DP: rename be_acct_req to dp_id_data Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

DP: Switch to new interface Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Rename dp_dyndns.h to be_dyndns.h Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

AD_PROVIDER: Fix constant char * This patch fixes loading of ad_domain option. It is declared like const, co we should use dp_opt_get_cstring() instead of dp_opt_get_string(). Reviewed-by: Sumit Bose <sbose@redhat.com>

AD: add task to renew the machine account password if needed AD expects its clients to renew the machine account password on a regular basis, be default every 30 days. Even if a client does not renew the password it might not cause issues because AD does not enforce the renewal. But the password age might be used to identify unused machine accounts in large environments which might get disabled or deleted automatically. With this patch SSSD calls an external program to check the age of the machine account password and renew it if needed. Currently 'adcli' is used as external program which is able to renew the password since version 0.8.0. Resolves https://fedorahosted.org/sssd/ticket/1041 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

AD: Add autofs provider https://fedorahosted.org/sssd/ticket/1632 Adds the possibility to configure: autofs_provider = ad The AD autofs provider uses the rfc2307 (nis*) attribute maps. This is different (at the moment) from using autofs_provider=ldap with ldap_schema=ad. Reviewed-by: Ondrej Valousek <ondrejv2@fedoraproject.org> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

AD: send less logs to syslog Create new callback that handles logging messages in cyrus sasl library. Resolves: https://fedorahosted.org/sssd/ticket/2561 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Add missing new lines to debug messages Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

be_refresh: add sdap_refresh_init Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

AD: support for AD site override Override AD site found during DNS discovery. Resolves: https://fedorahosted.org/sssd/ticket/2486 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

AD-GPO: processing changes for gpo_map_* options Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

AD-GPO: add ad_gpo_cache_timeout option Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Implemented LDAP component of GPO-based access control Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SUDO: AD provider This patch adds the sudo target to the AD provider. The main reason is to cover different default settings in the LDAP and AD provider. E.g. the default for ldap_id_mapping is True in the AD provider and False in the LDAP provider. If ldap_id_mapping was not set explicitly in the config file both components worked with different setting. Fixes https://fedorahosted.org/sssd/ticket/2256 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

LDAP: Pass a private context to enumeration ptask instead of hardcoded connection Previously, the sdap-domain enumeration request used a single connection context to download all the data. Now we'd like to use different connections to download different objects, so the ID context is passed in and the request itself decides which connection to use for the sdap-domain enumeration.

AD: Add a utility function to create list of connections ad_id.c and ad_access.c used the same block of code. With the upcoming option to disable GC lookups, we should unify the code in a function to avoid breaking one of the code paths. The same applies for the LDAP connection to the trusted AD DC. Includes a unit test.

AD: cross-domain membership fix A recent patch directed all call related to group membership lookups to the AD LDAP port to fix an issue related to missing group memberships in the Global Catalog. As a side-effect it broke cross-domain group-memberships because those cannot be resolved by the connection to the LDAP port. The patch tires to fix this by restoring the original behaviour in the top-level lookup calls in the AD provider and switching to the LDAP port only for the LDAP request which is expected to return the full group membership. Additionally this patch contains a related fix for the tokenGroups with Posix attributes patch. The original connection, typically a Global Catalog connection in the AD case is passed down the stack so that the group lookup after the tokenGroups request can run over the same connection.

AD: Add extended access filter https://fedorahosted.org/sssd/ticket/2082 Adds a new option that allows the admin to specify a LDAP access filter that can be applied globally, per-domain or per-forest.

AD: Search GC by default during access control, fall back to LDAP Resolves: https://fedorahosted.org/sssd/ticket/2082 In order to allow the ad_access_filter option to work for subdomain users as well, the Global Catalog must be searched. This patch adds a wrapper request atop sdap_access_send that selects the right connection (GC or LDAP) and optionally falls back to LDAP.

AD: Use the ad_access_filter if it's set Related: https://fedorahosted.org/sssd/ticket/2082 Currently the AD access control only checks if an account has been expired. This patch amends the logic so that if ad_access_filter is set, it is used automatically.

AD: Download master domain info when enumerating https://fedorahosted.org/sssd/ticket/2068 With the current design, downloading master domain data was tied to subdomains refresh, triggered by responders. But because enumeration is a background task that can't be triggered on its own, we can't rely on responders to download the master domain data and we need to check the master domain on each enumeration request.

AD: async request to retrieve master domain info Adds a reusable async request to download the master domain info.

LDAP: Make sdap_id_setup_tasks reusable for subdomains Instead of always performing the setup for the main domain, the setup can now be performed for subdomains as well.

AD: Cast SASL callbacks to propper type The initialization of ad_sasl_callbacks raised an incompatible pointer type warning. This was caused because the cyrus-sasl API hasa changed. The callback function list needs to be cast now.

sssd_ad: Add hackish workaround for sasl ad_compat This tries to set the ad_compat option for sasl, by working around the openldap/sasl initialization as openldap does not allow us to pass down to sasl our own getopt callback. Resolves: https://fedorahosted.org/sssd/ticket/2040

KRB5: Do not send PAC in server mode The krb5 child contacts the PAC responder for any user except for the IPA native users if the PAC is configured. This works fine for the general case but the ipa_server_mode is a special one. The PAC responder is there, but since in the server mode we should be operating as AD provider default, the PAC shouldn't be analyzed either in this case.

AD: initialize failover with custom realm, domain and failover service This is needed so we can initialize failover using IPA realm and on-the-fly discovered DNS domain. The subdomains discovered on-thefly will use the subdomain name for realm, domain and failover service to avoid conflicts. Subtaks of: https://fedorahosted.org/sssd/ticket/1962

AD: decouple ad_id_ctx initialization The IPA subdomain code will perform lookups on its own in the server mode. For this, the AD provider must offer a way to initialize the ad_id_ctx for external consumers. Subtask of: https://fedorahosted.org/sssd/ticket/1962

Fix allocation check

Fix allocation check in the AD provider https://fedorahosted.org/sssd/ticket/1976

providers: refresh expired netgroups https://fedorahosted.org/sssd/ticket/1713

AD: Add additional service to support Global Catalog lookups When fixed host names of AD servers are configured in the config file, we can't know (unlike when service discovery is at play) if the servers are Global Catalogs or not. This patch adds a private data to servers read from the config file that denote whether the server can be tried for contacting the Global Catalog port or just LDAP. The GC or LDAP URIs are generated based on contents of this private data structure. Because SSSD sticks to a working server, we don't have to disable or remove the faulty GC servers from the list.

LDAP: sdap_id_ctx might contain several connections With some LDAP server implementations, one server might provide different "views" of the identites on different ports. One example is the Active Directory Global catalog. The provider would contact different view depending on which operation it is performing and against which SSSD domain. At the same time, these views run on the same server, which means the same server options, enumeration, cleanup or Kerberos service should be used. So instead of using several different failover ports or several instances of sdap_id_ctx, this patch introduces a new "struct sdap_id_conn_ctx" that contains the connection cache to the particular view and an instance of "struct sdap_options" that contains the URI. No functional changes are present in this patch, currently all providers use a single connection. Multiple connections will be used later in the upcoming patches.

Remove unneeded parameter of setup_child and namespace it setup_child() was accepting a parameter it didn't use. Also the function name was too generic, so I added a sdap prefix.

AD: read flat name and SID of the AD domain For various features either the flat/short/NetBIOS domain name or the domain SID is needed. Since the responders already try to do a subdomain lookup when and known domain name is encountered I added a subdomain lookup to the AD provider which currently only reads the SID from the base DN and the NetBIOS name from a reply of a LDAP ping. The results are written to the cache to have them available even if SSSD is started in offline mode. Looking up trusted domains can be added later. Since all the needed responder code is already available from the corresponding work for the IPA provider this patch fixes https://fedorahosted.org/sssd/ticket/1468

AD: Always initialize ID mapping Because we now always store SIDs in the LDAP provider, we also need to always initialize the ID mapping context even if ID mapping itself is off.

Active Directory dynamic DNS updates https://fedorahosted.org/sssd/ticket/1504 Implements dynamic DNS updates for the AD provider. By default, the updates also update the reverse zone and run periodically every 24 hours.

DNS sites support - add AD SRV plugin https://fedorahosted.org/sssd/ticket/1032

DNS sites support - use SRV DNS lookup plugin in all providers https://fedorahosted.org/sssd/ticket/1032 We set a plugin during an initialization of ID provider, which is an authoritative provider for a plugin choice. The plugin is set only once. When other provider is initalized (e.g. id = IPA, sudo = LDAP), we do not overwrite the plugin. Since sssm_*_id_init() is called from all module constructors, this patch relies on the fact, that ID provider is initialized before all other providers.

AD context was set to null due to type mismatch

Primary server support: new option in AD provider This patch adds support for new config option ad_backup_server. The description of this option's functionality is included in man page in one of previous patches.

Primary server support: AD adaptation This patch adds support for the primary server functionality into AD provider. No backup servers are added at the moment, just the basic support is in place.

AD: Add AD access-control provider This patch adds support for checking whether a user is expired or disabled in AD.

AD: Add AD auth and chpass providers These new providers take advantage of existing code for the KRB5 provider, providing sensible defaults for operating against an Active Directory 2008 R2 or later server.

AD: Add AD identity provider This new identity provider takes advantage of existing code for the LDAP provider, but provides sensible defaults for operating against an Active Directory 2008 R2 or later server.