On (29/09/14 17:58), Michal Židek wrote:
>Hi,
>
>this patch solves the ticket:
>https://fedorahosted.org/sssd/ticket/2361
>
>From the discussion on bugzilla and the ticket comments, it
>looks like Jakub and Lukas were for changes in documentation
>only (+ maybe warning/error if user misconfigured SSSD).
>
>I do not want to look like I ignore the opinions of others
>but I think the best way is to simply change the defaults
>to the same as expected by AD backend. While I do agree
>that users should set their id_provider option to AD
>if they use AD backend, this option is more or less
>AD specific, so I think it would be better to have
>the same defaults with id_provider ldap. This
>would also solve the small regressions that are
>mentioned in the bugzilla (by users who do use
>id_provider=AD and id_mapping=true).
>
>OTOH if this approach is disliked by other developers
>I have no big problems with the man page + warning/error
>solution.
>
>Simple patch is attached.
>
>Thanks,
>Michal
>From 2d0f2f3c62eefe4f55cb21b91538bad8b68f6df5 Mon Sep 17 00:00:00 2001
>From: Michal Zidek <mzidek(a)redhat.com>
>Date: Mon, 29 Sep 2014 17:17:59 +0200
>Subject: [PATCH] LDAP: Change defaults for ldap_user/group_objectsid
>
>Fixes:
>https://fedorahosted.org/sssd/ticket/2361
>---
> src/man/sssd-ldap.5.xml | 4 ++--
> src/providers/ldap/ldap_opts.h | 8 ++++----
> 2 files changed, 6 insertions(+), 6 deletions(-)
>
>diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
>index 03ea794..a21ffc1 100644
>--- a/src/man/sssd-ldap.5.xml
>+++ b/src/man/sssd-ldap.5.xml
>@@ -346,7 +346,7 @@
> necessary for ActiveDirectory servers.
> </para>
> <para>
>- Default: objectSid for ActiveDirectory, not set
>+ Default: ipaNTSecurityIdentifier for IPA, objectSID
> for other servers.
> </para>
> </listitem>
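Review bot: the replacement sentence `+ Default: ipaNTSecurityIdentifier for IPA, objectSID` / `for other servers.` drops the old "not set" case, so an administrator of a plain OpenLDAP or other non-AD server now reads that objectSID is requested for them; the ldap_opts.h hunks below make that true for the rfc2307 and rfc2307bis maps, and the log later in this thread shows an OpenLDAP deref control rejecting exactly that attribute. Either keep "not set" for servers other than AD and IPA and limit the new default to the AD-specific map, or say explicitly that servers whose schema lacks objectSID need ldap_user_objectsid overridden.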
>@@ -854,7 +854,7 @@
> necessary for ActiveDirectory servers.
> </para>
> <para>
>- Default: objectSid for ActiveDirectory, not set
>+ Default: ipaNTSecurityIdentifier for IPA, objectSID
> for other servers.
> </para>
> </listitem>
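Review bot: this hunk is the group-option copy of the same sentence, and like the first one it documents an IPA default (`ipaNTSecurityIdentifier`) that no hunk in this patch sets: the diffstat lists only sssd-ldap.5.xml and ldap_opts.h, and the ldap_opts.h hunks touch the rfc2307 and rfc2307bis maps only. If the IPA map already carries that default, say so in the commit message so the man page change is traceable; otherwise the documentation describes behaviour the code does not have.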
>diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
>index 0a33289..61e3309 100644
>--- a/src/providers/ldap/ldap_opts.h
>+++ b/src/providers/ldap/ldap_opts.h
>@@ -155,7 +155,7 @@ struct sdap_attr_map rfc2307_user_map[] = {
> { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL
},
> { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
> { "ldap_user_member_of", NULL, SYSDB_MEMBEROF, NULL },
>- { "ldap_user_objectsid", NULL, SYSDB_SID, NULL },
>+ { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
> { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
> { "ldap_user_modify_timestamp", "modifyTimestamp",
SYSDB_ORIG_MODSTAMP, NULL },
> { "ldap_user_entry_usn", NULL, SYSDB_USN, NULL },
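Review bot: giving `ldap_user_objectsid` a non-NULL default in the generic rfc2307_user_map changes what every user lookup asks the server for, not just how a returned value is stored, because the map's defaults become the requested attribute list. A server whose schema has no objectSID may ignore that in a plain search, but the OpenLDAP deref failure quoted later in this thread shows it is fatal inside a dereference control. Keeping NULL here (the pre-patch state) leaves rfc2307 servers unaffected; if the aim is id_provider=ldap against an AD server, the AD-specific schema map, which this patch does not touch, is where an `objectSID` default belongs.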
>@@ -188,7 +188,7 @@ struct sdap_attr_map rfc2307_group_map[] = {
> { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
> { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL
},
> { "ldap_group_member", "memberuid", SYSDB_MEMBER, NULL },
>- { "ldap_group_objectsid", NULL, SYSDB_SID, NULL },
>+ { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
> { "ldap_group_modify_timestamp", "modifyTimestamp",
SYSDB_ORIG_MODSTAMP, NULL },
> { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
> { "ldap_group_type", NULL, SYSDB_GROUP_TYPE, NULL },
>@@ -207,7 +207,7 @@ struct sdap_attr_map rfc2307bis_user_map[] = {
> { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL
},
> { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
> { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
>- { "ldap_user_objectsid", NULL, SYSDB_SID, NULL },
>+ { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
> { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
> { "ldap_user_modify_timestamp", "modifyTimestamp",
SYSDB_ORIG_MODSTAMP, NULL },
> { "ldap_user_entry_usn", NULL, SYSDB_USN, NULL },
>@@ -240,7 +240,7 @@ struct sdap_attr_map rfc2307bis_group_map[] = {
> { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
> { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL
},
> { "ldap_group_member", "member", SYSDB_MEMBER, NULL },
>- { "ldap_group_objectsid", NULL, SYSDB_SID, NULL },
>+ { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
> { "ldap_group_modify_timestamp", "modifyTimestamp",
SYSDB_ORIG_MODSTAMP, NULL },
> { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
> { "ldap_group_type", NULL, SYSDB_GROUP_TYPE, NULL },
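Review bot: this is the map the failure quoted below exercises: the attributes requested in the log (objectClass, cn, userPassword, gidNumber, member, objectSID, modifyTimestamp, uid) are this rfc2307bis_group_map with its new `objectSID` row, and the OpenLDAP server answers the deref request with "Dereference control: attribute decoding error". Because nested group resolution sends every group-map attribute inside the deref control, a default the server's schema lacks aborts the whole group lookup instead of yielding an empty attribute, so this row should stay NULL; the same applies to the rfc2307_group_map hunk above.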
These changes in rfc2307_user_map and rfc2307bis_user_map caused a regression,
which was fixed by ticket
https://fedorahosted.org/sssd/ticket/2383
Dereference failed with an OpenLDAP server.
[sdap_nested_group_process_send] (0x2000): Dereferencing members of group
[cn=topgrp,ou=Groups,dc=example,dc=com]
[sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref
[sdap_x_deref_search_send] (0x0400): Dereferencing entry
[cn=topgrp,ou=Groups,dc=example,dc=com] using OpenLDAP deref
[sdap_print_server] (0x2000): Searching 10.16.64.191
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no
filter][cn=topgrp,ou=Groups,dc=example,dc=com].
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 3
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
[sdap_get_generic_op_finished] (0x0400): Search result: Protocol error(2), Dereference
control: attribute decoding error
[sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Protocol error(2),
Dereference control: attribute decoding error
[generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed [5]: Input/output
error
[sdap_deref_search_done] (0x0040): dereference processing failed [5]: Input/output error
[sdap_nested_group_deref_direct_done] (0x0020): Error processing direct membership [5]:
Input/output error
[sdap_nested_done] (0x0020): Nested group processing failed: [5][Input/output error]
SSSD did the equivalent of the following command line search:
[root@host ~]# ldapsearch -x -LLL -h $SERVER -b 'dc=example,dc=com' \
    -E '!deref=member:objectClass,cn,userPassword,gidNumber,objectSID,modifyTimestamp,uid' \
    cn=topgrp
Protocol error (2)
Additional information: Dereference control: attribute decoding error
Dereferencing failed because the attribute objectSID isn't in any objectclass on
the OpenLDAP server.
Summary:
We should revert this patch. objectSID should not be set by default
in the rfc2307 or rfc2307bis schema.
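As an added example, not code from sssd or from either poster: a small Python check that compares the attributes an sssd-style map will request with the attribute types a server publishes in its subschema, so a default such as the objectSID rows in this patch can be vetted against a particular server before it ends up inside a deref control. The subschema lines and the map rows are constructed for the example, and the check is made against attributeTypes rather than objectClass membership, an assumption chosen because operational attributes such as modifyTimestamp are declared there and never appear under any objectClass.

```python
"""Schema check for an SSSD-style attribute map (added example, not sssd code).

Before a default attribute such as objectSID is added to a generic map,
compare the attributes the map will request with the attribute types the
target server publishes in its subschema. Anything the server does not
know is what the OpenLDAP deref control in the thread above rejects with
"attribute decoding error".
"""
import re
from typing import List, Optional, Sequence, Set, Tuple

# Constructed subset of a subschema in RFC 4512 syntax, as an OpenLDAP server
# publishes it under cn=Subschema. objectSID is deliberately absent, like a
# stock OpenLDAP server with no AD-style schema loaded.
SUBSCHEMA_ATTRIBUTE_TYPES = [
    "( 2.5.4.0 NAME 'objectClass' EQUALITY objectIdentifierMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )",
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
    "( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
    "( 1.3.6.1.1.1.1.1 NAME 'gidNumber' EQUALITY integerMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )",
    "( 2.5.4.31 NAME 'member' SUP distinguishedName )",
    "( 2.5.18.2 NAME 'modifyTimestamp' EQUALITY generalizedTimeMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE "
    "NO-USER-MODIFICATION USAGE directoryOperation )",
    "( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) "
    "EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
]

# Constructed rows shaped like sssd's sdap_attr_map entries
# (option name, default server attribute or None, sysdb key): the rfc2307bis
# group map as the patch above leaves it, including the objectSID row.
AttrMap = Sequence[Tuple[str, Optional[str], str]]
RFC2307BIS_GROUP_MAP_PATCHED: AttrMap = [
    ("ldap_group_name", "cn", "SYSDB_NAME"),
    ("ldap_group_pwd", "userPassword", "SYSDB_PWD"),
    ("ldap_group_gid_number", "gidNumber", "SYSDB_GIDNUM"),
    ("ldap_group_member", "member", "SYSDB_MEMBER"),
    ("ldap_group_objectsid", "objectSID", "SYSDB_SID"),
    ("ldap_group_modify_timestamp", "modifyTimestamp", "SYSDB_ORIG_MODSTAMP"),
    ("ldap_group_entry_usn", None, "SYSDB_USN"),
]

# Matches NAME 'single' as well as NAME ( 'first' 'alias' ... )
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")


def parse_attribute_type_names(definitions: Sequence[str]) -> Set[str]:
    """Every name a subschema attributeTypes value declares, lowercased
    because LDAP attribute descriptions are matched case-insensitively."""
    names: Set[str] = set()
    for definition in definitions:
        match = _NAME_RE.search(definition)
        if match is None:
            continue
        if match.group(1):
            names.add(match.group(1).lower())
        else:
            names.update(n.lower() for n in re.findall(r"'([^']+)'", match.group(2)))
    return names


def requested_attributes(attr_map: AttrMap) -> List[str]:
    """Attributes a lookup over this map asks the server for: objectClass is
    always requested (as the log shows), then every row whose default is set."""
    attrs = ["objectClass"]
    for _option, default_attr, _sysdb_key in attr_map:
        if default_attr is not None and default_attr not in attrs:
            attrs.append(default_attr)
    return attrs


def check_map_against_schema(attr_map: AttrMap,
                             known: Set[str]) -> Tuple[List[str], List[str]]:
    """Split the map's requested attributes into (accepted, unknown) for a
    server whose subschema declares the names in `known`."""
    accepted: List[str] = []
    unknown: List[str] = []
    for attr in requested_attributes(attr_map):
        (accepted if attr.lower() in known else unknown).append(attr)
    return accepted, unknown


def deref_control_spec(deref_attr: str, attrs: Sequence[str]) -> str:
    """Render the ldapsearch -E '!deref=...' spec used in the thread."""
    return f"!deref={deref_attr}:{','.join(attrs)}"


def drop_unknown_defaults(attr_map: AttrMap,
                          known: Set[str]) -> List[Tuple[str, Optional[str], str]]:
    """Copy of the map with every default the server does not know reset to
    None, i.e. back to the pre-patch 'not set' state for those rows."""
    return [(opt, attr if attr is not None and attr.lower() in known else None, key)
            for opt, attr, key in attr_map]


if __name__ == "__main__":
    known = parse_attribute_type_names(SUBSCHEMA_ATTRIBUTE_TYPES)
    accepted, unknown = check_map_against_schema(RFC2307BIS_GROUP_MAP_PATCHED, known)
    print("unknown to this server:", unknown)  # ['objectSID']
    print("spec the patched map would send:",
          deref_control_spec("member", requested_attributes(RFC2307BIS_GROUP_MAP_PATCHED)))
    print("spec this server accepts:", deref_control_spec("member", accepted))
    safe_map = drop_unknown_defaults(RFC2307BIS_GROUP_MAP_PATCHED, known)
    print("unknown after reset:", check_map_against_schema(safe_map, known)[1])  # []
```

Against a live server the same check reads the `attributeTypes` values from the subschema entry named by the root DSE's `subschemaSubentry` attribute; the deref spec it prints is the one to try with `ldapsearch -E` before any map default is changed for that server.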