Bug 2096183
| Summary: | BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Anton Bobrov <abobrov> |
| Component: | sssd | Assignee: | Alejandro López <allopez> |
| Status: | VERIFIED --- | QA Contact: | Madhuri <mupadhye> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.5 | CC: | aboscatt, atikhono, grajaiya, lslebodn, mzidek, pbrezina, sgadekar, tmihinto, tscherf |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | sync-to-jira | ||
| Fixed In Version: | sssd-2.9.1-1.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Deadline: | 2023-06-12 | ||
Upstream PR: https://github.com/SSSD/sssd/pull/6671

Pushed PR: https://github.com/SSSD/sssd/pull/6671

* `master`
  * 99d0ab82e98a8f1e3cab23d871f36b9d890e034c - IPA: Use a more specific filter when searching for BE_REQ_USER_AND_GROUP
  * 1d69fdb73e5cbaf9789fbb153fa2bc55644e5ec1 - SYSDB: Make enum sysdb_obj_type public
* `sssd-2-9`
  * 3eb4c4a7e146e949e65d60e2912e7e4c834db6b1 - IPA: Use a more specific filter when searching for BE_REQ_USER_AND_GROUP
  * 58855b712a74b3c7cff3b9dc5daaf4f8b384fa02 - SYSDB: Make enum sysdb_obj_type public
Description of problem:

The customer has observed messages like the one below popping up in the logs:

```
Found [1266] overrides with filter [(&(objectClass=ipaOverrideAnchor)(|(uidNumber=27676)(gidNumber=27676)))], expected only 1.
```

From what I can see the search is done on LDAP base `cn=Default Trust View,cn=views,cn=accounts,dc=whatever,dc=man`. The customer however has a bunch of users that belong to the same primary group and thus do have that gidNumber in their cn=Default Trust View overrides:

```
objectClass: ipaOverrideAnchor
objectClass: ipaUserOverride
gidNumber: 27676
```

Looking at the sssd code there is a BE_REQ_USER_AND_GROUP case that constructs that filter, and it looks like it's trying to get both user and group overrides in one go, instead of say doing 2 separate search ops or 1 search with a more complex filter, based on the fact that it is using the superior ipaOverrideAnchor objectclass and not a user- or group-specific one.

@Sumit Bose: "BE_REQ_USER_AND_GROUP is used when it is not clear if a user or a group is looked up, e.g. when you are looking up a SID. I agree the LDAP search filter is a bit sloppy and should be more specific like e.g. (|(&(objectClass=ipaUserOverride)(uidNumber=27676))(&(objectClass=ipaGroupOverride)(gidNumber=27676)))"
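To make the over-match concrete, here is an added example (not SSSD code and not from the bug's PR) that evaluates both filters quoted above against a constructed set of view entries. It uses a minimal evaluator for the RFC 4515 filter subset the bug involves (AND, OR, equality); the base DN, the `ipaanchoruuid` RDNs and the ID numbers other than 27676 are assumptions chosen to mirror the customer's situation, where several users share primary group 27676 and a separate group override owns that GID.

```python
# Added example, not SSSD's own code: a minimal evaluator for the RFC 4515
# filter subset used in this bug (AND, OR, equality), run against constructed
# ipaOverrideAnchor entries to show why the original filter over-matches.

# Constructed base DN (assumption; the bug's real base is under dc=whatever,dc=man).
BASE = "cn=Default Trust View,cn=views,cn=accounts,dc=example,dc=test"


def override(rdn, classes, **attrs):
    """Build a constructed view entry. Attribute names are lower-cased because
    LDAP attribute types are matched case-insensitively."""
    entry = {"dn": f"ipaanchoruuid={rdn},{BASE}", "objectclass": set(classes)}
    for name, value in attrs.items():
        entry[name.lower()] = {value}
    return entry


# Constructed sample data modelled on the description: three users whose
# primary group is GID 27676, the group override for 27676, and an unrelated group.
ENTRIES = [
    override("u1", ["ipaOverrideAnchor", "ipaUserOverride"], uidNumber="30001", gidNumber="27676"),
    override("u2", ["ipaOverrideAnchor", "ipaUserOverride"], uidNumber="30002", gidNumber="27676"),
    override("u3", ["ipaOverrideAnchor", "ipaUserOverride"], uidNumber="30003", gidNumber="27676"),
    override("g1", ["ipaOverrideAnchor", "ipaGroupOverride"], gidNumber="27676"),
    override("g2", ["ipaOverrideAnchor", "ipaGroupOverride"], gidNumber="40000"),
]

# The two filters quoted in the bug: the original one and Sumit's proposal.
SLOPPY_FILTER = "(&(objectClass=ipaOverrideAnchor)(|(uidNumber=27676)(gidNumber=27676)))"
SPECIFIC_FILTER = ("(|(&(objectClass=ipaUserOverride)(uidNumber=27676))"
                   "(&(objectClass=ipaGroupOverride)(gidNumber=27676)))")


def parse_filter(text, pos=0):
    """Parse one parenthesised filter starting at text[pos]; return (node, next_pos).
    Nodes are ('&', [children]), ('|', [children]) or ('=', attr, value)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] in "&|":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)
    attr, value = text[pos:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter node against one entry."""
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    if node[0] == "|":
        return any(matches(child, entry) for child in node[1])
    _, attr, value = node
    return value in entry.get(attr, set())


def search(filter_text, entries=ENTRIES):
    """Return the DNs of all entries matching filter_text."""
    node, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [entry["dn"] for entry in entries if matches(node, entry)]


if __name__ == "__main__":
    for label, flt in (("sloppy", SLOPPY_FILTER), ("specific", SPECIFIC_FILTER)):
        hits = search(flt)
        print(f"{label}: {len(hits)} override(s) for filter {flt}")
        for dn in hits:
            print("   ", dn)
```

Run against the sample data, the original filter returns four overrides (the three user overrides carrying gidNumber 27676 plus the group override), which is exactly the "expected only 1" situation in the log line, while the proposed filter returns only the group override. Note that the specific filter still yields two entries when a user override and a group override genuinely share the same numeric ID, one per object class; that is the intended "user or group" answer for a SID lookup, not an over-match.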