Skip to content

ipa s2n: do not try to update user-private-group #8002

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
sumit-bose wants to merge 1 commit into
base: master
Choose a base branch
from
Open

ipa s2n: do not try to update user-private-group #8002

sumit-bose wants to merge 1 commit into from
+28 −2

Conversation

@sumit-bose
Copy link
Contributor

@sumit-bose sumit-bose commented Jun 17, 2025

When an IPA client requests the details about a trusted user from the
IPA server including its memberships the server will return the name of
all groups including the user-private-group. Since this group is not a
cached object on its own it is not needed to try to update it as a group
but it will be updated when the user object is updated.

This has to be taken into account especially after a client is assigned
to a new id-view because now the SYSDB_OVERRIDE_DN attribute is required
and all cached objects which are missing it must be updated. If the
user-private-group was found for update it should be skipped because the
calls to update group objects in the cache cannot handle
user-private-groups. This is expected behavior as user-private-groups
are not objects on their own.

@sumit-bose sumit-bose marked this pull request as draft June 17, 2025 13:44
@alexey-tikhonov
Copy link
Member

alexey-tikhonov commented Jun 17, 2025

Is this related to https://issues.redhat.com/browse/RHEL-94545 ?

@pbrezina pbrezina force-pushed the master branch 2 times, most recently from f5d64b3 to b854636 Compare November 4, 2025 14:27
@sumit-bose
ipa s2n: do not try to update user-private-group
2c72fc0 
When an IPA client requests the details about a trusted user from the
IPA server including its memberships the server will return the name of
all groups including the user-private-group. Since this group is not a
cached object on its own it is not needed to try to update it as a group
but it will be updated when the user object is updated.

This has to be taken into account especially after a client is assigned
to a new id-view because now the SYSDB_OVERRIDE_DN attribute is required
and all cached objects which are missing it must be updated. If the
user-private-group was found for update it should be skipped because the
calls to update group objects in the cache cannot handle
user-private-groups. This is expected behavior as user-private-groups
are not objects on their own.
@sumit-bose sumit-bose force-pushed the mpg_after_view_change branch from 88f9155 to 2c72fc0 Compare December 22, 2025 18:33
@sumit-bose sumit-bose marked this pull request as ready for review December 22, 2025 18:33
@alexey-tikhonov
Copy link
Member

alexey-tikhonov commented Dec 23, 2025

@sumit-bose, is there a related ticket?
I guess this needs a backport to sssd-2-9 as well?

@sumit-bose
Copy link
Contributor Author

sumit-bose commented Dec 23, 2025

@sumit-bose, is there a related ticket? I guess this needs a backport to sssd-2-9 as well?

Yes, this issue is present in sssd-2-9.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

backport-to-sssd-2-9

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sumit-bose @alexey-tikhonov