Bug 884600 - ldap_chpass_uri failover fails on using same hostname
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Jakub Hrozek
QA Contact: Kaushik Banerjee
Blocks: 888457
Reported: 2012-12-06 06:24 EST by Kaushik Banerjee
Modified: 2013-02-21 04:42 EST
Fixed In Version: sssd-1.9.2-46.el6
Doc Type: Bug Fix
Doc Text:
Cause: SSSD tries to contact all servers in the list if every previous one fails during LDAP authentication.
Consequence: SSSD tried to connect to the next server ONLY if the current connection timed out during LDAP authentication.
Fix: Try to connect to the following servers on ANY error during LDAP authentication.
Result: SSSD tries all servers as expected when authenticating against an LDAP server.
Last Closed: 2013-02-21 04:42:10 EST
Type: Bug


External Trackers:
Red Hat Product Errata RHSA-2013:0508 (priority: normal, status: SHIPPED_LIVE): "Low: sssd security, bug fix and enhancement update", last updated 2013-02-20 16:30:10 EST

Description Kaushik Banerjee 2012-12-06 06:24:25 EST
Description of problem:
ldap_chpass_uri failover fails on using same hostname

Version-Release number of selected component (if applicable):
sssd-1.9.2-30.el6

How reproducible:
Always

Steps to Reproduce:
1. sssd.conf domain section has:
ldap_uri = ldap://ldapserver.example.com:12345,ldap://ldapserver.example.com:389
ldap_chpass_uri = ldap://ldapserver.example.com:12345,ldap://ldapserver.example.com:389

2. Try to change the password of a user
# ssh -l puser1 localhost
puser1@localhost's password:
Last login: Thu Dec  6 16:11:03 2012 from localhost
-sh-4.1$ passwd
Changing password for user puser1.
Current Password:
passwd: Authentication token manipulation error
-sh-4.1$

Actual results:
Password change fails.
Log shows:
(Thu Dec  6 16:13:46 2012) [sssd[be[LDAP]]] [sdap_pam_chpass_handler] (0x0040): starting password change request for user [puser1].
(Thu Dec  6 16:13:46 2012) [sssd[be[LDAP]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP_CHPASS'
(Thu Dec  6 16:13:46 2012) [sssd[be[LDAP]]] [get_server_status] (0x1000): Status of server 'ldapserver.example.com' is 'working'
(Thu Dec  6 16:13:46 2012) [sssd[be[LDAP]]] [get_port_status] (0x1000): Port status of port 12345 for server 'ldapserver.example.com' is 'neutral'
(Thu Dec  6 16:13:46 2012) [sssd[be[LDAP]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
(Thu Dec  6 16:13:46 2012) [sssd[be[LDAP]]] [get_server_status] (0x1000): Status of server 'ldapserver.example.com' is 'working'
(Thu Dec  6 16:13:46 2012) [sssd[be[LDAP]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu Dec  6 16:13:46 2012) [sssd[be[LDAP]]] [be_resolve_server_process] (0x0200): Found address for server ldapserver.example.com: [192.168.122.13] TTL 604800
(Thu Dec  6 16:13:46 2012) [sssd[be[LDAP]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldap://ldapserver.example.com:12345'
(Thu Dec  6 16:13:46 2012) [sssd[be[LDAP]]] [sss_ldap_init_send] (0x4000): Using file descriptor [22] for LDAP connection.
(Thu Dec  6 16:13:46 2012) [sssd[be[LDAP]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Thu Dec  6 16:13:46 2012) [sssd[be[LDAP]]] [sdap_async_sys_connect_done] (0x0020): connect failed [111][Connection refused].
(Thu Dec  6 16:13:46 2012) [sssd[be[LDAP]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed.
(Thu Dec  6 16:13:46 2012) [sssd[be[LDAP]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
(Thu Dec  6 16:13:46 2012) [sssd[be[LDAP]]] [sdap_handle_release] (0x2000): Trace: sh[0x13f2a30], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory[0]
(Thu Dec  6 16:13:46 2012) [sssd[be[LDAP]]] [fo_set_port_status] (0x0100): Marking port 12345 of server 'ldapserver.example.com' as 'not working'
(Thu Dec  6 16:13:46 2012) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]


Expected results:
Password change should work.

Additional info:
Works fine with different hostnames:
ldap_chpass_uri = ldap://invalidsrv.example.com,ldap://ldapserver.example.com
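The failover path this bug is about, modelled as an added example (this is not SSSD code and not part of the bug report). The URI list is the one from the reproduction steps; the connect outcomes (refused on 12345, success on 389), the helper names `parse_uri_list`, `try_connect` and `failover_connect`, and the choice to model the unresolvable host from the additional-info case as a timeout are assumptions made for the illustration. The point it shows is the one in the Doc Text: with per-port status tracking (the "Marking port 12345 of server ... as 'not working'" log line), the pre-fix logic that advanced only on a timeout stopped at the first "connection refused", while advancing on any error reaches the second entry even though it has the same hostname.

```python
"""Added illustration of the SSSD failover semantics this bug is about.
NOT SSSD code and NOT part of the bug report: the server list is the one from
the reproduction steps; connect outcomes and helper names are assumptions.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_uri_list(value):
    """Split a comma-separated sssd.conf URI list (ldap_uri / ldap_chpass_uri)
    into (scheme, host, port) tuples, filling in the scheme's default port."""
    entries = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        parts = urlsplit(raw)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError(f"unsupported or malformed LDAP URI: {raw!r}")
        entries.append((parts.scheme, parts.hostname,
                        parts.port or DEFAULT_PORTS[parts.scheme]))
    return entries


# Constructed network model (assumption): nothing listens on 12345, matching
# the 'connect failed [111][Connection refused]' log line; 389 answers.
# Hosts/ports not in the table (e.g. invalidsrv.example.com) are modelled as
# a timeout, the one failure the pre-fix code already failed over on.
CONSTRUCTED_NETWORK = {
    ("ldapserver.example.com", 12345): "refused",
    ("ldapserver.example.com", 389): "ok",
}


def try_connect(host, port, network=CONSTRUCTED_NETWORK):
    """Stand-in for the real TCP connect; returns 'ok', 'refused' or 'timeout'."""
    return network.get((host, port), "timeout")


def failover_connect(entries, advance_on_any_error, network=CONSTRUCTED_NETWORK):
    """Walk the server list.

    advance_on_any_error=False models the pre-fix auth/chpass path: only a
    timeout moves on to the next entry; any other connect error ends the
    request (the 'Internal Error (System error)' in the log).
    advance_on_any_error=True models the fixed behaviour.

    Status is tracked per (host, port) pair, so two entries with the same
    hostname but different ports are independent of each other.
    Returns (result, uris_tried, port_status).
    """
    port_status = {}
    tried = []
    for scheme, host, port in entries:
        if port_status.get((host, port)) == "not working":
            continue  # already known bad in this run
        tried.append(f"{scheme}://{host}:{port}")
        outcome = try_connect(host, port, network)
        if outcome == "ok":
            port_status[(host, port)] = "working"
            return "ok", tried, port_status
        port_status[(host, port)] = "not working"
        if outcome == "timeout" or advance_on_any_error:
            continue
        # pre-fix behaviour: a non-timeout error (ECONNREFUSED here) aborts
        return "internal error", tried, port_status
    return "no servers", tried, port_status


if __name__ == "__main__":
    same_host = parse_uri_list(
        "ldap://ldapserver.example.com:12345,ldap://ldapserver.example.com:389")
    for label, policy in (("pre-fix", False), ("fixed", True)):
        result, tried, _ = failover_connect(same_host, advance_on_any_error=policy)
        print(f"{label:8s} result={result!r} tried={tried}")
```

Running it prints the pre-fix run stopping after the single refused attempt on port 12345 and the fixed run succeeding on port 389; feeding the different-hostname list from the additional info above through the pre-fix policy succeeds in both variants, which is the asymmetry the reporter observed.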
Comment 2 Jakub Hrozek 2012-12-06 07:08:37 EST
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1699
Comment 4 Kaushik Banerjee 2012-12-31 02:57:17 EST
Verified in version 1.9.2-59

Report from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: failover-ldap_chpass_uri_001 Server1 down, Server2 online
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Stopping LDAP Server on Server1 and sleeping for 1 second
:: [   PASS   ] :: Authentication successful, as expected
:: [   PASS   ] :: Running 'auth_success puser1 NewPass_123'
:: [   LOG    ] :: Starting LDAP Server on Server1 and sleeping for 5 seconds
:: [   LOG    ] :: Duration: 14s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: failover-ldap_chpass_uri_001 Server1 down, Server2 online

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: failover-ldap_chpass_uri_002 Failover with single server different ports
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Sleeping for 5 seconds
:: [   PASS   ] :: Authentication successful, as expected
:: [   PASS   ] :: Running 'auth_success puser1 NewPass_123'
:: [   LOG    ] :: Duration: 11s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: failover-ldap_chpass_uri_002 Failover with single server different ports

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: failover-ldap_chpass_uri_003 First Server in the list cannot be resolved
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Sleeping for 5 seconds
:: [   PASS   ] :: Authentication successful, as expected
:: [   PASS   ] :: Running 'auth_success puser1 NewPass_123'
:: [   LOG    ] :: Duration: 11s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: failover-ldap_chpass_uri_003 First Server in the list cannot be resolved
Comment 5 errata-xmlrpc 2013-02-21 04:42:10 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html
