ipa: improve handling of external group memberships#8094
ipa: improve handling of external group memberships#8094sumit-bose wants to merge 3 commits intoSSSD:masterfrom
Conversation
There was a problem hiding this comment.
Code Review
This pull request effectively refactors the handling of external group memberships to resolve an issue with an in-out parameter, by introducing a dedicated list for missing groups. This correctly prevents unintended group membership removals. Additionally, it introduces filtering for objects that SSSD does not handle. However, I've found a critical use-after-free vulnerability in the new helper function get_rdn_name_from_dn_string which must be addressed.
0eda138 to
77ae7dc
Compare
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request correctly refactors the handling of external group memberships to prevent incorrect group removals by using a dedicated list for missing groups. It also introduces filtering to avoid lookups for non-group objects. The logic seems sound, but I've identified a memory leak in the new filtering function that should be addressed.
77ae7dc to
4b9dce6
Compare
|
Hi, would you mind adding test for the original issue? It should be fairly simple. Once SSSD/sssd-test-framework#190 is merged, we can add also test for the sudo case. |
Hi, you mean a test to check that a group membership is properly removed? For the "sudo case" Shridhar has already opened #8074 for the underlying issue. bye, |
yes |
4b9dce6 to
dc0301b
Compare
added |
96f3a1d to
54f2dc1
Compare
pbrezina
left a comment
There was a problem hiding this comment.
Hi, there is a typo in the second commita message "removall". The third commit also contains some test bits that should be moved to the second commit.
Otherwise ack, thank you.
| :customerscenario: True | ||
| """ | ||
| ipa.sssd.subdom('ipa.test', trusted.domain)['ldap_use_tokengroups'] = use_token_groups | ||
| ipa.sssd.config_apply(check_config=False) |
There was a problem hiding this comment.
Hi,
currently the config check does not like ldap_use_tokengroups in the sub-domain section. I didn't want to add it to the allowed options en passant because it might need some more careful testing when using the AD provider. Since token groups are not used in the IPA provider it might be possible to set ldap_use_tokengroups in the IPA domain section and inherit it, if you prefer.
bye,
Sumit
There was a problem hiding this comment.
Thank you for the explanation, maybe add a comment then?
There was a problem hiding this comment.
Hi,
I switched to the inherit variant and removed check_config=False.
bye,
Sumit
| ipa.group("posix-group").add().add_member(external) | ||
|
|
||
| ipa.sssd.clear(db=True, memcache=True, logs=True) | ||
| ipa.host.conn.exec(["systemctl", "restart", "sssd.service"]) |
There was a problem hiding this comment.
Why don't you use ipa.sssd.restart? And isn't it sufficient to restart it only once, since you are clearing the cache anyway?
There was a problem hiding this comment.
Hi,
this is the work-around for SSSD/sssd-test-framework#203. If ipa.sssd.restart() is used there will be no valid Kerberos ticket anymore for the second ipa .... command.
bye,
Sumit
There was a problem hiding this comment.
No need for workaround, I wrote a fix: SSSD/sssd-test-framework#205
There was a problem hiding this comment.
Hi,
the test is now using ipa.sssd.restart()
bye,
Sumit
|
Note: Covscan is green. |
07b6c6b to
afb2f50
Compare
| return NULL; | ||
| } | ||
|
|
||
| tmp_str = ldb_dn_get_rdn_name(dn); |
There was a problem hiding this comment.
Since ldb_dn_get_rdn_name() returns name of 1st component only anyway:
dn->components[0].name
would it work to simply strchr('=')? Can '=' be escaped in a DN?
There was a problem hiding this comment.
Hi,
using strchr() was my first implementation, but what I found that ldb functions were used for similar task I wanted to be consistent and switch to the current implementation.
Since LDAP attribute names (or short names or descriptors as they are called in the RFCs) cannot contain a =, only "ALPHA / DIGIT / HYPHEN" are allowed (https://www.rfc-editor.org/rfc/rfc4512#section-1.4) the strchr() variant would work as well. So, if you prefer I can change the implementation.
bye,
Sumit
There was a problem hiding this comment.
So, if you prefer I can change the implementation.
It depends if this is a hot path.
Cache performance is already a huge pain point, especially for AD/IPA-AD cases.
If this is a hot path (and imo it can be) then I'd vote to not introduce additional overhead here (this includes my other perf related comments).
5562c52 to
8514b49
Compare
|
Hi, I removed the third patch with the filtering from this PR to be able to move more swiftly with the actual fix. I will add a now PR with the filtering including Alexey's suggestion once this here is finished. bye, |
In a IPA-AD trust environment, AD-user has membership of a external-ipa group. This external-ipa-group is member of IPA-posix group. When a HBAC rule is added and is the ipa-posix member is added as member for that rule, AD-user misses that IPA-group-membership
|
ACK, thank you. |
|
Note: Covscan is still green. |
|
Pushed PR: #8094
|
Recently add_ad_user_to_cached_groups() was modified to better handle
adding and removing group memberships of users from trusted domains in
groups of the local IPA domain. Before the change group members were only
added and with the change a removal was possible as well. This caused an
issues with an in-out parameter which contains the full list of IPA group
memberships at input and the list of group missing in the cache as output.
Since add_ad_user_to_cached_groups() is called twice, the second time after
the missing groups were read from the IPA server, this caused and
unexpected removal of group memberships since the second call to
add_ad_user_to_cached_groups() was done with the list of missing groups and
not with the full list.
With this patch a dedicated list is used for the missing groups to avoid
the described issues.
Additionally this PR contains a second patch which filters some objects SSSD
currently does not handle.
Resolves: #7921