Netgroups are a special case when processing. They are capable of containing nested netgroup names in their LDAP objects which have to be returned as-is to libc so that they can also be looked up. What complicates this situation is that netgroups are allowed to contain netgroups from other providers (e.g. a netgroup stored in LDAP may include a netgroup that's stored on the local system in /etc/netgroups).
When a domain has `use_fully_qualified_names = True`, all lookups that do not contain an SSSD domain name component will skip over that domain while searching for the entry. So the net effect is that if we have an LDAP netgroup named `parent` that contains another LDAP netgroup named `child` in a fully-qualified SSSD domain, then doing a lookup of `parent@DOMAIN` will end up missing the contents of `child`. This will also result in increased LDAP load, since `child` will always be missing from the cache.
My recommendation should be that we alter the lookup logic for netgroups (and only netgroups) so that fully-qualified domains are not skipped over when looking up unqualified netgroup names.
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2013
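As an added illustration (not SSSD's code), a small Python model of the domain-selection logic described above: `DOMAINS`, `candidate_domains`, `getnetgrent` and the sample data are constructed for this example, with `parent` nesting `child` inside one fully-qualified domain named `DOMAIN`. The `netgroup_rule=True` flag stands for the proposed netgroup-only exception.

```python
# Added model of the lookup described in the ticket; this is not SSSD's code.
# A domain is (name, use_fully_qualified_names, netgroups); a netgroup entry is
# (member triples, nested netgroup names exactly as stored in LDAP).
DOMAINS = [  # constructed sample data
    ("DOMAIN", True, {
        "parent": ({"(host1,-,-)"}, {"child"}),
        "child": ({"(host2,-,-)"}, set()),
    }),
]

def split_name(name):
    """'child@DOMAIN' -> ('child', 'DOMAIN'); 'child' -> ('child', None)."""
    base, sep, dom = name.rpartition("@")
    return (base, dom) if sep else (name, None)

def candidate_domains(name, netgroup_rule=False):
    """Domains consulted for one lookup.
    An unqualified name skips every domain with use_fully_qualified_names = True
    (the behaviour the ticket describes). With netgroup_rule=True (the ticket's
    proposal, applied to netgroups only) those domains are searched as well.
    """
    base, dom = split_name(name)
    if dom is not None:
        return base, [d for d in DOMAINS if d[0] == dom]
    if netgroup_rule:
        return base, list(DOMAINS)
    return base, [d for d in DOMAINS if not d[1]]

def getnetgrent(name, netgroup_rule=False, _seen=None):
    """Flatten a netgroup as libc would: nested names come back as stored and
    are looked up again through the same domain-selection logic."""
    seen = set() if _seen is None else _seen
    if name in seen:  # guard against cyclic nesting
        return set()
    seen.add(name)
    base, domains = candidate_domains(name, netgroup_rule)
    triples = set()
    for _, _, netgroups in domains:
        if base in netgroups:
            members, nested = netgroups[base]
            triples |= members
            for n in nested:  # unqualified, so it goes through candidate_domains again
                triples |= getnetgrent(n, netgroup_rule, seen)
            break
    return triples

if __name__ == "__main__":
    print(getnetgrent("parent@DOMAIN"))                      # child is skipped: only host1
    print(getnetgrent("parent@DOMAIN", netgroup_rule=True))  # child resolved: host1 and host2
```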
Comments
Comment from dpal at 2013-07-11 15:57:43
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.10.1
Comment from dpal at 2013-07-11 15:58:23
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=983580
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=983580 983580]
Comment from jhrozek at 2013-07-12 14:31:50
Fields changed
owner: somebody => sgallagh
patch: 0 => 1
Comment from jhrozek at 2013-07-18 16:46:07
Moving tickets that didn't make 1.10.1 to the 1.10.2 bucket.
Comment from jhrozek at 2013-07-18 16:49:33
Moving tickets that didn't make 1.10.1 to 1.10.2
milestone: SSSD 1.10.1 => SSSD 1.10.2
Comment from jhrozek at 2013-07-29 13:02:21
resolution: => fixed
status: new => closed
Comment from sgallagh at 2017-02-24 14:29:16
Metadata Update from @sgallagh: