24d8c85fae253f988165c112af208198cf48eef6 |
|
03-Nov-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Augment sysdb_try_to_find_expected_dn to match search base as well
In cases where the domain name in sssd.conf does not match the AD
domain, our previous matching process wouldn't match. This patch
augments the matching as follows:
- the search base is known to sysdb_try_to_find_expected_dn and is
expected to be non-NULL
- the existing matching is run first
- during the search base matching, all the non-DC components are
stripped from the search base to 'canonicalize' the search base
- if only a single entry that matches with a non-DC DN component
(matching with a DC component would mean the DN comes from a
different domain) then this entry is a match and is returned
Resolves:
https://fedorahosted.org/sssd/ticket/3199
Reviewed-by: Sumit Bose <sbose@redhat.com> |
25699846bd1c9f8bb513b6271eb4366ab682fbd2 |
|
31-Oct-2016 |
Sumit Bose <sbose@redhat.com> |
LDAP/AD: resolve domain local groups for remote users
If a user from a trusted domain in the same forest is a direct or
indirect member of domain local groups from the local domain those
memberships must be resolved as well. Since those domain local groups
are not valid in the trusted domain a DC from the trusted domain which
is used to lookup the user data is not aware of them. As a consequence
those memberships must be resolved against a local DC in a second step.
Resolves https://fedorahosted.org/sssd/ticket/3206
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
3dd4c3eca80e9223a65f3318821bd0fb5b45aedd |
|
31-Oct-2016 |
Sumit Bose <sbose@redhat.com> |
sysdb: add parent_dom to sysdb_get_direct_parents()
Currently sysdb_get_direct_parents() only returns direct parents from the
same domain as the child object. In setups with sub-domains this might
not be sufficient. A new option parent_dom is added which allows to
specify a domain the direct parents should be looked up in. If it is
NULL the whole cache is searched.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e9a2e7afbd09c23dd8748246e09831ed7b17d7c5 |
|
22-Sep-2016 |
Thomas Equeter <firstname@lastname.com> |
IFP: expose user and group unique IDs through DBus
This adds a uniqueID property on User and Group InfoPipe objects. It has a
useful value on AD- and IPA-backed domains. For Active Directory, this is the
GUID.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
91767924bdf9b5a28e8902206a40348d6c83a139 |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
NSS: add user email to fill_orig()
The IPA server must send the email address of a user to the clients to
allow login by email.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
78677495a7762469002b0976809fa20ac2196f42 |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
sysdb: include email in UPN searches
Email addresses and Kerberos user principal names (UPNs) do not only
look similar, they can also be used to identify a user uniquely.
In future this approach should be replaced by a more generic one where
the attributes which can uniquely identify a user can be configured to
support an even wider range of login names.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
83a796ec8de4bde65b11cc8032675406950641fa |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
LDAP: new attribute option ldap_user_email
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
1594701fbdc341069e11cff9a85e7a795e52db3d |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
views: properly override group member names
Resolves https://fedorahosted.org/sssd/ticket/2948
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
17bfd9f69251781140e4b2b55ffeb649d7a79e86 |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_get_user_members_recursively()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
d7b3c1d47f6a47c856187f2c52722e29c488d578 |
|
26-Jul-2016 |
Petr Cech <pcech@redhat.com> |
SYSDB: Removing of duplication of sysdb_ts_cache_attrs
Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org> |
20348a30feb4be619b3b691c24c9be8131507c46 |
|
18-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
sysdb: make subdomain calls aware of upn_suffixes
sysdb_subdomain_store() and sysdb_update_subdomains() can now update
upn_suffixes as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
132b31fd5fb74a7627896cdceaf29c7601ed4795 |
|
18-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
sysdb: add UPN suffix support for the master domain
sysdb_master_domain_update() and sysdb_master_domain_add_info() are now
aware of the UPN suffix attribute.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
8531bd4585f9135ffd4cbb9bb4c880dc77b5adc4 |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Upgrade sysdb to use qualified names for users and groups, sudo rules and override objects
Runs a sysdb upgrade that changes objects that represent users, groups,
sudo rules and overrides to the new schema, which uses the fully
qualified names.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
6d66c2c465861ff2558f2574eddf8315628ccc6d |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Allow passing a context to sysdb upgrade functions
We decide on whether to upgrade or not based on a pointer value, not a
boolean. This pointer points to a structure that the upgrade invoker
(typically the monitor) can use to fill auxiliary data the sysdb upgrade
has no means of instantiating.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
ebbeac5c6b8b87ab478ee5a04ec48fbbba0c9efc |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Remove useless parameter from sysdb_init()
The function sysdb_init() is never used to allow upgrade, so the
allow_upgrade parameter was pointless.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
3931c6612fae5ad32ad81a59f77d77c2d896ebe1 |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Add a utility function to return a list of qualified names
Adds a utility function the LDAP provider can use. This is different
from sss_create_internal_fqname_list in the sense that the LDAP provider
passes in the attribute name that contains the name attribute value.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
a257259b05d62ebe548b6c798a3aa03a97dbc0c2 |
|
23-Jun-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: If modifyTimestamp is the same, only update the TS cache
Resolves:
https://fedorahosted.org/sssd/ticket/2602
If the entry being saved contains the original modifyTimestamp attribute
and the modifyTimestamp attribute is the same as the one we already
saved to the timestamp cache, only the expire timestamps in the
asynchronous timestamp cache will be bumped and the sysdb code will
avoid writes to the main cache completely. If the modifyTimestamp is
either missing or differs, we assume the entry had changed and do a full
write to the main cache.
Also amends the generic sysdb_set_attrs* and similar functions so that
their results are also reflected in the timestamps cache.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
dd285415d7a8d8376207960cfa3e977524c3b98c |
|
23-Jun-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Search the timestamp caches in addition to the sysdb cache
When a sysdb entry is searched, the sysdb cache is consulted first
for users or groups. If an entry is found in the sysdb cache, the
attributes from the timestamp cache are merged to return the full and
up-to-date set of attributes.
The merging is done with a single BASE search which is a direct lookup
into the underlying key-value database, so it should be relatively fast.
More complex merging is done only for enumeration by filter which is
currently done only via the IFP back end and should be quite
infrequent, so I hope we can justify a more complex merging there.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
f983b400bf4f6fb14a2174d6f58071e06e9ec832 |
|
23-Jun-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Open a timestamps cache for caching domains
For all domain types, except the local domain, open a connection to a
new ldb file located at /var/lib/sss/db named timestamps_$domain.ldb.
Constructs the ldb file path manually in sysdb_check_upgrade_02() but
that should be acceptable because nobody should be running such an old
cache these days anyway.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
e732d23f3ec986a463d757781a334040e03d1f59 |
|
23-Jun-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL: Add error codes for sysdb too old or too new
We used really strange errno codes for detecting whether the database is
too old or too new. We should use our sssd-specific error codes instead.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
2f90ec2e16f0c14c789d9ed20e008e3103337210 |
|
09-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
sss_override: add certificate support
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
6cb34580ee6e9e2c9190b77b10db8a3c43e3c9c8 |
|
09-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
sysdb: add searches by certificate with overrides
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
6cdeb0923c16e3fafe21aaadca6dac1d71474c31 |
|
09-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_attrs_add_base64_blob()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
d0d7de66c9494621c1bc12384e41e5e38a77fbeb |
|
13-Apr-2016 |
Sumit Bose <sbose@redhat.com> |
PAC: only save PAC blob into the cache
Resolves https://fedorahosted.org/sssd/ticket/2158
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
5ff7a765434ed0b4d37564ade26d7761d06f81c3 |
|
01-Mar-2016 |
Sumit Bose <sbose@redhat.com> |
sdap: improve filtering of multiple results in GC lookups
The Global Catalog of AD contains some information about all users and
groups in an AD forest. Users from different domains in the forest can
have the same name. The most obvious example is the Administrator user
which is present in all domains. Although SSSD uses a domain specific
search base for looking up users in the GC the search might still return
multiple results if there is a user with the same name in one of the
child (or grand-child ...) domains because of the hierarchic nature of
the LDAP tree. Limiting the search depth would not help because users
can be created in deeply nested OUs.
