
Re: Authentication data not used when chasing referrals (ITS#2106)



Presently, all OpenLDAP clients only support anonymous chasing.

The -C option was purposely removed from the usage message of
all LDAP commands but mistakenly left in some manual pages.
These have been corrected in HEAD.

If and when non-anonymous chasing is implemented, the usage
and manual pages will be updated to reflect this.

Implementation of non-anonymous chasing is on the TODO list.

Kurt

At 04:44 AM 2002-09-23, andrew.findlay@skills-1st.co.uk wrote:
>Full_Name: Andrew Findlay
>Version: HEAD 23 Sept 2002
>OS: Linux
>URL: 
>Submission from: (NULL) (217.206.98.194)
>
>
>When a modification request is submitted to a slave server, the server returns a
>referral pointing to the master server. If referral chasing is on (e.g. -C flag
>on ldapmodify, setting LDAP_OPT_REFERRALS on) then the client library will
>connect to the master server and re-try the operation.
>
>If the operation requires authentication (as all modify operations tend to) then
>there is a problem, as the client library binds to the master server as NULLDN.
>It does not re-use the authentication data that it used when making the initial
>connection to the slave server.
>
>I append a client trace using master and slave servers both running on the local
>machine. It looks to me as if ldap_chase_v3referrals should be calling
>ldap_bind_s or similar rather than going in at a low level with
>ldap_send_server_request, though I cannot immediately see where it should get
>hold of the authentication credentials.
>
>Andrew
>----------------------------------------------------------------------------------
>
>ldapmodify -H ldap://localhost:2389/ -d 1 -d 8 -C -r -c -x -D
>cn=DSAmgr,dc=example,dc=org -W -f franco.ldif
>
>ldap_create
>ldap_url_parse_ext(ldap://localhost:2389/)
>Enter LDAP Password:
>ldap_bind_s
>ldap_simple_bind_s
>ldap_sasl_bind_s
>ldap_sasl_bind
>ldap_send_initial_request
>ldap_new_connection
>ldap_int_open_connection
>ldap_connect_to_host: TCP localhost:2389
>ldap_new_socket: 4
>ldap_prepare_socket: 4
>ldap_connect_to_host: Trying 127.0.0.1:2389
>ldap_connect_timeout: fd: 4 tm: -1 async: 0
>ldap_ndelay_on: 4
>ldap_is_sock_ready: 4
>ldap_ndelay_off: 4
>ldap_int_sasl_open: host=brick.skills-1st.co.uk
>ldap_open_defconn: successful
>ldap_send_server_request
>ber_flush: 47 bytes to sd 4
>ldap_result msgid 1
>ldap_chkResponseList for msgid=1, all=1
>ldap_chkResponseList returns NULL
>wait4msg (infinite timeout), msgid 1
>wait4msg continue, msgid 1, all 1
>** Connections:
>* host: localhost  port: 2389  (default)
>  refcnt: 2  status: Connected
>  last used: Mon Sep 23 12:16:28 2002
>
>** Outstanding Requests:
> * msgid 1,  origid 1, status InProgress
>   outstanding referrals 0, parent count 0
>** Response Queue:
>   Empty
>ldap_chkResponseList for msgid=1, all=1
>ldap_chkResponseList returns NULL
>ldap_int_select
>read1msg: msgid 1, all 1
>ber_get_next
>ber_get_next: tag 0x30 len 12 contents:
>ldap_read: message type bind msgid 1, original id 1
>ber_scanf fmt ({iaa) ber:
>ber_scanf fmt ({iaa}) ber:
>new result:  res_errno: 0, res_error: <>, res_matched: <>
>read1msg:  0 new referrals
>read1msg:  mark request completed, id = 1
>request 1 done
>res_errno: 0, res_error: <>, res_matched: <>
>ldap_free_request (origid 1, msgid 1)
>ldap_free_connection
>ldap_free_connection: refcnt 1
>ldap_parse_result
>ber_scanf fmt ({iaa) ber:
>ber_scanf fmt (}) ber:
>ldap_msgfree
>modifying entry "cn=Robert Franco+uid=u000182,dc=example,dc=org"
>ldap_modify_ext
>ldap_send_initial_request
>ldap_send_server_request
>ber_flush: 307 bytes to sd 4
>ldap_result msgid 2
>ldap_chkResponseList for msgid=2, all=1
>ldap_chkResponseList returns NULL
>wait4msg (infinite timeout), msgid 2
>wait4msg continue, msgid 2, all 1
>** Connections:
>* host: localhost  port: 2389  (default)
>  refcnt: 2  status: Connected
>  last used: Mon Sep 23 12:16:28 2002
>
>** Outstanding Requests:
> * msgid 2,  origid 2, status InProgress
>   outstanding referrals 0, parent count 0
>** Response Queue:
>   Empty
>ldap_chkResponseList for msgid=2, all=1
>ldap_chkResponseList returns NULL
>ldap_int_select
>read1msg: msgid 2, all 1
>ber_get_next
>ber_get_next: tag 0x30 len 86 contents:
>ldap_read: message type modify msgid 2, original id 2
>ber_scanf fmt ({iaa) ber:
>ber_scanf fmt ({v}) ber:
>ldap_chase_v3referrals
>ldap_url_parse_ext(ldap://localhost:3389/cn=Robert%20Franco+uid=u000182,dc=example,dc=org)
>re_encode_request: new msgid 3, new dn <cn=Robert
>Franco+uid=u000182,dc=example,dc=org>
>ber_scanf fmt ({it) ber:
>ber_scanf fmt ({a) ber:
>ldap_chase_v3referral: msgid 2, url
>"ldap://localhost:3389/cn=Robert%20Franco+uid=u000182,dc=example,dc=org";
>ldap_send_server_request
>ldap_new_connection
>ldap_int_open_connection
>ldap_connect_to_host: TCP localhost:3389
>ldap_new_socket: 5
>ldap_prepare_socket: 5
>ldap_connect_to_host: Trying 127.0.0.1:3389
>ldap_connect_timeout: fd: 5 tm: -1 async: 0
>ldap_ndelay_on: 5
>ldap_is_sock_ready: 5
>ldap_ndelay_off: 5
>ldap_int_sasl_open: host=brick.skills-1st.co.uk
>anonymous rebind via ldap_bind_s
>ldap_bind_s
>ldap_simple_bind_s
>ldap_sasl_bind_s
>ldap_sasl_bind
>ldap_send_initial_request
>ldap_send_server_request
>ber_flush: 14 bytes to sd 5
>ldap_result msgid 4
>ldap_chkResponseList for msgid=4, all=1
>ldap_chkResponseList returns NULL
>wait4msg (infinite timeout), msgid 4
>wait4msg continue, msgid 4, all 1
>** Connections:
>* host: localhost  port: 3389
>  refcnt: 2  status: Connected
>  last used: Mon Sep 23 12:16:28 2002
>  rebind in progress
>    queue is empty
>
>* host: localhost  port: 2389  (default)
>  refcnt: 2  status: Connected
>  last used: Mon Sep 23 12:16:28 2002
>
>** Outstanding Requests:
> * msgid 4,  origid 4, status InProgress
>   outstanding referrals 0, parent count 0
> * msgid 2,  origid 2, status InProgress
>   outstanding referrals 1, parent count 0
>** Response Queue:
>   Empty
>ldap_chkResponseList for msgid=4, all=1
>ldap_chkResponseList returns NULL
>ldap_int_select
>read1msg: msgid 4, all 1
>ber_get_next
>ber_get_next: tag 0x30 len 12 contents:
>ldap_read: message type bind msgid 4, original id 4
>ber_scanf fmt ({iaa) ber:
>ber_scanf fmt ({iaa}) ber:
>new result:  res_errno: 0, res_error: <>, res_matched: <>
>read1msg:  0 new referrals
>read1msg:  mark request completed, id = 4
>request 4 done
>res_errno: 0, res_error: <>, res_matched: <>
>ldap_free_request (origid 4, msgid 4)
>ldap_free_connection
>ldap_free_connection: refcnt 1
>ldap_parse_result
>ber_scanf fmt ({iaa) ber:
>ber_scanf fmt (}) ber:
>ldap_msgfree
>ber_flush: 307 bytes to sd 5
>read1msg:  referral chased, mark request completed, id = 2
>read1msg:  1 new referrals
>wait4msg continue, msgid 2, all 1
>** Connections:
>* host: localhost  port: 3389
>  refcnt: 1  status: Connected
>  last used: Mon Sep 23 12:16:28 2002
>
>* host: localhost  port: 2389  (default)
>  refcnt: 2  status: Connected
>  last used: Mon Sep 23 12:16:28 2002
>
>** Outstanding Requests:
> * msgid 3,  origid 2, status InProgress
>   outstanding referrals 0, parent count 1
> * msgid 2,  origid 2, status Request Completed
>   outstanding referrals 1, parent count 0
>** Response Queue:
>   Empty
>ldap_chkResponseList for msgid=2, all=1
>ldap_chkResponseList returns NULL
>ldap_int_select
>read1msg: msgid 2, all 1
>ber_get_next
>ber_get_next: tag 0x30 len 48 contents:
>ldap_read: message type modify msgid 3, original id 2
>ber_scanf fmt ({iaa) ber:
>ber_scanf fmt ({iaa}) ber:
>ldap_chase_referrals
>read1msg:  V2 referral chased, mark request completed, id = 3
>new result:  res_errno: 8, res_error: <modifications require authentication>,
>res_matched: <>
>read1msg:  0 new referrals
>read1msg:  mark request completed, id = 3
>merged parent (id 2) error info:  result errno 8, error <modifications require
>authentication>, matched <>
>request 2 done
>res_errno: 8, res_error: <modifications require authentication>, res_matched:
><>
>ldap_free_request (origid 2, msgid 2)
>ldap_free_request (origid 2, msgid 3)
>ldap_free_connection
>ldap_send_unbind
>ber_flush: 7 bytes to sd 5
>ldap_free_connection: actually freed
>ldap_parse_result
>ber_scanf fmt ({iaa) ber:
>ber_scanf fmt (}) ber:
>ldap_msgfree
>ldapmodify: update failed: cn=Robert Franco+uid=u000182,dc=example,dc=org
>ldap_perror
>ldap_modify: Strong(er) authentication required (8)
>        additional info: modifications require authentication
>
>ldap_unbind
>ldap_free_connection
>ldap_send_unbind
>ber_flush: 7 bytes to sd 4
>ldap_free_connection: actually freed
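The failure mode Andrew describes is visible in the -d 1 -d 8 trace: a `ldap_chase_v3referral` line naming the referral URL, then `anonymous rebind via ldap_bind_s` on the new connection, then the chased request coming back with `res_errno: 8`. The following script is an added example (not part of the report or of OpenLDAP) that reads such a trace and reports every referral that was chased with an anonymous rebind, together with the result the referral target returned. It assumes only the line formats seen in the quoted trace; the `SAMPLE_TRACE` below is a constructed, abridged trace in that style, not the original lines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Line formats as they appear in an ldapmodify -d 1 -d 8 trace (assumed stable).
CHASE_RE = re.compile(r'ldap_chase_v3referral: msgid (\d+), url\s*(.*)')
READ_RE = re.compile(r'ldap_read: message type (\w+) msgid (\d+), original id (\d+)')
RESULT_RE = re.compile(r'new result:\s+res_errno: (\d+)(?:, res_error: <([^>]*)>)?')
ANON_REBIND = "anonymous rebind via ldap_bind_s"

# Constructed, abridged trace in the style of the one quoted in the report.
SAMPLE_TRACE = """\
ldap_bind_s
ldap_simple_bind_s
ldap_connect_to_host: TCP localhost:2389
ldap_read: message type bind msgid 1, original id 1
new result:  res_errno: 0, res_error: <>, res_matched: <>
ldap_modify_ext
ldap_read: message type modify msgid 2, original id 2
ldap_chase_v3referrals
ldap_chase_v3referral: msgid 2, url
"ldap://localhost:3389/cn=Robert%20Franco+uid=u000182,dc=example,dc=org";
ldap_connect_to_host: TCP localhost:3389
anonymous rebind via ldap_bind_s
ldap_bind_s
ldap_read: message type bind msgid 4, original id 4
new result:  res_errno: 0, res_error: <>, res_matched: <>
ldap_read: message type modify msgid 3, original id 2
new result:  res_errno: 8, res_error: <modifications require authentication>, res_matched: <>
ldap_modify: Strong(er) authentication required (8)
"""


@dataclass
class ReferralChase:
    origid: int                      # msgid of the request that drew the referral
    url: str                         # referral target
    anonymous_rebind: bool = False   # library rebound anonymously on the new connection
    result_errno: Optional[int] = None   # result the referral target returned for the re-sent request
    result_error: str = ""


def parse_trace(text: str) -> list:
    """Collect every chased referral and whether it was chased with an anonymous rebind."""
    chases = []
    current = None      # chase whose URL may continue on the next line
    last_read = None    # (message type, original id) of the last ldap_read line
    for raw in text.splitlines():
        line = raw.lstrip(">").strip()   # tolerate mail-quoted traces
        m = CHASE_RE.match(line)
        if m:
            current = ReferralChase(int(m.group(1)), m.group(2).strip('";'))
            chases.append(current)
            continue
        if current is not None and not current.url and line.startswith('"'):
            current.url = line.strip('";')   # URL was wrapped onto its own line
            continue
        if line == ANON_REBIND and current is not None:
            current.anonymous_rebind = True
            continue
        m = READ_RE.match(line)
        if m:
            last_read = (m.group(1), int(m.group(3)))
            continue
        m = RESULT_RE.match(line)
        # A result belongs to a chase when it follows the read of a non-bind
        # message whose original id is the chased request's msgid.
        if m and last_read and last_read[0] != "bind":
            for c in chases:
                if c.origid == last_read[1] and c.result_errno is None:
                    c.result_errno = int(m.group(1))
                    c.result_error = m.group(2) or ""
    return chases


def findings(chases) -> list:
    """Human-readable report of referrals chased without the client's credentials."""
    out = []
    for c in chases:
        if c.anonymous_rebind:
            msg = f"referral for msgid {c.origid} to {c.url} chased with an anonymous rebind"
            if c.result_errno is not None:
                msg += f"; target answered errno {c.result_errno} ({c.result_error})"
            out.append(msg)
    return out


if __name__ == "__main__":
    for f in findings(parse_trace(SAMPLE_TRACE)):
        print(f)
```

Run it against a trace captured from your own client (`ldapmodify ... -d 1 -d 8 2> trace.txt`) to confirm whether the build in use rebinds anonymously when chasing; the script only reads the trace and cannot change the library's behaviour, which, as Kurt's reply states, is the part still to be implemented.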