TESTS: Extending sysdb sudo store tests We covered diference between case sensitive and case insensitive domains. If domain is case insensitive we add lowercase form of sudoUser to local sysdb cache. Resolves: https://fedorahosted.org/sssd/ticket/3203 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

sudo: solve problems with fully qualified names sudo expects the same name in sudo rule as login name. Therefore if fully qualified name is used or even enforced by setting use_fully_qualified_names to true or by forcing default domain with default_domain_suffix sssd is able to correctly return the rules but sudo can't match the user with contect of sudoUser attribute since it is not qualified. This patch changes the rules on the fly to avoid using names at all. We do this in two steps: 1. We fetch all rules that match current user name, id or groups and replace sudoUser attribute with sudoUser: #uid. 2. We fetch complementry rules that contain netgroups since it is expected we don't have infromation about existing netgroups in cache, sudo still needs to evaluate it for us if needed. This patch also remove test for sysdb_get_sudo_filter since it wasn't sufficient anyway and I did not rewrite it since I don't thing it is a good thing to have filter tests that depends on exact filter order. Resolves: https://fedorahosted.org/sssd/ticket/2919 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SYSDB: If modifyTimestamp is the same, only update the TS cache Resolves: https://fedorahosted.org/sssd/ticket/2602 If the entry being saved contains the original modifyTimestamp attribute and the modifyTimestamp attribute is the same as the one we already saved to the timestamp cache, only the expire timestamps in the asynchronous timestamp cache will be bumped and the sysdb code will avoid writes to the main cache completely. If the modifyTimestamp is either missing or differs, we assume the entry had changed and do a full write to the main cache. Also amends the generic sysdb_set_attrs* and similar functions that their results is also reflected in the timestamps cache. Reviewed-by: Sumit Bose <sbose@redhat.com>

SYSDB: Search the timestamp caches in addition to the sysdb cache When a sysdb entry is searched, the sysdb cache is consulted first for users or groups. If an entry is found in the sysdb cache, the attributes from the timestamp cache are merged to return the full and up-to-date set of attributes. The merging is done with a single BASE search which is a direct lookup into the underlying key-value database, so it should be relatively fast. More complex merging is done only for enumeration by filter which is currently done only via the IFP back end and should be quite infrequent, so I hope we can justify a more complex merging there. Reviewed-by: Sumit Bose <sbose@redhat.com>

TESTS: Test of sysdb_search_sudo_rules There are tests functions of sysdb_sudo_rules. Resolves: https://fedorahosted.org/sssd/ticket/2081 Reviewed-by: Pavel Březina <pbrezina@redhat.com>