Bug 785908 - ldap_*_search_base doesn't fully limit the group / netgroup search base correctly
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Stephen Gallagher
QA Contact: IDM QE LIST
Reported: 2012-01-30 21:06 UTC by Stephen Gallagher
Modified: 2020-05-02 16:23 UTC

Fixed In Version: sssd-1.8.0-2.el6.beta2
Doc Type: Bug Fix
Doc Text:
No documentation required
Last Closed: 2012-06-20 11:54:45 UTC


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | SSSD sssd issues 2002 | 0 | None | None | None | 2020-05-02 16:23:51 UTC
Red Hat Product Errata | RHBA-2012:0747 | 0 | normal | SHIPPED_LIVE | sssd bug fix and enhancement update | 2012-06-19 19:31:43 UTC

Description Stephen Gallagher 2012-01-30 21:06:01 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/960

A group within the ldap_group_search_base can contain a member group which is outside this search base.  When SSSD then pulls down the members of that parent group it should *not* expand the group outside of the group search base.  Currently this appears to get resolved, meaning groups from outside of the group search base are expanded.
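
A small model of the scoping rule described above, as an added example (not SSSD's code and not part of the original report): a nested member group is expanded only when its DN lies under the group search base. The directory contents, DNs and function names are constructed for illustration, and lowercasing whole RDNs is a simplification of LDAP matching rules.

```python
import re

def split_dn(dn):
    """Split a DN into lowercase RDNs; a backslash-escaped comma stays inside its RDN."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def norm(dn):
    return ",".join(split_dn(dn))

def dn_in_base(dn, base):
    """True when dn is the base entry itself or lies in the subtree below it."""
    rdns, base_rdns = split_dn(dn), split_dn(base)
    if not base_rdns:
        return True
    return len(rdns) >= len(base_rdns) and rdns[-len(base_rdns):] == base_rdns

# Constructed sample directory: group DN -> member DNs.
GROUP_BASE = "ou=QE,dc=example,dc=com"
PARENT = "cn=Group1,ou=QE,dc=example,dc=com"
RAW = {
    PARENT: [
        "uid=qeuser,ou=People,dc=example,dc=com",
        "CN=Group2, OU=qe,dc=example,dc=com",       # nested, inside the base
        "cn=CoreGroup,ou=Core,dc=example,dc=com",   # nested, outside the base
    ],
    "cn=Group2,ou=QE,dc=example,dc=com": [
        "uid=qeuser2,ou=People,dc=example,dc=com",
        PARENT,                                     # membership loop
    ],
    "cn=CoreGroup,ou=Core,dc=example,dc=com": [
        "uid=coreuser,ou=People,dc=example,dc=com",
    ],
}
DIRECTORY = {norm(dn): members for dn, members in RAW.items()}

def expand_members(group_dn, group_base, directory, enforce_base=True, seen=None):
    """Return the user DNs reachable from group_dn through nested groups."""
    seen = set() if seen is None else seen
    key = norm(group_dn)
    if key in seen:
        return set()
    seen.add(key)
    users = set()
    for member in directory[key]:
        mkey = norm(member)
        if mkey not in directory:
            users.add(mkey)
        elif not enforce_base or dn_in_base(mkey, group_base):
            users |= expand_members(mkey, group_base, directory, enforce_base, seen)
        # else: nested group outside the search base, left unexpanded
    return users
```

With `enforce_base=False` the walk follows the out-of-base group, which is the behaviour the report describes.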

Comment 2 Amith 2012-04-27 00:13:15 UTC
Verified on sssd-1.8.0-22.el6.x86_64.
The beaker script is available at: https://svn.devel.redhat.com//repos/SSSDtetframework/branches/sssd-RHEL6.3/Functional/Tests-for-LDAP-ID-and-LDAP-AUTH/bugzilla-automation.sh
The output of the beaker automation script is given below:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Verify BZ release ticket #341 :- ldap_*_search_base dosen't fully limit the group search base
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running '/usr/bin/getent group'
:: [   PASS   ] :: Running '/usr/bin/getent group > /tmp/grp_file'
:: [   PASS   ] :: File '/tmp/grp_file' should contain 'Group111'
:: [   PASS   ] :: File '/tmp/grp_file' should contain 'Group22'
:: [   LOG    ] :: Duration: 30s
:: [   LOG    ] :: Assertions: 16 good, 0 bad
:: [   PASS   ] :: RESULT: Verify BZ release ticket #341 :- ldap_*_search_base dosen't fully limit the group search base

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Verify BZ release ticket #341 :- ldap_*_search_base dosen't fully limit the Netgroup search base
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running '/usr/bin/getent netgroup Seceng'
:: [   PASS   ] :: Running '/usr/bin/getent netgroup Seceng > /tmp/grp_file'
:: [   PASS   ] :: File '/tmp/grp_file' should contain '(h1, QEuser, example.com)'
:: [   PASS   ] :: File '/tmp/grp_file' should not contain '(h3, Coreuser, example.com)'
:: [   LOG    ] :: Duration: 32s
:: [   LOG    ] :: Assertions: 11 good, 0 bad
:: [   PASS   ] :: RESULT: Verify BZ release ticket #341 :- ldap_*_search_base dosen't fully limit the Netgroup search base

Comment 3 Stephen Gallagher 2012-06-12 13:34:09 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation required

Comment 5 errata-xmlrpc 2012-06-20 11:54:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html

