diff --git a/0001-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch b/0001-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch
new file mode 100644
index 0000000..fcc2405
--- /dev/null
+++ b/0001-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch
@@ -0,0 +1,83 @@
+From 4f9fb5fd301d635ad54bf6d0ef93d6811445c7f9 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero
+Date: Wed, 22 May 2024 13:31:06 +0200
+Subject: [PATCH] SYSDB: Use SYSDB_NAME from cached entry when updating users
+ and groups
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The sysdb_store_user() and sysdb_store_group() functinos search for the
+entry by name to check if it is already cached. This search considers
+SYSDB_ALIAS, added when the domain is case insensitive. If a matching
+entry is found use its SYSDB_NAME instead of the passed name.
+
+It may happen the group is stored in uppercase, but later some server
+returns a memberOf attribute in lowercase. When updating the group to
+add the memberships the first search will find the entry, but the modify
+operation will fail as the group name in the built DN will differ in case.
+
+Signed-off-by: Samuel Cabrero
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Pavel Březina
+(cherry picked from commit d2b734b926e1f23370c9cabd8ba6f07bf6b29a86)
+
+Reviewed-by: Justin Stephenson
+---
+ src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index 76f4580aa..32e49d759 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -2615,6 +2615,22 @@ int sysdb_store_user(struct sss_domain_info *domain,
+ }
+ } else {
+ /* the user exists, let's just replace attributes when set */
++ /*
++ * The sysdb_search_user_by_name() function also matches lowercased
++ * aliases, saved when the domain is case-insensitive. This means that
++ * the stored entry name can differ in capitalization from the search
++ * name. Use the cached entry name to perform the modification because
++ * if name capitalization in entry's DN differs the modify operation
++ * will fail.
++ */
++ const char *entry_name =
++ ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
++ if (entry_name != NULL) {
++ name = entry_name;
++ } else {
++ DEBUG(SSSDBG_MINOR_FAILURE, "User '%s' without a name?\n", name);
++ }
++
+ ret = sysdb_store_user_attrs(domain, name, uid, gid, gecos, homedir,
+ shell, orig_dn, attrs, remove_attrs,
+ cache_timeout, now);
+@@ -2849,6 +2865,22 @@ int sysdb_store_group(struct sss_domain_info *domain,
+ ret = sysdb_store_new_group(domain, name, gid, attrs,
+ cache_timeout, now);
+ } else {
++ /*
++ * The sysdb_search_group_by_name() function also matches lowercased
++ * aliases, saved when the domain is case-insensitive. This means that
++ * the stored entry name can differ in capitalization from the search
++ * name. Use the cached entry name to perform the modification because
++ * if name capitalization in entry's DN differs the modify operation
++ * will fail.
++ */
++ const char *entry_name =
++ ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
++ if (entry_name != NULL) {
++ name = entry_name;
++ } else {
++ DEBUG(SSSDBG_MINOR_FAILURE, "Group '%s' without a name?\n", name);
++ }
++
+ ret = sysdb_store_group_attrs(domain, name, gid, attrs,
+ cache_timeout, now);
+ }
+--
+2.47.0
+
diff --git a/sssd.spec b/sssd.spec
index 036ff4f..8a17448 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -27,14 +27,14 @@ Name: sssd
 Version: 2.9.6
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
 ### Patches ###
-# Patch0001:
+Patch0001: 0001-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch
 ### Dependencies ###
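Review bot: After `name = entry_name;` the parameter `name` aliases a string owned by the search result `msg` for the rest of sysdb_store_user() and sysdb_store_group(), and neither hunk shows where `msg` is released, so confirm it outlives sysdb_store_user_attrs()/sysdb_store_group_attrs() and every later use of `name` (a log line on the error path, for instance); if the search result is freed earlier, `name` dangles. Both functions start and end outside the hunks. The sixteen added lines, comment included, are duplicated verbatim in the two functions; a small static helper that returns the cached SYSDB_NAME or falls back to the caller's name keeps the two sites in sync, reducing each branch to `name = sysdb_cached_entry_name(msg, name, "User");` and `name = sysdb_cached_entry_name(msg, name, "Group");`. The fallback keeps the modify attempt going with the original `name` when the entry carries no SYSDB_NAME, which the minor-failure log makes visible but does not change, so the comment on the helper should say so.
```c
/* Return the SYSDB_NAME stored on the cached entry, which can differ in
 * case from the name the caller searched with on a case-insensitive
 * domain; fall back to the caller's name when the entry has no
 * SYSDB_NAME (the later modify may then fail on a case mismatch, as
 * before). The returned pointer is either owned by msg or is name. */
static const char *sysdb_cached_entry_name(const struct ldb_message *msg,
                                           const char *name,
                                           const char *kind)
{
    const char *entry_name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);

    if (entry_name == NULL) {
        DEBUG(SSSDBG_MINOR_FAILURE, "%s '%s' without a name?\n", kind, name);
        return name;
    }

    return entry_name;
}

/* … unchanged: sysdb_store_user() up to the else branch … */
        name = sysdb_cached_entry_name(msg, name, "User");
```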
@@ -1084,6 +1084,9 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
+* Tue Jan 14 2025 Alexey Tikhonov - 2.9.6-2
+- Resolves: RHEL-73400 - Use the DN from existing entry when updating a cached group [rhel-9]
+
 * Thu Dec 5 2024 Alexey Tikhonov - 2.9.6-1
 - Resolves: RHEL-70189 - Rebase SSSD for RHEL 9.6
 - Resolves: RHEL-67670 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-9]