#3321 userCertificate is not removed from entry in cache

Created 5 months ago by dkupka
Modified 14 hours ago

When a certificate is added to a user, the cache gets populated almost instantly, but when the certificate is removed from the entry, it is not removed from the entry in the cache, even when the cache is manually expired.
I've hit this issue with Sumit's builds [1], but I believe that this is an issue with caching and not with the certificate mapping feature.

[1] https://copr.fedorainfracloud.org/coprs/sbose/pkinit_and_certificate_mapping/

Steps to reproduce:

# ipa user-add tuser --first Test --last User
# ipa user-add-cert tuser --certificate $(cat ~/tuser.pem | head -n -1 | tail -n +2 | tr -d '\r\n')
# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat ~/tuser.pem)" uint32:100
# ipa user-add ouser --first Other --last User
# ipa user-add-cert ouser --certificate $(cat ~/tuser.pem | head -n -1 | tail -n +2 | tr -d '\r\n')
# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat ~/tuser.pem)" uint32:100
# ipa user-remove-cert tuser --certificate $(cat ~/tuser.pem | head -n -1 | tail -n +2 | tr -d '\r\n')
# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat ~/tuser.pem)" uint32:100
# sudo sss_cache -E
# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat ~/tuser.pem)" uint32:100

Actual result (ipa outputs omitted):

method return time=1488893851.804254 sender=:1.254 -> destination=:1.257 serial=11 reply_serial=2
array [
object path "/org/freedesktop/sssd/infopipe/Users/dom_2d058_2d055_2eabc_2eidm_2elab_2eeng_2ebrq_2eredhat_2ecom/14400005"
]
method return time=1488893892.719728 sender=:1.254 -> destination=:1.258 serial=13 reply_serial=2
array [
object path "/org/freedesktop/sssd/infopipe/Users/dom_2d058_2d055_2eabc_2eidm_2elab_2eeng_2ebrq_2eredhat_2ecom/14400006"
object path "/org/freedesktop/sssd/infopipe/Users/dom_2d058_2d055_2eabc_2eidm_2elab_2eeng_2ebrq_2eredhat_2ecom/14400005"
]
method return time=1488893911.276792 sender=:1.254 -> destination=:1.259 serial=15 reply_serial=2
array [
object path "/org/freedesktop/sssd/infopipe/Users/dom_2d058_2d055_2eabc_2eidm_2elab_2eeng_2ebrq_2eredhat_2ecom/14400006"
object path "/org/freedesktop/sssd/infopipe/Users/dom_2d058_2d055_2eabc_2eidm_2elab_2eeng_2ebrq_2eredhat_2ecom/14400005"
]
method return time=1488893934.423090 sender=:1.254 -> destination=:1.261 serial=17 reply_serial=2
array [
object path "/org/freedesktop/sssd/infopipe/Users/dom_2d058_2d055_2eabc_2eidm_2elab_2eeng_2ebrq_2eredhat_2ecom/14400006"
object path "/org/freedesktop/sssd/infopipe/Users/dom_2d058_2d055_2eabc_2eidm_2elab_2eeng_2ebrq_2eredhat_2ecom/14400005"
]

Expected output (ipa outputs omitted):

method return time=1488893851.804254 sender=:1.254 -> destination=:1.257 serial=11 reply_serial=2
array [
object path "/org/freedesktop/sssd/infopipe/Users/dom_2d058_2d055_2eabc_2eidm_2elab_2eeng_2ebrq_2eredhat_2ecom/14400005"
]
method return time=1488893892.719728 sender=:1.254 -> destination=:1.258 serial=13 reply_serial=2
array [
object path "/org/freedesktop/sssd/infopipe/Users/dom_2d058_2d055_2eabc_2eidm_2elab_2eeng_2ebrq_2eredhat_2ecom/14400006"
object path "/org/freedesktop/sssd/infopipe/Users/dom_2d058_2d055_2eabc_2eidm_2elab_2eeng_2ebrq_2eredhat_2ecom/14400005"
]
method return time=1488893911.276792 sender=:1.254 -> destination=:1.259 serial=15 reply_serial=2
array [
object path "/org/freedesktop/sssd/infopipe/Users/dom_2d058_2d055_2eabc_2eidm_2elab_2eeng_2ebrq_2eredhat_2ecom/14400006"
]
method return time=1488893934.423090 sender=:1.254 -> destination=:1.261 serial=17 reply_serial=2
array [
object path "/org/freedesktop/sssd/infopipe/Users/dom_2d058_2d055_2eabc_2eidm_2elab_2eeng_2ebrq_2eredhat_2ecom/14400006"
]                                                                                                                                                                                                                                         
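
Added example (not part of the original report and not SSSD code): a small checker that parses a `dbus-send --print-reply` result for `ListByCertificate`, decodes the object paths, and reports UIDs the cache still maps to the certificate after the mapping was removed. It assumes the `_2d`/`_2e` sequences in the paths are two-digit hex escapes and that the last path component is the UID; the sample is the third reply from the "Actual result" above, and the function names are hypothetical.

```python
import re

# Third reply from the report's "Actual result" section, captured after
# `ipa user-remove-cert tuser` (tuser is 14400005, ouser is 14400006).
SAMPLE_REPLY = '''method return time=1488893911.276792 sender=:1.254 -> destination=:1.259 serial=15 reply_serial=2
array [
object path "/org/freedesktop/sssd/infopipe/Users/dom_2d058_2d055_2eabc_2eidm_2elab_2eeng_2ebrq_2eredhat_2ecom/14400006"
object path "/org/freedesktop/sssd/infopipe/Users/dom_2d058_2d055_2eabc_2eidm_2elab_2eeng_2ebrq_2eredhat_2ecom/14400005"
]
'''

# One "object path" line: capture the escaped domain component and the UID.
PATH_RE = re.compile(
    r'object path "/org/freedesktop/sssd/infopipe/Users/([^/"]+)/(\d+)"'
)


def unescape_component(component):
    """Undo the _XX escaping (assumed: XX is the hex code of one character)."""
    return re.sub(r"_([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), component)


def parse_reply(text):
    """Return the set of (domain, uid) pairs listed in one dbus-send reply."""
    return {(unescape_component(dom), int(uid))
            for dom, uid in PATH_RE.findall(text)}


def stale_mappings(reply_text, expected_uids):
    """UIDs the cache returns for the certificate that the directory no longer maps."""
    return sorted(uid for _, uid in parse_reply(reply_text)
                  if uid not in expected_uids)


if __name__ == "__main__":
    # After the removal only ouser (14400006) should still own the certificate.
    for uid in stale_mappings(SAMPLE_REPLY, {14400006}):
        print(f"stale certificate mapping in cache for uid {uid}")
```
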
5 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.15.3

5 months ago

Metadata Update from @jhrozek:
- Issue priority set to: major

Since upstream would like to release the next tarball quite soon, but at the same time this issue is not a blocker, I'm moving it to the next milestone.

2 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.15.4 (was: SSSD 1.15.3)

14 hours ago

Metadata Update from @jhrozek:
- Issue tagged with: cleanup-one-sixteen
