From nobody@FreeBSD.org  Thu Aug  9 12:10:21 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2338E1065676
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  9 Aug 2012 12:10:21 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id E45778FC1A
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  9 Aug 2012 12:10:20 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q79CAKNU026720
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 9 Aug 2012 12:10:20 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q79CAK5P026719;
	Thu, 9 Aug 2012 12:10:20 GMT
	(envelope-from nobody)
Message-Id: <201208091210.q79CAK5P026719@red.freebsd.org>
Date: Thu, 9 Aug 2012 12:10:20 GMT
From: Ruslan <r.kalakutsky@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: sssd failed to connect Ldap server without SASL
X-Send-Pr-Version: www-3.1
X-GNATS-Notify: aweits@rit.edu

>Number:         170502
>Category:       ports
>Synopsis:       security/sssd failed to connect Ldap server without SASL
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    zi
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 09 12:20:01 UTC 2012
>Closed-Date:    Mon Oct 28 18:29:55 UTC 2013
>Last-Modified:  Mon Oct 28 18:29:55 UTC 2013
>Originator:     Ruslan
>Release:        8.2-STABLE
>Organization:
twint.ru
>Environment:
FreeBSD outpost.twint.ru 8.2-STABLE FreeBSD 8.2-STABLE #1: Thu Nov 17 03:54:46 UTC 2011     ruslan_ka@:/usr/obj/usr/src/sys/G1  amd64
>Description:
sssd daemon (security/sssd) fails to bind to the LDAP server (openldap 2.4 in my case) if I use simple bind over TLS (without SASL). This is a known problem: https://fedorahosted.org/sssd/ticket/1100
>How-To-Repeat:
Try to use TLS + simple bind to connect to the LDAP server with a config like this:

/usr/local/etc/sssd/sssd.conf
[domain/example.com]
description =  user database
id_provider = ldap
auth_provider = ldap
enumerate = true
min_id = 10000
max_id = 0
cache_credentials = true
use_fully_qualified_names = false
ldap_schema = rfc2307
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /usr/local/openssl/example.com/cacert.pem
ldap_tls_cacertdir = /usr/local/openssl/example.com/newcerts
ldap_tls_cert = /usr/local/openssl/example.com/certs/ldapclient.example.com.cer
ldap_tls_key  = /usr/local/openssl/example.com/private/ldap.client.example.com.key
ldap_id_use_start_tls = true
ldap_default_bind_dn = cn=ldaproot,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = secret


and you will get this error in the log:
 [sdap_sys_connect_done] (1): Failed to set LDAP SASL nocanon option to true
>Fix:
1) Put the attached patch (based on https://fedorahosted.org/sssd/ticket/1100) into /usr/ports/security/sssd/files.
2) Or update the version of sssd in ports (current stable is 1.8.4).

Patch attached with submission follows:

Index: src/providers/ldap/sdap_async_connection.c
===================================================================
--- src/providers/ldap/sdap_async_connection.c	(revision 11f9ae2ef3a4884b5e7750a3d549a58a71abc015)
+++ src/providers/ldap/sdap_async_connection.c	(revision 17707de12d69baa3bb2490ce9f0aeed7d4a0a7a0)
@@ -265,7 +265,13 @@
                            sasl_nocanon ? LDAP_OPT_ON : LDAP_OPT_OFF);
     if (lret != LDAP_OPT_SUCCESS) {
-        DEBUG(1, ("Failed to set LDAP SASL nocanon option to %s\n",
-                   sasl_nocanon ? "true" : "false"));
-        goto fail;
+        /* Do not fail, just warn into both debug logs and syslog */
+        DEBUG(3,
+              ("Failed to set LDAP SASL nocanon option to %s. If your system "
+               "is configured to use SASL, LDAP operations might fail.\n",
+              sasl_nocanon ? "true" : "false"));
+        sss_log(SSS_LOG_INFO,
+                "Failed to set LDAP SASL nocanon option to %s. If your system "
+                "is configured to use SASL, LDAP operations might fail.\n",
+                sasl_nocanon ? "true" : "false");
     }
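Review bot: besides turning the failed option-set call into a warning, the hunk lowers the DEBUG level of the message from 1 to 3, so a condition that previously aborted the connection will no longer appear in the debug log unless debug_level is raised to 3; the sss_log() line helps, but consider keeping DEBUG(1) so the nocanon failure stays visible when a SASL-configured domain later fails to bind. Minor: the same message text is duplicated verbatim in the DEBUG() and sss_log() calls and can be one static const string, and the trailing "\n" in the sss_log() format string is not needed for a syslog message.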


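The following is an added example, not code from the PR or from sssd: it audits the LDAP domain sections of an sssd.conf, flagging the simple-bind-without-SASL setup this report describes and the settings that would weaken the TLS protection of that bind. SAMPLE_CONF is constructed from the config in the report; the option names and their defaults (ldap_tls_reqcert = hard, ldap_id_use_start_tls = false) are sssd's own.

```python
"""Audit sssd.conf LDAP domains for the simple-bind-over-TLS setup in this PR
and for settings that weaken the TLS protection of the bind.
Added example, not part of the PR or of sssd."""
import configparser
from urllib.parse import urlparse

# Constructed from the config in the report (comment-free, trimmed).
SAMPLE_CONF = """\
[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /usr/local/openssl/example.com/cacert.pem
ldap_id_use_start_tls = true
ldap_default_bind_dn = cn=ldaproot,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = secret
"""

def _true(value):
    return str(value).strip().lower() in ("true", "yes", "1")

def audit_sssd_conf(conf_text):
    """Return (section, severity, message) findings for every LDAP domain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        d = cp[name]
        if not name.startswith("domain/") or d.get("id_provider") != "ldap":
            continue
        # The PR's scenario: a bind DN with no SASL mechanism is a simple bind.
        if d.get("ldap_default_bind_dn") and not d.get("ldap_sasl_mech"):
            findings.append((name, "info", "simple bind without SASL: "
                             "the setup this PR reports as failing"))
        # A simple bind sends the password; ldap:// without StartTLS is cleartext.
        start_tls = _true(d.get("ldap_id_use_start_tls", "false"))
        for uri in d.get("ldap_uri", "").replace(",", " ").split():
            if urlparse(uri).scheme == "ldap" and not start_tls:
                findings.append((name, "high", f"{uri}: bind credentials "
                                 "sent in cleartext (StartTLS is off)"))
        # Anything below demand/hard accepts an unverified server certificate.
        reqcert = d.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert not in ("demand", "hard"):
            findings.append((name, "high", f"ldap_tls_reqcert = {reqcert}: "
                             "server certificate is not verified"))
        authtok_type = d.get("ldap_default_authtok_type", "password")
        if d.get("ldap_default_authtok") and authtok_type == "password":
            findings.append((name, "info", "cleartext bind password in "
                             "sssd.conf: keep the file readable by root only"))
    return findings
```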
>Release-Note:
>Audit-Trail:

From: Edwin Groothuis <edwin@FreeBSD.org>
To: aweits@rit.edu
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/170502: security/sssd failed to connect Ldap server without SASL
Date: Thu, 9 Aug 2012 20:29:33 UT

 Maintainer of security/sssd,
 
 Please note that PR ports/170502 has just been submitted.
 
 If it contains a patch for an upgrade, an enhancement or a bug fix
 you agree on, reply to this email stating that you approve the patch
 and a committer will take care of it.
 
 The full text of the PR can be found at:
     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/170502
 
 -- 
 Edwin Groothuis via the GNATS Auto Assign Tool
 edwin@FreeBSD.org
State-Changed-From-To: open->feedback 
State-Changed-By: edwin 
State-Changed-When: Thu Aug 9 20:39:23 UTC 2012 
State-Changed-Why:  
Awaiting maintainer's feedback (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=170502 

From: Edwin Groothuis <edwin@FreeBSD.org>
To: aweits@rit.edu
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/170502: security/sssd failed to connect Ldap server without SASL
Date: Thu, 9 Aug 2012 20:39:21 UT

 Maintainer of security/sssd,
 
 Please note that PR ports/170502 has just been submitted.
 
 If it contains a patch for an upgrade, an enhancement or a bug fix
 you agree on, reply to this email stating that you approve the patch
 and a committer will take care of it.
 
 The full text of the PR can be found at:
     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/170502
 
 -- 
 Edwin Groothuis via the GNATS Auto Assign Tool
 edwin@FreeBSD.org
Responsible-Changed-From-To: freebsd-ports-bugs->zi 
Responsible-Changed-By: zi 
Responsible-Changed-When: Sat Sep 8 14:53:10 UTC 2012 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=170502 
State-Changed-From-To: feedback->closed 
State-Changed-By: zi 
State-Changed-When: Mon Oct 28 18:29:55 UTC 2013 
State-Changed-Why:  
Port is at 1.9.5 

http://www.freebsd.org/cgi/query-pr.cgi?pr=170502 
>Unformatted:
