51ca387 baseldap: allow rejecting unknown objects instead of adding to an external attr

1 file changed. Authored by abbra 3 years ago, committed by rcritten 3 years ago.
    baseldap: allow rejecting unknown objects instead of adding to an external attr
    
    IPA has traditionally allowed adding names not found in IPA LDAP to external
    attributes. This is used to allow, for example, a local system user or
    group to be present in a SUDO rule.
    
    With the membership validator, we can actually check the validity of the names
    against both IPA users/groups and users/groups from trusted domains.
    If in the future we decide to reject a local system's objects, then all it
    would take is to switch reject_failures to True.
    
    Fixes: https://pagure.io/freeipa/issue/3226
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
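The behaviour the commit message describes, as an added illustration that is not FreeIPA's own code: a minimal membership validator resolves each name against IPA users and trusted-domain users, keeps unresolved names in the external attribute by default, and refuses the whole request when `reject_failures` is True. The class and function names, the in-memory user sets and the sample names are all constructed assumptions.

```python
# Added example, not FreeIPA code. Models the reject_failures switch from the
# commit message with an in-memory stand-in for IPA LDAP and a trusted domain.
from dataclasses import dataclass, field
from typing import Iterable, Optional

IPA_USERS = {"alice", "bob"}           # constructed: users present in IPA LDAP
TRUSTED_USERS = {"carol@ad.example"}   # constructed: users from a trusted AD domain


class UnknownMemberError(ValueError):
    """Raised when reject_failures is True and a name cannot be resolved."""


@dataclass
class SudoRule:
    name: str
    member_user: set = field(default_factory=set)    # resolved IPA users
    external_user: set = field(default_factory=set)  # names kept as external


def validate_member(name: str) -> Optional[str]:
    """Return 'ipa' or 'trusted' when the name resolves, None when it does not."""
    if name in IPA_USERS:
        return "ipa"
    if name in TRUSTED_USERS:
        return "trusted"
    return None


def add_members(rule: SudoRule, names: Iterable[str],
                reject_failures: bool = False) -> dict:
    """Add names to a rule. IPA users become real members; trusted-domain
    users are validated but stored externally (assumption of this example);
    unknown names go to the external attribute unless reject_failures is set,
    in which case nothing is changed and the request is refused."""
    member, external, unknown = [], [], []
    for n in names:
        kind = validate_member(n)
        if kind == "ipa":
            member.append(n)
        elif kind == "trusted":
            external.append(n)
        else:
            unknown.append(n)
    if unknown and reject_failures:
        raise UnknownMemberError(f"unknown members: {sorted(unknown)}")
    rule.member_user.update(member)
    rule.external_user.update(external + unknown)
    return {"member": sorted(member), "external": sorted(external + unknown)}
```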