SDAP: add enterprise principal strings for user searches Unfortunately principal aliases with an alternative realm are stored in IPA as the string representation of an enterprise principal, i.e. name\@alt.realm@IPA.REALM. To be able to lookup the alternative principal in LDAP properly the UPN search filter is extended to search for this type of name as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

DP: rename be_acct_req to dp_id_data Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

DP: Switch to new interface Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Rename dp_backend.h to backend.h Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SDAP: Add sdap_or_filters Reviewed-by: Sumit Bose <sbose@redhat.com>

SDAP: rename sdap_get_id_specific_filter More generic name is used now since it is not used only for id filters. Probably all references will be deleted when the code uses sdap_search_in_bases istead of custom search base iterators. Reviewed-by: Sumit Bose <sbose@redhat.com>

SDAP: Add request that iterates over all search bases We often need to iterate over many search bases but we always use mostly copy&paste iterator. This will reduce code duplication and simplify code flow. Reviewed-by: Sumit Bose <sbose@redhat.com>

sudo: remove unused param. in ldap_get_sudo_options Remove unused talloc memory context. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

LDAP: Move sdap_create_search_base from ldap to sdap code The function shouldn't be placed in the LDAP tree, but in the SDAP tree to make it usable from tests without linking to libraries that are normally linked from LDAP provider (such as confdb) Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SDAP: Remove unused function Reviewed-by: Pavel Reichl <preichl@redhat.com>

LDAP: Fetch users and groups using wildcards Related: https://fedorahosted.org/sssd/ticket/2553 Adds handler for the BE_FILTER_WILDCARD in the LDAP provider. So far it's the same code as if enumeration was used, so there are no limits. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

LDAP: Consolidate SDAP_SASL_REALM/SDAP_KRB5_REALM behaviour Reviewed-by: Sumit Bose <sbose@redhat.com>

Skip enumeration requests in IPA and AD providers as well Checking the enum request in the underlying LDAP provider to skip it might be too late as the richer IPA or AD providers depend on having a useful result when the sdap request finishes. Move the enumeration check earlier instead and allow directly in the IPA or AD handler. Related: https://fedorahosted.org/sssd/ticket/2659 Reviewed-by: Sumit Bose <sbose@redhat.com>

LDAP/AD: do not resolve group members during tokenGroups request During initgroups requests we try to avoid to resolve the complete member list of groups if possible, e.g. if there are no nested groups. The tokenGroups LDAP lookup return the complete list of memberships for a user hence it is not necessary lookup the other group member and un-roll nested groups. With this patch only the group entry is looked up and saved as incomplete group to the cache. This is achieved by adding a new boolean parameter no_members to groups_get_send() and sdap_get_groups_send(). The difference to config options like ldap_group_nesting_level = 0 or ignore_group_members is that if no_members is set to true groups which are missing in the cache are created a incomplete groups. As a result a request to lookup this group will trigger a new LDAP request to resolve the group completely. This way no information is ignored but the time needed to read all data is better distributed between different requests. https://fedorahosted.org/sssd/ticket/2601 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

be_refresh: add sdap_refresh_init Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sdap_handle_acct_req_send: remove be_req be_req was used only as a talloc context for subreq. This memory context was replace by state of the parent request which is more suitable for tevent coding style. This change will allow us to use this function in be_refresh where none be_req is available. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

be_refresh: refresh all domains in backend Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

LDAP: Pass a private context to enumeration ptask instead of hardcoded connection Previously, the sdap-domain enumeration request used a single connection context to download all the data. Now we'd like to use different connections to download different objects, so the ID context is passed in and the request itself decides which connection to use for the sdap-domain enumeration.

sdap: add sdap_domain_get_by_dn() This function will find sdap domain by comparing object dn with domain base dn. Resolves: https://fedorahosted.org/sssd/ticket/2064

dp: convert cleanup task to be_ptask Resolves: https://fedorahosted.org/sssd/ticket/1968

AD: Use the ad_access_filter if it's set Related: https://fedorahosted.org/sssd/ticket/2082 Currently the AD access control only checks if an account has been expired. This patch amends the logic so that if ad_access_filter is set, it is used automatically.

