1.6.0 is failing to find groups. When a user logs in, sssd queries for which group they are a member of with:
(&(memberUid=testuser)(objectClass=posixGroup)(cn=*)(gidNumber>=1))
In OpenLDAP (and possibly other LDAP servers) the gidNumber is not an ORDERING attribute. This search is returning no results, so sssd thinks the user has no groups. Removing (gidNumber>=1) or changing it to (!(gidNumber=1)) gets the list of groups returned. I've attached a patch to do the latter in the two obvious places in the code (ldap_id.c and sdap_async_accounts.c).
I'm not sure if the two uses of >= in providers/ldap/ldap_id_enum.c also need looking at. Their existence doesn't seem to be causing me problems, or I'm not hitting those blocks due to the if statements.
(setting version blank as 1.6.0 isn't listed yet)
attachment ldap-gidNumber-search.patch
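Added example (not part of the ticket or of SSSD's code): a check an administrator could run over a directory's published attributeTypes to find attributes that a filter compares with >= or <= but that carry no ORDERING matching rule, the condition the report describes for gidNumber on OpenLDAP. The schema strings and function names are constructed for illustration.

```python
import re

# Filter from the report above.
SSSD_FILTER = "(&(memberUid=testuser)(objectClass=posixGroup)(cn=*)(gidNumber>=1))"

# Constructed attributeTypes values in RFC 4512 syntax, shaped like what a
# server publishes in its subschema entry. Not copied from any real server.
SCHEMA_NO_ORDERING = [
    "( 1.3.6.1.1.1.1.1 NAME 'gidNumber' EQUALITY integerMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )",
    "( 1.3.6.1.1.1.1.12 NAME 'memberUid' EQUALITY caseExactIA5Match "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )",
]
SCHEMA_WITH_ORDERING = [
    "( 1.3.6.1.1.1.1.1 NAME 'gidNumber' EQUALITY integerMatch "
    "ORDERING integerOrderingMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )",
]


def ordering_rules(attribute_types):
    """Map each lower-cased attribute name to its ORDERING rule, or None.

    Rules inherited through SUP are not followed (assumption for brevity).
    """
    rules = {}
    for definition in attribute_types:
        names = re.search(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", definition)
        if not names:
            continue
        ordering = re.search(r"\bORDERING\s+([\w.-]+)", definition)
        rule = ordering.group(1) if ordering else None
        for name in re.findall(r"[\w;-]+", names.group(1) or names.group(2)):
            rules[name.lower()] = rule
    return rules


def unsupported_ordering_terms(ldap_filter, attribute_types):
    """Attributes compared with >= or <= that have no known ORDERING rule."""
    rules = ordering_rules(attribute_types)
    used = re.findall(r"\(\s*([\w;.-]+?)\s*[<>]=", ldap_filter)
    return sorted({a for a in used if rules.get(a.lower()) is None})


if __name__ == "__main__":
    for label, schema in (("no ORDERING", SCHEMA_NO_ORDERING),
                          ("with ORDERING", SCHEMA_WITH_ORDERING)):
        print(label, unsupported_ordering_terms(SSSD_FILTER, schema))
```

An attribute that does not appear in the supplied schema at all is also reported, since no ORDERING rule is known for it.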
Fields changed
component: SSSD => LDAP Provider
priority: critical => blocker
version: => 1.6.0
This is a regression caused by b00113f
I only tested with 389 where gidNumber has ORDERING apparently.
This needs fixing in the 1.5 branch as well.
keywords: => Regression
milestone: NEEDS_TRIAGE => SSSD 1.5.12
owner: somebody => jhrozek
patch: 0 => 1
status: new => assigned
fixed in master: 86d7790
fixed in sssd-1-6: 9357219
fixed in sssd-1-5: 6266793
resolution: => fixed
status: assigned => closed
rhbz: => 0
Metadata Update from @dpiddock:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.5.12
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: https://github.com/SSSD/sssd/issues/1993
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.