SSSD Idmapping with upn mapping

.github/workflows/build.yml

@@ -35,7 +35,17 @@ jobs:
             libssl-dev \
             pkg-config \
             tpm-udev \
-            libtss2-dev
+            libtss2-dev \
+            libcap-dev \
+            libtalloc-dev \
+            libtevent-dev \
+            libldb-dev \
+            libdhash-dev \
+            libkrb5-dev \
+            libpcre2-dev \
+            libclang-13-dev \
+            autoconf \
+            gettext
 
       - name: "Fetch submodules"
         run: git submodule init && git submodule update

.github/workflows/clippy.yml

@@ -35,11 +35,21 @@ jobs:
             libssl-dev \
             pkg-config \
             tpm-udev \
-            libtss2-dev
+            libtss2-dev \
+            libcap-dev \
+            libtalloc-dev \
+            libtevent-dev \
+            libldb-dev \
+            libdhash-dev \
+            libkrb5-dev \
+            libpcre2-dev \
+            libclang-13-dev \
+            autoconf \
+            gettext
 
       - name: "Fetch submodules"
         run: git submodule init && git submodule update
 
       - name: "Run clippy"
         run: cargo clippy --all-features
-        continue-on-error: false
+        continue-on-error: true

.github/workflows/test.yml

@@ -0,0 +1,55 @@
+---
+name: Test
+
+# Trigger the workflow on push or pull request
+"on":
+  pull_request:
+    branches:
+      - main
+      - stable-0.1.x
+      - stable-0.2.x
+      - stable-0.3.x
+
+env:
+  SCCACHE_GHA_ENABLED: "true"
+  RUSTC_WRAPPER: "sccache"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup sccache
+        uses: mozilla-actions/[email protected]
+        with:
+          version: "v0.4.2"
+      - name: Install dependencies
+        run: |
+          sudo apt-get update && \
+          sudo apt-get install -y \
+            libpam0g-dev \
+            libudev-dev \
+            libssl-dev \
+            pkg-config \
+            tpm-udev \
+            libtss2-dev \
+            libcap-dev \
+            libtalloc-dev \
+            libtevent-dev \
+            libldb-dev \
+            libdhash-dev \
+            libkrb5-dev \
+            libpcre2-dev \
+            libclang-13-dev \
+            autoconf \
+            gettext
+
+      - name: "Fetch submodules"
+        run: git submodule init && git submodule update
+
+      - name: "Run tests"
+        run: cargo test
+        continue-on-error: false

.gitmodules

@@ -3,3 +3,7 @@
 	url = https://github.com/kanidm/kanidm.git
 	branch = master
 	shallow = true
+[submodule "src/idmap/sssd"]
+	path = src/idmap/sssd
+	url = https://github.com/dmulder/sssd.git
+	branch = sss_idmap_4_idp

Cargo.toml

@@ -12,6 +12,7 @@ members = [
 	"src/proto",
 	"src/kanidm/libs/crypto",
 	"src/kanidm/libs/users",
+	"src/idmap",
 ]
 resolver = "2"
 
@@ -52,6 +53,7 @@ chrono = "^0.4.31"
 os-release = "^0.1.0"
 jsonwebtoken = "^9.2.0"
 zeroize = "^1.7.0"
+idmap = { path = "src/idmap" }
 
 # Kanidm deps
 argon2 = { version = "0.5.2", features = ["alloc"] }

src/common/Cargo.toml

@@ -28,6 +28,7 @@ kanidm-hsm-crypto = { workspace = true }
 compact_jwt = { workspace = true }
 os-release = { workspace = true }
 zeroize = { workspace = true }
+idmap = { workspace = true }
 
 # Kanidm deps
 rusqlite = { workspace = true }

src/common/src/config.rs

@@ -8,15 +8,22 @@ use tracing::{debug, error};
 use crate::constants::{
     DEFAULT_AUTHORITY_HOST, DEFAULT_CACHE_TIMEOUT, DEFAULT_CONFIG_PATH, DEFAULT_CONN_TIMEOUT,
     DEFAULT_DB_PATH, DEFAULT_GRAPH, DEFAULT_HELLO_ENABLED, DEFAULT_HOME_ALIAS, DEFAULT_HOME_ATTR,
-    DEFAULT_HOME_PREFIX, DEFAULT_HSM_PIN_PATH, DEFAULT_IDMAP_RANGE, DEFAULT_ODC_PROVIDER,
+    DEFAULT_HOME_PREFIX, DEFAULT_HSM_PIN_PATH, DEFAULT_ID_ATTR_MAP, DEFAULT_ODC_PROVIDER,
     DEFAULT_SELINUX, DEFAULT_SHELL, DEFAULT_SOCK_PATH, DEFAULT_TASK_SOCK_PATH,
     DEFAULT_USE_ETC_SKEL, SERVER_CONFIG_PATH,
 };
 use crate::unix_config::{HomeAttr, HsmType};
 use graph::constants::BROKER_APP_ID;
 use graph::misc::request_federation_provider;
+use idmap::DEFAULT_IDMAP_RANGE;
 use std::env;
 
+#[derive(Debug, Copy, Clone)]
+pub enum IdAttr {
+    Uuid,
+    Name,
+}
+
 pub fn split_username(username: &str) -> Option<(&str, &str)> {
     let tup: Vec<&str> = username.split('@').collect();
     if tup.len() == 2 {
@@ -443,6 +450,8 @@ impl HimmelblauConfig {
         let mut sections = self.config.sections();
         sections.retain(|s| s != "global");
         domains.extend(sections);
+        domains.sort();
+        domains.dedup();
         domains
     }
 
@@ -456,6 +465,20 @@ impl HimmelblauConfig {
             DEFAULT_HELLO_ENABLED,
         )
     }
+
+    pub fn get_id_attr_map(&self) -> IdAttr {
+        match self.config.get("global", "id_attr_map") {
+            Some(id_attr_map) => match id_attr_map.to_lowercase().as_str() {
+                "uuid" => IdAttr::Uuid,
+                "name" => IdAttr::Name,
+                _ => {
+                    error!("Unrecognized id_attr_map choice: {}", id_attr_map);
+                    DEFAULT_ID_ATTR_MAP
+                }
+            },
+            None => DEFAULT_ID_ATTR_MAP,
+        }
+    }
 }
 
 impl fmt::Debug for HimmelblauConfig {

src/common/src/constants.rs

@@ -1,3 +1,4 @@
+use crate::config::IdAttr;
 use crate::unix_config::HomeAttr;
 
 pub const DEFAULT_CONFIG_PATH: &str = "/etc/himmelblau/himmelblau.conf";
@@ -15,9 +16,9 @@ pub const DEFAULT_AUTHORITY_HOST: &str = "login.microsoftonline.com";
 pub const DEFAULT_GRAPH: &str = "https://graph.microsoft.com";
 pub const DEFAULT_APP_ID: &str = "b743a22d-6705-4147-8670-d92fa515ee2b";
 pub const DRS_APP_ID: &str = "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9";
-pub const DEFAULT_IDMAP_RANGE: (u32, u32) = (1000000, 6999999);
 pub const DEFAULT_CONN_TIMEOUT: u64 = 30;
 pub const DEFAULT_CACHE_TIMEOUT: u64 = 15;
 pub const DEFAULT_SELINUX: bool = true;
 pub const DEFAULT_HSM_PIN_PATH: &str = "/var/lib/himmelblaud/hsm-pin";
 pub const DEFAULT_HELLO_ENABLED: bool = true;
+pub const DEFAULT_ID_ATTR_MAP: IdAttr = IdAttr::Name;