URL:
https://github.com/freeipa/freeipa/pull/5860
Author: rcritten
Title: #5860: Don't return more attributes than requested from LDAP cache
Action: opened
PR body:
"""
On a hit in the LDAP cache the entire cached entry was returned.
This caused problems because more attributes could be returned
than requested.
The automember condition add/remove calls only request the
inclusive/exclusive rule attributes and loop over the returned
values to look for duplicates. This was failing because the queried
entry contains attributes that the candidate entry does not contain.
The automember code is:
old_entry = ldap.get_entry(dn, [attr])
for regex in old_entry.keys():
if not isinstance(entry_attrs[regex], (list, tuple)):
old_entry, returned from the cache, contained objectclass, cn,
description, etc. which don't exist in the candidate entry so
entry_attrs[regex] threw a KeyError.
Instead generate a new entry from the cache consisting of the
requested attributes only if all of the requested attributes are
cached.
Also be more careful when storing the attribbutes in the cache entry.
The returned attributes may not match the requested. So store the
attributes we actually have.
This issue was exposed by Ansible which maintains a larger and
longer-lived cache because commands are executed in the server context
one after another, giving the cache a chance to build up.
https://pagure.io/freeipa/issue/8897
Signed-off-by: Rob Crittenden <rcritten(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa
https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5860/head:pr5860
git checkout pr5860