LDAP: Rename DP filter value from name to filter_value filter_value is a better name, because we don't look just by name, the same variable is used to look up certificates etc. Reviewed-by: Sumit Bose <sbose@redhat.com>

SDAP: Save user and group aliases qualified When saving users or groups, qualify their names. Otherwise (currently netgroups), store a plain username. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Rename dp_backend.h to backend.h Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SDAP: Make it possible to silence errors from dereference https://fedorahosted.org/sssd/ticket/2791 When a modern IPA client is connected to an old (3.x) IPA server, the attribute dereferenced during the ID views lookup does not exist, which triggers an error during the dereference processing and also a confusing syslog message. This patch suppresses the syslog message. Reviewed-by: Michal Židek <mzidek@redhat.com>

LDAP: Add sdap_lookup_type enum Related: https://fedorahosted.org/sssd/ticket/2553 Change the boolan parameter of sdap_get_users_send and sdap_get_groups_send to a tri-state that controls whether we expect only a single entry (ie don't use the paging control), multiple entries with a search limit (wildcard request) or multiple entries with no limit (enumeration). Reviewed-by: Pavel Březina <pbrezina@redhat.com>

LDAP: Add sdap_get_and_parse_generic_send Related: https://fedorahosted.org/sssd/ticket/2553 So far we had a simple sdap_get_generic_send() request that uses the right defaults around the low-level sdap_get_generic_ext_send() request and calls the parser. This patch adds also sdap_get_and_parse_generic_send() that exposes all options that sdap_get_generic_ext_send() offers but also calls the parser. In this patch the function is not used at all. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

AD GPO: Support processing referrals For GPOs assigned to a site, it's possible that their definition actually exists in another domain. To retrieve this information, we need to follow the referral and perform a base search on another domain controller. Resolves: https://fedorahosted.org/sssd/ticket/2645 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IPA: allow initgroups by UUID for FreeIPA users If a FreeIPA user is searched with the help of an override name the UUID from the override anchor is used to search the user. Currently the initgroups request only allows searches by SID or name. With this patch a UUID can be used as well. Related to https://fedorahosted.org/sssd/ticket/2642 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SDAP: Make password change timeout configurable with ldap_opt_timeout Related: https://fedorahosted.org/sssd/ticket/1501 Reviewed-by: Pavel Reichl <preichl@redhat.com>

SDAP: Make simple bind timeout configurable Resolves: https://fedorahosted.org/sssd/ticket/1501 Reuse the value of sdap_opt_timeout to set a longer bind timeout for user authentication, ID connection authentication and authentication during IPA migration mode. Reviewed-by: Pavel Reichl <preichl@redhat.com>

LDAP/AD: do not resolve group members during tokenGroups request During initgroups requests we try to avoid to resolve the complete member list of groups if possible, e.g. if there are no nested groups. The tokenGroups LDAP lookup return the complete list of memberships for a user hence it is not necessary lookup the other group member and un-roll nested groups. With this patch only the group entry is looked up and saved as incomplete group to the cache. This is achieved by adding a new boolean parameter no_members to groups_get_send() and sdap_get_groups_send(). The difference to config options like ldap_group_nesting_level = 0 or ignore_group_members is that if no_members is set to true groups which are missing in the cache are created a incomplete groups. As a result a request to lookup this group will trigger a new LDAP request to resolve the group completely. This way no information is ignored but the time needed to read all data is better distributed between different requests. https://fedorahosted.org/sssd/ticket/2601 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Add sdap_deref_search_with_filter_send() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

LDAP: If extra_value is 'U' do a UPN search Besides the name the responders always send an extra string attribute to the backends which is so far mostly empty. Since the only difference in the processing of a request for a user name or a user principal name is a different search attribute in the LDAP provider this extra value can be used to indicate the type of the name. Providers which do not support UPN lookup can just ignore this attribute. Related to https://fedorahosted.org/sssd/ticket/1749

Revert "IPA: new attribute map for non-posix groups" This reverts commit 4c560e7b98e7ab71d22be24d2fbc468396cb634f.

IPA: new attribute map for non-posix groups Create new set of attributes to be used when processing non-posix groups. Resolves: https://fedorahosted.org/sssd/ticket/2343 Reviewed-by: Michal Židek <mzidek@redhat.com>

Implemented LDAP component of GPO-based access control Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

LDAP: Detect the presence of POSIX attributes When the schema is set to AD and ID mapping is not used, there is a one-time check ran when searching for users to detect the presence of POSIX attributes in LDAP. If this check fails, the search fails as if no entry was found and returns a special error code. The sdap_server_opts structure is filled every time a client connects to a server so the posix check boolean is reset to false again on connecting to the server. It might be better to move the check to where the rootDSE is retrieved, but the check depends on several features that are not known to the code that retrieves the rootDSE (or the connection code for example) such as what the attribute mappings are or the authentication method that should be used. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

AD: cross-domain membership fix A recent patch directed all call related to group membership lookups to the AD LDAP port to fix an issue related to missing group memberships in the Global Catalog. As a side-effect it broke cross-domain group-memberships because those cannot be resolved by the connection to the LDAP port. The patch tires to fix this by restoring the original behaviour in the top-level lookup calls in the AD provider and switching to the LDAP port only for the LDAP request which is expected to return the full group membership. Additionally this patch contains a related fix for the tokenGroups with Posix attributes patch. The original connection, typically a Global Catalog connection in the AD case is passed down the stack so that the group lookup after the tokenGroups request can run over the same connection.

ad: use tokengroups even when id mapping is disabled https://fedorahosted.org/sssd/ticket/1568

ad: refactor tokengroups initgroups sdap_get_ad_tokengroups_initgroups is split into more parts so it can be reused later.

