On Thu, Nov 28, 2013 at 05:55:44PM +0100, Sumit Bose wrote:
> On Wed, Nov 27, 2013 at 02:50:35PM +0100, Jakub Hrozek wrote:
> > On Tue, Nov 26, 2013 at 11:51:41AM +0100, Sumit Bose wrote:
> > > Hi,
> > >
> > > Steeve found some issues when testing sss_cache with sub-domain users.
> > > This was originally fixed in https://fedorahosted.org/sssd/ticket/1741
> > > but I guess recent changes have broken it again.
> > >
> > > I have tested the patches with users and groups. It would be nice if
> > > someone with a suitable environment can test them for the other object
> > > types as well.
> > >
> > > bye,
> > > Sumit
> >
> > Hi,
> >
> > during testing I found out that there is a difference in how we store
> > the nameAlias attribute for subdomain users retrieved with the extended
> > operation to IPA and subdomain users that are stored with the LDAP
> > provider.
> >
> > The IPA subdomain users have the whole alias lowercased (so typically
> > [email protected]) while the LDAP users have only the name component
> > lowercased ([email protected]). Currently sss_cache only works with the
> > latter.
> >
> > As discussed on IRC, we should pick one scheme and use it, ideally with
> > some helper function.
>
> I added two new patches to fix this. 0003 adds a new call to add a lower
> case alias name to a sysdb_attrs struct and 0004 replaces current code
> with the new call.
>
> bye,
> Sumit
After testing the patches I think the issue is a bit more complex. I hope I can explain the problem clearly.

We can only consider subdomain users and hence FQDN lookups for the problem. In the responder code, the lookup will be performed for user@DOMAIN_NAME, where DOMAIN_NAME is exactly the same case as the domain name in the confdb. So unfortunately lowercasing the whole alias won't work unless the responder FQDN lookups are lowercased as well.

I was wondering a bit why the lookups for users on IPA clients (fetched with extop) worked and it turns out we matched their name attribute, not the alias. This is how the user entry looks now with git HEAD:

    dn: [email protected],cn=users,cn=WIN.EXAMPLE.COM,cn=sysdb
    name: [email protected]
    nameAlias: [email protected]

so the nameAlias can only be matched with a lowercased sssd domain; in my case, the name attribute is matched. IIRC the reason even the name is lowercased and not original is a bug in winbind we tried to work around.

In IPA server mode the same user entry looks like this with git HEAD:

    dn: [email protected],cn=users,cn=WIN.EXAMPLE.COM,cn=sysdb
    name: [email protected]
    nameAlias: [email protected]

So here the nameAlias is matched by the responder. The patches changed that to:

    dn: [email protected],cn=users,cn=WIN.EXAMPLE.COM,cn=sysdb
    name: [email protected]
    nameAlias: [email protected]

So neither name nor alias matched.

I'm not sure what the best way to fix the inconsistency would be. I think the way subdomain users are stored with the AD backend makes more sense to me because the original name as stored on the server is kept in the name attribute and the alias is matched on lookups. But the way extop users are stored might be fine as well; we don't seem to be using the original version of the name at the moment.

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
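The mismatch Jakub describes, modelled as an added illustration that is not SSSD code and not part of the thread: the storage schemes, the user name, the domain and the lookup rule (name component lowercased, domain in confdb case, exact string comparison against name and then nameAlias) are constructed assumptions that mirror the description above.

```python
# Added illustration of how a responder FQDN lookup matches a cached
# sub-domain user under the alias schemes described in the thread.
# Not SSSD code: user, domain, schemes and the lookup rule are constructed.

CONFDB_DOMAIN = "WIN.EXAMPLE.COM"  # domain name exactly as written in confdb


def split_fqdn(fqdn):
    """Split 'user@domain' into its two components."""
    user, _, domain = fqdn.partition("@")
    return user, domain


def store_entry(server_name, scheme):
    """Return the (name, nameAlias) pair a backend would write to sysdb.

    server_name is the name as the server returned it (case preserved).
    The schemes are a constructed model of the variants in the thread:
      'name_component' - name kept, alias = lowercased name component plus
                         the confdb domain (LDAP provider / IPA server mode
                         before the patches)
      'extop'          - name = lowercased name component plus confdb domain,
                         alias fully lowercased (IPA client, extop)
      'patched'        - name kept, alias fully lowercased (after the patches)
    """
    user, _ = split_fqdn(server_name)
    lc_user = user.lower()
    alias_confdb = f"{lc_user}@{CONFDB_DOMAIN}"
    if scheme == "name_component":
        return {"name": server_name, "nameAlias": alias_confdb}
    if scheme == "extop":
        return {"name": alias_confdb, "nameAlias": alias_confdb.lower()}
    if scheme == "patched":
        return {"name": server_name, "nameAlias": alias_confdb.lower()}
    raise ValueError(f"unknown scheme {scheme!r}")


def match_lookup(entry, requested_user, lowercase_whole_key=False):
    """Return which attribute a responder lookup hits ('name', 'nameAlias')
    or None when the entry cannot be found.

    The responder asks for user@DOMAIN_NAME with DOMAIN_NAME in confdb case;
    the name component is assumed lowercased (case-insensitive domain).
    lowercase_whole_key models the alternative of lowercasing the whole
    FQDN lookup as well. Matching is an exact string comparison.
    """
    key = f"{requested_user.lower()}@{CONFDB_DOMAIN}"
    if lowercase_whole_key:
        key = key.lower()
    for attr in ("name", "nameAlias"):
        if entry[attr] == key:
            return attr
    return None


if __name__ == "__main__":
    server_name = "Alice@WIN.EXAMPLE.COM"  # constructed sample user
    for scheme in ("name_component", "extop", "patched"):
        entry = store_entry(server_name, scheme)
        print(scheme, entry,
              "lookup:", match_lookup(entry, "Alice"),
              "lowercased lookup:", match_lookup(entry, "Alice", True))
```

Running it shows the three outcomes from the thread: the name-component scheme is found via nameAlias, the extop scheme via name, and the patched scheme via neither, unless the responder lookup is lowercased as a whole, in which case only the fully lowercased aliases match and the name-component scheme stops working. That is the "pick one scheme" problem in miniature.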
