#868 [RFE] SSSD should support multiple search bases
Closed: Fixed. Opened 9 years ago by sgallagh.

nss_ldap allows the specification of multiple search bases for users and groups. When multiple bases are used, the search is performed sequentially for each base (stopping if the requested entry is located).

The example use-case that is given is when an app has a hard-coded requirement that users belong to a particular group (e.g. 'oracle'). On different machines with different databases (and therefore different access-control requirements), there needs to be a way to produce a different membership set for the same group name.

The way this is handled classically is to have one branch in LDAP contain all of the common groups (those that do not vary from system to system) and to have other branches that correspond to machines or groups of machines that have specific requirements for a particular group.

The client would then be configured to have a search base for the common groups and secondary (and tertiary, etc.) search base for the specialized groups.

This is something we cannot handle properly right now. Ticket #859 was opened originally to try and get a workaround to behave better, but it is not the correct fix. The problem with that approach is that, while groups list all of the correct users, initgroups() requests on the users do not return all groups. If we handled multiple search bases, we'd have memberOf entries in the SYSDB that would properly handle this.

Moving back to NEEDS_TRIAGE to discuss re-prioritization.

milestone: SSSD Deferred => NEEDS_TRIAGE
rhbz: => 736150

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.7.0
priority: major => blocker

We need to make sure to match nss_ldap here.

    nss_base_<map> <basedn?scope?filter>
        Specify the search base, scope and filter to be used for specific maps.
        (Note that map forms part of the configuration file keyword and is one
        of passwd, shadow, group, hosts, services, networks, protocols, rpc,
        ethers, netmasks, bootparams, aliases and netgroup.) The syntax of
        basedn and scope are the same as for the configuration file options of
        the same name, with the addition of being able to omit the trailing
        suffix of the base DN (in which case the global base DN will be
        appended instead). The filter is a search filter to be added to the
        default search filter for a specific map, such that the effective
        filter is the logical intersection of the two. The base DN, scope and
        filter are separated with literal question marks (?) as given above;
        this is for compatibility with the DUA configuration profile schema
        and the ldapprofile tool. This option may be specified multiple times.

So not only do we need to support multiple bases, we need to support independent scope and search filters for each base.

Discussion of how to support this feature is occurring on the sssd-devel mailing list. Archives are available starting here: https://fedorahosted.org/pipermail/sssd-devel/2011-September/006930.html
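The nss_ldap semantics quoted above (several nss_base_group lines tried in file order, a base DN completed with the global base when the suffix is omitted, the per-base filter intersected with the map's default filter, and the search stopping at the first hit) modelled in Python as an added example; this is not nss_ldap's or SSSD's code, and the config lines, the in-memory directory, the global base and the default filter are all constructed. It plays out the ticket's use case: a host-specific 'oracle' group listed first shadows the common one.

```python
from collections import namedtuple

# base DN, scope, and the map's default filter AND-ed with the per-base filter
SearchBase = namedtuple("SearchBase", "base_dn scope filter")

def parse_nss_base(value, global_base, default_filter, default_scope="sub"):
    # 'basedn?scope?filter': a base DN lacking the global suffix gets it
    # appended, empty scope takes the default, per-base filter is AND-ed in.
    parts = [p.strip() for p in value.split("?", 2)] + ["", ""]
    base_dn, scope, extra = parts[:3]
    if not base_dn.lower().endswith(global_base.lower()):
        base_dn = f"{base_dn},{global_base}" if base_dn else global_base
    scope = scope or default_scope
    if scope not in {"base", "one", "sub"}:
        raise ValueError(f"unknown scope {scope!r}")
    filt = f"(&{default_filter}{extra})" if extra else default_filter
    return SearchBase(base_dn, scope, filt)

def load_bases(config_lines, map_name, global_base, default_filter):
    # Every nss_base_<map> line, in file order: that order is the search order.
    return [parse_nss_base(v, global_base, default_filter)
            for k, _, v in (line.strip().partition(" ") for line in config_lines)
            if k == f"nss_base_{map_name}"]

def in_scope(dn, base):
    dn, b = dn.lower(), base.base_dn.lower()
    if base.scope == "base":
        return dn == b
    if base.scope == "one":
        return dn.endswith("," + b) and "," not in dn[: -len(b) - 1]
    return dn == b or dn.endswith("," + b)

def lookup(bases, directory, cn):
    # Search the bases in order and stop at the first hit (nss_ldap rule); the
    # filter is what the server would get, this toy directory matches cn only.
    for base in bases:
        for dn, entry in directory.items():
            if in_scope(dn, base) and entry["cn"] == cn:
                return dn, base.scope, base.filter
    return None

# Constructed sample: a host-specific 'oracle' group shadows the common one.
CONFIG = [
    "nss_base_group ou=groups,ou=db1,ou=hosts?one?(gidNumber>=1000)",
    "nss_base_group ou=groups?one?",
]
DIRECTORY = {
    "cn=oracle,ou=groups,ou=db1,ou=hosts,dc=example,dc=com": {"cn": "oracle"},
    "cn=oracle,ou=groups,dc=example,dc=com": {"cn": "oracle"},
}
```

Drop the first CONFIG line and the same lookup resolves to the common group, which is the per-machine membership difference the ticket asks SSSD to reproduce.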

Fields changed

status: new => assigned

Fields changed

patch: 0 => 1

Fields changed

summary: SSSD should support multiple search bases => [RFE] SSSD should support multiple search bases

Fixed by:


resolution: => fixed
status: assigned => closed

(In #647) This ticket was obsoleted by #868

blockedby: => 647

Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue marked as depending on: #647
- Issue set to the milestone: SSSD 1.7.0

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1910

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
