Remove double semicolon at the end of line Reviewed-by: Pavel Březina <pbrezina@redhat.com>

LDAP: Return partial results from adminlimit exceeded Resolves: https://fedorahosted.org/sssd/ticket/3185 Since commit c420ce830ac0b0b288a2a887ec2cfce5c748018c we try to move to the next server on any error on the connection, which in case there is only one server sends SSSD offline. It's more graceful to try to process the results, same as we already do with sizelimit exceeded. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SDAP: Fix settig paging attribute in sdap_get_generic_ext_send We should set pagging flag in state and not in local variable which is not read anywhere in the function. Found by clang static analyzer. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

LDAP: Changing of confusing debug message This debug message used to confuse our customer. So this patch changes it. Resolves: https://fedorahosted.org/sssd/ticket/3091 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

LDAP: Decorate the hot paths in the LDAP provider with systemtap probes During performance analysis, the LDAP provider and especially its nested group code proved to be the place where we spend the most time during account requests. Therefore, I decorated the LDAP provider with systemtap probes to be able to observe where the time is spent. The code allows passing of search properties (base, filter, ...) from marks to probes. Where applicable, the probes pass on these arguments to functions and build a human-readable string representation. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

LDAP: Print port in sdap_print_server Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SDAP: Make it possible to silence errors from dereference https://fedorahosted.org/sssd/ticket/2791 When a modern IPA client is connected to an old (3.x) IPA server, the attribute dereferenced during the ID views lookup does not exist, which triggers an error during the dereference processing and also a confusing syslog message. This patch suppresses the syslog message. Reviewed-by: Michal Židek <mzidek@redhat.com>

SDAP: do not fail if refs are found but not processed It is possible to end up with not-processed referrals when using AD provider and ldap_referrals=true. Resolves: https://fedorahosted.org/sssd/ticket/2906 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

DEBUG: Add missing new lines Reviewed-by: Petr Cech <pcech@redhat.com>

SDAP: pass params in sdap_get_and_parse_generic_send Previously some arguments passed to sdap_get_and_parse_generic_send() were ignored. This patch fixes that and passes 'attronly', 'serverctrls' and 'clientctrls' to sdap_get_generic_ext_send(). Reviewed-by: Sumit Bose <sbose@redhat.com>

SDAP: change type of attrsonly in sdap_get_generic_ext_state 'attrsonly' parameter is directly passed to ldap_search_ext() and is describe as: The attrsonly parameter should be set to a non-zero value if only attribute descriptions are wanted. It should be set to zero (0) if both attributes descriptions and attribute values are wanted. Boolean type should be fine for the 'attrsonly' parameter especially since the actual parameter was already set to false in function calls. Reviewed-by: Sumit Bose <sbose@redhat.com>

SDAP: allow_paging in sdap_get_generic_ext_send() Make allow_paging parameter a part of the flag parameter in sdap_get_generic_ext_send(). Reviewed-by: Sumit Bose <sbose@redhat.com>

SDAP: optional warning - sizelimit exceeded in POSIX check Add new parameter 'flags' to sdap_get_generic_ext_send_ext() which can be set to suppress warning about 'sizelimit exceeded'. Resolves: https://fedorahosted.org/sssd/ticket/2804 Reviewed-by: Sumit Bose <sbose@redhat.com>

SDAP: Relax POSIX check Relax the check on UID or GID just to check if at least one of them is present but do not require them to be positive numbers. Add requirement on objectclass attributes to be user or group to make check more reliable. Resolves: https://fedorahosted.org/sssd/ticket/2800

sdap_async: Use specific errmsg when available Ticket: https://fedorahosted.org/sssd/ticket/2762 Use specific errmsg when ldap returns LDAP_CONSTRAINT_VIOLATION code if that specific message is available. Reviewed-by: Pavel Reichl <preichl@redhat.com>

LDAP: Add sdap_get_and_parse_generic_send Related: https://fedorahosted.org/sssd/ticket/2553 So far we had a simple sdap_get_generic_send() request that uses the right defaults around the low-level sdap_get_generic_ext_send() request and calls the parser. This patch adds also sdap_get_and_parse_generic_send() that exposes all options that sdap_get_generic_ext_send() offers but also calls the parser. In this patch the function is not used at all. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

