#1387 sssd_ldap fails to properly authenticate to the directory for sudo queries
Closed: Fixed None Opened 11 years ago by simo.

Testing with the latest ipa, which disallows anonymous access to the legacy ou=sudoers subtree, I found out that current sssd is not able to fetch rules, as it does not use an authenticated connection to fetch sudo rules.


DS Access Logs

[21/Jun/2012:10:37:47 -0400] conn=17 fd=70 slot=70 connection from 192.168.122.10 to 192.168.122.10
[21/Jun/2012:10:37:47 -0400] conn=17 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms defaultnamingcontext lastusn highestcommittedusn aci"
[21/Jun/2012:10:37:47 -0400] conn=17 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[21/Jun/2012:10:37:47 -0400] conn=17 op=1 SRCH base="" scope=0 filter="???", Bad search filter
[21/Jun/2012:10:37:47 -0400] conn=17 op=1 RESULT err=12 tag=101 nentries=0 etime=0
[21/Jun/2012:10:37:47 -0400] conn=17 op=2 SRCH base="ou=sudoers,dc=ipa,dc=test" scope=2 filter="(&(objectClass=sudoRole)(|(cn=defaults)(sudoUser=ALL)(sudoUser=admin)(sudoUser=#1083200000)(sudoUser=%admins)(sudoUser=+*)))" attrs="objectClass cn sudoCommand sudoHost sudoUser sudoOption sudoRunAsUser sudoRunAsGroup sudoNotBefore sudoNotAfter sudoOrder"
[21/Jun/2012:10:37:47 -0400] conn=17 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=P

SSSD Logs

(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [be_sudo_handler] (0x0400): Entering be_sudo_handler()
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_sudo_refresh_send] (0x0400): Requested refresh for: admin
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [resolve_srv_send] (0x0400): The status of SRV lookup is neutral
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [resolve_get_domain_send] (0x1000): Host name is: srv.ipa.test
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'srv.ipa.test' in files
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [resolve_get_domain_done] (0x1000): The full FQDN is: srv.ipa.test
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_ldap._tcp.ipa.test'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.ipa.test'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [request_watch_destructor] (0x0400): Deleting request watch
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [resolve_srv_done] (0x0400): Inserted server 'srv.ipa.test:389' for service LDAP
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'LDAP' as 'resolved'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [get_server_status] (0x1000): Status of server 'srv.ipa.test' is 'name not resolved'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'srv.ipa.test' in files
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [set_server_common_status] (0x0100): Marking server 'srv.ipa.test' as 'resolving name'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [set_server_common_status] (0x0100): Marking server 'srv.ipa.test' as 'name resolved'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [be_resolve_server_done] (0x1000): Saving the first resolved server
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [be_resolve_server_done] (0x0200): Found address for server srv.ipa.test: [192.168.122.10] TTL 7200
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldap://srv.ipa.test:389'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://srv.ipa.test:389/??base] with fd [24].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(sssmatchingruletest:1.2.840.113556.1.4.1941:=)][].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sssmatchingruletest]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_done] (0x0400): Search result: Critical extension is unavailable(12), Bad search filter
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Critical extension is unavailable(12), Bad search filter
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_matching_rule_done] (0x0100): LDAP server does not support the matching rule extension
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [get_naming_context] (0x0200): Using value from [defaultNamingContext] as naming context.
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_set_search_base] (0x0100): Setting option [ldap_search_base] to [dc=ipa,dc=test].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][dc=ipa,dc=test][SUBTREE][]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_set_search_base] (0x0100): Setting option [ldap_user_search_base] to [dc=ipa,dc=test].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [common_parse_search_base] (0x0100): Search base added: [USER][dc=ipa,dc=test][SUBTREE][]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_set_search_base] (0x0100): Setting option [ldap_group_search_base] to [dc=ipa,dc=test].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][dc=ipa,dc=test][SUBTREE][]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_set_search_base] (0x0100): Setting option [ldap_netgroup_search_base] to [dc=ipa,dc=test].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][dc=ipa,dc=test][SUBTREE][]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_set_search_base] (0x0100): Setting option [ldap_service_search_base] to [dc=ipa,dc=test].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][dc=ipa,dc=test][SUBTREE][]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_set_search_base] (0x0100): Setting option [ldap_autofs_search_base] to [dc=ipa,dc=test].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][dc=ipa,dc=test][SUBTREE][]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_cli_auth_step] (0x1000): No authentication requested or SASL auth forced off
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'srv.ipa.test' as 'working'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [set_server_common_status] (0x0100): Marking server 'srv.ipa.test' as 'working'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_sudo_connect_done] (0x0400): SUDO LDAP connection successful
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=ipa,dc=test]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(cn=defaults)(sudoUser=ALL)(sudoUser=admin)(sudoUser=#1083200000)(sudoUser=%admins)(sudoUser=+*)))][ou=sudoers,dc=ipa,dc=test].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=sudoers,dc=ipa,dc=test]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_sudo_load_sudoers_done] (0x0400): Received 0 rules
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_sudo_purge_sudoers] (0x0400): Purging SUDOers cache of user's [admin] rules
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sysdb_sudo_purge_byfilter] (0x0400): No rules matched
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sysdb_sudo_purge_bysudouser] (0x0400): No rules matched
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_sudo_load_sudoers_done] (0x0400): Sudoers is successfuly stored in cache
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [be_sudo_handler_reply] (0x0200): SUDO Backend returned: (0, 0, Success)
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [delayed_online_authentication_callback] (0x0200): Backend is online, starting delayed online authentication.
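The directory's access log is the record that settles whether a client's sudo-rule search ran over an authenticated connection: a connection that issues a SRCH against ou=sudoers with no earlier successful, non-anonymous BIND is anonymous, which is exactly what conn=17 above shows (its first operation is the RootDSE search, never a BIND). The script below is an added example, not SSSD or 389-ds code, that performs that check over 389-ds access-log lines. Its sample log is constructed after the excerpt above; the conn=18 GSSAPI bind sequence and the conn=19 anonymous simple bind are assumed illustrations of what those connections look like in the log and are not taken from this ticket.

```python
"""Flag sudo-rule searches that the directory served on an anonymous connection.

Added example, not SSSD or 389-ds code. The sample log is constructed after the
access-log excerpt in this ticket; the conn=18 GSSAPI bind sequence and the
conn=19 anonymous simple bind are assumed illustrations, not from the ticket.
"""
import re

SUDO_BASE = "ou=sudoers"  # subtree whose searches must come from a bound client

# "[timestamp] conn=N <rest>"; <rest> is either an operation or a connection event.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>BIND|RESULT|SRCH|UNBIND)\b(?P<args>.*)$')
# key=value pairs; quoted values may contain spaces, commas and '=' (DNs, filters).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_args(text):
    """Turn 'dn="" method=sasl err=0' into a dict with the quotes stripped."""
    out = {}
    for key, val in KV_RE.findall(text):
        out[key] = val[1:-1] if val.startswith('"') else val
    return out


def find_anonymous_sudo_searches(lines):
    """Return (conn, op, base) for every SRCH under SUDO_BASE issued on a
    connection that had no earlier successful, non-anonymous BIND."""
    bound_as = {}      # conn -> identity the connection authenticated as
    pending_bind = {}  # conn -> (op, dn from the BIND line) awaiting its RESULT
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        conn = m.group("conn")
        op = OP_RE.match(m.group("rest"))
        if not op:
            continue  # "connection from ..." / "closed" events carry no op
        opnum, kind = op.group("op"), op.group("kind")
        args = parse_args(op.group("args"))
        if kind == "BIND":
            pending_bind[conn] = (opnum, args.get("dn", ""))
        elif kind == "RESULT" and pending_bind.get(conn, (None,))[0] == opnum:
            _, bind_dn = pending_bind.pop(conn)
            # A simple bind names its DN on the BIND line; a SASL bind reports the
            # mapped identity as dn= on its final err=0 RESULT. err=14 ("SASL bind
            # in progress") leaves the connection unauthenticated until a later
            # step succeeds, and an empty DN with err=0 is an anonymous bind.
            identity = args.get("dn") or bind_dn
            if args.get("err") == "0" and identity:
                bound_as[conn] = identity
        elif kind == "SRCH":
            base = args.get("base", "")
            if base.lower().startswith(SUDO_BASE) and conn not in bound_as:
                findings.append((conn, opnum, base))
    return findings


# Constructed sample: conn=17 mirrors the ticket (no BIND at all), conn=18 is an
# assumed GSSAPI bind that succeeds, conn=19 is an assumed anonymous simple bind.
SAMPLE_LOG = """\
[21/Jun/2012:10:37:47 -0400] conn=17 fd=70 slot=70 connection from 192.168.122.10 to 192.168.122.10
[21/Jun/2012:10:37:47 -0400] conn=17 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* namingContexts supportedSASLMechanisms"
[21/Jun/2012:10:37:47 -0400] conn=17 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[21/Jun/2012:10:37:47 -0400] conn=17 op=2 SRCH base="ou=sudoers,dc=ipa,dc=test" scope=2 filter="(&(objectClass=sudoRole)(sudoUser=admin))" attrs="cn sudoUser"
[21/Jun/2012:10:37:47 -0400] conn=17 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=P
[21/Jun/2012:10:38:02 -0400] conn=18 fd=71 slot=71 connection from 192.168.122.10 to 192.168.122.10
[21/Jun/2012:10:38:02 -0400] conn=18 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jun/2012:10:38:02 -0400] conn=18 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Jun/2012:10:38:02 -0400] conn=18 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jun/2012:10:38:02 -0400] conn=18 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=client.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test"
[21/Jun/2012:10:38:02 -0400] conn=18 op=2 SRCH base="ou=sudoers,dc=ipa,dc=test" scope=2 filter="(&(objectClass=sudoRole)(sudoUser=admin))" attrs="cn sudoUser"
[21/Jun/2012:10:38:02 -0400] conn=18 op=2 RESULT err=0 tag=101 nentries=3 etime=0
[21/Jun/2012:10:38:10 -0400] conn=19 fd=72 slot=72 connection from 192.168.122.11 to 192.168.122.10
[21/Jun/2012:10:38:10 -0400] conn=19 op=0 BIND dn="" method=128 version=3
[21/Jun/2012:10:38:10 -0400] conn=19 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[21/Jun/2012:10:38:10 -0400] conn=19 op=1 SRCH base="ou=sudoers,dc=ipa,dc=test" scope=2 filter="(objectClass=sudoRole)" attrs="cn"
[21/Jun/2012:10:38:10 -0400] conn=19 op=1 RESULT err=0 tag=101 nentries=0 etime=0
"""

if __name__ == "__main__":
    for conn, opnum, base in find_anonymous_sudo_searches(SAMPLE_LOG.splitlines()):
        print(f"conn={conn} op={opnum}: sudo search on {base} over an anonymous connection")
```

Run against a real access log by feeding the file's lines to find_anonymous_sudo_searches; on the sample it reports conn=17 (no bind) and conn=19 (anonymous bind) and stays silent for conn=18, whose GSSAPI bind completed with a non-empty mapped DN before the search.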


Those aren't the right SSSD logs, simo. You only sent the portion requesting the RootDSE (which should happen anonymously, because we use it to query for the available SASL mechanisms).

Please include logs after this point.

Sorry, I didn't realize my buffer was cut; I edited the original comment to add the missing info.

As an additional info point, I changed ACIs on my server, and if you allow anonymous access, sssd starts working properly.

The problem is that there is currently no IPA provider for sudo. Thus, when you run sudo, it has to initialize a new connection in the LDAP provider. And it returns no rules because the default values for a connection differ from IPA's (anonymous vs. GSSAPI). All you need to do is enable GSSAPI manually in sssd.conf.

Example configuration:

[domain/ipa.example.com]
id_provider = ipa
ipa_server = ipa.example.com
ldap_tls_cacert = /etc/ipa/ca.crt

sudo_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/hostname.ipa.example.com
ldap_sasl_realm = IPA.EXAMPLE.COM
krb5_server = ipa.example.com
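A quick way to audit hosts for the mismatch described above is to parse sssd.conf and flag any domain that uses sudo_provider = ldap without ldap_sasl_mech = GSSAPI. The checker below is an added example, not SSSD's own code; the option names are those from the configuration above, and the two configuration texts it runs against are constructed (the "fixed" one mirrors the example above, the "weak" one omits the SASL and Kerberos options).

```python
"""Lint sssd.conf for an LDAP sudo provider that would bind anonymously.

Added example, not SSSD's own code. The option names are the sssd.conf options
used in the example configuration in this ticket; the two configuration texts
below are constructed.
"""
import configparser

# Options the ticket's example sets alongside ldap_sasl_mech so the LDAP
# provider can complete a Kerberos bind with the host credentials.
GSSAPI_COMPANIONS = ("ldap_sasl_authid", "ldap_sasl_realm", "krb5_server")


def check_sudo_auth(conf_text):
    """Return (section, message) findings for each [domain/...] section whose
    sudo_provider = ldap is not configured to authenticate with GSSAPI."""
    # sssd.conf uses only '=' as the separator; values such as ldap_uri contain ':'.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "sudo_provider", fallback=None) != "ldap":
            continue  # only the generic LDAP sudo provider has the anonymous default
        mech = cp.get(section, "ldap_sasl_mech", fallback=None)
        if mech is None:
            findings.append((section, "sudo_provider = ldap without ldap_sasl_mech: "
                                      "sudo rules are fetched over an anonymous bind"))
            continue
        if mech.upper() != "GSSAPI":
            findings.append((section, f"ldap_sasl_mech = {mech}; the fix in this "
                                      "ticket sets GSSAPI"))
        missing = [o for o in GSSAPI_COMPANIONS if not cp.has_option(section, o)]
        if missing:
            findings.append((section, "GSSAPI enabled but not configured as in the "
                                      "ticket's example; missing: " + ", ".join(missing)))
    return findings


# Constructed: the shape of the reporter's setup, an IPA id provider next to a
# sudo_provider = ldap that inherits the LDAP provider's anonymous default.
WEAK_CONF = """\
[sssd]
domains = ipa.example.com
services = nss, pam, sudo

[domain/ipa.example.com]
id_provider = ipa
ipa_server = ipa.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com
"""

# Constructed after the example configuration in the ticket: GSSAPI enabled explicitly.
FIXED_CONF = WEAK_CONF + """\
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/hostname.ipa.example.com
ldap_sasl_realm = IPA.EXAMPLE.COM
krb5_server = ipa.example.com
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        findings = check_sudo_auth(text)
        print(name + ":", "OK" if not findings else "")
        for section, msg in findings:
            print(f"  [{section}] {msg}")
```

Point check_sudo_auth at the contents of /etc/sssd/sssd.conf to run it on a real host; the weak configuration yields one finding for the domain section and the fixed one yields none.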


This needs to be documented.

component: SSSD => Documentation
milestone: NEEDS_TRIAGE => SSSD 1.9.0

Fields changed

owner: somebody => pbrezina
status: new => assigned

Documented together with #1418 in 8a2a493

resolution: => fixed
status: assigned => closed

Metadata Update from @simo:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.9.0

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2429

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

