077023 |
|
30-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
free sid obtained from sss_idmap_unix_to_sid() |
64f615974a57e50124a7186ee8e8d14a78d3304d |
|
25-Oct-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Delete entry by SID if not found
In case the entry was deleted from the server, the search didn't notice
and kept returning the cached data. |
fdda4b659fa3be3027df91a2b053835186ec2c59 |
|
25-Oct-2013 |
Sumit Bose <sbose@redhat.com> |
sdap_idmap_domain_has_algorithmic_mapping: add domain name argument
When libsss_idmap was only used to algorithmically map a SID to a POSIX
ID a domain SID was strictly necessary and the only information needed
to find a domain.
With the introduction of external mappings there are cases where a
domain SID is not available. Currently we relied on the fact that
external mapping was always used as a default if no specific
information about the domain was found. This led to extra CPU cycles and
potentially confusing debug messages. Adding the domain name as a search
parameter will avoid this. |
f244195582ec804f1022341e2e3394754e31b36a |
|
10-Oct-2013 |
Sumit Bose <sbose@redhat.com> |
LDAP: handle SID requests if noexist_delete is set
Fixes https://fedorahosted.org/sssd/ticket/2116 |
d3e1d88ce7de3216a862b9fe78dc5aa94dcbc14b |
|
27-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Require ID numbers when ID mapping is off
Related: https://fedorahosted.org/sssd/ticket/2070
When searching for users and groups without the use of ID mapping, make
sure the UIDs and GIDs are included in the search. This will make the
SSSD seemingly "miss" entries when searching in Global Catalog in the
scenario where the POSIX attributes are not replicated to the GC. |
edcf38f274b5e9022d4d92d294a9267bec13b882 |
|
08-Aug-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Enable removing nonexisting dn in sdap_handle_account_info
Change was introduced in commit ca344fde |
1bb04648878b7b3e3897484e7cfc2d11725c8014 |
|
17-Jul-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: When resolving a SID, search for groups first, then users
https://fedorahosted.org/sssd/ticket/1997
Most of the time, the SIDs are resolved as a call coming from the PAC
responder during initgroups. In that case at least, it makes sense to
search for group matching that SID first, then users.
We may consider making this behaviour configurable, i.e. for the server
mode where typically the users should be queried first. |
b56b06e199f15a8a840b36bc7cb8010e39ae761d |
|
28-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Replace SDAP_ID_MAPPING checks with sdap_idmap_domain_has_algorithmic_mapping
Currently the decision if external or algorithmic mapping should be used
in the LDAP or AD provider was based on the value of the ldap_id_mapping
config option. Since now all information about ID mapping is handled by
libsss_idmap the check for this option can be replaced with a call which
checks the state via libsss_idmap.
https://fedorahosted.org/sssd/ticket/1961 |
3438815242464a963c0d3a70f16579723a20b52d |
|
24-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Retry SID search based on result of LDAP search, not the return code |
ca344fdecdf127c80ad1074047aeba21e1165313 |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: return sdap search return code to ID
By default, the LDAP searches delete the entry from cache if it wasn't
found during a search. But if a search wants to try both Global Catalog
and LDAP, for example, it might be beneficial to have an option to only
delete the entry from cache after the last operation fails to prevent
unnecessary memberof operations for example. |
749cfb5d3270b5daf389d51a0dbd3fd2aec6e05d |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: new SDAP domain structure
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain. |
9aa117a93e315f790a1922d9ac7bd484878b621e |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Pass in a connection to ID functions
Instead of using the default connection from the sdap_id_ctx, allow the
caller to specify which connection shall be used for this particular
request. Again, no functional change is present in this patch, just
another parameter is added. |
e6e129a40e69af52a12deed91f68fff3569c51ce |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Refactor account info handler into a tevent request
The sdap account handler was a function with its own private callback
that directly called the back end handlers. This patch refactors the
handler into a new tevent request that the current sdap handler calls.
This refactoring would allow the caller to specify a custom sdap
connection for use by the handler and optionally retry the same request
with another connection inside a single per-provider handler.
No functional changes are present in this patch. |
dcb44c39dda9699cdd6488fd116a51ced0687de3 |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: sdap_id_ctx might contain several connections
With some LDAP server implementations, one server might provide
different "views" of the identities on different ports. One example is
the Active Directory Global catalog. The provider would contact a
different view depending on which operation it is performing and against
which SSSD domain.
