History log of /sssd-io/src/responder/nss/nss_cmd.c
Revision Date Author Comments
37a84285aeb497ed4909d16916bbf934af3f68b3 10-Apr-2018 Sumit Bose <sbose@redhat.com>

nss: initialize nss_enum_index in nss_setnetgrent()

setnetgrent() is the first call when looking up a netgroup and sets the netgroup name for upcoming getnetgrent() and endnetgrent() calls. Currently the state is reset by calling endnetgrent() but it would be more robust to unconditionally reset the state in setnetgrent() as well in case calling endnetgrent() was forgotten.

Related to https://pagure.io/SSSD/sssd/issue/3679

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

0e238c259c066cf997aaa940d33d6bda96c15925 27-Nov-2017 Sumit Bose <sbose@redhat.com>

sysdb: do not use objectClass for users and groups

The majority of the objects in the SSSD cache are users and groups. If there are many users and groups in the cache the index objects of the objectclass attributes 'user' and 'group' become large because they must hold references to all objects of those object classes.

As a result the management of these index objects becomes costly because they must be parsed and split apart quite often. Additionally they are mostly useless because users and groups are looked up by more specific attributes in general. Only when enumerating all users or groups this kind of index might be useful.

There are two ways of removing this kind of index from the user and group objects. Either by removing objectClass from the list of indexes and adding a new attribute to all other types of objects we want an index for. Or by replacing objectClass with a different attribute for the user and group objects. After some testing I think the latter one is the more reliable one and implemented it in this patch.

Related to https://pagure.io/SSSD/sssd/issue/3503

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd-io/src/db/sysdb.h
/sssd-io/src/db/sysdb_init.c
/sssd-io/src/db/sysdb_ops.c
/sssd-io/src/db/sysdb_search.c
/sssd-io/src/db/sysdb_upgrade.c
/sssd-io/src/ldb_modules/memberof.c
/sssd-io/src/providers/ad/ad_pac.c
/sssd-io/src/providers/ipa/ipa_id.c
/sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c
/sssd-io/src/providers/ipa/ipa_subdomains_id.c
/sssd-io/src/providers/krb5/krb5_renew_tgt.c
/sssd-io/src/providers/ldap/ldap_id_cleanup.c
/sssd-io/src/providers/ldap/sdap_async_groups.c
/sssd-io/src/providers/ldap/sdap_async_initgroups.c
/sssd-io/src/providers/ldap/sdap_async_initgroups_ad.c
/sssd-io/src/providers/ldap/sdap_async_nested_groups.c
/sssd-io/src/responder/common/cache_req/plugins/cache_req_common.c
/sssd-io/src/responder/ifp/ifp_cache.c
/sssd-io/src/responder/ifp/ifp_groups.c
/sssd-io/src/responder/ifp/ifp_users.c
nss_cmd.c
nss_protocol_grent.c
nss_protocol_sid.c
/sssd-io/src/tests/cmocka/test_ad_common.c
/sssd-io/src/tests/cmocka/test_ipa_subdomains_server.c
/sssd-io/src/tests/sysdb-tests.c
/sssd-io/src/tools/sssctl/sssctl_cache.c

55f7d8034d783c01789d76a2b9ffc901045e8af8 06-Nov-2017 Sumit Bose <sbose@redhat.com>

NSS: add support for SSS_NSS_EX_FLAG_INVALIDATE_CACHE

The patch adds support for the SSS_NSS_EX_FLAG_INVALIDATE_CACHE flag and makes the existing code more flexible and handle additional flags.

If SSS_NSS_EX_FLAG_INVALIDATE_CACHE is set the requested object is only looked up in the cache and if it was found, on-disk and memory cache entries will be invalidated.

