Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:Update
sssd.30906
0052-ldap-ignore-unreadable-references.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0052-ldap-ignore-unreadable-references.patch of Package sssd.30906
From 82ce4bf9db559848587a7cfa2109e044253e11ce Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <scabrero@suse.de> Date: Tue, 1 Feb 2022 13:14:41 +0100 Subject: [PATCH 1/4] Tests: Use group1_dom1-19661 in test_pysss_nss_idmap.py The group3_dom1-17775 group has a member referencing a user in a different domain, which will make the test fail in the following commits. Signed-off-by: Samuel Cabrero <scabrero@suse.de> Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit b67caf27b1fd147358c0d429456e9b0b6d74e718) --- src/tests/intg/test_pysss_nss_idmap.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/tests/intg/test_pysss_nss_idmap.py b/src/tests/intg/test_pysss_nss_idmap.py index 8d0d9b794..735994d0c 100644 --- a/src/tests/intg/test_pysss_nss_idmap.py +++ b/src/tests/intg/test_pysss_nss_idmap.py @@ -232,9 +232,9 @@ def test_user_operations(ldap_conn, simple_ad): def test_group_operations(ldap_conn, simple_ad): - group = 'group3_dom1-17775' + group = 'group1_dom1-19661' group_id = grp.getgrnam(group).gr_gid - group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82764' + group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82810' output = pysss_nss_idmap.getsidbyname(group)[group] assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP -- 2.35.1 From 1d52db0b59aabf19b792d9e5062daadf4697feee Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <scabrero@suse.de> Date: Thu, 3 Feb 2022 17:02:18 +0100 Subject: [PATCH 2/4] SDAP: Add 'ldap_ignore_unreadable_references' parameter When resolving a group using the AD provider it may happen sssd doesn't have permissions to read the entry referenced in the 'member' attribute, for example when the entry is located under a restricted LDAP sub-tree for security reasons. In this scenario, the sssd behavior is not consistent and depends on the ldap_deref_threshold parameter, that controls if an attribute scoped query (ASQ) will be used or if the group members will be searched individually. If an ASQ operation is issued, the operation will fail because the referenced entry can't be parsed and this can lead to missing groups and makes impossible to use the group in simple access provider. On the other hand, when the group members are looked up individually sssd just ignores the unreadable entry. This patch adds a new parameter 'ldap_ignore_unreadable_references' to control if the current operation will fail when an unreadable entry is found or the entry will be ignored, regardless if sssd issued an ASQ or the members are looked up individually. The issue can be replicated deploying this AD setup: CN=users,DC=aforest,DC=ad CN=g1,CN=users,DC=aforest,DC=ad member: CN=g2,CN=users,DC=aforest,DC=ad member: CN=g3,CN=users,DC=aforest,DC=ad member: CN=g4,CN=users,DC=aforest,DC=ad member: CN=g5,CN=users,DC=aforest,DC=ad member: CN=user1,CN=users,DC=aforest,DC=ad CN=g2,CN=users,DC=aforest,DC=ad member: CN=g3,CN=users,DC=aforest,DC=ad member: CN=g4,CN=users,DC=aforest,DC=ad member: CN=g5,CN=users,DC=aforest,DC=ad member: CN=user2,CN=users,DC=aforest,DC=ad memberOf: CN=g1,CN=users,DC=aforest,DC=ad CN=g3,CN=users,DC=aforest,DC=ad <-- Deny access to sssd account member: CN=g4,CN=users,DC=aforest,DC=ad member: CN=g5,CN=users,DC=aforest,DC=ad member: CN=user3,CN=users,DC=aforest,DC=ad memberOf: CN=g2,CN=users,DC=aforest,DC=ad memberOf: CN=g1,CN=users,DC=aforest,DC=ad CN=g4,CN=users,DC=aforest,DC=ad member: CN=g5,CN=users,DC=aforest,DC=ad member: CN=user5,CN=users,DC=aforest,DC=ad memberOf: CN=g3,CN=users,DC=aforest,DC=ad memberOf: CN=g2,CN=users,DC=aforest,DC=ad memberOf: CN=g1,CN=users,DC=aforest,DC=ad CN=g5,CN=users,DC=aforest,DC=ad member: CN=user5,CN=users,DC=aforest,DC=ad memberOf: CN=g4,CN=users,DC=aforest,DC=ad memberOf: CN=g3,CN=users,DC=aforest,DC=ad memberOf: CN=g2,CN=users,DC=aforest,DC=ad memberOf: CN=g1,CN=users,DC=aforest,DC=ad CN=user1,CN=users,DC=aforest,DC=ad memberOf: CN=g1,CN=users,DC=aforest,DC=ad CN=user2,CN=users,DC=aforest,DC=ad memberOf: CN=g2,CN=users,DC=aforest,DC=ad CN=user3,CN=users,DC=aforest,DC=ad memberOf: CN=g3,CN=users,DC=aforest,DC=ad CN=user4,CN=users,DC=aforest,DC=ad memberOf: CN=g4,CN=users,DC=aforest,DC=ad CN=user5,CN=users,DC=aforest,DC=ad memberOf: CN=g5,CN=users,DC=aforest,DC=ad And using this sssd.conf ------------------------------------------------------------------------------- [sssd] config_file_version = 2 services = nss, pam domains = aforest.ad [nss] [pam] [domain/aforest.ad] auth_provider = ad id_provider = ad access_provider = simple simple_allow_groups = g1 ldap_deref_threshold = 1 debug_level = 10 ------------------------------------------------------------------------------- In this setup sssd can't resolve group 'g1' because it fails parsing one of the referenced members, 'g3': $> getent group g1 No output. $> id user5 uid=1862001108(user5) gid=1862000513(domain users) groups=1862000513(domain users),1862001111,18620011 When the group is used to filter access it does not work: ... [simple_access_check_send] (0x0200): [RID#7] Simple access check for user1@aforest.ad ... [simple_check_get_groups_send] (0x0400): [RID#7] Need to resolve 3 groups [sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [(&(objectSID=S-1-5-21-3230 ... [sdap_nested_group_hash_insert] (0x4000): [RID#8] Inserting [CN=g1,CN=Users,DC=aforest,DC=ad] into has [sdap_nested_group_process_send] (0x2000): [RID#8] About to process group [CN=g1,CN=Users,DC=aforest,D ... [sdap_nested_group_process_send] (0x0400): [RID#8] More members were missing than the deref threshold [sdap_nested_group_process_send] (0x2000): [RID#8] Looking up 2/5 members of group [CN=g1,CN=Users,DC= [sdap_nested_group_process_send] (0x2000): [RID#8] Dereferencing members of group [CN=g1,CN=Users,DC=a [sdap_deref_search_send] (0x2000): [RID#8] Server supports ASQ [sdap_asq_search_send] (0x0400): [RID#8] Dereferencing entry [CN=g1,CN=Users,DC=aforest,DC=ad] using A ... [sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [no filter][CN=g1,CN=Users, ... [sdap_process_message] (0x4000): [RID#8] Message type: [LDAP_RES_SEARCH_ENTRY] [sdap_asq_search_parse_entry] (0x0040): [RID#8] Unknown entry type, no objectClass found for DN [CN=g3 [sdap_get_generic_op_finished] (0x0020): [RID#8] reply parsing callback failed. [sdap_op_destructor] (0x1000): [RID#8] Abandoning operation 3 [generic_ext_search_handler] (0x0020): [RID#8] sdap_get_generic_ext_recv request failed: [22]: Invalid [sdap_deref_search_done] (0x0040): [RID#8] dereference processing failed [22]: Invalid argument [sdap_nested_group_deref_direct_done] (0x0020): [RID#8] Error processing direct membership [22]: Inval [sdap_nested_done] (0x0020): [RID#8] Nested group processing failed: [22][Invalid argument] ... [simple_resolve_group_done] (0x0080): [RID#8] Cannot refresh data from DP: 3,0: Group lookup failed ... [simple_check_get_groups_next] (0x2000): [RID#9] All groups resolved. Done. [simple_access_check_done] (0x0040): [RID#9] Could not collect groups of user user1@aforest.ad [simple_access_check_done] (0x0400): [RID#9] But no deny groups were defined so we can continue. [simple_check_groups] (0x4000): [RID#9] Checking against allow list group name [g1@aforest.ad]. [simple_access_check_done] (0x2000): [RID#9] Group check done [simple_access_check_recv] (0x1000): [RID#9] Access not granted ... Resolves: https://github.com/SSSD/sssd/issues/4893 Signed-off-by: Samuel Cabrero <scabrero@suse.de> Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 941418f436bbd3ce8bf7f70f4f0c872770869841) --- src/config/SSSDConfig/__init__.py.in | 1 + src/config/cfg_rules.ini | 1 + src/config/etc/sssd.api.d/sssd-ad.conf | 1 + src/config/etc/sssd.api.d/sssd-ipa.conf | 1 + src/config/etc/sssd.api.d/sssd-ldap.conf | 1 + src/man/sssd-ldap.5.xml | 23 +++++++++++++++++++++++ src/providers/ad/ad_opts.c | 1 + src/providers/ipa/ipa_opts.c | 1 + src/providers/ldap/ldap_opts.c | 1 + src/providers/ldap/sdap.h | 1 + 10 files changed, 32 insertions(+) diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 8b34acf6f..222d751fe 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -308,6 +308,7 @@ option_strings = { 'ldap_dns_service_name' : _('Service name for DNS service lookups'), 'ldap_page_size' : _('The number of records to retrieve in a single LDAP query'), 'ldap_deref_threshold' : _('The number of members that must be missing to trigger a full deref'), + 'ldap_ignore_unreadable_references': _('Ignore unreadable LDAP references'), 'ldap_sasl_canonicalize' : _('Whether the LDAP library should perform a reverse lookup to canonicalize the host name during a SASL bind'), 'ldap_entry_usn' : _('entryUSN attribute'), diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 074169389..77170e43e 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -593,6 +593,7 @@ option = ldap_default_authtok_type option = ldap_default_bind_dn option = ldap_deref option = ldap_deref_threshold +option = ldap_ignore_unreadable_references option = ldap_disable_paging option = ldap_disable_range_retrieval option = ldap_dns_service_name diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf index 41bbd2014..5be7f6bb2 100644 --- a/src/config/etc/sssd.api.d/sssd-ad.conf +++ b/src/config/etc/sssd.api.d/sssd-ad.conf @@ -59,6 +59,7 @@ ldap_dns_service_name = str, None, false ldap_deref = str, None, false ldap_page_size = int, None, false ldap_deref_threshold = int, None, false +ldap_ignore_unreadable_references = bool, None, false ldap_connection_expire_timeout = int, None, false ldap_disable_paging = bool, None, false krb5_confd_path = str, None, false diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf index 427559f5d..583439a36 100644 --- a/src/config/etc/sssd.api.d/sssd-ipa.conf +++ b/src/config/etc/sssd.api.d/sssd-ipa.conf @@ -51,6 +51,7 @@ ldap_dns_service_name = str, None, false ldap_deref = str, None, false ldap_page_size = int, None, false ldap_deref_threshold = int, None, false +ldap_ignore_unreadable_references = bool, None, false ldap_connection_expire_timeout = int, None, false ldap_disable_paging = bool, None, false krb5_confd_path = str, None, false diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf index bd6cc7d7f..995014402 100644 --- a/src/config/etc/sssd.api.d/sssd-ldap.conf +++ b/src/config/etc/sssd.api.d/sssd-ldap.conf @@ -32,6 +32,7 @@ ldap_dns_service_name = str, None, false ldap_deref = str, None, false ldap_page_size = int, None, false ldap_deref_threshold = int, None, false +ldap_ignore_unreadable_references = bool, None, false ldap_sasl_canonicalize = bool, None, false ldap_sasl_minssf = int, None, false ldap_sasl_maxssf = int, None, false diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index a0f64cbfd..77ef0aa42 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -1603,6 +1603,29 @@ </listitem> </varlistentry> + <varlistentry> + <term>ldap_ignore_unreadable_references (bool)</term> + <listitem> + <para> + Ignore unreadable LDAP entries referenced in + group's member attribute. If this parameter is set + to false an error will be returned and the + operation will fail instead of just ignoring the + unreadable entry. + </para> + <para> + This parameter may be useful when using the AD + provider and the computer account that sssd uses + to connect to AD does not have access to a + particular entry or LDAP sub-tree for security + reasons. + </para> + <para> + Default: False + </para> + </listitem> + </varlistentry> + <varlistentry> <term>ldap_tls_reqcert (string)</term> <listitem> diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c index 395d3fd58..c2e517152 100644 --- a/src/providers/ad/ad_opts.c +++ b/src/providers/ad/ad_opts.c @@ -134,6 +134,7 @@ struct dp_option ad_def_ldap_opts[] = { { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER }, { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, + { "ldap_ignore_unreadable_references", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }, { "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c index 82b2f6312..49da52e05 100644 --- a/src/providers/ipa/ipa_opts.c +++ b/src/providers/ipa/ipa_opts.c @@ -143,6 +143,7 @@ struct dp_option ipa_def_ldap_opts[] = { { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER }, { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, + { "ldap_ignore_unreadable_references", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }, { "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c index b63f0a3a5..6b711f665 100644 --- a/src/providers/ldap/ldap_opts.c +++ b/src/providers/ldap/ldap_opts.c @@ -104,6 +104,7 @@ struct dp_option default_basic_opts[] = { { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER }, { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, + { "ldap_ignore_unreadable_references", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }, { "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h index 6c6e5d770..be559b977 100644 --- a/src/providers/ldap/sdap.h +++ b/src/providers/ldap/sdap.h @@ -217,6 +217,7 @@ enum sdap_basic_opt { SDAP_DISABLE_AUTH_TLS, SDAP_PAGE_SIZE, SDAP_DEREF_THRESHOLD, + SDAP_IGNORE_UNREADABLE_REFERENCES, SDAP_SASL_CANONICALIZE, SDAP_EXPIRE_TIMEOUT, SDAP_DISABLE_PAGING, -- 2.35.1 From 397cef9230a3a7025be6cd8897352775629e9510 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <scabrero@suse.de> Date: Wed, 1 Dec 2021 11:36:01 +0100 Subject: [PATCH 3/4] SDAP: Honor ldap_ignore_unreadable_references parameter Signed-off-by: Samuel Cabrero <scabrero@suse.de> Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 5c7fb41f3f1f4b1a1bbf7ddcb3d5b123ade0becb) --- src/providers/ldap/sdap_async.c | 24 ++++++++++++++++++- src/providers/ldap/sdap_async_nested_groups.c | 13 +++++++++- 2 files changed, 35 insertions(+), 2 deletions(-) diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c index 76cfce207..eaa8b62a6 100644 --- a/src/providers/ldap/sdap_async.c +++ b/src/providers/ldap/sdap_async.c @@ -1906,6 +1906,7 @@ struct sdap_x_deref_search_state { struct sdap_attr_map_info *maps; LDAPControl **ctrls; struct sdap_options *opts; + bool ldap_ignore_unreadable_references; struct sdap_deref_reply dreply; int num_maps; @@ -1940,6 +1941,9 @@ sdap_x_deref_search_send(TALLOC_CTX *memctx, struct tevent_context *ev, talloc_set_destructor((TALLOC_CTX *) state->ctrls, sdap_x_deref_search_ctrls_destructor); + state->ldap_ignore_unreadable_references = dp_opt_get_bool(opts->basic, + SDAP_IGNORE_UNREADABLE_REFERENCES); + ret = sdap_x_deref_create_control(sh, deref_attr, attrs, &state->ctrls[0]); if (ret != EOK) { @@ -2079,6 +2083,13 @@ static errno_t sdap_x_deref_parse_entry(struct sdap_handle *sh, ret = EOK; done: + if (ret != EOK && ret != ENOMEM) { + if (state->ldap_ignore_unreadable_references) { + DEBUG(SSSDBG_TRACE_FUNC, "Ignoring unreadable reference\n"); + ret = EOK; + } + } + talloc_zfree(tmp_ctx); ldap_controls_free(ctrls); ldap_derefresponse_free(deref_res); @@ -2328,6 +2339,7 @@ struct sdap_asq_search_state { int num_maps; LDAPControl **ctrls; struct sdap_options *opts; + bool ldap_ignore_unreadable_references; struct sdap_deref_reply dreply; }; @@ -2367,6 +2379,9 @@ sdap_asq_search_send(TALLOC_CTX *memctx, struct tevent_context *ev, talloc_set_destructor((TALLOC_CTX *) state->ctrls, sdap_asq_search_ctrls_destructor); + state->ldap_ignore_unreadable_references = dp_opt_get_bool(opts->basic, + SDAP_IGNORE_UNREADABLE_REFERENCES); + ret = sdap_asq_search_create_control(sh, deref_attr, &state->ctrls[0]); if (ret != EOK) { talloc_zfree(req); @@ -2441,7 +2456,7 @@ static errno_t sdap_asq_search_parse_entry(struct sdap_handle *sh, int num_attrs; struct sdap_deref_attrs **res; char *tmp; - char *dn; + char *dn = NULL; TALLOC_CTX *tmp_ctx; bool disable_range_rtrvl; @@ -2532,6 +2547,13 @@ static errno_t sdap_asq_search_parse_entry(struct sdap_handle *sh, ret = EOK; done: + if (ret != EOK && ret != ENOMEM) { + if (state->ldap_ignore_unreadable_references) { + DEBUG(SSSDBG_TRACE_FUNC, "Ignoring unreadable reference [%s]\n", + dn != NULL ? dn : "(null)"); + ret = EOK; + } + } talloc_zfree(tmp_ctx); return ret; } diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c index 055de29ca..0a69e96f4 100644 --- a/src/providers/ldap/sdap_async_nested_groups.c +++ b/src/providers/ldap/sdap_async_nested_groups.c @@ -1352,6 +1352,7 @@ struct sdap_nested_group_single_state { struct sysdb_attrs **nested_groups; int num_groups; + bool ignore_unreadable_references; }; static errno_t