Currently SSSD expects in this case that the user object is stored in
CN=Users or below. This works for all default users like Administrator
but in general users can be created anywhere in the directory tree. If a
user is created outside of CN=Users and there is a user with the same
name in a child domain the initgroups command to look up the
group-memberships of the user fails because it is not clear which of the
two results should be used (initgroups for the child domain user works
fine).
This patch adds an additional scheme to select the right result based on
the domain component attribute name 'dc'. This attribute indicates an
additional component in the domain name and hence a child domain. So as
long as the result contains a dc component following our search base it
cannot be the object we are looking for. This scheme includes the old
CN=Users based one but since it is more expensive I kept the old scheme
which so far worked all the time and only use the new one if the old one
fails.
Resolves https://fedorahosted.org/sssd/ticket/2961
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
659232f194f83ec7c450ce89c3fd41e4e74409f2 |
|
01-Mar-2016 |
Pavel Březina <pbrezina@redhat.com> |
remove user certificate if not found on the server
If the user is not found by cert lookup when the user is already
cached, two things may happen:
1) cert was removed from the user object
2) user was removed
Instead of issuing another cert lookup we will just remove cert
attribute from the cache not touching the expiration timestamp so
the user may be updated later when needed.
Resolves:
https://fedorahosted.org/sssd/ticket/2934
Reviewed-by: Sumit Bose <sbose@redhat.com> |
3cf7fdfcaedb986f42a6640e26aa057007b64045 |
|
24-Feb-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
Add a new option ldap_group_external_member
Required for:
https://fedorahosted.org/sssd/ticket/2522
Reviewed-by: Sumit Bose <sbose@redhat.com> |
68abbe716bed7c8d6790d9bec168ef44469306a1 |
|
19-Jan-2016 |
Pavel Březina <pbrezina@redhat.com> |
SUDO: make sudo sysdb interface more reusable
Reviewed-by: Sumit Bose <sbose@redhat.com> |
aedc71fe8360a51785933523f14bb5c4e7e2c38b |
|
20-Nov-2015 |
Sumit Bose <sbose@redhat.com> |
IPA: fix override with the same name
If the user name of an AD user is overridden with the name itself in an
IPA override object SSSD adds this name twice to the alias list causing
an ldb error when trying to write the user object to the cache. As a
result the user is not available.
This patch makes sure that there are no duplicated alias names.
Resolves https://fedorahosted.org/sssd/ticket/2874
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
28ebfa4373d1e7ce45b5d70a3619df1c074a661e |
|
08-Oct-2015 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: add support for UPN
Reviewed-by: Sumit Bose <sbose@redhat.com> |
b0d6d14b5bcc137074383abcd2bf8039c3d74b02 |
|
03-Sep-2015 |
Michal Židek <mzidek@redhat.com> |
SYSDB: Add function to expire entry
Ticket:
https://fedorahosted.org/sssd/ticket/2676
Added function to expire entry in sysdb using
its DN.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
a8d31510d12af6ee39fb3e1e13f3a4f6bdef33c1 |
|
27-Jul-2015 |
Pavel Březina <pbrezina@redhat.com> |
SYSDB: prepare for LOCAL view
Objects don't have to have overrideDN specified when using LOCAL view.
Since the view is not stored on the server we do not want to contact
LDAP therefore we special case LOCAL view saying that it is OK that
this attribute is missing.
Preparation for:
https://fedorahosted.org/sssd/ticket/2584
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
696c17580b49d6817f1dd33915e0e209dcfe4225 |
|
15-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Add functions to look up multiple entries including name and custom filter
Related:
https://fedorahosted.org/sssd/ticket/2553
Adds new sysdb functions:
- sysdb_enumpwent_filter
- sysdb_enumpwent_filter_with_views
- sysdb_enumgrent_filter
- sysdb_enumgrent_filter_with_views
These are similar to enumeration functions, but optionally allow to
specify a filter to be applied on user/group names. Also an additional
custom filter can be applied.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
32cc237aa0f3c70a4e0bc0491ec0cba0016aaf5a |
|
06-Jul-2015 |
Pavel Reichl <preichl@redhat.com> |
sysdb: new attribute lastOnlineAuthWithCurrentToken
Introduce new user attribute lastOnlineAuthWithCurrentToken.
This attribute behaves similarly to lastOnlineAuth but is set to NULL
after password is changed.
This attribute is needed for use-case when cached authentication is used, to
request online authentication after password is locally changed.
Resolves:
https://fedorahosted.org/sssd/ticket/1807
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
9ac2a33f4cdc4941fa63118dcffe8058854f33c4 |
|
02-Jul-2015 |
Michal Židek <mzidek@redhat.com> |
views: Add is_default_view helper function
Ticket:
https://fedorahosted.org/sssd/ticket/2641
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
7d8b7d82f0a91ed656320577fc781f24a66db9f8 |
|
19-Jun-2015 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_search_user_by_cert() and sysdb_search_object_by_cert()
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
e22e04517b9f9d0c7759dc4768eedfd05908e9b6 |
|
19-Jun-2015 |
Sumit Bose <sbose@redhat.com> |
LDAP: add ldap_user_certificate option
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
d3c82d0170d6d7407549afdadd08aa7e11aeb9a2 |
|
18-Jun-2015 |
Pavel Březina <pbrezina@redhat.com> |
IFP: Implement org.freedesktop.sssd.infopipe.Cache[.Object]
Resolves:
https://fedorahosted.org/sssd/ticket/2338
Example use:
$ dbus-send --print-reply --system \
--dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users \
org.freedesktop.sssd.infopipe.Users.FindByName \
string:admin
object path "/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000"
$ dbus-send --print-reply --system \
--dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users \
org.freedesktop.sssd.infopipe.Cache.List
array [
]
$ dbus-send --print-reply --system \
--dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \
org.freedesktop.sssd.infopipe.Cache.Object.Store
boolean true
$ dbus-send --print-reply --system \
--dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users \
org.freedesktop.sssd.infopipe.Cache.List
array [
object path "/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000"
]
$ dbus-send --print-reply --system \
--dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \
org.freedesktop.sssd.infopipe.Cache.Object.Remove
boolean true
$ dbus-send --print-reply --system \
--dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users \
org.freedesktop.sssd.infopipe.Cache.List
array [
]
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
9af86b9c936d07cff9d0c2054acde908749ea522 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Add realm to sysdb_master_domain_add_info
Adding realm to both master domain and subdomain will make it easier to
set and select forest roots. Even master domains can be forest members,
it's preferable to avoid special-casing as much as possible.
Includes a unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
ea224c3813a537639778f91ac762732b3c289603 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Store trust direction for subdomains
We need to store the subdomain trust direction in order to recover the
structure after SSSD restart.
The trust direction is a plain uint32_t to avoid leaking the knowledge
about AD trust directions to sysdb while at the same time making it easy
to compare values between sysdb and LDAP and avoid translating the
values.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
55b7fdd837a780ab0f71cbfaa2403f4626993922 |
|
08-May-2015 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_cache_password_ex()
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
1d93029624d708119bbf803e6647a2cbb271f001 |
|
20-Mar-2015 |
Sumit Bose <sbose@redhat.com> |
sdap: properly handle binary objectGuid attribute
Although in the initial processing SSSD treats the binary value right, at
some point it mainly assumes that it is a string. Depending on the value
this might end up with the correct binary value stored in the cache but
in most cases there will be only a broken entry in the cache.
This patch converts the binary value into a string representation which
is described in [MS-DTYP] and stores the result in the cache.
Resolves https://fedorahosted.org/sssd/ticket/2588
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
61c8d13e55ebafc28da1b0b5ad9ae578d687e288 |
|
08-Mar-2015 |
Pavel Březina <pbrezina@redhat.com> |
be_refresh: support groups
Resolves:
https://fedorahosted.org/sssd/ticket/2346
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e77d6366ff9e49dbbb607f1709f1ae4190b99489 |
|
08-Mar-2015 |
Pavel Březina <pbrezina@redhat.com> |
be_refresh: support users
Resolves:
https://fedorahosted.org/sssd/ticket/2346
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
108db0e3b9e06e530364ef8228634f5e3f6bd3b5 |
|
30-Jan-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Add UUID when saving incomplete groups
Related to:
https://fedorahosted.org/sssd/ticket/2571
Reviewed-by: Sumit Bose <sbose@redhat.com> |
4f4d35e14b4dc35a8df0ba28d6bd26f9ce75f962 |
|
13-Jan-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Reduce code duplication in sysdb_gpo.c
Two places in sysdb_gpo.c were searching for the GPO result object while
the only difference was the attributes searched for. Remove this
duplication and make the search function static as it's not used outside
the module.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
fbcdc08722aa8ed17c4b114e01fbb37c02cfb2fe |
|
13-Jan-2015 |
Sumit Bose <sbose@redhat.com> |
sysdb: fix group members with overridden names
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4bbcc2d6d3f16b015796818746a45134861c93a4 |
|
17-Dec-2014 |
Pavel Reichl <preichl@redhat.com> |
SYSDB: sysdb_search_object_by_sid returns ENOENT
sysdb_search_object_by_sid returns ENOENT if no results are found.
