LDAP: Augment the sdap_opts structure with a data provider pointer In order to be able to use the Data Provider methods from the SDAP code to e.g. invalidate memcache when needed, add a new field to the sdap_options structure with the data_provider structure pointer. Fill the pointer value for all LDAP-based providers. Related: https://pagure.io/SSSD/sssd/issue/2653 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

AD: do not allocate temporary data on long living context Related to https://pagure.io/SSSD/sssd/issue/3639 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Fix minor spelling mistakes in tests/cmocka/* Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

sysdb: do not use objectClass for users and groups The majority of the object in the SSSD cache are users and groups. If there are many user and groups in the cache the index objects of the objectclass attributes 'user' and 'group' become large because the must hold references to all objects of those object classes. As a result the management of these index objects becomes costly because they must be parsed and split apart quite often. Additionally they are mostly useless because user and groups are lookup up by more specific attributes in general. Only when enumerating all user or groups this kind of index might be useful. There are two way of removing this kind of index from the user and group objects. Either by removing objectClass from the list of indexes and add a new attribute to all other type of object we want and index for. Or by replacing objectClass with a different attribute for the user and group objects. After some testing I think the latter one is the more reliable one and implemented it in this patch. Related to https://pagure.io/SSSD/sssd/issue/3503 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SUBDOMAINS: Configurable search bases Added new trusted domain section in the sssd.conf were the search bases for the trusted domain can be specified. Resolves: https://pagure.io/SSSD/sssd/issue/2599 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

TEST: create_multidom_test_ctx() extending Function create_multidom_test_ctx() prepares test environment for multidomains. This patch enables setting of different params for each domain. Resolves: https://fedorahosted.org/sssd/ticket/3230 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>

tests: add tests for netlogon_get_domain_info Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

DP: rename be_acct_req to dp_id_data Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

AD: use krb5_keytab for subdomain initialization During the initialization of AD subdomains parameters like the SASL auth id are determined. Since subdomains use a default set of the AD specific configuration options the default keytab will be used. If krb5_keytab is set in sssd.conf for the AD domain this keytab should be used for the subdomains (domains of the same AD forest) as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

test_ad_common: Include missing header if building with NSS There was a compile time warning if building with NSS crypto libraries. src/tests/cmocka/test_ad_common.c: In function ‘main’: src/tests/cmocka/test_ad_common.c:873:5: error: implicit declaration of function ‘nspr_nss_cleanu’ [-Werror=implicit-function-declaration] nspr_nss_cleanup(); ^~~~~~~~~~~~~~~~ Reviewed-by: Pavel Reichl <preichl@redhat.com>

AD: process PAC during initgroups request If there is a recently attached PAC blob in the cached user entry the PAC data is used to update the group memberships data of the user. If there is no PAC attached or if it is too old the other configured methods will be used. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

TESTS: global_talloc_context push/pop remove Push/pop global_talloc_context into check_leaks is redudant. It is done in leak_check_setup() and leak_check_teardown() functions in src/tests/check_leaks. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

AD: Remove unused memory context from ad_user_conn_list Reviewed-by: Petr Cech <pcech@redhat.com>

AD: Consolidate connection list construction on ad_common.c Reviewed-by: Sumit Bose <sbose@redhat.com>

AD: Provide common connection list construction functions https://fedorahosted.org/sssd/ticket/2810 Provides a new AD common function ad_ldap_conn_list() that creates a list of AD connection to use along with properties to avoid mistakes when manually constructing these lists. Reviewed-by: Sumit Bose <sbose@redhat.com>

test_ad_common: Use unique directory for keytabs This patch also improved cleanup. The functions test_ad_create_2way_trust_options created keytab which was used by other following tests test_ldap_conn_list, test_conn_list. The keytab was not removed at the end of al tests. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

AD: Add ad_create_1way_trust_options Related: https://fedorahosted.org/sssd/ticket/2638 For one-way trusts we can assume that AD domain is the same as the Kerberis realm. On the other hand, SASL realm and keytab path are specified, unlike two-way trusts that use the system keytab. Includes a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>

IPA/AD: Set up AD domain in ad_create_2way_trust_options Related: https://fedorahosted.org/sssd/ticket/2638 Removed code duplication. Amends unit test to make sure we don't regress. Reviewed-by: Sumit Bose <sbose@redhat.com>

AD: Split off ad_create_default_options Related: https://fedorahosted.org/sssd/ticket/2638 Make the function reusable and add a simple unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>

AD: Rename ad_create_default_options to ad_create_2way_trust_options Related: https://fedorahosted.org/sssd/ticket/2638 Better reflects what's going on in the function. Also adds a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>

AD: Always get domain-specific ID connection ad_get_dom_ldap_conn() assumed that ad_ctx->ldap_ctx always points at the LDAP connection for the primary domain, however it turns out that this is not always the case. It's currently unclear why, but this connection can sometimes be pointing at a subdomain. Since the value of subdom_id_ctx->ldap_ctx always points to the correct domain (including the primary domain case), there's no benefit to trying to shortcut to the ad_ctx->ldap_ctx when performing this lookup. This patch also makes a minor tweak to the tests so that the primary domain passes the sdap_domain_get() check for validity (since it needs to have a private member assigned). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

tests: convert all unit tests to cmocka 1.0 or later All tests now use the cmocka-1.0-compatible API. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

TOOLS: Always debug to stderr https://fedorahosted.org/sssd/ticket/2348 Programs that are supposed to only be executed on the foreground should log to stderr automatically. Reviewed-by: Michal Židek <mzidek@redhat.com>

AD: Enable fallback to LDAP of trusted domain Since we have the LDAP port of a trusted AD GC always available now, we can always perform a fallback.

AD: Add a new option to turn off GC lookups SSSD now defaults to using GC by default. For some environments, for instance those that don't or can't replicate the POSIX attributes to Global Catalog, this might not be desirable. This patch introduces a new option ad_enable_gc, that is enabled by default. Setting this option to false makes the SSSD contact only the LDAP port of AD DCs.

AD: Add a utility function to create list of connections ad_id.c and ad_access.c used the same block of code. With the upcoming option to disable GC lookups, we should unify the code in a function to avoid breaking one of the code paths. The same applies for the LDAP connection to the trusted AD DC. Includes a unit test.