Red Hat Bugzilla – Bug 806209
ldap_user_authorized_host = gecos doesn't work
Last modified: 2016-01-07 08:01:17 EST
Description of problem:
ldap_user_authorized_host doesn't read non-default value
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Add a user with attribute "gecos: host1.example.com":
2. Edit sssd.conf and add:
ldap_user_authorized_host = gecos
3. Restart sssd with clear cache.
4. Login as the user.
Following messages are seen in the log:
[sdap_get_map] (0x0200): Option ldap_user_authorized_host has value gecos
[sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [user]
[sdap_access_host_send] (0x0020): Missing hosts. Access denied
sssd should get the hostname from the gecos attribute of the user and allow login.
Login is successful after I set "ldap_user_authorized_host = host" in sssd.conf.
This issue can be reproduced only when I set "ldap_user_authorized_host =
I added another ldap attribute "description: host1.example.com" to
the user and the issue is no longer seen when I set
"ldap_user_authorized_host = description".
Also, I tried with "ldap_user_gecos = description" and
"ldap_user_authorized_host = gecos" and it works fine in this case.
This is the case because you have used gecos for *both* user's gecos and the authorizedHost attribute. In this case, the first match (which is user's gecos) wins.
As you noted, everything works fine if you also mapped the ldap_user_gecos attribute onto something else.
I don't think this is a bug.
(In reply to comment #3)
> This is the case because you have used gecos for *both* user's gecos and the
> authorizedHost attribute. In this case, the first match (which is user's gecos)
> As you noted, everything works fine if you also mapped the ldap_user_gecos
> attribute onto something else.
> I don't think this is a bug.
It is a bug. We're supposed to be explicitly handling the possibility of having the same attribute address act as more than one option. This was added so we could support using "cn" for multiple options (specifically).
This functionality was implemented in commit eed2073f6f7bed7df0327b9fc0f2d410975d5332, which made it to upstream release 1.12.
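
A configuration check for the collision discussed in this thread, as an added example that is not part of the bug report or of SSSD's code: it lists, per domain section, every LDAP attribute that more than one ldap_user_* option resolves to. The defaults in DEFAULTS are assumed from sssd-ldap(5), the function name is hypothetical, and both sample configurations are constructed.

```python
import configparser
from collections import defaultdict

# Assumed defaults (sssd-ldap(5)) for the two options in this report.
DEFAULTS = {"ldap_user_gecos": "gecos", "ldap_user_authorized_host": "host"}

def find_shared_attributes(conf_text):
    """Map each domain section to {ldap_attr: [options]} for every LDAP
    attribute that more than one ldap_user_* option resolves to."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(conf_text)
    report = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        effective = dict(DEFAULTS)
        for key, value in parser.items(section):
            # Search bases and object classes are not attribute mappings.
            if key.startswith("ldap_user_search_") or key == "ldap_user_object_class":
                continue
            if key.startswith("ldap_user_"):
                effective[key] = value.strip()
        by_attr = defaultdict(list)
        for option, attr in effective.items():
            by_attr[attr.lower()].append(option)  # attribute names are case-insensitive
        shared = {a: sorted(o) for a, o in by_attr.items() if len(o) > 1}
        if shared:
            report[section] = shared
    return report

# Constructed sample: the configuration from the report (gecos default left in place).
REPORTED = """\
[domain/example.com]
id_provider = ldap
access_provider = ldap
ldap_user_authorized_host = gecos
"""

# Constructed sample: the reporter's working variant with gecos remapped.
WORKAROUND = REPORTED + "ldap_user_gecos = description\n"

if __name__ == "__main__":
    for name, text in (("reported", REPORTED), ("workaround", WORKAROUND)):
        print(name, find_shared_attributes(text))
```

A non-empty result on a release older than the upstream version named in the thread flags a mapping that can hit this bug.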