DEBUG: Print simple allow and deny lists For debug purposes, print the simple allow and deny users/groups lists when a sufficient log debug level is set. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Fix minor spelling mistakes in providers/* Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

DP: Remove unused attr_type from struct dp_id_data Structure member attr_type was set to BE_ATTR_CORE on all places and there was a single place src/providers/ldap/ldap_id.c where we checked to other values. It is not used anymore; it's better to remove it. Reviewed-by: Michal Židek <mzidek@redhat.com>

DP: rename be_acct_req to dp_id_data Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

DP: Switch to new interface Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Rename dp_backend.h to backend.h Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

simple-access-provider: make user grp res more robust Not all user groups need to be resolved if group deny list is empty. Resolves: https://fedorahosted.org/sssd/ticket/2519 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

simple-access-provider: break matching allowed users Stop matching username with names in simple_allow_users after positive match. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

simple access provider: non-existing object Resolves: https://fedorahosted.org/sssd/ticket/2519 Not existing user/group in simple_allow_users/simple_allow_groups should not imply access denied. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

UTIL: rename find_subdomain_by_object_name The function was named "find_subdomain" yet it could find both main domain and subdomain. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

UTIL: rename find_subdomain_by_sid The function was named "find_subdomain" yet it could find both main domain and subdomain. sed 's/find_subdomain_by_sid/find_domain_by_sid/' -i `find . -name "*.[ch]"` Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2)

SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 1)

simple provider: obey case sensitivity for subdomain users and groups When comparing username and his groups to access list, we will obey case sensitivity of object from access list. Resolves: https://fedorahosted.org/sssd/ticket/2034

simple provider: support subdomain groups Resolves: https://fedorahosted.org/sssd/ticket/2034

Fix formating of variables with type: gid_t

Fix formating of variables with type: size_t

Convert the simple access check to new error codes https://fedorahosted.org/sssd/ticket/453 It makes sense to keep using the boolean for access granted/denied, but when the user/group is not found, the request would now return ERR_ACCOUNT_UNKNOWN

Fix simple access group control in case-insensitive domains https://fedorahosted.org/sssd/ticket/1713 In the simple access provider, we need to only canonicalize user names when comparing with values in the ACL, not when searching the cache. The sysdb searches might do a base search with a DN constructed with the username which fails if the username is lower case.

Resolve GIDs in the simple access provider Changes the simple access provider's interface to be asynchronous. When the simple access provider encounters a group that has gid, but no meaningful name, it attempts to resolve the name using the be_file_account_request function. Some providers (like the AD provider) might perform initgroups without resolving the group names. In order for the simple access provider to work correctly, we need to resolve the groups before performing the access check. In AD provider, the situation is even more tricky b/c the groups HAVE name, but their name attribute is set to SID and they are set as non-POSIX

Split simple_access_check function out Need to split out the function or new additions to the handler funtion will not allow simple access tests to compile anymore.