Bug 2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides
Keywords:
Status: VERIFIED
Alias: None
Deadline: 2023-06-12
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Alejandro López
QA Contact: Madhuri
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2022-06-13 08:16 UTC by Anton Bobrov
Modified: 2023-08-14 08:27 UTC
CC: 9 users

Fixed In Version: sssd-2.9.1-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd pull 6671 0 None open IPA: Use a more specific filter when searching for BE_REQ_USER_AND_GROUP 2023-05-11 13:22:13 UTC
Red Hat Issue Tracker RHELPLAN-125070 0 None None None 2022-06-13 08:27:35 UTC
Red Hat Issue Tracker SSSD-4717 0 None None None 2022-06-13 11:19:26 UTC

Description Anton Bobrov 2022-06-13 08:16:28 UTC
Description of problem:

The customer has observed messages like the one below popping up in the logs:

Found [1266] overrides with filter [(&(objectClass=ipaOverrideAnchor)(|(uidNumber=27676)(gidNumber=27676)))], expected only 1.

From what I can see the search is done on LDAP base

cn=Default Trust View,cn=views,cn=accounts,dc=whatever,dc=man

The customer, however, has a bunch of users that belong to the same primary group and thus do have that gidNumber in their cn=Default Trust View overrides:

objectClass: ipaOverrideAnchor
objectClass: ipaUserOverride
gidNumber: 27676

Looking at the sssd code, there is a BE_REQ_USER_AND_GROUP case that constructs that filter, and it looks like it's trying to get both user and group overrides in one go, instead of, say, doing 2 separate search ops or 1 search with a more complex filter, based on the fact that it is using the superior ipaOverrideAnchor objectclass and not a user- or group-specific one.

@Sumit Bose:

"BE_REQ_USER_AND_GROUP is used when it is not clear if a user or a group
is looked up, e.g. when you are looking up a SID.

I agree the LDAP search filter is a bit sloppy and should be more
specific like e.g.

    (|(&(objectClass=ipaUserOverride)(uidNumber=27676))(&(objectClass=ipaGroupOverride)(gidNumber=27676)))"

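Worked example, added here and not part of the bug report or of sssd's code: the two filter strings are the ones quoted above (the logged one and the more specific one suggested in the report), while the tiny RFC 4515 filter evaluator and the "Default Trust View" entries (one group override plus N user overrides whose primary group is gid 27676, attribute names lower-cased, uids starting at 40000) are constructed for this example. Running an ID lookup with both filters over the same view shows the over-match: the legacy filter matches every user override that merely carries the gid as its primary group, the specific filter matches only the group override.

```python
"""Added example (not sssd code): why the BE_REQ_USER_AND_GROUP filter over-matches.

The filter strings come from the bug report; the entries and the minimal
filter evaluator below are constructed for this demonstration."""

from typing import Dict, List, Tuple, Union

Entry = Dict[str, List[str]]
Node = Union[Tuple[str, list], Tuple[str, str, str]]


def parse_filter(text: str, pos: int = 0) -> Tuple[Node, int]:
    """Parse a parenthesised LDAP filter supporting &, |, ! and attr=value only."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    if text[pos] in "&|!":
        op = text[pos]
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)
    attr, sep, value = text[pos:end].partition("=")
    if not sep:
        raise ValueError("only equality matches are supported")
    return ("=", attr.lower(), value), end + 1


def matches(node: Node, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry (attr names are case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return value.lower() in (v.lower() for v in entry.get(attr, []))


def search(ldap_filter: str, entries: List[Entry]) -> List[Entry]:
    node, end = parse_filter(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing text after filter")
    return [e for e in entries if matches(node, e)]


def legacy_filter(id_number: int) -> str:
    """Filter as logged in the report: any override anchor with that uid OR gid."""
    return f"(&(objectClass=ipaOverrideAnchor)(|(uidNumber={id_number})(gidNumber={id_number})))"


def specific_filter(id_number: int) -> str:
    """Filter suggested in the report: uidNumber only on user overrides,
    gidNumber only on group overrides."""
    return (f"(|(&(objectClass=ipaUserOverride)(uidNumber={id_number}))"
            f"(&(objectClass=ipaGroupOverride)(gidNumber={id_number})))")


def constructed_view(n_users: int = 5, primary_gid: int = 27676) -> List[Entry]:
    """Constructed 'Default Trust View': one group override plus n_users user
    overrides whose primary group is primary_gid (uids 40000, 40001, ...)."""
    entries: List[Entry] = [{
        "objectclass": ["ipaOverrideAnchor", "ipaGroupOverride"],
        "gidnumber": [str(primary_gid)],
        "cn": ["engineers"],
    }]
    for i in range(n_users):
        entries.append({
            "objectclass": ["ipaOverrideAnchor", "ipaUserOverride"],
            "uidnumber": [str(40000 + i)],
            "gidnumber": [str(primary_gid)],  # primary group, the attribute that over-matches
            "uid": [f"user{i}"],
        })
    return entries


def count_matches(id_number: int, n_users: int = 5) -> Tuple[int, int]:
    """(hits with the legacy filter, hits with the specific filter) for one ID lookup."""
    view = constructed_view(n_users)
    return (len(search(legacy_filter(id_number), view)),
            len(search(specific_filter(id_number), view)))


if __name__ == "__main__":
    for ident in (27676, 40001, 99999):
        old, new = count_matches(ident)
        print(f"id {ident}: legacy filter -> {old} override(s), specific filter -> {new}")
    # With 1265 users in the group the legacy filter reproduces the "Found [1266]" count.
    print(count_matches(27676, n_users=1265))
```

The same comparison can be made against a real view by running the two filters as ldapsearch queries against the cn=Default Trust View base and counting the returned entries; the legacy filter's hit count grows with the size of the primary group, the specific one stays at the single override the lookup actually wants.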
Comment 5 Alexey Tikhonov 2023-05-11 13:23:45 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/6671

Comment 6 Alexey Tikhonov 2023-05-26 10:59:16 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/6671

* `master`
    * 99d0ab82e98a8f1e3cab23d871f36b9d890e034c - IPA: Use a more specific filter when searching for BE_REQ_USER_AND_GROUP
    * 1d69fdb73e5cbaf9789fbb153fa2bc55644e5ec1 - SYSDB: Make enum sysdb_obj_type public
* `sssd-2-9`
    * 3eb4c4a7e146e949e65d60e2912e7e4c834db6b1 - IPA: Use a more specific filter when searching for BE_REQ_USER_AND_GROUP
    * 58855b712a74b3c7cff3b9dc5daaf4f8b384fa02 - SYSDB: Make enum sysdb_obj_type public

