List: sssd-users
Subject: [SSSD-users] Re: sssd: AD range retrieval fails when enumeration is enabled
From: R Davies <rhodfoss () gmail ! com>
Date: 2020-09-08 8:28:40
Message-ID: CAGyFBRpe-2w4+AJKxEUgYHGxZBfnyg9EBi8_i+osVVdFEcKRAw () mail ! gmail ! com
Thanks.
I've raised https://github.com/SSSD/sssd/issues/5310.
> 1. group lookups are inaccurate for groups with > 1500 members. Once that
> condition hits, is it inaccurate for all memberships of all groups, or only
> the specific groups with > 1500 members?
>
It only applies to groups with > 1500 (AD's MaxValRange) member attributes.
> 2. Are you using tokengroups? Or does this happen whether or not you use
> tokengroups?
>
ldap_use_tokengroups is enabled by default for AD. I think I disabled
tokengroups in one round of testing, but it either made no difference, or
broke behaviour in some other way.
On Tue, 8 Sep 2020 at 07:10, Sumit Bose <sbose@redhat.com> wrote:
> On Mon, Sep 07, 2020 at 05:57:13PM +0100, R Davies wrote:
> >Hi,
> >
> >When enumeration is enabled (required due to legacy application), and where
> >a group has > 1500 members, and AD's MaxValRange is at the default 1500,
> >then sssd fails to show more than 1500 group members. Group lookups are no
> >longer accurate.
> >
> >A further interesting aspect is that if the sssd cache is expired (sssctl
> >cache-expiry -E), then the correct group membership is shown until such
> >time as enumeration is processed again (i.e. at most
> >ldap_enumeration_refresh_timeout + memcache_timeout)
> >
> >src/providers/ldap/sdap.c's sdap_parse_entry() states:
> >
> >> /* This attribute contained range values and needs more to
> >> * be retrieved
> >> */
> >> /* TODO: return the set of attributes that need additional retrieval
> >> * For now, we'll continue below and treat it as regular values.
> >> */
> >
> >
> >As enumeration is enabled the subsequent ASQ/deref work is never
> >undertaken. As such sssd only ever processes the initial range retrieved
> >members (0-1499) (NB that nested groups members are evaluated).
>
> Hi,
>
> there is a fair chance that the range handling is missing in a code-path
> used by enumeration. Please open a ticket at
> https://github.com/SSSD/sssd/issues/new for further investigations.
>
> bye,
> Sumit
>
> >
> >We have looked at the relevant source code, but can't find a way to trigger
> >Attribute Scope Queries (ASQ)/deref. Indeed, no manner of sssd
> >configuration settings (other than disabling enumeration - which we sadly
> >cannot do) appears to change this behaviour. Increasing MaxValRange on AD
> >defeats the purpose of having MaxValRange.
> >
> >Has anyone run into this before? Or, should I raise a new issue?
> >
> >Many Thanks.
> >
> >R.
>
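The thread turns on how Active Directory answers a request for a multi-valued attribute that exceeds MaxValRange: the DC returns the attribute under the name `member;range=0-1499` and expects the client to ask again for `member;range=1500-*`, repeating until the returned name ends in `-*`. The added example below (not code from the thread or from SSSD) simulates both sides of that exchange so the two outcomes can be compared: a client that follows the range chain, and a client that, like the enumeration code-path described in the `sdap_parse_entry()` comment quoted above, treats the first chunk as the whole value. The DC mock, the member DNs and the group sizes are constructed for the example; the `member;range=lo-hi` naming follows the LDAP attribute range option AD documents in MS-ADTS.

```python
import re

MAX_VAL_RANGE = 1500  # AD default, as discussed in the thread

# Matches an attribute description carrying a range option, e.g. "member;range=1500-*"
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$")


def parse_range_option(attr_name):
    """Return (base_attr, lo, hi). hi is None for the final '*' chunk; lo and hi
    are both None when the attribute came back without a range option."""
    m = RANGE_RE.match(attr_name)
    if not m:
        return attr_name, None, None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr"), int(m.group("lo")), hi


def make_mock_dc(all_members, max_val_range=MAX_VAL_RANGE):
    """Constructed stand-in for a domain controller. The returned callable takes a
    requested attribute description and answers the way AD does for 'member':
    a plain attribute when it fits, otherwise a MaxValRange-sized slice named
    'member;range=lo-hi', with 'lo-*' marking the last slice."""
    total = len(all_members)

    def search(requested_attr):
        base, lo, hi_req = parse_range_option(requested_attr)
        if base != "member":
            raise ValueError(f"mock only serves 'member', got {base!r}")
        if lo is None:
            if total <= max_val_range:
                return {"member": list(all_members)}  # small group: no range option
            lo = 0
        if lo >= total:
            raise ValueError(f"range start {lo} beyond {total} values")
        hi = lo + max_val_range - 1
        if hi_req is not None:
            hi = min(hi, hi_req)
        if hi >= total - 1:  # last slice: AD names it lo-* regardless of what was asked
            return {f"member;range={lo}-*": list(all_members[lo:])}
        return {f"member;range={lo}-{hi}": list(all_members[lo:hi + 1])}

    return search


def fetch_all_members(search, attr="member"):
    """Follow the range chain until the DC returns the '*' terminated slice.
    This is the retrieval the TODO comment in sdap_parse_entry() leaves undone."""
    members = []
    requested = attr
    while True:
        ((name, values),) = search(requested).items()
        base, lo, hi = parse_range_option(name)
        members.extend(values)
        if lo is None or hi is None:  # plain attribute, or final chunk
            return members
        requested = f"{base};range={hi + 1}-*"


def first_chunk_only(search, attr="member"):
    """Model of the truncating behaviour reported in the thread: take the first
    answer as the complete value, whatever its range option says."""
    ((name, values),) = search(attr).items()
    return values


def is_truncated(attr_name):
    """Health-check helper: a returned attribute name with a numeric upper bound
    means more values exist than were delivered."""
    _, lo, hi = parse_range_option(attr_name)
    return lo is not None and hi is not None


if __name__ == "__main__":
    big = [f"CN=user{i},OU=People,DC=example,DC=test" for i in range(3700)]  # constructed
    dc = make_mock_dc(big)
    print(len(fetch_all_members(dc)), "members via range retrieval")
    print(len(first_chunk_only(dc)), "members when the first chunk is taken as complete")
```

Run against a group of 3,700 constructed members, the range-following client collects all 3,700 in three round trips (0-1499, 1500-2999, 3000-*), while the first-chunk client stops at 1,500, which is the cap the thread describes. `is_truncated()` is the check an operator can apply to raw `ldapsearch` output for a large group: a `member;range=0-1499` attribute name in the answer means the directory is paging and any consumer that does not continue the chain will under-report membership.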
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org