sdap_nested_group_single_step(struct tevent_req *req); @@ -1392,6 +1393,8 @@ sdap_nested_group_single_send(TALLOC_CTX *mem_ctx, goto immediately; } state->num_groups = 0; /* we will count exact number of the groups */ + state->ignore_unreadable_references = dp_opt_get_bool( + group_ctx->opts->basic, SDAP_IGNORE_UNREADABLE_REFERENCES); /* process each member individually */ ret = sdap_nested_group_single_step(req); @@ -1557,7 +1560,15 @@ sdap_nested_group_single_step_process(struct tevent_req *subreq) break; case SDAP_NESTED_GROUP_DN_UNKNOWN: - /* not found in users nor nested_groups, continue */ + if (state->ignore_unreadable_references) { + DEBUG(SSSDBG_TRACE_FUNC, "Ignoring unreadable reference [%s]\n", + state->current_member->dn); + } else { + DEBUG(SSSDBG_OP_FAILURE, "Unknown entry type [%s]!\n", + state->current_member->dn); + ret = EINVAL; + goto done; + } break; } -- 2.35.1 From 73ccfd2c605363572d54d6cad949d18913803843 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <scabrero@suse.de> Date: Tue, 1 Feb 2022 18:10:23 +0100 Subject: [PATCH 4/4] Tests: Add a test for the ldap_ignore_unreadable_references parameter Signed-off-by: Samuel Cabrero <scabrero@suse.de> Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 57d6af2f292c02327e4edd9070d05191c9992d13) --- src/tests/intg/test_pysss_nss_idmap.py | 52 +++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 2 deletions(-) diff --git a/src/tests/intg/test_pysss_nss_idmap.py b/src/tests/intg/test_pysss_nss_idmap.py index 735994d0c..4c6cd9000 100644 --- a/src/tests/intg/test_pysss_nss_idmap.py +++ b/src/tests/intg/test_pysss_nss_idmap.py @@ -61,8 +61,13 @@ def ldap_conn(request, ad_inst): return ldap_conn -def format_basic_conf(ldap_conn): +def format_basic_conf(ldap_conn, ignore_unreadable_refs): """Format a basic SSSD configuration""" + + ignore_unreadable_refs_conf = "false" + if ignore_unreadable_refs: + ignore_unreadable_refs_conf = "true" + return unindent("""\ [sssd] domains = FakeAD @@ -90,6 +95,8 @@ def format_basic_conf(ldap_conn): ldap_id_mapping = true ldap_idmap_default_domain_sid = S-1-5-21-1305200397-2901131868-73388776 case_sensitive = False + + ldap_ignore_unreadable_references = {ignore_unreadable_refs_conf} """).format(**locals()) @@ -194,7 +201,7 @@ def sysdb_sed_domainid(domain_name, doamin_id): @pytest.fixture def simple_ad(request, ldap_conn): - conf = format_basic_conf(ldap_conn) + conf = format_basic_conf(ldap_conn, ignore_unreadable_refs=False) sysdb_sed_domainid("FakeAD", "S-1-5-21-1305200397-2901131868-73388776") create_conf_fixture(request, conf) @@ -288,3 +295,44 @@ def test_case_insensitive(ldap_conn, simple_ad): output = pysss_nss_idmap.getnamebysid(group_sid)[group_sid] assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP assert output[pysss_nss_idmap.NAME_KEY] == group.lower() + + +@pytest.fixture +def simple_ad_ignore_unrdbl_refs(request, ldap_conn): + conf = format_basic_conf(ldap_conn, ignore_unreadable_refs=True) + sysdb_sed_domainid("FakeAD", "S-1-5-21-1305200397-2901131868-73388776") + + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_ignore_unreadable_references(ldap_conn, simple_ad_ignore_unrdbl_refs): + group = 'group3_dom1-17775' + group_id = grp.getgrnam(group).gr_gid + group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82764' + + output = pysss_nss_idmap.getsidbyname(group)[group] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.SID_KEY] == group_sid + + output = pysss_nss_idmap.getsidbyid(group_id)[group_id] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.SID_KEY] == group_sid + + output = pysss_nss_idmap.getidbysid(group_sid)[group_sid] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.ID_KEY] == group_id + + output = pysss_nss_idmap.getnamebysid(group_sid)[group_sid] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.NAME_KEY] == group + + +def test_no_ignore_unreadable_references(ldap_conn, simple_ad): + group = 'group3_dom1-17775' + + # This group has a member attribute referencing to a user in other + # domain + with pytest.raises(KeyError): + grp.getgrnam(group) -- 2.35.1
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
