#1977 issues when combining the AD provider and ldap_access_filter
Closed: Invalid. Opened 7 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 972944

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Version:
sssd-1.9.2-82.el6

use the ad provider:
id_provider = ad

Just adding an ldap filter like this will result in a bind error:
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
access_provider = ldap
ldap_access_filter = memberOf=CN=sshadmins,OU=groups,DC=2k8r2domain,DC=gss

(Thu Jun  6 16:08:10 2013) [sssd[be[2k8r2domain.gss]]] [set_server_common_status] (0x0100): Marking server 'win2k8sp1-64.2k8r2domain.gss' as 'working'
(Thu Jun  6 16:08:10 2013) [sssd[be[2k8r2domain.gss]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=jagee)(objectclass=posixAccount)(memberOf=CN=sshadmins,OU=groups,DC=2k8r2domain,DC=gss))][CN=Jeremy Agee,CN=Users,DC=2k8r2domain,DC=gss].
(Thu Jun  6 16:08:10 2013) [sssd[be[2k8r2domain.gss]]] [sdap_get_generic_ext_done] (0x0400): Search result: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
(Thu Jun  6 16:08:10 2013) [sssd[be[2k8r2domain.gss]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
(Thu Jun  6 16:08:10 2013) [sssd[be[2k8r2domain.gss]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error

Adding the sasl bind works around the bind issue.
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = RHEL6-2K8-ADPRO$@2K8R2DOMAIN.GSS

The use of one of these two settings is also needed so the search works since
it defaults to objectclass=posixAccount without them.
ldap_schema = ad
or
ldap_user_object_class = person

(Fri Jun  7 14:34:17 2013) [sssd[be[2k8r2domain.gss]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=jagee)(objectclass=posixAccount)(memberOf=CN=sshadmins,OU=groups,DC=2k8r2domain,DC=gss))][CN=Jeremy Agee,CN=Users,DC=2k8r2domain,DC=gss].


Desired config would be to allow a filter as a one-line addition to the sssd
config.

id_provider = ad
ldap_access_filter = memberOf=CN=sshadmins,OU=groups,DC=2k8r2domain,DC=gss

Need to decide whether the fix would be in code or just documentation.
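As an added example (not part of this ticket and not SSSD code), the script below turns the report's three observations into a static check over sssd.conf text: with id_provider = ad, an access_provider = ldap search goes out on an unbound connection unless ldap_sasl_mech is set explicitly; the user filter carries objectclass=posixAccount unless ldap_schema = ad or ldap_user_object_class is set; and the one-line "desired config" never consults ldap_access_filter at all, because access_provider defaults to permit. It also reconstructs the filter shape visible in the debug log. Assumptions: the sAMAccountName/user defaults for ldap_schema = ad are taken from sssd-ldap(5); the sample configs are constructed to mirror the ticket (domain, host and user names are the ticket's); the last sample uses access_provider = ad with ad_access_filter, which a later comment in this ticket names as the current approach. Nothing here contacts LDAP.

```python
"""Check sssd.conf domain sections for the ldap_access_filter + id_provider = ad pitfall.

Added example for this ticket, not part of SSSD. It only parses configuration text
and never contacts LDAP; the sample configs below are constructed from the ticket.
"""
import configparser
import textwrap
from typing import Dict, List

# Attribute/object-class defaults selected by ldap_schema (assumed from sssd-ldap(5)).
SCHEMA_DEFAULTS = {
    "ad": {"ldap_user_name": "sAMAccountName", "ldap_user_object_class": "user"},
    "rfc2307": {"ldap_user_name": "uid", "ldap_user_object_class": "posixAccount"},
}


def domain_sections(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)  # values contain '$' and '%'
    cp.read_string(textwrap.dedent(conf_text))
    return {s.split("/", 1)[1]: dict(cp[s])
            for s in cp.sections() if s.startswith("domain/")}


def effective_user_filter(opts: Dict[str, str], username: str) -> str:
    """Reconstruct the user search filter the LDAP access provider sends.

    Same shape as the ticket's debug log:
    (&(<name attr>=<user>)(objectclass=<user class>)(<ldap_access_filter>))
    """
    schema = opts.get("ldap_schema", "rfc2307").lower()
    defaults = SCHEMA_DEFAULTS.get(schema, SCHEMA_DEFAULTS["rfc2307"])
    name_attr = opts.get("ldap_user_name", defaults["ldap_user_name"])
    user_oc = opts.get("ldap_user_object_class", defaults["ldap_user_object_class"])
    extra = opts.get("ldap_access_filter", "")
    if extra and not extra.startswith("("):
        extra = f"({extra})"  # a bare filter is wrapped, as in the log
    return f"(&({name_attr}={username})(objectclass={user_oc}){extra})"


def check_domain(opts: Dict[str, str]) -> List[str]:
    """Return finding codes for one domain section; an empty list means no pitfall."""
    findings: List[str] = []
    access_prov = opts.get("access_provider", "permit")  # SSSD default
    if opts.get("id_provider") == "ad" and access_prov == "ldap":
        # The ticket shows the access search going out unbound until
        # ldap_sasl_mech (plus ldap_sasl_authid) is set explicitly.
        if not opts.get("ldap_sasl_mech"):
            findings.append("unbound-access-search")
        # Without the AD schema or an explicit class the filter carries
        # objectclass=posixAccount, which AD user objects do not have.
        if (opts.get("ldap_schema", "").lower() != "ad"
                and not opts.get("ldap_user_object_class")):
            findings.append("posixaccount-filter")
    if "ldap_access_filter" in opts and access_prov == "permit":
        # The one-line "desired config": the filter is never consulted.
        findings.append("ldap-access-filter-ignored")
    return findings


def check_config(conf_text: str) -> Dict[str, List[str]]:
    """Run check_domain over every domain in an sssd.conf text."""
    return {name: check_domain(opts) for name, opts in domain_sections(conf_text).items()}


# Constructed sssd.conf fragments mirroring the ticket.
BROKEN = """
    [domain/2k8r2domain.gss]
    id_provider = ad
    access_provider = ldap
    ldap_access_order = filter, expire
    ldap_account_expire_policy = ad
    ldap_access_filter = memberOf=CN=sshadmins,OU=groups,DC=2k8r2domain,DC=gss
"""
WORKAROUND = BROKEN + """\
    ldap_sasl_mech = GSSAPI
    ldap_sasl_authid = RHEL6-2K8-ADPRO$@2K8R2DOMAIN.GSS
    ldap_schema = ad
"""
DESIRED = """
    [domain/2k8r2domain.gss]
    id_provider = ad
    ldap_access_filter = memberOf=CN=sshadmins,OU=groups,DC=2k8r2domain,DC=gss
"""
AD_ACCESS = """
    [domain/2k8r2domain.gss]
    id_provider = ad
    access_provider = ad
    ad_access_filter = (memberOf=CN=sshadmins,OU=groups,DC=2k8r2domain,DC=gss)
"""

if __name__ == "__main__":
    for label, conf in [("broken", BROKEN), ("workaround", WORKAROUND),
                        ("desired", DESIRED), ("ad_access_filter", AD_ACCESS)]:
        for domain, opts in domain_sections(conf).items():
            print(f"{label:17} {domain}: findings={check_domain(opts)}")
            if opts.get("access_provider") == "ldap":
                print(f"{'':17} filter={effective_user_filter(opts, 'jagee')}")
```

Running it shows the broken fragment producing both findings and the exact filter from the log, the workaround fragment producing none (with the filter switching to sAMAccountName/objectclass=user), and the desired one-liner being silently ignored rather than enforced, which is the security-relevant failure mode here: a host that looks restricted to sshadmins is actually letting every AD user in.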

milestone: NEEDS_TRIAGE => SSSD 1.12 beta
review: True => 0

Leave it for now. It might be improved when we change initialization of the providers.

This is better solved (in my opinion) by implementing the RFE in ticket #1326. Then a chained LDAP access provider could be used where needed.

Fields changed


So far we documented the behavior. The proper fix would be to support access provider chaining, but that's unlikely to happen. I propose to close.

milestone: SSSD 1.13 beta => SSSD 1.13 backlog
review: 0 => 1

Fields changed

priority: major => trivial

Mass-moving tickets not planned for any immediate release and re-setting priority.

milestone: SSSD 1.13 backlog => SSSD Deferred
priority: trivial => major

I think this can be closed; we have GPOs and ad_access_filter in the meantime.


Fields changed

resolution: => wontfix
status: new => closed

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD Patches welcome

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3019

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
