History log of /sssd/src/providers/ad/ad_common.c
Revision Date Author Comments
e915f42093add45a11208e871c9abdf7ab2bfbdc 16-Aug-2016 Justin Stephenson <jstephen@redhat.com>

Warn if IP address is used as option for ipa_server/ad_server GSSAPI is dependent on DNS with hostnames and we should warn about this. Resolves: https://fedorahosted.org/sssd/ticket/2789 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

892ddeb5190dd5c1ffa26a95142a10a0034fc5e3 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

Rename dp_dyndns.h to be_dyndns.h Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

cc4caf88344210ea9777d618f0f71935ca5e7f8b 09-Jun-2016 Sumit Bose <sbose@redhat.com>

AD: use krb5_keytab for subdomain initialization During the initialization of AD subdomains parameters like the SASL auth id are determined. Since subdomains use a default set of the AD specific configuration options the default keytab will be used. If krb5_keytab is set in sssd.conf for the AD domain this keytab should be used for the subdomains (domains of the same AD forest) as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

03b859510dc13a13a456ca4aa94c0561a0e9684c 26-Nov-2015 Jakub Hrozek <jhrozek@redhat.com>

AD: Add autofs provider https://fedorahosted.org/sssd/ticket/1632 Adds the possibility to configure: autofs_provider = ad The AD autofs provider uses the rfc2307 (nis*) attribute maps. This is different (at the moment) from using autofs_provider=ldap with ldap_schema=ad. Reviewed-by: Ondrej Valousek <ondrejv2@fedoraproject.org> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

499b60f44ecf7124e1906157bd4fca141f48e8d9 12-Nov-2015 Pavel Březina <pbrezina@redhat.com>

AD: remove annoying debug message This debug message is mostly a left over from development and doesn't give us any useful information. It is just annoying in the logs. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a3ade2e98d397d000f224ae80c6512c959cca18e 11-Nov-2015 Lukas Slebodnik <lslebodn@redhat.com>

AD: Remove unused memory context from ad_user_conn_list Reviewed-by: Petr Cech <pcech@redhat.com>

afb21fd06690a0bec288a7970abf74ed2ea7dfdc 07-Oct-2015 Jakub Hrozek <jhrozek@redhat.com>

AD: Consolidate connection list construction on ad_common.c Reviewed-by: Sumit Bose <sbose@redhat.com>

309aa83d16b5919f727af04850bcd0799ba0962f 07-Oct-2015 Jakub Hrozek <jhrozek@redhat.com>

AD: Provide common connection list construction functions https://fedorahosted.org/sssd/ticket/2810 Provides a new AD common function ad_ldap_conn_list() that creates a list of AD connections to use along with properties to avoid mistakes when manually constructing these lists. Reviewed-by: Sumit Bose <sbose@redhat.com>

12440d2acbeb7ea6e5c0e4182d00377c8d01185b 02-Oct-2015 Pavel Reichl <preichl@redhat.com>

AD: fix minor memory leak Reviewed-by: Pavel Březina <pbrezina@redhat.com>

30dd3f3e063dded0ec9f58bc2535a94727d8e96d 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

AD: Add ad_create_1way_trust_options Related: https://fedorahosted.org/sssd/ticket/2638 For one-way trusts we can assume that AD domain is the same as the Kerberos realm. On the other hand, SASL realm and keytab path are specified, unlike two-way trusts that use the system keytab. Includes a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>

de2bad8ae08f09964834bda0f88db9de39f47c5c 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA/AD: Set up AD domain in ad_create_2way_trust_options Related: https://fedorahosted.org/sssd/ticket/2638 Removed code duplication. Amends unit test to make sure we don't regress. Reviewed-by: Sumit Bose <sbose@redhat.com>

933314e53fac878d1a9b126af216454172cb945a 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

AD: Split off ad_create_default_options Related: https://fedorahosted.org/sssd/ticket/2638 Make the function reusable and add a simple unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>

51b5e1475b3e0b7acac34ed382cfaca8411883a4 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

AD: Rename ad_create_default_options to ad_create_2way_trust_options Related: https://fedorahosted.org/sssd/ticket/2638 Better reflects what's going on in the function. Also adds a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>

44ba573582072823d8760d0f18e5b3195cecc182 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

AD: Rename ad_set_ad_id_options to ad_set_sdap_options Related: https://fedorahosted.org/sssd/ticket/2638 The function sets SDAP related options based on the AD ID context options. The name should reflect what the function does. Reviewed-by: Sumit Bose <sbose@redhat.com>

e2bd4f8a41b72aea0712ad21ad02ccebb707f536 15-Apr-2015 Stephen Gallagher <sgallagh@redhat.com>

AD: Always get domain-specific ID connection ad_get_dom_ldap_conn() assumed that ad_ctx->ldap_ctx always points at the LDAP connection for the primary domain, however it turns out that this is not always the case. It's currently unclear why, but this connection can sometimes be pointing at a subdomain. Since the value of subdom_id_ctx->ldap_ctx always points to the correct domain (including the primary domain case), there's no benefit to trying to shortcut to the ad_ctx->ldap_ctx when performing this lookup. This patch also makes a minor tweak to the tests so that the primary domain passes the sdap_domain_get() check for validity (since it needs to have a private member assigned). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 17-Mar-2015 Lukas Slebodnik <lslebodn@redhat.com>

Add missing new lines to debug messages Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd/src/confdb/confdb_setup.c /sssd/src/db/sysdb_autofs.c /sssd/src/db/sysdb_sudo.c /sssd/src/db/sysdb_views.c /sssd/src/monitor/monitor.c /sssd/src/monitor/monitor_netlink.c ad_common.c ad_init.c ad_subdomains.c /sssd/src/providers/data_provider_be.c /sssd/src/providers/dp_dyndns.c /sssd/src/providers/dp_ptask.c /sssd/src/providers/ipa/ipa_access.c /sssd/src/providers/ipa/ipa_hbac_rules.c /sssd/src/providers/ipa/ipa_hostid.c /sssd/src/providers/ipa/ipa_selinux.c /sssd/src/providers/ipa/ipa_subdomains.c /sssd/src/providers/krb5/krb5_child.c /sssd/src/providers/krb5/krb5_wait_queue.c /sssd/src/providers/ldap/ldap_id.c /sssd/src/providers/ldap/sdap.c /sssd/src/providers/ldap/sdap_async.c /sssd/src/providers/ldap/sdap_async_connection.c /sssd/src/providers/ldap/sdap_async_initgroups.c /sssd/src/providers/ldap/sdap_utils.c /sssd/src/responder/autofs/autofssrv_cmd.c /sssd/src/responder/common/responder_dp.c /sssd/src/responder/nss/nsssrv_cmd.c /sssd/src/responder/nss/nsssrv_netgroup.c /sssd/src/responder/pac/pacsrv_cmd.c /sssd/src/responder/pac/pacsrv_utils.c /sssd/src/responder/pam/pamsrv.c /sssd/src/responder/sudo/sudosrv_get_sudorules.c /sssd/src/responder/sudo/sudosrv_query.c /sssd/src/sbus/sssd_dbus_server.c /sssd/src/tests/krb5_child-test.c /sssd/src/tools/files.c /sssd/src/tools/sss_sync_ops.c /sssd/src/util/debug.c /sssd/src/util/domain_info_utils.c /sssd/src/util/find_uid.c /sssd/src/util/server.c /sssd/src/util/sss_ini.c /sssd/src/util/sss_krb5.c /sssd/src/util/sss_semanage.c /sssd/src/util/usertools.c
5b4c6f22cb576a11037c7fa940fe0ba09e643e77 28-Nov-2014 Michal Zidek <mzidek@redhat.com>

AD: Never store case_sensitive as "true" to confdb If case_sensitive was set 'true' for AD backend, we ignore it and continue with AD default (false). However we still set confdb to whatever was set in sssd.conf for the responders. We should store to confdb the value that is used by the backend. Also fixes some misleading DEBUG messages in that code area. Reviewed-by: Pavel Reichl <preichl@redhat.com>

ff22e829fd73fc53027d1e6ca005a9ac334086dd 29-Jul-2014 Michal Zidek <mzidek@redhat.com>

case_sensitivity = preserving If case_sensitivity is set to 'preserving', getXXnam returns name attribute in the same format as stored in LDAP. Fixes: https://fedorahosted.org/sssd/ticket/2367 Reviewed-by: Pavel Reichl <preichl@redhat.com>

