From de3b178ada423c10c8f14194a64c299ad96e7bf1 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>

Date: Thu, 26 Oct 2017 18:38:42 +0200

Subject: [PATCH 46/46] SYSDB: Better debugging for email conflicts

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Add DEBUG message when conflicts in FQ names or emails

are detected.

Also improve man page to hint on how to work around issue

with conflicting emails.

Note: We store emails in two different attributes in sysdb:

- SYSDB_USER_EMAIL

- SYSDB_NAME_ALIAS - this one is lowercased and used in getpwnam

                     searches.

Resolves:

https://fedorahosted.org/sssd/ticket/3293

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

(cherry picked from commit 39d6a3be119b050b0690152b6b443117c8617b1c)

---

 src/db/sysdb_ops.c      |  4 +++-

 src/db/sysdb_search.c   | 15 +++++++++++++++

 src/man/sssd-ldap.5.xml |  9 +++++++++

 3 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c

index 635c7db51f516e2217c93016409499e49289004c..1539c41c93e7d6ebd1e544abbb1707df5578cd72 100644

--- a/src/db/sysdb_ops.c

+++ b/src/db/sysdb_ops.c

@@ -640,7 +640,9 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,

         goto done;

     } else if (res->count > 1) {

         DEBUG(SSSDBG_OP_FAILURE,

-              "Search for upn [%s] returns more than one result.\n", upn);

+              "Search for upn [%s] returns more than one result. One of the "

+              "possible reasons can be that several users share the same "

+              "email address.\n", upn);

         ret = EINVAL;

         goto done;

     }

diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c

index f488442afcc6eef114437a7110722759f86fe19e..8083966900429b268a3b984f1cad3d47d1099198 100644

--- a/src/db/sysdb_search.c

+++ b/src/db/sysdb_search.c

@@ -218,6 +218,21 @@ int sysdb_getpwnam(TALLOC_CTX *mem_ctx,

         goto done;

     }

+    if (res->count > 1) {

+        /* We expected either 0 or 1 result for search with

+         * SYSDB_PWNAM_FILTER, but we got more. This error

+         * is handled individually depending on what function

+         * called sysdb_getpwnam, so we just print a message

+         * here and let the caller decide what error code to

+         * propagate based on res->count > 1. */

+        DEBUG(SSSDBG_CRIT_FAILURE,

+              "Search for [%s] returned multiple results. It can be an email "

+              "address shared among multiple users or an email address of a "

+              "user that conflicts with another user's fully qualified name. "

+              "SSSD will not be able to handle those users properly.\n",

+              sanitized_name);

+    }

+

     /* Merge in the timestamps from the fast ts db */

     ret = sysdb_merge_res_ts_attrs(domain->sysdb, res, attrs);

     if (ret != EOK) {

diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml

index d38bac3607d294c53ea692130a6b93ced9b0ab82..de596f0da62be9eb61b880b6e1d4a0f33689e25a 100644

--- a/src/man/sssd-ldap.5.xml

+++ b/src/man/sssd-ldap.5.xml

@@ -878,6 +878,15 @@

                             address of the user.

                         </para>

                         <para>

+                            Note: If an email address of a user conflicts with

+                            an email address or fully qualified name of another

+                            user, then SSSD will not be able to serve those

+                            users properly. If for some reason several users

+                            need to share the same email address then set

+                            this option to a nonexistent attribute name in

+                            order to disable user lookup/login by email.

+                        </para>

+                        <para>

                             Default: mail

                         </para>

                     </listitem>

-- 

2.13.6