dea636af4d1902a081ee891f1b19ee2f8729d759 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Switch to new interface
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
8babbeee01e67893af4828ddfc922ecac0be4197 |
|
20-Jan-2016 |
Pavel Reichl <preichl@redhat.com> |
IDMAP: Add support for automatic adding of ranges
Resolves:
https://fedorahosted.org/sssd/ticket/2188
Reviewed-by: Sumit Bose <sbose@redhat.com> |
de1131abe5ba7aaeb59f81fc3a9cd2a71c0b52dd |
|
14-Dec-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
DEBUG: Add missing new lines
Reviewed-by: Petr Cech <pcech@redhat.com> |
1e6ad2b73851049197c7756787d14c78f64e1128 |
|
10-Dec-2015 |
Sumit Bose <sbose@redhat.com> |
LDAP: check early for missing SID in mapping check
Resolves https://fedorahosted.org/sssd/ticket/2830
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a47102e74050d8ab14a9ea835ab2640c9aa65856 |
|
09-Oct-2015 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Inform about small range size
When a returned RID has a higher value than the ldap_idmap_range_size,
it means that the administrator did not plan appropriately for the size
of their network. We need to alert the admin at a severe notification
level that their configuration will fail on entries with a high RID and
point them at the explanation in the manual.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
3fa03d5816d6a401d8e894b77236d3cfd95dbd96 |
|
02-Oct-2015 |
Pavel Reichl <preichl@redhat.com> |
SDAP: fix minor memory leak
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
21687d1d553579e81aa43bfa20f2e70fb39e8461 |
|
05-May-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
SDAP: Fix id mapping with disabled subdomains
If subdomains are disabled "subdomain_provider = none"
then auto-discovery of domain SID is disabled.
It is possible to configure options ldap_idmap_default_domain{,_sid}
and id mapping should work.
However value of option ldap_idmap_default_domain_sid was not assigned to
sss_domain_info for main domain. It was only used for initialisation of
sdap_idmap_ctx. As a result of this bug posix attributes were used in
ldap filter and id mapping worked just for users with posix attributes.
    [be_get_account_info] (0x0100): Got request for [0x1001][1][name=user]
    [be_req_set_domain] (0x0400):
        Changing request domain from [EXAMPLE.TEST] to [EXAMPLE.TEST]
    [sdap_idmap_domain_has_algorithmic_mapping] (0x0080):
        Could not parse domain SID from [(null)]
    [sdap_idmap_domain_has_algorithmic_mapping] (0x0080):
        Could not parse domain SID from [(null)]
    [sdap_search_user_next_base] (0x0400):
        Searching for users with base [DC=EXAMPLE,DC=TEST]
    [sdap_get_generic_ext_step] (0x0400):
        calling ldap_search_ext with
        [(&(sAMAccountName=hdpadmin)(objectclass=user)
        (sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))]
        [DC=EXAMPLE,DC=TEST].
    [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
    [sdap_get_users_done] (0x0040): Failed to retrieve users
Resolves:
https://fedorahosted.org/sssd/ticket/2635
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
a5b55bdfcda8bfce8cb2ced981773998093d7857 |
|
19-Nov-2014 |
Pavel Reichl <preichl@redhat.com> |
SYSDB: sysdb_idmap_get_mappings returns ENOENT
sysdb_idmap_get_mappings returns ENOENT if no results were found.
Part of solution for:
https://fedorahosted.org/sssd/ticket/1991
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
    grep -rwl --include '*.[hc]' DEBUG . |
        while read f; do
            mv "$f"{,.orig}
            perl -e \
                'use strict;
                 use File::Slurp;
                 my $text=read_file(\*STDIN);
                 $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
                 print $text;' < "$f.orig" > "$f"
            rm "$f.orig"
        done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
cdcca90249aadb72bf2978a63c202c5b68642224 |
|
22-Jan-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
sdap_idamp: Fall back to another method if sid is wrong
sss_idmap_domain_has_algorithmic_mapping can return also
IDMAP_SID_INVALID, but it does not mean that idmapping is
unavailable. We should fall back to another method of detection
(sss_idmap_domain_by_name_has_algorithmic_mapping)
and do not return false immediately.
Resolves:
https://fedorahosted.org/sssd/ticket/2172 |
1e4a582e29c119e2c0e58a02dcb41b829e6b5e39 |
|
22-Jan-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
LDAP: update id mapping detection for ldap provider
For id_provider ldap, it is only necessary to enable option ldap_id_mapping.
It is a regression introduced in the commit d3e1d88ce7de3216a862b
Resolves:
https://fedorahosted.org/sssd/ticket/2172 |
7d056853e4a5fe6daa5743e38d21b4493f4fca27 |
|
15-Nov-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter from the sysdb_idmap module |
fdda4b659fa3be3027df91a2b053835186ec2c59 |
|
25-Oct-2013 |
Sumit Bose <sbose@redhat.com> |
sdap_idmap_domain_has_algorithmic_mapping: add domain name argument
When libss_idmap was only used to algorithmically map a SID to a POSIX
ID a domain SID was strictly necessary and the only information needed
to find a domain.
With the introduction of external mappings there are cases where a
domain SID is not available. Currently we relied on the fact that
external mapping was always used as a default if no specific
information about the domain was found. This led to extra CPU cycles and
potentially confusing debug messages. Adding the domain name as a search
parameter will avoid this. |
cb446b6149d28c204954ae75143b89aef14115dc |
|
17-Oct-2013 |
Sumit Bose <sbose@redhat.com> |
sdap_idmap: properly handle ranges for external mappings
Currently we relied on the fact that external ID mapping is used as
default fallback in case of an error and did not properly add subdomains
with external ID mapping to the idmap library. If debugging is enabled
this leads to irritating debug messages for every user or group lookup.