SDAP: Check return value before using output arguments ==18139== Conditional jump or move depends on uninitialised value(s) ==18139== at 0x14400F1B: generic_ext_search_handler.isra.3 (sdap_async.c:1626) ==18139== by 0x879D7E3: tevent_common_loop_immediate (tevent_immediate.c:135) ==18139== by 0x87A20CD: epoll_event_loop_once (tevent_epoll.c:907) ==18139== by 0x87A07D6: std_event_loop_once (tevent_standard.c:114) ==18139== by 0x879CFBC: _tevent_loop_once (tevent.c:530) ==18139== by 0x879D15A: tevent_common_loop_wait (tevent.c:634) ==18139== by 0x87A0776: std_event_loop_wait (tevent_standard.c:140) ==18139== by 0x5293862: server_loop (server.c:668) ==18139== by 0x10EA41: main (data_provider_be.c:2909 Related tickets: https://fedorahosted.org/sssd/ticket/2645 https://fedorahosted.org/sssd/ticket/2662 Reviewed-by: Pavel Reichl <preichl@redhat.com>

AD GPO: Support processing referrals For GPOs assigned to a site, it's possible that their definition actually exists in another domain. To retrieve this information, we need to follow the referral and perform a base search on another domain controller. Resolves: https://fedorahosted.org/sssd/ticket/2645 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

LDAP: Support returning referral information Some callers may be interested in the raw referral values returned from a lookup. This patch allows interested consumers to get these referrals back and process them if they wish. It does not implement a generic automatic following of referrals. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SDAP: Decorate the sdap_op functions with DEBUG messages Reviewed-by: Pavel Reichl <preichl@redhat.com>

SDAP: Make password change timeout configurable with ldap_opt_timeout Related: https://fedorahosted.org/sssd/ticket/1501 Reviewed-by: Pavel Reichl <preichl@redhat.com>

Add missing new lines to debug messages Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sdap_print_server: use getpeername() to get server address Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Add sdap_deref_search_with_filter_send() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

LDAP: Do not require a dereference control to be retuned in a reply When we attempt to request attributes that are not present in the dereferenced links, some serves might not send the dereference control back at all. Be permissive and treat the search as if it didn't find anything. Reviewed-by: Pavel Reichl <preichl@redhat.com>

LDAP: Skip dereferenced entries that we are not permitted to read https://fedorahosted.org/sssd/ticket/2421 In case we dereference an entry, for which we have /some/ permissions for reading, but we only request attributes that we can't access, the dereference control only returns the DN. This is also the case with the current version of 389DS for cases where no entries at all are readable. In this case, the server should not return the DN at all, though. This DS bug was tracked as https://fedorahosted.org/389/ticket/47885 Reviewed-by: Michal Židek <mzidek@redhat.com>

LDAP: Don't reuse a single tevent callback for multiple requests Several requests (deref, ASQ and SD) were using the same tevent callback. This worked fine for quite some time, because the callback only used the tevent_req variables. However, a recent patch changed the shared sdap_get_generic_done so that it also longer uses the 'state' variable. At that point, all requsts that re-used the sdap_get_generic_done request started failing becaus the type of the state variable was different. This patch makes sure the callbacks only manipulate their own data types. Moreover, sdap_get_generic_ext_done() was renamed because it's not really a tevent callback. Reviewed-by: Michal Židek <mzidek@redhat.com>

LDAP: Ignore returned referrals if referral support is disabled Reviewed-by: Pavel Reichl <preichl@redhat.com>

Revert "SDAP: Deref needn't be treated as critical" This reverts commit fc8d98c9f0bb26de7be732c3e542b85c8abdba53. The reason why the control was marked critical is that we expect to get it back on reply, or it should fail. We should rather leave the criticality bit and handle the error (by downgrading to not use deref controls) if the server fails. In other words, we should not workaround bugs in any LDAP server. If server claim it support deref control, it should work with critical flag. sh-4.2$ ldapsearch -LLL -h 172.17.0.9 -x -b "" -s base supportedControl dn: supportedControl: 1.3.6.1.4.1.4203.666.5.16 supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 1.3.6.1.4.1.4203.1.10.1 supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.826.0.1.3344810.2.3 supportedControl: 1.3.6.1.1.13.2 supportedControl: 1.3.6.1.1.13.1 supportedControl: 1.3.6.1.1.12 sh-4.2$ grep "1.3.6.1.4.1.4203.666.5.16" /usr/include/ldap.h #define LDAP_CONTROL_X_DEREF "1.3.6.1.4.1.4203.666.5.16" sh-4.2$ ldapsearch -x -LLL -h 172.17.0.9 -b 'dc=example,dc=com' \ -E '!deref=member:cn,uid' \ cn=ref_grp1 cn,uid Critical extension is unavailable (12) Additional information: critical control unavailable in context Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SDAP: Deref needn't be treated as critical The command line utility ldapsearch does not set option LDAP_CONTROL_X_DEREF as critical. sssd performes similar ldap search as following command: sh-4.2$ ldapsearch -x -LLL -h 172.17.0.7 \ -b 'cn=ref_grp1,ou=qagroup,dc=example,dc=com' -E '!deref=member:objectClass,cn,userPassword,gidNumber,member,modifyTimestamp,modifyTimestamp,uid' \ objectClass,cn,userPassword,gidNumber,member,modifyTimestamp,modifyTimestamp,uid Critical extension is unavailable (12) Additional information: critical control unavailable in context The most important is "exclamation mark" before extensions. It indicates criticality. This caused problem when openldap server was older openldap-2.4.23-34.el6. Dereference is performed successfully if extension is not critical: -E 'deref=member:objectClass ... Resolves: https://fedorahosted.org/sssd/ticket/2383 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

LDAP: Dump LDAP server IP address with a high DEBUG level Reviewed-by: Pavel Březina <pbrezina@redhat.com>

LDAP: Print referrals for debugging purposes Reviewed-by: Pavel Březina <pbrezina@redhat.com>

SDAP: remove duplicated code Body of functions sdap_x_deref_search_done(), sdap_asq_search_done(), sdap_sd_search_done and sdap_get_generic_done() are the same. Remove code duplication by calling sdap_get_generic_done() from sdap_x_deref_search_done(), sdap_sd_search_done and from sdap_asq_search_done() instead of having two more duplicate implementations. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

LDAP: Remove unused output parameter _dn from sdap_parse_entry No caller directly accessed this parameter. Moreover, it seemed useless since the same data is available as SYSDB_ORIGINAL_DN in the attributes. Reviewed-by: Michal Židek <mzidek@redhat.com>

Implemented LDAP component of GPO-based access control Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sdap: move non async functions from sdap_async.c to sdap_utils.c Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Update DEBUG* invocations to use new levels Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead: grep -rl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e 'use strict; use File::Slurp; my @map=qw" SSSDBG_FATAL_FAILURE SSSDBG_CRIT_FAILURE SSSDBG_OP_FAILURE SSSDBG_MINOR_FAILURE SSSDBG_CONF_SETTINGS SSSDBG_FUNC_DATA SSSDBG_TRACE_FUNC SSSDBG_TRACE_LIBS SSSDBG_TRACE_INTERNAL SSSDBG_TRACE_ALL "; my $text=read_file(\*STDIN); my $repl; $text=~s/ ^ ( .* \b (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM) \s* \(\s* )( [0-9] )( \s*, ) ( \s* ) ( .* ) $ / $repl = $1.$map[$3].$4.$5.$6, length($repl) <= 80 ? $repl : $1.$map[$3].$4."\n".(" " x length($1)).$6 /xmge; print $text; ' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

LDAP: Detect the presence of POSIX attributes When the schema is set to AD and ID mapping is not used, there is a one-time check ran when searching for users to detect the presence of POSIX attributes in LDAP. If this check fails, the search fails as if no entry was found and returns a special error code. The sdap_server_opts structure is filled every time a client connects to a server so the posix check boolean is reset to false again on connecting to the server. It might be better to move the check to where the rootDSE is retrieved, but the check depends on several features that are not known to the code that retrieves the rootDSE (or the connection code for example) such as what the attribute mappings are or the authentication method that should be used. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

LDAP: Add a new error code for malformed access control filter https://fedorahosted.org/sssd/ticket/2164 The patch adds a new error code and special cases the new code so that access is denied and a nicer log message is shown.

Use sysdb_attrs_add_lc_name_alias to add case-insensitive alias

sdap_get_generic_ext_send: check if we a re still connected At the beginning of a LDAP request we check if we are connecte and have a valid sdap handle. But for some requests more than one LDAP operation, typically a search, is needed. Due to the asynchronous handling of LDAP request it might be possible that a second request might detect a server error and close the connection while the first request just finished one LDAP search and wants to start a new LDAP search. This patch tries to make sure that there is a valid sdap handle before sending a LDAP search to the server. Fixes https://fedorahosted.org/sssd/ticket/2126

Fix formating of variables with ber_ type

print hint about password complexity when new password is rejected https://fedorahosted.org/sssd/ticket/1827

LDAP: store FQDNs for trusted users and groups Because the NSS responder expects the name attribute to contain FQDN, we must save the name as FQDN in the LDAP provider if the domain we save to is a subdomain.

