#9169 Changing ldap_group_nesting_level in sssd.conf in the subsection for ad-trusts does not work
Opened 2 years ago by mityann. Modified 2 years ago

Issue

[Changing ldap_group_nesting_level in sssd.conf in the subsection for ad-trusts does not work]

Steps to Reproduce

  1. I have added the ldap_group_nesting_level = 3 parameter in sssd.conf in the [domain/ipa_domain] section
  2. I have added subsection [domain/ipa_domain/ad_trust_domain] in sssd.conf. And I have added the ldap_group_nesting_level = 3 parameter in [domain/ipa_domain/ad_trust_domain] subsection
  3. I have restarted sssd
    systemctl restart sssd
  4. I have reset the records in the cache
    sss_cache -E
  5. And I ran command
    id user@ad_trust_domain

Actual behavior

By default, in FreeIPA, the nesting depth of groups is 2. In the sssd_ipa_domain.log log I see that the parameter was applied in both sections, and that ldap_group_nesting_level = 3. I see that the query finds all three groups, but only group1 and group2 get into the output of the "id" command.
Therefore, I cannot apply the HBAC and sudo rules to group3. And this is very important, according to our security policies.

Expected behavior

I expect group3 to appear in the output of the id command and that I will be able to apply sudo and HBAC rules to group3.

Version/Release/Distribution

Package versions:
ipa-server-4.6.8-5.0.1.el7_9.10.x86_64
ipa-client-4.6.8-5.0.1.el7_9.10.x86_64
389-ds-base-1.3.10.2-14.el7_9.x86_64
pki-ca-10.5.18-18.el7_9.noarch
krb5-server-1.15.1-51.0.1.el7_9.x86_64
OS version:
NAME="Oracle Linux Server"
VERSION="7.9"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.9"
PRETTY_NAME="Oracle Linux Server 7.9"

Additional info:

There is a configured FreeIPA server with a connection to AD using a one-way trust. There is a domain user who is added to IPA via an ID view. The user is added to the AD group group1, which has two more nested groups, group2 and group3. Group3 is added as a mapping to an external group in FreeIPA and added to a local FreeIPA group.


This is probably more appropriate as an sssd ticket but let's see what @sbose thinks.

What provider are you using, ipa, ad or ldap?

Hi, I am using the IPA provider with a connection to AD via a one-way trust. Groups and accounts are stored in AD. Here is my sssd.conf from the IPA server:

[domain/ipadomain.local]

ldap_group_member = member
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipadomain.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.ipadomain.local
chpass_provider = ipa
ipa_server = ipa1.ipadomain.local
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_group_nesting_level = 3
debug_level = 9
ldap_use_tokengroups = True
ldap_schema = rfc2307bis

[domain/ipadomain.local/addomain.local]
ldap_group_nesting_level = 3

[sssd]
services = sudo, nss, ifp, pam, ssh
domains = ipadomain.local

[nss]
memcache_timeout = 600
homedir_substring = /home

[pam]
[sudo]

[autofs]

The sssd-ipa man page does not include ldap_group_nesting_level as an available option.

I agree, but this item is in /usr/share/sssd/sssd.api.d/sssd-ipa.conf in the [provider/ipa/id] subsection
And in /usr/share/sssd/sssd.api.d/sssd-ad.conf in the [provider/ad/id] subsection
Perhaps there is another regular way to change the depth of nesting of groups when searching in the catalog?

@sbose any comment from SSSD side? I don't think this has anything to do with IPA code. If there is any bug on SSSD side, the ticket should be opened there.

Hello team. I tried to create 4 local groups in IPA. I put them one into the other. Then I added a local account to one of these groups. Next, I returned the parameter ldap_group_nesting_level = 2 (the default value) in sssd.conf in the [domain/ipadomain.local] section. When I run the "id" command for this local account, I get all 4 nested groups in the output. And when I send a request to AD, I get only 2 nested groups, whatever value I set in the ldap_group_nesting_level parameter in the [domain/ipadomain.local/addomain.local] subsection. As I understand it, the value ldap_group_nesting_level = 2 implies a search in all nested groups. Then the question is how to remove the restriction on the level of nesting when searching in AD + one-way trusts?
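The check below is an added example, written for this page; it is not code from the ticket, from FreeIPA or from the SSSD project. It reads the ldap_group_nesting_level that is in effect for every [domain/...] section of an sssd.conf (falling back to the sssd-ldap(5) default of 2 when a section does not set it), and then compares the groups that `id` reports for a user against the groups you expect that user to be in, so the "group3 is missing" symptom from the ticket can be spotted mechanically after each config change and cache reset. The sssd.conf fragment and the `id` output line are constructed to mirror the ticket (the same section names, only group1 and group2 present); the uid/gid numbers are invented placeholders.

```python
import configparser
import re

# Constructed sssd.conf fragment mirroring the ticket's configuration (not the real file).
SAMPLE_SSSD_CONF = """
[domain/ipadomain.local]
id_provider = ipa
ipa_server_mode = True
ldap_use_tokengroups = True
ldap_group_nesting_level = 3

[domain/ipadomain.local/addomain.local]
ldap_group_nesting_level = 3

[sssd]
domains = ipadomain.local
"""

# Constructed `id` output for the trusted-domain user: only group1 and group2
# are present, which is the symptom described in the ticket. GIDs are placeholders.
SAMPLE_ID_OUTPUT = (
    "uid=1234567(user@addomain.local) gid=1234568(domain users@addomain.local) "
    "groups=1234568(domain users@addomain.local),1234569(group1@addomain.local),"
    "1234570(group2@addomain.local)"
)

DEFAULT_NESTING_LEVEL = 2  # default for ldap_group_nesting_level in sssd-ldap(5)


def nesting_levels(conf_text):
    """Return {section: ldap_group_nesting_level} for every [domain/...] section.

    Sections that do not set the option get the sssd default, so the caller sees
    the value that would actually be in effect for that section (including the
    trust subdomain sections such as [domain/ipa/ad]).
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    levels = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        levels[section] = parser.getint(
            section, "ldap_group_nesting_level", fallback=DEFAULT_NESTING_LEVEL
        )
    return levels


def parse_id_groups(id_output):
    """Extract the group names from a coreutils `id` line ("groups=gid(name),...")."""
    match = re.search(r"groups=(.*)$", id_output.strip())
    if not match:
        raise ValueError("no groups= field in id output")
    # Each entry looks like 1234569(group1@addomain.local); keep the name in parentheses.
    return set(re.findall(r"\d+\(([^)]*)\)", match.group(1)))


def missing_groups(id_output, expected):
    """Return the expected groups that `id` did not report, sorted for stable output."""
    present = parse_id_groups(id_output)
    return sorted(g for g in expected if g not in present)


if __name__ == "__main__":
    for section, level in nesting_levels(SAMPLE_SSSD_CONF).items():
        print(f"{section}: ldap_group_nesting_level = {level}")
    expected = ["group1@addomain.local", "group2@addomain.local", "group3@addomain.local"]
    print("missing:", missing_groups(SAMPLE_ID_OUTPUT, expected))
```

To use it against a live host, replace SAMPLE_SSSD_CONF with the contents of /etc/sssd/sssd.conf and SAMPLE_ID_OUTPUT with the output of `id user@addomain.local` after `systemctl restart sssd` and `sss_cache -E`; any group listed under "missing" is one that HBAC and sudo rules keyed on that group will not match for the user.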