LDAP: Split out a request to search for a user w/o saving Related: https://fedorahosted.org/sssd/ticket/2077 Certain situations require that a user entry is downloaded for further inpection, but not saved to the sysdb right away. This patch splits the previously monolithic request into one that just downloads the data and one that uses the new one to download and save the user.

LDAP: store FQDNs for trusted users and groups Because the NSS responder expects the name attribute to contain FQDN, we must save the name as FQDN in the LDAP provider if the domain we save to is a subdomain.

LDAP: new SDAP domain structure Previously an sdap_id_ctx was always tied to one domain with a single set of search bases. But with the introduction of Global Catalog lookups, primary domain and subdomains might have different search bases. This patch introduces a new structure sdap_domain that contains an sssd domain or subdomain and a set of search bases. With this patch, there is only one sdap_domain that describes the primary domain.

LDAP: Pass in a connection to ID functions Instead of using the default connection from the sdap_id_ctx, allow the caller to specify which connection shall be used for this particular request. Again, no functional change is present in this patch, just another parameter is added.

sdap: add sdap_connect_host request Create connection to specified LDAP server without using any failover stuff.

Use common error facility instead of sdap_result Simplifies and consolidates error reporting for ldap authentication paths. Adds 3 new error codes: ERR_CHPASS_DENIED - Used when password constraints deny password changes ERR_ACCOUNT_EXPIRED - Account is expired ERR_PASSWORD_EXPIRED - Password is expired

Add domain to sysdb_search_user_by_name() Also remove unused sysdb_search_domuser_by_name()

Change pam data auth tokens. Use the new authtok abstraction and interfaces throught the code.

AD: Optimize initgroups lookups with tokenGroups https://fedorahosted.org/sssd/ticket/1355

LDAP: Add support for AD chain matching extension in initgroups

LDAP: Add support for AD chain matching extension in group lookups

LDAP: Add ldap_*_use_matching_rule_in_chain options

Ghost members - removed sdap_check_aliases() This function is no longer necessary because we don't have fake user entries any more. The original purpose of this function was to check if there are fake user entries for particular user and, if yes, to update its membership.

LDAP: Only use paging control on requests for multiple entries The paging control can cause issues on servers that put limits on how many paging controls can be active at one time (on some servers, it is limited to one per connection). We need to reduce our usage so that we only activate the paging control when making a request that may return an arbitrary number of results. https://fedorahosted.org/sssd/ticket/1202 phase one

Update shadowLastChanged attribute during LDAP password change https://fedorahosted.org/sssd/ticket/1019

LDAP: Add enumeration support for services

LDAP: Add support for service lookups (non-enum)

Use the case sensitivity flag in the LDAP provider

Refactor saving sdap entities There was too much code duplication between sdap_save_{user,group,netgroup}. This patch removes the most egregious ones.

Provide means of forcing TLS and GSSAPI enabled/disabled for sdap connections

Support to request canonicalization in LDAP/IPA provider https://fedorahosted.org/sssd/ticket/957

LDAP: Add support for multiple search bases for group enumeration

LDAP: Add support for multiple search bases for user enumeration

LDAP: Support multiple group search bases (non-enumeration, RFC2307)

LDAP: Support multiple netgroup search bases

LDAP: Support multiple user search bases (non-enumeration)

Store name aliases for users, groups Also checks fake users for aliases when storing a real users so that getgrnam for a RFC2307 group that references a user by his secondary name followed by getpwnam for this user by his primary name works

Allow turning dereference off by setting the threshold to 0

Use ldap_init_fd() instead of ldap_initialize() if available

Generic dereference search A generic wrapper around ASQ and OpenLDAP dereference searches. https://fedorahosted.org/sssd/ticket/635

Add the user's primary group to the initgroups lookup The user may not be a direct member of their primary group, but we still want to make sure that group is cached on the system.

Add timeout parameter to sdap_get_generic_send()

ldap: add checks to determine if USN features are available.

Implement netgroup support for LDAP provider

Initialize kerberos service for GSSAPI

Store rootdse supported features in sdap_handler

LDAP connection usage tracking, sharing and failover retry framework.

GSSAPI ticket expiry time is returned from ldap_child and stored in sdap_handle for future reference.

Add ldap_krb5_ticket_lifetime option

Improvements for LDAP Password Policy support Display warnings about remaining grace logins and password expiration to the user, when LDAP Password Policies are used. Improved detection if LDAP Password policies are supported by LDAP Server.

Rename server/ directory to src/ Also update BUILD.txt