URL: https://github.com/SSSD/sssd/pull/209 Author: sumit-bose Title: #209: IPA: lookup AD users by certificates on IPA clients Action: opened
PR body: """ Get a list of users mapped to a certificate back from the IPA server, look them up and store them together with the certificate used for the search as mapped attribute to the cache.
Related to https://pagure.io/SSSD/sssd/issue/3050
This is another puzzle piece of looking up users by certificate, this time for AD users on IPA clients. If you think it should not run under #3050 anymore please let me know, then I'll open a new ticket.
It turned out that although most of the code was already there to look up AD users with the whole certificate, it so far never worked, see the 3rd patch. Even if this is fixed, the fix from a0b1bfa76073d3ce3208e67e6d72bb92088edac5 is needed on the IPA server side as well to allow the processing of reasonably sized certificates.
Since it never worked, I took the opportunity to replace the single-user lookup with a lookup which returns a list of users to support mapping a certificate to multiple users. To test this, the IPA server side must use the patch from https://github.com/freeipa/freeipa/pull/644 to get the user list reply.
To test it, the InfoPipe or python listbycert request can be used. """
To pull the PR as Git branch:
```
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/209/head:pr209
git checkout pr209
```
jhrozek commented: """ I started the review by running CI which passed except rawhide which seems broken: http://sssd-ci.duckdns.org/logs/job/66/06/summary.html """
See the full comment at https://github.com/SSSD/sssd/pull/209#issuecomment-290007653
jhrozek commented: """ (the machine in CI is broken, not the patches..) """
See the full comment at https://github.com/SSSD/sssd/pull/209#issuecomment-290007734
jhrozek commented: """ These patches look OK, but I suspect we might have a bug in the IFP list code. I added a certificate to a user's idview entry and now listing the certificate shows: ``` dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat cert.pem)" uint32:100 method return time=1490786867.303117 sender=:1.40 -> destination=:1.42 serial=7 reply_serial=2 array [ object path "/org/freedesktop/sssd/infopipe/Users/ipa_2etest/679800500" object path "/org/freedesktop/sssd/infopipe/Users/win_2etrust_2etest/679800500" object path "/org/freedesktop/sssd/infopipe/Users/sibling_2ewin_2etrust_2etest/679800500" object path "/org/freedesktop/sssd/infopipe/Users/child_2ewin_2etrust_2etest/679800500" ] ```
The user is only in the win.trust.test domain: ``` [jhrozek@client] sssd $ [(review)] getent passwd 679800500 administrator@win.trust.test:*:679800500:679800500:Administrator:/home/win.trust.test/administrator: ``` """
See the full comment at https://github.com/SSSD/sssd/pull/209#issuecomment-290061842
jhrozek commented: """ Hmm, looking at the debug output, it might be the cache_req's code fault: ``` (Wed Mar 29 11:30:04 2017) [sssd[ifp]] [cache_req_set_domain] (0x0400): CR #6: Using domain [win.trust.test] (Wed Mar 29 11:30:04 2017) [sssd[ifp]] [cache_req_search_send] (0x0400): CR #6: Looking up CERT:nxgxW/ww==@win.trust.test ... (Wed Mar 29 11:30:04 2017) [sssd[ifp]] [cache_req_create_and_add_result] (0x0400): CR #6: Found 1 entries in domain win.trust.test ```
That's fine, but: ``` (Wed Mar 29 11:30:04 2017) [sssd[ifp]] [cache_req_set_domain] (0x0400): CR #8: Using domain [child.win.trust.test] (Wed Mar 29 11:30:04 2017) [sssd[ifp]] [cache_req_search_send] (0x0400): CR #8: Looking up CERT:nxgxW/ww==@child.win.trust.test ... (Wed Mar 29 11:30:04 2017) [sssd[ifp]] [cache_req_create_and_add_result] (0x0400): CR #8: Found 1 entries in domain child.win.trust.test ```
So it looks like cache_req is looking in all domains and returning the entries from all domains..
Please let me know if you prefer to file a separate ticket or fix the problem here. """
See the full comment at https://github.com/SSSD/sssd/pull/209#issuecomment-290062549
sumit-bose commented: """ It is expected that ListByCertificate returns matches from all domains. So as long as all the listed users have the certificate in their corresponding user object (I assume you are not using other certmap rules), the result is expected. """
See the full comment at https://github.com/SSSD/sssd/pull/209#issuecomment-290065881
jhrozek commented: """ So then the consumer of the API is expected to iterate over the paths and find a non-empty attribute? Because the paths from the domains where the user is not are not usable in the sense the getters return only the default attribute ``` [jhrozek@client] sssd $ [(review)] dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/ipa_2etest/679800500 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:name method return time=1490792119.531265 sender=:1.61 -> destination=:1.70 serial=9 reply_serial=2 variant string "" ```
THe path from the correct domain works ``` [jhrozek@client] sssd $ [(review)] dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/win_2etrust_2etest/679800500 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:name method return time=1490792131.291432 sender=:1.61 -> destination=:1.71 serial=11 reply_serial=2 variant string "administrator@win.trust.test" ```
"""
See the full comment at https://github.com/SSSD/sssd/pull/209#issuecomment-290081343
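The behaviour sumit-bose describes (ListByCertificate returns one object path per searched domain) and the consumer-side rule jhrozek spells out (iterate the paths and keep only those whose `name` property is non-empty) together, as an added example that is not part of the PR or of SSSD's own code. The D-Bus calls use dbus-python, which is assumed to be installed; the pure helpers run without it, and the sample paths in the comments are the ones from the thread above.

```python
"""Consumer of org.freedesktop.sssd.infopipe.Users.ListByCertificate (added example)."""
import re

IFP_BUS = "org.freedesktop.sssd.infopipe"
IFP_USERS_PATH = "/org/freedesktop/sssd/infopipe/Users"
IFP_USER_IFACE = "org.freedesktop.sssd.infopipe.Users.User"


def unescape_path_component(component):
    """Decode the object-path escaping seen above: 'win_2etrust_2etest' -> 'win.trust.test'."""
    return re.sub(r"_([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), component)


def split_user_path(path):
    """Return (domain, uid) for a path like .../Users/win_2etrust_2etest/679800500."""
    prefix = IFP_USERS_PATH + "/"
    if not path.startswith(prefix):
        raise ValueError("not a user object path: %s" % path)
    domain, uid = path[len(prefix):].split("/", 1)
    return unescape_path_component(domain), uid


def usable_matches(paths, get_name):
    """Keep only (domain, name) pairs for paths whose 'name' property is non-empty.

    A path for a domain in which the user does not exist answers
    Properties.Get with the default empty string, so it is dropped here.
    get_name(path) -> str is injected so the filtering can be tested offline.
    """
    found = []
    for path in paths:
        name = get_name(path)
        if name:
            domain, _uid = split_user_path(path)
            found.append((domain, name))
    return found


def dbus_get_name(path):
    """Properties.Get of 'name' on the system bus (the call jhrozek ran with dbus-send)."""
    import dbus  # imported lazily so the helpers above do not need dbus-python
    obj = dbus.SystemBus().get_object(IFP_BUS, path)
    props = dbus.Interface(obj, "org.freedesktop.DBus.Properties")
    return str(props.Get(IFP_USER_IFACE, "name"))


def list_by_certificate(pem, limit=100):
    """Call ListByCertificate(pem, limit) and return only the usable (domain, name) pairs."""
    import dbus
    obj = dbus.SystemBus().get_object(IFP_BUS, IFP_USERS_PATH)
    users = dbus.Interface(obj, "org.freedesktop.sssd.infopipe.Users")
    paths = [str(p) for p in users.ListByCertificate(pem, dbus.UInt32(limit))]
    return usable_matches(paths, dbus_get_name)
```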
jhrozek commented: """ anyway, these patches work and we can push them """
See the full comment at https://github.com/SSSD/sssd/pull/209#issuecomment-290081403
Label: +Accepted
jhrozek commented: """ * master: 82843754193b177275ce16f2901edac2060a3998 2cf7becc05996eb6d8a3352d3d7b97c75652e590 415d93196533a6fcd90889c67396ef5af5bf791a """
See the full comment at https://github.com/SSSD/sssd/pull/209#issuecomment-290084814
URL: https://github.com/SSSD/sssd/pull/209 Author: sumit-bose Title: #209: IPA: lookup AD users by certificates on IPA clients Action: closed
Label: +Pushed
lslebodn commented: """ On (29/03/17 05:57), Jakub Hrozek wrote:
> So then the consumer of the API is expected to iterate over the paths and find a non-empty attribute? Because the paths from the domains where the user is not are not usable in the sense the getters return only the default attribute
> ```
> [jhrozek@client] sssd $ [(review)] dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/ipa_2etest/679800500 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:name
> method return time=1490792119.531265 sender=:1.61 -> destination=:1.70 serial=9 reply_serial=2
>    variant       string ""
> ```
> The path from the correct domain works
> ```
> [jhrozek@client] sssd $ [(review)] dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/win_2etrust_2etest/679800500 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:name
> method return time=1490792131.291432 sender=:1.61 -> destination=:1.71 serial=11 reply_serial=2
>    variant       string "administrator@win.trust.test"
> ```

IMHO it is worth filing a ticket (at least).

LS
"""
See the full comment at https://github.com/SSSD/sssd/pull/209#issuecomment-290151595