File 0032-ldap-ignore-unreadable-references.patch of Package sssd.30908
From 8b36d2e0225a4c5d7074692c6d3dede7a424a157 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <scabrero@suse.de> Date: Tue, 1 Feb 2022 13:14:41 +0100 Subject: [PATCH 1/4] Tests: Use group1_dom1-19661 in test_pysss_nss_idmap.py The group3_dom1-17775 group has a member referencing a user in a different domain, which will make the test fail in the following commits. Signed-off-by: Samuel Cabrero <scabrero@suse.de> Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit b67caf27b1fd147358c0d429456e9b0b6d74e718) --- src/tests/intg/test_pysss_nss_idmap.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/tests/intg/test_pysss_nss_idmap.py b/src/tests/intg/test_pysss_nss_idmap.py index aed2a8cf9..55b1923c6 100644 --- a/src/tests/intg/test_pysss_nss_idmap.py +++ b/src/tests/intg/test_pysss_nss_idmap.py @@ -225,9 +225,9 @@ def test_user_operations(ldap_conn, simple_ad): def test_group_operations(ldap_conn, simple_ad): - group = 'group3_dom1-17775' + group = 'group1_dom1-19661' group_id = grp.getgrnam(group).gr_gid - group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82764' + group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82810' output = pysss_nss_idmap.getsidbyname(group)[group] assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP -- 2.35.1 From 5efea7851ab1f0aacf7f3e1027475ad7fdf5f00a Mon Sep 17 00:00:00 2001 
From: Samuel Cabrero <scabrero@suse.de> Date: Thu, 3 Feb 2022 17:02:18 +0100 Subject: [PATCH 2/4] SDAP: Add 'ldap_ignore_unreadable_references' parameter When resolving a group using the AD provider it may happen sssd doesn't have permissions to read the entry referenced in the 'member' attribute, for example when the entry is located under a restricted LDAP sub-tree for security reasons. In this scenario, the sssd behavior is not consistent and depends on the ldap_deref_threshold parameter, that controls if an attribute scoped query (ASQ) will be used or if the group members will be searched individually. If an ASQ operation is issued, the operation will fail because the referenced entry can't be parsed and this can lead to missing groups and makes it impossible to use the group in simple access provider. On the other hand, when the group members are looked up individually sssd just ignores the unreadable entry. This patch adds a new parameter 'ldap_ignore_unreadable_references' to control if the current operation will fail when an unreadable entry is found or the entry will be ignored, regardless of whether sssd issued an ASQ or the members are looked up individually.
The issue can be replicated deploying this AD setup: CN=users,DC=aforest,DC=ad CN=g1,CN=users,DC=aforest,DC=ad member: CN=g2,CN=users,DC=aforest,DC=ad member: CN=g3,CN=users,DC=aforest,DC=ad member: CN=g4,CN=users,DC=aforest,DC=ad member: CN=g5,CN=users,DC=aforest,DC=ad member: CN=user1,CN=users,DC=aforest,DC=ad CN=g2,CN=users,DC=aforest,DC=ad member: CN=g3,CN=users,DC=aforest,DC=ad member: CN=g4,CN=users,DC=aforest,DC=ad member: CN=g5,CN=users,DC=aforest,DC=ad member: CN=user2,CN=users,DC=aforest,DC=ad memberOf: CN=g1,CN=users,DC=aforest,DC=ad CN=g3,CN=users,DC=aforest,DC=ad <-- Deny access to sssd account member: CN=g4,CN=users,DC=aforest,DC=ad member: CN=g5,CN=users,DC=aforest,DC=ad member: CN=user3,CN=users,DC=aforest,DC=ad memberOf: CN=g2,CN=users,DC=aforest,DC=ad memberOf: CN=g1,CN=users,DC=aforest,DC=ad CN=g4,CN=users,DC=aforest,DC=ad member: CN=g5,CN=users,DC=aforest,DC=ad member: CN=user5,CN=users,DC=aforest,DC=ad memberOf: CN=g3,CN=users,DC=aforest,DC=ad memberOf: CN=g2,CN=users,DC=aforest,DC=ad memberOf: CN=g1,CN=users,DC=aforest,DC=ad CN=g5,CN=users,DC=aforest,DC=ad member: CN=user5,CN=users,DC=aforest,DC=ad memberOf: CN=g4,CN=users,DC=aforest,DC=ad memberOf: CN=g3,CN=users,DC=aforest,DC=ad memberOf: CN=g2,CN=users,DC=aforest,DC=ad memberOf: CN=g1,CN=users,DC=aforest,DC=ad CN=user1,CN=users,DC=aforest,DC=ad memberOf: CN=g1,CN=users,DC=aforest,DC=ad CN=user2,CN=users,DC=aforest,DC=ad memberOf: CN=g2,CN=users,DC=aforest,DC=ad CN=user3,CN=users,DC=aforest,DC=ad memberOf: CN=g3,CN=users,DC=aforest,DC=ad CN=user4,CN=users,DC=aforest,DC=ad memberOf: CN=g4,CN=users,DC=aforest,DC=ad CN=user5,CN=users,DC=aforest,DC=ad memberOf: CN=g5,CN=users,DC=aforest,DC=ad And using this sssd.conf ------------------------------------------------------------------------------- [sssd] config_file_version = 2 services = nss, pam domains = aforest.ad [nss] [pam] [domain/aforest.ad] auth_provider = ad id_provider = ad access_provider = simple simple_allow_groups = g1 
ldap_deref_threshold = 1 debug_level = 10 ------------------------------------------------------------------------------- In this setup sssd can't resolve group 'g1' because it fails parsing one of the referenced members, 'g3': $> getent group g1 No output. $> id user5 uid=1862001108(user5) gid=1862000513(domain users) groups=1862000513(domain users),1862001111,18620011 When the group is used to filter access it does not work: ... [simple_access_check_send] (0x0200): [RID#7] Simple access check for user1@aforest.ad ... [simple_check_get_groups_send] (0x0400): [RID#7] Need to resolve 3 groups [sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [(&(objectSID=S-1-5-21-3230 ... [sdap_nested_group_hash_insert] (0x4000): [RID#8] Inserting [CN=g1,CN=Users,DC=aforest,DC=ad] into has [sdap_nested_group_process_send] (0x2000): [RID#8] About to process group [CN=g1,CN=Users,DC=aforest,D ... [sdap_nested_group_process_send] (0x0400): [RID#8] More members were missing than the deref threshold [sdap_nested_group_process_send] (0x2000): [RID#8] Looking up 2/5 members of group [CN=g1,CN=Users,DC= [sdap_nested_group_process_send] (0x2000): [RID#8] Dereferencing members of group [CN=g1,CN=Users,DC=a [sdap_deref_search_send] (0x2000): [RID#8] Server supports ASQ [sdap_asq_search_send] (0x0400): [RID#8] Dereferencing entry [CN=g1,CN=Users,DC=aforest,DC=ad] using A ... [sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [no filter][CN=g1,CN=Users, ... [sdap_process_message] (0x4000): [RID#8] Message type: [LDAP_RES_SEARCH_ENTRY] [sdap_asq_search_parse_entry] (0x0040): [RID#8] Unknown entry type, no objectClass found for DN [CN=g3 [sdap_get_generic_op_finished] (0x0020): [RID#8] reply parsing callback failed. 
[sdap_op_destructor] (0x1000): [RID#8] Abandoning operation 3 [generic_ext_search_handler] (0x0020): [RID#8] sdap_get_generic_ext_recv request failed: [22]: Invalid [sdap_deref_search_done] (0x0040): [RID#8] dereference processing failed [22]: Invalid argument [sdap_nested_group_deref_direct_done] (0x0020): [RID#8] Error processing direct membership [22]: Inval [sdap_nested_done] (0x0020): [RID#8] Nested group processing failed: [22][Invalid argument] ... [simple_resolve_group_done] (0x0080): [RID#8] Cannot refresh data from DP: 3,0: Group lookup failed ... [simple_check_get_groups_next] (0x2000): [RID#9] All groups resolved. Done. [simple_access_check_done] (0x0040): [RID#9] Could not collect groups of user user1@aforest.ad [simple_access_check_done] (0x0400): [RID#9] But no deny groups were defined so we can continue. [simple_check_groups] (0x4000): [RID#9] Checking against allow list group name [g1@aforest.ad]. [simple_access_check_done] (0x2000): [RID#9] Group check done [simple_access_check_recv] (0x1000): [RID#9] Access not granted ... Resolves: https://github.com/SSSD/sssd/issues/4893 Signed-off-by: Samuel Cabrero <scabrero@suse.de> Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 941418f436bbd3ce8bf7f70f4f0c872770869841) --- src/config/SSSDConfig/__init__.py.in | 1 + src/config/cfg_rules.ini | 1 + src/config/etc/sssd.api.d/sssd-ad.conf | 1 + src/config/etc/sssd.api.d/sssd-ipa.conf | 1 + src/config/etc/sssd.api.d/sssd-ldap.conf | 1 + src/man/sssd-ldap.5.xml | 23 +++++++++++++++++++++++ src/providers/ad/ad_opts.c | 1 + src/providers/ipa/ipa_opts.c | 1 + src/providers/ldap/ldap_opts.c | 1 + src/providers/ldap/sdap.h | 1 + 10 files changed, 32 insertions(+) diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 6e6073f1c..7c264e2fa 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in 
@@ -306,6 +306,7 @@ option_strings = { 'ldap_dns_service_name' : _('Service name for DNS service lookups'), 'ldap_page_size' : _('The number of records to retrieve in a single LDAP query'), 'ldap_deref_threshold' : _('The number of members that must be missing to trigger a full deref'), + 'ldap_ignore_unreadable_references': _('Ignore unreadable LDAP references'), 'ldap_sasl_canonicalize' : _('Whether the LDAP library should perform a reverse lookup to canonicalize the host name during a SASL bind'), 'ldap_entry_usn' : _('entryUSN attribute'), diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 1ac2d636c..c10239763 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -590,6 +590,7 @@ option = ldap_default_authtok_type option = ldap_default_bind_dn option = ldap_deref option = ldap_deref_threshold +option = ldap_ignore_unreadable_references option = ldap_disable_paging option = ldap_disable_range_retrieval option = ldap_dns_service_name diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf index 9c6c6daad..e523ed38d 100644 --- a/src/config/etc/sssd.api.d/sssd-ad.conf +++ b/src/config/etc/sssd.api.d/sssd-ad.conf @@ -57,6 +57,7 @@ ldap_dns_service_name = str, None, false ldap_deref = str, None, false ldap_page_size = int, None, false ldap_deref_threshold = int, None, false +ldap_ignore_unreadable_references = bool, None, false ldap_connection_expire_timeout = int, None, false ldap_disable_paging = bool, None, false krb5_confd_path = str, None, false diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf index ab9634c7a..3e6f39be8 100644 --- a/src/config/etc/sssd.api.d/sssd-ipa.conf +++ b/src/config/etc/sssd.api.d/sssd-ipa.conf 
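Review bot: The added `'ldap_ignore_unreadable_references': _('Ignore unreadable LDAP references'),` entry drops the space before the colon that every neighbouring entry in option_strings uses (`'ldap_deref_threshold' : _(...)`, `'ldap_sasl_canonicalize' : _(...)`). For consistency with the surrounding table write `'ldap_ignore_unreadable_references' : _('Ignore unreadable LDAP references'),`. The option_strings dict starts outside the hunk.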
@@ -50,6 +50,7 @@ ldap_dns_service_name = str, None, false ldap_deref = str, None, false ldap_page_size = int, None, false ldap_deref_threshold = int, None, false +ldap_ignore_unreadable_references = bool, None, false ldap_connection_expire_timeout = int, None, false ldap_disable_paging = bool, None, false krb5_confd_path = str, None, false diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf index 65b6407f6..f55c40e59 100644 --- a/src/config/etc/sssd.api.d/sssd-ldap.conf +++ b/src/config/etc/sssd.api.d/sssd-ldap.conf @@ -32,6 +32,7 @@ ldap_dns_service_name = str, None, false ldap_deref = str, None, false ldap_page_size = int, None, false ldap_deref_threshold = int, None, false +ldap_ignore_unreadable_references = bool, None, false ldap_sasl_canonicalize = bool, None, false ldap_sasl_minssf = int, None, false ldap_connection_expire_timeout = int, None, false diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index f7617670c..473cc1bba 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -1587,6 +1587,29 @@ </listitem> </varlistentry> + <varlistentry> + <term>ldap_ignore_unreadable_references (bool)</term> + <listitem> + <para> + Ignore unreadable LDAP entries referenced in + group's member attribute. If this parameter is set + to false an error will be returned and the + operation will fail instead of just ignoring the + unreadable entry. + </para> + <para> + This parameter may be useful when using the AD + provider and the computer account that sssd uses + to connect to AD does not have access to a + particular entry or LDAP sub-tree for security + reasons. + </para> + <para> + Default: False + </para> + </listitem> + </varlistentry> + <varlistentry> <term>ldap_tls_reqcert (string)</term> <listitem> diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c index d4fc811d9..cfebd771a 100644 --- a/src/providers/ad/ad_opts.c +++ b/src/providers/ad/ad_opts.c 
@@ -132,6 +132,7 @@ struct dp_option ad_def_ldap_opts[] = { { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER }, { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, + { "ldap_ignore_unreadable_references", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }, { "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c index 9419cdcc3..f293556ea 100644 --- a/src/providers/ipa/ipa_opts.c +++ b/src/providers/ipa/ipa_opts.c @@ -142,6 +142,7 @@ struct dp_option ipa_def_ldap_opts[] = { { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER }, { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, + { "ldap_ignore_unreadable_references", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }, { "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c index 8b82e92ee..969641f1f 100644 --- a/src/providers/ldap/ldap_opts.c +++ b/src/providers/ldap/ldap_opts.c 
@@ -103,6 +103,7 @@ struct dp_option default_basic_opts[] = { { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER }, { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, + { "ldap_ignore_unreadable_references", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }, { "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h index ecf9c4d2e..f60f428bc 100644 --- a/src/providers/ldap/sdap.h +++ b/src/providers/ldap/sdap.h @@ -216,6 +216,7 @@ enum sdap_basic_opt { SDAP_DISABLE_AUTH_TLS, SDAP_PAGE_SIZE, SDAP_DEREF_THRESHOLD, + SDAP_IGNORE_UNREADABLE_REFERENCES, SDAP_SASL_CANONICALIZE, SDAP_EXPIRE_TIMEOUT, SDAP_DISABLE_PAGING, -- 2.35.1 From d1f7375f57ef4a75d631d93be830ad51619f3703 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <scabrero@suse.de> Date: Wed, 1 Dec 2021 11:36:01 +0100 Subject: [PATCH 3/4] SDAP: Honor ldap_ignore_unreadable_references parameter Signed-off-by: Samuel Cabrero <scabrero@suse.de> Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 5c7fb41f3f1f4b1a1bbf7ddcb3d5b123ade0becb) --- src/providers/ldap/sdap_async.c | 24 ++++++++++++++++++- src/providers/ldap/sdap_async_nested_groups.c | 13 +++++++++- 2 files changed, 35 insertions(+), 2 deletions(-) diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c index 76cfce207..eaa8b62a6 100644 --- a/src/providers/ldap/sdap_async.c +++ b/src/providers/ldap/sdap_async.c @@ -1906,6 +1906,7 @@ struct sdap_x_deref_search_state { struct sdap_attr_map_info *maps; LDAPControl **ctrls; struct sdap_options *opts; + bool ldap_ignore_unreadable_references; struct sdap_deref_reply dreply; int num_maps; 
@@ -1940,6 +1941,9 @@ sdap_x_deref_search_send(TALLOC_CTX *memctx, struct tevent_context *ev, talloc_set_destructor((TALLOC_CTX *) state->ctrls, sdap_x_deref_search_ctrls_destructor); + state->ldap_ignore_unreadable_references = dp_opt_get_bool(opts->basic, + SDAP_IGNORE_UNREADABLE_REFERENCES); + ret = sdap_x_deref_create_control(sh, deref_attr, attrs, &state->ctrls[0]); if (ret != EOK) { @@ -2079,6 +2083,13 @@ static errno_t sdap_x_deref_parse_entry(struct sdap_handle *sh, ret = EOK; done: + if (ret != EOK && ret != ENOMEM) { + if (state->ldap_ignore_unreadable_references) { + DEBUG(SSSDBG_TRACE_FUNC, "Ignoring unreadable reference\n"); + ret = EOK; + } + } + talloc_zfree(tmp_ctx); ldap_controls_free(ctrls); ldap_derefresponse_free(deref_res); @@ -2328,6 +2339,7 @@ struct sdap_asq_search_state { int num_maps; LDAPControl **ctrls; struct sdap_options *opts; + bool ldap_ignore_unreadable_references; struct sdap_deref_reply dreply; }; @@ -2367,6 +2379,9 @@ sdap_asq_search_send(TALLOC_CTX *memctx, struct tevent_context *ev, talloc_set_destructor((TALLOC_CTX *) state->ctrls, sdap_asq_search_ctrls_destructor); + state->ldap_ignore_unreadable_references = dp_opt_get_bool(opts->basic, + SDAP_IGNORE_UNREADABLE_REFERENCES); + ret = sdap_asq_search_create_control(sh, deref_attr, &state->ctrls[0]); if (ret != EOK) { talloc_zfree(req); @@ -2441,7 +2456,7 @@ static errno_t sdap_asq_search_parse_entry(struct sdap_handle *sh, int num_attrs; struct sdap_deref_attrs **res; char *tmp; - char *dn; + char *dn = NULL; TALLOC_CTX *tmp_ctx; bool disable_range_rtrvl; @@ -2532,6 +2547,13 @@ static errno_t sdap_asq_search_parse_entry(struct sdap_handle *sh, ret = EOK; done: + if (ret != EOK && ret != ENOMEM) { + if (state->ldap_ignore_unreadable_references) { + DEBUG(SSSDBG_TRACE_FUNC, "Ignoring unreadable reference [%s]\n", + dn != NULL ? dn : "(null)"); + ret = EOK; + } + } talloc_zfree(tmp_ctx); return ret; } 
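Review bot: The new `done:` handling in sdap_x_deref_parse_entry and sdap_asq_search_parse_entry (hunks at -2079 and -2532) converts every failure except ENOMEM into EOK when the option is set, not only the unreadable-reference case, so presumably any earlier parse or control error in those functions is now swallowed as well. If the error produced by the unreadable entry can be recognised where it is detected (the "Unknown entry type" path shown in the commit log), narrowing the condition there would be safer than a blanket conversion at `done:`. Because a silently dropped member can change the outcome of group-based access checks, the trace-level message is easy to miss in ordinary logs; logging at `SSSDBG_MINOR_FAILURE` and, in the x_deref variant, including the DN as the ASQ variant already does would make the incomplete membership visible. Both parse functions begin outside their hunks.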
diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c index 055de29ca..0a69e96f4 100644 --- a/src/providers/ldap/sdap_async_nested_groups.c +++ b/src/providers/ldap/sdap_async_nested_groups.c @@ -1352,6 +1352,7 @@ struct sdap_nested_group_single_state { struct sysdb_attrs **nested_groups; int num_groups; + bool ignore_unreadable_references; }; static errno_t sdap_nested_group_single_step(struct tevent_req *req); @@ -1392,6 +1393,8 @@ sdap_nested_group_single_send(TALLOC_CTX *mem_ctx, goto immediately; } state->num_groups = 0; /* we will count exact number of the groups */ + state->ignore_unreadable_references = dp_opt_get_bool( + group_ctx->opts->basic, SDAP_IGNORE_UNREADABLE_REFERENCES); /* process each member individually */ ret = sdap_nested_group_single_step(req); @@ -1557,7 +1560,15 @@ sdap_nested_group_single_step_process(struct tevent_req *subreq) break; case SDAP_NESTED_GROUP_DN_UNKNOWN: - /* not found in users nor nested_groups, continue */ + if (state->ignore_unreadable_references) { + DEBUG(SSSDBG_TRACE_FUNC, "Ignoring unreadable reference [%s]\n", + state->current_member->dn); + } else { + DEBUG(SSSDBG_OP_FAILURE, "Unknown entry type [%s]!\n", + state->current_member->dn); + ret = EINVAL; + goto done; + } break; } -- 2.35.1 From eaf0e78ce36e99b21eece27e34da0e87d921f1ec Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <scabrero@suse.de> Date: Tue, 1 Feb 2022 18:10:23 +0100 Subject: [PATCH 4/4] Tests: Add a test for the ldap_ignore_unreadable_references parameter Signed-off-by: Samuel Cabrero <scabrero@suse.de> Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 57d6af2f292c02327e4edd9070d05191c9992d13) --- src/tests/intg/test_pysss_nss_idmap.py | 52 +++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 2 deletions(-) 
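Review bot: With the option left at its documented default of false, the new SDAP_NESTED_GROUP_DN_UNKNOWN branch returns EINVAL for the whole group lookup where the old code silently continued (`/* not found in users nor nested_groups, continue */`), so deployments that resolved such groups on the individual-lookup path will start failing after this update until they opt in. That matches the ASQ path and fails closed, which is the right default for access decisions, but the behaviour change under the default setting should be called out in the man page text and the changelog so administrators can attribute the new failure. The OP_FAILURE message names only the member DN; if the group being processed is reachable from state, adding it (e.g. `"Unknown entry type [%s] while processing group [%s]!\n"`) would make the log actionable. sdap_nested_group_single_step_process continues outside the hunk.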
diff --git a/src/tests/intg/test_pysss_nss_idmap.py b/src/tests/intg/test_pysss_nss_idmap.py index 55b1923c6..0fc237ed2 100644 --- a/src/tests/intg/test_pysss_nss_idmap.py +++ b/src/tests/intg/test_pysss_nss_idmap.py @@ -61,8 +61,13 @@ def ldap_conn(request, ad_inst): return ldap_conn -def format_basic_conf(ldap_conn): +def format_basic_conf(ldap_conn, ignore_unreadable_refs): """Format a basic SSSD configuration""" + + ignore_unreadable_refs_conf = "false" + if ignore_unreadable_refs: + ignore_unreadable_refs_conf = "true" + return unindent("""\ [sssd] domains = FakeAD @@ -90,6 +95,8 @@ def format_basic_conf(ldap_conn): ldap_id_mapping = true ldap_idmap_default_domain_sid = S-1-5-21-1305200397-2901131868-73388776 case_sensitive = False + + ldap_ignore_unreadable_references = {ignore_unreadable_refs_conf} """).format(**locals()) @@ -194,7 +201,7 @@ def sysdb_sed_domainid(domain_name, doamin_id): @pytest.fixture def simple_ad(request, ldap_conn): - conf = format_basic_conf(ldap_conn) + conf = format_basic_conf(ldap_conn, ignore_unreadable_refs=False) sysdb_sed_domainid("FakeAD", "S-1-5-21-1305200397-2901131868-73388776") create_conf_fixture(request, conf) 
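Review bot: `format_basic_conf` gains a required positional boolean, so any caller outside this hunk that still passes only `ldap_conn` breaks; a keyword-only default, `def format_basic_conf(ldap_conn, *, ignore_unreadable_refs=False):`, keeps existing callers working and matches how the patch's own call sites are written. The three-line true/false selection can be one expression, `ignore_unreadable_refs_conf = "true" if ignore_unreadable_refs else "false"`. format_basic_conf's body continues outside the hunk.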
@@ -267,3 +274,44 @@ def test_case_insensitive(ldap_conn, simple_ad): output = pysss_nss_idmap.getnamebysid(group_sid)[group_sid] assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP assert output[pysss_nss_idmap.NAME_KEY] == group.lower() + + +@pytest.fixture +def simple_ad_ignore_unrdbl_refs(request, ldap_conn): + conf = format_basic_conf(ldap_conn, ignore_unreadable_refs=True) + sysdb_sed_domainid("FakeAD", "S-1-5-21-1305200397-2901131868-73388776") + + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_ignore_unreadable_references(ldap_conn, simple_ad_ignore_unrdbl_refs): + group = 'group3_dom1-17775' + group_id = grp.getgrnam(group).gr_gid + group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82764' + + output = pysss_nss_idmap.getsidbyname(group)[group] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.SID_KEY] == group_sid + + output = pysss_nss_idmap.getsidbyid(group_id)[group_id] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.SID_KEY] == group_sid + + output = pysss_nss_idmap.getidbysid(group_sid)[group_sid] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.ID_KEY] == group_id + + output = pysss_nss_idmap.getnamebysid(group_sid)[group_sid] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.NAME_KEY] == group + + +def test_no_ignore_unreadable_references(ldap_conn, simple_ad): + group = 'group3_dom1-17775' + + # This group has a member attribute referencing to a user in other + # domain + with pytest.raises(KeyError): + grp.getgrnam(group) -- 2.35.1
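Review bot: `grp.getgrnam` raises KeyError for any name it cannot resolve, so test_no_ignore_unreadable_references would also pass if sssd were not serving the domain or the group data were missing; it proves the negative only because test_ignore_unreadable_references resolves the same group under the other fixture. A comment recording that dependency, `# Resolvable under simple_ad_ignore_unrdbl_refs; see test_ignore_unreadable_references`, would keep the two tests from drifting apart. simple_ad_ignore_unrdbl_refs duplicates simple_ad except for the flag; a parametrized fixture would avoid the copy.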