Description of problem:

The customer has observed messages like the one below popping up in the logs:

```
Found [1266] overrides with filter [(&(objectClass=ipaOverrideAnchor)(|(uidNumber=27676)(gidNumber=27676)))], expected only 1.
```

From what I can see, the search is done on the LDAP base `cn=Default Trust View,cn=views,cn=accounts,dc=whatever,dc=man`.

The customer, however, has a bunch of users that belong to the same primary group and thus do have that gidNumber in their cn=Default Trust View overrides:

```
objectClass: ipaOverrideAnchor
objectClass: ipaUserOverride
gidNumber: 27676
```

Looking at the sssd code, there is a BE_REQ_USER_AND_GROUP case that constructs that filter, and it looks like it's trying to get both user and group overrides in one go, instead of, say, doing 2 separate search ops or 1 search with a more complex filter, based on the fact that it is using the superior ipaOverrideAnchor objectclass and not a user- or group-specific one.

@Sumit Bose: "BE_REQ_USER_AND_GROUP is used when it is not clear if a user or a group is looked up, e.g. when you are looking up a SID. I agree the LDAP search filter is a bit sloppy and should be more specific like e.g. `(|(&(objectClass=ipaUserOverride)(uidNumber=27676))(&(objectClass=ipaGroupOverride)(gidNumber=27676)))`"

Upstream PR: https://github.com/SSSD/sssd/pull/6671

Pushed PR: https://github.com/SSSD/sssd/pull/6671

* `master`
    * 99d0ab82e98a8f1e3cab23d871f36b9d890e034c - IPA: Use a more specific filter when searching for BE_REQ_USER_AND_GROUP
    * 1d69fdb73e5cbaf9789fbb153fa2bc55644e5ec1 - SYSDB: Make enum sysdb_obj_type public
* `sssd-2-9`
    * 3eb4c4a7e146e949e65d60e2912e7e4c834db6b1 - IPA: Use a more specific filter when searching for BE_REQ_USER_AND_GROUP
    * 58855b712a74b3c7cff3b9dc5daaf4f8b384fa02 - SYSDB: Make enum sysdb_obj_type public
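
The difference between the logged filter and the more specific one suggested in the quoted comment can be reproduced offline. The following is an added example, not SSSD code or part of the original report: a small evaluator for the filter subset involved (`&`, `|`, equality) run over constructed override entries. The helper names and the sample uidNumber values are assumptions; the filter strings and gidNumber 27676 are taken from the report.

```python
# Added example: evaluates the two LDAP filters from the report against
# constructed override entries (not real customer data, not SSSD code).

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, next_index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|":                      # composite: (&(...)(...)) or (|(...)(...))
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)                 # leaf: (attr=value)
    attr, _, value = f[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """True if the entry satisfies the parsed filter (case-insensitive equality)."""
    if node[0] == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    results = [matches(kid, entry) for kid in node[1]]
    return all(results) if node[0] == "&" else any(results)

def search(filter_str, entries):
    tree, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return [e for e in entries if matches(tree, e)]

def override(kind, **attrs):
    """Build a constructed override entry with the anchor class plus one subclass."""
    entry = {"objectclass": ["ipaOverrideAnchor", kind]}
    entry.update({k.lower(): [str(v)] for k, v in attrs.items()})
    return entry

# Constructed data: five user overrides sharing primary group 27676, one group override.
ENTRIES = [override("ipaUserOverride", uidNumber=30000 + n, gidNumber=27676) for n in range(5)]
ENTRIES.append(override("ipaGroupOverride", gidNumber=27676))

BROAD = "(&(objectClass=ipaOverrideAnchor)(|(uidNumber=27676)(gidNumber=27676)))"
SPECIFIC = ("(|(&(objectClass=ipaUserOverride)(uidNumber=27676))"
            "(&(objectClass=ipaGroupOverride)(gidNumber=27676)))")

if __name__ == "__main__":
    print("broad filter matches:   ", len(search(BROAD, ENTRIES)))
    print("specific filter matches:", len(search(SPECIFIC, ENTRIES)))
```

With the broad filter every user override carrying the shared gidNumber is returned alongside the group override, which is the condition behind the "expected only 1" message; the specific filter ties each ID attribute to its own object class.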