Full_Name: Dominique Voest
Version: 2.4.40
OS: Debian, CentOS, BSDs
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (195.37.70.39)
Hi everyone,
I installed a new OpenLDAP server (Debian Jessie, OpenLDAP version 2.4.40) which is used to proxy parts of the Active Directory.
However, from time to time it is not able to get entries from the Active Directory (it does not answer queries but returns success).
What I see in the logs is the following:
Jun 10 11:37:38 openldap-proxy slapd[41657]: conn=1166 op=1 ldap_back_retry: retrying URI="ldaps://dc.ourdomain.com" DN="cn=ldap-binder,ou=serviceaccounts,dc= ourdomain,dc=com"
Jun 10 11:37:38 openldap-proxy slapd[41657]: Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
First of all, the URI is correct and the system works well most of the time (except for this error); those errors only happen from time to time.
The strange thing is that this new LDAP server is running with exactly the same configuration as another OpenLDAP server which has been running for over 2 years now,
and the old OpenLDAP server (Debian Wheezy, OpenLDAP version 2.4.31) also shows the first log entry from time to time (the ldap_back_retry one),
but does not show the ldap_back_is_proxy_authz error afterwards. Furthermore, it also always returns the right answer.
For debugging, I tried capturing with Wireshark on the Domain Controller and with tcpdump on the LDAP server and the client.
The traffic looks okay; in the case of that error the OpenLDAP server simply asks the Domain Controller, which returns success but no results.
Since, once this error occurs, the query right after it works and it then takes some time until the error occurs again, and since it works in the older OpenLDAP version, could it be a bug in the new OpenLDAP version?
I also looked in the logs of the Domain Controller; everything is fine there.
Furthermore, I installed test OpenLDAP systems (CentOS [yum], OpenBSD [pkg], and one compiled from source with a minimal module configuration), all 2.4.40, and tried the same configuration there; same problem.
While googling and searching for a solution I came across someone with the same problem, who reported it to this mailing list in 2013.
Someone suggested adding the Active Directory schema to the OpenLDAP server, which I did and which did not solve this issue.
I tried adding the full schema as well as adding only the attributes and object classes that are used. The problem still persists.
After looking into the code of bind.c and the commits in the back-ldap module, I saw a change of the code lines in servers/slapd/back-ldap/bind.c (around line 1407):
rc = ldap_back_is_proxy_authz( op, rs, LDAP_BACK_DONTSEND, &binddn, &bindcred ); - assert( rc == 1 ); + if ( rc != 1 ) { + Debug( LDAP_DEBUG_ANY, "Error: ldap_back_is_proxy_authz " + "returned %d, misconfigured URI?\n", rc, 0, 0 ); + rs->sr_err = LDAP_OTHER; + rs->sr_text = "misconfigured URI?"; + LDAP_BACK_CONN_ISBOUND_CLEAR( lc ); + if ( sendok & LDAP_BACK_SENDERR ) { + send_ldap_result( op, rs %;%B + } + goto done; + } } rc = ldap_back_proxy_authz_bind( lc, op, rs, sendok, &binddn, &bindcred ); goto done;
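Review bot: the new `if ( rc != 1 )` branch jumps to `done` without ever reaching `ldap_back_proxy_authz_bind`, yet it reports the failure to the client only when `sendok & LDAP_BACK_SENDERR` is set; for a caller that passes LDAP_BACK_DONTSEND (as this very hunk does when calling `ldap_back_is_proxy_authz`) the outcome is one log line, `rs->sr_err = LDAP_OTHER` left in a reply that may never be sent, and a connection with ISBOUND cleared, which would fit the "returns success but no entries" behaviour described in the report. The caller must be able to see this outcome: return a distinct error from this path so that `ldap_back_retry` and the search path can fail the operation, or keep the bind attempt and let `ldap_back_proxy_authz_bind` report. The text "misconfigured URI?" is also a guess, since nothing in the hunk inspects the URI; the Debug message and `rs->sr_text` should name the condition actually detected (proxy authorization not applicable for this operation) rather than send the operator to check the URI. Finally, the removed `assert( rc == 1 )` documented an invariant; if a return value other than 1 is now an expected runtime outcome, a comment should say under which conditions it occurs.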
Diff: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blobdiff;f=servers...
Is it intended that there is a goto done here, which obviously prevents ldap_back_proxy_authz_bind from being called? In older versions of OpenLDAP it works.
Best Regards,
Dominique Voest
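The failure mode reported above is hard to notice from the client side, because the proxy answers with success and an empty result set. An operator who wants to catch it has to watch the slapd log for the `ldap_back_retry` line followed by the `ldap_back_is_proxy_authz returned 0` line. The following log watcher is an added example, not part of the report or of OpenLDAP; it parses the two message formats shown in the report and pairs them. It assumes syslog-style lines (`Mon DD HH:MM:SS host slapd[pid]: ...`), and, because the proxy_authz error line carries no conn/op, it attributes that error to the immediately preceding `ldap_back_retry` from the same slapd PID and treats an error without such a predecessor as an orphan. The sample log lines embedded below are constructed for the example, modelled on the two lines in the report.

```python
import re

# Common syslog prefix as in the report's log lines (assumption: default
# slapd syslog format "Mon DD HH:MM:SS host slapd[pid]: ...").
PREFIX = (r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
          r'slapd\[(?P<pid>\d+)\]: ')
PREFIX_RE = re.compile(PREFIX)
RETRY_RE = re.compile(
    PREFIX + r'conn=(?P<conn>\d+) op=(?P<op>\d+) ldap_back_retry: retrying '
    r'URI="(?P<uri>[^"]*)" DN="(?P<dn>[^"]*)"\s*$')
AUTHZ_RE = re.compile(
    PREFIX + r'Error: ldap_back_is_proxy_authz returned (?P<rc>-?\d+), '
    r'misconfigured URI\?\s*$')


def find_silent_retry_failures(lines):
    """Pair each 'ldap_back_is_proxy_authz returned N' error with the
    ldap_back_retry that immediately precedes it for the same slapd PID.

    Returns a list of findings. A finding whose 'orphan' flag is True is an
    error line with no adjacent retry; any other slapd line from the same PID
    in between breaks the adjacency (assumption: slapd logs the retry and the
    error back to back for one operation, as in the report)."""
    pending = {}      # pid -> groupdict of the last ldap_back_retry line
    findings = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = RETRY_RE.match(line)
        if m:
            pending[m["pid"]] = m.groupdict()
            continue
        m = AUTHZ_RE.match(line)
        if m:
            retry = pending.pop(m["pid"], None)
            finding = {"ts": m["ts"], "pid": int(m["pid"]), "rc": int(m["rc"]),
                       "orphan": retry is None, "conn": None, "op": None,
                       "uri": None, "dn": None}
            if retry is not None:
                finding.update(conn=int(retry["conn"]), op=int(retry["op"]),
                               uri=retry["uri"], dn=retry["dn"])
            findings.append(finding)
            continue
        m = PREFIX_RE.match(line)
        if m:
            # Any other message from this PID means the retry completed on
            # its own; forget it so a later error is not misattributed.
            pending.pop(m["pid"], None)
    return findings


def format_finding(f):
    """Render one finding as a single alert line."""
    if f["orphan"]:
        return (f'{f["ts"]} slapd[{f["pid"]}]: proxy authz failed (rc={f["rc"]}) '
                f'with no preceding ldap_back_retry')
    return (f'{f["ts"]} slapd[{f["pid"]}]: conn={f["conn"]} op={f["op"]} retried '
            f'{f["uri"]} as {f["dn"]} and then proxy authz failed (rc={f["rc"]}); '
            f'the client most likely received success with no entries')


# Constructed sample log, modelled on the two lines quoted in the report:
# a retry that fails authz, a retry that completes normally, and an orphan.
SAMPLE_LOG = [
    'Jun 10 11:37:38 openldap-proxy slapd[41657]: conn=1166 op=1 ldap_back_retry: '
    'retrying URI="ldaps://dc.ourdomain.com" '
    'DN="cn=ldap-binder,ou=serviceaccounts,dc=ourdomain,dc=com"',
    'Jun 10 11:37:38 openldap-proxy slapd[41657]: Error: ldap_back_is_proxy_authz '
    'returned 0, misconfigured URI?',
    'Jun 10 11:40:02 openldap-proxy slapd[41657]: conn=1170 op=1 ldap_back_retry: '
    'retrying URI="ldaps://dc.ourdomain.com" '
    'DN="cn=ldap-binder,ou=serviceaccounts,dc=ourdomain,dc=com"',
    'Jun 10 11:40:02 openldap-proxy slapd[41657]: conn=1170 op=1 SEARCH RESULT '
    'tag=101 err=0 nentries=3 text=',
    'Jun 10 11:41:15 openldap-proxy slapd[41657]: Error: ldap_back_is_proxy_authz '
    'returned 0, misconfigured URI?',
]

if __name__ == "__main__":
    for finding in find_silent_retry_failures(SAMPLE_LOG):
        print(format_finding(finding))
```

In production the lines would come from `journalctl -u slapd -f` or the syslog file instead of `SAMPLE_LOG`; the pairing logic is the same. The conn/op in a finding can then be matched against the client's own search to confirm that the empty, successful result coincided with the failed proxy bind.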