Issue #3545: SSSD creates bad override search filter due to AD Trust object with parenthesis - sssd

SSSD / sssd

#3545 SSSD creates bad override search filter due to AD Trust object with parenthesis

Closed: Fixed 6 years ago Opened 6 years ago by sbose.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1500087

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
Note this is not affecting the impacted customer at this time,
ignore_group_members = True was used to workaround this problem.

In the default SSSD AD Trust configuration, group membership lookups may lead
to unexpected user objects being retrieved and searched in the override/views
codepath. The '(' or ')' characters are allowed in AD but cause a bad search
filter to be created by SSSD.

...
[ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed:
[1432158245]: Malformed search filter

Version-Release number of selected component (if applicable):
sssd-1.15

How reproducible:
Always in customer environment

Steps to Reproduce:
1. Add user with '(' character as a member of group in Active Directory
2. Attempt to login as AD user in the same group, or any user which would
trigger getgr* calls to a group which returns this bad character user

Actual results:
Bad Search filter

Expected results:
Lookup succeeds

Additional info:
The following options were added to successfully workaround this problem:

subdomain_inherit = ignore_group_members
ignore_group_members = True

Metadata Update from @sbose:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1500087

6 years ago

Metadata Update from @sbose:
- Issue assigned to sbose

6 years ago

sbose commented 6 years ago

https://github.com/SSSD/sssd/pull/406

Metadata Update from @sbose:
- Issue set to the milestone: None

6 years ago

lslebodn commented 6 years ago

master:

c2dec0d

sssd-1-14:

f9f627d

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 1.16.1
- Issue status updated to: Closed (was: Open)

6 years ago

pbrezina commented 3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4571

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata

Assignee

sbose

Tags

None

Blocking

None

Depending on

None

Priority

None

Milestone

SSSD 1.16.1

type

None

component

None

version

None

selected

None

testsupdated

None

patch

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1500087

design_review

None

review

None

changelog

None

keywords

None

coverity

None

mark

None

blocking

None

design

None

sensitive

None

blockedby

None

feature_milestone

None

SSSD / sssd

Source Code

Documentation

#3545 SSSD creates bad override search filter due to AD Trust object with parenthesis Closed: Fixed 6 years ago Opened 6 years ago by sbose.

Metadata

#3545 SSSD creates bad override search filter due to AD Trust object with parenthesis

Closed: Fixed 6 years ago Opened 6 years ago by sbose.