URL: https://github.com/SSSD/sssd/pull/5881
Author: scabrero
 Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails
Action: edited

 Changed field: body
Original value:
"""
In an attribute scoped query it may happen that sssd doesn't have permissions to
read the entry referenced by the attribute, for example when it is located under
a restricted LDAP sub-tree for security reasons.

In this scenario sssd fails to resolve the group because the referenced
entry can't be parsed, and this can lead to missing groups and breaks using
the group in the simple access provider.

This patch changes the ASQ entry parser so that it does not return an error when
it is not possible to parse an entry.

The issue can be replicated by deploying this AD setup:

CN=users,DC=aforest,DC=ad
  CN=g1,CN=users,DC=aforest,DC=ad
    member: CN=g2,CN=users,DC=aforest,DC=ad
    member: CN=g3,CN=users,DC=aforest,DC=ad
    member: CN=g4,CN=users,DC=aforest,DC=ad
    member: CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user1,CN=users,DC=aforest,DC=ad
  CN=g2,CN=users,DC=aforest,DC=ad
    member: CN=g3,CN=users,DC=aforest,DC=ad
    member: CN=g4,CN=users,DC=aforest,DC=ad
    member: CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad
  CN=g3,CN=users,DC=aforest,DC=ad               <-- Deny access to sssd account
    member: CN=g4,CN=users,DC=aforest,DC=ad
    member: CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user3,CN=users,DC=aforest,DC=ad
    memberOf: CN=g2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad
  CN=g4,CN=users,DC=aforest,DC=ad
    member: CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user5,CN=users,DC=aforest,DC=ad
    memberOf: CN=g3,CN=users,DC=aforest,DC=ad
    memberOf: CN=g2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad
  CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user5,CN=users,DC=aforest,DC=ad
    memberOf: CN=g4,CN=users,DC=aforest,DC=ad
    memberOf: CN=g3,CN=users,DC=aforest,DC=ad
    memberOf: CN=g2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad
  CN=user1,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad
  CN=user2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g2,CN=users,DC=aforest,DC=ad
  CN=user3,CN=users,DC=aforest,DC=ad
    memberOf: CN=g3,CN=users,DC=aforest,DC=ad
  CN=user4,CN=users,DC=aforest,DC=ad
    memberOf: CN=g4,CN=users,DC=aforest,DC=ad
  CN=user5,CN=users,DC=aforest,DC=ad
    memberOf: CN=g5,CN=users,DC=aforest,DC=ad

And using this sssd.conf
-------------------------------------------------------------------------------
[sssd]
config_file_version = 2
services = nss, pam
domains = aforest.ad

[nss]

[pam]

[domain/aforest.ad]
auth_provider = ad
id_provider = ad
access_provider = simple
simple_allow_groups = g1
ldap_deref_threshold = 1
debug_level = 10
-------------------------------------------------------------------------------

In this setup sssd can't resolve group 'g1' because it fails parsing one
of the referenced members, 'g3':

$> getent group g1
No output.

$> id user5
uid=1862001108(user5) gid=1862000513(domain users) groups=1862000513(domain users),1862001111,1862001109(s-1-5-21-3230380732-2157500517-2047582823-1109),1862001113(g5),1862001110(s-1-5-21-3230380732-2157500517-2047582823-1110),1862001112(g4)

When the group is used to filter access it does not work:

...
[simple_access_check_send] (0x0200): [RID#7] Simple access check for us...@aforest.ad
...
[simple_check_get_groups_send] (0x0400): [RID#7] Need to resolve 3 groups
[sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [(&(objectSID=S-1-5-21-3230380732-2157500517-2047582823-1109)(objectClass=group)(sAMAccountName=*))][DC=aforest,DC=ad].
...
[sdap_nested_group_hash_insert] (0x4000): [RID#8] Inserting [CN=g1,CN=Users,DC=aforest,DC=ad] into hash table [groups]
[sdap_nested_group_process_send] (0x2000): [RID#8] About to process group [CN=g1,CN=Users,DC=aforest,DC=ad]
...
[sdap_nested_group_process_send] (0x0400): [RID#8] More members were missing than the deref threshold
[sdap_nested_group_process_send] (0x2000): [RID#8] Looking up 2/5 members of group [CN=g1,CN=Users,DC=aforest,DC=ad]
[sdap_nested_group_process_send] (0x2000): [RID#8] Dereferencing members of group [CN=g1,CN=Users,DC=aforest,DC=ad]
[sdap_deref_search_send] (0x2000): [RID#8] Server supports ASQ
[sdap_asq_search_send] (0x0400): [RID#8] Dereferencing entry [CN=g1,CN=Users,DC=aforest,DC=ad] using ASQ
...
[sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [no filter][CN=g1,CN=Users,DC=aforest,DC=ad].
...
[sdap_process_message] (0x4000): [RID#8] Message type: [LDAP_RES_SEARCH_ENTRY]
[sdap_asq_search_parse_entry] (0x0040): [RID#8] Unknown entry type, no objectClass found for DN [CN=g3,CN=Users,DC=aforest,DC=ad]!
[sdap_get_generic_op_finished] (0x0020): [RID#8] reply parsing callback failed.
[sdap_op_destructor] (0x1000): [RID#8] Abandoning operation 3
[generic_ext_search_handler] (0x0020): [RID#8] sdap_get_generic_ext_recv request failed: [22]: Invalid argument
[sdap_deref_search_done] (0x0040): [RID#8] dereference processing failed [22]: Invalid argument
[sdap_nested_group_deref_direct_done] (0x0020): [RID#8] Error processing direct membership [22]: Invalid argument
[sdap_nested_done] (0x0020): [RID#8] Nested group processing failed: [22][Invalid argument]
...
[simple_resolve_group_done] (0x0080): [RID#8] Cannot refresh data from DP: 3,0: Group lookup failed
...
[simple_check_get_groups_next] (0x2000): [RID#9] All groups resolved. Done.
[simple_access_check_done] (0x0040): [RID#9] Could not collect groups of user us...@aforest.ad
[simple_access_check_done] (0x0400): [RID#9] But no deny groups were defined so we can continue.
[simple_check_groups] (0x4000): [RID#9] Checking against allow list group name [g...@aforest.ad].
[simple_access_check_done] (0x2000): [RID#9] Group check done
[simple_access_check_recv] (0x1000): [RID#9] Access not granted
...

Resolves: https://github.com/SSSD/sssd/issues/4893

Signed-off-by: Samuel Cabrero <scabr...@suse.de>
"""

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
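The PR text above describes two behaviours of the ASQ entry parser: before the change, a single dereferenced entry that comes back without an objectClass (because the bind account cannot read it) aborts the whole search, so the group does not resolve at all and the simple access check denies; after the change, that entry is skipped and the rest of the membership is kept. The following is an added example, not SSSD's code and not code from the PR author: a small Python model of that dereference-and-parse step run over a constructed toy directory modelled on the PR's AD layout (simplified to g1, g2, g3 and three users). `DENIED` stands in for the ACL that hides g3 from sssd, and all function names (`asq_deref`, `parse_asq_entries`, `resolve_group`, `simple_access_check`) are assumptions for illustration, not SSSD APIs.

```python
from typing import Dict, List, Optional, Set, Tuple

BASE = "CN=users,DC=aforest,DC=ad"

# Constructed toy directory: DN -> attributes (multi-valued, as in LDAP).
# Modelled on the PR's layout but reduced to what the example needs.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    f"CN=g1,{BASE}": {"objectClass": ["group"],
                      "member": [f"CN=g2,{BASE}", f"CN=g3,{BASE}", f"CN=user1,{BASE}"]},
    f"CN=g2,{BASE}": {"objectClass": ["group"],
                      "member": [f"CN=g3,{BASE}", f"CN=user2,{BASE}"]},
    f"CN=g3,{BASE}": {"objectClass": ["group"],
                      "member": [f"CN=user3,{BASE}"]},
    f"CN=user1,{BASE}": {"objectClass": ["user"]},
    f"CN=user2,{BASE}": {"objectClass": ["user"]},
    f"CN=user3,{BASE}": {"objectClass": ["user"]},
}

# Entries the sssd bind account is denied read access to (the PR's "g3").
DENIED: Set[str] = {f"CN=g3,{BASE}"}

Entry = Tuple[str, Dict[str, List[str]]]


class ParseError(Exception):
    """Stands in for the EINVAL the old parser returned for the whole search."""


def asq_deref(dn: str) -> List[Entry]:
    """Simulate an ASQ search on `dn` over its `member` attribute: one result
    entry per referenced DN. For a DN the bind account cannot read, the
    server returns the DN with no attributes, which is what produces the
    "no objectClass found for DN [CN=g3,...]" line in the PR's log."""
    return [(ref, {} if ref in DENIED else DIRECTORY[ref])
            for ref in DIRECTORY[dn].get("member", [])]


def parse_asq_entries(entries: List[Entry], fail_on_unparsable: bool
                      ) -> Tuple[List[Entry], List[str]]:
    """fail_on_unparsable=True models the old parser: one entry without an
    objectClass aborts the whole search. False models the patched parser:
    skip that entry, keep the rest, and report the skipped DNs."""
    parsed: List[Entry] = []
    skipped: List[str] = []
    for dn, attrs in entries:
        if "objectClass" not in attrs:
            if fail_on_unparsable:
                raise ParseError(f"Unknown entry type, no objectClass found for DN [{dn}]")
            skipped.append(dn)
            continue
        parsed.append((dn, attrs))
    return parsed, skipped


def resolve_group(dn: str, fail_on_unparsable: bool,
                  unreadable: Optional[Set[str]] = None,
                  seen: Optional[Set[str]] = None) -> Optional[Set[str]]:
    """Return the user DNs that are transitive members of group `dn`, or None
    when the lookup fails (the empty `getent group g1` in the PR). DNs that
    had to be skipped are collected in `unreadable` so a caller can log them."""
    seen = set() if seen is None else seen
    seen.add(dn)
    try:
        members, skipped = parse_asq_entries(asq_deref(dn), fail_on_unparsable)
    except ParseError:
        return None
    if unreadable is not None:
        unreadable.update(skipped)
    users: Set[str] = set()
    for mdn, attrs in members:
        if "group" in attrs["objectClass"]:
            if mdn in seen:  # guard against membership cycles
                continue
            sub = resolve_group(mdn, fail_on_unparsable, unreadable, seen)
            if sub is None:
                return None
            users |= sub
        else:
            users.add(mdn)
    return users


def simple_access_check(user_dn: str, allow_group_dn: str,
                        fail_on_unparsable: bool) -> bool:
    """Simplified stand-in for `access_provider = simple` with a single
    simple_allow_groups entry: it expands the allow group rather than the
    user's own group list, which is enough to show the effect. A failed
    group lookup denies, matching "Access not granted" in the PR's log."""
    members = resolve_group(allow_group_dn, fail_on_unparsable)
    return members is not None and user_dn in members


if __name__ == "__main__":
    g1, u1, u3 = f"CN=g1,{BASE}", f"CN=user1,{BASE}", f"CN=user3,{BASE}"
    print("old parser:", resolve_group(g1, True), simple_access_check(u1, g1, True))
    skipped: Set[str] = set()
    print("patched:   ", sorted(resolve_group(g1, False, skipped)), "skipped:", sorted(skipped))
    print("user3 (member only via denied g3):", simple_access_check(u3, g1, False))
```

The caveat this makes visible: with the skip-on-unparsable behaviour, a group resolves successfully but only as far as the bind account can read. In the toy directory user3 is a member of g1 solely through g3, so after the change g1 resolves and user1/user2 pass the allow check, while user3 is silently absent from the membership rather than the lookup failing. Whoever restricts a sub-tree from sssd should therefore expect memberships that pass through it to be invisible to access decisions, and it is worth logging the skipped DNs (the `unreadable` set here) so that gap is noticed.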