35d420c5d4609b6e999920e38a9b2ec40a0e1ac4 22-May-2014 Jakub Hrozek <jhrozek@redhat.com>

AD: Initialize user_map_cnt in server mode user_map_cnt was initialized when all the traditional back ends are initialized. However, for the server mode, we simply copy the defaults and the count was left zeroed, which led to crashes. Down the road, we should consider tying the map and the attribute count together (see ticket #2336) Reviewed-by: Pavel Reichl <preichl@redhat.com>

d2969c6b23c722445bd699c830adb7601ba1cdc6 02-May-2014 Sumit Bose <sbose@redhat.com>

Make LDAP extra attributes available to IPA and AD https://fedorahosted.org/sssd/ticket/2073 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

4dd38025efda88f123eac672f87d3cda12f050c8 02-May-2014 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Make it possible to extend an attribute map https://fedorahosted.org/sssd/ticket/2073 This commit adds a new option ldap_user_extra_attrs that is unset by default. When set, the option contains a list of LDAP attributes the LDAP provider would download and store in addition to the usual set. The list can either contain LDAP attribute names only, or colon-separated tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP attribute name is specified, the attribute is saved to the cache verbatim. Using a custom SSSD attribute name might be required by environments that configure several SSSD domains with different LDAP schemas. Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

/sssd/src/config/SSSDConfig/__init__.py.in /sssd/src/config/etc/sssd.api.d/sssd-ldap.conf /sssd/src/man/sssd-ldap.5.xml ad_common.c ad_opts.h /sssd/src/providers/ipa/ipa_common.c /sssd/src/providers/ipa/ipa_netgroups.c /sssd/src/providers/ipa/ipa_opts.h /sssd/src/providers/ldap/ldap_id.c /sssd/src/providers/ldap/ldap_options.c /sssd/src/providers/ldap/ldap_opts.h /sssd/src/providers/ldap/sdap.c /sssd/src/providers/ldap/sdap.h /sssd/src/providers/ldap/sdap_async_enum.c /sssd/src/providers/ldap/sdap_async_groups.c /sssd/src/providers/ldap/sdap_async_groups_ad.c /sssd/src/providers/ldap/sdap_async_initgroups.c /sssd/src/providers/ldap/sdap_async_nested_groups.c /sssd/src/providers/ldap/sdap_async_users.c /sssd/src/tests/ipa_ldap_opt-tests.c /sssd/src/util/util_errors.c /sssd/src/util/util_errors.h
90afedb00608547ae1f32aa7aafd552c4b306909 26-Feb-2014 Jakub Hrozek <jhrozek@redhat.com>

DP: Provide separate dp_copy_defaults function https://fedorahosted.org/sssd/ticket/2257 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

a3c8390d19593b1e5277d95bfb4ab206d4785150 12-Feb-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code:

    grep -rwl --include '*.[hc]' DEBUG . | while read f; do
        mv "$f"{,.orig}
        perl -e \
            'use strict;
             use File::Slurp;
             my $text=read_file(\*STDIN);
             $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
             print $text;' < "$f.orig" > "$f"
        rm "$f.orig"
    done

