Ticket #951 (closed defect: fixed)

Opened 4 years ago

Last modified 4 years ago

sssd 1.6.0 fails to find groups with OpenLDAP server

Reported by: dpiddock
Owned by: jhrozek
Priority: blocker
Milestone: SSSD 1.5.12
Component: LDAP Provider
Version: 1.6.0
Keywords: Regression
Tests Updated: no
Patch Submitted: yes
Red Hat Bugzilla: 0

Description

1.6.0 is failing to find groups. When a user logs in, sssd queries for which group they are a member of with:

(&(memberUid=testuser)(objectClass=posixGroup)(cn=*)(gidNumber>=1))

In OpenLDAP (and possibly other LDAP servers) the gidNumber is not an ORDERING attribute. This search is returning no results, so sssd thinks the user has no groups. Removing (gidNumber>=1) or changing it to (!(gidNumber=1)) gets the list of groups returned. I've attached a patch to do the latter in the two obvious places in the code (ldap_id.c and sdap_async_accounts.c.)

I'm not sure if the two uses of >= in providers/ldap/ldap_id_enum.c also need looking at. Their existence doesn't seem to be causing me problems, or I'm not hitting those blocks due to the if statements.

(setting version blank as 1.6.0 isn't listed yet)

Attachments

ldap-gidNumber-search.patch (1.1 KB) - added by dpiddock 4 years ago.
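
Added example, not part of the ticket or of the SSSD code: a small Python model of RFC 4511 three-valued filter evaluation, showing why the `(gidNumber>=1)` clause in the description makes the whole search return nothing on a server whose gidNumber has no ORDERING rule, while the equality-based replacement named in the description still matches. The tuple filter representation, the schema dictionaries and the group entry are constructed for illustration.

```python
# Model of LDAP filter evaluation per RFC 4511 section 4.5.1.7 (three-valued logic).
TRUE, FALSE, UNDEFINED = "TRUE", "FALSE", "UNDEFINED"

# Constructed schema models: matching rules defined for gidNumber.
NO_ORDERING = {"gidNumber": {"equality"}}                # server as described in the ticket
WITH_ORDERING = {"gidNumber": {"equality", "ordering"}}  # server as described in comment:2

def evaluate(flt, entry, schema):
    """Evaluate a nested-tuple filter against one entry (dict of attr -> list of str)."""
    op = flt[0]
    if op in ("and", "or"):
        results = [evaluate(sub, entry, schema) for sub in flt[1:]]
        decisive = FALSE if op == "and" else TRUE
        if decisive in results:
            return decisive
        if UNDEFINED in results:
            return UNDEFINED
        return TRUE if op == "and" else FALSE
    if op == "not":
        return {TRUE: FALSE, FALSE: TRUE, UNDEFINED: UNDEFINED}[evaluate(flt[1], entry, schema)]
    values = entry.get(flt[1], [])
    if op == "present":
        return TRUE if values else FALSE
    if op == "eq":  # simplification: equality matching assumed available for every attribute
        return TRUE if flt[2] in values else FALSE
    if op == "ge":
        if "ordering" not in schema.get(flt[1], set()):
            return UNDEFINED  # no ORDERING rule, so the server cannot decide
        return TRUE if any(int(v) >= int(flt[2]) for v in values) else FALSE
    raise ValueError(f"unsupported filter item: {op}")

def search(flt, entries, schema):
    """Return the cn of every entry for which the filter is TRUE (only TRUE matches)."""
    return [e["cn"][0] for e in entries if evaluate(flt, e, schema) == TRUE]

COMMON = (("eq", "memberUid", "testuser"), ("eq", "objectClass", "posixGroup"), ("present", "cn"))
ORIGINAL = ("and", *COMMON, ("ge", "gidNumber", "1"))           # filter quoted in the ticket
REPLACED = ("and", *COMMON, ("not", ("eq", "gidNumber", "1")))  # replacement named in the ticket

# Constructed sample group entry.
GROUPS = [{"cn": ["staff"], "objectClass": ["posixGroup"],
           "memberUid": ["testuser"], "gidNumber": ["5000"]}]

if __name__ == "__main__":
    for name, flt, schema in (("original, no ORDERING", ORIGINAL, NO_ORDERING),
                              ("original, with ORDERING", ORIGINAL, WITH_ORDERING),
                              ("replaced, no ORDERING", REPLACED, NO_ORDERING)):
        print(name, "->", search(flt, GROUPS, schema))
```

Because an Undefined item is not an error, the search succeeds with zero entries, which is indistinguishable on the client from a user who belongs to no groups.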

Change History

Changed 4 years ago by dpiddock

comment:1 Changed 4 years ago by sgallagh

  • Component changed from SSSD to LDAP Provider
  • Version set to 1.6.0
  • Priority changed from critical to blocker

comment:2 Changed 4 years ago by jhrozek

This is a regression caused by b00113f8d5fcaf405364dfb5bc28a8076b6c10bd

I only tested with 389 where gidNumber has ORDERING apparently.

This needs fixing in the 1.5 branch as well.

comment:3 Changed 4 years ago by sgallagh

  • Keywords Regression added

comment:4 Changed 4 years ago by sgallagh

  • Owner changed from somebody to jhrozek
  • Milestone changed from NEEDS_TRIAGE to SSSD 1.5.12

comment:5 Changed 4 years ago by jhrozek

  • Status changed from new to assigned
  • Patch Submitted set

comment:6 Changed 4 years ago by jhrozek

  • Status changed from assigned to closed
  • Resolution set to fixed

comment:7 Changed 4 years ago by dpal

  • Red Hat Bugzilla set to 0