Testing with the latest ipa that disallows anonymous access to the legacy ou=sudoers subtree, I found out that current sssd is not able to fetch rules, as it does not use an authenticated connection to fetch sudo rules.
DS Access Logs
{{{
[21/Jun/2012:10:37:47 -0400] conn=17 fd=70 slot=70 connection from 192.168.122.10 to 192.168.122.10
[21/Jun/2012:10:37:47 -0400] conn=17 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms defaultnamingcontext lastusn highestcommittedusn aci"
[21/Jun/2012:10:37:47 -0400] conn=17 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[21/Jun/2012:10:37:47 -0400] conn=17 op=1 SRCH base="" scope=0 filter="???", Bad search filter
[21/Jun/2012:10:37:47 -0400] conn=17 op=1 RESULT err=12 tag=101 nentries=0 etime=0
[21/Jun/2012:10:37:47 -0400] conn=17 op=2 SRCH base="ou=sudoers,dc=ipa,dc=test" scope=2 filter="(&(objectClass=sudoRole)(|(cn=defaults)(sudoUser=ALL)(sudoUser=admin)(sudoUser=#1083200000)(sudoUser=%admins)(sudoUser=+*)))" attrs="objectClass cn sudoCommand sudoHost sudoUser sudoOption sudoRunAsUser sudoRunAsGroup sudoNotBefore sudoNotAfter sudoOrder"
[21/Jun/2012:10:37:47 -0400] conn=17 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=P
}}}
SSSD Logs
{{{
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [be_sudo_handler] (0x0400): Entering be_sudo_handler()
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_sudo_refresh_send] (0x0400): Requested refresh for: admin
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [resolve_srv_send] (0x0400): The status of SRV lookup is neutral
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [resolve_get_domain_send] (0x1000): Host name is: srv.ipa.test
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'srv.ipa.test' in files
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [resolve_get_domain_done] (0x1000): The full FQDN is: srv.ipa.test
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_ldap._tcp.ipa.test'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.ipa.test'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [request_watch_destructor] (0x0400): Deleting request watch
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [resolve_srv_done] (0x0400): Inserted server 'srv.ipa.test:389' for service LDAP
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'LDAP' as 'resolved'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [get_server_status] (0x1000): Status of server 'srv.ipa.test' is 'name not resolved'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'srv.ipa.test' in files
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [set_server_common_status] (0x0100): Marking server 'srv.ipa.test' as 'resolving name'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [set_server_common_status] (0x0100): Marking server 'srv.ipa.test' as 'name resolved'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [be_resolve_server_done] (0x1000): Saving the first resolved server
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [be_resolve_server_done] (0x0200): Found address for server srv.ipa.test: [192.168.122.10] TTL 7200
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldap://srv.ipa.test:389'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://srv.ipa.test:389/??base] with fd [24].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(sssmatchingruletest:1.2.840.113556.1.4.1941:=)][].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sssmatchingruletest]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_done] (0x0400): Search result: Critical extension is unavailable(12), Bad search filter
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Critical extension is unavailable(12), Bad search filter
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_matching_rule_done] (0x0100): LDAP server does not support the matching rule extension
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [get_naming_context] (0x0200): Using value from [defaultNamingContext] as naming context.
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_set_search_base] (0x0100): Setting option [ldap_search_base] to [dc=ipa,dc=test].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][dc=ipa,dc=test][SUBTREE][]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_set_search_base] (0x0100): Setting option [ldap_user_search_base] to [dc=ipa,dc=test].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [common_parse_search_base] (0x0100): Search base added: [USER][dc=ipa,dc=test][SUBTREE][]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_set_search_base] (0x0100): Setting option [ldap_group_search_base] to [dc=ipa,dc=test].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][dc=ipa,dc=test][SUBTREE][]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_set_search_base] (0x0100): Setting option [ldap_netgroup_search_base] to [dc=ipa,dc=test].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][dc=ipa,dc=test][SUBTREE][]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_set_search_base] (0x0100): Setting option [ldap_service_search_base] to [dc=ipa,dc=test].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][dc=ipa,dc=test][SUBTREE][]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_set_search_base] (0x0100): Setting option [ldap_autofs_search_base] to [dc=ipa,dc=test].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][dc=ipa,dc=test][SUBTREE][]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_cli_auth_step] (0x1000): No authentication requested or SASL auth forced off
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'srv.ipa.test' as 'working'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [set_server_common_status] (0x0100): Marking server 'srv.ipa.test' as 'working'
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_sudo_connect_done] (0x0400): SUDO LDAP connection successful
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=ipa,dc=test]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(cn=defaults)(sudoUser=ALL)(sudoUser=admin)(sudoUser=#1083200000)(sudoUser=%admins)(sudoUser=+*)))][ou=sudoers,dc=ipa,dc=test].
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=sudoers,dc=ipa,dc=test]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_sudo_load_sudoers_done] (0x0400): Received 0 rules
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_sudo_purge_sudoers] (0x0400): Purging SUDOers cache of user's [admin] rules
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sysdb_sudo_purge_byfilter] (0x0400): No rules matched
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sysdb_sudo_purge_bysudouser] (0x0400): No rules matched
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_sudo_load_sudoers_done] (0x0400): Sudoers is successfuly stored in cache
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [be_sudo_handler_reply] (0x0200): SUDO Backend returned: (0, 0, Success)
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [delayed_online_authentication_callback] (0x0200): Backend is online, starting delayed online authentication.
}}}
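As an added example (not part of the ticket), a detection check over 389-ds access-log lines shaped like the DS log above: it flags searches of the sudoers subtree issued on a connection that never completed a non-anonymous BIND, which is exactly what conn=17 shows. The sample lines are constructed; conn=18 is a hypothetical client bound via SASL/GSSAPI shown for contrast, with the multi-step SASL exchange collapsed to one BIND/RESULT pair.

```python
"""Flag LDAP searches of the sudoers subtree made over connections that never
completed a non-anonymous BIND, using 389-ds/IPA access-log lines."""
import re
from collections import defaultdict

# Constructed sample in 389-ds access-log format. conn=17 mirrors the ticket:
# no BIND at all before the SRCH under ou=sudoers, and it gets nentries=0.
# conn=18 is a hypothetical client bound via SASL/GSSAPI (the SASL multi-step
# exchange is collapsed to a single BIND/RESULT pair for brevity).
SAMPLE_LOG = """\
[21/Jun/2012:10:37:47 -0400] conn=17 fd=70 slot=70 connection from 192.168.122.10 to 192.168.122.10
[21/Jun/2012:10:37:47 -0400] conn=17 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer"
[21/Jun/2012:10:37:47 -0400] conn=17 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[21/Jun/2012:10:37:47 -0400] conn=17 op=2 SRCH base="ou=sudoers,dc=ipa,dc=test" scope=2 filter="(&(objectClass=sudoRole)(sudoUser=admin))" attrs="cn sudoCommand"
[21/Jun/2012:10:37:47 -0400] conn=17 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=P
[21/Jun/2012:10:38:02 -0400] conn=18 fd=71 slot=71 connection from 192.168.122.10 to 192.168.122.10
[21/Jun/2012:10:38:02 -0400] conn=18 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jun/2012:10:38:02 -0400] conn=18 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=client.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test"
[21/Jun/2012:10:38:02 -0400] conn=18 op=1 SRCH base="ou=sudoers,dc=ipa,dc=test" scope=2 filter="(&(objectClass=sudoRole)(sudoUser=admin))" attrs="cn sudoCommand"
[21/Jun/2012:10:38:02 -0400] conn=18 op=1 RESULT err=0 tag=101 nentries=3 etime=0
"""

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')
SRCH_RE = re.compile(r'^op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)"')
RESULT_RE = re.compile(r'^op=(?P<op>\d+) RESULT err=(?P<err>\d+)(?:.*? nentries=(?P<nentries>\d+))?')


def _norm_dn(dn):
    """Lower-case a DN and drop whitespace around commas so bases compare equal."""
    return re.sub(r'\s*,\s*', ',', dn.strip()).lower()


def find_unauthenticated_sudoers_searches(log_text, sudoers_base="ou=sudoers,dc=ipa,dc=test"):
    """Return [(conn, op, nentries), ...] for every SRCH at or below sudoers_base
    that was issued before the connection completed a non-anonymous BIND."""
    target = _norm_dn(sudoers_base)
    authenticated = defaultdict(bool)  # conn -> a non-anonymous BIND succeeded
    pending_bind = {}                  # (conn, op) -> (dn, method) awaiting RESULT
    pending_srch = {}                  # (conn, op) -> auth state when SRCH was sent
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "connection from ..." and other non-operation lines
        conn, rest = int(m.group('conn')), m.group('rest')
        if (b := BIND_RE.match(rest)):
            pending_bind[(conn, int(b.group('op')))] = (b.group('dn'), b.group('method'))
        elif (s := SRCH_RE.match(rest)):
            base = _norm_dn(s.group('base'))
            if base == target or base.endswith(',' + target):
                pending_srch[(conn, int(s.group('op')))] = authenticated[conn]
        elif (r := RESULT_RE.match(rest)):
            key, err = (conn, int(r.group('op'))), int(r.group('err'))
            if key in pending_bind:
                dn, method = pending_bind.pop(key)
                # SASL binds (GSSAPI) log dn="" yet are authenticated once err=0;
                # a simple bind with an empty DN is the anonymous case. An
                # in-progress SASL step (err=14) leaves the flag untouched.
                if err == 0 and (method.lower() == 'sasl' or dn):
                    authenticated[conn] = True
            elif key in pending_srch and not pending_srch.pop(key):
                findings.append((conn, key[1], int(r.group('nentries') or 0)))
    return findings


if __name__ == '__main__':
    for conn, op, n in find_unauthenticated_sudoers_searches(SAMPLE_LOG):
        print(f"conn={conn} op={op}: sudoers search without authenticated bind, nentries={n}")
```

A hit with nentries=0 on a host that is expected to have rules is the signature of this ticket: the ACIs are doing their job and the client is the one misconfigured.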
Those aren't the right SSSD logs, simo. You only sent the portion requesting the RootDSE (which should happen anonymously, because we use it to query for the available SASL mechanisms).
Please include logs after this point.
Sorry I didn't realize my buffer was cut, I edited the original comment to add the missing info.
As an additional info point, I changed ACIs on my server and if you allow anonymous access, sssd starts working properly.
The problem is that there is currently no IPA provider for sudo. Thus when you run SUDO it has to initialize a new connection in the LDAP provider. And it returns no rules because the default values for a connection differ from IPA (anonymous vs GSSAPI). All you need to do is to enable GSSAPI manually in sssd.conf.
Example configuration:
{{{
[domain/ipa.example.com]
id_provider = ipa
ipa_server = ipa.example.com
ldap_tls_cacert = /etc/ipa/ca.crt

sudo_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/hostname.ipa.example.com
ldap_sasl_realm = IPA.EXAMPLE.COM
krb5_server = ipa.example.com
}}}
This needs to be documented.
component: SSSD => Documentation
milestone: NEEDS_TRIAGE => SSSD 1.9.0
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=836548
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=836548 836548]
Fields changed
owner: somebody => pbrezina
status: new => assigned
Documented together with #1418 in 8a2a493
resolution: => fixed
status: assigned => closed
Metadata Update from @simo:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.9.0
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2429
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.