Bug 2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working
Summary: [RHEL8] When adding attributes in sssd.conf that we have already, the cross-f...
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.8
Hardware: All
OS: All
unspecified
medium
Target Milestone: rc
: ---
Assignee: Alejandro López
QA Contact: Madhuri
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-02-17 03:36 UTC by Waldirio M Pinheiro
Modified: 2023-07-11 09:49 UTC (History)
9 users (show)

Fixed In Version: sssd-2.9.1-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd pull 6759 0 None open IPA: Do not try to add duplicate values to the LDAP attributes 2023-05-31 12:07:43 UTC
Red Hat Issue Tracker RHELPLAN-149032 0 None None None 2023-02-17 03:37:23 UTC
Red Hat Issue Tracker SSSD-6173 0 None None None 2023-05-30 13:00:33 UTC

Description Waldirio M Pinheiro 2023-02-17 03:36:50 UTC 
Description of problem:
When adding attributes in sssd.conf that we have already, the cross-forest query just stop working.

For example, when adding the entry below
---
[nss]
user_attributes=+mail, +sn, +givenname

[domain/EXAMPLE]
ldap_user_extra_attrs=mail, sn, givenname
---

The mail attribute will cause issues on idm side and as consequence, all the users with email on AD will not be available to query anymore. For example, "id user1", it will return user not available. However, when checking for an user that has no email, administrator for example, the response will be there.

Version-Release number of selected component (if applicable):
IPA, version: 4.9.10

How reproducible:
100%

Steps to Reproduce:
1. Install idm
2. Install ad
3. Create the cross-forest trust
4. do the query "id user", assuming that @acme.local it's from AD. The response should be ok
5. Change the sssd.conf and add the entry as below, after cleanup the cache and restart sssd
---
[nss]
user_attributes=+mail, +sn, +givenname

[domain/EXAMPLE]
ldap_user_extra_attrs=mail, sn, givenname
---

Actual results:
the field mail causes some issues in sssd logs and also remove the ability to query any user that has email on AD

Expected results:
only cause an alert and everything keep working as expected.

Additional info:
Comment 1 Alexander Bokovoy 2023-02-17 07:30:31 UTC 
Move to SSSD.

Please also attach SSSD logs that demonstrate your problem.
Comment 2 Sumit Bose 2023-02-17 10:27:13 UTC 
Hi,

this sounds a bit like to old https://bugzilla.redhat.com/show_bug.cgi?id=1362023.

As Alexander said, please provide SSSD debug logs with 'debug_level=9' in the [pam], [nss], [ifp] and [domain/...] sections from the IPA client and IPA server. The logs in the case are not consistent. But what I'VE seen so far from the latest client logs:

 - it looks like 'full_name_format = %1$s' is still used on the IPA server, this is not supported.
 - there seem to be a disconnect with the attribute names, on the client they are stored as givenname, sn and mail in the cache but looked up as 'user_attributes=+firstname, +lastname, +email'. Please note that the client gets all user attributes including the attribute names from the IPA server and the ldap_user_extra_attrs option is only used on the IPA server and has no effect on the IPA client.

HTH

bye,
Sumit
Comment 5 Alexey Tikhonov 2023-02-20 11:23:12 UTC 
Quote from a private comment by Sumit:
```
the IPA server is sending the 'mail' attribute twice to the client and the client does not check for duplicates and failed to store the data in the cache.

To fix this we can either make sure that the server only sends each attribute once or let the client check for duplicates or both.

Since it might be better to spend the time once on the server instead of on each client it might be best to fix the server side first.

One way to fix it on the server is to replace add_strings_lists() in sss_nss_cmd_getorigbyname_common() by something which checks the strings are unique in the resulting list. Btw, since 'nss_ctx->extra_attributes' cannot change at runtime it might be a small optimization to merge 'defattrs' and 'nss_ctx->extra_attributes' only once when sss_nss_cmd_getorigbyname_common() is called first and store the result in the nss context.
```
Comment 7 Alexey Tikhonov 2023-06-12 15:05:39 UTC 
Upstream PR: https://github.com/SSSD/sssd/pull/6759
Comment 8 Alexey Tikhonov 2023-06-23 12:55:02 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/6759

* `master`
    * b50415978d2f0fad3291d86e0a5340be7ab90528 - IPA: Do not duplicate the entry attributes.
    * de258f011b9c6fc97e9157435cd2845be1c5d0e0 - RESPONDER: attr_in_list() is replaced by string_in_list_size()
    * 2b8fed59140e32f7a8fa9bafe9e84b8db96d1ae5 - UTIL: add_strings_lists() becomes add_strings_lists_ex()
    * 1b45f29f459f13173af99e75b4bb43ed945680aa - UTIL: New function string_in_list_size()
    * dc508f032904f008714418509a13f79a17660659 - IPA: Do not try to add duplicate values to the LDAP attributes
    * ca7c9f6066d150c1a88bda6bda2843f244e5289d - TEST: Fix pam-srv-tests to correctly treat the test name
* `sssd-2-9`
    * 355b0c2e89606a0db1697b232743f50a2e60ee57 - IPA: Do not duplicate the entry attributes.
    * bfc88dc3c637eb5ceaba5345f779d560ff9c81c8 - RESPONDER: attr_in_list() is replaced by string_in_list_size()
    * 010e61ffa0da1d58470cea9d5c506a117755bf62 - UTIL: add_strings_lists() becomes add_strings_lists_ex()
    * 42cf3c41c566cfca61397139cad079dd6d1e151c - UTIL: New function string_in_list_size()
    * 228183bf4a9ea93d6f6a97801646887a0491a944 - IPA: Do not try to add duplicate values to the LDAP attributes
    * 50922242888b5f4d5b41f9c3549df45dc975dad1 - TEST: Fix pam-srv-tests to correctly treat the test name
Note You need to log in before you can comment on or make changes to this bug.