At the same time, these views run on the same server, which means the same
server options, enumeration, cleanup or Kerberos service should be used.
So instead of using several different failover ports or several
instances of sdap_id_ctx, this patch introduces a new "struct
sdap_id_conn_ctx" that contains the connection cache to the particular
view and an instance of "struct sdap_options" that contains the URI.
No functional changes are present in this patch, currently all providers
use a single connection. Multiple connections will be used later in the
upcoming patches. |
154e62fc712f4c994fbc684386302edca277a99a |
|
06-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Intermittent fix for get_user_and_group_users_done
users_get_recv() never returns ENOENT. In general it should return EOK
in the case no matching user was found. But since I forgot to handle a
SID based filter properly in sdap_get_users_process() an error is
returned in this case which makes get_user_and_group_users_done() work
as expected with this patch.
There is an upcoming enhancement to users_get_recv() which I'm planning
to use for a full fix. |
61e7adac8b45b7f9139e8a566af9a457a3079271 |
|
28-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Remove unneeded comment |
c89e13316166957c853ed61496a17306e59afc79 |
|
27-May-2013 |
Sumit Bose <sbose@redhat.com> |
Add SID related requests to the LDAP provider
The patch adds support for BE_REQ_BY_SECID and BE_REQ_USER_AND_GROUP to
the LDAP provider. Since the AD and the IPA provider use the same code
they support those requests now as well.
Besides allowing users and groups to be searched by the SID as
well, the new request allows searching users and groups in one run, i.e.
if there is no user matching the search criteria, groups are searched as
well. |
206329d3901738036352f2ac1e8d7804f728861d |
|
02-May-2013 |
Sumit Bose <sbose@redhat.com> |
Add secid filter to responder-dp protocol
This patch adds a new filter type to the data-provider interface which
can be used for SID-based lookups. |
fae99bfe4bfc8b4a12e9c2a0ad01b3684c22f934 |
|
20-Mar-2013 |
Simo Sorce <simo@redhat.com> |
ldap: Fallback option for rfc2307 schema
Add option to fall back to fetching local users if rfc2307 is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.
Disabled by default as it violates identity domain separation.
Ticket:
https://fedorahosted.org/sssd/ticket/1020 |
cbaba2f47da96c4191971bce86f03afb3f88864a |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add be_req_get_data() helper function.
In preparation for making struct be_req opaque. |
03abdaa21ecf562b714f204ca42379ff08626f75 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add be_req_get_be_ctx() helper.
In preparation for making be_req opaque |
df0596ec12bc5091608371e2977f3111241e8caf |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove sysdb as a be context structure member
The sysdb context is already available through the 'domain' structure. |
a58ccee5afc802c7560624929614616aeefa9bd0 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_delete_group()
Also remove sysdb_delete_domgroup() |
3412d14d65490c32414e72ac20fe21bad53ceb45 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_delete_user()
Also remove sysdb_delete_domuser() |
84224fd403ac6cdec6ee2a28fb3f923855945400 |
|
05-Dec-2012 |
Simo Sorce <simo@redhat.com> |
Fix comment on wrong line |
e11c7dc43f4ff9897e37cc0d793f8e1fb3b8453a |
|
04-Dec-2012 |
Simo Sorce <simo@redhat.com> |
Use an entry type mask macro to filter entry types
Avoids hardcoding magic numbers everywhere and self documents why a
mask is being applied. |
03b224556506601c8a29771801bc1b5e302958f9 |
|
19-Nov-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Remove double break |
59f136cd254d1acf2991c97221eb08803784777d |
|
15-Nov-2012 |
Paul B. Henson <henson@acm.org> |
Add ignore_group_members option.
https://fedorahosted.org/sssd/ticket/1376 |
41be4e3976cf66823ad2c6880671ac7fbafdc640 |
|
23-Aug-2012 |
Pavel Březina <pbrezina@redhat.com> |
Clean up cache on server reinitialization
https://fedorahosted.org/sssd/ticket/734
We successfully detect when the server is reinitialized by testing
the new lastUSN value. The maximum USN values are set to zero, but
the current cache content remains.
This patch removes records that were deleted from the server.