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

/sssd/src/confdb/confdb.c /sssd/src/confdb/confdb_setup.c /sssd/src/db/sysdb.c /sssd/src/db/sysdb_autofs.c /sssd/src/db/sysdb_idmap.c /sssd/src/db/sysdb_ops.c /sssd/src/db/sysdb_ranges.c /sssd/src/db/sysdb_search.c /sssd/src/db/sysdb_selinux.c /sssd/src/db/sysdb_services.c /sssd/src/db/sysdb_ssh.c /sssd/src/db/sysdb_subdomains.c /sssd/src/db/sysdb_sudo.c /sssd/src/db/sysdb_upgrade.c /sssd/src/monitor/monitor.c /sssd/src/monitor/monitor_netlink.c /sssd/src/monitor/monitor_sbus.c ad_access.c ad_common.c ad_domain_info.c ad_dyndns.c ad_id.c ad_init.c ad_srv.c ad_subdomains.c /sssd/src/providers/data_provider_be.c /sssd/src/providers/data_provider_callbacks.c /sssd/src/providers/data_provider_fo.c /sssd/src/providers/data_provider_opts.c /sssd/src/providers/dp_auth_util.c /sssd/src/providers/dp_dyndns.c /sssd/src/providers/dp_pam_data_util.c /sssd/src/providers/dp_ptask.c /sssd/src/providers/dp_refresh.c /sssd/src/providers/fail_over.c /sssd/src/providers/fail_over_srv.c /sssd/src/providers/ipa/ipa_access.c /sssd/src/providers/ipa/ipa_auth.c /sssd/src/providers/ipa/ipa_autofs.c /sssd/src/providers/ipa/ipa_common.c /sssd/src/providers/ipa/ipa_config.c /sssd/src/providers/ipa/ipa_dyndns.c /sssd/src/providers/ipa/ipa_hbac_common.c /sssd/src/providers/ipa/ipa_hbac_hosts.c /sssd/src/providers/ipa/ipa_hbac_rules.c /sssd/src/providers/ipa/ipa_hbac_services.c /sssd/src/providers/ipa/ipa_hbac_users.c /sssd/src/providers/ipa/ipa_hostid.c /sssd/src/providers/ipa/ipa_hosts.c /sssd/src/providers/ipa/ipa_id.c /sssd/src/providers/ipa/ipa_idmap.c /sssd/src/providers/ipa/ipa_init.c /sssd/src/providers/ipa/ipa_netgroups.c /sssd/src/providers/ipa/ipa_s2n_exop.c /sssd/src/providers/ipa/ipa_selinux.c /sssd/src/providers/ipa/ipa_selinux_maps.c /sssd/src/providers/ipa/ipa_srv.c /sssd/src/providers/ipa/ipa_subdomains.c /sssd/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd/src/providers/ipa/ipa_subdomains_id.c /sssd/src/providers/ipa/ipa_sudo.c /sssd/src/providers/krb5/krb5_access.c 
/sssd/src/providers/krb5/krb5_auth.c /sssd/src/providers/krb5/krb5_become_user.c /sssd/src/providers/krb5/krb5_child.c /sssd/src/providers/krb5/krb5_child_handler.c /sssd/src/providers/krb5/krb5_common.c /sssd/src/providers/krb5/krb5_delayed_online_authentication.c /sssd/src/providers/krb5/krb5_init.c /sssd/src/providers/krb5/krb5_init_shared.c /sssd/src/providers/krb5/krb5_renew_tgt.c /sssd/src/providers/krb5/krb5_utils.c /sssd/src/providers/krb5/krb5_wait_queue.c /sssd/src/providers/ldap/ldap_access.c /sssd/src/providers/ldap/ldap_auth.c /sssd/src/providers/ldap/ldap_child.c /sssd/src/providers/ldap/ldap_common.c /sssd/src/providers/ldap/ldap_id.c /sssd/src/providers/ldap/ldap_id_cleanup.c /sssd/src/providers/ldap/ldap_id_enum.c /sssd/src/providers/ldap/ldap_id_netgroup.c /sssd/src/providers/ldap/ldap_id_services.c /sssd/src/providers/ldap/ldap_init.c /sssd/src/providers/ldap/sdap.c /sssd/src/providers/ldap/sdap_access.c /sssd/src/providers/ldap/sdap_async.c /sssd/src/providers/ldap/sdap_async_autofs.c /sssd/src/providers/ldap/sdap_async_connection.c /sssd/src/providers/ldap/sdap_async_enum.c /sssd/src/providers/ldap/sdap_async_groups.c /sssd/src/providers/ldap/sdap_async_groups_ad.c /sssd/src/providers/ldap/sdap_async_initgroups.c /sssd/src/providers/ldap/sdap_async_initgroups_ad.c /sssd/src/providers/ldap/sdap_async_nested_groups.c /sssd/src/providers/ldap/sdap_async_netgroups.c /sssd/src/providers/ldap/sdap_async_services.c /sssd/src/providers/ldap/sdap_async_sudo.c /sssd/src/providers/ldap/sdap_async_sudo_hostinfo.c /sssd/src/providers/ldap/sdap_async_sudo_timer.c /sssd/src/providers/ldap/sdap_async_users.c /sssd/src/providers/ldap/sdap_autofs.c /sssd/src/providers/ldap/sdap_child_helpers.c /sssd/src/providers/ldap/sdap_dyndns.c /sssd/src/providers/ldap/sdap_fd_events.c /sssd/src/providers/ldap/sdap_id_op.c /sssd/src/providers/ldap/sdap_idmap.c /sssd/src/providers/ldap/sdap_range.c /sssd/src/providers/ldap/sdap_refresh.c /sssd/src/providers/ldap/sdap_reinit.c 
/sssd/src/providers/ldap/sdap_sudo.c /sssd/src/providers/ldap/sdap_sudo_cache.c /sssd/src/providers/proxy/proxy_auth.c /sssd/src/providers/proxy/proxy_child.c /sssd/src/providers/proxy/proxy_id.c /sssd/src/providers/proxy/proxy_init.c /sssd/src/providers/proxy/proxy_netgroup.c /sssd/src/providers/proxy/proxy_services.c /sssd/src/providers/simple/simple_access.c /sssd/src/providers/simple/simple_access_check.c /sssd/src/resolv/async_resolv.c /sssd/src/resolv/async_resolv_utils.c /sssd/src/responder/autofs/autofssrv.c /sssd/src/responder/autofs/autofssrv_cmd.c /sssd/src/responder/autofs/autofssrv_dp.c /sssd/src/responder/common/negcache.c /sssd/src/responder/common/responder_cmd.c /sssd/src/responder/common/responder_common.c /sssd/src/responder/common/responder_dp.c /sssd/src/responder/common/responder_get_domains.c /sssd/src/responder/nss/nsssrv.c /sssd/src/responder/nss/nsssrv_cmd.c /sssd/src/responder/nss/nsssrv_mmap_cache.c /sssd/src/responder/nss/nsssrv_netgroup.c /sssd/src/responder/nss/nsssrv_private.h /sssd/src/responder/nss/nsssrv_services.c /sssd/src/responder/pac/pacsrv.c /sssd/src/responder/pac/pacsrv_cmd.c /sssd/src/responder/pac/pacsrv_utils.c /sssd/src/responder/pam/pam_LOCAL_domain.c /sssd/src/responder/pam/pam_helpers.c /sssd/src/responder/pam/pamsrv.c /sssd/src/responder/pam/pamsrv_cmd.c /sssd/src/responder/pam/pamsrv_dp.c /sssd/src/responder/ssh/sshsrv.c /sssd/src/responder/ssh/sshsrv_cmd.c /sssd/src/responder/ssh/sshsrv_dp.c /sssd/src/responder/sudo/sudosrv.c /sssd/src/responder/sudo/sudosrv_cmd.c /sssd/src/responder/sudo/sudosrv_dp.c /sssd/src/responder/sudo/sudosrv_get_sudorules.c /sssd/src/responder/sudo/sudosrv_query.c /sssd/src/sbus/sbus_client.c /sssd/src/sbus/sssd_dbus_common.c /sssd/src/sbus/sssd_dbus_connection.c /sssd/src/sbus/sssd_dbus_server.c /sssd/src/sss_client/ssh/sss_ssh_authorizedkeys.c /sssd/src/sss_client/ssh/sss_ssh_knownhostsproxy.c /sssd/src/tests/auth-tests.c /sssd/src/tests/cmocka/test_dyndns.c 
/sssd/src/tests/cmocka/test_fqnames.c /sssd/src/tests/cmocka/test_nss_srv.c /sssd/src/tests/cmocka/test_utils.c /sssd/src/tests/common_dom.c /sssd/src/tests/common_tev.c /sssd/src/tests/debug-tests.c /sssd/src/tests/files-tests.c /sssd/src/tests/krb5_child-test.c /sssd/src/tests/resolv-tests.c /sssd/src/tests/simple_access-tests.c /sssd/src/tests/sysdb-tests.c /sssd/src/tests/sysdb_ssh-tests.c /sssd/src/tools/files.c /sssd/src/tools/selinux.c /sssd/src/tools/sss_cache.c /sssd/src/tools/sss_debuglevel.c /sssd/src/tools/sss_groupadd.c /sssd/src/tools/sss_groupdel.c /sssd/src/tools/sss_groupmod.c /sssd/src/tools/sss_groupshow.c /sssd/src/tools/sss_seed.c /sssd/src/tools/sss_sync_ops.c /sssd/src/tools/sss_useradd.c /sssd/src/tools/sss_userdel.c /sssd/src/tools/sss_usermod.c /sssd/src/tools/tools_mc_util.c /sssd/src/tools/tools_util.c /sssd/src/tools/tools_util.h /sssd/src/util/authtok.c /sssd/src/util/backup_file.c /sssd/src/util/check_and_open.c /sssd/src/util/child_common.c /sssd/src/util/crypto/libcrypto/crypto_base64.c /sssd/src/util/crypto/libcrypto/crypto_obfuscate.c /sssd/src/util/crypto/nss/nss_obfuscate.c /sssd/src/util/crypto/nss/nss_util.c /sssd/src/util/debug.c /sssd/src/util/domain_info_utils.c /sssd/src/util/find_uid.c /sssd/src/util/nscd.c /sssd/src/util/server.c /sssd/src/util/signal.c /sssd/src/util/sss_ini.c /sssd/src/util/sss_krb5.c /sssd/src/util/sss_krb5.h /sssd/src/util/sss_ldap.c /sssd/src/util/sss_nss.c /sssd/src/util/sss_selinux.c /sssd/src/util/sss_ssh.c /sssd/src/util/sss_tc_utf8.c /sssd/src/util/user_info_msg.c /sssd/src/util/usertools.c /sssd/src/util/util.c /sssd/src/util/util.h /sssd/src/util/util_lock.c /sssd/src/util/well_known_sids.c
113debb7297f0c02b5be0dd404badeef78841a83 01-Feb-2014 Lukas Slebodnik <lslebodn@redhat.com>

