[Freeipa-devel] [PATCH] slapi-nis: normalize memberUid search filter term for AD users

Alexander Bokovoy abokovoy at redhat.com
Mon Oct 20 06:13:44 UTC 2014


On Sun, 19 Oct 2014, Jakub Hrozek wrote:
>On Thu, Oct 09, 2014 at 02:01:16PM +0300, Alexander Bokovoy wrote:
>> Hi,
>>
>> memberUid attribute has case-sensitive comparison defined but when we
>> construct memberUid for AD users (coming through SSSD), they are
>> normalized to lower case. Interestingly enough, 'uid' attribute has
>> case-insensitive comparison.
>>
>> Work around the issue by low-casing the memberUid search term value when
>> it is a fully-qualified name (user@domain), meaning we do ask for a SSSD
>> user.
>>
>> This is the patch on top of my ID views support patch.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1130131
>> --
>> / Alexander Bokovoy
>
>The code reads good to me and passed some basic sanity testing... however,
>I've been unable to reproduce the issue, so I'm not sure this counts as
>a full ACK...
Thanks. I've already pushed the patch to slapi-nis and released 0.54
last week.

To reproduce the issue you just need to have an AD group with an AD user
searched in the compat tree with '(&(objectclass=posixgroup)(cn=Domain Admins@AD.DOMAIN))'
and then search by memberUid with a case different from what is there,
i.e. '(&(objectclass=posixgroup)(memberUid=Administrator@AD.DOMAIN))' --
given that memberUid will be set to a normalized name, administrator@ad.domain,
the search will fail because memberUid comparison rule is case-sensitive
in RFC2307 schema.
-- 
/ Alexander Bokovoy
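
The mismatch and the workaround discussed in this thread, as an added example that is not part of the original message and is not the slapi-nis patch itself: a string-level sketch in C that lower-cases fully-qualified memberUid terms in a filter. The function names and sample values are assumptions made for illustration; the real plugin works on parsed filter structures rather than strings.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-sensitive comparison, which the message says applies to memberUid. */
static int memberuid_matches(const char *stored, const char *asserted)
{
    return strcmp(stored, asserted) == 0;
}

/* Case-insensitive prefix test; LDAP attribute names ignore case. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    while (*prefix != '\0')
        if (tolower((unsigned char)*s++) != tolower((unsigned char)*prefix++))
            return 0;
    return 1;
}

/* Lower-case, in place, each memberUid assertion value that contains '@'
 * (a fully-qualified name). Returns the number of terms rewritten. */
static int normalize_memberuid_terms(char *filter)
{
    static const char attr[] = "(memberUid=";
    int rewritten = 0;
    for (char *p = filter; *p != '\0'; p++) {
        if (!has_prefix_ci(p, attr))
            continue;
        char *val = p + sizeof(attr) - 1;
        char *end = strchr(val, ')');   /* a literal ')' in a value is escaped as \29 */
        if (end == NULL)
            break;                      /* malformed filter: stop */
        if (memchr(val, '@', (size_t)(end - val)) != NULL) {
            for (char *c = val; c < end; c++)
                *c = (char)tolower((unsigned char)*c);
            rewritten++;
        }
        p = end;
    }
    return rewritten;
}

int main(void)
{
    /* Constructed sample values using the names from the message. */
    char filter[] = "(&(objectclass=posixgroup)(memberUid=Administrator@AD.DOMAIN))";
    printf("before: match=%d\n", memberuid_matches("administrator@ad.domain", "Administrator@AD.DOMAIN"));
    printf("rewritten=%d filter=%s\n", normalize_memberuid_terms(filter), filter);
    return 0;
}
```

Terms without '@' and attributes other than memberUid are left untouched, so lookups for non-SSSD users keep their original case.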



