#2383 dereferencing control failure against openldap server
Closed: Fixed None Opened 6 years ago by dpal.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1109188

Description of problem:
Unable to lookup groups with dereferencing control enabled on openldap server

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. ldapsearch against the openldap server returns:

# ldapsearch -x -LLL -h <ldapserver> -b 'dc=example,dc=com' -D "cn=Manager,dc=example,dc=com" -w XXXXX -E 'deref=member:uid' cn=ref_grp1
dn: cn=ref_grp1,ou=qagroup,dc=example,dc=com
# member: <uid=drefuser1>;uid=drefuser1,dc=example,dc=com
# member: <uid=drefuser2>;uid=drefuser2,dc=example,dc=com
# member: <uid=drefuser3>;uid=drefuser3,dc=example,dc=com
# member: <uid=drefuser4>;uid=drefuser4,dc=example,dc=com
# member: <uid=drefuser5>;uid=drefuser5,dc=example,dc=com
# member: <uid=drefuser6>;uid=drefuser6,dc=example,dc=com
# member: <uid=drefuser7>;uid=drefuser7,dc=example,dc=com
# member: <uid=drefuser8>;uid=drefuser8,dc=example,dc=com
# member: <uid=drefuser9>;uid=drefuser9,dc=example,dc=com
# member: <uid=drefuser10>;uid=drefuser10,dc=example,dc=com
# member: <uid=drefuser11>;uid=drefuser11,dc=example,dc=com
# member: <uid=drefuser12>;uid=drefuser12,dc=example,dc=com

objectClass: extensibleObject
objectClass: groupOfNames
gidNumber: 10001
cn: ref_grp1
member: uid=drefuser1,dc=example,dc=com
member: uid=drefuser2,dc=example,dc=com
member: uid=drefuser3,dc=example,dc=com
member: uid=drefuser4,dc=example,dc=com
member: uid=drefuser5,dc=example,dc=com
member: uid=drefuser6,dc=example,dc=com
member: uid=drefuser7,dc=example,dc=com
member: uid=drefuser8,dc=example,dc=com
member: uid=drefuser9,dc=example,dc=com
member: uid=drefuser10,dc=example,dc=com
member: uid=drefuser11,dc=example,dc=com
member: uid=drefuser12,dc=example,dc=com

2. Configure sssd.conf with the following in domain section:
id_provider = ldap
auth_provider = ldap
enumerate = FALSE
debug_level = 0xFFF0
ldap_uri = ldap://<ldapserver>
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307bis
ldap_group_object_class = groupOfNames

3. Lookup group ref_grp1
# getent group ref_grp1; echo $?

Actual results:
Lookup via sssd fails. Domain log shows:

(Fri Jun 13 08:18:53 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_done]
(0x0400): Search result: Protocol error(2), Dereference control: attribute
decoding error
(Fri Jun 13 08:18:53 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_done]
(0x0040): Unexpected result from ldap: Protocol error(2), Dereference control:
attribute decoding error
(Fri Jun 13 08:18:53 2014) [sssd[be[LDAP]]] [sdap_x_deref_search_done]
(0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Fri Jun 13 08:18:53 2014) [sssd[be[LDAP]]] [sdap_deref_search_done] (0x0040):
dereference processing failed [5]: Input/output error
(Fri Jun 13 08:18:53 2014) [sssd[be[LDAP]]]
[sdap_nested_group_deref_direct_done] (0x0020): Error processing direct
membership [5]: Input/output error
(Fri Jun 13 08:18:53 2014) [sssd[be[LDAP]]] [sdap_nested_done] (0x0020): Nested
group processing failed: [5][Input/output error]
(Fri Jun 13 08:18:53 2014) [sssd[be[LDAP]]] [sdap_id_op_done] (0x0200):
communication error on cached connection, moving to next server
(Fri Jun 13 08:18:53 2014) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000): too
many communication failures, giving up...
(Fri Jun 13 08:18:53 2014) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000):
releasing operation connection
(Fri Jun 13 08:18:53 2014) [sssd[be[LDAP]]] [sdap_id_release_conn_data]
(0x4000): releasing unused connection
(Fri Jun 13 08:18:53 2014) [sssd[be[LDAP]]] [sdap_handle_release] (0x2000):
Trace: sh[0x1025ae0], connected[1], ops[(nil)], ldap[0x1010a50],
destructor_lock[0], release_memory[0]
(Fri Jun 13 08:18:53 2014) [sssd[be[LDAP]]] [remove_connection_callback]
(0x4000): Successfully removed connection callback.
(Fri Jun 13 08:18:53 2014) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100):
Request processed. Returned 3,5,Group lookup failed

Expected results:
Group lookup should work

Additional info:
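
Added example, not part of the original ticket and not SSSD code: a triage script for domain logs in the format shown under "Actual results", which reports group lookups that failed after a dereference-control error in the same domain. The names parse_entries and deref_caused_failures are hypothetical, and the sample log is constructed in the ticket's layout.

```python
import re

# Constructed sample in the layout of the domain log above (hard-wrapped entries
# included); the last entry, a successful lookup, is invented for contrast.
SAMPLE_LOG = """\
(Fri Jun 13 08:18:53 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_done]
(0x0040): Unexpected result from ldap: Protocol error(2), Dereference control:
attribute decoding error
(Fri Jun 13 08:18:53 2014) [sssd[be[LDAP]]] [sdap_deref_search_done] (0x0040):
dereference processing failed [5]: Input/output error
(Fri Jun 13 08:18:53 2014) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100):
Request processed. Returned 3,5,Group lookup failed
(Fri Jun 13 08:19:10 2014) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100):
Request processed. Returned 0,0,Success
"""

# An entry starts with a ctime-style timestamp; a bare "(" is not enough because
# wrapped continuation lines can begin with the "(0x0040):" level field.
START = re.compile(r"^\(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}\) ")
ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                   r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

def parse_entries(text):
    """Re-join hard-wrapped lines and return one dict per log entry."""
    joined = []
    for line in text.splitlines():
        if START.match(line) or not joined:
            joined.append(line.strip())
        elif line.strip():
            joined[-1] += " " + line.strip()
    return [m.groupdict() for m in map(ENTRY.match, joined) if m]

def deref_caused_failures(entries):
    """Return failed lookups preceded by a dereference-control error in the same domain."""
    findings, pending = [], {}
    for e in entries:
        if "Dereference control" in e["msg"] and "error" in e["msg"].lower():
            pending[e["domain"]] = e          # remember the cause until the request completes
        elif e["func"] == "acctinfo_callback":
            cause = pending.pop(e["domain"], None)   # a completed request clears the state
            if cause and "lookup failed" in e["msg"]:
                findings.append({"domain": e["domain"], "ts": e["ts"],
                                 "cause": cause["msg"], "result": e["msg"]})
    return findings

if __name__ == "__main__":
    for f in deref_caused_failures(parse_entries(SAMPLE_LOG)):
        print(f"{f['ts']} [{f['domain']}] {f['result']} <- {f['cause']}")
```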

Fields changed

design_review: => 0
owner: somebody => lslebodn
review: True => 0
status: new => assigned
testsupdated: => 0

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Metadata Update from @dpal:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.11.7

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3425

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
