[sudo-workers] Support for SSSD as a data source

Pavel Březina pbrezina at redhat.com
Fri Aug 10 06:14:01 EDT 2012

I'm one of the developers of SSSD [1]. I've been working with Daniel
Kopeček on integrating sudo with SSSD for the past several months and now
it's in a form that is ready for deployment. It is already a part of
Fedora 17, and the current enhanced version will be part of Fedora 18
and RHEL 6.4. We would like to bring our patches to upstream sudo as
well so more distributions can easily benefit from this feature.

I'm sending the patches as an attachment.

It adds a new nsswitch.conf data source called "sss", which, when
present, enables SSSD support, which works pretty much the same way the
"ldap" source does.

Originally, we wanted to create our own plugin via the plugin API you
have introduced in sudo 1.8. Unfortunately, we didn't find a reasonable
way to reuse the evaluation logic from the sudoers plugin.

Thus we chose to add our own data source to the sudoers plugin
and linked directly between sudo and the SSSD. However, that added a
direct dependency between sudo and SSSD, which raises the maintenance
costs significantly. So we modified it to avoid linking against our
library and use dlopen() instead. We know that this is a very hackish
solution, but it was the best we could do without touching a huge part
of the sudo source code.

We kindly ask you to consider making these patches a part of sudo
upstream. We are ready to discuss any objections and eventually help
you with suggested modifications.

Pavel Březina.

[1] https://fedorahosted.org/sssd