AD: Remove unused memory contexts Memory context memctx was unused in functions: _ad_servers_init, sdap_ad_tokengroups_update_members

266110fa0f6eb086f8f88787bb167cea416fe108 19-Dec-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: Enable fallback to LDAP of trusted domain Since we have the LDAP port of a trusted AD GC always available now, we can always perform a fallback.

ba4a81e933deebb416603369b447ead6ebaa040d 19-Dec-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: Add a new option to turn off GC lookups SSSD now defaults to using GC by default. For some environments, for instance those that don't or can't replicate the POSIX attributes to Global Catalog, this might not be desirable. This patch introduces a new option ad_enable_gc, that is enabled by default. Setting this option to false makes the SSSD contact only the LDAP port of AD DCs.

72ae534f5aef6d2e5d3f2f51299aede5abf9687e 19-Dec-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: Add a utility function to create list of connections ad_id.c and ad_access.c used the same block of code. With the upcoming option to disable GC lookups, we should unify the code in a function to avoid breaking one of the code paths. The same applies for the LDAP connection to the trusted AD DC. Includes a unit test.

3a3fd60043234038c6ff6584a5b92fb757c4afe1 25-Oct-2013 Lukas Slebodnik <lslebodn@redhat.com>

AD: Prefer GC port from SRV record We had a hard coded value of Global Catalog port (3268). Information from the SRV record was ignored. This patch prefers the port number from the SRV record, and the hard coded value is used only as a fallback if the port number was not initialized.

9a9a813906472ffff3911b6006d023e1c6cbff8a 04-Oct-2013 Sumit Bose <sbose@redhat.com>

AD: properly initialize GC from ad_server option

59415636c92c6e9764ddc65a85ad61002310519d 28-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: initialize failover with custom realm, domain and failover service This is needed so we can initialize failover using IPA realm and on-the-fly discovered DNS domain. The subdomains discovered on-the-fly will use the subdomain name for realm, domain and failover service to avoid conflicts. Subtask of: https://fedorahosted.org/sssd/ticket/1962

ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9 28-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: decouple ad_id_ctx initialization The IPA subdomain code will perform lookups on its own in the server mode. For this, the AD provider must offer a way to initialize the ad_id_ctx for external consumers. Subtask of: https://fedorahosted.org/sssd/ticket/1962

ba95f1c434b430f0db7fddbd865af10488ecab17 26-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: kinit with the local DC even when talking to a GC We tried to use the GC address even for kinit which gave us errors like: "Realm not local to KDC while getting initial credentials". This patch adds a new AD_GC service that is only used for ID lookups, any sort of Kerberos operations are done against the local servers.

bb4172259e04925ffc3a92e4450029634d295134 14-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: Fix segfault in DEBUG message

14452cd066b51e32ca0ebad6c45ae909a1debe57 10-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

A new option krb5_use_kdcinfo https://fedorahosted.org/sssd/ticket/1883 The patch introduces a new Kerberos provider option called krb5_use_kdcinfo. The option is true by default in all providers. When set to false, the SSSD will not create krb5 info files that the locator plugin consumes and the user would have to set up the Kerberos options manually in krb5.conf

55d80b1301fe969fb4ba2b9481027887b9462dbb 07-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: Add additional service to support Global Catalog lookups When fixed host names of AD servers are configured in the config file, we can't know (unlike when service discovery is at play) if the servers are Global Catalogs or not. This patch adds private data to servers read from the config file that denotes whether the server can be tried for contacting the Global Catalog port or just LDAP. The GC or LDAP URIs are generated based on contents of this private data structure. Because SSSD sticks to a working server, we don't have to disable or remove the faulty GC servers from the list.

749cfb5d3270b5daf389d51a0dbd3fd2aec6e05d 07-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

LDAP: new SDAP domain structure Previously an sdap_id_ctx was always tied to one domain with a single set of search bases. But with the introduction of Global Catalog lookups, primary domain and subdomains might have different search bases. This patch introduces a new structure sdap_domain that contains an sssd domain or subdomain and a set of search bases. With this patch, there is only one sdap_domain that describes the primary domain.

ad_common.c ad_subdomains.c /sssd/src/providers/ipa/ipa_common.c /sssd/src/providers/ipa/ipa_netgroups.c /sssd/src/providers/ldap/ldap_common.c /sssd/src/providers/ldap/ldap_common.h /sssd/src/providers/ldap/ldap_id.c /sssd/src/providers/ldap/ldap_id_enum.c /sssd/src/providers/ldap/ldap_id_netgroup.c /sssd/src/providers/ldap/ldap_id_services.c /sssd/src/providers/ldap/ldap_init.c /sssd/src/providers/ldap/sdap.c /sssd/src/providers/ldap/sdap.h /sssd/src/providers/ldap/sdap_async.h /sssd/src/providers/ldap/sdap_async_autofs.c /sssd/src/providers/ldap/sdap_async_connection.c /sssd/src/providers/ldap/sdap_async_groups.c /sssd/src/providers/ldap/sdap_async_groups_ad.c /sssd/src/providers/ldap/sdap_async_initgroups.c /sssd/src/providers/ldap/sdap_async_initgroups_ad.c /sssd/src/providers/ldap/sdap_async_nested_groups.c /sssd/src/providers/ldap/sdap_async_netgroups.c /sssd/src/providers/ldap/sdap_async_private.h /sssd/src/providers/ldap/sdap_async_services.c /sssd/src/providers/ldap/sdap_async_sudo.c
7119f0c483049a8850d3075c0b1062f35200a538 07-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

Do not obfuscate calls with booleans Instead of using boolean variables to denote whether the call is adding a primary or a secondary server, use a function wrapper that tells what it's doing by its name.

