db36dca3d45e6eefbb30042ee65876566f1a6014 |
|
23-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
certmap: add new library libsss_certmap
With this library it would be possible to map certificates and users not
only by adding the full certificate to the user's LDAP object but by
adding e.g. only parts like the issuer and subject name. Additionally
the library is also able to flexibly select/match certificates based on
values in the certificate.
Details about mapping and matching rules can be found in the included
man page.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
c71e0a6710418991d759a329b8dcb77c7ad3e16e |
|
15-Feb-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
FILES: Add the files provider
Adds a new provider type "files". The provider watches the UNIX password
and group databases for changes using inotify and propagates its
contents to the sysdb.
The files provider is only built on platforms that support the inotify
interface; polling or loading the entries on-demand is not supported.
During initialization, the files are loaded from the environment
variables SSS_FILES_PASSWD and SSS_FILES_GROUP, defaulting to
/etc/passwd and /etc/group respectively. Loading the files from
environment variables is mostly implemented for tests that need to load
nss_wrapped files.
The files provider is a bit different from other provider types in the
sense that it always enumerates full contents of the database.
Therefore, the requests from Data Provider are always just replied to
with success. Enumerating the contents is done in full at the moment,
all users and all groups are removed and added anew. Modifying the
passwd and group databases should be rare enough for this to be
justified and we can optimize the code later.
Since with large databases, the cache update might take a bit of time,
we signal the responders to disable the files domain once we receive the
inotify notification and re-enable the files domain after the update is
finished. The idea is that the NSS configuration would still contain
"files" after "sss" so that if the domain is disabled, libc would fall
back to a direct "files" lookup.
Resolves:
https://fedorahosted.org/sssd/ticket/3262
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
99b2352f909c548811617389641a9ccc3e17bc53 |
|
24-Nov-2016 |
Fabiano Fidêncio <fidencio@redhat.com> |
BUILD: Drop libsss_config
libsss_config has been used only by OpenLMI and the project has been
deprecated, so it makes no sense to keep the support in SSSD.
Distros that, for some reason, are still packing and distributing
OpenLMI can stick to SSSD 1.14 branch.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
c7b3c43cf669e39f7ce5f4ef1a2e939b31a8b7b9 |
|
25-Oct-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
dlopen-test: Add check for untested libraries
Reviewed-by: Petr Čech <pcech@redhat.com> |
d708e53d0df0c1ed4cc0097bebfa2a84d7b20fad |
|
25-Oct-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
dlopen-test: Move libraries to the right "sections"
The library winbind_idmap_sss.so is built only when building
with samba. The library libdlopen_test_providers.so was moved
to the group of libraries built for testing purposes.
Reviewed-by: Petr Čech <pcech@redhat.com> |
558b8f3cd2439c01e139cf5f812aea9409fe776a |
|
25-Oct-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
dlopen-test: Add missing libraries to the check list
nfsidmap plugin (sss.so) and libsss_cert.so were not checked.
A few libraries which are built for testing purposes were added to the list;
otherwise we would not be able to detect unchecked libraries.
Reviewed-by: Petr Čech <pcech@redhat.com> |
bacc66dc6f446d47be18b61d569721481d70386b |
|
25-Oct-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
dlopen-test: Use portable macro for location of .libs
Reviewed-by: Petr Čech <pcech@redhat.com> |
8a681cc41672afd1532b4a0c7e9da3a4eb2014a7 |
|
17-Oct-2016 |
Fabiano Fidêncio <fidencio@redhat.com> |
TESTS: Fix check for py bindings in dlopen tests
The current code checks only for "HAVE_PYTHON_BINDINGS", which is not
even a valid check. Let's do the proper check according to the python
version (HAVE_PYTHON2_BINDINGS or HAVE_PYTHON3_BINDINGS).
