Initial support for IDM IDM Trust #7679
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
justin-stephenson
force-pushed
the
idm_idm_trust_pr
branch
8 times, most recently
from
85a4fb8 to
1807596
Compare
justin-stephenson
changed the title
justin-stephenson
force-pushed
the
idm_idm_trust_pr
branch
from
1807596 to
4cae067
Compare
justin-stephenson
force-pushed
the
idm_idm_trust_pr
branch
from
4cae067 to
9b4566d
Compare
Thank you Tomas. Would you mind commenting in-line on a couple indentation areas that need to be fixed? I didn't go through every line but I scanned the PR again and couldn't find indentation issues. |
Sure, will do... |
justin-stephenson
force-pushed
the
idm_idm_trust_pr
branch
from
9b4566d to
883ea98
Compare
Thank you for pointing out the indentation issues, I had missed several. They should be fixed now, I resolved each conversation for simplicity but feel free to check back to see if I missed anything. |
|
Hi @thalman @danlavu @sumit-bose Gentle reminder ping about reviewing this PR. |
justin-stephenson
force-pushed
the
idm_idm_trust_pr
branch
from
883ea98 to
d0f3ec5
Compare
Similar to AD server/service discovery initialization, Allows callers to provide a service, and not just use "IPA"
IPA subdomain functions often include ad in the name, these functions will now handle IPA and AD subdomains, not only AD.
:feature:SSSD IPA provider now supports IPA subdomains, not only Active Directory. This IPA subdomain support will enable SSSD support of IPA-IPA Trust feature, the full usable feature coming in a later FreeIPA release. Trusted domain configuration options are specified in the 'sssd-ipa' man page.
After b3d7a4f we no longer use the 'upn' variable. During certain codepaths to ipa_s2n_save_objects() SYSDB_UPN is expected to be missing, so no need to check for it.
This gets executed when a one-way or two-way trust ipa is added. Rename this to avoid confusion.
SSSD goes offline in IPA trusted user look due to the IPA user private group:
[ipa_get_ad_acct_ad_part_done] (0x0020): [RID#7] Cannot find a SID.
In IPA-IPA trust, user private groups do not contain a SID. Lookup the
equivalent user object of the same name in IPA and use this SID instead.
Don't fail when processing the IPA user private group retrieved from the IPA server in a trusted user lookup. It is expected this object will have no SID.
justin-stephenson
force-pushed
the
idm_idm_trust_pr
branch
from
f84faff to
48c14d3
Compare
justin-stephenson
added
coverity
alexey-tikhonov
added
coverity
|
Coverity says: snapshot = 88491 But as far as I can tell, that's because this PR wasn't rebased on top of c36c320 |
alexey-tikhonov
added
Ready to push
|
Pushed PR: #7679
|
|
@justin-stephenson, there was a conflict in sssd-2-9. Please open explicit backport PR. |
|
This PR adds support for IDM subdomains, enabling IDM IDM Trust functionality in SSSD. These are building blocks in SSSD to incorporate the IDM IDM Trust feature. Note however that on the freeIPA side development is still ongoing, this means the entire IDM IDM Trust feature (freeIPA + SSSD) is not yet available, and full integration cannot be tested yet. Current testing is being done using COPR packages.