[autobackport: sssd-2-9] ipa s2n: do not try to update user-private-group #8347
Code Review
This pull request backports a fix to prevent SSSD from trying to update user-private-groups (UPGs) when an ID view changes. The changes in src/providers/ipa/ipa_s2n_exop.c correctly add a check for the group's objectCategory to differentiate real groups from UPGs, ensuring that only real groups are queued for update if they are missing the SYSDB_OVERRIDE_DN attribute. The new test case in src/tests/system/tests/test_ipa_trusts.py effectively validates this fix by simulating a view change and verifying that user lookups still succeed. The changes are well-implemented and the code appears correct. I have no further comments.
When an IPA client requests the details about a trusted user from the IPA server including its memberships the server will return the name of all groups including the user-private-group. Since this group is not a cached object on its own it is not needed to try to update it as a group but it will be updated when the user object is updated.

This has to be taken into account especially after a client is assigned to a new id-view because now the SYSDB_OVERRIDE_DN attribute is required and all cached objects which are missing it must be updated. If the user-private-group was found for update it should be skipped because the calls to update group objects in the cache cannot handle user-private-groups. This is expected behavior as user-private-groups are not objects on their own.

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Alejandro López <allopez@redhat.com>
(cherry picked from commit 1a8c302)
After a new view is applied to a client SSSD should make sure that the cache entries are updated properly and all cached users can still be resolved properly.

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Alejandro López <allopez@redhat.com>
(cherry picked from commit 08c2ccf)
The pull request was accepted by @alexey-tikhonov with the following PR CI status: 🟢 CodeQL (success). There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.
3230971 to ccb3ec5
This is an automatic backport of PR#8002 ipa s2n: do not try to update user-private-group to branch sssd-2-9, created by @sumit-bose.
Please make sure this backport is correct.
Note
The commits were cherry-picked without conflicts.
You can push changes to this pull request
Original commits
1a8c302 - ipa s2n: do not try to update user-private-group
08c2ccf - tests: check user lookup after view change
Backported commits
Original Pull Request Body
When an IPA client requests the details about a trusted user from the IPA server including its memberships the server will return the name of all groups including the user-private-group. Since this group is not a cached object on its own it is not needed to try to update it as a group but it will be updated when the user object is updated.

This has to be taken into account especially after a client is assigned to a new id-view because now the SYSDB_OVERRIDE_DN attribute is required and all cached objects which are missing it must be updated. If the user-private-group was found for update it should be skipped because the calls to update group objects in the cache cannot handle user-private-groups. This is expected behavior as user-private-groups are not objects on their own.
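The skip described in the PR body above, sketched as an added C example; this is not the code from the backported commit, and the `cache_entry` struct, the constructed cache contents and the objectCategory values `"user"`/`"group"` are assumptions made here, not SSSD's own definitions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a cached sysdb object; the field names and the
 * category values "user"/"group" are assumptions made for this example. */
struct cache_entry {
    const char *name;
    const char *object_category;
    bool has_override_dn;   /* SYSDB_OVERRIDE_DN already set on the entry? */
};

/* Constructed cache contents: the user-private-group of tuser@ad.test has
 * no object of its own, a lookup of that group name resolves to the user
 * entry, so the UPG is refreshed whenever the user entry is refreshed. */
static const struct cache_entry cache[] = {
    { "tuser@ad.test",  "user",  false },
    { "devs@ad.test",   "group", false },
    { "admins@ad.test", "group", true  },
};

static const struct cache_entry *cache_lookup(const char *name)
{
    for (size_t i = 0; i < sizeof(cache) / sizeof(cache[0]); i++) {
        if (strcmp(cache[i].name, name) == 0) {
            return &cache[i];
        }
    }
    return NULL;
}

/* Walk the group names the server returned for a user and queue only real
 * group objects that still lack SYSDB_OVERRIDE_DN after a view change.
 * Returns the number of names written to queued (at most max). */
size_t queue_groups_for_update(const char *const *group_names, size_t count,
                               const char **queued, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < count && n < max; i++) {
        const struct cache_entry *e = cache_lookup(group_names[i]);
        if (e == NULL) continue;   /* not cached yet: nothing to update */
        if (strcmp(e->object_category, "group") != 0)
            continue;   /* user-private-group: updated with the user object */
        if (!e->has_override_dn) {
            queued[n++] = e->name;
        }
    }
    return n;
}
```

With the constructed cache, only `devs@ad.test` is queued: the UPG resolves to the user entry and is left to the user update, and `admins@ad.test` already carries the override DN.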