Actually filed with SSSD's upstream, not Fedora, despite the hosting name :)
Thanks!

On Tue, May 27, 2014 at 3:16 PM, Adam <[email protected]> wrote:
> On Thu, 22 May 2014, Jakub Hrozek wrote:
>
>> I agree this is a bug, I would prefer to skip the duplicates as well.
>>
>> Can you open one in the upstream tracker (requires a FAS account):
>> https://fedorahosted.org/sssd/newticket
>>
>> Me or any of the other SSSD developers would take it from there.
>>
>> ...
>
> Jakub,
>
> I've filed this with Fedora as you've requested. See
> https://fedorahosted.org/sssd/ticket/2341.
>
> Thanks!
>
> ** Bug watch added: fedorahosted.org/sssd/ #2341
>    https://fedorahosted.org/sssd/ticket/2341
>
> --
> You received this bug notification because you are subscribed to sssd in
> Ubuntu.
> https://bugs.launchpad.net/bugs/1321423
>
> Title:
>   sssd-ldap handles redundant group members incorrectly
>
> Status in “sssd” package in Ubuntu:
>   New
>
> Bug description:
>
>   Context: I'm using sssd(8) to look up group memberships from an LDAP
>   server, using the "rfc2307bis" schema.
>
>   I observe that my friendly neighborhood LDAP server does recursion of
>   nested groups to provide a flat list of "member" attributes, but does
>   not discard redundant members. That is, consider LDAP groups
>   test_group_A and test_group_B with members and subgroups like this:
>
>     dn: cn=test_group_A,ou=User Groups,ou=Groups,dc=example,dc=com
>     member: uid=alice,ou=People,dc=example,dc=com
>     member: uid=bob,ou=People,dc=example,dc=com
>     groupMember: cn=test_group_B,ou=User Groups,ou=Groups,dc=example,dc=com
>
>     dn: cn=test_group_B,ou=User Groups,ou=Groups,dc=example,dc=com
>     member: uid=bob,ou=People,dc=example,dc=com
>     member: uid=carla,ou=People,dc=example,dc=com
>
>   If I query my LDAP server with ldapsearch(8) for test_group_A, I see
>   repeated member entries. Viz.:
>
>     myhost$ ldapsearch -LLL -x -H ldap://ldap.example.com cn=test_group_A member
>     dn: cn=test_group_A,ou=User Groups,ou=Groups,dc=example,dc=com
>     member: uid=alice,ou=People,dc=example,dc=com
>     member: uid=bob,ou=People,dc=example,dc=com
>     member: uid=bob,ou=People,dc=example,dc=com
>     member: uid=carla,ou=People,dc=example,dc=com
>
>   Observed behavior: If I look up group membership for test_group_A
>   through sssd(8), I get an incomplete member list:
>
>     myhost$ getent group test_group_A
>     test_group_A:*:123456:alice,bob
>
>   Enabling verbose debugging shows that sssd is unhappy about redundant
>   members, with the log file showing complaints of "User was looked up
>   twice, this shouldn't have happened". Nonetheless the group lookup
>   succeeds yielding partial data. All members after the repeated entry
>   are discarded.
>
>   Expected behaviour: Either return the full list of members, silently
>   discarding (only) duplicate "member" attributes without error, or
>   reject the group in its entirety such that "getent group" prints
>   nothing and exits with return value 2. (The former is preferable, but
>   the latter at least avoids labeling partial data as success.)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1321423/+subscriptions
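
An added example, not part of the original message and not SSSD code: a small check that compares the directory's "member" values with what getent returned and lists the users dropped after a duplicate. The sample input is the output quoted in the bug description; the function names, the case-insensitive DN comparison and the first-RDN uid extraction are assumptions made for the illustration.

```python
import base64

# Constructed sample input: the ldapsearch and getent output quoted in the bug report.
LDIF = """\
dn: cn=test_group_A,ou=User Groups,ou=Groups,dc=example,dc=com
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com
member: uid=carla,ou=People,dc=example,dc=com
"""
GETENT = "test_group_A:*:123456:alice,bob"

def ldif_members(ldif, attr="member"):
    """Return the attribute's values in directory order, duplicates kept."""
    lines = []
    for raw in ldif.splitlines():
        # LDIF folds long lines: a continuation line starts with one space.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    values = []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if value.startswith(":"):  # "member:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        values.append(value.strip())
    return values

def uid_of(dn):
    """Hypothetical helper: value of the first RDN (no escaped commas handled)."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def audit(ldif, getent_line):
    """Report duplicate member DNs and users missing from the getent answer."""
    seen, unique, dups = set(), [], []
    for dn in ldif_members(ldif):
        key = dn.lower()  # assumption: DNs compare case-insensitively
        (dups if key in seen else unique).append(dn)
        seen.add(key)
    expected = [uid_of(dn) for dn in unique]
    field = getent_line.rstrip("\n").split(":")[3]
    got = field.split(",") if field else []
    missing = [u for u in expected if u not in got]
    return {"duplicates": dups, "expected": expected, "missing": missing}
```

A non-empty "missing" list for a group that also has "duplicates" matches the partial result described in the report, which matters wherever group membership drives access decisions.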
