Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 #5261

elkoniu · 2020-08-04T21:20:00Z

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1859554

Description of problem:
Secondary LDAP group go missing from 'id' command on RHEL 7.8 with
sssd-1.16.2-37.el7_8.1

Version-Release number of selected component (if applicable):
sssd-1.16.2-37.el7_8.1.x86_64

How reproducible:
Always on RHEL 7.8

Steps to Reproduce:
1. Configure sssd and point it to LDAP server with 'id_provider = ldap' mode.
2. Run 'id ldapusername' command.
3. Secondary groups would go missing from 'id' output after 25-30 mins.

Actual results:
Secondary groups go missing from 'id' output after 25-30 mins.

Expected results:
Secondary groups should always be visible in 'id' output.

Additional info:
Same SSSD configuration works very well with older version of sssd on RHEL 7.7
(tested with sssd-1.16.4-21.el7.x86_64).

The text was updated successfully, but these errors were encountered:

elkoniu · 2020-08-04T21:55:30Z

Upstream PR ready for review: #5262

Some of the ldap servers returns DN in attributes such as isMemberOf with spaces like dc=example, dc=com. That should be fine and we should ignore them (cut them out) instead of escaping. Resolves: SSSD#5261

Resolves: SSSD#5261

Some of the ldap servers returns DN in attributes such as isMemberOf with spaces like dc=example, dc=com. That should be fine and we should ignore them (cut them out) instead of escaping. Resolves: SSSD#5261

Resolves: SSSD#5261

Some of the ldap servers returns DN in attributes such as isMemberOf with spaces like dc=example, dc=com. That should be fine and we should ignore them (cut them out) instead of escaping. Resolves: SSSD#5261

Resolves: SSSD#5261

Some of the ldap servers returns DN in attributes such as isMemberOf with spaces like dc=example, dc=com. That should be fine and we should ignore them (cut them out) instead of escaping. Resolves: SSSD#5261

Resolves: SSSD#5261

Some of the ldap servers returns DN in attributes such as isMemberOf with spaces like dc=example, dc=com. That should be fine and we should ignore them (cut them out) instead of escaping. Resolves: SSSD#5261

Resolves: SSSD#5261

Some of the ldap servers returns DN in attributes such as isMemberOf with spaces like dc=example, dc=com. That should be fine and we should ignore them (cut them out) instead of escaping. Resolves: SSSD#5261 (cherry picked from commit 882307c)

Resolves: SSSD#5261 (cherry picked from commit 2635e15)

Tests show that also ldb_dn_get_linearized can return DN with extra spaces. We have to trim that too. Resolves: SSSD#5261

Tests show that also ldb_dn_get_linearized can return DN with extra spaces. We have to trim that too. Resolves: SSSD#5261 (cherry picked from commit 12bbd26)

DN must be trimmed, before it is used as hash key Resolves: SSSD#5261

DN must be trimmed, before it is used as hash key Resolves: SSSD#5261 (cherry picked from commit 619a888)

Allocate memory pool to avoid memory allocation in the loop. Resolves: SSSD#5261

Allocate memory pool to avoid memory allocation in the loop. Resolves: SSSD#5261 (cherry picked from commit 00eafce)

Resolves: #5261 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

Tests show that also ldb_dn_get_linearized can return DN with extra spaces. We have to trim that too. Resolves: #5261 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

pbrezina · 2020-10-02T10:20:07Z

Pushed PR: #5262

master
- 8863139 - intg: allow member DN to have a different case
- 50d0d15 - ldap: use member DN to create ghost user hash table
- fe0f1e6 - UTIL: Use sss_sanitize_dn where we deal with DN 2
- 21b9417 - UTIL: Use sss_sanitize_dn where we deal with DN
- 093061f - UTIL: DN sanitization

Some of the ldap servers returns DN in attributes such as isMemberOf with spaces like dc=example, dc=com. That should be fine and we should ignore them (cut them out) instead of escaping. Resolves: SSSD#5261 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit 093061f)

Resolves: SSSD#5261 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit 21b9417)

Tests show that also ldb_dn_get_linearized can return DN with extra spaces. We have to trim that too. Resolves: SSSD#5261 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit fe0f1e6)

Some of the ldap servers returns DN in attributes such as isMemberOf with spaces like dc=example, dc=com. That should be fine and we should ignore them (cut them out) instead of escaping. Resolves: #5261 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit 093061f) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

Resolves: #5261 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit 21b9417) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

Tests show that also ldb_dn_get_linearized can return DN with extra spaces. We have to trim that too. Resolves: #5261 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit fe0f1e6) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

pbrezina · 2020-10-06T09:56:27Z

Pushed PR: #5281

sssd-1-16
- e5ae7ba - intg: allow member DN to have a different case
- a63a222 - ldap: use member DN to create ghost user hash table
- f31005a - UTIL: Use sss_sanitize_dn where we deal with DN 2
- a960d66 - UTIL: Use sss_sanitize_dn where we deal with DN
- a20e085 - UTIL: DN sanitization

elkoniu assigned thalman Aug 4, 2020

elkoniu linked a pull request Aug 4, 2020 that will close this issue

DN with white spaces #5262

Closed

thalman mentioned this issue Aug 17, 2020

Group membership missing if DN contains spaces or some special characters #5276

Closed

thalman added a commit to thalman/sssd that referenced this issue Aug 17, 2020

UTIL: Use sss_sanitize_dn where we deal with DN

e1b0fc3

Resolves: SSSD#5261

thalman added a commit to thalman/sssd that referenced this issue Aug 17, 2020

UTIL: Use sss_sanitize_dn where we deal with DN

3b35922

Resolves: SSSD#5261

thalman added a commit to thalman/sssd that referenced this issue Aug 17, 2020

UTIL: Use sss_sanitize_dn where we deal with DN

61ff6dd

Resolves: SSSD#5261

thalman added a commit to elkoniu/sssd that referenced this issue Aug 18, 2020

UTIL: Use sss_sanitize_dn where we deal with DN

b9acbd9

Resolves: SSSD#5261

thalman added a commit to elkoniu/sssd that referenced this issue Aug 18, 2020

UTIL: Use sss_sanitize_dn where we deal with DN

bd6fb14

Resolves: SSSD#5261

thalman added a commit to elkoniu/sssd that referenced this issue Aug 18, 2020

UTIL: Use sss_sanitize_dn where we deal with DN

2635e15

Resolves: SSSD#5261

thalman added a commit to thalman/sssd that referenced this issue Aug 18, 2020

UTIL: Use sss_sanitize_dn where we deal with DN

a7edcbc

Resolves: SSSD#5261 (cherry picked from commit 2635e15)

thalman mentioned this issue Aug 18, 2020

Dn with spaces for 1.16 #5281

Closed

thalman added a commit to elkoniu/sssd that referenced this issue Aug 19, 2020

UTIL: Use sss_sanitize_dn where we deal with DN 2

12bbd26

Tests show that also ldb_dn_get_linearized can return DN with extra spaces. We have to trim that too. Resolves: SSSD#5261

thalman added a commit to elkoniu/sssd that referenced this issue Aug 20, 2020

CACHE: trim spaces in DN before hash lookup

619a888

DN must be trimmed, before it is used as hash key Resolves: SSSD#5261

thalman added a commit to thalman/sssd that referenced this issue Aug 20, 2020

CACHE: trim spaces in DN before hash lookup

e847554

DN must be trimmed, before it is used as hash key Resolves: SSSD#5261 (cherry picked from commit 619a888)

thalman added a commit to elkoniu/sssd that referenced this issue Aug 21, 2020

CACHE: use talloc_pool to avoid malloc

00eafce

Allocate memory pool to avoid memory allocation in the loop. Resolves: SSSD#5261

thalman added a commit to thalman/sssd that referenced this issue Aug 26, 2020

CACHE: use talloc_pool to avoid malloc

d12086a

Allocate memory pool to avoid memory allocation in the loop. Resolves: SSSD#5261 (cherry picked from commit 00eafce)

pbrezina closed this as completed in 093061f Oct 2, 2020

pbrezina pushed a commit that referenced this issue Oct 2, 2020

UTIL: Use sss_sanitize_dn where we deal with DN

21b9417

Resolves: #5261 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

pbrezina pushed a commit that referenced this issue Oct 2, 2020

UTIL: Use sss_sanitize_dn where we deal with DN 2

fe0f1e6

Tests show that also ldb_dn_get_linearized can return DN with extra spaces. We have to trim that too. Resolves: #5261 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

pbrezina added the Closed: Fixed Issue was closed as fixed. label Oct 2, 2020

thalman added a commit to thalman/sssd that referenced this issue Oct 5, 2020

UTIL: Use sss_sanitize_dn where we deal with DN

677bf51

Resolves: SSSD#5261 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit 21b9417)

pbrezina pushed a commit that referenced this issue Oct 6, 2020

UTIL: Use sss_sanitize_dn where we deal with DN

a960d66

Resolves: #5261 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit 21b9417) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 #5261

Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 #5261

elkoniu commented Aug 4, 2020

elkoniu commented Aug 4, 2020

pbrezina commented Oct 2, 2020

pbrezina commented Oct 6, 2020

Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 #5261

Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 #5261

Comments

elkoniu commented Aug 4, 2020

elkoniu commented Aug 4, 2020

pbrezina commented Oct 2, 2020

pbrezina commented Oct 6, 2020