From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Aug 9 12:20:02 2012
Date: Thu, 9 Aug 2012 12:10:20 GMT
From: Ruslan
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/170502: sssd failed to connect Ldap server without SASL
Message-Id: <201208091210.q79CAK5P026719@red.freebsd.org>

>Number:         170502
>Category:       ports
>Synopsis:       sssd failed to connect Ldap server without SASL
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 09 12:20:01 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Ruslan
>Release:        8.2-STABLE
>Organization:   twint.ru
>Environment:
FreeBSD outpost.twint.ru 8.2-STABLE FreeBSD 8.2-STABLE #1: Thu Nov 17 03:54:46 UTC 2011 ruslan_ka@:/usr/obj/usr/src/sys/G1 amd64
>Description:
The sssd daemon (security/sssd) fails to bind to the LDAP server (openldap 2.4 in my case) if I use a simple bind over TLS (without SASL).

This is a known problem: https://fedorahosted.org/sssd/ticket/1100
>How-To-Repeat:
Try to use TLS + simple bind to connect to the LDAP server with a config like this:

/usr/local/etc/sssd/sssd.conf

[domain/example.com]
description = user database
id_provider = ldap
auth_provider = ldap
enumerate = true
min_id = 10000
max_id = 0
cache_credentials = true
use_fully_qualified_names = false
ldap_schema = rfc2307
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /usr/local/openssl/example.com/cacert.pem
ldap_tls_cacertdir = /usr/local/openssl/example.com/newcerts
ldap_tls_cert = /usr/local/openssl/example.com/certs/ldapclient.example.com.cer
ldap_tls_key = /usr/local/openssl/example.com/private/ldap.client.example.com.key
ldap_id_use_start_tls = true
ldap_default_bind_dn = cn=ldaproot,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = secret

and you will get this error in the log:

[sdap_sys_connect_done] (1): Failed to set LDAP SASL nocanon option to true
>Fix:
1) Put the attached patch (based on https://fedorahosted.org/sssd/ticket/1100) into /usr/ports/security/sssd/files.
2) Or update the version of sssd in ports (current stable is 1.8.4).

Patch attached with submission follows:
Index: src/providers/ldap/sdap_async_connection.c
===================================================================
--- src/providers/ldap/sdap_async_connection.c	(revision 11f9ae2ef3a4884b5e7750a3d549a58a71abc015)
+++ src/providers/ldap/sdap_async_connection.c	(revision 17707de12d69baa3bb2490ce9f0aeed7d4a0a7a0)
@@ -265,7 +265,13 @@ sasl_nocanon ? LDAP_OPT_ON : LDAP_OPT_OFF); if (lret != LDAP_OPT_SUCCESS) { - DEBUG(1, ("Failed to set LDAP SASL nocanon option to %s\n", - sasl_nocanon ? "true" : "false")); - goto fail; + /* Do not fail, just warn into both debug logs and syslog */ + DEBUG(3, + ("Failed to set LDAP SASL nocanon option to %s. If your system " + "is configured to use SASL, LDAP operations might fail.\n", + sasl_nocanon ? "true" : "false")); + sss_log(SSS_LOG_INFO, + "Failed to set LDAP SASL nocanon option to %s. If your system " + "is configured to use SASL, LDAP operations might fail.\n", + sasl_nocanon ? "true" : "false"); } >Release-Note: >Audit-Trail: >Unformatted:
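Review bot: replacing `goto fail` with a warning when the SASL nocanon option cannot be set removes the hard failure for every caller, including deployments that do use SASL, where the new message itself admits that "LDAP operations might fail"; consider keeping `goto fail` when a SASL mechanism is actually configured and only downgrading to a warning otherwise (the state that records whether SASL is in use is not visible in this hunk, so that is a suggestion to check against the surrounding code). Also, moving the DEBUG call from level 1 to level 3 means the condition no longer appears at the default debug level, which makes the `sss_log(SSS_LOG_INFO, ...)` line the only trace an administrator will see; the identical message text in the DEBUG and sss_log calls would be better kept in one local string so the two copies cannot drift apart.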
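The How-To-Repeat section above is the sssd.conf combination that triggers this report: a simple bind (bind DN plus password, no ldap_sasl_mech) over StartTLS. The following is an added example, not code from the PR or from sssd, that parses such a domain section with Python's INI reader, classifies the bind method and transport, and flags the combinations a defender cares about (credentials sent in the clear, TLS without certificate verification, no CA configured) as well as the exact simple-bind-without-SASL case reported here. The issue codes and the sample configurations are constructed for the example; the configuration keys are the real sssd ones used in the report plus ldap_sasl_mech.

```python
"""Audit an sssd LDAP domain section for its bind method and transport.

Added example, not part of the PR or of sssd. It reads the INI-style
sssd.conf shown in the report and reports which security-relevant
combination the section configures.
"""
import configparser
import os
import stat
import tempfile

# Constructed sample: the [domain/example.com] section from the PR, trimmed to
# the keys that decide how the connection and the bind are performed.
SAMPLE_SSSD_CONF = """\
[domain/example.com]
description = user database
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /usr/local/openssl/example.com/cacert.pem
ldap_id_use_start_tls = true
ldap_default_bind_dn = cn=ldaproot,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = secret
"""

# Constructed variants: one that relaxes certificate checking, one that
# turns StartTLS off so the simple bind travels in the clear.
WEAK_REQCERT_CONF = SAMPLE_SSSD_CONF.replace(
    "ldap_tls_reqcert = demand", "ldap_tls_reqcert = allow")
NO_STARTTLS_CONF = SAMPLE_SSSD_CONF.replace(
    "ldap_id_use_start_tls = true", "ldap_id_use_start_tls = false")


def _truthy(value):
    return value.strip().lower() in ("true", "yes", "1")


def audit_domain(conf_text, domain):
    """Return {'bind': ..., 'transport': ..., 'issues': [...]} for one domain."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    sec = parser["domain/" + domain]

    # Bind method: a SASL mechanism if configured, otherwise a simple bind
    # when a bind DN is given, otherwise anonymous.
    if sec.get("ldap_sasl_mech"):
        bind = "sasl"
    elif sec.get("ldap_default_bind_dn"):
        bind = "simple"
    else:
        bind = "anonymous"

    # Transport: ldaps:// on every URI, StartTLS, or nothing at all.
    uris = [u.strip() for u in sec.get("ldap_uri", "").split(",") if u.strip()]
    if uris and all(u.lower().startswith("ldaps://") for u in uris):
        transport = "ldaps"
    elif _truthy(sec.get("ldap_id_use_start_tls", "false")):
        transport = "starttls"
    else:
        transport = "plaintext"

    issues = []
    if bind == "simple" and transport == "plaintext":
        issues.append("CLEARTEXT_BIND")      # DN and password unencrypted on the wire
    if transport != "plaintext":
        if sec.get("ldap_tls_reqcert", "hard").lower() not in ("demand", "hard"):
            issues.append("CERT_NOT_VERIFIED")   # TLS without a server identity check
        if not (sec.get("ldap_tls_cacert") or sec.get("ldap_tls_cacertdir")):
            issues.append("NO_CA_CONFIGURED")
    if bind == "simple":
        # The combination this PR reports: simple bind, no SASL mechanism.
        # sssd builds affected by upstream ticket 1100 abort the connection
        # here with "Failed to set LDAP SASL nocanon option".
        issues.append("SIMPLE_BIND_NO_SASL")
    return {"bind": bind, "transport": transport, "issues": issues}


def authtok_file_ok(path):
    """True when a file holding ldap_default_authtok is readable by its owner only."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def probe_mode(mode):
    """Create a throwaway file with the given mode and run authtok_file_ok on it."""
    tmp = tempfile.NamedTemporaryFile(delete=False)
    tmp.close()
    try:
        os.chmod(tmp.name, mode)
        return authtok_file_ok(tmp.name)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    for name, text in (("pr-config", SAMPLE_SSSD_CONF),
                       ("weak-reqcert", WEAK_REQCERT_CONF),
                       ("no-starttls", NO_STARTTLS_CONF)):
        print(name, audit_domain(text, "example.com"))
    print("0600 ok:", probe_mode(0o600), "| 0644 ok:", probe_mode(0o644))
```

On the configuration from the report the audit returns a simple bind over StartTLS with only SIMPLE_BIND_NO_SASL raised, which is the situation the attached patch turns from a fatal error into a warning; the two constructed variants show how the same parser surfaces a relaxed ldap_tls_reqcert and a bind without StartTLS. Because ldap_default_authtok stores the bind password in clear text, the mode check is the companion a practitioner would run on /usr/local/etc/sssd/sssd.conf itself.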