On Mon, 13 Nov 2017, Pavel Březina wrote:
On 11/08/2017 11:47 PM, Charles Hedrick wrote:
In my opinion the whole rfc3704bis implementation of net groups is
wonky.
RFC 3704bis does not exist. RFC3704 is about ingress filtering in
multihome networks. Are you talking about RFC 2307bis?

This isn’t the only problem. Why is there a distinction between
internal and external hosts? Suppose I add an external host to a net
group, and later do ipa host-add for it. If the distinction actually
matters I’d expect the system to turn the external host entry into an
internal host entry. But it doesn’t.

In principle there’s a difference between blank and -, but the ipa
implementation always produces - for missing user and host and blank
for missing domain name.
For hosts and users, if you specify hostCategory=all or
userCategory=all, there will be blanks in the generated
nisNetgroupTriple.
For NIS domain name there is always either explicitly defined
nisDomainName or a '-'. Where did you see blanks for the nisDomainName?

The actual mapping rule looks like this:

schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\
",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHo
st\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\
\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\
\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\
"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\
"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\
\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"
member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",
\"\",\"-\")"),%{nisDomainName:-})

As you can see in the last part it includes %{nisDomainName:-}, e.g. if
attribute nisDomainName is not defined in the original IPA net group
object, it will be replaced by '-'.

So one way to solve this problem is by replacing the
"%{nisDomainName:-}" by a more complex expression, something that would
use some predefined nisDomainName to be a trigger to add a blank there.

Something like

%ifeq("nisDomainName","any","","%{nisDomainName:-}")

instead of %{nisDomainName:-}

In my case it looks like this:
# ipa netgroup-show my-new-netgroup
 Netgroup name: my-new-netgroup
 NIS domain name: any
 User category: all
 Host category: all

# ldapsearch -x -b cn=ng,cn=compat,$SUFFIX cn=my-new-netgroup
dn: cn=my-new-netgroup,cn=ng,cn=compat,$SUFFIX
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (,,)
cn: my-new-netgroup

I’d really rather see the system just store the triples rather than
doing a complex mapping going in and out.
IPA uses a different LDAP schema for net groups than what RFC2307bis expects.
Thus, a need to dynamically redefine LDAP objects (for whole RFC2307,
not just net groups).
On Nov 8, 2017, at 5:08 PM, Jakub Hrozek <[email protected]> wrote:

Pavel, does this sound like the bug you were looking at wrt sudo lately?

On Wed, Nov 08, 2017 at 09:46:25PM +0000, Charles Hedrick wrote:
Netapp wants the domain field to be blank. That leaves us a problem that’s hard 
to solve.

On Nov 8, 2017, at 4:41 PM, Charles Hedrick <[email protected]> wrote:

OK, I see what’s going on, but it looks like a bug.

We mostly use net groups for hosts. In NIS our entries look like
(hostname,,). You can put that into IPA by specifying NISdomain=,
i.e. blank domain name. However if you do that, getent shows no
entries. That is, entries with blank hostname are ignored. I claim
this is a bug, since for a host entry there’s no reason to specify a
domain.

I also found that specifying

ipa_netgroup_domain=cs.rutgers.edu

causes no net groups to display, even ones whose domain is
cs.rutgers.edu.
This also looks like a bug.

On Nov 8, 2017, at 3:53 PM, Charles Hedrick <[email protected]> wrote:

We want to move our net groups from NIS to IPA. I’ve loaded the
groups. They’re visible on a system that uses nslcd pointed at the
IPA server. But the systems that use SSSD for authentication don’t
show anything. The net groups all show as undefined.

I’ve turned on debugging and looked at the LDAP logs. It does the
right quotes and the log says it extracts the members. But they
don’t show up.

Any idea where to look?

Can you send us some example of what you are trying to achieve and what does not work? I'm also ccing Alexander Bokovoy to see why IPA adds somewhere dash and somewhere blanks.


--
/ Alexander Bokovoy
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
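As an added example that is not part of the thread and not slapi-nis code, the following Python model reproduces the blank-versus-dash behaviour of the compat mapping rule quoted above, including the proposed "any" trigger for nisDomainName. The entries are constructed, and the model assumes %link emits every host/user combination; check real output against your own compat tree with ldapsearch as shown in the thread.

```python
# Added example, not code from the thread or from slapi-nis: a small model of
# the schema-compat nisNetgroupTriple rule quoted above, so the blank-versus-
# dash behaviour can be reasoned about without an IPA server.  Entries are
# constructed dicts; %link is assumed to emit every host/user combination.

def netgroup_triples(entry, any_domain_trigger=None):
    """Return the nisNetgroupTriple values the compat rule would emit.

    entry keys (all optional): hostCategory, userCategory, nisDomainName,
    externalHost / memberHost (host names), memberUser (uids).
    any_domain_trigger models the proposed
    %ifeq("nisDomainName","any","","%{nisDomainName:-}") change: when the
    entry's nisDomainName equals it, the domain field is left blank.
    """
    # Host side: %ifeq("hostCategory","all","",%collect(...)) gives a blank
    # when the category is "all", otherwise the collected host names; the
    # second %ifeq supplies "-" when there are no hosts at all.
    if entry.get("hostCategory") == "all":
        hosts = [""]
    else:
        hosts = list(entry.get("externalHost", [])) + list(entry.get("memberHost", []))
        hosts = hosts or ["-"]
    # User side: same shape, driven by userCategory / memberUser.
    if entry.get("userCategory") == "all":
        users = [""]
    else:
        users = list(entry.get("memberUser", [])) or ["-"]
    # Domain: %{nisDomainName:-} substitutes "-" when the attribute is absent.
    domain = entry.get("nisDomainName")
    if domain is None:
        domain = "-"
    elif any_domain_trigger is not None and domain == any_domain_trigger:
        domain = ""
    return ["(%s,%s,%s)" % (h, u, domain) for h in hosts for u in users]


# Constructed sample entries (not data from the thread's IPA server).
ALL_ANY = {"hostCategory": "all", "userCategory": "all", "nisDomainName": "any"}
HOSTS_ONLY = {"memberHost": ["host1.example.test", "host2.example.test"]}

if __name__ == "__main__":
    print(netgroup_triples(ALL_ANY))          # current rule: ['(,,any)']
    print(netgroup_triples(ALL_ANY, "any"))   # with trigger: ['(,,)']
    print(netgroup_triples(HOSTS_ONLY))       # ['(host1.example.test,-,-)', '(host2.example.test,-,-)']
```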