3bd78eb2faf09635b8d307e4440ccb1420f80716 27-May-2013 Jakub Hrozek <jhrozek@redhat.com>

Fix dyndns timer initialization The dyndns init function was starting the timer even if the updates were set to False. This patch splits the init of dynamic updates and the timer into two functions so that the back end can start the updates separately from reading the options.

74e95cfd9d3939dfe9417d79d2f6fc79b361405f 03-May-2013 Jakub Hrozek <jhrozek@redhat.com>

Active Directory dynamic DNS updates https://fedorahosted.org/sssd/ticket/1504 Implements dynamic DNS updates for the AD provider. By default, the updates also update the reverse zone and run periodically every 24 hours.

04759b59e71c78ab23b84d13dd29d9c6dd680adb 02-Jan-2013 Michal Zidek <mzidek@redhat.com>

failover: Protect against empty host names Added a new parameter to split_on_separator that allows skipping empty values. The whole function was rewritten. A unit test case was added to check the new implementation. https://fedorahosted.org/sssd/ticket/1484

e0d861963e10c5aba79ad87f8c48b0ce1bec06ca 19-Nov-2012 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Provide a common sdap_set_sasl_options init function The AD and IPA initialization functions shared the same code. This patch moves the code into a common initialization function.

b1caacb098ae99ad65144120fdec4d0fd98ad9d5 17-Sep-2012 Pavel Březina <pbrezina@redhat.com>

Failover: use _srv_ when no primary server is defined https://fedorahosted.org/sssd/ticket/1521

b096321a5a02dda0b6b71ba0f9c4d8feacd979e4 23-Aug-2012 Michal Zidek <mzidek@redhat.com>

Fix: IPv6 address with square brackets doesn't work. https://fedorahosted.org/sssd/ticket/1365

0051296f67bd7d8e2e3094638ddff4e641324d04 23-Aug-2012 Michal Zidek <mzidek@redhat.com>

Typo in debug message (SSSd -> SSSD). https://fedorahosted.org/sssd/ticket/1434

e4c29d1f8e3b2c2b268105f169e5156a0a36aebf 23-Aug-2012 Ondrej Kos <okos@redhat.com>

Consolidation of functions that make realm upper-case

9ab243b369ba317cc964080786dbcdebaf23d6be 15-Aug-2012 Michal Zidek <mzidek@redhat.com>

Duplicate detection in fail over did not work. https://fedorahosted.org/sssd/ticket/1472

4a1e58d85409fbb7a12ac244c3dbef8c0c1b15df 09-Aug-2012 Michal Zidek <mzidek@redhat.com>

SRV resolution for backup servers should not be permitted. https://fedorahosted.org/sssd/ticket/1463

016e0d7202ff965018e41869c5ab501f86b0d081 01-Aug-2012 Jan Zeleny <jzeleny@redhat.com>

Primary server support: AD adaptation This patch adds support for the primary server functionality into AD provider. No backup servers are added at the moment, just the basic support is in place.

346f41f1ede975cb2db0af570f5b454b9b306704 06-Jul-2012 Stephen Gallagher <sgallagh@redhat.com>

AD: Force case-insensitive operation in AD provider

4e2d9fe30bf8b692972a9654c60d2d90ed355815 06-Jul-2012 Stephen Gallagher <sgallagh@redhat.com>

AD: use krb5_keytab for validation and GSSAPI This simplifies configuration by eliminating the need to specify both krb5_keytab and ldap_krb5_keytab if the keytab is not located at /etc/krb5.keytab

d92c50f6d75ae980b0d130134112a33e1584724c 06-Jul-2012 Stephen Gallagher <sgallagh@redhat.com>

AD: Add AD auth and chpass providers These new providers take advantage of existing code for the KRB5 provider, providing sensible defaults for operating against an Active Directory 2008 R2 or later server.

effcbdb12c7ef892f1fd92a745cb33a08ca4ba30 06-Jul-2012 Stephen Gallagher <sgallagh@redhat.com>

AD: Add AD identity provider This new identity provider takes advantage of existing code for the LDAP provider, but provides sensible defaults for operating against an Active Directory 2008 R2 or later server.