AD: fall back to LDAP if GC is not available. AD provider went offline if the Global Catalog could not be connected although there was also the LDAP port available. With this patch, AD provider will fall back to the LDAP port before going offline. New boolean flag ignore_mark_offline was added to structure sdap_id_conn_ctx If this flag is enabled function be_mark_offline will not be called. Resolves: https://fedorahosted.org/sssd/ticket/2104

AD: Download master domain info when enumerating https://fedorahosted.org/sssd/ticket/2068 With the current design, downloading master domain data was tied to subdomains refresh, triggered by responders. But because enumeration is a background task that can't be triggered on its own, we can't rely on responders to download the master domain data and we need to check the master domain on each enumeration request.

LDAP: sdap_id_setup_tasks accepts a custom enum request AD provider will override the default with its own.

LDAP: Store cleanup timestamp after initial cleanup When the SSSD changes serves (and hence lastUSN) we perform a cleanup as well. However, after recent changes, we didn't set the cleanup timestamp correctly, which made the lastUSN logic fail.

LDAP: Make sdap_id_setup_tasks reusable for subdomains Instead of always performing the setup for the main domain, the setup can now be performed for subdomains as well.

LDAP: Make the cleanup task reusable for subdomains Instead of always performing the cleanup on the main domain, the task now accepts a sdap_domain structure to perform the cleanup on. This change will make the cleanup task reusable for subdomains.

LDAP: Make cleanup synchronous The LDAP cleanup request was asynchronous for no good reason, probably a leftover from the days of async sysdb. This patch makes it sychronous again, removing a lot of uneeded code.

LDAP: Convert enumeration to the ptask API https://fedorahosted.org/sssd/ticket/1942 Identity providers other than LDAP need to customize the enumeration in different ways while sharing the way the task is scheduled etc. The easiest way to accomplish it is to leverage the recently introduced ptask framework.

LDAP: Move the ldap enum request to its own reusable module The LDAP enumeration was too closely tied to the LDAP identity provider. Because some providers might need special handling such as refresh the master domain record before proceeding with the enumeration itself, this patch splits the request itself to a separate async request and lets the ldap_id_enum.c module only configure this new request. Also move the enum timestamp to sdap_domain to make the enum tracking per sdap domain. The cleanup timestamp will be moved in another patch.

AD: Move storing sdap_domain for subdomain to generic LDAP code Makes creating the sdap_domain structure for a subdomain reusable outside AD subdomain code where it was created initially. Subtask of: https://fedorahosted.org/sssd/ticket/1962

providers: refresh expired netgroups https://fedorahosted.org/sssd/ticket/1713

LDAP: split a function to create search bases This function will be used later to fill the sdap_domain structures with search bases.

LDAP: return sdap search return code to ID By default, the LDAP searches delete the entry from cache if it wasn't found during a search. But if a search wants to try both Global Catalog and LDAP, for example, it might be beneficial to have an option to only delete the entry from cache after the last operation fails to prevent unnecessary memberof operations for example.

LDAP: new SDAP domain structure Previously an sdap_id_ctx was always tied to one domain with a single set of search bases. But with the introduction of Global Catalog lookups, primary domain and subdomains might have different search bases. This patch introduces a new structure sdap_domain that contains an sssd domain or subdomain and a set of search bases. With this patch, there is only one sdap_domain that describes the primary domain.

LDAP: Pass in a connection to ID functions Instead of using the default connection from the sdap_id_ctx, allow the caller to specify which connection shall be used for this particular request. Again, no functional change is present in this patch, just another parameter is added.

LDAP: Refactor account info handler into a tevent request The sdap account handler was a function with its own private callback that directly called the back end handlers. This patch refactors the handler into a new tevent request that the current sdap handler calls. This refactoring would allow the caller to specify a custom sdap connection for use by the handler and optionally retry the same request with another connection inside a single per-provider handler. No functional changes are present in this patch.

LDAP: sdap_id_ctx might contain several connections With some LDAP server implementations, one server might provide different "views" of the identites on different ports. One example is the Active Directory Global catalog. The provider would contact different view depending on which operation it is performing and against which SSSD domain. At the same time, these views run on the same server, which means the same server options, enumeration, cleanup or Kerberos service should be used. So instead of using several different failover ports or several instances of sdap_id_ctx, this patch introduces a new "struct sdap_id_conn_ctx" that contains the connection cache to the particular view and an instance of "struct sdap_options" that contains the URI. No functional changes are present in this patch, currently all providers use a single connection. Multiple connections will be used later in the upcoming patches.

