Initial support for IDM IDM Trust #7679
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
justin-stephenson
force-pushed
the
idm_idm_trust_pr
branch
8 times, most recently
from
85a4fb8 to
1807596
Compare
justin-stephenson
changed the title
justin-stephenson
force-pushed
the
idm_idm_trust_pr
branch
from
1807596 to
4cae067
Compare
justin-stephenson
force-pushed
the
idm_idm_trust_pr
branch
from
4cae067 to
9b4566d
Compare
Thank you Tomas. Would you mind commenting in-line on a couple indentation areas that need to be fixed? I didn't go through every line but I scanned the PR again and couldn't find indentation issues. |
Sure, will do... |
justin-stephenson
force-pushed
the
idm_idm_trust_pr
branch
from
9b4566d to
883ea98
Compare
Thank you for pointing out the indentation issues, I had missed several. They should be fixed now, I resolved each conversation for simplicity but feel free to check back to see if I missed anything. |
|
Hi @thalman @danlavu @sumit-bose Gentle reminder ping about reviewing this PR. |
justin-stephenson
force-pushed
the
idm_idm_trust_pr
branch
from
883ea98 to
d0f3ec5
Compare
|
I'm removing myself as a reviewer; I don't know enough C to provide feedback. |
|
'no-backport' or 'sssd-2-9'? |
justin-stephenson
added
branch: sssd-2-9
branch: sssd-2-10
and removed
no-backport
I added the backport labels. I'm not 100% sure about this but as I understand it we need to backport this IDM subdomain code to allow older clients to resolve trusted IDM users (but IDM servers will need to be on a more recent version to contain the newer trust attributes for IDM IDM Trust) |
|
Ok, but definitely not sssd-2-10 |
|
If it would be backported to 2.9, it needs to be present in 2.10 as well. Any reason why it shouldn't? |
sssd-2-10 is in maintenance mode, bugfixes only (last upstream release - 2.10.2 - planned upcoming weeks). |
|
@sumit-bose Have you noticed any issues when testing this code? |
Similar to AD server/service discovery initialization, Allows callers to provide a service, and not just use "IPA"
IPA subdomain functions often include ad in the name, these functions will now handle IPA and AD subdomains, not only AD.
After b3d7a4f we no longer use the 'upn' variable. During certain codepaths to ipa_s2n_save_objects() SYSDB_UPN is expected to be missing, so no need to check for it.
This gets executed when a one-way or two-way trust ipa is added. Rename this to avoid confusion.
SSSD goes offline in IPA trusted user look due to the IPA user private group:
[ipa_get_ad_acct_ad_part_done] (0x0020): [RID#7] Cannot find a SID.
In IPA-IPA trust, user private groups do not contain a SID. Lookup the
equivalent user object of the same name in IPA and use this SID instead.
Don't fail when processing the IPA user private group retrieved from the IPA server in a trusted user lookup. It is expected this object will have no SID.
justin-stephenson
force-pushed
the
idm_idm_trust_pr
branch
from
d0f3ec5 to
219146b
Compare
|
Rebased, no changes. |
This PR adds support for IDM subdomains, enabling IDM IDM Trust functionality in SSSD. These are building blocks in SSSD to incorporate the IDM IDM Trust feature. Note however that on the freeIPA side development is still ongoing, this means the entire IDM IDM Trust feature (freeIPA + SSSD) is not yet available, and full integration cannot be tested yet. Current testing is being done using COPR packages.