Hi everybody
I am trying to fix an authentication plugin for openvpn using the openldap library. I am new to the library, so I may lack some understanding.
Here is the situation. The OpenLDAP version is 2.3.27.
If I try to find a user with a base dn of
"ou=mnd999,dc=asp,dc=ruf,dc=ch"
which is the correct base dn for this user, the operation works correctly.
If I just use "dc=asp,dc=ruf,dc=ch"
the operation times out. I am using subtree search and I can see on a packet dump on the line that there is a reply from the ldap server.
The difference between the replies is that in the case of the correct DN just a search entry and a search result message is returned, whereas in the case of the incomplete DN a search entry, a number of search result references and a search result are returned. In both cases, the search result yields success.
The code calls
    if ((err = ldap_search_ext_s(ldapConn, [base cString], LDAP_SCOPE_SUBTREE,
                                 [filter cString], attrArray, 0, NULL, NULL,
                                 &timeout, 5000, &res)) != LDAP_SUCCESS) {
        [TRLog error: "LDAP search failed: %d: %s", err, ldap_err2string(err)];
        goto finish;
    }
This call times out and returns -5.
I can provide tcpdump files if needed.
Thanks
Erich
Erich Titl wrote:
Hi everybody
I am trying to fix an authentication plugin for openvpn using the openldap library. I am new to the library, so I may lack some understanding.
Here is the situation. The OpenLDAP version is 2.3.27.
If I try to find a user with a base dn of
"ou=mnd999,dc=asp,dc=ruf,dc=ch"
which is the correct base dn for this user, the operation works correctly.
If I just use "dc=asp,dc=ruf,dc=ch"
the operation times out. I am using subtree search and I can see on a packet dump on the line that there is a reply from the ldap server.
The difference between the replies is that in the case of the correct DN just a search entry and a search result message is returned, whereas in the case of the incomplete DN a search entry, a number of search result references and a search result are returned. In both cases, the search result yields success.
The code calls
    if ((err = ldap_search_ext_s(ldapConn, [base cString], LDAP_SCOPE_SUBTREE,
                                 [filter cString], attrArray, 0, NULL, NULL,
                                 &timeout, 5000, &res)) != LDAP_SUCCESS) {
        [TRLog error: "LDAP search failed: %d: %s", err, ldap_err2string(err)];
        goto finish;
    }
This call times out and returns -5.
I can provide tcpdump files if needed.
Sounds like you're getting search references that the LDAP library tries to chase (anonymously, which is the default) and during that something times out. Since this seems not to be what you need, because the entry you're looking for is present, and you don't need to chase any referral, you should tell the library not to chase them, and simply return the entry you're looking for. To do that, you need to set LDAP_OPT_REFERRALS to LDAP_OPT_OFF using the ldap_set_option(3) call (don't get tricked by the trailing (3): such a man page never existed, as far as I know ;). Example code may be found in the ldapsearch code (actually, in clients/tools/common.c) and in the proxy backends of slapd in servers/slapd/back-ldap/bind.c.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it
Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati@sys-net.it
And if you want to change references/referrals, I suggest you consider the async interface so you can better manage security contexts. -- Kurt
At 05:01 PM 10/8/2006, Pierangelo Masarati wrote:
Sounds like you're getting search references that the LDAP library tries to chase (anonymously, which is the default) and during that something times out. Since this seems not to be what you need, because the entry you're looking for is present, and you don't need to chase any referral, you should tell the library not to chase them, and simply return the entry you're looking for. To do that, you need to set LDAP_OPT_REFERRALS to LDAP_OPT_OFF using the ldap_set_option(3) call (don't get tricked by the trailing (3): such a man page never existed, as far as I know ;). Example code may be found in the ldapsearch code (actually, in clients/tools/common.c) and in the proxy backends of slapd in servers/slapd/back-ldap/bind.c.
Pierangelo and Kurt
Thanks a lot for this information.
Kurt D. Zeilenga wrote:
And if you want to change references/referrals, I suggest you consider the async interface so you can better manage security contexts. -- Kurt
I tried to rewrite that piece of code to use the async interface (actually the sync interface appears to just wrap it), without too much luck.
I will go back to the drawing board and try to implement your suggestions.
Thanks
Erich
Pierangelo
Pierangelo Masarati wrote:
Sounds like you're getting search references that the LDAP library tries to chase (anonymously, which is the default)
Which won't work, as the server does not allow anonymous binds :-(
and during that something times out. Since this seems not to be what you need, because the entry you're looking for is present, and you don't need to chase any referral, you should tell the library not to chase them, and simply return the entry you're looking for. To do that, you need to set LDAP_OPT_REFERRALS to LDAP_OPT_OFF using the ldap_set_option(3) call (don't get tricked by the trailing (3): such a man page never existed, as far as I know ;). Example code may be found in the ldapsearch code (actually, in clients/tools/common.c) and in the proxy backends of slapd in servers/slapd/back-ldap/bind.c.
Thanks, will chase that.
Erich
Erich Titl wrote:
Pierangelo
Pierangelo Masarati wrote:
Sounds like you're getting search references that the LDAP library tries to chase (anonymously, which is the default)
Which won't work, as the server does not allow anonymous binds :-(
In that case, if your client can determine what identity to use when chasing each specific referral, you can hook in some code to bind as appropriate; have a look at ldap_set_rebind_proc(3) (it's in the ldap_bind(3) man page, at least in HEAD code... in any case an example use is again in servers/slapd/back-ldap/bind.c).
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
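The wire side of what Pierangelo describes above, as an added example that is not code from this thread, from OpenLDAP or from the OpenVPN plugin being fixed: a small decoder for the three LDAPv3 search-response messages the packet dump showed (SearchResultEntry, SearchResultReference, SearchResultDone) and a collector that models the two client behaviours discussed in the thread. With LDAP_OPT_REFERRALS off, the entry and the reference URLs come back together and the search is finished at SearchResultDone, with no follow-up connections; with chasing on, every reference needs an identity to bind with, which is the job ldap_set_rebind_proc(3) does in libldap, and without one the chase is anonymous. It is written in Python rather than the plugin's C so that it runs offline; the DNs, hostnames, referral URLs, the per-server identity table and the bytes themselves are all constructed here, not captured from any real server. For reference, the -5 the original ldap_search_ext_s call returned is LDAP_TIMEOUT in OpenLDAP's ldap.h.

```python
"""LDAPv3 search responses: decode entry/reference/done messages and model a
client that does or does not chase referrals. Added example, not code from the
thread, OpenLDAP or the OpenVPN plugin; DNs, URLs and bytes are constructed."""
from urllib.parse import urlparse

# Universal BER tags (X.690) and LDAP application tags (RFC 4511).
INTEGER, OCTET_STRING, ENUMERATED, SEQUENCE, SET = 0x02, 0x04, 0x0A, 0x30, 0x31
SEARCH_ENTRY, SEARCH_DONE, SEARCH_REF = 0x64, 0x65, 0x73  # [APPLICATION 4, 5, 19]

def tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value with a definite length (short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body

def read_tlv(buf: bytes, pos: int):
    """Parse the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long-form length: low bits give the byte count
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes):
    """Yield (tag, value) for each element of a constructed value."""
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def decode_message(buf: bytes, pos: int = 0):
    """Decode one LDAPMessage at buf[pos]; return ((kind, payload), next pos)."""
    tag, body, end = read_tlv(buf, pos)
    if tag != SEQUENCE:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    (_, _msg_id), (op_tag, op) = list(children(body))[:2]  # controls ignored
    if op_tag == SEARCH_ENTRY:  # objectName, PartialAttributeList
        (_, dn), (_, attr_list) = children(op)
        attrs = {}
        for _, attr in children(attr_list):
            (_, name), (_, vals) = children(attr)
            attrs[name.decode()] = [v.decode() for _, v in children(vals)]
        return ("entry", (dn.decode(), attrs)), end
    if op_tag == SEARCH_REF:  # SEQUENCE OF URI
        return ("reference", [u.decode() for _, u in children(op)]), end
    if op_tag == SEARCH_DONE:  # LDAPResult: resultCode, matchedDN, diagnosticMessage
        (_, code), (_, matched), (_, diag) = list(children(op))[:3]
        return ("done", (int.from_bytes(code, "big"), matched.decode(), diag.decode())), end
    raise ValueError(f"unexpected protocolOp tag 0x{op_tag:02x}")

def collect_search(stream: bytes, chase_referrals: bool, rebind=None):
    """chase_referrals=False is what LDAP_OPT_REFERRALS=LDAP_OPT_OFF gives the
    caller: entries and reference URLs together, done at SearchResultDone. With
    True, also list the follow-up binds the library would make; rebind(url)
    plays the ldap_set_rebind_proc role, returning a bind DN or None (anonymous)."""
    entries, refs, result, pos = [], [], None, 0
    while pos < len(stream) and result is None:
        (kind, payload), pos = decode_message(stream, pos)
        if kind == "entry":
            entries.append(payload)
        elif kind == "reference":
            refs.extend(payload)
        else:
            result = payload
    if result is None:
        raise ValueError("stream ended before SearchResultDone")
    chase = [(url, (rebind(url) if rebind else None) or "anonymous")
             for url in refs] if chase_referrals else []
    return {"entries": entries, "references": refs,
            "result_code": result[0], "chase": chase}

# Constructed sample traffic, modelled on the poster's description of the dump.
def _message(msg_id: int, op: bytes) -> bytes:
    return tlv(SEQUENCE, tlv(INTEGER, bytes([msg_id])) + op)

def _entry(dn: str, attrs: dict) -> bytes:
    attr_list = b"".join(
        tlv(SEQUENCE, tlv(OCTET_STRING, k.encode())
            + tlv(SET, b"".join(tlv(OCTET_STRING, v.encode()) for v in vs)))
        for k, vs in attrs.items())
    return tlv(SEARCH_ENTRY, tlv(OCTET_STRING, dn.encode()) + tlv(SEQUENCE, attr_list))

SAMPLE_ENTRY_DN = "cn=testuser,ou=mnd999,dc=asp,dc=ruf,dc=ch"  # made-up entry
SAMPLE_REFS = ["ldap://ldap2.example.net/ou=mnd001,dc=asp,dc=ruf,dc=ch??sub",
               "ldap://ldap3.example.net/ou=mnd002,dc=asp,dc=ruf,dc=ch??sub"]
SAMPLE_STREAM = (
    _message(2, _entry(SAMPLE_ENTRY_DN, {"cn": ["testuser"], "objectClass": ["person"]}))
    + b"".join(_message(2, tlv(SEARCH_REF, tlv(OCTET_STRING, u.encode()))) for u in SAMPLE_REFS)
    + _message(2, tlv(SEARCH_DONE, tlv(ENUMERATED, b"\x00")  # resultCode 0 = success
                      + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, b""))))

# Hypothetical per-server identity table for the rebind hook (made-up DN); the
# second referred server has no identity configured, so a chase there is anonymous.
PROXY_IDENTITIES = {"ldap2.example.net": "cn=vpnproxy,dc=asp,dc=ruf,dc=ch"}

def pick_identity(url: str):
    return PROXY_IDENTITIES.get(urlparse(url).hostname)

if __name__ == "__main__":
    for chase in (False, True):
        print("chase" if chase else "no chase", collect_search(SAMPLE_STREAM, chase, pick_identity))
```

Run as a script it prints the collected result twice: without chasing, one entry, two reference URLs and result code 0, which is all the plugin needs since the user's entry arrives in the first SearchResultEntry; with chasing, the two follow-up binds the library would have to make, one with the configured proxy identity and one anonymous. In the poster's environment the server refuses anonymous binds, so a chase without a rebind hook supplying real credentials cannot succeed, which is why turning referral chasing off (or supplying an identity per referral) is the fix rather than a longer timeout.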
Pierangelo
Pierangelo Masarati wrote:
Sounds like you're getting search references that the LDAP library tries to chase (anonymously, which is the default) and during that something times out. Since this seems not to be what you need, because the entry you're looking for is present, and you don't need to chase any referral, you should tell the library not to chase them, and simply return the entry you're looking for. To do that, you need to set LDAP_OPT_REFERRALS to LDAP_OPT_OFF using the ldap_set_option(3) call (don't get tricked by the trailing (3): such a man page never existed, as far as I know ;). Example code may be found in the ldapsearch code (actually, in clients/tools/common.c) and in the proxy backends of slapd in servers/slapd/back-ldap/bind.c.
Looks like your diagnostics were on the spot, I just added the 3-liner
    if ((err = ldap_set_option(ldapConn, LDAP_OPT_REFERRALS, LDAP_OPT_OFF)) != LDAP_OPT_SUCCESS) {
        [TRLog debug: "Could not set LDAP_OPT_REFERRALS off\n"];
        goto finish;
    }
in front of the search call and now the call returns immediately. As the rest of the plugin is not my code I will not modify the entire thing, as it appears now to work, at least in my test environment.
This may be one for the FAQ, but maybe it is just obvious :-(
Thanks a lot
Erich
openldap-software@openldap.org