#1275 Inspect usage of sysdb_search_user_by_name() ba various parts of code

Created 6 years ago by jzeleny
Modified a year ago

I stumbled upon this when inspecting usage of sysdb_search_user_by_name(). This routine only fetches user by his primary name. The problem is that some parts of the code don't need to fetch user just by his primary name, but also by any of his aliases.

Some parts of the code work ok with this. For example sdap_process_group_members_2307() calls first sysdb_search_user_by_name() and if it doesn't find anything, it calls sdap_process_missing_member_2307() which then searches for all users with that name as alias.

In particular I found three occurrences of sysdb_search_user_by_name() which I'm a bit concerned about and I think they need closer inspection:

  • MPG domains: sysdb_ops.c:1149 (group should not have the same name as any user's alias)
  • sysdb_store_user - although it might a valid solution to check for aliases on all places where this routine is called, I'd prefer the check to be performed in it. Otherwise we might ending up with two users with the same name in the database (one as alias and one as the primary name). It is questionable what should be the right behaviour (update user with that alias, drop the alias or stop adding the user?).
  • sysdb_delete_user - this is called on two places which I'm particularly concerned about: users_get_done() and groups_by_user_done()

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10.0
type: task => defect

Simple reproducer for one of those sysdb_delete_user cases:

  • Add a record with two or more names, one of them being a part of dn
  • getent passwd <alias>
  • ldapmodify that removes the <alias> from server record
  • sss_cache -U
  • (optional) restart sssd
  • getent passwd <alias>

The second request shouldn't return anything. Instead the record is still in the database and the user is returned. I'm not sure what the correct approach should be - delete the user entirely, delete the alias from existing user or detect beforehand what user should the query go for?

What we should do is this:
1. Perform the ldap search
1. If the ldap search receives no reply, do an ldb search on both names and aliases
1. If the cache finds it by name, delete the user entry.
1. If the cache finds it by alias, drop that alias only.

_comment0: What we should do is this:
1) Perform the ldap search
2) If the ldap search receives no reply, do an ldb search on both names and aliases
3) If the cache finds it by name, delete the user entry.
4) If the cache finds it by alias, drop that alias only. => 1333108108188987

Fields changed

type: defect => task

Fields changed

proposed_priority: => Nice to have

Cleaning the 1.10 milestones before putting tickets into it.

milestone: SSSD 1.10.0 => Temp milestone

Moving planned features and bug fixes into the 1.10 bucket.

milestone: Temp milestone => SSSD 1.10.0

Fields changed

milestone: SSSD 1.10.0 => Temp milestone

Moving all the features planned for 1.10 release into 1.10 beta.

milestone: Temp milestone => SSSD 1.10 beta

Fields changed

priority: major => minor

Fields changed

selected: => Not need

Moving tickets that are not a priority for SSSD 1.10 into the next release.

milestone: SSSD 1.10 beta => SSSD 1.11 beta

Fields changed

changelog: =>
design: =>
design_review: => 0
fedora_test_page: =>
milestone: SSSD 1.13 beta => Interim Bucket
priority: minor => major
review: => 0

Fields changed

milestone: Interim Bucket => SSSD 1.12 beta

Should be done together with the rest of the sysdb refactor Michal is working on.

milestone: SSSD 1.12 beta => SSSD 1.13 beta

Fields changed

mark: => 0

Fields changed

owner: somebody => preichl

Nice to do together with sysdb refactoring but not strictly needed.

priority: major => minor

Should be done together with #2011

milestone: SSSD 1.13 beta => SSSD 1.14 beta

We have more urgent tasks on our plate..and either way, we need to change the sysdb format first..

milestone: SSSD 1.14 beta => SSSD 1.15 beta
sensitive: => 0

a year ago

Metadata Update from @jzeleny:
- Issue assigned to preichl
- Issue set to the milestone: SSSD Future releases (no date set yet)

Login to comment on this ticket.

task

SSSD

1.8.1

0

Not need

0

https://bugzilla.redhat.com/show_bug.cgi?id=808058

0

0

0

0

cancel