01409e3d48
Resolves: upstream#3588 - sssd_nss consumes more memory until restarted
or machine swaps
Resolves: failure in glibc tests
https://sourceware.org/bugzilla/show_bug.cgi?id=22530
Resolves: upstream#3451 - When sssd is configured with id_provider proxy and
auth_provider ldap, login fails if the LDAP server
is not allowing anonymous binds
Resolves: upstream#3285 - SSSD needs restart after incorrect clock is
corrected with AD
Resolves: upstream#3586 - Give a more detailed debug and system-log message
if krb5_init_context() failed
Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet
in /etc/systemd/system
Backport few upstream features from 1.16.1
(cherry picked from commit 1dedfbb334
)
94 lines
3.9 KiB
Diff
94 lines
3.9 KiB
Diff
From e728796cde9a95fd4186ad2c30faadc62497472e Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
|
Date: Thu, 26 Oct 2017 18:38:42 +0200
|
|
Subject: [PATCH 52/79] SYSDB: Better debugging for email conflicts
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Add DEBUG message when conflicts in FQ names or emails
|
|
are detected.
|
|
|
|
Also improve man page to hint on how to work around issue
|
|
with conflicting emails.
|
|
|
|
Note: We store emails in two different attributes in sysdb:
|
|
- SYSDB_USER_EMAIL
|
|
- SYSDB_NAME_ALIAS - this one is lowercased and used in getpwnam
|
|
searches.
|
|
|
|
Resolves:
|
|
https://fedorahosted.org/sssd/ticket/3293
|
|
|
|
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
---
|
|
src/db/sysdb_ops.c | 4 +++-
|
|
src/db/sysdb_search.c | 15 +++++++++++++++
|
|
src/man/sssd-ldap.5.xml | 9 +++++++++
|
|
3 files changed, 27 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
|
index 635c7db51f516e2217c93016409499e49289004c..1539c41c93e7d6ebd1e544abbb1707df5578cd72 100644
|
|
--- a/src/db/sysdb_ops.c
|
|
+++ b/src/db/sysdb_ops.c
|
|
@@ -640,7 +640,9 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
|
|
goto done;
|
|
} else if (res->count > 1) {
|
|
DEBUG(SSSDBG_OP_FAILURE,
|
|
- "Search for upn [%s] returns more than one result.\n", upn);
|
|
+ "Search for upn [%s] returns more than one result. One of the "
|
|
+ "possible reasons can be that several users share the same "
|
|
+ "email address.\n", upn);
|
|
ret = EINVAL;
|
|
goto done;
|
|
}
|
|
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
|
|
index f488442afcc6eef114437a7110722759f86fe19e..8083966900429b268a3b984f1cad3d47d1099198 100644
|
|
--- a/src/db/sysdb_search.c
|
|
+++ b/src/db/sysdb_search.c
|
|
@@ -218,6 +218,21 @@ int sysdb_getpwnam(TALLOC_CTX *mem_ctx,
|
|
goto done;
|
|
}
|
|
|
|
+ if (res->count > 1) {
|
|
+ /* We expected either 0 or 1 result for search with
|
|
+ * SYSDB_PWNAM_FILTER, but we got more. This error
|
|
+ * is handled individually depending on what function
|
|
+ * called sysdb_getpwnam, so we just print a message
|
|
+ * here and let the caller decide what error code to
|
|
+ * propagate based on res->count > 1. */
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "Search for [%s] returned multiple results. It can be an email "
|
|
+ "address shared among multiple users or an email address of a "
|
|
+ "user that conflicts with another user's fully qualified name. "
|
|
+ "SSSD will not be able to handle those users properly.\n",
|
|
+ sanitized_name);
|
|
+ }
|
|
+
|
|
/* Merge in the timestamps from the fast ts db */
|
|
ret = sysdb_merge_res_ts_attrs(domain->sysdb, res, attrs);
|
|
if (ret != EOK) {
|
|
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
|
|
index d38bac3607d294c53ea692130a6b93ced9b0ab82..de596f0da62be9eb61b880b6e1d4a0f33689e25a 100644
|
|
--- a/src/man/sssd-ldap.5.xml
|
|
+++ b/src/man/sssd-ldap.5.xml
|
|
@@ -877,6 +877,15 @@
|
|
Name of the LDAP attribute containing the email
|
|
address of the user.
|
|
</para>
|
|
+ <para>
|
|
+ Note: If an email address of a user conflicts with
|
|
+ an email address or fully qualified name of another
|
|
+ user, then SSSD will not be able to serve those
|
|
+ users properly. If for some reason several users
|
|
+ need to share the same email address then set
|
|
+ this option to a nonexistent attribute name in
|
|
+ order to disable user lookup/login by email.
|
|
+ </para>
|
|
<para>
|
|
Default: mail
|
|
</para>
|
|
--
|
|
2.15.1
|
|
|