With this patch these subdomains are added to the idmap library.
Fixes https://fedorahosted.org/sssd/ticket/2105 |
3d9bafcbb5c0fbf23351004ded4dea6aa13127fc |
|
17-Oct-2013 |
Sumit Bose <sbose@redhat.com> |
sdap_idmap: add sdap_idmap_get_configured_external_range() |
a473fb88e6015cf0ccbd2e9005c7e6acca18f452 |
|
17-Sep-2013 |
Pavel Březina <pbrezina@redhat.com> |
util: add sss_idmap_talloc[_free]
Remove code duplication. |
af58b15fa7f20e33736d79c6a4b3becb568517ca |
|
11-Sep-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fix formatting of variables with type: id_t |
b2c7b6fe7a6b9ef3af8d4d3037fe83d6e9bfd6a5 |
|
28-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Add sdap_idmap_domain_has_algorithmic_mapping()
This patch implements a wrapper for
sss_idmap_domain_has_algorithmic_mapping() for the sdap ID mapping.
Fixes https://fedorahosted.org/sssd/ticket/1960 |
bfb40893be20b45279a40188cf16ef0eec1f9423 |
|
28-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Allow different methods to find new domains for idmapping
Currently the range management code is in the generic LDAP provider and
can be used by the LDAP and AD provider. New ranges are allocated with
the help of a hash value of the domain SID.
If the IPA provider cannot find a range for a given domain it cannot
allocate a new range on its own but has to look up the idrange objects
on the FreeIPA server and use them accordingly. To allow the LDAP, AD
and IPA provider to use as much common code as possible a plugin
interface, similar to the one used to find the DNS site, to find a
missing range would be useful. The default plugin will be used by the
LDAP and the AD provider and the IPA provider will implement a plugin to
read the data from the server.
Fixes https://fedorahosted.org/sssd/ticket/1961 |
949fbc93defad394648b2651b43a7bbfa5bff42b |
|
28-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
SDAP IDMAP: Add configured domain to idmap context
To allow libsss_idmap to manage all id-ranges the id-ranges of the
domains configured in sssd.conf which are currently unmanaged must be
added to libsss_idmap. |
bfdb2eeed95bde6cd065a9a47a7cb1773990ccfb |
|
27-May-2013 |
Ondrej Kos <okos@redhat.com> |
Fail with misconfigured id-mapping ranges
https://fedorahosted.org/sssd/ticket/1930
On misconfigured id-mapping range variables, the provider should not
start. We were internally correctly setting error code for failure, but
interruption of startup was not performed.
Also raised the debug level of message for this misconfiguration. |
5aad10b49e193ee14a86e1277146a223005a2d6b |
|
13-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Re-add a useful DEBUG message
In commit 46222e5191473f9a46aec581273eb2eef22e23be we removed a very
similar DEBUG message while moving the whole piece of code to the idmap
library. But it turned out that the DEBUG message was useful while
testing the functionality, so this patch adds it back. |
46222e5191473f9a46aec581273eb2eef22e23be |
|
29-Apr-2013 |
Michal Zidek <mzidek@redhat.com> |
libsss_idmap: function to calculate range
Calculation of range for domains is moved from
sdap_idmap code to sss_idmap code. Some refactoring
has been done to allow this move.
https://fedorahosted.org/sssd/ticket/1844 |
df0596ec12bc5091608371e2977f3111241e8caf |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove sysdb as a be context structure member
The sysdb context is already available through the 'domain' structure. |
9a7b6d3248c5aac460e164f2246b26131cfbc055 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_idmap_ functions |
d6f283302268520c1506fb3da4f2a22f5a741be5 |
|
28-Nov-2012 |
Michal Zidek <mzidek@redhat.com> |
idmap: Silence DEBUG messages when dealing with built-in SIDs.
When converting built-in SID to unix GID/UID a confusing debug
message about the failed conversion was printed. This patch special
cases these built-in objects.
https://fedorahosted.org/sssd/ticket/1593 |
88a7086faa86464670c0d9097ea22a7c774682ad |
|
04-Oct-2012 |
Ondrej Kos <okos@redhat.com> |
Slices calculation is always wrong for default values |
5dedd73d90f0c1f23299f0c613f384ef902c3653 |
|
24-Sep-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
AD: autorid compatibility should recommend the use of default domain
Previously, we were failing to start if ldap_idmap_autorid_compat
was True but the default domain SID was unspecified. This is the
recommended configuration, but it is functional without it. There
is just a slight risk that the IDs will be inconsistent between
machines if the first user requested is not from the default
domain.
https://fedorahosted.org/sssd/ticket/1530 |
8be5e4497e5008f7807178acdfcbf97365ec4e73 |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add helper function to map IDs
This function will also auto-create a new ID map if the domain has
not been seen previously. |
45f75fc8e98092fa48faa3d180fd42f7efd51486 |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add routine to extract domain SID from an object SID
Also makes the domain prefix macros from sss_idmap public. |
4f3fd1fb264a7eaf3a9d062d49e071b0d17e4deb |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Allow setting a default domain for id-mapping slice 0 |
2fd5864ac8eb2c4cfa0fafe7c0431a74f2ebe1fb |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add autorid compatibility mode |
505e75ba28b42bb3de7a6d55de825091b70cc2b2 |
|
03-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
LDAP: Add helper routines for ID-mapping |