#2490 dereferencing failure against openldap server
Closed: Fixed None Opened 5 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1162480

Description of problem:
Group lookup fails with "Dereference control: attribute decoding error" failure
against openldap server

Version-Release number of selected component (if applicable):
sssd-1.12.2-10.el7

How reproducible:
Always

Steps to Reproduce:
1. Openldap server (openldap-servers-2.4.39-8.el6) has a group ref_grp1 with 12
members.

2. Set up sssd with the following in the domain section:
[domain/LDAP]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://<ldapserver>
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307bis
ldap_group_object_class = groupOfNames

3. # getent group ref_grp1 ; echo $?
2

Actual results:
Group lookup via sssd fails.

Domain log shows:
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [sdap_get_generic_op_finished]
(0x0400): Search result: Protocol error(2), Dereference control: attribute
decoding error
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [sdap_get_generic_op_finished]
(0x0040): Unexpected result from ldap: Protocol error(2), Dereference control:
attribute decoding error
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [generic_ext_search_handler]
(0x0040): sdap_get_generic_ext_recv failed [5]: Input/output error
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [sdap_deref_search_done] (0x0040):
dereference processing failed [5]: Input/output error
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]]
[sdap_nested_group_deref_direct_done] (0x0020): Error processing direct
membership [5]: Input/output error
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [sdap_nested_done] (0x0020): Nested
group processing failed: [5][Input/output error]
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [sdap_id_op_done] (0x0200):
communication error on cached connection, moving to next server
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000): too
many communication failures, giving up...


Expected results:
Group lookup should work fine as the issue was fixed in bug 1109188

Additional info:

ldapsearch works fine from the client:
# ldapsearch -x -LLL -h <ldapserver> -b 'dc=example,dc=com' -E
'!deref=member:cn,uid' cn=ref_grp1
dn: cn=ref_grp1,ou=qagroup,dc=example,dc=com
# member: <cn=Dref_User1>;<uid=drefuser1>;uid=drefuser1,dc=example,dc=com
# member: <cn=Dref_User2>;<uid=drefuser2>;uid=drefuser2,dc=example,dc=com
# member: <cn=Dref_User3>;<uid=drefuser3>;uid=drefuser3,dc=example,dc=com
# member: <cn=Dref_User4>;<uid=drefuser4>;uid=drefuser4,dc=example,dc=com
# member: <cn=Dref_User5>;<uid=drefuser5>;uid=drefuser5,dc=example,dc=com
# member: <cn=Dref_User6>;<uid=drefuser6>;uid=drefuser6,dc=example,dc=com
# member: <cn=Dref_User7>;<uid=drefuser7>;uid=drefuser7,dc=example,dc=com
# member: <cn=Dref_User8>;<uid=drefuser8>;uid=drefuser8,dc=example,dc=com
# member: <cn=Dref_User9>;<uid=drefuser9>;uid=drefuser9,dc=example,dc=com
# member: <cn=Dref_User10>;<uid=drefuser10>;uid=drefuser10,dc=example,dc=com
# member: <cn=Dref_User11>;<uid=drefuser11>;uid=drefuser11,dc=example,dc=com
# member: <cn=Dref_User12>;<uid=drefuser12>;uid=drefuser12,dc=example,dc=com

objectClass: extensibleObject
objectClass: groupOfNames
gidNumber: 10001
cn: ref_grp1
member: uid=drefuser1,dc=example,dc=com
member: uid=drefuser2,dc=example,dc=com
member: uid=drefuser3,dc=example,dc=com
member: uid=drefuser4,dc=example,dc=com
member: uid=drefuser5,dc=example,dc=com
member: uid=drefuser6,dc=example,dc=com
member: uid=drefuser7,dc=example,dc=com
member: uid=drefuser8,dc=example,dc=com
member: uid=drefuser9,dc=example,dc=com
member: uid=drefuser10,dc=example,dc=com
member: uid=drefuser11,dc=example,dc=com
member: uid=drefuser12,dc=example,dc=com
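
Added example (not part of the original ticket and not SSSD code): a small triage script that rejoins the hard-wrapped domain log lines quoted above and picks out the records where the dereference control failed. The sample input is constructed from log lines in this ticket; the function names `parse_records` and `deref_failures` are hypothetical.

```python
import re

# Constructed sample: SSSD domain log lines taken from this ticket, still hard-wrapped
SAMPLE_LOG = """\
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [sdap_get_generic_op_finished]
(0x0040): Unexpected result from ldap: Protocol error(2), Dereference control:
attribute decoding error
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [sdap_deref_search_done] (0x0040):
dereference processing failed [5]: Input/output error
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]]
[sdap_nested_group_deref_direct_done] (0x0020): Error processing direct
membership [5]: Input/output error
(Tue Nov 11 01:54:19 2014) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000): too
many communication failures, giving up...
"""

# One record: (timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message
RECORD = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$"
)

def parse_records(text):
    """Rejoin wrapped lines (a record starts with '(' plus a weekday) and parse each."""
    joined = []
    for line in text.splitlines():
        if re.match(r"^\([A-Z][a-z]{2} ", line) or not joined:
            joined.append(line.strip())
        elif line.strip():
            joined[-1] += " " + line.strip()
    return [m.groupdict() for m in map(RECORD.match, joined) if m]

def deref_failures(text):
    """Return (domain, function, message) for records tied to the deref control."""
    hits = []
    for rec in parse_records(text):
        in_deref_code = rec["func"].startswith("sdap_deref") or "_deref_" in rec["func"]
        if "Dereference control" in rec["msg"] or in_deref_code:
            hits.append((rec["domain"], rec["func"], rec["msg"]))
    return hits

if __name__ == "__main__":
    for domain, func, msg in deref_failures(SAMPLE_LOG):
        print(f"{domain}: {func}: {msg}")
```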

master: 30c964a

design_review: => 0
mark: no => 0
owner: somebody => sbose
review: True => 0
testsupdated: => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.3
resolution: => fixed
status: new => closed

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.12.3

2 years ago
