Public bug reported:
Context: I'm using sssd(8) to look up group memberships from an LDAP server, using the "rfc2307bis" schema. I observe that my friendly neighborhood LDAP server does recursion of nested groups to provide a flat list of "member" attributes, but does not discard redundant members. That is, consider LDAP groups test_group_A and test_group_B with members and subgroups like this:

  dn: cn=test_group_A,ou=User Groups,ou=Groups,dc=example,dc=com
  member: uid=alice,ou=People,dc=example,dc=com
  member: uid=bob,ou=People,dc=example,dc=com
  groupMember: cn=test_group_B,ou=User Groups,ou=Groups,dc=example,dc=com

  dn: cn=test_group_B,ou=User Groups,ou=Groups,dc=example,dc=com
  member: uid=bob,ou=People,dc=example,dc=com
  member: uid=carla,ou=People,dc=example,dc=com

If I query my LDAP server with ldapsearch(8) for test_group_A, I see repeated member entries. Viz.:

  myhost$ ldapsearch -LLL -x -H ldap://ldap.example.com cn=test_group_A member
  dn: cn=test_group_A,ou=User Groups,ou=Groups,dc=example,dc=com
  member: uid=alice,ou=People,dc=example,dc=com
  member: uid=bob,ou=People,dc=example,dc=com
  member: uid=bob,ou=People,dc=example,dc=com
  member: uid=carla,ou=People,dc=example,dc=com

Observed behavior: If I look up group membership for test_group_A through sssd(8), I get an incomplete member list:

  myhost$ getent group test_group_A
  test_group_A:*:123456:alice,bob

Enabling verbose debugging shows that sssd is unhappy about redundant members, with the log file showing complaints of "User was looked up twice, this shouldn't have happened". Nonetheless the group lookup succeeds, yielding partial data. All members after the repeated entry are discarded.

Expected behaviour: Either return the full list of members, silently discarding (only) duplicate "member" attributes without error, or reject the group in its entirety such that "getent group" prints nothing and exits with return value 2. (The former is preferable, but the latter at least avoids labeling partial data as success.)

** Affects: sssd (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1321423

Title:
  sssd-ldap handles redundant group members incorrectly
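
Added example (not part of the original report and not sssd code): a check that parses "ldapsearch -LLL" output, deduplicates each group's "member" values in order, and lists which names a "getent group" line lacks. The function names are hypothetical, the DN comparison is simplified, and the login name is assumed to be the value of the first RDN (uid=...).

```python
# Constructed input: the ldapsearch and getent output quoted in the report.
SAMPLE_LDIF = """\
dn: cn=test_group_A,ou=User Groups,ou=Groups,dc=example,dc=com
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com
member: uid=carla,ou=People,dc=example,dc=com
"""
SAMPLE_GETENT = "test_group_A:*:123456:alice,bob"

def parse_members(ldif):
    """Map each group DN to its member values, in server order."""
    groups, dn = {}, None
    for line in ldif.replace("\n ", "").splitlines():  # unfold continuation lines
        attr, sep, value = line.partition(":")  # base64 ("attr::") values are not decoded
        if not sep:
            dn = None  # a blank line ends the current entry
            continue
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
            groups[dn] = []
        elif attr.lower() == "member" and dn is not None:
            groups[dn].append(value)
    return groups

def dn_key(dn):
    """Simplified comparison key: case-folded, no spaces around commas."""
    return ",".join(part.strip() for part in dn.casefold().split(","))

def audit(members):
    """Return (deduplicated, duplicates, first_seen_after_a_duplicate)."""
    seen, unique, dupes, after = set(), [], [], []
    for m in members:
        if dn_key(m) in seen:
            dupes.append(m)
        else:
            seen.add(dn_key(m))
            unique.append(m)
            if dupes:  # per the report, these are the members that get dropped
                after.append(m)
    return unique, dupes, after

def missing_from_getent(unique, getent_line):
    """Names in the deduplicated list that the getent line lacks (assumes uid= first RDN)."""
    resolved = set(getent_line.strip().split(":")[3].split(","))
    names = [m.split(",")[0].split("=", 1)[1] for m in unique]
    return [n for n in names if n not in resolved]
```

A non-empty result from missing_from_getent() for a group whose duplicates list is also non-empty matches the truncation described in this report.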
