Hi!

On Tue, 16 Jul 2013, Jakub Hrozek wrote:
+AC_ARG_WITH(sss_nss_idmap,
+           AS_HELP_STRING([--with-sss-nss-idmap], [use libsss_nss_idmap]),
+           use_sss_nss_idmap=$withval,use_sss_nss_idmap=AUTO)
+if pkg-config sss_nss_idmap 2> /dev/null ; then
+           if test x$use_sss_nss_idmap != xno ; then
+               AC_DEFINE(HAVE_SSS_NSS_IDMAP,1,[Define if you have 
libsss_nss_idmap.])
+               PKG_CHECK_MODULES(SSS_NSS_IDMAP,sss_nss_idmap)
+           else
+               SSS_NSS_IDMAP_CFLAGS=
+               SSS_NSS_IDMAP_LIBS=
+           fi
+else
+       if test $use_sss_idmap = yes ; then
+               PKG_CHECK_MODULES(SSS_NSS_IDMAP,sss_nss_idmap)
+       else
+               SSS_NSS_IDMAP_CFLAGS=
+               SSS_NSS_IDMAP_LIBS=
+       fi
+fi
+AM_CONDITIONAL([SSS_NSS_IDMAP], [test x$SSS_NSS_IDMAP_LIBS != x])
+AC_SUBST(SSS_NSS_IDMAP_CFLAGS)
+AC_SUBST(SSS_NSS_IDMAP_LIBS)
+
+if x$SSS_NSS_IDMAP_LIBS != x ; then


I think you should use test or square brackets here, otherwise I'm
seeing:

checking for SSS_NSS_IDMAP... yes
./configure: line 12952: x-lsss_nss_idmap: command not found
Thanks, added 'test ...'


+       AC_CHECK_HEADERS(pam.h)

I don't see any pam.h in pam-devel RPM. In SSSD we look for
security/pam_appl.h
Right. Fixed.

--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -51,6 +51,7 @@ nisserver_plugin_la_LIBADD = $(LDAP_LIBS) $(RUNTIME_LIBS) 
$(TIRPC_LIBS) $(LIBWRA

 schemacompat_plugin_la_SOURCES = \
        back-sch.c \
+       back-sch.h \

This file is only added in the second patch, so maybe the whole
Makefile.am hunk should be moved there.
Yes, moved to the second patch.

New patchset is attached.
--
/ Alexander Bokovoy
>From 3e413ce8f71f28b9fd58eb6cd391fd4c3e9cc7fd Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Tue, 16 Jul 2013 13:17:03 +0300
Subject: [PATCH 1/2] configure: add configure checks for sss_idmap and define 
 attribute to lookup sssd

If schema compat plugin configuration has 'schema-compat-lookup-sssd: 
user|group'
then schema compat plugin will perform lookups of users/groups that were not 
found
in the main store using getpwnam_r()/getgrnam_r() and libsss_idmap library.

This is special case to support legacy clients. Schema compat plugin in the
case is assumed to be running on FreeIPA master configured with trusts against
Active Directory and SSSD configure as ipa_server_mode = True.

Additionally, such entries are added to schema compat plugin's map cache and can
be used for authentication purposes. They will use PAM authentication 
pass-through
to system-auth service.
---
 configure.ac | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/configure.ac b/configure.ac
index 8d7cbe1..aac52e2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -309,6 +309,47 @@ AC_SUBST(ASYNCNS_CFLAGS)
 AC_SUBST(ASYNCNS_LIBS)
 fi
 
+AC_ARG_WITH(sss_nss_idmap,
+           AS_HELP_STRING([--with-sss-nss-idmap], [use libsss_nss_idmap]),
+           use_sss_nss_idmap=$withval,use_sss_nss_idmap=AUTO)
+if pkg-config sss_nss_idmap 2> /dev/null ; then
+           if test x$use_sss_nss_idmap != xno ; then
+               AC_DEFINE(HAVE_SSS_NSS_IDMAP,1,[Define if you have 
libsss_nss_idmap.])
+               PKG_CHECK_MODULES(SSS_NSS_IDMAP,sss_nss_idmap)
+           else
+               SSS_NSS_IDMAP_CFLAGS=
+               SSS_NSS_IDMAP_LIBS=
+           fi
+else
+       if test $use_sss_idmap = yes ; then
+               PKG_CHECK_MODULES(SSS_NSS_IDMAP,sss_nss_idmap)
+       else
+               SSS_NSS_IDMAP_CFLAGS=
+               SSS_NSS_IDMAP_LIBS=
+       fi
+fi
+AM_CONDITIONAL([SSS_NSS_IDMAP], [test x$SSS_NSS_IDMAP_LIBS != x])
+AC_SUBST(SSS_NSS_IDMAP_CFLAGS)
+AC_SUBST(SSS_NSS_IDMAP_LIBS)
+
+if test x$SSS_NSS_IDMAP_LIBS != x ; then
+       AC_CHECK_HEADERS(security/pam_appl.h)
+       if test x$ac_cv_header_pam_h = xno ; then
+               use_pam=yes
+       else
+               use_pam=no
+       fi
+
+       if test $use_pam = yes ; then
+               PAM_CFLAGS=
+               PAM_LIBS=-lpam
+       else
+               AC_ERROR([<security/pam_appl.h> not found and it is required 
for SSSD mode])
+       fi
+       AC_SUBST(PAM_CFLAGS)
+       AC_SUBST(PAM_LIBS)
+fi
+
 mylibdir=`eval echo "$libdir" | sed "s,NONE,${ac_default_prefix},g"`
 mylibdir=`eval echo "$mylibdir" | sed "s,NONE,${ac_prefix},g"`
 case "$server" in
@@ -401,6 +442,13 @@ 
AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_RDN_ATTR,"$rdnattr",
 attrattr=schema-compat-entry-attribute
 AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_ATTR_ATTR,"$attrattr",
                   [Define to name of the attribute which is used to specify 
attributes to be used when constructing entries.])
+sssdattr=schema-compat-lookup-sssd
+AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_SSSD_ATTR,"$sssdattr",
+                  [Define to name of the attribute which dictates whether or 
not SSSD on FreeIPA master is consulted about trusted domains' users.])
+sssdminidattr=schema-compat-sssd-min-id
+AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_SSSD_MIN_ID_ATTR,"$sssdminidattr",
+                  [Define to name of the attribute which is used to define 
lower bound of IDs (uid or gid) looked up through sssd. Everything below is not 
considered belonging to trusted domains.])
+
 
 maxvalue_attr=nis-max-value-size
 AC_DEFINE_UNQUOTED(NIS_PLUGIN_CONFIGURATION_MAXVALUE_ATTR,"$maxvalue_attr",
-- 
1.8.3.1

>From c22dadee3cbbada2763e364e64669e211c456424 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Tue, 16 Jul 2013 13:18:35 +0300
Subject: [PATCH 2/2] schema-compat: add support for querying trusted domain 
 users through SSSD

src/back-sch-sssd.c implements interface to query trusted domain users
and groups on FreeIPA master server via getpwnam_r(), getgrnam_r(),
and libsss_idmap.

src/back-sch-pam.c implements PAM authentication for trusted domain users
using system-auth system service when running on FreeIPA master server.

