[Freeipa-users] ipa-server-4.1.0 ipasam performance issue / strange behaviour

Jason Woods devel at jasonwoods.me.uk
Tue Jun 30 16:50:25 UTC 2015


> On 30 Jun 2015, at 17:29, Alexander Bokovoy <abokovoy at redhat.com> wrote:
> 
> ----- Original Message -----
>> If I load the keytab for Samba: kinit -t /etc/samba/samba.keytab
>> cifs/ipa02.XXX at XXX
>> Then run the query using GSSAPI - I get no results!
>> 
>> [...]
>> 
>> Even stranger, if I split the OR filter and only run the group part, but
>> still running through GSSAPI - it is successful!
>> 
>> [...]
>> 
>> Any ideas what might be happening here?
>> I’ve read something about how non-existent attributes can mess with OR queries.
>> But I can’t understand why it would only affect the GSSAPI authenticated
>> user.
> This is definitely an issue with ACLs or NACLPlugin.
> 
> Regarding LDAPI+root and GSSAPI -- the first one maps to cn=Directory Manager, the second one maps to a specific DN.
> When you are cn=Directory Manager, no ACLs apply to you, so the result is expected.
> --
> / Alexander Bokovoy

I thought it might be.

However, the fact that the query works fine without the OR - does that not indicate otherwise? Surely permissions would impact both?

To summarise, when using GSSAPI with a specific DN, the following returns nothing:
> (|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount)))

The following returns one result:
> (&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))

My understanding would be if it were permissions, both would return nothing.
I’ve even tried the uidNumber part with a valid uid and it does actually return something.

Thanks,

Jason Woods
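As an added illustration (not code from the thread or from FreeIPA), the following splits the OR filter quoted above into its branches with a minimal RFC 4515 parser, evaluates each branch against a constructed group entry, and emits one GSSAPI-bound ldapsearch per branch so the results can be compared under the same identity; the base DN is a placeholder.

```python
# Added example, not from the mailing-list thread: split an LDAP OR filter into its
# branches so each can be searched separately under the same bind, and evaluate them
# locally against a constructed entry. Supports only the RFC 4515 subset used in the
# post: equality matches and the &, |, ! operators (values containing ')' unsupported).

FILTER = ("(|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))"
          "(&(uidNumber=543800010)(objectClass=posixAccount)))")
# Constructed group entry, shaped like the one the group-only branch returned.
GROUP_ENTRY = {"gidNumber": ["543800010"],
               "objectClass": ["top", "posixGroup", "ipaNTGroupAttrs"]}

def parse(s, i=0):
    """Parse the filter starting at s[i]; return (node, index just past it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":                     # compound filter: operator then sub-filters
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    j = s.index(")", i)                   # simple equality match: attr=value
    attr, _, val = s[i:j].partition("=")
    return ("=", attr, val), j + 1

def unparse(node):
    if node[0] == "=":
        return f"({node[1]}={node[2]})"
    return f"({node[0]}{''.join(unparse(k) for k in node[1])})"

def matches(node, entry):
    """Evaluate a parsed filter against {attribute: [values]}; attribute names are case-insensitive."""
    op = node[0]
    if op == "=":
        vals = next((v for k, v in entry.items() if k.lower() == node[1].lower()), [])
        return node[2] in vals
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    return not matches(node[1][0], entry)  # '!'

def branches(filter_str):
    """Top-level OR branches as filter strings (the whole filter if it is not an OR)."""
    node, _ = parse(filter_str)
    return [unparse(k) for k in node[1]] if node[0] == "|" else [filter_str]

def ldapsearch_cmds(filter_str, base="dc=example,dc=test"):   # base DN is a placeholder
    # One GSSAPI-bound ldapsearch per branch, to compare results under the same identity.
    return [f"ldapsearch -Y GSSAPI -b '{base}' '{b}'" for b in branches(filter_str)]
```

Locally the full OR filter and its group branch both match the constructed entry while the posixAccount branch does not, which is the logic behind the reasoning in the post; running the generated commands under the same GSSAPI bind shows which branch the server treats differently.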