File 0001-ldap-ignore-unreadable-references.patch of Package sssd.29965
From fd3525be591937e24cb4f3b737238c963e39e37f Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 1 Feb 2022 13:14:41 +0100
Subject: [PATCH 1/4] Tests: Use group1_dom1-19661 in test_pysss_nss_idmap.py
The group3_dom1-17775 group has a member referencing a user in a
different domain, which will make the test fail in the following
commits.
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit b67caf27b1fd147358c0d429456e9b0b6d74e718)
---
src/tests/intg/test_pysss_nss_idmap.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/tests/intg/test_pysss_nss_idmap.py b/src/tests/intg/test_pysss_nss_idmap.py
index 89d4ecc08..0dc197276 100644
--- a/src/tests/intg/test_pysss_nss_idmap.py
+++ b/src/tests/intg/test_pysss_nss_idmap.py
@@ -233,9 +233,9 @@ def test_user_operations(ldap_conn, simple_ad):
def test_group_operations(ldap_conn, simple_ad):
- group = 'group3_dom1-17775'
+ group = 'group1_dom1-19661'
group_id = grp.getgrnam(group).gr_gid
- group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82764'
+ group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82810'
output = pysss_nss_idmap.getsidbyname(group)[group]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
--
2.35.1
From df6fe08d2fe5190b1c1ae73595945e9308bb8f4e Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 1 Dec 2021 11:17:23 +0100
Subject: [PATCH 2/4] SDAP: Add 'ldap_ignore_unreadable_references' parameter
When resolving a group using the AD provider it may happen sssd doesn't
have permissions to read the entry referenced in the 'member' attribute,
for example when the entry is located under a restricted LDAP sub-tree
for security reasons.
In this scenario, the sssd behavior is not consistent and depends on the
ldap_deref_threshold parameter, that controls if an attribute scoped
query (ASQ) will be used or if the group members will be searched
individually. If an ASQ operation is issued, the operation will fail
because the referenced entry can't be parsed and this can
lead to missing groups and makes impossible to use the group in simple
access provider. On the other hand, when the group members are looked
up individually sssd just ignores the unreadable entry.
This patch adds a new parameter 'ldap_ignore_unreadable_references' to
control if the current operation will fail when an unreadable entry is
found or the entry will be ignored, regardless if sssd issued an ASQ or
the members are looked up individually.
The issue can be replicated deploying this AD setup:
CN=users,DC=aforest,DC=ad
CN=g1,CN=users,DC=aforest,DC=ad
member: CN=g2,CN=users,DC=aforest,DC=ad
member: CN=g3,CN=users,DC=aforest,DC=ad
member: CN=g4,CN=users,DC=aforest,DC=ad
member: CN=g5,CN=users,DC=aforest,DC=ad
member: CN=user1,CN=users,DC=aforest,DC=ad
CN=g2,CN=users,DC=aforest,DC=ad
member: CN=g3,CN=users,DC=aforest,DC=ad
member: CN=g4,CN=users,DC=aforest,DC=ad
member: CN=g5,CN=users,DC=aforest,DC=ad
member: CN=user2,CN=users,DC=aforest,DC=ad
memberOf: CN=g1,CN=users,DC=aforest,DC=ad
CN=g3,CN=users,DC=aforest,DC=ad <-- Deny access to sssd account
member: CN=g4,CN=users,DC=aforest,DC=ad
member: CN=g5,CN=users,DC=aforest,DC=ad
member: CN=user3,CN=users,DC=aforest,DC=ad
memberOf: CN=g2,CN=users,DC=aforest,DC=ad
memberOf: CN=g1,CN=users,DC=aforest,DC=ad
CN=g4,CN=users,DC=aforest,DC=ad
member: CN=g5,CN=users,DC=aforest,DC=ad
member: CN=user5,CN=users,DC=aforest,DC=ad
memberOf: CN=g3,CN=users,DC=aforest,DC=ad
memberOf: CN=g2,CN=users,DC=aforest,DC=ad
memberOf: CN=g1,CN=users,DC=aforest,DC=ad
CN=g5,CN=users,DC=aforest,DC=ad
member: CN=user5,CN=users,DC=aforest,DC=ad
memberOf: CN=g4,CN=users,DC=aforest,DC=ad
memberOf: CN=g3,CN=users,DC=aforest,DC=ad
memberOf: CN=g2,CN=users,DC=aforest,DC=ad
memberOf: CN=g1,CN=users,DC=aforest,DC=ad
CN=user1,CN=users,DC=aforest,DC=ad
memberOf: CN=g1,CN=users,DC=aforest,DC=ad
CN=user2,CN=users,DC=aforest,DC=ad
memberOf: CN=g2,CN=users,DC=aforest,DC=ad
CN=user3,CN=users,DC=aforest,DC=ad
memberOf: CN=g3,CN=users,DC=aforest,DC=ad
CN=user4,CN=users,DC=aforest,DC=ad
memberOf: CN=g4,CN=users,DC=aforest,DC=ad
CN=user5,CN=users,DC=aforest,DC=ad
memberOf: CN=g5,CN=users,DC=aforest,DC=ad
And using this sssd.conf
-------------------------------------------------------------------------------
[sssd]
config_file_version = 2
services = nss, pam
domains = aforest.ad
[nss]
[pam]
[domain/aforest.ad]
auth_provider = ad
id_provider = ad
access_provider = simple
simple_allow_groups = g1
ldap_deref_threshold = 1
debug_level = 10
-------------------------------------------------------------------------------
In this setup sssd can't resolve group 'g1' because it fails parsing one
of the referenced members, 'g3':
$> getent group g1
No output.