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
1d1a0a019d8d4d9ab0f51ada03604cd2cada287e |
|
21-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
Add winbind idmap plugin
With this plugin winbind can use the same id-mapping as SSSD which makes
it possible to run both together in a consistent way.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
889706cbc739358c2a0aac2ba6bc054fdc8e048b |
|
25-Feb-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
SPEC: Build python3 bindings on available platforms
Resolves:
https://fedorahosted.org/sssd/ticket/2574
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> |
5a05b6127064c74349f1edae32e5e13032c386fe |
|
08-Dec-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
UTIL: Fix dependencies of internal sss libraries
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
42ec8af02ecf1937e4db9b1ecc6216022634f0f9 |
|
20-Oct-2014 |
Michal Zidek <mzidek@redhat.com> |
util: Move semanage related functions to src/util
These functions will be reused by IPA provider.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
25cd72fd477acaecbb827b68f0a425ccb79c184c |
|
08-Sep-2014 |
Sumit Bose <sbose@redhat.com> |
dlopen test: only test libwbclient when it is build
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
8a5e793a0576250da80371e53aa3e7eba15cdb63 |
|
02-Sep-2014 |
Sumit Bose <sbose@redhat.com> |
Add conditional build for MIT Kerberos localauth plugin
This patch adds everything that is needed to build the MIT Kerberos
localauth plugin if the used version of MIT Kerberos supports it. It
does not implement the plugin.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
885386b7e3f1c3e74b354576b98a092b0835d64e |
|
21-Aug-2014 |
Sumit Bose <sbose@redhat.com> |
libwbclient: SSSD implementation
This patch implements the libwbclient API for Samba daemons and
utilities. The main purpose is to map Active Directory users and groups
identified by their SID to POSIX users and groups identified by their
POSIX UIDs and GIDs respectively.
The API is not fully implemented because SSSD does not support some AD
features like WINS or NTLM. Additionally this implementation has its
focus on the file-server use case and hence does not implement some
features which might be needed for a domain controller use case.
Some API calls are generic and independent of the backend like e.g.
converting binary SIDs and GUIDs into a string representation and back
or memory allocation and deallocation. These parts are taken from the
original Samba sources together with copyright and authors. Files
with '_sssd' as part of the name contain the SSSD related calls.
Resolves: https://fedorahosted.org/sssd/ticket/1588
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
7a6a7db9a535d6cceb61c080594c67feccbcea12 |
|
29-May-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
TEST: Add libsss_simpleifp.so to dlopen test
Reviewed-by: Sumit Bose <sbose@redhat.com> |
a2e417f38c57ed87c956ddcecf4dafca93842b65 |
|
16-May-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
BUILD: Make samba4 libraries optional
Samba 4 libraries are necessary for building {ad, ipa} provider,
but samba4 needn't be available on older distributions.
This patch adds the possibility to build SSSD without {ad, ipa} provider
and thus without Samba 4 libraries.
The configure script has a new argument --with-samba with default value yes.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
3fc158e59eebbc2f538fe0076a03928d0d4eab9f |
|
14-May-2014 |
Pavel Březina <pbrezina@redhat.com> |
sss_config: build
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
a25942bc2f6ac9b3b2817ede35fa2b445373c6e4 |
|
16-Apr-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
TEST: Add untested libraries into dlopen test
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
569bbc59e4060160a986d0fea31601a7b7d998fe |
|
17-Oct-2013 |
Benjamin Franzke <benjaminfranzke@googlemail.com> |
dlopen-tests: Check the result of asprintf
According to asprintf(3) the content of errmsg is undefined
on error, let's set it to NULL. |
af4ffe1001adcc0a96897e426d26444f07af9aa1 |
|
15-Oct-2013 |
Benjamin Franzke <benjaminfranzke@googlemail.com> |
Add CIFS idmap plugin
https://fedorahosted.org/sssd/ticket/1534 |
36ccdecd053a9ad88dce86b8c84770dc2aa11d21 |
|
09-Sep-2013 |
Simo Sorce <simo@redhat.com> |
tests: Add dlopen test to make sure modules works
This test dlopens and resolves all symbols to make sure there are no missing
symbols in our provider modules. |