https://fedorahosted.org/sssd/ticket/2471
AFAIK all group objects in IPA have the ipaUserGroup object class, so it should be general enough to cover all types of groups but exclude roles.
On Fri, Oct 31, 2014 at 02:36:54PM +0100, Pavel Březina wrote:
> https://fedorahosted.org/sssd/ticket/2471
> AFAIK all group objects in IPA have the ipaUserGroup object class, so it should be general enough to cover all types of groups but exclude roles.

Are you sure, even with non-POSIX groups, POSIX groups and user private groups? (I haven't tested all three, I'm mostly asking.)
On 10/31/2014 02:41 PM, Jakub Hrozek wrote:
> On Fri, Oct 31, 2014 at 02:36:54PM +0100, Pavel Březina wrote:
>> https://fedorahosted.org/sssd/ticket/2471
>> AFAIK all group objects in IPA have the ipaUserGroup object class, so it should be general enough to cover all types of groups but exclude roles.
>
> Are you sure, even with non-POSIX groups, POSIX groups and user private groups? (I haven't tested all three, I'm mostly asking.)

Non-POSIX, POSIX and external groups have the oc ipaUserGroup; user private groups have the oc posixGroup, which is still used as an alternative oc for groups since
6f91c61426c8cfbfec52d5e77ae4650007694e69 Add alternative objectClass to group attribute maps
On Fri, 31 Oct 2014, Jakub Hrozek wrote:
> On Fri, Oct 31, 2014 at 02:36:54PM +0100, Pavel Březina wrote:
>> https://fedorahosted.org/sssd/ticket/2471
>> AFAIK all group objects in IPA have the ipaUserGroup object class, so it should be general enough to cover all types of groups but exclude roles.
>
> Are you sure, even with non-POSIX groups, POSIX groups and user private groups? (I haven't tested all three, I'm mostly asking.)

External groups use the ipaUserGroup+ipaObject+nestedGroup (and a few more) object classes. However, UPGs don't use ipaUserGroup, they use posixGroup+ipaObject:

dn: cn=foobar2,cn=groups,cn=accounts,dc=ipacloud,dc=test
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: foobar2
gidNumber: 242800005
description: User private group for foobar2
mepManagedBy: uid=foobar2,cn=users,cn=accounts,dc=ipacloud,dc=test
ipaUniqueID: 1740bb50-6105-11e4-8e75-545200f9718b
On Fri, Oct 31, 2014 at 03:55:53PM +0200, Alexander Bokovoy wrote:
> On Fri, 31 Oct 2014, Jakub Hrozek wrote:
>> On Fri, Oct 31, 2014 at 02:36:54PM +0100, Pavel Březina wrote:
>>> https://fedorahosted.org/sssd/ticket/2471
>>> AFAIK all group objects in IPA have the ipaUserGroup object class, so it should be general enough to cover all types of groups but exclude roles.
>>
>> Are you sure, even with non-POSIX groups, POSIX groups and user private groups? (I haven't tested all three, I'm mostly asking.)
>
> External groups use the ipaUserGroup+ipaObject+nestedGroup (and a few more) object classes. However, UPGs don't use ipaUserGroup, they use posixGroup+ipaObject:

Right, currently SSSD supports looking up entries by "objectClass" and "alternative objectClass". The latter is currently only used for UPGs.

This is how the two OCs look after Pavel's patch:

    { "ldap_group_object_class", "ipaUserGroup", SYSDB_GROUP_CLASS, NULL },
    { "ldap_group_object_class_alt", "posixGroup", SYSDB_GROUP_CLASS, NULL },

The filter ORs the two entries.

> dn: cn=foobar2,cn=groups,cn=accounts,dc=ipacloud,dc=test
> objectClass: posixgroup
> objectClass: ipaobject
> objectClass: mepManagedEntry
> objectClass: top
> cn: foobar2
> gidNumber: 242800005
> description: User private group for foobar2
> mepManagedBy: uid=foobar2,cn=users,cn=accounts,dc=ipacloud,dc=test
> ipaUniqueID: 1740bb50-6105-11e4-8e75-545200f9718b
>
> --
> / Alexander Bokovoy
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
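The two points made above (Pavel: UPGs only carry posixGroup, so the alternative object class is still needed; Jakub: the primary and alternative classes are ORed into one filter) can be checked against the LDIF entry Alexander posted. The following is an added illustration, not SSSD code: a minimal LDIF reader plus a tiny evaluator for the equality/OR subset of LDAP search filters, run over three constructed entries. The foobar2 entry is the one from this thread; the admins group and the helpdesk role are hypothetical entries built to stand in for a regular POSIX group and for a role object (which carries groupOfNames but not ipaUserGroup, as the patch description states). Comparison of objectClass values is done case-insensitively, since the server returns `posixgroup` while the map says `posixGroup`.

```python
"""Added illustration (not SSSD code): how ldap_group_object_class and
ldap_group_object_class_alt combine into one OR filter, and which IPA entries
that filter selects before and after the ipaUserGroup change."""
from typing import Dict, List, Optional, Tuple

# Constructed sample directory in LDIF form. foobar2 is the user private
# group posted in the thread; admins and helpdesk are hypothetical entries
# standing in for a regular POSIX group and for a role (groupOfNames only).
SAMPLE_LDIF = """\
dn: cn=foobar2,cn=groups,cn=accounts,dc=ipacloud,dc=test
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: foobar2
gidNumber: 242800005
description: User private group for foobar2
mepManagedBy: uid=foobar2,cn=users,cn=accounts,dc=ipacloud,dc=test
ipaUniqueID: 1740bb50-6105-11e4-8e75-545200f9718b

dn: cn=admins,cn=groups,cn=accounts,dc=ipacloud,dc=test
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
cn: admins
gidNumber: 242800000

dn: cn=helpdesk,cn=roles,cn=accounts,dc=ipacloud,dc=test
objectClass: groupofnames
objectClass: nestedgroup
objectClass: top
cn: helpdesk
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries are separated by a blank line and each
    line is 'attr: value'. Attribute names are case-insensitive in LDAP,
    so they are stored lowercased; values are kept as returned."""
    entries: List[Entry] = []
    for block in text.strip().split("\n\n"):
        entry: Entry = {}
        for line in block.splitlines():
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries


def group_filter(oc: str, oc_alt: Optional[str]) -> str:
    """Build the search filter the way the two attribute-map entries combine:
    a single objectClass test, or an OR of the primary and alternative class."""
    if oc_alt is None:
        return f"(objectClass={oc})"
    return f"(|(objectClass={oc})(objectClass={oc_alt}))"


def parse_filter(text: str, pos: int = 0) -> Tuple[tuple, int]:
    """Recursive-descent parser for the RFC 4515 subset needed here:
    equality matches and '|' / '&' lists. Returns (node, next position)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] in "|&":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        return (op, children), pos + 1  # skip the list's closing ')'
    end = text.index(")", pos)
    attr, value = text[pos:end].split("=", 1)
    # objectClass values match case-insensitively ('posixgroup' in the entry
    # versus 'posixGroup' in SSSD's map), so normalise both sides to lowercase.
    return ("=", attr.lower(), value.lower()), end + 1


def matches(entry: Entry, node: tuple) -> bool:
    """Evaluate a parsed filter node against one entry."""
    kind = node[0]
    if kind == "=":
        return node[2] in [v.lower() for v in entry.get(node[1], [])]
    if kind == "|":
        return any(matches(entry, child) for child in node[1])
    return all(matches(entry, child) for child in node[1])


def select_groups(ldif_text: str, oc: str, oc_alt: Optional[str]) -> List[str]:
    """Return the DNs SSSD would treat as groups with the given map entries."""
    node, _ = parse_filter(group_filter(oc, oc_alt))
    return [e["dn"][0] for e in parse_ldif(ldif_text) if matches(e, node)]


if __name__ == "__main__":
    # Before the patch: groupOfNames + alt posixGroup also pulls in the role.
    print("groupOfNames:", select_groups(SAMPLE_LDIF, "groupOfNames", "posixGroup"))
    # After the patch: ipaUserGroup + alt posixGroup keeps the UPG, drops the role.
    print("ipaUserGroup:", select_groups(SAMPLE_LDIF, "ipaUserGroup", "posixGroup"))
    # Without the alternative class the user private group would be lost too.
    print("no alt:      ", select_groups(SAMPLE_LDIF, "ipaUserGroup", None))
```

Running it shows the three cases the thread discusses: with groupOfNames as primary class the helpdesk role is selected as a group (the initgroups bug from the ticket), with ipaUserGroup it is not, and dropping the alternative posixGroup class would silently lose the user private group.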
On Fri, Oct 31, 2014 at 02:36:54PM +0100, Pavel Březina wrote:
> https://fedorahosted.org/sssd/ticket/2471
> AFAIK all group objects in IPA have the ipaUserGroup object class, so it should be general enough to cover all types of groups but exclude roles.
>
> From cf85760923a112687bfbabbcc487851f627de73f Mon Sep 17 00:00:00 2001
> From: Pavel Březina <pbrezina@redhat.com>
> Date: Fri, 31 Oct 2014 14:26:30 +0100
> Subject: [PATCH] IPA: use ipaUserGroup object class for groups
>
> dfb34c6c82ed5014599bf70de6791e6d79106fc2 changed the object class of IPA groups from posixGroup to the more general groupOfNames. However, this object class is also used for roles, permissions and privileges, which caused SSSD to consider those objects to be groups as well during initgroups.
>
> POSIX, non-POSIX and user-private groups still work fine.
ACK
src/providers/ipa/ipa_opts.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h index 4785e0164bf6d9efb574a8703b573f4e8086cab6..0e0eed49cd397fe88ce7bf41579c066088947d04 100644 --- a/src/providers/ipa/ipa_opts.h +++ b/src/providers/ipa/ipa_opts.h @@ -205,7 +205,7 @@ struct sdap_attr_map ipa_user_map[] = { };
struct sdap_attr_map ipa_group_map[] = {
- { "ldap_group_object_class", "groupOfNames", SYSDB_GROUP_CLASS, NULL },
- { "ldap_group_object_class", "ipaUserGroup", SYSDB_GROUP_CLASS, NULL }, { "ldap_group_object_class_alt", "posixGroup", SYSDB_GROUP_CLASS, NULL }, { "ldap_group_name", "cn", SYSDB_NAME, NULL }, { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
-- 1.7.11.7
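Review bot: the hunk swaps groupOfNames for ipaUserGroup in ipa_group_map but leaves no trace in the file of why groupOfNames was rejected or why posixGroup must stay as ldap_group_object_class_alt; the reasoning only lives in the commit message (groupOfNames is shared with roles, permissions and privileges; posixGroup is what user private groups carry), so a one-line comment above the two entries would keep it next to the code. Since the message asserts that POSIX, non-POSIX and user-private groups "still work fine", it would also be worth pairing the change with a test that a groupOfNames-only entry such as a role is no longer stored as a group while a posixGroup-only UPG still is, so the next objectclass adjustment cannot reintroduce the regression from ticket 2471 unnoticed.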
On Wed, Nov 05, 2014 at 01:46:28PM +0100, Jakub Hrozek wrote:
> On Fri, Oct 31, 2014 at 02:36:54PM +0100, Pavel Březina wrote:
>> https://fedorahosted.org/sssd/ticket/2471
>> AFAIK all group objects in IPA have the ipaUserGroup object class, so it should be general enough to cover all types of groups but exclude roles.
>>
>> From cf85760923a112687bfbabbcc487851f627de73f Mon Sep 17 00:00:00 2001
>> From: Pavel Březina <pbrezina@redhat.com>
>> Date: Fri, 31 Oct 2014 14:26:30 +0100
>> Subject: [PATCH] IPA: use ipaUserGroup object class for groups
>>
>> dfb34c6c82ed5014599bf70de6791e6d79106fc2 changed the object class of IPA groups from posixGroup to the more general groupOfNames. However, this object class is also used for roles, permissions and privileges, which caused SSSD to consider those objects to be groups as well during initgroups.
>>
>> POSIX, non-POSIX and user-private groups still work fine.
>
> ACK

* master: 3937736546e2a4b7cccc58fded3efdff9ae690fc
* sssd-1-11: f070a93e7dd6b594d8652718e513a18ec389fc2c