From e728796cde9a95fd4186ad2c30faadc62497472e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?=
Date: Thu, 26 Oct 2017 18:38:42 +0200
Subject: [PATCH 52/79] SYSDB: Better debugging for email conflicts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add DEBUG message when conflicts in FQ names or emails are detected. Also improve man page to hint on how to work around issue with conflicting emails.

Note: We store emails in two different attributes in sysdb:
- SYSDB_USER_EMAIL
- SYSDB_NAME_ALIAS - this one is lowercased and used in getpwnam searches.

Resolves: https://fedorahosted.org/sssd/ticket/3293

Reviewed-by: Fabiano FidĂȘncio
---
 src/db/sysdb_ops.c | 4 +++-
 src/db/sysdb_search.c | 15 +++++++++++++++
 src/man/sssd-ldap.5.xml | 9 +++++++++
 3 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 635c7db51f516e2217c93016409499e49289004c..1539c41c93e7d6ebd1e544abbb1707df5578cd72 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -640,7 +640,9 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
 goto done;
 } else if (res->count > 1) {
 DEBUG(SSSDBG_OP_FAILURE,
- "Search for upn [%s] returns more than one result.\n", upn);
+ "Search for upn [%s] returns more than one result. One of the "
+ "possible reasons can be that several users share the same "
+ "email address.\n", upn);
 ret = EINVAL;
 goto done;
 }
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index f488442afcc6eef114437a7110722759f86fe19e..8083966900429b268a3b984f1cad3d47d1099198 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -218,6 +218,21 @@ int sysdb_getpwnam(TALLOC_CTX *mem_ctx,
 goto done;
 }
 
+ if (res->count > 1) {
+ /* We expected either 0 or 1 result for search with
+ * SYSDB_PWNAM_FILTER, but we got more. This error
+ * is handled individually depending on what function
+ * called sysdb_getpwnam, so we just print a message
+ * here and let the caller decide what error code to
+ * propagate based on res->count > 1. */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Search for [%s] returned multiple results. It can be an email "
+ "address shared among multiple users or an email address of a "
+ "user that conflicts with another user's fully qualified name. "
+ "SSSD will not be able to handle those users properly.\n",
+ sanitized_name);
+ }
+
 /* Merge in the timestamps from the fast ts db */
 ret = sysdb_merge_res_ts_attrs(domain->sysdb, res, attrs);
 if (ret != EOK) {
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index d38bac3607d294c53ea692130a6b93ced9b0ab82..de596f0da62be9eb61b880b6e1d4a0f33689e25a 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -877,6 +877,15 @@
 Name of the LDAP attribute containing the email address of the user.
+
+ Note: If an email address of a user conflicts with
+ an email address or fully qualified name of another
+ user, then SSSD will not be able to serve those
+ users properly. If for some reason several users
+ need to share the same email address then set
+ this option to a nonexistent attribute name in
+ order to disable user lookup/login by email.
+
 Default: mail
-- 
2.15.1
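Review bot: The new `if (res->count > 1)` branch in sysdb_getpwnam only logs and then falls through to sysdb_merge_res_ts_attrs and the normal return path, so a caller that reads `res->msgs[0]` without first checking `res->count` would presumably act on whichever entry the search returned first — for a name that is an email shared by several accounts that is an identity-confusion risk (a lookup or login resolving to the wrong user), not merely a diagnostic gap. The added comment asserts that every caller handles `res->count > 1` individually, but nothing in this hunk enforces that and the function's contract is not visible here (sysdb_getpwnam starts before and continues after the hunk). If returning an error at this point is deliberately avoided, state the contract on the prototype so new callers cannot miss it, e.g. `/* May return EOK with res->count > 1 when the name matches several entries (shared email, or an email equal to another user's FQ name); callers MUST check res->count before using res->msgs[0]. */`. Also note that the message is emitted at SSSDBG_CRIT_FAILURE on every lookup of the conflicting name, so a client able to trigger repeated lookups of such a name could fill the log; consider whether this path is reachable from unprivileged NSS requests and, if so, whether the level or a once-per-name emission is more appropriate.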