stefw@redhat.com wrote:
Full_Name: Stef Walter
Version: 2.4.35
OS: Fedora 19
URL: ftp://ftp.openldap.org/incoming/stef-walter-130912.patch
Submission from: (NULL) (46.5.2.70)
Connectionless LDAP (i.e. cldap, enabled with -DLDAP_CONNECTIONLESS) is broken for IPv6 in current versions of openldap. Tested with version 2.4.35.
It's not clear if this ever worked properly.
No, clearly not, the code was written and deprecated before IPv6 existed. Nobody should be using this code today.
Even if it were to be used, the patch would break slapd; your getnameinfo patch changes the format of the peername string. The format of this string is not arbitrary, it's used in ACLs and the format is documented in slapd.access(5).
In the future, write patches that fix one single issue. Don't make gratuitous changes, particularly if you haven't researched what you're changing.
Connections immediately fail with:
ldap_search_ext: Can't contact LDAP server (-1)
The reason for this is that the LDAP_CONNECTIONLESS buffers include a prefix containing an address in a "struct sockaddr". However, struct sockaddr is not a concrete type. In particular, struct sockaddr_in6 is longer than struct sockaddr.
Noted here: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/l...
So this leads to failures when using IPv6 as the code assumes that the address length is equal to sizeof (struct sockaddr). Seen here:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/l...
Example command:
$ ldapsearch -d -1 -LL -H 'cldap://[2620:52:0:2223::1:1]' -b '' -s base '(&(DnsDomain=ad.baseos.qe)(NtVer=\06\00\00\00))' NetLogon
Output will contain this:
ldap_write: want=96 error=Invalid argument
Which is the EINVAL resulting from a bad value passed to sendto().
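The size mismatch the report describes, shown as an added C example that is not part of the ITS thread or of the OpenLDAP sources. It assumes a Linux/glibc layout (sizeof(struct sockaddr) is 16 bytes, sizeof(struct sockaddr_in6) is 28) and an IPv6 loopback address; the helper names and the UDP port 389 used for the probe are the example's own choices. It copies an address into a buffer the way a fixed sizeof(struct sockaddr) prefix would, checks whether an IPv4 and an IPv6 address survive that copy, and then passes the truncated length to sendto() on an AF_INET6 datagram socket to reproduce the EINVAL from the report.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Correct address length for a family. Hard-coding sizeof(struct sockaddr)
 * instead of this is the defect discussed in the report. */
socklen_t addr_len_for_family(int family) {
    switch (family) {
    case AF_INET:  return sizeof(struct sockaddr_in);
    case AF_INET6: return sizeof(struct sockaddr_in6);
    default:       return 0;
    }
}

/* Parse a textual IPv4 or IPv6 address into a sockaddr_storage, which is
 * large enough for any family, and report the real length to pass to the
 * socket calls. Returns 0 on success, -1 if the text is not an address. */
int build_addr(struct sockaddr_storage *ss, socklen_t *len,
               const char *ip, unsigned short port) {
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;
    struct sockaddr_in *s4 = (struct sockaddr_in *)ss;
    memset(ss, 0, sizeof *ss);
    if (inet_pton(AF_INET6, ip, &s6->sin6_addr) == 1) {
        s6->sin6_family = AF_INET6;
        s6->sin6_port = htons(port);
        *len = addr_len_for_family(AF_INET6);
        return 0;
    }
    if (inet_pton(AF_INET, ip, &s4->sin_addr) == 1) {
        s4->sin_family = AF_INET;
        s4->sin_port = htons(port);
        *len = addr_len_for_family(AF_INET);
        return 0;
    }
    return -1;
}

/* Emulate a prefix that only has room for sizeof(struct sockaddr) bytes.
 * Returns 1 if the copy lost part of the address, 0 if it is intact,
 * -1 if the text could not be parsed. */
int truncation_corrupts(const char *ip, unsigned short port) {
    struct sockaddr_storage ss;
    unsigned char copy[sizeof(struct sockaddr_storage)];
    socklen_t len;
    if (build_addr(&ss, &len, ip, port) != 0)
        return -1;
    memset(copy, 0, sizeof copy);
    memcpy(copy, &ss, sizeof(struct sockaddr)); /* the fixed-size prefix */
    return memcmp(copy, &ss, len) != 0;
}

/* Send an empty datagram with either the real length or the truncated
 * sizeof(struct sockaddr). Returns 0 on success, the errno from sendto()
 * on failure, or -1 if no IPv6 socket could be created at all. */
int sendto_errno_for(const char *ip, unsigned short port, int truncate) {
    struct sockaddr_storage ss;
    socklen_t len;
    int fd, rc, err = 0;
    if (build_addr(&ss, &len, ip, port) != 0)
        return -1;
    fd = socket(ss.ss_family, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (truncate)
        len = sizeof(struct sockaddr);
    rc = sendto(fd, "", 0, 0, (struct sockaddr *)&ss, len);
    if (rc < 0)
        err = errno;
    close(fd);
    return err;
}

int main(void) {
    printf("sizeof(struct sockaddr)=%zu sizeof(struct sockaddr_in6)=%zu\n",
           sizeof(struct sockaddr), sizeof(struct sockaddr_in6));
    /* Constructed sample addresses: a documentation IPv4 and IPv6 address. */
    printf("IPv4 truncated copy corrupted: %d\n",
           truncation_corrupts("192.0.2.1", 389));
    printf("IPv6 truncated copy corrupted: %d\n",
           truncation_corrupts("2001:db8::1", 389));
    printf("sendto with truncated length: errno=%d (EINVAL is %d)\n",
           sendto_errno_for("::1", 389, 1), EINVAL);
    printf("sendto with real length:      errno=%d\n",
           sendto_errno_for("::1", 389, 0));
    return 0;
}
```

The IPv4 case survives the 16-byte copy because sockaddr_in happens to be exactly sizeof(struct sockaddr), which is why the bug only shows up once an IPv6 address is involved; the fix is to carry the address in a sockaddr_storage together with its real socklen_t rather than assuming the length.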