
Commit ad173e0

sumit-bosealexey-tikhonov
authored andcommitted
sdap: do not require GID for non-POSIX group
In 85b632d the attribute for the GID was removed from non-POSIX groups. Currently sdap_save_group() still requires the attribute and this patch removes this. sdap_save_group() is currently only used in the code path handling nested groups. To verify the change a test was added where indirect group-members are coming from a nested non-POSIX group. Resolves: #8441 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com>
1 parent 0458e65 commit ad173e0

2 files changed

+48
-9
lines changed


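--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -620,15 +620,17 @@ static int sdap_save_group(TALLOC_CTX *memctx,
             goto done;
         }
 
-        ret = sysdb_attrs_get_uint32_t(attrs,
-                                       opts->group_map[SDAP_AT_GROUP_GID].sys_name,
-                                       &gid);
-        if (ret != EOK) {
-            DEBUG(SSSDBG_CRIT_FAILURE,
-                  "no gid provided for [%s] in domain [%s].\n",
-                  group_name, dom->name);
-            ret = EINVAL;
-            goto done;
+        if (posix_group) {
+            ret = sysdb_attrs_get_uint32_t(attrs,
+                                           opts->group_map[SDAP_AT_GROUP_GID].sys_name,
+                                           &gid);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_CRIT_FAILURE,
+                      "no gid provided for [%s] in domain [%s].\n",
+                      group_name, dom->name);
+                ret = EINVAL;
+                goto done;
+            }
         }
     }
 }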

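--- a/src/tests/system/tests/test_identity.py
+++ b/src/tests/system/tests/test_identity.py
@@ -761,3 +761,40 @@ def test_identity__filter_groups_by_name_and_lookup_by_gid(client: Client, ldap:
 
     result = client.tools.getent.group(20001)
     assert result is None, "Filtered group was found"
+
+
+@pytest.mark.importance("critical")
+@pytest.mark.topology(KnownTopologyGroup.AnyAD)
+def test_identity__nested_non_posix_group(client: Client, provider: GenericADProvider):
+    """
+    :title: Lookup indirect group-members of a nested non-POSIX group
+    :setup:
+        1. Add a new POSIX user and two new groups, one POSIX the other non-POSIX
+        2. Add the user to the non-POSIX group and the non-POSIX group to the POSIX group
+        3. Set 'ldap_id_mapping = false' to allow non-POSIX groups, because
+           with POSIX id-mapping enabled all groups will get POSIX ID and hence
+           there are no non-POSIX groups, and start SSSD
+    :steps:
+        1. Lookup the POSIX group with getent
+    :expectedresults:
+        1. Group is present and the new user is a member
+    :customerscenario: False
+    """
+    user = provider.user("nesteduser").add(
+        uid=10001, gid=20001, password="Secret123", gecos="User for tests", shell="/bin/bash"
+    )
+    nested_group = provider.group("nested_nonposix_group").add().add_member(user)
+    base_group = provider.group("posix_group").add(gid=30001).add_member(nested_group)
+
+    client.sssd.domain["ldap_id_mapping"] = "false"
+    client.sssd.start()
+
+    result = client.tools.getent.group(base_group.name)
+    assert result is not None, f"Group '{base_group.name}' not found!"
+    assert (
+        len(result.members) == 1
+    ), f"Group '{base_group.name}' has unexpected number of members [{len(result.members)}]!"
+    assert f"{user.name}" in result.members, f"Member '{user.name}' of group '{base_group.name}' not found!"
+
+    result = client.tools.getent.group(nested_group.name)
+    assert result is None, f"Non-POSIX Group '{nested_group.name}' was found with 'getent group'!"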
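Review bot: The docstring's :steps: and :expectedresults: stop at the POSIX group lookup, but the function's last two lines also resolve the non-POSIX group and expect it to be absent; add `2. Lookup the non-POSIX group with getent` under :steps: and `2. Group is not found` under :expectedresults: so the documented contract matches the assertions. On the member check, `f"{user.name}" in result.members` wraps a plain string in an f-string for no effect; `assert user.name in result.members, ...` reads cleaner. The added function ends inside the hunk, so nothing is cut off.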
