.test_runner_config.yaml

@@ -27,7 +27,13 @@ steps:
   - make V=0 ${make_target} LOG_COMPILE='gdb -return-child-result -ex run -ex "thread apply all bt" -ex "quit" --args'
   builddep:
   - rm -rf /var/cache/dnf/*
+  - echo "fastestmirror = True" >> /etc/dnf/dnf.conf
+  - echo "max_parallel_downloads = 8" >> /etc/dnf/dnf.conf
+  - echo "timeout = 8" >> /etc/dnf/dnf.conf
+  - echo "retries = 20" >> /etc/dnf/dnf.conf
   - "dnf makecache || :"
+  - dnf makecache
+  - cat /var/cache/dnf/fastestmirror.cache
   - dnf -y module enable nodejs:12
   - dnf builddep -y ${builddep_opts} -D "with_wheels 1" --spec freeipa.spec.in --best --allowerasing --setopt=install_weak_deps=False
   - dnf install -y gdb
@@ -50,6 +56,7 @@ steps:
   - ./autogen.sh
   install_packages:
   - sed -i 's/%_install_langs \(.*\)/\0:fr/g' /etc/rpm/macros.image-language-conf
+  - dnf makecache
   - dnf install -y ${container_working_dir}/dist/rpms/*.rpm --best --allowerasing
   - dnf install -y firewalld
   - systemctl --now enable firewalld

ACI.txt

@@ -99,7 +99,7 @@ aci: (targetattr = "ipaexternalmember")(targetfilter = "(objectclass=ipaexternal
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "member")(targetfilter = "(&(!(cn=admins))(objectclass=ipausergroup))")(version 3.0;acl "permission:System: Modify Group Membership";allow (write) groupdn = "ldap:///cn=System: Modify Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "cn || description || gidnumber || ipauniqueid || mepmanagedby || objectclass")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Modify Groups";allow (write) groupdn = "ldap:///cn=System: Modify Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "cn || description || gidnumber || ipauniqueid || membermanager || mepmanagedby || objectclass")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Modify Groups";allow (write) groupdn = "ldap:///cn=System: Modify Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipaexternalmember")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read External Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: dc=ipa,dc=example
@@ -109,7 +109,7 @@ aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser"
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || gidnumber || memberuid || modifytimestamp || objectclass")(target = "ldap:///cn=groups,cn=*,cn=views,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Group Views Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || mepmanagedby || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
+aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || membermanager || mepmanagedby || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Remove Groups";allow (delete) groupdn = "ldap:///cn=System: Remove Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hbac,dc=ipa,dc=example
@@ -169,11 +169,11 @@ aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:S
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "member")(targetfilter = "(&(!(cn=ipaservers))(objectclass=ipahostgroup))")(version 3.0;acl "permission:System: Modify Hostgroup Membership";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroups";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "cn || description || membermanager")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroups";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "member || memberhost || memberof || memberuser")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || ipauniqueid || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroups";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || ipauniqueid || membermanager || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroups";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=System: Remove Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=views,cn=accounts,dc=ipa,dc=example

