Bug 950874

Summary: Simple access control always denies uppercased users in case insensitive domain
Product: Red Hat Enterprise Linux 6
Reporter: Kaushik Banerjee <kbanerje>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Priority: high
Version: 6.5
CC: dpal, grajaiya, jgalipea, lslebodn, mkosek, pbrezina
Target Milestone: rc
Keywords: Regression, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.9.2-88.el6
Doc Type: Bug Fix
Doc Text:
Previously, simple access control denied access to uppercase users in case-insensitive domains. This update corrects the issue and users with uppercase names are able to log in.
Last Closed: 2013-11-21 22:16:34 UTC
Type: Bug
Bug Blocks: 952614

Description Kaushik Banerjee 2013-04-11 06:36:44 UTC
Description of problem:
Simple access control always denies uppercased users in case insensitive domain

Version-Release number of selected component (if applicable):
1.9.2-82.4.el6_4

How reproducible:
Always

Steps to Reproduce:
1. On the LDAP server, the user and group are added as follows:
- On the LDAP server, the user and group are saved as:
# ldapsearch -x -LLL -b "dc=example,dc=com" uid=User_CS1
dn: uid=User_CS1,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: account
cn: User_CS1
homeDirectory: /home/User_CS1
userPassword:: U2VjcmV0MTIz
uid: User_CS1_Alias
uid: User_CS1
uidNumber: 304560
gidNumber: 304560

# ldapsearch -x -LLL -b "dc=example,dc=com" cn=User_CS1_grp1
dn: cn=User_CS1_grp1,ou=Groups,dc=example,dc=com
objectClass: posixGroup
memberUid: User_CS1
cn: User_CS1_grp1_Alias
cn: User_CS1_grp1
gidNumber: 304560


2. The domain section of sssd.conf has:
[domain/LDAP]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://ldapserver.example.com
ldap_search_base = dc=example,dc=com
case_sensitive = false
access_provider = simple
simple_deny_groups = user_cs1_grp1
ldap_tls_cacert = /etc/openldap/certs/cacert.pem 

3. Try to log in as the user:
# ssh -l User_CS1 localhost
User_CS1@localhost's password:
Connection closed by ::1


Actual results:
Login fails.
Domain log always shows:
(Thu Apr 11 00:44:12 2013) [sssd[be[LDAP]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Thu Apr 11 00:44:12 2013) [sssd[be[LDAP]]] [simple_check_get_groups_send] (0x0080): No such user user_cs1
(Thu Apr 11 00:44:12 2013) [sssd[be[LDAP]]] [simple_access_check_recv] (0x1000): Access not granted 

Expected results:
Login should succeed.

Additional info:
This was working fine before the Z-Stream upgrade.

Comment 1 Jakub Hrozek 2013-04-11 07:12:50 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1880

Comment 6 Kaushik Banerjee 2013-08-28 11:45:46 UTC
Verified in version sssd-1.9.2-123.el6

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: case_sensitive15: case_sensitive=false simple_allow_groups = user_cs1_grp1
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Sleeping for 5 seconds
:: [   PASS   ] :: Authentication successful, as expected 
:: [   PASS   ] :: Running 'auth_success user_CS1 Secret123' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 9s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: case_sensitive15: case_sensitive=false simple_allow_groups = user_cs1_grp1

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: case_sensitive16: case_sensitive=false simple_allow_groups = USER_CS2_GRP1
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Sleeping for 5 seconds
:: [   PASS   ] :: Running 'getent group USER_CS2_GRP1' (Expected 0, got 0)
:: [   PASS   ] :: Authentication successful, as expected 
:: [   PASS   ] :: Running 'auth_success USER_CS2 Secret123' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 9s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: case_sensitive16: case_sensitive=false simple_allow_groups = USER_CS2_GRP1
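The failure mode in the domain log above ("No such user user_cs1" followed by "Access not granted"), as an added C model that is not SSSD's code and not part of the original report. The report does not state the root cause, so the exact-match cache lookup, the cache layout and the names find_user, name_eq and check_access are assumptions chosen to reproduce the logged behaviour for the simple_allow_groups case verified in comment 6.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed cache row mirroring the LDAP entry in the report. */
struct user { const char *name; const char *group; };
static const struct user cache[] = { { "User_CS1", "User_CS1_grp1" } };

enum verdict { GRANTED, DENIED_NOT_IN_GROUP, DENIED_NO_SUCH_USER };

/* Compare two names, optionally ignoring ASCII case. */
static bool name_eq(const char *a, const char *b, bool fold) {
    for (; *a && *b; a++, b++) {
        int x = (unsigned char)*a, y = (unsigned char)*b;
        if (fold) { x = tolower(x); y = tolower(y); }
        if (x != y) return false;
    }
    return *a == *b;
}

/* Hypothetical cache lookup; fold selects case-insensitive matching. */
static const struct user *find_user(const char *name, bool fold) {
    for (size_t i = 0; i < sizeof(cache) / sizeof(cache[0]); i++)
        if (name_eq(cache[i].name, name, fold)) return &cache[i];
    return NULL;
}

/* Model of a simple_allow_groups check in a case_sensitive = false domain.
 * The login name is lowercased first; fold_lookup says whether the cache
 * lookup also ignores case (false reproduces the logged failure). */
static enum verdict check_access(const char *login, const char *allow_group,
                                 bool fold_lookup) {
    char key[64];
    size_t n = strlen(login);
    if (n >= sizeof(key)) return DENIED_NO_SUCH_USER;
    for (size_t i = 0; i <= n; i++) key[i] = (char)tolower((unsigned char)login[i]);
    const struct user *u = find_user(key, fold_lookup);
    if (u == NULL) return DENIED_NO_SUCH_USER;      /* unknown user: fail closed */
    return name_eq(u->group, allow_group, true) ? GRANTED : DENIED_NOT_IN_GROUP;
}

int main(void) {
    printf("exact lookup:  %d\n", check_access("User_CS1", "user_cs1_grp1", false));
    printf("folded lookup: %d\n", check_access("User_CS1", "user_cs1_grp1", true));
    return 0;
}
```

Because an unknown user is denied rather than allowed, a normalization mismatch like this locks out legitimate users instead of opening access, which is why it appears as a login regression and not as a bypass.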

Comment 7 errata-xmlrpc 2013-11-21 22:16:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1680.html