URL: https://github.com/SSSD/sssd/pull/5881
Author: scabrero
Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails
Action: opened
PR body: """
In an attribute scoped query it may happen sssd doesn't have permissions to read the attribute referenced entry, for example when it is located under a restricted LDAP sub-tree for security reasons. In this scenario sssd fails to resolve the group because the referenced entry can't be parsed and this can lead to missing groups and breaks using the group in the simple access provider.

This patch changes the ASQ entry parser not to return an error when it is not possible to parse an entry.

The issue can be replicated deploying this AD setup:

CN=users,DC=aforest,DC=ad
  CN=g1,CN=users,DC=aforest,DC=ad
    member: CN=g2,CN=users,DC=aforest,DC=ad
    member: CN=g3,CN=users,DC=aforest,DC=ad
    member: CN=g4,CN=users,DC=aforest,DC=ad
    member: CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user1,CN=users,DC=aforest,DC=ad
  CN=g2,CN=users,DC=aforest,DC=ad
    member: CN=g3,CN=users,DC=aforest,DC=ad
    member: CN=g4,CN=users,DC=aforest,DC=ad
    member: CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad
  CN=g3,CN=users,DC=aforest,DC=ad   <-- Deny access to sssd account
    member: CN=g4,CN=users,DC=aforest,DC=ad
    member: CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user3,CN=users,DC=aforest,DC=ad
    memberOf: CN=g2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad
  CN=g4,CN=users,DC=aforest,DC=ad
    member: CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user5,CN=users,DC=aforest,DC=ad
    memberOf: CN=g3,CN=users,DC=aforest,DC=ad
    memberOf: CN=g2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad
  CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user5,CN=users,DC=aforest,DC=ad
    memberOf: CN=g4,CN=users,DC=aforest,DC=ad
    memberOf: CN=g3,CN=users,DC=aforest,DC=ad
    memberOf: CN=g2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad
  CN=user1,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad
  CN=user2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g2,CN=users,DC=aforest,DC=ad
  CN=user3,CN=users,DC=aforest,DC=ad
    memberOf: CN=g3,CN=users,DC=aforest,DC=ad
  CN=user4,CN=users,DC=aforest,DC=ad
    memberOf: CN=g4,CN=users,DC=aforest,DC=ad
  CN=user5,CN=users,DC=aforest,DC=ad
    memberOf: CN=g5,CN=users,DC=aforest,DC=ad

And using this sssd.conf

-------------------------------------------------------------------------------
[sssd]
config_file_version = 2
services = nss, pam
domains = aforest.ad

[nss]

[pam]

[domain/aforest.ad]
auth_provider = ad
id_provider = ad
access_provider = simple
simple_allow_groups = g1
ldap_deref_threshold = 1
debug_level = 10
-------------------------------------------------------------------------------

In this setup sssd can't resolve group 'g1' because it fails parsing one of the referenced members, 'g3':

$> getent group g1
No output.

$> id user5
uid=1862001108(user5) gid=1862000513(domain users) groups=1862000513(domain users),1862001111,1862001109(s-1-5-21-3230380732-2157500517-2047582823-1109),1862001113(g5),1862001110(s-1-5-21-3230380732-2157500517-2047582823-1110),1862001112(g4)

When the group is used to filter access it does not work:

...
[simple_access_check_send] (0x0200): [RID#7] Simple access check for us...@aforest.ad
...
[simple_check_get_groups_send] (0x0400): [RID#7] Need to resolve 3 groups
[sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [(&(objectSID=S-1-5-21-3230380732-2157500517-2047582823-1109)(objectClass=group)(sAMAccountName=*))][DC=aforest,DC=ad].
...
[sdap_nested_group_hash_insert] (0x4000): [RID#8] Inserting [CN=g1,CN=Users,DC=aforest,DC=ad] into hash table [groups]
[sdap_nested_group_process_send] (0x2000): [RID#8] About to process group [CN=g1,CN=Users,DC=aforest,DC=ad]
...
[sdap_nested_group_process_send] (0x0400): [RID#8] More members were missing than the deref threshold
[sdap_nested_group_process_send] (0x2000): [RID#8] Looking up 2/5 members of group [CN=g1,CN=Users,DC=aforest,DC=ad]
[sdap_nested_group_process_send] (0x2000): [RID#8] Dereferencing members of group [CN=g1,CN=Users,DC=aforest,DC=ad]
[sdap_deref_search_send] (0x2000): [RID#8] Server supports ASQ
[sdap_asq_search_send] (0x0400): [RID#8] Dereferencing entry [CN=g1,CN=Users,DC=aforest,DC=ad] using ASQ
...
[sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [no filter][CN=g1,CN=Users,DC=aforest,DC=ad].
...
[sdap_process_message] (0x4000): [RID#8] Message type: [LDAP_RES_SEARCH_ENTRY]
[sdap_asq_search_parse_entry] (0x0040): [RID#8] Unknown entry type, no objectClass found for DN [CN=g3,CN=Users,DC=aforest,DC=ad]!
[sdap_get_generic_op_finished] (0x0020): [RID#8] reply parsing callback failed.
[sdap_op_destructor] (0x1000): [RID#8] Abandoning operation 3
[generic_ext_search_handler] (0x0020): [RID#8] sdap_get_generic_ext_recv request failed: [22]: Invalid argument
[sdap_deref_search_done] (0x0040): [RID#8] dereference processing failed [22]: Invalid argument
[sdap_nested_group_deref_direct_done] (0x0020): [RID#8] Error processing direct membership [22]: Invalid argument
[sdap_nested_done] (0x0020): [RID#8] Nested group processing failed: [22][Invalid argument]
...
[simple_resolve_group_done] (0x0080): [RID#8] Cannot refresh data from DP: 3,0: Group lookup failed
...
[simple_check_get_groups_next] (0x2000): [RID#9] All groups resolved. Done.
[simple_access_check_done] (0x0040): [RID#9] Could not collect groups of user us...@aforest.ad
[simple_access_check_done] (0x0400): [RID#9] But no deny groups were defined so we can continue.
[simple_check_groups] (0x4000): [RID#9] Checking against allow list group name [g...@aforest.ad].
[simple_access_check_done] (0x2000): [RID#9] Group check done
[simple_access_check_recv] (0x1000): [RID#9] Access not granted
...

Resolves: https://github.com/SSSD/sssd/issues/4893

Signed-off-by: Samuel Cabrero <scabr...@suse.de>
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5881/head:pr5881
git checkout pr5881
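The failure mode the PR describes, as an added example that is not part of the PR or of SSSD's own code: a small Python model of the ASQ result parser in which the dereferenced entries for CN=g1 are constructed from the AD layout above, with CN=g3 coming back as a DN with no attributes, which is the assumed server behaviour behind the "no objectClass found" log line. The names Entry, MAPS, classify, parse_asq_results and resolve_group_members are this example's own, not SSSD identifiers. The strict mode reproduces the pre-patch outcome (the whole dereference fails and nothing already parsed survives), the lenient mode reproduces the patch, and in addition returns the skipped DNs so a caller can tell that the membership it got back is partial.

```python
"""Model of how an ASQ result parser handles a dereferenced entry the bind
account is not allowed to read. Example code, not SSSD's own."""
from dataclasses import dataclass, field


class AsqParseError(ValueError):
    """Raised in strict mode when a dereferenced entry cannot be typed."""


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)  # attribute name -> list of values


# Constructed ASQ result for the "member" attribute of CN=g1, modelled on the
# AD layout in the PR body. CN=g3 is the entry the sssd account is denied read
# access to; the assumption here is that the server still lists its DN but
# returns none of its attributes, so there is no objectClass to type it by.
ASQ_RESULT_G1 = [
    Entry("CN=g2,CN=users,DC=aforest,DC=ad",
          {"objectClass": ["top", "group"], "sAMAccountName": ["g2"]}),
    Entry("CN=g3,CN=users,DC=aforest,DC=ad", {}),  # ACL-denied referenced entry
    Entry("CN=g4,CN=users,DC=aforest,DC=ad",
          {"objectClass": ["top", "group"], "sAMAccountName": ["g4"]}),
    Entry("CN=g5,CN=users,DC=aforest,DC=ad",
          {"objectClass": ["top", "group"], "sAMAccountName": ["g5"]}),
    Entry("CN=user1,CN=users,DC=aforest,DC=ad",
          {"objectClass": ["top", "person", "user"], "sAMAccountName": ["user1"]}),
]

# Stand-in for the attribute maps: objectClass value -> kind of entry.
MAPS = {"user": "user", "group": "group"}


def classify(entry, maps):
    """Return the map kind whose objectClass the entry carries, or None when
    the entry has no objectClass (unreadable) or none that matches a map."""
    for oc in entry.attrs.get("objectClass", []):
        if oc in maps:
            return maps[oc]
    return None


def parse_asq_results(entries, maps, strict):
    """Parse dereferenced entries.

    strict=True mirrors the pre-patch behaviour: the first entry that cannot
    be typed aborts the whole operation, so nothing already parsed is kept.
    strict=False mirrors the patch: the entry is skipped, but it is also
    recorded so the caller knows the membership it receives is partial.
    Returns (parsed, skipped) where parsed is a list of (kind, dn)."""
    parsed, skipped = [], []
    for e in entries:
        kind = classify(e, maps)
        if kind is None:
            if strict:
                raise AsqParseError(f"no objectClass found for DN [{e.dn}]")
            skipped.append(e.dn)
            continue
        parsed.append((kind, e.dn))
    return parsed, skipped


def resolve_group_members(entries, maps, strict):
    """What a caller such as nested-group processing would get back."""
    try:
        parsed, skipped = parse_asq_results(entries, maps, strict)
    except AsqParseError as exc:
        return {"ok": False, "error": str(exc), "members": [], "unresolved": []}
    return {"ok": True, "error": None,
            "members": [dn for _, dn in parsed],
            "unresolved": skipped}


if __name__ == "__main__":
    print("before:", resolve_group_members(ASQ_RESULT_G1, MAPS, strict=True))
    print("after: ", resolve_group_members(ASQ_RESULT_G1, MAPS, strict=False))
```

The point of the "unresolved" list is the caveat a reviewer would raise against a bare skip: once a denied member is dropped, getent group output and the simple access provider operate on a membership that is known to be incomplete, and the operator needs a way to see which DNs were left out rather than a debug line buried in the ASQ parser.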
From 6edac6d4022b6933c196e06f1f088916f431ea8e Mon Sep 17 00:00:00 2001 
From: Samuel Cabrero <scabr...@suse.de>
Date: Tue, 16 Nov 2021 11:21:15 +0100
Subject: [PATCH] SDAP: Do not fail ASQ search when parsing a referenced entry fails

[commit message body: identical to the PR body above]

---
 src/providers/ldap/sdap_async.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index da54705496..ab9f9d3e5c 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -2654,9 +2654,13 @@ static errno_t sdap_asq_search_parse_entry(struct sdap_handle *sh, /* Find all suitable maps in the list */ vals = ldap_get_values_len(sh->ldap, msg->msg, "objectClass"); if (!vals) { + /* + * In an ASQ it may happen we don't have permissions to read the referenced + * entry. Do not return an error here to continue parsing the next entry. + */ DEBUG(SSSDBG_OP_FAILURE, - "Unknown entry type, no objectClass found for DN [%s]!\n", dn); - ret = EINVAL; + "Skipping unknown entry type, no objectClass found for DN [%s]!\n", dn); + ret = EOK; goto done; } for (mi =0; mi < state->num_maps; mi++) {
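Review bot: returning EOK from the `if (!vals)` branch makes sdap_asq_search_parse_entry drop the entry with no record of it, so sdap_deref_search_done and the nested-group code above it now receive a member list that is silently shorter than the group's member attribute; consider storing the skipped DN (or at least a count) in the parse state so the caller can log which members of the group were not resolvable, and so the same missing-objectClass result, which can also come from a wrong objectClass in the attribute maps rather than from an ACL, is not hidden by this change. Two smaller points on the same lines: the message stays at SSSDBG_OP_FAILURE although the condition is now handled as expected, so every lookup of such a group logs it at a low debug level (SSSDBG_MINOR_FAILURE or SSSDBG_TRACE_FUNC seem more appropriate), and the new comment should state the consequence, that the member is omitted from the parsed membership, rather than only that no error is returned. The first comment line is 72 characters before indentation, so it is worth checking against the 80-column limit. Finally, the commit message should spell out the access-control side: with access_provider = simple a user whose only path into simple_allow_groups runs through the denied entry is refused, which fails closed, and it is worth confirming whether the same omission means a membership visible only through such an entry no longer counts for simple_deny_groups.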
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure