d2633d922eeed68f92be4248b9172b928c189920 |
|
25-Apr-2018 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Augment the sdap_opts structure with a data provider pointer
In order to be able to use the Data Provider methods from the SDAP code
to e.g. invalidate memcache when needed, add a new field to the
sdap_options structure with the data_provider structure pointer.
Fill the pointer value for all LDAP-based providers.
Related:
https://pagure.io/SSSD/sssd/issue/2653
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
60a715a0dd79873d2d2607eab8fdfaf0ffd2e7d3 |
|
09-Feb-2018 |
Hristo Venev <hristo@venev.name> |
providers: Move hostid from ipa to sdap, v2
In the ldap provider, all option names are renamed to ldap_host_*. In
the ipa provider the names haven't been changed.
Host lookups for both ipa and ldap are handled in the ldap provider.
sss_ssh_knownhostsproxy works but hostgroups are still only available
in the ipa provider.
I've also added some documentation for the ldap provider.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
37fdd9dc1ad5968067f8e3c43a51ed2ac9f3b104 |
|
06-Dec-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Split out utility function sdap_get_object_domain() from sdap_object_in_domain()
The DP request that returns a domain of an entry to responder will need
this functionality in order to map the original DN of the entry found
to a domain name.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
f34a8330c1615511795847b0a1454249d782db2a |
|
19-Oct-2017 |
Alexey Kamenskiy <alexey.kamenskiy@chinanetcloud.com> |
LDAP: Add support for rhost access control
This patch implements verification of pam_rhost against
rules stored in LDAP entry of a user.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
f2e70ec742cd7aab82b74d7e4b424ba3258da7aa |
|
14-Sep-2017 |
Sumit Bose <sbose@redhat.com> |
IPA: fix handling of certmap_ctx
This patch fixes a use-after-free in the AD provider part and
initializes the certmap_ctx with data from the cache at startup.
Related to https://pagure.io/SSSD/sssd/issue/3508
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
386c5f2e134beb6fcfc474f347e226ac0dedfef5 |
|
11-Jul-2017 |
Michal Židek <mzidek@redhat.com> |
SDAP: Add sdap_domain_copy_search_bases
Add function to copy search bases from one sdap_domain to
another.
Resolves:
https://pagure.io/SSSD/sssd/issue/3435
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
c44728a02d5e2c9eaced11e74820a6ae6a985f61 |
|
23-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
IPA: add certmap support
Read certificate mapping data from the IPA server and configure the
certificate mapping library accordingly.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
08bf6b4a281ef4308119dccbba4e86cf28b505d2 |
|
22-Feb-2017 |
Sumit Bose <sbose@redhat.com> |
sdap_extend_map: make sure memory can be freed
If there is an error after calling talloc_realloc() the caller cannot
free the memory properly because neither src_map nor _map were pointing
to a valid memory location. With this patch _map will always point to
the current valid location so that it can always be used with
talloc_free().
Reviewed-by: Petr Cech <pcech@redhat.com> |
3ee411625aee19afda7477bb10b52c3da378b6fb |
|
08-Feb-2017 |
Petr Čech <pcech@redhat.com> |
SYSDB: Removing of sysdb_try_to_find_expected_dn()
Currently in order to match multiple LDAP search results we
use two different functions - we have sysdb_try_to_find_expected_dn()
but also sdap_object_in_domain().
This patch removes sysdb_try_to_find_expected_dn() and adds a new
sdap_search_initgr_user_in_batch() based on sdap_object_in_domain().
This function covers necessary logic.
Resolves:
https://fedorahosted.org/sssd/ticket/3230
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
83a796ec8de4bde65b11cc8032675406950641fa |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
LDAP: new attribute option ldap_user_email
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
cc2d77d5218c188119fa954c856e858cbde76947 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
Rename dp_backend.h to backend.h
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
c6fb6dbdfc3084c870714a8782d2bf89d8aec209 |
|
07-Apr-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Recognize Windows Server 2016
Even though at this time the MSDN documentation at:
https://msdn.microsoft.com/en-us/library/cc223272.aspx
still claims that "7" is a value of DS_BEHAVIOR_WINTHRESHOLD, testing
with Windows Server 2016 Preview already shows that server reporting a
new value of Domain Controller Functionality.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
ef5e33f7db1e314226b0077596e38ef16305cba5 |
|
17-Mar-2016 |
Pavel Březina <pbrezina@redhat.com> |
SUDO: be able to parse modifyTimestamp correctly
We were unable to parse modifyTimestamp where a non-numeric part
(timezone) was involved. The format is YYYYMMDDHHmmssZ. It may
also contain a fraction or a different timezone, every time separated
from the datetime by a character. This patch gets the numeric part
and then appends the string part again to get value usable in filter.
Resolves:
https://fedorahosted.org/sssd/ticket/2970
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
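The split described in the commit above (leading numeric part, non-numeric tail kept for the filter), as an added example in Python that is not SSSD code. The helper that picks the newest value from a batch is my own illustration of how such a split gets used; the sample timestamps are constructed.

```python
import re
from typing import Iterable, Tuple

# Added example, not SSSD code.  A modifyTimestamp-style value is a run of
# digits ("YYYYMMDDHHmmss") followed by an optional tail such as "Z",
# ".123Z" or "+0100".  The tail is what a purely numeric parser choked on.
_NUMERIC_PREFIX = re.compile(r"^(\d+)(.*)$", re.DOTALL)


def split_timestamp(value: str) -> Tuple[int, str]:
    """Return (numeric_part, tail) for a generalized-time string.

    Raises ValueError when there is no leading run of digits at all.
    """
    m = _NUMERIC_PREFIX.match(value)
    if m is None:
        raise ValueError(f"no numeric prefix in timestamp {value!r}")
    return int(m.group(1)), m.group(2)


def is_valid_timestamp(value: str) -> bool:
    """True when split_timestamp() would accept the value."""
    try:
        split_timestamp(value)
    except ValueError:
        return False
    return True


def render_timestamp(number: int, tail: str) -> str:
    """Reassemble the string form so it can be placed back into an LDAP filter."""
    return f"{number}{tail}"


def newest_timestamp(values: Iterable[str]) -> str:
    """Pick the newest value of a batch by comparing numeric parts only.

    Illustrative use (an assumption, not the project's logic).  Numeric
    comparison is only meaningful when every value carries the same
    timezone tail; mixed offsets would need real time parsing instead.
    """
    best = None
    for v in values:
        num, tail = split_timestamp(v)
        if best is None or num > best[0]:
            best = (num, tail)
    if best is None:
        raise ValueError("empty batch")
    return render_timestamp(*best)
```

Values whose tail differs (a server handing out "+0100" next to "Z") should not be compared by the numeric part alone; the comment in newest_timestamp() marks that caveat.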
e2d96566aeb881bd89e5c9236d663f6a9a88019a |
|
24-Feb-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Add interface to call into IPA provider from LDAP provider
https://fedorahosted.org/sssd/ticket/2522
Adds a pluggable interface that is able to resolve the IPA group's
external members. At the moment, the request calls the full be_
interface to make sure all corner cases like id-views are handled
internally.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
3cf7fdfcaedb986f42a6640e26aa057007b64045 |
|
24-Feb-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
Add a new option ldap_group_external_member
Required for:
https://fedorahosted.org/sssd/ticket/2522
Reviewed-by: Sumit Bose <sbose@redhat.com> |
8babbeee01e67893af4828ddfc922ecac0be4197 |
|
20-Jan-2016 |
Pavel Reichl <preichl@redhat.com> |
IDMAP: Add support for automatic adding of ranges
Resolves:
https://fedorahosted.org/sssd/ticket/2188
Reviewed-by: Sumit Bose <sbose@redhat.com> |
f58ffb26aeaae0642a149643672fa59ec01a3a36 |
|
19-Jan-2016 |
Pavel Březina <pbrezina@redhat.com> |
SUDO: remember usn as number instead of string
Reviewed-by: Sumit Bose <sbose@redhat.com> |
fb83de0699b16e7d8eca803305e2112795807b4c |
|
22-Sep-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Filter out multiple entries when searching overlapping domains
In case domains overlap, we might download multiple objects. To avoid
saving them all, we attempt to filter out the objects from foreign
domains.
We can only do this optimization for non-wildcard lookups.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
cf66c53e46fad46f47489f43265c58004e0e39d4 |
|
22-Sep-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Move sdap_create_search_base from ldap to sdap code
The function shouldn't be placed in the LDAP tree, but in the SDAP tree
to make it usable from tests without linking to libraries that are
normally linked from LDAP provider (such as confdb)
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
4b1a46396caf656095e5f5e90d43996bdeaba0f3 |
|
31-Jul-2015 |
Pavel Reichl <preichl@redhat.com> |
SDAP: rename SDAP_CACHE_PURGE_TIMEOUT
Enum member SDAP_CACHE_PURGE_TIMEOUT has a counter-intuitive name as it's used
to access 'ldap_purge_cache_timeout' option.
SDAP_CACHE_PURGE_TIMEOUT is a more fitting name.
Reviewed-by: Petr Cech <pcech@redhat.com> |
b9e74a747b8f1012bba3575f3e4289ef4877d64a |
|
15-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Add the wildcard_limit option
Related:
https://fedorahosted.org/sssd/ticket/2553
Adds a new wildcard_limit option that is set by default to 1000 (one
page). This option limits the number of entries that can by default be
returned by a wildcard search.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
e22e04517b9f9d0c7759dc4768eedfd05908e9b6 |
|
19-Jun-2015 |
Sumit Bose <sbose@redhat.com> |
LDAP: add ldap_user_certificate option
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
9b162bf39ef75629f54ffa1d0bd5f9c13119b650 |
|
05-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
subdomains: Inherit cleanup period and tokengroup settings from parent domain
Allows the administrator to extend the functionality of
ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to
the subdomains.
This is a less intrusive way of achieving:
https://fedorahosted.org/sssd/ticket/2627
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
12089241f6a6eabf4f0c95669e5fc2bb3b503c06 |
|
05-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Add sdap_copy_map_entry
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
4d7fe714fe74ad242497b2bdbeb7b4e0bf40141f |
|
11-Feb-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Rename the _res output parameter to avoid clashing with libresolv in tests
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
2d40bf0ad9f03e345228cba4563091c91eb02f5b |
|
13-Dec-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
Skip CHAUTHTOK_PRELIM when using OTPs
https://fedorahosted.org/sssd/ticket/2484
When OTPs are used, we can only use each authtoken at most once. When
it comes to Kerberos password changes, this was only working previously
by accident, because the old authtoken was first used to verify the old
password is valid and not expired and then also to acquire a chpass
principal.
This patch looks at the user object in LDAP to check if the user has any
OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped
completely so that the OTP can be used to acquire the chpass ticket
later.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
69a88c4757dd24b1857954de7d043af1e5590b7f |
|
06-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
Revert "LDAP: Remove unused option ldap_group_uuid"
This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
1dfa1e2968ce2031deb6da7c28b09ce1b5ba56f2 |
|
06-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
Revert "LDAP: Remove unused option ldap_user_uuid"
This reverts commit dfb2960ab251f609466fa660449703835c97f99a.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
229c292143dcd4120acb022682b5b7d0aca622dd |
|
14-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
nss: add SSS_NSS_GETORIGBYNAME request
This patch adds a new request to the nss responder which follows the
same flow as a SSS_NSSGETSIDBYNAME request but returns more data than
just the SID. The data is returned as pairs of \0-terminated strings
where the first string is the sysdb attribute name and the second the
corresponding value.
The main use case is on the FreeIPA server to make additional user and
group data available to the extdom plugin which then sends this data to
SSSD running on FreeIPA clients.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
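The payload layout the commit above describes (pairs of NUL-terminated strings, sysdb attribute name first, value second), as an added example in Python that is not SSSD code. It shows both directions plus the two malformed cases a consumer must reject; the attribute names and values are constructed.

```python
from typing import List, Tuple

# Added example, not SSSD code.  Serializes and parses a sequence of
# (name, value) pairs laid out as alternating NUL-terminated strings.


def encode_orig_attrs(pairs: List[Tuple[str, str]]) -> bytes:
    """Serialize (name, value) pairs as alternating NUL-terminated strings."""
    out = bytearray()
    for name, value in pairs:
        for s in (name, value):
            if "\0" in s:
                raise ValueError("embedded NUL cannot be represented in this layout")
            out += s.encode("utf-8") + b"\0"
    return bytes(out)


def decode_orig_attrs(payload: bytes) -> List[Tuple[str, str]]:
    """Parse the payload back into (name, value) pairs.

    Rejects a payload whose last string lacks its NUL terminator and one
    with an odd number of strings (a name with no value), so a truncated
    reply becomes an error instead of a silently misaligned mapping.
    """
    if payload and not payload.endswith(b"\0"):
        raise ValueError("payload does not end with NUL")
    fields = payload.split(b"\0")[:-1]  # drop the empty piece after the final NUL
    if len(fields) % 2:
        raise ValueError("odd number of strings: attribute name without value")
    pairs: List[Tuple[str, str]] = []
    for i in range(0, len(fields), 2):
        name = fields[i].decode("utf-8")
        if not name:
            raise ValueError("empty attribute name")
        pairs.append((name, fields[i + 1].decode("utf-8")))
    return pairs


def is_well_formed(payload: bytes) -> bool:
    """True when decode_orig_attrs() accepts the payload."""
    try:
        decode_orig_attrs(payload)
    except ValueError:
        return False
    return True


# Constructed sample.  A multi-valued attribute simply repeats the name.
SAMPLE_PAIRS = [
    ("name", "alice"),
    ("objectSIDString", "S-1-5-21-1-2-3-1105"),
    ("mail", "alice@example.test"),
    ("mail", "a.smith@example.test"),
]
```

Keeping the result as a list of pairs rather than a dict preserves repeated names, which is how a multi-valued attribute arrives in this layout.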
7ba70236daccb48432350147d0560b3302518cee |
|
15-Sep-2014 |
Michal Zidek <mzidek@redhat.com> |
Use the alternative objectclass in group maps.
Use the alternative group objectclass in queries.
Fixes:
https://fedorahosted.org/sssd/ticket/2436
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
6f91c61426c8cfbfec52d5e77ae4650007694e69 |
|
15-Sep-2014 |
Michal Zidek <mzidek@redhat.com> |
Add alternative objectClass to group attribute maps
In IPA we sometimes need to use posixGroup and
sometimes groupOfNames objectclass to query the
groups. This patch adds the possibility to specify
alternative objectclass in group maps. By
default it is only set for IPA.
Fixes:
https://fedorahosted.org/sssd/ticket/2436
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
9ea0969f6a9e52b7c57feb5808266b0739ee40a4 |
|
01-Sep-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Add Windows Server 2012 R2 functional level
https://fedorahosted.org/sssd/ticket/2418
According to http://msdn.microsoft.com/en-us/library/cc223272.aspx a
Windows Server 2012 R2 has a functional level set to '6'. We need to
support that value in order for tokenGroups to be functional.
For more information on the functional levels, please refer to:
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
5668d294a39326f7024cbf24333e33ee970caf2d |
|
27-Aug-2014 |
Pavel Reichl <preichl@redhat.com> |
SDAP: new option - DN to ppolicy on LDAP
To check the value of the pwdLockout attribute on the LDAP server, the DN
of the ppolicy must be set.
Resolves:
https://fedorahosted.org/sssd/ticket/2364
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
ac67376a47ed52374641e7a4f6fd97712fe5171b |
|
19-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
Revert "IPA: new attribute map for non-posix groups"
This reverts commit 4c560e7b98e7ab71d22be24d2fbc468396cb634f. |
4c560e7b98e7ab71d22be24d2fbc468396cb634f |
|
19-Aug-2014 |
Pavel Reichl <preichl@redhat.com> |
IPA: new attribute map for non-posix groups
Create new set of attributes to be used when processing non-posix groups.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com> |
a1e89ede4995f948abc1acc364246161df7cca2c |
|
11-Aug-2014 |
Michal Šrubař <xsruba03@stud.fit.vutbr.cz> |
LDAP SUDO: sudo provider doesn't fetch 'EntryUSN'
The EntryUSN is not fetched by the sudo LDAP provider when it downloads
the rules because sudorule_map is missing this attribute. We forgot to
add the SDAP_AT_SUDO_RUNAS into sdap_sudorule_attrs when we added support
for sudoRunAs.
Related to:
https://fedorahosted.org/sssd/ticket/2212 |
dfb2960ab251f609466fa660449703835c97f99a |
|
25-Jul-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Remove unused option ldap_user_uuid
There is a problem with OpenLDAP server and dereferencing of attributes
that is not in the schema of the server?
sh-4.2$ ldapsearch -x -LLL -h openldap.server.test -b 'dc=example,dc=com' \
-E 'deref=member:uid,dummy_attr' cn=ref_grp
Protocol error (2)
Additional information: Dereference control: attribute decoding error
sh-4.2$ echo $?
2
The attribute nsUniqueID is a 389-only, non-standard attribute.
It is an operational attribute that is not in the rfc2307bis nor inetOrgPerson
nor posixAccount schema. It was a default value of option ldap_user_uuid,
but it was not used anywhere.
Resolves:
https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b5242c146cc0ca96e2b898a74fb060efda15bc77 |
|
25-Jul-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Remove unused option ldap_group_uuid
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
87ff519b472568b19809963ca860d2182e874fcd |
|
25-Jul-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Remove unused option ldap_netgroup_uuid
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
88eac3adf8424b65195e725ff724c79d38500e1d |
|
08-Jul-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Remove unused function sdap_get_msg_dn
This function was not used since 2009. An unused and untested function
would just rot, better to remove it completely.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
34de8a00f5b480ef3f46d2516e072e4acf1ebf87 |
|
08-Jul-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Remove unused output parameter _dn from sdap_parse_entry
No caller directly accessed this parameter. Moreover, it seemed useless
since the same data is available as SYSDB_ORIGINAL_DN in the attributes.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
69994add9cd4e57d40b3b7a0b1783ef2d0aa974c |
|
02-Jun-2014 |
Pavel Reichl <preichl@redhat.com> |
SDAP: Add option to disable use of Token-Groups
Disabling use of Token-Groups is mandatory if expansion of nested groups is not
desired (ldap_group_nesting_level = 0) for AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2294
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
d2969c6b23c722445bd699c830adb7601ba1cdc6 |
|
02-May-2014 |
Sumit Bose <sbose@redhat.com> |
Make LDAP extra attributes available to IPA and AD
https://fedorahosted.org/sssd/ticket/2073
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
4dd38025efda88f123eac672f87d3cda12f050c8 |
|
02-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Make it possible to extend an attribute map
https://fedorahosted.org/sssd/ticket/2073
This commit adds a new option ldap_user_extra_attrs that is unset by
default. When set, the option contains a list of LDAP attributes the LDAP
provider would download and store in addition to the usual set.
The list can either contain LDAP attribute names only, or colon-separated
tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP
attribute name is specified, the attribute is saved to the cache verbatim.
Using a custom SSSD attribute name might be required by environments that
configure several SSSD domains with different LDAP schemas.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
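A parser for the option format the commit above describes (bare LDAP attribute names, or colon-separated pairs naming the cache attribute as well), as an added example in Python that is not SSSD code. Two details are assumptions not stated on this page: items are comma-separated, and a pair is written "<cache name>:<ldap attribute>" as in sssd.conf(5). The sample values are constructed.

```python
from typing import Dict, List

# Added example, not SSSD code.  Parses an ldap_user_extra_attrs-style value
# into a cache-attribute -> LDAP-attribute mapping and merges the LDAP names
# into the attribute list that would be requested from the server.
# Assumptions: comma-separated items; pair order is "<cache>:<ldap>".


def parse_extra_attrs(value: str) -> Dict[str, str]:
    """Return a mapping of cache attribute name -> LDAP attribute name.

    A bare item maps to itself (cached verbatim).  Empty items from a
    trailing or doubled comma are skipped; an item with more than one
    colon, an empty half, or two items writing the same cache attribute
    to different LDAP attributes are rejected.
    """
    mapping: Dict[str, str] = {}
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        if item.count(":") > 1:
            raise ValueError(f"malformed entry {item!r}: expected at most one ':'")
        if ":" in item:
            cache_name, ldap_name = (p.strip() for p in item.split(":"))
        else:
            cache_name = ldap_name = item
        if not cache_name or not ldap_name:
            raise ValueError(f"malformed entry {item!r}: empty name")
        if cache_name in mapping and mapping[cache_name] != ldap_name:
            raise ValueError(f"cache attribute {cache_name!r} mapped twice")
        mapping[cache_name] = ldap_name
    return mapping


def is_valid_extra_attrs(value: str) -> bool:
    """True when parse_extra_attrs() accepts the value."""
    try:
        parse_extra_attrs(value)
    except ValueError:
        return False
    return True


def ldap_attrs_to_request(base_attrs: List[str], extra: Dict[str, str]) -> List[str]:
    """Append the extra LDAP names to the usual set without duplicates.

    LDAP attribute names are case-insensitive, so the duplicate check
    folds case.
    """
    seen = {a.lower() for a in base_attrs}
    result = list(base_attrs)
    for ldap_name in extra.values():
        if ldap_name.lower() not in seen:
            seen.add(ldap_name.lower())
            result.append(ldap_name)
    return result
```

The duplicate-cache-name check matters in the multi-domain setup the commit mentions: two domains can legitimately map different LDAP attributes to the same cache name, but within one option value that is a configuration mistake.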
e81deec535d11912b87954c81a1edd768c1386c9 |
|
12-Feb-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Detect the presence of POSIX attributes
When the schema is set to AD and ID mapping is not used, there is a one-time
check run when searching for users to detect the presence of POSIX
attributes in LDAP. If this check fails, the search fails as if no entry
was found and returns a special error code.
The sdap_server_opts structure is filled every time a client connects to
a server so the posix check boolean is reset to false again on connecting
to the server.
It might be better to move the check to where the rootDSE is retrieved,
but the check depends on several features that are not known to the code
that retrieves the rootDSE (or the connection code for example) such as what
the attribute mappings are or the authentication method that should be used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
8280c5213094a72fcaa499dda2f8647246185d45 |
|
19-Dec-2013 |
Sumit Bose <sbose@redhat.com> |
AD: filter domain local groups for trusted/sub domains
In Active Directory groups with a domain local scope should only be used
inside of the specific domain. Since SSSD reads the group memberships
from LDAP server of the user's domain the domain local groups are
included in the LDAP result. Those groups should be filtered out if the
domain is a sub/trusted domain, i.e. is not the domain the client
running SSSD is joined to.
The groups will still be in the cache but marked as non-POSIX groups and
no GID will be assigned.
Fixes https://fedorahosted.org/sssd/ticket/2178 |
022456e93c9b175ce3774afe524e3926f41ba80f |
|
19-Dec-2013 |
Sumit Bose <sbose@redhat.com> |
Add new option ldap_group_type |
87a6f8fca5fb818d11b7702abb47faf2f3f00b79 |
|
13-Dec-2013 |
Sumit Bose <sbose@redhat.com> |
AD: use LDAP for group lookups
The group memberships cannot be reliably retrieved from the Global
Catalog. By default the memberOf attribute is not replicated to the GC
at all and the member attribute is copied from the local LDAP instance
to the GC running on the same host, but is only replicated to other GC
instances for groups with universal scope. Additionally the tokenGroups
attribute contains invalid SIDs when used with the GC for users from
different domains than the GC belongs to.
As a result the requests which try to resolve group memberships of an
AD user have to go to an LDAP server from the domain of the user.
Fixes https://fedorahosted.org/sssd/ticket/2161 and
https://fedorahosted.org/sssd/ticket/2148 as a side-effect. |
407123c67114bf010cdad4418f291f9fb3762f4a |
|
12-Nov-2013 |
Cove Schneider <cove@ilm.com> |
Add ldap_autofs_map_master_name option |
c704c35ae7ab3861c78371437e3a9ed06ba93d8b |
|
30-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
sdap: store base dn in sdap_domain
Groups may contain members from different domains. Remembering
base dn in domain object gives us the ability to simply lookup
correct domain by comparing object dn with domain base dn.
Resolves:
https://fedorahosted.org/sssd/ticket/2064 |
6e3f79799ce7e736dd19ae2e05a60dc1901613f1 |
|
25-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
dp: convert cleanup task to be_ptask
Resolves:
https://fedorahosted.org/sssd/ticket/1968 |
a8e7d395b4aab4e7a236aebf162a844ae51cc7db |
|
20-Sep-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: Use primary cn to search netgroup
Resolves:
https://fedorahosted.org/sssd/ticket/2075 |
66edf42c51f8591c93204b6490c103fa51346f47 |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Make the cleanup task reusable for subdomains
Instead of always performing the cleanup on the main domain, the task
now accepts a sdap_domain structure to perform the cleanup on. This
change will make the cleanup task reusable for subdomains. |
5894f059b6f97a9dfd63f6e9ab544c636dd58665 |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Convert enumeration to the ptask API
https://fedorahosted.org/sssd/ticket/1942
Identity providers other than LDAP need to customize the enumeration in
different ways while sharing the way the task is scheduled etc. The
easiest way to accomplish it is to leverage the recently introduced
ptask framework. |
8ca73915a3bf60331468fed6b3b38652c979f95d |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Move the ldap enum request to its own reusable module
The LDAP enumeration was too closely tied to the LDAP identity provider.
Because some providers might need special handling such as refresh the
master domain record before proceeding with the enumeration itself, this
patch splits the request itself to a separate async request and lets the
ldap_id_enum.c module only configure this new request.
Also move the enum timestamp to sdap_domain to make the enum tracking
per sdap domain. The cleanup timestamp will be moved in another patch. |
bfd59d1a2d0d45125e5164ef12c425690d519f61 |
|
24-Jul-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Use domain-specific name where appropriate
The subdomain users use FQDN in their name attribute. However, handling
of whether to use FQDN in the LDAP code was not really good. This patch
introduces a utility function and converts code that was relying on
user/group names matching to this utility function.
This is a temporary fix until we can refactor the sysdb API in #2011. |
7ed4988618decf0a8efa0dedd722a84d748bf868 |
|
28-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Add utility function sdap_copy_map
The AD subdomains will only use default options values. This patch
introduces a new utility function sdap_copy_map() that copies the
default options map.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962 |
eceefd520802efe356d413a13247c5f68d8e27c8 |
|
28-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Add new options ldap_min_id and ldap_max_id
Currently the range for Posix IDs stored in an LDAP server is unbound.
This might lead to conflicts in a setup with AD and trusts when the
configured domain uses IDs from LDAP. With the two new options this
conflict can be avoided. |
14452cd066b51e32ca0ebad6c45ae909a1debe57 |
|
10-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
A new option krb5_use_kdcinfo
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf |
749cfb5d3270b5daf389d51a0dbd3fd2aec6e05d |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: new SDAP domain structure
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain. |
6263578b03a52b3ec3a2e33e097554241780fc20 |
|
23-May-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Adding option to disable retrieving large AD groups.
This commit adds new option ldap_disable_range_retrieval with default value
FALSE. If this option is enabled, large groups (>1500) will not be retrieved and
behaviour will be similar to what it was before commit ae8d047122c
"LDAP: Handle very large Active Directory groups"
https://fedorahosted.org/sssd/ticket/1823 |
b0ab39364df453d4ec65d7d6e05a6530895ce3a6 |
|
23-May-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Removing unused functions.
This patch removes unused functions sdap_parse_user and sdap_parse_group |
4709ff46db0dbe073aef061b796d2fd7adeaf18f |
|
21-Mar-2013 |
Jan Cholasta <jcholast@redhat.com> |
LDAP: If deref search fails, try again without deref
https://fedorahosted.org/sssd/ticket/1660 |
fae99bfe4bfc8b4a12e9c2a0ad01b3684c22f934 |
|
20-Mar-2013 |
Simo Sorce <simo@redhat.com> |
ldap: Fallback option for rfc2307 schema
Add option to fallback to fetch local users if rfc2307 is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.
Disabled by default as it violates identity domain separation.
Ticket:
https://fedorahosted.org/sssd/ticket/1020 |
233a3c6c48972b177e60d6ef4cecfacd3cf31659 |
|
19-Mar-2013 |
Simo Sorce <simo@redhat.com> |
Use common error facility instead of sdap_result
Simplifies and consolidates error reporting for ldap authentication paths.
Adds 3 new error codes:
ERR_CHPASS_DENIED - Used when password constraints deny password changes
ERR_ACCOUNT_EXPIRED - Account is expired
ERR_PASSWORD_EXPIRED - Password is expired |
f9f74a587c8e96dcf90214c760022684afc8bef7 |
|
09-Jan-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: replace GID/UID, do not add another one
The code would call sysdb_attrs_add_uint32 which added another UID or GID
to the ID=0 we already downloaded from LDAP (0 is the default value) when
ID-mapping an entry. This led to funky behaviour later on when we wanted
to process the ID. |
e6ba224432bfcd64802222a3544bc38c179727cd |
|
24-Sep-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
AD: Detect domain controller compatibility version |
07b7b76d7cd494cbd26263503ba2732c21819941 |
|
01-Aug-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Primary server support: new options in krb5 provider
This patch adds support for new config options krb5_backup_server and
krb5_backup_kpasswd. The description of this option's functionality
is included in man page in one of previous patches. |
f6cd1236c27817b97db002094b76648d92b55f82 |
|
01-Aug-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Primary server support: new option in ldap provider
This patch adds support for new config option ldap_backup_uri. The
description of this option's functionality is included in man page in
previous patch. |
9af677f3bae3a7c1386867e4d42970555b3d6b9a |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo: add host info options
Adds some options that allow manual configuration of a host filter.
ldap_sudo_use_host_filter - if false, we will download all rules regardless of their sudoHost attribute
ldap_sudo_hostnames - list of hostnames and/or fqdn that should be downloaded, separated with spaces
ldap_sudo_ip - list of IPv4/6 addresses and/or networks that should be downloaded, separated with spaces
ldap_sudo_include_netgroups - include rules that contain a netgroup in sudoHost
ldap_sudo_include_regexp - include rules that contain a regular expression in sudoHost |
db26b4a6f2be8f087987ee6b15008b16350174d0 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo provider: add ldap_sudo_smart_refresh_interval |
c8704f06db6dbbe39f50dfb35f20cdf27cf1f087 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
ldap provider: add sudo usn value |
44bff89750c5451112d4ef7a10b6d9d0c8442f85 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo provider: remove old timer |
9f714651c7d21908c94b70fc755697a3b220a22f |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo provider: add ldap_sudo_full_refresh_interval |
2c62da337e31217d03f5bf0f768b574d166bb2fe |
|
13-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Auto-detect support for the ldap match rule
This patch extends the RootDSE lookup so that we will perform a
second request to test whether the match rule syntax can be used.
If both groups and initgroups are disabled in the configuration,
this lookup request can be skipped. |
3963d3fa9e3099bc02d612b5051d8b769d6e3a75 |
|
13-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add ldap_*_use_matching_rule_in_chain options |
64ddff90c7fcc02ccb06824ac93af7d5f361a88f |
|
31-May-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Add support for filtering attributes
This patch adds support for filtering attributes when constructing
attribute list from a map for LDAP query. |
ca4b7b92738f3dd463914e3de5757cd98d37a983 |
|
10-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add attr_count return value to build_attrs_from_map()
This is necessary because in several places in the code, we are
appending to the attrs returned from this value, and if we relied
on the map size macro, we would be appending after the NULL
terminator if one or more attributes were defined as NULL. |
532eb49e129bedf57cdbd0a66f39ad228b8f2482 |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Map the user's primaryGroupID |
4f3fd1fb264a7eaf3a9d062d49e071b0d17e4deb |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Allow setting a default domain for id-mapping slice 0 |
2fd5864ac8eb2c4cfa0fafe7c0431a74f2ebe1fb |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add autorid compatibility mode |
d0a10e530823d6d8eff31ef164eee9ba2fb71c63 |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Initialize ID mapping when configured |
13c88d62a09c152983abc99d989bb077fa987acb |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add ID mapping range settings |
d38cd6a211d3b68036ceb7bc875f832433afd035 |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add id-mapping option |
4f07a5ba197b902afd3a785baf6bd9967f50dfd2 |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add objectSID config option |
e980f8b95f2fb89e872babffdd94b3ccb2d42ccf |
|
28-Mar-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Add terminator for sdap_attr_map |
fdab7bbf8933351f6254438c30ff361cd748b15a |
|
24-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
IPA hosts refactoring |
af5a58fc3811af8521721f731d8234d983042cea |
|
07-Feb-2012 |
Jan Cholasta <jcholast@redhat.com> |
LDAP: Add support for SSH user public keys |
c9750312bfb4196b49ba6f91b26489f630958452 |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Update shadowLastChanged attribute during LDAP password change
https://fedorahosted.org/sssd/ticket/1019 |
1a853121ca2ba8ede6df429ee76942131ffb0f65 |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Session target in IPA provider |
cc84fd46f356c4a36a721ab135a33ec77c93e34d |
|
06-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: LDAP provider |
bd92e8ee315d4da9350b9ef0358c88a7b54aeebe |
|
04-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
NSS: Add individual timeouts for entry types
https://fedorahosted.org/sssd/ticket/1016 |
e2925c2d7d10cbb51098402233784044168f1a77 |
|
31-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add enumeration support for services |
796463906a54e259bd5b582ce84af4297a58eafc |
|
31-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add support for service lookups (non-enum) |
8270b1b8505e4bce5ec065daa8fcdf985e1fc9f5 |
|
18-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add option to disable paging control
Fixes https://fedorahosted.org/sssd/ticket/967 |
eb54e05c9658a7274e3238813c54dd0c6577d3ec |
|
17-Jan-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - periodical update of rules in data provider
https://fedorahosted.org/sssd/ticket/1110
Adds new configuration options:
- ldap_sudo_refresh_enabled - enable/disable periodical updates
- ldap_sudo_refresh_timeout - rules timeout (refresh period) |
10b6b1fc57bb7c2edb4cfd0a0038303bd33722bc |
|
16-Dec-2011 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - LDAP configuration options |
440d7fb430f83b3547f98f79c67a232ab2220296 |
|
12-Dec-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add sdap_connection_expire_timeout option
https://fedorahosted.org/sssd/ticket/1036 |
8c60644bd8f2d739ff7a58b3717929254d09dfbe |
|
08-Dec-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Add ldap_sasl_minssf option
https://fedorahosted.org/sssd/ticket/1075 |
7d9f54f5ec7c72336c4f69dbf20d55f1f64b88d2 |
|
23-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Renamed some LDAP routines
These were renamed just to make sure they are not mistaken for IPA
netgroup functions. |
ac3a1f3da772cf101101c31675c63dc3549b21b5 |
|
22-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Cleanup: Remove unused parameters |
ed80a7f8ff76089bdcfae7007dbdef42d05e2cc8 |
|
02-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Support to request canonicalization in LDAP/IPA provider
https://fedorahosted.org/sssd/ticket/957 |
09b663e6dfd2ed09cead04f926d3e99e9ac01894 |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add parser for multiple search bases |
bbb878fd1bfb49120a0b4fee25eb1ec4de7365e1 |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Remove unused sdap_options attributes
These DNs were never assigned or referenced anywhere. |
cd5b718ebeab1c923af7a5c3c0a5c717c5659c7d |
|
06-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Improve error message for LDAP password constraint violation
https://fedorahosted.org/sssd/ticket/985 |
a2e6bd6ed16c92799d435043450f6156a773a6dc |
|
26-Aug-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add LDAP provider option to set LDAP_OPT_X_SASL_NOCANON
https://fedorahosted.org/sssd/ticket/978 |
37e7e93f1996cf50677cf59fd8af6938dd5d85b2 |
|
08-Jul-2011 |
Sumit Bose <sbose@redhat.com> |
Add LDAP access control based on NDS attributes |
7087d51975f4059591c04718def24ba7b753644c |
|
30-Jun-2011 |
Sumit Bose <sbose@redhat.com> |
Add sockaddr_storage to sdap_service |
7bdaf2a712d73763e7c3d25f6bb544b18f7028eb |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use dereference when processing RFC2307bis nested groups
Instead of issuing N LDAP requests when processing a group with N users,
utilize the dereference functionality to pull down all the members in a
single LDAP request.
https://fedorahosted.org/sssd/ticket/799 |
258d4b400f72e89f4428302d82c886f9c4c45c3e |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
OpenLDAP dereference searches
This dereference method is supported at least by OpenLDAP and
389DS/RHDS
For more details, see:
http://tools.ietf.org/html/draft-masarati-ldap-deref-00 |
0a4b0580d8f5de1733ea065553992edfcb793de5 |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Generic dereference data structures and utilities
These will be shared by both dereference methods in a later patch. |
ebbc0bb29d240f3d3f916d836e54d1a76ecfa5d1 |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Remove append_attrs_to_array
This function was not used anywhere |
b35da26911249aa48052655eef02f16e12930cf9 |
|
27-Apr-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add ldap_page_size configuration option |
e81a816cddab4a62f263d1a0274d5d3f101e8e0f |
|
25-Apr-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Modify principal selection for keytab authentication
Currently we construct the principal as host/fqdn@REALM. The problem
with this is that this principal doesn't have to be in the keytab. In
that case the provider fails to start. It is better to scan the keytab
and find the most suitable principal to use. Only in case no suitable
principal is found should the backend fail to start.
The second issue solved by this patch is that the realm we are
authenticating the machine to can be in general different from the realm
our users are part of (in case of cross Kerberos trust).
The patch adds new configuration option SDAP_SASL_REALM.
https://fedorahosted.org/sssd/ticket/781 |
44c90f21cfd661ef07e74002ae01481a69c22d98 |
|
19-Apr-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add value of the last USN to server configuration
Related:
https://fedorahosted.org/sssd/ticket/734 |
4a28fb10122bd74ba33607af46f028813de9161d |
|
08-Apr-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Don't pass NULL to printf for TLS errors
https://fedorahosted.org/sssd/ticket/643 |
3612c73e7957721bcbf31d0118e2ac210eb46b88 |
|
24-Mar-2011 |
Pierre Ossman <pierre@ossman.eu> |
Add host access control support
https://fedorahosted.org/sssd/ticket/746 |
a1af9beb915e96da634b7d17762bf42146104d45 |
|
27-Jan-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add option to disable TLS for LDAP auth
Option is named to discourage use in production environments and
is intentionally not listed in the SSSDConfig API. |
3c13b616108d4c0a413380ba72189947898eee57 |
|
20-Jan-2011 |
Tyson Whitehead <twhitehead@gmail.com> |
Add ldap_tls_{cert,key,cipher_suite} config options
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com> |
d73fcc5183a676aed4fd040714b87274248b784c |
|
19-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add LDAP expire policy based on RHDS/IPA attribute
The attribute nsAccountLock is used by RHDS, IPA and other directory
servers to indicate that the account is locked. |
22f4c1b86dcf5589e63f2ae043dc65a8f72f6f18 |
|
19-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add LDAP expire policy based on AD attributes
The second bit of userAccountControl is used to determine if the account
is enabled or disabled. accountExpires is checked to see if the account
is expired. |
29993ce4fbdf08f28077f4b6824c8b6b8d616cb8 |
|
17-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add ldap_search_enumeration_timeout config option |
2a2f642aae37e3f41cbbda162a74c2b946a4521f |
|
21-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add authorizedService support
https://fedorahosted.org/sssd/ticket/670 |
8d163c0a088318ed9fc0b22def2649e27992ea53 |
|
07-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Replace krb5_kdcip by krb5_server in LDAP provider |
85abff7f43e8006de2c2fa35612884d377b9a036 |
|
07-Dec-2010 |
Simo Sorce <ssorce@redhat.com> |
ldap: Use USN entries if available.
Otherwise fall back to the default modifyTimestamp indicator |
1d9eec9e868fbc2d996f1030a43675be9a840133 |
|
07-Dec-2010 |
Simo Sorce <ssorce@redhat.com> |
ldap: add checks to determine if USN features are available. |
33b8fa8693df109fb33b6051bb29cb0cf5bc4d19 |
|
06-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add ldap_chpass_uri config option |
32266b2c1c6b8bf95f3ba8fd7f3ff2ef63d8fb9a |
|
06-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add new account expired rule to LDAP access provider
Two new options are added to the LDAP access provider to allow a broader
range of access control rules to be evaluated.
'ldap_access_order' makes it possible to run more than one rule. To keep
compatibility with older versions the default is 'filter'. This patch
adds a new rule 'expire'.
'ldap_account_expire_policy' specifies which LDAP attribute should be
used to determine if an account is expired or not. Currently only
'shadow' is supported which evaluates the ldap_user_shadow_expire
attribute. |
e481c0f0f16bcb787debf05584a0550a7052dda4 |
|
04-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Use (default)namingContext to set empty search bases |
dc6fb2323c964456d4b22597b575e42f1fd79246 |
|
04-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Add defaultNamingContext to RootDSE attributes |
4534c103b193b74452ea81bf12ffaceb1901728a |
|
22-Oct-2010 |
Sumit Bose <sbose@redhat.com> |
Add ldap_deref option |
9932622f615a783f276a83389a37e65ffcdfc5da |
|
18-Oct-2010 |
Simo Sorce <ssorce@redhat.com> |
Add option to limit nested groups |
d9ed57c641b91c9c499a53329d606d5061ed47d1 |
|
13-Oct-2010 |
Sumit Bose <sbose@redhat.com> |
Add infrastructure to LDAP provider for netgroup support |
93109c5f1d85c028ce5cf6e31e2249ca90a7f746 |
|
13-Oct-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Initialize kerberos service for GSSAPI |
6e88b0dcd0352ac1280c1bd8dd0753b90e4014f2 |
|
13-Oct-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Add KDC to the list of LDAP options |
6c188d847dfcd2778d134d5a0f80ecbce53e7b57 |
|
15-Sep-2010 |
Simo Sorce <ssorce@redhat.com> |
Check if control is supported before using it. |
6480abbd1bba71efa8a834fada6505d1767fabfc |
|
15-Sep-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Revert "Make ldap bind asynchronous"
This reverts 56d8d19ac9d857580a233d8264e851883b883c67 |
71af2725e8f96b403af3f4aa140c413f751380c0 |
|
15-Sep-2010 |
Sumit Bose <sbose@redhat.com> |
Store rootdse supported features in sdap_handler |
56d8d19ac9d857580a233d8264e851883b883c67 |
|
02-Sep-2010 |
Martin Nagy <mnagy@redhat.com> |
Make ldap bind asynchronous
Every ldap function that could possibly create a new connection is now
wrapped in a tevent_req. If the connection is created, we will call the
function again after the socket is ready for writing. |
a2cabe1873c4d01c18ef6617b6b1f10a0ce3560e |
|
09-Jul-2010 |
eindenbom <eindenbom@gmail.com> |
GSSAPI ticket expiry time is returned from ldap_child and stored in sdap_handle for future reference. |
242fc5b1eee793e3c2ced43eb845429f1a4599a0 |
|
06-Jun-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix broken build against older versions of OpenLDAP
OpenLDAP < 2.4 used LDAP_OPT_ERROR_STRING. It was changed to
LDAP_OPT_DIAGNOSTIC_MESSAGE in 2.4. This patch will allow the TLS
error messages to be displayed on either version. |
35480afaefafb77b28d35b29039989ab888aafe9 |
|
27-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add ldap_access_filter option
This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.
Common examples of this would be limiting access to users in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com |
ebb6e30d687a4d6626c735234c85cbb5b06a26aa |
|
16-May-2010 |
Sumit Bose <sbose@redhat.com> |
Add ldap_krb5_ticket_lifetime option |
66da80489c0114878043b40592c5f47d41eb0ffd |
|
07-May-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Use service discovery in backends
Integrate the failover improvements with our back ends. The DNS domain
used in the SRV query is always the SSSD domain name.
Please note that this patch changes the default value of ldap_uri from
"ldap://localhost" to "NULL" in order to use service discovery with no
server set. |
6c8223ed11b46e44187b7f2ff201d68393b8c32e |
|
03-May-2010 |
Simo Sorce <ssorce@redhat.com> |
Avoid freeing sdap_handle too early
Prevent freeing the sdap_handle by failing in the destructor if we
are trying to recurse. |
5b680ac8ef46fc1714f2ab59a07f68ac386ad89b |
|
26-Apr-2010 |
Sumit Bose <sbose@redhat.com> |
Make the handling of fd events opaque
Depending on the version of the OpenLDAP libraries we use two different
schemes to find the file descriptor of the connection to the LDAP
server. This patch removes the related ifdefs from the main code and
introduces helper functions which can handle the specific cases. |
dfc511c1226786cebbda35990bb7149dea5577b5 |
|
22-Mar-2010 |
Ralf Haferkamp <rhafer@suse.de> |
Improvements for LDAP Password Policy support
Display warnings about remaining grace logins and password
expiration to the user, when LDAP Password Policies are used.
Improved detection of whether LDAP Password Policies are supported by
the LDAP server. |
af81aaa57f82eab78647113c391bd84247f96150 |
|
23-Feb-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Better cleanup task handling
Implements a different mechanism for cleanup task. Instead of just
deleting expired entries, this patch adds a new option
account_cache_expiration for domains. If an entry is expired and the last
login was more days in the past than account_cache_expiration, the entry is
deleted.
Groups are deleted if they are expired and no user references them
(no user has memberof: attribute pointing at that group).
The parameter account_cache_expiration is not LDAP-specific, so that other
future backends might use the same timeout setting.
Fixes: #391 |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |