Date: Thu, 9 Aug 2012 12:10:20 GMT
From: Ruslan <r.kalakutsky@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/170502: sssd failed to connect Ldap server without SASL
Message-ID: <201208091210.q79CAK5P026719@red.freebsd.org>
Resent-Message-ID: <201208091220.q79CK1pb068904@freefall.freebsd.org>
>Number:         170502
>Category:       ports
>Synopsis:       sssd failed to connect Ldap server without SASL
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 09 12:20:01 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Ruslan
>Release:        8.2-STABLE
>Organization:
twint.ru
>Environment:
FreeBSD outpost.twint.ru 8.2-STABLE FreeBSD 8.2-STABLE #1: Thu Nov 17 03:54:46 UTC 2011 ruslan_ka@:/usr/obj/usr/src/sys/G1 amd64
>Description:
The sssd daemon (security/sssd) fails to bind to the LDAP server (openldap 2.4 in my case) if I use simple bind over TLS (without SASL).

This is a known problem: https://fedorahosted.org/sssd/ticket/1100
>How-To-Repeat:
Try to use TLS + simple bind to connect to the LDAP server with a config like this:

/usr/local/etc/sssd/sssd.conf

[domain/example.com]
description = user database
id_provider = ldap
auth_provider = ldap
enumerate = true
min_id = 10000
max_id = 0
cache_credentials = true
use_fully_qualified_names = false
ldap_schema = rfc2307
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /usr/local/openssl/example.com/cacert.pem
ldap_tls_cacertdir = /usr/local/openssl/example.com/newcerts
ldap_tls_cert = /usr/local/openssl/example.com/certs/ldapclient.example.com.cer
ldap_tls_key = /usr/local/openssl/example.com/private/ldap.client.example.com.key
ldap_id_use_start_tls = true
ldap_default_bind_dn = cn=ldaproot,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = secret

and you will get this error in the log:

[sdap_sys_connect_done] (1): Failed to set LDAP SASL nocanon option to true
>Fix:
1) Put the attached patch (based on https://fedorahosted.org/sssd/ticket/1100) into /usr/ports/security/sssd/files.
2) Or update version of sssd in ports (current stable is 1.8.4) Patch attached with submission follows: Index: src/providers/ldap/sdap_async_connection.c =================================================================== --- src/providers/ldap/sdap_async_connection.c (revision 11f9ae2ef3a4884b5e7750a3d549a58a71abc015) +++ src/providers/ldap/sdap_async_connection.c (revision 17707de12d69baa3bb2490ce9f0aeed7d4a0a7a0) @@ -265,7 +265,13 @@ sasl_nocanon ? LDAP_OPT_ON : LDAP_OPT_OFF); if (lret != LDAP_OPT_SUCCESS) { - DEBUG(1, ("Failed to set LDAP SASL nocanon option to %s\n", - sasl_nocanon ? "true" : "false")); - goto fail; + /* Do not fail, just warn into both debug logs and syslog */ + DEBUG(3, + ("Failed to set LDAP SASL nocanon option to %s. If your system " + "is configured to use SASL, LDAP operations might fail.\n", + sasl_nocanon ? "true" : "false")); + sss_log(SSS_LOG_INFO, + "Failed to set LDAP SASL nocanon option to %s. If your system " + "is configured to use SASL, LDAP operations might fail.\n", + sasl_nocanon ? "true" : "false"); } >Release-Note: >Audit-Trail: >Unformatted:
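Review bot: replacing `goto fail` with a warning is the right outcome for a simple-bind setup like the one in this report, but the new `sss_log(SSS_LOG_INFO, ...)` call will now write to syslog on every connection for exactly those non-SASL configurations (the reporter's log shows the option value is `true` even though no SASL mechanism is in use), so consider emitting the syslog line only when SASL authentication is actually configured for the domain, or keeping the notice on the `DEBUG(3, ...)` path alone. The two message strings are also verbatim copies; define the text once and pass it to both `DEBUG` and `sss_log` so the two cannot drift apart.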
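The configuration in the report combines a plain ldap:// URI, StartTLS with strict certificate checking, and a cleartext bind password in sssd.conf. The following checker, an added example that is neither part of this PR nor of sssd itself, parses a domain section and reports the settings a reviewer would want to confirm before deploying such a file: StartTLS actually enabled on an ldap:// URI, ldap_tls_reqcert set to demand, a CA bundle or directory to verify against, and the root-only file mode that a cleartext ldap_default_authtok requires. The sample config is constructed here from the PR's own keys and values; the check for ldap_sasl_mech uses a real sssd option that is not mentioned in the PR, and the hypothetical weak variant used in the test is constructed for the demo.

```python
"""Lint the LDAP/TLS settings of an sssd.conf domain section.

Added example, not code from the PR or from sssd. All paths and the
sample configuration are constructed for this demonstration.
"""
import configparser
import os
import stat
from typing import List

# Constructed sample mirroring the configuration in the report above.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
description = user database
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /usr/local/openssl/example.com/cacert.pem
ldap_id_use_start_tls = true
ldap_default_bind_dn = cn=ldaproot,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = secret
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style (sections, key = value), so configparser fits."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "1")


def lint_ldap_domain(cfg: configparser.ConfigParser, section: str) -> List[str]:
    """Return findings for one [domain/...] section (empty list = nothing to report)."""
    findings: List[str] = []
    d = cfg[section]
    uri = d.get("ldap_uri", "")
    start_tls = _is_true(d.get("ldap_id_use_start_tls", "false"))

    # A plain ldap:// URI without StartTLS sends the simple bind in cleartext.
    if uri.startswith("ldap://") and not start_tls:
        findings.append("ldap:// URI without ldap_id_use_start_tls = true: "
                        "simple bind password would travel in cleartext")

    # Anything weaker than demand/hard lets a bad or missing server cert through.
    if d.get("ldap_tls_reqcert", "hard").strip().lower() not in ("demand", "hard"):
        findings.append("ldap_tls_reqcert is not 'demand': server certificate "
                        "is not strictly verified")

    # 'demand' needs a trust anchor to verify against.
    if not d.get("ldap_tls_cacert") and not d.get("ldap_tls_cacertdir"):
        findings.append("no ldap_tls_cacert / ldap_tls_cacertdir configured")

    # Simple bind keeps the bind password in sssd.conf itself.
    if d.get("ldap_default_authtok_type", "password").strip() == "password" \
            and d.get("ldap_default_authtok"):
        findings.append("cleartext bind password in ldap_default_authtok: "
                        "sssd.conf must be readable by root only (mode 0600)")

    # The report's case: bind DN + password and no SASL mechanism means simple bind,
    # so the SASL nocanon option the log complains about is irrelevant here.
    if d.get("ldap_default_bind_dn") and not d.get("ldap_sasl_mech"):
        findings.append("simple bind (no ldap_sasl_mech configured): "
                        "SASL nocanon failure should not be fatal")
    return findings


def check_conf_mode(path: str) -> List[str]:
    """Flag an sssd.conf that is group- or world-accessible (it holds the bind password)."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} is group/world accessible (mode {stat.S_IMODE(st.st_mode):04o})"]
    return []


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_SSSD_CONF)
    for line in lint_ldap_domain(conf, "domain/example.com"):
        print("finding:", line)
    # Hypothetical path; on a real host point this at /usr/local/etc/sssd/sssd.conf.
    for line in check_conf_mode(__file__):
        print("finding:", line)
```

On a FreeBSD host the two functions would be run against /usr/local/etc/sssd/sssd.conf; the file-mode check is the one that matters operationally, since simple bind means the bind DN's password lives in that file in cleartext.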