Bug 737172
| Summary: | "Unknown (private extension) error(21853), (null)" messages are logged during change password operation of a user in openldap server with ppolicy enabled. | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Kaushik Banerjee <kbanerje> | |
| Component: | sssd | Assignee: | Stephen Gallagher <sgallagh> | |
| Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 6.2 | CC: | benl, grajaiya, jgalipea, jzeleny, prc | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | sssd-1.5.1-51.el6 | Doc Type: | Bug Fix | |
| Doc Text: | Cause: SSSD uses a private LDAP error code, because there are no official ones for error conditions indicated by the server side password policies. Consequence: Very generic and thus not understandable error messages were printed when this error occurred. Fix: A routine detecting and translating this error code has been implemented. Result: A clear error message is printed to log when the error occurs. | Story Points: | --- | |
| Clone Of: | ||||
| : | 748879 | Environment: | ||
| Last Closed: | 2011-12-06 16:40:02 UTC | Type: | --- | |
| Bug Blocks: | 743047, 748879 | |||
Verified in version:

```
# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 51.el6                        Build Date: Mon 12 Sep 2011 06:55:14 PM IST
Install Date: Tue 13 Sep 2011 08:02:21 PM IST      Build Host: x86-001.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-51.el6.src.rpm
Size        : 3670464                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
```

Upstream ticket: https://fedorahosted.org/sssd/ticket/986
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1529.html
Description of problem:
"Unknown (private extension) error(21853), (null)" messages are logged during change password operation of a user in openldap server with ppolicy enabled.

Version-Release number of selected component (if applicable):
sssd-1.5.1-49.el6

How reproducible:
Always

Steps to Reproduce:

1. Setup ppolicy on openldap server.

```
# cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb/olcOverlay\=\{1\}ppolicy.ldif
dn: olcOverlay={1}ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {1}ppolicy
olcPPolicyDefault: cn=Standard Policy,ou=Policies,dc=example,dc=com
olcPPolicyUseLockout: TRUE
structuralObjectClass: olcPPolicyConfig
entryUUID: 3142c552-5cc4-1030-94ec-59a8a4130303
creatorsName: cn=admin,cn=config
createTimestamp: 20110817022726Z
entryCSN: 20110817022726.691621Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20110817022726Z

dn: cn=Standard Policy,ou=Policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockoutDuration: 0
pwdInHistory: 6
pwdCheckQuality: 2
pwdExpireWarning: 1000
pwdMaxAge: 30000
pwdMinLength: 5
pwdGraceAuthNLimit: 3
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdSafeModify: TRUE
pwdLockout: TRUE
cn: Standard Policy
```

2. Add a user:

```
dn: uid=ppuser1,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: pwdPolicy
cn: ppolicy test user 1
uidNumber: 564675
gidNumber: 564675
homeDirectory: /home/ppuser1
pwdAttribute: userPassword
uid: ppuser1
userPassword:: e1NTSEF9akJXbnlTRDFHcWtwdjFJQWFvdHEvc2l3N1lsUHdCc2c=
```

3. Force password reset for the user:

```
# ldapmodify -x -D "cn=Manager,dc=example,dc=com" -w Secret123 <<EOF
dn: uid=ppuser1,dc=example,dc=com
changetype: modify
add: pwdReset
pwdReset: TRUE
EOF
modifying entry "uid=ppuser1,dc=example,dc=com"
```

4. Auth as the user:

```
# ssh -l ppuser1 localhost
ppuser1@localhost's password:
Password expired. Change your password now.
Last login: Tue Aug 30 13:04:09 2011 from localhost
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user ppuser1.
Current Password:
New password:
```

Actual results:
Functionally this works as expected. However, the log returns:

```
[simple_bind_done] (3): Bind result: Unknown (private extension) error(21853), (null)
```

/var/log/sssd/sssd_LDAP.log shows:

```
<snip>
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [simple_bind_send] (4): Executing simple bind as: uid=ppuser1,dc=example,dc=com
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [simple_bind_send] (8): ldap simple bind sent, msgid = 2
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0x1415c00], connected[1], ops[0x13fb9c0], ldap[0x1370620]
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0x1415c00], connected[1], ops[0x13fb9c0], ldap[0x1370620]
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0x1415c00], connected[1], ops[0x13fb9c0], ldap[0x1370620]
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [simple_bind_done] (9): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [simple_bind_done] (7): Password Policy Response: expire [-1] grace [-1] error [Password must be changed].
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [simple_bind_done] (4): Password was reset. User must set a new password.
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [simple_bind_done] (3): Bind result: Unknown (private extension) error(21853), (null)
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [auth_bind_user_done] (9): Found ppolicy data, assuming LDAP password policies are active.
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [sdap_auth4chpass_done] (9): Initial authentication for change password operation successful.
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sending result [0][LDAP]
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sent result [0][LDAP]
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [sdap_handle_release] (8): Trace: sh[0x1415c00], connected[1], ops[(nil)], ldap[0x1370620], destructor_lock[0], release_memory[0]
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [remove_connection_callback] (9): Successfully removed connection callback.
</snip>
```

Expected results:
Improve error message logging of the private error codes.

Additional info:
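
A log-triage sketch for the sssd_LDAP.log excerpt in this report, added here as an example and not part of the original bug or of SSSD's own code: it pairs each simple bind's "Password Policy Response" line with its "Bind result" line, so that result code 21853 is read as a password-policy condition rather than an unknown failure. The function name `explain_binds`, the verdict strings and the two `ppuser2` sample lines are constructed for illustration.

```python
import re

PRIVATE_CODE = 21853  # private result code quoted in this report

LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<dom>[^\]]+)\]\]\] "
                  r"\[(?P<fn>\w+)\] \(\d+\): (?P<msg>.*)$")
BIND_AS = re.compile(r"Executing simple bind as: (.+)")
PPOLICY = re.compile(r"Password Policy Response: expire \[(-?\d+)\] "
                     r"grace \[(-?\d+)\] error \[([^\]]*)\]")
RESULT = re.compile(r"Bind result: .*\((\d+)\), ")

def explain_binds(lines):
    """Return one summary dict per simple bind found in the log lines."""
    out, cur = [], {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an SSSD backend debug line
        msg = m.group("msg")
        if (b := BIND_AS.search(msg)):
            cur = {"ts": m.group("ts"), "dn": b.group(1), "ppolicy": None}
        elif (p := PPOLICY.search(msg)):
            cur["ppolicy"] = p.group(3)  # text inside error [...]
        elif (r := RESULT.search(msg)):
            code = int(r.group(1))
            if code == PRIVATE_CODE and cur.get("ppolicy"):
                verdict = "password policy: " + cur["ppolicy"]
            elif code == PRIVATE_CODE:
                verdict = "private code without ppolicy response"
            elif code == 0:
                verdict = "success"
            else:
                verdict = "LDAP error %d" % code
            out.append({**cur, "code": code, "verdict": verdict})
            cur = {}
    return out

# First four lines are from the log in this report; the ppuser2 lines are constructed.
SAMPLE_LOG = """\
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [simple_bind_send] (4): Executing simple bind as: uid=ppuser1,dc=example,dc=com
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [simple_bind_done] (9): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [simple_bind_done] (7): Password Policy Response: expire [-1] grace [-1] error [Password must be changed].
(Tue Aug 30 13:06:04 2011) [sssd[be[LDAP]]] [simple_bind_done] (3): Bind result: Unknown (private extension) error(21853), (null)
(Tue Aug 30 13:07:10 2011) [sssd[be[LDAP]]] [simple_bind_send] (4): Executing simple bind as: uid=ppuser2,dc=example,dc=com
(Tue Aug 30 13:07:10 2011) [sssd[be[LDAP]]] [simple_bind_done] (3): Bind result: Invalid credentials(49), (null)
""".splitlines()

if __name__ == "__main__":
    for rec in explain_binds(SAMPLE_LOG):
        print(rec["ts"], rec["dn"], rec["code"], rec["verdict"])
```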