It uses the following approach:
1. remove entryUSN attribute from all entries
2. run enumeration
3. remove records that don't have the entryUSN attribute updated
We don't need to do this for sudo rules, they will be refreshed
automatically during next smart/full refresh, or when an expired rule
is deleted. |
c8704f06db6dbbe39f50dfb35f20cdf27cf1f087 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
ldap provider: add sudo usn value |
64ddff90c7fcc02ccb06824ac93af7d5f361a88f |
|
31-May-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Add support for filtering attributes
This patch adds support for filtering attributes when constructing
attribute list from a map for LDAP query. |
ca4b7b92738f3dd463914e3de5757cd98d37a983 |
|
10-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add attr_count return value to build_attrs_from_map()
This is necessary because in several places in the code, we are
appending to the attrs returned from this value, and if we relied
on the map size macro, we would be appending after the NULL
terminator if one or more attributes were defined as NULL. |
c0dc67f92a4abee6bcce304117bf2a2362ad812c |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Enable looking up id-mapped groups by GID |
2aae75b167f1d9d5cf65d5529c585cfb18c6207b |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Allow looking up ID-mapped groups by name |
28f9836c888ce351400f8d1fd42eac905ce99f1d |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Enable looking up id-mapped users by UID |
e2925c2d7d10cbb51098402233784044168f1a77 |
|
31-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add enumeration support for services |
796463906a54e259bd5b582ce84af4297a58eafc |
|
31-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add support for service lookups (non-enum) |
8edf0e447266d68f10264eb3f3ea514cd1687041 |
|
19-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Pass sdap_id_ctx to online check from IPA provider |
9b9c7f8caddf2b57adfbef8741651ee5063fa3bd |
|
29-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Provide means of forcing TLS and GSSAPI enabled/disabled for sdap connections |
f4093e062cf1646b8f01d7078e63708aeb36a95d |
|
25-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix sdap_id_ctx/ipa_id_ctx mismatch in IPA provider
This was causing a segfault during HBAC processing and any ID lookups
except for netgroups |
7d9f54f5ec7c72336c4f69dbf20d55f1f64b88d2 |
|
23-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Renamed some LDAP routines
These were renamed just to make sure they are not mistaken for IPA
netgroup functions. |
1bbd4c57fc31cec302244725e698413623818d19 |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add support for multiple search bases for group enumeration |
f26b61dfe246c750a42f1f9fb28f9df5981bc841 |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add support for multiple search bases for user enumeration |
357efd33759fd1297723d9956a7f77226fe26871 |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Convert ldap_*_search_filter
Instead of making this a global option for all user lookups, make
it only used if the search base is passed without an explicit
filter. |
86e00b950eae9884702ad535e3030b238ec451e3 |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Support multiple group search bases (non-enumeration, RFC2307) |
a0e406e5219068aec1a531e2b09ee30309b266cf |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Support multiple user search bases (non-enumeration) |
95d3cb8d4ff2e3e8fdc186f2ebf617fd29ddfdec |
|
03-Oct-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use explicit base 10 for converting strings to integers
https://fedorahosted.org/sssd/ticket/1013 |
e79d23932ef9d52cf4eb32ddec2d0a9b3af9a9eb |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
sysdb refactoring: memory context deleted
This patch deletes memory context parameter in those places in sysdb
where it is not necessary. The code using modified functions has been
updated. Tests updated as well. |
8a1738f9379a1b8fb5c95c3df649e014ff5a1434 |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
sysdb refactoring: deleted domain variables in sysdb API
The patch also updates code using modified functions. Tests have also
been adjusted. |
86d77907310fa939fe89884fbbdf2142c06a420e |
|
04-Aug-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix returning groups when gidNumber attribute is not ordered
https://fedorahosted.org/sssd/ticket/951 |
804dc66b3a646938167ddeb34b011f3f3b6dfebc |
|
27-Jul-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Explicitly ignore groups with gidNumber=0
https://fedorahosted.org/sssd/ticket/916 |
772764e048dcd15c6d9732574126eb83b53a60e2 |
|
04-May-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Fixed lastUSN checking improvements
This patch fixes some issues with setting lastUSN attribute and it adds
check against the highest user/group USN after enumeration to keep
better track of the real highest USN. Optimal solution here would be to
schedule a check of rootDSE entry right after the enumeration finishes,
but for the moment this is good enough. |
743475e5d730f1438bff4bb086600186adfe8311 |
|
19-Apr-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Add last usn checking after reconnection
When reconnecting to the LDAP server supporting USNs (either because of a new incoming
id operation or invocation of the callback responsible for checking the status
of the backend), detect whether the highest USN is lower than the one
SSSD has recorded. If so, set up enumeration/cleanup to refresh
potentially changed account information in the SSSD cache.
