On Fri, Apr 19, 2013 at 10:56:36AM +0200, Jakub Hrozek wrote:
On Thu, Apr 18, 2013 at 07:29:42PM +0000, Marcus wrote:
> Hi,
>
> I found a bug in sssd stable 1.9.2 and 1.9.4. I found no place to report this so
> maybe someone here is able to help with this.
>
> The sudoers ldap lookups fail with a timeout message (see below) when using ldap_uri
> = _srv_ (which works with anything else i.e. ldap_users, ldap_groups, ...).
>
> This is how it looks with ldap_uri set to _srv_:
>
> (Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo rules
> (Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
> (Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [dc=mydomain,dc=org]
> (Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=sudoRole)][dc=mydomain,dc=org].
> (Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand]
> (Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
> (Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser]
> (Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption]
> (Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser]
> (Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup]
> (Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore]
> (Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter]
> (Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder]
> (Thu Apr 18 20:52:03 2013) [sssd[be[MYDOMAIN]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [dc=mydomain,dc=org]
> (Thu Apr 18 20:52:03 2013) [sssd[be[MYDOMAIN]]] [sdap_sudo_periodical_first_refresh_done] (0x0040): Periodical full refresh of sudo rules failed [110]: Connection timed out)
>
> For debugging I turned off ldap_sudo_use_host_filter just in case someone is
> wondering about the short ldap filter.
>
> With an ldap_uri set to a FQHN anything works as expected.
Earlier in the logs, you should see what the SRV query expanded to. Are
these servers discovered from DNS what you expect?

The LDAP code that fetches the rules is the same when SRV records are
used and when LDAP URI is used.

And if they are what you'd expect, can you try running the same query
with ldapsearch?

    ldapsearch -x -H ldap://ldap.mydomain.org -b dc=mydomain,dc=org '(objectClass=sudoRole)'

If you have access to the server logs, maybe they'd have some useful
information, too.
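As an added diagnostic helper (not code from this thread or from sssd itself), the following shell script does what the reply suggests: it expands the SRV record that an _srv_ ldap_uri resolves through into explicit LDAP URIs and runs the same sudoRole search against each server in turn, so a server that answers for users but times out for sudo rules stands out. The `_ldap._tcp.<domain>` SRV name, the 10 second query limit and the hostnames in the sample input are assumptions.

```shell
#!/bin/sh
# Diagnostic helper (added example, not sssd code). Given the SRV answer that
# sssd's _srv_ lookup would use, build explicit ldap:// URIs and query each one.

# Input on stdin: lines in "dig +short SRV" format, i.e.
#   "<priority> <weight> <port> <target>."
# Output: one "ldap://host:port" per line. Lowest priority first; within one
# priority sssd picks weighted-random, shown here simply as descending weight.
srv_to_ldap_uris() {
    sort -k1,1n -k2,2nr | awk '{ sub(/\.$/, "", $4); print "ldap://" $4 ":" $3 }'
}

# Run the sudoRole query from the thread against every discovered server.
# -l 10 caps the search at 10 s (assumed value) so a server that never answers
# is reported as a failure instead of blocking the loop for a full timeout.
check_sudo_rules() {
    domain=$1; base=$2
    dig +short SRV "_ldap._tcp.$domain" | srv_to_ldap_uris | while read -r uri; do
        printf '== %s\n' "$uri"
        ldapsearch -x -H "$uri" -b "$base" -l 10 '(objectClass=sudoRole)' dn \
            || printf '!! sudoRole query against %s failed\n' "$uri"
    done
}

# Usage (real DNS and LDAP needed): check_sudo_rules mydomain.org dc=mydomain,dc=org
```

Compare the per-server output with a query using the FQHN: if one server in the SRV set fails or hangs while the others answer, that is the server the _srv_ fail-over picked for the sudo refresh.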