sdap: do not require GID for non-POSIX group by sumit-bose · Pull Request #8442 · SSSD/sssd

sumit-bose · 2026-02-10T11:45:25Z

In 85b632d the attribute for the GID was removed from non-POSIX groups. Currently sdap_save_group() still requires the attribute and this patch removes this.

sdap_save_group() is currently only used in the code path handling nested groups. To verify the change a test was added were indirect group-members are coming from a nested non-POSIX group.

Resolves: #8441

gemini-code-assist

Code Review

This pull request addresses an issue where sdap_save_group() incorrectly required a GID for non-POSIX groups. The change wraps the GID retrieval logic within a check for posix_group, ensuring that the GID is only required for POSIX groups. This aligns with the intended behavior of allowing non-POSIX groups without GIDs. A new test case has been added to test_identity.py which effectively validates this fix by checking indirect group membership through a nested non-POSIX group. The changes are correct and the test coverage is good.

justin-stephenson

Thank you for the quick fix!

src/tests/system/tests/test_identity.py

src/providers/ldap/sdap_async_groups.c

alexey-tikhonov · 2026-02-16T10:42:32Z

Note: Covscan is green.

In 85b632d the attribute for the GID was removed from non-POSIX groups. Currently sdap_save_group() still requires the attribute and this patch removes this. sdap_save_group() is currently only used in the code path handling nested groups. To verify the change a test was added were indirect group-members are coming from a nested non-POSIX group. Resolves: SSSD#8441 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com>

sssd-bot · 2026-02-17T08:45:35Z

The pull request was accepted by @alexey-tikhonov with the following PR CI status:

🟢 CodeQL (success)
🟢 osh-diff-scan:fedora-rawhide-x86_64:upstream (success)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-44-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Analyze (target) / cppcheck (success)
🟢 Build / freebsd (success)
🟢 Build / make-distcheck (success)
🟢 ci / intgcheck (centos-10) (success)
🟢 ci / intgcheck (fedora-42) (success)
🟢 ci / intgcheck (fedora-43) (success)
🟢 ci / intgcheck (fedora-44) (success)
🔴 ci / intgcheck (fedora-45) (failure)
🟢 ci / prepare (success)
🟢 ci / system (centos-10) (success)
🟢 ci / system (fedora-42) (success)
🟢 ci / system (fedora-43) (success)
🔴 ci / system (fedora-44) (failure)
🔴 ci / system (fedora-45) (failure)
➖ Coverity scan / coverity (skipped)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.

gemini-code-assist bot reviewed Feb 10, 2026

View reviewed changes

alexey-tikhonov added backport-to-sssd-2-9 backport-to-sssd-2-12 Bugzilla labels Feb 10, 2026

alexey-tikhonov requested a review from justin-stephenson February 10, 2026 11:58

alexey-tikhonov self-assigned this Feb 10, 2026

alexey-tikhonov self-requested a review February 10, 2026 11:59

justin-stephenson approved these changes Feb 10, 2026

View reviewed changes

justin-stephenson self-assigned this Feb 10, 2026

ondrejv2 mentioned this pull request Feb 12, 2026

Generalize combined user and group lookup #8127

Open