Part of solution for:
https://fedorahosted.org/sssd/ticket/1991
Fixes:
https://fedorahosted.org/sssd/ticket/2520
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
2d40bf0ad9f03e345228cba4563091c91eb02f5b |
|
13-Dec-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
Skip CHAUTHTOK_PRELIM when using OTPs
https://fedorahosted.org/sssd/ticket/2484
When OTPs are used, we can only use each authtoken at most once. When
it comes to Kerberos password changes, this was only working previously
by accident, because the old authtoken was first used to verify the old
password is valid and not expired and then also to acquire a chpass
principal.
This patch looks at the user object in LDAP to check if the user has any
OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped
completely so that the OTP can be used to acquire the chpass ticket
later.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
6fac5e5f0c54a0f92872ce1450606cfcb577a920 |
|
13-Dec-2014 |
Pavel Reichl <preichl@redhat.com> |
LDAP: retain external members
When processing group membership check sysdb for group members from
extern domain and include them in newly processed group membership as
extern members are currently found only when initgroups() is called.
Resolves:
https://fedorahosted.org/sssd/ticket/2492
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
2fe140d3a41e1ac66400069d35adc9379348c1e5 |
|
25-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_invalidate_overrides()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
fe2ab0d67fe8c66fb6352e9d8f845bb46d1848cb |
|
25-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_delete_view_tree()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
907a7c626db407d19d4cae85c2db7d3561120349 |
|
20-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_search_object_by_uuid()
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
1a9f66352070d71a6b998c5afbc268ba6fddc51c |
|
05-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
sysdb_add_overrides_to_object: add new parameter and multi-value support
With the new parameter an attribute list other than the default one can
be used.
Override attributes with multiple values (e.g. SSH public keys) are now
supported as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
0887c35bdb85adf0a4376dc8963294ea5a9d6da6 |
|
22-Oct-2014 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Allow calling chown on the sysdb file from monitor
Sysdb must be accessible for the nonroot sssd
processes.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
cc5f7592e4d81f3a7336da20fc681b7e52c103b4 |
|
20-Oct-2014 |
Pavel Březina <pbrezina@redhat.com> |
Add sysdb_get_user_attr_with_views
Reviewed-by: Sumit Bose <sbose@redhat.com> |
727d46f4dace666c809310b3f685eef387023f65 |
|
20-Oct-2014 |
Pavel Březina <pbrezina@redhat.com> |
Add sysdb_search_[user|group]_override_attrs_by_name
Reviewed-by: Sumit Bose <sbose@redhat.com> |
4777af0b8f9a3f418a54f0d4bf7eb72b896dabb5 |
|
20-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_enumpw/grent_with_views()
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
d2f4551519698809e73a029c49599e1f67e6bdd4 |
|
20-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_getgrnam_with_views and sysdb_getgrgid_with_views
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
908ee7aa8f046ae7f066d80b787cd380d61af619 |
|
20-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_initgroups_with_views()
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
ba88f3617e5a56bba19a0d65d35069d8e4d0c89c |
|
20-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sss_view_ldb_msg_find_element/attr_as_string/uint64
Override-aware replacements for the corresponding ldb_msg_find_* calls.
First it is checked if an override value is available before the original
value is returned.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
89b065cb85f57e80760ce4d4b1215b533e249e92 |
|
20-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_getpwnam/uid_with_views()
View-aware drop-in replacements for sysdb_getpwnam() and
sysdb_getpwuid().
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
d70023a7fa95c8c12683de965a76ec38a6234ae5 |
|
20-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
sysdb: add override lookup calls
sysdb_search_user_override_by_name() and
sysdb_search_group_override_by_name() search for overrides in the given
view.
sysdb_add_overrides_to_object() adds the data from the override object
to the original object and makes them available for further processing.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
9da27cbc7532f775afc411d809735760dd5294a7 |
|
16-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
sysdb: sysdb_apply_default_override
The default view is special in the sense that it is the baseline for
every other view and that it always applies even if there is no view
defined. To avoid useless additional processing the default view
overrides are written directly to the corresponding cached object.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
8a2a503fa5c01ea037d28b7c902b8821a11084bd |
|
16-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_attrs_add_val_safe() and sysdb_attrs_add_string_safe()
sysdb_attrs_add_val_safe() works like sysdb_attrs_add_val() but checks
if the attribute value to add already exists. In this case the value
list is not changed. This is useful if values are added from different
sources at different times to avoid LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS
errors from ldb_modify() later on.
sysdb_attrs_add_string_safe() does the same for string arguments
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
ca49ae1eee321751681e99f3ebe2547211db3bf6 |
|
16-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_store_override
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
08ab0d4ede41a1749e0bc26f78a37a4d10c20db8 |
|
16-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
IPA: add view support and get view name
Related to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
2ef62c64e7f07c8aced3f72850008ecb72860162 |
|
16-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_update_view_name()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
229c292143dcd4120acb022682b5b7d0aca622dd |
|
14-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
nss: add SSS_NSS_GETORIGBYNAME request
This patch adds a new request to the nss responder which follows the
same flow as a SSS_NSSGETSIDBYNAME request but returns more data than
just the SID. The data is returned as pairs of \0-terminated strings
where the first string is the sysdb attribute name and the second the
corresponding value.
The main use case is on the FreeIPA server to make additional user and
group data available to the extdom plugin which then sends this data to
SSSD running on FreeIPA clients.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
adf9c23d663c308cfeeaa5ad0a33c399c85b27ec |
|
12-Oct-2014 |
Pavel Reichl <preichl@redhat.com> |
NSS: UPN as a template expansion for homedir mappings
Fixes:
https://fedorahosted.org/sssd/ticket/2340
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
d7d3ee1b8ab7a05129c83da8a185351d7c751c1c |
|
06-Oct-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: move sysdb_get_real_name() from sysdb.c to sysdb_search.c
The sysdb.c should be reserved for utility and setup functions. Search
functions belong to sysdb_search.c. Keeping functions in specialized
modules helps to maintain nice dependencies and in overall makes unit
testing easier.
Moreover, the function was not unit tested, which needed fixing.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
4611802d41d8954a3040f39403590adb920ca521 |
|
02-Oct-2014 |
Yassir Elley <yelley@redhat.com> |
AD-GPO resolve conflicting policy settings correctly
Resolves:
https://fedorahosted.org/sssd/ticket/2437
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> |
eb0cde4e6dfdbda08588860534f7ece5776ec3af |
|
08-Sep-2014 |
Yassir Elley <yelley@redhat.com> |
AD-GPO: delete stale GPOs
https://fedorahosted.org/sssd/ticket/2431
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
61602026ed8c91efd166000562899670449f1b50 |
|
05-Sep-2014 |
Pavel Reichl <preichl@redhat.com> |
SYSDB: SSS_LDB_SEARCH - macro around ldb_search
This patch amends previous patch 5153e8b9793dea1e212ca08af0f77ea1d023cbb7.
Macro SSS_LDB_SEARCH is used instead of using function sss_ldb_search as
a wrapper around ldb_search which could lead to premature expansion of
variadic parameters.
