60a715a0dd79873d2d2607eab8fdfaf0ffd2e7d3 |
|
09-Feb-2018 |
Hristo Venev <hristo@venev.name> |
providers: Move hostid from ipa to sdap, v2
In the ldap provider, all option names are renamed to ldap_host_*. In
the ipa provider the names haven't been changed.
Host lookups for both ipa and ldap are handled in the ldap provider.
sss_ssh_knownhostsproxy works but hostgroups are still only available
in the ipa provider.
I've also added some documentation for the ldap provider.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f7ea0b1d46197275c87bdc73a6e38a6fd7f855ee |
|
14-Dec-2015 |
Pavel Březina <pbrezina@redhat.com> |
LDAP: Mark globals in ldap_opts.h as extern
To avoid collisions when we want to work with them elsewhere in the code.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b9e74a747b8f1012bba3575f3e4289ef4877d64a |
|
15-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Add the wildcard_limit option
Related:
https://fedorahosted.org/sssd/ticket/2553
Adds a new wildcard_limit option that is set by default to 1000 (one
page). This option limits the number of entries that can by default be
returned by a wildcard search.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
e22e04517b9f9d0c7759dc4768eedfd05908e9b6 |
|
19-Jun-2015 |
Sumit Bose <sbose@redhat.com> |
LDAP: add ldap_user_certificate option
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
601d193feba2d9859661b979c2a0d1d479d5cee8 |
|
12-May-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: disable the cleanup task by default
Resolves:
https://fedorahosted.org/sssd/ticket/2627
The cleanup task was designed to keep the cache size within certain
limits. This is how it roughly works now:
- find users who have never logged in by default. If
account_cache_expiration is set, find users who logged in later
than account_cache_expiration
- delete the matching set of users
- find groups that have no members
- delete the matching set of groups
So unless account_cache_expiration is set to something sensible, only empty
groups and expired users who never logged in are removed and that's quite
a corner case. The above effectively walks the whole database, especially
the groups step is quite slow with a huge database. The whole cleanup task
also runs in a single sysdb transaction, which means all other transactions
are blocked while the cleanup task crunches the database.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
2d40bf0ad9f03e345228cba4563091c91eb02f5b |
|
13-Dec-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
Skip CHAUTHTOK_PRELIM when using OTPs
https://fedorahosted.org/sssd/ticket/2484
When OTPs are used, we can only use each authtoken at most once. When
it comes to Kerberos password changes, this was only working previously
by accident, because the old authtoken was first used to verify the old
password is valid and not expired and then also to acquire a chpass
principal.
This patch looks at the user object in LDAP to check if the user has any
OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped
completely so that the OTP can be used to acquire the chpass ticket
later.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
5febf5ed0cfb4ba7665d8c3e36ee6941988da773 |
|
12-Nov-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Disable token groups by default
We tried to speed up processing of initgroup lookups with tokenGroups even for
the LDAP provider (if remote server is Active Directory), but it turns out that
there are too many corner cases that we didn't catch during development that
break. For instance, groups from other trusted domains might appear in TG and
the LDAP provider isn't equipped to handle them.
Overall, users who wish to use the added speed benefits of tokenGroups are
advised to use the AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2483
Reviewed-by: Michal Židek <mzidek@redhat.com> |
30c964ac455a9c26cdc391e849505b4312f733ae |
|
10-Nov-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
Revert "LDAP: Change defaults for ldap_user/group_objectsid"
This reverts commit f834f712548db811695ea0fd6d6b31d3bd03e2a3.
OpenLDAP server cannot dereference unknown attributes. The attribute objectSID
isn't in any standard objectclass on OpenLDAP server. This is a reason why
objectSID cannot be set by default in rfc2307 map and rfc2307bis map.
It is the same problem as using non standard attribute "nsUniqueId"
in ticket https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Michal Židek <mzidek@redhat.com> |
4c713fb79bfdef602021be890ee687fc3743ebb9 |
|
06-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
Fix uuid defaults
Recently the uuid attributes for users and groups were removed because
it was found that they are not used at all and that some of them were
causing issues (https://fedorahosted.org/sssd/ticket/2383).
