Netgroups should ignore the 'use_fully_qualified_names' setting #3055

sssd-bot · 2020-05-02T12:54:11Z

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2013

Created at 2013-07-09 22:26:01 by sgallagh
Closed as Fixed
Assigned to sgallagh
Associated bugzillas
- https://bugzilla.redhat.com/show_bug.cgi?id=983580

Netgroups are a special-case when processing. They are capable of containing nested netgroup names in their LDAP objects which have to be returned as-is to libc so that they can also be looked up. What complicates this situation is that netgroups are allowed to contain netgroups from other providers (e.g. a netgroup stored in LDAP may include a netgroup that's stored on the local system in /etc/netgroups).

When a domain has {{{use_fully_qualified_names = True}}}, all lookups that do not contain an SSSD domain name component will skip over that domain while searching for the entry. So the net effect is that if we have an LDAP netgroup named {{{parent}}} that contains another LDAP netgroup named {{{child}}} in a fully-qualified SSSD domain, then doing a lookup of {{{parent@DOMAIN}}} will end up missing the contents of {{{child}}}. This will also result in increased LDAP load, since {{{child}}} will always be missing from the cache.

My recommendation should be that we alter the lookup logic for netgroups (and only netgroups) so that fully-qualified domains are not skipped over when looking up unqualified netgroup names.