Bug 592441 - SSSD: Failing to Connect to Directory Server - Marking BE offline
Summary: SSSD: Failing to Connect to Directory Server - Marking BE offline
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.0
Hardware: All
OS: Linux
low
high
Target Milestone: rc
Assignee: Stephen Gallagher
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-05-14 20:56 UTC by Jenny Galipeau
Modified: 2015-01-04 23:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-05-18 20:53:15 UTC
Target Upstream Version:



Description Jenny Galipeau 2010-05-14 20:56:52 UTC
Description of problem:
With the latest build for RHEL 6, the Directory Server backend is immediately marked offline - "can't connect to LDAP server" - and never re-connects.

openldap TLS ldapsearches from the client are successful:

ldapsearch -x -ZZ -H ldap://sssdldap.idm.lab.bos.redhat.com:2389 -b uid=user2000,ou=people,dc=bos,dc=redhat,dc=com
# extended LDIF
#
# LDAPv3
# base <uid=user2000,ou=people,dc=bos,dc=redhat,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# user2000, People, bos.redhat.com
dn: uid=user2000,ou=People, dc=bos,dc=redhat,dc=com
givenName: user
sn: 2000
sn: 2009
loginShell: /bin/bash
uidNumber: 2001
gidNumber: 2001
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: user2000
gecos: User 2001
cn: user 2000
homeDirectory: /home/user2001

# search result
search: 3
result: 0 Success


DEBUG:

(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [sdap_connect_send] (4): Executing START TLS
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [sdap_connect_send] (3): ldap_start_tls failed: [Can't contact LDAP server]
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [sdap_handle_release] (8): Trace: sh[0x928fe40], connected[0], ops[(nil)], ldap[0x928f538], destructor_lock[0], release_memory[0]
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [remove_connection_callback] (9): Successfully removed connection callback.
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [fo_set_port_status] (4): Marking port 2389 of server 'sssdldap.idm.lab.bos.redhat.com' as 'not working'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [fo_resolve_service_send] (4): Trying to resolve service 'LDAP'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_server_status] (7): Status of server 'sssdldap.idm.lab.bos.redhat.com' is 'name resolved'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_port_status] (7): Port status of port 2389 for server 'sssdldap.idm.lab.bos.redhat.com' is 'not working'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_server_status] (7): Status of server 'sssdldap.idm.lab.bos.redhat.com' is 'name resolved'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_port_status] (7): Port status of port 2389 for server 'sssdldap.idm.lab.bos.redhat.com' is 'not working'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_server_status] (7): Status of server 'sssdldap.idm.lab.bos.redhat.com' is 'name resolved'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [get_port_status] (7): Port status of port 2389 for server 'sssdldap.idm.lab.bos.redhat.com' is 'not working'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [fo_resolve_service_send] (1): No available servers for service 'LDAP'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [fo_set_port_status] (4): Marking port 2389 of server 'sssdldap.idm.lab.bos.redhat.com' as 'not working'
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [ldap_id_enum_users_done] (9): User enumeration failed with: (5)[Input/output error]
(Fri May 14 16:43:34 2010) [sssd[be[LDAP]]] [be_mark_offline] (8): Going offline!


Also, it would be really helpful if we could get a better debug message than just "[Can't contact LDAP server]", if possible.

Version-Release number of selected component (if applicable):
sssd-1.1.91-10.el6.i686

How reproducible:
Always, with the following configuration:

[sssd]
config_file_version = 2
domains = LOCAL, LDAP
sbus_timeout = 30
services = nss, pam
debug_level = 6

[nss]
filter_groups = root
filter_users = root

[pam]
reconnection_retries = 3

[domain/LDAP]
auth_provider = ldap
cache_credentials = TRUE
enumerate = TRUE
id_provider = ldap
auth_provider = ldap
ldap_group_search_base = ou=Groups,dc=bos,dc=redhat,dc=com
ldap_user_search_base = ou=People,dc=bos,dc=redhat,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/cacert2.asc
ldap_uri = ldap://sssdldap.idm.lab.bos.redhat.com:2389
timeout = 30
debug_level = 99



Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

If I use the same configuration against a directory server instance running on the default standard port 389, everything works fine!

Comment 1 Jenny Galipeau 2010-05-14 20:58:43 UTC
(In reply to comment #0)

Comment 3 Jenny Galipeau 2010-05-18 20:53:15 UTC
Needed to run: semanage port -a -t ldap_port_t -p tcp <custom_port>
Closing not a bug!
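As an added example (not part of this bug report or of sssd), the check behind the resolution in comment 3: a shell function that parses `semanage port -l` output and reports whether a custom LDAP port carries the ldap_port_t label, which a confined sssd needs to connect while an unconfined ldapsearch from a root shell does not. The listing below is a constructed sample, not output captured from the reporter's host.

```shell
# Constructed sample of `semanage port -l` output (assumption: not taken from the
# bug's host). In practice pipe the real listing in: semanage port -l
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

ldap_port_t                    tcp      389, 636, 3268, 3269, 7389
ldap_port_t                    udp      389, 636
unreserved_port_t              tcp      61001-65535
'

# port_has_type LISTING TYPE PROTO PORT
# Exit 0 when PORT falls inside the TYPE/PROTO entry of LISTING; handles both
# comma-separated single ports and "low-high" ranges.
port_has_type() {
    listing=$1; type=$2; proto=$3; port=$4
    printf '%s\n' "$listing" | awk -v t="$type" -v p="$proto" -v n="$port" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)            # strip trailing comma
                if (split(f, r, "-") == 2) {        # range entry
                    if (n >= r[1] + 0 && n <= r[2] + 0) found = 1
                } else if (f + 0 == n + 0) {        # single port
                    found = 1
                }
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# check_ldap_port LISTING PORT
# Explains the symptom seen in this bug (ldapsearch works, sssd goes offline) and
# prints the remediation from comment 3 only when the port is not yet labelled.
check_ldap_port() {
    listing=$1; port=$2
    if port_has_type "$listing" ldap_port_t tcp "$port"; then
        echo "tcp/$port is already ldap_port_t; SELinux is not what blocks sssd here"
        return 0
    fi
    echo "tcp/$port is not ldap_port_t: confined sssd cannot connect, unconfined ldapsearch can"
    echo "fix: semanage port -a -t ldap_port_t -p tcp $port"
    return 1
}

check_ldap_port "$SAMPLE_PORT_LIST" 2389
```

Run the real check with `check_ldap_port "$(semanage port -l)" 2389`; a matching AVC denial for sssd_t in the audit log confirms the same diagnosis.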

