providers: drop ldap_{init,}groups_use_matching_rule_in_chain support

Resolves:
https://pagure.io/SSSD/sssd/issue/3492

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

src/config/SSSDConfig/__init__.py.in

@@ -405,8 +405,6 @@ option_strings = {
     'ldap_idmap_default_domain_sid' : _('SID of the default domain for ID-mapping'),
     'ldap_idmap_helper_table_size' : _('Number of secondary slices'),
 
-    'ldap_groups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups'),
-    'ldap_initgroups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups'),
     'ldap_use_tokengroups' : _('Whether to use Token-Groups'),
     'ldap_min_id' : _('Set lower boundary for allowed IDs from the LDAP server'),
     'ldap_max_id' : _('Set upper boundary for allowed IDs from the LDAP server'),

src/config/cfg_rules.ini

@@ -611,7 +611,6 @@ option = ldap_group_objectsid
 option = ldap_group_search_base
 option = ldap_group_search_filter
 option = ldap_group_search_scope
-option = ldap_groups_use_matching_rule_in_chain
 option = ldap_group_type
 option = ldap_group_uuid
 option = ldap_idmap_autorid_compat
@@ -623,7 +622,6 @@ option = ldap_idmap_range_max
 option = ldap_idmap_range_min
 option = ldap_idmap_range_size
 option = ldap_id_use_start_tls
-option = ldap_initgroups_use_matching_rule_in_chain
 option = ldap_krb5_init_creds
 option = ldap_krb5_keytab
 option = ldap_krb5_ticket_lifetime

src/config/etc/sssd.api.d/sssd-ad.conf

@@ -129,8 +129,6 @@ ldap_idmap_autorid_compat = bool, None, false
 ldap_idmap_default_domain = str, None, false
 ldap_idmap_default_domain_sid = str, None, false
 ldap_idmap_helper_table_size = int, None, false
-ldap_groups_use_matching_rule_in_chain = bool, None, false
-ldap_initgroups_use_matching_rule_in_chain = bool, None, false
 ldap_use_tokengroups = bool, None, false
 ldap_rfc2307_fallback_to_local_users = bool, None, false
 ldap_pwdlockout_dn = str, None, false

src/config/etc/sssd.api.d/sssd-ipa.conf

@@ -135,8 +135,6 @@ ldap_idmap_autorid_compat = bool, None, false
 ldap_idmap_default_domain = str, None, false
 ldap_idmap_default_domain_sid = str, None, false
 ldap_idmap_helper_table_size = int, None, false
-ldap_groups_use_matching_rule_in_chain = bool, None, false
-ldap_initgroups_use_matching_rule_in_chain = bool, None, false
 ldap_use_tokengroups = bool, None, false
 ldap_rfc2307_fallback_to_local_users = bool, None, false
 ipa_server_mode = bool, None, false

src/config/etc/sssd.api.d/sssd-ldap.conf

@@ -122,8 +122,6 @@ ldap_idmap_autorid_compat = bool, None, false
 ldap_idmap_default_domain = str, None, false
 ldap_idmap_default_domain_sid = str, None, false
 ldap_idmap_helper_table_size = int, None, false
-ldap_groups_use_matching_rule_in_chain = bool, None, false
-ldap_initgroups_use_matching_rule_in_chain = bool, None, false
 ldap_use_tokengroups = bool, None, false
 ldap_rfc2307_fallback_to_local_users = bool, None, false
 ldap_min_id = int, None, false

src/man/sssd-ldap.5.xml

@@ -1057,65 +1057,6 @@
                     </listitem>
                 </varlistentry>
 