$> id user5
uid=1862001108(user5) gid=1862000513(domain users) groups=1862000513(domain users),1862001111,18620011
When the group is used to filter access it does not work:
...
[simple_access_check_send] (0x0200): [RID#7] Simple access check for user1@aforest.ad
...
[simple_check_get_groups_send] (0x0400): [RID#7] Need to resolve 3 groups
[sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [(&(objectSID=S-1-5-21-3230
...
[sdap_nested_group_hash_insert] (0x4000): [RID#8] Inserting [CN=g1,CN=Users,DC=aforest,DC=ad] into has
[sdap_nested_group_process_send] (0x2000): [RID#8] About to process group [CN=g1,CN=Users,DC=aforest,D
...
[sdap_nested_group_process_send] (0x0400): [RID#8] More members were missing than the deref threshold
[sdap_nested_group_process_send] (0x2000): [RID#8] Looking up 2/5 members of group [CN=g1,CN=Users,DC=
[sdap_nested_group_process_send] (0x2000): [RID#8] Dereferencing members of group [CN=g1,CN=Users,DC=a
[sdap_deref_search_send] (0x2000): [RID#8] Server supports ASQ
[sdap_asq_search_send] (0x0400): [RID#8] Dereferencing entry [CN=g1,CN=Users,DC=aforest,DC=ad] using A
...
[sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [no filter][CN=g1,CN=Users,
...
[sdap_process_message] (0x4000): [RID#8] Message type: [LDAP_RES_SEARCH_ENTRY]
[sdap_asq_search_parse_entry] (0x0040): [RID#8] Unknown entry type, no objectClass found for DN [CN=g3
[sdap_get_generic_op_finished] (0x0020): [RID#8] reply parsing callback failed.
[sdap_op_destructor] (0x1000): [RID#8] Abandoning operation 3
[generic_ext_search_handler] (0x0020): [RID#8] sdap_get_generic_ext_recv request failed: [22]: Invalid
[sdap_deref_search_done] (0x0040): [RID#8] dereference processing failed [22]: Invalid argument
[sdap_nested_group_deref_direct_done] (0x0020): [RID#8] Error processing direct membership [22]: Inval
[sdap_nested_done] (0x0020): [RID#8] Nested group processing failed: [22][Invalid argument]
...
[simple_resolve_group_done] (0x0080): [RID#8] Cannot refresh data from DP: 3,0: Group lookup failed
...
[simple_check_get_groups_next] (0x2000): [RID#9] All groups resolved. Done.
[simple_access_check_done] (0x0040): [RID#9] Could not collect groups of user user1@aforest.ad
[simple_access_check_done] (0x0400): [RID#9] But no deny groups were defined so we can continue.
[simple_check_groups] (0x4000): [RID#9] Checking against allow list group name [g1@aforest.ad].
[simple_access_check_done] (0x2000): [RID#9] Group check done
[simple_access_check_recv] (0x1000): [RID#9] Access not granted
...
