Bug 598501 - SSSD doesn't follow LDAP referrals when using non-anonymous bind
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.0
Hardware: All Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Stephen Gallagher
QA Contact: Chandrasekar Kannan
Depends On: 598485
Blocks: 579778
 
Reported: 2010-06-01 10:12 EDT by Dmitri Pal
Modified: 2015-01-04 18:42 EST

Fixed In Version: sssd-1.5.0-1.el6
Doc Type: Bug Fix
Clone Of: 598485
Last Closed: 2011-05-19 07:41:25 EDT
External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2011:0560
Priority: normal
Status: SHIPPED_LIVE
Summary: Low: sssd security, bug fix, and enhancement update
Last Updated: 2011-05-19 07:38:17 EDT

Description Dmitri Pal 2010-06-01 10:12:14 EDT
+++ This bug was initially created as a clone of Bug #598485 +++

Description of problem:
If SSSD is configured to use non-anonymous bind (a bind DN is specified and an authentication token such as a password is being used), SSSD does not properly follow referrals. It will only attempt to bind anonymously to the referred server.

More information is available at the upstream bug report:
https://fedorahosted.org/sssd/ticket/495

Version-Release number of selected component (if applicable):
sssd-1.2.0-12.el6

How reproducible:
Every time

Steps to Reproduce:
1. Set up two LDAP servers requiring non-anonymous bind (anonymous bind should fail)
2. Add a referral on the primary LDAP server for a particular entry that will be answered by the secondary LDAP server. (Use a user entry for easiest reproduction)
3. Configure SSSD with id_provider = ldap and ldap_uri pointing at the primary LDAP server.
4. Request the user entry above (use 'getent passwd <username>')

  
Actual results:
No results found. The logs for the secondary LDAP server will show a failed anonymous bind.

Expected results:
The user should be returned from the secondary LDAP server.

Additional info:
https://fedorahosted.org/sssd/ticket/495
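
Added example, not part of the original report or of SSSD: a check an administrator of the secondary (referred-to) server could run to spot the symptom described under "Actual results", that is, rejected empty-DN binds grouped by client address. The 389 Directory Server access-log layout, the addresses and the sample lines are assumptions constructed for illustration; the report does not show the server's logs.

```python
import re
from collections import defaultdict

# Constructed sample in the 389 Directory Server access-log layout (an
# assumption; the report does not name the server product or show its logs).
SAMPLE_LOG = """\
[12/Apr/2011:19:30:01 +0530] conn=41 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.20
[12/Apr/2011:19:30:01 +0530] conn=41 op=0 BIND dn="" method=128 version=3
[12/Apr/2011:19:30:01 +0530] conn=41 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[12/Apr/2011:19:30:05 +0530] conn=42 fd=65 slot=65 connection from 192.0.2.11 to 192.0.2.20
[12/Apr/2011:19:30:05 +0530] conn=42 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[12/Apr/2011:19:30:05 +0530] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[12/Apr/2011:19:30:09 +0530] conn=43 fd=66 slot=66 connection from 192.0.2.10 to 192.0.2.20
[12/Apr/2011:19:30:09 +0530] conn=43 op=0 BIND dn="" method=128 version=3
[12/Apr/2011:19:30:09 +0530] conn=43 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

CONN = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")


def failed_anonymous_binds(log_text):
    """Return {client_ip: count} of empty-DN binds that the server rejected."""
    client_of = {}   # connection id -> client address
    pending = set()  # (conn, op) pairs that were anonymous BIND requests
    hits = defaultdict(int)
    for line in log_text.splitlines():
        if m := CONN.search(line):
            client_of[m.group(1)] = m.group(2)
        elif m := BIND.search(line):
            if m.group(3) == "":  # empty DN means an anonymous bind
                pending.add((m.group(1), m.group(2)))
        elif m := RESULT.search(line):
            key = (m.group(1), m.group(2))
            if key in pending:
                pending.discard(key)
                if m.group(3) != "0":  # non-zero LDAP result code: rejected
                    hits[client_of.get(m.group(1), "unknown")] += 1
    return dict(hits)


if __name__ == "__main__":
    for client, count in failed_anonymous_binds(SAMPLE_LOG).items():
        print(f"{client}: {count} rejected anonymous bind(s)")
```

A client that authenticates to the primary server yet appears in this output on the secondary is a candidate for the referral behaviour described in this bug.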
Comment 3 Gowrishankar Rajaiyan 2011-04-12 11:28:52 EDT
Server:
# ldapsearch -x -h sssdldap.redhat.com -p 389 -D "uid=referred_user3,ou=People,dc=example,dc=com" -w Secret123 -b ou=people,dc=example,dc=com
ldap_bind: Referral (10)
	referrals:
		ldap://shanksldap.redhat.com/uid=referred_user3,ou=people,dc=example,dc=com


Client:
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://sssdldap.redhat.com:636
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
cache_credentials = true
enumerate = false
debug_level = 9
ldap_default_bind_dn = cn=Directory Manager
ldap_default_authtok_type = password
ldap_default_authtok = Secret123


# getent -s sss passwd referred_user3
referred_user3:*:7007:7007:referred_user3:/home/referred_user3:/bin/bash


Verified: # rpm -qi sssd | head 
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 27.el6                        Build Date: Tue 12 Apr 2011 07:10:31 PM IST
Install Date: Tue 12 Apr 2011 07:27:31 PM IST      Build Host: hs20-bc2-3.build.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-27.el6.src.rpm
Size        : 3462773                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Comment 4 errata-xmlrpc 2011-05-19 07:41:25 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html
Comment 5 errata-xmlrpc 2011-05-19 09:08:35 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html
