1.6.0 is failing to find groups. When a user logs in, sssd queries for which group they are a member of with:
In OpenLDAP (and possibly other LDAP servers) the gidNumber is not an ORDERING attribute. This search is returning no results, so sssd thinks the user has no groups. Removing (gidNumber>=1) or changing it to (!(gidNumber=1)) gets the list of groups returned. I've attached a patch to do the latter in the two obvious places in the code (ldap_id.c and sdap_async_accounts.c).
I'm not sure if the two uses of >= in providers/ldap/ldap_id_enum.c also need looking at. Their existence doesn't seem to be causing me problems, or I'm not hitting those blocks due to the if statements.
(setting version blank as 1.6.0 isn't listed yet)
component: SSSD => LDAP Provider
priority: critical => blocker
version: => 1.6.0
This is a regression caused by b00113f8d5fcaf405364dfb5bc28a8076b6c10bd
I only tested with 389 where gidNumber has ORDERING apparently.
This needs fixing in the 1.5 branch as well.
keywords: => Regression
milestone: NEEDS_TRIAGE => SSSD 1.5.12
owner: somebody => jhrozek
patch: 0 => 1
status: new => assigned
fixed in master: 86d77907310fa939fe89884fbbdf2142c06a420e
fixed in sssd-1-6: 9357219643b329b107ed311d91fef8b6e6f3b804
fixed in sssd-1-5: 62667936cfb054352a6c36c1490d823abbf5ea02
resolution: => fixed
status: assigned => closed
rhbz: => 0
Metadata Update from @dpiddock:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.5.12
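The behaviour reported in this ticket (a `gidNumber>=1` search returning nothing on OpenLDAP while working on 389), as an added example that is not part of the ticket or of SSSD's code: a small Python model of the three-valued filter evaluation in RFC 4511, section 4.5.1.7. The tuple encoding, the filter shape, the directory entries and the `ordering_attrs` parameter are constructed for illustration and are not the query SSSD sends.

```python
# Three-valued LDAP filter evaluation (RFC 4511, section 4.5.1.7), reduced to
# the operators this ticket involves. Schema and entries are constructed.
TRUE, FALSE, UNDEFINED = "TRUE", "FALSE", "UNDEFINED"

def evaluate(flt, entry, ordering_attrs):
    """flt is a nested tuple: ("and", f1, f2, ...), ("not", f),
    ("eq", attr, value) or ("ge", attr, value)."""
    op = flt[0]
    if op == "and":
        results = [evaluate(f, entry, ordering_attrs) for f in flt[1:]]
        if FALSE in results:
            return FALSE
        return UNDEFINED if UNDEFINED in results else TRUE
    if op == "not":
        inner = evaluate(flt[1], entry, ordering_attrs)
        return {TRUE: FALSE, FALSE: TRUE, UNDEFINED: UNDEFINED}[inner]
    _, attr, value = flt
    values = entry.get(attr, [])
    if op == "eq":
        return TRUE if value in values else FALSE
    if op == "ge":
        # No ORDERING matching rule in the schema: the server cannot decide.
        if attr not in ordering_attrs:
            return UNDEFINED
        return TRUE if any(int(v) >= int(value) for v in values) else FALSE
    raise ValueError(f"unsupported filter item: {op}")

def search(flt, entries, ordering_attrs):
    # A search returns only the entries for which the filter is TRUE.
    return [e["cn"][0] for e in entries if evaluate(flt, e, ordering_attrs) == TRUE]

# Constructed directory contents.
GROUPS = [
    {"cn": ["admins"], "objectClass": ["posixGroup"], "gidNumber": ["5000"], "memberUid": ["alice"]},
    {"cn": ["devs"], "objectClass": ["posixGroup"], "gidNumber": ["5001"], "memberUid": ["alice", "bob"]},
    {"cn": ["ops"], "objectClass": ["posixGroup"], "gidNumber": ["5002"], "memberUid": ["bob"]},
]

# Constructed filters: same membership test, two ways of constraining gidNumber.
IS_ALICES_GROUP = ("and", ("eq", "objectClass", "posixGroup"), ("eq", "memberUid", "alice"))
RANGE_FILTER = ("and", IS_ALICES_GROUP, ("ge", "gidNumber", "1"))
NEGATED_FILTER = ("and", IS_ALICES_GROUP, ("not", ("eq", "gidNumber", "1")))

if __name__ == "__main__":
    for name, ordering in (("gidNumber without ORDERING", set()), ("gidNumber with ORDERING", {"gidNumber"})):
        print(name, search(RANGE_FILTER, GROUPS, ordering), search(NEGATED_FILTER, GROUPS, ordering))
```

Because an Undefined item makes the whole AND Undefined, the server returns an empty result rather than an error, so the client sees a user with no groups instead of a failed lookup.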