Description of problem:

From https://fedorahosted.org/sssd/ticket/978

In some cases when SASL is used, openldap might try to canonicalize the hostname by doing a reverse lookup. This might be a blocking call because openldap uses glibc's getnameinfo (the openldap function is ldap_pvt_get_hname). It is possible to turn off this check by setting LDAP_OPT_X_SASL_NOCANON.

It is not only a problem about blocking on DNS calls. It may also cause failures to get a ticket because the PTR is wrong. Bad DNS configuration for reverse addresses is very common, especially in test environments and small networks.
This fix is a dependency for fixing BZ #732468 in FreeIPA.
Steps to verify:

1. Configure DNS as:
   A record:   ldap.example.com -> 10.65.201.57
   PTR record: 10.65.201.57 -> xyz.example.com

2. Configure sssd for GSSAPI auth:

   [domain/gssapi]
   debug_level = 9
   id_provider = ldap
   ldap_uri = ldap://ldap.example.com
   ldap_search_base = dc=example,dc=com
   auth_provider = krb5
   krb5_server = ldap.example.com
   krb5_realm = EXAMPLE.COM
   ldap_sasl_mech = GSSAPI
   ldap_sasl_authid = host/client.example.com
   ldap_krb5_init_creds = true
   ldap_krb5_ticket_lifetime = 120
   krb5_validate = True
   krb5_lifetime = 150m

3. Lookup of an ldap user and auth as the user should succeed. (Note that we have to set "rdns = false" in /etc/krb5.conf.)

4. Now set "ldap_sasl_canonicalize = true" and restart sssd. Lookup and auth of the ldap user would fail since, due to the incorrect PTR record, the hostname cannot be canonicalized.

Verified in version:

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 52.el6                        Build Date: Tue 20 Sep 2011 09:11:03 PM IST
Install Date: Mon 26 Sep 2011 05:56:30 PM IST      Build Host: x86-010.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-52.el6.src.rpm
Size        : 3550647                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
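The following is an added example, not code from the bug report or from the SSSD project. It models what the reproduction steps above exercise: with canonicalization on, libldap reverse-resolves the server address (the page names ldap_pvt_get_hname, backed by getnameinfo) and the resulting name ends up in the ldap/<host>@REALM service principal, so the wrong PTR yields a principal the KDC cannot issue a ticket for. The resolver is a constructed in-memory table standing in for DNS; the function and record names are assumptions, and the pre-flight check is the kind of forward-confirmed reverse DNS test an admin would run before turning ldap_sasl_canonicalize on.

```python
# Added example (not from the bug report or the SSSD project). Models how
# libldap's SASL hostname canonicalization changes the GSSAPI service
# principal, using a constructed resolver instead of real DNS.
from dataclasses import dataclass


@dataclass
class FakeResolver:
    a_records: dict    # hostname -> IPv4 address (constructed sample data)
    ptr_records: dict  # IPv4 address -> hostname (constructed sample data)

    def forward(self, host):
        return self.a_records[host]

    def reverse(self, addr):
        # getnameinfo() fails when no PTR exists; modelled as None
        return self.ptr_records.get(addr)


def sasl_target_host(resolver, ldap_host, canonicalize):
    """Hostname handed to the SASL layer for the server principal.

    canonicalize=False corresponds to ldap_sasl_canonicalize = false
    (LDAP_OPT_X_SASL_NOCANON set): the configured name is used unchanged.
    canonicalize=True reverse-resolves the address, so a wrong PTR record
    produces a wrong hostname."""
    if not canonicalize:
        return ldap_host
    addr = resolver.forward(ldap_host)
    canon = resolver.reverse(addr)
    return canon if canon else ldap_host


def ldap_principal(resolver, ldap_host, realm, canonicalize):
    """Service principal the client would request a ticket for."""
    return f"ldap/{sasl_target_host(resolver, ldap_host, canonicalize)}@{realm}"


def check_reverse_dns(resolver, ldap_host):
    """Pre-flight check: does the PTR agree with the A record?
    Returns (ok, forward_addr, reverse_name)."""
    addr = resolver.forward(ldap_host)
    rname = resolver.reverse(addr)
    ok = rname is not None and rname.lower().rstrip(".") == ldap_host.lower().rstrip(".")
    return ok, addr, rname


# Constructed records matching the reproduction steps in this bug report
BROKEN_DNS = FakeResolver(
    a_records={"ldap.example.com": "10.65.201.57"},
    ptr_records={"10.65.201.57": "xyz.example.com"},
)
```

Running check_reverse_dns(BROKEN_DNS, "ldap.example.com") reports the mismatch before any Kerberos traffic happens; note that the krb5 library has its own rdns setting (the steps above set rdns = false), which is a separate switch from the libldap one this bug adds.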
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: In some cases when SASL is used, libldap might try to canonicalize the hostname by doing a reverse lookup.
Consequence: The LDAP request might block. Also, if the PTR record was wrong, SSSD wouldn't authenticate against the server at all.
Fix: A configuration directive has been implemented allowing canonicalization in libldap to be turned off.
Result: If there are some issues with the DNS / network which would cause unwanted behavior of SSSD such as blocking calls, it is possible to turn canonicalization off.
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,4 +1,4 @@ Cause: In some cases when SASL is used, libldap might try to canonicalize the hostname by doing a reverse lookup. Consequence: The LDAP request might block. Also if PTR record was wrong, SSSD wouldn't authenticate against the server at all. -Fix: A configuration directive has been implemented allowing to turn off canonicalization in libldap. +Fix: An SSSD configuration directive has been implemented, allowing to turn canonicalization inside libldap on or off. The canonicalization is off by default. -Result: If there are some issues with the DNS / network which would cause unwanted behavior of SSSD such as blocking calls, it is possible to turn canonicalization off.+Result: SASL/GSSAPI works fine even wen the PTR is wrong.
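Review bot: the replacement Result line has a typo, "even wen the PTR is wrong" should read "even when the PTR is wrong", and the new Fix line is awkwardly phrased ("allowing to turn canonicalization ... on or off"); suggest "allowing canonicalization inside libldap to be turned on or off". The added statement that canonicalization is off by default is consistent with the verification steps in this bug, where the failure only appears after ldap_sasl_canonicalize is explicitly set to true, so the note would be clearer if it named that directive.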
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1529.html