ldb's documentation on ldb_dn_explode() which is called by ldb_dn_validate explicitly states:
/*
  explode a DN string into a ldb_dn structure
  based on RFC4514 except that we don't support multiple valued RDNs

  TODO: according to MS-ADTS:3.1.1.5.2 Naming Constraints
        DN must be compliant with RFC2253
*/
static bool ldb_dn_explode(struct ldb_dn *dn)
This breaks if IPA runs into replication errors, which use multi-valued RDNs internally.
Ignoring malformed DNs would be OK as long as the ipa_hbac_treat_deny_as option is set to DENY_ALL (which is the default). Otherwise, we can't ignore any malformed DN because we can't be sure if it should deny access. This would be OK for 99.99% of deployments as DENY rules are not supported on the server side since ipa-2.1.
So I propose we:
1) Add a new error code that signals that the DN is malformed. Either it failed validation or it doesn't contain the expected fields.
2) If the ipa_hbac_treat_deny_as option is set to DENY_ALL, then skip malformed DNs, but log them
3) Optionally, after dereference, only store objects of the type we're interested in.
4) In master (1.13), deprecate the ipa_hbac_treat_deny_as option and only allow DENY_ALL.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1202245 (Red Hat Enterprise Linux 7)
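The following is an added illustration of the proposed handling, not SSSD's or ldb's own code: a minimal check for the exact condition ldb_dn_explode() rejects (an unescaped '+' joining the values of one RDN, as in a 389-ds replication-conflict entry whose RDN is nsuniqueid=...+fqdn=...), plus the "expected fields" check and the skip-or-fail decision keyed on the deny policy. The enum names, the function names and the sample DNs are all hypothetical; the value checked for the first RDN (fqdn) assumes IPA host entries.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

/* Hypothetical names modelled on the ticket's proposal; not SSSD's API. */
enum hbac_deny_policy { HBAC_DENY_ALL, HBAC_DENY_IGNORE };
enum dn_status { DN_OK = 0, DN_MALFORMED = 1 };

/*
 * Does every RDN in the DN carry a single value?  RFC 4514 joins the values
 * of one RDN with an unescaped '+'; a "\+" is a literal character inside a
 * value.  An unescaped '+' is exactly what ldb_dn_explode() refuses.
 */
static bool dn_has_single_valued_rdns(const char *dn)
{
    bool escaped = false;
    for (const char *p = dn; *p != '\0'; p++) {
        if (escaped) {
            escaped = false;
        } else if (*p == '\\') {
            escaped = true;
        } else if (*p == '+') {
            return false;
        }
    }
    return !escaped;   /* a trailing lone backslash is malformed as well */
}

/*
 * Does the first RDN use the attribute type we expect (case-insensitive)?
 * Stands in for the ticket's "doesn't contain the expected fields" case.
 */
static bool dn_first_rdn_is(const char *dn, const char *attr)
{
    size_t len = strlen(attr);
    return strncasecmp(dn, attr, len) == 0 && dn[len] == '=';
}

/* Proposal item 1: one error code covering both malformed-DN cases. */
static enum dn_status validate_member_dn(const char *dn, const char *expected_attr)
{
    if (!dn_has_single_valued_rdns(dn) || !dn_first_rdn_is(dn, expected_attr)) {
        return DN_MALFORMED;
    }
    return DN_OK;
}

/*
 * Proposal item 2: under DENY_ALL a malformed DN can at worst drop a grant,
 * so log it and skip it; under any other policy it might hide a DENY rule,
 * so refuse to evaluate.  Returns the number of DNs kept, or -1 when a
 * malformed DN cannot be skipped safely.
 */
static int filter_member_dns(const char *const *dns, size_t ndns,
                             const char *expected_attr,
                             enum hbac_deny_policy policy,
                             const char **kept, size_t *nkept)
{
    *nkept = 0;
    for (size_t i = 0; i < ndns; i++) {
        if (validate_member_dn(dns[i], expected_attr) == DN_MALFORMED) {
            if (policy != HBAC_DENY_ALL) {
                fprintf(stderr, "malformed DN, cannot evaluate safely: %s\n", dns[i]);
                return -1;
            }
            fprintf(stderr, "skipping malformed DN: %s\n", dns[i]);
            continue;
        }
        kept[(*nkept)++] = dns[i];
    }
    return (int)*nkept;
}

/* Constructed sample input: an ordinary IPA host DN, a replication-conflict
   entry with a multi-valued RDN, and a value containing an escaped '+'. */
#define NSAMPLE 3
static const char *const sample_dns[NSAMPLE] = {
    "fqdn=host1.example.com,cn=computers,cn=accounts,dc=example,dc=com",
    "nsuniqueid=00000000-00000000-00000000-00000000+fqdn=host2.example.com,"
        "cn=computers,cn=accounts,dc=example,dc=com",
    "fqdn=a\\+b.example.com,cn=computers,cn=accounts,dc=example,dc=com",
};

int main(void)
{
    const char *kept[NSAMPLE];
    size_t nkept;
    int rc;

    rc = filter_member_dns(sample_dns, NSAMPLE, "fqdn", HBAC_DENY_ALL, kept, &nkept);
    printf("DENY_ALL: kept %d of %d member DNs\n", rc, NSAMPLE);
    rc = filter_member_dns(sample_dns, NSAMPLE, "fqdn", HBAC_DENY_IGNORE, kept, &nkept);
    printf("other policy: rc=%d (refused to evaluate)\n", rc);
    return 0;
}
```

With the default DENY_ALL the conflict entry is logged and dropped and the two well-formed hosts survive; with any other policy the same input makes the whole evaluation fail, which is the behaviour the ticket argues is the only safe one when DENY rules could be involved.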
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=1202245 1202245]
owner: somebody => jhrozek
status: new => assigned
patch: 0 => 1
milestone: NEEDS_TRIAGE => SSSD 1.13 alpha
resolution: => fixed
status: assigned => closed
Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.13 alpha