Bug 676911

Summary: SSSD attempts to use START_TLS over LDAPS for authentication
Product: Red Hat Enterprise Linux 6
Reporter: Stephen Gallagher <sgallagh>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: urgent
Priority: unspecified
Version: 6.0
CC: benl, dpal, grajaiya, jgalipea, prc
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.5.1-6.el6
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2011-05-19 11:38:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Stephen Gallagher 2011-02-11 19:55:33 UTC
Description of problem:
SSSD always attempts to use the START_TLS function when performing LDAP auth. However, some LDAP servers (especially those sitting behind SSL accelerators) cannot handle TLS over LDAPS. This prevents authentication from succeeding on those platforms.

Version-Release number of selected component (if applicable):
sssd-1.2.1-28.el6_0.4

How reproducible:
Proof that this is happening is easily seen in the debug logs; however, the auth failure requires a fairly complicated configuration.

Steps to Reproduce:
1. Configure SSSD with ldap_uri = ldaps://ldap.example.com and auth_provider = ldap
2. Set DEBUG logs to level 4 or higher (debug_level = 4)
3. Perform an LDAP user login through SSSD.
  
Actual results:
Logs include a line like:
(Fri Feb 11 14:27:08 2011) [sssd[be[default]]] [sdap_connect_send] (4): Executing START TLS

Expected results:
SSSD should not attempt to start TLS.

Additional info:
Extensive mailing list thread on sssd-devel:
https://fedorahosted.org/pipermail/sssd-devel/2011-February/005651.html

Comment 3 Gowrishankar Rajaiyan 2011-04-06 12:05:12 UTC
No more "Executing START TLS" message logged in the domain logs while authenticating against ldaps.

Snippet from /var/log/sssd/sssd_default.log:
(Wed Apr  6 16:40:17 2011) [sssd[be[default]]] [auth_resolve_done] (8): [ldaps://sssdldap.redhat.com:636] is a secure channel. No need to run START_TLS

Verified.

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 24.el6                        Build Date: Sat 02 Apr 2011 01:24:54 AM IST
Install Date: Tue 05 Apr 2011 11:11:29 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-24.el6.src.rpm
Size        : 3462740                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
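A small diagnostic for the reproduction steps in the description and the verification line in comment 3, added here as an example and not part of SSSD or this bug's attachments: it reads ldap_uri from a constructed sssd.conf fragment, parses constructed domain-log lines of the two shapes quoted above, and flags the bug when "Executing START TLS" appears while every configured URI is already ldaps://. The helper names and the sample config/log are assumptions made for this example.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed sssd.conf fragment (not from a real host): one LDAP domain on ldaps://.
SAMPLE_CONF = """\
[sssd]
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
debug_level = 4
"""

# Constructed log lines modelled on the two messages quoted in the bug report.
SAMPLE_LOG = """\
(Fri Feb 11 14:27:08 2011) [sssd[be[default]]] [sdap_connect_send] (4): Executing START TLS
(Wed Apr  6 16:40:17 2011) [sssd[be[default]]] [auth_resolve_done] (8): [ldaps://ldap.example.com:636] is a secure channel. No need to run START_TLS
"""

LOG_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                    r"\[(?P<func>[^\]]+)\] \((?P<level>\d+)\): (?P<msg>.*)$")

def ldap_uris(conf_text, domain="default"):
    """Return the ldap_uri entries of [domain/<domain>] as a list (comma/space separated)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    raw = cfg.get(f"domain/{domain}", "ldap_uri", fallback="")
    return [u for u in raw.replace(",", " ").split() if u]

def starttls_events(log_text, domain="default"):
    """Return (function, message) for every START_TLS-related line of the given domain."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("domain") == domain and "START" in m.group("msg").upper():
            events.append((m.group("func"), m.group("msg")))
    return events

def check(conf_text, log_text, domain="default"):
    """Flag the bug: a START TLS attempt while every ldap_uri is already ldaps://."""
    uris = ldap_uris(conf_text, domain)
    all_ldaps = bool(uris) and all(urlparse(u).scheme.lower() == "ldaps" for u in uris)
    attempts = [e for e in starttls_events(log_text, domain) if e[1] == "Executing START TLS"]
    return {"uris": uris, "all_ldaps": all_ldaps, "attempts": attempts,
            "affected": all_ldaps and bool(attempts)}
```

On a real host, feed it the contents of /etc/sssd/sssd.conf and /var/log/sssd/sssd_<domain>.log with debug_level of at least 4, as the reproduction steps require.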

Comment 4 errata-xmlrpc 2011-05-19 11:38:36 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html

Comment 5 errata-xmlrpc 2011-05-19 13:09:31 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html