Bug ID 1208452
Summary SSSD configured with ldap cannot disable sudoers lookup
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.4
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter opensuse@1.opensuse.bgcomp.co.uk
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Using sssd with a 389DS/ldap backend.

389DS/ldap is configured to reject anonymous connections

Configured sssd.conf with "sudo_provider = none".

sssd works as expected handling ldap authentication etc.

Have also configured /etc/nsswitch.conf with "sudoers: files" as per the man
page.

Regardless though, sssd_be continues to attempt anonymous connections to the
ldap server every few minutes, which means that the logs are filling up with garbage.

Trying the exact same configuration with a tumbleweed client, we do not
see any anonymous sudo lookup attempts.


Versions:
sssd-2.5.2-150400.4.11.1.x86_64
sssd-common-2.5.2-150400.4.11.1.x86_64
sssd-dbus-2.5.2-150400.4.11.1.x86_64
sssd-kcm-2.5.2-150400.4.11.1.x86_64
sssd-krb5-2.5.2-150400.4.11.1.x86_64
sssd-krb5-common-2.5.2-150400.4.11.1.x86_64
sssd-ldap-2.5.2-150400.4.11.1.x86_64
sssd-tools-2.5.2-150400.4.11.1.x86_64


eth6:~ # systemctl status sssd
● sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor
preset: disabled)
     Active: active (running) since Sat 2023-02-18 15:06:36 GMT; 31min ago
   Main PID: 14005 (sssd)
      Tasks: 6 (limit: 4915)
     CGroup: /system.slice/sssd.service
             ├─14005 /usr/sbin/sssd -i --logger=files
             ├─14006 /usr/lib/sssd/sssd_be --domain bgcomp.co.uk --uid 0 --gid
0 --logger=files
             ├─14007 /usr/lib/sssd/sssd_nss --uid 0 --gid 0 --logger=files
             ├─14008 /usr/lib/sssd/sssd_pam --uid 0 --gid 0 --logger=files
             ├─14009 /usr/lib/sssd/sssd_ssh --uid 0 --gid 0 --logger=files
             └─14010 /usr/lib/sssd/sssd_autofs --uid 0 --gid 0 --logger=files
Feb 18 15:06:36 eth6 systemd[1]: Starting System Security Services Daemon...
Feb 18 15:06:36 eth6 sssd[14005]: Starting up
Feb 18 15:06:36 eth6 sssd_be[14006]: Starting up
Feb 18 15:06:36 eth6 sssd_pam[14008]: Starting up
Feb 18 15:06:36 eth6 sssd_autofs[14010]: Starting up
Feb 18 15:06:36 eth6 sssd_nss[14007]: Starting up
Feb 18 15:06:36 eth6 sssd_ssh[14009]: Starting up
Feb 18 15:06:36 eth6 systemd[1]: Started System Security Services Daemon.
Feb 18 15:08:49 eth6 sssd_be[14006]: Backend is online


Typical... timestamps do not matter, with anonymous connections allowed...
[17/Feb/2023:11:49:22.640010889 +0000] conn=6 fd=65 slot=65 SSL connection from
2001:XXXX:XX:6::fd to 2001:XXXX:XX:6::fd
[17/Feb/2023:11:49:22.656292467 +0000] conn=6 TLS1.2 128-bit AES-GCM
[17/Feb/2023:11:49:22.656444285 +0000] conn=6 op=0 SRCH base="" scope=0
filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl
supportedExtension supportedFeatures supportedLDAPVersion
supportedSASLMechanisms domaincontrollerfuncti
onality defaultnamingcontext lastusn highestcommittedusn aci"
[17/Feb/2023:11:49:22.657051142 +0000] conn=6 op=0 RESULT err=0 tag=101
nentries=1 wtime=0.016220939 optime=0.000609257 etime=0.016829074
[17/Feb/2023:11:49:22.657703691 +0000] conn=6 op=1 SRCH
base="dc=example,dc=co,dc=uk" scope=2
filter="(&(objectClass=sudoRole)(|(&(!(sudoHost=*))(cn=defaults))(sudoHost=ALL)(sudoHost=eth6)(sudoHost=host.example.bgcomp.co.uk)(sudoHost=10.0.0.1)(sudoHost=10.0.0.0/24)(sudoHost=10.0.0.2)(sudoHost=10.0.0.0/24)(sudoHost=2001:XXXX:XX:6::fd)(sudoHost=2001:XXXX:XX:6::/64)(sudoHost=fe80::XXXX:XXXX:XXXX:XXXX)(sudoHost=fe80::/64)(sudoHost=2001:XXXX:XXXX:9::fd)(sudoHost=2001:XXXX:XX:9::/64)(sudoHost=2001:XXXX:XX:f0ad::fd)(sudoHost=2001:XXXX:XXXX:f0ad::/64)(sudoHost=fe80::XXXX)(sudoHost=fe80::/64)(sudoH..."
attrs="objectClass objectClass cn sudoCommand sudoHost sudoUser sudoOption
sudoRunAs sudoRunAsUser sudoRunAsGroup sudoNotBefore sudoNotAfter sudoOrder
modifyTimestamp"
[17/Feb/2023:11:49:22.657859857 +0000] conn=6 op=1 RESULT err=0 tag=101
nentries=0 wtime=0.000109246 optime=0.000146980 etime=0.000254724 notes=P
details="Paged Search" pr_idx=0 pr_cookie=-1
[17/Feb/2023:11:49:24.006504472 +0000] conn=4 op=2 UNBIND
[17/Feb/2023:11:49:24.006522045 +0000] conn=4 op=2 fd=66 closed error - U1


Typical... timestamps do not matter, with anonymous connections rejected...
[18/Feb/2023:15:46:39.186981182 +0000] conn=425 fd=65 slot=65 SSL connection
from 2001:XXXX:XXXX:6::fd to 2001:XXXX:XXXX:6::fd
[18/Feb/2023:15:46:39.214496081 +0000] conn=425 TLS1.2 128-bit AES-GCM
[18/Feb/2023:15:46:39.223371696 +0000] conn=425 op=0 UNPROCESSED OPERATION -
Anonymous access not allowed
[18/Feb/2023:15:46:39.232238473 +0000] conn=425 op=0 RESULT err=48 tag=101
nentries=0 wtime=0.027612313 optime=0.008867303 etime=0.036473744
[18/Feb/2023:15:46:39.232501278 +0000] conn=425 op=1 UNPROCESSED OPERATION -
Anonymous access not allowed
[18/Feb/2023:15:46:39.249763372 +0000] conn=425 op=1 RESULT err=48 tag=101
nentries=0 wtime=0.000047701 optime=0.017259941 etime=0.017302107
[18/Feb/2023:15:46:39.249980031 +0000] conn=425 op=2 UNBIND
[18/Feb/2023:15:46:39.267415523 +0000] conn=425 op=2 fd=65 closed error - U1

Does not matter if client is local or remote to the 389DS/ldap server.
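Added example (not part of the bug report or of sssd/389DS): a small checker that reads 389DS access-log lines of the shape quoted above, groups them per connection, and flags connections that either searched for sudoRole entries without ever binding (the "anonymous allowed" case) or were refused with err=48 "Anonymous access not allowed" (the "anonymous rejected" case). The log lines, connection numbers and DNs in SAMPLE_LOG are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the 389DS access-log excerpts in the report:
# conn=6   anonymous sudoRole search accepted, conn=425 refused with err=48,
# conn=426 a properly bound service account doing the same search.
SAMPLE_LOG = """\
[17/Feb/2023:11:49:22.640010889 +0000] conn=6 fd=65 slot=65 SSL connection from 2001:db8::fd to 2001:db8::fd
[17/Feb/2023:11:49:22.657703691 +0000] conn=6 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=sudoRole)(sudoHost=ALL))" attrs="cn sudoHost"
[17/Feb/2023:11:49:22.657859857 +0000] conn=6 op=1 RESULT err=0 tag=101 nentries=0 etime=0.000254724 notes=P
[17/Feb/2023:11:49:24.006504472 +0000] conn=6 op=2 UNBIND
[18/Feb/2023:15:46:39.223371696 +0000] conn=425 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
[18/Feb/2023:15:46:39.232238473 +0000] conn=425 op=0 RESULT err=48 tag=101 nentries=0 etime=0.036473744
[18/Feb/2023:15:46:39.232501278 +0000] conn=425 op=1 UNPROCESSED OPERATION - Anonymous access not allowed
[18/Feb/2023:15:46:39.249763372 +0000] conn=425 op=1 RESULT err=48 tag=101 nentries=0 etime=0.017302107
[18/Feb/2023:15:47:01.100000000 +0000] conn=426 op=0 BIND dn="uid=sssd,ou=svc,dc=example,dc=com" method=128 version=3
[18/Feb/2023:15:47:01.300000000 +0000] conn=426 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=sudoRole)(sudoHost=ALL))" attrs="cn sudoHost"
[18/Feb/2023:15:47:01.400000000 +0000] conn=426 op=1 RESULT err=0 tag=101 nentries=0 etime=0.001
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r' BIND dn="(?P<dn>[^"]*)"')   # dn="" would be an anonymous bind


def analyse(log_text):
    """Group access-log lines by connection number and record, per connection,
    whether a non-anonymous BIND happened, whether a sudoRole SRCH was issued,
    and how many operations were refused with err=48 (inappropriateAuthentication)."""
    conns = defaultdict(lambda: {"bound": False, "sudo_search": False, "err48": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # not a per-connection line; skip it
            continue
        state = conns[int(m.group("conn"))]
        rest = m.group("rest")
        bind = BIND_RE.search(rest)
        if bind and bind.group("dn"):  # a bind with a real DN, not dn=""
            state["bound"] = True
        if " SRCH " in rest and "objectClass=sudoRole" in rest:
            state["sudo_search"] = True
        if "RESULT err=48" in rest:
            state["err48"] += 1
    return conns


def anonymous_sudo_lookups(log_text):
    """Connection numbers that looked up sudoRole entries anonymously, or that
    were refused outright because the server rejects anonymous access."""
    return sorted(c for c, s in analyse(log_text).items()
                  if (s["sudo_search"] and not s["bound"]) or s["err48"] > 0)
```

Run over a real access log, the count of flagged connections per hour gives a direct measure of the noise the reporter describes, and the conn=426 pattern (bound, then sudoRole search) is what a working "sudo_provider = ldap" setup looks like by contrast.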