sssd/0052-SYSDB-Better-debugging-for-email-conflicts.patch
Lukas Slebodnik 01409e3d48 Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in setnetgrent_result_timeout
Resolves: upstream#3588 - sssd_nss consumes more memory until restarted
                          or machine swaps
Resolves: failure in glibc tests
          https://sourceware.org/bugzilla/show_bug.cgi?id=22530
Resolves: upstream#3451 - When sssd is configured with id_provider proxy and
                          auth_provider ldap, login fails if the LDAP server
                          is not allowing anonymous binds
Resolves: upstream#3285 - SSSD needs restart after incorrect clock is
                          corrected with AD
Resolves: upstream#3586 - Give a more detailed debug and system-log message
                          if krb5_init_context() failed
Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet
                         in /etc/systemd/system
Backport few upstream features from 1.16.1

(cherry picked from commit 1dedfbb334)
2017-12-04 21:53:43 +01:00

94 lines
3.9 KiB
Diff

From e728796cde9a95fd4186ad2c30faadc62497472e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Thu, 26 Oct 2017 18:38:42 +0200
Subject: [PATCH 52/79] SYSDB: Better debugging for email conflicts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add DEBUG message when conflicts in FQ names or emails
are detected.
Also improve man page to hint on how to work around issue
with conflicting emails.
Note: We store emails in two different attributes in sysdb:
- SYSDB_USER_EMAIL
- SYSDB_NAME_ALIAS - this one is lowercased and used in getpwnam
searches.
Resolves:
https://fedorahosted.org/sssd/ticket/3293
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/db/sysdb_ops.c | 4 +++-
src/db/sysdb_search.c | 15 +++++++++++++++
src/man/sssd-ldap.5.xml | 9 +++++++++
3 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 635c7db51f516e2217c93016409499e49289004c..1539c41c93e7d6ebd1e544abbb1707df5578cd72 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -640,7 +640,9 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
goto done;
} else if (res->count > 1) {
DEBUG(SSSDBG_OP_FAILURE,
- "Search for upn [%s] returns more than one result.\n", upn);
+ "Search for upn [%s] returns more than one result. One of the "
+ "possible reasons can be that several users share the same "
+ "email address.\n", upn);
ret = EINVAL;
goto done;
}
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index f488442afcc6eef114437a7110722759f86fe19e..8083966900429b268a3b984f1cad3d47d1099198 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -218,6 +218,21 @@ int sysdb_getpwnam(TALLOC_CTX *mem_ctx,
goto done;
}
+ if (res->count > 1) {
+ /* We expected either 0 or 1 result for search with
+ * SYSDB_PWNAM_FILTER, but we got more. This error
+ * is handled individually depending on what function
+ * called sysdb_getpwnam, so we just print a message
+ * here and let the caller decide what error code to
+ * propagate based on res->count > 1. */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Search for [%s] returned multiple results. It can be an email "
+ "address shared among multiple users or an email address of a "
+ "user that conflicts with another user's fully qualified name. "
+ "SSSD will not be able to handle those users properly.\n",
+ sanitized_name);
+ }
+
/* Merge in the timestamps from the fast ts db */
ret = sysdb_merge_res_ts_attrs(domain->sysdb, res, attrs);
if (ret != EOK) {
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index d38bac3607d294c53ea692130a6b93ced9b0ab82..de596f0da62be9eb61b880b6e1d4a0f33689e25a 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -877,6 +877,15 @@
Name of the LDAP attribute containing the email
address of the user.
</para>
+ <para>
+ Note: If an email address of a user conflicts with
+ an email address or fully qualified name of another
+ user, then SSSD will not be able to serve those
+ users properly. If for some reason several users
+ need to share the same email address then set
+ this option to a nonexistent attribute name in
+ order to disable user lookup/login by email.
+ </para>
<para>
Default: mail
</para>
--
2.15.1