Resolves: https://github.com/SSSD/sssd/issues/4893
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 941418f436bbd3ce8bf7f70f4f0c872770869841)
---
src/config/SSSDConfig/sssdoptions.py | 1 +
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.d/sssd-ldap.conf | 1 +
src/man/sssd-ldap.5.xml | 23 +++++++++++++++++++++++
src/providers/ad/ad_opts.c | 1 +
src/providers/ipa/ipa_opts.c | 1 +
src/providers/ldap/ldap_opts.c | 1 +
src/providers/ldap/sdap.h | 1 +
8 files changed, 30 insertions(+)
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
index c4ce2588b..46b0ef2ae 100644
--- a/src/config/SSSDConfig/sssdoptions.py
+++ b/src/config/SSSDConfig/sssdoptions.py
@@ -390,6 +390,7 @@ class SSSDOptions(object):
'ldap_dns_service_name': _('Service name for DNS service lookups'),
'ldap_page_size': _('The number of records to retrieve in a single LDAP query'),
'ldap_deref_threshold': _('The number of members that must be missing to trigger a full deref'),
+ 'ldap_ignore_unreadable_references': _('Ignore unreadable LDAP references'),
'ldap_sasl_canonicalize': _('Whether the LDAP library should perform a reverse lookup to canonicalize the '
'host name during a SASL bind'),
'ldap_rfc2307_fallback_to_local_users': _('Allows to retain local users as members of an LDAP group for '
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 0a3c32a97..e74738e2e 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -673,6 +673,7 @@ option = ldap_default_authtok_type
option = ldap_default_bind_dn
option = ldap_deref
option = ldap_deref_threshold
+option = ldap_ignore_unreadable_references
option = ldap_disable_paging
option = ldap_disable_range_retrieval
option = ldap_dns_service_name
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 1945d6552..8800825c8 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -33,6 +33,7 @@ ldap_dns_service_name = str, None, false
ldap_deref = str, None, false
ldap_page_size = int, None, false
ldap_deref_threshold = int, None, false
+ldap_ignore_unreadable_references = bool, None, false
ldap_sasl_canonicalize = bool, None, false
ldap_sasl_minssf = int, None, false
ldap_sasl_maxssf = int, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 436350b1c..1565341c4 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -686,6 +686,29 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>ldap_ignore_unreadable_references (bool)</term>
+ <listitem>
+ <para>
+ Ignore unreadable LDAP entries referenced in
+ group's member attribute. If this parameter is set
+ to false an error will be returned and the
+ operation will fail instead of just ignoring the
+ unreadable entry.
+ </para>
+ <para>
+ This parameter may be useful when using the AD
+ provider and the computer account that sssd uses
+ to connect to AD does not have access to a
+ particular entry or LDAP sub-tree for security
+ reasons.
+ </para>
+ <para>
+ Default: False
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>ldap_tls_reqcert (string)</term>
<listitem>
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index 2ab45df20..c3b39ec0f 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -144,6 +144,7 @@ struct dp_option ad_def_ldap_opts[] = {
{ "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER },
{ "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
+ { "ldap_ignore_unreadable_references", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER },
{ "ldap_connection_expire_offset", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c
index 09e360a43..64f9200ae 100644
--- a/src/providers/ipa/ipa_opts.c
+++ b/src/providers/ipa/ipa_opts.c
@@ -150,6 +150,7 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER },
{ "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
+ { "ldap_ignore_unreadable_references", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER },
{ "ldap_connection_expire_offset", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c
index 46f5ec026..e2c5cb501 100644
--- a/src/providers/ldap/ldap_opts.c
+++ b/src/providers/ldap/ldap_opts.c
@@ -111,6 +111,7 @@ struct dp_option default_basic_opts[] = {
{ "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER },
{ "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
+ { "ldap_ignore_unreadable_references", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER },
{ "ldap_connection_expire_offset", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index ffcbee8a5..774704d8b 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -224,6 +224,7 @@ enum sdap_basic_opt {
SDAP_DISABLE_AUTH_TLS,
SDAP_PAGE_SIZE,
SDAP_DEREF_THRESHOLD,
+ SDAP_IGNORE_UNREADABLE_REFERENCES,
SDAP_SASL_CANONICALIZE,
SDAP_EXPIRE_TIMEOUT,
SDAP_EXPIRE_OFFSET,
--
2.35.1
From dea1dd9eaf9969439578b9f92c5c927bce32345c Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 1 Dec 2021 11:36:01 +0100
Subject: [PATCH 3/4] SDAP: Honor ldap_ignore_unreadable_references parameter
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 5c7fb41f3f1f4b1a1bbf7ddcb3d5b123ade0becb)
---
src/providers/ldap/sdap_async.c | 24 ++++++++++++++++++-
src/providers/ldap/sdap_async_nested_groups.c | 13 +++++++++-
2 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index da5470549..11afcdd3e 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -2070,6 +2070,7 @@ struct sdap_x_deref_search_state {
struct sdap_attr_map_info *maps;
LDAPControl **ctrls;
struct sdap_options *opts;
+ bool ldap_ignore_unreadable_references;
struct sdap_deref_reply dreply;
int num_maps;
@@ -2104,6 +2105,9 @@ sdap_x_deref_search_send(TALLOC_CTX *memctx, struct tevent_context *ev,
talloc_set_destructor((TALLOC_CTX *) state->ctrls,
sdap_x_deref_search_ctrls_destructor);
+ state->ldap_ignore_unreadable_references = dp_opt_get_bool(opts->basic,
+ SDAP_IGNORE_UNREADABLE_REFERENCES);
+
ret = sdap_x_deref_create_control(sh, deref_attr,
attrs, &state->ctrls[0]);
if (ret != EOK) {
@@ -2243,6 +2247,13 @@ static errno_t sdap_x_deref_parse_entry(struct sdap_handle *sh,
ret = EOK;
done:
+ if (ret != EOK && ret != ENOMEM) {
+ if (state->ldap_ignore_unreadable_references) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Ignoring unreadable reference\n");
+ ret = EOK;
+ }
+ }
+
talloc_zfree(tmp_ctx);
ldap_controls_free(ctrls);
ldap_derefresponse_free(deref_res);
@@ -2500,6 +2511,7 @@ struct sdap_asq_search_state {
int num_maps;
LDAPControl **ctrls;
struct sdap_options *opts;
+ bool ldap_ignore_unreadable_references;
struct sdap_deref_reply dreply;
};
@@ -2539,6 +2551,9 @@ sdap_asq_search_send(TALLOC_CTX *memctx, struct tevent_context *ev,
talloc_set_destructor((TALLOC_CTX *) state->ctrls,
sdap_asq_search_ctrls_destructor);
+ state->ldap_ignore_unreadable_references = dp_opt_get_bool(opts->basic,
+ SDAP_IGNORE_UNREADABLE_REFERENCES);
+
ret = sdap_asq_search_create_control(sh, deref_attr, &state->ctrls[0]);
if (ret != EOK) {
talloc_zfree(req);
@@ -2613,7 +2628,7 @@ static errno_t sdap_asq_search_parse_entry(struct sdap_handle *sh,
int num_attrs;
struct sdap_deref_attrs **res;
char *tmp;
- char *dn;
+ char *dn = NULL;
TALLOC_CTX *tmp_ctx;
bool disable_range_rtrvl;
@@ -2704,6 +2719,13 @@ static errno_t sdap_asq_search_parse_entry(struct sdap_handle *sh,
ret = EOK;
done:
+ if (ret != EOK && ret != ENOMEM) {
+ if (state->ldap_ignore_unreadable_references) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Ignoring unreadable reference [%s]\n",
+ dn != NULL ? dn : "(null)");
+ ret = EOK;
+ }
+ }
talloc_zfree(tmp_ctx);
return ret;
}
diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
index 2570a00bb..3c69832ee 100644
--- a/src/providers/ldap/sdap_async_nested_groups.c
+++ b/src/providers/ldap/sdap_async_nested_groups.c
@@ -1355,6 +1355,7 @@ struct sdap_nested_group_single_state {
struct sysdb_attrs **nested_groups;
int num_groups;
+ bool ignore_unreadable_references;
};
static errno_t sdap_nested_group_single_step(struct tevent_req *req);
@@ -1395,6 +1396,8 @@ sdap_nested_group_single_send(TALLOC_CTX *mem_ctx,
goto immediately;
}
state->num_groups = 0; /* we will count exact number of the groups */
+ state->ignore_unreadable_references = dp_opt_get_bool(
+ group_ctx->opts->basic, SDAP_IGNORE_UNREADABLE_REFERENCES);
