On Tue, Dec 03, 2013 at 02:01:27PM +0100, Jakub Hrozek wrote:
> On Thu, Nov 28, 2013 at 05:55:44PM +0100, Sumit Bose wrote:
> > On Wed, Nov 27, 2013 at 02:50:35PM +0100, Jakub Hrozek wrote:
> > > On Tue, Nov 26, 2013 at 11:51:41AM +0100, Sumit Bose wrote:
> > > > Hi,
> > > >
> > > > Steeve found some issues when testing sss_cache with sub-domain users.
> > > > This was originally fixed in https://fedorahosted.org/sssd/ticket/1741
> > > > but I guess recent changes have broken it again.
> > > >
> > > > I have tested the patches with users and groups. It would be nice if
> > > > someone with a suitable environment can test them for the other object
> > > > types as well.
> > > >
> > > > bye,
> > > > Sumit
> > >
> > > Hi,
> > >
> > > during testing I found out that there is a difference in how we store
> > > the nameAlias attribute for subdomain users retrieved with the extended
> > > operation to IPA and subdomain users that are stored with the LDAP
> > > provider.
> > >
> > > The IPA subdomain users have the whole alias lowercased (so typically
> > > [email protected]) while the LDAP users have only the name component
> > > lowercased ([email protected]). Currently sss_cache only works with the
> > > latter.
> > >
> > > As discussed on IRC, we should pick one scheme and use it, ideally with
> > > some helper function.
> >
> > I added two new patches to fix this. 0003 adds a new call to add a lower
> > case alias name to a sysdb_attrs struct and 0004 replaces current code
> > with the new call.
> >
> > bye,
> > Sumit
>
> After testing the patches I think the issue is a bit more complex. I
> hope I can explain the problem clearly. We can only consider subdomain
> users and hence FQDN lookups for the problem.
>
> In the responder code, the lookup will be performed for user@DOMAIN_NAME,
> where DOMAIN_NAME is exactly the same case as the domain name in the confdb.
> So unfortunately lowercasing the whole alias won't work
> unless the responder FQDN lookups are lowercased as well.
>
> I was wondering a bit why the lookups for users on IPA clients
> (fetched with extop) worked and it turns out we matched their name
> attribute, not alias. This is how the user entry looks now with git
> HEAD:
>
> dn: [email protected],cn=users,cn=WIN.EXAMPLE.COM,cn=sysdb
> name: [email protected]
> nameAlias: [email protected]
>
> so the nameAlias can only be matched with a lowercased sssd domain; in my
> case, the name attribute is matched. IIRC the reason even the name is
> lowercased and not original is a bug in winbind we tried to work
> around..
>
> In IPA server mode the same user entry looks like this with git HEAD:
>
> dn: [email protected],cn=users,cn=WIN.EXAMPLE.COM,cn=sysdb
> name: [email protected]
> nameAlias: [email protected]
>
> So here the nameAlias is matched by the responder.
>
> The patches changed that to:
>
> dn: [email protected],cn=users,cn=WIN.EXAMPLE.COM,cn=sysdb
> name: [email protected]
> nameAlias: [email protected]
>
> So neither name nor alias matched.
>
> I'm not sure what the best way to fix the inconsistency would be. I
> think the way subdomain users are stored with the AD backend makes more
> sense to me because the original name as stored on the server is kept in
> the name attribute and the alias is matched on lookups. But the way
> extop users are stored might be fine as well, we don't seem to be using
> the original version of the name at the moment.

The users coming from extdom are always lower-cased because winbind will
return them in lower-case most of the time and winbind was feeding the
extdom plugin before we had ipa-server-mode. I say 'most of the time'
because there was a bug in some versions of winbind where the original
name was returned. Since the information from the extdom plugin has to be
extended with the group information from the PAC I thought the easiest
way to find the right user is to always use lower-case names here, which
will always work because AD is case-insensitive.

But if we can make sure that nameAlias is handled consistently I do not
have any objections to using the name which is returned from the server
without making it lower-case explicitly.

About the case of the domain in nameAlias. As long as nameAlias is used
only inside the sssd process the case does not matter much because I
think the domain name is always taken from the name member of the
sss_domain_info struct (and if it is not the case it can easily be
converted). Nevertheless I find it a bit counter-intuitive to have a
mixed-case name in nameAlias to search for a case-insensitive name, so I
would prefer to change the responder. Since sss_parse_name_for_domains()
makes a case-insensitive comparison of the domain name as well, we do not
have a chance to support case-sensitive domain names.

bye,
Sumit

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
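The lookup mechanics discussed in the thread, as an added example written for this page (it is not sssd code and does not use sssd's API): a responder-side FQDN key is built from the user part and the confdb domain name, then compared exactly against the name and nameAlias attributes of a cached entry. The entries, the confdb domain case (upper case here), the exact-match semantics of the cache comparison, and every function name below are assumptions constructed for the demo; the three sample entries mirror the three storage shapes described above rather than reproducing the redacted values from the mails.

```c
/* Added example, not sssd code: models the responder FQDN key and the
 * name/nameAlias match under the storage shapes described in the thread.
 * All names and sample values are hypothetical and constructed here. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define KEY_MAX 256

struct user_entry {
    const char *name;        /* the "name" attribute */
    const char *name_alias;  /* the "nameAlias" attribute, may be NULL */
};

/* Copy s into out (out_size bytes), lowercasing every byte. */
void lowercase_copy(char *out, size_t out_size, const char *s)
{
    size_t i = 0;
    for (; i + 1 < out_size && s[i] != '\0'; i++)
        out[i] = (char) tolower((unsigned char) s[i]);
    out[i] = '\0';
}

/* Case-insensitive equality (avoids a dependency on strcasecmp). */
bool str_ieq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char) *a) != tolower((unsigned char) *b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Split "user@domain"; the domain is accepted only if it equals confdb_domain
 * case-insensitively, as the thread says sss_parse_name_for_domains() does. */
bool split_fqdn(const char *fqdn, const char *confdb_domain,
                char *user_out, size_t user_size)
{
    const char *at = strrchr(fqdn, '@');
    if (at == NULL || !str_ieq(at + 1, confdb_domain))
        return false;
    size_t len = (size_t) (at - fqdn);
    if (len + 1 > user_size)
        return false;
    memcpy(user_out, fqdn, len);
    user_out[len] = '\0';
    return true;
}

/* Current responder behaviour per the thread: lowercase the user part and
 * append the domain exactly as named in confdb. With lowercase_domain set,
 * the whole key is lowercased instead (the responder change Sumit prefers). */
bool build_lookup_key(char *out, size_t out_size, const char *user,
                      const char *confdb_domain, bool lowercase_domain)
{
    char lower_user[KEY_MAX], tmp[KEY_MAX];
    lowercase_copy(lower_user, sizeof(lower_user), user);
    int n = snprintf(tmp, sizeof(tmp), "%s@%s", lower_user, confdb_domain);
    if (n < 0 || (size_t) n >= sizeof(tmp) || (size_t) n >= out_size)
        return false;
    if (lowercase_domain)
        lowercase_copy(out, out_size, tmp);
    else
        memcpy(out, tmp, (size_t) n + 1);
    return true;
}

/* Assumed cache semantics: exact match on name or nameAlias, so the case
 * stored in nameAlias decides whether a lookup hits. */
bool entry_matches(const struct user_entry *e, const char *key)
{
    return strcmp(e->name, key) == 0
        || (e->name_alias != NULL && strcmp(e->name_alias, key) == 0);
}

/* Resolve an FQDN against a table of entries; index of first match or -1. */
int lookup_user(const struct user_entry *entries, size_t count, const char *fqdn,
                const char *confdb_domain, bool lowercase_domain)
{
    char user[KEY_MAX], key[KEY_MAX];
    if (!split_fqdn(fqdn, confdb_domain, user, sizeof(user)))
        return -1;
    if (!build_lookup_key(key, sizeof(key), user, confdb_domain, lowercase_domain))
        return -1;
    for (size_t i = 0; i < count; i++)
        if (entry_matches(&entries[i], key))
            return (int) i;
    return -1;
}

/* Constructed entries, one per storage shape from the thread:
 * 0: extop-client style, name lowercased, alias lowercased throughout
 * 1: AD/LDAP style, original name kept, only the user part of the alias lowercased
 * 2: the 0003/0004 patch form, original name kept, alias lowercased throughout */
const struct user_entry sample_entries[] = {
    { "alice@WIN.EXAMPLE.COM", "alice@win.example.com" },
    { "Bob@WIN.EXAMPLE.COM",   "bob@WIN.EXAMPLE.COM" },
    { "Carol@WIN.EXAMPLE.COM", "carol@win.example.com" },
};
#define SAMPLE_COUNT (sizeof(sample_entries) / sizeof(sample_entries[0]))

int main(void)
{
    const char *confdb_domain = "WIN.EXAMPLE.COM";  /* assumed confdb case */
    const char *queries[] = { "Alice@win.example.com", "BOB@Win.Example.Com",
                              "carol@WIN.EXAMPLE.COM" };
    for (size_t i = 0; i < 3; i++)
        printf("%-22s current key -> %2d   lowercased key -> %2d\n", queries[i],
               lookup_user(sample_entries, SAMPLE_COUNT, queries[i], confdb_domain, false),
               lookup_user(sample_entries, SAMPLE_COUNT, queries[i], confdb_domain, true));
    return 0;
}
```

With the current key (user lowercased, domain in confdb case) the extop-style entry is found through its name and the AD-style entry through its alias, while the patched entry is found through neither, which is the "neither name nor alias matched" outcome. Lowercasing the whole responder key flips that: the patched entry is then found through its alias, but the AD-style entry with the mixed-case alias no longer is, so the responder change and the alias scheme have to be made together.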