-                <varlistentry>
-                    <term>ldap_groups_use_matching_rule_in_chain</term>
-                    <listitem>
-                        <para>
-                            This option tells SSSD to take advantage of an
-                            Active Directory-specific feature which may speed
-                            up group lookup operations on deployments with
-                            complex or deep nested groups.
-                        </para>
-                        <para>
-                            In most common cases, it is best to leave this
-                            option disabled. It generally only provides a
-                            performance increase on very complex nestings.
-                        </para>
-                        <para>
-                            If this option is enabled, SSSD will use it if it
-                            detects that the server supports it during initial
-                            connection. So "True" here essentially means
-                            "auto-detect".
-                        </para>
-                        <para>
-                            Note: This feature is currently known to work only
-                            with Active Directory 2008 R1 and later. See
-                            <ulink url="http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx">
-                            MSDN(TM) documentation</ulink> for more details.
-                        </para>
-                        <para>
-                            Default: False
-                        </para>
-                    </listitem>
-                </varlistentry>
-
-                <varlistentry>
-                    <term>ldap_initgroups_use_matching_rule_in_chain</term>
-                    <listitem>
-                        <para>
-                            This option tells SSSD to take advantage of an
-                            Active Directory-specific feature which might speed
-                            up initgroups operations (most notably when
-                            dealing with complex or deep nested groups).
-                        </para>
-                        <para>
-                            If this option is enabled, SSSD will use it if it
-                            detects that the server supports it during initial
-                            connection. So "True" here essentially means
-                            "auto-detect".
-                        </para>
-                        <para>
-                            Note: This feature is currently known to work only
-                            with Active Directory 2008 R1 and later. See
-                            <ulink url="http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx">
-                            MSDN(TM) documentation</ulink> for more details.
-                        </para>
-                        <para>
-                            Default: False
-                        </para>
-                    </listitem>
-                </varlistentry>
-
                 <varlistentry>
                     <term>ldap_use_tokengroups</term>
                     <listitem>

src/providers/ad/ad_opts.c

@@ -140,8 +140,6 @@ struct dp_option ad_def_ldap_opts[] = {
     { "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_idmap_helper_table_size", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
-    { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
-    { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE},
     { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },

src/providers/ipa/ipa_opts.c

@@ -152,8 +152,6 @@ struct dp_option ipa_def_ldap_opts[] = {
     { "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_idmap_helper_table_size", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
-    { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
-    { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE},
     { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },

src/providers/ldap/ldap_opts.c

@@ -113,8 +113,6 @@ struct dp_option default_basic_opts[] = {
     { "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_idmap_helper_table_size", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
-    { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
-    { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE},
     { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },

src/providers/ldap/sdap.h

@@ -227,8 +227,6 @@ enum sdap_basic_opt {
     SDAP_IDMAP_DEFAULT_DOMAIN,
     SDAP_IDMAP_DEFAULT_DOMAIN_SID,
     SDAP_IDMAP_EXTRA_SLICE_INIT,
-    SDAP_AD_MATCHING_RULE_GROUPS,
-    SDAP_AD_MATCHING_RULE_INITGROUPS,
     SDAP_AD_USE_TOKENGROUPS,
     SDAP_RFC2307_FALLBACK_TO_LOCAL_USERS,
     SDAP_DISABLE_RANGE_RETRIEVAL,

src/providers/ldap/sdap_async.c

@@ -847,7 +847,6 @@ struct sdap_get_rootdse_state {
 };
 
 static void sdap_get_rootdse_done(struct tevent_req *subreq);
-static void sdap_get_matching_rule_done(struct tevent_req *subreq);
 
 struct tevent_req *sdap_get_rootdse_send(TALLOC_CTX *memctx,
                                          struct tevent_context *ev,
@@ -899,8 +898,6 @@ struct tevent_req *sdap_get_rootdse_send(TALLOC_CTX *memctx,
 /* This is not a real attribute, it's just there to avoid
  * actually pulling real data down, to save bandwidth
  */
-#define SDAP_MATCHING_RULE_TEST_ATTR "sssmatchingruletest"
-
 static void sdap_get_rootdse_done(struct tevent_req *subreq)
 {
     struct tevent_req *req = tevent_req_callback_data(subreq,
@@ -910,8 +907,6 @@ static void sdap_get_rootdse_done(struct tevent_req *subreq)
     struct sysdb_attrs **results;
     size_t num_results;
     int ret;
-    const char *filter;
-    const char *attrs[] = { SDAP_MATCHING_RULE_TEST_ATTR, NULL };
 
     ret = sdap_get_generic_recv(subreq, state, &num_results, &results);
     talloc_zfree(subreq);
@@ -940,81 +935,14 @@ static void sdap_get_rootdse_done(struct tevent_req *subreq)
 
     DEBUG(SSSDBG_TRACE_INTERNAL, "Got rootdse\n");
 
-    /* Auto-detect the LDAP matching rule if requested */
-    if ((!dp_opt_get_bool(state->opts->basic,
-                          SDAP_AD_MATCHING_RULE_INITGROUPS))
-            && !dp_opt_get_bool(state->opts->basic,
-                                SDAP_AD_MATCHING_RULE_GROUPS)) {
-        /* This feature is disabled for both groups
-         * and initgroups. Skip the auto-detection
-         * lookup.
-         */
-        DEBUG(SSSDBG_TRACE_INTERNAL,
-              "Skipping auto-detection of match rule\n");
-        tevent_req_done(req);
-        return;
-    }
-
-    DEBUG(SSSDBG_TRACE_INTERNAL,
-          "Auto-detecting support for match rule\n");
-
-    /* Create a filter using the matching rule. It need not point
-     * at any valid data. We're only going to be looking for the
-     * error code.
-     */
-    filter = "("SDAP_MATCHING_RULE_TEST_ATTR":"
-             SDAP_MATCHING_RULE_IN_CHAIN":=)";
-
-    /* Perform a trivial query with the matching rule in play.
-     * If it returns success, we know it is available. If it
-     * returns EIO, we know it isn't.
+    /* This feature is disabled for both groups
+     * and initgroups. Skip the auto-detection
+     * lookup.
      */
-    subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
-                                   "", LDAP_SCOPE_BASE, filter, attrs, NULL,
-                                   0, dp_opt_get_int(state->opts->basic,
-                                                     SDAP_SEARCH_TIMEOUT),
-                                   false);
-    if (!subreq) {
-        tevent_req_error(req, ENOMEM);
-        return;
-    }
-    tevent_req_set_callback(subreq, sdap_get_matching_rule_done, req);
-}
-
-static void sdap_get_matching_rule_done(struct tevent_req *subreq)
-{
-    errno_t ret;
-    struct tevent_req *req = tevent_req_callback_data(subreq,
-                                                      struct tevent_req);
-    struct sdap_get_rootdse_state *state = tevent_req_data(req,
-                                             struct sdap_get_rootdse_state);
-    size_t num_results;
-    struct sysdb_attrs **results;
-
-    ret = sdap_get_generic_recv(subreq, state, &num_results, &results);
-    talloc_zfree(subreq);
-    if (ret == EOK) {
-        /* The search succeeded */
-        state->opts->support_matching_rule = true;
-    } else if (ret == EIO) {
-        /* The search failed. Disable support for
-         * matching rule lookups.
-         */
-        state->opts->support_matching_rule = false;
-    } else {
-        DEBUG(SSSDBG_MINOR_FAILURE,
-              "Unexpected error while testing for matching rule support\n");
-        tevent_req_error(req, ret);
-        return;
-    }
-
-    DEBUG(SSSDBG_CONF_SETTINGS,
-          "LDAP server %s the matching rule extension\n",
-          state->opts->support_matching_rule
-              ? "supports"
-              : "does not support");
-
+    DEBUG(SSSDBG_TRACE_INTERNAL,
+          "Skipping auto-detection of match rule\n");
     tevent_req_done(req);
+    return;
 }
 
 int sdap_get_rootdse_recv(struct tevent_req *req,

src/providers/ldap/sdap_async.h

@@ -367,21 +367,6 @@ sdap_get_ad_match_rule_members_recv(struct tevent_req *req,
                                     size_t *num_users,
                                     struct sysdb_attrs ***users);
 
-struct tevent_req *
-sdap_get_ad_match_rule_initgroups_send(TALLOC_CTX *mem_ctx,
-                                       struct tevent_context *ev,
-                                       struct sdap_options *opts,
-                                       struct sysdb_ctx *sysdb,
-                                       struct sss_domain_info *domain,
-                                       struct sdap_handle *sh,
-                                       const char *name,
-                                       const char *orig_dn,
-                                       int timeout);
-
-errno_t
-sdap_get_ad_match_rule_initgroups_recv(struct tevent_req *req);
-
-
 struct tevent_req *
 sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
                                     struct tevent_context *ev,