Hi,
I found a bug in sssd stable 1.9.2 and 1.9.4. I found no place to report this so maybe
someone here is able to help with this.
The sudoers ldap lookups fail with a timeout message (see below) when using ldap_uri =
_srv_ (which works with anything else i.e. ldap_users, ldap_groups, ...).
This is how it looks with ldap_uri set to _srv_:
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_sudo_full_refresh_send] (0x0400):
Issuing a full refresh of sudo rules
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_sudo_refresh_connect_done] (0x0400):
SUDO LDAP connection successful
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_sudo_load_sudoers_next_base]
(0x0400): Searching for sudo rules with base [dc=mydomain,dc=org]
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x0400):
calling ldap_search_ext with [(objectClass=sudoRole)][dc=mydomain,dc=org].
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [sudoCommand]
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [sudoHost]
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [sudoUser]
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [sudoOption]
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [sudoRunAsUser]
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [sudoRunAsGroup]
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [sudoNotBefore]
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [sudoNotAfter]
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [sudoOrder]
(Thu Apr 18 20:52:03 2013) [sssd[be[MYDOMAIN]]] [sdap_sudo_load_sudoers_process] (0x0400):
Receiving sudo rules with base [dc=mydomain,dc=org]
(Thu Apr 18 20:52:03 2013) [sssd[be[MYDOMAIN]]] [sdap_sudo_periodical_first_refresh_done]
(0x0040): Periodical full refresh of sudo rules failed [110]: Connection timed out)
For debugging I turned off ldap_sudo_use_host_filter just in case someone is wondering
about the short ldap filter.
With an ldap_uri set to a FQHN anything works as expected.
Is there anyone who can help creating a patch for this? I have very little knowledge about
the sssd source.
Thanks,
Marcus