Shane Frasier via FreeIPA-users wrote:
> Hi Flo,
> 
> Thanks for the quick response!  I have been following your helpful 
> instructions, but we are still baffled.  Frankly, I am starting to doubt my 
> sanity :)
> 
> I removed all certificate and certmap data from a contractor's user account, 
> then ran sss_cache -E to clear the cache.  After that I ran ipa certmap-match 
> against his certificate.  Somehow I still got a match with the correct user 
> name (!), and I got the following output from 
> /var/log/sssd/sssd_staging.cool.cyber.dhs.gov.log:
> 
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_method_handler] 
> (0x2000): Received D-Bus method sssd.dataprovider.getAccountInfo on /sssd
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_senders_lookup] 
> (0x2000): Looking for identity of sender [sssd.ifp]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [dp_get_account_info_send] (0x0200): Got request for 
> [0x14][BE_REQ_BY_CERT][cert=<base64_cert_data_redacted>]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_attach_req] 
> (0x0400): DP Request [Account #15631]: New request. Flags [0x0001].
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_attach_req] 
> (0x0400): Number of active DP request: 1
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sss_domain_get_state] (0x1000): Domain staging.cool.cyber.dhs.gov is Active
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sss_domain_get_state] (0x1000): Domain staging.cool.cyber.dhs.gov is Active
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_id_op_connect_step] (0x4000): reusing cached connection
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_search_user_next_base] (0x0400): Searching for users with base 
> [cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_print_server] 
> (0x2000): Searching 10.128.0.4:389
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
> [(&(ipacertmapdata=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland 
> Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. 
> Government,OU=Department of Homeland Security,OU=DHS 
> HQ,OU=People,UID=0123456789.DHS HQ,CN=MAX M MUSTERMANN 
> (affiliate))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov].
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: 
> [ipaNTSecurityIdentifier]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: 
> [krbPasswordExpiration]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: 
> [userCertificate;binary]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail]
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad search 
> filter
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed 
> [1432158246]: Malformed search filter
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_users_done] 
> (0x0040): Failed to retrieve users [1432158246][Malformed search filter].
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_id_op_done] 
> (0x4000): releasing operation connection
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [ipa_id_get_account_info_orig_done] (0x0040): sdap_handle_acct request 
> failed: 1432158246
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_done] 
> (0x0400): DP Request [Account #15631]: Request handler finished [0]: Success
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [_dp_req_recv] 
> (0x0400): DP Request [Account #15631]: Receiving request data.
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_destructor] 
> (0x0400): DP Request [Account #15631]: Request removed.
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_destructor] 
> (0x0400): Number of active DP request: 0
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_reply_std] 
> (0x1000): DP Request [Account #15631]: Returning [Internal Error]: 
> 3,1432158246,Malformed search filter
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] 
> [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo: Success
> (2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_dispatch] 
> (0x4000): Dispatching.
> 
> Are you able to explain what is going on here?  I don't understand how the 
> certificate is still matching if the user has no certificate or certmap data.

I'll bet it's the parenthesis in the subject causing the bad search
filter and failure to work.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
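To see why an unescaped parenthesis in the mapping data would produce exactly the "Bad search filter" / "Malformed search filter" errors in the quoted log, here is a small added example in Python (written for this thread; it is not SSSD or FreeIPA code and does not claim to reproduce SSSD's own filter builder). It constructs a certmap data value shaped like the one in the log, builds the filter once with the value inserted verbatim and once with RFC 4515 escaping applied, and runs both through a minimal filter-syntax checker. The value, the `build_filter` helper and the parser are constructed for illustration; the filter tail is copied from the log.

```python
"""Why a '(' in ipacertmapdata breaks the LDAP filter, and RFC 4515 escaping.

Added illustration for the FreeIPA-users thread above; not SSSD or FreeIPA
code. The certmap value below is a constructed sample shaped like the one in
the quoted sssd log, and the parser is a deliberately small checker for the
RFC 4515 grammar (and/or/not plus attr=value items), not a full LDAP parser.
"""
import re

# Constructed sample: X509:<I>issuer<S>subject, with the "(affiliate)" suffix
# that the log shows inside the CN of the subject.
CERTMAP_DATA = (
    "X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,"
    "OU=Certification Authorities,OU=DHS CA4"
    "<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,"
    "OU=People,UID=0123456789.DHS HQ,CN=MAX M MUSTERMANN (affiliate)"
)

# Remainder of the filter as it appears in the quoted log.
POSIX_TAIL = "(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0)))"

# RFC 4515 section 3: these characters must be sent as \XX hex escapes.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(certmap_data: str, escape: bool) -> str:
    """Assemble the (&(ipacertmapdata=...)...) filter, escaped or verbatim."""
    value = escape_filter_value(certmap_data) if escape else certmap_data
    return f"(&(ipacertmapdata={value}){POSIX_TAIL})"


class FilterSyntaxError(ValueError):
    pass


# An assertion value may contain anything except an unescaped '(' ')' '\' or
# NUL; a backslash is only legal as a two-hex-digit escape.
_VALUE_RE = re.compile(r"(?:[^()\\\x00]|\\[0-9A-Fa-f]{2})*")


def _parse(text: str, pos: int) -> int:
    """Parse one filter starting at text[pos]; return the offset after it."""
    if pos >= len(text) or text[pos] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise FilterSyntaxError("unexpected end of filter")
    op = text[pos]
    if op in "&|":                      # and / or: one or more sub-filters
        pos += 1
        count = 0
        while pos < len(text) and text[pos] == "(":
            pos = _parse(text, pos)
            count += 1
        if count == 0:
            raise FilterSyntaxError(f"'{op}' without sub-filters at offset {pos}")
    elif op == "!":                     # not: exactly one sub-filter
        pos = _parse(text, pos + 1)
    else:                               # simple item: attr=value
        eq = text.find("=", pos)
        if eq <= pos or "(" in text[pos:eq] or ")" in text[pos:eq]:
            raise FilterSyntaxError(f"bad attribute description at offset {pos}")
        pos = _VALUE_RE.match(text, eq + 1).end()
    if pos >= len(text) or text[pos] != ")":
        # This is where an unescaped '(' in the value lands us: the value
        # regex stops at it, and the next character is not the closing ')'.
        raise FilterSyntaxError(f"expected ')' at offset {pos}")
    return pos + 1


def parse_filter(text: str) -> bool:
    """Return True if text is a well-formed filter, else raise FilterSyntaxError."""
    end = _parse(text, 0)
    if end != len(text):
        raise FilterSyntaxError(f"trailing data at offset {end}")
    return True


def check_filter(text: str):
    """Return (ok, message) so the failure offset can be shown to the reader."""
    try:
        parse_filter(text)
        return True, "well-formed"
    except FilterSyntaxError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for escape in (False, True):
        flt = build_filter(CERTMAP_DATA, escape=escape)
        ok, msg = check_filter(flt)
        print(f"escaped={escape}: {msg}")
        print("  " + flt[:60] + " ...")
```

With `escape=False` the checker stops at the `(` of `(affiliate)`, which is the same failure the directory reports as a bad search filter; with `escape=True` the CN becomes `CN=MAX M MUSTERMANN \28affiliate\29` and the whole filter parses. The escaped string is also what you would hand to `ldapsearch` if you want to confirm against the server that the mapping data is the only thing the directory objects to.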
