This patch should not be pushed to master, but I would like to get it
It should be used to provide a custom build for users experiencing cases
where ldap_search_ext would block (c.f.
would set LDAP_DEBUG_ANY
The attached patch applies cleanly on the RHEL6.1 branch. I also have a
version that applies on master/1.5 if needed.
Finally removes EOK constant from sudo api header. It is not used in
the SUDO code so it does not require their changes.
This does what is requested in the ticket. It seems to be very huge but
in fact it is mainly changing the variable. Basically I tried to get
rid of domain ctx where possible, leave it only in initgroups part and
use command ctx elsewhere.
The in-memory cache is not yet implemented, I want to discuss the
possible ways of doing it.
The basic problem is that we need to get the domain during the request
for default options. How will we do it? I think there are two options:
1. always try to perform the initgroups - find the domain and then check
the in-memory cache (which may be slow if the user is in the last
domain, but that will be probably handled as part of
2. store uid:username = domain in the in-memory cache (same cache as
results or a new one?)
This patch contains a modified version of sysdb_get_sudo_user_info()
where the uid is not mandatory. I want to replace this function with
sysdb_sudo_get_user_groups() (or make it generic and place it in
sysdb_ops?) because the groupnames are the only thing we don't know.
However this requires a modification of the data provider protocol as
well so I'm keeping it for later.
Here is the first set of patches for the new sudo clothes.
As it does not touch the responder, I believe it does not require the
patches from the other preliminary sudo thread (already acked). However
it was written atop them.
This is the main change for the async processing of the sudo rules. It
makes sdap_sudo_refresh_send() more generic by adding there two filters:
ldap_filter - used for search in the LDAP
sysdb_filter - used for a deletion of the rules from sysdb
This way we can have many different refresh styles without touching
this fundamental function.
From this patch further the provider will return an error to the
responder making it unusable.
The rest of the patches have a self-describing subject. Don't be afraid
of the count, these patches are very small :-)
The next set of patches is where the fun begins, so be patient :-)
This patch was submitted by Shantanu Goel in a Trac ticket. Sending to
the list for review. I haven't yet had a chance to dig into it myself,
but the concept as described in
https://fedorahosted.org/sssd/ticket/1354 is sound, so I'd like to see
this get cleaned up and included.
In order to support the AD Domain\User style and the more usual kerberos
user@realm style, sssd needs per domain re_expression and
Attached is a rough patch implementing per domain qualified user names.
When discussing it on IRC we came up with the following plan: In order
to prevent conflicts between the regular expressions for different
domains, we parse with a domains regular expression and then check that
the resulting domain matches that domain's name.
It's not clear that we should support 'null-domains' in these regular
expressions and sss_parse_name_for_domains(). There's a TODO in the
patch to sort this out. It may be that we choose to have callers of
sss_parse_name_for_domains() which can accept unqualified user domains
use the full input string when parsing into a qualified name fails.
In other words, sss_parse_name_for_domains() would not support
returning a NULL *domain.
The global re_expression and full_name_format options remain as defaults
for the domains.
This patch is especially important for Samba integration. Samba only
allows Domain\User format, with the exception that the slash can be
replaced with another character.
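The parse-then-check plan described above, as an added example in Python that is not part of the patch or of sssd's own code; the two sample domains, their regular expressions, the case-insensitive domain comparison and the function names are all assumptions made for the illustration:

```python
import re
from dataclasses import dataclass


@dataclass
class Domain:
    name: str
    re_expression: str  # assumed per-domain regex; must define 'name' and 'domain' groups


# Constructed sample configuration (not sssd's real defaults): one AD-style
# domain using Domain\User and one Kerberos-style domain using user@realm.
DOMAINS = [
    Domain("AD", r"^(?P<domain>[^\\@]+)\\(?P<name>[^\\@]+)$"),
    Domain("EXAMPLE.COM", r"^(?P<name>[^\\@]+)@(?P<domain>[^\\@]+)$"),
]


def parse_name_for_domains(fqname, domains, check_domain=True):
    """Return (user, domain) or None when the input qualifies to no domain.

    Each domain's re_expression is tried in order. With check_domain=True
    (the plan from the thread) a match is accepted only if the captured
    domain equals that domain's own name (compared case-insensitively, an
    assumption here). With check_domain=False the first matching regex wins,
    so one domain's pattern can claim a name written in another domain's
    syntax. There is no NULL-domain result: unqualified input yields None.
    """
    for dom in domains:
        m = re.match(dom.re_expression, fqname)
        if m is None:
            continue
        domain = m.group("domain")
        if check_domain:
            if domain.lower() != dom.name.lower():
                continue  # right syntax, but it names a different domain
            domain = dom.name  # canonical spelling from the configuration
        return m.group("name"), domain
    return None


def parse_with_fallback(fqname, domains, default_domain):
    """Caller-side policy proposed in the thread: when no qualified name can
    be parsed, use the whole input as an unqualified user in the caller's
    default domain instead of asking the parser for a NULL domain."""
    parsed = parse_name_for_domains(fqname, domains)
    return parsed if parsed is not None else (fqname, default_domain)
```

With the check enabled, `carol@ad` is rejected because the realm-style regex belongs to EXAMPLE.COM, not AD; without it the same input is misattributed.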
This functionality will be utilized by PAC responder once it lands in the
master branch. One round of review already done by Sumit. Also the patch has
been tested together with the PAC responder.
The query is performed only if there is missing information in the
cache. That means this should be done only once after restart when cache
doesn't exist. All subsequent requests for subdomains won't include the
request for master domain. This is done to save time since it is not possible
to change this information once IPA server is installed.
This patch allows us, besides other conversions, to convert the dom_sid
structure used by samba to strings and back. This structure is used by
various samba libraries, but there are no public interfaces for the
conversion. I've seen Simo adding code to the IPA kdb plugin doing these
conversions and I need them for the PAC responder as well. So I thought
it might be useful to put it in a library.