Red Hat Bugzilla – Bug 640602
sssd is not escaping correctly LDAP searches
Last modified: 2015-01-04 18:44:23 EST
+++ This bug was initially created as a clone of Bug #640597 +++

Description of problem:
sssd is not escaping LDAP searches correctly, and when it receives an error from the LDAP server it goes offline.

Version-Release number of selected component (if applicable):
sssd-1.2.1-27.el5

How reproducible:
always

Steps to Reproduce:
I noticed that sssd in some of our servers was going offline with no apparent reason, so bumping up the debug_level I found this in the logs:

(Wed Oct 6 07:27:09 2010) [sssd[be[ALMACARONI]]] [be_get_account_info] (4): Got request for [4097][1][name=hacienda\eladio]
(Wed Oct 6 07:27:09 2010) [sssd[be[ALMACARONI]]] [sdap_get_generic_send] (3): ldap_search_ext failed: Bad search filter
(Wed Oct 6 07:27:09 2010) [sssd[be[ALMACARONI]]] [be_run_offline_cb] (3): Going offline. Running callbacks.

A bit of investigation turned up that the query was initiated by winbind, which was running on the server, so it was a matter of changing the "winbind separator" and restarting winbind and sssd to hide the problem. Now it is evident that this is a bug in SSSD, where it is sufficient that any user queries for a username with a '\' in its name to have SSSD go offline. I reproduced this executing "id hacienda\\eladio"
On server:

# user\5Ca, People, example.com
dn: uid=user\5Ca,ou=People,dc=example,dc=com
uidNumber: 29201
gidNumber: 29201
objectClass: top
objectClass: posixAccount
objectClass: inetuser
cn: user\5Ca
homeDirectory: /home/usera
loginShell: /bin/bash
uid: user\a
userPassword:: U2VjcmV0MTIz

# group\5Ca, Groups, example.com
dn: cn=group\5Ca,ou=Groups,dc=example,dc=com
gidNumber: 29201
objectClass: top
objectClass: posixGroup
memberUid: uid=user\5Ca,ou=People,dc=example,dc=com
cn: group\a

# user\5C001, People, example.com
dn: uid=user\5C001,ou=People,dc=example,dc=com
uidNumber: 29204
gidNumber: 29204
objectClass: top
objectClass: posixAccount
objectClass: inetuser
cn: user001
homeDirectory: /home/user001
loginShell: /bin/bash
uid: user\001
userPassword:: U2VjcmV0MTIz

# group\5C001, Groups, example.com
dn: cn=group\5C001,ou=Groups,dc=example,dc=com
gidNumber: 29204
objectClass: top
objectClass: posixGroup
memberUid: uid=user\5C001,ou=People,dc=example,dc=com
cn: group\001

On Client:

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://sssdldap.redhat.com:636
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
cache_credentials = true
enumerate = false
debug_level = 9

# id user\\a
uid=29201(user\a) gid=29201(group\a) groups=29201(group\a)
# id -G -n user\\a
group\a
# id user\\001
uid=29204(user\001) gid=29204(group\001) groups=29204(group\001)
# id -G -n user\\001
group\001
# ssh -l user\\a localhost
user\a@localhost's password:
Creating directory '/home/usera'.
Last login: Thu Apr 7 15:35:18 2011 from localhost
[user\a@rhel6-1 ~]$ id
uid=29201(user\a) gid=29201(group\a) groups=29201(group\a) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
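The two comments above show the same value in its two escaped forms: the description's log line carries the raw username `hacienda\eladio` into a filter, where a backslash not followed by two hex digits is a syntax error (the "Bad search filter" the server returned), while the verification LDIF stores the RDN as `uid=user\5Ca`, the RFC 4514 hex form of `user\a`. The following is an added example, not sssd's code, showing RFC 4515 filter-value escaping and RFC 4514 DN-value escaping side by side, plus a check for the malformed-escape condition. The function names and the sample inputs (taken from the names in this report) are constructed for illustration.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter
# assertion value. Backslash is escaped too, so an escaped value can never
# be re-read by the server as the start of an escape sequence.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a caller-supplied string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, name_attr: str = "uid") -> str:
    """Build an account lookup filter with the username escaped (hypothetical helper)."""
    return f"(&(objectClass=posixAccount)({name_attr}={escape_filter_value(username)}))"


# In a filter a backslash is only valid when followed by exactly two hex
# digits; anything else is the malformed filter the server rejects.
_BAD_ESCAPE = re.compile(r"\\(?![0-9a-fA-F]{2})")


def has_invalid_escape(filter_str: str) -> bool:
    """True if the filter contains a backslash that does not form a valid \\XX escape."""
    return _BAD_ESCAPE.search(filter_str) is not None


# RFC 4514 section 2.4: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set('"+,;<>\\\x00')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN, in the \\XX hex form used by the LDIF above."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\%02X" % ord(ch))
        elif ch == " " and i in (0, last):      # leading or trailing space
            out.append(r"\20")
        elif ch == "#" and i == 0:              # leading '#'
            out.append(r"\23")
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(username: str, base: str = "ou=People,dc=example,dc=com") -> str:
    """Build the entry DN for a user with the RDN value escaped (hypothetical helper)."""
    return f"uid={escape_dn_value(username)},{base}"


if __name__ == "__main__":
    # Constructed inputs: the name winbind asked for in the description and
    # the two test accounts from the verification LDIF.
    for name in ("hacienda\\eladio", "user\\a", "user\\001"):
        naive = f"(uid={name})"
        state = "INVALID" if has_invalid_escape(naive) else "valid"
        print(f"{name!r}: unescaped filter {naive} is {state}; "
              f"escaped filter {build_user_filter(name)}; dn {build_user_dn(name)}")
```

The `user\001` account in the LDIF is the more instructive of the two test names: pasted raw into a filter it is syntactically valid, because `\00` is a well-formed escape, but it then means a NUL byte followed by `1` rather than the literal `\001`, so the lookup silently matches nothing instead of failing loudly. Escaping before the value reaches the filter handles both the error case and the silent-mismatch case.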
Verified.

# rpm -qi sssd
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 24.el6                        Build Date: Sat 02 Apr 2011 01:24:54 AM IST
Install Date: Tue 05 Apr 2011 11:11:29 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-24.el6.src.rpm
Size        : 3462740                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html