Nested groups are not unrolled during the first enumeration, causing authentication of the users in nested groups to fail; however, authentication succeeds after the second enumeration.
sssd-1.5.0-2.el6.x86_64
Always
DS setup:
1. Server setup: (make sure all users have primary group defined)
   - SimpleGroup1 => simpleUserA simpleUserB simpleGroup3
   - SimpleGroup2 => simpleUserC simpleUserD
   - SimpleGroup3 => simpleUserE
2. Configure SSSD with "enumerate = true". See additional info for relevant configuration.
3. Restart sssd clearing cache.
4. Try authenticating with simpleuserE (which is a memberOf simplegroup3 which is a memberOf simplegroup1)
Authentication fails initially and succeeds after the second enumeration.
Authentication should succeed after the first enumeration.
Relevant sssd configuration:
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://rhdsserver.example.com:636
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
ldap_schema = rfc2307bis

cache_credentials = true
enumerate = true
debug_level = 9

access_provider = simple
simple_allow_groups = simplegroup1
Currently our enumeration logic makes two passes: In the first pass, it creates all of the users in the cache. In the second pass, it creates all of the groups.
We need to split the second pass into a second and third pass, so that we have:
- Pass 1: Create users
- Pass 2: Create empty groups
- Pass 3: Populate group members
The reason some nested groups were not unrolled is that the order of their creation would matter. If they weren't already in the sysdb when another group wanted to add them as a member, they would be overlooked.
Originally reported as https://bugzilla.redhat.com/show_bug.cgi?id=670804
cc: => gsr
status: new => assigned
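The ordering problem described in the comment above, as an added Python model (not SSSD's code and not part of the original ticket). The dict-based cache, the function names, and the assumption that the server returns groups in the order listed in the DS setup are hypothetical; group and user names are normalised to one casing.

```python
# Constructed directory data mirroring the ticket's DS setup (rfc2307bis nesting).
# Assumption: the server returns the groups in this order.
LDAP_USERS = ["simpleUserA", "simpleUserB", "simpleUserC", "simpleUserD", "simpleUserE"]
LDAP_GROUPS = {
    "SimpleGroup1": ["simpleUserA", "simpleUserB", "SimpleGroup3"],
    "SimpleGroup2": ["simpleUserC", "simpleUserD"],
    "SimpleGroup3": ["simpleUserE"],
}


def new_cache():
    """Toy stand-in for the sysdb cache: known users and group -> cached members."""
    return {"users": set(), "groups": {}}


def add_members(cache, group, members):
    """Link only members already in the cache; unknown entries are overlooked."""
    known = cache["users"] | set(cache["groups"])
    cache["groups"][group].update(m for m in members if m in known)


def enumerate_two_pass(cache):
    """Behaviour described in the ticket: groups are created and filled in one pass."""
    cache["users"].update(LDAP_USERS)              # pass 1: users
    for group, members in LDAP_GROUPS.items():     # pass 2: create + populate
        cache["groups"].setdefault(group, set())
        add_members(cache, group, members)


def enumerate_three_pass(cache):
    """Proposed ordering: every group exists before any membership is linked."""
    cache["users"].update(LDAP_USERS)              # pass 1: users
    for group in LDAP_GROUPS:                      # pass 2: empty groups
        cache["groups"].setdefault(group, set())
    for group, members in LDAP_GROUPS.items():     # pass 3: populate members
        add_members(cache, group, members)


def is_allowed(cache, user, allowed_group):
    """simple_allow_groups-style check: is user a direct or nested member?"""
    seen, stack = set(), [allowed_group]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        members = cache["groups"].get(group, set())
        if user in members:
            return True
        stack.extend(m for m in members if m in cache["groups"])
    return False
```

Running `enumerate_two_pass` once on a fresh cache leaves simpleUserE outside SimpleGroup1, a second run on the same cache links SimpleGroup3 and the check passes, and `enumerate_three_pass` gets the nested membership right on the first run.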
Fixed by c3a2e4a
cc: gsr =>
resolution: => fixed
status: assigned => closed
tests: 0 => 1
Fields changed
rhbz: => 0
Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.5.1
SSSD is moving from Pagure to GitHub. This means that new issues and pull requests will be accepted only in SSSD's GitHub repository.
This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/1821
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.