Bug 1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter
Summary: Enabling ldap_id_mapping doesn't exclude uidNumber in filter
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-12-03 14:45 UTC by Kaushik Banerjee
Modified: 2020-05-02 17:34 UTC (History)
7 users (show)

Fixed In Version: sssd-1.11.2-37.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 10:30:24 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3214 0 None None None 2020-05-02 17:34:12 UTC
Github SSSD sssd issues 3217 0 None None None 2020-05-02 17:34:30 UTC

Description Kaushik Banerjee 2013-12-03 14:45:24 UTC 
Description of problem:
Enabling ldap_id_mapping doesn't exclude uidNumber in filter

Version-Release number of selected component (if applicable):
1.11.2-10

How reproducible:
Always

Steps to Reproduce:
1. sssd.conf domain section:
[domain/ADTEST]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://<ad server>
ldap_id_mapping = true
ldap_schema = ad
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap_default_authtok = XXXXX

2. Lookup an AD user

Actual results:
User lookup fails. Domain log shows:
(Tue Dec  3 16:19:08 2013) [sssd[be[ADTEST]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=user1_dom1)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=example,DC=com]

Expected results:
User lookup should work

Additional info:
Comment 2 Jakub Hrozek 2013-12-04 22:04:34 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2172
Comment 3 Dmitri Pal 2013-12-12 14:21:55 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2175
Comment 4 Jakub Hrozek 2014-01-22 15:59:03 UTC 
Fixed upstream:
    master:
        cdcca90249aadb72bf2978a63c202c5b68642224
        1e4a582e29c119e2c0e58a02dcb41b829e6b5e39
        16b27fcceebcbbaeefaf5b9bdf2dec3065adba4a 
    sssd-1-11:
        0a33b13e2125de2be64ba2add63021abfc973492
        507c0d939b7882e5708ac2c7589f67be2af89892
        2e5645a2b50a9cfa96ec68f3b01fe33bb270cfa1
Comment 6 Nirupama Karandikar 2014-01-24 07:15:22 UTC 
Looks fixed for user lookups. But group lookups fail.

# rpm -q sssd
sssd-1.11.2-30.el7.x86_64

# getent -s sss group maingroup1
# echo $?
2

Domain log shows:
(Fri Jan 24 12:24:04 2014) [sssd[be[AD]]] [sdap_nested_group_hash_group] (0x0040): sysdb_attrs_get_int32_t failed.
(Fri Jan 24 12:24:04 2014) [sssd[be[AD]]] [sdap_nested_group_send] (0x0020): Unable to insert group into hash table [2]: No such file or directory
(Fri Jan 24 12:24:04 2014) [sssd[be[AD]]] [sdap_nested_done] (0x0020): Nested group processing failed: [2][No such file or directory]
Comment 7 Jakub Hrozek 2014-01-28 12:41:11 UTC 
New patches are on the list and updated packages should be coming up shortly.
Comment 8 Jakub Hrozek 2014-01-29 20:11:30 UTC 
Two additional fixes landed upstream:

    master:
        21e7b7d99a85b895f99e45d176524033cd40618c
        8c41a21bc98eec99a16258c7b4d79f456d85f856 
    sssd-1-11:
        cb0f731edf9f2d80f4b6f6429a2065fe03ea7872
        5a3c166f6622ffb537d86a5954b29f9c70cabe22
Comment 10 Kaushik Banerjee 2014-02-14 08:58:48 UTC 
Verified as per the automation runs of the suites ad_provider/idmap and ad_provider/ldap-krb5.

Tested on build version 1.11.2-40
Comment 11 Ludek Smid 2014-06-13 10:30:24 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
Note You need to log in before you can comment on or make changes to this bug.