#2858 Please fix rfc2307 ldap schema implementation

Created 2 years ago by ondrejv2
Modified 2 years ago

In my test case I use:
autofs_provider = ldap
ldap_schema = rfc2307

But from the logs I see that SSSD is expecting automounter maps in RFC2307bis format instead:
...

(Tue Nov  3 14:22:28 2015) [sssd[be[default]]] [sdap_get_map] (0x0400): Option ldap_autofs_map_object_class has value automountMap
(Tue Nov  3 14:22:28 2015) [sssd[be[default]]] [sdap_get_map] (0x0400): Option ldap_autofs_map_name has value ou
(Tue Nov  3 14:22:28 2015) [sssd[be[default]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_object_class has value automount
(Tue Nov  3 14:22:28 2015) [sssd[be[default]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_key has value cn
(Tue Nov  3 14:22:28 2015) [sssd[be[default]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_value has value automountInformation

According to RFC2307, automounter maps are stored as general NIS maps, i.e.:

    ldap_autofs_entry_key = cn
    ldap_autofs_entry_object_class = nisObject
    ldap_autofs_entry_value = nisMapEntry
    ldap_autofs_map_name = nisMapName
    ldap_autofs_map_object_class = nisMap

The current attribute maps were IIRC modeled after talking to the autofs maintainer, so I'm surprised they would be wrong.

I see nisMapEntry mentioned in rfc2307, but it doesn't seem it's in the context of automounter maps..

In fact, automounter (i.e. its ldap plugin) supports both schemas - rfc2307 and rfc2307bis.
So Ian Kent was right that SSSD should expect the rfc2307bis schema as it is newer than its predecessor.

What I am saying is that if we explicitly instruct SSSD to use the older rfc2307 schema, it should do it properly - rfc2307 lacks the automount* attributes so we need to use the general NIS map attributes for this - much like automounter itself would do if we configured it directly to bypass SSSD.

The beauty of using the older schema (rfc2307) to store automount information is that we do not need to extend the AD schema - which is in many cases a quite troublesome action.

Replying to [comment:4 ondrejv2]:

The beauty of using the older schema (rfc2307) to store automount information is that we do not need to extend the AD schema - which is in many cases a quite troublesome action.

It seems like an opportunity to explore the beauty of FreeIPA. ;-)

Not really - if I also needed to integrate sudo rules or HBAC - maybe.
For just an automounter it is not worth deploying yet another directory service (not saying that IPA is a bad product :-)

And why wouldn't you take advantage of those wonderful features too?

Out of scope for this case :). This case is to inform SSSD developers that the behavior of the daemon violates RFC recommendations.

Well, I'm pretty sure we can't change the defaults, that might break existing setups. I will ask Ian if he also thinks the current defaults are wrong.

FWIW, the current defaults are at: https://fedorahosted.org/sssd/wiki/DesignDocs/AutofsIntegration#TheLDAPschemausedbyautofs

Yes, there was a misunderstanding between Jakub and myself, probably my poor communication and not Jakub, sorry about that.

I'm not sure what the identifiers are in the sssd config but if I assume the columns in the table above should be the values (but are lower case) then, nis should be rfc2307, but rfc2307 should be literally what it is in the table, rfc2307bis.

So that is going to be quite a big problem due to existing configurations, double oops!

Once again, sorry, but this was probably my fault from the beginning.


Code-wise, this is easy to fix, but we need to figure out a way to change the defaults without breaking everyone else's.

I think the best would be to file a downstream bug report and change the defaults when releasing a version with other major changes.

AFAIK - SSSD defaults to rfc2307bis so I do not think many people should be affected by this change. But I agree that it needs to be taken into consideration.
Downstream bug report #1278691 opened

I wonder if we could get away with changing the defaults in the next major release (1.14) provided we print some warning to the syslog.

According to my analysis of quite a few real-world config files, very few people use the affected configuration without explicit attribute mappings.

1.14 + some syslog warning sounds reasonable to me.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.14 alpha
owner: somebody => jhrozek
status: new => assigned

Replying to [comment:10 iankent]:

Yes, there was a misunderstanding between Jakub and myself, probably my poor communication and not Jakub, sorry about that.

I'm not sure what the identifiers are in the sssd config but if I assume the columns in the table above should be the values (but are lower case) then, nis should be rfc2307, but rfc2307 should be literally what it is in the table, rfc2307bis.

So that is going to be quite a big problem due to existing configurations, double oops!

I have a patch here that changes the rfc2307 schema to the nis mappings and warns users who might have used the old defaults:
https://github.com/jhrozek/sssd/commit/79d0bc5e517678a8122b65069cd39f752dc6af51

It's not upstream yet, but I wanted to double check with you the new defaults are OK.

Were the rfc2307bis defaults also wrong? I'm pretty sure they are correct when IPA is the server and IPA uses a variant of rfc2307bis. FWIW the defaults for rfc2307bis currently are:

ldap_autofs_map_object_class = automountMap
ldap_autofs_map_name = automountMapName

ldap_autofs_entry_object_class = automount
ldap_autofs_entry_key = automountKey
ldap_autofs_entry_value = automountInformation
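As an added example (not SSSD code and not written by anyone in this thread), the script below applies the three attribute maps discussed here to LDAP entries in both layouts: the NIS-style mapping ondrejv2 asks for under ldap_schema = rfc2307, the rfc2307bis defaults listed in the previous comment, and the rfc2307 defaults visible in the reporter's 1.12.4 log. The LDIF samples, the DNs and mount values, the minimal parse_ldif reader and the lookup_maps selection logic are all constructed for this example and are assumptions, not SSSD's implementation. It shows the symptom behind the ticket: entries stored as nisMap/nisObject are invisible when selected with the automount* attributes, and vice versa.

```python
# Added example, not SSSD code: apply sssd.conf-style autofs attribute maps to
# LDAP entries stored in the RFC 2307 (nisMap/nisObject) and RFC 2307bis
# (automountMap/automount) layouts.  All sample data below is constructed.

# NIS-style mapping for ldap_schema = rfc2307, as requested in the ticket.
RFC2307_NIS = {
    "ldap_autofs_map_object_class": "nisMap",
    "ldap_autofs_map_name": "nisMapName",
    "ldap_autofs_entry_object_class": "nisObject",
    "ldap_autofs_entry_key": "cn",
    "ldap_autofs_entry_value": "nisMapEntry",
}

# Defaults for ldap_schema = rfc2307bis, as quoted in the thread.
RFC2307BIS = {
    "ldap_autofs_map_object_class": "automountMap",
    "ldap_autofs_map_name": "automountMapName",
    "ldap_autofs_entry_object_class": "automount",
    "ldap_autofs_entry_key": "automountKey",
    "ldap_autofs_entry_value": "automountInformation",
}

# What the reporter's 1.12.4 log shows SSSD used for ldap_schema = rfc2307.
OLD_RFC2307_DEFAULT = {
    "ldap_autofs_map_object_class": "automountMap",
    "ldap_autofs_map_name": "ou",
    "ldap_autofs_entry_object_class": "automount",
    "ldap_autofs_entry_key": "cn",
    "ldap_autofs_entry_value": "automountInformation",
}

# Constructed sample data: one map (auto.home) with one key (alice) per layout.
RFC2307_LDIF = """
dn: nisMapName=auto.home,ou=automount,dc=example,dc=com
objectClass: top
objectClass: nisMap
nisMapName: auto.home

dn: cn=alice,nisMapName=auto.home,ou=automount,dc=example,dc=com
objectClass: top
objectClass: nisObject
cn: alice
nisMapName: auto.home
nisMapEntry: -rw,soft nfs.example.com:/export/home/alice
"""

RFC2307BIS_LDIF = """
dn: automountMapName=auto.home,ou=automount,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto.home

dn: automountKey=alice,automountMapName=auto.home,ou=automount,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: alice
automountInformation: -rw,soft nfs.example.com:/export/home/alice
"""


def parse_ldif(text):
    """Minimal LDIF reader: a list of entries, each a dict of lower-cased
    attribute name -> list of values.  Enough for the samples above; it does
    not handle base64 (`::`) values or folded continuation lines."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def lookup_maps(entries, amap):
    """Select automounter maps and keys the way an attribute map would:
    returns {map name: {key: mount information}}.  A key entry belongs to
    the map whose DN is a suffix of its own DN (the usual tree layout)."""
    def has_class(entry, name):
        return name.lower() in {c.lower() for c in entry.get("objectclass", [])}

    maps = {}  # map DN -> (map name, key table)
    for e in entries:
        names = e.get(amap["ldap_autofs_map_name"].lower())
        if has_class(e, amap["ldap_autofs_map_object_class"]) and names:
            maps[e["dn"][0]] = (names[0], {})
    for e in entries:
        keys = e.get(amap["ldap_autofs_entry_key"].lower())
        values = e.get(amap["ldap_autofs_entry_value"].lower())
        if not (has_class(e, amap["ldap_autofs_entry_object_class"]) and keys and values):
            continue
        for map_dn, (_, key_table) in maps.items():
            if e["dn"][0].endswith("," + map_dn):
                key_table[keys[0]] = values[0]
    return {name: key_table for name, key_table in maps.values()}


if __name__ == "__main__":
    for data_name, ldif in (("rfc2307 data", RFC2307_LDIF), ("rfc2307bis data", RFC2307BIS_LDIF)):
        for map_name, amap in (("nis mapping", RFC2307_NIS),
                               ("rfc2307bis mapping", RFC2307BIS),
                               ("1.12.4 rfc2307 defaults", OLD_RFC2307_DEFAULT)):
            print(f"{data_name:16} + {map_name:24} -> {lookup_maps(parse_ldif(ldif), amap)}")
```

Running it prints a non-empty map only for the two matching pairs; with the 1.12.4 rfc2307 defaults neither layout yields anything, because the map class (automountMap) and the map name attribute (ou) never occur together in either sample. That is the practical reason explicit ldap_autofs_* settings in sssd.conf, as several comments above suggest, are the safe way to pin a deployment to the layout actually present in the directory.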

The patch has been available for some time, but shouldn't block the Beta release.

milestone: SSSD 1.14 alpha => SSSD 1.14.0

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

2 years ago

Metadata Update from @ondrejv2:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.14.0

defect

SSSD

1.12.4

https://bugzilla.redhat.com/show_bug.cgi?id=1278691