Schema-compat plugin can be configured to serve trusted domain users
and groups through the plugin configuration entry in directory server:

schema-compat-lookup-sssd: <user|group>
schema-compat-sssd-min-id: <value>

Separate trees should be configured to look up users and groups.
If minimal id value is missing, it will be by default set to 1000.
---
 src/Makefile.am     |   6 +
 src/back-sch-pam.c  | 361 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/back-sch-sssd.c | 335 ++++++++++++++++++++++++++++++++++++++++++++++++
 src/back-sch.c      | 242 ++++++++++++++++++++++++++++-------
 src/back-sch.h      |  83 ++++++++++++
 5 files changed, 982 insertions(+), 45 deletions(-)
 create mode 100644 src/back-sch-pam.c
 create mode 100644 src/back-sch-sssd.c
 create mode 100644 src/back-sch.h

diff --git a/src/Makefile.am b/src/Makefile.am
index 6c8666b..59b6948 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -51,6 +51,7 @@ nisserver_plugin_la_LIBADD = $(LDAP_LIBS) $(RUNTIME_LIBS) 
$(TIRPC_LIBS) $(LIBWRA
 
 schemacompat_plugin_la_SOURCES = \
        back-sch.c \
+       back-sch.h \
        backend.h \
        back-shr.c \
        back-shr.h \
@@ -64,6 +65,11 @@ schemacompat_plugin_la_SOURCES = \
        wrap.h
 schemacompat_plugin_la_LIBADD = $(LDAP_LIBS) $(RUNTIME_LIBS) $(LIBPTHREAD) 
$(CONFIGURED_LINK_FLAGS)
 
+if SSS_NSS_IDMAP
+schemacompat_plugin_la_SOURCES += back-sch-sssd.c back-sch-pam.c
+schemacompat_plugin_la_LIBADD += $(SSS_NSS_IDMAP_LIBS) $(PAM_LIBS)
+endif
+
 noinst_LTLIBRARIES = dummy-nis-plugin.la
 dummy_nis_plugin_la_SOURCES = \
        disp-nis.c \
diff --git a/src/back-sch-pam.c b/src/back-sch-pam.c
new file mode 100644
index 0000000..3266261
--- /dev/null
+++ b/src/back-sch-pam.c
@@ -0,0 +1,361 @@
+/** BEGIN COPYRIGHT BLOCK
+ * This Program is free software; you can redistribute it and/or modify it 
under
+ * the terms of the GNU General Public License as published by the Free 
Software
+ * Foundation; version 2 of the License.
+ *
+ * This Program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 
FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more 
details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place, Suite 330, Boston, MA 02111-1307 USA.
+ *
+ * In addition, as a special exception, Red Hat, Inc. gives You the additional
+ * right to link the code of this Program with code not covered under the GNU
+ * General Public License ("Non-GPL Code") and to distribute linked 
combinations
+ * including the two, subject to the limitations in this paragraph. Non-GPL 
Code
+ * permitted under this exception must only link to the code of this Program
+ * through those well defined interfaces identified in the file named EXCEPTION
+ * found in the source code files (the "Approved Interfaces"). The files of
+ * Non-GPL Code may instantiate templates or use macros or inline functions 
from
+ * the Approved Interfaces without causing the resulting work to be covered by
+ * the GNU General Public License. Only Red Hat, Inc. may make changes or
+ * additions to the list of Approved Interfaces. You must obey the GNU General
+ * Public License in all respects for all of the Program code and other code 
used
+ * in conjunction with the Program except the Non-GPL Code covered by this
+ * exception. If you modify this file, you may extend this exception to your
+ * version of the file, but you are not obligated to do so. If you do not wish 
to
+ * provide this exception without modification, you must delete this exception
+ * statement from your version and license this file solely under the GPL 
without
+ * exception.
+ *
+ *
+ * Copyright (C) 2005 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <sys/types.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#ifdef HAVE_DIRSRV_SLAPI_PLUGIN_H
+#include <nspr.h>
+#include <nss.h>
+#include <dirsrv/slapi-plugin.h>
+#else
+#include <slapi-plugin.h>
+#endif
+
+
+#include <security/pam_appl.h>
+
+/*
+ * PAM is not thread safe.  We have to execute any PAM API calls in
+ * a critical section.  This is the lock that protects that code.
+ */
+static Slapi_Mutex *PAMLock = NULL;
+
+/* Utility struct to wrap strings to avoid mallocs if possible - use
+   stack allocated string space */
+#define MY_STATIC_BUF_SIZE 256
+typedef struct my_str_buf {
+       char fixbuf[MY_STATIC_BUF_SIZE];
+       char *str;
+} MyStrBuf;
+
+static char *
+init_my_str_buf(MyStrBuf *buf, const char *s)
+{
+       PR_ASSERT(buf);
+       if (s && (strlen(s) < sizeof(buf->fixbuf))) {
+               strcpy(buf->fixbuf, s);
+               buf->str = buf->fixbuf;
+       } else {
+               buf->str = slapi_ch_strdup(s);
+               buf->fixbuf[0] = 0;
+       }
+
+       return buf->str;
+}
+
+static void
+delete_my_str_buf(MyStrBuf *buf)
+{
+       if (buf->str != buf->fixbuf) {
+               slapi_ch_free_string(&(buf->str));
+       }
+}
+
+/* for third arg to pam_start */
+struct my_pam_conv_str {
+       Slapi_PBlock *pb;
+       char *pam_identity;
+};
+
+/* returns a berval value as a null terminated string */
+static char *strdupbv(struct berval *bv)
+{
+       char *str = slapi_ch_malloc(bv->bv_len+1);
+       memcpy(str, bv->bv_val, bv->bv_len);
+       str[bv->bv_len] = 0;
+       return str;
+}
+
+static void
+free_pam_response(int nresp, struct pam_response *resp)
+{
+       int ii;
+       for (ii = 0; ii < nresp; ++ii) {
+               if (resp[ii].resp) {
+                       slapi_ch_free((void **)&(resp[ii].resp));
+               }
+       }
+       slapi_ch_free((void **)&resp);
+}
+
+/*
+ * This is the conversation function passed into pam_start().  This is what 
sets the password
+ * that PAM uses to authenticate.  This function is sort of stupid - it 
assumes all echo off
+ * or binary prompts are for the password, and other prompts are for the 
username.  Time will
+ * tell if this is actually the case.
+ */
+static int
+pam_conv_func(int num_msg, const struct pam_message **msg, struct pam_response 
**resp, void *mydata)
+{
+       int ii;
+       struct berval *creds;
+       struct my_pam_conv_str *my_data = (struct my_pam_conv_str *)mydata;
+    struct pam_response *reply;
+       int ret = PAM_SUCCESS;
+
+    if (num_msg <= 0) {
+               return PAM_CONV_ERR;
+       }
+
+       /* empty reply structure */
+    reply = (struct pam_response *)slapi_ch_calloc(num_msg,
+                                                                               
  sizeof(struct pam_response));
+       slapi_pblock_get( my_data->pb, SLAPI_BIND_CREDENTIALS, &creds ); /* the 
password */
+       for (ii = 0; ii < num_msg; ++ii) {
+               /* hard to tell what prompt is for . . . */
+               /* assume prompts for password are either BINARY or ECHO_OFF */
+               if (msg[ii]->msg_style == PAM_PROMPT_ECHO_OFF) {
+                       reply[ii].resp = strdupbv(creds);
+#ifdef LINUX
+               } else if (msg[ii]->msg_style == PAM_BINARY_PROMPT) {
+                       reply[ii].resp = strdupbv(creds);
+#endif
+               } else if (msg[ii]->msg_style == PAM_PROMPT_ECHO_ON) { /* 
assume username */
+                       reply[ii].resp = slapi_ch_strdup(my_data->pam_identity);
+               } else if (msg[ii]->msg_style == PAM_ERROR_MSG) {
+               } else if (msg[ii]->msg_style == PAM_TEXT_INFO) {
+               } else {
+                       ret = PAM_CONV_ERR;
+               }
+       }
+
+       if (ret == PAM_CONV_ERR) {
+               free_pam_response(num_msg, reply);
+               reply = NULL;
+       }
+
+       *resp = reply;
+
+       return ret;
+}
+
+/*
+ * Do the actual work of authenticating with PAM. First, get the PAM identity
+ * based on the method used to convert the BIND identity to the PAM identity.
+ * Set up the structures that pam_start needs and call pam_start().  After
+ * that, call pam_authenticate and pam_acct_mgmt.  Check the various return
+ * values from these functions and map them to their corresponding LDAP BIND
+ * return values.  Return the appropriate LDAP error code.
+ * This function will also set the appropriate LDAP response controls in
+ * the given pblock.
+ * Since this function can be called multiple times, we only want to return
+ * the errors and controls to the user if this is the final call, so the
+ * final_method parameter tells us if this is the last one.  Coupled with
+ * the fallback argument, we can tell if we are able to send the response
+ * back to the client.
+ */
+static int
+do_pam_auth(
+       Slapi_PBlock *pb,
+       char *pam_service, /* name of service for pam_start() */
+       int pw_response_requested, /* do we need to send pwd policy resp 
control */
+       Slapi_Entry *entry
+)
+{
+       MyStrBuf pam_id;
+       const char *binddn = NULL;
+       Slapi_DN *bindsdn = NULL;
+       int rc = PAM_SUCCESS;
+       int retcode = LDAP_SUCCESS;
+       pam_handle_t *pam_handle;
+       struct my_pam_conv_str my_data;
+       struct pam_conv my_pam_conv = {pam_conv_func, NULL};
+       char *errmsg = NULL; /* free with PR_smprintf_free */
+
+       slapi_pblock_get( pb, SLAPI_BIND_TARGET_SDN, &bindsdn );
+       if (NULL == bindsdn) {
+               errmsg = PR_smprintf("Null bind dn");
+               retcode = LDAP_OPERATIONS_ERROR;
+               pam_id.str = NULL; /* initialize pam_id.str */
+               goto done; /* skip the pam stuff */
+       }
+       binddn = slapi_sdn_get_dn(bindsdn);
+
+       char *val = slapi_entry_attr_get_charptr(entry, "uid");
+       init_my_str_buf(&pam_id, val);
+       slapi_ch_free_string(&val);
+
+       if (!pam_id.str) {
+               errmsg = PR_smprintf("Bind DN [%s] is invalid or not found", 
binddn);
+               retcode = LDAP_NO_SUCH_OBJECT; /* user unknown */
+               goto done; /* skip the pam stuff */
+       }
+
+       /* do the pam stuff */
+       my_data.pb = pb;
+       my_data.pam_identity = pam_id.str;
+       my_pam_conv.appdata_ptr = &my_data;
+       slapi_lock_mutex(PAMLock);
+       /* from this point on we are in the critical section */
+       rc = pam_start(pam_service, pam_id.str, &my_pam_conv, &pam_handle);
+
+       if (rc == PAM_SUCCESS) {
+               /* use PAM_SILENT - there is no user interaction at this point 
*/
+               rc = pam_authenticate(pam_handle, 0);
+               /* check different types of errors here */
+               if (rc == PAM_USER_UNKNOWN) {
+                       errmsg = PR_smprintf("User id [%s] for bind DN [%s] 
does not exist in PAM",