The new views/overrides feature of FreeIPA uses the ipaUniqueID attribute
to relate overrides with the original IPA objects. The previous two
patches revert the removal of the uuid attributes from users and groups;
this patch sets the default value of these attributes to
ipaUniqueID for the IPA provider, to objectGUID for the AD provider and
leaves them unset for the general LDAP case to avoid issues like the one
from ticket #2383.
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
69a88c4757dd24b1857954de7d043af1e5590b7f |
|
06-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
Revert "LDAP: Remove unused option ldap_group_uuid"
This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
1dfa1e2968ce2031deb6da7c28b09ce1b5ba56f2 |
|
06-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
Revert "LDAP: Remove unused option ldap_user_uuid"
This reverts commit dfb2960ab251f609466fa660449703835c97f99a.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
f834f712548db811695ea0fd6d6b31d3bd03e2a3 |
|
16-Oct-2014 |
Michal Zidek <mzidek@redhat.com> |
LDAP: Change defaults for ldap_user/group_objectsid
Fixes:
https://fedorahosted.org/sssd/ticket/2361
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
6f91c61426c8cfbfec52d5e77ae4650007694e69 |
|
15-Sep-2014 |
Michal Zidek <mzidek@redhat.com> |
Add alternative objectClass to group attribute maps
In IPA we sometimes need to use the posixGroup and
sometimes the groupOfNames objectclass to query the
groups. This patch adds the possibility to specify an
alternative objectclass in group maps. By
default it is only set for IPA.
Fixes:
https://fedorahosted.org/sssd/ticket/2436
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
9cd7a75654c64ce9ba320e0fee60e194dca437c1 |
|
01-Sep-2014 |
Jan Cholasta <jcholast@redhat.com> |
SDAP: Set default value of ldap_user_ssh_public_key to "sshPublicKey"
https://fedorahosted.org/sssd/ticket/1560
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
5668d294a39326f7024cbf24333e33ee970caf2d |
|
27-Aug-2014 |
Pavel Reichl <preichl@redhat.com> |
SDAP: new option - DN to ppolicy on LDAP
To check the value of the pwdLockout attribute on the LDAP server, the DN
of the ppolicy must be set.
Resolves:
https://fedorahosted.org/sssd/ticket/2364
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
dfb2960ab251f609466fa660449703835c97f99a |
|
25-Jul-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Remove unused option ldap_user_uuid
There is a problem with the OpenLDAP server and dereferencing of attributes
that are not in the schema of the server:
sh-4.2$ ldapsearch -x -LLL -h openldap.server.test -b 'dc=example,dc=com' \
-E 'deref=member:uid,dummy_attr' cn=ref_grp
Protocol error (2)
Additional information: Dereference control: attribute decoding error
sh-4.2$ echo $?
2
The attribute nsUniqueID is a 389-only, non-standard attribute.
It is an operational attribute that is not in the rfc2307bis nor inetOrgPerson
nor posixAccount schema. It was the default value of the option ldap_user_uuid,
but it was not used anywhere.
Resolves:
https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b5242c146cc0ca96e2b898a74fb060efda15bc77 |
|
25-Jul-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Remove unused option ldap_group_uuid
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
87ff519b472568b19809963ca860d2182e874fcd |
|
25-Jul-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Remove unused option ldap_netgroup_uuid
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
7c30e60c525ea798aaab142766ff00eef4b5df3b |
|
15-Jul-2014 |
Pavel Březina <pbrezina@redhat.com> |
sudo: fetch sudoRunAs attribute
This attribute was used in pre 1.7 versions of sudo and it is now
deprecated by sudoRunAsUser and sudoRunAsGroup. However, some users
still use this attribute so we need to support it to ensure backward
compatibility.
This patch makes sure that this attribute is downloaded if present and
provided to sudo. Sudo then decides how to handle it.
The new mapping option is not present in the man page since this
attribute has been deprecated in sudo for a very long time.
Resolves:
https://fedorahosted.org/sssd/ticket/2212
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b1559c6498e791aa870f6e01948d1ad0f1af32e7 |
|
08-Jul-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
PROVIDERS: Add ldap_common.h to opts.h of each provider
The opts.h files were consuming some #defines from ldap_common.h (such
as SSS_LDAP_SRV_NAME) without including ldap_common.h. That's bad
practice and breaks programs that wish to just include the opts.h header.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
69994add9cd4e57d40b3b7a0b1783ef2d0aa974c |
|
02-Jun-2014 |
Pavel Reichl <preichl@redhat.com> |
SDAP: Add option to disable use of Token-Groups
Disabling use of Token-Groups is mandatory if expansion of nested groups is not
desired (ldap_group_nesting_level = 0) for AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2294
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4dd38025efda88f123eac672f87d3cda12f050c8 |
|
02-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Make it possible to extend an attribute map
https://fedorahosted.org/sssd/ticket/2073
This commit adds a new option ldap_user_extra_attrs that is unset by
default. When set, the option contains a list of LDAP attributes the LDAP
provider would download and store in addition to the usual set.
The list can either contain LDAP attribute names only, or colon-separated
tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP
attribute name is specified, the attribute is saved to the cache verbatim.
Using a custom SSSD attribute name might be required by environments that
configure several SSSD domains with different LDAP schemas.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
21e7b7d99a85b895f99e45d176524033cd40618c |
|
29-Jan-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: require attribute groupType for AD groups
Commit 8280c5213094 introduced filtering local groups for trusted/sub domains,
but the attribute groupType was not available with the configuration id_provider ldap
and ldap_schema ad.
Resolves:
https://fedorahosted.org/sssd/ticket/2172 |
022456e93c9b175ce3774afe524e3926f41ba80f |
|
19-Dec-2013 |
Sumit Bose <sbose@redhat.com> |
Add new option ldap_group_type |
407123c67114bf010cdad4418f291f9fb3762f4a |
|
12-Nov-2013 |
Cove Schneider <cove@ilm.com> |
Add ldap_autofs_map_master_name option |
eceefd520802efe356d413a13247c5f68d8e27c8 |
|
28-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Add new options ldap_min_id and ldap_max_id
Currently the range for Posix IDs stored in an LDAP server is unbound.
This might lead to conflicts in a setup with AD and trusts when the
configured domain uses IDs from LDAP. With the two new options this
conflict can be avoided. |
14452cd066b51e32ca0ebad6c45ae909a1debe57 |
|
10-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
A new option krb5_use_kdcinfo
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf |
6263578b03a52b3ec3a2e33e097554241780fc20 |
|
23-May-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Adding an option to disable retrieving large AD groups.
This commit adds a new option ldap_disable_range_retrieval with default value
FALSE. If this option is enabled, large groups (>1500) will not be retrieved and
behaviour will be similar to what it was before commit ae8d047122c
"LDAP: Handle very large Active Directory groups"
https://fedorahosted.org/sssd/ticket/1823 |
fae99bfe4bfc8b4a12e9c2a0ad01b3684c22f934 |
|
20-Mar-2013 |
Simo Sorce <simo@redhat.com> |
ldap: Fallback option for rfc2307 schema
Add an option to fall back to fetching local users if rfc2307 is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.
Disabled by default as it violates identity domain separation.
