Bug 648150

Summary: ldap_netgroup_search_base not working
Product: [Fedora] Fedora Reporter: Moritz Baumann <baumanmo>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: dpal, jhrozek, sbose, sgallagh, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: sssd-1.4.1-1.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-16 23:19:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
output of make check none

Description Moritz Baumann 2010-10-31 09:59:58 UTC
Description of problem:

The field ldap_netgroup_search_base does not get evaluated. Instead ldap_search_base appears to be used.

from man sssd-ldap:
      ldap_netgroup_search_base (string)
           An optional base DN to restrict netgroup searches to a specific
           subtree.


Version-Release number of selected component (if applicable):

RHEL 6 beta2 with ding-libs-0.1.2-3.fc15.src.rpm, sssd-1.4.0-2.fc15.src.rpm from rawhide.


How reproducible:
   always 

Steps to Reproduce:
1. rebuild ding-libs-0.1.2-3.fc15.src.rpm, sssd-1.4.0-2.fc15.src.rpm on
system and install it (I was runnign RHEL6 beta2 refresh)
2. in /etc/sssd/sssd.conf have
   ldap_schema = rfc2307
   ldap_search_base = ou=isg,ou=inf,ou=auth,o=ethz,c=ch
   ldap_user_search_base = ou=users,ou=isg,ou=inf,ou=auth,o=ethz,c=ch
   ldap_group_search_base = ou=group,ou=inf,ou=auth,o=ethz,c=ch
   ldap_netgroup_search_base = ou=netgroup,ou=inf,ou=auth,o=ethz,c=ch
3. configure sssd.conf with the lines above (+ have a otherwise running
config)
4. in /etc/nsswitch.conf change settings to netgroup:  files sss
5. restart service sssd
6. do your netgroup query and watch how it uses ldap_search_base rather than
ldap_netgroup_search_base (getent netgroup baumanmo in my example)


Actual results:

/var/log/sssd/sssd_D.ETHZ.CH.log shows after a "getent netgroup baumanmo":


(Sun Oct 31 10:25:14 2010) [sssd[be[D.ETHZ.CH]]] [sdap_get_generic_send] (6):
calling ldap_search_ext with
[(&(cn=baumanmo)(objectclass=nisNetgroup))][ou=isg,ou=inf,ou=auth,o=ethz,c=ch].


Expected results:

/var/log/sssd/sssd_D.ETHZ.CH.log shows after a "getent netgroup baumanmo":

(Sun Oct 31 10:25:14 2010) [sssd[be[D.ETHZ.CH]]] [sdap_get_generic_send] (6):
calling ldap_search_ext with
[(&(cn=baumanmo)(objectclass=nisNetgroup))][ou=netgroup,ou=inf,ou=auth,o=ethz,c=ch].


Additional info:

I have reported this bug as a comment to https://bugzilla.redhat.com/show_bug.cgi?id=645726. 
Please feel free to to delete that remark if inappropriate there.

Comment 1 Moritz Baumann 2010-10-31 14:27:31 UTC
diff -Nur sssd-1.4.0/src/providers/ldap/sdap_async_netgroups.c sssd-1.4.0.patch/src/providers/ldap/sdap_async_netgroups.c
--- sssd-1.4.0/src/providers/ldap/sdap_async_netgroups.c        2010-10-18 20:03:45.000000000 +0200
+++ sssd-1.4.0.patch/src/providers/ldap/sdap_async_netgroups.c  2010-10-31 14:57:51.963194696 +0100
@@ -603,7 +603,7 @@
 
     subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
                                    dp_opt_get_string(state->opts->basic,
-                                                     SDAP_SEARCH_BASE),
+                                                     SDAP_NETGROUP_SEARCH_BASE),
                                    LDAP_SCOPE_SUBTREE,
                                    state->filter, state->attrs,
                                    state->opts->netgroup_map,

builds on my fedora13 (with new ding-libs) but I have no ldap here to test.

does not passes the test suite on my RHEL6 Beta2 at work.

Comment 2 Dmitri Pal 2010-11-01 03:59:54 UTC
https://fedorahosted.org/sssd/ticket/661

Comment 3 Sumit Bose 2010-11-01 08:02:36 UTC
Your patch is obviously correct. Can you explain what you mean by "does not passes the test suite on my RHEL6 Beta2 at work." Does it mean 'make check' returns an error?

Thank you for sending this patch to sssd-devel.org. I will change it to a git-formatted patch and add you as the author.

Comment 4 Moritz Baumann 2010-11-01 09:06:07 UTC
Created attachment 456822 [details]
output of make check

Comment 5 Moritz Baumann 2010-11-01 09:19:37 UTC
interestingly these tests run fine when I build the rpm as root, but not when running as normal user.

Comment 6 Sumit Bose 2010-11-01 09:28:23 UTC
I can see a similar output if I run the test as a normal user, but tests_sysdb/tests_conf.ldb is owned by root. Can you remove everything in test_sysdb/ and run the test as a normal user again?

Comment 7 Moritz Baumann 2010-11-01 10:52:06 UTC
I'm not sure I understand.

I downloaded the src.rpm added the patch as patch0:

added a %patch0 -p1

and did a rpmbuild --ba.

This whole thing I did once as regular user (so all files belonged to baumanmo)

and once as root, so all files belonged to root.

The rpmbuild as root works, and the tests fail as user.

Comment 8 Sumit Bose 2010-11-01 14:45:41 UTC
Can you check if your spec file uses '--with-test-dir=/dev/shm' to speed up the 'make check' run? If yes, either remove this option or remove the /dev/shm/tests_sysdb/ directory before starting a new 'rpmbuild -ba'

Comment 9 Moritz Baumann 2010-11-01 16:14:16 UTC
yes the specfile from rawide had a --with-test-dir=/dev/shm. 

Removing this lead to a fine build.

Thanks,
Moritz

Comment 10 Fedora Update System 2010-11-05 18:34:36 UTC
sssd-1.4.1-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/sssd-1.4.1-1.fc14

Comment 11 Fedora Update System 2010-11-06 23:40:55 UTC
sssd-1.4.1-1.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update sssd'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/sssd-1.4.1-1.fc14

Comment 12 Fedora Update System 2010-11-16 23:19:27 UTC
sssd-1.4.1-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.