Part of solution for:
https://fedorahosted.org/sssd/ticket/1991
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
9bda5ab39fc3429191e2272a8be62e230677ecb1 |
|
13-Aug-2014 |
Yassir Elley <yelley@redhat.com> |
AD-GPO: sysdb_gpo changes for offline gpo support
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ff4b603cc14ea6ea15caaf89a03e927920124af4 |
|
31-Jul-2014 |
Yassir Elley <yelley@redhat.com> |
AD-GPO: add ad_gpo_cache_timeout option
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
64074e584a56611d7563667e0fcdadd215b0c922 |
|
30-Jul-2014 |
Yassir Elley <yelley@redhat.com> |
AD-GPO: add sysdb_gpo support for caching gpo version
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
5153e8b9793dea1e212ca08af0f77ea1d023cbb7 |
|
25-Jun-2014 |
Pavel Reichl <preichl@redhat.com> |
SYSDB: sss_ldb_search - wrapper around ldb_search
Make sure that if no results were found ENOENT is returned rather than just
empty list of results.
Resolves:
https://fedorahosted.org/sssd/ticket/1991
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
7420bdb0b76ab7ba6e20a0e9b080241bd8269e6b |
|
23-Jun-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
SYSDB: Modify declaration of sysdb_search_entry
Type of parameter scope was changed s/int/enum ldb_scope/
This patch fixes warning from static analysers:
src/db/sysdb_ops.c:228: mixed_enum_type: enumerated type mixed with another
type
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
7ecb5aea65cb1899f16e7a41bffa93d074defd4a |
|
20-Jun-2014 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_search_user_by_upn() with tests
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
09579ae252c181c7884defc0612c36108f6cf509 |
|
20-Jun-2014 |
Pavel Reichl <preichl@redhat.com> |
SYSDB: sysdb_search_entry fix memory leak
Allocate res on tmp_ctx instead of on mem_ctx.
Also use '_' prefix convention for output parameters.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> |
21fc2ea7d4a9944582ffd4d11500faf4bddae835 |
|
18-Jun-2014 |
Pavel Reichl <preichl@redhat.com> |
SYSDB: utility call sysdb_attrs_add_lower_case_string
Resolves:
https://fedorahosted.org/sssd/ticket/2056
Reviewed-by: Sumit Bose <sbose@redhat.com> |
cf2cc44d6293165379d6470b8bf6bb6a87d62b31 |
|
14-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: return SYSDB_NAME from sysdb_initgroups
For the GetGroupsList function it would be handy to get the user names as
well with a single sysdb_initgroups() call. This patch adds SYSDB_NAME to
the default attribute list.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
37171a92dc9c5e4fe1a0663901fc965b49a78151 |
|
29-Jan-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
DB: Add sss_ldb_el_to_string_list |
17195241500e46272018d7897d6e87249870caf2 |
|
09-Jan-2014 |
Pavel Reichl <pavel.reichl@redhat.com> |
responder: Set forest attribute in AD domains
Resolves:
https://fedorahosted.org/sssd/ticket/2160 |
fb4435785f92712840efb107700452598371ce77 |
|
19-Dec-2013 |
Sumit Bose <sbose@redhat.com> |
Add sysdb_attrs_get_int32_t |
022456e93c9b175ce3774afe524e3926f41ba80f |
|
19-Dec-2013 |
Sumit Bose <sbose@redhat.com> |
Add new option ldap_group_type |
15a1519ec9c23f598716ffa89e533cd9bfb2a4f3 |
|
19-Dec-2013 |
Sumit Bose <sbose@redhat.com> |
Use lower-case name for case-insensitive searches
The patch makes sure that a completely lower-cased version of a fully
qualified name is used for case insensitive searches. Currently there
are code paths where the domain name was used as configured and was not
lower-cased.
To make sure this patch does not break with old entries in the cache or
case sensitive domains a third template was added to the related filters
templates which is either filled with a completely lower-cased version or
with the old version. The other two template values are unchanged. |
48eb2ca157f7cdc625d0eacdcdc085a3fe1a0fc8 |
|
19-Dec-2013 |
Sumit Bose <sbose@redhat.com> |
Add sysdb_attrs_add_lc_name_alias |
05bbf81c6b7e0c0ddb7a9d1c66ad2e19e9e3b6c9 |
|
27-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
Fix parameter name.
We use '_' as prefix for output parameters. In function
sysdb_get_rdn we wrongly used this prefix for input
parameter, which caused some confusion when reading
the code. |
7789ef33ab4c2745d46aa5c342b1d852a9593223 |
|
27-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
Missing parameter name in declaration. |
e2ac9be4f293b96f3c8992f1171e44bc1da5cfca |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop redundant sysdb_ctx parameter from sysdb.c |
d115f40c7a3999e3cbe705a2ff9cf0fd493f80fb |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2) |
7d056853e4a5fe6daa5743e38d21b4493f4fca27 |
|
15-Nov-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter from the sysdb_idmap module |
4c08db0fb0dda3d27b1184248ca5c800d7ce23f0 |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 1) |
b3292840ebaa747a9fd596ff47cc5d18198361d0 |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter from the sysdb_search module |
8b64ca35eb73667a589067788a6f9fb1f7d281c1 |
|
25-Oct-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Add sysdb_delete_by_sid |
c5711b0279ea85d69fe3c77dfb194360c346e1d7 |
|
27-Sep-2013 |
Sumit Bose <sbose@redhat.com> |
IPA: store forest name for forest member domains
In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of
the forest must be known for a member domain of the forest. |
6ff294ac06863ea76463c3fa3549cc46a60b75ad |
|
26-Sep-2013 |
Pavel Březina <pbrezina@redhat.com> |
sysdb: sysdb_update_members can take either name or dn
We need to work with distinguished names when processing
cross-domain membership, because groups and users may
be stored in different sysdb trees.
Resolves:
https://fedorahosted.org/sssd/ticket/2066 |
764aa04ee92dbbd0d1eca6703294135eb97fda6d |
|
23-Sep-2013 |
Sumit Bose <sbose@redhat.com> |
krb5: save canonical upn to sysdb
If the returned TGT contains a different user principal name (upn) than
used in the request, i.e. the upn was canonicalized, we currently save
it to sysdb into the same attribute where the upn coming from an LDAP
server is stored as well. This means the canonical upn might be
overwritten when the user data is re-read from the LDAP server.
To avoid this, this patch adds a new attribute to sysdb where the
canonical upn is stored and makes sure it is used when available.
Fixes https://fedorahosted.org/sssd/ticket/2060 |
abc398cba9d11d3da047636992ec14c2d4535161 |
|
10-Sep-2013 |
Ondrej Kos <okos@redhat.com> |
DB: Add user/group lookup by SID |
b3458bbb5315b05d7ac1abc58f1c380761756603 |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Store enumerate flag for subdomain |
a4644da8f2bd25621ae159d753ffb66df9594dc8 |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
DB: remove unused realm parameter from sysdb_master_domain_add_info
The parameter was not used at all. |
caee9828ee30609e9f433957dbb3d0163390a207 |
|
28-Aug-2013 |
Sumit Bose <sbose@redhat.com> |
ipa-server-mode: add IPA group memberships to AD users
When IPA trusts an AD domain the AD user or groups can be placed into
IPA groups e.g. to put AD users under the control of HBAC. Since IPA
group can only have members from the IPA directory tree and the AD users
and groups are not stored there a special IPA object called external
group was introduced. SIDs of users and groups can be added to the
external group and since the external groups are in the IPA directory
tree they can be members of IPA groups.
To speed things up and to remove some load from the IPA servers SSSD
reads all external groups and stores them in memory for some time before
rereading the data.
Enhances https://fedorahosted.org/sssd/ticket/1962 |
75dd4b05e1dacc76dc9d5f16be31978f84a71dc5 |
|
19-Aug-2013 |
Sumit Bose <sbose@redhat.com> |
sysdb_add_incomplete_group: store SID string if available
During initgroups request we read the SID of a group from the server but
do not save it to the cache. This patch fixes this and might help to
avoid an additional lookup of the SID later. |
39f13b3bf5b3cf79f5f16575403f03b539300dc7 |
|
19-Aug-2013 |
Sumit Bose <sbose@redhat.com> |
fill_initgr: add original primary GID if available
In some cases when MPG domains are used the information about the
original primary group of a user cannot be determined by looking at
the explicit group memberships. In those cases the GID related to the
original primary group is stored in a special attribute of the user
object.
This patch adds the GID of the original primary group when available and
needed.
