#2490 dereferencing failure against openldap server
Closed: Fixed None Opened 6 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1162480

Description of problem:
Group lookup fails with "Dereference control: attribute decoding error" failure
against openldap server

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Openldap server (openldap-servers-2.4.39-8.el6) has a group ref_grp1 with 12

2. Setup sssd with the following in domain section:
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://<ldapserver>
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307bis
ldap_group_object_class = groupOfNames

3. # getent group ref_grp1 ; echo $?

Actual results:
Group lookup via sssd fails.

Domain log shows:
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [sdap_get_generic_op_finished]
(0x0400): Search result: Protocol error(2), Dereference control: attribute
decoding error
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [sdap_get_generic_op_finished]
(0x0040): Unexpected result from ldap: Protocol error(2), Dereference control:
attribute decoding error
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [generic_ext_search_handler]
(0x0040): sdap_get_generic_ext_recv failed [5]: Input/output error
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [sdap_deref_search_done] (0x0040):
dereference processing failed [5]: Input/output error
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]]
[sdap_nested_group_deref_direct_done] (0x0020): Error processing direct
membership [5]: Input/output error
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [sdap_nested_done] (0x0020): Nested
group processing failed: [5][Input/output error]
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [sdap_id_op_done] (0x0200):
communication error on cached connection, moving to next server
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000): too
many communication failures, giving up...

Expected results:
Group lookup should work fine as the issue was fixed in bug 1109188

Additional info:

ldapsearch works fine from the client:
# ldapsearch -x -LLL -h <ldapserver> -b 'dc=example,dc=com' -E
'!deref=member:cn,uid' cn=ref_grp1
dn: cn=ref_grp1,ou=qagroup,dc=example,dc=com
# member: <cn=Dref_User1>;<uid=drefuser1>;uid=drefuser1,dc=example,dc=com
# member: <cn=Dref_User2>;<uid=drefuser2>;uid=drefuser2,dc=example,dc=com
# member: <cn=Dref_User3>;<uid=drefuser3>;uid=drefuser3,dc=example,dc=com
# member: <cn=Dref_User4>;<uid=drefuser4>;uid=drefuser4,dc=example,dc=com
# member: <cn=Dref_User5>;<uid=drefuser5>;uid=drefuser5,dc=example,dc=com
# member: <cn=Dref_User6>;<uid=drefuser6>;uid=drefuser6,dc=example,dc=com
# member: <cn=Dref_User7>;<uid=drefuser7>;uid=drefuser7,dc=example,dc=com
# member: <cn=Dref_User8>;<uid=drefuser8>;uid=drefuser8,dc=example,dc=com
# member: <cn=Dref_User9>;<uid=drefuser9>;uid=drefuser9,dc=example,dc=com
# member: <cn=Dref_User10>;<uid=drefuser10>;uid=drefuser10,dc=example,dc=com
# member: <cn=Dref_User11>;<uid=drefuser11>;uid=drefuser11,dc=example,dc=com
# member: <cn=Dref_User12>;<uid=drefuser12>;uid=drefuser12,dc=example,dc=com

objectClass: extensibleObject
objectClass: groupOfNames
gidNumber: 10001
cn: ref_grp1
member: uid=drefuser1,dc=example,dc=com
member: uid=drefuser2,dc=example,dc=com
member: uid=drefuser3,dc=example,dc=com
member: uid=drefuser4,dc=example,dc=com
member: uid=drefuser5,dc=example,dc=com
member: uid=drefuser6,dc=example,dc=com
member: uid=drefuser7,dc=example,dc=com
member: uid=drefuser8,dc=example,dc=com
member: uid=drefuser9,dc=example,dc=com
member: uid=drefuser10,dc=example,dc=com
member: uid=drefuser11,dc=example,dc=com
member: uid=drefuser12,dc=example,dc=com
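A triage sketch for the domain log in the report above, added here as an example; it is not code from the ticket or from SSSD. It assumes the timestamp and line-wrapping shown in the ticket, and the names `parse_entries` and `triage_deref` are hypothetical.

```python
import re

# Constructed sample: three entries in the shape of the domain log above,
# still hard-wrapped the way the ticket shows them.
SAMPLE_LOG = """\
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [sdap_get_generic_op_finished]
(0x0040): Unexpected result from ldap: Protocol error(2), Dereference control:
attribute decoding error
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [sdap_nested_done] (0x0020): Nested
group processing failed: [5][Input/output error]
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000): too
many communication failures, giving up...
"""

# An entry starts with a timestamp; continuation lines such as "(0x0040): ..."
# also begin with "(", so matching on "(" alone is not enough.
START = re.compile(r"^\(\w{3} \w{3} [ \d]\d \d{2}:\d{2}:\d{2} \d{4}\) ")
ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>\S+)\] \[(?P<func>\w+)\] "
                   r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

def parse_entries(text):
    """Rejoin wrapped lines and return one dict per log entry."""
    joined = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if START.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line
    entries = []
    for m in filter(None, map(ENTRY.match, joined)):
        entries.append({**m.groupdict(), "level": int(m["level"], 16)})
    return entries

def triage_deref(entries):
    """Summarise a dereference-control failure and what followed it."""
    start = next((i for i, e in enumerate(entries)
                  if "Dereference control" in e["msg"]), None)
    if start is None:
        return {"deref_error": False, "failed_in": [], "gave_up": False}
    after = entries[start:]
    return {
        "deref_error": True,
        # 0x0040 and below are the failure levels seen in this log.
        "failed_in": [e["func"] for e in after if e["level"] <= 0x0040],
        "gave_up": any("giving up" in e["msg"] for e in after),
    }

if __name__ == "__main__":
    print(triage_deref(parse_entries(SAMPLE_LOG)))
```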

master: 30c964a

owner: somebody => sbose

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.3
resolution: => fixed
status: new => closed

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.12.3

4 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/3532

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