+                                                                pam_id.str, 
binddn);
+                       retcode = LDAP_NO_SUCH_OBJECT; /* user unknown */
+               } else if (rc == PAM_AUTH_ERR) {
+                       errmsg = PR_smprintf("Invalid PAM password for user id 
[%s], bind DN [%s]",
+                                                                pam_id.str, 
binddn);
+                       retcode = LDAP_INVALID_CREDENTIALS; /* invalid creds */
+               } else if (rc == PAM_MAXTRIES) {
+                       errmsg = PR_smprintf("Authentication retry limit 
exceeded in PAM for "
+                                                                "user id [%s], 
bind DN [%s]",
+                                                                pam_id.str, 
binddn);
+                       if (pw_response_requested) {
+                               slapi_pwpolicy_make_response_control(pb, -1, 
-1, LDAP_PWPOLICY_ACCTLOCKED);
+                       }
+                       retcode = LDAP_CONSTRAINT_VIOLATION; /* max retries */
+               } else if (rc != PAM_SUCCESS) {
+                       errmsg = PR_smprintf("Unknown PAM error [%s] for user 
id [%s], bind DN [%s]",
+                                                                
pam_strerror(pam_handle, rc), pam_id.str, binddn);
+                       retcode = LDAP_OPERATIONS_ERROR; /* pam config or 
network problem */
+               }
+       }
+
+       /* if user authenticated successfully, see if there is anything we need
+          to report back w.r.t. password or account lockout */
+       if (rc == PAM_SUCCESS) {
+               rc = pam_acct_mgmt(pam_handle, 0);
+               /* check different types of errors here */
+               if (rc == PAM_USER_UNKNOWN) {
+                       errmsg = PR_smprintf("User id [%s] for bind DN [%s] 
does not exist in PAM",
+                                                                pam_id.str, 
binddn);
+                       retcode = LDAP_NO_SUCH_OBJECT; /* user unknown */
+               } else if (rc == PAM_AUTH_ERR) {
+                       errmsg = PR_smprintf("Invalid PAM password for user id 
[%s], bind DN [%s]",
+                                                                pam_id.str, 
binddn);
+                       retcode = LDAP_INVALID_CREDENTIALS; /* invalid creds */
+               } else if (rc == PAM_PERM_DENIED) {
+                       errmsg = PR_smprintf("Access denied for PAM user id 
[%s], bind DN [%s]"
+                                                                " - see 
administrator",
+                                                                pam_id.str, 
binddn);
+                       if (pw_response_requested) {
+                               slapi_pwpolicy_make_response_control(pb, -1, 
-1, LDAP_PWPOLICY_ACCTLOCKED);
+                       }
+                       retcode = LDAP_UNWILLING_TO_PERFORM;
+               } else if (rc == PAM_ACCT_EXPIRED) {
+                       errmsg = PR_smprintf("Expired PAM password for user id 
[%s], bind DN [%s]: "
+                                                                "reset 
required",
+                                                                pam_id.str, 
binddn);
+                       slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
+                       if (pw_response_requested) {
+                               slapi_pwpolicy_make_response_control(pb, -1, 
-1, LDAP_PWPOLICY_PWDEXPIRED);
+                       }
+                       retcode = LDAP_INVALID_CREDENTIALS;
+               } else if (rc == PAM_NEW_AUTHTOK_REQD) { /* handled same way as 
ACCT_EXPIRED */
+                       errmsg = PR_smprintf("Expired PAM password for user id 
[%s], bind DN [%s]: "
+                                                                "reset 
required",
+                                                                pam_id.str, 
binddn);
+                       slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
+                       if (pw_response_requested) {
+                               slapi_pwpolicy_make_response_control(pb, -1, 
-1, LDAP_PWPOLICY_PWDEXPIRED);
+                       }
+                       retcode = LDAP_INVALID_CREDENTIALS;
+               } else if (rc != PAM_SUCCESS) {
+                       errmsg = PR_smprintf("Unknown PAM error [%s] for user 
id [%s], bind DN [%s]",
+                                                                
pam_strerror(pam_handle, rc), pam_id.str, binddn);
+                       retcode = LDAP_OPERATIONS_ERROR; /* unknown */
+               }
+       }
+
+       rc = pam_end(pam_handle, rc);
+       slapi_unlock_mutex(PAMLock);
+       /* not in critical section any more */
+
+done:
+       delete_my_str_buf(&pam_id);
+
+       if ((retcode == LDAP_SUCCESS) && (rc != PAM_SUCCESS)) {
+               errmsg = PR_smprintf("Unknown PAM error [%d] for user id [%s], 
bind DN [%s]",
+                                                        rc, pam_id.str, 
binddn);
+               retcode = LDAP_OPERATIONS_ERROR;
+       }
+
+       if (retcode != LDAP_SUCCESS) {
+               slapi_send_ldap_result(pb, retcode, NULL, errmsg, 0, NULL);
+       }
+
+       if (errmsg) {
+               PR_smprintf_free(errmsg);
+       }
+
+       return retcode;
+}
+
+/*
+ * Entry point into the PAM auth code.  Shields the rest of the app
+ * from PAM API code.  Get our config params, then call the actual
+ * code that does the PAM auth.  Can call that code up to 3 times,
+ * depending on what methods are set in the config.
+ */
+int
+backend_sch_do_pam_auth(Slapi_PBlock *pb, Slapi_Entry *entry)
+{
+       int rc = LDAP_SUCCESS;
+       MyStrBuf pam_service; /* avoid malloc if possible */
+       int pw_response_requested;
+       LDAPControl **reqctrls = NULL;
+
+       if (!PAMLock && !(PAMLock = slapi_new_mutex())) {
+               return LDAP_LOCAL_ERROR;
+       }
+
+       init_my_str_buf(&pam_service, "system-auth");
+
+       slapi_pblock_get (pb, SLAPI_REQCONTROLS, &reqctrls);
+       slapi_pblock_get (pb, SLAPI_PWPOLICY, &pw_response_requested);
+
+       /* figure out which method is the last one - we only return error 
codes, controls
+          to the client and send a response on the last method */
+
+       rc = do_pam_auth(pb, pam_service.str, pw_response_requested, entry);
+
+       delete_my_str_buf(&pam_service);
+
+       return rc;
+}
diff --git a/src/back-sch-sssd.c b/src/back-sch-sssd.c
new file mode 100644
index 0000000..8168675
--- /dev/null
+++ b/src/back-sch-sssd.c
@@ -0,0 +1,335 @@
+/*
+ * Copyright 2008,2009,2010,2011,2012 Red Hat, Inc.
+ *
+ * This Program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This Program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this Program; if not, write to the
+ *
+ *   Free Software Foundation, Inc.
+ *   59 Temple Place, Suite 330
+ *   Boston, MA 02111-1307 USA
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <sys/types.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
+
+#ifdef HAVE_DIRSRV_SLAPI_PLUGIN_H
+#include <nspr.h>
+#include <nss.h>
+#include <dirsrv/slapi-plugin.h>
+#else
+#include <slapi-plugin.h>
+#endif
+
+#include <rpc/xdr.h>
+#include <sss_nss_idmap.h>
+
+#include "backend.h"
+#include "back-shr.h"
+#include "plugin.h"
+#include "map.h"
+#include "back-sch.h"
+
+struct backend_search_filter_config {
+       bool_t search_user;
+       bool_t search_group;
+       bool_t search_uid;
+       bool_t search_gid;
+       bool_t name_set;
+       char   *name;
+};
+
+/* Check simple filter to see if it has
+ * (cn|uid|uidNumber|gidNumber=<value>) or (objectClass=posixGroup)
+ * Called by slapi_filter_apply(). */
+static int
+backend_search_filter_has_cn_uid(Slapi_Filter *filter, void *arg)
+{
+       struct backend_search_filter_config *config = arg;
+       struct berval *bval;
+       char *filter_type;
+       int f_choice, rc;
+
+       f_choice = slapi_filter_get_choice(filter);
+       rc = slapi_filter_get_ava(filter, &filter_type, &bval);
+       if ((LDAP_FILTER_EQUALITY == f_choice) && (0 == rc)) {
+               if (0 == strcasecmp(filter_type, "uidNumber")) {
+                       config->search_uid = TRUE;
+                       config->name_set = TRUE;
+               } else if (0 == strcasecmp(filter_type, "gidNumber")) {
+                       config->search_gid = TRUE;
+                       config->name_set = TRUE;
+               } else if (0 == strcasecmp(filter_type, "uid")) {
+                       config->search_user = TRUE;
+                       config->name_set = TRUE;
+               } else if (0 == strcasecmp(filter_type, "cn")) {
+                       config->name_set = TRUE;
+               } else if ((0 == strcasecmp(filter_type, "objectClass")) &&
+                          (0 == strcasecmp(bval->bv_val, "posixGroup"))) {
+                       config->search_group = TRUE;
+               }
+
+               if ((NULL == config->name) && config->name_set) {
+                       config->name = bval->bv_val;
+               }
+       }
+
+       if ((config->search_uid ||
+            config->search_gid ||
+            config->search_user ||
+            config->search_group) && (config->name != NULL)) {
+               return SLAPI_FILTER_SCAN_STOP;
+       }
+       return SLAPI_FILTER_SCAN_CONTINUE;
+}
+
+static Slapi_Entry *
+backend_retrieve_user_entry_from_sssd(char *user_name, bool_t is_uid,
+                                struct backend_set_data *set_data,
+                                struct backend_search_cbdata *cbdata)
+{
+       struct passwd pwd, *result;
+       Slapi_Entry *entry;
+       int rc;
+       enum sss_id_type id_type;
+       char *sid_str;
+
+       if (set_data->sssd_buffer == NULL) {
+               return NULL;
+       }
+
+       if (is_uid) {
+               rc = getpwuid_r(atoi(user_name), &pwd,
+                               set_data->sssd_buffer,
+                               set_data->sssd_buffer_len, &result);
+       } else {
+               rc = getpwnam_r(user_name, &pwd,
+                               set_data->sssd_buffer,
+                               set_data->sssd_buffer_len, &result);
+       }
+       if ((result == NULL) || (rc != 0)) {
+               return NULL;
+       }
+
+       if (pwd.pw_uid < cbdata->sssd_min_id) {
+               return NULL;
+       }
+
+       entry = slapi_entry_alloc();
+       if (entry == NULL) {
+               return NULL;
+       }
+
+       slapi_entry_add_string(entry,
+                              "objectClass", "top");
+       slapi_entry_add_string(entry,
+                              "objectClass", "posixAccount");
+       slapi_entry_add_string(entry,
+                              "objectClass", "extensibleObject");
+       slapi_entry_add_string(entry,
+                              "uid", user_name);
+       slapi_entry_attr_set_int(entry,
+                                "uidNumber", pwd.pw_uid);
+       slapi_entry_attr_set_int(entry,
+                                "gidNumber", pwd.pw_gid);
+       slapi_entry_add_string(entry,
+                              "gecos", pwd.pw_gecos);
+       if (strlen(pwd.pw_gecos) > 0) {
+               slapi_entry_add_string(entry,
+                                      "cn", pwd.pw_gecos);
+       } else {
+               slapi_entry_add_string(entry,
+                                      "cn", user_name);
+       }
+
+       slapi_entry_add_string(entry,
+                              "homeDirectory", pwd.pw_dir);
+       slapi_entry_add_string(entry,
+                              "loginShell", pwd.pw_shell);
+       slapi_entry_set_sdn(entry, set_data->container_sdn);
+       slapi_entry_set_dn(entry, slapi_ch_smprintf("uid=%s,%s",
+                       user_name, slapi_sdn_get_dn(set_data->container_sdn)));
+
+       rc = sss_nss_getsidbyid(pwd.pw_uid, &sid_str, &id_type);
+       if ((rc == 0) && (sid_str != NULL)) {
+               slapi_entry_add_string(entry, "objectClass", "ipaNTUserAttrs");
+               slapi_entry_add_string(entry, "ipaNTSecurityIdentifier", 
sid_str);
+               free(sid_str);
+       }
+
+
+       return entry;
+}
+
+
+static Slapi_Entry *
+backend_retrieve_group_entry_from_sssd(char *group_name, bool_t is_gid,
+                                struct backend_set_data *set_data,
+                                struct backend_search_cbdata *cbdata)
+{
+       struct group grp, *result;
+       const char *sdn;
+       Slapi_Entry *entry;
+       int rc, i;
+       enum sss_id_type id_type;
+       char *sid_str;
+
+       if (set_data->sssd_buffer == NULL) {
+               return NULL;
+       }
+
+       if (is_gid) {
+               rc = getgrgid_r(atoi(group_name), &grp,
+                               set_data->sssd_buffer,
+                               set_data->sssd_buffer_len, &result);
+       } else {
+               rc = getgrnam_r(group_name, &grp,
+                               set_data->sssd_buffer,
+                               set_data->sssd_buffer_len, &result);
+       }
+       if ((result == NULL) || (rc != 0)) {
+               return NULL;
+       }
+
+       if (grp.gr_gid < cbdata->sssd_min_id) {
+               return NULL;
+       }
+
+       entry = slapi_entry_alloc();
+       if (entry == NULL) {
+               return NULL;
+       }
+
+       slapi_entry_add_string(entry,
+                              "objectClass", "top");
+       slapi_entry_add_string(entry,
+                              "objectClass", "posixGroup");
+       slapi_entry_add_string(entry,
+                              "objectClass", "extensibleObject");
+       slapi_entry_add_string(entry,
+                              "cn", group_name);
+       slapi_entry_attr_set_int(entry,
+                                "gidNumber", grp.gr_gid);
+
+       slapi_entry_set_sdn(entry, set_data->container_sdn);
+       slapi_entry_set_dn(entry,
+                          slapi_ch_smprintf("cn=%s,%s", group_name,
+                                            
slapi_sdn_get_dn(set_data->container_sdn)));
+
+       if (grp.gr_mem) {
+               if (set_data->sssd_relevant_set != NULL) {
+                       sdn = 
slapi_sdn_get_dn(set_data->sssd_relevant_set->container_sdn);
+               } else {
+                       sdn = slapi_sdn_get_dn(set_data->container_sdn);
+               }
+               for (i=0; grp.gr_mem[i]; i++) {
+                       slapi_entry_add_string(entry, "memberUid",
+                               slapi_ch_smprintf("uid=%s,%s", grp.gr_mem[i], 
sdn));
+               }
+       }
+
+       rc = sss_nss_getsidbyid(grp.gr_gid, &sid_str, &id_type);
+       if ((rc == 0) && (sid_str != NULL)) {
+               slapi_entry_add_string(entry, "objectClass", "ipaNTGroupAttrs");
+               slapi_entry_add_string(entry, "ipaNTSecurityIdentifier", 
sid_str);
+               free(sid_str);
+       }
+
+       return entry;
+}
+
+static void
+backend_search_sssd_send_entry(struct backend_set_data *set_data,
+                              struct backend_search_cbdata *cbdata,
+                              Slapi_Entry *entry)
+{
+       char *ndn;
+       if (entry) {
+               slapi_entry_add_string(entry,
+                                      "schema-compat-origin", "sssd");
+               cbdata->matched = TRUE;
+               ndn = slapi_entry_get_ndn(entry);
+               backend_set_entry(cbdata->pb, entry, set_data);
+               slapi_send_ldap_search_entry(cbdata->pb, entry,
+                                            NULL, cbdata->attrs,
+                                            cbdata->attrsonly);
+               cbdata->n_entries++;
+               if (cbdata->closest_match) {
+                       free(cbdata->closest_match);
+               }
+               cbdata->closest_match = strdup(ndn);
+               /* Entry is created, cache it via map. 
+                * Next request will be served from the cache */
+               //backend_set_entry(cbdata->pb, entry, set_data);
+               slapi_entry_free(entry);
+       }
+}
+
+/* Check filter for a component like (uid=<value>) and if found,
+ * perform look up against SSSD and create entry based on that */
+void
+backend_search_sssd(struct backend_set_data *set_data,
+                   struct backend_search_cbdata *cbdata)
+{
+       int result, rc;
+       Slapi_Entry *entry;
+       struct backend_search_filter_config config = {FALSE, FALSE, FALSE, 
FALSE, FALSE, NULL};
+
+       /* There was no match but we asked to check SSSD */
+       /* First, we search the filter to see if it includes cn|uid=<value> 
check */
+       result = slapi_filter_apply(cbdata->filter,
+                      backend_search_filter_has_cn_uid, &config, &rc);
+       if ((result != SLAPI_FILTER_SCAN_STOP) ||
+           (NULL == config.name)) {
+               return;
+       }
+
+       /* Drop irrelevant requests. Each set only works with a single type */
+       if ((cbdata->check_sssd == SCH_SSSD_GROUP) &&
+           (config.search_uid || config.search_user)) {
+               return;
+       }
+
+       if ((cbdata->check_sssd == SCH_SSSD_USER) &&
+           (config.search_gid || config.search_group)) {
+               return;
+       }
+
+       if ((config.search_gid || config.search_uid) &&
+           (atol(config.name) < set_data->sssd_min_id)) {
+               return;
+       }
+
+       if ((config.search_group || config.search_gid) &&
+           (NULL != config.name)) {
+               entry = backend_retrieve_group_entry_from_sssd(config.name,
+                                               config.search_gid, set_data, 
cbdata);
+               backend_search_sssd_send_entry(set_data, cbdata, entry);
+               return;
+       }
+
+       if ((config.search_user || config.search_uid) &&
+           (NULL != config.name)) {
+               entry = backend_retrieve_user_entry_from_sssd(config.name,
+                                               config.search_uid, set_data, 
cbdata);
+               backend_search_sssd_send_entry(set_data, cbdata, entry);
+       }
+}
diff --git a/src/back-sch.c b/src/back-sch.c
index 142bdb9..a235998 100644
--- a/src/back-sch.c
+++ b/src/back-sch.c
@@ -50,23 +50,10 @@
 #include "format.h"
 #include "plugin.h"
 #include "map.h"
+#include "back-sch.h"
 
 #define SCH_CONTAINER_CONFIGURATION_FILTER "(&(" 
SCH_CONTAINER_CONFIGURATION_GROUP_ATTR "=*)(" 
SCH_CONTAINER_CONFIGURATION_BASE_ATTR "=*)(" 
SCH_CONTAINER_CONFIGURATION_FILTER_ATTR "=*)(" 
SCH_CONTAINER_CONFIGURATION_RDN_ATTR "=*))"
 
-/* The data we ask the map cache to keep, for us, for each set. */
-struct backend_set_data {
-       struct backend_shr_set_data common;
-       /* Schema compatibility-specific data. */
-       Slapi_DN *container_sdn;
-       char *rdn_format;
-       char **attribute_format;
-       bool_t check_access;
-};
-struct backend_entry_data {
-       Slapi_DN *original_entry_dn;
-       Slapi_Entry *e;
-};
-
 /* Read the name of the NIS master. A dummy function for the schema
  * compatibility plugin. */
 void
@@ -98,9 +85,18 @@ backend_set_config_free_config_contents(void *data)
                format_free_ref_attr_list(set_data->common.ref_attr_list);
                format_free_ref_attr_list(set_data->common.inref_attr_list);
                free(set_data->common.entry_filter);
+               if (set_data->check_sssd != SCH_SSSD_NONE) {
+                       /* Remove association to another set (groups/users) */
+                       if ((set_data->sssd_relevant_set != NULL) &&
+                           (set_data->sssd_relevant_set->sssd_relevant_set == 
set_data)) {
+                               set_data->sssd_relevant_set->sssd_relevant_set 
= NULL;
+                               set_data->sssd_relevant_set = NULL;
+                       }
+               }
                slapi_sdn_free(&set_data->container_sdn);
                free(set_data->rdn_format);
                backend_shr_free_strlist(set_data->attribute_format);
+               free(set_data->sssd_buffer);
        }
 }
 void
@@ -146,6 +142,12 @@ backend_copy_set_config(const struct backend_set_data 
*data)
        ret->rdn_format = strdup(data->rdn_format);
        ret->attribute_format = backend_shr_dup_strlist(data->attribute_format);
        ret->check_access = data->check_access;
+       ret->check_sssd = data->check_sssd;
+       ret->sssd_min_id = data->sssd_min_id;
+       ret->sssd_buffer = data->sssd_buffer;
+       ret->sssd_buffer_len = data->sssd_buffer_len;
+       ret->sssd_relevant_set = data->sssd_relevant_set;
+
        if ((ret->common.group == NULL) ||
            (ret->common.set == NULL) ||
            (ret->common.bases == NULL) ||
@@ -164,7 +166,7 @@ backend_set_config_read_config(struct plugin_state *state, 
Slapi_Entry *e,
                               const char *group, const char *container,
                               bool_t *flag, struct backend_shr_set_data **pret)
 {
-       char **bases, *entry_filter, **attributes, *rdn_format, *dn;
+       char **bases, *entry_filter, **attributes, *rdn_format, *dn, 
*sssd_min_id, *check_sssd;
        bool_t check_access;
        struct backend_set_data ret;
        Slapi_DN *tmp_sdn;
@@ -179,6 +181,10 @@ backend_set_config_read_config(struct plugin_state *state, 
Slapi_Entry *e,
        check_access = backend_shr_get_vattr_boolean(state, e,
                                                     
SCH_CONTAINER_CONFIGURATION_ACCESS_ATTR,
                                                     TRUE);
+       check_sssd = backend_shr_get_vattr_str(state, e,
+                                                  
SCH_CONTAINER_CONFIGURATION_SSSD_ATTR);
+       sssd_min_id = backend_shr_get_vattr_str(state, e,
+                                              
SCH_CONTAINER_CONFIGURATION_SSSD_MIN_ID_ATTR);
        attributes = backend_shr_get_vattr_strlist(state, e,
                                                   
SCH_CONTAINER_CONFIGURATION_ATTR_ATTR);
        /* Populate the returned structure. */
@@ -213,6 +219,51 @@ backend_set_config_read_config(struct plugin_state *state, 
Slapi_Entry *e,
        ret.rdn_format = rdn_format;
        ret.attribute_format = attributes;
        ret.check_access = check_access;
+
+       if (check_sssd != NULL) {
+               if (strcasecmp(check_sssd, "group") == 0) {
+                       ret.check_sssd = SCH_SSSD_GROUP;
+               } else if (strcasecmp(check_sssd, "user") == 0) {
+                       ret.check_sssd = SCH_SSSD_USER;
+               } else {
+                       ret.check_sssd = SCH_SSSD_NONE;
+               }
+       } else {
+               ret.check_sssd = SCH_SSSD_NONE;
+       }
+       ret.sssd_buffer = NULL;
+
+       /* Make sure we don't return system users/groups
+        * by limiting lower bound on searches */
+       ret.sssd_min_id = 1000; /* default in Fedora */
+       if (sssd_min_id != NULL) {
+               ret.sssd_min_id = atol(sssd_min_id);
+       }
+
+       if (ret.sssd_min_id == 0) {
+               /* enforce id in case of an error or too low limit */
+               ret.sssd_min_id = 1000;
+       }
+
+       if (ret.check_sssd != SCH_SSSD_NONE) {
+               /* Auto-populate attributes based on selected SSSD tree
+                * and add special attribute to track whether the entry 
requires PAM-based bind */
+               backend_shr_add_strlist(&ret.attribute_format, 
"objectClass=extensibleObject");
+               backend_shr_add_strlist(&ret.attribute_format, 
"schema-compat-origin=%{schema-compat-origin}");
+               backend_shr_add_strlist(&ret.attribute_format, 
"ipaNTSecurityIdentifier=%{ipaNTSecurityIdentifier}");
+
+               /* Allocate buffer to be used for getpwnam_r/getgrnam_r 
requests */
+               if (ret.check_sssd == SCH_SSSD_USER) {
+                       ret.sssd_buffer_len = sysconf(_SC_GETPW_R_SIZE_MAX);
+               } else {
+                       ret.sssd_buffer_len = sysconf(_SC_GETGR_R_SIZE_MAX);
+               }
+               if ((long) ret.sssd_buffer_len == -1 )
+                       ret.sssd_buffer_len = 16384;
+               ret.sssd_buffer = malloc(ret.sssd_buffer_len);
+       }
+
+       ret.sssd_relevant_set = NULL;
        *pret = backend_copy_set_config(&ret);
        free(ret.common.group);
        free(ret.common.set);
@@ -315,7 +366,7 @@ backend_entry_get_usn(Slapi_PBlock *pb, Slapi_Entry *e,
 }
 
 /* Add operational attributes to a synthetic entry. */
-static void
+void
 backend_set_operational_attributes(Slapi_Entry *e,
                                   struct plugin_state *state,
                                   time_t timestamp,
@@ -879,25 +930,6 @@ backend_update_params(Slapi_PBlock *pb, struct 
plugin_state *state)
        slapi_entry_free(our_entry);
 }
 
-/* Intercept a search request, and if it belongs to one of our compatibility
- * trees, answer from our cache before letting the default database have a
- * crack at it. */
-struct backend_search_cbdata {
-       Slapi_PBlock *pb;
-       struct plugin_state *state;
-       char *target, *strfilter, **attrs;
-       int scope, sizelimit, timelimit, attrsonly;
-       bool_t check_access;
-       Slapi_DN *target_dn;
-       Slapi_Filter *filter;
-
-       bool_t answer;
-       int result;
-       bool_t matched;
-       char *closest_match, *text;
-       int n_entries;
-};
-
 static bool_t
 backend_should_descend(Slapi_DN *this_dn, Slapi_DN *target_dn, int scope)
 {
@@ -993,11 +1025,17 @@ backend_search_set_cb(const char *group, const char 
*set, bool_t flag,
        struct backend_set_data *set_data;
        Slapi_Entry *set_entry;
        int result, n_entries;
+       int n_entries_sssd;
        const char *ndn;
 
        cbdata = cb_data;
        set_data = backend_data;
        cbdata->check_access = set_data->check_access;
+       cbdata->check_sssd = set_data->check_sssd;
+       cbdata->sssd_min_id = set_data->sssd_min_id;
+       /* If any entries were actually returned by the descending callback,
+        * avoid to look up in sssd even if this set is marked to look up */
+       n_entries_sssd = cbdata->n_entries;
 
        /* Check the set itself, unless it's also the group, in which case we
         * already evaluated it for this search. */
@@ -1054,6 +1092,15 @@ backend_search_set_cb(const char *group, const char 
*set, bool_t flag,
                                          backend_search_entry_cb, cbdata);
        }
 
+#ifdef HAVE_SSS_NSS_IDMAP
+       /* If we didn't find an exact match for the entry but asked to look up 
SSSD,
+        * then try to search SSSD and if successful, return that entry */
+       if ((n_entries_sssd == cbdata->n_entries) &&
+           (cbdata->check_sssd != SCH_SSSD_NONE)) {
+               backend_search_sssd(set_data, cbdata);
+       }
+#endif
+
        /* If we didn't find an exact match for the entry, then store this
         * container's DN as the closest match. */
        if ((!cbdata->matched) &&
@@ -1409,6 +1456,7 @@ backend_bind_cb(Slapi_PBlock *pb)
        struct berval ref;
        struct berval *urls[] = {&ref, NULL};
        const char *ndn;
+       char *is_sssd_origin = NULL;
 
        if (wrap_get_call_level() > 0) {
                return 0;
@@ -1418,18 +1466,59 @@ backend_bind_cb(Slapi_PBlock *pb)
        map_rdlock();
        backend_locate(pb, &data);
        if (data != NULL) {
-               ndn = slapi_sdn_get_ndn(data->original_entry_dn);
-               ref.bv_len = strlen("ldap:///";) + strlen(ndn);
-               ref.bv_val = malloc(ref.bv_len + 1);
-               if (ref.bv_val != NULL) {
-                       sprintf(ref.bv_val, "ldap:///%s";, ndn);
-                       slapi_send_ldap_result(pb, LDAP_REFERRAL,
-                                              NULL, NULL, 0, urls);
-                       free(ref.bv_val);
+#ifdef HAVE_SSS_NSS_IDMAP
+               is_sssd_origin = slapi_entry_attr_get_charptr(data->e, 
"schema-compat-origin");
+               if ((is_sssd_origin != NULL) &&
+                   (strcasecmp(is_sssd_origin, "sssd") == 0)) {
+                       ret = backend_sch_do_pam_auth(pb, data->e);
+                       if (ret != 0) {
+                               slapi_send_ldap_result(pb, 
LDAP_INVALID_CREDENTIALS,
+                                                      NULL, NULL, 0, NULL);
+                               ret = -1;
+                       } else {
+                               /*
+                                * If bind succeeded, change authentication 
information associated
+                                * with this connection.
+                                */
+                               if (ret == LDAP_SUCCESS) {
+                                       ndn = 
slapi_ch_strdup(slapi_sdn_get_ndn(data->original_entry_dn));
+                                       if ((slapi_pblock_set(pb, 
SLAPI_CONN_DN, (void*)ndn) != 0) ||
+                                           (slapi_pblock_set(pb, 
SLAPI_CONN_AUTHMETHOD, SLAPD_AUTH_SIMPLE) != 0)) {
+                                               ret = LDAP_OPERATIONS_ERROR;
+                                       } else {
+                                               LDAPControl **reqctrls = NULL;
+                                               slapi_pblock_get(pb, 
SLAPI_REQCONTROLS, &reqctrls);
+                                               if 
(slapi_control_present(reqctrls, LDAP_CONTROL_AUTH_REQUEST, NULL, NULL)) {
+                                                       
slapi_add_auth_response_control(pb, ndn);
+                                               }
+                                       }
+                               }
+
+                               if (ret == LDAP_SUCCESS) {
+                                       /* we are handling the result */
+                                       slapi_send_ldap_result(pb, ret, NULL, 
NULL, 0, NULL);
+                                       /* tell bind code we handled the result 
*/
+                                       ret = 0;
+                               }
+                       }
                } else {
-                       slapi_send_ldap_result(pb, LDAP_BUSY,
-                                              NULL, NULL, 0, NULL);
+#endif
+                       ndn = slapi_sdn_get_ndn(data->original_entry_dn);
+                       ref.bv_len = strlen("ldap:///";) + strlen(ndn);
+                       ref.bv_val = malloc(ref.bv_len + 1);
+                       if (ref.bv_val != NULL) {
+                               sprintf(ref.bv_val, "ldap:///%s";, ndn);
+                               slapi_send_ldap_result(pb, LDAP_REFERRAL,
+                                                      NULL, NULL, 0, urls);
+                               free(ref.bv_val);
+                       } else {
+                               slapi_send_ldap_result(pb, LDAP_BUSY,
+                                                      NULL, NULL, 0, NULL);
+                       }
+#ifdef HAVE_SSS_NSS_IDMAP
                }
+               free(is_sssd_origin);
+#endif
                ret = -1;
        } else {
                if (backend_check_scope_pb(pb)) {
@@ -1488,11 +1577,74 @@ backend_check_empty(struct plugin_state *state,
        }
 }
 
+struct backend_start_fixup_cbdata {
+       Slapi_PBlock *pb;
+       struct plugin_state *state;
+       struct backend_set_data *groups;
+       struct backend_set_data *users;
+};
+
+static bool_t
+backend_start_fixup_sssd_cb(const char *group, const char *set, bool_t flag,
+                     void *backend_data, void *cb_data)
+{
+       struct backend_start_fixup_cbdata *cbdata;
+       struct backend_set_data *set_data;
+
+       cbdata = cb_data;
+       set_data = backend_data;
+
+       switch (set_data->check_sssd) {
+               case SCH_SSSD_NONE:
+                       break;
+               case SCH_SSSD_USER:
+                       cbdata->groups = set_data;
+                       break;
+               case SCH_SSSD_GROUP:
+                       cbdata->users = set_data;
+                       break;
+               default:
+                       break;
+       }
+
+       return TRUE;
+}
+
+static bool_t
+backend_start_fixup_cb(const char *group, void *cb_data)
+{
+       struct backend_start_fixup_cbdata *cbdata;
+       cbdata = cb_data;
+       map_data_foreach_map(cbdata->state, group,
+                            backend_start_fixup_sssd_cb, cbdata);
+       if ((cbdata->groups != NULL) &&
+           (cbdata->users != NULL)) {
+               cbdata->groups->sssd_relevant_set = cbdata->users;
+               cbdata->users->sssd_relevant_set = cbdata->groups;
+       }
+       return TRUE;
+}
+
 /* Populate our data cache. */
 void
 backend_startup(Slapi_PBlock *pb, struct plugin_state *state)
 {
+       struct backend_start_fixup_cbdata cbdata;
        backend_shr_startup(state, pb, SCH_CONTAINER_CONFIGURATION_FILTER);
+       /* Walk the list of groups and perform fixups for the cases where
+        * some sets depend on others. Right now following fixups are done:
+        * -- SSSD searches for the group tree should know user tree DN to
+        *    produce proper membership
+        */
+       cbdata.state = state;
+       cbdata.pb = pb;
+       cbdata.groups = NULL;
+       cbdata.users = NULL;
+       wrap_inc_call_level();
+       map_rdlock();
+       map_data_foreach_domain(state, backend_start_fixup_cb, &cbdata);
+       map_unlock();
+       wrap_dec_call_level();
 }
 
 int
diff --git a/src/back-sch.h b/src/back-sch.h
new file mode 100644
index 0000000..85ea86f
--- /dev/null
+++ b/src/back-sch.h
@@ -0,0 +1,83 @@
+/*
+ * Copyright 2013 Red Hat, Inc.
+ *
+ * This Program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This Program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this Program; if not, write to the
+ *
+ *   Free Software Foundation, Inc.
+ *   59 Temple Place, Suite 330
+ *   Boston, MA 02111-1307 USA
+ *
+ */
+
+#ifndef back_sch_h
+#define back_sch_h
+
+enum sch_search_sssd_t {
+       SCH_SSSD_NONE = 0,
+       SCH_SSSD_USER,
+       SCH_SSSD_GROUP
+};
+
+/* The data we ask the map cache to keep, for us, for each set. */
+struct backend_set_data {
+       struct backend_shr_set_data common;
+       /* Schema compatibility-specific data. */
+       Slapi_DN *container_sdn;
+       char *rdn_format;
+       char **attribute_format;
+       bool_t check_access;
+       enum sch_search_sssd_t check_sssd;
+       long sssd_min_id;
+       char *sssd_buffer;
+       ssize_t sssd_buffer_len;
+       struct backend_set_data *sssd_relevant_set;
+};
+
+struct backend_entry_data {
+       Slapi_DN *original_entry_dn;
+       Slapi_Entry *e;
+};
+
+/* Intercept a search request, and if it belongs to one of our compatibility
+ * trees, answer from our cache before letting the default database have a
+ * crack at it. */
+struct backend_search_cbdata {
+       Slapi_PBlock *pb;
+       struct plugin_state *state;
+       char *target, *strfilter, **attrs;
+       int scope, sizelimit, timelimit, attrsonly;
+       bool_t check_access;
+       enum sch_search_sssd_t check_sssd;
+       Slapi_DN *target_dn;
+       Slapi_Filter *filter;
+       long sssd_min_id;
+
+       bool_t answer;
+       int result;
+       bool_t matched;
+       char *closest_match, *text;
+       int n_entries;
+};
+
+void backend_search_sssd(struct backend_set_data *set_data,
+                        struct backend_search_cbdata *cbdata);
+
+void backend_set_operational_attributes(Slapi_Entry *e,
+                                       struct plugin_state *state,
+                                       time_t timestamp,
+                                       int n_subordinates,
+                                       const char *usn);
+int backend_sch_do_pam_auth(Slapi_PBlock *pb, Slapi_Entry *entry);
+
+
+#endif
-- 
1.8.3.1

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to