Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use the DN from existing entry when updating a cached group #7360

Closed
wants to merge 2 commits into from
Closed

Use the DN from existing entry when updating a cached group #7360

wants to merge 2 commits into from

Conversation

scabrero
Copy link
Contributor

@scabrero scabrero commented May 8, 2024
edited
Loading

I have found an issue where storing a group fails with:

[sdap_save_group] (0x0400): Processing group [email protected]
[sdap_check_ad_group_type] (0x4000): AD group [[email protected]] has type flags 0x80000002
[sdap_save_group] (0x0400): Storing info for group [email protected].
[sysdb_check_ts_cache] (0x2000): Cannot find TS cache entry for [[email protected],cn=groups,cn=example.com,cn=sysdb]: [2]: No such file or directory
[ldb] (0x4000): Entry not found ([email protected],cn=groups,cn=example.com,cn=sysdb)
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait from ldb_modify with LDB_WAIT_ALL: No such object (32)]
[sysdb_set_entry_attr] (0x0080): Cannot set attrs for [email protected],cn=groups,cn=example.com,cn=sysdb, 2 [No such file or directory]
[sysdb_store_group] (0x0400): Error: 2 (No such file or directory)
[sdap_store_group_with_gid] (0x0040): Could not store group [email protected]
[sdap_save_group] (0x0080): Could not store group with GID: [No such file or directory]
[sdap_save_group] (0x0080): Failed to save group [[email protected]]: [No such file or directory]

The entry exists in the cache, although with different capitalization:

dn: [email protected],cn=groups,cn=example.com,cn=sysdb
gidNumber: 123456
name: [email protected]
objectCategory: group
originalDN: CN=UPPERCASE,OU=xxx,OU=xxx,DC=example,DC=com
objectSIDString: S-1-5-21-1234567890-123456789-1234567890-123456
memberof: [email protected],cn=groups,cn=example.com,cn=sysdb
orig_member: CN=xxx,OU=xxx,OU=xxx,DC=example,DC=com
orig_member: CN=yyy,OU=xxx,OU=xxx,DC=example,DC=com
nameAlias: [email protected]
distinguishedName: [email protected],cn=groups,cn=example.com,cn=sysdb

The problem is in that sysdb_store_group() searches the group including nameAlias, but subsequent modification fails because the DN is built based on the given name which may differ in case.

IMO if the first search finds the entry, its DN must be used to modify it.

@alexey-tikhonov alexey-tikhonov added no-backport This should go to target branch only. Waiting for review labels May 9, 2024
pbrezina
pbrezina requested changes May 15, 2024
View reviewed changes
Copy link
Member

@pbrezina pbrezina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, thank you for your patch. See slight remark inside. Otherwise ack.

src/db/sysdb.h Outdated Show resolved Hide resolved
@alexey-tikhonov
Copy link
Member

Hi @scabrero,
could you please also rebase?

@scabrero scabrero force-pushed the scabrero-sysdb-group-add-use-dn branch from 715cafa to 27ad1f7 Compare May 16, 2024 09:20
@alexey-tikhonov alexey-tikhonov requested a review from pbrezina May 20, 2024 13:38
alexey-tikhonov
alexey-tikhonov reviewed May 20, 2024
View reviewed changes
src/db/sysdb_ops.c Outdated Show resolved Hide resolved
alexey-tikhonov
alexey-tikhonov reviewed May 20, 2024
View reviewed changes
src/db/sysdb_ops.c Outdated Show resolved Hide resolved
@alexey-tikhonov
Copy link
Member

Hi,

please see a couple of comments inline.

Additionally it feels inconsistent that sysdb_set_user_attr() keeps composing 'dn' internally while sysdb_set_group_attr() now takes it as an arg.

scabrero added 2 commits May 22, 2024 13:30
@scabrero
TESTS: Extend sysdb-tests to check case-insensitive store operations
e1b70e8 
If the domain is case insensitive then users and groups must be
correctly stored regardless name capitalization.

Signed-off-by: Samuel Cabrero <[email protected]>
@scabrero
SYSDB: Use SYSDB_NAME from cached entry when updating users and groups
517dcf2 
The sysdb_store_user() and sysdb_store_group() functinos search for the
entry by name to check if it is already cached. This search considers
SYSDB_ALIAS, added when the domain is case insensitive. If a matching
entry is found use its SYSDB_NAME instead of the passed name.

It may happen the group is stored in uppercase, but later some server
returns a memberOf attribute in lowercase. When updating the group to
add the memberships the first search will find the entry, but the modify
operation will fail as the group name in the built DN will differ in case.

Signed-off-by: Samuel Cabrero <[email protected]>
@scabrero scabrero force-pushed the scabrero-sysdb-group-add-use-dn branch from 27ad1f7 to 517dcf2 Compare May 22, 2024 12:10
@alexey-tikhonov
Copy link
Member

@pbrezina , please take a look at the latest version.

@alexey-tikhonov alexey-tikhonov added the Ready to push Ready to push label May 23, 2024
@pbrezina
Copy link
Member

Pushed PR: #7360

  • master
    • d2b734b - SYSDB: Use SYSDB_NAME from cached entry when updating users and groups
    • 85a238c - TESTS: Extend sysdb-tests to check case-insensitive store operations

@pbrezina pbrezina added Pushed and removed Accepted Ready to push Ready to push labels May 29, 2024
@pbrezina pbrezina closed this May 29, 2024
@alexey-tikhonov
Copy link
Member

2.9/2.9.4 backport - #7788

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexey-tikhonov alexey-tikhonov alexey-tikhonov approved these changes

@pbrezina pbrezina pbrezina approved these changes

Assignees

@pbrezina pbrezina

@alexey-tikhonov alexey-tikhonov

Labels
no-backport This should go to target branch only. Pushed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@scabrero @alexey-tikhonov @pbrezina