On 09/04/2015 03:24 PM, Petr Cech wrote:
On 09/03/2015 03:45 PM, Sumit Bose wrote:
> I tried both cases. I used only originalMemberOf and I had the right
> hostgroups, no user groups. Then I used only memberOf and I had no
> hostgroups, the right user groups.
>
> So I did a little hack, we could use both memberOf. The patch is
> attached and it works for me.
Hi Petr,

thank you for the patch, I haven't tested it yet. But I think I now
understand the issue better. Currently we store the originalMemberOf
attribute for users and hosts but not for POSIX/user groups (we do not
even read it from LDAP). So an alternative fix might be to add the memberOf
attribute to the list of attributes read from LDAP for POSIX groups and
save the result in originalMemberOf in the cache. Then using only
originalMemberOf should be sufficient for the netgroups lookup.

Would you mind trying this? For a test it should be sufficient to add a
line like

     { "ldap_group_member_of", "memberOf", SYSDB_MEMBEROF, NULL }

to all 'struct sdap_attr_map *_group_map[]' lists and a corresponding
entry to 'enum sdap_group_attrs'.

bye,
Sumit


Hello Sumit,

I tried your alternative way (thanks for it). Patch is attached.
I added some lines like:
#  { "ldap_user_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL }
and it works for me.

I hope that the meaning of this patch is saving the user/POSIX group memberOf
attribute to the originalMemberOf attribute.

Regards,

Petr
And here is the version with the ticket number.
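The coupling Sumit describes above, one row in every group map for each value of the attribute enum, with the extra memberOf row landing in originalMemberOf, as an added example in C. This is not code from SSSD or from this thread: the struct field names are assumptions taken from the four columns visible in the patch, the SYSDB_* strings and both group maps are constructed for illustration, and the real tables and macros live in the sdap headers the patch touches. It shows why a map left out of the change is a problem (the row count no longer matches the enum) and how the added row makes memberOf fan out into two cache attributes.

```c
/* Added example (not SSSD code): a reduced model of the sdap_attr_map
 * tables and the enum that indexes them positionally.  Field names are
 * assumptions based on the four columns visible in the patch; the SYSDB_*
 * strings and both maps below are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct attr_map {
    const char *opt_name;  /* sssd.conf option, e.g. "ldap_group_member_of" */
    const char *def_name;  /* default LDAP attribute; NULL = none unless configured */
    const char *sys_name;  /* cache (sysdb) attribute the value is stored under */
    const char *name;      /* resolved at runtime; NULL in the static table */
};

/* Constructed stand-ins for the SYSDB_* macros named in the patch. */
#define SYSDB_MEMBEROF      "memberOf"
#define SYSDB_ORIG_MEMBEROF "originalMemberOf"

/* Positional index: row i of every group map must be the attribute that enum
 * value i names, which is why each *_group_map[] has to gain the row together
 * with the enum entry. */
enum group_attrs {
    AT_GROUP_NAME = 0,
    AT_GROUP_MEMBER,
    AT_GROUP_MEMBEROF,       /* existing row: memberOf -> memberOf */
    AT_GROUP_ORIG_MEMBEROF,  /* row the thread suggests adding */
    AT_GROUP_COUNT           /* sentinel: rows every group map must have */
};

#define MAP_LEN(m) (sizeof(m) / sizeof((m)[0]))

/* Constructed group map with the suggested row in place. */
static const struct attr_map updated_group_map[] = {
    { "ldap_group_name",      "cn",       "name",              NULL },
    { "ldap_group_member",    "member",   "member",            NULL },
    { "ldap_group_member_of", "memberOf", SYSDB_MEMBEROF,      NULL },
    { "ldap_group_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL },
};

/* Constructed group map that was missed: one row short of the enum. */
static const struct attr_map stale_group_map[] = {
    { "ldap_group_name",      "cn",       "name",              NULL },
    { "ldap_group_member",    "member",   "member",            NULL },
    { "ldap_group_member_of", "memberOf", SYSDB_MEMBEROF,      NULL },
};

/* Compile-time guard (C89-compatible): the build fails if the updated map and
 * the enum disagree on the row count.  Applying it to stale_group_map would
 * stop the build, which is exactly the point. */
typedef char updated_map_matches_enum[MAP_LEN(updated_group_map) == AT_GROUP_COUNT ? 1 : -1];

/* Runtime form of the same check, for a map chosen at runtime. */
int map_aligned(size_t nrows)
{
    return nrows == (size_t)AT_GROUP_COUNT;
}

/* Collect every cache attribute a given LDAP attribute is stored under.
 * Returns how many targets were written to out (at most max). */
int sysdb_targets_for(const struct attr_map *map, size_t nrows,
                      const char *ldap_attr, const char **out, int max)
{
    int n = 0;
    size_t i;
    for (i = 0; i < nrows && n < max; i++) {
        if (map[i].def_name != NULL && strcmp(map[i].def_name, ldap_attr) == 0)
            out[n++] = map[i].sys_name;
    }
    return n;
}

/* How many cache attributes memberOf fans out to: 2 with the added row, 1 without. */
int memberof_fanout(const struct attr_map *map, size_t nrows)
{
    const char *targets[8];
    return sysdb_targets_for(map, nrows, "memberOf", targets, 8);
}

/* The property netgroup resolution depends on per the thread: does this map
 * land memberOf in originalMemberOf at all? */
int stores_orig_memberof(const struct attr_map *map, size_t nrows)
{
    const char *targets[8];
    int n = sysdb_targets_for(map, nrows, "memberOf", targets, 8);
    int i;
    for (i = 0; i < n; i++)
        if (strcmp(targets[i], SYSDB_ORIG_MEMBEROF) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("updated map: aligned=%d originalMemberOf=%d\n",
           map_aligned(MAP_LEN(updated_group_map)),
           stores_orig_memberof(updated_group_map, MAP_LEN(updated_group_map)));
    printf("stale map:   aligned=%d originalMemberOf=%d\n",
           map_aligned(MAP_LEN(stale_group_map)),
           stores_orig_memberof(stale_group_map, MAP_LEN(stale_group_map)));
    return 0;
}
```

The typedef trick is the check worth carrying over to a real table: with a sentinel at the end of the enum, any map that did not receive the new row fails to compile instead of silently shifting every attribute after the insertion point.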


_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

From 0207fbc11e56efea8796b88e8fa449f82c4628fe Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Fri, 4 Sep 2015 09:09:25 -0400
Subject: [PATCH] IPA PROVIDER: Resolve nested netgroup membership

Information about posix/user group membership is stored in the memberOf
attribute, and information about hostgroup membership is stored
in originalMemberOf.
The netgroup membership process looks only into originalMemberOf.
This patch adds saving of the posix/user group memberOf attribute to
originalMemberOf storage.

Resolves:
https://fedorahosted.org/sssd/ticket/2275
---
 src/providers/ad/ad_opts.h     | 1 +
 src/providers/ipa/ipa_opts.h   | 1 +
 src/providers/ldap/ldap_opts.h | 3 +++
 src/providers/ldap/sdap.h      | 1 +
 4 files changed, 6 insertions(+)

diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 00586a7ada63ad4c89630e9589d3ff75d1726703..7917e8fc5e60ed27e7ed1248550d1e65d2d159d2 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -192,6 +192,7 @@ struct sdap_attr_map ad_2008r2_user_map[] = {
     { "ldap_user_principal", "userPrincipalName", SYSDB_UPN, NULL },
     { "ldap_user_fullname", "name", SYSDB_FULLNAME, NULL },
     { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
+    { "ldap_user_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL },
     { "ldap_user_uuid", "objectGUID", SYSDB_UUID, NULL },
     { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
     { "ldap_user_primary_group", "primaryGroupID", SYSDB_PRIMARY_GROUP, NULL },
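Review bot: the new row goes into `ad_2008r2_user_map[]`, a user map, whereas the message Petr is replying to asked for the `memberOf` entry in the `_group_map[]` lists with a matching value in `enum sdap_group_attrs`, because users and hosts already get originalMemberOf stored and POSIX groups do not; please either move the row to the group map in this file or say in the commit message why the user map needs a second copy. Two rows now share the option name "ldap_user_member_of", so one sssd.conf setting is looked up for both; if that is intended, a short comment above the added row would stop the next reader from taking it for a copy-paste slip. The subject line "IPA PROVIDER" also no longer describes a change to the AD provider's map.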
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 78949e3ddec95f7f4303eab905bbbf6ec14ed6ae..9b5fdd138fbdf09f3d3662c011ea792f6272b7a6 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -180,6 +180,7 @@ struct sdap_attr_map ipa_user_map[] = {
     { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
     { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
     { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
+    { "ldap_user_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL },
     { "ldap_user_uuid", "ipaUniqueID", SYSDB_UUID, NULL },
     { "ldap_user_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL },
     { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
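Review bot: same placement question as in ad_opts.h: `ipa_user_map[]` is the user map, while the thread located the missing originalMemberOf on POSIX/user groups, so the IPA group map and `enum sdap_group_attrs` are where the row was requested. This is the only hunk that touches the IPA provider named in the subject, so if the fix turns out to be IPA-only it is the one to keep, moved to the group map.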
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 9f58db5bd9eef1391e97c1890cbff94c2a5406d6..db7bc560f430331462470b2825f6319dbaaf9141 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -156,6 +156,7 @@ struct sdap_attr_map rfc2307_user_map[] = {
     { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
     { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
     { "ldap_user_member_of", NULL, SYSDB_MEMBEROF, NULL },
+    { "ldap_user_member_of", NULL, SYSDB_ORIG_MEMBEROF, NULL },
     { "ldap_user_uuid", NULL, SYSDB_UUID, NULL },
     { "ldap_user_objectsid", NULL, SYSDB_SID, NULL },
     { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
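Review bot: in `rfc2307_user_map[]` both `ldap_user_member_of` rows carry a NULL default attribute, so the new SYSDB_ORIG_MEMBEROF row does nothing unless `ldap_user_member_of` is set in sssd.conf, and when it is set the same configured attribute feeds both rows. That matches the existing row, but it is worth one sentence in the commit message, since with the plain rfc2307 schema this hunk changes nothing by default.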
@@ -212,6 +213,7 @@ struct sdap_attr_map rfc2307bis_user_map[] = {
     { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
     { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
     { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
+    { "ldap_user_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL },
     { "ldap_user_uuid", NULL, SYSDB_UUID, NULL },
     { "ldap_user_objectsid", NULL, SYSDB_SID, NULL },
     { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
@@ -268,6 +270,7 @@ struct sdap_attr_map gen_ad2008r2_user_map[] = {
     { "ldap_user_principal", "userPrincipalName", SYSDB_UPN, NULL },
     { "ldap_user_fullname", "name", SYSDB_FULLNAME, NULL },
     { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
+    { "ldap_user_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL },
     { "ldap_user_uuid", "objectGUID", SYSDB_UUID, NULL },
     { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
     { "ldap_user_primary_group", "primaryGroupID", SYSDB_PRIMARY_GROUP, NULL },
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index b3321be48e1b24124d59fbfe88096a2109c920a6..7c54405dcf795e4f22ba559757619042620691f3 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -257,6 +257,7 @@ enum sdap_user_attrs {
     SDAP_AT_USER_PRINC,
     SDAP_AT_USER_FULLNAME,
     SDAP_AT_USER_MEMBEROF,
+    SDAP_AT_USER_ORIG_MEMBEROF,
     SDAP_AT_USER_UUID,
     SDAP_AT_USER_OBJECTSID,
     SDAP_AT_USER_PRIMARY_GROUP,
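Review bot: `SDAP_AT_USER_ORIG_MEMBEROF` is placed directly after `SDAP_AT_USER_MEMBEROF`, which matches where the new row sits in each of the five maps, so positional indexing stays aligned for those; since every table indexed by `enum sdap_user_attrs` must now have a row at this position, please confirm that no other user map in the tree is left one entry short, as that would silently shift every later attribute. Nothing in the patch reads the new enumerator, so if it exists only to keep the enum and the maps the same length, a one-line comment saying so would help.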
-- 
2.4.3
