Bug 785908

Summary: ldap_*_search_base doesn't fully limit the group / netgroup search base correctly
Product: Red Hat Enterprise Linux 6
Reporter: Stephen Gallagher <sgallagh>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Priority: unspecified
Version: 6.3
CC: apeetham, grajaiya, jgalipea, prc
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.8.0-2.el6.beta2
Doc Type: Bug Fix
Doc Text: No documentation required
Last Closed: 2012-06-20 11:54:45 UTC

Description Stephen Gallagher 2012-01-30 21:06:01 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/960

A group within the ldap_group_search_base can contain a member group which is outside this search base.  When SSSD then pulls down the members of that parent group it should *not* expand the group outside of the group search base.  Currently this appears to get resolved, meaning groups from outside of the group search base are expanded.
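
The scoping rule described above, sketched as an added illustration that is not part of the original report and is not SSSD code. The DNs, the in-memory `GROUPS` table and the helpers `rdns`, `in_base` and `expand_members` are constructed for this example; `enforce_base=False` models the behaviour the report describes, `enforce_base=True` the expected one.

```python
import re

USER_BASE = "ou=People,dc=example,dc=com"    # assumed user search base
GROUP_BASE = "ou=Groups,dc=example,dc=com"   # stands in for ldap_group_search_base

# Constructed sample data: group DN -> member DNs.
GROUPS = {
    "cn=Group1,ou=Groups,dc=example,dc=com": [
        "uid=alice,ou=People,dc=example,dc=com",
        "cn=Group2,ou=Groups,dc=example,dc=com",   # nested, inside the base
        "cn=Outside,ou=Other,dc=example,dc=com",   # nested, outside the base
    ],
    "cn=Group2,ou=Groups,dc=example,dc=com": ["uid=bob,ou=People,dc=example,dc=com"],
    "cn=Outside,ou=Other,dc=example,dc=com": ["uid=carol,ou=People,dc=example,dc=com"],
}

def rdns(dn):
    """Split a DN into normalized RDNs (simplified: lowercases, honors '\\,' escapes)."""
    return [part.strip().lower() for part in re.split(r"(?<!\\),", dn)]

def in_base(dn, base):
    """True if dn is the base entry itself or lies in the subtree below it."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b

def expand_members(group_dn, enforce_base=True, seen=None):
    """Return the user DNs reachable from group_dn through nested groups."""
    seen = set() if seen is None else seen
    if group_dn in seen:                 # guard against membership loops
        return set()
    seen.add(group_dn)
    users = set()
    for member in GROUPS.get(group_dn, []):
        if in_base(member, USER_BASE):
            users.add(member)
        elif member in GROUPS:
            if enforce_base and not in_base(member, GROUP_BASE):
                continue                 # outside the group search base: do not expand
            users |= expand_members(member, enforce_base, seen)
    return users

if __name__ == "__main__":
    top = "cn=Group1,ou=Groups,dc=example,dc=com"
    print("scoped:  ", sorted(expand_members(top)))
    print("unscoped:", sorted(expand_members(top, enforce_base=False)))
```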

Comment 2 Amith 2012-04-27 00:13:15 UTC
Verified on sssd-1.8.0-22.el6.x86_64.
The beaker script is available at: https://svn.devel.redhat.com//repos/SSSDtetframework/branches/sssd-RHEL6.3/Functional/Tests-for-LDAP-ID-and-LDAP-AUTH/bugzilla-automation.sh
The output of the beaker automation script is given below:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Verify BZ release ticket #341 :- ldap_*_search_base dosen't fully limit the group search base
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running '/usr/bin/getent group'
:: [   PASS   ] :: Running '/usr/bin/getent group > /tmp/grp_file'
:: [   PASS   ] :: File '/tmp/grp_file' should contain 'Group111'
:: [   PASS   ] :: File '/tmp/grp_file' should contain 'Group22'
:: [   LOG    ] :: Duration: 30s
:: [   LOG    ] :: Assertions: 16 good, 0 bad
:: [   PASS   ] :: RESULT: Verify BZ release ticket #341 :- ldap_*_search_base dosen't fully limit the group search base

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Verify BZ release ticket #341 :- ldap_*_search_base dosen't fully limit the Netgroup search base
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running '/usr/bin/getent netgroup Seceng'
:: [   PASS   ] :: Running '/usr/bin/getent netgroup Seceng > /tmp/grp_file'
:: [   PASS   ] :: File '/tmp/grp_file' should contain '(h1, QEuser, example.com)'
:: [   PASS   ] :: File '/tmp/grp_file' should not contain '(h3, Coreuser, example.com)'
:: [   LOG    ] :: Duration: 32s
:: [   LOG    ] :: Assertions: 11 good, 0 bad
:: [   PASS   ] :: RESULT: Verify BZ release ticket #341 :- ldap_*_search_base dosen't fully limit the Netgroup search base

Comment 3 Stephen Gallagher 2012-06-12 13:34:09 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation required

Comment 5 errata-xmlrpc 2012-06-20 11:54:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html