API.txt

@@ -1097,7 +1097,7 @@ option: Int('ipasearchrecordslimit?', autofill=False, cli_name='searchrecordslim
 option: Int('ipasearchtimelimit?', autofill=False, cli_name='searchtimelimit')
 option: Str('ipaselinuxusermapdefault?', autofill=False)
 option: Str('ipaselinuxusermaporder?', autofill=False)
-option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'disabled'])
+option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened', u'disabled'])
 option: Str('ipauserobjectclasses*', autofill=False, cli_name='userobjectclasses')
 option: IA5Str('ipausersearchfields?', autofill=False, cli_name='usersearch')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
@@ -1972,6 +1972,18 @@ option: Str('version?')
 output: Output('completed', type=[<type 'int'>])
 output: Output('failed', type=[<type 'dict'>])
 output: Entry('result')
+command: group_add_member_manager/1
+args: 1,6,3
+arg: Str('cn', cli_name='group_name')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Str('group*', alwaysask=True, cli_name='groups')
+option: Flag('no_members', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('user*', alwaysask=True, cli_name='users')
+option: Str('version?')
+output: Output('completed', type=[<type 'int'>])
+output: Output('failed', type=[<type 'dict'>])
+output: Entry('result')
 command: group_del/1
 args: 1,2,3
 arg: Str('cn+', cli_name='group_name')
@@ -1988,7 +2000,7 @@ output: Output('result', type=[<type 'bool'>])
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: group_find/1
-args: 1,30,4
+args: 1,34,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('cn?', autofill=False, cli_name='group_name')
@@ -2001,6 +2013,8 @@ option: Str('in_hbacrule*', cli_name='in_hbacrules')
 option: Str('in_netgroup*', cli_name='in_netgroups')
 option: Str('in_role*', cli_name='in_roles')
 option: Str('in_sudorule*', cli_name='in_sudorules')
+option: Str('membermanager_group*', cli_name='membermanager_groups')
+option: Str('membermanager_user*', cli_name='membermanager_users')
 option: Str('no_group*', cli_name='no_groups')
 option: Flag('no_members', autofill=True, default=True)
 option: Principal('no_service*', cli_name='no_services')
@@ -2011,6 +2025,8 @@ option: Str('not_in_hbacrule*', cli_name='not_in_hbacrules')
 option: Str('not_in_netgroup*', cli_name='not_in_netgroups')
 option: Str('not_in_role*', cli_name='not_in_roles')
 option: Str('not_in_sudorule*', cli_name='not_in_sudorules')
+option: Str('not_membermanager_group*', cli_name='not_membermanager_groups')
+option: Str('not_membermanager_user*', cli_name='not_membermanager_users')
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('posix', autofill=True, cli_name='posix', default=False)
 option: Flag('private', autofill=True, cli_name='private', default=False)
@@ -2057,6 +2073,18 @@ option: Str('version?')
 output: Output('completed', type=[<type 'int'>])
 output: Output('failed', type=[<type 'dict'>])
 output: Entry('result')
+command: group_remove_member_manager/1
+args: 1,6,3
+arg: Str('cn', cli_name='group_name')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Str('group*', alwaysask=True, cli_name='groups')
+option: Flag('no_members', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('user*', alwaysask=True, cli_name='users')
+option: Str('version?')
+output: Output('completed', type=[<type 'int'>])
+output: Output('failed', type=[<type 'dict'>])
+output: Entry('result')
 command: group_show/1
 args: 1,5,3
 arg: Str('cn', cli_name='group_name')
@@ -2442,7 +2470,7 @@ option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
 option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', cli_name='sshpubkey')
-option: Str('krbprincipalauthind*', cli_name='auth_ind')
+option: StrEnum('krbprincipalauthind*', cli_name='auth_ind', values=[u'radius', u'otp', u'pkinit', u'hardened'])
 option: Str('l?', cli_name='locality')
 option: Str('macaddress*')
 option: Flag('no_members', autofill=True, default=False)
@@ -2455,7 +2483,7 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('setattr*', cli_name='setattr')
 option: Certificate('usercertificate*', cli_name='certificate')
 option: Str('userclass*', cli_name='class')
-option: Str('userpassword?', cli_name='password')
+option: HostPassword('userpassword?', cli_name='password')
 option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
@@ -2566,7 +2594,7 @@ output: Output('completed', type=[<type 'int'>])
 output: Output('failed', type=[<type 'dict'>])
 output: Entry('result')
 command: host_find/1
-args: 1,35,4
+args: 1,34,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('description?', autofill=False, cli_name='desc')
@@ -2578,7 +2606,7 @@ option: Str('in_netgroup*', cli_name='in_netgroups')
 option: Str('in_role*', cli_name='in_roles')
 option: Str('in_sudorule*', cli_name='in_sudorules')
 option: Str('ipaassignedidview?', autofill=False)
-option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
+option: StrEnum('krbprincipalauthind*', autofill=False, cli_name='auth_ind', values=[u'radius', u'otp', u'pkinit', u'hardened'])
 option: Str('l?', autofill=False, cli_name='locality')
 option: Str('macaddress*', autofill=False)
 option: Str('man_by_host*', cli_name='man_by_hosts')
@@ -2601,7 +2629,6 @@ option: Int('sizelimit?', autofill=False)
 option: Int('timelimit?', autofill=False)
 option: Certificate('usercertificate*', autofill=False, cli_name='certificate')
 option: Str('userclass*', autofill=False, cli_name='class')
-option: Str('userpassword?', autofill=False, cli_name='password')
 option: Str('version?')
 output: Output('count', type=[<type 'int'>])
 output: ListOfEntries('result')
@@ -2619,7 +2646,7 @@ option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
 option: Bool('ipakrboktoauthasdelegate?', autofill=False, cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
-option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
+option: StrEnum('krbprincipalauthind*', autofill=False, cli_name='auth_ind', values=[u'radius', u'otp', u'pkinit', u'hardened'])
 option: Principal('krbprincipalname*', autofill=False)
 option: Str('l?', autofill=False, cli_name='locality')
 option: Str('macaddress*', autofill=False)
@@ -2634,7 +2661,7 @@ option: Str('setattr*', cli_name='setattr')
 option: Flag('updatedns?', autofill=True, default=False)
 option: Certificate('usercertificate*', autofill=False, cli_name='certificate')
 option: Str('userclass*', autofill=False, cli_name='class')
-option: Str('userpassword?', autofill=False, cli_name='password')
+option: HostPassword('userpassword?', autofill=False, cli_name='password')
 option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
@@ -2709,6 +2736,18 @@ option: Str('version?')
 output: Output('completed', type=[<type 'int'>])
 output: Output('failed', type=[<type 'dict'>])
 output: Entry('result')
+command: hostgroup_add_member_manager/1
+args: 1,6,3
+arg: Str('cn', cli_name='hostgroup_name')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Str('group*', alwaysask=True, cli_name='groups')
+option: Flag('no_members', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('user*', alwaysask=True, cli_name='users')
+option: Str('version?')
+output: Output('completed', type=[<type 'int'>])
+output: Output('failed', type=[<type 'dict'>])
+output: Entry('result')
 command: hostgroup_del/1
 args: 1,2,3
 arg: Str('cn+', cli_name='hostgroup_name')
@@ -2718,7 +2757,7 @@ output: Output('result', type=[<type 'dict'>])
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: ListOfPrimaryKeys('value')
 command: hostgroup_find/1
-args: 1,21,4
+args: 1,25,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('cn?', autofill=False, cli_name='hostgroup_name')
@@ -2729,6 +2768,8 @@ option: Str('in_hbacrule*', cli_name='in_hbacrules')
 option: Str('in_hostgroup*', cli_name='in_hostgroups')
 option: Str('in_netgroup*', cli_name='in_netgroups')
 option: Str('in_sudorule*', cli_name='in_sudorules')
+option: Str('membermanager_group*', cli_name='membermanager_groups')
+option: Str('membermanager_user*', cli_name='membermanager_users')
 option: Str('no_host*', cli_name='no_hosts')
 option: Str('no_hostgroup*', cli_name='no_hostgroups')
 option: Flag('no_members', autofill=True, default=True)
@@ -2736,6 +2777,8 @@ option: Str('not_in_hbacrule*', cli_name='not_in_hbacrules')
 option: Str('not_in_hostgroup*', cli_name='not_in_hostgroups')
 option: Str('not_in_netgroup*', cli_name='not_in_netgroups')
 option: Str('not_in_sudorule*', cli_name='not_in_sudorules')
+option: Str('not_membermanager_group*', cli_name='not_membermanager_groups')
+option: Str('not_membermanager_user*', cli_name='not_membermanager_users')
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Int('sizelimit?', autofill=False)
@@ -2772,6 +2815,18 @@ option: Str('version?')
 output: Output('completed', type=[<type 'int'>])
 output: Output('failed', type=[<type 'dict'>])
 output: Entry('result')
+command: hostgroup_remove_member_manager/1
+args: 1,6,3
+arg: Str('cn', cli_name='hostgroup_name')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Str('group*', alwaysask=True, cli_name='groups')
+option: Flag('no_members', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('user*', alwaysask=True, cli_name='users')
+option: Str('version?')
+output: Output('completed', type=[<type 'int'>])
+output: Output('failed', type=[<type 'dict'>])
+output: Entry('result')
 command: hostgroup_show/1
 args: 1,5,3
 arg: Str('cn', cli_name='hostgroup_name')
@@ -4494,7 +4549,7 @@ option: StrEnum('ipakrbauthzdata*', cli_name='pac_type', values=[u'MS-PAC', u'PA
 option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
 option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
-option: Str('krbprincipalauthind*', cli_name='auth_ind')
+option: StrEnum('krbprincipalauthind*', cli_name='auth_ind', values=[u'radius', u'otp', u'pkinit', u'hardened'])
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('setattr*', cli_name='setattr')
@@ -4630,7 +4685,7 @@ arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: StrEnum('ipakrbauthzdata*', autofill=False, cli_name='pac_type', values=[u'MS-PAC', u'PAD', u'NONE'])
 option: Principal('krbcanonicalname?', autofill=False, cli_name='canonical_principal')
-option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
+option: StrEnum('krbprincipalauthind*', autofill=False, cli_name='auth_ind', values=[u'radius', u'otp', u'pkinit', u'hardened'])
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
 option: Str('man_by_host*', cli_name='man_by_hosts')
 option: Flag('no_members', autofill=True, default=True)
@@ -4654,7 +4709,7 @@ option: StrEnum('ipakrbauthzdata*', autofill=False, cli_name='pac_type', values=
 option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
 option: Bool('ipakrboktoauthasdelegate?', autofill=False, cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, cli_name='requires_pre_auth')
-option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
+option: StrEnum('krbprincipalauthind*', autofill=False, cli_name='auth_ind', values=[u'radius', u'otp', u'pkinit', u'hardened'])
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
@@ -4902,7 +4957,7 @@ option: Str('initials?', autofill=True)
 option: Str('ipasshpubkey*', cli_name='sshpubkey')
 option: Str('ipatokenradiusconfiglink?', cli_name='radius')
 option: Str('ipatokenradiususername?', cli_name='radius_username')
-option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
 option: DateTime('krbpasswordexpiration?', cli_name='password_expiration')
 option: DateTime('krbprincipalexpiration?', cli_name='principal_expiration')
 option: Principal('krbprincipalname*', autofill=True, cli_name='principal')
@@ -5014,7 +5069,7 @@ option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
 option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
 option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
 option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
-option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
 option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration')
 option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration')
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
@@ -5077,7 +5132,7 @@ option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
 option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
 option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
 option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
-option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
 option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration')
 option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration')
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
@@ -5977,7 +6032,7 @@ option: Str('initials?', autofill=True)
 option: Str('ipasshpubkey*', cli_name='sshpubkey')
 option: Str('ipatokenradiusconfiglink?', cli_name='radius')
 option: Str('ipatokenradiususername?', cli_name='radius_username')
-option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
 option: DateTime('krbpasswordexpiration?', cli_name='password_expiration')
 option: DateTime('krbprincipalexpiration?', cli_name='principal_expiration')
 option: Principal('krbprincipalname*', autofill=True, cli_name='principal')
@@ -6106,7 +6161,7 @@ option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
 option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
 option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
 option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
-option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
 option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration')
 option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration')
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
@@ -6172,7 +6227,7 @@ option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
 option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
 option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
 option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
-option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
 option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration')
 option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration')
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
@@ -6740,11 +6795,13 @@ default: env/1
 default: group/1
 default: group_add/1
 default: group_add_member/1
+default: group_add_member_manager/1
 default: group_del/1
 default: group_detach/1
 default: group_find/1
 default: group_mod/1
 default: group_remove_member/1
+default: group_remove_member_manager/1
 default: group_show/1
 default: hbacrule/1
 default: hbacrule_add/1
@@ -6797,10 +6854,12 @@ default: host_show/1
 default: hostgroup/1
 default: hostgroup_add/1
 default: hostgroup_add_member/1
+default: hostgroup_add_member_manager/1
 default: hostgroup_del/1
 default: hostgroup_find/1
 default: hostgroup_mod/1
 default: hostgroup_remove_member/1
+default: hostgroup_remove_member_manager/1
 default: hostgroup_show/1
 default: i18n_messages/1
 default: idoverridegroup/1

Contributors.txt

@@ -15,6 +15,7 @@ Developers:
 	Alexander Bokovoy
 	Alexander Koksharov
 	Alexander Scheel
+	Alexandre Mulatinho
 	Alexey Slaykovsky
 	Amit Kumar
 	Ana Krivokapić
@@ -25,6 +26,8 @@ Developers:
 	Benjamin Drung
 	Brian Cook
 	Brian J. Murrell
+	Cédric Jeanneret
+	Changmin Teng
 	Christian Heimes
 	Christian Hermann
 	David Kreitschmann
@@ -89,6 +92,7 @@ Developers:
 	Martin Nagy
 	Matt Rogers
 	Michael Simacek
+	Michal Polovka
 	Michal Reznik
 	Michal Židek
 	Milan Kubík
@@ -96,6 +100,7 @@ Developers:
 	Nalin Dahyabhai
 	Nathan Kinder
 	Nathaniel McCallum
+	ndehadra
 	Nick Hatch
 	Nikhil Dehadrai
 	Nikolai Kondrashov
@@ -117,6 +122,7 @@ Developers:
 	Petr Špaček
 	Petr Viktorin
 	Petr Voborník
+	Rafael Guterres Jeffman
 	realsobek
 	René Genz
 	Rich Megginson
@@ -128,6 +134,7 @@ Developers:
 	Serhii Tsymbaliuk
 	shanyin
 	Simo Sorce
+	Spencer E. Olson
 	Stanislav Laznicka
 	Stanislav Levin
 	Stephen Gallagher
@@ -144,6 +151,7 @@ Developers:
 	Tibor Dudlák
 	Timo Aaltonen
 	Tomáš Babej
+	Tomas Halman
 	Tomáš Křížek
 	Varun Mylaraiah
 	W. Michael Petullo
@@ -189,6 +197,7 @@ Translators:
 	Jake Li
 	Jérôme Fenal
 	Josef Hruška
+	Manuela Silva
 	Marco Aurélio Krause
 	Martin Bašti
 	Martin Kosek

Makefile.pythonscripts.am

 # special handling of Python scripts with auto-generated shebang line
 $(PYTHON_SHEBANG):%: %.in Makefile
-	$(AM_V_GEN)sed -e 's|^#!/usr/bin/python3.*|#!$(PYTHON) -E|g' $< > $@
+	$(AM_V_GEN)sed -e 's|^#!/usr/bin/python3.*|#!$(PYTHON) -I|g' $< > $@
 	$(AM_V_GEN)chmod +x $@
 
 .PHONY: python_scripts_sub

VERSION.m4

@@ -21,7 +21,7 @@
 ########################################################
 define(IPA_VERSION_MAJOR, 4)
 define(IPA_VERSION_MINOR, 8)
-define(IPA_VERSION_RELEASE, 1)
+define(IPA_VERSION_RELEASE, 2)
 
 ########################################################
 # For 'pre' releases the version will be               #
@@ -86,9 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000)
 #                                                      #
 ########################################################
 define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 233)
-# Last change: Added service_add_smb command
-
+define(IPA_API_VERSION_MINOR, 235)
+# Last change: Add memberManager to groups.
 
