abbra / freeipa

Mirror of FreeIPA, an integrated security information management solution
http://www.freeipa.org
GNU General Public License v3.0

wrong logic in _get_objectclass? #53

Closed abbra closed 3 years ago

abbra commented 3 years ago

The _get_object_class method has this docstring:

        """Get object class.

        Given the set of attributes, find the principal object class.
        The attrs may contain for instance: top, groupofnames, nestedgroup,
        ipausergroup, ... In this case the most relevant objectclass is
        groupofnames.
        For a user, the attrs may contain top, person. organizationalperson,
        inetorgperson, inetuser, posixaccount, ... and the most relevant
        objectclass is person.
        """

I think this is logically wrong -- Samba expects that a group object can have a displayName attribute, which is part of the inetorgperson object class, and if I add it, the error below is triggered:

Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]: ipa: INFO: LDAP bind...
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]: ipa: INFO: Commencing sync process
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]: Traceback (most recent call last):
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]:   File "/usr/libexec/ipa/gc/ipa-gcsyncd", line 111, in <module>
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]:     while sync_conn.syncrepl_poll(all=1, msgid=ldap_search):
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]:   File "/usr/lib64/python3.8/site-packages/ldap/syncrepl.py", line 435, in syncrepl_poll
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]:     self.syncrepl_entry(dn, attrs, c.entryUUID)
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]:   File "/usr/lib/python3.8/site-packages/ipaserver/globalcatalog/gcsyncer.py", line 257, in syncrepl_entry
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]:     objclass = self._get_objclass(attributes)
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]:   File "/usr/lib/python3.8/site-packages/ipaserver/globalcatalog/gcsyncer.py", line 217, in _get_objclass
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]:     assert len(present_objclasses) == 1, attrs[OBJCLASS_ATTR]
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]: AssertionError: [b'top', b'groupofnames', b'nestedgroup', b'ipausergroup', b'ipaobject', b'posixgroup', b'ipantgroupattrs', b'inetorgperson', b'organizationalPerson', b'person']
Oct 13 12:51:38 master.ipa.test systemd[1]: ipa-gcsyncd.service: Main process exited, code=exited, status=1/FAILURE
Oct 13 12:51:38 master.ipa.test systemd[1]: ipa-gcsyncd.service: Failed with result 'exit-code'.
Oct 13 12:51:38 master.ipa.test audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipa-gcsyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Oct 13 12:51:38 master.ipa.test systemd[1]: ipa-gcsyncd.service: Consumed 2.642s CPU time.

I think it is OK to see both person and groupofnames in real-life objects because customers might be using custom attributes added to users/groups. We should probably check a combination of ipantgroupattrs/groupofnames for groups and ipantuserattrs/person for users.
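The following is an added example, not FreeIPA's code and not PR 54: it models the single-principal-class assertion from the traceback beside the combination check proposed above, and runs both over the objectClass list from the AssertionError. The exact class sets, the reading that both marker classes must be present, and case-insensitive matching are assumptions of this example.

```python
# Added example (not FreeIPA's code and not PR 54): the object-class selection
# that crashed ipa-gcsyncd, beside the combination check proposed in the issue.
# Class names, the "both marker classes must be present" reading of the proposal
# and case-insensitive matching are assumptions of this example.
from typing import Iterable

PRINCIPAL_CLASSES = {"person", "groupofnames"}        # the docstring's "most relevant" classes
USER_CLASSES = {"ipantuserattrs", "person"}           # proposed marker combination for users
GROUP_CLASSES = {"ipantgroupattrs", "groupofnames"}   # proposed marker combination for groups


def _normalize(values: Iterable) -> set:
    """python-ldap yields bytes; LDAP object class names compare case-insensitively."""
    return {(v.decode() if isinstance(v, bytes) else v).lower() for v in values}


def get_objclass_strict(objectclasses: Iterable) -> str:
    """Modelled on the traceback: exactly one principal class must be present."""
    present = _normalize(objectclasses) & PRINCIPAL_CLASSES
    assert len(present) == 1, list(objectclasses)
    return present.pop()


def get_objclass(objectclasses: Iterable) -> str:
    """Proposed rule: classify by the combination of marker classes, so an extra
    auxiliary class such as inetorgperson on a group no longer breaks the sync."""
    present = _normalize(objectclasses)
    is_group = GROUP_CLASSES <= present
    is_user = USER_CLASSES <= present
    if is_group == is_user:  # neither or both: refuse to guess instead of crashing later
        raise ValueError(f"cannot classify entry with objectClass {sorted(present)}")
    return "groupofnames" if is_group else "person"


def strict_raises(objectclasses: Iterable) -> bool:
    """True when the original assertion would have killed the daemon."""
    try:
        get_objclass_strict(objectclasses)
    except AssertionError:
        return True
    return False


# Constructed sample entries. SAMPLE_GROUP is the objectClass list from the
# AssertionError in the issue; SAMPLE_USER follows the docstring's user example.
SAMPLE_GROUP = [b'top', b'groupofnames', b'nestedgroup', b'ipausergroup', b'ipaobject',
                b'posixgroup', b'ipantgroupattrs', b'inetorgperson',
                b'organizationalPerson', b'person']
SAMPLE_USER = [b'top', b'person', b'organizationalPerson', b'inetOrgPerson',
               b'inetuser', b'posixaccount', b'ipantuserattrs']

if __name__ == "__main__":
    print(strict_raises(SAMPLE_GROUP), get_objclass(SAMPLE_GROUP), get_objclass(SAMPLE_USER))
```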

flo-renaud commented 3 years ago

PR 54 should fix the issue

abbra commented 3 years ago

Fixed.