Learn more about these different git repos.
Other Git URLs
ldb's documentation on ldb_dn_explode() which is called by ldb_dn_validate explicitly states:
282 explode a DN string into a ldb_dn structure 283 based on RFC4514 except that we don't support multiple valued RDNs 284 285 TODO: according to MS-ADTS:3.1.1.5.2 Naming Constraints 286 DN must be compliant with RFC2253 287 */ 288 static bool ldb_dn_explode(struct ldb_dn *dn)
This breaks if IPA runs into replication errors, which uses mutli-valued RDNs internally.
Ignoring malformed DNs would OK as long as the ipa_hbac_treat_deny_as option is set to DENY_ALL (which is the default). Otherwise, we can't ignore any malformed DN because we can't be sure if it should deny access. This would be OK for 99.99% of deployments as DENY rules are not supported on the server side since ipa-2.1.
So I propose we: 1) Add a new error code that signals that the DN is malformed. Either it failed validation or it doesn't contain the expected fields. 2) If the ipa_hbac_treat_deny_as option is set to DENY_ALL, then skip malformed DNs, but log them 3) Optionally, after dereference, only store objects of the type we're interested in. 4) In master (1.13), deprecate the ipa_hbac_treat_deny_as option and only allow DENY_ALL.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1202245 (Red Hat Enterprise Linux 7)
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=1202245 1202245]
Fields changed
owner: somebody => jhrozek status: new => assigned
patch: 0 => 1
milestone: NEEDS_TRIAGE => SSSD 1.13 alpha
resolution: => fixed status: assigned => closed
Metadata Update from @jhrozek: - Issue assigned to jhrozek - Issue set to the milestone: SSSD 1.13 alpha
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3644
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.