sssd-ldap handles redundant group members incorrectly

Bug #1321423 reported by Adam on 2014-05-20
Affects Status Importance Assigned to Milestone
sssd (Ubuntu)
Undecided
Unassigned

Bug Description

Context: I'm using sssd(8) to look up group memberships from an LDAP server, using
the "rfc2307bis" schema.

I observe that my friendly neighborhood LDAP server does recursion of nested
groups to provide a flat list of "member" attributes, but does not discard
redundant members. That is, consider LDAP groups test_group_A and
test_group_B with members and subgroups like this:

  dn: cn=test_group_A,ou=User Groups,ou=Groups,dc=example,dc=com
  member: uid=alice,ou=People,dc=example,dc=com
  member: uid=bob,ou=People,dc=example,dc=com
  groupMember: cn=test_group_B,ou=User Groups,ou=Groups,dc=example,dc=com

  dn: cn=test_group_B,ou=User Groups,ou=Groups,dc=example,dc=com
  member: uid=bob,ou=People,dc=example,dc=com
  member: uid=carla,ou=People,dc=example,dc=com

If I query my LDAP server with ldapsearch(8) for test_group_A, I see repeated
member entries. Viz.:

  myhost$ ldapsearch -LLL -x -H ldap://ldap.example.com cn=test_group_A member
  dn: cn=test_group_A,ou=User Groups,ou=Groups,dc=example,dc=com
  member: uid=alice,ou=People,dc=example,dc=com
  member: uid=bob,ou=People,dc=example,dc=com
  member: uid=bob,ou=People,dc=example,dc=com
  member: uid=carla,ou=People,dc=example,dc=com

Observed behavior: If I look up group membership for test_group_A through
sssd(8), I get an incomplete member list:

  myhost$ getent group test_group_A
  test_group_A:*:123456:alice,bob

Enabling verbose debugging shows that sssd is unhappy about redundant members,
with the log file showing complaints of "User was looked up twice, this
shouldn't have happened". Nonetheless the group lookup succeeds yielding
partial data. All members after the repeated entry are discarded.

Expected behaviour: Either return the full list of members, silently
discarding (only) duplicate "member" attributes without error, or reject the
group in its entirety such that "getent group" prints nothing and exits with
return value 2. (The former is preferable, but the latter at least avoids labeling
partial data as success.)
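To check which groups in a directory would trip this, here is an added example (not the reporter's code and not sssd's) that parses ldapsearch(8) LDIF output, deduplicates member values the way the expected behaviour describes, and models the observed truncation so it can list the members a consumer would lose; the sample LDIF is constructed from the output quoted above.

```python
# Added example (not code from the report or from sssd): scan ldapsearch output
# for repeated "member" values and show what this report's truncation costs.
SAMPLE_LDIF = """\
dn: cn=test_group_A,ou=User Groups,ou=Groups,dc=example,dc=com
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com
member: uid=carla,ou=People,dc=example,dc=com
"""  # constructed sample: the ldapsearch(8) output quoted in the report

def parse_groups(ldif):
    """Map each dn to its ordered "member" values; LDIF folded lines
    (leading space) are rejoined, base64 values ("member::") are skipped."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # continuation of the previous line
        else:
            lines.append(raw)
    groups, dn = {}, None
    for line in lines:
        attr, sep, value = line.partition(": ")
        if attr == "dn" and sep:
            dn = value
            groups[dn] = []
        elif attr == "member" and sep and dn is not None:
            groups[dn].append(value)
    return groups

def dedup_members(members):
    """Expected behaviour: every member once, first occurrence wins."""
    return list(dict.fromkeys(members))

def truncated_members(members):
    """Observed sssd 1.11.5 behaviour per the report: stop at the first repeat."""
    kept = []
    for m in members:
        if m in kept:
            break
        kept.append(m)
    return kept

def audit(ldif):
    # {group dn: [members that the truncation would silently drop]}
    findings = {}
    for dn, members in parse_groups(ldif).items():
        lost = [m for m in dedup_members(members) if m not in truncated_members(members)]
        if lost:
            findings[dn] = lost
    return findings
```

Feed it real `ldapsearch -LLL ... member` output to find every group whose membership sssd would report incompletely.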

Adam (196377e4a0) wrote :

root@ubuntu-14:~# lsb_release -r
Release: 14.04

root@ubuntu-14:~# uname -a
Linux ubuntu-14 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

root@ubuntu-14:~# sssd --version
1.11.5

Jakub Hrozek (jakub-hrozek) wrote :

Hi,

I agree this is a bug, I would prefer to skip the duplicates as well.

Can you open one in the upstream tracker (requires a FAS account):
https://fedorahosted.org/sssd/newticket

Me or any of the other SSSD developers would take it from there.

On Thu, 22 May 2014, Jakub Hrozek wrote:

> I agree this is a bug, I would prefer to skip the duplicates as well.
>
> Can you open one in the upstream tracker (requires a FAS account):
> https://fedorahosted.org/sssd/newticket
>
> Me or any of the other SSSD developers would take it from there.
>
> ...

Jakub,

I've filed this with Fedora as you've requested. See

  https://fedorahosted.org/sssd/ticket/2341.

Thanks!

Jakub Hrozek (jakub-hrozek) wrote :

Actually filed with SSSD's upstream, not Fedora, despite the hosting name :)

Thanks!


Jakub Hrozek (jakub-hrozek) wrote :

You've filed the bug with sssd's upstream, not fedora despite the hosting name :-)

Thanks, though!

tags: added: trusty