Fix few bugs/regressions

Resolves: rhbz#1488327 - SELinux is preventing selinux_child from write access on the sock_file system_bus_socket Resolves: rhbz#1490402 - SSSD does not create /var/lib/sss/deskprofile and fails to download desktop profile data Resolves: upstream#3485 - getsidbyid does not work with 1.15.3 Resolves: upstream#3488 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server Resolves: upstream#3501 - Accessing IdM kerberos ticket fails while id mapping is applied
2017-09-11 12:04:54 +02:00 · 2017-09-11 12:04:54 +02:00 · 8eda442b2e
parent fa4807ec45
commit 8eda442b2e
22 changed files with 4583 additions and 1 deletions
--- a/0094-TESTS-Relax-the-assert-in-test_idle_timeout.patch
+++ b/0094-TESTS-Relax-the-assert-in-test_idle_timeout.patch
@ -0,0 +1,79 @@
+From 4d1e380fea70e917cdfba560b899cca2f3e2ffd1 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 29 Aug 2017 11:07:18 +0200
+Subject: [PATCH 094/115] TESTS: Relax the assert in test_idle_timeout
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+    https://pagure.io/SSSD/sssd/issue/3473
+
+We're being quite strict in test_idle_timeout when checking for the
+number of open fds which leads to spurious failures like:
+=================================== FAILURES ===================================
+______________________________ test_idle_timeout _______________________________
+Traceback (most recent call last):
+  File "/var/lib/jenkins/workspace/ci/label/fedora23/src/tests/intg/test_secrets.py", line 427, in test_idle_timeout
+    assert nfds_pre + 1 == nfds_conn
+AssertionError: assert (27 + 1) == 27
+==================== 1 failed, 221 passed in 473.37 seconds ====================
+
+This is just a check that "a" connection was opened, so we don't have to
+check for exact match, but just for larger-or-equal.
+
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+---
+ src/tests/intg/test_secrets.py | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py
+index 15caa69582ea6fe5031df8150343412f0e68bd5e..a145045ee80c06a615c5746678075403df0c791b 100644
+--- a/src/tests/intg/test_secrets.py
+++ b/src/tests/intg/test_secrets.py
+@@ -360,9 +360,9 @@ def test_containers(setup_for_secrets, secrets_cli):
+     assert str(err406.value).startswith("406")
+ 
+ 
+-def get_num_fds(pid):
+def get_fds(pid):
+     procpath = os.path.join("/proc/", str(pid), "fd")
+-    return len([fdname for fdname in os.listdir(procpath)])
+    return os.listdir(procpath)
+ 
+ 
+ @pytest.fixture
+@@ -388,13 +388,14 @@ def test_idle_timeout(setup_for_cli_timeout_test):
+     secpid = setup_for_cli_timeout_test
+     sock_path = get_secrets_socket()
+ 
+-    nfds_pre = get_num_fds(secpid)
+    nfds_pre = get_fds(secpid)
+ 
+     sock = socket.socket(family=socket.AF_UNIX)
+     sock.connect(sock_path)
+     time.sleep(1)
+-    nfds_conn = get_num_fds(secpid)
+-    assert nfds_pre + 1 == nfds_conn
+    nfds_conn = get_fds(secpid)
+    if len(nfds_pre) + 1 < len(nfds_conn):
+        raise Exception("FD difference %s\n", set(nfds_pre) - set(nfds_conn))
+     # With the idle timeout set to 10 seconds, we need to sleep at least 15,
+     # because the internal timer ticks every timeout/2 seconds, so it would
+     # tick at 5, 10 and 15 seconds and the client timeout check uses a
+@@ -402,8 +403,9 @@ def test_idle_timeout(setup_for_cli_timeout_test):
+     # disconnect
+     time.sleep(15)
+ 
+-    nfds_post = get_num_fds(secpid)
+-    assert nfds_pre == nfds_post
+    nfds_post = get_fds(secpid)
+    if len(nfds_pre) != len(nfds_post):
+        raise Exception("FD difference %s\n", set(nfds_pre) - set(nfds_post))
+ 
+ 
+ def run_quota_test(cli, max_secrets, max_payload_size):
+-- 
+2.14.1
+
--- a/0095-IPA-Reword-the-DEBUG-message-about-SRV-resolution-on.patch
+++ b/0095-IPA-Reword-the-DEBUG-message-about-SRV-resolution-on.patch
@ -0,0 +1,35 @@
+From cd2b8fd423c5b6fbc3b9a466a5dedafd06362116 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 15 Aug 2017 09:40:22 +0200
+Subject: [PATCH 095/115] IPA: Reword the DEBUG message about SRV resolution on
+ IDM masters
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/providers/ipa/ipa_init.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
+index 7cae43c065e0cd687a80620faf6a354f001bd41c..3335e3ad23940aa67615c17742b89cf3c36beb6b 100644
+--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
+@@ -260,9 +260,10 @@ static errno_t ipa_init_server_mode(struct be_ctx *be_ctx,
+     dnsdomain = dp_opt_get_string(be_ctx->be_res->opts, DP_RES_OPT_DNS_DOMAIN);
+ 
+     if (srv_in_server_list(ipa_servers) || sites_enabled) {
+-        DEBUG(SSSDBG_MINOR_FAILURE, "SRV resolution or IPA sites enabled "
+-              "on the IPA server. Site discovery of trusted AD servers "
+-              "might not work.\n");
+        DEBUG(SSSDBG_IMPORTANT_INFO, "SSSD configuration uses either DNS "
+              "SRV resolution or IPA site discovery to locate IPA servers. "
+              "On IPA server itself, it is recommended that SSSD is "
+              "configured to only connect to the IPA server it's running at. ");
+ 
+         /* If SRV discovery is enabled on the server and
+          * dns_discovery_domain is set explicitly, then
+-- 
+2.14.1
+
--- a/0097-SYSDB-Add-sysdb_search_by_orig_dn.patch
+++ b/0097-SYSDB-Add-sysdb_search_by_orig_dn.patch
@ -0,0 +1,156 @@
+From e5c42c2630093d3020b3c4944cce1646325bc236 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Fri, 2 Jun 2017 13:26:49 +0200
+Subject: [PATCH 097/115] SYSDB: Add sysdb_search_by_orig_dn()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Three new methods have been added to sysdb's API in order to perform
+search by the orig dn (which is quite common in SSSD's code base).
+
+A common/base method called sysdb_search_by_orig_dn() is the most
+important one and then a few other helpers for searching users and
+groups groups directly.
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+---
+ src/db/sysdb.h     | 27 ++++++++++++++++------
+ src/db/sysdb_ops.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 86 insertions(+), 7 deletions(-)
+
+diff --git a/src/db/sysdb.h b/src/db/sysdb.h
+index f4cad577b97e737613e11d063fe7a8664faed624..411ee9aededa1d9ee2654d8247e98a38d7666ad2 100644
+--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
+@@ -342,6 +342,12 @@ struct certmap_info {
+     const char **domains;
+ };
+ 
+enum sysdb_member_type {
+    SYSDB_MEMBER_USER,
+    SYSDB_MEMBER_GROUP,
+    SYSDB_MEMBER_NETGROUP,
+    SYSDB_MEMBER_SERVICE,
+};
+ 
+ /* These attributes are stored in the timestamp cache */
+ extern const char *sysdb_ts_cache_attrs[];
+@@ -574,6 +580,20 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
+                                      struct sysdb_attrs *override_attrs,
+                                      struct ldb_dn *obj_dn);
+ 
+errno_t sysdb_search_by_orig_dn(TALLOC_CTX *mem_ctx,
+                                struct sss_domain_info *domain,
+                                enum sysdb_member_type type,
+                                const char *member_dn,
+                                const char **attrs,
+                                size_t *msgs_counts,
+                                struct ldb_message ***msgs);
+
+#define sysdb_search_users_by_orig_dn(mem_ctx, domain, member_dn, attrs, msgs_counts, msgs) \
+    sysdb_search_by_orig_dn(mem_ctx, domain, SYSDB_MEMBER_USER, member_dn, attrs, msgs_counts, msgs);
+
+#define sysdb_search_groups_by_orig_dn(mem_ctx, domain, member_dn, attrs, msgs_counts, msgs) \
+    sysdb_search_by_orig_dn(mem_ctx, domain, SYSDB_MEMBER_GROUP, member_dn, attrs, msgs_counts, msgs);
+
+ errno_t sysdb_search_user_override_attrs_by_name(TALLOC_CTX *mem_ctx,
+                                             struct sss_domain_info *domain,
+                                             const char *name,
+@@ -1040,13 +1060,6 @@ int sysdb_store_group(struct sss_domain_info *domain,
+                       uint64_t cache_timeout,
+                       time_t now);
+ 
+-enum sysdb_member_type {
+-    SYSDB_MEMBER_USER,
+-    SYSDB_MEMBER_GROUP,
+-    SYSDB_MEMBER_NETGROUP,
+-    SYSDB_MEMBER_SERVICE,
+-};
+-
+ int sysdb_add_group_member(struct sss_domain_info *domain,
+                            const char *group,
+                            const char *member,
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index 7ca6575ce75dab7805236c9f48dbf28a2f3946d2..4cfef68239a5f145967c942b1fb6647c5542f019 100644
+--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
+@@ -3236,6 +3236,72 @@ done:
+     return ret;
+ }
+ 
+static int sysdb_cache_search_users(TALLOC_CTX *mem_ctx,
+                                    struct sss_domain_info *domain,
+                                    struct ldb_context *ldb,
+                                    const char *sub_filter,
+                                    const char **attrs,
+                                    size_t *msgs_count,
+                                    struct ldb_message ***msgs);
+
+static int sysdb_cache_search_groups(TALLOC_CTX *mem_ctx,
+                                     struct sss_domain_info *domain,
+                                     struct ldb_context *ldb,
+                                     const char *sub_filter,
+                                     const char **attrs,
+                                     size_t *msgs_count,
+                                     struct ldb_message ***msgs);
+
+errno_t sysdb_search_by_orig_dn(TALLOC_CTX *mem_ctx,
+                                struct sss_domain_info *domain,
+                                enum sysdb_member_type type,
+                                const char *member_dn,
+                                const char **attrs,
+                                size_t *msgs_count,
+                                struct ldb_message ***msgs)
+{
+    TALLOC_CTX *tmp_ctx;
+    char *filter;
+    char *sanitized_dn = NULL;
+    errno_t ret;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        return ENOMEM;
+    }
+
+    ret = sss_filter_sanitize(tmp_ctx, member_dn, &sanitized_dn);
+    if (ret != EOK) {
+        goto done;
+    }
+
+    filter = talloc_asprintf(tmp_ctx, "(%s=%s)", SYSDB_ORIG_DN, sanitized_dn);
+    if (filter == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    switch (type) {
+    case SYSDB_MEMBER_USER:
+        ret = sysdb_cache_search_users(mem_ctx, domain, domain->sysdb->ldb,
+                                       filter, attrs, msgs_count, msgs);
+        break;
+    case SYSDB_MEMBER_GROUP:
+        ret = sysdb_cache_search_groups(mem_ctx, domain, domain->sysdb->ldb,
+                                        filter, attrs, msgs_count, msgs);
+        break;
+    default:
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "Trying to perform a search by orig_dn using a "
+              "non-supported type\n");
+        ret = EINVAL;
+        goto done;
+    }
+
+done:
+    talloc_free(tmp_ctx);
+    return ret;
+}
+ 
+ /* =Custom Store (replaces-existing-data)================== */
+ 
+-- 
+2.14.1
+
--- a/0098-TESTS-Add-tests-for-sysdb_search_-users-groups-_by_o.patch
+++ b/0098-TESTS-Add-tests-for-sysdb_search_-users-groups-_by_o.patch
@ -0,0 +1,112 @@
+From 9a44e78304f09961dea5148667aef24a88f10bb0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Thu, 31 Aug 2017 18:37:44 +0200
+Subject: [PATCH 098/115] TESTS: Add tests for
+ sysdb_search_{users,groups}_by_orig_dn()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+---
+ src/tests/sysdb-tests.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 74 insertions(+)
+
+diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
+index c186ed2fbfe8b2ef6e0aab67157217680112b7b6..63572e067b11a7149b872b3a3eae38776e2bcf21 100644
+--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
+@@ -5408,6 +5408,74 @@ START_TEST(test_sysdb_original_dn_case_insensitive)
+ }
+ END_TEST
+ 
+START_TEST(test_sysdb_search_groups_by_orig_dn)
+{
+    errno_t ret;
+    struct sysdb_test_ctx *test_ctx;
+    struct test_data *data;
+    const char *no_attrs[] = { NULL };
+    struct ldb_message **msgs;
+    size_t num_msgs;
+
+    /* Setup */
+    ret = setup_sysdb_tests(&test_ctx);
+    fail_if(ret != EOK, "Could not set up the test");
+
+    data = test_data_new_group(test_ctx, 456789);
+    fail_if(data == NULL);
+
+    data->orig_dn = talloc_asprintf(data, "cn=%s,cn=example,cn=com", data->groupname);
+    fail_if(data->orig_dn == NULL);
+
+    ret = test_add_incomplete_group(data);
+    fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]",
+                            ret, strerror(ret));
+
+    ret = sysdb_search_groups_by_orig_dn(test_ctx, data->ctx->domain, data->orig_dn,
+                                         no_attrs, &num_msgs, &msgs);
+    fail_unless(ret == EOK, "cache search error [%d][%s]",
+                            ret, strerror(ret));
+    fail_unless(num_msgs == 1, "Did not find the expected number of entries using "
+                               "sysdb_search_groups_by_orign_dn search");
+}
+END_TEST
+
+START_TEST(test_sysdb_search_users_by_orig_dn)
+{
+    errno_t ret;
+    struct sysdb_test_ctx *test_ctx;
+    struct test_data *data;
+    const char *no_attrs[] = { NULL };
+    struct ldb_message **msgs;
+    size_t num_msgs;
+
+    /* Setup */
+    ret = setup_sysdb_tests(&test_ctx);
+    fail_if(ret != EOK, "Could not set up the test");
+
+    data = test_data_new_user(test_ctx, 456789);
+    fail_if(data == NULL);
+
+    data->orig_dn = talloc_asprintf(data, "cn=%s,cn=example,cn=com", data->username);
+    fail_if(data->orig_dn == NULL);
+
+    ret = sysdb_attrs_add_string(data->attrs, SYSDB_ORIG_DN, data->orig_dn);
+    fail_unless(ret == EOK, "sysdb_attrs_add_string failed with [%d][%s].",
+                ret, strerror(ret));
+
+    ret = test_add_user(data);
+    fail_unless(ret == EOK, "sysdb_add_user error [%d][%s]",
+                            ret, strerror(ret));
+
+    ret = sysdb_search_users_by_orig_dn(test_ctx, data->ctx->domain, data->orig_dn,
+                                        no_attrs, &num_msgs, &msgs);
+    fail_unless(ret == EOK, "cache search error [%d][%s]",
+                            ret, strerror(ret));
+    fail_unless(num_msgs == 1, "Did not find the expected number of entries using "
+                               "sysdb_search_users_by_orign_dn search");
+}
+END_TEST
+
+ START_TEST(test_sysdb_search_sid_str)
+ {
+     errno_t ret;
+@@ -7073,6 +7141,12 @@ Suite *create_sysdb_suite(void)
+     /* Test originalDN searches */
+     tcase_add_test(tc_sysdb, test_sysdb_original_dn_case_insensitive);
+ 
+    /* Test sysdb_search_groups_by_orig_dn */
+    tcase_add_test(tc_sysdb, test_sysdb_search_groups_by_orig_dn);
+
+    /* Test sysdb_search_users_by_orig_dn */
+    tcase_add_test(tc_sysdb, test_sysdb_search_users_by_orig_dn);
+
+     /* Test SID string searches */
+     tcase_add_test(tc_sysdb, test_sysdb_search_sid_str);
+ 
+-- 
+2.14.1
+
--- a/0099-IPA-Use-sysdb_search_-_by_orig_dn-_hbac_users.c.patch
+++ b/0099-IPA-Use-sysdb_search_-_by_orig_dn-_hbac_users.c.patch
@ -0,0 +1,107 @@
+From a5e9d34fd39c0061ca284674a6fd7cad05c6056c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Fri, 2 Jun 2017 13:31:43 +0200
+Subject: [PATCH 099/115] IPA: Use sysdb_search_*_by_orig_dn() _hbac_users.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Methods for searching the users, groups and entries by their orig dn
+have been introduced in one of the previous commit.