Remove unneeded parameter of setup_child and namespace it setup_child() was accepting a parameter it didn't use. Also the function name was too generic, so I added a sdap prefix.

LDAP: Provide a common sdap_set_sasl_options init function The AD and IPA initialization functions shared the same code. This patch moves the code into a common initialization function.

Clean up cache on server reinitialization https://fedorahosted.org/sssd/ticket/734 We successfully detect when the server is reinitialized by testing the new lastUSN value. The maximum USN values are set to zero, but the current cache content remains. This patch removes records that were deleted from the server. It uses the following approach: 1. remove entryUSN attribute from all entries 2. run enumeration 3. remove records that doesn't have entryUSN attribute updated We don't need to do this for sudo rules, they will be refreshed automatically during next smart/full refresh, or when an expired rule is deleted.

Primary server support: LDAP adaptation This patch adds support for the primary server functionality into LDAP provider. No backup servers are added at the moment, just the basic support is in place.

sudo ldap provider: load host filter configuration on init We need to load host information during provider initialization. Currently it loads only values from configuration files, but it is implemented as an asynchrounous request as it will later try to autodetect these settings (which will need to contact DNS).

LDAP: Add helper routine to convert LDAP blob to SID string

LDAP: Enable looking up ID-mapped users by name

Modifications to simplify list_missing_attrs

IPA: Add ipa_parse_search_base() Previously, we were using sdap_parse_search_base() for setting up the search_base objects for use in IPA. However, this was generating unfriendly log messages about unknown search base types. This patch creates a new common_parse_search_base() routine that can be used with either LDAP or IPA providers. https://fedorahosted.org/sssd/ticket/1151

AUTOFS: IPA provider

AUTOFS: LDAP provider

Move BUILD_SUDO outside the generic LDAP source files Avoid #ifdefs in the general part of the code

LDAP: Add support for service lookups (non-enum)

SUDO Integration - periodical update of rules in data provider https://fedorahosted.org/sssd/ticket/1110 Adds new configuration options: - ldap_sudo_refresh_enabled - enable/disable periodical updates - ldap_sudo_refresh_timeout - rules timeout (refresh period)

Pass sdap_id_ctx to online check from IPA provider

SUDO integration - LDAP provider

SUDO Integration - LDAP configuration options

Fix sdap_id_ctx/ipa_id_ctx mismatch in IPA provider This was causing a segfault during HBAC processing and any ID lookups except for netgroups

Modified sdap_parse_search_base()

Renamed some LDAP routines These were renamed just ot make sure they are not mistook for IPA netgroup functions.

LDAP: Add parser for multiple search bases

Make sdap_get_id_specific_filter() more strict

Add helper function msgs2attrs_array This function converts a list of ldb_messages into a list of sysdb_attrs.

Add user and group search LDAP filter options https://fedorahosted.org/sssd/ticket/647

Do not attempt to use START_TLS on SSL connections Not all LDAP servers are capable of handling dual-encryption with both TLS and SSL. https://fedorahosted.org/sssd/ticket/795

Delete attributes that are removed from LDAP Sometimes, a value in LDAP will cease to exist (the classic example being shadowExpire). We need to make sure we purge that value from SSSD's sysdb as well. https://fedorahosted.org/sssd/ticket/750

Remove unused member of a struct

ldap: Use USN entries if available. Otherwise fallback to the default modifyTimestamp indicator

ldap: remove variable that was never assigned nor used

Add ldap_chpass_uri config option

Make string_to_shadowpw_days() public

Add check_online method to LDAP ID provider

Implement netgroup support for LDAP provider

Initialize kerberos service for GSSAPI

Store rootdse supported features in sdap_handler

Remove remainder of now unused global LDAP connection handle.

Use new LDAP connection framework to get group account info from LDAP.

Use new LDAP connection framework to get user account info from LDAP.

LDAP connection usage tracking, sharing and failover retry framework.

Add ldap_access_filter option This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users by in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com

Add offline callback to disconnect global SDAP handle

Use service discovery in backends Integrate the failover improvements with our back ends. The DNS domain used in the SRV query is always the SSSD domain name. Please note that this patch changes the default value of ldap_uri from "ldap://localhost" to "NULL" in order to use service discovery with no server set.

Rename server/ directory to src/ Also update BUILD.txt