/* process each member individually */
ret = sdap_nested_group_single_step(req);
@@ -1573,7 +1576,15 @@ sdap_nested_group_single_step_process(struct tevent_req *subreq)
break;
case SDAP_NESTED_GROUP_DN_UNKNOWN:
- /* not found in users nor nested_groups, continue */
+ if (state->ignore_unreadable_references) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Ignoring unreadable reference [%s]\n",
+ state->current_member->dn);
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "Unknown entry type [%s]!\n",
+ state->current_member->dn);
+ ret = EINVAL;
+ goto done;
+ }
break;
}
--
2.35.1
From 076589da4686585280dafe301c0930703ec4895f Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 1 Feb 2022 18:10:23 +0100
Subject: [PATCH 4/4] Tests: Add a test for the
ldap_ignore_unreadable_references parameter
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 57d6af2f292c02327e4edd9070d05191c9992d13)
---
src/tests/intg/test_pysss_nss_idmap.py | 59 +++++++++++++++++++++++++-
1 file changed, 57 insertions(+), 2 deletions(-)
diff --git a/src/tests/intg/test_pysss_nss_idmap.py b/src/tests/intg/test_pysss_nss_idmap.py
index 0dc197276..01fe3783a 100644
--- a/src/tests/intg/test_pysss_nss_idmap.py
+++ b/src/tests/intg/test_pysss_nss_idmap.py
@@ -62,8 +62,13 @@ def ldap_conn(request, ad_inst):
return ldap_conn
-def format_basic_conf(ldap_conn):
+def format_basic_conf(ldap_conn, ignore_unreadable_refs):
"""Format a basic SSSD configuration"""
+
+ ignore_unreadable_refs_conf = "false"
+ if ignore_unreadable_refs:
+ ignore_unreadable_refs_conf = "true"
+
return unindent("""\
[sssd]
domains = FakeAD
@@ -91,6 +96,8 @@ def format_basic_conf(ldap_conn):
ldap_id_mapping = true
ldap_idmap_default_domain_sid = S-1-5-21-1305200397-2901131868-73388776
case_sensitive = False
+
+ ldap_ignore_unreadable_references = {ignore_unreadable_refs_conf}
""").format(**locals())
@@ -195,7 +202,7 @@ def sysdb_sed_domainid(domain_name, domain_id):
@pytest.fixture
def simple_ad(request, ldap_conn):
- conf = format_basic_conf(ldap_conn)
+ conf = format_basic_conf(ldap_conn, ignore_unreadable_refs=False)
sysdb_sed_domainid("FakeAD", "S-1-5-21-1305200397-2901131868-73388776")
create_conf_fixture(request, conf)
@@ -289,3 +296,51 @@ def test_case_insensitive(ldap_conn, simple_ad):
output = pysss_nss_idmap.getnamebysid(group_sid)[group_sid]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.NAME_KEY] == group.lower()
+
+
+@pytest.fixture
+def simple_ad_ignore_unrdbl_refs(request, ldap_conn):
+ conf = format_basic_conf(ldap_conn, ignore_unreadable_refs=True)
+ sysdb_sed_domainid("FakeAD", "S-1-5-21-1305200397-2901131868-73388776")
+
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_ignore_unreadable_references(ldap_conn, simple_ad_ignore_unrdbl_refs):
+ group = 'group3_dom1-17775'
+ group_id = grp.getgrnam(group).gr_gid
+ group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82764'
+
+ output = pysss_nss_idmap.getsidbyname(group)[group]
+ assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
+ assert output[pysss_nss_idmap.SID_KEY] == group_sid
+
+ output = pysss_nss_idmap.getsidbyid(group_id)[group_id]
+ assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
+ assert output[pysss_nss_idmap.SID_KEY] == group_sid
+
+ output = pysss_nss_idmap.getsidbygid(group_id)[group_id]
+ assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
+ assert output[pysss_nss_idmap.SID_KEY] == group_sid
+
+ output = pysss_nss_idmap.getsidbyuid(group_id)
+ assert len(output) == 0
+
+ output = pysss_nss_idmap.getidbysid(group_sid)[group_sid]
+ assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
+ assert output[pysss_nss_idmap.ID_KEY] == group_id
+
+ output = pysss_nss_idmap.getnamebysid(group_sid)[group_sid]
+ assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
+ assert output[pysss_nss_idmap.NAME_KEY] == group
+
+
+def test_no_ignore_unreadable_references(ldap_conn, simple_ad):
+ group = 'group3_dom1-17775'
+
+ # This group has a member attribute referencing to a user in other
+ # domain
+ with pytest.raises(KeyError):
+ grp.getgrnam(group)
--
2.35.1
