#2481 ID Views implementation does not support IPA user&group overrides
Closed: Fixed None Opened 5 years ago by mkosek.

FreeIPA configuration set via CLI:

# ipa idview-show test --all --show-hosts
  dn: cn=test,cn=views,cn=accounts,dc=mkosek-f21,dc=test
  ID View Name: test
  Description: test
  User object overrides: fbar
  Hosts the view applies to: ipa.mkosek-f21.test, client.mkosek-f21.test
  objectclass: ipaIDView, top, nsContainer

# ipa idoverrideuser-find test --all --raw
--------------------------
1 User ID override matched
--------------------------
  dn: ipaanchoruuid=:IPA:mkosek-f21.test:a645b822-63bd-11e4-8f92-001a4a104e33,cn=test,cn=views,cn=accounts,dc=mkosek-f21,dc=test
  ipaanchoruuid: :IPA:mkosek-f21.test:a645b822-63bd-11e4-8f92-001a4a104e33
  uidnumber: 1000
  homedirectory: /foo/bar
  ipaoriginaluid: fbar
  objectClass: ipaOverrideAnchor
  objectClass: top
  objectClass: ipaUserOverride
----------------------------
Number of entries returned 1
----------------------------

When tested with SSSD, the override does not work

# getent passwd fbar
fbar:*:108000003:108000003:Foo Bar:/home/fbar:/bin/sh

The ldbsearch shows that the View was properly downloaded:

# record 2
dn: cn=views,cn=sysdb
viewName: test
distinguishedName: cn=views,cn=sysdb

Fields changed

description:
{{{

ipa idview-show test --all --show-hosts

dn: cn=test,cn=views,cn=accounts,dc=mkosek-f21,dc=test
ID View Name: test
Description: test
User object overrides: fbar
Hosts the view applies to: ipa.mkosek-f21.test, client.mkosek-f21.test
objectclass: ipaIDView, top, nsContainer

ipa idoverrideuser-find test --all --raw


1 User ID override matched

dn: ipaanchoruuid=:IPA:mkosek-f21.test:a645b822-63bd-11e4-8f92-001a4a104e33,cn=test,cn=views,cn=accounts,dc=mkosek-f21,dc=test
ipaanchoruuid: :IPA:mkosek-f21.test:a645b822-63bd-11e4-8f92-001a4a104e33
uidnumber: 1000
homedirectory: /foo/bar
ipaoriginaluid: fbar
objectClass: ipaOverrideAnchor
objectClass: top
objectClass: ipaUserOverride


Number of entries returned 1

}}}

When tested with SSSD, the override does not work
{{{

getent passwd fbar

fbar:*:108000003:108000003:Foo Bar:/home/fbar:/bin/sh
}}}

The ldbsearch shows that the View was properly downloaded:
{{{

record 2

dn: cn=views,cn=sysdb
viewName: test
distinguishedName: cn=views,cn=sysdb
}}} => FreeIPA configuration set via CLI:

{{{

ipa idview-show test --all --show-hosts

dn: cn=test,cn=views,cn=accounts,dc=mkosek-f21,dc=test
ID View Name: test
Description: test
User object overrides: fbar
Hosts the view applies to: ipa.mkosek-f21.test, client.mkosek-f21.test
objectclass: ipaIDView, top, nsContainer

ipa idoverrideuser-find test --all --raw


1 User ID override matched

dn: ipaanchoruuid=:IPA:mkosek-f21.test:a645b822-63bd-11e4-8f92-001a4a104e33,cn=test,cn=views,cn=accounts,dc=mkosek-f21,dc=test
ipaanchoruuid: :IPA:mkosek-f21.test:a645b822-63bd-11e4-8f92-001a4a104e33
uidnumber: 1000
homedirectory: /foo/bar
ipaoriginaluid: fbar
objectClass: ipaOverrideAnchor
objectClass: top
objectClass: ipaUserOverride


Number of entries returned 1

}}}

When tested with SSSD, the override does not work
{{{

getent passwd fbar

fbar:*:108000003:108000003:Foo Bar:/home/fbar:/bin/sh
}}}

The ldbsearch shows that the View was properly downloaded:
{{{

record 2

dn: cn=views,cn=sysdb
viewName: test
distinguishedName: cn=views,cn=sysdb
}}}
summary: ID Views implementation does not support IPA user overrides => ID Views implementation does not support IPA user&group overrides

Sumit would look into this.

owner: somebody => sbose

Fields changed

patch: 0 => 1

Fields changed

patch: 1 => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.3

Fields changed

milestone: SSSD 1.12.3 => NEEDS_TRIAGE
patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.3

Fields changed

rhbz: => 0

Metadata Update from @mkosek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.12.3

2 years ago

Login to comment on this ticket.

Metadata