[SSSD] Re: Nested netgroups with IPA provider

On (10/11/16 13:57), Michal Židek wrote: > On 11/10/2016 12:29 PM, Jakub Hrozek wrote: >> On Thu, Nov 10, 2016 at 10:49:55AM +0100, Michal Židek wrote: >>> Hi, >>> >>> this is continuation of discussion about pull >>> request 51 and associated tickets. >>> >>> For context, see: >>> https://github.com/SSSD/sssd/pull/59 >>> https://fedorahosted.org/sssd/ticket/3159 >>> https://fedorahosted.org/sssd/ticket/3116 >>> >>> The FreeIPA UQE guys added upstream test for this issue >>> because we do not have upstream CI tests in SSSD with >>> IPA provider yet and this bug is not present in the >>> plain LDAP. >>> >>> We use hash tables to store members of netgroups while >>> processing netgroups (and creating the netgroup triples). >>> The netgroup names are lowercased before they are stored >>> in the hash table. The reason for this normalization is >>> unknown to me. >> >> I also don't know the reason behind this normalization. There is a >> comment above the code that lowercases the DN that says: >> 646 /* Transform the DN to lower case. >> 647 * this is important, as the member/memberof attributes >> 648 * have the value also in lower-case >> 649 */ >> >> But I really have no idea what this means. We're using SYSDB_NETGROUP_MEMBER, >> but we're storing names in that attribute and the IPA code lowercases >> original DNs, so I'm quite confused about it. >> >>> FreeIPA only creates lowercased netgroup >>> names, so lowercasing only affects the attribute name >>> (that is stored as prefix to the netgroup name in the hash table, >>> and maybe it can happen that the attribute name can be >>> stored in different cases at some point, which would >>> explain why we lower case it, however I was not able >>> to confirm if this is the case). >> >> I really think this is about the original DN values. This is what we >> enter: >> (gdb) p key.str >> "ipauniqueid=026e49e8-969d-11e6-a2f4-525400f6cf82,cn=ng,cn=alt,dc=ipa,dc=test" >> >>> >>> When we read the hash table, we do not lowercase the keys, >>> so the nested netgroups are not found and this is the >>> reason why the bug appears. The patch in PR 51 lower cases >>> the keys before reading the hash table and the bug does not >>> appear after that. Lukas thinks however that this is not >>> good approach, because there should be no need for the lower >>> casing in the first place. >>> >>> Patch that removes the lower casing before adding the keys >>> to htable should also fix the issue. I did not send the patch >>> with this approach, because I was not sure why the lowercasing >>> happens in the first place and I know that lowercasing is not >>> harmful for the IPA netgroups, so I find it safer to use >>> the approach in the PR 51 especially while we do not have good >>> code coverage for IPA provider, however as I mentioned in the >>> PR 51, I am looking for opinions on this. >> >> I'm fine with removing the lowercasing if this moves fixing the issue >> forward. > > I just quickly tried it without the lowercasing and it does work > for me. > awesome LS