sysdb: add UPN suffix support for the master domain sysdb_master_domain_update() and sysdb_master_domain_add_info() are now aware of the UPN suffix attribute. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

DP: rename be_acct_req to dp_id_data Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

DP: Switch to new interface Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

AD: process PAC during initgroups request If there is a recently attached PAC blob in the cached user entry the PAC data is used to update the group memberships data of the user. If there is no PAC attached or if it is too old the other configured methods will be used. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

AD: Log SID in debug message Reviewed-by: Pavel Březina <pbrezina@redhat.com>

AD: Remove unused memory context from ad_user_conn_list Reviewed-by: Petr Cech <pcech@redhat.com>

AD: Consolidate connection list construction on ad_common.c Reviewed-by: Sumit Bose <sbose@redhat.com>

AD: Provide common connection list construction functions https://fedorahosted.org/sssd/ticket/2810 Provides a new AD common function ad_ldap_conn_list() that creates a list of AD connection to use along with properties to avoid mistakes when manually constructing these lists. Reviewed-by: Sumit Bose <sbose@redhat.com>

AD: Do not mark the whole back end as offline if subdomain lookup fails Required for: https://fedorahosted.org/sssd/ticket/2637 Rather mark the domain as inactive. It will be marked as active later, in the meantime the main domain can continue to work online and subdomain requests will be answered from cache. The lookup request itself just returns a special error code and lets the caller handle the error code as appropriate (normally by disabling the subdomain temporarily). Reviewed-by: Pavel Březina <pbrezina@redhat.com>

AD: Only ignore errors from SDAP lookups if there's another connection to fallback to Required for: https://fedorahosted.org/sssd/ticket/2637 The AD lookup code honors the ignore_mark_offline flag in the sense that if it's set, the sdap return code is not reported to the upper layer, but EOK is returned as request status and the sdap return code is returned separately. This patch modifies the behaviour further to only apply if there is another connection to fall back to. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

SYSDB: Add realm to sysdb_master_domain_add_info Adding realm to both master domain and subdomain will make it easier to set and select forest roots. Even master domains can be forest members, it's preferable to avoid special-casing as much as possible. Includes a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>

Skip enumeration requests in IPA and AD providers as well Checking the enum request in the underlying LDAP provider to skip it might be too late as the richer IPA or AD providers depend on having a useful result when the sdap request finishes. Move the enumeration check earlier instead and allow directly in the IPA or AD handler. Related: https://fedorahosted.org/sssd/ticket/2659 Reviewed-by: Sumit Bose <sbose@redhat.com>

sdap_handle_acct_req_send: remove be_req be_req was used only as a talloc context for subreq. This memory context was replace by state of the parent request which is more suitable for tevent coding style. This change will allow us to use this function in be_refresh where none be_req is available. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

AD: Set dp_error if gc was not used Global catalog was not used in ipa server mode and request failed then dp_error was not set (default is zero). dp_error should not be OK on failed request. [ipa_get_ad_acct_ad_part_done] (0x0040): AD lookup failed: 11 [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 11 [sdap_id_op_destroy] (0x4000): releasing operation connection [ipa_account_info_error_text] (0x0020): Bug: dp_error is OK on failed request [acctinfo_callback] (0x0100): Request processed. Returned 3,11,Account info lookup failed Reviewed-by: Sumit Bose <sbose@redhat.com>

UTIL: rename find_subdomain_by_name The function was named "find_subdomain" yet it could find both main domain and subdomain. sed 's/find_subdomain_by_name/find_domain_by_name/' -i `find . -name "*.[ch]"` Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

UTIL: rename find_subdomain_by_sid The function was named "find_subdomain" yet it could find both main domain and subdomain. sed 's/find_subdomain_by_sid/find_domain_by_sid/' -i `find . -name "*.[ch]"` Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ad_handle_acct_info_step: fix typo Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Implemented LDAP component of GPO-based access control Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

AD: Continue if sssd failes to check extra members Reported by scan-build for (mi = 0; group_only[mi]; mi++) { ^~~~~~~~~~ warning: Array access (from variable 'group_only') results in a null pointer dereference It can happend if function ad_group_extra_members fails (ret != EOK) Reviewed-by: Simo Sorce <simo@redhat.com>

AD: Only connect to GC for subdomain users https://fedorahosted.org/sssd/ticket/2251 By connecting to GC for users from both trusted domains and parent domain, we lose the ability to download the shell and homedir if these are used with ID mapping. This patch changes the user lookups only. Changing the logic for all lookups would break cross-domain group memberships, for example. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

ad_account_can_shortcut(): return bool instead of errno Resolves: https://fedorahosted.org/sssd/ticket/2210 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

AD: Remove dead code Reviewed-by: Pavel Březina <pbrezina@redhat.com>

AD: Only download domains that are set to enumerate Reviewed-by: Pavel Březina <pbrezina@redhat.com>

LDAP: Detect the presence of POSIX attributes When the schema is set to AD and ID mapping is not used, there is a one-time check ran when searching for users to detect the presence of POSIX attributes in LDAP. If this check fails, the search fails as if no entry was found and returns a special error code. The sdap_server_opts structure is filled every time a client connects to a server so the posix check boolean is reset to false again on connecting to the server. It might be better to move the check to where the rootDSE is retrieved, but the check depends on several features that are not known to the code that retrieves the rootDSE (or the connection code for example) such as what the attribute mappings are or the authentication method that should be used. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

AD: Establish cross-domain memberships after enumeration finishes Because domain enumeration currently works for each domain separately, the code has to establish cross-domain memberships after all domains are enumerated. The code works as follows: 1) check if any *sub*domains were enumerated. If not, do nothing 2) if any of the groups saved had more original members than sysdb members, check if members of these groups can be linked now that all users and groups are saved using the orig_member attribute of the group matched against originalDN member of the user. Related: https://fedorahosted.org/sssd/ticket/2142

AD: Enumerate users from GC, other entities from LDAP

LDAP: Pass a private context to enumeration ptask instead of hardcoded connection Previously, the sdap-domain enumeration request used a single connection context to download all the data. Now we'd like to use different connections to download different objects, so the ID context is passed in and the request itself decides which connection to use for the sdap-domain enumeration.

