SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

SSSD limits the name of the domain that can be used #7246

Open liorsu opened 6 months ago

liorsu commented 6 months ago

The limit is due to the unix domain socket path that is being used by the sssd_be process.

The unix domain socket that is chosen is derived from the domain name in the sssd.conf.

Example configuration used for sssd.conf:

```ini
[sssd]
domains = supercalifragilisticexpialidocious.musical.mary-poppins.completely-magical-experience.com
services = nss
debug_level = 9

[domain/supercalifragilisticexpialidocious.musical.mary-poppins.completely-magical-experience.com]
ldap_referrals = false
cache_credentials = false
enumerate = false
id_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_group_object_class = group
krb5_realm = SUPERCALIFRAGILISTICEXPIALIDOCIOUS.MUSICAL.MARY-POPPINS.COMPLETELY-MAGICAL-EXPERIENCE.COM
ldap_id_mapping = false
use_fully_qualified_names = False
krb5_canonicalize = false
```

The sbus unix domain socket path is: /var/lib/sssd/pipes/private/sbus-dp_<domain-name>.<pid>

While unix domain socket paths are limited to 108 characters: https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/un.h#L7

The fact that the pid is also part of it makes it unstable with certain domain lengths, depending on the length of the current pid.

It would have been nice if the unix domain socket would've been derived from something else that wouldn't limit the length of the domain that is used.

A short conversation from the #sssd chat with @abbra regarding the issue:

<liorsu> I'm running through an issue with configuring sssd while using ldap with a long domain name
<liorsu> I see that the /usr/libexec/sssd/sssd_be process is trying to bind to a unix domain socket that contains the domain name and when the domain name is too long it fails to do that
<liorsu> Is that a known issue around that or there's some configuration to work around that?
<ab> liorsu: it is a known problem on Linux as UNIX domain socket path cannot be longer than 108 characters. So the limit is implied.
<liorsu> @ab I understand the limit from the linux side, though it seems to be a limitation from the sssd implementation choosing to use the unix domain socket which directly derived from the used domain name
<liorsu> There could be an option in the configuration to choose the unix domain name socket path and then not to be limited by the domain name length
<liorsu> Any reason that's not the chosen implementation in sssd?
<ab> nobody needed that, probably. You are welcome to contribute.
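The length arithmetic behind the report, as an added example that is not part of the issue or of SSSD's code. The directory and the `sbus-dp_<domain>.<pid>` pattern are taken from the issue; the 107-byte usable length (one byte of the 108-byte `sun_path` kept for the NUL terminator) and the 7-digit `pid_max` of 4194304 are assumptions. The `classify` function makes the "depends on the pid" instability concrete: a 64-character domain fits with a 1-digit pid and fails with a 7-digit one, so the same configuration can work on one restart and fail on the next.

```python
"""Added example (not SSSD code): does the sbus-dp socket path for a domain fit sun_path?"""
import os

# Linux: struct sockaddr_un.sun_path is char[108] (include/uapi/linux/un.h, UNIX_PATH_MAX).
UNIX_PATH_MAX = 108
# Assumption: keep one byte for the NUL terminator, so 107 usable bytes is the
# conservative bound a userspace caller should respect.
MAX_USABLE = UNIX_PATH_MAX - 1

# Directory and naming pattern exactly as described in the issue.
PIPE_DIR = "/var/lib/sssd/pipes/private"
PREFIX = "sbus-dp_"

# Assumption: the widest pid a 64-bit Linux kernel hands out is 4194304 (7 digits);
# the live value is in /proc/sys/kernel/pid_max when it is readable.
DEFAULT_PID_MAX = 4194304


def read_pid_max(default: int = DEFAULT_PID_MAX) -> int:
    """Return the kernel's pid_max, or the assumed default when it cannot be read."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def sbus_dp_path(domain: str, pid: int) -> str:
    """Socket path SSSD derives from the domain name: sbus-dp_<domain>.<pid>."""
    return os.path.join(PIPE_DIR, f"{PREFIX}{domain}.{pid}")


def fits_sun_path(path: str) -> bool:
    """True if the path (as UTF-8 bytes) fits sun_path with room for the NUL."""
    return len(path.encode("utf-8")) <= MAX_USABLE


def max_domain_len(pid_digits: int) -> int:
    """Longest domain name that still fits when the pid has `pid_digits` digits."""
    overhead = len(PIPE_DIR) + 1 + len(PREFIX) + 1 + pid_digits  # '/' and '.' separators
    return MAX_USABLE - overhead


def classify(domain: str, pid_max: int = DEFAULT_PID_MAX) -> str:
    """'always' fits, 'never' fits, or 'depends on pid' (fits only for short pids).

    The last case is the instability the issue describes: the same configuration
    works after one restart and fails after the next, depending on the pid width.
    """
    if fits_sun_path(sbus_dp_path(domain, pid_max)):   # widest possible pid
        return "always"
    if not fits_sun_path(sbus_dp_path(domain, 1)):     # narrowest possible pid
        return "never"
    return "depends on pid"


# The domain from the issue's sssd.conf (89 characters).
EXAMPLE_DOMAIN = (
    "supercalifragilisticexpialidocious.musical.mary-poppins."
    "completely-magical-experience.com"
)

if __name__ == "__main__":
    pid_max = read_pid_max()
    safe_len = max_domain_len(len(str(pid_max)))
    for d in (EXAMPLE_DOMAIN, "x" * safe_len, "y" * (safe_len + 1)):
        path_len = len(sbus_dp_path(d, pid_max))
        print(f"{len(d):3d}-char domain: {classify(d, pid_max):14s} "
              f"(path length with pid {pid_max}: {path_len})")
```

Run stand-alone it prints the verdict for the issue's domain and for the longest domain that is pid-independent on the current host. With the assumed 7-digit pid_max the fixed overhead is 44 bytes, so only domains of 63 characters or fewer are safe on every restart; the issue's 89-character domain never fits, whatever the pid.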
sumit-bose commented 6 months ago

Hi,

to avoid an additional option we can also take a hash value of the domain name, e.g. sha256 or any other message digest function, as long as the output is not too long.

bye, Sumit

liorsu commented 6 months ago

SGTM. Though we may not want to use the full hex digest, depending on its length (for example, sha256 would mean 64 characters, which may be too long).
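The digest-based naming Sumit suggests, with the truncation Lior raises, as an added example that is neither SSSD code nor a proposed patch. The directory and `sbus-dp_` prefix are as described in the issue; the 107-byte usable length and 7-digit pid are the same assumptions as above. It shows how much of a SHA-256 hex digest can be kept for the widest pid (63 characters, so the full 64-character digest is indeed one byte too long once the pid reaches 7 digits), and adds the check a practitioner would want once names are truncated: two configured domains must not map to the same socket path.

```python
"""Added example (not SSSD code): derive the sbus-dp socket name from a digest of the domain."""
import hashlib
import os

UNIX_PATH_MAX = 108               # sizeof(sun_path) on Linux
MAX_USABLE = UNIX_PATH_MAX - 1    # assumption: one byte reserved for the NUL terminator
PIPE_DIR = "/var/lib/sssd/pipes/private"   # directory named in the issue
PREFIX = "sbus-dp_"
PID_MAX_DIGITS = 7                # assumption: pid_max of 4194304 on 64-bit Linux


def hashed_socket_name(domain: str, hex_chars: int = 16) -> str:
    """Truncated SHA-256 hex digest of the domain string exactly as configured.

    No case folding or other normalisation is applied: whatever appears in
    sssd.conf is what gets hashed.
    """
    return hashlib.sha256(domain.encode("utf-8")).hexdigest()[:hex_chars]


def hashed_sbus_dp_path(domain: str, pid: int, hex_chars: int = 16) -> str:
    """Fixed-length replacement for sbus-dp_<domain>.<pid>."""
    return os.path.join(PIPE_DIR, f"{PREFIX}{hashed_socket_name(domain, hex_chars)}.{pid}")


def fits_sun_path(path: str) -> bool:
    return len(path.encode("utf-8")) <= MAX_USABLE


def max_hex_chars(pid_digits: int = PID_MAX_DIGITS) -> int:
    """How many digest characters can be kept and still fit for the widest pid."""
    overhead = len(PIPE_DIR) + 1 + len(PREFIX) + 1 + pid_digits  # '/' and '.' separators
    return MAX_USABLE - overhead


def find_collisions(domains, hex_chars: int = 16):
    """Pairs of configured domains whose truncated digests coincide.

    Truncation makes a collision possible in principle. With 16 hex chars (64 bits)
    and a handful of domains the probability is negligible, but the check is cheap,
    so do it at startup rather than let two backends fight over one socket path.
    """
    seen = {}          # truncated name -> first domain that produced it
    collisions = []
    for d in domains:
        name = hashed_socket_name(d, hex_chars)
        if name in seen and seen[name] != d:
            collisions.append((seen[name], d))
        seen.setdefault(name, d)
    return collisions


# The domain from the issue's sssd.conf (89 characters), plus a constructed second
# domain to exercise the collision check.
EXAMPLE_DOMAIN = (
    "supercalifragilisticexpialidocious.musical.mary-poppins."
    "completely-magical-experience.com"
)
OTHER_DOMAIN = "example.test"   # constructed for this example

if __name__ == "__main__":
    pid = 4194304
    print("digest chars that fit with a 7-digit pid:", max_hex_chars(7))
    for n in (16, 64):
        p = hashed_sbus_dp_path(EXAMPLE_DOMAIN, pid, n)
        print(f"{n:2d} hex chars -> {len(p):3d} bytes, fits={fits_sun_path(p)}: {p}")
    print("collisions:", find_collisions([EXAMPLE_DOMAIN, OTHER_DOMAIN], 16))
```

Two things are worth keeping in mind if this approach is adopted: the socket name no longer tells an operator which domain it belongs to, so the domain-to-name mapping should be logged at startup, and the name is a function of the exact configured string, so renaming a domain section moves its socket.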