Initial support for IDM IDM Trust by justin-stephenson · Pull Request #7679 · SSSD/sssd

justin-stephenson · 2024-11-01T18:09:05Z

This PR adds support for IDM subdomains, enabling IDM IDM Trust functionality in SSSD. These are building blocks in SSSD to incorporate the IDM IDM Trust feature. Note however that on the freeIPA side development is still ongoing, this means the entire IDM IDM Trust feature (freeIPA + SSSD) is not yet available, and full integration cannot be tested yet. Current testing is being done using COPR packages.

+}
+
+errno_t
+ipa_set_search_bases(struct ipa_options *ipa_opts,


+
 static void
-ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq)
+ipa_get_trusted_acct_part_done(struct tevent_req *subreq)


thalman

Looks good. Nitpicking - You have broken indentation in many places. Maybe some of them are intentional. Please check it.

justin-stephenson · 2024-12-09T19:01:01Z

Looks good. Nitpicking - You have broken indentation in many places. Maybe some of them are intentional. Please check it.

Thank you Tomas. Would you mind commenting in-line on a couple indentation areas that need to be fixed? I didn't go through every line but I scanned the PR again and couldn't find indentation issues.

thalman · 2024-12-17T13:31:23Z

Looks good. Nitpicking - You have broken indentation in many places. Maybe some of them are intentional. Please check it.

Thank you Tomas. Would you mind commenting in-line on a couple indentation areas that need to be fixed? I didn't go through every line but I scanned the PR again and couldn't find indentation issues.

Sure, will do...

thalman

I believe that in some cases you broke the indentation on purpose for better readability. Feel free to resolve those conversations.

justin-stephenson · 2024-12-18T14:51:25Z

I believe that in some cases you broke the indentation on purpose for better readability. Feel free to resolve those conversations.

Thank you for pointing out the indentation issues, I had missed several. They should be fixed now, I resolved each conversation for simplicity but feel free to check back to see if I missed anything.

justin-stephenson · 2025-01-08T16:00:37Z

Hi @thalman @danlavu @sumit-bose Gentle reminder ping about reviewing this PR.

thalman

LGTM, please fix that one indentation.

Similar to AD server/service discovery initialization, Allows callers to provide a service, and not just use "IPA"

IPA subdomain functions often include ad in the name, these functions will now handle IPA and AD subdomains, not only AD.

:feature:SSSD IPA provider now supports IPA subdomains, not only Active Directory. This IPA subdomain support will enable SSSD support of IPA-IPA Trust feature, the full usable feature coming in a later FreeIPA release. Trusted domain configuration options are specified in the 'sssd-ipa' man page.

After b3d7a4f we no longer use the 'upn' variable. During certain codepaths to ipa_s2n_save_objects() SYSDB_UPN is expected to be missing, so no need to check for it.

This gets executed when a one-way or two-way trust ipa is added. Rename this to avoid confusion.

SSSD goes offline in IPA trusted user look due to the IPA user private group: [ipa_get_ad_acct_ad_part_done] (0x0020): [RID#7] Cannot find a SID. In IPA-IPA trust, user private groups do not contain a SID. Lookup the equivalent user object of the same name in IPA and use this SID instead.

Don't fail when processing the IPA user private group retrieved from the IPA server in a trusted user lookup. It is expected this object will have no SID.

alexey-tikhonov · 2025-02-15T10:24:14Z

Coverity says:

Newly Detected: 1

snapshot = 88491

But as far as I can tell, that's because this PR wasn't rebased on top of c36c320

alexey-tikhonov · 2025-02-17T11:37:28Z

Pushed PR: #7679

master
- 3c87b81 - man: IPA subdomain changes to sssd-ipa
- 129b549 - AD: Remove unused AD_AT_TRUST_TYPE attribute
- de4cea5 - ipa s2n: Ignore trusted IPA user private group
- b63321c - Handle missing SID for user private group
- 4eb75cc - ipa: Rename ipa_create_ad_1way_trust_ctx()
- f085fe0 - ipa s2n: Remove check for SYSDB_UPN
- 4378ea6 - ipa: Support ipa subdomain account info requests
- dc7e280 - ipa: Add ipa subdomain provider initialization
- 0862fcb - ipa: Make ipa server ad* functions generic
- 1b0c620 - ad: Combine 1+2way trust options creation functions
- 70daa00 - ipa: Make ipa_service_init() like ad_failover_init()
- 8879cf8 - Rename struct ipa_ad_server_ctx, and add id_ctx union member
- e87cc2c - SYSDB: Store IPA trust type

alexey-tikhonov · 2025-02-17T11:37:51Z

@justin-stephenson, there was a conflict in sssd-2-9. Please open explicit backport PR.

justin-stephenson · 2025-02-17T14:30:15Z

@justin-stephenson, there was a conflict in sssd-2-9. Please open explicit backport PR.

#7842

github-advanced-security AI found potential problems Nov 1, 2024

View reviewed changes

justin-stephenson force-pushed the idm_idm_trust_pr branch 8 times, most recently from 85a4fb8 to 1807596 Compare November 5, 2024 21:19

justin-stephenson changed the title ~~Draft - Initial support for IDM IDM Trust~~ Initial support for IDM IDM Trust Nov 6, 2024

justin-stephenson marked this pull request as ready for review November 6, 2024 16:09

justin-stephenson added the Waiting for review label Nov 6, 2024

andreboscatto assigned thalman, danlavu and sumit-bose Nov 7, 2024

andreboscatto requested review from danlavu, sumit-bose and thalman November 7, 2024 13:39

justin-stephenson force-pushed the idm_idm_trust_pr branch from 1807596 to 4cae067 Compare November 7, 2024 16:58

justin-stephenson force-pushed the idm_idm_trust_pr branch from 4cae067 to 9b4566d Compare December 5, 2024 13:59

thalman reviewed Dec 6, 2024

View reviewed changes

Comment thread src/providers/ipa/ipa_subdomains.h

thalman requested changes Dec 17, 2024

View reviewed changes

justin-stephenson force-pushed the idm_idm_trust_pr branch from 9b4566d to 883ea98 Compare December 18, 2024 14:49

thalman reviewed Jan 10, 2025

View reviewed changes

Comment thread src/providers/ipa/ipa_subdomains_ext_groups.c Outdated

thalman reviewed Jan 10, 2025

View reviewed changes

justin-stephenson force-pushed the idm_idm_trust_pr branch from 883ea98 to d0f3ec5 Compare January 10, 2025 16:14

justin-stephenson added 13 commits February 14, 2025 10:25

SYSDB: Store IPA trust type

52517f3

Rename struct ipa_ad_server_ctx, and add id_ctx union member

9e1f91d

ipa: Make ipa_service_init() like ad_failover_init()

f01c3f5

Similar to AD server/service discovery initialization, Allows callers to provide a service, and not just use "IPA"

ad: Combine 1+2way trust options creation functions

2d87ed0

ipa: Make ipa server ad* functions generic

dd803a9

IPA subdomain functions often include ad in the name, these functions will now handle IPA and AD subdomains, not only AD.

ipa: Support ipa subdomain account info requests

522c93c

ipa s2n: Remove check for SYSDB_UPN

f7f7622

After b3d7a4f we no longer use the 'upn' variable. During certain codepaths to ipa_s2n_save_objects() SYSDB_UPN is expected to be missing, so no need to check for it.

ipa: Rename ipa_create_ad_1way_trust_ctx()

752f175

This gets executed when a one-way or two-way trust ipa is added. Rename this to avoid confusion.

ipa s2n: Ignore trusted IPA user private group

aa088e1

Don't fail when processing the IPA user private group retrieved from the IPA server in a trusted user lookup. It is expected this object will have no SID.

AD: Remove unused AD_AT_TRUST_TYPE attribute

409ca34

man: IPA subdomain changes to sssd-ipa

48c14d3

justin-stephenson force-pushed the idm_idm_trust_pr branch from f84faff to 48c14d3 Compare February 14, 2025 15:26

justin-stephenson added coverity Trigger a coverity scan and removed coverity Trigger a coverity scan labels Feb 14, 2025

alexey-tikhonov added coverity Trigger a coverity scan and removed coverity Trigger a coverity scan labels Feb 15, 2025

alexey-tikhonov added Ready to push and removed Ready to push backport-to-sssd-2-9 labels Feb 15, 2025

alexey-tikhonov added Pushed and removed Accepted Ready to push labels Feb 17, 2025

alexey-tikhonov closed this Feb 17, 2025

Conversation

justin-stephenson commented Nov 1, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Check warning

Check warning

thalman left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

justin-stephenson commented Dec 9, 2024

Uh oh!

thalman commented Dec 17, 2024

Uh oh!

thalman left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

justin-stephenson commented Dec 18, 2024

Uh oh!

justin-stephenson commented Jan 8, 2025

Uh oh!

Uh oh!

thalman left a comment

Choose a reason for hiding this comment

Uh oh!

alexey-tikhonov commented Feb 15, 2025

Uh oh!

alexey-tikhonov commented Feb 17, 2025

Uh oh!

alexey-tikhonov commented Feb 17, 2025

Uh oh!

justin-stephenson commented Feb 17, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

justin-stephenson commented Nov 1, 2024 •

edited

Loading