#951 sssd 1.6.0 fails to find groups with OpenLDAP server

Created 6 years ago by dpiddock
Modified 9 months ago

1.6.0 is failing to find groups. When a user logs in, sssd queries for which group they are a member of with:

(&(memberUid=testuser)(objectClass=posixGroup)(cn=*)(gidNumber>=1))

In OpenLDAP (and possibly other LDAP servers) the gidNumber is not an ORDERING attribute. This search is returning no results, so sssd thinks the user has no groups. Removing (gidNumber>=1) or changing it to (!(gidNumber=1)) gets the list of groups returned. I've attached a patch to do the latter in the two obvious places in the code (ldap_id.c and sdap_async_accounts.c).

I'm not sure if the two uses of >= in providers/ldap/ldap_id_enum.c also need looking at. Their existence doesn't seem to be causing me problems, or I'm not hitting those blocks due to the if statements.

(setting version blank as 1.6.0 isn't listed yet)
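An added example, not part of the ticket or of SSSD's code: a check that flags >= and <= terms in an LDAP filter when the schema defines no ORDERING rule for the attribute, which is the condition the report above describes. The schema lines are constructed samples in RFC 4512 syntax, the function names are hypothetical, and rules inherited through SUP are not resolved.

```python
import re

# Constructed attributeTypes values in RFC 4512 syntax, as a server's
# subschema entry might return them; not taken from the ticket.
SAMPLE_SCHEMA = [
    "( 1.3.6.1.1.1.1.1 NAME 'gidNumber' DESC 'group id, no ORDERING here' "
    "EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )",
    "( 1.3.6.1.1.1.1.0 NAME 'uidNumber' EQUALITY integerMatch "
    "ORDERING integerOrderingMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )",
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
]


def ordering_rules(attribute_types):
    """Map each lower-cased attribute name to its ORDERING rule, or None."""
    rules = {}
    for definition in attribute_types:
        m = re.search(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", definition)
        if not m:
            continue
        names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
        # Drop quoted strings first so a DESC mentioning ORDERING is ignored.
        unquoted = re.sub(r"'[^']*'", "", definition)
        ordering = re.search(r"\bORDERING\s+(\S+)", unquoted)
        for name in names:
            rules[name.lower()] = ordering.group(1) if ordering else None
    return rules


def unordered_range_terms(ldap_filter, rules):
    """Return the >= / <= terms whose attribute has no known ORDERING rule."""
    flagged = []
    terms = re.findall(r"\(([A-Za-z][\w;.-]*)\s*(>=|<=)([^()]*)\)", ldap_filter)
    for attr, op, value in terms:
        # Attributes missing from the schema are flagged too (rule unknown).
        if rules.get(attr.lower()) is None:
            flagged.append(f"({attr}{op}{value})")
    return flagged


if __name__ == "__main__":
    rules = ordering_rules(SAMPLE_SCHEMA)
    query = "(&(memberUid=testuser)(objectClass=posixGroup)(cn=*)(gidNumber>=1))"
    for term in unordered_range_terms(query, rules):
        print("range match on attribute without ORDERING rule:", term)
```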

Fields changed

component: SSSD => LDAP Provider
priority: critical => blocker
version: => 1.6.0

This is a regression caused by b00113f

I only tested with 389 where gidNumber has ORDERING apparently.

This needs fixing in the 1.5 branch as well.

Fields changed

keywords: => Regression

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.5.12
owner: somebody => jhrozek

Fields changed

patch: 0 => 1
status: new => assigned

fixed in master: 86d7790

fixed in sssd-1-6: 9357219

fixed in sssd-1-5: 6266793

resolution: => fixed
status: assigned => closed

Fields changed

rhbz: => 0

9 months ago

Metadata Update from @dpiddock:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.5.12
