The purpose of external groups in FreeIPA is to be able to reference objects only existing in trusted domains. These members get resolved through SSSD interfaces but there is nothing that prevents SSSD from resolving any IPA user or group if they have security identifiers associated.
Enforce a check that a SID returned by SSSD does not belong to the IPA domain and raise a validation error if this is the case. This would prevent adding IPA users or groups as external members of an external group.
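A sketch of the SID check described above, as an added example that is not FreeIPA's code or the code from the linked PR. The function names, the `ValidationError` class and all SID values are constructed for illustration. It compares sub-authorities numerically, because a plain string-prefix test would misclassify a foreign SID whose text happens to begin with the IPA domain SID.

```python
import re

# Constructed sample value standing in for the local IPA domain SID.
IPA_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-33333333"

_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+){1,15})$", re.IGNORECASE)


class ValidationError(ValueError):
    """Hypothetical stand-in for the framework's validation error."""


def parse_sid(sid):
    """Return (identifier_authority, [sub_authorities]) for a textual SID."""
    m = _SID_RE.match(sid.strip())
    if not m:
        raise ValidationError(f"malformed SID: {sid!r}")
    subs = [int(x) for x in m.group(2).lstrip("-").split("-")]
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValidationError(f"sub-authority out of range: {sid!r}")
    return int(m.group(1)), subs


def sid_in_domain(sid, domain_sid):
    """True if sid is the domain SID itself or the domain SID plus one RID."""
    auth, subs = parse_sid(sid)
    dom_auth, dom_subs = parse_sid(domain_sid)
    if auth != dom_auth:
        return False
    # Compare sub-authorities as integers: a string prefix test would
    # wrongly match ...-333333333-500 against a domain ending in -33333333.
    if subs == dom_subs:
        return True
    return len(subs) == len(dom_subs) + 1 and subs[:-1] == dom_subs


def validate_external_member(name, resolved_sid, ipa_domain_sid=IPA_DOMAIN_SID):
    """Reject a member whose resolved SID belongs to the IPA domain."""
    if sid_in_domain(resolved_sid, ipa_domain_sid):
        raise ValidationError(
            f"{name}: SID {resolved_sid} belongs to the IPA domain; "
            "only trusted-domain objects can be external members")
    return resolved_sid
```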
Metadata Update from @abbra: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1809835
PR: https://github.com/freeipa/freeipa/pull/4374
master:
ipa-4-8:
ipa-4-7:
ipa-4-6:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
bce5097 ipatests: fix KeyError in test_sssd
7b9cdfb ipatests: fix group-add-member in test_sssd