#2944 [RFE] In the cache, identify a group entity by more than its name.
Closed: wontfix 4 years ago by pbrezina. Opened 8 years ago by howardg.

SSSD is hooked to an LDAP database of two users, using rfc2307bis schema:

user1 is a member of cn=Staff,ou=Unit1,dc=domain
user2 is a member of cn=Staff,ou=Unit2,dc=domain

While investigating why SSSD would mix up the group memberships of user1 and user2 in certain circumstances, SSSD developer Pavel was very helpful and pointed out that the cache can only see "cn=Staff", hence two groups share the same object in SSSD cache, causing unpredictable response in group membership query.

While the LDAP database setup is indeed unusual, I have seen it implemented in real scenarios, hence it would be very useful if SSSD could support the setup.

See Ticket #2923 for the complete discussion and setup details.


Maybe we could do this in the dbus API, but I don't think this is possible to do in the NSS API, because functions like getpwnam or getgrnam just take a name as input, so we don't really have a way to distinguish the two..

Please note that in the LDAP database, user1 directly belongs to cn=Staff,ou=Unit1, but cn=Staff is not a posixGroup. cn=Staff is a member of cn=All1, which is a posixGroup.

Could SSSD figure out that user1's posixGroup is cn=All1 (instead of cn=Staff), and cache cn=All1 instead of cn=Staff?

Fields changed

rhbz: => todo

Right, but we still save the groups to the cache where we don't handle the same names at the moment..

milestone: NEEDS_TRIAGE => SSSD Deferred

Metadata Update from @howardg:
- Issue set to the milestone: SSSD Patches welcome

7 years ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persist on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3985

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata