Bug 1807000

Summary: ldap_uri failover doesn't work with different ports
Product: Red Hat Enterprise Linux 7
Reporter: Amith <apeetham>
Component: sssd
Assignee: Pavel Březina <pbrezina>
Status: CLOSED DUPLICATE
QA Contact: sssd-qe <sssd-qe>
Severity: unspecified
Priority: unspecified
Version: 7.7
CC: atikhono, grajaiya, jhrozek, lslebodn, mzidek, pbrezina, sssd-maint, tscherf
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2020-03-05 16:12:14 UTC
Type: Bug

Description Amith 2020-02-25 12:49:20 UTC
Description of problem:

This issue is copied from RHEL-8.1 bug 1766962. It looks like this issue has existed from RHEL version 7.7 onwards, except in 8.0.0.

We have multiple test case failures related to failover wherein the list of URIs has different port numbers. These cases worked in RHEL-8.0.0. The cases are:
1. ldap uri failover with single server, different ports
2. ldap chpass uri failover with single server, different ports
3. ldap chpass backup uri failover with single server, different ports

Version-Release number of selected component (if applicable):
sssd-1.16.4-21.el7.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Set up SSSD with any one of the following domain sections:

    [domain/LDAP]
    debug_level=0xFFF0
    id_provider = ldap
    ldap_uri = ldap://$SERVER1:12345,ldap://$SERVER1:389
    ldap_tls_cacertdir = /etc/openldap/certs
    ldap_search_base = dc=example,dc=com

OR

    [domain/LDAP]
    debug_level=0xFFF0
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_uri = ldap://$SERVER1
    ldap_chpass_uri = ldap://$SERVER1:12345,ldap://$SERVER1:389
    ldap_tls_cacertdir = /etc/openldap/certs
    ldap_search_base = dc=example,dc=com

OR

    [domain/LDAP]
    debug_level=0xFFF0
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_uri = ldap://$SERVER1
    ldap_chpass_uri = ldap://$SERVER1:12345
    ldap_chpass_backup_uri = ldap://$SERVER1:389
    ldap_tls_cacertdir = /etc/openldap/certs
    ldap_search_base = dc=example,dc=com

2. In the above cases, port 12345 is non-existent in order to allow SSSD to fail over to the next URI or backup URI. Now restart the SSSD service.

3. Run a user login. You will see that user auth fails. The SSSD log shows a "PORT NOT WORKING" error.
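The following is an added example, not code from the bug report or from SSSD. It parses the kind of `ldap_uri` list used in the reproducer above and shows why two URIs that share a host but differ only in port must count as two failover targets: a comparison that looks at the host alone (a constructed model of the regression, not SSSD's actual failover code) collapses them into one target, so there is nothing left to fail over to when port 12345 is down. The host name and config fragment are constructed placeholders.

```python
"""Added example: model failover target selection for SSSD-style LDAP URI lists."""
import configparser
from urllib.parse import urlsplit

# Constructed sssd.conf fragment mirroring the first reproducer; the
# placeholder host stands in for $SERVER1.
SSSD_CONF = """
[domain/LDAP]
debug_level=0xFFF0
id_provider = ldap
ldap_uri = ldap://ldap1.example.test:12345,ldap://ldap1.example.test:389
ldap_tls_cacertdir = /etc/openldap/certs
ldap_search_base = dc=example,dc=com
"""

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
URI_KEYS = ("ldap_uri", "ldap_chpass_uri", "ldap_chpass_backup_uri")


def parse_uri_list(value):
    """Split a comma-separated URI list into (scheme, host, port) tuples,
    filling in the scheme's default port when none is given."""
    servers = []
    for uri in (u.strip() for u in value.split(",") if u.strip()):
        parts = urlsplit(uri)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError(f"unsupported LDAP URI: {uri}")
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        servers.append((parts.scheme, parts.hostname.lower(), port))
    return servers


def load_failover_lists(conf_text, domain="domain/LDAP"):
    """Return the parsed URI lists for every failover-related key present."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sect = cp[domain]
    return {key: parse_uri_list(sect[key]) for key in URI_KEYS if key in sect}


def distinct_failover_targets(servers, compare_port=True):
    """Count the distinct targets failover can rotate through.
    compare_port=False models the regression: only the host is compared,
    so same-host URIs on different ports collapse into a single target."""
    seen = set()
    for _scheme, host, port in servers:
        seen.add((host, port) if compare_port else host)
    return len(seen)
```

With the fixed comparison the reproducer's `ldap_uri` yields two targets, so a dead port 12345 still leaves port 389 to switch to; with the host-only comparison it yields one.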

Comment 4 Pavel Březina 2020-03-04 11:50:09 UTC
Upstream PR:
https://github.com/SSSD/sssd/pull/996

Comment 5 Pavel Březina 2020-03-05 09:31:17 UTC
* `sssd-1-16`
    * 4b1d1a099d89c5de320d233e57d65ea9484ca205 - failover: make sure we switch to another server if only port differs