Bug 598485

Summary: SSSD doesn't follow LDAP referrals when using non-anonymous bind
Product: Red Hat Enterprise Linux 6
Reporter: Stephen Gallagher <sgallagh>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED CURRENTRELEASE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Docs Contact:
Priority: low
Version: 6.0
CC: benl, dpal, jgalipea, rlerch
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text: The System Security Services Daemon (SSSD) currently supports following LDAP referrals on anonymous-bind LDAP connections only.
Story Points: ---
Clone Of:
: 598501
Environment:
Last Closed: 2010-06-29 15:09:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 579775
Bug Blocks: 598501

Description Stephen Gallagher 2010-06-01 13:40:44 UTC
Description of problem:
If SSSD is configured to use non-anonymous bind (a bind DN is specified and an authentication token such as a password is being used), SSSD does not properly follow referrals. It will only attempt to bind anonymously to the referred server.

More information is available at the upstream bug report:
https://fedorahosted.org/sssd/ticket/495

Version-Release number of selected component (if applicable):
sssd-1.2.0-12.el6

How reproducible:
Every time

Steps to Reproduce:
1. Set up two LDAP servers requiring non-anonymous bind (anonymous bind should fail)
2. Add a referral on the primary LDAP server for a particular entry that will be answered by the secondary LDAP server. (Use a user entry for easiest reproduction)
3. Configure SSSD with id_provider = ldap and ldap_uri pointing at the primary LDAP server.
4. Request the user entry above (use 'getent passwd <username>')
Actual results:
No results found. The logs for the secondary LDAP server will show a failed anonymous bind.

Expected results:
The user should be returned from the secondary LDAP server.

Additional info:
https://fedorahosted.org/sssd/ticket/495
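
As an added check, not part of this bug report or of SSSD itself, the following Python script parses an sssd.conf and lists the enabled LDAP domains that use an authenticated bind (ldap_default_bind_dn set). On the build named in this report those are exactly the domains whose referrals will not be followed with their credentials, so the referred server sees only an anonymous bind and the lookup returns nothing. The embedded sssd.conf is constructed for illustration; host names, DNs and the authtok are placeholders.

```python
"""Added example (not SSSD code): find sssd.conf domains that combine
id_provider = ldap with a configured bind DN, i.e. the configuration this
bug report says is affected."""
import configparser

# Constructed sssd.conf sample; hosts, DNs and the authtok are placeholders.
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = corp, guest

[domain/corp]
id_provider = ldap
ldap_uri = ldap://primary.example.test, ldap://backup.example.test
ldap_search_base = dc=example,dc=test
ldap_default_bind_dn = cn=sssd-reader,ou=svc,dc=example,dc=test
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER-NOT-A-REAL-SECRET

[domain/guest]
id_provider = ldap
ldap_uri = ldap://guest.example.test
ldap_search_base = dc=guest,dc=test

[domain/retired]
id_provider = ldap
ldap_uri = ldap://old.example.test
ldap_default_bind_dn = cn=reader,dc=old,dc=test
"""


def parse_sssd_conf(text):
    """Parse sssd.conf, which uses INI syntax. Interpolation is disabled so
    that a '%' in an authtok or DN is not treated as a format directive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def enabled_domains(cp):
    """Only domains listed in [sssd] 'domains' are served; sections for
    other domains (here 'retired') are ignored, as SSSD ignores them."""
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def referral_affected_domains(text):
    """Return (domain, bind_dn, [ldap_uri, ...]) for every enabled domain
    that uses id_provider = ldap together with a bind DN. Domains that bind
    anonymously are left out: the report states referrals are followed for
    those."""
    cp = parse_sssd_conf(text)
    hits = []
    for name in enabled_domains(cp):
        section = "domain/" + name
        if not cp.has_section(section):
            continue
        if cp.get(section, "id_provider", fallback="").strip() != "ldap":
            continue
        bind_dn = cp.get(section, "ldap_default_bind_dn", fallback="").strip()
        if not bind_dn:
            continue  # anonymous bind: not affected by this bug
        uris = [u.strip()
                for u in cp.get(section, "ldap_uri", fallback="").split(",")
                if u.strip()]
        hits.append((name, bind_dn, uris))
    return hits


def report(text):
    """Human-readable lines, one per affected domain."""
    lines = []
    for name, bind_dn, uris in referral_affected_domains(text):
        lines.append(
            "domain/%s: binds as %s; referrals from %s are not followed "
            "with these credentials (referred server sees an anonymous bind)"
            % (name, bind_dn, ", ".join(uris)))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SSSD_CONF):
        print(line)
```

Run against a real sssd.conf by replacing SAMPLE_SSSD_CONF with the file contents; a domain that appears in the output and relies on referrals for any entries is one where the "No results found" behaviour from the description should be expected until the fix is deployed.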

Comment 2 Stephen Gallagher 2010-06-01 15:58:09 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Release note:
SSSD currently supports following LDAP referrals for anonymous-bind LDAP connections only.

Comment 4 Ryan Lerch 2010-06-25 03:10:48 UTC
Technical note updated. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1,2 +1 @@
-Release note:
+The System Security Services Daemon (SSSD) currently supports following LDAP referrals on anonymous-bind LDAP connections only.-SSSD currently supports following LDAP referrals for anonymous-bind LDAP connections only.
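Review bot: the removal line `-SSSD currently supports following LDAP referrals for anonymous-bind LDAP connections only.` has been run onto the end of the `+` line, so the hunk as shown does not match its `@@ -1,2 +1 @@` header (two lines removed, one added); it should stand on its own line. On the wording, the new note states the limitation but not its visible effect; adding the description's observation that lookups of referred entries return nothing because only an anonymous bind is attempted against the referred server would tell readers what symptom to expect.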