Bug
Resolution: Unresolved
Description of problem:
This is a bug that is well known from the support side and that can be seen multiple times in customer environments. When syncing groups from LDAP, usersQuery.baseDN or groupsQuery.baseDN is case sensitive when, in fact, LDAP should not be.

If we specify in the sync config file:

    usersQuery:
      baseDN: "cn=users,cn=accounts,DC=DEMO1,DC=FREEIPA,DC=ORG"

we can have an error of this sort:

    I0704 15:38:22.006947 27224 ldapinterface.go:99] membership lookup for user "cn=ipausers,cn=groups,cn=accounts,dc=demo1,dc=freeipa,dc=org" in group "uid=tlastnae,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org" skipped because of "search for entry with dn=\"uid=tlastnae,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org\" would search outside of the base dn specified (dn=\"cn=users,cn=accounts,DC=DEMO1,DC=FREEIPA,DC=ORG\")"

It's clear that the base DN specified and the user DN suffix match.

The code we need to change is here: https://github.com/openshift/oc/blob/master/vendor/github.com/openshift/library-go/pkg/security/ldapquery/query.go#L115-L116

Before comparing these two DNs:

    if !baseDN.AncestorOf(dn) && !baseDN.Equal(dn) {
        return nil, NewQueryOutOfBoundsError(attributeValue, o.BaseDN)
    }

we need to normalize them.
Version-Release number of selected component (if applicable):
4.15
How reproducible:
always
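Added example, not part of the original report and not the library-go code: a standard-library Go sketch of a base DN bounds check that normalizes case before comparing, while still comparing whole RDNs so the boundary is not loosened. The names normalizeDN and withinBase are hypothetical, and it assumes simple DNs (no escaped commas, no multi-valued RDNs) whose attributes use case-insensitive matching, as cn, dc and uid do.

```go
package main

import (
	"fmt"
	"strings"
)

// normalizeDN splits a DN into RDNs and lower-cases and trims the attribute
// type and value of each one. Assumption: RDNs are separated by plain commas;
// escaped commas, "+" multi-valued RDNs and hex-encoded values are not handled.
func normalizeDN(dn string) []string {
	parts := strings.Split(dn, ",")
	for i, p := range parts {
		attr, val, _ := strings.Cut(p, "=")
		parts[i] = strings.ToLower(strings.TrimSpace(attr)) + "=" +
			strings.ToLower(strings.TrimSpace(val))
	}
	return parts
}

// withinBase reports whether dn equals baseDN or lies beneath it.
// It compares whole RDNs from the right, so an RDN that merely ends with the
// base's first RDN (for example "xcn=users") is still rejected, which a plain
// case-insensitive string-suffix test would wrongly accept.
func withinBase(baseDN, dn string) bool {
	base, entry := normalizeDN(baseDN), normalizeDN(dn)
	if len(entry) < len(base) {
		return false
	}
	offset := len(entry) - len(base)
	for i := range base {
		if base[i] != entry[offset+i] {
			return false
		}
	}
	return true
}

func main() {
	// Base DN and entry DNs taken from the log message in the report.
	base := "cn=users,cn=accounts,DC=DEMO1,DC=FREEIPA,DC=ORG"
	for _, dn := range []string{
		"uid=tlastnae,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org",
		"cn=ipausers,cn=groups,cn=accounts,dc=demo1,dc=freeipa,dc=org",
	} {
		fmt.Printf("%-62s within base: %v\n", dn, withinBase(base, dn))
	}
}
```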