Issue #3721: subdomain lookup fails when certmaprule contains DN - sssd

SSSD/sssd

System Security Services Daemon

#3721 subdomain lookup fails when certmaprule contains DN

Created 5 months ago by jhrozek

Modified a month ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1568083

Description of problem:

I'm seeing AD Trust lookups fail when I have certmaprules using DNs for the
rule names.

#  Start with a working AD Trust in IPA:

[root@rhel7-1 ~]# id aduser1@ad.test
uid=1627001114(aduser1@ad.test) gid=1627001114(aduser1@ad.test)
groups=1627001114(aduser1@ad.test),1627000513(domain users@ad.test)

[root@rhel7-1 ~]# ipa certmaprule-add 'CN=adca,DC=ad,DC=test'
--maprule='(userCertificate;binary={cert!bin})'
--matchrule='<ISSUER>CN=adca,DC=ad,DC=test' --domain=ipa2.test
---------------------------------------------------------------
Added Certificate Identity Mapping Rule "CN=adca,DC=ad,DC=test"
---------------------------------------------------------------
  Rule name: CN=adca,DC=ad,DC=test
  Mapping rule: (userCertificate;binary={cert!bin})
  Matching rule: <ISSUER>CN=adca,DC=ad,DC=test
  Domain name: ipa2.test
  Enabled: TRUE

[root@rhel7-1 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl
start sssd

[root@rhel7-1 ~]# id aduser1@ad.test
id: aduser1@ad.test: no such user


Version-Release number of selected component (if applicable):
sssd-1.16.0-19.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1.  Setup IPA Master with AD Trust
2.  Add certmaprule with name set to a DN matching AD
3.  reset SSSD and try a lookup

Actual results:
fails

Expected results:
works

Additional info:

sssd_domain log entries seen

(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sysdb_certmap_add] (0x0040):
ldb_add failed.
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sysdb_error_to_errno]
(0x0020): LDB returned unexpected error: [Invalid DN syntax]
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sysdb_certmap_add] (0x0400):
Error: 14 (Bad address)
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sysdb_update_certmap]
(0x0040): sysdb_certmap_add failed.
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [ldb] (0x4000): cancel ldb
transaction (nesting: 0)
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [ipa_certmap_parse_results]
(0x0040): sysdb_update_certmap failed(Mon Apr 16 13:01:49 2018)
[sssd[be[ipa2.test]]] [ipa_subdomains_certmap_done] (0x0040): Unable to parse
certmap results [14]: Bad address
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]]
[ipa_subdomains_refresh_certmap_done] (0x0020): Failed to read certificate
mapping rules [14]: Bad address
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sdap_id_op_destroy] (0x4000):
releasing operation connection
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [ipa_subdomains_handler_done]
(0x0020): Unable to refresh subdomains [14]: Bad address

5 months ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1568083

a month ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.1 (was: SSSD 2.0)

Status

Open

Tags

Assignee

unassigned

Blocking

Depending on

Priority

Milestone

SSSD 2.1

Cancel

type

component

version

testsupdated

selected

patch

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1568083

design_review

review

changelog

keywords

coverity

mark

blocking

design

sensitive

blockedby

feature_milestone

cancel