#93 User enumeration fails for LDAP server with any UIDs outside specified range
Closed: Fixed. Opened 14 years ago by sgallagh.

Using the native LDAP id backend fails to enumerate users if any of the users returned fall outside the assigned domain range.

Steps to reproduce:
1. Set up an LDAP server with posix users. Create several users.
2. Configure sssd.conf to use provider=ldap and connect to that LDAP server.
3. Set the minId and maxId ranges so that some - but not all - of the users in the LDAP server would fit in the range.
4. Start the SSSD in debug mode (I used -d 9).
5. In another window, run 'getent -s sss passwd'. None of your LDAP users will be returned.
6. Check your debug messages. You will see the following:

[sssd[be[ldap]]] [sdap_save_user_send] (6): Storing info for user jnovello
[sssd[be[ldap]]] [sdap_process_result] (8): Trace: sh[0x109ccf0], connected[1], ops[0x10989d0], fde[0x10a6330], ldap[0x109cd20]
[sssd[be[ldap]]] [sdap_process_result] (8): Trace: sh[0x109ccf0], connected[1], ops[0x10989d0], fde[0x10a6330], ldap[0x109cd20]
[sssd[be[ldap]]] [sysdb_add_user_send] (2): Supplied gid [100] is not in the allowed range [500-20000].
[sssd[be[ldap]]] [sdap_process_result] (8): Trace: sh[0x109ccf0], connected[1], ops[0x10989d0], fde[0x10a6330], ldap[0x109cd20]
[sssd[be[ldap]]] [ldb] (9): cancel ldb transaction (nesting: 0)
[sssd[dp]] [sbus_remove_timeout] (8): 0xee9340
[sssd[dp]] [sbus_dispatch] (6): dbus conn: EE0FE0
[sssd[dp]] [sbus_dispatch] (6): Dispatching.
[sssd[dp]] [be_got_account_info] (4): Got reply (3, 22, Enum Users Failed) from ldap(redhat.com)
[sssd[dp]] [be_got_account_info] (1): Backend returned an error: 3,22(Invalid argument),Enum Users Failed
[sssd[nss]] [sbus_remove_timeout] (8): 0x1c61fb0
[sssd[nss]] [sbus_dispatch] (6): dbus conn: 1C568F0
[sssd[nss]] [sbus_dispatch] (6): Dispatching.
[sssd[be[ldap]]] [acctinfo_callback] (4): Got reply (0, 0, Success) from Data Provider
[sssd[nss]] [nss_dp_get_reply] (4): Request processed. Returned 3,22,Enum Users Failed
[sssd[be[ldap]]] [sdap_process_result] (8): Trace: sh[0x109ccf0], connected[1], ops[(nil)], fde[0x10a6330], ldap[0x109cd20]
[sssd[be[ldap]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
[sssd[be[ldap]]] [sdap_process_result] (8): Trace: sh[0x109ccf0], connected[1], ops[(nil)], fde[0x10a6330], ldap[0x109cd20]
...repeats...

All users queried after this failure will return "ldap_result found nothing!" and the whole transaction will return failure (and therefore not save to the LDB).

I believe this issue may be related to commit [4a2370f] (Fix race condition in sdap code)


Cleaning up summary.

milestone: SSSD 1.0 => Iteration 7

It's actually a failure condition that should simply be ignored, and instead it is fatal.
It's not related to the commit listed in the description, as the error condition checks have not changed (AFAIK) in that fix; it was probably always there.
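The failure mode in the report, and the fix the comment above asks for, side by side as an added illustration. This is not code from the ticket or from SSSD; the user records, the id range and the function names (`enum_users`, `run_enum`, `sample_status`, `sample_saved`) are constructed for the example. The only thing taken from the page is the shape of the check behind the log line "Supplied gid [100] is not in the allowed range [500-20000]" and the fact that the backend's error surfaces as EINVAL (22). The id range is also a security control, since it keeps an LDAP entry that claims uid 0 or another local id from shadowing a local account, so the right fix is to skip the offending entry, not to widen the range.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample records; not the reporter's LDAP data. */
struct posix_user {
    const char *name;
    unsigned int uid;
    unsigned int gid;
};

struct id_range {
    unsigned int min_id;
    unsigned int max_id;
};

/* The range test behind "Supplied gid [100] is not in the allowed range [500-20000]". */
static int id_in_range(unsigned int id, const struct id_range *r)
{
    return id >= r->min_id && id <= r->max_id;
}

/*
 * One simulated enumeration transaction. Validated entries are staged in
 * 'saved'. Returns 0 when the transaction commits. On a fatal error the
 * transaction is cancelled: everything staged is discarded (nothing reaches
 * the cache) and -EINVAL is returned, which is the "3,22(Invalid argument),
 * Enum Users Failed" the ticket's log shows.
 *
 * skip_out_of_range == 0: reported behaviour, one bad entry aborts the run.
 * skip_out_of_range != 0: intended behaviour, the entry is ignored and
 *                         enumeration continues.
 */
static int enum_users(const struct posix_user *users, size_t n,
                      const struct id_range *range, int skip_out_of_range,
                      struct posix_user *saved, size_t *nsaved)
{
    *nsaved = 0;
    for (size_t i = 0; i < n; i++) {
        const struct posix_user *u = &users[i];
        if (!id_in_range(u->uid, range) || !id_in_range(u->gid, range)) {
            if (skip_out_of_range) {
                fprintf(stderr, "skipping %s: uid %u / gid %u outside [%u-%u]\n",
                        u->name, u->uid, u->gid, range->min_id, range->max_id);
                continue;
            }
            *nsaved = 0;          /* cancel ldb transaction */
            return -EINVAL;
        }
        saved[(*nsaved)++] = *u;  /* store info for user */
    }
    return 0;                     /* commit */
}

/* Constructed input: one user with a primary gid below min_id (as in the
 * log) and one LDAP entry that tries to claim the local root id. */
static const struct posix_user sample_users[] = {
    { "alice",    1000, 1000 },
    { "jnovello", 1001,  100 },
    { "bob",      1002, 1002 },
    { "root",        0,    0 },
};
static const struct id_range sample_range = { 500, 20000 };
#define SAMPLE_COUNT (sizeof sample_users / sizeof sample_users[0])

/* Run the constructed sample; returns the transaction result, fills *nsaved. */
static int run_enum(int skip_out_of_range, size_t *nsaved)
{
    struct posix_user saved[SAMPLE_COUNT];
    return enum_users(sample_users, SAMPLE_COUNT, &sample_range,
                      skip_out_of_range, saved, nsaved);
}

/* Transaction status for the sample: -EINVAL in fatal mode, 0 in skip mode. */
int sample_status(int skip_out_of_range)
{
    size_t n;
    return run_enum(skip_out_of_range, &n);
}

/* Users that reach the cache: 0 in fatal mode, 2 (alice, bob) in skip mode. */
size_t sample_saved(int skip_out_of_range)
{
    size_t n;
    run_enum(skip_out_of_range, &n);
    return n;
}

int main(void)
{
    int rc = sample_status(0);
    printf("fatal mode: rc=%d (%s), users cached=%zu\n",
           rc, strerror(-rc), sample_saved(0));
    rc = sample_status(1);
    printf("skip mode:  rc=%d (%s), users cached=%zu\n",
           rc, strerror(-rc), sample_saved(1));
    return 0;
}
```

In fatal mode the range violation on the second entry cancels the transaction, so even alice, who passed the check, never reaches the cache, which matches the report's observation that `getent -s sss passwd` returns none of the LDAP users. In skip mode the two out-of-range entries are logged and dropped and the two valid users are cached.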

status: new => assigned

Fields changed

fixedin: => 0.5.0
resolution: => fixed
status: assigned => closed

Fields changed

doc: => 0
docupdated: => 0
tests: => 0
testsupdated: => 1

Fields changed

rhbz: => 0

Metadata Update from @sgallagh:
- Issue assigned to simo
- Issue set to the milestone: SSSD 0.6.0

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1135

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
