Bug 854619

Summary: SSSD cannot cope with empty naming context coming from Novell eDirectory
Product: Red Hat Enterprise Linux 6
Reporter: Jiri Hnidek <jiri.hnidek>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: high
Priority: urgent
Version: 6.3
CC: acontant, chhudson, djk, dpal, grajaiya, jgalipea, jhrozek, jpallich, mrhodes, msauton, pbrezina
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: sssd-1.9.2-2.el6
Doc Type: Bug Fix
Doc Text:
When SSSD was built without sudo support, the ldap_sudo_search_base value was not set and the namingContexts LDAP attribute contained a zero-length string. Consequently, SSSD tried to set ldap_sudo_search_base to this string and failed. As a result, SSSD was unable to establish a connection with the LDAP server and switched to offline mode. With this update, SSSD treats a zero-length namingContexts value the same way as if no value was available, which prevents this bug.
Bug Blocks: 881460
Last Closed: 2013-02-21 09:36:52 UTC
Type: Bug

Description Jiri Hnidek 2012-09-05 12:58:32 UTC
Description of problem:

User authentication using LDAP doesn't work after upgrade from RHEL 6.2 to RHEL 6.3.

Version-Release number of selected component (if applicable):



How reproducible:


Steps to Reproduce:
1. Install RHEL 6.2
2. Configure machine to do LDAP user authentication
3. Upgrade to RHEL 6.3
  
Actual results:

# getent passwd user.name

Expected results:

# getent passwd user.name
user.name:x:1011:2000:User Name:/home/user.name:/bin/bash

Additional info:

I can get information about the LDAP user using ldapsearch. It seems that sssd ignores the ldap configuration. I tried downgrading several packages, but I didn't find which package causes this bug.

Comment 2 Jakub Hrozek 2012-09-05 13:22:04 UTC
Hello Jiri,

thank you for the bug report. A regression is quite concerning. However, I need more information to debug the problem completely.

I would suggest to try the following:
1) Check out the permissions on /etc/nsswitch.conf. It should be readable by all, and I know there was a recent sudo update that may have changed the permissions to only readable by root. Does /etc/nsswitch.conf contain "sss" on the passwd and group lines?

2) downgrade the SSSD to the 6.2 version. I assume you'd need to remove the cache files, because the cache has been upgraded in 6.3. Removing the files would also remove any cached credentials, so proceed with caution especially on a laptop or other system where you may need the cached credentials offline:
# rm -f /var/lib/sss/db/cache_$domain.ldb
# yum downgrade sssd
# service sssd restart

3) If the SSSD works after the downgrade to the 6.2 but is broken in 6.3, then we're looking at a regression in the SSSD. Then I would suggest putting debug_level=8 into the [nss] and [domain/$NAME] section of the sssd.conf, restarting the SSSD and attaching logs in /var/log/sssd/*.log

Comment 3 Jiri Hnidek 2012-09-06 08:41:26 UTC
Hi Jakub,
thanks for the fast reply.

1) I checked the permissions and everybody can read it. The string "sss" is on both lines.

2) I tried to downgrade sssd from version 1.8 to version 1.5.1, but it still doesn't work.

3) I changed debug_level to 8 and this is the result in the current version (6.3) after executing

# getent passwd user.name

/var/log/sssd/sssd_default.log (cropped)

(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'ldap.domain.com' as 'name resolved'
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [be_resolve_server_done] (0x1000): Saving the first resolved server
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [be_resolve_server_done] (0x0200): Found address for server ldap.domain.com: [1.2.3.4] TTL 86400
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldap://ldap.domain.com/'
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://ldap.domain.com:389/??base] with fd [32].
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x23f21a0], connected[1], ops[0x23803f0], ldap[0x240df30]
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl]
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension]
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures]
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion]
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms]
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext]
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN]
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 2
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x23f21a0], connected[1], ops[0x237fda0], ldap[0x240df30]
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x23f21a0], connected[1], ops[0x237fda0], ldap[0x240df30]
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x23f21a0], connected[1], ops[0x237fda0], ldap[0x240df30]
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [get_naming_context] (0x0200): Using value from [namingContexts] as naming context.
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_set_search_base] (0x0100): Setting option [ldap_sudo_search_base] to [].
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_cli_use_rootdse] (0x0040): sdap_set_config_options_with_rootdse failed.
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_cli_rootdse_done] (0x0040): sdap_cli_use_rootdse failed
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ldap.domain.com' as 'not working'
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_handle_release] (0x2000): Trace: sh[0x23f21a0], connected[1], ops[(nil)], ldap[0x240df30], destructor_lock[0], release_memory[0]
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [check_online_callback] (0x0100): Backend returned: (3, 0, <NULL>) [Internal Error (Úspěch)]
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'ldap.domain.com' as 'name not resolved'
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ldap.domain.com' as 'neutral'

The other sssd log files contain nothing, or nothing useful.

Comment 4 Stephen Gallagher 2012-09-06 08:58:48 UTC
(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_set_search_base] (0x0100): Setting option [ldap_sudo_search_base] to [].

This looks to be the problem. The search base should never be an empty string here. It gets that value in one of three ways:

1) It was explicitly specified by the ldap_sudo_search_base option in sssd.conf.
2) It was explicitly specified by the ldap_search_base catch-all option in sssd.conf
3) Neither above option was specified so it gets it from the namingContexts/defaultNamingContext attributes in the LDAP server's rootDSE.

Can you try the following and report the output:

ldapsearch -x -H ldap://ldap.domain.com -b "" -s base namingContexts defaultNamingContext

I suspect that someone may have made a mistake on your LDAP server. In the meantime, you can specify one of the above options in your sssd.conf explicitly to work around the problem.
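
The failure signature pointed out in this comment, as an added example that is not part of the original thread and not SSSD code: a small C scanner that reports which search-base option was set to an empty value before the rootDSE step failed. BUG_LOG is abridged from the log in comment 3; OK_LOG is constructed, and the C function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Abridged from the backend log in comment 3. */
static const char *const BUG_LOG[] = {
    "(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [get_naming_context] (0x0200): Using value from [namingContexts] as naming context.",
    "(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_set_search_base] (0x0100): Setting option [ldap_sudo_search_base] to [].",
    "(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_cli_use_rootdse] (0x0040): sdap_set_config_options_with_rootdse failed.",
    "(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ldap.domain.com' as 'not working'",
};

/* Constructed for contrast: a non-empty base and no rootDSE failure. */
static const char *const OK_LOG[] = {
    "(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [sdap_set_search_base] (0x0100): Setting option [ldap_sudo_search_base] to [dc=example,dc=com].",
    "(Thu Sep  6 09:45:34 2012) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ldap.domain.com' as 'working'",
};

/* Split "(time) [process] [function] (0xLEVEL): message" into the function
 * name and the message. Returns 0 on success, -1 for other line shapes. */
static int parse_sssd_line(const char *line, char *func, size_t len,
                           const char **msg)
{
    const char *p = strstr(line, "] [");     /* end of the process tag */
    if (p == NULL) return -1;
    p += 3;
    const char *end = strchr(p, ']');
    if (end == NULL || (size_t)(end - p) >= len) return -1;
    memcpy(func, p, (size_t)(end - p));
    func[end - p] = '\0';
    const char *m = strstr(end, "): ");      /* end of the debug level */
    if (m == NULL) return -1;
    *msg = m + 3;
    return 0;
}

/* If msg is "Setting option [NAME] to []", copy NAME and return 1.
 * Returns 0 for any other message, including a non-empty value. */
static int empty_base_option(const char *msg, char *name, size_t len)
{
    static const char prefix[] = "Setting option [";
    if (strncmp(msg, prefix, sizeof(prefix) - 1) != 0) return 0;
    const char *start = msg + sizeof(prefix) - 1;
    const char *sep = strstr(start, "] to [");
    if (sep == NULL || (size_t)(sep - start) >= len) return 0;
    if (sep[6] != ']') return 0;             /* something sits between [ and ] */
    memcpy(name, start, (size_t)(sep - start));
    name[sep - start] = '\0';
    return 1;
}

/* Returns 1 and copies the option name when an empty search base was set
 * and sdap_cli_use_rootdse later reported a failure; returns 0 otherwise. */
int find_empty_search_base(const char *const *lines, size_t n,
                           char *option, size_t optlen)
{
    char func[64], pending[64] = "";
    const char *msg;
    for (size_t i = 0; i < n; i++) {
        if (parse_sssd_line(lines[i], func, sizeof(func), &msg) != 0)
            continue;
        if (strcmp(func, "sdap_set_search_base") == 0) {
            empty_base_option(msg, pending, sizeof(pending));
        } else if (strcmp(func, "sdap_cli_use_rootdse") == 0 &&
                   strstr(msg, "failed") != NULL && pending[0] != '\0') {
            snprintf(option, optlen, "%s", pending);
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    char option[64];
    if (find_empty_search_base(BUG_LOG, COUNT(BUG_LOG), option, sizeof(option)))
        printf("empty search base set for %s before rootDSE setup failed\n", option);
    if (!find_empty_search_base(OK_LOG, COUNT(OK_LOG), option, sizeof(option)))
        printf("no empty search base in the second log\n");
    return 0;
}
```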

Comment 5 Jiri Hnidek 2012-09-06 09:49:00 UTC
The output of

ldapsearch -x -H ldap://ldap.domain.com -b "" -s base namingContexts defaultNamingContext

is the following:

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts defaultNamingContext 
#

#
dn:
namingContexts:

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
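
The lookup order from comment 4 applied to the rootDSE shown here, as an added example that is not SSSD code: it models why ldap_sudo_search_base ended up empty even with ldap_search_base set, and how treating a zero-length namingContexts value as missing (the Doc Text fix) avoids the failure. All type and function names are hypothetical; the inherits_catch_all flag and the order in which the two rootDSE attributes are tried are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Where the effective search base for one option came from. */
enum base_source { SRC_EXPLICIT, SRC_CATCH_ALL, SRC_ROOTDSE, SRC_UNSET };

/* rootDSE attributes as returned by the server: NULL means the attribute
 * is absent, "" means it is present with a zero-length value. */
struct rootdse {
    const char *naming_contexts;
    const char *default_naming_context;
};

/* One *_search_base option (hypothetical struct, not an SSSD type). */
struct base_option {
    const char *name;
    const char *explicit_value;  /* from sssd.conf, NULL when not set */
    int inherits_catch_all;      /* 0 models ldap_sudo_search_base in a
                                    build without sudo support */
};

struct resolved {
    enum base_source source;
    const char *base;            /* NULL when the option stays unset */
};

static const char CATCH_ALL[] = "ou=something,o=somethingelse,t=com"; /* comment 11 */
static const struct rootdse EDIR_ROOTDSE = { "", NULL };              /* comment 5 */
static const struct rootdse HEALTHY_ROOTDSE = { "dc=example,dc=com", NULL }; /* constructed */
static const struct base_option USER_BASE = { "ldap_user_search_base", NULL, 1 };
static const struct base_option SUDO_BASE = { "ldap_sudo_search_base", NULL, 0 };

/* Pick the naming context from the rootDSE. With fixed != 0 a zero-length
 * value counts as missing, which is the behaviour the Doc Text describes. */
static const char *naming_context(const struct rootdse *r, int fixed)
{
    const char *candidates[2] = { r->naming_contexts, r->default_naming_context };
    for (int i = 0; i < 2; i++) {
        const char *c = candidates[i];
        if (c == NULL) continue;
        if (fixed && c[0] == '\0') continue;
        return c;
    }
    return NULL;
}

/* Returns 0 on success and -1 when the option cannot be set, the point at
 * which the log in comment 3 shows the backend going offline. */
int resolve_search_base(const struct base_option *opt, const char *catch_all,
                        const struct rootdse *r, int fixed, struct resolved *out)
{
    out->source = SRC_UNSET;
    out->base = NULL;
    if (opt->explicit_value != NULL) {                   /* 1) the option itself */
        out->source = SRC_EXPLICIT;
        out->base = opt->explicit_value;
        return 0;
    }
    if (opt->inherits_catch_all && catch_all != NULL) {  /* 2) ldap_search_base */
        out->source = SRC_CATCH_ALL;
        out->base = catch_all;
        return 0;
    }
    const char *ctx = naming_context(r, fixed);          /* 3) rootDSE */
    if (ctx == NULL) return 0;       /* nothing usable: leave the option unset */
    if (ctx[0] == '\0') return -1;   /* "Setting option [...] to []" */
    out->source = SRC_ROOTDSE;
    out->base = ctx;
    return 0;
}

int main(void)
{
    struct resolved res;
    for (int fixed = 0; fixed <= 1; fixed++) {
        int rc = resolve_search_base(&SUDO_BASE, CATCH_ALL, &EDIR_ROOTDSE, fixed, &res);
        printf("%s fixed=%d rc=%d base=%s\n", SUDO_BASE.name, fixed, rc,
               res.base ? res.base : "(unset)");
    }
    resolve_search_base(&USER_BASE, CATCH_ALL, &EDIR_ROOTDSE, 0, &res);
    printf("%s base=%s\n", USER_BASE.name, res.base);
    return 0;
}
```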

Comment 6 Stephen Gallagher 2012-09-06 13:06:10 UTC
Well, there's the problem. Your LDAP server has become corrupt. The namingContexts attribute of the RootDSE must always contain the search base of your installation.

As I said before, if you need to work around this, just set
ldap_search_base = dc=domain,dc=com

in the [domain/DOMAINNAME] section of sssd.conf and restart SSSD. You should also report the LDAP server problem to your IT department.

Comment 7 Jiri Hnidek 2012-09-07 07:49:34 UTC
No, there is no problem. I have always had:

ldap_search_base = dc=domain,dc=com

in sssd.conf

Our IT department doesn't see any problem in their configuration of LDAP.

Comment 8 Jakub Hrozek 2012-09-07 16:07:06 UTC
Jiri, can you also paste the beginning of the sssd log when the SSSD starts up? It should list how it sets all the options. I'm curious about how the search base got set.

Can you also attach your sanitized sssd.conf?

Thank you!

Comment 9 Thomas Hood 2012-09-11 12:32:39 UTC
Jiri wrote:
> Actual results:
> # getent passwd user.name
>
> Expected results:
> # getent passwd user.name
> user.name:x:1011:2000:User Name:/home/user.name:/bin/bash

What is the output of

    getent passwd user.name@FOO

where 'FOO' here stands for the sssd domain name where 'user.name' can be resolved. 

The sssd domain name in question can be found in sssd.conf at the head of the section where you configured LDAP.

    [domain/FOO]
    ldap_uri = ldap://1.2.3.4
    ...

-- 
Thomas Hood

Comment 10 Jakub Hrozek 2012-09-11 16:19:27 UTC
(In reply to comment #9)
> Jiri wrote:
> > Actual results:
> > # getent passwd user.name
> >
> > Expected results:
> > # getent passwd user.name
> > user.name:x:1011:2000:User Name:/home/user.name:/bin/bash
> 
> What is the output of
> 
>     getent passwd user.name@FOO
> 
> where 'FOO' here stands for the sssd domain name where 'user.name' can be
> resolved. 
> 
> The sssd domain name in question can be found in sssd.conf at the head of
> the section where you configured LDAP.
> 
>     [domain/FOO]
>     ldap_uri = ldap://1.2.3.4

I wouldn't expect this to make a whole lot of difference unless Jiri is using use_fully_qualified_names = True

I still suspect an issue with setting the search bases, however I'd need to see the debug messages from when the provider started up.

Comment 11 Jiri Hnidek 2012-09-11 18:04:28 UTC
This is sanitized sssd.conf

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = ou=something,o=somethingelse,t=com
chpass_provider = ldap
id_provider = ldap
auth_provider = ldap
debug_level = 8
ldap_uri = ldaps://ldap.domain.com/
ldap_tls_cacertdir = /etc/openldap/cacerts

The output of 'getent passwd user.name@FOO' is nothing :-)

Comment 12 Jakub Hrozek 2012-09-11 20:14:54 UTC
Jiri, can you also paste the first couple of lines of the SSSD domain log after the SSSD starts? That part of the log would show how the search bases are assigned. I suspect there is a mismatch between the value from the config file (which should trump all) and what the SSSD reads from the rootDSE.

Comment 13 Jiri Hnidek 2012-09-14 13:44:40 UTC
Hi Jakub,
it seems that sssd has some trouble with rootDSE. These are the first lines of sssd_default.log after the sssd service is started

(Fri Sep 14 15:39:57 2012) [sssd[be[default]]] [sbus_remove_watch] (0x2000): 0x8b5090/0x8ad6f0
(Fri Sep 14 15:39:57 2012) [sssd[be[default]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Fri Sep 14 15:39:57 2012) [sssd[be[default]]] [be_client_destructor] (0x0400): Removed NSS client
(Fri Sep 14 15:39:57 2012) [sssd[be[default]]] [sbus_remove_watch] (0x2000): 0x8a5e70/0x8a57c0
(Fri Sep 14 15:40:19 2012) [sssd[be[default]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
(Fri Sep 14 15:40:19 2012) [sssd[be[default]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Fri Sep 14 15:40:19 2012) [sssd[be[default]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Fri Sep 14 15:40:19 2012) [sssd[be[default]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
(Fri Sep 14 15:40:19 2012) [sssd[be[default]]] [confdb_get_domain_internal] (0x0020): No enumeration for [default]!
(Fri Sep 14 15:40:19 2012) [sssd[be[default]]] [sysdb_domain_init_internal] (0x0200): DB File for default: /var/lib/sss/db/cache_default.ldb
(Fri Sep 14 15:40:19 2012) [sssd[be[default]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Fri Sep 14 15:40:19 2012) [sssd[be[default]]] [sbus_init_connection] (0x0200): Adding connection B24420
(Fri Sep 14 15:40:19 2012) [sssd[be[default]]] [sbus_add_watch] (0x2000): 0xb27c00/0xb11340 (21), -/W (enabled)
(Fri Sep 14 15:40:19 2012) [sssd[be[default]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_default,1)
(Fri Sep 14 15:40:19 2012) [sssd[be[default]]] [sbus_add_timeout] (0x2000): 0xb24a60
(Fri Sep 14 15:40:19 2012) [sssd[be[default]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_default.28228 to a link /var/lib/sss/pipes/private/sbus-dp_default
(Fri Sep 14 15:40:19 2012) [sssd[be[default]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_default.28228,guid=da3bbc27c5364746f5ce88cc000bdcbc
(Fri Sep 14 15:40:19 2012) [sssd[be[default]]] [sbus_add_watch] (0x2000): 0xb28e70/0xb287c0 (22), R/- (enabled)
(Fri Sep 14 15:40:19 2012) [sssd[be[default]]] [load_backend_module] (0x1000): Loading backend [ldap] with path [/usr/lib64/sssd/libsss_ldap.so].

Comment 14 Jiri Hnidek 2012-09-20 13:05:55 UTC
Hi, I'm sending more output of sssd_default.log, when sssd is starting.

(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [confdb_get_domain_internal] (0x0020): No enumeration for [default]!
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sysdb_domain_init_internal] (0x0200): DB File for default: /var/lib/sss/db/cache_default.ldb
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sbus_init_connection] (0x0200): Adding connection 1D84420
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sbus_add_watch] (0x2000): 0x1d87c00/0x1d84880 (21), -/W (enabled)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_default,1)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sbus_add_timeout] (0x2000): 0x1d87f30
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_default.24479 to a link /var/lib/sss/pipes/private/sbus-dp_default
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_default.24479,guid=69a3a2247d33f963ada2364e0004106d
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sbus_add_watch] (0x2000): 0x1d88eb0/0x1d88800 (22), R/- (enabled)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [load_backend_module] (0x1000): Loading backend [ldap] with path [/usr/lib64/sssd/libsss_ldap.so].
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_uri has value ldaps://ldap.domain.com/
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_search_base has value ou=string1,o=string2,t=com
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_default_bind_dn has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_default_authtok_type has value password
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_default_authtok has no binary value.
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_search_timeout has value 6
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_network_timeout has value 6
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_opt_timeout has value 6
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_tls_reqcert has value hard
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_user_search_base has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_user_search_scope has value sub
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_user_search_filter has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_group_search_base has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_group_search_scope has value sub
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_group_search_filter has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_service_search_base has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_sudo_search_base has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_sudo_refresh_enabled is FALSE
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_sudo_refresh_timeout has value 300
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_autofs_search_base has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_schema has value rfc2307
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_offline_timeout has value 60
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_force_upper_case_realm is FALSE
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_enumeration_refresh_timeout has value 300
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_purge_cache_timeout has value 10800
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_tls_cacert has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_tls_cacertdir has value /etc/openldap/cacerts
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_tls_cert has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_tls_key has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_tls_cipher_suite has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_id_use_start_tls is TRUE
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_sasl_mech has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_sasl_authid has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_sasl_realm has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_sasl_minssf has value -1
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_krb5_keytab has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_krb5_init_creds is TRUE
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option krb5_server has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option krb5_realm has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option krb5_canonicalize is TRUE
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_pwd_policy has value none
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_referrals is TRUE
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option account_cache_expiration has value 0
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_dns_service_name has value ldap
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_krb5_ticket_lifetime has value 86400
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_access_filter has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_group_nesting_level has value 2
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_deref has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_account_expire_policy has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_access_order has value filter
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_chpass_uri has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_chpass_dns_service_name has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_chpass_update_last_change is FALSE
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_enumeration_search_timeout has value 60
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_auth_disable_tls_never_use_in_production is FALSE
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_page_size has value 1000
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_deref_threshold has value 10
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_sasl_canonicalize is FALSE
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_connection_expire_timeout has value 900
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_disable_paging is FALSE
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [ldap_get_options] (0x0400): Option ldap_user_search_base set to ou=string1,o=string2,t=com
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [ldap_get_options] (0x0400): Option ldap_group_search_base set to ou=string1,o=string2,t=com
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [ldap_get_options] (0x0400): Option ldap_netgroup_search_base set to ou=string1,o=string2,t=com
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [ldap_get_options] (0x0400): Option ldap_service_search_base set to ou=string1,o=string2,t=com
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][ou=string1,o=string2,t=com][SUBTREE][]
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [USER][ou=string1,o=string2,t=com][SUBTREE][]
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][ou=string1,o=string2,t=com][SUBTREE][]
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][ou=string1,o=string2,t=com][SUBTREE][]
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][ou=string1,o=string2,t=com][SUBTREE][]
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_entry_usn has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_rootdse_last_usn has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_object_class has value posixAccount
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_name has value uid
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_pwd has value userPassword
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_uid_number has value uidNumber
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_gid_number has value gidNumber
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_gecos has value gecos
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_home_directory has value homeDirectory
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_shell has value loginShell
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_principal has value krbPrincipalName
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_fullname has value cn
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_member_of has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_uuid has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_modify_timestamp has value modifyTimestamp
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_entry_usn has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_shadow_last_change has value shadowLastChange
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_shadow_min has value shadowMin
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_shadow_max has value shadowMax
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_shadow_warning has value shadowWarning
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_shadow_inactive has value shadowInactive
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_shadow_expire has value shadowExpire
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_shadow_flag has value shadowFlag
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_krb_last_pwd_change has value krbLastPwdChange
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_krb_password_expiration has value krbPasswordExpiration
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_pwd_attribute has value pwdAttribute
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_authorized_service has value authorizedService
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_ad_account_expires has value accountExpires
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_ad_user_account_control has value userAccountControl
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_ns_account_lock has value nsAccountLock
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_authorized_host has value host
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_nds_login_disabled has value loginDisabled
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_nds_login_expiration_time has value loginExpirationTime
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_nds_login_allowed_time_map has value loginAllowedTimeMap
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_user_ssh_public_key has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_group_object_class has value posixGroup
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_group_name has value cn
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_group_pwd has value userPassword
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_group_gid_number has value gidNumber
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_group_member has value memberuid
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_group_uuid has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_group_modify_timestamp has value modifyTimestamp
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_group_entry_usn has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_netgroup_object_class has value nisNetgroup
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_netgroup_name has value cn
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_netgroup_member has value memberNisNetgroup
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_netgroup_triple has value nisNetgroupTriple
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_netgroup_uuid has value nsUniqueId
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_netgroup_modify_timestamp has value modifyTimestamp
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_service_object_class has value ipService
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_service_name has value cn
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_service_port has value ipServicePort
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_service_proto has value ipServiceProtocol
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_service_entry_usn has value (null)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [krb5_try_kdcip] (0x0100): No KDC found in configuration, trying legacy option
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sssm_ldap_id_init] (0x1000): Service name for discovery set to ldap
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [fo_new_service] (0x0080): Creating new service 'LDAP'
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_service_init] (0x0400): Added URI ldaps://ldap.domain.com/
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'ldap.domain.com', to service 'LDAP'
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [ldap_id_cleanup_set_timer] (0x0400): Scheduling next cleanup at 1348145201.1181000
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [be_process_init] (0x2000): ID backend target successfully loaded from provider [ldap].
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [load_backend_module] (0x1000): Backend [ldap] already loaded.
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sssm_ldap_id_init] (0x2000): Re-using sdap_id_ctx for this provider
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [be_process_init] (0x2000): AUTH backend target successfully loaded from provider [ldap].
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [permit].
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [be_process_init] (0x2000): ACCESS backend target successfully loaded from provider [permit].
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [load_backend_module] (0x1000): Backend [ldap] already loaded.
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sssm_ldap_id_init] (0x2000): Re-using sdap_id_ctx for this provider
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [be_process_init] (0x2000): CHPASS backend target successfully loaded from provider [ldap].
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [load_backend_module] (0x1000): Backend [ldap] already loaded.
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sssm_ldap_sudo_init] (0x0080): Sudo init handler called but SSSD is built without sudo support, ignoring
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [be_process_init] (0x2000): SUDO backend target successfully loaded from provider [ldap].
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [load_backend_module] (0x1000): Backend [ldap] already loaded.
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sssm_ldap_id_init] (0x2000): Re-using sdap_id_ctx for this provider
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_autofs_init] (0x2000): Initializing autofs LDAP back end
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [ldap_get_autofs_options] (0x0200): Option ldap_autofs_search_base set to ou=string1,o=string2,t=com
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][ou=string1,o=string2,t=com][SUBTREE][]
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_autofs_map_object_class has value automountMap
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_autofs_map_name has value ou
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_autofs_entry_object_class has value automount
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_autofs_entry_key has value cn
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sdap_get_map] (0x0200): Option ldap_autofs_entry_value has value automountInformation
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [be_process_init] (0x2000): autofs backend target successfully loaded from provider [ldap].
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [load_backend_module] (0x1000): Backend [ldap] already loaded.
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [be_process_init] (0x0020): No Session module provided for [default] !!
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [load_backend_module] (0x1000): Backend [ldap] already loaded.
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [be_process_init] (0x0020): No host info module provided for [default] !!
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [main] (0x0020): Backend provider (default) started!
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sbus_remove_timeout] (0x2000): 0x1d87f30
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x1d92e50.
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sbus_init_connection] (0x0200): Adding connection 1D92E50
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sbus_add_watch] (0x2000): 0x1d92c30/0x1d87ee0 (29), -/W (disabled)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x1d924c0]
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [client_registration] (0x0100): Cancel DP ID timeout [0x1d924c0]
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [client_registration] (0x0100): Added Frontend client [NSS]
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x1d97c30.
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sbus_init_connection] (0x0200): Adding connection 1D97C30
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sbus_add_watch] (0x2000): 0x1d98270/0x1d931a0 (30), -/W (disabled)
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x1d984e0]
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [client_registration] (0x0100): Cancel DP ID timeout [0x1d984e0]
(Thu Sep 20 14:46:31 2012) [sssd[be[default]]] [client_registration] (0x0100): Added Frontend client [PAM]

Comment 15 Jiri Hnidek 2012-09-26 14:33:40 UTC
It's our case:

http://ldapwiki.willeke.com/wiki/Edirectory%20Anomalies (Empty namingContext)

Comment 16 Stephen Gallagher 2012-09-26 15:05:28 UTC
Ok, I know what's going on here now. The code that reads the RootDSE will always attempt to populate unset ldap_*_search_base options. The ldap_sudo_search_base option is only populated from ldap_search_base if sudo_provider = ldap.

This meant that it was trying to populate a value we don't actually need during RootDSE lookup from an attribute on the LDAP server that isn't actually valid. Oops.

There are several ways to fix this, but the simplest is for us to just check whether the namingContexts value we got is zero-length and just set it to NULL. We always do NULL checks elsewhere in the code before actually using the value (which in your configuration would never happen). This would also protect against similar issues in the future with other responders such as autofs, ssh_pubkey, etc.

I am sending a patch to the upstream devel list to address this.
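The zero-length check described in comment 16, as an added sketch in C. It is not SSSD's code or the upstream patch; the struct, the function names and the rule that a default is chosen only when there is exactly one value are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one ldap_*_search_base option; NULL value = unset. */
struct search_base_opt {
    const char *name;
    const char *value;
};

/* Pick a default search base from the RootDSE namingContexts values.
 * A zero-length value (as eDirectory returns) is treated exactly like a
 * missing attribute: the caller gets NULL. Assumption of this sketch:
 * a default is only chosen when there is exactly one value. */
const char *default_naming_context(const char *const *values, size_t count)
{
    if (values == NULL || count != 1 || values[0] == NULL)
        return NULL;
    if (values[0][0] == '\0')
        return NULL;
    return values[0];
}

/* Populate every unset option from the default; returns how many were set. */
size_t fill_unset_search_bases(struct search_base_opt *opts, size_t n,
                               const char *naming_context)
{
    size_t filled = 0;
    if (naming_context == NULL)
        return 0;               /* nothing usable: leave options unset */
    for (size_t i = 0; i < n; i++) {
        if (opts[i].value == NULL) {
            opts[i].value = naming_context;
            filled++;
        }
    }
    return filled;
}

int main(void)
{
    /* Constructed sample: autofs base as in the log, sudo base unset. */
    struct search_base_opt opts[] = {
        { "ldap_autofs_search_base", "ou=string1,o=string2,t=com" },
        { "ldap_sudo_search_base", NULL },
    };
    const char *const edir[] = { "" };   /* empty namingContexts value */
    size_t n = fill_unset_search_bases(opts, 2, default_naming_context(edir, 1));
    printf("filled=%zu sudo=%s\n", n, opts[1].value ? opts[1].value : "(unset)");
    return 0;
}
```

Because the empty value is turned into NULL once, at the point where the RootDSE is read, every later consumer only needs its existing NULL check.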

Comment 17 Jakub Hrozek 2012-09-26 20:29:31 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1542

Comment 19 Jiri Hnidek 2012-09-27 08:22:08 UTC
I can confirm that it works with this patch :-). Thanks. When can I expect this in the repository?

Comment 20 Jakub Hrozek 2012-09-27 08:25:48 UTC
(In reply to comment #19)
> I can confirm that it works with this patch :-). Thanks. When can I expect
> this in the repository?

Because the bug is a regression in functionality, I think RHEL 6.4. Feel free to talk to your Red Hat support representative if you need the fix sooner.

Thank you for reporting the issue.

Comment 22 Jiri Hnidek 2012-09-27 09:01:33 UTC
OK, I will create my own rpm packages with this patch, because I definitely need it next week on Monday ;-).

Comment 28 Kaushik Banerjee 2012-11-28 10:47:09 UTC
Marking the bug sanity only verified in version 1.9.2-24 as there are no known regressions related to sssd communicating with ldap servers.

Comment 30 errata-xmlrpc 2013-02-21 09:36:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html