On Mon, 2011-08-29 at 16:59 +0300, Alexander Bokovoy wrote:
On 29.08.2011 16:22, Stephen Gallagher wrote:
> There was a typo here and we weren't properly skipping memberOf
> attributes in a user entry that contained fewer than four domain
> This can be reproduced by creating an HBAC rule that includes a specific
> user. The FreeIPA server must also be using a single-component domain
> (e.g. dc=freeipa as opposed to dc=example,dc=com)
> Resolves https://bugzilla.redhat.com/show_bug.cgi?id=733237
Reading through the code, ENOENT looks correct as by intent. There are
two code paths that eventually interpret the return code from
get_ipa_groupname(), and one of them doesn't care about the error type (other
than EOK), but the other one is expecting either EOK or ENOENT for proper
processing, and obviously an unknown but otherwise syntactically valid DN is
something to skip, not fail.
ACK as well based on this, as the original reporter also confirmed
Pushed to master, sssd-1-6 and sssd-1-5.
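
The skip-versus-fail contract discussed in this thread, as an added illustration that is not part of the thread and is not SSSD's code. The function names, the simplified comma splitting, the sample DNs and the assumed group layout `cn=<name>,cn=groups,cn=accounts,<base>` are assumptions made for the example.

```c
#include <errno.h>
#include <string.h>
#include <strings.h>
#define EOK 0
/* Constructed memberOf values for a single-component domain (dc=freeipa). */
static const char *const sample_member_of[] = {
    "ipaUniqueID=constructed-id,cn=hbac,dc=freeipa", /* HBAC rule: 3 components */
    "cn=admins,cn=groups,cn=accounts,dc=freeipa",    /* group */
};

/* Hypothetical lookup; splits on ',' only (no escaped-comma handling). */
int example_groupname(const char *dn, char *out, size_t outlen)
{
    const char *comp[3] = {0}, *p = dn;
    size_t len[3] = {0}, n = 0;
    if (dn == NULL || out == NULL) return EINVAL;
    while (p != NULL) {
        const char *comma = strchr(p, ',');
        size_t l = comma ? (size_t)(comma - p) : strlen(p);
        if (l == 0 || memchr(p, '=', l) == NULL) return EINVAL; /* malformed */
        if (n < 3) { comp[n] = p; len[n] = l; }
        n++;
        p = comma ? comma + 1 : NULL;
    }
    /* Fewer than 4 components: a valid DN but not a group, so ENOENT (skip). */
    if (n < 4) return ENOENT;
    if (strncasecmp(comp[0], "cn=", 3) != 0 ||
        len[1] != 9 || strncasecmp(comp[1], "cn=groups", 9) != 0 ||
        len[2] != 11 || strncasecmp(comp[2], "cn=accounts", 11) != 0)
        return ENOENT;
    if (len[0] == 3 || len[0] - 3 >= outlen) return EINVAL;
    memcpy(out, comp[0] + 3, len[0] - 3);
    out[len[0] - 3] = '\0';
    return EOK;
}

/* Caller that needs EOK or ENOENT: returns the group count, or -1 on error. */
int example_count_groups(const char *const *member_of, size_t count)
{
    char name[64];
    int groups = 0;
    for (size_t i = 0; i < count; i++) {
        int ret = example_groupname(member_of[i], name, sizeof(name));
        if (ret == ENOENT) continue; /* not a group: skip, keep evaluating */
        if (ret != EOK) return -1;   /* real error: stop */
        groups++;
    }
    return groups;
}
int main(void) { return example_count_groups(sample_member_of, 2) == 1 ? 0 : 1; }
```

If the short-DN branch returned any code other than ENOENT, the caller above would abort on the first constructed entry and never reach the group that follows it.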