Bug 1037653

Summary: Enabling ldap_id_mapping doesn't exclude uidNumber in filter
Product: Red Hat Enterprise Linux 7
Reporter: Kaushik Banerjee <kbanerje>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED CURRENTRELEASE
QA Contact: Kaushik Banerjee <kbanerje>
Severity: medium
Docs Contact:
Priority: high
Version: 7.0
CC: dpal, grajaiya, jgalipea, lslebodn, mkosek, nkarandi, pbrezina
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.11.2-37.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 10:30:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Kaushik Banerjee 2013-12-03 14:45:24 UTC
Description of problem:
Enabling ldap_id_mapping doesn't exclude uidNumber in filter

Version-Release number of selected component (if applicable):
1.11.2-10

How reproducible:
Always

Steps to Reproduce:
1. sssd.conf domain section:
[domain/ADTEST]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://<ad server>
ldap_id_mapping = true
ldap_schema = ad
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap_default_authtok = XXXXX

2. Lookup an AD user

Actual results:
User lookup fails. Domain log shows:
(Tue Dec  3 16:19:08 2013) [sssd[be[ADTEST]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=user1_dom1)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=example,DC=com]

Expected results:
User lookup should work

Additional info:
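As an added illustration (this is not sssd's own code, which is written in C, and it is not part of the report): a small Python check that builds the user lookup filter the way a provider with id mapping enabled should build it, dropping the `(&(uidNumber=*)(!(uidNumber=0)))` clause, and that scans domain-log lines of the form shown above for filters that still require a POSIX uidNumber. The log lines inside the block are constructed from the text of this report; the function names and the filter-building helper are hypothetical and only approximate the filter seen in the log.

```python
import re

# Constructed sample log lines, modelled on the domain log quoted in the report.
# The first line carries the buggy filter; the second is unrelated noise that the
# parser must skip.
SAMPLE_LOG = [
    "(Tue Dec  3 16:19:08 2013) [sssd[be[ADTEST]]] [sdap_get_generic_ext_step] (0x0400): "
    "calling ldap_search_ext with [(&(sAMAccountName=user1_dom1)(objectclass=user)"
    "(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=example,DC=com]",
    "(Tue Dec  3 16:19:08 2013) [sssd[be[ADTEST]]] [sdap_get_users_next_base] (0x0400): "
    "Searching for users with base [DC=example,DC=com]",
]

# Matches "calling ldap_search_ext with [<filter>][<base>]" at the end of a line.
SEARCH_RE = re.compile(
    r"calling ldap_search_ext with \[(?P<filter>[^\]]*)\]\[(?P<base>[^\]]*)\]\s*$"
)


def build_user_filter(name, id_mapping, name_attr="sAMAccountName",
                      uid_attr="uidNumber", object_class="user"):
    """Hypothetical filter builder: with ldap_id_mapping on, the uidNumber clause
    must be omitted, because mapped users have no POSIX uidNumber in AD."""
    parts = [f"({name_attr}={name})",
             f"(objectclass={object_class})",
             f"({name_attr}=*)"]
    if not id_mapping:
        # Only a real POSIX attribute lookup should require a non-zero uidNumber.
        parts.append(f"(&({uid_attr}=*)(!({uid_attr}=0)))")
    return "(&" + "".join(parts) + ")"


def parse_search_line(line):
    """Return (filter, base) for an ldap_search_ext log line, else None."""
    m = SEARCH_RE.search(line)
    if m is None:
        return None
    return m.group("filter"), m.group("base")


def filter_requires_posix_uid(ldap_filter, uid_attr="uidNumber"):
    """True if the filter insists on a uidNumber being present."""
    return f"({uid_attr}=*)" in ldap_filter


def check_domain_log(lines, id_mapping):
    """Return the filters that contradict the configured id mapping setting:
    with id mapping enabled no search should require uidNumber."""
    hits = []
    for line in lines:
        parsed = parse_search_line(line)
        if parsed is None:
            continue
        ldap_filter, _base = parsed
        if id_mapping and filter_requires_posix_uid(ldap_filter):
            hits.append(ldap_filter)
    return hits


if __name__ == "__main__":
    for flt in check_domain_log(SAMPLE_LOG, id_mapping=True):
        print("id mapping is on but the search still requires uidNumber:", flt)
```

Running the block against the constructed log reports the filter from the description as inconsistent with `ldap_id_mapping = true`, while the same filter would be expected (and not reported) with id mapping off.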

Comment 2 Jakub Hrozek 2013-12-04 22:04:34 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2172

Comment 3 Dmitri Pal 2013-12-12 14:21:55 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2175

Comment 4 Jakub Hrozek 2014-01-22 15:59:03 UTC
Fixed upstream:
    master:
        cdcca90249aadb72bf2978a63c202c5b68642224
        1e4a582e29c119e2c0e58a02dcb41b829e6b5e39
        16b27fcceebcbbaeefaf5b9bdf2dec3065adba4a 
    sssd-1-11:
        0a33b13e2125de2be64ba2add63021abfc973492
        507c0d939b7882e5708ac2c7589f67be2af89892
        2e5645a2b50a9cfa96ec68f3b01fe33bb270cfa1

Comment 6 Nirupama Karandikar 2014-01-24 07:15:22 UTC
Looks fixed for user lookups. But group lookups fail.

# rpm -q sssd
sssd-1.11.2-30.el7.x86_64

# getent -s sss group maingroup1
# echo $?
2

Domain log shows:
(Fri Jan 24 12:24:04 2014) [sssd[be[AD]]] [sdap_nested_group_hash_group] (0x0040): sysdb_attrs_get_int32_t failed.
(Fri Jan 24 12:24:04 2014) [sssd[be[AD]]] [sdap_nested_group_send] (0x0020): Unable to insert group into hash table [2]: No such file or directory
(Fri Jan 24 12:24:04 2014) [sssd[be[AD]]] [sdap_nested_done] (0x0020): Nested group processing failed: [2][No such file or directory]

Comment 7 Jakub Hrozek 2014-01-28 12:41:11 UTC
New patches are on the list and updated packages should be coming up shortly.

Comment 8 Jakub Hrozek 2014-01-29 20:11:30 UTC
Two additional fixes landed upstream:

    master:
        21e7b7d99a85b895f99e45d176524033cd40618c
        8c41a21bc98eec99a16258c7b4d79f456d85f856 
    sssd-1-11:
        cb0f731edf9f2d80f4b6f6429a2065fe03ea7872
        5a3c166f6622ffb537d86a5954b29f9c70cabe22

Comment 10 Kaushik Banerjee 2014-02-14 08:58:48 UTC
Verified as per the automation runs of the suites ad_provider/idmap and ad_provider/ldap-krb5.

Tested on build version 1.11.2-40

Comment 11 Ludek Smid 2014-06-13 10:30:24 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.