Prevent segfault while processing ASQ request https://fedorahosted.org/sssd/ticket/1950

Adding option to disable retrieving large AD groups. This commit adds new option ldap_disable_range_retrieval with default value FALSE. If this option is enabled, large groups(>1500) will not be retrieved and behaviour will be similar like was before commit ae8d047122c "LDAP: Handle very large Active Directory groups" https://fedorahosted.org/sssd/ticket/1823

Fixing critical format string issues. --missing arguments. --format '%s', but argument is integer. --wrong format string, examle: '%\n'

LDAP: If deref search fails, try again without deref https://fedorahosted.org/sssd/ticket/1660

Use common error facility instead of sdap_result Simplifies and consolidates error reporting for ldap authentication paths. Adds 3 new error codes: ERR_CHPASS_DENIED - Used when password constraints deny password changes ERR_ACCOUNT_EXPIRED - Account is expired ERR_PASSWORD_EXPIRED - Password is expired

sysdb: try dealing with binary-content attributes https://fedorahosted.org/sssd/ticket/1818 I have here a LDAP user entry which has this attribute loginAllowedTimeMap:: AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA In the function sysdb_attrs_add_string(), called from sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is the wrong thing to do. The result of strlen is then used to populate the .v_length member of a struct ldb_val - and this will set it to zero in this case. (There is also the problem that there may not be a '\0' at all in the blob.) Subsequently, .v_length being 0 makes ldb_modify(), called from sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End result is that users do not get stored in the sysdb, and programs like `id` or `getent ...` show incomplete information. The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave fine, but that may not mean that is the absolute lower boundary of introduction of the problem.

Change pam data auth tokens. Use the new authtok abstraction and interfaces throught the code.

AD: Detect domain controller compatibility version

Fixed wrong number in shadowLastChange The attribute is supposed to contain number of days since the epoch, not the number of seconds.

LDAP: Auto-detect support for the ldap match rule This patch extends the RootDSE lookup so that we will perform a second request to test whether the match rule syntax can be used. If both groups and initgroups are disabled in the configuration, this lookup request can be skipped.

Ghost members - removed sdap_check_aliases() This function is no longer necessary because we don't have fake user entries any more. The original purpose of this function was to check if there are fake user entries for particular user and, if yes, to update its membership.

Warn to syslog when dereference requests fail

LDAP: Handle very large Active Directory groups Active Directory 2008R2 allows only 1500 group members to be retrieved in a single lookup. However, when we hit such a situation, we can take advantage of the ASQ lookups, which are not similarly limited. With this patch, we will add any members found by ASQ that were not found by the initial lookup so we will end with a complete group listing. https://fedorahosted.org/sssd/ticket/783

Special-case LDAP_SIZELIMIT_EXCEEDED Previous version of the SSSD did not abort the async LDAP search operation on errors. In cases where the request ended in progress, such as when the paging was very strictly limited, the old versions at least returned partial data. This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a user-visible regression. https://fedorahosted.org/sssd/ticket/1322

Read sysdb attribute name, not LDAP attribute map name https://fedorahosted.org/sssd/ticket/1320

sdap_check_aliases must not error when detects the same user https://fedorahosted.org/sssd/ticket/1307

Prevent printing NULL from DEBUG messages

LDAP: Add better error logging when ldap_result() fails

LDAP: Only use paging control on requests for multiple entries The paging control can cause issues on servers that put limits on how many paging controls can be active at one time (on some servers, it is limited to one per connection). We need to reduce our usage so that we only activate the paging control when making a request that may return an arbitrary number of results. https://fedorahosted.org/sssd/ticket/1202 phase one

End request if ldap_parse_result fails

Update shadowLastChanged attribute during LDAP password change https://fedorahosted.org/sssd/ticket/1019

LDAP: Add option to disable paging control Fixes https://fedorahosted.org/sssd/ticket/967

Use the case sensitivity flag in the LDAP provider

Refactor saving sdap entities There was too much code duplication between sdap_save_{user,group,netgroup}. This patch removes the most egregious ones.

Cleanup: Remove unused parameters

Prevent printing NULL in several places of LDAP provider

Remove confusing do-while loop The deref processing would return a single control back. The do-while loop was harmless but confusing.

Use LDAPDerefSpec properly ldap_create_deref_control_value expects an array of LDAPDerefSpec structures with LDAPDerefSpec.derefAttr == NULL as a sentinel. We were passing a single instance of a LDAPDerefSpec structure. https://fedorahosted.org/sssd/ticket/1050

Store name aliases for users, groups Also checks fake users for aliases when storing a real users so that getgrnam for a RFC2307 group that references a user by his secondary name followed by getpwnam for this user by his primary name works

Keep deref controls until the whole request is finished https://fedorahosted.org/sssd/ticket/989 John Hodrien found out that when paging is used while dereferencing an entry, sssd_be may segfault on the second page. This was because paging returned the control to sdap_generic_search multiple times but sssd was freeing dereference control after the first search invocation. The subsequend sdap searched accessed memory that was already freed.

Improve error message for LDAP password constraint violation https://fedorahosted.org/sssd/ticket/985

Allow turning dereference off by setting the threshold to 0

sss_ldap_err2string() - ldap_err2string() to sss_ldap_err2string() https://fedorahosted.org/sssd/ticket/986

New DEBUG facility - conversion https://fedorahosted.org/sssd/ticket/925 Conversion of the old debug_level format to the new one. (only where it was necessary) Removed: SSS_DEFAULT_DEBUG_LEVEL (completely replaced with SSSDBG_DEFAULT)

Fix uninitialized pointer read in sdap_x_deref_parse_entry https://fedorahosted.org/sssd/ticket/877

Fix bad comparison in sdap_has_deref_support https://fedorahosted.org/sssd/ticket/876

Generic dereference search A generic wrapper around ASQ and OpenLDAP dereference searches. https://fedorahosted.org/sssd/ticket/635

OpenLDAP dereference searches This dereference method is supported at least by OpenLDAP and 389DS/RHDS For more details, see: http://tools.ietf.org/html/draft-masarati-ldap-deref-00

Add support for Attribute Scoped Queries For more details on ASQ, see: http://msdn.microsoft.com/en-us/library/aa366976%28VS.85%29.aspx http://msdn.microsoft.com/en-us/library/aa746418%28v=VS.85%29.aspx

Generic dereference data structures and utilities These will be shared by both dereference methods in a later patch.

sdap_get_generic_ext Add a private sdap_get_generic_ext_send()/_recv() request that exposes more of ldap_search_ext options, in particular the server contols. The existing sdap_generic_search_send()/_recv() request is now a thin wrapper around the new _ext request. The other important change is that an entry parsing is a callback now. That was done in order to allow custom parsing for results such as OpenLDAP deref or Attribute Scoped Queries.

Do not leak LDAP paging controls

Add ldap_page_size configuration option

Enable paging support for LDAP

Log the LDAP message type we're processing

Don't pass NULL to printf for TLS errors https://fedorahosted.org/sssd/ticket/643

Release handle if not connected

Add timeout parameter to sdap_get_generic_send()

ldap: add checks to determine if USN features are available.

Review comments for namingContexts patches

Use (default)namingContext to set empty search bases

Add defaultNamingContext to RootDSE attributes

Add some missing ldap_memfree()

Check if control is supported before using it.

Revert "Make ldap bind asynchronous" This reverts 56d8d19ac9d857580a233d8264e851883b883c67

Make ldap bind asynchronous Every ldap function that could possibly create a new connection is now wrapped in a tevent_req. If the connection is created, we will call the function again after the socket is ready for writing.

Properly handle errors from a password change operation

Log TLS errors to syslog Also adds support for detecting LDAPS errors by adding a check for SDAP_DIAGNOSTIC_MESSAGE after ldap_search_ext()

Remove remainder of now unused global LDAP connection handle.

Make RootDSE optional In violation of the standard, some LDAP servers control access to the RootDSE, thus preventing us from being able to read it before performing a bind. This patch will allow us to continue on if the RootDSE was inaccessible. All of the places that we use the return value of the RootDSE after this are already checked for NULL and use sane defaults if the RootDSE is unavailable

Add explicit requests for several operational attrs Operational attributes are not returned in searched requests unless explicitly requested according to RFC 4512 section 5.1. Therefore to get several standard attributes of root DSE we have to request for them. The requested attrs are: - altServer - namingContexts - supportedControl - supportedExtension - supportedFeatures - supportedLDAPVersion - supportedSASLMechanisms Signed-off-by: Alexander Gordeev <lasaine@lvk.cs.msu.su>

Use all available servers in LDAP provider

Avoid freeing sdap_handle too early Prevent freeing the sdap_handle by failing in the destructor if we are trying to recurse.

Make the handling of fd events opaque Depending on the version of the OpenLDAP libraries we use two different schemes to find the file descriptor of the connection to the LDAP server. This patch removes the related ifdefs from the main code and introduces helper functions which can handle the specific cases.

Lower debug level of unexpected LDAP result codes

Rename server/ directory to src/ Also update BUILD.txt