#5855 method get_primary_key_from_dn does not work for netgroups properly
Closed: Fixed None Opened 7 years ago by mbasti.

Method get_primary_key_from_dn always does LDAPSRCH for the primary key even if the DN contains a primary key for netgroups. This is caused by setting rdn_attribute of netgroups to 'ipauniqueid', but the primary key is CN and the DN contains only the CN attribute, not 'ipauniqueid'.

This causes unwanted searches to get CN even if DN already contains CN, see example:

[27/Apr/2016:14:46:47 +0200] conn=28 op=104 SRCH base="cn=hostgroup9,cn=ng,cn=alt,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="cn"

I'm not sure what is wrong here, whether it is the implementation of the method or the netgroup IPA plugin. But IMO netgroups should not have rdn_attribute set if the primary key is present in the DN.


Two remarks:

  • cn is multivalued. So it can be useless to search entries with 'cn' rdn but it depends if the CLI requires all the 'cn' values.

  • regarding the performance, lookup of 'cn' entries is a partial contributor of all searches (65000) done by a 'host-find'. Below is the number of searches (first column) and the related base search DN.


Replying to [comment:1 tbordaz]:

Two remarks:

  • cn is multivalued. So it can be useless to search entries with 'cn' rdn but it depends if the CLI requires all the 'cn' values.

API requires 'cn' as primary key for netgroups, so there should be only one 'cn' value; AFAIK IPA doesn't allow multivalued primary keys.

  • regarding the performance, lookup of 'cn' entries is a partial contributor of all searches (65000) done by a 'host-find'. Below is the number of searches (first column) and the related base search DN.

{{{
399 cn=hostgroup42,cn=ng,cn=alt,SUFFIX
399 cn=hostgroup45,cn=ng,cn=alt,SUFFIX
399 cn=hostgroup47,cn=ng,cn=alt,SUFFIX
399 cn=hostgroup48,cn=ng,cn=alt,SUFFIX

... SNIP ....

800 ipaUniqueID=fa481b02-0247-11e6-9dce-001a4a2313e9,cn=sudorules,cn=sudo,SUFFIX
800 ipaUniqueID=ffa6aa12-0249-11e6-9dce-001a4a2313e9,cn=sudorules,cn=sudo,SUFFIX

}}}

Searches of hostgroups are part of this bug, because they are actually unneeded: the primary key ('cn' attribute) is located in the DN, thus there should not be an additional search.

Searches for sudorules and hbac rules are actually needed, because the DN contains 'ipauniqueid' but the primary key is 'cn', thus we need to do an ldapsearch for the 'cn' attribute. This can be solved by caching, but it is a different issue not related to this bug.

Note that we may have a corner case with conflict entries. If the same hostgroup DN (e.g. cn=hostgroup42,cn=ng,cn=alt,SUFFIX) is added on separate instances, one of the hostgroups will be renamed 'nsuniqueid=xxxx+cn=hostgroup42,cn=ng,cn=alt,SUFFIX'.

Both entries can be identical or completely different groups, the point is that they were created with the same name.

In the case of a conflict entry, it will be more difficult to find the primary_key in the RDN, and it may be worth doing a search to be sure of the primary_key.

The behavior described in the description - "cn being present in dn" - is true only for netgroups created automatically from hostgroups. But if you create a new netgroup using netgroup-add, then its dn is e.g. ipaUniqueID=7af0d450-0fc3-11e6-9e09-001a4a2314ab,cn=ng,cn=alt,$SUFFIX and then the behavior is correct.

per triage: get_primary_key_from_dn should be overridden in netgroup plugin to handle it

4.4.0 was released, moving open tickets to 4.4.1

master:

  • 003b364 netgroup: avoid extraneous LDAP search when retrieving primary key from DN

ipa-4-4:

  • 85b9805 netgroup: avoid extraneous LDAP search when retrieving primary key from DN
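
One way to measure the lookups discussed in this ticket from the directory server access log, as an added example that is not FreeIPA code: it classifies base-scope single-attribute searches as redundant (the requested attribute is already in the leading RDN), needed (it is not, as for ipaUniqueID-named rules), or conflict-entry (multi-valued `nsuniqueid+cn` RDN). The function names, verdict labels, the simplified DN splitting and all sample records except the first are assumptions made here.

```python
import re
from collections import Counter

# SRCH record of a 389-ds access log, shaped like the line quoted in the ticket.
SRCH_RE = re.compile(r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) '
                     r'filter="[^"]*" attrs="(?P<attrs>[^"]*)"')
SUFFIX = "dc=example,dc=com"

def _srch(op, base, scope=0):
    """Build a constructed SRCH record in the ticket's log format."""
    return (f'[27/Apr/2016:14:46:47 +0200] conn=28 op={op} SRCH base="{base}" '
            f'scope={scope} filter="(objectClass=*)" attrs="cn"')

# Constructed sample; only the first record matches the line in the ticket.
SAMPLE = [
    _srch(104, f"cn=hostgroup9,cn=ng,cn=alt,{SUFFIX}"),
    _srch(105, f"cn=hostgroup9,cn=ng,cn=alt,{SUFFIX}"),
    _srch(106, f"ipaUniqueID=00000000-0000-0000-0000-000000000001,cn=hbac,{SUFFIX}"),
    _srch(107, f"nsuniqueid=xxxx+cn=hostgroup42,cn=ng,cn=alt,{SUFFIX}"),
    _srch(108, f"cn=ng,cn=alt,{SUFFIX}", scope=2),
    '[27/Apr/2016:14:46:47 +0200] conn=28 op=108 RESULT err=0 tag=101 nentries=1',
]

def leading_rdn(dn):
    """First RDN as {attr: value}; simplified split on unescaped ',' and '+'."""
    rdn = re.split(r'(?<!\\),', dn, maxsplit=1)[0]
    pairs = (ava.partition('=') for ava in re.split(r'(?<!\\)\+', rdn))
    return {attr.strip().lower(): value.strip() for attr, _, value in pairs}

def classify(line):
    """Return (base, verdict) for a SRCH record, None for any other record."""
    m = SRCH_RE.search(line)
    if m is None:
        return None
    attrs, rdn = m['attrs'].lower().split(), leading_rdn(m['base'])
    if m['scope'] != '0' or len(attrs) != 1:
        verdict = 'other'            # not a single-attribute base lookup
    elif 'nsuniqueid' in rdn and len(rdn) > 1:
        verdict = 'conflict-entry'   # replication conflict: RDN is ambiguous
    elif attrs[0] in rdn:
        verdict = 'redundant'        # requested value is already in the DN
    else:
        verdict = 'needed'           # e.g. 'cn' of an ipaUniqueID-named entry
    return m['base'], verdict

def summarize(lines):
    """Count searches per (verdict, base DN), like the per-DN totals above."""
    hits = (classify(line) for line in lines)
    return Counter((verdict, base) for base, verdict in filter(None, hits))

if __name__ == "__main__":
    for (verdict, base), n in sorted(summarize(SAMPLE).items()):
        print(f"{n:5d} {verdict:15s} {base}")
```
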

Metadata Update from @mbasti:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.4.2

7 years ago
