A bunch of patches to be merged downstream to c8s #7706
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
To allow to lookup group memberships of other objects similar to user objects but with different attribute mappings, e.g. host objects in AD, a new option to provide an alternative attribute map is added. Resolves: SSSD#7590 Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Tomáš Halman <[email protected]> (cherry picked from commit 69f63f1) (cherry picked from commit 321ca19)
Use the default AD user attribute map to lookup the group membership of the AD host object. This should help to avoid issues if user attributes are overwritten in the user attribute map. Resolves: SSSD#7590 Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Tomáš Halman <[email protected]> (cherry picked from commit 5f5077a) (cherry picked from commit 2c23363)
SSSD does not handle the root user (UID==0) and treats all accounts with UID 0 as non-Posix accounts. The primary GID of those accounts is 0 as well and as a result for those accounts in MPG domains the check for a collisions of the primary GID should be skipped. The current code might e.g. cause issues during GPO evaluation when adding a host account into the cache which does not have any UID or GID set in AD and SSSD is configured to read UID and GID from AD. Resolves: SSSD#7451 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Tomáš Halman <[email protected]> (cherry picked from commit 986bb72) (cherry picked from commit d234cf5)
In case the LDAP server allows to run the extended operation to change a password even if an authenticated bind fails due to missing grace logins the new option 'exop_force' can be used to run the extended operation to change the password anyways. :config: Added `exop_force` value for configuration option `ldap_pwmodify_mode`. This can be used to force a password change even if no grace logins are left. Depending on the configuration of the LDAP server it might be expected that the password change will fail. (cherry picked from commit 72a7fd0) Reviewed-by: Justin Stephenson <[email protected]> (cherry picked from commit e3a3f44)
Addition to 718fed9 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Iker Pedrosa <[email protected]> (cherry picked from commit ab2671c) (cherry picked from commit 8dcf23f)
alexey-tikhonov
added
Waiting for review
Bugzilla
Trivial
no-backport
justin-stephenson
approved these changes
Nov 19, 2024
alexey-tikhonov
added
Accepted
Ready to push
|
Pushed PR: #7706
|
This was referenced Nov 21, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.