Bug 592441 - SSSD: Failing to Connect to Directory Server - Marking BE offline
Summary: SSSD: Failing to Connect to Directory Server - Marking BE offline
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.0
Hardware: All
OS: Linux
Priority: low
Severity: high
Target Milestone: rc
Assignee: Stephen Gallagher
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-05-14 20:56 UTC by Jenny Severance
Modified: 2015-01-04 23:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-05-18 20:53:15 UTC
Target Upstream Version:
Embargoed:



Description Jenny Severance 2010-05-14 20:56:52 UTC
Description of problem:
With the latest build for RHEL 6 - the Directory Server backend is immediately being marked offline - with "can't connect to LDAP server" - and never re-connects.

I am successful 

openldap tls ldapsearches from the client are successful 

ldapsearch -x -ZZ -H ldap://sssdldap.idm.lab.bos.redhat.com:2389 -b uid=user2000,ou=people,dc=bos,dc=redhat,dc=com
# extended LDIF
#
# LDAPv3
# base <uid=user2000,ou=people,dc=bos,dc=redhat,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# user2000, People, bos.redhat.com
dn: uid=user2000,ou=People, dc=bos,dc=redhat,dc=com
givenName: user
sn: 2000
sn: 2009
loginShell: /bin/bash
uidNumber: 2001
gidNumber: 2001
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: user2000
gecos: User 2001
cn: user 2000
homeDirectory: /home/user2001

# search result
search: 3
result: 0 Success


DEBUG:

(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [sdap_connect_send] (4): Executing START TLS
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [sdap_connect_send] (3): ldap_start_tls failed: [Can't contact LDAP server]
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [sdap_handle_release] (8): Trace: sh[0x928fe40], connected[0], ops[(nil)], ldap[0x928f538], destructor_lock[0], release_memory[0]
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [remove_connection_callback] (9): Successfully removed connection callback.
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [fo_set_port_status] (4): Marking port 2389 of server 'sssdldap.idm.lab.bos.redhat.com' as 'not working'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [fo_resolve_service_send] (4): Trying to resolve service 'LDAP'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_server_status] (7): Status of server 'sssdldap.idm.lab.bos.redhat.com' is 'name resolved'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_port_status] (7): Port status of port 2389 for server 'sssdldap.idm.lab.bos.redhat.com' is 'not working'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_server_status] (7): Status of server 'sssdldap.idm.lab.bos.redhat.com' is 'name resolved'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_port_status] (7): Port status of port 2389 for server 'sssdldap.idm.lab.bos.redhat.com' is 'not working'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_server_status] (7): Status of server 'sssdldap.idm.lab.bos.redhat.com' is 'name resolved'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_port_status] (7): Port status of port 2389 for server 'sssdldap.idm.lab.bos.redhat.com' is 'not working'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [fo_resolve_service_send] (1): No available servers for service 'LDAP'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [fo_set_port_status] (4): Marking port 2389 of server 'sssdldap.idm.lab.bos.redhat.com' as 'not working'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [ldap_id_enum_users_done] (9): User enumeration failed with: (5)[Input/output error]
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [be_mark_offline] (8): Going offline!


Also, it would be really helpful if we could get a better debug message - than just "[Can't contact LDAP server]" - if possible.

Version-Release number of selected component (if applicable):
sssd-1.1.91-10.el6.i686

How reproducible:
always with the following configuration

[sssd]
config_file_version = 2
domains = LOCAL, LDAP
sbus_timeout = 30
services = nss, pam
debug_level = 6

[nss]
filter_groups = root
filter_users = root

[pam]
reconnection_retries = 3

[domain/LDAP]
auth_provider = ldap
cache_credentials = TRUE
enumerate = TRUE
id_provider = ldap
auth_provider = ldap
ldap_group_search_base = ou=Groups,dc=bos,dc=redhat,dc=com
ldap_user_search_base = ou=People,dc=bos,dc=redhat,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/cacert2.asc
ldap_uri = ldap://sssdldap.idm.lab.bos.redhat.com:2389
timeout = 30
debug_level = 99



Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

If I use the same configuration to a directory server instance running on the default standard port 389 - everything works fine!
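The debug excerpt above follows the sssd 1.x line format `(timestamp) [sssd[be[LDAP]]] [function] (level): message`, and the failover sequence (StartTLS failure, port marked 'not working', no servers left, back end offline) is what an operator has to pick out of hundreds of level-9 lines. The following triage script is an added example, not code from the bug report or from the sssd project: it parses that format, re-joins wrapped lines such as the `'not` / `working'` pair in the excerpt, and summarises the failover events. The sample log is the excerpt from the description; the hint about the non-default port is an assumption drawn from the resolution of this bug.

```python
"""Triage an SSSD LDAP back-end debug log for failover events (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# One sssd 1.x debug record:
#   (Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [function] (level): message
# The source field itself contains brackets, so it is matched non-greedily
# up to the first "] [function] (level): " that follows it.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<src>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>\d+)\): (?P<msg>.*)$"
)
PORT_RE = re.compile(
    r"Marking port (?P<port>\d+) of server '(?P<server>[^']+)' as '(?P<status>[^']+)'"
)

# Log excerpt from the bug description, including the wrapped
# get_port_status line that the parser has to re-join.
SAMPLE_LOG = """\
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [sdap_connect_send] (4): Executing START TLS
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [sdap_connect_send] (3): ldap_start_tls failed: [Can't contact LDAP server]
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [sdap_handle_release] (8): Trace: sh[0x928fe40], connected[0], ops[(nil)], ldap[0x928f538], destructor_lock[0], release_memory[0]
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [remove_connection_callback] (9): Successfully removed connection callback.
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [fo_set_port_status] (4): Marking port 2389 of server 'sssdldap.idm.lab.bos.redhat.com' as 'not working'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [fo_resolve_service_send] (4): Trying to resolve service 'LDAP'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_server_status] (7): Status of server 'sssdldap.idm.lab.bos.redhat.com' is 'name resolved'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_port_status] (7): Port status of port 2389 for server 'sssdldap.idm.lab.bos.redhat.com' is 'not
 working'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [fo_resolve_service_send] (1): No available servers for service 'LDAP'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [fo_set_port_status] (4): Marking port 2389 of server 'sssdldap.idm.lab.bos.redhat.com' as 'not working'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [ldap_id_enum_users_done] (9): User enumeration failed with: (5)[Input/output error]
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [be_mark_offline] (8): Going offline!
"""


@dataclass
class Triage:
    connect_errors: List[str] = field(default_factory=list)   # sdap_connect_send failures
    op_errors: List[str] = field(default_factory=list)        # *_done callbacks reporting failure
    port_status: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (server, port) -> status
    no_servers: bool = False
    went_offline: bool = False


def parse_lines(text: str) -> List[Tuple[str, int, str]]:
    """Return (function, level, message) records; a line that does not start
    a new record is a wrapped continuation of the previous message."""
    records: List[List] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            records.append([m["func"], int(m["level"]), m["msg"]])
        elif records and raw.strip():
            records[-1][2] += " " + raw.strip()
    return [tuple(r) for r in records]


def triage(text: str) -> Triage:
    """Collect the failover-relevant events from a debug log."""
    t = Triage()
    for func, _level, msg in parse_lines(text):
        if func == "sdap_connect_send" and "failed" in msg:
            t.connect_errors.append(msg)
        elif func == "fo_set_port_status":
            pm = PORT_RE.search(msg)
            if pm:
                t.port_status[(pm["server"], int(pm["port"]))] = pm["status"]
        elif func == "fo_resolve_service_send" and msg.startswith("No available servers"):
            t.no_servers = True
        elif func.endswith("_done") and "failed" in msg:
            t.op_errors.append(msg)
        elif func == "be_mark_offline":
            t.went_offline = True
    return t


def explain(t: Triage) -> List[str]:
    """Turn the collected events into operator-facing hints."""
    hints = []
    if t.connect_errors:
        hints.append("connect/StartTLS failure: " + t.connect_errors[0])
    for (server, port), status in t.port_status.items():
        if status != "working":
            hints.append(f"failover marked {server}:{port} as '{status}'")
    if t.no_servers:
        hints.append("no servers left for service 'LDAP' after failover")
    if t.went_offline:
        hints.append("back end went offline (cached data only until it retries)")
    # Assumption from this bug's resolution: a connect failure on a non-default
    # port while ldapsearch from the same host works points at process
    # confinement (the SELinux port label) rather than at the network.
    if t.connect_errors and any(port != 389 for (_, port) in t.port_status):
        hints.append("non-default LDAP port in use: if ldapsearch from the same host works, "
                     "check that the port carries the SELinux type ldap_port_t (semanage port -l)")
    return hints


if __name__ == "__main__":
    for hint in explain(triage(SAMPLE_LOG)):
        print("-", hint)
```

Run it against a real log with `triage(open("/var/log/sssd/sssd_LDAP.log").read())`; the level filter is deliberately absent, because the decisive `be_mark_offline` line is emitted at level 8 and would be lost by keeping only low-level messages.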

Comment 3 Jenny Severance 2010-05-18 20:53:15 UTC
needed to semanage port -a -t ldap_port_t -p <custom_port>
Closing not a bug!
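The resolution is an SELinux port-label mismatch: the confined sssd back end may only connect to ports carrying the `ldap_port_t` type, so a directory server on a custom port such as 2389 is refused even though an unconfined `ldapsearch` from the same host succeeds. The script below is an added example, not code from the bug or from the sssd or policycoreutils projects: it reads `semanage port -l` output, reports which SELinux types cover a given port (expanding ranges such as `1024-65535`), and emits the labelling command when `ldap_port_t` is missing. It assumes the column layout `type proto ports` printed by `semanage port -l` on a targeted policy, and the `-p tcp` protocol argument that the comment above leaves out; the sample table is constructed for the example and the exact port lists differ between policy versions.

```python
"""Check whether a port carries the SELinux ldap_port_t label (added example)."""
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of `semanage port -l` output (port lists vary by policy).
SAMPLE_SEMANAGE = """\
SELinux Port Type               Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ldap_port_t                    tcp      389, 636, 3268, 7389
ldap_port_t                    udp      389, 636
unreserved_port_t              tcp      1024-65535
"""

PortTable = Dict[Tuple[str, str], List[Tuple[int, int]]]  # (type, proto) -> [(lo, hi)]


def parse_semanage_ports(output: str) -> PortTable:
    """Parse `semanage port -l` text into {(type, proto): [(lo, hi), ...]}."""
    table: PortTable = {}
    for line in output.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1] not in ("tcp", "udp", "sctp"):
            continue  # header, blank or unexpected line
        setype, proto, ports = parts
        ranges = []
        for tok in ports.split(","):
            tok = tok.strip()
            if not tok:
                continue
            lo, _, hi = tok.partition("-")  # "389" or "1024-65535"
            ranges.append((int(lo), int(hi or lo)))
        table.setdefault((setype, proto), []).extend(ranges)
    return table


def port_types(table: PortTable, port: int, proto: str = "tcp") -> List[str]:
    """Every SELinux type whose port list covers `port` on `proto`."""
    return sorted(
        setype
        for (setype, p), ranges in table.items()
        if p == proto and any(lo <= port <= hi for lo, hi in ranges)
    )


def ldap_port_fix(table: PortTable, port: int, proto: str = "tcp"):
    """None if the port already carries ldap_port_t, otherwise the semanage
    command that adds the label (the -p <proto> argument is assumed here)."""
    if "ldap_port_t" in port_types(table, port, proto):
        return None
    return f"semanage port -a -t ldap_port_t -p {proto} {port}"


def live_table() -> PortTable:
    """Read the running system's port labels; raises if semanage is absent."""
    out = subprocess.run(["semanage", "port", "-l"],
                         capture_output=True, text=True, check=True).stdout
    return parse_semanage_ports(out)


if __name__ == "__main__":
    table = parse_semanage_ports(SAMPLE_SEMANAGE)
    for port in (389, 2389):
        print(f"tcp/{port}: types={port_types(table, port)} fix={ldap_port_fix(table, port)}")
```

On a live host replace `parse_semanage_ports(SAMPLE_SEMANAGE)` with `live_table()`; if the port reported for the server in `ldap_uri` is covered only by a generic type such as `unreserved_port_t`, the printed command is the change that lets the confined back end reach it without loosening policy elsewhere.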

