NSS: add support for SSS_NSS_EX_FLAG_INVALIDATE_CACHE The patch adds support for the SSS_NSS_EX_FLAG_INVALIDATE_CACHE flag and makes the existing code more flexible and handle additional flags. If SSS_NSS_EX_FLAG_INVALIDATE_CACHE is set the requested object is only looked up in the cache and if it was found on-disk and memory cache entries will be invalidated. Related to https://pagure.io/SSSD/sssd/issue/2478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

NSS: add *_EX version of some requests To be able to send the flags to the SSSD responder new request types with an _EX postfix are added which expect and additional 32bit flag field after the name or the id of the requested object. Related to https://pagure.io/SSSD/sssd/issue/2478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sss_nss_getlistbycert: return results from multiple domains Currently only the results from one domain were returned although all domains were searched and the results were available. Unit tests are updated to cover this case as well. Resolves https://pagure.io/SSSD/sssd/issue/3393 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

nss-idmap: add sss_nss_getlistbycert() This patch adds a getlistbycert() call to libsss_nss_idmap to make it on par with InfoPipe. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

nss: ensure that SSS_NSS_GETNAMEBYCERT only returns a unique match Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

nss: rewrite nss responder so it uses cache_req Given the size of the current nss responder it was quite impossible to simply switch into using the cache_req interface, especially because most of the code was duplication of cache lookups. This patch completely rewrites the responder from scratch. The amount of code was reduced to less than a half lines of code with no code duplication, better documentation and better maintainability and readability. All functionality should be intact. *Code organization* All protocol (parsing input message and send a reply) is placed in nss_protocol.c. Functions that deals with creating a reply packet are placed into their specific nss_protocol_$object.c files. All supported commands are placed into nss_cmd.c. Functions that deals with cache req are in nss_get_object.c and nss_enum.c. *Code flow for non-enumeration* An nss_getby_$input-type is called for each non-enumeration command. This function parses the input message, creates a cache_req_data structure and issues nss_get_object that calls cache_req. When this request is done nss_getby_done make sure a reply is sent to the client. *Comments on enumeration* I made some effort to make sure enumeration shares the same code for users, groups, services and netgroups. Netgroups now uses nss negative cache instead of implementing its own. Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>