URL: https://github.com/SSSD/sssd/pull/432
Title: #432: CACHE_REQ: Better debugging for email conflicts

lslebodn commented:
"""
On (03/11/17 14:26), mzidek-rh wrote:
>mzidek-rh commented on this pull request.
>> @@ -218,6 +218,21 @@ int sysdb_getpwnam(TALLOC_CTX *mem_ctx,
>         goto done;
>     }
> 
>+    if (res->count > 1) {
>+        /* We expected either 0 or 1 result for search with
>+         * SYSDB_PWNAM_FILTER, but we got more. This error
>+         * is handled individually depending on what function
>+         * called sysdb_getpwnam, so we just print a message
>+         * here and let the caller decide what error code to
>+         * propagate based on res->count > 1. */
>+        DEBUG(SSSDBG_CRIT_FAILURE,
>+              "Search for [%s] returned multiple results. It can be an email "
>+              "address shared among multiple users or an email address of a "
>+              "user that conflicts with another user's fully qualified name. "
>+              "SSSD will not be able to handle those users properly.\n",
>+              sanitized_name);
>+    }
>+
>
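Review bot: the SSSDBG_CRIT_FAILURE message in this hunk names only sanitized_name, so an administrator reading the log cannot tell which cached entries collided; since res->count > 1 here means the ldb_result already holds every matching entry, consider logging the DN of each of them next to the existing message (for example by looping over the result's msgs array and printing ldb_dn_get_linearized() of each entry's dn), so the conflicting accounts can be identified from the log alone without re-querying the cache.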
>I do not think it is a misuse of nameAlias, but having emailAlias could have
>some benefits. That discussion is however out of scope for this PR, and
>refactoring of how we handle the emails in sysdb would also require an update
>of the sysdb version.
>

I do not think it is out of scope. The title of the ticket is
"SSSD authentication fails when two IPA accounts share an email address".
You just underestimate the scope of the ticket and want to solve it in a hacky way.


>In your example with "user123" with email "t...@example.com" and "benutzer123"
>with email "t...@example.com", it is a clear conflict of emails. I do not see
>how the message is not helpful here. It clearly says that there may be users
>with conflicting emails.
>

Yes, it is a clear conflict of emails because you know about them.

But you would log only the following message.
    Search for benutzer123 returned multiple results. It can be an email
    address shared among multiple users or an email address of a
    user that conflicts with another user's fully qualified name.
    SSSD will not be able to handle those users properly.

and if somebody tries to search the sssd cache with
   ldbsearch -H /var/lib/sssd/db/cache_example.com.ldb \
             "(mail=t...@example.com)" dn,mail
it will return only 1 result.

You might ask why somebody would like to use ldbsearch, and the answer is that
there are 10000 users in the cache and every user has an email address.

The purpose of the message is especially to simplify the user's job, and the
current state will not help a lot, because a message about more results would
also be visible in another place in the sssd log with a higher debug level.

BTW the upstream ticket even mentions also logging the message to syslog.
https://pagure.io/SSSD/sssd/issue/3293#comment-456587

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/432#issuecomment-341723700
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org