1746951 – ipa-extdom-extop plugin doesn't allow @ in group name

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1746951 - ipa-extdom-extop plugin doesn't allow @ in group name

Summary: ipa-extdom-extop plugin doesn't allow @ in group name

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	8.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.0
Assignee:	Tomas Halman
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1383520
TreeView+	depends on / blocked

Reported:	2019-08-29 14:55 UTC by Tomas Halman
Modified:	2023-09-07 20:30 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-04-28 15:43:29 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1383520	1	medium	CLOSED	Regular expression used in sssd.conf not being able to consume an @-sign in the user/group name.	2024-03-25 15:01:31 UTC
Red Hat Issue Tracker	FREEIPA-10080	0	None	None	None	2023-06-26 15:17:20 UTC
Red Hat Issue Tracker	RHELPLAN-26602	0	None	None	None	2023-06-26 15:14:43 UTC
Red Hat Product Errata	RHEA-2020:1640	0	None	None	None	2020-04-28 15:43:59 UTC

Description Tomas Halman 2019-08-29 14:55:41 UTC

Description of problem:

The ipa-extdom-extop plugin has just one method for resolving group names and user name '@' character is used for detecting user principal name which may have alternative suffixes.

Username (the short part before @) can't contain '@' but group name can. This shared logic doesn't work for groups like my@group.

Protocol for SSSD<->ipa-extdom-extop communication protocol has to be extended to add separated calls for user and group resolution.

This change will also improve the response time in groupname resolution because the original call tries resolve the name as username and when it fails it tries to resolve it as groupname.

Comment 1 Florence Blanc-Renaud 2019-09-23 08:54:57 UTC

Fixed upstream:
master:
https://github.com/freeipa/freeipa/commit/e5f04258b5b3fb6c04c28ddd38ae251c822e80bc
https://github.com/freeipa/freeipa/commit/5f898c3c614f4165f0eb15c3aad2157689fbbcfe
https://github.com/freeipa/freeipa/commit/84b6c0f53b9ebdd4c01181898499bb6992aa9e8a
https://github.com/freeipa/freeipa/commit/bddf64b9da2df21a14022109ae989bd5408bf14b

ipa-4-8:
https://github.com/freeipa/freeipa/commit/51723c73f48098ee123a3216fb577194555f0a3f
https://github.com/freeipa/freeipa/commit/9253c18b1d199cc723ddb9b1c4b41a35b6861234
https://github.com/freeipa/freeipa/commit/d8a6b21d7ee6b91e60c45da4c9668d22ca9d0c6e
https://github.com/freeipa/freeipa/commit/13a37fb43f4c43f4eea5aa6650bf7488d85675e7

ipa-4-7:
https://github.com/freeipa/freeipa/commit/2e8a2a564a46a2a4f04236e08dda26d6126135ea
https://github.com/freeipa/freeipa/commit/b442b82b4a4c80b9e7992b33eb008f4f0dea44e2
https://github.com/freeipa/freeipa/commit/5340a03e30d37015777eafb58d7f36fc3d81c5eb
https://github.com/freeipa/freeipa/commit/f8b070587c5c2779b6b76237d1c712a0947f9438

ipa-4-6:
https://github.com/freeipa/freeipa/commit/b182a96226de46b6d194fb924b7374d923c14733
https://github.com/freeipa/freeipa/commit/20612db06516ec59922827e16f5226d21815751a
https://github.com/freeipa/freeipa/commit/0a1ad84adfedc141fbbaece3a7dee1ade69c1fdc
https://github.com/freeipa/freeipa/commit/9a140cdc269bbde9e9ebb99d9cd8c643a94afb6c

Comment 8 Florence Blanc-Renaud 2020-02-12 16:36:32 UTC

Test added upstream
master:
https://pagure.io/freeipa/c/4f09416f2f01cee03213f7d5186fe1a7104e6d66
https://pagure.io/freeipa/c/0a4bec2a1f2a1fbf6b6b05a5cdbdf5bf08d66344

Comment 9 François Cami 2020-02-17 15:53:44 UTC

Test added upstream
ipa-4-8:
https://pagure.io/freeipa/c/2d0da2f9aff2e6256ae9f43838ca24335381e7e8
https://pagure.io/freeipa/c/985c99fc7ad6fdd30d428d099e006b1a0836a87d

Comment 10 François Cami 2020-02-17 15:54:16 UTC

Test added upstream
ipa-4-7:
https://pagure.io/freeipa/c/9a0f6cb2582e265a5d1bb87aaff6049ccd5a5b35
https://pagure.io/freeipa/c/b0ad2c432362e88764bb11e14cc852c2616fd952

Comment 11 Florence Blanc-Renaud 2020-02-19 09:40:42 UTC

Test added upstream:
ipa-4-6:
https://pagure.io/freeipa/c/a736449a217dc38e98054e8018fe7c7fd11f54be
https://pagure.io/freeipa/c/2e4e1b37a71d7a9d8bd834fefcc241eaac19e1e7

Comment 12 anuja 2020-02-20 09:17:51 UTC

Test verified using existing automation: test_integration/test_sssd.py::TestSSSDWithAdTrust::test_extdom_group
Using version: 
ipa-server-4.8.4-6.module+el8.2.0+5773+68ace8c5.x86_64
ipa-client-4.8.4-6.module+el8.2.0+5774+71f22ff9.x86_64

Test log:
===================================================== test session starts =====================================================
platform linux -- Python 3.6.8, pytest-3.4.2, py-1.5.3, pluggy-0.6.0 -- /usr/libexec/platform-python
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-179.el8.x86_64-x86_64-with-redhat-8.2-Ootpa', 'Packages': {'pytest': '3.4.2', 'py': '1.5.3', 'pluggy': '0.6.0'}, 'Plugins': {'metadata': '1.8.0', 'html': '1.22.1', 'sourceorder': '0.5', 'multihost': '3.0'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.8.0, html-1.22.1, sourceorder-0.5, multihost-3.0
collected 10 items                                                                                                            

test_integration/test_sssd.py::TestSSSDWithAdTrust::test_auth_cache_disabled_by_default[ipa] PASSED                     [ 10%]
test_integration/test_sssd.py::TestSSSDWithAdTrust::test_auth_cache_disabled_by_default[ad] PASSED                      [ 20%]
test_integration/test_sssd.py::TestSSSDWithAdTrust::test_auth_cache_disabled_with_value_0[ipa] PASSED                   [ 30%]
test_integration/test_sssd.py::TestSSSDWithAdTrust::test_auth_cache_disabled_with_value_0[ad] PASSED                    [ 40%]
test_integration/test_sssd.py::TestSSSDWithAdTrust::test_auth_cache_enabled_when_configured[ipa] PASSED                 [ 50%]
test_integration/test_sssd.py::TestSSSDWithAdTrust::test_auth_cache_enabled_when_configured[ad] PASSED                  [ 60%]
test_integration/test_sssd.py::TestSSSDWithAdTrust::test_is_user_filtered[ad] PASSED                                    [ 70%]
test_integration/test_sssd.py::TestSSSDWithAdTrust::test_is_user_filtered[fakeuser] PASSED                              [ 80%]
test_integration/test_sssd.py::TestSSSDWithAdTrust::test_extdom_group PASSED                                            [ 90%]
test_integration/test_sssd.py::TestSSSDWithAdTrust::test_external_group_paging PASSED                                   [100%]

--------------------------- generated xml file: /usr/lib/python3.6/site-packages/ipatests/junit.xml ---------------------------
================================================ 10 passed in 1024.88 seconds =================================================
[root@runner ipatests]# 

Based on this marking bz as verified.

Comment 18 errata-xmlrpc 2020-04-28 15:43:29 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1640

Note You need to log in before you can comment on or make changes to this bug.