Ticket #926 (closed defect: fixed)

Opened 3 years ago

Last modified 2 years ago

Multi-value names for users - Does not work anymore

Reported by: slydini Owned by: jhrozek
Priority: blocker Milestone: SSSD 1.5.14
Component: LDAP Provider Version: 1.5.7
Keywords: Cc:
Blocked By: Blocking:
Tests Updated: no Coverity Bug:
Patch Submitted: yes Red Hat Bugzilla: 733382, 738629, 738621
Design link:
Feature Milestone:
Design review: Fedora test page:
Chosen: Candidate to push out:
Release Notes:

Description

Hello,

We have a big problem with sssd from version 1.5.x (RHEL 6.1 & Fedora 15) and not with version 1.2.1 (RHEL 6.0). We can no longer use sssd (1.5.x) with our LDAP directory; it does not work.

This is due to an addition, see the mail from Stephen Gallagher:

http://www.mail-archive.com/sssd-devel@lists.fedorahosted.org/msg05524.html (Patch 0003)

When searching the primary name of a username, it works well for a DN based on the style:

dn: uid=barras, ou=users, o=epfl, c=ch

but the DN for our organization is:

dn: cn=Benjamin Barras,ou=dit-sb,ou=p-dit,ou=p,o=epfl,c=ch

and as the attribute "uid" is multi-valued:

uid: barras
uid: barras@dit-sb (this one is just for administrative reasons)

this version of sssd wants to find a primary name. As our RDN uses the attribute "cn", it does not match (see log), but in fact we don't want to use a primary name, only the uid that we give (in this case uid=barras).

We have approximately 12000 entries in our LDAP directory and it has worked for many years.

Actually, we have modified our system configurations to not use SSSD but nss-pam-pam_ldap and ldapd, which have worked well for many years.

Best regards, Benjamin Barras

Attachments

ldap-epfl.log (6.3 KB) - added by slydini 3 years ago.
/var/log/sssd/sssd_default.log

Change History

Changed 3 years ago by slydini

/var/log/sssd/sssd_default.log

comment:1 Changed 3 years ago by jhrozek

The "uid" attribute that holds the user name is multivalued, so SSSD needs some mechanism to pick the right value. Currently, we try to match the "uid" value (or whatever else holds the user name) against the RDN to choose the right name. In your case, that doesn't hold as the RDN contains a different attribute.

We can't just pick the first value as some other software does, because there is no guarantee on the order of attributes returned from LDAP (although in practice the attributes /tend/ to be returned in the same order as they are stored).

I would actually suggest treating this directory configuration as not supportable.

*If* we want to support this configuration, we could reuse a similar hack as Samba did at one point and deterministically pick something like "alphabetically smallest" -- see smbldap_talloc_smallest_attribute() in the Samba tree. This would still be a gross hack, but at least we wouldn't get different names for the same user.
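
The selection logic described in this comment (match the multi-valued name attribute against the RDN, and fall back to a deterministic choice when the RDN holds a different attribute such as "cn"), shown as an added Python illustration that is not SSSD's code; the function names, the simplified RDN parser and the two fallback modes ("first", the scope of this ticket, and "smallest", the Samba-style hack) are assumptions, and the DNs are the two from the report:

```python
import re


def parse_rdn(dn):
    """Return (attribute, value) of the leftmost RDN of a DN string.
    Backslash-escaped commas inside the value are honoured; multi-valued
    RDNs (a=x+b=y) are out of scope for this illustration."""
    m = re.search(r'(?<!\\),', dn)          # first unescaped comma
    rdn = dn if m is None else dn[:m.start()]
    attr, sep, value = rdn.partition('=')
    if not sep:
        raise ValueError("malformed RDN: %r" % rdn)
    return attr.strip().lower(), value.strip().replace('\\,', ',')


def pick_primary_name(dn, name_attr, values, fallback="first"):
    """Choose the primary user name from a multi-valued name attribute.

    1. If the RDN attribute is the name attribute itself, use the value
       that equals the RDN value (uid uses caseIgnoreMatch, so compare
       case-insensitively).
    2. Otherwise fall back: "first" takes the value as the server returned
       it (LDAP gives no ordering guarantee, so this can vary between
       searches); "smallest" takes the lexically smallest value, which is
       stable no matter how the server orders the values."""
    if not values:
        raise ValueError("no %s values to choose from" % name_attr)
    rdn_attr, rdn_value = parse_rdn(dn)
    if rdn_attr == name_attr.lower():
        for v in values:
            if v.lower() == rdn_value.lower():
                return v
    if fallback == "first":
        return values[0]
    if fallback == "smallest":
        return min(values, key=str.lower)
    raise ValueError("unknown fallback %r" % fallback)


if __name__ == "__main__":
    # Constructed sample: the two DNs and uid values from the report.
    uids = ["barras@dit-sb", "barras"]   # order as a server might return it
    print(pick_primary_name("uid=barras, ou=users, o=epfl, c=ch", "uid", uids))
    epfl_dn = "cn=Benjamin Barras,ou=dit-sb,ou=p-dit,ou=p,o=epfl,c=ch"
    print(pick_primary_name(epfl_dn, "uid", uids))                       # first
    print(pick_primary_name(epfl_dn, "uid", uids, fallback="smallest"))  # stable
```

With the RDN-based match the uid-style DN yields "barras" regardless of value order, while the cn-style DN depends entirely on the fallback: "first" returns whichever value the server listed first, "smallest" always returns "barras".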

comment:2 Changed 3 years ago by dpal

  • Milestone changed from NEEDS_TRIAGE to SSSD 1.7.0

comment:3 Changed 3 years ago by jhrozek

  • Owner changed from somebody to jhrozek

comment:4 Changed 3 years ago by jhrozek

The scope of this ticket is just picking the first value if the RDN doesn't match.

A follow-up ticket for other methods of fallback is https://fedorahosted.org/sssd/ticket/959

comment:5 Changed 3 years ago by jhrozek

  • Patch Submitted set
  • Status changed from new to assigned

comment:6 Changed 3 years ago by sgallagh

  • Milestone changed from SSSD 1.7.0 to SSSD 1.5.13
  • Red Hat Bugzilla set to 733382

comment:7 Changed 3 years ago by sgallagh

  • Resolution set to fixed
  • Status changed from assigned to closed

comment:8 Changed 3 years ago by sgallagh

  • Resolution fixed deleted
  • Milestone changed from SSSD 1.5.13 to SSSD 1.5.14
  • Component changed from SSSD to LDAP Provider
  • Status changed from closed to reopened

comment:10 Changed 3 years ago by jhrozek

  • Red Hat Bugzilla changed from 733382 to 733382,738629,738621

comment:11 Changed 2 years ago by mkosek

  • Red Hat Bugzilla changed from 733382,738629,738621 to [https://bugzilla.redhat.com/show_bug.cgi?id=733382 733382], [https://bugzilla.redhat.com/show_bug.cgi?id=738629 738629], [https://bugzilla.redhat.com/show_bug.cgi?id=738621 738621]