#4534 SSSD deref processing fail when entryusn can be read and objectclass doesn't
Closed: Fixed None Opened 9 years ago by mkosek.

This is a follow-up to changes done in #4521. FreeIPA server now allows entryusn and modifytimestamp by default for all entries. However, as tracked in RHEL downstream Bugzilla, older SSSD clients break because when they do a deref call for authenticating user, they get entryusn, but not the objectclass attribute.

It would make sense for FreeIPA to either show objectclass, entryusn and modifytimestamp for all entries or for none of them. Without this change, all unpatched SSSD clients will not be able to talk to FreeIPA 4.0.x server (or its replicas).


This is blocking Fedora 21, it needs to be fixed in 4.0.x.

master:

  • 6ce44c4 permission plugin: Auto-add operational attributes to read permissions
  • 4fac4f4 Allow deleting obsolete permissions; remove operational attribute permissions

ipa-4-1:

  • 477942b permission plugin: Auto-add operational attributes to read permissions
  • a0e23ce Allow deleting obsolete permissions; remove operational attribute permissions

ipa-4-0:

  • e3e0323 permission plugin: Auto-add operational attributes to read permissions
  • f47da6a Allow deleting obsolete permissions; remove operational attribute permissions

Metadata Update from @mkosek:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 4.0.3

7 years ago