 ########################################################
 # Following values are auto-generated from values above

client/man/default.conf.5

@@ -77,6 +77,9 @@ Specifies the hostname of the dogtag CA server. The default is the hostname of t
 .B ca_port <port>
 Specifies the insecure CA end user port. The default is 8080.
 .TP
+.B certmonger_wait_timeout <seconds>
+The time to wait for a certmonger request to complete during installation. The default value is 300 seconds.
+.TP
 .B context <context>
 Specifies the context that IPA is being executed in. IPA may operate differently depending on the context. The current defined contexts are cli and server. Additionally this value is used to load /etc/ipa/\fBcontext\fR.conf to provide context\-specific configuration. For example, if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server, add the verbose option to \fI/etc/ipa/cli.conf\fR.
 .TP
@@ -98,6 +101,9 @@ Specifies whether an IPA client should attempt to fall back and try other servic
 .B host <hostname>
 Specifies the local system hostname.
 .TP
+.B http_timeout <seconds>
+Timeout for HTTP blocking requests (e.g. connection). The default value is 30 seconds.
+.TP
 .B in_server <boolean>
 Specifies whether requests should be forwarded to an IPA server or handled locally. This is used internally by IPA in a similar way as context. The same IPA framework is used by the ipa command\-line tool and the server. This setting tells the framework whether it should execute the command as if on the server or forward it via XML\-RPC to a remote server.
 .TP
@@ -160,6 +166,9 @@ Specifies the name of the CA back end to use. The current options are \fBdogtag\
 .B realm <realm>
 Specifies the Kerberos realm.
 .TP
+.B replication_wait_timeout <seconds>
+The time to wait for a new entry to be replicated during replica installation. The default value is 300 seconds.
+.TP
 .B server <hostname>
 Specifies the IPA Server hostname.
 .TP

client/man/ipa-getkeytab.1

@@ -69,11 +69,11 @@ Valid values depend on the Kerberos library version and configuration.
 Common values are:
 aes256\-cts
 aes128\-cts
-des3\-hmac\-sha1
+aes256\-sha2
+aes128\-sha2
+camellia256\-cts\-cmac
+camellia128\-cts\-cmac
 arcfour\-hmac
-des\-hmac\-sha1
-des\-cbc\-md5
-des\-cbc\-crc
 .TP
 \fB\-s ipaserver\fR
 The IPA server to retrieve the keytab from (FQDN). If this option is not
@@ -88,11 +88,9 @@ This options returns a description of the permitted encryption types, like this:
 Supported encryption types:
 AES\-256 CTS mode with 96\-bit SHA\-1 HMAC
 AES\-128 CTS mode with 96\-bit SHA\-1 HMAC
-Triple DES cbc mode with HMAC/sha1
+AES\-128 CTS mode with 128\-bit SHA\-256 HMAC
+AES\-256 CTS mode with 192\-bit SHA\-384 HMAC
 ArcFour with HMAC/md5
-DES cbc mode with CRC\-32
-DES cbc mode with RSA\-MD5
-DES cbc mode with RSA\-MD4
 .TP
 \fB\-P, \-\-password\fR
 Use this password for the key instead of one randomly generated.
@@ -124,10 +122,10 @@ against a FreeIPA server more recent than version 3.3. The user requesting the
 keytab must have access to the keys for this operation to succeed.
 .SH "EXAMPLES"
 Add and retrieve a keytab for the NFS service principal on
-the host foo.example.com and save it in the file /tmp/nfs.keytab and retrieve just the des\-cbc\-crc key.
+the host foo.example.com and save it in the file /tmp/nfs.keytab and retrieve just the aes256\-sha2 key.
 
 .nf
-   # ipa\-getkeytab \-p nfs/foo.example.com \-k /tmp/nfs.keytab \-e des\-cbc\-crc
+   # ipa\-getkeytab \-p nfs/foo.example.com \-k /tmp/nfs.keytab \-e aes\-sha2
 .fi
 
 Add and retrieve a keytab for the ldap service principal on

configure.ac

@@ -231,6 +231,9 @@ AM_COND_IF([BUILD_IPA_CERTAUTH_PLUGIN], [
                [AC_MSG_WARN([Cannot build IPA KDB certauth plugin])])
 ])
 
+AM_CONDITIONAL([BUILD_IPA_KDCPOLICY_PLUGIN],
+               [test x$have_kdcpolicy_plugin = xyes])
+
 dnl ---------------------------------------------------------------------------
 dnl - Check for program paths
 dnl ---------------------------------------------------------------------------

daemons/ipa-kdb/Makefile.am

@@ -46,6 +46,10 @@ if BUILD_IPA_CERTAUTH_PLUGIN
 ipadb_la_SOURCES += ipa_kdb_certauth.c
 endif
 
+if BUILD_IPA_KDCPOLICY_PLUGIN
+ipadb_la_SOURCES += ipa_kdb_kdcpolicy.c
+endif
+
 ipadb_la_LDFLAGS = 		\
 	-avoid-version 		\
 	-module			\
@@ -85,6 +89,10 @@ if BUILD_IPA_CERTAUTH_PLUGIN
 ipa_kdb_tests_SOURCES += ipa_kdb_certauth.c
 endif
 
