Reproducer:
Assign a managed role to the user:
dn: uid=lockuser,ou=people,dc=example,dc=com
changetype: modify
add: nsRoleDN
nsRoleDN: cn=managed,ou=people,dc=example,dc=com
Authenticate as lockuser // should PASS
Inactivate the role members on the LDAP server:
ns-inactivate.pl -D "cn=Manager,dc=example,dc=com" -W -p 389 -h $SERVER -I "cn=managed,ou=people,dc=example,dc=com"
Authenticate as lockuser // should be denied
Activate the role members again on the LDAP server:
ns-activate.pl -D "cn=Manager,dc=example,dc=com" -W -p 389 -h $SERVER -I "cn=managed,ou=people,dc=example,dc=com"
Authenticate as lockuser
Expected result:
Current result:
sssd.conf:
[sssd]
services = nss, pam
domains = LDAP

[nss]

[pam]

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://$SERVER
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
Fields changed
owner: somebody => lslebodn
After some debugging and a discussion with 389-ds developers, I found the reason.
Enabling and disabling a user just changes the virtual attribute nsaccountlock. However, virtual attributes are computed and not stored, therefore modifyTimestamp is not changed for the user, and therefore sssd does not detect the unlocking of the user.
I think we need to special-case operational and virtual attributes, then. Do you have a setup I can use for testing?
I have a POC patch as well. But the question is which attributes we need to special-case. I doubt there is a way to detect virtual attributes from the LDAP server. Maybe in the schema, but it would not be very portable.
Yes, I was wondering actually whether we want to use the modifyTimestamp after all for positive detection as well (=if the timestamp is the same, consider the entry non-changed and go on) or if we only want to use it for detecting changes (=if the timestamp is different, change the entry, if it's not different, go on and try to compare the attributes).
It would be better to discuss on mailing list :-)
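The mechanism discussed in the comments above, as an added example that is not SSSD's code: a simplified model of a cache that decides whether to rewrite a stored LDAP entry. It assumes entries are plain dicts with lowercase attribute names, a constructed modifyTimestamp value, and a hand-maintained set of volatile (virtual or operational) attributes, since the thread notes there is no portable way to discover them from the server. SSSD's real code paths, including its separate access check, are not modelled; the point is only that an entry whose sole change is a virtual attribute is never rewritten by a timestamp-only comparison, in either direction.

```python
# Added example, not SSSD's code. Entry format, helper names and the
# VOLATILE_ATTRS set are assumptions made for illustration.

# Attributes the server computes on the fly (virtual) or maintains itself
# (operational). Changing them does not bump modifyTimestamp, so a
# timestamp-only comparison cannot see the change. Assumption: this set is
# hand-maintained; the ticket notes virtual attributes cannot be detected
# portably from the server.
VOLATILE_ATTRS = frozenset({"nsaccountlock"})


def changed_by_timestamp(cached, fresh):
    """The 'before' behaviour from the ticket: trust modifyTimestamp alone."""
    return cached["modifytimestamp"] != fresh["modifytimestamp"]


def changed_with_special_cases(cached, fresh, volatile=VOLATILE_ATTRS):
    """Proposed fix: a differing timestamp is a change; an equal one is not
    conclusive for volatile attributes, so those are compared by value."""
    if cached["modifytimestamp"] != fresh["modifytimestamp"]:
        return True
    return any(cached.get(a) != fresh.get(a) for a in volatile)


def sync_cache(cache, fresh, changed):
    """Rewrite the cached copy of fresh['dn'] only when changed() says so.
    Returns True if the cache was rewritten."""
    dn = fresh["dn"]
    old = cache.get(dn)
    if old is None or changed(old, fresh):
        cache[dn] = dict(fresh)
        return True
    return False


def is_locked(entry):
    # nsaccountlock is absent or "false" on an active account.
    return entry.get("nsaccountlock", "false").lower() == "true"


def simulate(changed):
    """Run the ticket's reproducer against one change detector.
    Returns the 'locked?' answer the cache gives after each step:
    (initial lookup, after ns-inactivate.pl, after ns-activate.pl)."""
    dn = "uid=lockuser,ou=people,dc=example,dc=com"
    ts = "20160715120000Z"  # constructed; stays constant in this scenario

    # Constructed server-side views of the entry. nsaccountlock is virtual:
    # it flips when the role is (in)activated, but modifyTimestamp does not.
    active = {"dn": dn, "uid": "lockuser", "modifytimestamp": ts}
    inactive = dict(active, nsaccountlock="true")

    cache = {}
    sync_cache(cache, active, changed)      # first lookup populates the cache
    initial = is_locked(cache[dn])

    sync_cache(cache, inactive, changed)    # server state after inactivation
    after_inactivate = is_locked(cache[dn])

    sync_cache(cache, active, changed)      # server state after activation
    after_activate = is_locked(cache[dn])

    return initial, after_inactivate, after_activate


if __name__ == "__main__":
    print("timestamp only    :", simulate(changed_by_timestamp))
    print("with special cases:", simulate(changed_with_special_cases))
```

With the timestamp-only detector the cached entry is never rewritten, so the cache reports the account as unlocked throughout; with the special-cased detector both the lock and the unlock are picked up even though modifyTimestamp never changes.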
patch: 0 => 1
status: new => assigned
rhbz: => todo
milestone: NEEDS_TRIAGE => SSSD 1.14.1
resolution: => fixed
status: assigned => closed
rhbz: todo => 0
Metadata Update from @lslebodn:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.14.1
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4143
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for any inconvenience.