Issue #3721: subdomain lookup fails when certmaprule contains DN - sssd

SSSD / sssd

#3721 subdomain lookup fails when certmaprule contains DN

Opened 7 months ago by jhrozek. Modified 3 months ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1568083

Description of problem:

I'm seeing AD Trust lookups fail when I have certmaprules using DNs for the
rule names.

#  Start with a working AD Trust in IPA:

[root@rhel7-1 ~]# id aduser1@ad.test
uid=1627001114(aduser1@ad.test) gid=1627001114(aduser1@ad.test)
groups=1627001114(aduser1@ad.test),1627000513(domain users@ad.test)

[root@rhel7-1 ~]# ipa certmaprule-add 'CN=adca,DC=ad,DC=test'
--maprule='(userCertificate;binary={cert!bin})'
--matchrule='<ISSUER>CN=adca,DC=ad,DC=test' --domain=ipa2.test
---------------------------------------------------------------
Added Certificate Identity Mapping Rule "CN=adca,DC=ad,DC=test"
---------------------------------------------------------------
  Rule name: CN=adca,DC=ad,DC=test
  Mapping rule: (userCertificate;binary={cert!bin})
  Matching rule: <ISSUER>CN=adca,DC=ad,DC=test
  Domain name: ipa2.test
  Enabled: TRUE

[root@rhel7-1 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl
start sssd

[root@rhel7-1 ~]# id aduser1@ad.test
id: aduser1@ad.test: no such user


Version-Release number of selected component (if applicable):
sssd-1.16.0-19.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1.  Setup IPA Master with AD Trust
2.  Add certmaprule with name set to a DN matching AD
3.  reset SSSD and try a lookup

Actual results:
fails

Expected results:
works

Additional info:

sssd_domain log entries seen

(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sysdb_certmap_add] (0x0040):
ldb_add failed.
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sysdb_error_to_errno]
(0x0020): LDB returned unexpected error: [Invalid DN syntax]
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sysdb_certmap_add] (0x0400):
Error: 14 (Bad address)
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sysdb_update_certmap]
(0x0040): sysdb_certmap_add failed.
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [ldb] (0x4000): cancel ldb
transaction (nesting: 0)
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [ipa_certmap_parse_results]
(0x0040): sysdb_update_certmap failed(Mon Apr 16 13:01:49 2018)
[sssd[be[ipa2.test]]] [ipa_subdomains_certmap_done] (0x0040): Unable to parse
certmap results [14]: Bad address
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]]
[ipa_subdomains_refresh_certmap_done] (0x0020): Failed to read certificate
mapping rules [14]: Bad address
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [sdap_id_op_destroy] (0x4000):
releasing operation connection
(Mon Apr 16 13:01:49 2018) [sssd[be[ipa2.test]]] [ipa_subdomains_handler_done]
(0x0020): Unable to refresh subdomains [14]: Bad address

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1568083

7 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.1 (was: SSSD 2.0)

3 months ago

Metadata

Assignee

None

Tags

None

Blocking

None

Depending on

None

Priority

None

Milestone

SSSD 2.1

type

None

component

None

version

None

testsupdated

None

selected

None

patch

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1568083

design_review

None

review

None

changelog

None

keywords

None

coverity

None

mark

None

blocking

None

design

None

sensitive

None

blockedby

None

feature_milestone

None

SSSD / sssd

Source Code

Documentation

#3721 subdomain lookup fails when certmaprule contains DN Opened 7 months ago by jhrozek. Modified 3 months ago

Close issue as:

Metadata

#3721 subdomain lookup fails when certmaprule contains DN

Opened 7 months ago by jhrozek. Modified 3 months ago