Related to https://pagure.io/SSSD/sssd/issue/2478

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ac6b267ff3df6d0417062a128ec16b184ea2c1b7 06-Nov-2017 Sumit Bose <sbose@redhat.com>

NSS: add support for SSS_NSS_EX_FLAG_NO_CACHE

If SSS_NSS_EX_FLAG_NO_CACHE is set the object is refreshed by directly looking it up in the backend.

Related to https://pagure.io/SSSD/sssd/issue/2478

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

cf93f7c2f2031078bbbff095dae01eb4f8deff85 06-Nov-2017 Sumit Bose <sbose@redhat.com>

NSS: add *_EX version of some requests

To be able to send the flags to the SSSD responder new request types with an _EX postfix are added which expect an additional 32bit flag field after the name or the id of the requested object.

Related to https://pagure.io/SSSD/sssd/issue/2478

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

39e300314cb43e534179a6950274e1e9c9a48465 25-Sep-2017 Lukas Slebodnik <lslebodn@redhat.com>

Fix warning declaration of 'index' shadows a global declaration

src/responder/common/cache_req/cache_req.c: In function 'cache_req_add_result':
src/responder/common/cache_req/cache_req.c:587: error: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: error: shadowed declaration is here
src/responder/nss/nss_cmd.c:387: error: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: error: shadowed declaration is here
src/responder/nss/nss_cmd.c: In function 'nss_getent_get_result':
src/responder/nss/nss_cmd.c:433: error: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: error: shadowed declaration is here
src/responder/nss/nss_cmd.c: In function 'nss_endent':
src/responder/nss/nss_cmd.c:671: error: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: error: shadowed declaration is here
src/responder/nss/nss_protocol_netgr.c: In function 'nss_protocol_fill_netgrent':
src/responder/nss/nss_protocol_netgr.c:113: error: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: error: shadowed declaration is here

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

71731d26dc4f2c36989779f327b0e9a399486e14 10-May-2017 Sumit Bose <sbose@redhat.com>

sss_nss_getlistbycert: return results from multiple domains

Currently only the results from one domain were returned although all domains were searched and the results were available. Unit tests are updated to cover this case as well.

Resolves https://pagure.io/SSSD/sssd/issue/3393

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

440797cba931aa491bf418035f55935943e22b4b 23-Mar-2017 Sumit Bose <sbose@redhat.com>

nss-idmap: add sss_nss_getlistbycert()

This patch adds a getlistbycert() call to libsss_nss_idmap to make it on par with InfoPipe.

Related to https://pagure.io/SSSD/sssd/issue/3050

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

7aadfa5454e436e4c36ede00434ff9687a6c48e2 10-Mar-2017 Sumit Bose <sbose@redhat.com>

nss: ensure that SSS_NSS_GETNAMEBYCERT only returns a unique match

Related to https://pagure.io/SSSD/sssd/issue/3050

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

4049b63f8c67ada17b453463b0451ca6be3d5de4 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

nss: rewrite nss responder so it uses cache_req

Given the size of the current nss responder it was quite impossible to simply switch into using the cache_req interface, especially because most of the code was duplication of cache lookups.

This patch completely rewrites the responder from scratch. The amount of code was reduced to less than half the lines of code with no code duplication, better documentation and better maintainability and readability.

All functionality should be intact.

*Code organization*
All protocol (parsing input message and sending a reply) is placed in nss_protocol.c. Functions that deal with creating a reply packet are placed into their specific nss_protocol_$object.c files.

All supported commands are placed into nss_cmd.c. Functions that deal with cache req are in nss_get_object.c and nss_enum.c.

*Code flow for non-enumeration*
An nss_getby_$input-type is called for each non-enumeration command. This function parses the input message, creates a cache_req_data structure and issues nss_get_object that calls cache_req. When this request is done nss_getby_done makes sure a reply is sent to the client.

*Comments on enumeration*
I made some effort to make sure enumeration shares the same code for users, groups, services and netgroups. Netgroups now use nss negative cache instead of implementing its own.

Resolves: https://fedorahosted.org/sssd/ticket/3151

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>