-rw-r--r--src/confdb/confdb.c8
-rw-r--r--src/confdb/confdb.h1
-rw-r--r--src/config/SSSDConfig/__init__.py.in1
-rwxr-xr-xsrc/config/SSSDConfigTest.py6
-rw-r--r--src/config/cfg_rules.ini1
-rw-r--r--src/config/etc/sssd.api.conf1
-rw-r--r--src/man/sssd.conf.5.xml20
7 files changed, 36 insertions, 2 deletions
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index fefecc03d..a02822481 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -936,6 +936,14 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
goto done;
}
+ ret = get_entry_as_bool(res->msgs[0], &domain->mpg,
+ CONFDB_DOMAIN_AUTO_UPG, 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for %s\n", CONFDB_DOMAIN_AUTO_UPG);
+ goto done;
+ }
+
if (strcasecmp(domain->provider, "local") == 0) {
/* If this is the local provider, we need to ensure that
* no other provider was specified for other types, since
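Review bot: The value of the new `auto_private_groups` option is written into `domain->mpg`, and nothing in the added lines says that the two names are the same setting. A one-line comment above the call would make that explicit, for example `/* auto_private_groups is stored in domain->mpg: the primary group is derived from the UID */`. confdb_get_domain_internal starts and ends outside this hunk, so it is not visible whether `domain->mpg` is also assigned elsewhere, for instance from `CONFDB_DOMAIN_MPG` or in the local-provider branch that follows. If it is, the comment should also say which assignment wins, because the default of 0 passed here would otherwise reset an earlier value without any log message.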
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index bcea99ae4..2539b9069 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -198,6 +198,7 @@
#define CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH 8
#define CONFDB_DOMAIN_LEGACY_PASS "store_legacy_passwords"
#define CONFDB_DOMAIN_MPG "magic_private_groups"
+#define CONFDB_DOMAIN_AUTO_UPG "auto_private_groups"
#define CONFDB_DOMAIN_FQ "use_fully_qualified_names"
#define CONFDB_DOMAIN_ENTRY_CACHE_TIMEOUT "entry_cache_timeout"
#define CONFDB_DOMAIN_ACCOUNT_CACHE_EXPIRATION "account_cache_expiration"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index d99b718e0..d2bb709d6 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -195,6 +195,7 @@ option_strings = {
'cached_auth_timeout' : _('How long can cached credentials be used for cached authentication'),
'full_name_format' : _('Printf-compatible format for displaying fully-qualified names'),
're_expression' : _('Regex to parse username and domain'),
+ 'auto_private_groups' : _('Whether to automatically create private groups for users'),
# [provider/ipa]
'ipa_domain' : _('IPA domain'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 4a583bdd3..87d1f6e64 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -624,7 +624,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'subdomain_homedir',
'full_name_format',
're_expression',
- 'cached_auth_timeout']
+ 'cached_auth_timeout',
+ 'auto_private_groups']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
@@ -994,7 +995,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'subdomain_homedir',
'full_name_format',
're_expression',
- 'cached_auth_timeout']
+ 'cached_auth_timeout',
+ 'auto_private_groups']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index e49e8d43f..4e70bf7b6 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -382,6 +382,7 @@ option = cached_auth_timeout
option = wildcard_limit
option = full_name_format
option = re_expression
+option = auto_private_groups
#Entry cache timeouts
option = entry_cache_user_timeout
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 7f2b8977b..2be2e3e68 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -185,6 +185,7 @@ subdomain_homedir = str, None, false
cached_auth_timeout = int, None, false
full_name_format = str, None, false
re_expression = str, None, false
+auto_private_groups = str, None, false
#Entry cache timeouts
entry_cache_user_timeout = int, None, false
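Review bot: The schema entry declares `auto_private_groups` as `str`, but the confdb.c hunk in this commit parses it with `get_entry_as_bool()`, so the schema and the parser disagree on the type. The man page hunk is itself inconsistent, labelling the option `(string)` while giving its default as False. Declaring it as `auto_private_groups = bool, None, false` should let the configuration API reject a non-boolean value when the file is edited, rather than leaving it to the fatal "Invalid value" path at domain load. The `(string)` label in sssd.conf.5.xml would change with it. If `str` is intentional, to leave room for further values later, a comment next to the entry saying so would help.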
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 7443f7183..47da07c33 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2823,6 +2823,26 @@ subdomain_inherit = ldap_purge_cache_timeout
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>auto_private_groups (string)</term>
+ <listitem>
+ <para>
+ If this option is enabled, SSSD will automatically
+ create user private groups based on user's
+ UID number. The GID number is ignored in this case.
+ </para>
+ <para>
+ NOTE: Because the GID number and the user private group
+ are inferred frm the UID number, it is not supported
+ to have multiple entries with the same UID or GID number
+ with this option. In other words, enabling this option
+ enforces uniqueness across the ID space.
+ </para>
+ <para>
+ Default: False
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>