slapi-nis.git, branch slapi-nis-ad

WIP: bump version

2013-08-06T11:24:43+00:00

sch-ipa.txt: add documentation about trusted domains support for FreeIPA

2013-08-06T11:24:42+00:00

slapi-nis.spec: add dependencies to SSSD and PAM components

2013-08-06T11:24:42+00:00

back-sch.c: authenticate users through PAM system-auth service

2013-08-06T11:24:42+00:00

Since trusted domain users do not exist in the LDAP tree, their authentication
is handed over to PAM stack with the hope that PAM is set up properly to
authenticate them.

Additionally, this patch completely refactors authentication for the original DNs
that *are* located in the LDAP tree. Previous way to handle it was through
referrals being sent back. However, this method does not work at all.

Instead, we set SLAPI_BIND_TARGET_DN to the entry's original DN and hand over
pre-bind processing to other directory server's plugins. If slapi-nis set up
with a higher precedence to them, authentication will be handled by others.

back-sch.c: search users and groups through NSSWITCH

2013-08-06T11:24:42+00:00

Schema-compat plugin can be configured to serve users and groups through the
plugin configuration entry in directory server:

schema-compat-lookup-nsswitch: 
schema-compat-nsswitch-min-id: 

Separate trees should be configured to look up users and groups.
If minimal id value is missing, it will default to 1000.

src/Makefile.am: add back-sch-nss.c and back-sch-pam.c to build

2013-08-06T11:24:42+00:00

schema-compat: add support for authenticating users through PAM

2013-08-06T11:24:42+00:00

src/back-sch-pam.c implements PAM authentication for users not found in the LDAP tree
using system-auth system service when running on FreeIPA master server.

schema-compat: add support for querying users and groups through NSSWITCH

2013-08-06T11:24:42+00:00

src/back-sch-nss.c implements interface to query users and groups on FreeIPA
master server via getpwnam_r(), getgrnam_r(), and libsss_idmap.

back-sch: use plugin configuration to decide whether NSSWITCH should be consulted

2013-08-06T10:03:35+00:00

When one instance of schema compat plugin is configured to consult NSSWITCH,
promote its configuration to the backend.

Default to not looking into NSSWITCH.

configure: add configure checks for sss_idmap and define attribute to lookup nsswitch

2013-08-06T10:03:35+00:00

If schema compat plugin configuration has 'schema-compat-lookup-nsswitch: user|group'
then schema compat plugin will perform lookups of users/groups that were not found
in the main store using getpwnam_r()/getgrnam_r() and libsss_nss_idmap library.

This is special case to support legacy clients. Schema compat plugin in the
case is assumed to be running on FreeIPA master configured with trusts against
Active Directory and SSSD 1.11+ configured as ipa_server_mode = True.

Additionally, such entries are added to schema compat plugin's map cache and can
be used for authentication purposes. They will use PAM authentication pass-through
to 'system-auth' service.