Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow ignoring the ppolicy extension #6904

Closed
wants to merge 1 commit into from
Closed

Allow ignoring the ppolicy extension #6904

wants to merge 1 commit into from

Conversation

viraptor
Copy link
Contributor

Introduce ldap_use_ppolicy and allow disabling it to interact with providers that send broken ppolicy responses.
This fixes interaction with the Okta LDAP gateway.

@viraptor viraptor mentioned this pull request Aug 26, 2023
Closed
@viraptor viraptor force-pushed the viraptor/ppolicy-option branch from 6d393c2 to 343c768 Compare August 26, 2023 05:27
@alexey-tikhonov alexey-tikhonov added the no-backport This should go to target branch only. label Aug 27, 2023
@alexey-tikhonov
Copy link
Member 

FAIL: ipa_ldap_opt-tests
========================

Running suite(s): ipa_ldap_opt
[sssd] [sdap_extend_map] (0x0010): Attribute name (foo in LDAP) is already used by SSSD, please choose a different cache name
[sssd] [sdap_extend_map] (0x0010): Attribute uniqueID (bar in LDAP) is already used by SSSD, please choose a different cache name
84%: Checks: 13, Failures: 2, Errors: 0
src/tests/ipa_ldap_opt-tests.c:97:F:ipa_ldap_opt:test_compare_opts:0: [Numerical result out of range]
src/tests/ipa_ldap_opt-tests.c:179:F:ipa_ldap_opt:test_dp_opt_sentinel:0: Unexpected non-NULL for def_val.string in dp_option
FAIL ipa_ldap_opt-tests (exit status: 1)

FAIL: ad_ldap_opt-tests
=======================

Running suite(s): ad_ldap_opt
50%: Checks: 2, Failures: 1, Errors: 0
src/tests/ad_ldap_opt-tests.c:44:F:ad_ldap_opt:test_compare_opts:0: [Numerical result out of range]
FAIL ad_ldap_opt-tests (exit status: 1)

@viraptor
Copy link
Contributor Author

How do I run those tests @alexey-tikhonov ? With make check, I get some unrelated failures, but also no ipa_ldap_opt-tests in the test-suite.log

@viraptor
Copy link
Contributor Author

The covscan step fails with: "Error: Process completed with exit code 247." - there's no logs uploaded or details, so I'm not sure if that's an internal CI failure, or something I should address.

@viraptor
Copy link
Contributor Author

I'm going to disagree with codefactor here :) That one function is pretty simple. Let me know if you really want to redesign it for this change.

@viraptor viraptor marked this pull request as ready for review September 28, 2023 23:22
@andreboscatto andreboscatto requested a review from thalman October 3, 2023 12:41
@andreboscatto andreboscatto requested a review from pbrezina October 3, 2023 12:42
@pbrezina
Copy link
Member

Code looks good but there are more places where LDAP_CONTROL_PASSWORDPOLICYREQUEST is used. Also, can you squash the commits together, please?

We will also need to add some metadata, namely:

@viraptor
Copy link
Contributor Author

viraptor commented Nov 16, 2023
edited
Loading

I looked at the other sites using LDAP_CONTROL_PASSWORDPOLICYREQUEST. Password change needs fixing, another is in the response so can be ignored (since ppolicy was not requested in the first place), but the final in rebind I'm not sure what to do about.

It looks like the only way to properly implement it would be to push the use_ppolicy variable into the connection state. Or would it be enough to say that referrals=1 and use_ppolicy=0 are incompatible and fail at startup? Am I missing some other approach?

@viraptor viraptor force-pushed the viraptor/ppolicy-option branch 3 times, most recently from 41cf86d to 1f4ab74 Compare November 16, 2023 10:48
pbrezina
pbrezina requested changes Dec 4, 2023
View reviewed changes
Copy link
Member

@pbrezina pbrezina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, I just found some indentation requests.

Can you also modify this test and add parametrization to test use_ppolicy = false|true?

src/providers/ldap/sdap_async_connection.c Outdated Show resolved Hide resolved
src/providers/ldap/sdap_async_connection.c Outdated Show resolved Hide resolved
src/providers/ipa/ipa_auth.c Outdated Show resolved Hide resolved
src/providers/ldap/sdap_async.c Outdated Show resolved Hide resolved
src/providers/ldap/sdap_async_connection.c Outdated Show resolved Hide resolved
@pbrezina
Copy link
Member

pbrezina commented Dec 4, 2023
edited
Loading

I looked at the other sites using LDAP_CONTROL_PASSWORDPOLICYREQUEST. Password change needs fixing, another is in the response so can be ignored (since ppolicy was not requested in the first place), but the final in rebind I'm not sure what to do about.

It looks like the only way to properly implement it would be to push the use_ppolicy variable into the connection state. Or would it be enough to say that referrals=1 and use_ppolicy=0 are incompatible and fail at startup? Am I missing some other approach?

Adding it to state sounds like a good approach. Correct me if I'm wrong, but you already did this in the latest version of your patch, right?

@viraptor
Copy link
Contributor Author

viraptor commented Dec 5, 2023

you already did this in the latest version of your patch, right?

Yup, turned out much less of an issue than I expected (doesn't need to be passed between request/response)

thalman
thalman requested changes Dec 5, 2023
View reviewed changes
Copy link
Contributor

@thalman thalman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The patch looks good. Please fix the indentation as Pavel already pointed out, so we can merge it.

It would be also nice if you also rebase to the current mater so we can see latest tests on this PR - but this is not strictly needed.

@viraptor viraptor force-pushed the viraptor/ppolicy-option branch 3 times, most recently from aa6d6c6 to b6af61e Compare December 7, 2023 23:32
thalman
thalman approved these changes Dec 8, 2023
View reviewed changes
Copy link
Contributor

@thalman thalman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for the effort

@alexey-tikhonov
Copy link
Member 

_____________________ ERROR collecting tests/test_ldap.py ______________________
In test_ldap__change_password: function uses no argument 'ldap_use_ppolicy'

@viraptor @pbrezina
LDAP: Allow ignoring the ppolicy extension
54a158c 
Introduce `ldap_use_ppolicy` and allow disabling it to interact with
providers that send broken ppolicy responses.
This fixes interaction with the Okta LDAP gateway.

Resolves: SSSD#6666

:config: Add a ldap_use_ppolicy option for backends with broken ppolicy
  extension handling.
@pbrezina pbrezina force-pushed the viraptor/ppolicy-option branch from b6af61e to 54a158c Compare December 8, 2023 11:25
@pbrezina
Copy link
Member

pbrezina commented Dec 8, 2023 

_____________________ ERROR collecting tests/test_ldap.py ______________________
In test_ldap__change_password: function uses no argument 'ldap_use_ppolicy'

I took the liberty and fixed this, I also added this argument to other relevant test cases. Let's wait for PR CI.

@alexey-tikhonov
Copy link
Member

Pushed PR: #6904

  • master
    • 1980e2c - LDAP: Allow ignoring the ppolicy extension

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thalman thalman thalman approved these changes

@pbrezina pbrezina pbrezina approved these changes

Assignees

@thalman thalman

@pbrezina pbrezina

Labels
no-backport This should go to target branch only. Pushed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@viraptor @alexey-tikhonov @pbrezina @thalman @andreboscatto