24d8c85fae253f988165c112af208198cf48eef6 |
|
03-Nov-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Augment sysdb_try_to_find_expected_dn to match search base as well
In cases where the domain name in sssd.conf does not match the AD
domain, our previous matching process wouldn't match. This patch
augments the matching as follows:
- the search base is known to sysdb_try_to_find_expected_dn and is
expected to be non-NULL
- the existing matching is run first
- during the search base matching, all the non-DC components are
stripped from the search base to 'canonicalize' the search base
- if there is only a single entry that matches with a non-DC DN component
(matching with a DC component would mean the DN comes from a
different domain) then this entry is a match and is returned
Resolves:
https://fedorahosted.org/sssd/ticket/3199
Reviewed-by: Sumit Bose <sbose@redhat.com> |
25699846bd1c9f8bb513b6271eb4366ab682fbd2 |
|
31-Oct-2016 |
Sumit Bose <sbose@redhat.com> |
LDAP/AD: resolve domain local groups for remote users
If a user from a trusted domain in the same forest is a direct or
indirect member of domain local groups from the local domain those
memberships must be resolved as well. Since those domain local groups
are not valid in the trusted domain a DC from the trusted domain which
is used to look up the user data is not aware of them. As a consequence
those memberships must be resolved against a local DC in a second step.
Resolves https://fedorahosted.org/sssd/ticket/3206
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
49d3f0a487d55571b2bdc9d3f8280b304b964b9d |
|
31-Oct-2016 |
Sumit Bose <sbose@redhat.com> |
sdap: make some nested group related calls public
sdap_nested_groups_store() and rfc2307bis_nested_groups_send/recv() will
be reused for domain local group lookups.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
3dd4c3eca80e9223a65f3318821bd0fb5b45aedd |
|
31-Oct-2016 |
Sumit Bose <sbose@redhat.com> |
sysdb: add parent_dom to sysdb_get_direct_parents()
Currently sysdb_get_direct_parents() only returns direct parents from the
same domain as the child object. In setups with sub-domains this might
not be sufficient. A new option parent_dom is added which allows specifying
a domain the direct parents should be looked up in. If it is
NULL the whole cache is searched.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b9941359b3181c42f415530d5ccad0f4664d85fa |
|
21-Sep-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
Remove double semicolon at the end of line
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
5bd3bef4a655fdfacd2f5df8a2343fe7bc68a771 |
|
01-Sep-2016 |
Sumit Bose <sbose@redhat.com> |
sdap_initgr_nested_get_membership_diff: use fully-qualified names
I think this is a leftover from the change to use fully-qualified names
in sysdb. To verify this you can create a nested group in IPA. Without
this patch the id command will only show the groups the user is a direct
member of. With the patch the indirect groups memberships should be
shown as well.
https://fedorahosted.org/sssd/ticket/3163
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
6a89b38c032593ed705e679c23e6a4efce9f3def |
|
04-Aug-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Use FQDN when linking parent LDAP groups
Resolves:
https://fedorahosted.org/sssd/ticket/3093
Because we compare the list of LDAP names with the list of sysdb names,
we need to qualify the list of LDAP names before running the diff.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
64175969779e51c00a78397746d4fec7ce7033a4 |
|
02-Aug-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Fix storing initgroups for users with no supplementary groups
If there are no supplementary groups, we tried to qualify a NULL pointer
to an array which resulted in an error.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
50a7a92f92e1584702bf25e61a50cb1c09c7e260 |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
SDAP: add enterprise principal strings for user searches
Unfortunately principal aliases with an alternative realm are stored in
IPA as the string representation of an enterprise principal, i.e.
name\@alt.realm@IPA.REALM. To be able to look up the alternative
principal in LDAP properly the UPN search filter is extended to search
for this type of name as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ba9ebfc49ab3bacb96213c8620411128c09f39da |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
LDAP: include email in UPN searches
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
aa8ec3758d885d6ae4088174369d30f8493ec898 |
|
15-Jul-2016 |
Michal Židek <mzidek@redhat.com> |
sdap: Fix ldap_rfc_2307_fallback_to_local_users
We wrongly tried to store empty user attributes instead of the local user
attributes with ldap_rfc_2307_fallback_to_local_users set to true. This
gave us bad initgroups results and caused segfaults.
Resolves:
https://fedorahosted.org/sssd/ticket/3045
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
c88b63b2dd82f7111abc00d93fa8db2707487572 |
|
07-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
fix some 'might be used uninitialized' warnings
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
73ead5bb50130663668ded57822d9850b2dc2fff |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Use fqdns during nested RFC2307 initgroups
All user and group names are already qualified at this point, so let's
remove the special case that stored users from trusted domains
qualified.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
c03214d427ea43e7bf8255ccc79faa905c89f7f6 |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: make it clear that sdap_add_incomplete_groups operates on sysdb names
Just provides a more descriptive name of a function parameter.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
3931c6612fae5ad32ad81a59f77d77c2d896ebe1 |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Add a utility function to return a list of qualified names
Adds a utility function the LDAP provider can use. This is different
from sss_create_internal_fqname_list in the sense that the LDAP provider
passes in the attribute name that contains the name attribute value.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
c4eb21582937362e09aa34e6a18b7f33815d4940 |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Use shortname for LDAP queries
When looking up users or groups by name, we need to use the plain
username in the filter. The domain is typically signified by the search
base.
When looking up by UPN, we can keep using the raw value from the DP.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
9b29f86df7a29249ef8f485eedb8db515381c0de |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Rename DP filter value from name to filter_value
filter_value is a better name, because we don't look just by name, the
same variable is used to look up certificates etc.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
e0243c7f3638c819051b7235097a0bb2d06374fb |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Search functions don't need to construct per-domain names
The names are all internally qualified already, no need to distinguish
between subdomain users and main domain users.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
5ff7a765434ed0b4d37564ade26d7761d06f81c3 |
|
01-Mar-2016 |
Sumit Bose <sbose@redhat.com> |
sdap: improve filtering of multiple results in GC lookups
The Global Catalog of AD contains some information about all users and
groups in an AD forest. Users from different domains in the forest can
have the same name. The most obvious example is the Administrator user
which is present in all domains. Although SSSD uses a domain specific
search base for looking up users in the GC the search might still return
multiple results if there is a user with the same name in one of the
child (or grand-child ...) domains because of the hierarchical nature of
the LDAP tree. Limiting the search depth would not help because users
can be created in deeply nested OUs.
Currently SSSD expects in this case that the user object is stored in
CN=Users or below. This works for all default users like Administrator
but in general users can be created anywhere in the directory tree. If a
user is created outside of CN=Users and there is a user with the same
name in a child domain the initgroups command to look up the
group-memberships of the user fails because it is not clear which of the
two results should be used (initgroups for the child domain user works
fine).
This patch adds an additional scheme to select the right result based on
the domain component attribute name 'dc'. This attribute indicates an
additional component in the domain name and hence a child domain. So as
long as the result contains a dc component following our search base it
cannot be the object we are looking for. This scheme includes the old
CN=Users based one but since it is more expensive I kept the old scheme
which so far worked all the time and only use the new one if the old one
fails.
Resolves https://fedorahosted.org/sssd/ticket/2961
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
92ec40e6aa25f75903ffdb166a8ec56b67bfd77d |
|
19-Jan-2016 |
Pavel Březina <pbrezina@redhat.com> |
SDAP: rename sdap_get_id_specific_filter
A more generic name is used now since it is not used only for id
filters. Probably all references will be deleted when the code
uses sdap_search_in_bases instead of custom search base iterators.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
e182d98a391b5f6d3562e442748254cdbcef0b81 |
|
27-Nov-2015 |
Sumit Bose <sbose@redhat.com> |
initgr: only search for primary group if it is not already cached
Related to https://fedorahosted.org/sssd/ticket/2868
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
8b789d6f0a39cd497d1115203db2f1f8dc195456 |
|
12-Oct-2015 |
Pavel Reichl <preichl@redhat.com> |
LDAP: remove unused param. in sdap_fallback_local_user
Remove unused sdap_options parameter.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
56e88cd5f3501566778b138e4934ee8e7f3fa674 |
|
14-Jun-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
SDAP: Log failure from sysdb_handle_original_uuid
Reviewed-by: Michal Židek <mzidek@redhat.com> |
dca741129d221558a4325479aefc617240f1ab08 |
|
22-May-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
SDAP: Remove unnecessary argument from sdap_save_user
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
0f9c28eb52d2b45c8a97f709308dc11377831b8c |
|
06-May-2015 |
Sumit Bose <sbose@redhat.com> |
IPA: allow initgroups by UUID for FreeIPA users
If a FreeIPA user is searched with the help of an override name the UUID
from the override anchor is used to search the user. Currently the
initgroups request only allows searches by SID or name. With this patch
a UUID can be used as well.
Related to https://fedorahosted.org/sssd/ticket/2642
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f70a1adbfc30b9acc302027439fb8157e0c6ea2a |
|
29-Apr-2015 |
Sumit Bose <sbose@redhat.com> |
IPA: allow initgroups by SID for AD users
If a user from a trusted AD domain is search with the help of an
override name the SID from the override anchor is used to search the
user in AD. Currently the initgroups request only allows searches by
name. With this patch a SID can be used as well.
Resolves https://fedorahosted.org/sssd/ticket/2632
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b9fbeb75e7a4f50f98d979a70a710f9221892483 |
|
14-Apr-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
SDAP: Filter ad groups in initgroups
Function sdap_add_incomplete_groups stored domain local groups
from subdomain as POSIX group, which should not be done.
Resolves:
https://fedorahosted.org/sssd/ticket/2614
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
1d93029624d708119bbf803e6647a2cbb271f001 |
|
20-Mar-2015 |
Sumit Bose <sbose@redhat.com> |
sdap: properly handle binary objectGuid attribute
Although in the initial processing SSSD treats the binary value right at
some point it mainly assumes that it is a string. Depending on the value
this might end up with the correct binary value stored in the cache but
in most cases there will be only a broken entry in the cache.
This patch converts the binary value into a string representation which
is described in [MS-DTYP] and stores the result in the cache.
Resolves https://fedorahosted.org/sssd/ticket/2588
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 |
|
17-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Add missing new lines to debug messages
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
d81d8d3dc151ebc95cd0e3f3b14c1cdaa48980f1 |
|
17-Mar-2015 |
Sumit Bose <sbose@redhat.com> |
LDAP/AD: do not resolve group members during tokenGroups request
During initgroups requests we try to avoid resolving the complete
member list of groups if possible, e.g. if there are no nested groups.
The tokenGroups LDAP lookup returns the complete list of memberships for
a user hence it is not necessary to look up the other group members and
un-roll nested groups. With this patch only the group entry is looked up
and saved as incomplete group to the cache.
This is achieved by adding a new boolean parameter no_members to
groups_get_send() and sdap_get_groups_send(). The difference to config
options like ldap_group_nesting_level = 0 or ignore_group_members is
that if no_members is set to true groups which are missing in the cache
are created as incomplete groups. As a result a request to look up this
group will trigger a new LDAP request to resolve the group completely.
This way no information is ignored but the time needed to read all data
is better distributed between different requests.
https://fedorahosted.org/sssd/ticket/2601
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
108db0e3b9e06e530364ef8228634f5e3f6bd3b5 |
|
30-Jan-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Add UUID when saving incomplete groups
Related to:
https://fedorahosted.org/sssd/ticket/2571
Reviewed-by: Sumit Bose <sbose@redhat.com> |
7ba70236daccb48432350147d0560b3302518cee |
|
15-Sep-2014 |
Michal Zidek <mzidek@redhat.com> |
Use the alternative objectclass in group maps.
Use the alternative group objectclass in queries.
Fixes:
https://fedorahosted.org/sssd/ticket/2436
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
981bf55532fbec91a106f82d7daf32094c76dfe0 |
|
08-Sep-2014 |
Pavel Reichl <preichl@redhat.com> |
AD: process non-posix nested groups w/o tokenGroups
When initgr is performed for AD not supporting tokenGroups, do not
filter out groups without gid attribute or with gid equal to zero.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com> |
bc8c93ffe881271043492c938c626a9be948000e |
|
08-Sep-2014 |
Pavel Reichl <preichl@redhat.com> |
IPA: process non-posix nested groups
Do not expect objectClass to be posixGroup but rather more general
groupofnames.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com> |
25a387c2e90c74b27a26ea207503df8e4b6a1a76 |
|
01-Sep-2014 |
Sumit Bose <sbose@redhat.com> |
LDAP: If extra_value is 'U' do a UPN search
Besides the name the responders always send an extra string attribute to
the backends which is so far mostly empty. Since the only difference in
the processing of a request for a user name or a user principal name is
a different search attribute in the LDAP provider this extra value can
be used to indicate the type of the name. Providers which do not support
UPN lookup can just ignore this attribute.
Related to https://fedorahosted.org/sssd/ticket/1749 |
5c2f2023696d1ff79c3c5d94b89e7ef9cd4159e9 |
|
01-Sep-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Enable tokenGroups with Windows Server 2003
According to Microsoft documentation, the tokenGroups attribute is
available since Windows 2000:
http://msdn.microsoft.com/en-us/library/cc220937.aspx
We were not able to test against Windows 2000, though, as we don't have
that OS around, so this patch only changes the compatibility level to
2003.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
a75266b247510719f7879f876809a1b03c31a3de |
|
19-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
Revert "IPA: process non-posix nested groups"
This reverts commit 5197ac634572a2e0f8c7cacad68d5e5336064744. |
ac67376a47ed52374641e7a4f6fd97712fe5171b |
|
19-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
Revert "IPA: new attribute map for non-posix groups"
This reverts commit 4c560e7b98e7ab71d22be24d2fbc468396cb634f. |
5197ac634572a2e0f8c7cacad68d5e5336064744 |
|
19-Aug-2014 |
Pavel Reichl <preichl@redhat.com> |
IPA: process non-posix nested groups
If an object can't be resolved as a posix group we then try to resolve
it as a non-posix (without the gid attribute) nested group and store it as a
group stub into the sysdb.
The purpose is to be able to resolve nested posix groups which are
members of non-posix groups.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com> |
4c560e7b98e7ab71d22be24d2fbc468396cb634f |
|
19-Aug-2014 |
Pavel Reichl <preichl@redhat.com> |
IPA: new attribute map for non-posix groups
Create new set of attributes to be used when processing non-posix groups.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com> |
52bd4998195dd6d42db92d963522206f2a63f6a5 |
|
24-Jul-2014 |
Pavel Reichl <preichl@redhat.com> |
SDAP: fix use after free in async_initgroups
Request is freed if creation of subrequest fails and ENOMEM is returned.
This would lead to use after free as returned value is checked on
caller's side and (already freed) request would be marked as erroneous.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
b53f1e74acee48c5f22f7532829e1934c68d4637 |
|
23-Jul-2014 |
Pavel Reichl <preichl@redhat.com> |
SDAP: reduce code duplication - rfc2307bis nested groups
Move copy&pasted code for iteration of nested groups into separate
function.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
69994add9cd4e57d40b3b7a0b1783ef2d0aa974c |
|
02-Jun-2014 |
Pavel Reichl <preichl@redhat.com> |
SDAP: Add option to disable use of Token-Groups
Disabling use of Token-Groups is mandatory if expansion of nested groups is not
desired (ldap_group_nesting_level = 0) for AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2294
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
fc731b54cd74e6732f1e33c7cc4ed49cab0f7c90 |
|
02-Jun-2014 |
Pavel Reichl <preichl@redhat.com> |
LDAP: fix - find primary group by gid
Remove premature call of tevent_req_done() from sdap_get_initgr_done().
Request is correctly marked as done at sdap_get_initgr_pgid().
Resolves:
https://fedorahosted.org/sssd/ticket/2334
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4dd38025efda88f123eac672f87d3cda12f050c8 |
|
02-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Make it possible to extend an attribute map
https://fedorahosted.org/sssd/ticket/2073
This commit adds a new option ldap_user_extra_attrs that is unset by
default. When set, the option contains a list of LDAP attributes the LDAP
provider would download and store in addition to the usual set.
The list can either contain LDAP attribute names only, or colon-separated
tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP
attribute name is specified, the attribute is saved to the cache verbatim.
Using a custom SSSD attribute name might be required by environments that
configure several SSSD domains with different LDAP schemas.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
83bf46f4066e3d5e838a32357c201de9bd6ecdfd |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Update DEBUG* invocations to use new levels
Use a script to update DEBUG* macro invocations, which use literal
numbers for levels, to use bitmask macros instead:
grep -rl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e 'use strict;
use File::Slurp;
my @map=qw"
SSSDBG_FATAL_FAILURE
SSSDBG_CRIT_FAILURE
SSSDBG_OP_FAILURE
SSSDBG_MINOR_FAILURE
SSSDBG_CONF_SETTINGS
SSSDBG_FUNC_DATA
SSSDBG_TRACE_FUNC
SSSDBG_TRACE_LIBS
SSSDBG_TRACE_INTERNAL
SSSDBG_TRACE_ALL
";
my $text=read_file(\*STDIN);
my $repl;
$text=~s/
^
(
.*
\b
(DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
\s*
\(\s*
)(
[0-9]
)(
\s*,
)
(
\s*
)
(
.*
)
$
/
$repl = $1.$map[$3].$4.$5.$6,
length($repl) <= 80
? $repl
: $1.$map[$3].$4."\n".(" " x length($1)).$6
/xmge;
print $text;
' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
008e1ee835602023891ac45408483d87f41e4d5c |
|
19-Dec-2013 |
Sumit Bose <sbose@redhat.com> |
AD: cross-domain membership fix
A recent patch directed all calls related to group membership lookups to
the AD LDAP port to fix an issue related to missing group memberships in
the Global Catalog. As a side-effect it broke cross-domain
group-memberships because those cannot be resolved by the connection to
the LDAP port.
The patch tries to fix this by restoring the original behaviour in the
top-level lookup calls in the AD provider and switching to the LDAP port
only for the LDAP request which is expected to return the full group
membership.
Additionally this patch contains a related fix for the tokenGroups with
Posix attributes patch. The original connection, typically a Global
Catalog connection in the AD case is passed down the stack so that the
group lookup after the tokenGroups request can run over the same
connection. |
ed3e08e6ff267722c605141a0b57774efe4cb531 |
|
18-Dec-2013 |
Pavel Březina <pbrezina@redhat.com> |
ad: use tokengroups even when id mapping is disabled
https://fedorahosted.org/sssd/ticket/1568 |
29a61bce88147872b5086278d37b1e58726032d1 |
|
18-Dec-2013 |
Pavel Březina <pbrezina@redhat.com> |
ad: refactor tokengroups initgroups
sdap_get_ad_tokengroups_initgroups is split into more parts so
it can be reused later. |
5b94e341a6ae347f49cfd18d574c9f37d0c2633e |
|
09-Dec-2013 |
Sumit Bose <sbose@redhat.com> |
rfc2307bis_nested_groups_send: reuse search base
If there are multiple members in the sdom list, always the search base
of the first entry was used. |
0bdef4fb23af3def3ca9608bb4dda46de1bd9dfb |
|
27-Nov-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Remove unused parameter from sdap_save_user |
e2ac9be4f293b96f3c8992f1171e44bc1da5cfca |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop redundant sysdb_ctx parameter from sysdb.c |
d115f40c7a3999e3cbe705a2ff9cf0fd493f80fb |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2) |
4c08db0fb0dda3d27b1184248ca5c800d7ce23f0 |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 1) |
b3292840ebaa747a9fd596ff47cc5d18198361d0 |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter from the sysdb_search module |
fdda4b659fa3be3027df91a2b053835186ec2c59 |
|
25-Oct-2013 |
Sumit Bose <sbose@redhat.com> |
sdap_idmap_domain_has_algorithmic_mapping: add domain name argument
When libsss_idmap was only used to algorithmically map a SID to a POSIX
ID a domain SID was strictly necessary and the only information needed
to find a domain.
With the introduction of external mappings there are cases where a
domain SID is not available. Currently we relied on the fact that
external mapping was always used as a default if no specific
information about the domain was found. This led to extra CPU cycles and
potentially confusing debug messages. Adding the domain name as a search
parameter will avoid this. |
1b870ffa7910879f9310db453a31ab6f06392b9b |
|
27-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Allow searching subdomain during RFC2307bis initgroups
Related: https://fedorahosted.org/sssd/ticket/2070
Until now, the POSIX-compliant initgroups would only be able to search
the parent domain. Since we want to allow using POSIX attributes from AD
subdomains as well, we should allow searching a custom sdap_domain. |
d3e1d88ce7de3216a862b9fe78dc5aa94dcbc14b |
|
27-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Require ID numbers when ID mapping is off
Related: https://fedorahosted.org/sssd/ticket/2070
When searching for users and groups without the use of ID mapping, make
sure the UIDs and GIDs are included in the search. This will make the
SSSD seemingly "miss" entries when searching in Global Catalog in the
scenario where the POSIX attributes are not replicated to the GC. |
9cc66028cb6e497588a088ff2953e2ca7ed6ca6d |
|
26-Sep-2013 |
Pavel Březina <pbrezina@redhat.com> |
sysdb: get_sysdb_grouplist() can return either names or dn
We need to work with distinguished names when processing
cross-domain membership, because groups and users may
be stored in different sysdb tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066 |
0e65abe5cf2abf5d4b431cf6bd161b419f07901d |
|
11-Sep-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fix formatting of variables with type: size_t |
75dd4b05e1dacc76dc9d5f16be31978f84a71dc5 |
|
19-Aug-2013 |
Sumit Bose <sbose@redhat.com> |
sysdb_add_incomplete_group: store SID string if available
During initgroups request we read the SID of a group from the server but
do not save it to the cache. This patch fixes this and might help to
avoid an additional lookup of the SID later. |
fd04fbbf93d33db729404cdc4408f59226025ea6 |
|
19-Aug-2013 |
Sumit Bose <sbose@redhat.com> |
save_rfc2307bis_user_memberships: use fq names for subdomains
For subdomains the group names must be expanded to fully qualified names
to be able to find existing groups or properly add new ones. |
15b5d885e28afcd6c3c19f900eea2a8e00c3e6d3 |
|
19-Aug-2013 |
Sumit Bose <sbose@redhat.com> |
sdap_add_incomplete_groups: use fully qualified name if needed
For subdomains the group names must be expanded to fully qualified names
to be able to find existing groups or properly add new ones. |
85089c1037f00c87a29f72647ece37a3b2b6481b |
|
19-Aug-2013 |
Sumit Bose <sbose@redhat.com> |
sdap_get_initgr_done: use the right SID to get a GID |
9615f4c3c6f6dcc50ee7d4e50020549a2ff720c0 |
|
07-Aug-2013 |
Sumit Bose <sbose@redhat.com> |
Fix memory context for a state member
primary_name was allocated on a temporary memory context but as it is a
member of the state struct it should belong to the memory context of the
state. |
bfd59d1a2d0d45125e5164ef12c425690d519f61 |
|
24-Jul-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Use domain-specific name where appropriate
The subdomain users use FQDN in their name attribute. However, handling
of whether to use FQDN in the LDAP code was not really good. This patch
introduces a utility function and converts code that was relying on
user/group names matching to this utility function.
This is a temporary fix until we can refactor the sysdb API in #2011. |
b56b06e199f15a8a840b36bc7cb8010e39ae761d |
|
28-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Replace SDAP_ID_MAPPING checks with sdap_idmap_domain_has_algorithmic_mapping
Currently the decision if external or algorithmic mapping should be used
in the LDAP or AD provider was based on the value of the ldap_id_mapping
config option. Since now all information about ID mapping is handled by
libsss_idmap the check for this option can be replaced with a call which
checks the state via libsss_idmap.
https://fedorahosted.org/sssd/ticket/1961 |
ca344fdecdf127c80ad1074047aeba21e1165313 |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: return sdap search return code to ID
By default, the LDAP searches delete the entry from cache if it wasn't
found during a search. But if a search wants to try both Global Catalog
and LDAP, for example, it might be beneficial to have an option to only
delete the entry from cache after the last operation fails to prevent
unnecessary memberof operations for example. |
749cfb5d3270b5daf389d51a0dbd3fd2aec6e05d |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: new SDAP domain structure
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain. |
9aa117a93e315f790a1922d9ac7bd484878b621e |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Pass in a connection to ID functions
Instead of using the default connection from the sdap_id_ctx, allow the
caller to specify which connection shall be used for this particular
request. Again, no functional change is present in this patch, just
another parameter is added. |
4709ff46db0dbe073aef061b796d2fd7adeaf18f |
|
21-Mar-2013 |
Jan Cholasta <jcholast@redhat.com> |
LDAP: If deref search fails, try again without deref
https://fedorahosted.org/sssd/ticket/1660 |
fae99bfe4bfc8b4a12e9c2a0ad01b3684c22f934 |
|
20-Mar-2013 |
Simo Sorce <simo@redhat.com> |
ldap: Fallback option for rfc2307 schema
Add option to fallback to fetch local users if rfc2307 is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.
Disabled by default as it violates identity domain separation.
Ticket:
https://fedorahosted.org/sssd/ticket/1020 |
1f469537545a20b62cb35966033be24e1c0cae39 |
|
19-Mar-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Removing unused declarations of functions and variables.
Variables dir_cc and file_cc are used in three
modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, and therefore should be
declared with extern in krb5_utils.h. |
9f37bb2012faa136ef7c1f9fe93689ce2be85637 |
|
13-Mar-2013 |
Ondrej Kos <okos@redhat.com> |
Fix initialization of multiple variables |
df0596ec12bc5091608371e2977f3111241e8caf |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove sysdb as a be context structure member
The sysdb context is already available through the 'domain' structure. |
1a54e022351a60fbfa619ef7ed6138fb892ad11a |
|
15-Jan-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: avoid complex realloc logic in save_rfc2307bis_group_memberships
https://fedorahosted.org/sssd/ticket/1761
The function tried to be smart and realloc only when needed, but that
only lead to hard-to-find bugs where the logic would not allocate the
proper space. Remove the reallocation and prefer readability over speed
in this case. |
043bda72889e9ef0c48b80b21c99e9e18c5f49d7 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_get_real_name() |
363ce75bfe2f73198e1ae7feeed97b6009ae24b8 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain arg to sysdb group member functions |
5c1135221ff3ea9132b6ebf073f2dcae88b73b3f |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain arguments to sysdb_add_group functions. |
b23539e420b9962ad3bfd8f305b9d5acf47e7efb |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_search_group_by_name()
Also remove unused sysdb_search_domgroup_by_name() |
2ce00e0d3896bb42db169d1e79553a81ca837a22 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_search_user_by_name()
Also remove unused sysdb_search_domuser_by_name() |
097fc24412031eb5c2f0d5dd0286083ddc9355ab |
|
10-Dec-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: remove dead assignment |
e3961dfa29324af5b6b9645fd7485c9035bdb18b |
|
05-Dec-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Continue adjusting group membership even if there is nothing to add
https://fedorahosted.org/sssd/ticket/1695 |
326f4fc3125e155ee2d484fe921aafddd6b5a49d |
|
24-Sep-2012 |
Pavel Březina <pbrezina@redhat.com> |
sdap_add_incomplete_groups(): fix ret may be uninitialized warning |
d0e0e73e86f2afdb7f8fefbed70fda8d77b1c25a |
|
24-Sep-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
AD: Optimize initgroups lookups with tokenGroups
https://fedorahosted.org/sssd/ticket/1355 |
21d485184df986e1a123f70c689517386e51a5ce |
|
23-Aug-2012 |
Michal Zidek <mzidek@redhat.com> |
Unify usage of sysdb transactions
Removing bad examples of usage of sysdb_transaction_start/commit/end
functions and making it more consistent (all files except of
src/db/sysdb_*.c). |
67ef63cc88230e13a15cb9e5485340469c4bcc3e |
|
21-Aug-2012 |
Pavel Březina <pbrezina@redhat.com> |
Remove compilation warning: ret may be uninitialized |
9356e8f50436724e985d9a8f5d4f2bc0f5b837bc |
|
21-Aug-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Process all groups from a single nesting level
https://bugzilla.redhat.com/show_bug.cgi?id=846664
If the first group was cached when processing the nested group membership,
we would call tevent_req_done, effectively marking the whole nesting
level as done. |
fb5abb2a7abf63974d8db444c66f50a2dd74901f |
|
10-Aug-2012 |
Michal Zidek <mzidek@redhat.com> |
When ldap_group_nesting_level was reached, the LDAP provider tried to link group members with groups outside the nesting limit.
https://fedorahosted.org/sssd/ticket/1194 |
2c62da337e31217d03f5bf0f768b574d166bb2fe |
|
13-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Auto-detect support for the ldap match rule
This patch extends the RootDSE lookup so that we will perform a
second request to test whether the match rule syntax can be used.
If both groups and initgroups are disabled in the configuration,
this lookup request can be skipped. |
d42d371c00c83ae44b9d1c3e88ecbe0e01b112e6 |
|
13-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add support for AD chain matching extension in initgroups |
6199bd6b41e8b280e65db4b4bb17a1c5c0444aa9 |
|
13-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Make sdap_initgr_common_store() non-static
Move it to a private header so it can be reused by other
initgroups C files. |
1ed3a0d1d98ae410fcd716ec5c7202de2c082597 |
|
13-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add helper function to get list of a user's groups from sysdb |
2394ec78b31c34f928843a56b9c395380347c418 |
|
13-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Fix incorrect switch statement in sdap_get_initgr_done()
SDAP_SCHEMA_AD needs to be calling sdap_initgr_rfc2307bis_recv(),
not sdap_initgr_nested_recv(). By coincidence both recv functions
happened to be identical, but if one or the other changed, this
would break unexpectedly. |
6b81b6ada1010e65b447fc74453e236fb8791813 |
|
31-May-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Utilize attribute exclusion in LDAP initgroups
Previous patch added the possibility to exclude some attributes from a
map when building an attribute list to be sent to server. The original
reason for this functionality is the code handling LDAP initgroups. In
this code, there is no need to fetch members of groups in question. This
can save some performance since the list of members can be pretty long
in some cases. This case applies only to RFC2307 and generic RFC2307bis,
it doesn't apply for IPA schema. |
64ddff90c7fcc02ccb06824ac93af7d5f361a88f |
|
31-May-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Add support for filtering attributes
This patch adds support for filtering attributes when constructing
attribute list from a map for LDAP query. |
f56e704cf0b3b0e9e997e96221fa82d488ee8ca7 |
|
31-May-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Ghost members - removed sdap_check_aliases()
This function is no longer necessary because we don't have fake user
entries any more. The original purpose of this function was to check if
there are fake user entries for particular user and, if yes, to update
its membership. |
ca4b7b92738f3dd463914e3de5757cd98d37a983 |
|
10-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add attr_count return value to build_attrs_from_map()
This is necessary because in several places in the code, we are
appending to the attrs returned from this value, and if we relied
on the map size macro, we would be appending after the NULL
terminator if one or more attributes were defined as NULL. |
c20a339d54b39120b4051f690ca759e6d079f177 |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Treat groups with unmappable SIDs as non-POSIX groups |
8be5e4497e5008f7807178acdfcbf97365ec4e73 |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add helper function to map IDs
This function will also auto-create a new ID map if the domain has
not been seen previously. |
58d02e0d3d6d48c97fccdb2ad7212e065671ad6d |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add helper routine to convert LDAP blob to SID string |
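The two helpers named in the commits above, converting the objectSid blob to a string and splitting that string into the domain SID and RID that ID mapping keys on, are illustrated by the following added example. It is not SSSD's code: the function names, buffer sizes and the sample blob are constructed for this page. The blob follows the Windows SID layout (revision byte, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities), and every length check runs before any byte past the header is read, so a truncated or oversized value from the wire is rejected rather than read out of bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The Windows SID wire format caps sub-authorities at 15. */
#define SID_MAX_SUB_AUTHS 15

/* Constructed sample (not from any real directory): objectSid blob for
 * S-1-5-21-3623811015-1000-2000-1106. Byte 0 revision, byte 1 sub-authority
 * count, bytes 2..7 the 48-bit identifier authority (big-endian), then one
 * 32-bit little-endian word per sub-authority. */
static const uint8_t SAMPLE_SID_BLOB[] = {
    0x01, 0x05,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x15, 0x00, 0x00, 0x00,   /* 21 */
    0xC7, 0xF7, 0xFE, 0xD7,   /* 3623811015 */
    0xE8, 0x03, 0x00, 0x00,   /* 1000 */
    0xD0, 0x07, 0x00, 0x00,   /* 2000 */
    0x52, 0x04, 0x00, 0x00    /* 1106 */
};

/* Convert a binary SID to "S-R-A-X-Y-...". Returns 0 on success, -1 when the
 * blob is truncated, oversized, has an unknown revision, or the output
 * buffer is too small. Nothing past the 8-byte header is read until the
 * declared sub-authority count has been checked against blob_len. */
int sid_blob_to_string(const uint8_t *blob, size_t blob_len,
                       char *out, size_t out_len)
{
    if (blob == NULL || out == NULL || blob_len < 8) return -1;
    unsigned revision = blob[0];
    unsigned sub_count = blob[1];
    if (revision != 1 || sub_count > SID_MAX_SUB_AUTHS) return -1;
    if (blob_len != 8 + (size_t)sub_count * 4) return -1;

    uint64_t authority = 0;
    for (int i = 2; i < 8; i++) authority = (authority << 8) | blob[i];

    /* Windows prints identifier authorities wider than 32 bits in hex. */
    int n = (authority <= 0xFFFFFFFFULL)
        ? snprintf(out, out_len, "S-%u-%llu", revision, (unsigned long long)authority)
        : snprintf(out, out_len, "S-%u-0x%llX", revision, (unsigned long long)authority);
    if (n < 0 || (size_t)n >= out_len) return -1;
    size_t pos = (size_t)n;

    for (unsigned i = 0; i < sub_count; i++) {
        const uint8_t *p = blob + 8 + i * 4;
        uint32_t sub = (uint32_t)p[0] | ((uint32_t)p[1] << 8)
                     | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        n = snprintf(out + pos, out_len - pos, "-%lu", (unsigned long)sub);
        if (n < 0 || (size_t)n >= out_len - pos) return -1;
        pos += (size_t)n;
    }
    return 0;
}

/* Split "S-1-5-21-A-B-C-RID" into the domain SID "S-1-5-21-A-B-C" and the
 * RID. An ID-mapping scheme keys its per-domain range on the domain part
 * and uses the RID as the offset inside that range. */
int sid_split_domain_rid(const char *sid, char *domain, size_t domain_len,
                         uint32_t *rid)
{
    if (sid == NULL || domain == NULL || rid == NULL) return -1;
    int dashes = 0;
    for (const char *p = sid; *p != '\0'; p++) if (*p == '-') dashes++;
    /* "S-R-A-X" has three dashes; anything shorter has no RID to strip. */
    if (dashes < 3) return -1;
    const char *last = strrchr(sid, '-');
    char *end = NULL;
    unsigned long v = strtoul(last + 1, &end, 10);
    if (end == last + 1 || *end != '\0' || v > 0xFFFFFFFFUL) return -1;
    size_t plen = (size_t)(last - sid);
    if (plen >= domain_len) return -1;
    memcpy(domain, sid, plen);
    domain[plen] = '\0';
    *rid = (uint32_t)v;
    return 0;
}

/* Returns 1 when the sample blob round-trips to the expected strings and a
 * blob cut short of its declared sub-authority count is rejected. */
int sid_selftest(void)
{
    char sid[128], dom[128];
    uint32_t rid = 0;
    if (sid_blob_to_string(SAMPLE_SID_BLOB, sizeof SAMPLE_SID_BLOB, sid, sizeof sid) != 0) return 0;
    if (strcmp(sid, "S-1-5-21-3623811015-1000-2000-1106") != 0) return 0;
    if (sid_split_domain_rid(sid, dom, sizeof dom, &rid) != 0) return 0;
    if (strcmp(dom, "S-1-5-21-3623811015-1000-2000") != 0 || rid != 1106) return 0;
    if (sid_blob_to_string(SAMPLE_SID_BLOB, sizeof SAMPLE_SID_BLOB - 4, sid, sizeof sid) != -1) return 0;
    return 1;
}

int main(void)
{
    char sid[128], dom[128];
    uint32_t rid = 0;
    if (sid_blob_to_string(SAMPLE_SID_BLOB, sizeof SAMPLE_SID_BLOB, sid, sizeof sid) != 0) return 1;
    if (sid_split_domain_rid(sid, dom, sizeof dom, &rid) != 0) return 1;
    printf("%s -> domain %s, rid %lu, selftest=%d\n", sid, dom, (unsigned long)rid, sid_selftest());
    return 0;
}
```

The length check `blob_len != 8 + sub_count * 4` is the one that matters for an attribute value that arrives over the network: trusting the count byte without it turns a short objectSid into an out-of-bounds read, and a value with a bogus count into garbage that an unmappable-SID path (the commit a few entries above treats such groups as non-POSIX) must still be able to refuse cleanly.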
1c386aa2c11d1bdbb3f42f722ec4599ce9f278c8 |
|
08-Mar-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix nested groups processing
Instead of keeping the number of parent groups in "state" and having to
reset the count when moving to another group on the same level, keep
track of all the groups on a particular level along with their parents
and parent count. |
21f666d6a88dfa9cd7e984c25464dd56fe170598 |
|
05-Mar-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Use proper errno code |
3ff729e6c8a371e7a52914772816c39ca73c50a9 |
|
24-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Modifications to simplify list_missing_attrs |
2f3ee3f49019f5b60adbe073070f31e6e2d7c7ab |
|
24-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Only use paging control on requests for multiple entries
The paging control can cause issues on servers that put limits on
how many paging controls can be active at one time (on some
servers, it is limited to one per connection). We need to reduce
our usage so that we only activate the paging control when making
a request that may return an arbitrary number of results.
https://fedorahosted.org/sssd/ticket/1202 phase one |
b4adc08bcc1cc225133146163989301b607c79b5 |
|
23-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Properly assign orig_dn
This was only used for properly identifying debug messages. |
3a0522759a7e71b40cc88dba0f5c545b049cf9bf |
|
14-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix memory hierarchy when processing nested group memberships
https://fedorahosted.org/sssd/ticket/1186 |
f393e23f264a299868a12bec40a390a7ecd65d10 |
|
04-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Fix incorrect search timeouts |
169fa5bd3edd34aa0db35681832bd7406e423c1b |
|
04-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Do not fail if RootDSE check cannot determine search bases
https://fedorahosted.org/sssd/ticket/1152 |
940e033c0c427d02a34347dbd2f4443fa625b111 |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use the case sensitivity flag in the LDAP provider |
f46b9fd64ef09aae23220c5adb2fe4d3e4adc553 |
|
30-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use dereference during IPA provider initgroups
https://fedorahosted.org/sssd/ticket/1099 |
ac3a1f3da772cf101101c31675c63dc3549b21b5 |
|
22-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Cleanup: Remove unused parameters |
88ab259f993956b6cd0b1a07d3d88d105e368a8c |
|
11-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Squash transactions in sdap_initgr_common_store
https://fedorahosted.org/sssd/ticket/1053 |
fd21ca460115a5d51d0db6e5ac759b8aff51ab99 |
|
07-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use correct state struct in sdap_initgr_rfc2307bis_next_base |
515470a32aeab1eb64a9c4f1adf0c6b4a8ab94f1 |
|
07-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix segfault in sdap_get_initgr_user |
9fcfe80902655f495b7258218fc8114aa5d2c023 |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add multiple search bases for initgroups (RFC2307bis groups) |
38e1ee5d65ade946f1322efa96f69c05e041c57f |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add multiple search bases for initgroups (RFC2307 groups) |
14742d2cf50774ffd94b37a398238e4ce0e4a740 |
|
02-Nov-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add multiple search bases for initgroups (users) |
d3bdb23bec3432591acb1135a108ee9bdd5f87e0 |
|
31-Oct-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Steal result onto mem_ctx in sdap_initgr_nested_get_direct_parents |
9aac6b1a195159d5aa0bbbe91fc72ce2c2b021aa |
|
31-Oct-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
RFC2307bis initgroups: fix nested groups processing
Due to an incorrectly written loop, SSSD would go into an infinite loop if it
processed the same group on two different levels of membership. |
e30d02c04efad31f97c35165a92105852c805d34 |
|
25-Oct-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Plug memory leaks in LDAP provider |
f249521d2ebf23ccb03a93e070060f6e9d3db94c |
|
17-Oct-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Cancel transactions correctly during initgroups |
707ddc7de4d43a96a372880c50cb20b9672c9cdf |
|
17-Oct-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use fewer transactions during IPA initgroups |
95470076a26745f65d087be7cdf79c0373df21ca |
|
17-Oct-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use fewer transactions during RFC2307bis initgroups |
c88e387d10104774852d54355fc17ad41761776a |
|
17-Oct-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Utility functions for LDAP nested schema initgroups |
684d1b48b5582a1bf7812b8c3c663592dc6dfed9 |
|
13-Oct-2011 |
Pavel Březina <pbrezina@redhat.com> |
SysDB commands that save lastUpdate allow this value to be passed in
https://fedorahosted.org/sssd/ticket/836 |
033d1e3985288ec827db85882b052104485606ac |
|
28-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Store name aliases for users, groups
Also checks fake users for aliases when storing a real user so that
getgrnam for an RFC2307 group that references a user by his secondary
name followed by getpwnam for this user by his primary name works |
fd61c807554d5a3ff74f065eb0438fe2524f4ba2 |
|
28-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add a sysdb_get_direct_parents function |
9091fdea936f7d21584682b7f3d58f49b1e7b013 |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Moved some functions in sdap_async_initgroups |
f26c954658dfd7461f290f0b5d924951a6db219a |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
sdap_async_accounts.c split
The file has been split in three:
sdap_async_users.c
sdap_async_groups.c
sdap_async_initgroups.c
https://fedorahosted.org/sssd/ticket/864 |