600352 – Wrapping the value for "ldap_access_filter" in parentheses causes ldap_search_ext to fail.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 600352 - Wrapping the value for "ldap_access_filter" in parentheses causes ldap_search_ext to fail.

Summary: Wrapping the value for "ldap_access_filter" in parentheses causes ldap_search...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	6.0
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Stephen Gallagher
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	579775
TreeView+	depends on / blocked

Reported:	2010-06-04 14:24 UTC by Gowrishankar Rajaiyan
Modified:	2015-01-04 23:42 UTC (History)
CC List:	3 users (show)
Fixed In Version:	sssd-1.2.0-14.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-11-10 21:39:52 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
sssd.conf (625 bytes, text/plain) 2010-06-04 14:24 UTC, Gowrishankar Rajaiyan	no flags	Details
View All

Description Gowrishankar Rajaiyan 2010-06-04 14:24:34 UTC

Created attachment 421239 [details]
sssd.conf

Description of problem:


Version-Release number of selected component (if applicable):
sssd-1.2.0-12.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure sssd.conf for native ldap domain.
2. Add ldap_access_filter = (&(uidNumber>=1069)(uidNumber<=1071))
3. Clear cache and restart sssd service.
4. Auth with user "auser1" having uidNumber as 1070.
  
Actual results:
(Fri Jun  4 18:53:51 2010) [sssd[be[LDAP]]] [sdap_access_get_dn_done] (6): Checking filter against LDAP
(Fri Jun  4 18:53:51 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (6): calling ldap_search_ext with [(&(uid=auser1)(objectclass=posixAccount)(((uidNumber>1069)(uidNumber<1071))))][uid=auser1,ou=People,dc=example,dc=com].
(Fri Jun  4 18:53:51 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (3): ldap_search_ext failed: Bad search filter
(Fri Jun  4 18:53:51 2010) [sssd[be[LDAP]]] [sdap_access_get_access_done] (1): sdap_get_generic_send() returned error [5][Input/output error](Fri Jun  4 18:53:51 2010) [sssd[be[LDAP]]] [sdap_access_done] (1): Error retrieving access check result.
(Fri Jun  4 18:53:51 2010) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (Interrupted system call)]


Expected results:
Authentication should succeed and it should be safe to wrap the access filter in parentheses.

Additional info:

Comment 3 Gowrishankar Rajaiyan 2010-07-27 08:28:14 UTC

Verified ldap_access_filter wrapped with parentheses i.e., ldap_access_filter = (&(uidNumber>=1002)(uidNumber<=1003)) and without parentheses i.e., ldap_access_filter = &(uidNumber>=1002)(uidNumber<=1003).

Version: sssd-1.2.1-21.el6.

Comment 4 releng-rhel@redhat.com 2010-11-10 21:39:52 UTC

Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.