On Tue, Apr 18, 2017 at 08:52:50PM +0300, Alexander Bokovoy wrote:
> On Tue, 18 Apr 2017, Justin Stephenson wrote:
> > Hello,
> >
> > I was working on a fix for BZ # 1433835 (IPA clients fails to retrieve
> > groups with @-sign in the group name in an IPA-AD trust setup) where the
> > patch at the end of this email seems to work well parsing a
> > double-qualified object properly a group name like
> > 'group@testing@domain'
> >
> >
> > [ipa_s2n_get_user_done] (0x0400): Received [4] groups in group list from
> > IPA Server
> > [ipa_s2n_get_user_done] (0x0400): [trustuser1@ad.jstephen].
> > [ipa_s2n_get_user_done] (0x0400): [customgroup@testing@ad.jstephen].
> > [ipa_s2n_get_user_done] (0x0400): [trustgroup@ad.jstephen].
> > [ipa_s2n_get_user_done] (0x0400): [domain users@ad.jstephen].
> >
> >
> > However, there is a subsequent group lookup extended operation which
> > fails on the IPA server when the NSS responder is unable to parse the
> > double-qualified name.
> >
> > - Client
> >
> > [ipa_s2n_get_list_step] (0x0400): Sending request_type:
> > [REQ_FULL_WITH_MEMBERS] for group [customgroup@testing@ad.jstephen].
> > [ipa_s2n_exop_send] (0x0400): Executing extended operation
> > [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 14
> > [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such
> > object(32), (null).
> > [ipa_s2n_get_list_next] (0x0040): s2n exop request failed.
> > [ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.
> >
> >
> > - Server
> >
> > [nss_getby_name] (0x0400): Input name: customgroup@testing
> > [cache_req_set_plugin] (0x2000): CR #16: Setting "Group by name" plugin
> > [cache_req_send] (0x0400): CR #16: New request 'Group by name'
> > [cache_req_process_input] (0x0400): CR #16: Parsing input name
> > [customgroup@testing]
> > [sss_domain_get_state] (0x1000): Domain idm.jstephen is Active
> > [sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
> > [sss_parse_inp_send] (0x0200): Requesting info for [(null)] from [testing]
> > [sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
> > [sss_dp_get_domains_send] (0x0400): Last call was too recent, nothing to do!
> > [sss_domain_get_state] (0x1000): Domain idm.jstephen is Active
> > [sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
> > [sss_parse_inp_done] (0x0040): Unknown domain in [customgroup@testing]
> > [nss_protocol_done] (0x4000): Sending reply: error [1432158243]: Domain
> > not found
> >
> >
> > I suspect the input to the NSS responder received here is output from
> > the extdom plugin parsing the domain and object name.
> >
> > I was looking for some advice on the best way to fix this, or if my
> > patch is doing things horribly wrong then just let me know please :)
> I think we fixed server side (FreeIPA) part with Sumit in
> https://github.com/freeipa/freeipa/commit/ee455f163d756a6b71db8e999365139cad46c6ad
>
> If you want to handle it on the client side, make sure to use strrchr()
> to search '@' from end of the string. This way you can handle multiple
> '@' in a string as only the last one will be a real separator.

We use regexes instead for parsing input. I didn't know the IPA part is fixed though, thanks. Then just by modifying the regex, the clients should work (as long as the servers are fixed with the commit you linked)
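
The last-'@' split suggested in the quoted reply, as an added C example that is not part of the original thread and is not SSSD or FreeIPA code (SSSD parses names with regexes, as the reply says). `split_fqname` and its return codes are hypothetical names; the well-formed sample names come from the log excerpt in the thread, the malformed ones are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not SSSD code): split "name@domain" at the LAST '@',
 * so any '@' inside the object name stays part of the name.
 * Returns 0 on success, -1 if there is no separator, the name or domain
 * part is empty, or an output buffer is too small. */
int split_fqname(const char *in, char *name, size_t nlen,
                 char *dom, size_t dlen)
{
    const char *sep = strrchr(in, '@');   /* last '@' is the real separator */
    size_t n;

    if (sep == NULL || sep == in || sep[1] == '\0')
        return -1;
    n = (size_t)(sep - in);
    if (n >= nlen || strlen(sep + 1) >= dlen)
        return -1;                        /* refuse to truncate silently */
    memcpy(name, in, n);
    name[n] = '\0';
    strcpy(dom, sep + 1);                 /* length checked above */
    return 0;
}

int main(void)
{
    /* Group and user names from the thread's log, then malformed inputs. */
    const char *samples[] = {
        "customgroup@testing@ad.jstephen",
        "trustuser1@ad.jstephen",
        "domain users@ad.jstephen",
        "nodomain", "@ad.jstephen", "group@",
    };
    char name[256], dom[256];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (split_fqname(samples[i], name, sizeof(name), dom, sizeof(dom)) == 0)
            printf("%-34s -> name=[%s] domain=[%s]\n", samples[i], name, dom);
        else
            printf("%-34s -> rejected\n", samples[i]);
    }
    return 0;
}
```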