lit@cbord.com wrote:
Full_Name: Leo Tohill
Version: 2.4.30
OS: Windows 10
URL: https://docs.google.com/document/d/10uKg9Nh3HLiuOzTbLfi6Z7bCfUb8x_Ai6WK5LqNz...
Submission from: (NULL) (74.79.8.41)
Summary: openldap 2.4.30 does not accommodate multi-byte length value on bind request.
First, I'll admit that I'm out of my depth here, I'm running an older version, I'm on Windows, and my package was built by I don't know. But I worked hard enough to track this down that I want you to know what I found. I might upgrade, but that's problematic.
At some point my bindings from .NET began failing with "the username or password is incorrect". But they were correct. I could confirm with various other tools. I captured the wire traffic to isolate the problem. It turns out that Windows forms the binding request using a multi-byte length indicator in the request. OpenLDAP apparently does not accommodate this. I compared to a request generated by ldapsearch.exe. That request, which succeeds, varies only by using a single-byte length indicator.
The multi-byte length value should be allowed, right? Isn't it possible to have a bind request data packet of length > 127? Which would require a multi-byte length value. Perhaps this was fixed in a later version.
Screenshots of the wire capture here:
https://docs.google.com/document/d/10uKg9Nh3HLiuOzTbLfi6Z7bCfUb8x_Ai6WK5LqNz...
This URL is inaccessible, permission denied.
Just copy hex dumps of both requests here in text.
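The two length encodings the report compares, as an added example (not code from this thread or from OpenLDAP): a small C decoder that accepts both the short and the long BER definite length form and reads the same BindRequest from each. BER allows the long form even for lengths below 128. The byte arrays are constructed samples, not the reporter's capture, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: one minimal BindRequest, encoded two ways. */
static const uint8_t SHORT_FORM[] = { 0x30,0x0c, 0x02,0x01,0x01,
    0x60,0x07, 0x02,0x01,0x03, 0x04,0x00, 0x80,0x00 };
static const uint8_t LONG_FORM[] = { 0x30,0x84,0,0,0,0x10, 0x02,0x01,0x01,
    0x60,0x84,0,0,0,0x07, 0x02,0x01,0x03, 0x04,0x00, 0x80,0x00 };

/* Decode a BER definite length at p. Returns octets consumed, 0 on error. */
size_t ber_get_len(const uint8_t *p, size_t avail, size_t *len) {
    if (avail == 0) return 0;
    if (p[0] < 0x80) { *len = p[0]; return 1; }   /* short form: 0..127 */
    size_t n = p[0] & 0x7f;                       /* long form: n octets follow */
    if (n == 0) return 0;                         /* 0x80 = indefinite form */
    if (n > sizeof(size_t) || n >= avail) return 0;
    size_t v = 0;
    for (size_t i = 1; i <= n; i++) v = (v << 8) | p[i];
    *len = v;
    return n + 1;
}

/* Read one TLV header (single-octet tag) and bounds-check its content. */
static int tlv(const uint8_t *p, size_t avail, uint8_t *tag,
               const uint8_t **val, size_t *len) {
    if (avail < 2) return -1;
    size_t used = ber_get_len(p + 1, avail - 1, len);
    if (used == 0 || *len > avail - 1 - used) return -1;
    *tag = p[0];
    *val = p + 1 + used;
    return 0;
}

/* Content length of the BindRequest (tag 0x60) in an LDAPMessage, or -1. */
long bind_request_len(const uint8_t *msg, size_t n) {
    uint8_t tag; const uint8_t *v, *end; size_t len;
    if (tlv(msg, n, &tag, &v, &len) || tag != 0x30) return -1;  /* SEQUENCE */
    end = v + len;
    if (tlv(v, (size_t)(end - v), &tag, &v, &len) || tag != 0x02) return -1; /* messageID */
    v += len;                                     /* skip messageID value */
    if (tlv(v, (size_t)(end - v), &tag, &v, &len) || tag != 0x60) return -1;
    return (long)len;
}

int main(void) {
    printf("%ld %ld\n", bind_request_len(SHORT_FORM, sizeof SHORT_FORM),
           bind_request_len(LONG_FORM, sizeof LONG_FORM));
    return 0;
}
```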