#769 LDAP provider and dynlist overlay
Closed: Invalid None Opened 13 years ago by dserre.

When using OpenLDAP with the dynlist overlay, the result of getent group somegroup is not stable: members disappear even if no change has been made in the LDAP database.
The id command returns an erroneous group membership for members that are missing in somegroup.

An ldapsearch gives the correct list of members, and ldapcompare is always TRUE on the missing members.

The daemon must be restarted to get the correct list of group members back.

sssd configuration:

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://localhost
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
cache_credentials = true
enumerate = true

ldap overlay configuration:

dn: olcOverlay={0}dynlist
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: {0}dynlist
olcDlAttrSet: {0}groupOfURLs memberURL member
structuralObjectClass: olcDynamicList

There are numerous problems with enumerate=true that we are currently investigating (among them is that it is far too slow, so you may just be missing the entries).

Can you disable enumeration and tell me if you have issues with any direct lookups?

On the other hand, can you tell me if you have reason to believe that this problem is specific to dynlist usage?

Fields changed

component: SSSD => LDAP Provider

Replying to [comment:2 sgallagh]:

I disabled enumeration and the problem is still there, and it has worsened, as restarting the daemon does not restore an accurate member list for these groups.

I believe that the problem is specific to dynlist usage because a copy of the same group with a static group member list always gives the same accurate results when issuing getent group <static group> or id <member uid>.

When using a group defined as a dynamic group with the dynlist overlay, the member list changes (some members disappear), and this group membership also disappears from the group list in the output of id <member uid> for those members.

At the same time, ldapsearch gives the correct list of members, and ldapcompare is always TRUE on the missing members.

upgrade: => 0

Could you please provide some additional information? Ideally the output of ldapsearch compared with SSSD's would be helpful.

Also, SSSD debug logs at level 6 or higher would be useful to see if we're getting errors.
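An added diagnostic (not from this ticket or from the SSSD project) that does the comparison asked for above: it takes saved ldapsearch LDIF and getent group output and lists the members LDAP reports but SSSD dropped. It assumes rfc2307bis member DNs with a uid= RDN, as in the configuration above, and runs here on constructed sample output.

```shell
#!/bin/sh
# Compare the member list the LDAP server returns (ldapsearch LDIF) with
# what SSSD answers via getent group, and report members SSSD dropped.
# Both inputs are passed as text so the check can run on saved output.

# Member uids from "member: uid=<name>,..." LDIF lines (assumes uid= RDNs).
ldap_members() {
    printf '%s\n' "$1" | sed -n 's/^member: *uid=\([^,]*\),.*/\1/p' | sort -u
}

# Member uids from a "name:passwd:gid:m1,m2,..." getent group line.
sssd_members() {
    printf '%s\n' "$1" | awk -F: '{print $4}' | tr ',' '\n' | sed '/^$/d' | sort -u
}

# Members present in LDAP but absent from SSSD's answer, one per line.
missing_members() {
    sssd=$(sssd_members "$2" | tr '\n' ' ')
    for m in $(ldap_members "$1"); do
        case " $sssd " in
            *" $m "*) ;;                  # SSSD still knows this member
            *) printf '%s\n' "$m" ;;      # LDAP has it, SSSD lost it
        esac
    done
}

# Constructed sample data: a dynlist group with three members in LDAP ...
SAMPLE_LDIF='dn: cn=somegroup,ou=Groups,dc=example,dc=com
cn: somegroup
objectClass: groupOfURLs
memberURL: ldap:///ou=People,dc=example,dc=com??one?(departmentNumber=42)
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com
member: uid=carol,ou=People,dc=example,dc=com'
# ... while SSSD's cached view of the same group has silently lost carol.
SAMPLE_GETENT='somegroup:*:10000:alice,bob'

echo "Members LDAP returns but SSSD omits:"
missing_members "$SAMPLE_LDIF" "$SAMPLE_GETENT"
```

On a live system, feed it "$(ldapsearch -LLL -b 'cn=somegroup,ou=Groups,dc=example,dc=com' member)" and "$(getent group somegroup)" instead of the samples.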

Fields changed

owner: somebody => sbose

Needs more investigation down the road...

milestone: NEEDS_TRIAGE => SSSD 1.6.0

Fields changed

milestone: SSSD 1.6.0 => SSSD 1.7.0

Fields changed

milestone: SSSD 1.8.0 => SSSD 1.7.0
patch: => 0

Fields changed

owner: sbose => jhrozek

We need more information about what is going on there. Deferring for now as other issues have higher priority.

milestone: SSSD 1.7.0 => SSSD Deferred
rhbz: =>

Fields changed

rhbz: => 0

Fields changed

blockedby: =>
blocking: =>
changelog: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: => 0
review: => 1
selected: =>
sensitive: => 0

Since this issue is over 5 years old, I would suggest just closing it. If anyone is experiencing this bug, please reopen the ticket.

Fields changed

resolution: => worksforme
status: new => closed

Metadata Update from @dserre:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD Patches welcome

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1811

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
