Bug 2217367

Summary: Cannot use GSSAPI with openldap-clients
Product: Red Hat Enterprise Linux 8
Component: openldap
Version: 8.6
Hardware: x86_64
OS: Linux
Status: NEW
Severity: medium
Priority: unspecified
Type: Bug
Reporter: quentin.laffitte
Assignee: LDAP Maintainers <idm-ds-dev-bugs>
QA Contact: LDAP QA Team <idm-ds-qe-bugs>
CC: idm-ds-dev-bugs, spichugi
Flags: spichugi: needinfo? (quentin.laffitte)
Target Milestone: rc
Target Release: ---
Doc Type: If docs needed, set a value

Description quentin.laffitte 2023-06-26 06:41:06 UTC
Description of problem:
I cannot use GSSAPI with ldapsearch, but it works when built from the 2.4.46 source code.

Version-Release number of selected component (if applicable):
$ rpm -qa | grep -i ldap
python3-ldap-3.3.1-2.el8.x86_64
openldap-2.4.46-18.el8.x86_64
sssd-ldap-2.6.2-3.el8.x86_64
perl-LDAP-0.66-7.el8.noarch
openldap-clients-2.4.46-18.el8.x86_64


How reproducible:
Install the latest version of openldap-clients from the Rhel8_BaseOS repository on Red Hat Enterprise Linux 8.6.

Steps to Reproduce:
1. sudo dnf install openldap-clients
2. ldapsearch -H ldap://yourldapserver.lan -b "dc=yourldapserver,dc=lan" "(sAMAccountName=guest)" -LLL -Y GSSAPI

Actual results:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)

Expected results:
SASL/GSSAPI authentication started
SASL username: USER
SASL SSF: 256
SASL data security layer installed.

Additional info:
When I compile the same version (openldap-2.4.46) myself, I get the expected results with:
wget https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-2.4.46.tgz
tar -xf openldap-2.4.46.tgz
cd openldap-2.4.46/
sudo dnf install libdb-devel cyrus-sasl-devel libtool-ltdl-devel
rpm -qa | grep -e libdb-devel -e cyrus-sasl-devel -e libtool-ltdl-devel
#libtool-ltdl-devel-2.4.6-25.el8.x86_64
#cyrus-sasl-devel-2.1.27-6.el8_5.x86_64
#libdb-devel-5.3.28-42.el8_4.x86_64
./configure --with-cyrus-sasl
make depend
make
./clients/tools/ldapsearch -H ldap://yourldapserver.lan -b "dc=yourldapserver,dc=lan" "(sAMAccountName=guest)" -Y GSSAPI

Comment 1 Simon Pichugin 2023-06-26 22:46:33 UTC
Please, provide more information about your configuration.
OpenLDAP on RHEL 8 is built to work with SSSD, IPA and RHDS in a certain way.
We have many patches on top of openldap-2.4.46 to make the experience smooth and adjusted to RHEL 8 (and it also has many additional CVEs fixed).

It's possible that you have misconfigured krb5.conf or ldap.conf.
Do you have SSSD setup?
Do you use 389-ds-base? (remember, openldap-servers is not a supported option on RHEL 8)

Additionally, please provide the ldapsearch output with the "-d 9" option.

Comment 2 quentin.laffitte 2023-06-27 06:50:32 UTC
Yes, SSSD is set up and I use it with Active Directory, so I didn't use 389-ds-base or openldap-servers.

The output with "-d 9":
$ ldapsearch -H ldap://yourldapserver.lan -b "dc=yourldapserver,dc=lan" "(sAMAccountName=guest)" -Y GSSAPI -d 9
ldap_url_parse_ext(ldap://yourldapserver.lan)
ldap_create
ldap_url_parse_ext(ldap://yourldapserver.lan:389/??base)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP yourldapserver.lan:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 1.2.3.4:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
ldap_int_sasl_open: host=yourldapserver.lan
SASL/GSSAPI authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 3839 bytes to sd 3
ldap_msgfree
ldap_result ld 0x556efbad3570 msgid 1
wait4msg ld 0x556efbad3570 msgid 1 (infinite timeout)
wait4msg continue ld 0x556efbad3570 msgid 1 all 1
** ld 0x556efbad3570 Connections:
* host: yourldapserver.lan  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun 27 08:26:59 2023


** ld 0x556efbad3570 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x556efbad3570 request count 1 (abandoned 0)
** ld 0x556efbad3570 Response Queue:
   Empty
  ld 0x556efbad3570 response count 0
ldap_chkResponseList ld 0x556efbad3570 msgid 1 all 1
ldap_chkResponseList returns ld 0x556efbad3570 NULL
ldap_int_select
read1msg: ld 0x556efbad3570 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 120 contents:
read1msg: ld 0x556efbad3570 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x556efbad3570 0 new referrals
read1msg:  mark request completed, ld 0x556efbad3570 msgid 1
request done: ld 0x556efbad3570 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
sasl_client_step: -1
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

Comment 3 quentin.laffitte 2023-06-27 06:58:56 UTC
The same output, but with the compiled openldap 2.4.46 source code:
./clients/tools/ldapsearch -H ldap://yourldapserver.lan -b "dc=yourldapserver,dc=lan" "(sAMAccountName=guest)" -Y GSSAPI -d 9
ldap_url_parse_ext(ldap://yourldapserver.lan)
ldap_create
ldap_url_parse_ext(ldap://yourldapserver.lan:389/??base)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP yourldapserver.lan:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 1.2.3.4:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
ldap_int_sasl_open: host=dc.yourldapserver.lan
SASL/GSSAPI authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 3839 bytes to sd 3
ldap_msgfree
ldap_result ld 0xf00180 msgid 1
wait4msg ld 0xf00180 msgid 1 (infinite timeout)
wait4msg continue ld 0xf00180 msgid 1 all 1
** ld 0xf00180 Connections:
* host: yourldapserver.lan  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun 27 08:52:03 2023


** ld 0xf00180 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xf00180 request count 1 (abandoned 0)
** ld 0xf00180 Response Queue:
   Empty
  ld 0xf00180 response count 0
ldap_chkResponseList ld 0xf00180 msgid 1 all 1
ldap_chkResponseList returns ld 0xf00180 NULL
ldap_int_select
read1msg: ld 0xf00180 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 176 contents:
read1msg: ld 0xf00180 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0xf00180 0 new referrals
read1msg:  mark request completed, ld 0xf00180 msgid 1
request done: ld 0xf00180 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
sasl_client_step: 1
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 22 bytes to sd 3
ldap_msgfree
ldap_result ld 0xf00180 msgid 2
wait4msg ld 0xf00180 msgid 2 (infinite timeout)
wait4msg continue ld 0xf00180 msgid 2 all 1
** ld 0xf00180 Connections:
* host: yourldapserver.lan  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun 27 08:52:03 2023


** ld 0xf00180 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xf00180 request count 1 (abandoned 0)
** ld 0xf00180 Response Queue:
   Empty
  ld 0xf00180 response count 0
ldap_chkResponseList ld 0xf00180 msgid 2 all 1
ldap_chkResponseList returns ld 0xf00180 NULL
ldap_int_select
read1msg: ld 0xf00180 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 50 contents:
read1msg: ld 0xf00180 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0xf00180 0 new referrals
read1msg:  mark request completed, ld 0xf00180 msgid 2
request done: ld 0xf00180 msgid 2
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
sasl_client_step: 0
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 56 bytes to sd 3
ldap_msgfree
ldap_result ld 0xf00180 msgid 3
wait4msg ld 0xf00180 msgid 3 (infinite timeout)
wait4msg continue ld 0xf00180 msgid 3 all 1
** ld 0xf00180 Connections:
* host: yourldapserver.lan  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun 27 08:52:03 2023


** ld 0xf00180 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xf00180 request count 1 (abandoned 0)
** ld 0xf00180 Response Queue:
   Empty
  ld 0xf00180 response count 0
ldap_chkResponseList ld 0xf00180 msgid 3 all 1
ldap_chkResponseList returns ld 0xf00180 NULL
ldap_int_select
read1msg: ld 0xf00180 msgid 3 all 1
ber_get_next
ber_get_next: tag 0x30 len 18 contents:
read1msg: ld 0xf00180 msgid 3 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0xf00180 0 new referrals
read1msg:  mark request completed, ld 0xf00180 msgid 3
request done: ld 0xf00180 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
SASL username: USERNAME
SASL SSF: 256
ldap_pvt_sasl_generic_install
SASL data security layer installed.
ldap_msgfree

...

ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
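
The two "-d 9" traces above differ at one line early on: the packaged client logs `ldap_int_sasl_open: host=yourldapserver.lan`, the self-built one logs `ldap_int_sasl_open: host=dc.yourldapserver.lan`. That host is what libldap hands to Cyrus SASL, and the GSSAPI plugin then asks Kerberos for a service ticket for ldap/<host>. The parser below is added here by the editor; it is not code from the bug report or from OpenLDAP. It pulls that host, the sasl_client_step results and the final outcome out of a trace so the two binaries can be compared mechanically. The embedded sample traces are constructed: abridged copies of the two traces in comments 2 and 3, keeping only the lines the parser reads.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines of interest in an `ldapsearch -d 9` trace (libldap debug output).
SASL_HOST_RE = re.compile(r"^ldap_int_sasl_open: host=(\S+)")
STEP_RE = re.compile(r"^sasl_client_step: (-?\d+)")
USER_RE = re.compile(r"^SASL username: (\S+)")
SSF_RE = re.compile(r"^SASL SSF: (\d+)")
BIND_ERR_RE = re.compile(r"^ldap_sasl_interactive_bind_s: (.+)$")
INFO_RE = re.compile(r"^\s*additional info: (.+)$")


@dataclass
class BindTrace:
    sasl_host: Optional[str] = None                  # host libldap hands to Cyrus SASL
    steps: List[int] = field(default_factory=list)   # sasl_client_step results, in order
    username: Optional[str] = None
    ssf: Optional[int] = None
    bind_error: Optional[str] = None
    detail: Optional[str] = None

    @property
    def service_principal(self) -> Optional[str]:
        # The Cyrus SASL GSSAPI plugin imports "ldap@<host>" as a host-based
        # service name, which Kerberos maps to ldap/<host>@REALM.
        return f"ldap/{self.sasl_host}" if self.sasl_host else None

    @property
    def succeeded(self) -> bool:
        return self.bind_error is None and self.ssf is not None


def parse_trace(text: str) -> BindTrace:
    """Extract the SASL-relevant facts from one -d 9 trace."""
    t = BindTrace()
    for line in text.splitlines():
        if m := SASL_HOST_RE.match(line):
            t.sasl_host = m.group(1)
        elif m := STEP_RE.match(line):
            t.steps.append(int(m.group(1)))
        elif m := USER_RE.match(line):
            t.username = m.group(1)
        elif m := SSF_RE.match(line):
            t.ssf = int(m.group(1))
        elif m := BIND_ERR_RE.match(line):
            t.bind_error = m.group(1)
        elif m := INFO_RE.match(line):
            t.detail = m.group(1)
    return t


def compare(packaged: BindTrace, built: BindTrace) -> List[str]:
    """Return the differences that matter for a GSSAPI bind, packaged vs self-built."""
    findings = []
    if packaged.sasl_host != built.sasl_host:
        findings.append(
            f"SASL host differs: {packaged.sasl_host} vs {built.sasl_host}; "
            f"service ticket requested for {packaged.service_principal} "
            f"vs {built.service_principal}"
        )
    if packaged.steps[:1] != built.steps[:1]:
        findings.append(
            f"first sasl_client_step differs: {packaged.steps[:1]} vs "
            f"{built.steps[:1]}; packaged detail: {packaged.detail or 'none'}"
        )
    if packaged.succeeded != built.succeeded:
        findings.append(
            f"outcome differs: packaged {'ok' if packaged.succeeded else 'failed'}, "
            f"self-built {'ok' if built.succeeded else 'failed'}"
        )
    return findings


# Constructed sample input: abridged from the two -d 9 traces in this bug,
# keeping only the lines the parser reads.
PACKAGED_TRACE = """\
ldap_int_sasl_open: host=yourldapserver.lan
sasl_client_step: -1
ldap_sasl_interactive_bind_s: Local error (-2)
\tadditional info: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)
"""

BUILT_TRACE = """\
ldap_int_sasl_open: host=dc.yourldapserver.lan
sasl_client_step: 1
sasl_client_step: 0
SASL username: USERNAME
SASL SSF: 256
SASL data security layer installed.
"""

if __name__ == "__main__":
    for finding in compare(parse_trace(PACKAGED_TRACE), parse_trace(BUILT_TRACE)):
        print("-", finding)
```

Whether libldap reverse-resolves the host before handing it to SASL is governed by `SASL_NOCANON` in ldap.conf(5): on means use the name as given, off (the upstream default) means canonicalize it through a reverse DNS lookup. A binary built with a bare `./configure` reads its configuration from /usr/local/etc/openldap/ldap.conf, not from /etc/openldap/ldap.conf, so the packaged and self-built ldapsearch in this report need not be reading the same settings. Comparing that option in the file each binary actually reads, and trying the packaged client with `-H ldap://dc.yourldapserver.lan` (the canonical name the source build arrived at), is the natural next check; the page does not establish that this is the cause. Reverse-DNS canonicalization is also why the option exists at all: with it enabled, a spoofed PTR record decides which service principal the client asks Kerberos for, the same concern behind `rdns = false` in krb5.conf.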

Comment 4 Simon Pichugin 2023-08-16 23:18:28 UTC
I think the issue could be with the configuration, as all of our tests for RHEL 8 pass.
Yes, we use additional patches for certain features used by SSSD - so it could be a misconfiguration issue on your side...

Please, provide more information about your setup and attach the config files for OpenLDAP and SSSD (and Active Directory, if possible).
I'll check it, and if my knowledge of this topic isn't enough, I'll transition the issue to the SSSD team.