Bug 732935 - Add LDAP provider option to set LDAP_OPT_X_SASL_NOCANON
Summary: Add LDAP provider option to set LDAP_OPT_X_SASL_NOCANON
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Stephen Gallagher
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 732468 748866
Reported: 2011-08-24 08:11 UTC by Marko Myllynen
Modified: 2015-01-04 23:50 UTC (History)

Fixed In Version: sssd-1.5.1-49.el6
Doc Type: Bug Fix
Doc Text:
Cause: In some cases when SASL is used, libldap might try to canonicalize the hostname by doing a reverse lookup. Consequence: The LDAP request might block. Also if PTR record was wrong, SSSD wouldn't authenticate against the server at all. Fix: An SSSD configuration directive has been implemented, allowing to turn canonicalization inside libldap on or off. The canonicalization is off by default. Result: SASL/GSSAPI works fine even when the PTR is wrong.
Clone Of:
Clones: 748866
Environment:
Last Closed: 2011-12-06 16:39:31 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1529 normal SHIPPED_LIVE sssd bug fix and enhancement update 2011-12-06 00:50:20 UTC
FedoraHosted SSSD 978 None None None Never

Description Marko Myllynen 2011-08-24 08:11:34 UTC
Description of problem:
From https://fedorahosted.org/sssd/ticket/978

In some cases when SASL is used, openldap might try to canonicalize the hostname by doing a reverse lookup. This might be a blocking call because openldap uses glibc's getnameinfo (The openldap function is ldap_pvt_get_hname).

It is possible to turn off this check by setting LDAP_OPT_X_SASL_NOCANON.

It is not only a problem about blocking on DNS calls. It may also cause failures to get a ticket because the PTR is wrong. Bad DNS configuration for reverse addresses is very common, especially in test environments and small networks.

Comment 2 Stephen Gallagher 2011-08-24 12:42:52 UTC
This fix is a dependency for fixing BZ #732468 in FreeIPA.

Comment 5 Kaushik Banerjee 2011-09-27 13:38:41 UTC
Steps to verify:

1. Configure dns as:
A record  : ldap.example.com -> 10.65.201.57
PTR record: 10.65.201.57 -> xyz.example.com


2. Configure sssd for gssapi auth.
[domain/gssapi]
debug_level = 9
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = ldap.example.com
krb5_realm = EXAMPLE.COM
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.com
ldap_krb5_init_creds = true
ldap_krb5_ticket_lifetime = 120
krb5_validate = True
krb5_lifetime = 150m

3. Lookup of an LDAP user and auth as the user should succeed. (Note that we have to set "rdns = false" in /etc/krb5.conf.)

4. Now, set "ldap_sasl_canonicalize = true" and restart sssd. Lookup and auth of the LDAP user would fail since, due to the incorrect PTR record, the hostname cannot be canonicalized.

Verified in version:
# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 52.el6                        Build Date: Tue 20 Sep 2011 09:11:03 PM IST
Install Date: Mon 26 Sep 2011 05:56:30 PM IST      Build Host: x86-010.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-52.el6.src.rpm
Size        : 3550647                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
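The verification steps above hinge on a forward/reverse DNS mismatch for the LDAP server combined with ldap_sasl_canonicalize = true. The following is an added pre-flight check (example code, not part of SSSD) that parses an sssd.conf, finds GSSAPI domains with canonicalization enabled, and reports LDAP hosts whose PTR record does not map back to the configured name; the resolver functions are injectable, and the config and DNS answers below are constructed from the values in comment 5.

```python
import configparser
import socket
from urllib.parse import urlparse

# Constructed sample input mirroring comment 5 (not a real environment).
SSSD_CONF = """
[domain/gssapi]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_sasl_mech = GSSAPI
ldap_sasl_canonicalize = true
"""
A_RECORDS = {"ldap.example.com": "10.65.201.57"}
PTR_RECORDS = {"10.65.201.57": "xyz.example.com"}   # wrong PTR, as in step 1

def ldap_hosts(ldap_uri):
    """Host names from a comma-separated ldap_uri value."""
    return [urlparse(u.strip()).hostname.lower()
            for u in ldap_uri.split(",") if urlparse(u.strip()).hostname]

def check_sssd_canonicalization(conf_text,
                                resolve_a=socket.gethostbyname,
                                resolve_ptr=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Return (domain, host, problem) tuples for domains where libldap's
    reverse lookup (LDAP_OPT_X_SASL_NOCANON not set) would see a bad PTR."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        d = cfg[section]
        if d.get("ldap_sasl_mech", "").upper() != "GSSAPI":
            continue
        # Option introduced by this bug; SSSD defaults it to false.
        if not d.getboolean("ldap_sasl_canonicalize", fallback=False):
            continue
        for host in ldap_hosts(d.get("ldap_uri", "")):
            try:
                addr = resolve_a(host)
                ptr = resolve_ptr(addr).lower()
            except (OSError, KeyError) as e:
                findings.append((section, host, "lookup failed: %r" % (e,)))
                continue
            if ptr != host:
                findings.append((section, host,
                                 "PTR for %s is %s; GSSAPI bind would fail" % (addr, ptr)))
    return findings

def demo():
    return check_sssd_canonicalization(SSSD_CONF, A_RECORDS.__getitem__,
                                       PTR_RECORDS.__getitem__)
```

With the mismatched PTR the check reports the domain/gssapi entry; with ldap_sasl_canonicalize = false (the default) it stays silent, matching steps 3 and 4.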

Comment 6 Jan Zeleny 2011-10-27 14:03:56 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: In some cases when SASL is used, libldap might try to canonicalize the hostname by doing a reverse lookup.
Consequence: The LDAP request might block. Also if PTR record was wrong, SSSD wouldn't authenticate against the server at all.
Fix: A configuration directive has been implemented allowing to turn off canonicalization in libldap.
Result: If there are some issues with the DNS / network which would cause unwanted behavior of SSSD such as blocking calls, it is possible to turn canonicalization off.

Comment 7 Jakub Hrozek 2011-10-27 14:14:02 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1,4 @@
 Cause: In some cases when SASL is used, libldap might try to canonicalize the hostname by doing a reverse lookup.
 Consequence: The LDAP request might block. Also if PTR record was wrong, SSSD wouldn't authenticate against the server at all.
-Fix: A configuration directive has been implemented allowing to turn off canonicalization in libldap.
+Fix: An SSSD configuration directive has been implemented, allowing to turn canonicalization inside libldap on or off. The canonicalization is off by default.
-Result: If there are some issues with the DNS / network which would cause unwanted behavior of SSSD such as blocking calls, it is possible to turn canonicalization off.+Result: SASL/GSSAPI works fine even wen the PTR is wrong.
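Review bot: the new Result line carries a typo, "wen" should be "when". Otherwise the reworded Fix line now states the default (canonicalization off), which is consistent with the verification steps in comment 5 where the failure only appears after ldap_sasl_canonicalize is set to true.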

Comment 8 errata-xmlrpc 2011-12-06 16:39:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1529.html

