Hi.

> Is there any way to disable these queries, or is it mandatory for the
> OpenLDAP server to allow anonymous access?

No, currently there is no way to disable this.

I'll quote what Sumit wrote in one of the relevant tickets on this topic:
```
SSSD is currently reading the rootDSE anonymously because our understanding
of the related RFCs was that it is recommended to allow reading the rootDSE
anonymously. This makes sense because the rootDSE will e.g. contain
information about which authentication methods are supported. Nevertheless
the given cases show that reality is different. If the rootDSE cannot be
read SSSD will do best effort assumptions about what the LDAP server might
support and what not so that often this information given by the rootDSE is
not strictly required.

My suggestion to fix this ticket ... would be to add a new option, e.g.
`ldap_read_rootdse` with the values `anonymous` (default as it is the
current behavior), `never` and `authenticated`.
```
On Sun, Feb 2, 2025 at 12:34 AM Rodrigo Prieto via sssd-users <[email protected]> wrote:

> Hello, I have an OpenLDAP server with anonymous access disabled. When I
> check the SSSD logs, I see that it makes an anonymous query for certain
> attributes, resulting in the following error:
>
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_op_destructor] (0x2000): Operation 1 finished
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_get_rootdse_send] (0x4000): Getting rootdse
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl]
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension]
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures]
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion]
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms]
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality]
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext]
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN]
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 2
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_op_add] (0x2000): New operation 2 timeout 6
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_process_result] (0x2000): Trace: sh[0x5562b7500710], connected[1], ops[0x5562b7494520], ldap[0x5562b74feb80]
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_process_result] (0x2000): Trace: sh[0x5562b7500710], connected[1], ops[0x5562b7494520], ldap[0x5562b74feb80]
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_process_result] (0x2000): Trace: sh[0x5562b7500710], connected[1], ops[0x5562b7494520], ldap[0x5562b74feb80]
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_process_result] (0x2000): Trace: sh[0x5562b7500710], connected[1], ops[0x5562b7494520], ldap[0x5562b74feb80]
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_get_generic_op_finished] (0x0400): Search result: Server is unwilling to perform(53), authentication required
>    *  (2025-02-01  5:45:50): [be[LDAP]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Server is unwilling to perform(53), authentication required
>
> If I enable anonymous access, this error does not appear. In my sssd.conf
> configuration, I am using binddn and password.
>
> Is there any way to disable these queries, or is it mandatory for the
> OpenLDAP server to allow anonymous access?
>
> Best regards.
> --
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
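An added example, not code from SSSD, OpenLDAP or either poster: the rootDSE search that the log above shows SSSD issuing (`ldap_search_ext` on base `""` with filter `(objectclass=*)`, the listed attributes and msgid 2), hand-encoded as the LDAPv3 PDU defined in RFC 4511, together with the SearchResultDone that comes back, decoded into the `unwillingToPerform(53)` / `authentication required` the log reports. The server side is a stub written here only to reproduce that answer for an anonymous connection and a success once a bind DN is present; it is an assumption that `olcRequires: authc` is the OpenLDAP setting behind the real server's reply, and the bind DN in the usage call is hypothetical.

```python
"""Constructed example: the wire form of SSSD's anonymous rootDSE search and of
the refusal an OpenLDAP server that requires authentication sends back.
Minimal BER, enough for an LDAPv3 SearchRequest / SearchResultDone (RFC 4511)."""
from typing import List, Optional

# --- BER primitives -----------------------------------------------------------

def ber_len(n: int) -> bytes:
    """Definite length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ber_uint(n: int) -> bytes:
    """Minimal two's-complement body for a non-negative INTEGER / ENUMERATED."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED, BOOLEAN = 0x30, 0x02, 0x04, 0x0A, 0x01
APP_SEARCH_REQUEST, APP_SEARCH_RESULT_DONE = 0x63, 0x65   # [APPLICATION 3] / [APPLICATION 5]
CTX_FILTER_PRESENT = 0x87                                  # Filter ::= present [7]
LDAP_SUCCESS, LDAP_UNWILLING_TO_PERFORM = 0, 53
SCOPE_BASE = 0

# The attribute list from the "Requesting attrs" lines in the log above.
ROOTDSE_ATTRS = ["*", "altServer", "namingContexts", "supportedControl",
                 "supportedExtension", "supportedFeatures", "supportedLDAPVersion",
                 "supportedSASLMechanisms", "domainControllerFunctionality",
                 "defaultNamingContext", "lastUSN", "highestCommittedUSN"]

# --- encoding -----------------------------------------------------------------

def search_request(msgid: int, base: str, attrs: List[str], scope: int = SCOPE_BASE) -> bytes:
    """LDAPMessage { messageID, SearchRequest } with a present filter (attr=*)."""
    op = (tlv(OCTET_STRING, base.encode())            # baseObject; "" is the rootDSE
          + tlv(ENUMERATED, ber_uint(scope))          # scope (baseObject = 0)
          + tlv(ENUMERATED, ber_uint(0))              # derefAliases: neverDerefAliases
          + tlv(INTEGER, ber_uint(0))                 # sizeLimit: none
          + tlv(INTEGER, ber_uint(0))                 # timeLimit: none
          + tlv(BOOLEAN, b"\x00")                     # typesOnly: FALSE
          + tlv(CTX_FILTER_PRESENT, b"objectclass")   # (objectclass=*)
          + tlv(SEQUENCE, b"".join(tlv(OCTET_STRING, a.encode()) for a in attrs)))
    return tlv(SEQUENCE, tlv(INTEGER, ber_uint(msgid)) + tlv(APP_SEARCH_REQUEST, op))

def search_result_done(msgid: int, code: int, diag: str) -> bytes:
    """LDAPMessage { messageID, SearchResultDone { resultCode, matchedDN, diagnosticMessage } }."""
    op = tlv(ENUMERATED, ber_uint(code)) + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, diag.encode())
    return tlv(SEQUENCE, tlv(INTEGER, ber_uint(msgid)) + tlv(APP_SEARCH_RESULT_DONE, op))

# --- decoding -----------------------------------------------------------------

def parse_tlv(buf: bytes, pos: int = 0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_seq(value: bytes):
    items, pos = [], 0
    while pos < len(value):
        tag, v, pos = parse_tlv(value, pos)
        items.append((tag, v))
    return items

def decode_message(msg: bytes):
    """Return (messageID, protocolOp tag, the (tag, value) fields inside the op)."""
    tag, body, end = parse_tlv(msg)
    if tag != SEQUENCE or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    (_, mid), (optag, opv) = parse_seq(body)[:2]
    return int.from_bytes(mid, "big"), optag, parse_seq(opv)

def decode_search_request(msg: bytes) -> dict:
    msgid, optag, fields = decode_message(msg)
    if optag != APP_SEARCH_REQUEST:
        raise ValueError("not a SearchRequest")
    base, scope, _deref, _size, _time, _types, filt, attrs = fields
    return {"msgid": msgid, "base": base[1].decode(), "scope": scope[1][0],
            "filter": "(%s=*)" % filt[1].decode() if filt[0] == CTX_FILTER_PRESENT else "?",
            "attrs": [v.decode() for _, v in parse_seq(attrs[1])]}

def decode_result(msg: bytes) -> dict:
    msgid, optag, fields = decode_message(msg)
    if optag != APP_SEARCH_RESULT_DONE:
        raise ValueError("not a SearchResultDone")
    code, matched, diag = fields[:3]
    return {"msgid": msgid, "resultCode": int.from_bytes(code[1], "big"),
            "matchedDN": matched[1].decode(), "diagnosticMessage": diag[1].decode()}

# --- stub server --------------------------------------------------------------

def stub_slapd(request: bytes, bound_dn: Optional[str]) -> bytes:
    """Stand-in for a server that refuses anonymous operations (assumed to be
    OpenLDAP with olcRequires: authc).  Not OpenLDAP code: it only reproduces the
    53 / "authentication required" answer seen in the log, and success once bound."""
    req = decode_search_request(request)
    if bound_dn is None:
        return search_result_done(req["msgid"], LDAP_UNWILLING_TO_PERFORM, "authentication required")
    return search_result_done(req["msgid"], LDAP_SUCCESS, "")

def rootdse_probe(bound_dn: Optional[str], msgid: int = 2) -> dict:
    """Send the same rootDSE search SSSD does (base "", scope base) and decode the reply."""
    return decode_result(stub_slapd(search_request(msgid, "", ROOTDSE_ATTRS), bound_dn))

if __name__ == "__main__":
    print(decode_search_request(search_request(2, "", ROOTDSE_ATTRS)))
    print(rootdse_probe(None))                                  # the failure in the log
    print(rootdse_probe("cn=sssd,ou=svc,dc=example,dc=org"))  # hypothetical bind DN
```

The anonymous probe is what `ldap_read_rootdse` would have to stop issuing; the same request against a real server is `ldapsearch -x -H ldaps://<host> -b '' -s base '(objectclass=*)' '*' '+'` with no `-D`, and a server that refuses it exits with the same result code 53. Because the attribute list alone is over 200 bytes, the encoder exercises the long-form BER length that a parser for these PDUs must handle.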