[SSSD] [sssd PR#7] Fix initgroups with nested groups (comment)

2016-09-01 Thread jhrozek
jhrozek commented on a pull request

"""
* master: 5bd3bef4a655fdfacd2f5df8a2343fe7bc68a771
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/7#issuecomment-244058146
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org


[SSSD] [sssd PR#7] Fix initgroups with nested groups (comment)

2016-09-01 Thread jhrozek
jhrozek commented on a pull request

"""
On Wed, Aug 31, 2016 at 07:15:10AM -0700, lslebodn wrote:
> On (31/08/16 01:47), sumit-bose wrote:
> >On Wed, Aug 31, 2016 at 01:30:12AM -0700, Jakub Hrozek wrote:
> >> On Wed, Aug 31, 2016 at 12:36:37AM -0700, sumit-bose wrote:
> >> > On Tue, Aug 30, 2016 at 12:36:20PM -0700, Jakub Hrozek wrote:
> >> > > On Tue, Aug 30, 2016 at 11:47:09AM -0700, lslebodn wrote:
> >> > > 
> >> > > About the discussion I saw on #sssd in backscroll, the rfc2307bis schema
> >> > > only uses the member attribute because IIRC the RFC doesn't talk about
> >> > > memberof at all. But in IPA, we know the specifics on the schema, so we
> >> > > are able to dereference the memberof attribute to get a complete list of
> >> > > all groups with one call.
> >> > 
> >> > Unfortunately it is more complicated with IPA because memberOf only
> >> > contains the direct memberships, there is a second attribute
> >> > memberofindirect which holds the indirect memberships.
> >> 
> >> This is only how IPA UI displays indirect memberships, if you check the
> >> memberships with ldapsearch, you'll see it's really only memberof.
> >
> >bummer, you are right, I thought the --raw option of ipa user-show really
> >means 'raw' but it looks like some of the values are still processed.
> >
> >Sorry for the noise.
> >
> I haven't found any regression caused by this patch.
> So at least, issues in ipa-trust test are not caused by this bug.
> 

CI: http://sssd-ci.duckdns.org/logs/job/52/88/summary.html

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/7#issuecomment-244052286


[SSSD] [sssd PR#7] Fix initgroups with nested groups (comment)

2016-08-31 Thread lslebodn
lslebodn commented on a pull request

"""
On (31/08/16 01:47), sumit-bose wrote:
>On Wed, Aug 31, 2016 at 01:30:12AM -0700, Jakub Hrozek wrote:
>> On Wed, Aug 31, 2016 at 12:36:37AM -0700, sumit-bose wrote:
>> > On Tue, Aug 30, 2016 at 12:36:20PM -0700, Jakub Hrozek wrote:
>> > > On Tue, Aug 30, 2016 at 11:47:09AM -0700, lslebodn wrote:
>> > > 
>> > > About the discussion I saw on #sssd in backscroll, the rfc2307bis schema
>> > > only uses the member attribute because IIRC the RFC doesn't talk about
>> > > memberof at all. But in IPA, we know the specifics on the schema, so we
>> > > are able to dereference the memberof attribute to get a complete list of
>> > > all groups with one call.
>> > 
>> > Unfortunately it is more complicated with IPA because memberOf only
>> > contains the direct memberships, there is a second attribute
>> > memberofindirect which holds the indirect memberships.
>> 
>> This is only how IPA UI displays indirect memberships, if you check the
>> memberships with ldapsearch, you'll see it's really only memberof.
>
>bummer, you are right, I thought the --raw option of ipa user-show really
>means 'raw' but it looks like some of the values are still processed.
>
>Sorry for the noise.
>
I haven't found any regression caused by this patch.
So at least, issues in ipa-trust test are not caused by this bug.

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/7#issuecomment-24306


[SSSD] [sssd PR#7] Fix initgroups with nested groups (comment)

2016-08-31 Thread sumit-bose
sumit-bose commented on a pull request

"""
On Wed, Aug 31, 2016 at 01:30:12AM -0700, Jakub Hrozek wrote:
> On Wed, Aug 31, 2016 at 12:36:37AM -0700, sumit-bose wrote:
> > On Tue, Aug 30, 2016 at 12:36:20PM -0700, Jakub Hrozek wrote:
> > > On Tue, Aug 30, 2016 at 11:47:09AM -0700, lslebodn wrote:
> > > 
> > > About the discussion I saw on #sssd in backscroll, the rfc2307bis schema
> > > only uses the member attribute because IIRC the RFC doesn't talk about
> > > memberof at all. But in IPA, we know the specifics on the schema, so we
> > > are able to dereference the memberof attribute to get a complete list of
> > > all groups with one call.
> > 
> > Unfortunately it is more complicated with IPA because memberOf only
> > contains the direct memberships, there is a second attribute
> > memberofindirect which holds the indirect memberships.
> 
> This is only how IPA UI displays indirect memberships, if you check the
> memberships with ldapsearch, you'll see it's really only memberof.

bummer, you are right, I thought the --raw option of ipa user-show really
means 'raw' but it looks like some of the values are still processed.

Sorry for the noise.

bye,
Sumit

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/7#issuecomment-243699385


[SSSD] [sssd PR#7] Fix initgroups with nested groups (comment)

2016-08-31 Thread jhrozek
jhrozek commented on a pull request

"""
On Wed, Aug 31, 2016 at 12:36:37AM -0700, sumit-bose wrote:
> On Tue, Aug 30, 2016 at 12:36:20PM -0700, Jakub Hrozek wrote:
> > On Tue, Aug 30, 2016 at 11:47:09AM -0700, lslebodn wrote:
> > 
> > About the discussion I saw on #sssd in backscroll, the rfc2307bis schema
> > only uses the member attribute because IIRC the RFC doesn't talk about
> > memberof at all. But in IPA, we know the specifics on the schema, so we
> > are able to dereference the memberof attribute to get a complete list of
> > all groups with one call.
> 
> Unfortunately it is more complicated with IPA because memberOf only
> contains the direct memberships, there is a second attribute
> memberofindirect which holds the indirect memberships.

This is only how IPA UI displays indirect memberships, if you check the
memberships with ldapsearch, you'll see it's really only memberof.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/7#issuecomment-243695325


[SSSD] [sssd PR#7] Fix initgroups with nested groups (comment)

2016-08-31 Thread sumit-bose
sumit-bose commented on a pull request

"""
On Tue, Aug 30, 2016 at 12:36:20PM -0700, Jakub Hrozek wrote:
> On Tue, Aug 30, 2016 at 11:47:09AM -0700, lslebodn wrote:
> 
> About the discussion I saw on #sssd in backscroll, the rfc2307bis schema
> only uses the member attribute because IIRC the RFC doesn't talk about
> memberof at all. But in IPA, we know the specifics on the schema, so we
> are able to dereference the memberof attribute to get a complete list of
> all groups with one call.

Unfortunately it is more complicated with IPA because memberOf only
contains the direct memberships, there is a second attribute
memberofindirect which holds the indirect memberships.

bye,
Sumit

> 
> 

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/7#issuecomment-243683146


[SSSD] [sssd PR#7] Fix initgroups with nested groups (comment)

2016-08-30 Thread jhrozek
jhrozek commented on a pull request

"""
OK, also looking at gdb confirms this is the right fix of course:

(gdb) frame 0
#0  sdap_initgr_nested_get_membership_diff (mem_ctx=0x1176190, sysdb=0x1120040, opts=0x1134d90,
    dom=0x110b610, group=0x1184b80, all_groups=0x1184a80, groups_count=5, _mdiff=0x7ffe14f1ed38)
    at /sssd/src/providers/ldap/sdap_async_initgroups.c:1420
1420                                                opts->group_map[SDAP_AT_GROUP_NAME].name,
(gdb) list
1415
1416        if (parents_count > 0) {
1417            ret = sysdb_attrs_primary_fqdn_list(dom, tmp_ctx,
1418                                                ldap_parentlist,
1419                                                parents_count,
1420                                                opts->group_map[SDAP_AT_GROUP_NAME].name,
1421                                                _parent_names_list);
1422            if (ret != EOK) {
1423                DEBUG(SSSDBG_CRIT_FAILURE,
1424                      "sysdb_attrs_primary_name_list failed [%d]: %s\n",
(gdb) p *ldap_parentlist[0]
$4 = {  num = 8
{   flags = 0, name = 0x1182b20 "originalDN", num_values = 1
{   data = 0x1183370 "cn=group20,cn=groups,cn=accounts,dc=ipa,dc=test", length = 47 } }
{   flags = 0, name = 0x116d0e0 "name", num_values = 1
{   data = 0x11808e0 "group20", length = 7 } }
{   flags = 0, name = 0x115db10 "gidNumber", num_values = 1
{   data = 0x1183c20 "935600011", length = 9 } }
{   flags = 0, name = 0x115dbc0 "member", num_values = 2
{   data = 0x1183e00 "cn=group10,cn=groups,cn=accounts,dc=ipa,dc=test", length = 47 }
{   data = 0x1183ea0 "cn=group11,cn=groups,cn=accounts,dc=ipa,dc=test", length = 47 } }
{   flags = 0, name = 0x1183d10 "uniqueID", num_values = 1
{   data = 0x11841c0 "1f9a98ba-5961-11e6-a51b-525400f71478", length = 36 } }
{   flags = 0, name = 0x1184030 "objectSIDString", num_values = 1
{   data = 0x1184400 "S-1-5-21-925249755-300578800-2979754137-1011", length = 44 } }
{   flags = 0, name = 0x11842d0 "originalModifyTimestamp", num_values = 1
{   data = 0x1175780 "20160803100057Z", length = 15 } }
{   flags = 0, name = 0x1175880 "entryUSN", num_values = 1
{   data = 0x1183f40 "17299", length = 5 } } }
(gdb)

name is unqualified and should be qualified.

ACK, but I won't push for now in case @lslebodn wants to run some tests before 
pushing..
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/7#issuecomment-243555414


[SSSD] [sssd PR#7] Fix initgroups with nested groups (comment)

2016-08-30 Thread jhrozek
jhrozek commented on a pull request

"""
On Tue, Aug 30, 2016 at 11:47:09AM -0700, lslebodn wrote:
> Please provide a test-case (probably a hierarchy of groups)

I was able to reproduce with:
$ ipa group-show group20
  Group name: group20
  GID: 935600011
  Member groups: group10, group11
  Indirect Member users: user1
$ ipa group-show group10
  Group name: group10
  GID: 93568
  Member users: user1
  Member of groups: group20
$ ipa group-show group11
  Group name: group11
  GID: 93569
  Member users: user1
  Member of groups: group20

Before the patch, group20 wasn't resolved, after the patch it was.

btw I had this group hierarchy pre-created on my test IPA server which makes me
wonder a bit how we didn't see this bug before, I'm sure I created it
for some reason. Also I'm surprised a lot none of the downstream tests we
were running caught the bug.

About the discussion I saw on #sssd in backscroll, the rfc2307bis schema
only uses the member attribute because IIRC the RFC doesn't talk about
memberof at all. But in IPA, we know the specifics on the schema, so we
are able to dereference the memberof attribute to get a complete list of
all groups with one call.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/7#issuecomment-243553980
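
The reproduction above, modelled as an added example (not SSSD code and not part of the original message): it resolves user1's groups by walking only the `member` attribute, as in the rfc2307bis case, and then looks the results up in a cache keyed by qualified names, where bare names such as the `group20` value in the gdb dump do not match. The user DN, the `ipa.test` domain name and the `name@domain` cache keys are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed data modelled on the group-show output in this thread. The user
 * DN, the "ipa.test" domain and the name@domain cache keys are assumptions. */
#define GRP(n) "cn=" n ",cn=groups,cn=accounts,dc=ipa,dc=test"
#define USER1  "uid=user1,cn=users,cn=accounts,dc=ipa,dc=test"
#define MAX_OUT 8
struct group { const char *name, *dn, *member[3]; };
static const struct group dir[] = {
    { "group10", GRP("group10"), { USER1, NULL } },
    { "group11", GRP("group11"), { USER1, NULL } },
    { "group20", GRP("group20"), { GRP("group10"), GRP("group11"), NULL } },
};
static const char *cache[] = { "group10@ipa.test", "group11@ipa.test", "group20@ipa.test" };

/* Walk "member" upwards: groups listing dn, then the groups listing those. */
int nested_groups(const char *dn, const struct group *out[], int n) {
    for (size_t g = 0; g < sizeof(dir) / sizeof(dir[0]); g++) {
        int seen = 0, listed = 0;
        for (int i = 0; i < n; i++) seen |= (out[i] == &dir[g]);
        for (int m = 0; m < 3 && dir[g].member[m]; m++) listed |= !strcmp(dir[g].member[m], dn);
        if (seen || !listed || n == MAX_OUT) continue;
        out[n++] = &dir[g];                    /* dedupe also stops loops */
        n = nested_groups(dir[g].dn, out, n);  /* climb to parent groups */
    }
    return n;
}

/* Count resolved groups not found in the cache keyed by name@domain.
 * domain == NULL looks up the bare short name instead. */
int cache_misses(const struct group *res[], int n, const char *domain) {
    int miss = 0;
    for (int i = 0; i < n; i++) {
        char key[128];
        int hit = 0;
        snprintf(key, sizeof(key), "%s%s%s", res[i]->name, domain ? "@" : "", domain ? domain : "");
        for (size_t c = 0; c < sizeof(cache) / sizeof(cache[0]); c++) hit |= !strcmp(cache[c], key);
        miss += !hit;
    }
    return miss;
}

int main(void) {
    const struct group *res[MAX_OUT];
    int n = nested_groups(USER1, res, 0);
    printf("%d groups; cache misses: %d bare, %d qualified\n", n,
           cache_misses(res, n, NULL), cache_misses(res, n, "ipa.test"));
    return 0;
}
```
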


[SSSD] [sssd PR#7] Fix initgroups with nested groups (comment)

2016-08-30 Thread lslebodn
lslebodn commented on a pull request

"""
Please provide a test-case (probably a hierarchy of groups)
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/7#issuecomment-243540136