Fixes https://fedorahosted.org/sssd/ticket/2027 |
8cdb9b9824d3fcc2448544d67544496f55b8d393 |
|
19-Aug-2013 |
Sumit Bose <sbose@redhat.com> |
sdap_save_user: save original primary GID of subdomain users
If ID mapping is enabled we use magic private groups (MPG) for
subdomains, i.e. the UID and the primary GID of the user will have the
same numerical value. As a consequence the information about the
original primary group might get lost because neither in AD domains nor
on a typical UNIX system the user is an explicit member of its primary
group.
With this patch the mapped GID or the original primary group is saved in
the cached user object under a new attribute.
Fixes https://fedorahosted.org/sssd/ticket/2027 |
09d7c105839bfc7447ea0f766413ed86675ca075 |
|
28-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Save mpg state for subdomains
The information whether a subdomain will use magic private groups (mpg) or
not will be stored together with other information about the domain in
the cache. |
5e60c73cb91d1659755fb5ea829837db68d46163 |
|
28-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Add support for new ipaRangeType attribute
Recent versions of FreeIPA support a range type attribute to allow
different types of ranges for sub/trusted-domains. If the attribute is
available it will be used, if not the right value is determined with the
help of the other idrange attributes.
Fixes https://fedorahosted.org/sssd/ticket/1961 |
3680bb9c72ea5c60e6ac2fd2cf500b801341ca59 |
|
06-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Read SIDs of groups with sysdb_initgroups() as well |
1e72a17f6527d47968032fc928f489dad10705ea |
|
02-May-2013 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_search_object_by_sid()
The patch adds a new sysdb to find objects based on their SID. Currently
only the basic attributes needed to map SIDs to POSIX IDs and names are
requested, but this list can be extended for future use cases. |
2ba16c5a5c4b6d3cd2a44179186ec60eda828bcd |
|
05-Mar-2013 |
Michal Zidek <mzidek@redhat.com> |
Remove the alt_db_path parameter of sysdb_init
This parameter was never used.
https://fedorahosted.org/sssd/ticket/1765 |
956309e24c32cd0886736bf065a27d5bdd200a77 |
|
26-Feb-2013 |
Jan Engelhardt <jengelh@inai.de> |
sysdb: try dealing with binary-content attributes
https://fedorahosted.org/sssd/ticket/1818
I have here a LDAP user entry which has this attribute
loginAllowedTimeMap::
AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA
In the function sysdb_attrs_add_string(), called from
sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is
the wrong thing to do. The result of strlen is then used to populate
the .v_length member of a struct ldb_val - and this will set it to
zero in this case. (There is also the problem that there may not be
a '\0' at all in the blob.)
Subsequently, .v_length being 0 makes ldb_modify(), called from
sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End
result is that users do not get stored in the sysdb, and programs like
`id` or `getent ...` show incomplete information.
The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave
fine, but that may not mean that is the absolute lower boundary of
introduction of the problem. |
bba1a5fd62cffcae076d1351df5a83fbc4a6ec17 |
|
10-Feb-2013 |
Simo Sorce <simo@redhat.com> |
Change the way domains are linked.
- Use a double-linked list for domains and subdomains.
- Never remove a subdomain, simply mark it as disabled if it becomes
unused.
- Rework the way subdomains are refreshed.
Now sysdb_update_subdomains() actually updates the current subdomains
and marks as disabled the ones not found in the sysdb or add new ones
found. It never removes them.
Removal of missing domains from sysdb is deferred to the providers,
which will perform it at refresh time, for the ipa provider that is
done by ipa_subdomains_write_mappings() now.
sysdb_update_subdomains() is then used to update the memory hierarchy
of the subdomains.
- Removes sysdb_get_subdomains()
- Removes copy_subdomain()
- Add sysdb_subdomain_delete() |
95e94691178297f2b8225a83d43ae388cab04b45 |
|
10-Feb-2013 |
Simo Sorce <simo@redhat.com> |
Remove sysdb_subdom completely
struct sss_domain_info is always used to represent domains now.
Adjust tests accordingly. |
1187a07ed4207c1c326fdf83915dddfe472b8620 |
|
10-Feb-2013 |
Simo Sorce <simo@redhat.com> |
Add sysdb_subdomain_store() function
Replaces sysdb_add_subdomain_attributes and is a public sysdb interface. |
3912262270a6449ebe1d3e92c27c217b4044f894 |
|
10-Feb-2013 |
Simo Sorce <simo@redhat.com> |
Refactor sysdb_master_domain_add_info() |
65393a294e635822c1d7a15fe5853dc457ad8a2a |
|
10-Feb-2013 |
Simo Sorce <simo@redhat.com> |
Update main domain info in place |
aab938c5975f0e3b85c7c79a5d718e5fefed7217 |
|
10-Feb-2013 |
Simo Sorce <simo@redhat.com> |
Avoid sysdb_subdom in sysdb_get_subdomains() |
b1ea4ec53e90bd2897abf47e7af02d157d89d7ae |
|
23-Jan-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: make the sss_ldb_modify_permissive function public |
0b7be98ee0f8757428a45b22d1ace937e6bb7799 |
|
16-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Tidy up BASE dn macros |
f91e4aacb78d33791efcd744000597d5254dac4b |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Stop creating fake sysdb contexts
Now that the sysdb context does not contain anymore domain related data
we can simply stop creating fake sysdb contexts and just reference the
parent context. |
0754ff886f909f0404038eb9c99dd61be1acf5b9 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to some subdomain functions |
043bda72889e9ef0c48b80b21c99e9e18c5f49d7 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_get_real_name() |
9a7b6d3248c5aac460e164f2246b26131cfbc055 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_idmap_ functions |
2ca23577d3a25aead24ba759a1f6f67ffc24decf |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_remove_attrs() |
80c6afa474d8a1e0198832bddfe5da75a9818b29 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_has/set_enumerated() |
84c986f9bb2767d8930b6f5d92d34b09b8fabe60 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain arg to sysdb_search/delete_netgroup() |
a58ccee5afc802c7560624929614616aeefa9bd0 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_delete_group()
Also remove sysdb_delete_domgroup() |
2b7ee2a760e7fcc70f4970a3bbee6fbf8f2ccb9d |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_search_groups() |
3412d14d65490c32414e72ac20fe21bad53ceb45 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_delete_user()
Also remove sysdb_delete_domuser() |
044868b388b4e47499f12a9105310b247bbe1ce2 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain arg to sysdb_search_users() |
a703ed242523c145133f522085ee3180452b3743 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_delete_custom |
770896b194b7b66b09c2a30545b4d091fd86b1f4 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_search_custom()
Also changes sysdb_search_custom_by_name() |
dd7192379e5fc5bb852863e60ad4b6a20c5da183 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_store_custom() |
74ac1c2834cd8961ed9e7cadcfe28b113bffe4de |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_cache_auth() |
777f5bc1fb5f2ba4267de83843beee51090eb8d5 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_cache_password() |
363ce75bfe2f73198e1ae7feeed97b6009ae24b8 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain arg to sysdb group member functions |
99c0cfdc5f065ba38f1ee91701d1d27f9e4fdb96 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_store_group()
Also remove sysdb_store_domgroup() |
6ac396bebb4cd3124711d26dce54263f6f9c7c45 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_store_user()
Also remove sysdb_store_domuser() |
b7427d63bd328be32991f9d437c4a3d46bcabe03 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain arguments to sysdb_add_inetgroup fns. |
5c1135221ff3ea9132b6ebf073f2dcae88b73b3f |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain arguments to sysdb_add_group functions. |
7c26e3568d0d789067feef945086dff367408a1c |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_add_user() |
efc81d1b44169206a2e55bb8e900d3859375abe3 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_add_basic_user() |
722c364c39bc0ed81e9577fb522f684c0104e26c |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_get_new_id() |
3187afe4aafa562f2a6747846181ac06d0659dff |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_set_netgroup_attr() |
20d2466dbce2bb950813e3f739bc40b511020efb |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_set_group_attr() |
3f94d6718d44185137e13b6d326dfd63e8dc61c6 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_set_user_attr() |
e6f266656ead48452673389835125db7a1a34baf |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain arg to sysdb_search_netgroup_by_name() |
5d72a91a37273c8c874640906fd2f7a70e606812 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_search_group_by_gid()
Also remove unused sysdb_search_domgroup_by_gid() |
b23539e420b9962ad3bfd8f305b9d5acf47e7efb |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_search_group_by_name()
Also remove unused sysdb_search_domgroup_by_name() |
a5a4e5b4836fdd693bab6e1c7f9d633d1440447d |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_search_user_by_uid()
Also remove unused sysdb_search_domuser_by_uid() |
2ce00e0d3896bb42db169d1e79553a81ca837a22 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_search_user_by_name()
Also remove unused sysdb_search_domuser_by_name() |
5d78919c955c945e78865f322726aac075c71203 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_get_user_attr() |
c3ca06c011a34997cd6ec5d1e5927fee12bf2464 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_initgroups() |
1826891a4869450994ae82adb60215ca564f9f4d |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain option to sysdb_get/netgr/attrs() fns |
a0593a02a5d2c7a8b4dda330a69fb1f10cc12cdb |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Pass domain to sysdb_enum<pw/gr>ent() functions |
2d66c2eee2e4364a52d5436b61759ef990108230 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Pass domain to sysdb_get<pwu/grg>id() functions |
58fd3aa25c5292bc67432647ab7e5059439fcc6d |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Pass domain to sysdb_get<pw/gr>nam() functions
Also allows us to remove sysdb_subdom_get<pw/gr>nam() wrappers and restore
fqnames proper value in subdomains, by testing for a parent domain being
present or not. |
62dbfd0596aa15ddf0d9384f426814edcf627331 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Move range objects into their own top-level tree.
