
sssd: AD group range retrieval fails when enumeration is enabled #5310

Closed
rd117015 opened this issue Sep 8, 2020 · 4 comments

Comments

rd117015 commented Sep 8, 2020

When enumeration is enabled (required due to legacy application), and where a group has > 1500 members, and AD's MaxValRange is at the default 1500, then sssd fails to show more than 1500 group members. Group lookups are no longer accurate.

A further interesting aspect is that if the sssd cache is expired (sssctl cache-expiry -E), then the correct group membership is shown until such time as enumeration is processed again (i.e. at most ldap_enumeration_refresh_timeout + memcache_timeout).

src/providers/ldap/sdap.c's sdap_parse_entry() states:

/*
 * This attribute contained range values and needs more to
 * be retrieved
 */
/* TODO: return the set of attributes that need additional retrieval
 * For now, we'll continue below and treat it as regular values.
 */

I.e., range retrieval is not implemented, but a group that would require range retrieval would be processed by subsequent ASQ/deref queries.

With enumeration enabled the subsequent ASQ/deref processing is never undertaken. As such sssd only ever processes the initial range retrieved members (0-1499) (NB that nested groups' members are evaluated).

We have looked at the relevant source code, but can't find a way to trigger Attribute Scope Queries (ASQ)/deref. Indeed, no manner of sssd configuration settings (other than disabling enumeration - which we sadly cannot do) appears to change this behaviour. Increasing MaxValRange on AD defeats the purpose of having MaxValRange.
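To make the mechanism in the report concrete, the following is an added example (not sssd code, and not from the reporter): a small Python model of AD's incremental range retrieval. `make_mock_ad` is a constructed in-memory stand-in for a DC with the default MaxValRange of 1500, `fetch_all_members` follows the `member;range=N-*` slices to the end, and `first_slice_only` reproduces the "treat it as regular values" path the TODO in sdap_parse_entry() describes. The group DN, member DNs and the 3700-member group size are made up for the demonstration.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# AD's incremental range option on a returned attribute name,
# e.g. "member;range=0-1499" or the final slice "member;range=3000-*".
_RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)

# Minimal LDAP search callable: (group DN, requested attribute) -> {returned attribute: values}
SearchFn = Callable[[str, str], Dict[str, List[str]]]


def parse_range_attr(name: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """Split 'attr;range=lo-hi' into (attr, lo, hi); hi is None for the final 'lo-*' slice.
    Returns None when the attribute name carries no range option."""
    m = _RANGE_RE.match(name)
    if m is None:
        return None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr"), int(m.group("lo")), hi


def fetch_all_members(search: SearchFn, dn: str, attr: str = "member") -> List[str]:
    """Follow range retrieval to completion: request the plain attribute first, then
    'attr;range=<next>-*' repeatedly until the server answers with a 'lo-*' slice."""
    members: List[str] = []
    requested = attr
    while True:
        entry = search(dn, requested)
        if attr in entry:                     # small group: server did not range the attribute
            return members + entry[attr]
        ranged = [n for n in entry if n.lower().startswith(attr.lower() + ";range=")]
        parsed = parse_range_attr(ranged[0]) if len(ranged) == 1 else None
        if parsed is None:
            raise LookupError(f"no usable {requested} values returned for {dn}")
        _, lo, hi = parsed
        if lo != len(members):                # slices must be contiguous, else membership is wrong
            raise LookupError(f"slice starts at {lo}, expected {len(members)}")
        members.extend(entry[ranged[0]])
        if hi is None:                        # 'lo-*' is the last slice
            return members
        requested = f"{attr};range={hi + 1}-*"


def first_slice_only(search: SearchFn, dn: str, attr: str = "member") -> List[str]:
    """What a client sees when it takes the first response as the full value set: the
    'continue below and treat it as regular values' path described in the report."""
    entry = search(dn, attr)
    return next(iter(entry.values()), [])


def make_mock_ad(groups: Dict[str, List[str]], max_val_range: int = 1500) -> SearchFn:
    """Constructed in-memory stand-in for a DC with MaxValRange=1500 (not a real LDAP client).
    A plain 'member' request on a group above the limit answers 'member;range=0-1499';
    'member;range=N-*' answers the next slice, labelled 'N-*' once it reaches the end."""
    def search(dn: str, requested: str) -> Dict[str, List[str]]:
        values = groups.get(dn)
        parsed = parse_range_attr(requested)
        attr, lo = (requested, 0) if parsed is None else (parsed[0], parsed[1])
        if values is None or attr.lower() != "member":
            return {}
        if parsed is None and len(values) <= max_val_range:
            return {attr: list(values)}       # fits in one response: no range option at all
        hi = min(lo + max_val_range, len(values))
        label = "*" if hi == len(values) else str(hi - 1)
        return {f"{attr};range={lo}-{label}": values[lo:hi]}
    return search


def demo() -> Tuple[int, int]:
    """Constructed 3700-member group: returns (members seen by a client that stops after the
    first slice, members seen when range retrieval is followed to the end)."""
    dn = "CN=big-group,OU=Groups,DC=example,DC=test"
    directory = {dn: [f"CN=user{i},OU=People,DC=example,DC=test" for i in range(3700)]}
    search = make_mock_ad(directory)
    return len(first_slice_only(search, dn)), len(fetch_all_members(search, dn))


if __name__ == "__main__":
    truncated, complete = demo()
    print(f"first slice only: {truncated} members; full range retrieval: {complete} members")
```

The gap between the two numbers is the access-control concern: any authorization decision taken from the truncated list silently omits every member past the first 1500, and the mock also shows the contiguity check a client needs so that a skipped or repeated slice is treated as an error rather than accepted as a complete membership.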

@sanjay-agrawal

We are running into this issue as well. Has anyone had a chance to look into it? Any help is greatly appreciated.

@sanjay-agrawal

Hi, just following up to see if there is any update on this issue. Is this on the roadmap to get fixed anytime soon?

@gleventhal

Ping? I too am interested in this. Any thoughts, gentle sssd-folk?

andreboscatto (Contributor) commented Aug 1, 2023

Update: Unfortunately, we don't plan any future enhancements in this area.

There is a deprecation announcement of Enumeration support for AD and IPA providers.
Reference: 9240bca

andreboscatto closed this as not planned on Aug 1, 2023.