#2917 Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore
Closed: Fixed. Opened 3 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1296618

Description of problem:
Since the DNs in the SSSD cache differ from the DNs of the original objects,
SSSD saves the original DN in attributes prefixed by 'original'. This is done
for the memberOf attributes of a user as well. If now, e.g., all secondary group
memberships of an AD user are removed, i.e. the user is only a member of the
primary group, which is 'Domain Users' in the AD case, there are no memberOf
attributes in the original object anymore. In this case any existing
originalMemberOf attributes are not removed from the cache. This can be seen by
checking the cache entry with the ldbsearch utility.
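The check described in the ticket, as an added example that is not part of the original report or of SSSD itself: parse the LDIF that ldbsearch prints for a cached user and compare its originalMemberOf values against the memberOf values the directory currently returns for the same user. The cache record, the domain name ad.example.com, the user tuser and the group DNs are all constructed here; the empty source set models the ticket's case, where AD reports no memberOf at all because the primary group is expressed via primaryGroupID rather than memberOf. Any originalMemberOf value left in the cache without a matching source value is exactly the stale attribute the ticket is about.

```python
import sys
from typing import Dict, List, Set

# Constructed sample of what the following command might print (hypothetical paths and
# names; run as root on the SSSD client):
#   ldbsearch -H /var/lib/sss/db/cache_ad.example.com.ldb name=tuser@ad.example.com originalMemberOf
CACHE_LDIF = """\
# record 1
dn: name=tuser@ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
objectClass: user
name: tuser@ad.example.com
uidNumber: 1234001
gidNumber: 1234000
originalDN: CN=Test User,CN=Users,DC=ad,DC=example,DC=com
originalMemberOf: CN=Admins,CN=Users,DC=ad,DC=example,DC=com
originalMemberOf: CN=Devs,CN=Users,DC=ad,DC=example,DC=com
lastUpdate: 1452000000

# returned 1 records
# 1 entries
# 0 referrals
"""

# Constructed: the memberOf values AD returns for the same user today. Empty, because the
# user's only remaining group is the primary group, which AD does not list in memberOf.
AD_MEMBER_OF: Set[str] = set()


def parse_ldif_entries(text: str) -> List[Dict[str, List[str]]]:
    """Split ldbsearch/LDIF output into records: one {attribute: [values]} dict each.

    Comments ('# ...') are skipped and records are separated by blank lines.
    Line folding and base64 ('::') values are not handled; sysdb DNs are plain ASCII.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn: str) -> str:
    """DN comparison is case-insensitive; also drop whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def stale_original_member_of(entry: Dict[str, List[str]], source_member_of: Set[str]) -> List[str]:
    """Return the cached originalMemberOf DNs that the source directory no longer reports."""
    source = {normalize_dn(dn) for dn in source_member_of}
    return [dn for dn in entry.get("originalMemberOf", []) if normalize_dn(dn) not in source]


def check_cache(ldif_text: str, source_member_of: Set[str]) -> Dict[str, List[str]]:
    """Map each cached user's name to its stale originalMemberOf values (empty list if clean)."""
    report: Dict[str, List[str]] = {}
    for entry in parse_ldif_entries(ldif_text):
        if "user" not in entry.get("objectClass", []):
            continue
        name = entry.get("name", ["<unnamed>"])[0]
        report[name] = stale_original_member_of(entry, source_member_of)
    return report


if __name__ == "__main__":
    result = check_cache(CACHE_LDIF, AD_MEMBER_OF)
    for user, stale in result.items():
        if stale:
            print(f"{user}: stale originalMemberOf values still cached:")
            for dn in stale:
                print(f"  {dn}")
        else:
            print(f"{user}: originalMemberOf consistent with source")
    sys.exit(1 if any(result.values()) else 0)
```

In practice the source set comes from an ldapsearch against the domain controller for the user's memberOf attribute; a non-empty result from this check after the user has left all secondary groups is the symptom reported above, and it should be empty once the fix is in place.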

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => sbose
review: True => 0
selected: =>
status: new => assigned
testsupdated: => 0

Since the bug is fixed and cloned downstream, I also took the liberty of moving to sssd 1.13.4 milestone

milestone: NEEDS_TRIAGE => SSSD 1.13.4
resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.4

2 years ago