Storing ranges for multiple domains under any specific domain is
somewhat arbitrary and unnecessary.
Put ranges under cn=ranges,cn=sysdb, without involving any specific
domain subtree.
This allows us to avoid using sysdb->domain in ranges functions.
Also storing other subdomains data under the parent domain tree felt
wrong, all other domain specific data is under their own subtree.
Moving this data in its own place seems a better solution. |
9675bccabff4e79d224f64611ad9ff3e073b488e |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Make sysdb_custom_subtree_dn() require a domain. |
de526c8425886ca3bed8f07a0f092ba5ac325654 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Make sysdb_custom_dn() require a domain. |
4b49384056874e7999d8338ce5288f3d5c27a7b8 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Make sysdb_domain_dn() require a domain. |
2ee09a30b020916ee7bf2f61f993ce7844897c1f |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Make sysdb_netgroup_base_dn() require a domain. |
7c974e792beef952ceb19a01775c6d0ee71a1253 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Make sysdb_netgroup_dn() require a domain explicitly. |
52c72ae8587d8d47393a891ccd4ef06bd4bef856 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Make sysdb_group_dn() require a domain explicitly. |
3613cc1eba1337256a2d06ba7a84532156139ccd |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Make sysdb_user_dn() require a domain explicitly. |
1e6f2180724de4722a5218826c9401181168d9d4 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove the sysdb_ctx_get_domain() function.
We are deprecating sysdb->domain so kill the function that gives access to
this member as we should stop relying on it being available (or correct). |
234958be042980242fff6da936af674da877c5ef |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Refactor single domain initialization
Bring it out of sysdb, which will slowly remove internal dependencies on
domains and instead will always require them to be passed by callers. |
72aa8e7b1d234b6b68446d42efa1cff22b70c81b |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Refactor sysdb initialization
Change the way sysdbs are initialized. Make callers responsible for providing
the list of domains.
Remove the returned array of sysdb contexts, it was used only by sss_cache
and not really necessary there either as that tool can easily iterate the
domains.
Make sysdb ctx children of their respective domains.
Neither sysdb context nor domains are ever freed until a program is done so
there shouldn't be any memory hierarchy issue. As a plus we simplify the code by
removing a destructor and a setter function. |
c83e409297711e6012a164cc929c758a3f38e9b9 |
|
10-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Code can only check for cached passwords
Make it clear to the API users that we can not take arbitrary auth tokens.
We can only take a password for now so simplify and clarify the interface. |
849aa25d7511a44e8f755c6f0a79b2746007a539 |
|
08-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove dead netgroup functions |
8338d6727eb33ccdc1c2b77e6b4d38220587b9d2 |
|
08-Jan-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Remove duplicate selinux defines |
5c95a8f77a37cd9ca4e2f6037bebade5284f415c |
|
07-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove redundant definition.
We had 2 defines for the same class.
Consolidate and remove confusion. |
8455d5ab61184e0d126fc074a9ce6e98391eb909 |
|
20-Nov-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Only convert direct parents' ghost attribute to member
https://fedorahosted.org/sssd/ticket/1612
This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.
As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.
The original member attributes are only saved if the LDAP schema
supports nesting. |
8d9e0547a864cee05ab36bc988300c0cfa986025 |
|
19-Nov-2012 |
Simo Sorce <simo@redhat.com> |
Refactor the way subdomain accounts are saved
The original sysdb code had a strong assumption that only users from one
domain are saved in the database, with the subdomain feature, we have
changed reality, but have not adjusted all the code around the sysdb calls
to not rely on the original assumption.
One of the side effects of this incongruence is that currently group
memberships do not return fully qualified names for subdomain users as they
should.
In order to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By saving them fully qualified we do not risk aliasing local users and have
group memberships or other name based matching code mistake a domain user
with subdomain user or vice versa. |
4c9a85ab708ec7debecad51e4240e04d8bc6ca4e |
|
19-Nov-2012 |
Ondrej Kos <okos@redhat.com> |
Display more information on DB version mismatch
https://fedorahosted.org/sssd/ticket/1589
Added check for determining, whether database version is higher or
lower than expected. To distinguish it from other errors it uses
following return values (further used for appropriate error message):
EMEDIUMTYPE for lower version than expected
EUCLEAN for higher version than expected
When SSSD or one of its tools fails on DB version mismatch, new error
message is shown suggesting how to proceed. |
6b216d9bf26e9dc333e2ebd0158a3952f51a08d4 |
|
19-Nov-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Remove unused macros |
6722c85cb59c2d6fc223966c2b83cc3ea0d9aceb |
|
11-Nov-2012 |
Sumit Bose <sbose@redhat.com> |
Add pac_user_get_grp_info() to read current group memberships
To be able to efficiently store group memberships we need to know the
current memberships of a user. sysdb_initgroups() is used to read the
user entry together with all groups the user is a member of. Some of the
group attributes are kept to avoid additional lookups and speed up
further processing.
Currently sysdb_initgroups() does not return the original DN of the
group. Since it is needed to remove memberships later on it is added to
the list of requested attributes |
73550e4cc5abf4c639a65c7c65d68d9dd2ed64f7 |
|
26-Oct-2012 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_base_dn()
Add a help function which returns the ldb_dn object for the base dn of
the cache. |
edd6630a969fcd6ee2f4e69ebf7576926f040e48 |
|
24-Sep-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
DB: Use TALLOC_CTX for talloc context
A couple of sysdb functions used "void *" in place of a TALLOC_CTX. |
95f5e7963a36b7b68859ce91ae4b232088bbaa09 |
|
24-Sep-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Remove unnecessary domain parameter from several sysdb calls
The domain can be read from the sysdb object. Removing the domain string
makes the API more self-contained. |
f17d26a8db285622a5cd5f21c7488b62eedc2cf8 |
|
24-Sep-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: Add entry objects below map objects
https://fedorahosted.org/sssd/ticket/1506
Changes how the new autofs entry objects are handled. Instead of
creating the entry on the cn=autofs,cn=custom level, the entry is
created below the map it belongs to. |
74c85b07831edb520764bfb0f997576ff355c681 |
|
21-Aug-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
SYSDB: Make sysdb_attrs_get_el_int() public
Also rename it to sysdb_attrs_get_el_ext() |
97b0dd25b0b62e57fdb7750b398181f953b2fd37 |
|
07-Aug-2012 |
Pavel Březina <pbrezina@redhat.com> |
Remove redefinition of some SYSDB_* macros |
efea50efda58be66638e5d38c8e57fdf9992f204 |
|
01-Aug-2012 |
Simo Sorce <simo@redhat.com> |
Change refreshing of subdomains
This patch keeps a local copy of the subdomains in the ipa subdomains plugin
context.
This has 2 advantages:
1. allows to check if anything changed w/o always hitting the sysdb.
2. later will allow us to dump this information w/o having to retrieve it
again. The timestamp also allows to avoid refreshing too often. |
204cfc89a076fd32bf34f2abb3f809304aaa88ab |
|
01-Aug-2012 |
Simo Sorce <simo@redhat.com> |
Add realm parameter to subdomain list
This will be used later for setting domain_realm mappings in krb5.conf |
b58460076fe843c11d736ae244c1ac979a6473a4 |
|
01-Aug-2012 |
Simo Sorce <simo@redhat.com> |
Change subdomain_info
Rename the structure to use a standard name prefix so it is properly
name-spaced, in preparation for changing the structure itself. |
1a3e6221b38a7cae27d7e84a30bb8ea3c3900a47 |
|
18-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Modify priority evaluation in SELinux user maps
The functionality now is following:
When rule is being matched, its priority is determined as a combination
of user and host specificity (host taking preference).
After the rule is matched in provider, only its host priority is stored
in sysdb for later usage.
When rules are matched in the responder, their user priority is
determined. After that their host priority is retrieved directly from
sysdb and sum of both priorities is used to determine whether to use
that rule or not. If more rules have the same priority, the order given
in IPA config is used.
https://fedorahosted.org/sssd/ticket/1360
https://fedorahosted.org/sssd/ticket/1395 |
266fd9834133e31c51b9e967307a793e5a49258e |
|
18-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Add function sysdb_attrs_copy_values()
This function copies all values from one sysdb_attrs structure to
another |
386a66b1aa18a176e6a06fa126556c9590c373b6 |
|
21-Jun-2012 |
Sumit Bose <sbose@redhat.com> |
Add support for ID ranges |
84c611c1b7c04cc7735ab54d4e5f48284b79e6fb |
|
10-Jun-2012 |
Jan Zeleny <jzeleny@redhat.com> |
IPA subdomains - ask for information about master domain
The query is performed only if there is missing information in the
cache. That means this should be done only once after restart when cache
doesn't exist. All subsequent requests for subdomains won't include the
request for master domain. |
e4fb78b4507fe0c9ad55a3cff12b67b7b4976580 |
|
31-May-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Ghost members - modifications in sysdb
Deleted sysdb_add_fake_user():
This function is no longer used.
Modified sysdb_add_user():
When user object is added to sysdb, it is important to iterate over all
groups that might have its name or any of its aliases as ghost member
and replace this ghost membership by a real one. This will eliminate
duplicate memberships. |
15c4878ac7830d078ad1a948a08a79e8b93eab3f |
|
31-May-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Ghost members - add the ghost attribute to sysdb |
532eb49e129bedf57cdbd0a66f39ad228b8f2482 |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Map the user's primaryGroupID |
8538f3d5109c548049c344fa042684d9d40f04d6 |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Enable looking up ID-mapped users by name |
817b1bcafff27cc67630dd0cbd36df708c05fccc |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
SYSDB: Add sysdb routines for ID-mapping |
4f07a5ba197b902afd3a785baf6bd9967f50dfd2 |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add objectSID config option |
e76d78338026fa47dca32eaf7f5c15eabb1b951a |
|
24-Apr-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Sysdb routines for subdomains |
2c9d3ca604743df82f2f3a8a05829c2dee3d97d7 |
|
18-Apr-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Removed unused function sysdb_attrs_users_from_ldb_vals() |
9729b24935f9b717234728b2d2cfb4ca49df307b |
|
06-Mar-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Search netgroups by alias, too
https://fedorahosted.org/sssd/ticket/1228 |
b7b50b21d2254a079b1b1c299909483d23db1512 |
|
29-Feb-2012 |
Sumit Bose <sbose@redhat.com> |
Remove sysdb_get_ctx_from_list() |
d2d2d6ae0c436461bcc8f881df059eb036314c44 |
|
29-Feb-2012 |
Sumit Bose <sbose@redhat.com> |
Keep sysdb context in domain info struct |
277a0187190fd417696590b303a5d7a204ed0555 |
|
24-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Delete missing attributes from netgroups to be stored
https://fedorahosted.org/sssd/ticket/1136 |
fdab7bbf8933351f6254438c30ff361cd748b15a |
|
24-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
IPA hosts refactoring |
af5a58fc3811af8521721f731d8234d983042cea |
|
07-Feb-2012 |
Jan Cholasta <jcholast@redhat.com> |
LDAP: Add support for SSH user public keys |
4c11f752e1f10cf5740d53a3206bb795e9e34fe8 |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Added some SELinux-related sysdb routines |
9674f0f018c65a9af6b18dd0a4e515f726803d27 |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Renamed some sysdb constants for their wider usage |
1f1e6cbc59868f06dee3ab4b3df660fcb77ce1c8 |
|
06-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: sysdb interface |
48b6eab1b369107af0d568e016a87637b7affc55 |
|
31-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
SYSDB: Add sysdb_attrs_get_uint16_t |
e299638926171e0e92a36122aeff6611cd52418d |
|
31-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
SYSDB: extend sysdb_store_service() to accept additional attributes |
6961025be43141b1d1ca4a6a046ce8f3ac94f508 |
|
17-Jan-2012 |
Pavel Březina <pbrezina@redhat.com> |
sysdb_get_bool() and sysdb_get_bool() functions |
75a43c7f91fcb27dee75976cc7c094dd5fa589f6 |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Export the function to convert ldb_result to sysdb_attrs
It will be reused later in the sudo responder |
940e033c0c427d02a34347dbd2f4443fa625b111 |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use the case sensitivity flag in the LDAP provider |
a26ea060ec4001daf5614bd9afcc092d29174662 |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
sysdb_get_real_name helper function |
544de543ee88961272e9b9c5baa2c0d296162965 |
|
23-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Added and modified options for IPA netgroups |
684d1b48b5582a1bf7812b8c3c663592dc6dfed9 |
|
13-Oct-2011 |
Pavel Březina <pbrezina@redhat.com> |
SysDB commands that save lastUpdate allow this value to be passed in
https://fedorahosted.org/sssd/ticket/836 |
c98298029c51fdbc727536fec7a27795184d04e4 |
|
28-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Return users and groups based on alias
https://fedorahosted.org/sssd/ticket/926 |
fd61c807554d5a3ff74f065eb0438fe2524f4ba2 |
|
28-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add a sysdb_get_direct_parents function |
920b227ac810f1a1964bbecfdc4d871a1cfd07ac |
|
28-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add sysdb interface to get name aliases |
844015b85bb4e488161ee6c8912f3f4b4c4572c5 |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Remaining memory context variables renamed
memctx to mem_ctx
tmpctx to tmp_ctx |
e79d23932ef9d52cf4eb32ddec2d0a9b3af9a9eb |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
sysdb refactoring: memory context deleted
This patch deletes memory context parameter in those places in sysdb
where it is not necessary. The code using modified functions has been
updated. Tests updated as well. |
8a1738f9379a1b8fb5c95c3df649e014ff5a1434 |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
sysdb refactoring: deleted domain variables in sysdb API
The patch also updates code using modified functions. Tests have also
been adjusted. |
237ade4114ae88f87c814d447dfd5aebdbdf72ef |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Added sysdb_ctx_get_domain function |
82c3185b2ccc1e99ff6c6d63d09754cbd0705e6c |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
sysdb refactoring: renamed ctx variable to sysdb |
ace07a7d75c5a7c3f5613e5349fa8c1ffd05863a |
|
02-Jun-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Non-posix group processing - sysdb changes |
ba33be9b40ecbe6f98a52025348dbcff43273b40 |
|
02-Jun-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Added sysdb_attrs_get_bool() function |
77bc3d93ddd41edee6046508884d7e95553ed5b7 |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Change sysdb_add_fake_user to add OriginalDN
RFC2307bis code relies heavily on originalDN, so the fake users need to
have an option to store it, too. |
f62b9b41b0a29a0294d6e532e2bed2b4ce9012e4 |
|
04-May-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Add a function for searching netgroups with custom filter |
9dfa22c3925792204b22962851dd44175e1b5735 |
|
04-May-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Make sysdb_ctx_list public structure
Also create a routine to initialize it |
3612c73e7957721bcbf31d0118e2ac210eb46b88 |
|
24-Mar-2011 |
Pierre Ossman <pierre@ossman.eu> |
Add host access control support
https://fedorahosted.org/sssd/ticket/746 |
24be43b38dc62de571636f04632f00f699112440 |
|
23-Mar-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add sysdb_attrs_primary_name_list() routine
This routine will replace the use of sysdb_attrs_to_list() for any
case where we're trying to get the name of the entry. It's a
necessary precaution in case the name is multi-valued. |
278e1768a158a73b7769bcfe17035a17e2b81f70 |
|
23-Mar-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add originalDN to fake groups |
d86c2d2995933d61fc3c63f74ec260b5c8c75bf9 |
|
23-Mar-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add sysdb_attrs_primary_name()
This function will check a sysdb_attrs struct for the primary name
of the entity it represents. If there are multiple entries, it
will pick the one that matches the RDN. If none match, it will
throw an error. |
42d8e67c26df2b7660507d26b9a50911bdd3cf18 |
|
23-Mar-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Create sysdb_get_rdn() function
This function takes a DN formatted string and returns the RDN
value from it. |
c6257286e9a31dfd42d28c99a22a69e2c4717a61 |
|
21-Jan-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Delete attributes that are removed from LDAP
Sometimes, a value in LDAP will cease to exist (the classic
example being shadowExpire). We need to make sure we purge that
value from SSSD's sysdb as well.
