nss_ldap allows the specification of multiple search bases for users and groups. When multiple bases are used, the search is performed sequentially for each base (stopping if the requested entry is located).
The example use-case that is given is when an app has a hard-coded requirement that users belong to a particular group (e.g. 'oracle'). On different machines with different databases (and therefore different access-control requirements), there needs to be a way to produce a different membership set for the same group name.
The way this is handled classically is to have one branch in LDAP contain all of the common groups (those that do not vary from system to system) and to have other branches that correspond to machines or groups of machines that have specific requirements for a particular group.
The client would then be configured to have a search base for the common groups and secondary (and tertiary, etc.) search base for the specialized groups.
This is something we cannot handle properly right now. Ticket #859 was opened originally to try and get a workaround to behave better, but it is not the correct fix. The problem with that approach is that, while groups list all of the correct users, initgroups() requests on the users do not return all groups. If we handled multiple search bases, we'd have memberOf entries in the SYSDB that would properly handle this.
Moving back to NEEDS_TRIAGE to discuss re-prioritization.
milestone: SSSD Deferred => NEEDS_TRIAGE
rhbz: => 736150
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.7.0
priority: major => blocker
We need to make sure to match nss_ldap here.
nss_base_<map> <basedn?scope?filter>
Specify the search base, scope and filter to be used for specific maps. (Note that map forms part of the configuration file keyword and is one of passwd, shadow, group, hosts, services, networks, protocols, rpc, ethers, netmasks, bootparams, aliases and netgroup.) The syntax of basedn and scope are the same as for the configuration file options of the same name, with the addition of being able to omit the trailing suffix of the base DN (in which case the global base DN will be appended instead). The filter is a search filter to be added to the default search filter for a specific map, such that the effective filter is the logical intersection of the two. The base DN, scope and filter are separated with literal question marks (?) as given above; this is for compatibility with the DUA configuration profile schema and the ldapprofile tool. This option may be specified multiple times.
So not only do we need to support multiple bases, we need to support independent scope and search filters for each base.
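The semantics quoted above (per-base scope and filter, suffix completion, first match wins across bases), worked through for the 'oracle' group use case as an added example; this is not SSSD or nss_ldap code. It assumes a base DN ending in a comma marks the omitted suffix, and all DNs, member names and the extra filter are constructed.

```python
from typing import NamedTuple, Optional

class SearchBase(NamedTuple):
    base: str
    scope: str
    filter: Optional[str]

def parse_nss_base(value, global_base, default_scope="sub"):
    """Split 'basedn?scope?filter'; scope and filter may be omitted."""
    parts = value.split("?", 2) + ["", ""]
    base, scope, flt = (p.strip() for p in parts[:3])
    if base.endswith(","):  # assumption: trailing comma = omitted suffix
        base += global_base
    scope = scope or default_scope
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"bad scope {scope!r} in {value!r}")
    return SearchBase(base, scope, flt or None)

def effective_filter(default, sb):
    """AND the map's default filter with the per-base filter, if any."""
    return f"(&{default}{sb.filter})" if sb.filter else default

def in_scope(dn, sb):
    """True if dn is covered by sb (case-insensitive, no DN escaping)."""
    dn, base = dn.lower(), sb.base.lower()
    if dn == base:
        return sb.scope in ("base", "sub")
    if sb.scope == "base" or not dn.endswith("," + base):
        return False
    return sb.scope == "sub" or "," not in dn[: -len(base) - 1]

def lookup_group(name, bases, directory):
    """Try each base in configured order; stop at the first entry found.
    The dict stands in for LDAP, so filters are composed but not evaluated."""
    for sb in bases:
        for dn, members in directory.items():
            if dn.lower().startswith(f"cn={name.lower()},") and in_scope(dn, sb):
                return dn, members
    return None

# Constructed sample data: one common branch, one branch per database host.
GLOBAL_BASE = "dc=example,dc=com"
DIRECTORY = {
    "cn=wheel,ou=Groups,dc=example,dc=com": ["carol"],
    "cn=oracle,ou=db1,ou=HostGroups,dc=example,dc=com": ["alice"],
    "cn=oracle,ou=db2,ou=HostGroups,dc=example,dc=com": ["bob"],
}
DB1 = [parse_nss_base(v, GLOBAL_BASE) for v in
       ("ou=Groups,?one", "ou=db1,ou=HostGroups,?one?(gidNumber>=1000)")]
DB2 = [parse_nss_base(v, GLOBAL_BASE) for v in
       ("ou=Groups,?one", "ou=db2,ou=HostGroups,?one")]
```

The same group name resolves to a different membership set depending on which secondary base the client is configured with, which is the per-machine access-control behaviour the ticket asks for.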
Discussion of how to support this feature is occurring on the sssd-devel mailing list. Archives are available starting here: https://fedorahosted.org/pipermail/sssd-devel/2011-September/006930.html
status: new => assigned
patch: 0 => 1
summary: SSSD should support multiple search bases => [RFE] SSSD should support multiple search bases
Fixed by:
- bbb878fd1bfb49120a0b4fee25eb1ec4de7365e1 - 4d4c5aa6285aa055a4ec780ba47c180106f0926b - 82962098e3848ed039a57522d74fc500bc6df8ad - 09b663e6dfd2ed09cead04f926d3e99e9ac01894 - a0e406e5219068aec1a531e2b09ee30309b266cf - fd94a375467ade9233e34513863571fc51fec2ed - 86e00b950eae9884702ad535e3030b238ec451e3 - 14742d2cf50774ffd94b37a398238e4ce0e4a740 - 38e1ee5d65ade946f1322efa96f69c05e041c57f - 9fcfe80902655f495b7258218fc8114aa5d2c023 - 74a7d5805499a95a868ab4f43f77d34ccf9854a3 - 357efd33759fd1297723d9956a7f77226fe26871 - f26b61dfe246c750a42f1f9fb28f9df5981bc841 - 1bbd4c57fc31cec302244725e698413623818d19
resolution: => fixed
status: assigned => closed
rhbz: 736150 => 736150 (https://bugzilla.redhat.com/show_bug.cgi?id=736150)
(In #647) This ticket was obsoleted by #868
blockedby: => 647
Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue marked as depending on: #647
- Issue set to the milestone: SSSD 1.7.0
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: https://github.com/SSSD/sssd/issues/1910
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.