+
+Let's make use of those whenever it makes sense.
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+---
+ src/providers/ipa/ipa_hbac_users.c | 28 +++++++---------------------
+ 1 file changed, 7 insertions(+), 21 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_hbac_users.c b/src/providers/ipa/ipa_hbac_users.c
+index af53fa035323a87e4bbaa807db503aab34112e3e..0ed0e7e8ddcf477639ee5f4707acf44afd8f5d1f 100644
+--- a/src/providers/ipa/ipa_hbac_users.c
+++ b/src/providers/ipa/ipa_hbac_users.c
+@@ -171,9 +171,7 @@ hbac_user_attrs_to_rule(TALLOC_CTX *mem_ctx,
+     struct hbac_rule_element *new_users = NULL;
+     struct ldb_message_element *el = NULL;
+     struct ldb_message **msgs = NULL;
+-    char *filter;
+-    char *member_dn;
+-    const char *member_user;
+    const char *member_dn;
+     const char *attrs[] = { SYSDB_NAME, NULL };
+     size_t num_users = 0;
+     size_t num_groups = 0;
+@@ -234,20 +232,11 @@ hbac_user_attrs_to_rule(TALLOC_CTX *mem_ctx,
+     }
+ 
+     for (i = 0; i < el->num_values; i++) {
+-        member_user = (const char *)el->values[i].data;
+-        ret = sss_filter_sanitize(tmp_ctx, member_user, &member_dn);
+-        if (ret != EOK) goto done;
+-
+-        filter = talloc_asprintf(member_dn, "(%s=%s)",
+-                                 SYSDB_ORIG_DN, member_dn);
+-        if (filter == NULL) {
+-            ret = ENOMEM;
+-            goto done;
+-        }
+        member_dn = (const char *)el->values[i].data;
+ 
+         /* First check if this is a user */
+-        ret = sysdb_search_users(tmp_ctx, domain,
+-                                 filter, attrs, &count, &msgs);
+        ret = sysdb_search_users_by_orig_dn(tmp_ctx, domain, member_dn, attrs,
+                                            &count, &msgs);
+         if (ret != EOK && ret != ENOENT) goto done;
+         if (ret == EOK && count == 0) {
+             ret = ENOENT;
+@@ -257,7 +246,6 @@ hbac_user_attrs_to_rule(TALLOC_CTX *mem_ctx,
+             if (count > 1) {
+                 DEBUG(SSSDBG_CRIT_FAILURE,
+                       "Original DN matched multiple users. Skipping \n");
+-                talloc_zfree(member_dn);
+                 continue;
+             }
+ 
+@@ -288,8 +276,8 @@ hbac_user_attrs_to_rule(TALLOC_CTX *mem_ctx,
+             num_users++;
+         } else {
+             /* Check if it is a group instead */
+-            ret = sysdb_search_groups(tmp_ctx, domain, filter, attrs,
+-                                      &count, &msgs);
+            ret = sysdb_search_groups_by_orig_dn(tmp_ctx, domain, member_dn,
+                                                 attrs, &count, &msgs);
+             if (ret != EOK && ret != ENOENT) goto done;
+             if (ret == EOK && count == 0) {
+                 ret = ENOENT;
+@@ -300,7 +288,6 @@ hbac_user_attrs_to_rule(TALLOC_CTX *mem_ctx,
+                     DEBUG(SSSDBG_CRIT_FAILURE,
+                           "Original DN matched multiple groups. "
+                               "Skipping\n");
+-                    talloc_zfree(member_dn);
+                     continue;
+                 }
+ 
+@@ -336,7 +323,7 @@ hbac_user_attrs_to_rule(TALLOC_CTX *mem_ctx,
+                  * we can assume it is a non-POSIX group.
+                  */
+                 ret = get_ipa_groupname(new_users->groups, domain->sysdb,
+-                                        member_user,
+                                        member_dn,
+                                         &new_users->groups[num_groups]);
+                 if (ret == EOK) {
+                     DEBUG(SSSDBG_TRACE_INTERNAL,
+@@ -351,7 +338,6 @@ hbac_user_attrs_to_rule(TALLOC_CTX *mem_ctx,
+                 }
+             }
+         }
+-        talloc_zfree(member_dn);
+     }
+     new_users->names[num_users] = NULL;
+     new_users->groups[num_groups] = NULL;
+-- 
+2.14.1
+
--- a/0100-SDAP-Use-sysdb_search_-_by_orig_dn-in-sdap_async_nes.patch
+++ b/0100-SDAP-Use-sysdb_search_-_by_orig_dn-in-sdap_async_nes.patch
@ -0,0 +1,158 @@
+From 4c508463be960682cf94b4e5a39be2f8f49067c8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Fri, 2 Jun 2017 13:35:30 +0200
+Subject: [PATCH 100/115] SDAP: Use sysdb_search_*_by_orig_dn() in
+ sdap_async_nested_groups.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Methods for searching the users, groups and entries by their orig dn
+have been introduced in one of the previous commit.
+
+Let's make use of those whenever it makes sense.
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+---
+ src/providers/ldap/sdap_async_nested_groups.c | 61 ++++++---------------------
+ 1 file changed, 13 insertions(+), 48 deletions(-)
+
+diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
+index 3e3329c0e8fba1915e2e065abb0cb3f21be36e6f..9271d8cfe38d11fb1ea14960a997f0deee175b27 100644
+--- a/src/providers/ldap/sdap_async_nested_groups.c
+++ b/src/providers/ldap/sdap_async_nested_groups.c
+@@ -38,11 +38,11 @@
+ #include "providers/ldap/sdap_idmap.h"
+ #include "providers/ipa/ipa_dn.h"
+ 
+-#define sdap_nested_group_sysdb_search_users(domain, filter) \
+-    sdap_nested_group_sysdb_search((domain), (filter), true)
+#define sdap_nested_group_sysdb_search_users(domain, dn) \
+    sdap_nested_group_sysdb_search((domain), (dn), true)
+ 
+-#define sdap_nested_group_sysdb_search_groups(domain, filter) \
+-    sdap_nested_group_sysdb_search((domain), (filter), false)
+#define sdap_nested_group_sysdb_search_groups(domain, dn) \
+    sdap_nested_group_sysdb_search((domain), (dn), false)
+ 
+ enum sdap_nested_group_dn_type {
+     SDAP_NESTED_GROUP_DN_USER,
+@@ -389,7 +389,7 @@ static errno_t sdap_nested_group_external_add(hash_table_t *table,
+ }
+ 
+ static errno_t sdap_nested_group_sysdb_search(struct sss_domain_info *domain,
+-                                              const char *filter,
+                                              const char *dn,
+                                               bool user)
+ {
+     static const char *attrs[] = {SYSDB_CACHE_EXPIRE,
+@@ -403,11 +403,11 @@ static errno_t sdap_nested_group_sysdb_search(struct sss_domain_info *domain,
+     errno_t ret;
+ 
+     if (user) {
+-        ret = sysdb_search_users(NULL, domain, filter, attrs,
+-                                 &count, &msgs);
+        ret = sysdb_search_users_by_orig_dn(NULL, domain, dn, attrs,
+                                            &count, &msgs);
+     } else {
+-        ret = sysdb_search_groups(NULL, domain, filter, attrs,
+-                                  &count, &msgs);
+        ret = sysdb_search_groups_by_orig_dn(NULL, domain, dn, attrs,
+                                             &count, &msgs);
+     }
+     if (ret != EOK) {
+         goto done;
+@@ -451,37 +451,17 @@ sdap_nested_group_check_cache(struct sdap_options *opts,
+                               const char *member_dn,
+                               enum sdap_nested_group_dn_type *_type)
+ {
+-    TALLOC_CTX *tmp_ctx = NULL;
+     struct sdap_domain *sdap_domain = NULL;
+     struct sss_domain_info *member_domain = NULL;
+-    char *sanitized_dn = NULL;
+-    char *filter = NULL;
+     errno_t ret;
+ 
+-    tmp_ctx = talloc_new(NULL);
+-    if (tmp_ctx == NULL) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+-        return ENOMEM;
+-    }
+-
+-    ret = sss_filter_sanitize(tmp_ctx, member_dn, &sanitized_dn);
+-    if (ret != EOK) {
+-        goto done;
+-    }
+-
+-    filter = talloc_asprintf(tmp_ctx, "(%s=%s)", SYSDB_ORIG_DN, sanitized_dn);
+-    if (filter == NULL) {
+-        ret = ENOMEM;
+-        goto done;
+-    }
+-
+     /* determine correct domain of this member */
+     sdap_domain = sdap_domain_get_by_dn(opts, member_dn);
+     member_domain = sdap_domain == NULL ? domain : sdap_domain->dom;
+ 
+     /* search in users */
+     PROBE(SDAP_NESTED_GROUP_SYSDB_SEARCH_USERS_PRE);
+-    ret = sdap_nested_group_sysdb_search_users(member_domain, filter);
+    ret = sdap_nested_group_sysdb_search_users(member_domain, member_dn);
+     PROBE(SDAP_NESTED_GROUP_SYSDB_SEARCH_USERS_POST);
+     if (ret == EOK || ret == EAGAIN) {
+         /* user found */
+@@ -494,7 +474,7 @@ sdap_nested_group_check_cache(struct sdap_options *opts,
+ 
+     /* search in groups */
+     PROBE(SDAP_NESTED_GROUP_SYSDB_SEARCH_GROUPS_PRE);
+-    ret = sdap_nested_group_sysdb_search_groups(member_domain, filter);
+    ret = sdap_nested_group_sysdb_search_groups(member_domain, member_dn);
+     PROBE(SDAP_NESTED_GROUP_SYSDB_SEARCH_GROUPS_POST);
+     if (ret == EOK || ret == EAGAIN) {
+         /* group found */
+@@ -509,7 +489,6 @@ sdap_nested_group_check_cache(struct sdap_options *opts,
+     ret = ENOENT;
+ 
+ done:
+-    talloc_free(tmp_ctx);
+     return ret;
+ }
+ 
+@@ -2840,8 +2819,6 @@ sdap_nested_group_memberof_dn_by_original_dn(
+                             const char ***_parents)
+ {
+     errno_t ret;
+-    char *sanitized_dn;
+-    char *filter;
+     const char *attrs[] = { SYSDB_NAME,
+                             SYSDB_MEMBEROF,
+                             NULL };
+@@ -2856,20 +2833,8 @@ sdap_nested_group_memberof_dn_by_original_dn(
+         return ENOMEM;
+     }
+ 
+-    ret = sss_filter_sanitize(tmp_ctx, original_dn, &sanitized_dn);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_CRIT_FAILURE,
+-                "Cannot sanitize originalDN [%s]\n", original_dn);
+-        goto done;
+-    }
+-
+-    filter = talloc_asprintf(tmp_ctx, "(%s=%s)", SYSDB_ORIG_DN, sanitized_dn);
+-    if (filter == NULL) {
+-        goto done;
+-    }
+-
+-    ret = sysdb_search_groups(tmp_ctx, group_dom, filter, attrs,
+-                              &count, &msgs);
+    ret = sysdb_search_groups_by_orig_dn(tmp_ctx, group_dom, original_dn,
+                                         attrs, &count, &msgs);
+     if (ret != EOK) {
+         goto done;
+     }
+-- 
+2.14.1
+
--- a/0101-SDAP-Use-sysdb_search_-_by_orig_dn-in-sdap_async_gro.patch
+++ b/0101-SDAP-Use-sysdb_search_-_by_orig_dn-in-sdap_async_gro.patch
@ -0,0 +1,81 @@
+From e3d9ce0ac22796cb08ad2daed006021b44b28c69 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Fri, 2 Jun 2017 14:12:29 +0200
+Subject: [PATCH 101/115] SDAP: Use sysdb_search_*_by_orig_dn() in
+ sdap_async_groups.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Methods for searching the users, groups and entries by their orig dn
+have been introduced in one of the previous commit.
+
+Let's make use of those whenever it makes sense.
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+---
+ src/providers/ldap/sdap_async_groups.c | 23 ++---------------------
+ 1 file changed, 2 insertions(+), 21 deletions(-)
+
+diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
+index 81503798c4abc7598810a2b97b4d03fbebe7f953..536e3f13744c5350eed518c9bd35fd89e0899dc6 100644
+--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
+@@ -2498,14 +2498,12 @@ static errno_t sdap_nested_group_populate_users(TALLOC_CTX *mem_ctx,
+     errno_t ret, sret;
+     struct ldb_message_element *el;
+     const char *username;
+-    char *clean_orig_dn;
+     const char *original_dn;
+     struct sss_domain_info *user_dom;
+     struct sdap_domain *sdap_dom;
+ 
+     TALLOC_CTX *tmp_ctx;
+     struct ldb_message **msgs;
+-    char *filter;
+     const char *sysdb_name;
+     struct sysdb_attrs *attrs;
+     static const char *search_attrs[] = { SYSDB_NAME, NULL };
+@@ -2553,14 +2551,6 @@ static errno_t sdap_nested_group_populate_users(TALLOC_CTX *mem_ctx,
+         }
+         original_dn = (const char *) el->values[0].data;
+ 
+-        ret = sss_filter_sanitize(tmp_ctx, original_dn,
+-                                  &clean_orig_dn);
+-        if (ret != EOK) {
+-            DEBUG(SSSDBG_CRIT_FAILURE,
+-                  "Cannot sanitize originalDN [%s]\n", original_dn);
+-            goto done;
+-        }
+-
+         sdap_dom = sdap_domain_get_by_dn(opts, original_dn);
+         user_dom = sdap_dom == NULL ? domain : sdap_dom->dom;
+ 
+@@ -2573,19 +2563,10 @@ static errno_t sdap_nested_group_populate_users(TALLOC_CTX *mem_ctx,
+         }
+ 
+         /* Check for the specified origDN in the sysdb */
+-        filter = talloc_asprintf(tmp_ctx, "(%s=%s)",
+-                                 SYSDB_ORIG_DN,
+-                                 clean_orig_dn);
+-        if (!filter) {
+-            ret = ENOMEM;
+-            goto done;
+-        }
+         PROBE(SDAP_NESTED_GROUP_POPULATE_SEARCH_USERS_PRE);
+-        ret = sysdb_search_users(tmp_ctx, user_dom, filter,
+-                                 search_attrs, &count, &msgs);
+        ret = sysdb_search_users_by_orig_dn(tmp_ctx, user_dom, original_dn,
+                                            search_attrs, &count, &msgs);
+         PROBE(SDAP_NESTED_GROUP_POPULATE_SEARCH_USERS_POST);
+-        talloc_zfree(filter);
+-        talloc_zfree(clean_orig_dn);
+         if (ret != EOK && ret != ENOENT) {
+             DEBUG(SSSDBG_CRIT_FAILURE, "Error checking cache for user entry\n");
+             goto done;
+-- 
+2.14.1
+
--- a/0102-IPA-Use-sysdb_search_-_by_orig_dn-in-_subdomains_ext.patch
+++ b/0102-IPA-Use-sysdb_search_-_by_orig_dn-in-_subdomains_ext.patch
@ -0,0 +1,55 @@
+From 59db26782d052ddbec633279d08e8627ca57fd41 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Fri, 2 Jun 2017 14:16:30 +0200
+Subject: [PATCH 102/115] IPA: Use sysdb_search_*_by_orig_dn() in
+ _subdomains_ext_group.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Methods for searching the users, groups and entries by their orig dn
+have been introduced in one of the previous commit.
+
+Let's make use of those whenever it makes sense.
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+---
+ src/providers/ipa/ipa_subdomains_ext_groups.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
+index 505d89a51423489a5e2c0e09c9aa49d93c15231b..0359e0dedeef8db0da71d16a6f0044e43a7a9840 100644
+--- a/src/providers/ipa/ipa_subdomains_ext_groups.c
+++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
+@@ -315,7 +315,6 @@ static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
+     struct sysdb_attrs *user_attrs;
+     size_t msgs_count;
+     struct ldb_message **msgs;
+-    char *subfilter;
+     TALLOC_CTX *tmp_ctx;
+     int ret;
+ 
+@@ -332,15 +331,8 @@ static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
+             continue;
+         }
+ 
+-        subfilter = talloc_asprintf(tmp_ctx, "(%s=%s)", SYSDB_ORIG_DN, groups[c]);
+-        if (subfilter == NULL) {
+-            DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+-            ret = ENOMEM;
+-            goto done;
+-        }
+-
+-        ret = sysdb_search_groups(tmp_ctx, group_dom, subfilter, NULL,
+-                                  &msgs_count, &msgs);
+        ret = sysdb_search_groups_by_orig_dn(tmp_ctx, group_dom, groups[c],
+                                             NULL, &msgs_count, &msgs);
+         if (ret != EOK) {
+             if (ret == ENOENT) {
+                 DEBUG(SSSDBG_TRACE_ALL, "Group [%s] not in the cache.\n",
+-- 
+2.14.1
+
--- a/0103-MAN-Improve-description-of-trusted-domain-section-in.patch
+++ b/0103-MAN-Improve-description-of-trusted-domain-section-in.patch
@ -0,0 +1,67 @@
+From 781d231a12eb0c772353cc15e2c3ae1e7545e663 Mon Sep 17 00:00:00 2001
+From: AmitKumar <amitkuma@redhat.com>
+Date: Tue, 18 Jul 2017 21:03:04 +0530
+Subject: [PATCH 103/115] MAN: Improve description of 'trusted domain section'
+ in sssd.conf's man page
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+PR generated to include explaination for ipa ad trust sssd configuration
+where ad has a child domain. Explanation is added to 'TRUSTED DOMAIN
+SECTION'. Also an example is included to better understanding.
+
+Resolves: https://pagure.io/SSSD/sssd/issue/3399
+
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+ src/man/sssd.conf.5.xml | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index c26f4a3bac1f009d19d9a5a3a49ad7370ac72791..11a347d29f47923cb87f6adedbf346bde1c19593 100644
+--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
+@@ -3059,6 +3059,8 @@ ldap_user_extra_attrs = phone:telephoneNumber
+             Some options used in the domain section can also be used in the
+             trusted domain section, that is, in a section called
+             <quote>[domain/<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</replaceable>]</quote>.
+            Where DOMAIN_NAME is the actual joined-to base domain. Please refer
+            to examples below for explanation.
+             Currently supported options in the trusted domain section are:
+         </para>
+             <para>ldap_search_base,</para>
+@@ -3077,9 +3079,9 @@ ldap_user_extra_attrs = phone:telephoneNumber
+     </refsect1>
+ 
+     <refsect1 id='example'>
+-        <title>EXAMPLE</title>
+        <title>EXAMPLES</title>
+         <para>
+-            The following example shows a typical SSSD config. It does
+            1. The following example shows a typical SSSD config. It does
+             not describe configuration of the domains themselves - refer to
+             documentation on configuring domains for more details.
+ <programlisting>
+@@ -3107,6 +3109,17 @@ cache_credentials = true
+ min_id = 10000
+ max_id = 20000
+ enumerate = False
+</programlisting>
+        </para>
+        <para>
+            2. The following example shows configuration of IPA AD trust where
+            the AD forest consists of two domains in a parent-child structure.
+            Suppose IPA domain (ipa.com) has trust with AD domain(ad.com).
+            ad.com has child domain (child.ad.com). To enable shortnames in
+            the child domain the following configuration should be used.
+<programlisting>
+[domain/ipa.com/child.ad.com]
+use_fully_qualified_names = false
+ </programlisting>
+         </para>
+     </refsect1>
+-- 
+2.14.1
+
--- a/0104-certmap-add-OpenSSL-implementation.patch
+++ b/0104-certmap-add-OpenSSL-implementation.patch
--- a/0105-MAN-Improve-failover-documentation-by-explaining-the.patch
+++ b/0105-MAN-Improve-failover-documentation-by-explaining-the.patch
@ -0,0 +1,108 @@
+From 3bcf6b17a1bd8fbef99e1f8bfc33f4312b40e48b Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Thu, 29 Jun 2017 16:16:01 +0200
+Subject: [PATCH 105/115] MAN: Improve failover documentation by explaining the
+ timeout better
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/man/include/failover.xml | 56 ++++++++++++++++++++++++++++++++++++++++++++
+ src/man/sssd.conf.5.xml      | 14 +++++++----
+ 2 files changed, 66 insertions(+), 4 deletions(-)
+
+diff --git a/src/man/include/failover.xml b/src/man/include/failover.xml
+index 4865ce2be988b58dbd1c0736b6512f378be80d55..9ab74b1e1eca25aa63383ca575b7723ca7744346 100644
+--- a/src/man/include/failover.xml
+++ b/src/man/include/failover.xml
+@@ -49,4 +49,60 @@
+             every 30 seconds.
+         </para>
+     </refsect2>
+    <refsect2 id='failover_tuning'>
+        <title>Failover time outs and tuning</title>
+        <para>
+            Resolving a server to connect to can be as simple as running
+            a single DNS query or can involve several steps, such as finding
+            the correct site or trying out multiple host names in case some
+            of the configured servers are not reachable. The more complex
+            scenarios can take some time and SSSD needs to balance between
+            providing enough time to finish the resolution process but on
+            the other hand, not trying for too long before falling back
+            to offline mode. If the SSSD debug logs show that the server
+            resolution is timing out before a live server is contacted,
+            you can consider changing the time outs.
+        </para>
+        <para>
+            This section lists the available tunables. Please refer to their
+            description in the
+            <citerefentry>
+                <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
+            </citerefentry>,
+            manual page.
+            <variablelist>
+                <varlistentry>
+                    <term>
+                        dns_resolver_op_timeout
+                    </term>
+                    <listitem>
+                        <para>
+                            How long would SSSD talk to a single DNS server.
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>
+                        dns_resolver_timeout
+                    </term>
+                    <listitem>
+                        <para>
+                            How long would SSSD try to resolve a failover
+                            service. This service resolution internally might
+                            include several steps, such as resolving DNS SRV
+                            queries or locating the site.
+                        </para>
+                    </listitem>
+                </varlistentry>
+            </variablelist>
+        </para>
+        <para>
+            For LDAP-based providers, the resolve operation is performed
+            as part of an LDAP connection operation. Thefore, also the
+            <quote>ldap_opt_timeout></quote> timeout should be set to
+            a larger value than <quote>dns_resolver_timeout</quote>
+            which in turn should be set to a larger value than
+            <quote>dns_resolver_op_timeout</quote>.
+        </para>
+    </refsect2>
+ </refsect1>
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index 11a347d29f47923cb87f6adedbf346bde1c19593..9c9bf894fd725e1406d9217a256e0e13ab49c5f9 100644
+--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
+@@ -2607,10 +2607,16 @@ pam_account_locked_message = Account locked, please contact help desk.
+                     <term>dns_resolver_timeout (integer)</term>
+                     <listitem>
+                         <para>
+-                            Defines the amount of time (in seconds) to wait for a reply from
+-                            the DNS resolver before assuming that it is unreachable. If this
+-                            timeout is reached, the domain will continue to operate in
+-                            offline mode.
+                            Defines the amount of time (in seconds) to
+                            wait for a reply from the internal fail over
+                            service before assuming that the service is
+                            unreachable. If this timeout is reached, the
+                            domain will continue to operate in offline mode.
+                        </para>
+                        <para>
+                            Please see the section <quote>FAILOVER</quote>
+                            for more information about the service
+                            resolution.
+                         </para>
+                         <para>
+                             Default: 6
+-- 
+2.14.1
+
--- a/0106-MAN-Document-that-the-secrets-provider-can-only-be-s.patch
+++ b/0106-MAN-Document-that-the-secrets-provider-can-only-be-s.patch
@ -0,0 +1,65 @@
+From e8bad995fb1219df2a4fef8f55c80284c6ab36d3 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Thu, 1 Jun 2017 10:04:21 +0200
+Subject: [PATCH 106/115] MAN: Document that the secrets provider can only be
+ specified in a per-client section
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3417
+
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+Reviewed-by: Justin Stephenson <jstephen@redhat.com>
+---
+ src/man/sssd-secrets.5.xml | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml
+index d43dcf21c6174f0e0780a76d831a1fd957358b51..08ab371c64eb49e4f153bb2183c07681b1050bb0 100644
+--- a/src/man/sssd-secrets.5.xml
+++ b/src/man/sssd-secrets.5.xml
+@@ -128,19 +128,30 @@ systemctl enable sssd-secrets.service
+             </citerefentry> manual page for a complete list. In addition,
+             there are some secrets-specific options as well.
+         </para>
+        <para>
+            The secrets responder is configured with a global
+            <quote>[secrets]</quote> section and an optional per-user
+            <quote>[secrets/users/$uid]</quote> section in
+            <filename>sssd.conf</filename>. Please note that some options,
+            notably as the provider type, can only be specified in the per-user
+            subsections.
+        </para>
+         <variablelist>
+             <varlistentry>
+                 <term>provider (string)</term>
+                 <listitem>
+                 <para>
+-                    This option specifies where should the secrets
+-                    be stored. The secrets responder can configure a
+-                    per-user subsections that define which provider store
+-                    the secrets for this particular user. The per-user
+-                    subsections should contain all options for that user's
+-                    provider. If a per-user section does not exist, the
+-                    global settings from the secret responder's section
+-                    are used.  The following providers are supported:
+                    This option specifies where should the secrets be
+                    stored. The secrets responder can configure a per-user
+                    subsections (e.g. <quote>[secrets/users/123]</quote>
+                    - see bottom of this manual page for a full example
+                    using Custodia for a particular user) that define
+                    which provider store the secrets for this particular
+                    user. The per-user subsections should contain all
+                    options for that user's provider. Please note that
+                    currently the global provider is always local, the
+                    proxy provider can only be specified in a per-user
+                    section. The following providers are supported:
+                     <variablelist>
+                         <varlistentry>
+                             <term>local</term>
+-- 
+2.14.1
+
--- a/0107-SELINUX-Use-getseuserbyname-to-get-IPA-seuser.patch
+++ b/0107-SELINUX-Use-getseuserbyname-to-get-IPA-seuser.patch
@ -0,0 +1,181 @@
+From cfe87ca0c4fded9cbf907697d08fa0e6c8f8ebce Mon Sep 17 00:00:00 2001
+From: Justin Stephenson <jstephen@redhat.com>
+Date: Thu, 9 Mar 2017 17:21:37 -0500
+Subject: [PATCH 107/115] SELINUX: Use getseuserbyname to get IPA seuser
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The libselinux function getseuserbyname is more reliable method to retrieve
+SELinux usernames then functions from libsemanage `semanage_user_query`
+and is recommended by libsemanage developers.
+Replace get_seuser function with getseuserbyname.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3308
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+Reviewed-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ Makefile.am                       |  1 +
+ src/providers/ipa/selinux_child.c | 12 +++----
+ src/util/sss_semanage.c           | 73 ---------------------------------------
+ src/util/util.h                   |  2 --
+ 4 files changed, 7 insertions(+), 81 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index cb5c405a453cacbe5c2464ea09c0e6353253a789..42d7e4a1751202cb47658c37d38487c558b780af 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -4107,6 +4107,7 @@ selinux_child_LDADD = \
+     $(POPT_LIBS) \
+     $(DHASH_LIBS) \
+     $(SEMANAGE_LIBS) \
+    $(SELINUX_LIBS) \
+     $(NULL)
+ endif
+ 
+diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
+index f8dd3954a7244df2dcbb910aabf8888f41306c09..073475094ee491bd5453898c6ba65214fa14fe59 100644
+--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
+@@ -27,6 +27,7 @@
+ #include <unistd.h>
+ #include <sys/stat.h>
+ #include <popt.h>
+#include <selinux/selinux.h>
+ 
+ #include "util/util.h"
+ #include "util/child_common.h"
+@@ -172,11 +173,10 @@ static bool seuser_needs_update(struct input_buffer *ibuf)
+     char *db_mls_range = NULL;
+     errno_t ret;
+ 
+-    ret = get_seuser(ibuf, ibuf->username, &db_seuser, &db_mls_range);
+    ret = getseuserbyname(ibuf->username, &db_seuser, &db_mls_range);
+     DEBUG(SSSDBG_TRACE_INTERNAL,
+-          "get_seuser: ret: %d msg: [%s] seuser: %s mls: %s\n",
+-          ret, sss_strerror(ret),
+-          db_seuser ? db_seuser : "unknown",
+          "getseuserbyname: ret: %d seuser: %s mls: %s\n",
+          ret, db_seuser ? db_seuser : "unknown",
+           db_mls_range ? db_mls_range : "unknown");
+     if (ret == EOK && db_seuser && db_mls_range &&
+             strcmp(db_seuser, ibuf->seuser) == 0 &&
+@@ -188,8 +188,8 @@ static bool seuser_needs_update(struct input_buffer *ibuf)
+         needs_update = false;
+     }
+ 
+-    talloc_free(db_seuser);
+-    talloc_free(db_mls_range);
+    free(db_seuser);
+    free(db_mls_range);
+     return needs_update;
+ }
+ 
+diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
+index 0da97aad4d8eba733b131c2749932e03ca4242c4..37278cc986a1ea49dc2218a635d52b9d54ca089d 100644
+--- a/src/util/sss_semanage.c
+++ b/src/util/sss_semanage.c
+@@ -382,73 +382,6 @@ done:
+     sss_semanage_close(handle);
+     return ret;
+ }
+-
+-int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,
+-               char **_seuser, char **_mls_range)
+-{
+-    errno_t ret;
+-    const char *seuser;
+-    const char *mls_range;
+-    semanage_handle_t *sm_handle = NULL;
+-    semanage_seuser_t *sm_user = NULL;
+-    semanage_seuser_key_t *sm_key = NULL;
+-
+-    ret = sss_semanage_init(&sm_handle);
+-    if (ret == ERR_SELINUX_NOT_MANAGED) {
+-        goto done;
+-    } else if (ret != EOK) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
+-        goto done;
+-    }
+-
+-    ret = semanage_seuser_key_create(sm_handle, login_name, &sm_key);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create key for %s\n", login_name);
+-        ret = EIO;
+-        goto done;
+-    }
+-
+-    ret = semanage_seuser_query(sm_handle, sm_key, &sm_user);
+-    if (ret < 0) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot query for %s\n", login_name);
+-        ret = EIO;
+-        goto done;
+-    }
+-
+-    seuser = semanage_seuser_get_sename(sm_user);
+-    if (seuser != NULL) {
+-        *_seuser = talloc_strdup(mem_ctx, seuser);
+-        if (*_seuser == NULL) {
+-            ret = ENOMEM;
+-            goto done;
+-        }
+-        DEBUG(SSSDBG_OP_FAILURE,
+-              "SELinux user for %s: %s\n", login_name, *_seuser);
+-    } else {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get sename for %s\n", login_name);
+-    }
+-
+-    mls_range = semanage_seuser_get_mlsrange(sm_user);
+-    if (mls_range != NULL) {
+-        *_mls_range = talloc_strdup(mem_ctx, mls_range);
+-        if (*_mls_range == NULL) {
+-            ret = ENOMEM;
+-            goto done;
+-        }
+-        DEBUG(SSSDBG_OP_FAILURE,
+-              "SELinux range for %s: %s\n", login_name, *_mls_range);
+-    } else {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get mlsrange for %s\n", login_name);
+-    }
+-
+-    ret = EOK;
+-done:
+-    semanage_seuser_key_free(sm_key);
+-    semanage_seuser_free(sm_user);
+-    sss_semanage_close(sm_handle);
+-    return ret;
+-}
+-
+ #else /* HAVE_SEMANAGE */
+ int set_seuser(const char *login_name, const char *seuser_name,
+                const char *mls)
+@@ -460,10 +393,4 @@ int del_seuser(const char *login_name)
+ {
+     return EOK;
+ }
+-
+-int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,
+-               char **_seuser, char **_mls_range)
+-{
+-    return EOK;
+-}
+ #endif  /* HAVE_SEMANAGE */
+diff --git a/src/util/util.h b/src/util/util.h
+index 3d8bfe4795e976294b565c0869e3b842cf318efd..37383011763a9a2a3c2c066215e3ed94aca77308 100644
+--- a/src/util/util.h
+++ b/src/util/util.h
+@@ -650,8 +650,6 @@ errno_t restore_creds(struct sss_creds *saved_creds);
+ int set_seuser(const char *login_name, const char *seuser_name,
+                const char *mlsrange);
+ int del_seuser(const char *login_name);
+-int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,
+-               char **_seuser, char **_mls_range);
+ 
+ /* convert time from generalized form to unix time */
+ errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *unix_time);
+-- 
+2.14.1
+
--- a/0108-certmap-Suppress-warning-Wmissing-braces.patch
+++ b/0108-certmap-Suppress-warning-Wmissing-braces.patch
@ -0,0 +1,51 @@
+From 22abbb479e00438ec4ab19735824cc6e79dd9aaf Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Wed, 6 Sep 2017 07:35:46 +0200
+Subject: [PATCH 108/115] certmap: Suppress warning Wmissing-braces
+
+Older version of gcc(e.g. gcc-4.8.5-11.el7) had a false positive warning
+with c99 struct initialisation "{ 0 }".
+https://gcc.gnu.org/bugzilla/show_bug.cgi?id=53119
+https://gcc.gnu.org/bugzilla/show_bug.cgi?id=64709
+
+  CC       src/lib/certmap/libsss_certmap_la-sss_cert_content_nss.lo
+
+src/lib/certmap/sss_cert_content_nss.c:
+    In function 'add_pkinit_princ_to_san_list':
+src/lib/certmap/sss_cert_content_nss.c:475:12:
+    error: missing braces around initializer [-Werror=missing-braces]
+     struct kerberos_principal_name kname = { 0 };
+            ^
+src/lib/certmap/sss_cert_content_nss.c:475:12:
+    error: (near initialization for 'kname.realm') [-Werror=missing-braces]
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/lib/certmap/sss_cert_content_nss.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/certmap/sss_cert_content_nss.c b/src/lib/certmap/sss_cert_content_nss.c
+index 9b9409797228e906ce59de2472677cb292692610..925124ccd505cc474e338e676ef2bc20c135dd6c 100644
+--- a/src/lib/certmap/sss_cert_content_nss.c
+++ b/src/lib/certmap/sss_cert_content_nss.c
+@@ -472,10 +472,16 @@ static int add_pkinit_princ_to_san_list(TALLOC_CTX *mem_ctx,
+ {
+     struct san_list *i = NULL;
+     SECStatus rv;
+-    struct kerberos_principal_name kname = { 0 };
+    /* To avoid 'Wmissing-braces' warnings with older versions of
+     * gcc kerberos_principal_name cannot be initialized with { 0 }
+     * but must be initialized with memset().
+     */
+    struct kerberos_principal_name kname;
+     int ret;
+     size_t c;
+ 
+    memset(&kname, 0, sizeof(kname));
+
+     rv = SEC_ASN1DecodeItem(pool, &kname,
+                             kerberos_principal_name_template,
+                             &(current->name.OthName.name));
+-- 
+2.14.1
+
--- a/0109-cache_req-Look-for-name-attribute-also-in-nss_cmd_ge.patch
+++ b/0109-cache_req-Look-for-name-attribute-also-in-nss_cmd_ge.patch
@ -0,0 +1,61 @@
+From 2e72ababbbadda4c4036f99528460c1d595e0941 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Mon, 21 Aug 2017 11:42:43 +0200
+Subject: [PATCH 109/115] cache_req: Look for name attribute also in
+ nss_cmd_getsidbyid
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We always check negcache after getting data from backend since commit
+4c09cd008967c5c0ec358dc658ffc6fc1cef2697 because we usually do have a name
+in begging of requests "* by ID".
+
+We were not interested in name in request sid by id before. However, function
+cache_req_search_ncache_filter always expect name otherwise it returns
+ERR_INTERNAL.
+
+[sssd[nss]] [cache_req_set_plugin] (0x2000): CR #8: Setting "Object by ID" plugin
+[sssd[nss]] [cache_req_send] (0x0400): CR #8: New request 'Object by ID'
+[sssd[nss]] [cache_req_select_domains] (0x0400): CR #8: Performing a multi-domain search
+[sssd[nss]] [cache_req_search_domains] (0x0400): CR #8: Search will check the cache and check the data provider
+[sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain sssdad2012r2.com type POSIX is valid
+[sssd[nss]] [cache_req_set_domain] (0x0400): CR #8: Using domain [sssdad2012r2.com]
+[sssd[nss]] [cache_req_search_send] (0x0400): CR #8: Looking up ID:233600513@sssdad2012r2.com
+[sssd[nss]] [cache_req_search_ncache] (0x0400): CR #8: Checking negative cache for [ID:233600513@sssdad2012r2.com]
+[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/sssdad2012r2.com/233600513]
+[sssd[nss]] [cache_req_search_ncache] (0x0400): CR #8: [ID:233600513@sssdad2012r2.com] is not present in negative cache
+[sssd[nss]] [cache_req_search_cache] (0x0400): CR #8: Looking up [ID:233600513@sssdad2012r2.com] in cache
+[sssd[nss]] [cache_req_search_send] (0x0400): CR #8: Returning [ID:233600513@sssdad2012r2.com] from cache
+[sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #8: Filtering out results by negative cache
+[sssd[nss]] [cache_req_search_ncache_filter] (0x0020): CR #8: sss_get_name_from_msg() returned NULL, which should never happen in this scenario!
+[sssd[nss]] [cache_req_process_result] (0x0400): CR #8: Finished: Error 1432158209: Internal Error
+[sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: error [1432158209]: Internal Error
+[sssd[nss]] [client_recv] (0x0200): Client disconnected!
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3485
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/responder/common/cache_req/cache_req_data.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c
+index 8726e139ffeaaf876f162f6048c86c2145db8662..48264a321dc603f9708ba71c44542363b11a71ba 100644
+--- a/src/responder/common/cache_req/cache_req_data.c
+++ b/src/responder/common/cache_req/cache_req_data.c
+@@ -26,7 +26,9 @@ static const char **
+ cache_req_data_create_attrs(TALLOC_CTX *mem_ctx,
+                             const char **requested)
+ {
+-    static const char *defattrs[] = { SYSDB_DEFAULT_ATTRS };
+    static const char *defattrs[] = { SYSDB_DEFAULT_ATTRS, SYSDB_NAME,
+                                      OVERRIDE_PREFIX SYSDB_NAME,
+                                      SYSDB_DEFAULT_OVERRIDE_NAME };
+     static size_t defnum = sizeof(defattrs) / sizeof(defattrs[0]);
+     const char **attrs;
+     size_t reqnum;
+-- 
+2.14.1
+
--- a/0110-ipa-make-sure-view-name-is-initialized-at-startup.patch
+++ b/0110-ipa-make-sure-view-name-is-initialized-at-startup.patch
@ -0,0 +1,59 @@
+From f00591a4615720640cf01b1c408315b57dd397dc Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 31 Aug 2017 22:30:25 +0200
+Subject: [PATCH 110/115] ipa: make sure view name is initialized at startup
+
+sysdb_master_domain_update() can only set the view name properly if it was not
+set before but it might be called multiple times before the view name is
+available if the cache is empty. Since ipa_apply_view() keeps track if
+the view name was already set at startup or not the name can safely be
+cleaned here before sysdb_master_domain_update() is called.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3501
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+ src/providers/ipa/ipa_subdomains.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
+index 7f8bcdbad3e8375c8d56a51a7ac615b29ee0457d..8a4657bc0f0d3fdc1ef3acece532942ea94daa66 100644
+--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
+@@ -780,6 +780,18 @@ done:
+     return ret;
+ }
+ 
+static void clean_view_name(struct sss_domain_info *domain)
+{
+    struct sss_domain_info *dom = domain;
+
+    while (dom) {
+        dom->has_views = false;
+        talloc_free(discard_const(dom->view_name));
+        dom->view_name = NULL;
+        dom = get_next_domain(dom, SSS_GND_DESCEND);
+    }
+}
+
+ static errno_t ipa_apply_view(struct sss_domain_info *domain,
+                               struct ipa_id_ctx *ipa_id_ctx,
+                               const char *view_name,
+@@ -872,7 +884,12 @@ static errno_t ipa_apply_view(struct sss_domain_info *domain,
+     }
+ 
+     if (!read_at_init) {
+-        /* refresh view data of all domains at startup */
+        /* refresh view data of all domains at startup, since
+         * sysdb_master_domain_update and sysdb_update_subdomains might have
+         * been called earlier without the proper view name the name is
+         * cleaned here before the calls. This is acceptable because this is
+         * the initial setup (!read_at_init).  */
+        clean_view_name(domain);
+         ret = sysdb_master_domain_update(domain);
+         if (ret != EOK) {
+             DEBUG(SSSDBG_OP_FAILURE, "sysdb_master_domain_update failed "
+-- 
+2.14.1
+
--- a/0111-DP-Add-Generic-DP-Request-Probes.patch
+++ b/0111-DP-Add-Generic-DP-Request-Probes.patch
@ -0,0 +1,212 @@
+From d46d59e78600aa72176df7217c94743b7e71881a Mon Sep 17 00:00:00 2001
+From: Justin Stephenson <jstephen@redhat.com>
+Date: Wed, 3 May 2017 16:36:57 -0400
+Subject: [PATCH 111/115] DP: Add Generic DP Request Probes
+
+Add the ability to analyze performance and monitor Data Provider
+requests at a high-level, probes fire when a request is sent and when
+a request is completed.
+
+Request name, domain, target, method, and return code information
+is passed as target variables to the systemtap probe tapsets which
+can be used in systemtap scripts.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3061
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+ Makefile.am                              |  9 +++++
+ src/providers/data_provider/dp_request.c |  5 +++
+ src/systemtap/sssd.stp.in                | 18 +++++++++
+ src/systemtap/sssd_functions.stp         | 68 ++++++++++++++++++++++++++++++++
+ src/systemtap/sssd_probes.d              |  5 +++
+ 5 files changed, 105 insertions(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index 42d7e4a1751202cb47658c37d38487c558b780af..f61560135f3bf233a71bf219c4a773d3dcc03ab0 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -1587,6 +1587,9 @@ sssd_be_LDADD = \
+ sssd_be_LDFLAGS = \
+     -Wl,--version-script,$(srcdir)/src/providers/sssd_be.exports \
+     -export-dynamic
+if BUILD_SYSTEMTAP
+sssd_be_LDADD += stap_generated_probes.lo
+endif
+ 
+ if BUILD_PYTHON_BINDINGS
+ sss_obfuscate_pythondir = $(sbindir)
+@@ -1893,6 +1896,9 @@ libdlopen_test_providers_la_LIBADD = \
+     $(SSSD_LIBS) \
+     $(CARES_LIBS) \
+     $(SSSD_INTERNAL_LTLIBS)
+if BUILD_SYSTEMTAP
+libdlopen_test_providers_la_LIBADD += stap_generated_probes.lo
+endif
+ libdlopen_test_providers_la_LDFLAGS = \
+     -shared \
+     -avoid-version \
+@@ -3317,6 +3323,9 @@ test_dp_request_LDADD = \
+     $(LIBADD_DL) \
+     libsss_test_common.la \
+     $(NULL)
+if BUILD_SYSTEMTAP
+test_dp_request_LDADD += stap_generated_probes.lo
+endif
+ 
+ test_dp_builtin_SOURCES = \
+     src/providers/data_provider/dp_modules.c \
+diff --git a/src/providers/data_provider/dp_request.c b/src/providers/data_provider/dp_request.c
+index 6c0a0b72dc958ca4160c9f2f134405a515769fe9..a6bc020e0649760c46637d6f90569248792f7f04 100644
+--- a/src/providers/data_provider/dp_request.c
+++ b/src/providers/data_provider/dp_request.c
+@@ -27,6 +27,7 @@
+ #include "providers/backend.h"
+ #include "util/dlinklist.h"
+ #include "util/util.h"
+#include "util/probes.h"
+ 
+ struct dp_req {
+     struct data_provider *provider;
+@@ -309,6 +310,7 @@ struct tevent_req *dp_req_send(TALLOC_CTX *mem_ctx,
+         goto immediately;
+     }
+ 
+    PROBE(DP_REQ_SEND, domain, dp_req->name, target, method);
+     state->dp_req = dp_req;
+     if (_request_name != NULL) {
+         request_name = talloc_strdup(mem_ctx, dp_req->name);
+@@ -363,6 +365,9 @@ static void dp_req_done(struct tevent_req *subreq)
+     talloc_zfree(subreq);
+     state->dp_req->handler_req = NULL;
+ 
+    PROBE(DP_REQ_DONE, state->dp_req->name, state->dp_req->target,
+          state->dp_req->method, ret, sss_strerror(ret));
+
+     DP_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->dp_req->name,
+                  "Request handler finished [%d]: %s", ret, sss_strerror(ret));
+ 
+diff --git a/src/systemtap/sssd.stp.in b/src/systemtap/sssd.stp.in
+index 199916383105c34e60f3cb9b06d04d6c483b9712..25a68cd04e4df529b113055f6c3968fb8d71b168 100644
+--- a/src/systemtap/sssd.stp.in
+++ b/src/systemtap/sssd.stp.in
+@@ -254,3 +254,21 @@ probe sdap_nested_group_process_recv = process("@libdir@/sssd/libsss_ldap_common
+     probestr = sprintf("-> %s(orig_dn=[%s])",
+                        $$name, orig_dn);
+ }
+
+## Data Provider Request Probes
+probe dp_req_send = process("@libexecdir@/sssd/sssd_be").mark("dp_req_send")
+{
+    dp_req_domain = user_string($arg1, "NULL");
+    dp_req_name = user_string($arg2, "NULL");
+    dp_req_target = $arg3;
+    dp_req_method = $arg4;
+}
+
+probe dp_req_done = process("@libexecdir@/sssd/sssd_be").mark("dp_req_done")
+{
+    dp_req_name = user_string($arg1, "NULL");
+    dp_req_target = $arg2;
+    dp_req_method = $arg3;
+    dp_ret = $arg4;
+    dp_errorstr = user_string($arg5, "NULL");
+}
+diff --git a/src/systemtap/sssd_functions.stp b/src/systemtap/sssd_functions.stp
+index bad194eadb1b7154e85bb05c42240323896abe45..e249aac986969e21b8c251e642324e85b74cf3c8 100644
+--- a/src/systemtap/sssd_functions.stp
+++ b/src/systemtap/sssd_functions.stp
+@@ -1,3 +1,13 @@
+// constants
+global TARGET_ID=0, TARGET_AUTH=1, TARGET_ACCESS=2, TARGET_CHPASS=3,
+       TARGET_SUDO=4, TARGET_AUTOFS=5, TARGET_SELINUX=6, TARGET_HOSTID=7,
+       TARGET_SUBDOMAINS=8, TARGET_SENTINEL=9
+
+global METHOD_CHECK_ONLINE=0, METHOD_ACCOUNT_HANDLER=1, METHOD_AUTH_HANDLER=2,
+       METHOD_ACCESS_HANDLER=3, METHOD_SELINUX_HANDLER=4, METHOD_SUDO_HANDLER=5,
+       METHOD_AUTOFS_HANDLER=6, METHOD_HOSTID_HANDLER=7, METHOD_DOMAINS_HANDLER=8,
+       METHOD_SENTINEL=9
+
+ function acct_req_desc(entry_type)
+ {
+     if (entry_type == 0x0001) {
+@@ -64,3 +74,61 @@ function sssd_acct_req_probestr(fc_name, entry_type, filter_type,
+                        filter_value, extra_value)
+     return probestr
+ }
+
+function dp_target_str(target)
+{
+    if (target == TARGET_ID) {
+        str_target = "ID"
+    } else if (target == TARGET_AUTH) {
+        str_target = "AUTH"
+    } else if (target == TARGET_ACCESS) {
+        str_target = "ACCESS"
+    } else if (target == TARGET_CHPASS) {
+        str_target = "CHPASS"
+    } else if (target == TARGET_SUDO) {
+        str_target = "SUDO"
+    } else if (target == TARGET_AUTOFS) {
+        str_target = "AUTOFS"
+    } else if (target == TARGET_SELINUX) {
+        str_target = "SELINUX"
+    } else if (target == TARGET_HOSTID) {
+        str_target = "HOSTID"
+    } else if (target == TARGET_SUBDOMAINS) {
+        str_target = "SUBDOMAINS"
+    } else if (target == TARGET_SENTINEL) {
+        str_target = "TARGET_SENTINEL"
+    } else {
+        str_target = "UNKNOWN"
+    }
+
+    return str_target
+}
+
+function dp_method_str(method)
+{
+    if (method == METHOD_CHECK_ONLINE) {
+        str_method = "Check Online"
+    } else if (method == METHOD_ACCOUNT_HANDLER) {
+        str_method = "Account Handler"
+    } else if (method == METHOD_AUTH_HANDLER) {
+        str_method = "Auth Handler"
+    } else if (method == METHOD_ACCESS_HANDLER) {
+        str_method = "Access Handler"
+    } else if (method == METHOD_SELINUX_HANDLER) {
+        str_method = "SELinux Handler"
+    } else if (method == METHOD_SUDO_HANDLER) {
+        str_method = "Sudo Handler"
+    } else if (method == METHOD_AUTOFS_HANDLER) {
+        str_method = "Autofs Handler"
+    } else if (method == METHOD_HOSTID_HANDLER) {
+        str_method = "HostID Handler"
+    } else if (method == METHOD_DOMAINS_HANDLER) {
+        str_method = "Domains Handler"
+    } else if (method == METHOD_SENTINEL) {
+        str_method = "Method Sentinel"
+    } else {
+        str_method = "UNKNOWN"
+    }
+
+    return str_method
+}
+diff --git a/src/systemtap/sssd_probes.d b/src/systemtap/sssd_probes.d
+index 33339b415cd084d2a9348a5cd5f46065c0504233..c0d526871e1a8e5a4ccbac427a239b9525130578 100644
+--- a/src/systemtap/sssd_probes.d
+++ b/src/systemtap/sssd_probes.d
+@@ -65,4 +65,9 @@ provider sssd {
+     probe sdap_nested_group_sysdb_search_groups_post();
+     probe sdap_nested_group_populate_search_users_pre();
+     probe sdap_nested_group_populate_search_users_post();
+
+    probe dp_req_send(const char *domain, const char *dp_req_name,
+                      int target, int method);
+    probe dp_req_done(const char *dp_req_name, int target, int method,
+                      int ret, const char *errorstr);
+ }
+-- 
+2.14.1
+
--- a/0112-CONTRIB-Add-DP-Request-analysis-script.patch
+++ b/0112-CONTRIB-Add-DP-Request-analysis-script.patch
@ -0,0 +1,142 @@
+From 1182dd93a5a6bb18943284273f7fd59b83468843 Mon Sep 17 00:00:00 2001
+From: Justin Stephenson <jstephen@redhat.com>
+Date: Fri, 5 May 2017 12:13:19 -0400
+Subject: [PATCH 112/115] CONTRIB: Add DP Request analysis script
+
+Run this script using stap as root and Ctrl-C to print the summary
+report
+   stap -v /usr/share/sssd/systemtap/dp_request.stp
+
+This script will use the data provider request probe markers to provide
+elapsed time of each request and more information about the slowest
+request in the summary report.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3061
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+ Makefile.am                      |  1 +
+ contrib/sssd.spec.in             |  1 +
+ contrib/systemtap/dp_request.stp | 85 ++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 87 insertions(+)
+ create mode 100644 contrib/systemtap/dp_request.stp
+
+diff --git a/Makefile.am b/Makefile.am
+index f61560135f3bf233a71bf219c4a773d3dcc03ab0..f99649e924672ceeba8d8653178030e6d1805f4a 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -1257,6 +1257,7 @@ dist_systemtap_tap_DATA = \
+ dist_sssdtapscript_DATA = \
+     contrib/systemtap/id_perf.stp \
+     contrib/systemtap/nested_group_perf.stp \
+    contrib/systemtap/dp_request.stp \
+     $(NULL)
+ 
+ stap_generated_probes.h: $(srcdir)/src/systemtap/sssd_probes.d
+diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
+index 43b853bb523bb212316f3d0046da6b88e4505ad2..e921a352eee6c9a6584292ba8ae5fad1639db57d 100644
+--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
+@@ -1003,6 +1003,7 @@ done
+ %dir %{_datadir}/sssd/systemtap
+ %{_datadir}/sssd/systemtap/id_perf.stp
+ %{_datadir}/sssd/systemtap/nested_group_perf.stp
+%{_datadir}/sssd/systemtap/dp_request.stp
+ %dir %{_datadir}/systemtap
+ %dir %{_datadir}/systemtap/tapset
+ %{_datadir}/systemtap/tapset/sssd.stp
+diff --git a/contrib/systemtap/dp_request.stp b/contrib/systemtap/dp_request.stp
+new file mode 100644
+index 0000000000000000000000000000000000000000..0fa108263e297bca94673414b057b7320334a369
+--- /dev/null
+++ b/contrib/systemtap/dp_request.stp
+@@ -0,0 +1,85 @@
+/* Start Run with:
+ *   stap -v dp_request.stp
+ *
+ * Then reproduce slow login or id/getent in another terminal.
+ * Ctrl-C running stap once login completes.
+ *
+ * Probe tapsets are in /usr/share/systemtap/tapset/sssd.stp
+ */
+
+
+global num_dp_requests
+
+global time_in_dp_req
+global elapsed_time
+global dp_req_send_start
+global dp_req_send_end
+
+/* Used for tracking slowest request as tz_ctime() only converts seconds, not ms */
+global dp_req_send_sec_start
+global dp_req_send_sec_end
+
+global slowest_req_name
+global slowest_req_target
+global slowest_req_method
+global slowest_req_time = 0
+global slowest_req_start_time
+global slowest_req_end_time
+
+function print_report()
+{
+	printf("\nEnding Systemtap Run - Providing Summary\n")
+	printf("Total Number of DP requests: [%d]\n", num_dp_requests)
+	printf("Total time in DP requests: [%s]\n", msecs_to_string(time_in_dp_req))
+	printf("Slowest request data:\n")
+	printf("\tRequest: [%s]\n", slowest_req_name)
+	printf("\tTarget:  [%s]\n", dp_target_str(slowest_req_target))
+	printf("\tMethod:  [%s]\n", dp_method_str(slowest_req_method))
+	printf("\tStart Time: [%s]\n", tz_ctime(slowest_req_start_time))
+	printf("\tEnd Time: [%s]\n", tz_ctime(slowest_req_end_time))
+	printf("\tDuration: [%s]\n\n", msecs_to_string(slowest_req_time))
+}
+
+probe dp_req_send
+{
+	dp_req_send_start = gettimeofday_ms()
+	dp_req_send_sec_start = gettimeofday_s()
+
+	printf("\t--> DP Request [%s] sent for domain [%s]\n", dp_req_name, dp_req_domain)
+	printf("\t--> Target: [%s] - Method: [%s]\n", dp_target_str(dp_req_target), dp_method_str(dp_req_method))
+
+	num_dp_requests++
+}
+
+probe dp_req_done
+{
+	dp_req_send_end = gettimeofday_ms()
+	dp_req_send_sec_end = gettimeofday_s()
+	elapsed_time = (dp_req_send_end - dp_req_send_start)
+
+	printf("\t\t DP Request [%s] finished with return code [%d]: [%s]\n",
+	        dp_req_name, dp_ret, dp_errorstr)
+	printf("\t\t Elapsed time [%s]\n\n", msecs_to_string(elapsed_time))
+
+	/* Track slowest request information */
+	if (elapsed_time > slowest_req_time) {
+		slowest_req_time = elapsed_time
+		slowest_req_name = dp_req_name
+		slowest_req_method = dp_req_method
+		slowest_req_target = slowest_req_target
+		slowest_req_start_time = dp_req_send_sec_start
+		slowest_req_end_time = dp_req_send_sec_end
+	}
+
+	time_in_dp_req += (dp_req_send_end - dp_req_send_start)
+}
+
+probe begin
+{
+	printf("\t*** Beginning run! ***\n")
+}
+
+probe end
+{
+    print_report()
+}
+-- 
+2.14.1
+
--- a/0113-MAN-Add-sssd-systemtap-man-page.patch
+++ b/0113-MAN-Add-sssd-systemtap-man-page.patch
@ -0,0 +1,491 @@
+From f199c749197532fd3380fa6f5d9f7a579879c21a Mon Sep 17 00:00:00 2001
+From: Justin Stephenson <jstephen@redhat.com>
+Date: Mon, 29 May 2017 14:32:51 -0400
+Subject: [PATCH 113/115] MAN: Add sssd-systemtap man page
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Provide information for administrators and users to utilize
+SSSD systemtap infrastructure.
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+---
+ contrib/sssd.spec.in         |   1 +
+ src/man/Makefile.am          |   9 +-
+ src/man/include/seealso.xml  |   6 +
+ src/man/po/po4a.cfg          |   1 +
+ src/man/sssd-systemtap.5.xml | 386 +++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 402 insertions(+), 1 deletion(-)
+ create mode 100644 src/man/sssd-systemtap.5.xml
+
+diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
+index e921a352eee6c9a6584292ba8ae5fad1639db57d..eae36c594b814e7c47c1f867757cd07e291f04b8 100644
+--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
+@@ -1008,6 +1008,7 @@ done
+ %dir %{_datadir}/systemtap/tapset
+ %{_datadir}/systemtap/tapset/sssd.stp
+ %{_datadir}/systemtap/tapset/sssd_functions.stp
+%{_mandir}/man5/sssd-systemtap.5*
+ %endif
+ 
+ %if (0%{?install_pcscd_polkit_rule} == 1)
+diff --git a/src/man/Makefile.am b/src/man/Makefile.am
+index 0e35ac277658e76ca8346a077a6931bc5c95ae23..15022c4fe24a28395335a74104d0970a356fe496 100644
+--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
+@@ -30,6 +30,9 @@ endif
+ if BUILD_SECRETS
+ KCM_CONDS = ;with_kcm
+ endif
+if BUILD_SYSTEMTAP
+STAP_CONDS = ;with_stap
+endif
+ if GPO_DEFAULT_ENFORCING
+ GPO_CONDS = ;gpo_default_enforcing
+ else
+@@ -43,7 +46,7 @@ FILES_CONDS = ;enable_files_domain
+ else
+ FILES_CONDS = ;no_enable_files_domain
+ endif
+-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)
+ 
+ 
+ #Special Rules:
+@@ -92,6 +95,10 @@ if BUILD_KCM
+ man_MANS += sssd-kcm.8
+ endif
+ 
+if BUILD_SYSTEMTAP
+man_MANS += sssd-systemtap.5
+endif
+
+ if BUILD_NFS_IDMAP
+ man_MANS += sss_rpcidmapd.5
+ endif
+diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml
+index 9b9a72ce257a9487f445bd40e7658259f091a01f..52798e460e0a00ab436a4f4fa071cee104e1bb8b 100644
+--- a/src/man/include/seealso.xml
+++ b/src/man/include/seealso.xml
+@@ -97,5 +97,11 @@
+                 <refentrytitle>sss_rpcidmapd</refentrytitle>
+                 <manvolnum>5</manvolnum>
+             </citerefentry>
+            <phrase condition="with_stap">
+                <citerefentry>
+                    <refentrytitle>sssd-systemtap</refentrytitle>
+                    <manvolnum>5</manvolnum>
+                </citerefentry>
+            </phrase>
+         </para>
+     </refsect1>
+diff --git a/src/man/po/po4a.cfg b/src/man/po/po4a.cfg
+index e9492cfe1525b2f5e1f2a18b7703afd15b5f8fde..7fd4e3881c74be99405c6af26f59543e1d8c19c6 100644
+--- a/src/man/po/po4a.cfg
+++ b/src/man/po/po4a.cfg
+@@ -33,6 +33,7 @@
+ [type:docbook] sssd-secrets.5.xml $lang:$(builddir)/$lang/sssd-secrets.5.xml
+ [type:docbook] sssd-session-recording.5.xml $lang:$(builddir)/$lang/sssd-session-recording.5.xml
+ [type:docbook] sssd-kcm.8.xml $lang:$(builddir)/$lang/sssd-kcm.8.xml
+[type:docbook] sssd-systemtap.5.xml $lang:$(builddir)/$lang/sssd-systemtap.5.xml
+ [type:docbook] include/service_discovery.xml $lang:$(builddir)/$lang/include/service_discovery.xml opt:"-k 0"
+ [type:docbook] include/upstream.xml $lang:$(builddir)/$lang/include/upstream.xml opt:"-k 0"
+ [type:docbook] include/failover.xml $lang:$(builddir)/$lang/include/failover.xml opt:"-k 0"
+diff --git a/src/man/sssd-systemtap.5.xml b/src/man/sssd-systemtap.5.xml
+new file mode 100644
+index 0000000000000000000000000000000000000000..f7b04e0aff983ad47e0354e2fa700809f4702670
+--- /dev/null
+++ b/src/man/sssd-systemtap.5.xml
+@@ -0,0 +1,386 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+    <refmeta>
+        <refentrytitle>sssd-systemtap</refentrytitle>
+        <manvolnum>5</manvolnum>
+        <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
+    </refmeta>
+
+    <refnamediv id='name'>
+        <refname>sssd-systemtap</refname>
+        <refpurpose>SSSD systemtap information</refpurpose>
+    </refnamediv>
+
+    <refsect1 id='description'>
+        <title>DESCRIPTION</title>
+        <para>
+            This manual page provides information about
+            the systemtap functionality
+            in
+            <citerefentry>
+                <refentrytitle>sssd</refentrytitle>
+                <manvolnum>8</manvolnum>
+            </citerefentry>.
+       </para>
+        <para>
+            SystemTap Probe points have been added into various
+            locations in SSSD code to assist in troubleshooting
+            and analyzing performance related issues.
+       </para>
+        <para>
+            <itemizedlist>
+                <listitem>
+                    <para>
+                        Sample SystemTap scripts are
+                        provided in /usr/share/sssd/systemtap/
+                    </para>
+                </listitem>
+                <listitem>
+                    <para>
+                        Probes and miscellaneous functions are
+                        defined in /usr/share/systemtap/tapset/sssd.stp
+                        and /usr/share/systemtap/tapset/sssd_functions.stp
+                        respectively.
+                    </para>
+                </listitem>
+            </itemizedlist>
+        </para>
+    </refsect1>
+
+    <refsect1 id='probe-points'>
+        <title>PROBE POINTS</title>
+        <para>
+            The information below lists the probe points and arguments available
+            in the following format:
+        </para>
+            <variablelist>
+                <varlistentry>
+                    <term>probe $name</term>
+                    <listitem>
+                        <para>
+                            Description of probe point
+                        </para>
+                        <programlisting>
+variable1:datatype
+variable2:datatype
+variable3:datatype
+...
+                        </programlisting>
+                    </listitem>
+                </varlistentry>
+            </variablelist>
+
+        <refsect2 id='database-transaction-probes'>
+            <title>Database Transaction Probes</title>
+            <para>
+              <variablelist>
+                <varlistentry>
+                    <term>probe sssd_transaction_start</term>
+                    <listitem>
+                        <para>
+                            Start of a sysdb transaction, probes the
+                            sysdb_transaction_start() function.
+                        </para>
+                        <programlisting>
+nesting:integer
+probestr:string
+                        </programlisting>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>probe sssd_transaction_cancel</term>
+                    <listitem>
+                        <para>
+                            Cancellation of a sysdb transaction,
+                            probes the sysdb_transaction_cancel()
+                            function.
+                        </para>
+                        <programlisting>
+nesting:integer
+probestr:string
+                        </programlisting>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>probe sssd_transaction_commit_before</term>
+                    <listitem>
+                        <para>
+                            Probes the sysdb_transaction_commit_before()
+                            function.
+                        </para>
+                        <programlisting>
+nesting:integer
+probestr:string
+                        </programlisting>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>probe sssd_transaction_commit_after</term>
+                    <listitem>
+                        <para>
+                            Probes the sysdb_transaction_commit_after()
+                            function.
+                        </para>
+                        <programlisting>
+nesting:integer
+probestr:string
+                        </programlisting>
+                    </listitem>
+                </varlistentry>
+              </variablelist>
+            </para>
+        </refsect2>
+
+        <refsect2 id='ldap-search-probes'>
+            <title>LDAP Search Probes</title>
+            <para>
+              <variablelist>
+                <varlistentry>
+                    <term>probe sdap_search_send</term>
+                    <listitem>
+                        <para>
+                            Probes the sdap_get_generic_ext_send()
+                            function.
+                        </para>
+                        <programlisting>
+base:string
+scope:integer
+filter:string
+probestr:string
+                        </programlisting>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>probe sdap_search_recv</term>
+                    <listitem>
+                        <para>
+                            Probes the sdap_get_generic_ext_recv()
+                            function.
+                        </para>
+                        <programlisting>
+base:string
+scope:integer
+filter:string
+probestr:string
+                        </programlisting>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>probe sdap_deref_send</term>
+                    <listitem>
+                        <para>
+                            Probes the sdap_deref_search_send()
+                            function.
+                        </para>
+                        <programlisting>
+base_dn:string
+deref_attr:string
+probestr:string
+                        </programlisting>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>probe sdap_deref_recv</term>
+                    <listitem>
+                        <para>
+                            Probes the sdap_deref_search_recv()
+                            function.
+                        </para>
+                        <programlisting>
+base:string
+scope:integer
+filter:string
+probestr:string
+                        </programlisting>
+                    </listitem>
+                </varlistentry>
+              </variablelist>
+            </para>
+        </refsect2>
+
+       <refsect2 id='ldap-account-req-probes'>
+           <title>LDAP Account Request Probes</title>
+           <para>
+             <variablelist>
+               <varlistentry>
+                   <term>probe sdap_acct_req_send</term>
+                   <listitem>
+                       <para>
+                           Probes the sdap_acct_req_send()
+                           function.
+                       </para>
+                       <programlisting>
+entry_type:int
+filter_type:int
+filter_value:string
+extra_value:string
+                       </programlisting>
+                   </listitem>
+               </varlistentry>
+               <varlistentry>
+                   <term>probe sdap_acct_req_recv</term>
+                   <listitem>
+                       <para>
+                           Probes the sdap_acct_req_recv()
+                           function.
+                       </para>
+                       <programlisting>
+entry_type:int
+filter_type:int
+filter_value:string
+extra_value:string
+                       </programlisting>
+                   </listitem>
+               </varlistentry>
+            </variablelist>
+        </para>
+        </refsect2>
+
+       <refsect2 id='ldap-user-search-probes'>
+           <title>LDAP User Search Probes</title>
+           <para>
+             <variablelist>
+               <varlistentry>
+                   <term>probe sdap_search_user_send</term>
+                   <listitem>
+                       <para>
+                           Probes the sdap_search_user_send()
+                           function.
+                       </para>
+                       <programlisting>
+filter:string
+                       </programlisting>
+                   </listitem>
+               </varlistentry>
+               <varlistentry>
+                   <term>probe sdap_search_user_recv</term>
+                   <listitem>
+                       <para>
+                           Probes the sdap_search_user_recv()
+                           function.
+                       </para>
+                       <programlisting>
+filter:string
+                       </programlisting>
+                   </listitem>
+               </varlistentry>
+               <varlistentry>
+                   <term>probe sdap_search_user_save_begin</term>
+                   <listitem>
+                       <para>
+                           Probes the sdap_search_user_save_begin()
+                           function.
+                       </para>
+                       <programlisting>
+filter:string
+                       </programlisting>
+                   </listitem>
+               </varlistentry>
+               <varlistentry>
+                   <term>probe sdap_search_user_save_end</term>
+                   <listitem>
+                       <para>
+                           Probes the sdap_search_user_save_end()
+                           function.
+                       </para>
+                       <programlisting>
+filter:string
+                       </programlisting>
+                   </listitem>
+               </varlistentry>
+            </variablelist>
+        </para>
+        </refsect2>
+
+       <refsect2 id='data-provider-request-probes'>
+           <title>Data Provider Request Probes</title>
+           <para>
+             <variablelist>
+               <varlistentry>
+                   <term>probe dp_req_send</term>
+                   <listitem>
+                       <para>
+                           A Data Provider request is submitted.
+                       </para>
+                       <programlisting>
+dp_req_domain:string
+dp_req_name:string
+dp_req_target:int
+dp_req_method:int
+                       </programlisting>
+                   </listitem>
+               </varlistentry>
+               <varlistentry>
+                   <term>probe dp_req_done</term>
+                   <listitem>
+                       <para>
+                           A Data Provider request is completed.
+                       </para>
+                       <programlisting>
+dp_req_name:string
+dp_req_target:int
+dp_req_method:int
+dp_ret:int
+dp_errorstr:string
+                       </programlisting>
+                   </listitem>
+               </varlistentry>
+            </variablelist>
+        </para>
+        </refsect2>
+
+    <refsect2 id='miscellaneous-functions'>
+        <title>MISCELLANEOUS FUNCTIONS</title>
+        <para>
+            The information below lists the probe points and arguments available
+            in the following format:
+        </para>
+            <variablelist>
+                <varlistentry>
+                    <term>function acct_req_desc(entry_type)</term>
+                    <listitem>
+                        <para>
+                            Convert entry_type to string and return string
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>function sssd_acct_req_probestr(fc_name, entry_type,
+                          filter_type, filter_value, extra_value)</term>
+                    <listitem>
+                        <para>
+                            Create probe string based on filter type
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>function dp_target_str(target)</term>
+                    <listitem>
+                        <para>
+                            Convert target to string and return string
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>function dp_method_str(target)</term>
+                    <listitem>
+                        <para>
+                            Convert method to string and return string
+                        </para>
+                    </listitem>
+                </varlistentry>
+            </variablelist>
+    </refsect2>
+
+    </refsect1>
+
+	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
+
+</refentry>
+</reference>
+-- 
+2.14.1
+
--- a/0114-TESTS-Use-NULL-for-pointer-not-0.patch
+++ b/0114-TESTS-Use-NULL-for-pointer-not-0.patch
@ -0,0 +1,48 @@
+From 280f69cf2ef63b47e2c7d4b745de36970a79a518 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Thu, 7 Sep 2017 11:01:21 +0200
+Subject: [PATCH 114/115] TESTS: Use NULL for pointer, not 0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+---
+ src/tests/cmocka/test_sysdb_sudo.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/tests/cmocka/test_sysdb_sudo.c b/src/tests/cmocka/test_sysdb_sudo.c
+index 34afe120d97e99e3213a85bf7489a5e0f6309e4b..5cd348259fc8ccef888772a497feb7b674b3fa0a 100644
+--- a/src/tests/cmocka/test_sysdb_sudo.c
+++ b/src/tests/cmocka/test_sysdb_sudo.c
+@@ -457,7 +457,7 @@ void test_get_sudo_user_info(void **state)
+ 
+     /* User 1 has group. */
+     ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom,
+-                                   users[1].name, 0, &groupnames);
+                                   users[1].name, NULL, &groupnames);
+     assert_int_equal(ret, EOK);
+     assert_string_equal(groupnames[0], TEST_GROUP_NAME);
+ 
+@@ -473,7 +473,7 @@ void test_get_sudo_user_info_nogroup(void **state)
+ 
+     /* User 0 hasn't group. */
+     ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom,
+-                                   users[0].name, 0, &groupnames);
+                                   users[0].name, NULL, &groupnames);
+     assert_int_equal(ret, EOK);
+     assert_null(groupnames);
+ 
+@@ -488,7 +488,7 @@ void test_get_sudo_nouser(void **state)
+                                                          struct sysdb_test_ctx);
+ 
+     ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom,
+-                                   TEST_USER_NON_EXIST, 0, &groupnames);
+                                   TEST_USER_NON_EXIST, NULL, &groupnames);
+     assert_int_equal(ret, ENOENT);
+ }
+ 
+-- 
+2.14.1
+
--- a/0115-SUDO-Use-initgr_with_views-when-looking-up-a-sudo-us.patch
+++ b/0115-SUDO-Use-initgr_with_views-when-looking-up-a-sudo-us.patch
@ -0,0 +1,597 @@
+From dee665060ba71ff61ad223e755ae61441118fbba Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 22 Aug 2017 22:32:19 +0200
+Subject: [PATCH 115/115] SUDO: Use initgr_with_views when looking up a sudo
+ user
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The sudo responder code didn't take views into account when looking for
+rules, which resulted in sudo rules being ignored if the user's name was
+overriden.
+
+Please see the ticket for a detailed info on how to reproduce the bug.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3488
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/db/sysdb_sudo.c                        |  89 ++++++++++-----
+ src/db/sysdb_sudo.h                        |   6 +-
+ src/responder/sudo/sudosrv_get_sudorules.c |  45 +++++---
+ src/responder/sudo/sudosrv_private.h       |   2 +-
+ src/tests/cmocka/test_sysdb_sudo.c         | 170 ++++++++++++++++++++++++++++-
+ 5 files changed, 259 insertions(+), 53 deletions(-)
+
+diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
+index 97a1bee99c0255579f42cc7263d3d755429cd417..ff8c95105ad8d4c7d36d5bf5c3005bcc8ff93040 100644
+--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
+@@ -370,38 +370,58 @@ sysdb_sudo_filter_netgroups(TALLOC_CTX *mem_ctx,
+ errno_t
+ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
+                          struct sss_domain_info *domain,
+-                         const char *username, uid_t *_uid,
+-                         char ***groupnames)
+                         const char *username,
+                         const char **_orig_name,
+                         uid_t *_uid,
+                         char ***_groupnames)
+ {
+     TALLOC_CTX *tmp_ctx;
+     errno_t ret;
+-    struct ldb_message *msg;
+     struct ldb_message *group_msg = NULL;
+    struct ldb_result *res;
+     char **sysdb_groupnames = NULL;
+     const char *primary_group = NULL;
+-    struct ldb_message_element *groups;
+     uid_t uid = 0;
+     gid_t gid = 0;
+     size_t num_groups = 0;
+-    int i;
+-    const char *attrs[] = { SYSDB_MEMBEROF,
+-                            SYSDB_GIDNUM,
+-                            SYSDB_UIDNUM,
+-                            NULL };
+    const char *groupname;
+     const char *group_attrs[] = { SYSDB_NAME,
+                                   NULL };
+    const char *orig_name;
+ 
+     tmp_ctx = talloc_new(NULL);
+     NULL_CHECK(tmp_ctx, ret, done);
+ 
+-    ret = sysdb_search_user_by_name(tmp_ctx, domain, username, attrs, &msg);
+    /*
+     * Even though we lookup initgroups with views, we don't want to use
+     * overridden group names/gids since the rules contains the original
+     * values.
+     */
+    ret = sysdb_initgroups_with_views(tmp_ctx, domain, username, &res);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "Error looking up user %s\n", username);
+         goto done;
+     }
+ 
+    if (res->count == 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "No such user %s\n", username);
+        ret = ENOENT;
+        goto done;
+    }
+
+    /* Even though the database might be queried with the overriden name,
+     * the original name must be used in the filter later on
+     */
+    orig_name = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL);
+    if (orig_name == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "No original name?\n");
+        ret = EINVAL;
+        goto done;
+    }
+    DEBUG(SSSDBG_TRACE_FUNC, "original name: %s\n", orig_name);
+
+     if (_uid != NULL) {
+-        uid = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0);
+        uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 0);
+         if (!uid) {
+             DEBUG(SSSDBG_CRIT_FAILURE, "A user with no UID?\n");
+             ret = EIO;
+@@ -409,35 +429,40 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
+         }
+     }
+ 
+-    /* resolve secondary groups */
+-    if (groupnames != NULL) {
+-        groups = ldb_msg_find_element(msg, SYSDB_MEMBEROF);
+-        if (!groups || groups->num_values == 0) {
+    /* get secondary group names */
+    if (_groupnames != NULL) {
+        if (res->count < 2) {
+             /* No groups for this user in sysdb currently */
+             sysdb_groupnames = NULL;
+             num_groups = 0;
+         } else {
+-            num_groups = groups->num_values;
+-            sysdb_groupnames = talloc_array(tmp_ctx, char *, num_groups + 1);
+            sysdb_groupnames = talloc_zero_array(tmp_ctx, char *, res->count);
+             NULL_CHECK(sysdb_groupnames, ret, done);
+ 
+-            /* Get a list of the groups by groupname only */
+-            for (i = 0; i < groups->num_values; i++) {
+-                ret = sysdb_group_dn_name(domain->sysdb,
+-                                          sysdb_groupnames,
+-                                          (const char *)groups->values[i].data,
+-                                          &sysdb_groupnames[i]);
+-                if (ret != EOK) {
+-                    ret = ENOMEM;
+-                    goto done;
+            /* Start counting from 1 to exclude the user entry */
+            num_groups = 0;
+            for (size_t i = 1; i < res->count; i++) {
+                groupname = ldb_msg_find_attr_as_string(res->msgs[i],
+                                                        SYSDB_NAME,
+                                                        NULL);
+                if (groupname == NULL) {
+                    DEBUG(SSSDBG_MINOR_FAILURE, "A group with no name?");
+                    continue;
+                 }
+
+                sysdb_groupnames[num_groups] = talloc_strdup(sysdb_groupnames,
+                                                             groupname);
+                if (sysdb_groupnames[num_groups] == NULL) {
+                    DEBUG(SSSDBG_MINOR_FAILURE, "Cannot strdup %s\n", groupname);
+                    continue;
+                }
+                num_groups++;
+             }
+-            sysdb_groupnames[groups->num_values] = NULL;
+         }
+     }
+ 
+     /* resolve primary group */
+-    gid = ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 0);
+    gid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_GIDNUM, 0);
+     if (gid != 0) {
+         ret = sysdb_search_group_by_gid(tmp_ctx, domain, gid, group_attrs,
+                                         &group_msg);
+@@ -468,12 +493,16 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
+ 
+     ret = EOK;
+ 
+    if (orig_name != NULL) {
+        *_orig_name = talloc_steal(mem_ctx, orig_name);
+    }
+
+     if (_uid != NULL) {
+         *_uid = uid;
+     }
+ 
+-    if (groupnames != NULL) {
+-        *groupnames = talloc_steal(mem_ctx, sysdb_groupnames);
+    if (_groupnames != NULL) {
+        *_groupnames = talloc_steal(mem_ctx, sysdb_groupnames);
+     }
+ done:
+     talloc_free(tmp_ctx);
+diff --git a/src/db/sysdb_sudo.h b/src/db/sysdb_sudo.h
+index 0c75d78eb8bfc5f6c7d484bf17f7a0a68f7fd044..4770c889789d9805b19a2d419bb73b5880ca3f74 100644
+--- a/src/db/sysdb_sudo.h
+++ b/src/db/sysdb_sudo.h
+@@ -120,8 +120,10 @@ sysdb_sudo_filter_netgroups(TALLOC_CTX *mem_ctx,
+ errno_t
+ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
+                          struct sss_domain_info *domain,
+-                         const char *username, uid_t *_uid,
+-                         char ***groupnames);
+                         const char *username,
+                         const char **_orig_name,
+                         uid_t *_uid,
+                         char ***_groupnames);
+ 
+ errno_t sysdb_sudo_set_last_full_refresh(struct sss_domain_info *domain,
+                                          time_t value);
+diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
+index 3272e634d895acf4854309371779a00cf1525126..a420c76fb39757eba817120ab2045b319dd48f94 100644
+--- a/src/responder/sudo/sudosrv_get_sudorules.c
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
+@@ -193,7 +193,8 @@ static errno_t sudosrv_expired_rules(TALLOC_CTX *mem_ctx,
+ 
+ static errno_t sudosrv_cached_rules_by_user(TALLOC_CTX *mem_ctx,
+                                             struct sss_domain_info *domain,
+-                                            uid_t uid,
+                                            uid_t cli_uid,
+                                            uid_t orig_uid,
+                                             const char *username,
+                                             char **groupnames,
+                                             struct sysdb_attrs ***_rules,
+@@ -224,7 +225,7 @@ static errno_t sudosrv_cached_rules_by_user(TALLOC_CTX *mem_ctx,
+         return ENOMEM;
+     }
+ 
+-    filter = sysdb_sudo_filter_user(tmp_ctx, username, groupnames, uid);
+    filter = sysdb_sudo_filter_user(tmp_ctx, username, groupnames, orig_uid);
+     if (filter == NULL) {
+         ret = ENOMEM;
+         goto done;
+@@ -236,7 +237,7 @@ static errno_t sudosrv_cached_rules_by_user(TALLOC_CTX *mem_ctx,
+         goto done;
+     }
+ 
+-    val = talloc_asprintf(tmp_ctx, "#%"SPRIuid, uid);
+    val = talloc_asprintf(tmp_ctx, "#%"SPRIuid, cli_uid);
+     if (val == NULL) {
+         ret = ENOMEM;
+         goto done;
+@@ -301,7 +302,8 @@ static errno_t sudosrv_cached_rules_by_ng(TALLOC_CTX *mem_ctx,
+ 
+ static errno_t sudosrv_cached_rules(TALLOC_CTX *mem_ctx,
+                                     struct sss_domain_info *domain,
+-                                    uid_t uid,
+                                    uid_t cli_uid,
+                                    uid_t orig_uid,
+                                     const char *username,
+                                     char **groups,
+                                     bool inverse_order,
+@@ -323,13 +325,15 @@ static errno_t sudosrv_cached_rules(TALLOC_CTX *mem_ctx,
+         return ENOMEM;
+     }
+ 
+-    ret = sudosrv_cached_rules_by_user(tmp_ctx, domain, uid, username, groups,
+    ret = sudosrv_cached_rules_by_user(tmp_ctx, domain,
+                                       cli_uid, orig_uid, username, groups,
+                                        &user_rules, &num_user_rules);
+     if (ret != EOK) {
+         goto done;
+     }
+ 
+-    ret = sudosrv_cached_rules_by_ng(tmp_ctx, domain, uid, username, groups,
+    ret = sudosrv_cached_rules_by_ng(tmp_ctx, domain,
+                                     orig_uid, username, groups,
+                                      &ng_rules, &num_ng_rules);
+     if (ret != EOK) {
+         goto done;
+@@ -410,7 +414,8 @@ static errno_t sudosrv_cached_defaults(TALLOC_CTX *mem_ctx,
+ static errno_t sudosrv_fetch_rules(TALLOC_CTX *mem_ctx,
+                                    enum sss_sudo_type type,
+                                    struct sss_domain_info *domain,
+-                                   uid_t uid,
+                                   uid_t cli_uid,
+                                   uid_t orig_uid,
+                                    const char *username,
+                                    char **groups,
+                                    bool inverse_order,
+@@ -428,7 +433,8 @@ static errno_t sudosrv_fetch_rules(TALLOC_CTX *mem_ctx,
+               username, domain->name);
+         debug_name = "rules";
+ 
+-        ret = sudosrv_cached_rules(mem_ctx, domain, uid, username, groups,
+        ret = sudosrv_cached_rules(mem_ctx, domain,
+                                   cli_uid, orig_uid, username, groups,
+                                    inverse_order, &rules, &num_rules);
+ 
+         break;
+@@ -616,13 +622,16 @@ struct sudosrv_get_rules_state {
+     struct tevent_context *ev;
+     struct resp_ctx *rctx;
+     enum sss_sudo_type type;
+-    uid_t uid;
+    uid_t cli_uid;
+     const char *username;
+     struct sss_domain_info *domain;
+     char **groups;
+     bool inverse_order;
+     int threshold;
+ 
+    uid_t orig_uid;
+    const char *orig_username;
+
+     struct sysdb_attrs **rules;
+     uint32_t num_rules;
+ };
+@@ -634,7 +643,7 @@ struct tevent_req *sudosrv_get_rules_send(TALLOC_CTX *mem_ctx,
+                                           struct tevent_context *ev,
+                                           struct sudo_ctx *sudo_ctx,
+                                           enum sss_sudo_type type,
+-                                          uid_t uid,
+                                          uid_t cli_uid,
+                                           const char *username)
+ {
+     struct sudosrv_get_rules_state *state;
+@@ -651,7 +660,7 @@ struct tevent_req *sudosrv_get_rules_send(TALLOC_CTX *mem_ctx,
+     state->ev = ev;
+     state->rctx = sudo_ctx->rctx;
+     state->type = type;
+-    state->uid = uid;
+    state->cli_uid = cli_uid;
+     state->inverse_order = sudo_ctx->inverse_order;
+     state->threshold = sudo_ctx->threshold;
+ 
+@@ -702,7 +711,9 @@ static void sudosrv_get_rules_initgr_done(struct tevent_req *subreq)
+     talloc_zfree(result);
+ 
+     ret = sysdb_get_sudo_user_info(state, state->domain, state->username,
+-                                   NULL, &state->groups);
+                                   &state->orig_username,
+                                   &state->orig_uid,
+                                   &state->groups);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to obtain user groups [%d]: %s\n",
+               ret, sss_strerror(ret));
+@@ -711,7 +722,8 @@ static void sudosrv_get_rules_initgr_done(struct tevent_req *subreq)
+ 
+     subreq = sudosrv_refresh_rules_send(state, state->ev, state->rctx,
+                                         state->domain, state->threshold,
+-                                        state->uid, state->username,
+                                        state->orig_uid,
+                                        state->orig_username,
+                                         state->groups);
+     if (subreq == NULL) {
+         ret = ENOMEM;
+@@ -748,8 +760,11 @@ static void sudosrv_get_rules_done(struct tevent_req *subreq)
+               "in cache.\n");
+     }
+ 
+-    ret = sudosrv_fetch_rules(state, state->type, state->domain, state->uid,
+-                              state->username, state->groups,
+    ret = sudosrv_fetch_rules(state, state->type, state->domain,
+                              state->cli_uid,
+                              state->orig_uid,
+                              state->orig_username,
+                              state->groups,
+                               state->inverse_order,
+                               &state->rules, &state->num_rules);
+ 
+diff --git a/src/responder/sudo/sudosrv_private.h b/src/responder/sudo/sudosrv_private.h
+index c76bdd3955bc29b7ba2cda58c503a4c616d7e63a..164f033c0eae2af6f3184c8927b1b7c6cf57afd4 100644
+--- a/src/responder/sudo/sudosrv_private.h
+++ b/src/responder/sudo/sudosrv_private.h
+@@ -71,7 +71,7 @@ struct tevent_req *sudosrv_get_rules_send(TALLOC_CTX *mem_ctx,
+                                           struct tevent_context *ev,
+                                           struct sudo_ctx *sudo_ctx,
+                                           enum sss_sudo_type type,
+-                                          uid_t uid,
+                                          uid_t cli_uid,
+                                           const char *username);
+ 
+ errno_t sudosrv_get_rules_recv(TALLOC_CTX *mem_ctx,
+diff --git a/src/tests/cmocka/test_sysdb_sudo.c b/src/tests/cmocka/test_sysdb_sudo.c
+index 5cd348259fc8ccef888772a497feb7b674b3fa0a..1f8432395595c3d0981624d1788230a7e3812de8 100644
+--- a/src/tests/cmocka/test_sysdb_sudo.c
+++ b/src/tests/cmocka/test_sysdb_sudo.c
+@@ -40,6 +40,10 @@
+ #define TEST_GROUP_NAME "test_sudo_group"
+ #define TEST_GID 10001
+ 
+#define OVERRIDE_USER_NAME "user_test"
+#define OVERRIDE_GROUP_NAME "group_sudo_test"
+#define OVERRIDE_UID 2112
+
+ struct test_user {
+     const char *name;
+     uid_t uid;
+@@ -186,6 +190,52 @@ static int test_sysdb_teardown(void **state)
+     return 0;
+ }
+ 
+static int test_sysdb_views_setup(void **state)
+{
+    struct sysdb_test_ctx *test_ctx;
+    errno_t ret;
+
+    assert_true(leak_check_setup());
+
+    test_ctx = talloc_zero(global_talloc_context, struct sysdb_test_ctx);
+    assert_non_null(test_ctx);
+
+    test_dom_suite_setup(TESTS_PATH);
+
+    test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH, TEST_CONF_DB,
+                                         TEST_DOM_NAME, "ipa", NULL);
+    assert_non_null(test_ctx->tctx);
+
+    create_groups(test_ctx->tctx->dom);
+    create_users(test_ctx->tctx->dom);
+
+    ret = sysdb_update_view_name(test_ctx->tctx->dom->sysdb, SYSDB_LOCAL_VIEW_NAME);
+    assert_int_equal(ret, EOK);
+    sysdb_master_domain_update(test_ctx->tctx->dom);
+
+    reset_ldb_errstrings(test_ctx->tctx->dom);
+    check_leaks_push(test_ctx);
+
+    *state = (void *)test_ctx;
+    return 0;
+}
+
+static int test_sysdb_views_teardown(void **state)
+{
+    struct sysdb_test_ctx *test_ctx;
+
+    test_ctx = talloc_get_type_abort(*state, struct sysdb_test_ctx);
+
+    test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+
+    reset_ldb_errstrings(test_ctx->tctx->dom);
+    assert_true(check_leaks_pop(test_ctx));
+    talloc_zfree(test_ctx);
+    assert_true(leak_check_teardown());
+
+    return 0;
+}
+
+ void test_store_sudo(void **state)
+ {
+     errno_t ret;
+@@ -452,44 +502,146 @@ void test_get_sudo_user_info(void **state)
+ {
+     errno_t ret;
+     char **groupnames = NULL;
+    const char *orig_username;
+     struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+                                                          struct sysdb_test_ctx);
+ 
+     /* User 1 has group. */
+-    ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom,
+-                                   users[1].name, NULL, &groupnames);
+    ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom, users[1].name,
+                                   &orig_username, NULL, &groupnames);
+     assert_int_equal(ret, EOK);
+     assert_string_equal(groupnames[0], TEST_GROUP_NAME);
+    assert_string_equal(orig_username, users[1].name);
+ 
+     talloc_zfree(groupnames);
+    talloc_zfree(orig_username);
+}
+
+void test_get_overriden_sudo_user_info(void **state)
+{
+    errno_t ret;
+    char **groupnames = NULL;
+    const char *orig_username;
+    uid_t orig_uid;
+    struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+                                                         struct sysdb_test_ctx);
+
+    char *strdn;
+    char *safe_dn;
+    char *anchor;
+    char *group_fqname;
+    char *user_fqname;
+    struct sysdb_attrs *attrs;
+    struct ldb_dn *ldb_dn;
+
+    attrs = sysdb_new_attrs(test_ctx);
+    assert_non_null(attrs);
+
+    /* Override user's name and primary UID */
+    user_fqname = sss_create_internal_fqname(test_ctx,
+                                             OVERRIDE_USER_NAME,
+                                             test_ctx->tctx->dom->name);
+    assert_non_null(user_fqname);
+
+    ldb_dn = sysdb_user_dn(attrs, test_ctx->tctx->dom, users[1].name);
+    assert_non_null(ldb_dn);
+    strdn = sysdb_user_strdn(attrs, test_ctx->tctx->dom->name, users[1].name);
+    assert_non_null(strdn);
+    ret = sysdb_dn_sanitize(attrs, strdn, &safe_dn);
+    assert_int_equal(ret, EOK);
+    anchor = talloc_asprintf(attrs, ":%s:%s", SYSDB_LOCAL_VIEW_NAME, safe_dn);
+    assert_non_null(anchor);
+
+    ret = sysdb_attrs_add_string(attrs, SYSDB_OVERRIDE_ANCHOR_UUID, anchor);
+    assert_int_equal(ret, EOK);
+    ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, user_fqname);
+    assert_int_equal(ret, EOK);
+    ret = sysdb_attrs_add_uint32(attrs, SYSDB_UIDNUM, OVERRIDE_UID);
+    assert_int_equal(ret, EOK);
+
+    ret = sysdb_store_override(test_ctx->tctx->dom, SYSDB_LOCAL_VIEW_NAME,
+                               SYSDB_MEMBER_USER, attrs, ldb_dn);
+    assert_int_equal(ret, EOK);
+    talloc_zfree(attrs);
+
+    /* Override user's secondary group name */
+    attrs = sysdb_new_attrs(test_ctx);
+    assert_non_null(attrs);
+
+    group_fqname = sss_create_internal_fqname(test_ctx,
+                                              OVERRIDE_GROUP_NAME,
+                                              test_ctx->tctx->dom->name);
+    assert_non_null(group_fqname);
+
+    ldb_dn = sysdb_group_dn(attrs, test_ctx->tctx->dom, TEST_GROUP_NAME);
+    assert_non_null(ldb_dn);
+    strdn = sysdb_group_strdn(attrs, test_ctx->tctx->dom->name, TEST_GROUP_NAME);
+    assert_non_null(strdn);
+    ret = sysdb_dn_sanitize(attrs, strdn, &safe_dn);
+    assert_int_equal(ret, EOK);
+    anchor = talloc_asprintf(attrs, ":%s:%s", SYSDB_LOCAL_VIEW_NAME, safe_dn);
+    assert_non_null(anchor);
+
+    ret = sysdb_attrs_add_string(attrs, SYSDB_OVERRIDE_ANCHOR_UUID, anchor);
+    assert_int_equal(ret, EOK);
+    ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, group_fqname);
+    assert_int_equal(ret, EOK);
+
+    ret = sysdb_store_override(test_ctx->tctx->dom, SYSDB_LOCAL_VIEW_NAME,
+                               SYSDB_MEMBER_GROUP, attrs, ldb_dn);
+    assert_int_equal(ret, EOK);
+
+    /* User must be searchable by their overriden name */
+    ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom, user_fqname,
+                                   &orig_username, &orig_uid, &groupnames);
+    assert_int_equal(ret, EOK);
+
+    /* sysdb_get_sudo_user_info must return the original values, not the
+     * overriden one */
+    assert_string_equal(groupnames[0], TEST_GROUP_NAME);
+    assert_string_equal(orig_username, users[1].name);
+    assert_int_equal(orig_uid, users[1].uid);
+
+    talloc_zfree(groupnames);
+    talloc_zfree(orig_username);
+    talloc_zfree(attrs);
+    talloc_zfree(user_fqname);
+    talloc_zfree(group_fqname);
+ }
+ 
+ void test_get_sudo_user_info_nogroup(void **state)
+ {
+     errno_t ret;
+     char **groupnames = NULL;
+    const char *orig_username;
+     struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+                                                          struct sysdb_test_ctx);
+ 
+     /* User 0 hasn't group. */
+-    ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom,
+-                                   users[0].name, NULL, &groupnames);
+    ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom, users[0].name,
+                                   &orig_username, NULL, &groupnames);
+     assert_int_equal(ret, EOK);
+     assert_null(groupnames);
+    assert_string_equal(orig_username, users[0].name);
+ 
+     talloc_zfree(groupnames);
+    talloc_zfree(orig_username);
+ }
+ 
+ void test_get_sudo_nouser(void **state)
+ {
+     errno_t ret;
+     char **groupnames = NULL;
+    const char *orig_username = NULL;
+     struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+                                                          struct sysdb_test_ctx);
+ 
+     ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom,
+-                                   TEST_USER_NON_EXIST, NULL, &groupnames);
+                                   TEST_USER_NON_EXIST,
+                                   &orig_username, NULL, &groupnames);
+     assert_int_equal(ret, ENOENT);
+    assert_null(orig_username);
+    assert_null(groupnames);
+ }
+ 
+ void test_set_sudo_rule_attr_add(void **state)
+@@ -849,6 +1001,14 @@ int main(int argc, const char *argv[])
+                                         test_sysdb_setup,
+                                         test_sysdb_teardown),
+ 
+        /* The override tests use a different setup/teardown because loading
+         * the view allocates some data on the confdb and domain pointers,
+         * which would confuse the leak check
+         */
+        cmocka_unit_test_setup_teardown(test_get_overriden_sudo_user_info,
+                                        test_sysdb_views_setup,
+                                        test_sysdb_views_teardown),
+
+         /* sysdb_set_sudo_rule_attr() */
+         cmocka_unit_test_setup_teardown(test_set_sudo_rule_attr_add,
+                                         test_sysdb_setup,
+-- 
+2.14.1
+
--- a/sssd.spec
+++ b/sssd.spec
@ -32,7 +32,7 @@

 Name: sssd
 Version: 1.15.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@ -134,6 +134,27 @@ Patch0090: 0090-SECRETS-Use-separate-quotas-for-kcm-and-secrets-hive.patch
 Patch0091: 0091-TESTS-Test-that-ccaches-can-be-stored-after-max_secr.patch
 Patch0092: 0092-SECRETS-Add-a-new-option-to-control-per-UID-limits.patch
 Patch0093: 0093-SECRETS-Support-0-as-unlimited-for-the-quotas.patch
+Patch0094: 0094-TESTS-Relax-the-assert-in-test_idle_timeout.patch
+Patch0095: 0095-IPA-Reword-the-DEBUG-message-about-SRV-resolution-on.patch
+Patch0097: 0097-SYSDB-Add-sysdb_search_by_orig_dn.patch
+Patch0098: 0098-TESTS-Add-tests-for-sysdb_search_-users-groups-_by_o.patch
+Patch0099: 0099-IPA-Use-sysdb_search_-_by_orig_dn-_hbac_users.c.patch
+Patch0100: 0100-SDAP-Use-sysdb_search_-_by_orig_dn-in-sdap_async_nes.patch
+Patch0101: 0101-SDAP-Use-sysdb_search_-_by_orig_dn-in-sdap_async_gro.patch
+Patch0102: 0102-IPA-Use-sysdb_search_-_by_orig_dn-in-_subdomains_ext.patch
+Patch0103: 0103-MAN-Improve-description-of-trusted-domain-section-in.patch
+Patch0104: 0104-certmap-add-OpenSSL-implementation.patch
+Patch0105: 0105-MAN-Improve-failover-documentation-by-explaining-the.patch
+Patch0106: 0106-MAN-Document-that-the-secrets-provider-can-only-be-s.patch
+Patch0107: 0107-SELINUX-Use-getseuserbyname-to-get-IPA-seuser.patch
+Patch0108: 0108-certmap-Suppress-warning-Wmissing-braces.patch
+Patch0109: 0109-cache_req-Look-for-name-attribute-also-in-nss_cmd_ge.patch
+Patch0110: 0110-ipa-make-sure-view-name-is-initialized-at-startup.patch
+Patch0111: 0111-DP-Add-Generic-DP-Request-Probes.patch
+Patch0112: 0112-CONTRIB-Add-DP-Request-analysis-script.patch
+Patch0113: 0113-MAN-Add-sssd-systemtap-man-page.patch
+Patch0114: 0114-TESTS-Use-NULL-for-pointer-not-0.patch
+Patch0115: 0115-SUDO-Use-initgr_with_views-when-looking-up-a-sudo-us.patch
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch

 ### Dependencies ###
@ -920,6 +941,7 @@ done
 %attr(700,root,root) %dir %{dbpath}
 %attr(755,root,root) %dir %{mcpath}
 %attr(700,root,root) %dir %{secdbpath}
+%attr(755,root,root) %dir %{deskprofilepath}
 %ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/passwd
 %ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/group
 %ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/initgroups
@ -958,10 +980,12 @@ done
 %dir %{_datadir}/sssd/systemtap
 %{_datadir}/sssd/systemtap/id_perf.stp
 %{_datadir}/sssd/systemtap/nested_group_perf.stp
+%{_datadir}/sssd/systemtap/dp_request.stp
 %dir %{_datadir}/systemtap
 %dir %{_datadir}/systemtap/tapset
 %{_datadir}/systemtap/tapset/sssd.stp
 %{_datadir}/systemtap/tapset/sssd_functions.stp
+%{_mandir}/man5/sssd-systemtap.5*


 %files ldap -f sssd_ldap.lang
@ -1330,6 +1354,17 @@ fi
                                %{_libdir}/%{name}/modules/libwbclient.so

 %changelog
+* Mon Sep 11 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.3-4
+- Resolves: rhbz#1488327 - SELinux is preventing selinux_child from write
+                           access on the sock_file system_bus_socket
+- Resolves: rhbz#1490402 - SSSD does not create /var/lib/sss/deskprofile and
+                           fails to download desktop profile data
+- Resolves: upstream#3485 - getsidbyid does not work with 1.15.3
+- Resolves: upstream#3488 - SUDO doesn't work for IPA users on IPA clients
+                            after applying ID Views for them in IPA server
+- Resolves: upstream#3501 - Accessing IdM kerberos ticket fails while id
+                            mapping is applied
+
 * Fri Sep 01 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.3-3
 - Backport few upstream patches/fixes