https://fedorahosted.org/sssd/ticket/750 |
2a2f642aae37e3f41cbbda162a74c2b946a4521f |
|
21-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add authorizedService support
https://fedorahosted.org/sssd/ticket/670 |
84bb9ec1bba8e60d1d87febd48749edd18e16787 |
|
20-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add sysdb_has_enumerated and sysdb_set_enumerated helper functions
Includes a unit test |
f8a60e728780a8230ed4fa9c5350fa94534f0543 |
|
15-Nov-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix const cast issue with sysdb_attrs_users_from_str_list |
3fa7380908997eda5e45c5f4d6b512a954d3bc3c |
|
15-Nov-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix const cast warning for sysdb_update_members |
aef2ac961abfe73c799354f5cfa0331ab44ac765 |
|
15-Nov-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add sysdb utility function for sanitizing DN |
580374daba2ab2c6075a7d0de9512abff133e2e9 |
|
26-Oct-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Always use uint32_t for UID/GID numbers |
8059574092a96396dea64dae13696a7f95b423b1 |
|
18-Oct-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Modify sysdb_[add|remove]_group_member to accept users and groups
Previously, it assumed that all members were users. This changes
the interface so that either a user or a group can be specified.
Also, it eliminates the need for a memory context to be passed,
since the internal memory should be self-contained. |
c1d525a90f06a9414d0788857b271b80625a5858 |
|
15-Oct-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
sysdb interface for adding fake users |
7e15d2ed3c01ab3c1f5f882fe8fa974058097bc6 |
|
15-Oct-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
sysdb interface for adding incomplete groups
Useful for optimizing the initgroups operation. |
8c08a5e11f19cfe39695ee80793b72e2034c5aa4 |
|
15-Oct-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Add sysdb_attrs_get_ulong utility function |
619bd403265ce0880989ba6f8324b010949851bc |
|
13-Oct-2010 |
Sumit Bose <sbose@redhat.com> |
Implement netgroup support for LDAP provider |
8c64b46e923ec590984325beedb29fcd09aac0e4 |
|
13-Oct-2010 |
Sumit Bose <sbose@redhat.com> |
Also return member groups to the client |
517b5d79dd38b20f9e03dd0bd8bdc0f0a6f67198 |
|
13-Oct-2010 |
Sumit Bose <sbose@redhat.com> |
Add sysdb_netgroup_base_dn() |
1a3c4b9f378e3b04161e4f35b2efa5fae3d56a7b |
|
13-Oct-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Netgroups sysdb API |
b0f08fe9d94f5bc6ec0c749f2b78d3f0d95cf5af |
|
15-Sep-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Define objectclass with a constant
Use a #define instead of hardcoded string |
d59e1d2397c92a2c9f43eb310d99d81cc835b37e |
|
03-Aug-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add sysdb_update_members function
This function will take a user, a list of groups that this user
should be added to and a list of groups the user should be removed
from and will recursively call sysdb_[add|remove]_group_member
Includes a unit test |
0228e28a3f07b5dc909cdc154dc89c4952f09280 |
|
03-Aug-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add sysdb_group_dn_name utility function |
0286d59c82657abe96ccaa3eebea7240ac30ca81 |
|
03-Aug-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add sysdb_attrs_to_list() utility function |
5fad9a3d700ba24783e66c6941f68f84459b4d61 |
|
02-Jun-2010 |
Sumit Bose <sbose@redhat.com> |
Add sysdb_attrs_get_string_array() |
35480afaefafb77b28d35b29039989ab888aafe9 |
|
27-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add ldap_access_filter option
This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.
Common examples for this would be limiting access to users in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com |
02e38eae1b9cb5df2036a707dafd86f6047c17de |
|
26-May-2010 |
Sumit Bose <sbose@redhat.com> |
Add support for delayed kinit if offline
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used. |
9db5a5140356479a58f2e7212fc5c4ad6135bb7f |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: Finally stop using a common event context
This commit completes the migration to a synchronous sysdb |
e5e32021c23f3726d68ee756e8e3de48b3214063 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: remove remaining traces of sysdb_handle |
aacf8781c61e928c74fcc89f02225374b283b872 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: remove obsolete helpers from sysdb |
aafa0393524bacc5ba48e79ab536f9deb3972e38 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_initgroups |
88e7576d8bf00bfd0eaed8731b7eee1d6b6e05a1 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_enumgrent |
fa362558a3f89644dab60debfbc423fe31a39f00 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_enumpwent |
08d9d10747da6900971cdd8fced05ca66f5111e2 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_get_user_attr |
ac660a221255b761615f6ecdb63b92a6391a58a2 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_getgrgid |
25465215742b9c78566d44cd06a886c4a4e43ffa |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_getgrnam |
a298e5b4050a69238593017ccc774336eb332e16 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_getpwuid |
7ffaa2afb9e03a6f0b9c602c0f03b2074ea33eac |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_getpwnam |
7db27a6090eafc8a4f76d25c464d1341b8dc5b8a |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: remove async transactions
not used anymore |
cc14edade621572cf4457d55d5b989029c5131ee |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: add synchronous transaction functions |
c38706faa07a380c542cd1bda3ee54edfaf275d4 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_cache_auth |
8a6449480e4be898248c1d35bbf5c24d91503e4e |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_search_groups |
3b3dc1a8ad19100951d19abe4038791f01faa0b7 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: delete sysdb_delete_group |
ed80c73efa51780a39dfc9c72821cf88e95d264c |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_delete_user |
16ef1ec0d10d24703351d02bbd7d0c2255da4359 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_search_users |
4c898e1bb31ccf2af4039a7c3c5fcd82fb5667ed |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_asq_search |
a137f77b4ddff7f0651ffda710cec1f01618d7a9 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_store_custom |
9def019030f844e429c067c7cca27ff99c921527 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_search_custom |
bb0b6b4e39242577f60729fbcbd9e46e7a7af30d |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_cache_password |
02a9d8a40dc3a5fd671ede0e4fa7dac5178fbc75 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_mod/add/remove_group_member |
ace612f5998f619ba41828d2ba4b80d02a965162 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_store/add(_basic)_group |
a6ecb562529430be5a4cd6e8cdd541a383c9a2e1 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_store/add(_basic)_user |
c4a8b4169eea9661156d78dfe73a723fc5b61697 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_get_new_id |
506d34d2e84268c6589f613de0cb3992b8fb87a6 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_set_entry/user/group_attr |
5c69fd7c03e762a6fb08a7224eb1d6fd2967d09c |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_search_group_by_name/gid |
1c733ece101ca43b84c59a8dc7953346312dbf64 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_search_user_by_name/uid |
0995e4cc173577122bea5a1d4698262fd0e9c200 |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_search_entry and sysdb_delete_recursive |
79c090e8c25ac13454b9f12f4d6dc635029a0c9d |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: convert sysdb_delete_custom |
cae9c9fbdebc3f6a4c390a20e75447217439dff7 |
|
12-Apr-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
sysdb: convert sysdb_delete_entry |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |