slapi-nis: resolve IPA groups with fully qualified suffix
With SSSD 1.14+ there is a logic change to handling of a default domain
suffix.
SSSD has two different formats to handle: the input and output. The
input format is parsed into (name,domain) tuples with the re_expression
option and the output is formatted with the full_name_format option.
Because of the way SSSD used to store the usernames in sysdb, it was
tied to the full_name_format option, just changing the output format
changed the way the names are stored internally. SSSD changed the cache
to always store names in a unified format (foo@bar) and use the
full_name_format only for output, as it should be.
This changed a logic of use_fully_qualified_names=True. It now mandates
that the /input/ contains both the name and the domain part and then
SSSD formats the output using the full_name_format option. The
default_domain_suffix is a hack that just appends its value to an
unqualified input, making all queries for "foo" into "foo@bar".
In new SSSD if configuration contains:
default_domain_suffix = win.domain
full_name_format = $1 # only name
then a request for "foo" will internally turn into "foo@win.domain" but
return "foo" on the output. However, queries for IPA's foo will have to
be qualified by the admin manually like "foo@ipa.domain" otherwise sssd
doesn't know which foo you meant.
Support this logic by querying associatedDomain attribute of the
restricted bases of the data set. IPA stores this information in the
$SUFFIX base dn (dc=example,dc=com) and configures slapi-nis with
restricted base set to $SUFFIX (and the plugin config). While
associatedDomain attribute is multivalued, the $SUFFIX object always has
a single value corresponding to the IPA domain name that is the same as
SSSD domain suffix.