[Freeipa-users] ipa-server-4.1.0 ipasam performance issue / strange behaviour

Alexander Bokovoy abokovoy at redhat.com
Tue Jun 30 17:01:18 UTC 2015



----- Original Message -----
> 
> > On 30 Jun 2015, at 17:29, Alexander Bokovoy <abokovoy at redhat.com> wrote:
> > 
> > ----- Original Message -----
> >> If I load the keytab for Samba: kinit -t /etc/samba/samba.keytab
> >> cifs/ipa02.XXX at XXX
> >> Then run the query using GSSAPI - I get no results!
> >> 
> >> [...]
> >> 
> >> Even stranger, if I split the OR filter and only run the group part, but
> >> still running through GSSAPI - it is successful!
> >> 
> >> [...]
> >> 
> >> Any ideas what might be happening here?
> >> I’ve read something about how non-existent attributes can mess with OR
> >> queries.
> >> But I can’t understand why it would only affect the GSSAPI authenticated
> >> user.
> > This is definitely an issue with ACLs or NACLPlugin.
> > 
> > Regarding LDAPI+root and GSSAPI -- the first one maps to cn=Directory
> > Manager, the second one maps to a specific DN.
> > When you are cn=Directory Manager, no ACLs apply to you, so the result is
> > expected.
> 
> I thought it might be.
> 
> However, the fact that the query works fine without the OR - does that not
> indicate otherwise? Surely permissions would impact both?
> 
> To summarise, when using GSSAPI with specific DN, the following returns
> nothing:
> > (|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount)))
> 
> The following returns one result:
> > (&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))
> 
> My understanding would be if it were permissions, both would return nothing.
> I’ve even tried the uidNumber part with a valid uid and it does actually
> return something.
That's why I'm saying it might be an issue in NACLPlugin. Can you please file a bug about it?
-- 
/ Alexander Bokovoy
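
Added example, not part of the original message: a way to mechanise the comparison made in this thread by splitting an OR filter into its branches and checking whether the OR result equals the union of the branch results for one bind identity. The `search` callable, the sample DN and the simulated result sets are constructed assumptions; a real `search` would run the query as the GSSAPI-bound DN.

```python
# Added example: compare an OR filter's result with the union of its branches.

def split_top_level(filt):
    """Split '(|(a)(b))' into ('|', ['(a)', '(b)']); simple items return ('', [filt])."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be parenthesised")
    op = filt[1]
    if op not in "&|!":
        return "", [filt]
    # RFC 4515 requires literal parentheses in values to be escaped (\28, \29),
    # so counting raw parentheses is enough to find branch boundaries.
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(filt[2:-1]):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced filter")
            if depth == 0:
                parts.append(filt[2:-1][start:i + 1])
        elif depth == 0:
            raise ValueError("unexpected text between branches")
    if depth != 0 or not parts:
        raise ValueError("unbalanced or empty filter")
    return op, parts

def check_or(search, filt):
    """Return (consistent, missing): entries the branches return but the OR does not."""
    op, branches = split_top_level(filt)
    if op != "|":
        raise ValueError("not an OR filter")
    union = set().union(*(search(b) for b in branches))
    return search(filt) == union, union - search(filt)

OR_FILTER = ("(|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))"
             "(&(uidNumber=543800010)(objectClass=posixAccount)))")
GROUP_DN = "cn=examplegroup,cn=groups,cn=accounts,dc=example,dc=test"  # constructed
# Constructed results imitating the symptom reported for the GSSAPI-bound DN.
SIMULATED = {"(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))": {GROUP_DN}}

def simulated_search(filt):
    return SIMULATED.get(filt, set())

if __name__ == "__main__":
    print(check_or(simulated_search, OR_FILTER))
```

A non-empty `missing` set for one bind identity, with an empty one for cn=Directory Manager, is the kind of evidence worth attaching to the bug report requested above.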



