Bug 891356 – Smart refresh doesn't notice "defaults" addition with OpenLDAP

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 891356 - Smart refresh doesn't notice "defaults" addition with OpenLDAP

Summary:	Smart refresh doesn't notice "defaults" addition with OpenLDAP

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sssd (Show other bugs)
Sub Component:
Version:	6.4
Hardware:	Unspecified Unspecified

Priority	medium Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Jakub Hrozek
QA Contact:	Kaushik Banerjee
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:	895654
	Show dependency tree / graph

Reported:	2013-01-02 12:14 EST by Nikolai Kondrashov
Modified:	2013-02-21 04:43 EST (History)
CC List:	6 users (show)

See Also:
Fixed In Version:	sssd-1.9.2-65.el6
Doc Type:	Bug Fix
Doc Text:	No documentation needed.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-02-21 04:43:04 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
sudo_defaults_openldap_test.ldif (2.08 KB, text/plain) 2013-01-02 12:16 EST, Nikolai Kondrashov	no flags	Details
sssd.conf (498 bytes, text/plain) 2013-01-02 12:16 EST, Nikolai Kondrashov	no flags	Details
sudo_defaults_openldap_test (2.71 KB, text/plain) 2013-01-02 12:19 EST, Nikolai Kondrashov	no flags	Details
defaults_389ds_logs.tar.gz (81.04 KB, application/x-gzip) 2013-01-03 07:08 EST, Nikolai Kondrashov	no flags	Details
defaults_openldap_logs.tar.gz (72.52 KB, application/x-gzip) 2013-01-03 07:09 EST, Nikolai Kondrashov	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:0508	normal	SHIPPED_LIVE	Low: sssd security, bug fix and enhancement update	2013-02-20 16:30:10 EST

Groups: None (edit)

Description Nikolai Kondrashov 2013-01-02 12:14:03 EST

Description of problem:
Smart refresh doesn't notice a newly added "defaults" entry with OpenLDAP server. It gets noticed only after full refresh.

Version-Release number of selected component (if applicable):
libsss_idmap-1.9.2-59.el6.x86_64
sssd-client-1.9.2-59.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
sssd-1.9.2-59.el6.x86_64
libsss_sudo-1.9.2-59.el6.x86_64
openldap-servers-2.4.23-31.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Use the attached sudo_defaults_openldap_test.ldif file to fill LDAP directory.
2. Use the attached sssd.conf as the base for SSSD configuration.
3. Execute the attached sudo_defaults_openldap_test script as root after modifying it to connect to the LDAP server.
  
Actual results:
sudo: no tty present and no askpass program specified
initially: 1
sudo: no tty present and no askpass program specified
smart_refresh_with_rule_added: 1
sudo: no tty present and no askpass program specified
smart_refresh_with_defaults_added: 1
full_refresh_with_defaults_added: 0

Expected results:
sudo: no tty present and no askpass program specified
initially: 1
sudo: no tty present and no askpass program specified
smart_refresh_with_rule_added: 1
smart_refresh_with_defaults_added: 0
full_refresh_with_defaults_added: 0

Additional info:
This works with sssd sudo backend and 389-ds and with LDAP sudo backend and OpenLDAP server.

Comment 1 Nikolai Kondrashov 2013-01-02 12:16:27 EST

Created attachment 671567 [details]
sudo_defaults_openldap_test.ldif

Comment 2 Nikolai Kondrashov 2013-01-02 12:16:59 EST

Created attachment 671568 [details]
sssd.conf

Comment 3 Nikolai Kondrashov 2013-01-02 12:19:03 EST

Created attachment 671580 [details]
sudo_defaults_openldap_test

Comment 5 Jakub Hrozek 2013-01-02 15:07:48 EST

Upstream ticket:
https://fedorahosted.org/sssd/ticket/1736

Comment 6 Pavel Březina 2013-01-03 03:12:26 EST

Hi,
can you provide logs from both 389 and OpenLDAP runs (debug_level = 0xfff0)? Thanks.

Comment 7 Nikolai Kondrashov 2013-01-03 07:08:55 EST

Created attachment 672016 [details]
defaults_389ds_logs.tar.gz

Comment 8 Nikolai Kondrashov 2013-01-03 07:09:19 EST

Created attachment 672017 [details]
defaults_openldap_logs.tar.gz

Comment 9 Nikolai Kondrashov 2013-01-03 07:10:10 EST

Attached OpenLDAP/389-ds logs with 0xFFF0 debug_level.

Comment 10 Pavel Březina 2013-01-04 08:38:13 EST

I managed to reproduce this issue. The problem is that OpenLDAP check whether the filter contains schema-correct value for modifyTimestamp attribute.

We use modifyTimestamp>=0 in smart refresh filter in case USN values are not available. OpenLDAP rejects this filter and returns 0 records. The correct value to use would be 000101010000Z.

I'll prepare a patch.

Comment 12 Nikolai Kondrashov 2013-01-11 14:17:03 EST

Verified fixed with the following packages:

sssd-client-1.9.2-68.el6.x86_64
libsss_sudo-1.9.2-68.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
libsss_idmap-1.9.2-68.el6.x86_64
sssd-1.9.2-68.el6.x86_64

Relevant sudo suite output:

:: [   PASS   ] :: defaults_with

Comment 13 errata-xmlrpc 2013-02-21 04:43:04 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html

Note You need to log in before you can comment on or make changes to this bug.