LDAP: Don't abort request if no id mapping domain matches If an ID was requested from the back end, but no ID mapping domain matched, the request ended with a scary error message. It's better to treat the request as if no such ID was found in the domain Related: https://fedorahosted.org/sssd/ticket/2200

AD: Don't fail the request if ad_account_can_shortcut fails

responder: Set forest attribute in AD domains Resolves: https://fedorahosted.org/sssd/ticket/2160

AD: Add a utility function to create list of connections ad_id.c and ad_access.c used the same block of code. With the upcoming option to disable GC lookups, we should unify the code in a function to avoid breaking one of the code paths. The same applies for the LDAP connection to the trusted AD DC. Includes a unit test.

AD: cross-domain membership fix A recent patch directed all call related to group membership lookups to the AD LDAP port to fix an issue related to missing group memberships in the Global Catalog. As a side-effect it broke cross-domain group-memberships because those cannot be resolved by the connection to the LDAP port. The patch tires to fix this by restoring the original behaviour in the top-level lookup calls in the AD provider and switching to the LDAP port only for the LDAP request which is expected to return the full group membership. Additionally this patch contains a related fix for the tokenGroups with Posix attributes patch. The original connection, typically a Global Catalog connection in the AD case is passed down the stack so that the group lookup after the tokenGroups request can run over the same connection.

AD: Don't mark domain as enumerated twice The domain was already marked as enumerated using sysdb_set_enumerated in the enumeration request itself.

AD: use LDAP for group lookups The group memberships cannot be reliable retrieved from the Global Catalog. By default the memberOf attribute is not replicated to the GC at all and the member attribute is copied from the local LDAP instance to the GC running on the same host, but is only replicated to other GC instances for groups with universal scope. Additionally the tokenGroups attribute contains invalid SIDs when used with the GC for users from a different domains than the GC belongs to. As a result the requests which tries to resolve group-memberships of a AD user have to go to a LDAP server from the domain of the user. Fixes https://fedorahosted.org/sssd/ticket/2161 and https://fedorahosted.org/sssd/ticket/2148 as a side-effect.

SYSDB: Drop redundant sysdb_ctx parameter from sysdb.c

free idmapped SIDs correctly Resolves: https://fedorahosted.org/sssd/ticket/2133

ad: shortcut if possible during get object by ID or SID When getByID or getBySID comes from responder, the request doesn't necessarily have to contain correct domain, since responder iterates over all domains until it finds a match. Every domain has its own ID range, so we can simply shortcut if domain does not match and avoid LDAP round trip. Responder will continue with next domain until it finds the correct one.

AD: fall back to LDAP if GC is not available. AD provider went offline if the Global Catalog could not be connected although there was also the LDAP port available. With this patch, AD provider will fall back to the LDAP port before going offline. New boolean flag ignore_mark_offline was added to structure sdap_id_conn_ctx If this flag is enabled function be_mark_offline will not be called. Resolves: https://fedorahosted.org/sssd/ticket/2104

AD: talk to GC first even for local domain objects Related: https://fedorahosted.org/sssd/ticket/2070 Since we are recommending to configure the POSIX attributes so that they are replicated to the Global Catalog, we can start connecting to the GC by default even for local users. If the object is not matches in the GC, there is a possibility to fall back to LDAP.

AD: Failure to get flat name is not fatal https://fedorahosted.org/sssd/ticket/2067 Some AD or AD-like servers do not contain the netlogon attribute in the master domain name. Instead of failing completely, we should just abort the master domain request and carry on. The only functionality we miss would be getting users by domain flat name.

AD: Download master domain info when enumerating https://fedorahosted.org/sssd/ticket/2068 With the current design, downloading master domain data was tied to subdomains refresh, triggered by responders. But because enumeration is a background task that can't be triggered on its own, we can't rely on responders to download the master domain data and we need to check the master domain on each enumeration request.

IPA: Look up AD users directly if IPA server mode is on https://fedorahosted.org/sssd/ticket/1962 If the ipa_server_mode is selected IPA subdomain user and group lookups are not done with the help of the extdom plugin but directly against AD using the AD ID code.

AD ID lookups - choose GC or LDAP as appropriate https://fedorahosted.org/sssd/ticket/1557 Some lookups should be performed from GC only -- for example trusted users are only present in the Global Catalog, while some lookups should be performed from LDAP only as not all objects or attributes are replicated to Global Catalog. This patch adds a generic failover mechanism for identity lookups in the AD provider that allows to choose the appropriate source and even fail over to the other source if available.

LDAP: Pass in a connection to ID functions Instead of using the default connection from the sdap_id_ctx, allow the caller to specify which connection shall be used for this particular request. Again, no functional change is present in this patch, just another parameter is added.

Add be_req_get_be_ctx() helper. In preparation for making be_req opaque

AD context was set to null due to type mismatch

AD: Add AD identity provider This new identity provider takes advantage of existing code for the LDAP provider, but provides sensible defaults for operating against an Active Directory 2008 R2 or later server.