Bug 732935

Summary: Add LDAP provider option to set LDAP_OPT_X_SASL_NOCANON
Product: Red Hat Enterprise Linux 6
Reporter: Marko Myllynen <myllynen>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.1
CC: benl, grajaiya, jgalipea, jhrozek, jzeleny, kbanerje, prc
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.5.1-49.el6
Doc Type: Bug Fix
Doc Text:
Cause: In some cases when SASL is used, libldap might try to canonicalize the hostname by doing a reverse lookup. Consequence: The LDAP request might block. Also, if the PTR record was wrong, SSSD wouldn't authenticate against the server at all. Fix: An SSSD configuration directive has been implemented, allowing canonicalization inside libldap to be turned on or off. The canonicalization is off by default. Result: SASL/GSSAPI works fine even when the PTR is wrong.
Story Points: ---
Clone Of:
: 748866
Environment:
Last Closed: 2011-12-06 16:39:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 732468, 748866

Description Marko Myllynen 2011-08-24 08:11:34 UTC
Description of problem:
From https://fedorahosted.org/sssd/ticket/978

In some cases when SASL is used, openldap might try to canonicalize the hostname by doing a reverse lookup. This might be a blocking call because openldap uses glibc's getnameinfo (The openldap function is ldap_pvt_get_hname).

It is possible to turn off this check by setting LDAP_OPT_X_SASL_NOCANON.

It is not only a problem about blocking on DNS calls. It may also cause failures to get a ticket because the PTR is wrong. Bad DNS configuration for reverse addresses is very common, especially in test environments and small networks.

Comment 2 Stephen Gallagher 2011-08-24 12:42:52 UTC
This fix is a dependency for fixing BZ #732468 in FreeIPA.

Comment 5 Kaushik Banerjee 2011-09-27 13:38:41 UTC
Steps to verify:

1. Configure DNS as:
A record  : ldap.example.com -> 10.65.201.57
PTR record: 10.65.201.57 -> xyz.example.com

2. Configure sssd for gssapi auth.
[domain/gssapi]
debug_level = 9
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = ldap.example.com
krb5_realm = EXAMPLE.COM
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.com
ldap_krb5_init_creds = true
ldap_krb5_ticket_lifetime = 120
krb5_validate = True
krb5_lifetime = 150m

3. Lookup of an LDAP user and auth as the user should succeed. (Note that we have to set "rdns = false" in /etc/krb5.conf.)

4. Now, set "ldap_sasl_canonicalize = true" and restart sssd. Lookup and auth of the LDAP user would fail since, due to the incorrect PTR record, the hostname cannot be canonicalized.

Verified in version:
# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 52.el6                        Build Date: Tue 20 Sep 2011 09:11:03 PM IST
Install Date: Mon 26 Sep 2011 05:56:30 PM IST      Build Host: x86-010.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-52.el6.src.rpm
Size        : 3550647                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
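As an added illustration (not part of this bug report or of SSSD's code), a small Python preflight check that reproduces the comparison libldap makes before a SASL/GSSAPI bind when canonicalization is on: forward-resolve the server name, reverse-resolve its address and see whether the PTR name differs, which is exactly the condition that makes step 4 above fail. The DNS data and sssd.conf snippet are constructed to mirror the steps above, the resolver functions are injectable so it runs offline, and the service-principal strings are illustrative of what the KDC would be asked for.

```python
"""Preflight check for the libldap SASL hostname canonicalization described in
this bug: forward-resolve the LDAP server, reverse-resolve its address and see
whether the PTR name differs (the case that breaks ldap_sasl_canonicalize = true)."""
import configparser
import socket

def canonicalization_check(hostname, realm,
                           forward=socket.gethostbyname,
                           reverse=socket.gethostbyaddr):
    """Describe what libldap's reverse-lookup canonicalization would do for hostname."""
    ip = forward(hostname)
    try:
        ptr_name = reverse(ip)[0]           # PTR name, e.g. xyz.example.com
    except (socket.herror, socket.gaierror):
        ptr_name = None                     # no PTR: the original name is kept
    canonical = ptr_name or hostname
    return {
        "ip": ip,
        "ptr": ptr_name,
        # Service principal requested from the KDC in each mode (illustrative).
        "principal_without_canon": f"ldap/{hostname}@{realm}",
        "principal_with_canon": f"ldap/{canonical}@{realm}",
        "ptr_mismatch": canonical.lower() != hostname.lower(),
    }

def sasl_canonicalize_enabled(sssd_conf_text, domain):
    """Read ldap_sasl_canonicalize for [domain/<domain>]; SSSD defaults it to false."""
    cp = configparser.ConfigParser()
    cp.read_string(sssd_conf_text)
    return cp.getboolean(f"domain/{domain}", "ldap_sasl_canonicalize", fallback=False)

# Constructed DNS data mirroring the verification steps above (not a live lookup).
FAKE_A = {"ldap.example.com": "10.65.201.57"}
FAKE_PTR = {"10.65.201.57": ("xyz.example.com", [], ["10.65.201.57"])}
fake_forward = lambda name: FAKE_A[name]
fake_reverse = lambda ip: FAKE_PTR[ip]

SAMPLE_CONF = """\
[domain/gssapi]
id_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_canonicalize = true
"""

if __name__ == "__main__":
    r = canonicalization_check("ldap.example.com", "EXAMPLE.COM", fake_forward, fake_reverse)
    if r["ptr_mismatch"] and sasl_canonicalize_enabled(SAMPLE_CONF, "gssapi"):
        print("PTR mismatch, GSSAPI bind would request", r["principal_with_canon"],
              "-> set ldap_sasl_canonicalize = false")
```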

Comment 6 Jan Zeleny 2011-10-27 14:03:56 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: In some cases when SASL is used, libldap might try to canonicalize the hostname by doing a reverse lookup.
Consequence: The LDAP request might block. Also if PTR record was wrong, SSSD wouldn't authenticate against the server at all.
Fix: A configuration directive has been implemented allowing to turn off canonicalization in libldap.
Result: If there are some issues with the DNS / network which would cause unwanted behavior of SSSD such as blocking calls, it is possible to turn canonicalization off.

Comment 7 Jakub Hrozek 2011-10-27 14:14:02 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1,4 @@
 Cause: In some cases when SASL is used, libldap might try to canonicalize the hostname by doing a reverse lookup.
 Consequence: The LDAP request might block. Also if PTR record was wrong, SSSD wouldn't authenticate against the server at all.
-Fix: A configuration directive has been implemented allowing to turn off canonicalization in libldap.
+Fix: An SSSD configuration directive has been implemented, allowing to turn canonicalization inside libldap on or off. The canonicalization is off by default.
-Result: If there are some issues with the DNS / network which would cause unwanted behavior of SSSD such as blocking calls, it is possible to turn canonicalization off.+Result: SASL/GSSAPI works fine even wen the PTR is wrong.
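Review bot: the added Result line has a typo, "even wen the PTR is wrong" should read "even when the PTR is wrong", and the same wording was carried into the bug's Doc Text field, so it needs the same correction there. The new Result also drops the old sentence's point that canonicalization can be turned off to avoid blocking DNS calls; since the Fix line now says the option can be set "on or off" and is off by default, that is acceptable, but the blocking-call case from the Consequence line is no longer echoed in the Result.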

Comment 8 errata-xmlrpc 2011-12-06 16:39:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1529.html