+if BUILD_IPA_KDCPOLICY_PLUGIN
+ipa_kdb_tests_SOURCES += ipa_kdb_kdcpolicy.c
+endif
+
 ipa_kdb_tests_CFLAGS = $(CMOCKA_CFLAGS)
 ipa_kdb_tests_LDADD =          \
        $(CMOCKA_LIBS)          \

daemons/ipa-kdb/ipa_kdb.c

@@ -24,6 +24,7 @@
 #include <sys/utsname.h>
 
 #include "ipa_kdb.h"
+#include "ipa_krb5.h"
 
 #define IPADB_GLOBAL_CONFIG_CACHE_TIME 60
 
@@ -193,6 +194,8 @@ static const struct {
     { "password", IPADB_USER_AUTH_PASSWORD },
     { "radius", IPADB_USER_AUTH_RADIUS },
     { "otp", IPADB_USER_AUTH_OTP },
+    { "pkinit", IPADB_USER_AUTH_PKINIT },
+    { "hardened", IPADB_USER_AUTH_HARDENED },
     { }
 };
 
@@ -586,8 +589,9 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
 
     ret = ipadb_get_connection(ipactx);
     if (ret != 0) {
-        /* not a fatal failure, as the LDAP server may be temporarily down */
-        /* TODO: spam syslog with this error */
+        /* Not a fatal failure, as the LDAP server may be temporarily down. */
+        krb5_klog_syslog(LOG_INFO,
+                         "Didn't connect to LDAP on startup: %d", ret);
     }
 
     kerr = krb5_db_set_context(kcontext, ipactx);

daemons/ipa-kdb/ipa_kdb.exports

@@ -4,6 +4,7 @@ EXPORTED {
 	global:
 		kdb_function_table;
 		certauth_ipakdb_initvt;
+		kdcpolicy_ipakdb_initvt;
 
 	# everything else is local
 	local:

daemons/ipa-kdb/ipa_kdb.h

@@ -90,6 +90,8 @@ enum ipadb_user_auth {
   IPADB_USER_AUTH_PASSWORD = 1 << 1,
   IPADB_USER_AUTH_RADIUS   = 1 << 2,
   IPADB_USER_AUTH_OTP      = 1 << 3,
+  IPADB_USER_AUTH_PKINIT   = 1 << 4,
+  IPADB_USER_AUTH_HARDENED = 1 << 5,
 };
 
 struct ipadb_global_config {
@@ -139,6 +141,7 @@ struct ipadb_e_data {
     time_t last_admin_unlock;
     char **authz_data;
     bool has_tktpolaux;
+    enum ipadb_user_auth user_auth;
 };
 
 struct ipadb_context *ipadb_get_context(krb5_context kcontext);

daemons/ipa-kdb/ipa_kdb_audit_as.c

@@ -20,7 +20,6 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
-#include <syslog.h>
 #include "ipa_kdb.h"
 #include "ipa_pwd.h"
 

daemons/ipa-kdb/ipa_kdb_certauth.c

@@ -39,7 +39,6 @@
 
 #include <errno.h>
 //#include <krb5/certauth_plugin.h>
-#include <syslog.h>
 #include <sss_certmap.h>
 
 #include "ipa_krb5.h"

