From owner-freebsd-ports-bugs@FreeBSD.ORG  Thu Aug  9 12:20:02 2012
Return-Path: <owner-freebsd-ports-bugs@FreeBSD.ORG>
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 2DE131065670
	for <freebsd-ports-bugs@hub.freebsd.org>;
	Thu,  9 Aug 2012 12:20:02 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id F238C8FC0A
	for <freebsd-ports-bugs@hub.freebsd.org>;
	Thu,  9 Aug 2012 12:20:01 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q79CK1i5068905
	for <freebsd-ports-bugs@freefall.freebsd.org>;
	Thu, 9 Aug 2012 12:20:01 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q79CK1pb068904;
	Thu, 9 Aug 2012 12:20:01 GMT (envelope-from gnats)
Resent-Date: Thu, 9 Aug 2012 12:20:01 GMT
Resent-Message-Id: <201208091220.q79CK1pb068904@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Ruslan <r.kalakutsky@gmail.com>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2338E1065676
	for <freebsd-gnats-submit@FreeBSD.org>;
	Thu,  9 Aug 2012 12:10:21 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id E45778FC1A
	for <freebsd-gnats-submit@FreeBSD.org>;
	Thu,  9 Aug 2012 12:10:20 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q79CAKNU026720
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 9 Aug 2012 12:10:20 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q79CAK5P026719;
	Thu, 9 Aug 2012 12:10:20 GMT (envelope-from nobody)
Message-Id: <201208091210.q79CAK5P026719@red.freebsd.org>
Date: Thu, 9 Aug 2012 12:10:20 GMT
From: Ruslan <r.kalakutsky@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc: 
Subject: ports/170502: sssd failed to connect Ldap server without SASL
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Ports bug reports <freebsd-ports-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports-bugs>
List-Post: <mailto:freebsd-ports-bugs@freebsd.org>
List-Help: <mailto:freebsd-ports-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Aug 2012 12:20:02 -0000


>Number:         170502
>Category:       ports
>Synopsis:       sssd failed to connect Ldap server without SASL
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 09 12:20:01 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Ruslan
>Release:        8.2-STABLE
>Organization:
twint.ru
>Environment:
FreeBSD outpost.twint.ru 8.2-STABLE FreeBSD 8.2-STABLE #1: Thu Nov 17 03:54:46 UTC 2011     ruslan_ka@:/usr/obj/usr/src/sys/G1  amd64
>Description:
sssd daemon (security/sssd) fails to bind LDAP server (openldap 2.4 in my case) if I use simple bind over TLS (without SASL). This is the known problem: https://fedorahosted.org/sssd/ticket/1100
>How-To-Repeat:
try to use TLS + simple bind to connect to LDAP server with config like this:

/usr/local/etc/sssd/sssd.conf
[domain/example.com]
description =  user database
id_provider = ldap
auth_provider = ldap
enumerate = true
min_id = 10000
max_id = 0
cache_credentials = true
use_fully_qualified_names = false
ldap_schema = rfc2307
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /usr/local/openssl/example.com/cacert.pem
ldap_tls_cacertdir = /usr/local/openssl/example.com/newcerts
ldap_tls_cert = /usr/local/openssl/example.com/certs/ldapclient.example.com.cer
ldap_tls_key  = /usr/local/openssl/example.com/private/ldap.client.example.com.key
ldap_id_use_start_tls = true
ldap_default_bind_dn = cn=ldaproot,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = secret


and you will get error in log:
 [sdap_sys_connect_done] (1): Failed to set LDAP SASL nocanon option to true
>Fix:
1) Put attached patch (based https://fedorahosted.org/sssd/ticket/1100) on  to /usr/ports/security/sssd/files.
2) Or update version of sssd in ports (current stable is 1.8.4)

Patch attached with submission follows:

Index: src/providers/ldap/sdap_async_connection.c
===================================================================
--- src/providers/ldap/sdap_async_connection.c	(revision 11f9ae2ef3a4884b5e7750a3d549a58a71abc015)
+++ src/providers/ldap/sdap_async_connection.c	(revision 17707de12d69baa3bb2490ce9f0aeed7d4a0a7a0)
@@ -265,7 +265,13 @@
                            sasl_nocanon ? LDAP_OPT_ON : LDAP_OPT_OFF);
     if (lret != LDAP_OPT_SUCCESS) {
-        DEBUG(1, ("Failed to set LDAP SASL nocanon option to %s\n",
-                   sasl_nocanon ? "true" : "false"));
-        goto fail;
+        /* Do not fail, just warn into both debug logs and syslog */
+        DEBUG(3,
+              ("Failed to set LDAP SASL nocanon option to %s. If your system "
+               "is configured to use SASL, LDAP operations might fail.\n",
+              sasl_nocanon ? "true" : "false"));
+        sss_log(SSS_LOG_INFO,
+                "Failed to set LDAP SASL nocanon option to %s. If your system "
+                "is configured to use SASL, LDAP operations might fail.\n",
+                sasl_nocanon ? "true" : "false");
     }


>Release-Note:
>Audit-Trail:
>Unformatted: