LDAP: Fix nesting level comparison #300
Can one of the admins verify this patch?
ok to test
@justin-stephenson, the code itself looks good. I'm running some of our tests here and I will get back to you with the results. Last but not least, AFAIR we should already have tests for "no nesting" in our code base (please, take a look at @lslebodn, please, correct me if I'm mistaken about the "no nesting" tests. For now setting the label to "Changes requested" as per the tests comment. @lslebodn, again, please, feel free to remove the label if I'm mistaken about the tests.
We have a single test for nesting level zero. But we check the level in a few places (3 IIRC), so this codepath might not have been covered by the existing test.
Force-pushed from b0a952e to 121aa1a
@fidencio, to test this you would need to configure SSSD with a basic LDAP provider configuration and using the options
Before the patch you would see:
After the patch only parent groups of the user should be searched (nesting level 0), not parent groups of groups. I added to the test_zero_nesting_level integration test; I don't really think the original test was checking nesting level properly, so the extra commit is what I propose to fix it.
@justin-stephenson: I'm not sure if I understood properly the changes you proposed for the tests. I was expecting some changes that would make our test_zero_nesting_level fail without your patch applied, but it doesn't happen at all. Am I missing something here? Does it make sense to expect some changes in order to have the tests failing in case your patch is not applied?
I would expect that core developers would give a hint to external contributors what is missing and not ask what is missing :-).
The missing part is that the bug is not triggered by
Correct an issue with nesting level comparison of option ldap_group_nesting_level to ensure that setting nesting level 0 will avoid parent group of group searches. Resolves: https://pagure.io/SSSD/sssd/issue/3425
The reason why the integration test succeeds even without the patch in this PR applied is that the
-- Before the patch with ldap_group_nesting_level = 0
-- After the patch with ldap_group_nesting_level = 0
-- With ldap_group_nesting_level = 2
Here we see that nestedgrp is not actually visible even before the patch in this PR, so at first it does not seem the patch makes a difference, but in fact there is a slight difference. In the non-patched code the nestedgrp is actually discovered with an LDAP search and processed, but never gets stored in the cache because it is filtered elsewhere in the code. With the patch applied the code to search for this nested group is circumvented and we save some LDAP search operations, skipping rfc2307bis_nested_groups_step().
-- Without patch, nesting level 0
-- After patch, nesting level 0
As the patch leads to skipping some parts of the code and not affecting the initgroups list output, I don't know if it is possible to write a test for this. I did not drop my changes to the
Even with nesting level 0 parent groups should be searched, and I believe my suggested changes will improve the test. To summarize: This
@fidencio, to test this I used Active Directory as a basic LDAP server and created a user (posixuser), a parent group (posixgrp), and a nested group (nestedgrp). posixuser is a member of posixgrp and posixgrp is a member of nestedgrp. I manually added uid/gid attributes to the user and each group and used the following SSSD configuration:
After the patch, the parent groups of posixgrp should not be searched - this line should not be in the logs:
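As an added illustration of the point made above (constructed example code, not SSSD's rfc2307bis provider or its integration tests), the following Python model walks a user's parent groups under ldap_group_nesting_level and counts the LDAP searches issued. The fixed=False branch is an assumed model of the pre-patch behaviour described in the comment, where one extra level is searched and then filtered out before storing; it shows that a test can still observe the fix by counting searches even though the returned group list is identical.

```python
# Added illustration, not SSSD code: a toy model of rfc2307bis parent-group
# resolution under ldap_group_nesting_level. It shows why the initgroups list
# is identical with and without the fix, while the LDAP search count is not.

# Constructed directory mirroring the PR's test data (child -> parent groups):
# posixuser -> posixgrp -> nestedgrp
PARENTS = {"posixuser": ["posixgrp"], "posixgrp": ["nestedgrp"], "nestedgrp": []}


class FakeLdap:
    """Counts every parent-group search so a test can assert on it."""

    def __init__(self, directory):
        self.directory = directory
        self.searches = 0

    def parents_of(self, entry):
        self.searches += 1
        return list(self.directory.get(entry, []))


def initgroups(ldap, user, nesting_level, fixed=True):
    """Return the user's groups, walking parent-of-group chains.

    Level 0 must search only the user's own parent groups. fixed=False is
    an assumed model of the pre-patch behaviour the PR describes: one extra
    level of groups is still searched, then filtered out before it is stored.
    """
    groups = ldap.parents_of(user)  # the user's direct groups: always searched
    frontier, depth = list(groups), 0
    limit = nesting_level if fixed else nesting_level + 1
    while frontier and depth < limit:
        discovered = []
        for group in frontier:
            discovered.extend(ldap.parents_of(group))  # parents of groups
        depth += 1
        if depth <= nesting_level:
            groups.extend(discovered)  # within the limit: stored in the cache
        # otherwise (pre-patch only): discovered, but filtered out
        frontier = discovered
    return sorted(set(groups))


def resolve(nesting_level, fixed=True):
    """Run the model; return (group list, number of LDAP searches issued)."""
    ldap = FakeLdap(PARENTS)
    groups = initgroups(ldap, "posixuser", nesting_level, fixed)
    return groups, ldap.searches
```

With nesting level 0 both variants return only posixgrp, but the unfixed model issues two searches where the fixed one issues one; an integration test that wants to catch a regression therefore has to check the search (or log) side, not the group list.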
@justin-stephenson: Thanks a lot for the really detailed explanation. So, patches look good. There's just one nitpick about the commit message on the patch touching the tests themselves.
TESTS: Update zero nesting level test
Add code to the existing zero nesting level test, check the group list and ensure nested groups are intentionally skipped and filtered out.
Force-pushed from 121aa1a to 59aa0e3
@fidencio, thanks for the review, changes have been made.
ACK!
Very (very) basic fix to correct an issue with nesting level comparison of option ldap_group_nesting_level to ensure that setting nesting level 0 will avoid parent group of group searches. This was tested and confirmed as fixed downstream, but if needed can be tested with the LDAP provider and ldap_schema = rfc2307bis with nesting level set to 0.
Resolves: https://pagure.io/SSSD/sssd/issue/3425