Related ticket:
https://fedorahosted.org/sssd/ticket/734 |
361b29ff4cc0eac948074cb0f54fdc7bd556a1b6 |
|
19-Apr-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add user and group search LDAP filter options
https://fedorahosted.org/sssd/ticket/647 |
6b608e6fc8ae5b4623a924a00fa5e4dfde3e57c2 |
|
15-Apr-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Do not throw a DP error when failing to delete a nonexistent entity |
0112cf9f4a48494f1527018f86f762f2aff63f07 |
|
14-Mar-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Require existence of GID number and name in group searches
https://fedorahosted.org/sssd/ticket/824 |
ecb98fdf587e435c8e498e2e585e89f3fb8b2f35 |
|
18-Feb-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Remove cached user entry if initgroups returns ENOENT
This behavior was present for getpwnam() but was lacking for
initgroups. |
3ad662a4d26c0d6ee4e382758ca7b3f0c2880d20 |
|
21-Jan-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add the user's primary group to the initgroups lookup
The user may not be a direct member of their primary group, but
we still want to make sure that group is cached on the system. |
a530a96721d8106a6839b6b643b0abc5d7a7b9e0 |
|
17-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add timeout parameter to sdap_get_generic_send() |
1d9eec9e868fbc2d996f1030a43675be9a840133 |
|
07-Dec-2010 |
Simo Sorce <ssorce@redhat.com> |
ldap: add checks to determine if USN features are available. |
d1571f8c173ca9172fa295e6aac48b8c0c367950 |
|
02-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add a special filter type to handle enumerations |
d8e3d9b5fb5f269ef7a0cf4b70f3ba4c8051429c |
|
01-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add check_online method to LDAP ID provider |
85e8cbdd79359ae1f330c8b84f7b58d4fc6fda6e |
|
15-Nov-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Sanitize search filters in LDAP provider |
580374daba2ab2c6075a7d0de9512abff133e2e9 |
|
26-Oct-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Always use uint32_t for UID/GID numbers |
27c67307976a60088ca301e07404bdb52740c3af |
|
18-Oct-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Use unsigned long for conversion to id_t
We used strtol() on a number of places to convert into uid_t or gid_t
from a string representation such as LDAP attribute, but on some
platforms, unsigned long might be necessary to store big id_t values.
This patch converts to using strtoul() instead. |
619bd403265ce0880989ba6f8324b010949851bc |
|
13-Oct-2010 |
Sumit Bose <sbose@redhat.com> |
Implement netgroup support for LDAP provider |
7fce06bb1a855126e41042e0dc22bf2b2d6cec28 |
|
22-Sep-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Request all group attributes during initgroups processing
We tried to be too clever and only requested the name of the group,
but we require the objectClass to validate the results.
https://fedorahosted.org/sssd/ticket/622 |
6c121f20f50158cdc58c0ac3c712f9ffc7540aef |
|
09-Jul-2010 |
eindenbom <eindenbom@gmail.com> |
Use new LDAP connection framework to get user account groups from LDAP. |
eef6302a20f9ddac77cf00f48ee68a5daacd6eb6 |
|
09-Jul-2010 |
eindenbom <eindenbom@gmail.com> |
Use new LDAP connection framework to get group account info from LDAP. |
bb6634510bbbb4a5499fb4aa8b4a3cba6f9f6bc8 |
|
09-Jul-2010 |
eindenbom <eindenbom@gmail.com> |
Use new LDAP connection framework to get user account info from LDAP. |
9e99e3c5c45b20189e76e4d2546966ff1fb3ce40 |
|
07-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix segfault in GSSAPI reconnect code
Also clean up some duplicated code into a single common routine
sdap_account_info_common_done() |
270a0a1b6182ef1fbff2a93af6731788cf954874 |
|
03-May-2010 |
Simo Sorce <ssorce@redhat.com> |
Better handle sdap_handle memory from callers.
Always just mark the sdap_handle as not connected and let later _send()
functions take care of freeing the handle before reconnecting.
Introduce restart functions to avoid calling _send() functions in _done()
functions' error paths, as this would have the same effect as directly freeing
the sdap_handle and cause access to freed memory in sdap_handle_release().
By freeing sdap_handle only in the connection _recv() function we
guarantee it can never be done within sdap_handle_release() but only
in a following event. |
3b3dc1a8ad19100951d19abe4038791f01faa0b7 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: delete sysdb_delete_group |
ed80c73efa51780a39dfc9c72821cf88e95d264c |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_delete_user |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |