Document that if two certificate matching rules with the same priority match only one is used #4415

Closed
sssd-bot opened this issue May 2, 2020 · 2 comments
Labels
Bugzilla Closed: Fixed Issue was closed as fixed.

Comments

sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3388


If two or more certificate matching rules with the same priority match, SSSD should generate an LDAP search filter where the individual search filters are or-ed together (|(rule1)(rule2)....(ruleN)).

Currently only the filter from one of the rules is used.

Work-around: Create a single combined certmap rule where the filters from the individual rules are or-ed together.

Comments


Comment from spoore at 2017-05-02 17:14:58

FYI, example where I saw this:

ipa certmaprule-add testrule1 --matchrule='CN=Certificate Authority,O=TESTRELM.TEST' --maprule='(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})'

ipa certmaprule-add wholecert --matchrule='CN=Certificate Authority,O=TESTRELM.TEST' --maprule='(userCertificate;binary={cert!bin})'

systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat testuser1.crt)"

would sometimes fail if user had either whole cert or certmapdata.


Comment from jhrozek at 2017-05-03 22:27:46

Issue linked to Bugzilla: Bug 1447098


Comment from jhrozek at 2017-05-04 11:49:16

Issue linked to Bugzilla: Bug 1447945


Comment from jhrozek at 2017-05-04 15:55:53

Metadata Update from @jhrozek:

  • Issue set to the milestone: SSSD 1.15.3

Comment from jhrozek at 2017-05-04 16:28:55

Metadata Update from @jhrozek:

  • Issue priority set to: major

Comment from jhrozek at 2017-06-28 17:43:15

Since upstream would like to release a next tarball quite soon, but at the same time this issue is not a blocker, I'm moving it to the next milestone.


Comment from jhrozek at 2017-06-28 17:43:36

Metadata Update from @jhrozek:

  • Issue set to the milestone: SSSD 1.15.4 (was: SSSD 1.15.3)

Comment from jhrozek at 2017-08-10 13:37:54

Metadata Update from @jhrozek:

  • Issue set to the milestone: SSSD 1.16.0 (was: SSSD 1.15.4)

Comment from jhrozek at 2017-10-19 20:21:35

Since we are required to release a new upstream tarball no later than Friday Oct-20, I'm moving tickets that will not be closed by that date to the next milestone, 1.16.1


Comment from jhrozek at 2017-10-19 20:21:37

Metadata Update from @jhrozek:

  • Issue set to the milestone: SSSD 1.16.1 (was: SSSD 1.16.0)

Comment from jhrozek at 2017-12-15 19:57:40

Metadata Update from @jhrozek:

  • Issue tagged with: postpone-to-2-0

Comment from jhrozek at 2018-01-08 17:55:48

Metadata Update from @jhrozek:

  • Issue untagged with: postpone-to-2-0
  • Issue set to the milestone: SSSD 2.0 (was: SSSD 1.16.1)

Comment from jhrozek at 2018-08-13 10:14:16

Metadata Update from @jhrozek:

  • Issue set to the milestone: SSSD 2.1 (was: SSSD 2.0)

Comment from jhrozek at 2019-02-22 15:50:04

Metadata Update from @jhrozek:

  • Issue set to the milestone: SSSD 2.2 (was: SSSD 2.1)

Comment from jhrozek at 2019-06-13 23:22:05

Metadata Update from @jhrozek:

  • Issue set to the milestone: SSSD 2.3 (was: SSSD 2.2)

Comment from thalman at 2020-03-11 11:59:01

Metadata Update from @thalman:

  • Issue tagged with: bugzilla
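
The work-around from the issue description, applied to the two rules from spoore's comment, as an added example that is not part of the original thread or of SSSD's code: the hypothetical helper below groups rules that share a priority and an identical match rule, then emits one combined mapping rule with the filters or-ed together. The generated rule name and the third rule are constructed, and rules whose match rules differ but overlap are not detected.

```python
from collections import defaultdict
from typing import NamedTuple, Optional


class CertmapRule(NamedTuple):
    name: str
    priority: Optional[int]  # None: no priority was set on the rule
    matchrule: str
    maprule: str


def or_filters(filters):
    """Return (|(f1)(f2)...(fN)) for the given LDAP filter templates."""
    unique = list(dict.fromkeys(f.strip() for f in filters))  # keep order, drop repeats
    for f in unique:
        if not (f.startswith("(") and f.endswith(")")):
            raise ValueError(f"not a parenthesised LDAP filter: {f!r}")
    return unique[0] if len(unique) == 1 else "(|" + "".join(unique) + ")"


def combine_colliding_rules(rules):
    """One combined rule per group sharing priority and identical match rule."""
    groups = defaultdict(list)
    for rule in rules:
        groups[(rule.priority, rule.matchrule)].append(rule)
    return [
        CertmapRule(
            name="_".join(m.name for m in members),  # hypothetical naming scheme
            priority=priority,
            matchrule=matchrule,
            maprule=or_filters(m.maprule for m in members),
        )
        for (priority, matchrule), members in groups.items()
        if len(members) > 1
    ]


# The first two rules are the ones from the comment above; the third is constructed.
RULES = [
    CertmapRule("testrule1", None, "CN=Certificate Authority,O=TESTRELM.TEST",
                "(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})"),
    CertmapRule("wholecert", None, "CN=Certificate Authority,O=TESTRELM.TEST",
                "(userCertificate;binary={cert!bin})"),
    CertmapRule("other_ca", 10, "CN=Example CA,O=EXAMPLE.TEST",
                "(userCertificate;binary={cert!bin})"),
]

if __name__ == "__main__":
    for rule in combine_colliding_rules(RULES):
        print(rule.name, rule.maprule)
```

The combined mapping rule it prints is the value to pass as --maprule when creating the single replacement rule in place of the two colliding ones.
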
@sumit-bose changed the title from "If two certificate matching rules with the same priority match only one is used" to "Document that if two certificate matching rules with the same priority match only one is used" on Apr 27, 2021
@sumit-bose
Contributor

Hi,

the purpose of this ticket is changed to document the current behavior and not change it to avoid incompatibilities with older versions.

bye,
Sumit

sumit-bose added a commit to sumit-bose/sssd that referenced this issue Apr 27, 2021
Explain in the man page what is expected when two or more mapping and
matching rules have the same priority.

Resolves: SSSD#4415
sumit-bose added a commit to sumit-bose/sssd that referenced this issue Apr 28, 2021
Explain in the man page what is expected when two or more mapping and
matching rules have the same priority.

Resolves: SSSD#4415
@pbrezina
Member

Pushed PR: #5611

  • master
    • 7313efb - man: clarify priority in sss-certmap man page

@pbrezina pbrezina added the Closed: Fixed Issue was closed as fixed. label Apr 30, 2021
akuster pushed a commit to akuster/sssd that referenced this issue May 18, 2021
Explain in the man page what is expected when two or more mapping and
matching rules have the same priority.

Resolves: SSSD#4415

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>