Ticket:
https://fedorahosted.org/sssd/ticket/1020 |
67ca9e7c006d8619f446c018eabf29eab1368ba5 |
|
04-Oct-2012 |
Ondrej Kos <okos@redhat.com> |
Fix default upper limit of slices
https://fedorahosted.org/sssd/ticket/1537
Changes the upper limit of slices to 2000200000 in the providers code and
the manpage. |
ae5381b3a81ed4dee51e3ac56ddabd0bf7641c86 |
|
02-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Flip the default value of ldap_initgroups_use_matching_rule_in_chain
https://fedorahosted.org/sssd/ticket/1535 |
ceb40cb8846ff755f841466908954087f927eae7 |
|
09-Aug-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Change default for ldap_idmap_range_min to 200000
https://fedorahosted.org/sssd/ticket/1462 |
fb4e4c4eb6a6dc732370584f70d23dd4a2c5c7b6 |
|
07-Aug-2012 |
Pavel Březina <pbrezina@redhat.com> |
Rename SYSDB_SUDO_CACHE_AT_OC to SYSDB_SUDO_CACHE_OC
It does not contain the name of the object class attribute but the value
itself. I renamed it to avoid confusion. |
07b7b76d7cd494cbd26263503ba2732c21819941 |
|
01-Aug-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Primary server support: new options in krb5 provider
This patch adds support for the new config options krb5_backup_server and
krb5_backup_kpasswd. The description of these options' functionality
is included in the man page in one of the previous patches. |
f6cd1236c27817b97db002094b76648d92b55f82 |
|
01-Aug-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Primary server support: new option in ldap provider
This patch adds support for the new config option ldap_backup_uri. The
description of this option's functionality is included in the man page in
the previous patch. |
42aeb975864c3c3ba971fd04c61a1aaf6e69905b |
|
06-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Rename user and group maps for AD
This will eliminate ambiguity for the AD provider |
9af677f3bae3a7c1386867e4d42970555b3d6b9a |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo: add host info options
Adds some options that allow manually configuring a host filter.
ldap_sudo_use_host_filter - if false, we will download all rules regardless of their sudoHost attribute
ldap_sudo_hostnames - list of hostnames and/or FQDNs that should be downloaded, separated with spaces
ldap_sudo_ip - list of IPv4/6 addresses and/or networks that should be downloaded, separated with spaces
ldap_sudo_include_netgroups - include rules that contain a netgroup in sudoHost
ldap_sudo_include_regexp - include rules that contain a regular expression in sudoHost |
db26b4a6f2be8f087987ee6b15008b16350174d0 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo provider: add ldap_sudo_smart_refresh_interval |
c8704f06db6dbbe39f50dfb35f20cdf27cf1f087 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
ldap provider: add sudo usn value |
44bff89750c5451112d4ef7a10b6d9d0c8442f85 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo provider: remove old timer |
9f714651c7d21908c94b70fc755697a3b220a22f |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo provider: add ldap_sudo_full_refresh_interval |
2c62da337e31217d03f5bf0f768b574d166bb2fe |
|
13-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Auto-detect support for the ldap match rule
This patch extends the RootDSE lookup so that we will perform a
second request to test whether the match rule syntax can be used.
If both groups and initgroups are disabled in the configuration,
this lookup request can be skipped. |
3963d3fa9e3099bc02d612b5051d8b769d6e3a75 |
|
13-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add ldap_*_use_matching_rule_in_chain options |
532eb49e129bedf57cdbd0a66f39ad228b8f2482 |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Map the user's primaryGroupID |
4f3fd1fb264a7eaf3a9d062d49e071b0d17e4deb |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Allow setting a default domain for id-mapping slice 0 |
2fd5864ac8eb2c4cfa0fafe7c0431a74f2ebe1fb |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add autorid compatibility mode |
13c88d62a09c152983abc99d989bb077fa987acb |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add ID mapping range settings |
d38cd6a211d3b68036ceb7bc875f832433afd035 |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add id-mapping option |
4f07a5ba197b902afd3a785baf6bd9967f50dfd2 |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add objectSID config option |
e980f8b95f2fb89e872babffdd94b3ccb2d42ccf |
|
28-Mar-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Add terminator for sdap_attr_map |
419ddca29f074cf446c316b735fbbafc59084458 |
|
28-Mar-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Add terminator for dp_option |
65e8f538ad35ba7d86cd9e60a3d86aec34537027 |
|
28-Mar-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Put dp_option maps in their own file
There is no functional change due to this patch. |