#3721 subdomain lookup fails when certmaprule contains DN

Created a month ago by jhrozek
Modified a month ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1568083

Description of problem:

I'm seeing AD Trust lookups fail when I have certmaprules using DNs for the
rule names.

#  Start with a working AD Trust in IPA:

[root@rhel7-1 ~]# id aduser1@ad.test
uid=1627001114(aduser1@ad.test) gid=1627001114(aduser1@ad.test)
groups=1627001114(aduser1@ad.test),1627000513(domain users@ad.test)

[root@rhel7-1 ~]# ipa certmaprule-add 'CN=adca,DC=ad,DC=test'
--matchrule='<ISSUER>CN=adca,DC=ad,DC=test' --domain=ipa2.test
Added Certificate Identity Mapping Rule "CN=adca,DC=ad,DC=test"
  Rule name: CN=adca,DC=ad,DC=test
  Mapping rule: (userCertificate;binary={cert!bin})
  Matching rule: <ISSUER>CN=adca,DC=ad,DC=test
  Domain name: ipa2.test
  Enabled: TRUE

[root@rhel7-1 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl
start sssd

[root@rhel7-1 ~]# id aduser1@ad.test
id: aduser1@ad.test: no such user

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  Setup IPA Master with AD Trust
2.  Add certmaprule with name set to a DN matching AD
3.  reset SSSD and try a lookup

Actual results:

Expected results:

Additional info:

sssd_domain log entries seen

(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sysdb_certmap_add] (0x0040):
ldb_add failed.
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sysdb_error_to_errno]
(0x0020): LDB returned unexpected error: [Invalid DN syntax]
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sysdb_certmap_add] (0x0400):
Error: 14 (Bad address)
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sysdb_update_certmap]
(0x0040): sysdb_certmap_add failed.
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [ldb] (0x4000): cancel ldb
transaction (nesting: 0)
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [ipa_certmap_parse_results]
(0x0040): sysdb_update_certmap failed(Mon Apr 16 13:01:49 2018)
[sssd[be[ipa2.test]]] [ipa_subdomains_certmap_done] (0x0040): Unable to parse
certmap results [14]: Bad address
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]]
[ipa_subdomains_refresh_certmap_done] (0x0020): Failed to read certificate
mapping rules [14]: Bad address
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sdap_id_op_destroy] (0x4000):
releasing operation connection
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [ipa_subdomains_handler_done]
(0x0020): Unable to refresh subdomains [14]: Bad address
a month ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1568083

Login to comment on this ticket.