File 0052-ldap-ignore-unreadable-references.patch of Package sssd.23277
From 82ce4bf9db559848587a7cfa2109e044253e11ce Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 1 Feb 2022 13:14:41 +0100
Subject: [PATCH 1/4] Tests: Use group1_dom1-19661 in test_pysss_nss_idmap.py
The group3_dom1-17775 group has a member referencing a user in a
different domain, which will make the test fail in the following
commits.
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit b67caf27b1fd147358c0d429456e9b0b6d74e718)
---
src/tests/intg/test_pysss_nss_idmap.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/tests/intg/test_pysss_nss_idmap.py b/src/tests/intg/test_pysss_nss_idmap.py
index 8d0d9b794..735994d0c 100644
--- a/src/tests/intg/test_pysss_nss_idmap.py
+++ b/src/tests/intg/test_pysss_nss_idmap.py
@@ -232,9 +232,9 @@ def test_user_operations(ldap_conn, simple_ad):
def test_group_operations(ldap_conn, simple_ad):
- group = 'group3_dom1-17775'
+ group = 'group1_dom1-19661'
group_id = grp.getgrnam(group).gr_gid
- group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82764'
+ group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82810'
output = pysss_nss_idmap.getsidbyname(group)[group]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
--
2.35.1
From 1d52db0b59aabf19b792d9e5062daadf4697feee Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 3 Feb 2022 17:02:18 +0100
Subject: [PATCH 2/4] SDAP: Add 'ldap_ignore_unreadable_references' parameter
When resolving a group using the AD provider it may happen sssd doesn't
have permissions to read the entry referenced in the 'member' attribute,
for example when the entry is located under a restricted LDAP sub-tree
for security reasons.
In this scenario, the sssd behavior is not consistent and depends on the
ldap_deref_threshold parameter, that controls if an attribute scoped
query (ASQ) will be used or if the group members will be searched
individually. If an ASQ operation is issued, the operation will fail
because the referenced entry can't be parsed and this can
lead to missing groups and makes impossible to use the group in simple
access provider. On the other hand, when the group members are looked
up individually sssd just ignores the unreadable entry.
This patch adds a new parameter 'ldap_ignore_unreadable_references' to
control if the current operation will fail when an unreadable entry is
found or the entry will be ignored, regardless if sssd issued an ASQ or
the members are looked up individually.
The issue can be replicated deploying this AD setup:
CN=users,DC=aforest,DC=ad
CN=g1,CN=users,DC=aforest,DC=ad
member: CN=g2,CN=users,DC=aforest,DC=ad
member: CN=g3,CN=users,DC=aforest,DC=ad
member: CN=g4,CN=users,DC=aforest,DC=ad
member: CN=g5,CN=users,DC=aforest,DC=ad
member: CN=user1,CN=users,DC=aforest,DC=ad
CN=g2,CN=users,DC=aforest,DC=ad
member: CN=g3,CN=users,DC=aforest,DC=ad
member: CN=g4,CN=users,DC=aforest,DC=ad
member: CN=g5,CN=users,DC=aforest,DC=ad
member: CN=user2,CN=users,DC=aforest,DC=ad
memberOf: CN=g1,CN=users,DC=aforest,DC=ad
CN=g3,CN=users,DC=aforest,DC=ad <-- Deny access to sssd account
member: CN=g4,CN=users,DC=aforest,DC=ad
member: CN=g5,CN=users,DC=aforest,DC=ad
member: CN=user3,CN=users,DC=aforest,DC=ad
memberOf: CN=g2,CN=users,DC=aforest,DC=ad
memberOf: CN=g1,CN=users,DC=aforest,DC=ad
CN=g4,CN=users,DC=aforest,DC=ad
member: CN=g5,CN=users,DC=aforest,DC=ad
member: CN=user5,CN=users,DC=aforest,DC=ad
memberOf: CN=g3,CN=users,DC=aforest,DC=ad
memberOf: CN=g2,CN=users,DC=aforest,DC=ad
memberOf: CN=g1,CN=users,DC=aforest,DC=ad
CN=g5,CN=users,DC=aforest,DC=ad
member: CN=user5,CN=users,DC=aforest,DC=ad
memberOf: CN=g4,CN=users,DC=aforest,DC=ad
memberOf: CN=g3,CN=users,DC=aforest,DC=ad
memberOf: CN=g2,CN=users,DC=aforest,DC=ad
memberOf: CN=g1,CN=users,DC=aforest,DC=ad
CN=user1,CN=users,DC=aforest,DC=ad
memberOf: CN=g1,CN=users,DC=aforest,DC=ad
CN=user2,CN=users,DC=aforest,DC=ad
memberOf: CN=g2,CN=users,DC=aforest,DC=ad
CN=user3,CN=users,DC=aforest,DC=ad
memberOf: CN=g3,CN=users,DC=aforest,DC=ad
CN=user4,CN=users,DC=aforest,DC=ad
memberOf: CN=g4,CN=users,DC=aforest,DC=ad
CN=user5,CN=users,DC=aforest,DC=ad
memberOf: CN=g5,CN=users,DC=aforest,DC=ad
And using this sssd.conf
-------------------------------------------------------------------------------
[sssd]
config_file_version = 2
services = nss, pam
domains = aforest.ad
[nss]
[pam]
[domain/aforest.ad]
auth_provider = ad
id_provider = ad
access_provider = simple
simple_allow_groups = g1
ldap_deref_threshold = 1
debug_level = 10
-------------------------------------------------------------------------------
In this setup sssd can't resolve group 'g1' because it fails parsing one
of the referenced members, 'g3':
$> getent group g1
No output.
$> id user5
uid=1862001108(user5) gid=1862000513(domain users) groups=1862000513(domain users),1862001111,18620011
When the group is used to filter access it does not work:
...
[simple_access_check_send] (0x0200): [RID#7] Simple access check for user1@aforest.ad
...
[simple_check_get_groups_send] (0x0400): [RID#7] Need to resolve 3 groups
[sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [(&(objectSID=S-1-5-21-3230
...
[sdap_nested_group_hash_insert] (0x4000): [RID#8] Inserting [CN=g1,CN=Users,DC=aforest,DC=ad] into has
[sdap_nested_group_process_send] (0x2000): [RID#8] About to process group [CN=g1,CN=Users,DC=aforest,D
...
[sdap_nested_group_process_send] (0x0400): [RID#8] More members were missing than the deref threshold
[sdap_nested_group_process_send] (0x2000): [RID#8] Looking up 2/5 members of group [CN=g1,CN=Users,DC=
[sdap_nested_group_process_send] (0x2000): [RID#8] Dereferencing members of group [CN=g1,CN=Users,DC=a
[sdap_deref_search_send] (0x2000): [RID#8] Server supports ASQ
[sdap_asq_search_send] (0x0400): [RID#8] Dereferencing entry [CN=g1,CN=Users,DC=aforest,DC=ad] using A
...
[sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [no filter][CN=g1,CN=Users,
...
[sdap_process_message] (0x4000): [RID#8] Message type: [LDAP_RES_SEARCH_ENTRY]
[sdap_asq_search_parse_entry] (0x0040): [RID#8] Unknown entry type, no objectClass found for DN [CN=g3
[sdap_get_generic_op_finished] (0x0020): [RID#8] reply parsing callback failed.
[sdap_op_destructor] (0x1000): [RID#8] Abandoning operation 3
[generic_ext_search_handler] (0x0020): [RID#8] sdap_get_generic_ext_recv request failed: [22]: Invalid
[sdap_deref_search_done] (0x0040): [RID#8] dereference processing failed [22]: Invalid argument
[sdap_nested_group_deref_direct_done] (0x0020): [RID#8] Error processing direct membership [22]: Inval
[sdap_nested_done] (0x0020): [RID#8] Nested group processing failed: [22][Invalid argument]
...
[simple_resolve_group_done] (0x0080): [RID#8] Cannot refresh data from DP: 3,0: Group lookup failed
...
[simple_check_get_groups_next] (0x2000): [RID#9] All groups resolved. Done.
[simple_access_check_done] (0x0040): [RID#9] Could not collect groups of user user1@aforest.ad
[simple_access_check_done] (0x0400): [RID#9] But no deny groups were defined so we can continue.
[simple_check_groups] (0x4000): [RID#9] Checking against allow list group name [g1@aforest.ad].
[simple_access_check_done] (0x2000): [RID#9] Group check done
[simple_access_check_recv] (0x1000): [RID#9] Access not granted
...
Resolves: https://github.com/SSSD/sssd/issues/4893
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 941418f436bbd3ce8bf7f70f4f0c872770869841)
---
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
src/config/etc/sssd.api.d/sssd-ipa.conf | 1 +
src/config/etc/sssd.api.d/sssd-ldap.conf | 1 +
src/man/sssd-ldap.5.xml | 23 +++++++++++++++++++++++
src/providers/ad/ad_opts.c | 1 +
src/providers/ipa/ipa_opts.c | 1 +
src/providers/ldap/ldap_opts.c | 1 +
src/providers/ldap/sdap.h | 1 +
10 files changed, 32 insertions(+)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 8b34acf6f..222d751fe 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -308,6 +308,7 @@ option_strings = {
'ldap_dns_service_name' : _('Service name for DNS service lookups'),
'ldap_page_size' : _('The number of records to retrieve in a single LDAP query'),
'ldap_deref_threshold' : _('The number of members that must be missing to trigger a full deref'),
+ 'ldap_ignore_unreadable_references': _('Ignore unreadable LDAP references'),
'ldap_sasl_canonicalize' : _('Whether the LDAP library should perform a reverse lookup to canonicalize the host name during a SASL bind'),
'ldap_entry_usn' : _('entryUSN attribute'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 074169389..77170e43e 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -593,6 +593,7 @@ option = ldap_default_authtok_type
option = ldap_default_bind_dn
option = ldap_deref
option = ldap_deref_threshold
+option = ldap_ignore_unreadable_references
option = ldap_disable_paging
option = ldap_disable_range_retrieval
option = ldap_dns_service_name
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 41bbd2014..5be7f6bb2 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -59,6 +59,7 @@ ldap_dns_service_name = str, None, false
ldap_deref = str, None, false
ldap_page_size = int, None, false
ldap_deref_threshold = int, None, false
+ldap_ignore_unreadable_references = bool, None, false
ldap_connection_expire_timeout = int, None, false
ldap_disable_paging = bool, None, false
krb5_confd_path = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 427559f5d..583439a36 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -51,6 +51,7 @@ ldap_dns_service_name = str, None, false
ldap_deref = str, None, false
ldap_page_size = int, None, false
ldap_deref_threshold = int, None, false
+ldap_ignore_unreadable_references = bool, None, false
ldap_connection_expire_timeout = int, None, false
ldap_disable_paging = bool, None, false
krb5_confd_path = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index bd6cc7d7f..995014402 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -32,6 +32,7 @@ ldap_dns_service_name = str, None, false
ldap_deref = str, None, false
ldap_page_size = int, None, false
ldap_deref_threshold = int, None, false
+ldap_ignore_unreadable_references = bool, None, false
ldap_sasl_canonicalize = bool, None, false
ldap_sasl_minssf = int, None, false
ldap_sasl_maxssf = int, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index a0f64cbfd..77ef0aa42 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1603,6 +1603,29 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>ldap_ignore_unreadable_references (bool)</term>
+ <listitem>
+ <para>
+ Ignore unreadable LDAP entries referenced in
+ group's member attribute. If this parameter is set
+ to false an error will be returned and the
+ operation will fail instead of just ignoring the
+ unreadable entry.
+ </para>
+ <para>
+ This parameter may be useful when using the AD
+ provider and the computer account that sssd uses
+ to connect to AD does not have access to a
+ particular entry or LDAP sub-tree for security
+ reasons.
+ </para>
+ <para>
+ Default: False
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>ldap_tls_reqcert (string)</term>
<listitem>
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index 395d3fd58..c2e517152 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -134,6 +134,7 @@ struct dp_option ad_def_ldap_opts[] = {
{ "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER },
{ "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
+ { "ldap_ignore_unreadable_references", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER },
{ "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c
index 82b2f6312..49da52e05 100644
--- a/src/providers/ipa/ipa_opts.c
+++ b/src/providers/ipa/ipa_opts.c
@@ -143,6 +143,7 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER },
{ "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
+ { "ldap_ignore_unreadable_references", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER },
{ "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c
index b63f0a3a5..6b711f665 100644
--- a/src/providers/ldap/ldap_opts.c
+++ b/src/providers/ldap/ldap_opts.c
@@ -104,6 +104,7 @@ struct dp_option default_basic_opts[] = {
{ "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER },
{ "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
+ { "ldap_ignore_unreadable_references", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER },
{ "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 6c6e5d770..be559b977 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -217,6 +217,7 @@ enum sdap_basic_opt {
SDAP_DISABLE_AUTH_TLS,
SDAP_PAGE_SIZE,
SDAP_DEREF_THRESHOLD,
+ SDAP_IGNORE_UNREADABLE_REFERENCES,
SDAP_SASL_CANONICALIZE,
SDAP_EXPIRE_TIMEOUT,
SDAP_DISABLE_PAGING,
--
2.35.1
From 397cef9230a3a7025be6cd8897352775629e9510 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 1 Dec 2021 11:36:01 +0100
Subject: [PATCH 3/4] SDAP: Honor ldap_ignore_unreadable_references parameter
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 5c7fb41f3f1f4b1a1bbf7ddcb3d5b123ade0becb)
---
src/providers/ldap/sdap_async.c | 24 ++++++++++++++++++-
src/providers/ldap/sdap_async_nested_groups.c | 13 +++++++++-
2 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 76cfce207..eaa8b62a6 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -1906,6 +1906,7 @@ struct sdap_x_deref_search_state {
struct sdap_attr_map_info *maps;
LDAPControl **ctrls;
struct sdap_options *opts;
+ bool ldap_ignore_unreadable_references;
struct sdap_deref_reply dreply;
int num_maps;
@@ -1940,6 +1941,9 @@ sdap_x_deref_search_send(TALLOC_CTX *memctx, struct tevent_context *ev,
talloc_set_destructor((TALLOC_CTX *) state->ctrls,
sdap_x_deref_search_ctrls_destructor);
+ state->ldap_ignore_unreadable_references = dp_opt_get_bool(opts->basic,
+ SDAP_IGNORE_UNREADABLE_REFERENCES);
+
ret = sdap_x_deref_create_control(sh, deref_attr,
attrs, &state->ctrls[0]);
if (ret != EOK) {
@@ -2079,6 +2083,13 @@ static errno_t sdap_x_deref_parse_entry(struct sdap_handle *sh,
ret = EOK;
done:
+ if (ret != EOK && ret != ENOMEM) {
+ if (state->ldap_ignore_unreadable_references) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Ignoring unreadable reference\n");
+ ret = EOK;
+ }
+ }
+
talloc_zfree(tmp_ctx);
ldap_controls_free(ctrls);
ldap_derefresponse_free(deref_res);
@@ -2328,6 +2339,7 @@ struct sdap_asq_search_state {
int num_maps;
LDAPControl **ctrls;
struct sdap_options *opts;
+ bool ldap_ignore_unreadable_references;
struct sdap_deref_reply dreply;
};
@@ -2367,6 +2379,9 @@ sdap_asq_search_send(TALLOC_CTX *memctx, struct tevent_context *ev,
talloc_set_destructor((TALLOC_CTX *) state->ctrls,
sdap_asq_search_ctrls_destructor);
+ state->ldap_ignore_unreadable_references = dp_opt_get_bool(opts->basic,
+ SDAP_IGNORE_UNREADABLE_REFERENCES);
+
ret = sdap_asq_search_create_control(sh, deref_attr, &state->ctrls[0]);
if (ret != EOK) {
talloc_zfree(req);
@@ -2441,7 +2456,7 @@ static errno_t sdap_asq_search_parse_entry(struct sdap_handle *sh,
int num_attrs;
struct sdap_deref_attrs **res;
char *tmp;
- char *dn;
+ char *dn = NULL;
TALLOC_CTX *tmp_ctx;
bool disable_range_rtrvl;
@@ -2532,6 +2547,13 @@ static errno_t sdap_asq_search_parse_entry(struct sdap_handle *sh,
ret = EOK;
done:
+ if (ret != EOK && ret != ENOMEM) {
+ if (state->ldap_ignore_unreadable_references) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Ignoring unreadable reference [%s]\n",
+ dn != NULL ? dn : "(null)");
+ ret = EOK;
+ }
+ }
talloc_zfree(tmp_ctx);
return ret;
}
diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
index 055de29ca..0a69e96f4 100644
--- a/src/providers/ldap/sdap_async_nested_groups.c
+++ b/src/providers/ldap/sdap_async_nested_groups.c
@@ -1352,6 +1352,7 @@ struct sdap_nested_group_single_state {
struct sysdb_attrs **nested_groups;
int num_groups;
