Bug 592441 - SSSD: Failing to Connect to Directory Server - Marking BE offline
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.0
Hardware: All
OS: Linux
Priority: low
Severity: high
Target Milestone: rc
Assigned To: Stephen Gallagher
QA Contact: Chandrasekar Kannan
Reported: 2010-05-14 16:56 EDT by Jenny Galipeau
Modified: 2015-01-04 18:42 EST
Last Closed: 2010-05-18 16:53:15 EDT
Doc Type: Bug Fix
Attachments: None

Description Jenny Galipeau 2010-05-14 16:56:52 EDT
Description of problem:
With the latest build for RHEL 6, the Directory Server backend is immediately marked offline (can't contact LDAP server) and never reconnects.

OpenLDAP TLS ldapsearches from the client are successful:

ldapsearch -x -ZZ -H ldap://sssdldap.idm.lab.bos.redhat.com:2389 -b uid=user2000,ou=people,dc=bos,dc=redhat,dc=com
# extended LDIF
#
# LDAPv3
# base <uid=user2000,ou=people,dc=bos,dc=redhat,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# user2000, People, bos.redhat.com
dn: uid=user2000,ou=People, dc=bos,dc=redhat,dc=com
givenName: user
sn: 2000
sn: 2009
loginShell: /bin/bash
uidNumber: 2001
gidNumber: 2001
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: user2000
gecos: User 2001
cn: user 2000
homeDirectory: /home/user2001

# search result
search: 3
result: 0 Success


DEBUG:

(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [sdap_connect_send] (4): Executing START TLS
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [sdap_connect_send] (3): ldap_start_tls failed: [Can't contact LDAP server]
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [sdap_handle_release] (8): Trace: sh[0x928fe40], connected[0], ops[(nil)], ldap[0x928f538], destructor_lock[0], release_memory[0]
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [remove_connection_callback] (9): Successfully removed connection callback.
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [fo_set_port_status] (4): Marking port 2389 of server 'sssdldap.idm.lab.bos.redhat.com' as 'not working'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [fo_resolve_service_send] (4): Trying to resolve service 'LDAP'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_server_status] (7): Status of server 'sssdldap.idm.lab.bos.redhat.com' is 'name resolved'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_port_status] (7): Port status of port 2389 for server 'sssdldap.idm.lab.bos.redhat.com' is 'not working'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_server_status] (7): Status of server 'sssdldap.idm.lab.bos.redhat.com' is 'name resolved'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_port_status] (7): Port status of port 2389 for server 'sssdldap.idm.lab.bos.redhat.com' is 'not working'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_server_status] (7): Status of server 'sssdldap.idm.lab.bos.redhat.com' is 'name resolved'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_port_status] (7): Port status of port 2389 for server 'sssdldap.idm.lab.bos.redhat.com' is 'not working'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [fo_resolve_service_send] (1): No available servers for service 'LDAP'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [fo_set_port_status] (4): Marking port 2389 of server 'sssdldap.idm.lab.bos.redhat.com' as 'not working'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [ldap_id_enum_users_done] (9): User enumeration failed with: (5)[Input/output error]
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [be_mark_offline] (8): Going offline!


Also, it would be really helpful if we could get a better debug message than just "[Can't contact LDAP server]", if possible.

Version-Release number of selected component (if applicable):
sssd-1.1.91-10.el6.i686

How reproducible:
always, with the following configuration:

[sssd]
config_file_version = 2
domains = LOCAL, LDAP
sbus_timeout = 30
services = nss, pam
debug_level = 6

[nss]
filter_groups = root
filter_users = root

[pam]
reconnection_retries = 3

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
cache_credentials = TRUE
enumerate = TRUE
ldap_group_search_base = ou=Groups,dc=bos,dc=redhat,dc=com
ldap_user_search_base = ou=People,dc=bos,dc=redhat,dc=com
# plain ldap:// URI on a non-standard port, upgraded to TLS with STARTTLS
ldap_uri = ldap://sssdldap.idm.lab.bos.redhat.com:2389
ldap_id_use_start_tls = true
# server certificate must validate against the CA below
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/cacert2.asc
timeout = 30
debug_level = 99



Additional info:

If I use the same configuration to a directory server instance running on the default standard port 389 - everything works fine!
Comment 1 Jenny Galipeau 2010-05-14 16:58:43 EDT
(In reply to comment #0)
Comment 3 Jenny Galipeau 2010-05-18 16:53:15 EDT
needed to semanage port -a -t ldap_port_t -p <custom_port>
Closing not a bug!
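The resolution in comment 3 points at SELinux rather than at SSSD or TLS: the SSSD backend (sssd_be) runs confined in the sssd_t domain, which policy only allows to connect to ports labeled ldap_port_t, while ldapsearch run from an interactive shell is unconfined and so succeeds against the same port. A custom port such as 2389 carries the generic unreserved_port_t label until it is added with semanage (the command in comment 3 also needs the protocol argument, `-p tcp`, that `semanage port` requires). The script below is an added example, not part of the bug report or of SSSD, that performs the two checks a practitioner would run before relabeling: is the port covered by ldap_port_t, and does the audit log hold a matching name_connect denial for sssd_be. The semanage listing and the AVC record are constructed to mimic `semanage port -l` and audit.log on RHEL 6, not captured from a real host; the function names are mine.

```shell
#!/bin/sh
# Added example; not from the bug report or the SSSD project.
# The two inputs below are CONSTRUCTED to look like "semanage port -l" and
# a /var/log/audit/audit.log record on RHEL 6. They are not real captures.

SAMPLE_SEMANAGE_OUTPUT='ldap_port_t                    tcp      389, 636, 3268, 7389
ldap_port_t                    udp      389, 636
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      1024-65535'

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1273869814.201:412): avc:  denied  { name_connect } for  pid=2745 comm="sssd_be" dest=2389 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# port_has_label LABEL PROTO PORT
# Reads a semanage-style port listing on stdin. Exit 0 if PORT is covered by
# the LABEL/PROTO line, either as a single port or inside an a-b range.
port_has_label() {
    awk -v l="$1" -v p="$2" -v n="$3" '
        $1 == l && $2 == p {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)
                if ($i ~ /-/) {
                    split($i, r, "-")
                    if (n + 0 >= r[1] + 0 && n + 0 <= r[2] + 0) found = 1
                } else if ($i == n) {
                    found = 1
                }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# denied_connect_ports COMM
# Reads audit.log lines on stdin; prints the distinct dest= ports that COMM
# was denied name_connect to. Empty output means no such denial was logged.
denied_connect_ports() {
    grep -E 'avc: +denied +\{ name_connect \}' |
        grep "comm=\"$1\"" |
        sed -n 's/.*dest=\([0-9][0-9]*\).*/\1/p' |
        sort -u
}

# check_ldap_port PORT
# Exit 0 when sssd_t may connect to PORT/tcp. Otherwise report the denial if
# the audit log shows one, print the semanage command that adds the label
# (comment 3's fix, with the protocol argument the tool requires) and exit 1.
check_ldap_port() {
    port=$1
    if printf '%s\n' "$SAMPLE_SEMANAGE_OUTPUT" | port_has_label ldap_port_t tcp "$port"; then
        echo "port $port/tcp is labeled ldap_port_t"
        return 0
    fi
    echo "port $port/tcp is not labeled ldap_port_t; sssd_t cannot name_connect to it"
    denied=$(printf '%s\n' "$SAMPLE_AUDIT_LOG" | denied_connect_ports sssd_be | grep -x "$port" || :)
    [ -n "$denied" ] && echo "audit log confirms: sssd_be denied name_connect to dest=$port"
    echo "fix: semanage port -a -t ldap_port_t -p tcp $port"
    return 1
}

# On a real host feed the live data instead of the samples:
#   semanage port -l | port_has_label ldap_port_t tcp 2389
#   ausearch -m avc -c sssd_be --raw | denied_connect_ports sssd_be
for p in 389 2389; do
    check_ldap_port "$p" || :    # keep going; the failing port is the interesting one
done
```

Run as-is it reports 389 as labeled and 2389 as unlabeled with the confirming AVC record and the semanage fix. After relabeling, `semanage port -l` lists 2389 on the ldap_port_t line and SSSD reconnects on its next failover retry without a restart of the directory server.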
