Bug 1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter
Summary: Enabling ldap_id_mapping doesn't exclude uidNumber in filter
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-12-03 14:45 UTC by Kaushik Banerjee
Modified: 2020-05-02 17:34 UTC

Fixed In Version: sssd-1.11.2-37.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 10:30:24 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3214 0 None None None 2020-05-02 17:34:12 UTC
Github SSSD sssd issues 3217 0 None None None 2020-05-02 17:34:30 UTC

Description Kaushik Banerjee 2013-12-03 14:45:24 UTC
Description of problem:
Enabling ldap_id_mapping doesn't exclude uidNumber in filter

Version-Release number of selected component (if applicable):
1.11.2-10

How reproducible:
Always

Steps to Reproduce:
1. sssd.conf domain section:
[domain/ADTEST]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://<ad server>
ldap_id_mapping = true
ldap_schema = ad
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap_default_authtok = XXXXX

2. Lookup an AD user

Actual results:
User lookup fails. Domain log shows:
(Tue Dec  3 16:19:08 2013) [sssd[be[ADTEST]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=user1_dom1)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=example,DC=com]

Expected results:
User lookup should work

Additional info:
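
A diagnostic for the symptom in the report above, added here as an example and not part of the bug report or of SSSD's own code: it reads sssd.conf-style text, finds the domains where ID mapping is in effect, and flags logged ldap_search_ext filters that still require uidNumber or gidNumber. The sample config and log are constructed from the lines quoted in the report; the gidNumber check, the second log line using objectSID, and the function names are assumptions.

```python
import configparser
import re

# Constructed sample input, trimmed from the sssd.conf section in the report.
SSSD_CONF = """\
[domain/ADTEST]
id_provider = ldap
ldap_id_mapping = true
ldap_schema = ad
"""
# Constructed log: line 1 repeats the reported filter, line 2 is an assumed filter without POSIX ID clauses.
DOMAIN_LOG = """\
(Tue Dec  3 16:19:08 2013) [sssd[be[ADTEST]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=user1_dom1)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=example,DC=com]
(Tue Dec  3 16:19:09 2013) [sssd[be[ADTEST]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=user1_dom1)(objectclass=user)(sAMAccountName=*)(objectSID=*))][DC=example,DC=com]
"""

SEARCH_RE = re.compile(
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\].*?calling ldap_search_ext with "
    r"\[(?P<filter>.*)\]\[(?P<base>[^\]]*)\]")
# Any clause that tests a POSIX ID attribute, e.g. (uidNumber=*) or (!(uidNumber=0)).
POSIX_CLAUSE = re.compile(r"\(\s*(uidNumber|gidNumber)\s*[~<>]?=", re.IGNORECASE)

def id_mapped_domains(conf_text):
    """Names of domains where SID-based ID mapping is in effect."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    # The ad provider maps IDs by default; the ldap provider does not.
    return {s.split("/", 1)[1] for s in cp.sections() if s.startswith("domain/")
            and cp.getboolean(s, "ldap_id_mapping",
                              fallback=cp.get(s, "id_provider", fallback="") == "ad")}

def flag_posix_filters(conf_text, log_text):
    """List (domain, attrs, filter) for searches that contradict ldap_id_mapping."""
    mapped = id_mapped_domains(conf_text)
    findings = []
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m and m.group("domain") in mapped:
            attrs = sorted({a.lower() for a in POSIX_CLAUSE.findall(m.group("filter"))})
            if attrs:
                findings.append((m.group("domain"), attrs, m.group("filter")))
    return findings

if __name__ == "__main__":
    for domain, attrs, flt in flag_posix_filters(SSSD_CONF, DOMAIN_LOG):
        print(f"{domain}: filter requires {', '.join(attrs)} despite ID mapping: {flt}")
```

The search filters only appear in the domain log at a debug level that includes 0x0400, as with the debug_level = 0xFFF0 setting in the report.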

Comment 2 Jakub Hrozek 2013-12-04 22:04:34 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2172

Comment 3 Dmitri Pal 2013-12-12 14:21:55 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2175

Comment 4 Jakub Hrozek 2014-01-22 15:59:03 UTC
Fixed upstream:
    master:
        cdcca90249aadb72bf2978a63c202c5b68642224
        1e4a582e29c119e2c0e58a02dcb41b829e6b5e39
        16b27fcceebcbbaeefaf5b9bdf2dec3065adba4a 
    sssd-1-11:
        0a33b13e2125de2be64ba2add63021abfc973492
        507c0d939b7882e5708ac2c7589f67be2af89892
        2e5645a2b50a9cfa96ec68f3b01fe33bb270cfa1

Comment 6 Nirupama Karandikar 2014-01-24 07:15:22 UTC
Looks fixed for user lookups. But group lookups fail.

# rpm -q sssd
sssd-1.11.2-30.el7.x86_64

# getent -s sss group maingroup1
# echo $?
2

Domain log shows:
(Fri Jan 24 12:24:04 2014) [sssd[be[AD]]] [sdap_nested_group_hash_group] (0x0040): sysdb_attrs_get_int32_t failed.
(Fri Jan 24 12:24:04 2014) [sssd[be[AD]]] [sdap_nested_group_send] (0x0020): Unable to insert group into hash table [2]: No such file or directory
(Fri Jan 24 12:24:04 2014) [sssd[be[AD]]] [sdap_nested_done] (0x0020): Nested group processing failed: [2][No such file or directory]

Comment 7 Jakub Hrozek 2014-01-28 12:41:11 UTC
New patches are on the list and updated packages should be coming up shortly.

Comment 8 Jakub Hrozek 2014-01-29 20:11:30 UTC
Two additional fixes landed upstream:

    master:
        21e7b7d99a85b895f99e45d176524033cd40618c
        8c41a21bc98eec99a16258c7b4d79f456d85f856 
    sssd-1-11:
        cb0f731edf9f2d80f4b6f6429a2065fe03ea7872
        5a3c166f6622ffb537d86a5954b29f9c70cabe22

Comment 10 Kaushik Banerjee 2014-02-14 08:58:48 UTC
Verified as per the automation runs of the suites ad_provider/idmap and ad_provider/ldap-krb5.

Tested on build version 1.11.2-40

Comment 11 Ludek Smid 2014-06-13 10:30:24 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