+ bool ignore_unreadable_references;
};
static errno_t sdap_nested_group_single_step(struct tevent_req *req);
@@ -1392,6 +1393,8 @@ sdap_nested_group_single_send(TALLOC_CTX *mem_ctx,
goto immediately;
}
state->num_groups = 0; /* we will count exact number of the groups */
+ state->ignore_unreadable_references = dp_opt_get_bool(
+ group_ctx->opts->basic, SDAP_IGNORE_UNREADABLE_REFERENCES);
/* process each member individually */
ret = sdap_nested_group_single_step(req);
@@ -1557,7 +1560,15 @@ sdap_nested_group_single_step_process(struct tevent_req *subreq)
break;
case SDAP_NESTED_GROUP_DN_UNKNOWN:
- /* not found in users nor nested_groups, continue */
+ if (state->ignore_unreadable_references) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Ignoring unreadable reference [%s]\n",
+ state->current_member->dn);
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "Unknown entry type [%s]!\n",
+ state->current_member->dn);
+ ret = EINVAL;
+ goto done;
+ }
break;
}
--
2.35.1
From 73ccfd2c605363572d54d6cad949d18913803843 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 1 Feb 2022 18:10:23 +0100
Subject: [PATCH 4/4] Tests: Add a test for the
ldap_ignore_unreadable_references parameter
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 57d6af2f292c02327e4edd9070d05191c9992d13)
---
src/tests/intg/test_pysss_nss_idmap.py | 52 +++++++++++++++++++++++++-
1 file changed, 50 insertions(+), 2 deletions(-)
diff --git a/src/tests/intg/test_pysss_nss_idmap.py b/src/tests/intg/test_pysss_nss_idmap.py
index 735994d0c..4c6cd9000 100644
--- a/src/tests/intg/test_pysss_nss_idmap.py
+++ b/src/tests/intg/test_pysss_nss_idmap.py
@@ -61,8 +61,13 @@ def ldap_conn(request, ad_inst):
return ldap_conn
-def format_basic_conf(ldap_conn):
+def format_basic_conf(ldap_conn, ignore_unreadable_refs):
"""Format a basic SSSD configuration"""
+
+ ignore_unreadable_refs_conf = "false"
+ if ignore_unreadable_refs:
+ ignore_unreadable_refs_conf = "true"
+
return unindent("""\
[sssd]
domains = FakeAD
@@ -90,6 +95,8 @@ def format_basic_conf(ldap_conn):
ldap_id_mapping = true
ldap_idmap_default_domain_sid = S-1-5-21-1305200397-2901131868-73388776
case_sensitive = False
+
+ ldap_ignore_unreadable_references = {ignore_unreadable_refs_conf}
""").format(**locals())
@@ -194,7 +201,7 @@ def sysdb_sed_domainid(domain_name, doamin_id):
@pytest.fixture
def simple_ad(request, ldap_conn):
- conf = format_basic_conf(ldap_conn)
+ conf = format_basic_conf(ldap_conn, ignore_unreadable_refs=False)
sysdb_sed_domainid("FakeAD", "S-1-5-21-1305200397-2901131868-73388776")
create_conf_fixture(request, conf)
@@ -288,3 +295,44 @@ def test_case_insensitive(ldap_conn, simple_ad):
output = pysss_nss_idmap.getnamebysid(group_sid)[group_sid]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.NAME_KEY] == group.lower()
+
+
+@pytest.fixture
+def simple_ad_ignore_unrdbl_refs(request, ldap_conn):
+ conf = format_basic_conf(ldap_conn, ignore_unreadable_refs=True)
+ sysdb_sed_domainid("FakeAD", "S-1-5-21-1305200397-2901131868-73388776")
+
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_ignore_unreadable_references(ldap_conn, simple_ad_ignore_unrdbl_refs):
+ group = 'group3_dom1-17775'
+ group_id = grp.getgrnam(group).gr_gid
+ group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82764'
+
+ output = pysss_nss_idmap.getsidbyname(group)[group]
+ assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
+ assert output[pysss_nss_idmap.SID_KEY] == group_sid
+
+ output = pysss_nss_idmap.getsidbyid(group_id)[group_id]
+ assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
+ assert output[pysss_nss_idmap.SID_KEY] == group_sid
+
+ output = pysss_nss_idmap.getidbysid(group_sid)[group_sid]
+ assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
+ assert output[pysss_nss_idmap.ID_KEY] == group_id
+
+ output = pysss_nss_idmap.getnamebysid(group_sid)[group_sid]
+ assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
+ assert output[pysss_nss_idmap.NAME_KEY] == group
+
+
+def test_no_ignore_unreadable_references(ldap_conn, simple_ad):
+ group = 'group3_dom1-17775'
+
+ # This group has a member attribute referencing to a user in other
+ # domain
+ with pytest.raises(KeyError):
+ grp.getgrnam(group)
--
2.35.1
