#2013 Netgroups should ignore the 'use_fully_qualified_names' setting
Closed: Fixed None Opened 10 years ago by sgallagh.

Netgroups are a special case when processing. They are capable of containing nested netgroup names in their LDAP objects which have to be returned as-is to libc so that they can also be looked up. What complicates this situation is that netgroups are allowed to contain netgroups from other providers (e.g. a netgroup stored in LDAP may include a netgroup that's stored on the local system in /etc/netgroups).

When a domain has {{{use_fully_qualified_names = True}}}, all lookups that do not contain an SSSD domain name component will skip over that domain while searching for the entry. So the net effect is that if we have an LDAP netgroup named {{{parent}}} that contains another LDAP netgroup named {{{child}}} in a fully-qualified SSSD domain, then doing a lookup of {{{parent@DOMAIN}}} will end up missing the contents of {{{child}}}. This will also result in increased LDAP load, since {{{child}}} will always be missing from the cache.

My recommendation should be that we alter the lookup logic for netgroups (and only netgroups) so that fully-qualified domains are not skipped over when looking up unqualified netgroup names.
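
Added example, not part of the original ticket and not SSSD code: a simplified Python model of the domain-skipping behaviour described above, showing how resolving `parent@DOMAIN` loses the contents of `child`, and how it resolves when unqualified netgroup names are no longer skipped. The `Domain` class, the function names and the `ignore_fqn_for_netgroups` switch are hypothetical, and the netgroup data is constructed.

```python
# Simplified model of the lookup behaviour described in this ticket.
# All names here are hypothetical; this is not SSSD code.
from dataclasses import dataclass, field

@dataclass
class Domain:
    name: str
    use_fully_qualified_names: bool
    # netgroup name -> (host triples, nested netgroup names as stored in LDAP)
    netgroups: dict = field(default_factory=dict)

def find_netgroup(domains, name, ignore_fqn_for_netgroups):
    """Return (domain, entry) for a netgroup name, or None if no domain answers."""
    short, _, dom = name.partition("@")
    for d in domains:
        if dom:
            if d.name != dom:
                continue          # qualified lookup: only the named domain
        elif d.use_fully_qualified_names and not ignore_fqn_for_netgroups:
            continue              # unqualified lookup skips fully-qualified domains
        if short in d.netgroups:
            return d, d.netgroups[short]
    return None

def expand(domains, name, ignore_fqn_for_netgroups, seen=None, missing=None):
    """Resolve a netgroup; nested names are looked up exactly as returned."""
    seen = set() if seen is None else seen
    missing = [] if missing is None else missing
    if name in seen:              # guard against netgroup cycles
        return set(), missing
    seen.add(name)
    hit = find_netgroup(domains, name, ignore_fqn_for_netgroups)
    if hit is None:
        missing.append(name)      # per the ticket, this miss recurs on every lookup
        return set(), missing
    triples, nested = hit[1]
    result = set(triples)
    for child in nested:          # nested names come back unqualified
        result |= expand(domains, child, ignore_fqn_for_netgroups, seen, missing)[0]
    return result, missing

# Constructed sample data: one LDAP-backed domain requiring qualified names.
DOMAINS = [Domain("DOMAIN", True, {
    "parent": ([("hostA", "-", "-")], ["child"]),
    "child": ([("hostB", "-", "-")], []),
})]

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, expand(DOMAINS, "parent@DOMAIN", flag))
```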


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10.1

Fields changed

owner: somebody => sgallagh
patch: 0 => 1

Moving tickets that didn't make 1.10.1 to the 1.10.2 bucket.

Moving tickets that didn't make 1.10.1 to 1.10.2

milestone: SSSD 1.10.1 => SSSD 1.10.2

resolution: => fixed
status: new => closed

Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.10.2

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3055

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
