#3721 subdomain lookup fails when certmaprule contains DN
Closed: Fixed a year ago by pbrezina. Opened 3 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1568083

Description of problem:

I'm seeing AD Trust lookups fail when I have certmaprules using DNs for the
rule names.

#  Start with a working AD Trust in IPA:

[root@rhel7-1 ~]# id aduser1@ad.test
uid=1627001114(aduser1@ad.test) gid=1627001114(aduser1@ad.test)
groups=1627001114(aduser1@ad.test),1627000513(domain users@ad.test)

[root@rhel7-1 ~]# ipa certmaprule-add 'CN=adca,DC=ad,DC=test' --maprule='(userCertificate;binary={cert!bin})' --matchrule='<ISSUER>CN=adca,DC=ad,DC=test' --domain=ipa2.test
---------------------------------------------------------------
Added Certificate Identity Mapping Rule "CN=adca,DC=ad,DC=test"
---------------------------------------------------------------
  Rule name: CN=adca,DC=ad,DC=test
  Mapping rule: (userCertificate;binary={cert!bin})
  Matching rule: <ISSUER>CN=adca,DC=ad,DC=test
  Domain name: ipa2.test
  Enabled: TRUE

[root@rhel7-1 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-1 ~]# id aduser1@ad.test
id: aduser1@ad.test: no such user


Version-Release number of selected component (if applicable):
sssd-1.16.0-19.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1.  Set up IPA Master with AD Trust
2.  Add certmaprule with name set to a DN matching AD
3.  Reset SSSD and try a lookup

Actual results:
fails

Expected results:
works

Additional info:

sssd_domain log entries seen

(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sysdb_certmap_add] (0x0040): ldb_add failed.
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [Invalid DN syntax]
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sysdb_certmap_add] (0x0400): Error: 14 (Bad address)
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sysdb_update_certmap] (0x0040): sysdb_certmap_add failed.
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [ldb] (0x4000): cancel ldb transaction (nesting: 0)
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [ipa_certmap_parse_results] (0x0040): sysdb_update_certmap failed
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [ipa_subdomains_certmap_done] (0x0040): Unable to parse certmap results [14]: Bad address
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [ipa_subdomains_refresh_certmap_done] (0x0020): Failed to read certificate mapping rules [14]: Bad address
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [ipa_subdomains_handler_done] (0x0020): Unable to refresh subdomains [14]: Bad address
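The log above points at the rule name itself: a name such as `CN=adca,DC=ad,DC=test` is a DN, and when it is pasted verbatim into the cache entry's DN as an RDN value, the commas and equals signs are read as DN structure rather than as part of the value. The following Python is an added example, not SSSD or libldb code. It shows RFC 4514 escaping of an RDN value, a small DN parser that honours those escapes, and the structural difference between the naive and the escaped DN. The cache base `cn=certmap,cn=ipa2.test,cn=sysdb`, the helper names and the sample inputs are assumptions constructed for the example; the exact rule by which ldb rejects the unescaped DN is not reproduced.

```python
"""RFC 4514 escaping of a DN-shaped rule name used as an RDN value.

Added example; not SSSD or libldb code. BASE is a constructed cache base,
not SSSD's real sysdb layout. RULE is the rule name from the ticket.
"""

# Characters escaped with a backslash inside an RDN value. RFC 4514 requires
# escaping for , + " \ < > ; and the null character; '=' is escaped here too
# as a conservative choice, which RFC 4514 explicitly permits.
SPECIAL = set(',+"\\<>;=')

BASE = "cn=certmap,cn=ipa2.test,cn=sysdb"   # constructed, assumed base
RULE = "CN=adca,DC=ad,DC=test"              # rule name from the ticket


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # leading '#' must be escaped
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str):
    """Split a DN into (type, value) RDNs, honouring backslash escapes.

    Values are returned unescaped. Multi-valued RDNs ('+') are not supported
    and, like other unescaped specials, raise ValueError.
    """
    rdns = []
    i, n = 0, len(dn)
    while i < n:
        # Attribute type: a keystring (letters, digits, '-') followed by '='.
        j = i
        while j < n and (dn[j].isalnum() or dn[j] == "-"):
            j += 1
        if j == i or j >= n or dn[j] != "=":
            raise ValueError(f"bad attribute type at offset {i}")
        atype = dn[i:j]
        j += 1
        value = []
        while j < n and dn[j] != ",":
            ch = dn[j]
            if ch == "\\":
                if j + 1 >= n:
                    raise ValueError("dangling escape")
                nxt = dn[j + 1]
                if nxt in SPECIAL or nxt in " #":
                    value.append(nxt)
                    j += 2
                    continue
                # \XX hex pair; int() raises ValueError on a malformed pair
                value.append(chr(int(dn[j + 1:j + 3], 16)))
                j += 3
                continue
            if ch in '+"<>;':
                raise ValueError(f"unescaped {ch!r} in value")
            value.append(ch)
            j += 1
        rdns.append((atype, "".join(value)))
        i = j + 1  # skip the separating comma
    return rdns


def naive_dn(rule_name: str, base: str = BASE) -> str:
    """String concatenation: the rule name is pasted in unescaped."""
    return f"cn={rule_name},{base}"


def escaped_dn(rule_name: str, base: str = BASE) -> str:
    """Same DN, but with the rule name escaped as a single RDN value."""
    return f"cn={escape_rdn_value(rule_name)},{base}"


def first_rdn_value(dn: str) -> str:
    """Return the value of the leading RDN, as a parser would see it."""
    return parse_dn(dn)[0][1]


if __name__ == "__main__":
    for label, dn in (("naive", naive_dn(RULE)), ("escaped", escaped_dn(RULE))):
        rdns = parse_dn(dn)
        print(f"{label}: {dn}")
        print(f"  {len(rdns)} RDNs, leading value = {rdns[0][1]!r}")
```

With the naive DN the parser sees six RDNs and a leading value of `CN=adca`, so the rule name is no longer recoverable from the entry's DN; with the escaped DN it sees the intended four RDNs and the leading value round-trips to the original rule name. The defensive rule is the same whatever the DN library: never build a DN by string concatenation from a value you do not control, use the library's escaping or DN-component API instead.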

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1568083

3 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.1 (was: SSSD 2.0)

2 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.2 (was: SSSD 2.1)

2 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.3 (was: SSSD 2.2)

2 years ago

Metadata Update from @pbrezina:
- Issue tagged with: bugzilla

a year ago

Metadata Update from @sbose:
- Issue assigned to sbose

a year ago

Metadata Update from @sbose:
- Custom field patch adjusted to on

a year ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4730

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