daemons/ipa-kdb/ipa_kdb_kdcpolicy.c

+/*
+ * Copyright (C) 2018  FreeIPA Contributors see COPYING for license
+ */
+
+#include <errno.h>
+#include <syslog.h>
+#include <krb5/kdcpolicy_plugin.h>
+
+#include "ipa_krb5.h"
+#include "ipa_kdb.h"
+
+static krb5_error_code
+ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
+                       const krb5_kdc_req *request,
+                       const krb5_db_entry *client,
+                       const krb5_db_entry *server,
+                       const char *const *auth_indicators,
+                       const char **status, krb5_deltat *lifetime_out,
+                       krb5_deltat *renew_lifetime_out)
+{
+    krb5_error_code kerr;
+    enum ipadb_user_auth ua;
+    struct ipadb_e_data *ied;
+    int valid_auth_indicators = 0;
+
+    *status = NULL;
+    *lifetime_out = 0;
+    *renew_lifetime_out = 0;
+
+    krb5_klog_syslog(LOG_INFO, "IPA kdcpolicy: checking AS-REQ.");
+
+    ied = (struct ipadb_e_data *)client->e_data;
+    if (ied == NULL || ied->magic != IPA_E_DATA_MAGIC) {
+        /* e-data is not availble, getting user auth from LDAP */
+        krb5_klog_syslog(LOG_INFO, "IPA kdcpolicy: client e_data not availble. Try fetching...");
+        kerr = ipadb_get_principal(context, request->client, KRB5_KDB_FLAG_ALIAS_OK, &client);
+        if (kerr != 0) {
+            krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: ipadb_find_principal failed.");
+            return kerr;
+        }
+
+        ied = (struct ipadb_e_data *)client->e_data;
+        if (ied == NULL && ied->magic != IPA_E_DATA_MAGIC) {
+            krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: client e_data fetching failed.");
+            return EINVAL;
+        }
+    }
+
+    ua = ied->user_auth;
+    
+    /* If no mechanisms are set, allow every auth method */
+    if (ua == IPADB_USER_AUTH_NONE) {
+        return 0;
+    }
+
+    /* For each auth indicator, see if it is allowed for that user */
+    for (int i = 0; auth_indicators[i] != NULL; i++) {
+        const char *auth_indicator = auth_indicators[i];
+
+        if (strcmp(auth_indicator, "otp") == 0) {
+            valid_auth_indicators++;
+            if (!(ua & IPADB_USER_AUTH_OTP)) {
+                *status = "OTP pre-authentication not allowed for this user.";
+                return KRB5KDC_ERR_POLICY;
+            }
+        } else if (strcmp(auth_indicator, "radius") == 0) {
+            valid_auth_indicators++;
+            if (!(ua & IPADB_USER_AUTH_RADIUS)) {
+                *status = "OTP pre-authentication not allowed for this user.";
+                return KRB5KDC_ERR_POLICY;
+            }
+        } else if (strcmp(auth_indicator, "pkinit") == 0) {
+            valid_auth_indicators++;
+            if (!(ua & IPADB_USER_AUTH_PKINIT)) {
+                *status = "PKINIT pre-authentication not allowed for this user.";
+                return KRB5KDC_ERR_POLICY;
+            }
+        } else if (strcmp(auth_indicator, "hardened") == 0) {
+            valid_auth_indicators++;
+            /* Allow hardened even if only password pre-auth is allowed */
+            if (!(ua & (IPADB_USER_AUTH_HARDENED | IPADB_USER_AUTH_PASSWORD))) {
+                *status = "Password pre-authentication not not allowed for this user.";
+                return KRB5KDC_ERR_POLICY;
+            }
+        }
+    }
+
+    /* There is no auth indicator assigned for non-hardened password authentication
+     * so we assume password is used when no supported indicator exists */
+    if (!valid_auth_indicators) {
+        if (!(ua & IPADB_USER_AUTH_PASSWORD)) {
+            *status = "Non-hardened password authentication not allowed for this user.";
+            return KRB5KDC_ERR_POLICY;
+        }
+    }
+
+    return 0;
+}
+
+static krb5_error_code
+ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
+                        const krb5_kdc_req *request,
+                        const krb5_db_entry *server,
+                        const krb5_ticket *ticket,
+                        const char *const *auth_indicators,
+                        const char **status, krb5_deltat *lifetime_out,
+                        krb5_deltat *renew_lifetime_out)
+{
+    *status = NULL;
+    *lifetime_out = 0;
+    *renew_lifetime_out = 0;
+
+    krb5_klog_syslog(LOG_INFO, "IPA kdcpolicy: checking TGS-REQ.");
+
+    return 0;
+}
+
+krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context,
+                                        int maj_ver, int min_ver,
+                                        krb5_plugin_vtable vtable)
+{
+    krb5_kdcpolicy_vtable vt;
+
+    if (maj_ver != 1)
+        return KRB5_PLUGIN_VER_NOTSUPP;
+
+    vt = (krb5_kdcpolicy_vtable)vtable;
+    vt->name = "ipakdb";
+    vt->init = NULL;
+    vt->fini = NULL;
+    vt->check_as = ipa_kdcpolicy_check_as;
+    vt->check_tgs = ipa_kdcpolicy_check_tgs;
+    return 0;
+}

daemons/ipa-kdb/ipa_kdb_mspac.c

@@ -25,7 +25,6 @@
 #include "ipa_kdb.h"
 #include "ipa_mspac.h"
 #include <talloc.h>
-#include <syslog.h>
 #include <unicase.h>
 #include "util/time.h"
 #include "gen_ndr/ndr_krb5pac.h"

daemons/ipa-kdb/ipa_kdb_principals.c

@@ -21,6 +21,7 @@
  */
 
 #include "ipa_kdb.h"
+#include "ipa_krb5.h"
 #include <unicase.h>
 
 /*
@@ -318,15 +319,6 @@ static void ipadb_validate_radius(struct ipadb_context *ipactx,
         ldap_value_free_len(vals);
 }
 
-static void ipadb_validate_password(struct ipadb_context *ipactx,
-                                    LDAPMessage *lentry,
-                                    enum ipadb_user_auth *ua)
-{
-    /* If no mechanisms are set, use password. */
-    if (*ua == IPADB_USER_AUTH_NONE)
-        *ua |= IPADB_USER_AUTH_PASSWORD;
-}
-
 static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
                                                 LDAPMessage *lentry)
 {
@@ -354,7 +346,6 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
     /* Perform flag validation. */
     ipadb_validate_otp(ipactx, lentry, &ua);
     ipadb_validate_radius(ipactx, lentry, &ua);
-    ipadb_validate_password(ipactx, lentry, &ua);
 
     return ua;
 }
@@ -554,6 +545,17 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
         return KRB5_KDB_DBNOTINITED;
     }
     lcontext = ipactx->lcontext;
+    if (!lcontext) {
+        krb5_klog_syslog(LOG_INFO,
+                         "No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
+        ret = ipadb_get_connection(ipactx);
+        if (ret != 0) {
+            krb5_klog_syslog(LOG_ERR,
+                             "No LDAP connection on retry in ipadb_parse_ldap_entry()!\n");
+            kerr = KRB5_KDB_INTERNAL_ERROR;
+            goto done;
+        }
+    }
 
