ldap: make sure realm is set #7690

sumit-bose · 2024-11-11T17:42:48Z

No description provided.

alexey-tikhonov · 2024-11-11T18:50:55Z

https://issues.redhat.com/browse/RHEL-65848

alexey-tikhonov · 2024-11-12T11:06:58Z

@sumit-bose, I think this can be moved out of draft?

src/providers/ldap/sdap_async_users.c

In general the canonical principal will be only set in the cache after a successful authentication because in general it is not know what the canonical principal might be. For Active Directory it is known that the canonical principal is build with the sAMAccountName attribute and the Kerberos realm which is used in the patch "AD: Construct UPN from the sAMAccountName" (7a27e53). If 'id_provider = ldap' is used to access Active Directory the realm might not be set in the internal domain data and as a result a wrong principal might be created. This patch makes sure the realm is set before creating the canonical principal.

src/tests/system/tests/test_authentication.py

With AD/Samba check the authentication of user by replacing id_provider = ldap Signed-off-by: Madhuri Upadhye <[email protected]>

danlavu

Test looks good, thank you Sumit.

sumit-bose · 2024-11-29T08:43:33Z

Test looks good, thank you Sumit.

Hi,

please note, tests were written by Madhuri.

bye,
Sumit

sumit-bose marked this pull request as draft November 11, 2024 17:43

alexey-tikhonov added branch: sssd-2-10 Bugzilla labels Nov 11, 2024

alexey-tikhonov reviewed Nov 12, 2024

View reviewed changes

src/providers/ldap/sdap_async_users.c Show resolved Hide resolved

alexey-tikhonov self-assigned this Nov 12, 2024

madhuriupadhye force-pushed the ldap_realm_fix branch 2 times, most recently from ec5f63f to 444db02 Compare November 15, 2024 15:20

sumit-bose force-pushed the ldap_realm_fix branch from 444db02 to bc93bf8 Compare November 18, 2024 10:50

sumit-bose marked this pull request as ready for review November 18, 2024 10:50

andreboscatto assigned jakub-vavra-cz Nov 19, 2024

andreboscatto requested review from jakub-vavra-cz and danlavu November 19, 2024 13:37

andreboscatto assigned danlavu Nov 19, 2024

danlavu requested changes Nov 19, 2024

View reviewed changes

Test: Add the test when we replace id_provider

aa55a38

With AD/Samba check the authentication of user by replacing id_provider = ldap Signed-off-by: Madhuri Upadhye <[email protected]>

madhuriupadhye force-pushed the ldap_realm_fix branch from bc93bf8 to aa55a38 Compare November 28, 2024 09:36

madhuriupadhye requested a review from danlavu November 28, 2024 09:40

danlavu approved these changes Nov 28, 2024

View reviewed changes

alexey-tikhonov approved these changes Nov 28, 2024

View reviewed changes

alexey-tikhonov added the Waiting for review label Nov 28, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ldap: make sure realm is set #7690

ldap: make sure realm is set #7690

sumit-bose commented Nov 11, 2024

alexey-tikhonov commented Nov 11, 2024

alexey-tikhonov commented Nov 12, 2024

danlavu left a comment

sumit-bose commented Nov 29, 2024

ldap: make sure realm is set #7690

Are you sure you want to change the base?

ldap: make sure realm is set #7690

Conversation

sumit-bose commented Nov 11, 2024

alexey-tikhonov commented Nov 11, 2024

alexey-tikhonov commented Nov 12, 2024

danlavu left a comment

Choose a reason for hiding this comment

sumit-bose commented Nov 29, 2024