baseldap: allow rejecting unknown objects instead of adding to an external attr

IPA traditionally allowed adding names not found in IPA LDAP to external
attributes. This is used to allow, for example, a local system user or
group to be present in a SUDO rule.

With the membership validator, we can actually check the validity of the names
against both IPA users/groups and users/groups from trusted domains.
If in the future we decide to reject a local system's objects, then all it
would take is to switch reject_failures to True.

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Author: Alexander Bokovoy
Date: 2021-01-25 20:35:51 +02:00
Committed by: Rob Crittenden
parent c91a1a078a
commit 08d7209828


@@ -436,7 +436,7 @@ def pre_callback_process_external_objects(member_attr, object_desc,
def add_external_post_callback(ldap, dn, entry_attrs, failed, completed,
memberattr, membertype, externalattr,
normalize=True):
normalize=True, reject_failures=False):
"""
Takes the following arguments:
failed - the list of failed entries, these are candidates for possible
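Review bot: the new reject_failures parameter in the add_external_post_callback signature is not documented in the docstring that begins "Takes the following arguments:" (this hunk keeps the docstring unchanged). Add an entry next to the existing "failed -" line, e.g. "reject_failures - if True, names that neither the IPA lookup nor the pre-callback validation accepted are reported as failures instead of being stored in externalattr (default False)", so callers can see that the default keeps the old permissive behaviour.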
@@ -477,8 +477,10 @@ def add_external_post_callback(ldap, dn, entry_attrs, failed, completed,
member_dn not in members):
# Not an IPA entry, only add if it has been marked
# as an external entry during the pre-callback validation
if not entry[1].startswith(EXTERNAL_OBJ_PREFIX):
# Really a failure
# or if we are not asked to reject failures
if (reject_failures and not entry[1].startswith(
EXTERNAL_OBJ_PREFIX)):
failed_entries.append(membername)
continue
if normalize:
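Review bot: with reject_failures defaulting to False, the condition "if (reject_failures and not entry[1].startswith(EXTERNAL_OBJ_PREFIX))" is never true by default, so a non-IPA entry that the pre-callback did not mark with EXTERNAL_OBJ_PREFIX now falls through to the "if normalize:" path and is added to the external attribute rather than appended to failed_entries. That contradicts the comment two lines above ("only add if it has been marked as an external entry during the pre-callback validation"), which should be reworded to say that unmarked entries are only rejected when reject_failures is set. The split comment "# Really a failure" / "# or if we are not asked to reject failures" also reads as two separate statements; merging it into one line such as "# Really a failure, unless we were not asked to reject failures" would make the intent clear. A unit test covering both reject_failures=True and the default would pin down the behaviour this commit intends.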