     entry->magic = KRB5_KDB_MAGIC_NUMBER;
     entry->len = KRB5_KDB_V1_BASE_LENGTH;
@@ -708,13 +710,6 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
                                       &res_key_data, &result, &mkvno);
     switch (ret) {
     case 0:
-        /* Only set a principal's key if password auth should be used. */
-        if (!(ua & IPADB_USER_AUTH_PASSWORD)) {
-            /* This is the same behavior as ENOENT below. */
-            ipa_krb5_free_key_data(res_key_data, result);
-            break;
-        }
-
         entry->key_data = res_key_data;
         entry->n_key_data = result;
         if (mkvno) {
@@ -851,6 +846,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
         ied->authz_data = authz_data_list;
     }
 
+    ied->user_auth = ua;
+
     /* If enabled, set the otp user string, enabling otp. */
     if (ua & IPADB_USER_AUTH_OTP) {
         kerr = ipadb_set_tl_data(entry, KRB5_TL_STRING_ATTRS,
@@ -1057,7 +1054,7 @@ static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
     struct ipadb_e_data *ied;
 
     config = ipadb_get_global_config(ipactx);
-    if (config->disable_preauth_for_spns) {
+    if (config && config->disable_preauth_for_spns) {
         ied = (struct ipadb_e_data *)entry->e_data;
         if (ied && ied->ipa_user != true) {
             /* not a user, assume SPN */

daemons/ipa-sam/ipa_sam.c

@@ -498,9 +498,24 @@ done:
 	return unix_dn;
 }
 
+/* Samba removed unixid_* helpers in c906153cc7af21abe508ddd30c447642327d6a5d */
+static void ipasam_unixid_from_uid(struct unixid *id, uint32_t some_uid)
+{
+       if (id) {
+               id->id = some_uid;
+               id->type = ID_TYPE_UID;
+       }
+}
 
 
 
+static void ipasam_unixid_from_gid(struct unixid *id, uint32_t some_gid)
+{
+       if (id) {
+               id->id = some_gid;
+               id->type = ID_TYPE_GID;
+       }
+}
 
 static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
 					   LDAPMessage *entry,
@@ -858,7 +873,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
 			goto done;
 		}
 
-		unixid_from_gid(id, strtoul(gid_str, NULL, 10));
+		ipasam_unixid_from_gid(id, strtoul(gid_str, NULL, 10));
 
 		idmap_cache_set_sid2unixid(sid, id);
 
@@ -876,7 +891,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
 		goto done;
 	}
 
-	unixid_from_uid(id, strtoul(value, NULL, 10));
+	ipasam_unixid_from_uid(id, strtoul(value, NULL, 10));
 
 	idmap_cache_set_sid2unixid(sid, id);
 
@@ -964,7 +979,7 @@ static bool ipasam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
 
 	sid_copy(sid, user_sid);
 
-	unixid_from_uid(&id, uid);
+	ipasam_unixid_from_uid(&id, uid);
 
 	idmap_cache_set_sid2unixid(sid, &id);
 
@@ -1080,7 +1095,7 @@ found:
 
 	sid_copy(sid, group_sid);
 
-	unixid_from_gid(&id, gid);
+	ipasam_unixid_from_gid(&id, gid);
 
 	idmap_cache_set_sid2unixid(sid, &id);
 
@@ -3260,7 +3275,7 @@ static int ipasam_get_sid_by_gid(struct ipasam_private *ipasam_state,
 	}
 	sid_copy(_sid, sid);
 
-	unixid_from_gid(&id, gid);
+	ipasam_unixid_from_gid(&id, gid);
 
 	idmap_cache_set_sid2unixid(sid, &id);
 
@@ -3322,7 +3337,7 @@ static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx,
 		}
 	}
 
-	unixid_from_gid(&id, gid);
+	ipasam_unixid_from_gid(&id, gid);
 
 	idmap_cache_set_sid2unixid(group_sid, &id);
 

daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom.h

@@ -35,6 +35,9 @@ enum nss_status {
     NSS_STATUS_RETURN
 };
 
+/* default NSS operation timeout 10s (ipaExtdomMaxNssTimeout) */
+#define DEFAULT_MAX_NSS_TIMEOUT (10*1000)
+
 /* NSS backend operations implemented using either nss_sss.so.2 or libsss_nss_idmap API */
 struct nss_ops_ctx;
 
@@ -42,6 +45,7 @@ int back_extdom_init_context(struct nss_ops_ctx **nss_context);
 void back_extdom_free_context(struct nss_ops_ctx **nss_context);
 void back_extdom_set_timeout(struct nss_ops_ctx *nss_context,
                              unsigned int timeout);
+unsigned int back_extdom_get_timeout(struct nss_ops_ctx *nss_context);
 void back_extdom_evict_user(struct nss_ops_ctx *nss_context,
                             const char *name);
 void back_extdom_evict_group(struct nss_ops_ctx *nss_context,