<feed xmlns='http://www.w3.org/2005/Atom'>
<title>slapi-nis.git/src, branch bug-idviews-refresh</title>
<subtitle>SLAPI-NIS</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/'/>
<entry>
<title>back-sch: cancel memberof retrieval in case of a dirsrv shutdown</title>
<updated>2017-11-03T19:56:18+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2017-11-02T15:14:14+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=46649808918c027865dfaf78869aeeaddf97f47c'/>
<id>46649808918c027865dfaf78869aeeaddf97f47c</id>
<content type='text'>
Do not wait for SSSD to become online if the directory server is going
for shutdown. Since it is guaranteed that SSSD will not be able to
function with 389-ds offline, it makes no sense to continue the loop.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Do not wait for SSSD to become online if the directory server is going
for shutdown. Since it is guaranteed that SSSD will not be able to
function with 389-ds offline, it makes no sense to continue the loop.
</pre>
</div>
</content>
</entry>
<entry>
<title>schema-compat: add support for timeout-based NSS queries with libsss_nss_idmap</title>
<updated>2017-11-03T19:56:17+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2017-11-01T08:29:41+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=6fbf5891e9169142fc0ea37eb8f897a645b82d6f'/>
<id>6fbf5891e9169142fc0ea37eb8f897a645b82d6f</id>
<content type='text'>
In case libsss_nss_idmap provides a timeout-enabled NSS API, use it.
This solves the problem of too-long queries to an NSS backend with the
traditional POSIX NSS API. In case SSSD takes too long to respond
to a query, the corresponding 389-ds thread running the schema-compat plugin
would get stuck waiting for that response. It can lead to exhaustion of
389-ds threads.

A refactored interface to NSS backends is introduced with this commit.
A backend API looks like the API an NSS plugin has to implement in glibc
but also allows handling timeout-based requests internally.

If a backend implements timeout-enabled calls, then the
backend_nss_set_timeout() function can be used to modify per-context
state. There is no need for a caller to know whether the backend supports
timeout-enabled calls because either way these calls are synchronous
and the backend choice is made at compile time.

The schema-compat plugin uses 10 seconds as its default timeout. One can
change it via the 'slapi-nss-timeout' attribute in the plugin config entry.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In case libsss_nss_idmap provides a timeout-enabled NSS API, use it.
This solves the problem of too-long queries to an NSS backend with the
traditional POSIX NSS API. In case SSSD takes too long to respond
to a query, the corresponding 389-ds thread running the schema-compat plugin
would get stuck waiting for that response. It can lead to exhaustion of
389-ds threads.

A refactored interface to NSS backends is introduced with this commit.
A backend API looks like the API an NSS plugin has to implement in glibc
but also allows handling timeout-based requests internally.

If a backend implements timeout-enabled calls, then the
backend_nss_set_timeout() function can be used to modify per-context
state. There is no need for a caller to know whether the backend supports
timeout-enabled calls because either way these calls are synchronous
and the backend choice is made at compile time.

The schema-compat plugin uses 10 seconds as its default timeout. One can
change it via the 'slapi-nss-timeout' attribute in the plugin config entry.
</pre>
</div>
</content>
</entry>
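As an added example (not slapi-nis or SSSD code) of the thread-exhaustion failure mode the commit message above describes: a bounded pool of worker threads stands in for the 389-ds thread pool, a constructed in-memory backend stands in for SSSD as seen through NSS, and the two hanging names, the pool size of two and the 0.2-second per-query timeout are assumptions chosen for the demo. With the blocking call, two hung queries consume every worker and later lookups are never served; with the timeout-enabled call, the hung queries report ETIMEDOUT and hand their threads back.

```python
"""Model of directory-server worker threads blocked by a hung NSS backend.
Added example code; the backend, names and timings are constructed."""
import threading
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout

ETIMEDOUT = 110  # errno a timeout-enabled lookup reports (assumption: Linux value)


class FakeBackend:
    """Stand-in for SSSD behind NSS. Names listed in `hanging` are never
    answered until release() is called, like SSSD waiting on an unreachable DC."""

    def __init__(self, users, hanging):
        self.users = dict(users)
        self.hanging = set(hanging)
        self._release = threading.Event()

    def release(self):
        self._release.set()

    def getpwnam(self, name):
        """Traditional POSIX-style call: no timeout argument, blocks as long
        as the backend takes. Returns the uid or None."""
        if name in self.hanging:
            self._release.wait()
            return None
        return self.users.get(name)

    def getpwnam_timeout(self, name, timeout):
        """Timeout-enabled call, modelled on the libsss_nss_idmap variant:
        returns (uid_or_None, errno) and gives up after `timeout` seconds."""
        if name in self.hanging:
            answered = self._release.wait(timeout)
            if not answered:
                return None, ETIMEDOUT
            return None, 0
        return self.users.get(name), 0


def run_server(backend, lookups, workers, use_timeout, per_query_timeout, wait_for):
    """Push lookups through a bounded worker pool (the 389-ds thread pool).
    Returns a dict from name to outcome: 'uid:N', 'notfound', 'timeout', or
    'unanswered' when the caller gave up waiting for a free thread."""

    def work(name):
        if use_timeout:
            pw, err = backend.getpwnam_timeout(name, per_query_timeout)
            if err == ETIMEDOUT:
                return "timeout"
        else:
            pw = backend.getpwnam(name)
        return "notfound" if pw is None else "uid:%d" % pw

    outcomes = {}
    pool = ThreadPoolExecutor(max_workers=workers)
    futures = [(name, pool.submit(work, name)) for name in lookups]
    for name, fut in futures:
        try:
            outcomes[name] = fut.result(timeout=wait_for)
        except FutureTimeout:
            outcomes[name] = "unanswered"
    backend.release()  # unblock hung workers so the pool can shut down
    pool.shutdown(wait=True)
    return outcomes


def demo():
    users = {"alice@ad.example": 10001, "bob@ad.example": 10002}
    hanging = ["stuck1@ad.example", "stuck2@ad.example"]
    lookups = hanging + ["alice@ad.example", "bob@ad.example"]
    # Two workers, two hung queries: the blocking API pins both threads and
    # alice/bob are never served, however long the caller waits.
    blocking = run_server(FakeBackend(users, hanging), lookups, workers=2,
                          use_timeout=False, per_query_timeout=0.2, wait_for=0.5)
    # Same load with bounded lookups: hung queries return ETIMEDOUT after 0.2s,
    # free their threads, and alice/bob get answered.
    bounded = run_server(FakeBackend(users, hanging), lookups, workers=2,
                         use_timeout=True, per_query_timeout=0.2, wait_for=1.0)
    return blocking, bounded
```

The per-query timeout is the knob the commit exposes as slapi-nss-timeout; in this model it is the `per_query_timeout` argument, and the point to notice is that it bounds how long a worker thread can be held, not how long the client waits.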
<entry>
<title>track changes to ID overrides and evict map cache entries</title>
<updated>2017-10-25T08:21:17+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2017-09-11T12:33:24+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=bcdcb8e762c6a8824ff1dd67f7e068ef519b3952'/>
<id>bcdcb8e762c6a8824ff1dd67f7e068ef519b3952</id>
<content type='text'>
Plug into the processing of LDAP add/delete/modify to see if an ID override entry
was added/deleted/updated. ID overrides aren't directly used to produce
map cache entries, but when an AD user or group is resolved, SSSD on the IPA
master amends that information with the ID override from the Default Trust
View. Since nothing else would remove the AD user or group entry from the map cache
on an ID override change, handle their removal here.

Check if we have any nsswitch-generated entry in a map cache that
corresponds to this entry. Such entries would be evicted from the map
cache to allow their refresh.

Allow backends to inspect entries related to a map set

Entries may be related to a map set's content but not used directly to
generate it. An example would be ID overrides in FreeIPA. An addition,
removal or change of an ID override in the Default Trust View should be
reflected by evicting an entry from the corresponding set.

Let backends handle the exact logic. The NIS backend does not support
exposing AD users, so it provides a set of dummy callbacks that always
return FALSE (entry is not related). The Schema Compat backend, on the other
hand, does track ID overrides in the Default Trust View in FreeIPA.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Plug into the processing of LDAP add/delete/modify to see if an ID override entry
was added/deleted/updated. ID overrides aren't directly used to produce
map cache entries, but when an AD user or group is resolved, SSSD on the IPA
master amends that information with the ID override from the Default Trust
View. Since nothing else would remove the AD user or group entry from the map cache
on an ID override change, handle their removal here.

Check if we have any nsswitch-generated entry in a map cache that
corresponds to this entry. Such entries would be evicted from the map
cache to allow their refresh.

Allow backends to inspect entries related to a map set

Entries may be related to a map set's content but not used directly to
generate it. An example would be ID overrides in FreeIPA. An addition,
removal or change of an ID override in the Default Trust View should be
reflected by evicting an entry from the corresponding set.

Let backends handle the exact logic. The NIS backend does not support
exposing AD users, so it provides a set of dummy callbacks that always
return FALSE (entry is not related). The Schema Compat backend, on the other
hand, does track ID overrides in the Default Trust View in FreeIPA.
</pre>
</div>
</content>
</entry>
<entry>
<title>Add dummy handler for a related add/delete/modify to NIS plugin</title>
<updated>2017-09-12T19:05:42+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2017-09-12T11:52:21+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=79ddc12c93920840e9fbdf5c8ea25db1c4166af5'/>
<id>79ddc12c93920840e9fbdf5c8ea25db1c4166af5</id>
<content type='text'>
NIS doesn't need to handle ID overrides; it has to always skip related entries
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
NIS doesn't need to handle ID overrides; it has to always skip related entries
</pre>
</div>
</content>
</entry>
<entry>
<title>Move a helper to build DN to a format.c</title>
<updated>2017-09-12T15:52:17+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2017-09-11T12:32:38+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=96ff6873b024718fcbb7b011eee58aab84c3086f'/>
<id>96ff6873b024718fcbb7b011eee58aab84c3086f</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>back-sch-nss: for users with aliases, return alias as uid</title>
<updated>2016-08-07T20:27:55+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2016-07-27T14:37:14+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=e6f9e2c9282905fa41046379e0bc5c2ac82ae3a9'/>
<id>e6f9e2c9282905fa41046379e0bc5c2ac82ae3a9</id>
<content type='text'>
When SSSD resolves AD users on behalf of slapi-nis, it can accept
any user identifier, including a user principal name (UPN), which
may be different from the canonical user name that SSSD returns.

As a result, the entry created by slapi-nis will be using the canonical user
name, but the filter for the search will refer to the original (aliased)
name. The search will not match the newly created entry.

Fix this issue by returning two values for the 'uid' attribute: the
canonical one and the aliased one. This way the search will match.

Verified that SSSD with id_provider=ldap happily consumes such entries.
By LDAP schema, the 'uid' attribute can have multiple values.

Fixes https://fedorahosted.org/slapi-nis/ticket/12
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When SSSD resolves AD users on behalf of slapi-nis, it can accept
any user identifier, including a user principal name (UPN), which
may be different from the canonical user name that SSSD returns.

As a result, the entry created by slapi-nis will be using the canonical user
name, but the filter for the search will refer to the original (aliased)
name. The search will not match the newly created entry.

Fix this issue by returning two values for the 'uid' attribute: the
canonical one and the aliased one. This way the search will match.

Verified that SSSD with id_provider=ldap happily consumes such entries.
By LDAP schema, the 'uid' attribute can have multiple values.

Fixes https://fedorahosted.org/slapi-nis/ticket/12
</pre>
</div>
</content>
</entry>
<entry>
<title>back-sch: do not clobber target of the pblock for idview</title>
<updated>2016-08-07T20:27:05+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2016-07-26T15:11:53+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=b59b9c87042cb8f4d99421e101349c5f48f91235'/>
<id>b59b9c87042cb8f4d99421e101349c5f48f91235</id>
<content type='text'>
When extracting the idview, all we care about is the DN of the new target.
We don't really use the rewritten target as a string anymore,
so there is no need to rewrite the string in the pblock.

This fixes a bug when running with 389-ds 1.3.5.10+, which is more
strict about modification of the values in the pblock.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1360245
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When extracting the idview, all we care about is the DN of the new target.
We don't really use the rewritten target as a string anymore,
so there is no need to rewrite the string in the pblock.

This fixes a bug when running with 389-ds 1.3.5.10+, which is more
strict about modification of the values in the pblock.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1360245
</pre>
</div>
</content>
</entry>
<entry>
<title>Double free on ldap entry during priming</title>
<updated>2016-07-13T08:20:12+00:00</updated>
<author>
<name>Thierry Bordaz</name>
<email>tbordaz@redhat.com</email>
</author>
<published>2016-07-12T09:43:28+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=66177cbab545374ccc0bcacdd7a8ffea1ca7be6d'/>
<id>66177cbab545374ccc0bcacdd7a8ffea1ca7be6d</id>
<content type='text'>
During Schema-compat cache priming, if there is an associated domain,
the entry returned by the internal search is freed twice.

This was introduced in order for slapi-nis to resolve IPA groups with a
fully qualified suffix, to support the SSSD 1.14+ change of logic to handle
a default domain suffix.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
During Schema-compat cache priming, if there is an associated domain,
the entry returned by the internal search is freed twice.

This was introduced in order for slapi-nis to resolve IPA groups with a
fully qualified suffix, to support the SSSD 1.14+ change of logic to handle
a default domain suffix.
</pre>
</div>
</content>
</entry>
<entry>
<title>Declare int backend_init_extop for reuse in plug-sch.c</title>
<updated>2016-06-20T18:48:05+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2016-06-20T18:45:37+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=11df81960498e3e570e2ba46a2e80b7549fd16c1'/>
<id>11df81960498e3e570e2ba46a2e80b7549fd16c1</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>slapi-nis: resolve IPA groups with fully qualified suffix</title>
<updated>2016-06-20T18:48:05+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2016-06-15T09:15:46+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=0a5e61c042679679646f6f8f673028f8fbcf3ea7'/>
<id>0a5e61c042679679646f6f8f673028f8fbcf3ea7</id>
<content type='text'>
With SSSD 1.14+ there is a logic change in the handling of a default domain
suffix.

SSSD has two different formats to handle: the input and the output. The
input format is parsed into (name, domain) tuples with the re_expression
option and the output is formatted with the full_name_format option.

Because of the way SSSD used to store the usernames in sysdb, it was
tied to the full_name_format option: just changing the output format
changed the way the names were stored internally. SSSD changed the cache
to always store names in a unified format (foo@bar) and use
full_name_format only for output, as it should be.

This changed the logic of use_fully_qualified_names=True. It now mandates
that the /input/ contains both the name and the domain part, and then
SSSD formats the output using the full_name_format option. The
default_domain_suffix is a hack that just appends its value to
unqualified input, making all queries for "foo" into "foo@bar".

In new SSSD, if the configuration contains:
    default_domain_suffix = win.domain
    full_name_format = $1 # only name

then a request for "foo" will internally turn into "foo@win.domain" but
return "foo" on the output. However, queries for IPA's foo will have to
be qualified by the admin manually, like "foo@ipa.domain", otherwise sssd
doesn't know which foo you meant.

Support this logic by querying the associatedDomain attribute of the
restricted bases of the data set. IPA stores this information in the
$SUFFIX base DN (dc=example,dc=com) and configures slapi-nis with the
restricted base set to $SUFFIX (and the plugin config). While the
associatedDomain attribute is multivalued, the $SUFFIX object always has
a single value corresponding to the IPA domain name, which is the same as the
SSSD domain suffix.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
With SSSD 1.14+ there is a logic change in the handling of a default domain
suffix.

SSSD has two different formats to handle: the input and the output. The
input format is parsed into (name, domain) tuples with the re_expression
option and the output is formatted with the full_name_format option.

Because of the way SSSD used to store the usernames in sysdb, it was
tied to the full_name_format option: just changing the output format
changed the way the names were stored internally. SSSD changed the cache
to always store names in a unified format (foo@bar) and use
full_name_format only for output, as it should be.

This changed the logic of use_fully_qualified_names=True. It now mandates
that the /input/ contains both the name and the domain part, and then
SSSD formats the output using the full_name_format option. The
default_domain_suffix is a hack that just appends its value to
unqualified input, making all queries for "foo" into "foo@bar".

In new SSSD, if the configuration contains:
    default_domain_suffix = win.domain
    full_name_format = $1 # only name

then a request for "foo" will internally turn into "foo@win.domain" but
return "foo" on the output. However, queries for IPA's foo will have to
be qualified by the admin manually, like "foo@ipa.domain", otherwise sssd
doesn't know which foo you meant.

Support this logic by querying the associatedDomain attribute of the
restricted bases of the data set. IPA stores this information in the
$SUFFIX base DN (dc=example,dc=com) and configures slapi-nis with the
restricted base set to $SUFFIX (and the plugin config). While the
associatedDomain attribute is multivalued, the $SUFFIX object always has
a single value corresponding to the IPA domain name, which is the same as the
SSSD domain suffix.
</pre>
</div>
</content>
</entry>
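As an added example (not SSSD or slapi-nis code) of the input/output split the commit message above describes: a simplified regular expression stands in for re_expression, unqualified input is completed with default_domain_suffix the way new SSSD does it, a template stands in for full_name_format, and the associatedDomain value slapi-nis reads from $SUFFIX is modelled as a plain argument. The domain names win.domain and ipa.domain are the ones from the message; the regular expression and the qualify_for_sssd() helper are assumptions of this example.

```python
"""Model of SSSD name qualification with default_domain_suffix and
full_name_format, and of the IPA-side qualification slapi-nis has to do.
Added example code; the regex and helper names are constructed."""
import re

# Assumption: a cut-down re_expression accepting 'name' or 'name@domain'.
RE_EXPRESSION = re.compile(r"^([^@]+)(?:@([^@]+))?$")


def parse_input(raw, default_domain_suffix=None):
    """Parse raw input into a (name, domain) tuple. Unqualified input gets
    default_domain_suffix appended, as new SSSD does; with no suffix the
    domain stays None and SSSD would have to guess which 'foo' was meant."""
    m = RE_EXPRESSION.match(raw)
    if m is None:
        raise ValueError("unparseable name: %r" % raw)
    name, domain = m.group(1), m.group(2)
    if domain is None:
        domain = default_domain_suffix
    return name, domain


def internal_name(name, domain):
    """Unified sysdb form: always name@domain once a domain is known."""
    return name if domain is None else "%s@%s" % (name, domain)


def format_output(name, domain, full_name_format="$1@$2"):
    """Render with a full_name_format-style template ($1 = name, $2 = domain)."""
    return full_name_format.replace("$1", name).replace("$2", domain or "")


def qualify_for_sssd(raw, ipa_domain):
    """What slapi-nis has to do for an IPA-side name when default_domain_suffix
    points at the AD domain: qualify unqualified input with the IPA domain read
    from associatedDomain, so SSSD does not turn it into an AD query."""
    name, domain = parse_input(raw)  # deliberately no default suffix here
    if domain is None:
        domain = ipa_domain
    return internal_name(name, domain)


def demo():
    cfg_suffix, cfg_format = "win.domain", "$1"
    # Unqualified 'foo' becomes an AD query internally but prints as plain 'foo'.
    n, d = parse_input("foo", cfg_suffix)
    ad_internal = internal_name(n, d)
    ad_output = format_output(n, d, cfg_format)
    # An IPA user has to be asked for explicitly ...
    n2, d2 = parse_input("foo@ipa.domain", cfg_suffix)
    ipa_internal = internal_name(n2, d2)
    # ... or slapi-nis qualifies it itself using associatedDomain from $SUFFIX.
    fixed = qualify_for_sssd("foo", ipa_domain="ipa.domain")
    return ad_internal, ad_output, ipa_internal, fixed
```

The point to check in practice is the third value: with default_domain_suffix set to the AD domain, a bare "foo" coming from the IPA side is silently rewritten into an AD lookup unless something (here qualify_for_sssd) attaches the IPA domain first.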
</feed>
