#1275 Inspect usage of sysdb_search_user_by_name() ba various parts of code
Closed: wontfix 2 years ago by pbrezina. Opened 9 years ago by jzeleny.

I stumbled upon this when inspecting usage of sysdb_search_user_by_name(). This routine only fetches user by his primary name. The problem is that some parts of the code don't need to fetch user just by his primary name, but also by any of his aliases.

Some parts of the code work ok with this. For example sdap_process_group_members_2307() calls first sysdb_search_user_by_name() and if it doesn't find anything, it calls sdap_process_missing_member_2307() which then searches for all users with that name as alias.

In particular I found three occurrences of sysdb_search_user_by_name() which I'm a bit concerned about and I think they need closer inspection:

  • MPG domains: sysdb_ops.c:1149 (group should not have the same name as any user's alias)
  • sysdb_store_user - although it might a valid solution to check for aliases on all places where this routine is called, I'd prefer the check to be performed in it. Otherwise we might ending up with two users with the same name in the database (one as alias and one as the primary name). It is questionable what should be the right behaviour (update user with that alias, drop the alias or stop adding the user?).
  • sysdb_delete_user - this is called on two places which I'm particularly concerned about: users_get_done() and groups_by_user_done()

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10.0
type: task => defect

Simple reproducer for one of those sysdb_delete_user cases:

  • Add a record with two or more names, one of them being a part of dn
  • getent passwd <alias>
  • ldapmodify that removes the <alias> from server record
  • sss_cache -U
  • (optional) restart sssd
  • getent passwd <alias>

The second request shouldn't return anything. Instead the record is still in the database and the user is returned. I'm not sure what the correct approach should be - delete the user entirely, delete the alias from existing user or detect beforehand what user should the query go for?

What we should do is this:
1. Perform the ldap search
1. If the ldap search receives no reply, do an ldb search on both names and aliases
1. If the cache finds it by name, delete the user entry.
1. If the cache finds it by alias, drop that alias only.

_comment0: What we should do is this:
1) Perform the ldap search
2) If the ldap search receives no reply, do an ldb search on both names and aliases
3) If the cache finds it by name, delete the user entry.
4) If the cache finds it by alias, drop that alias only. => 1333108108188987

Fields changed

type: defect => task

Fields changed

proposed_priority: => Nice to have

Cleaning the 1.10 milestones before putting tickets into it.

milestone: SSSD 1.10.0 => Temp milestone

Moving planned features and bug fixes into the 1.10 bucket.

milestone: Temp milestone => SSSD 1.10.0

Fields changed

milestone: SSSD 1.10.0 => Temp milestone

Moving all the features planned for 1.10 release into 1.10 beta.

milestone: Temp milestone => SSSD 1.10 beta

Fields changed

priority: major => minor

Fields changed

selected: => Not need

Moving tickets that are not a priority for SSSD 1.10 into the next release.

milestone: SSSD 1.10 beta => SSSD 1.11 beta

Fields changed

changelog: =>
design: =>
design_review: => 0
fedora_test_page: =>
milestone: SSSD 1.13 beta => Interim Bucket
priority: minor => major
review: => 0

Fields changed

milestone: Interim Bucket => SSSD 1.12 beta

Should be done together with the rest of the sysdb refactor Michal is working on.

milestone: SSSD 1.12 beta => SSSD 1.13 beta

Fields changed

mark: => 0

Fields changed

owner: somebody => preichl

Nice to do together with sysdb refactoring but not strictly needed.

priority: major => minor

Should be done together with #2011

milestone: SSSD 1.13 beta => SSSD 1.14 beta

We have more urgent tasks on our plate..and either way, we need to change the sysdb format first..

milestone: SSSD 1.14 beta => SSSD 1.15 beta
sensitive: => 0

Metadata Update from @jzeleny:
- Issue assigned to preichl
- Issue set to the milestone: SSSD Future releases (no date set yet)

4 years ago

Metadata Update from @thalman:
- Custom field design_review reset (from 0)
- Custom field mark reset (from 0)
- Custom field patch reset (from 0)
- Custom field review reset (from 0)
- Custom field sensitive reset (from 0)
- Custom field testsupdated reset (from 0)
- Issue close_status updated to: None
- Issue tagged with: Canditate to close

2 years ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persist on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

2 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2317

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata