changed notes changed state Open to Test moved from Incoming to Software Bugs
Full_Name: George Tzanetis
Version: 2.4.23 stable
OS: Red Hat Enterprise 5.5
URL:
Submission from: (NULL) (62.169.213.126)

I have built openldap 2.4.23 with the back-ndb in 4 machines. I created the slapd.conf as follows:

    pidfile         /usr/local/openldap/var/run/slapd.pid
    argsfile        /usr/local/openldap/var/run/slapd.args

    #######################################################################
    # NDB database definitions
    #######################################################################
    #NDB database definitions
    database        ndb
    suffix          "dc=example,dc=gr"
    rootdn          "cn=root,dc=example,dc=gr"
    rootpw          secret
    dbconnect       192.168.6.11
    dbhost          192.168.6.12
    dbport          3306
    dbname          openldap
    dbuser          ldapUser
    dbpass          "1234"
    dbconnections   3
    dbsocket        /tmp/mysql.sock
    attrblob        description
    index           uid

    #######################################################################
    # Monitor Database definitions
    #######################################################################
    database        monitor
    loglevel        5

My problem is that I can authenticate to the ldap with any password for the cn=root,dc=example,dc=gr (rootdn) user, as long as I specify a password. To make it clearer, all the following ldapsearches work:

    ldapsearch -h 192.168.6.10 -b 'dc=example,dc=gr' -w secret1 -D "cn=root,dc=example,dc=gr"
    ldapsearch -h 192.168.6.10 -b 'dc=example,dc=gr' -w secret -D "cn=root,dc=example,dc=gr"
    ldapsearch -h 192.168.6.10 -b 'dc=example,dc=gr' -w sec -D "cn=root,dc=example,dc=gr"
    ldapsearch -h 192.168.6.10 -b 'dc=example,dc=gr' -w " " -D "cn=root,dc=example,dc=gr"

If I do not specify a password (i.e. the -w flag is omitted), I get the message:

    ldap_bind: Server is unwilling to perform (53)
        additional info: unauthenticated bind (DN with no password) disallowed

In addition, if I do not input the correct rootdn user, I get the message:

    ldap_bind: Invalid credentials (49)

This behavior exists in all instances of openldap with ndb as back-end. I did some more testing, and I built openldap with the bdb and ndb backends. The issue appears only for the suffix that is stored in the ndb back-end and not for the bdb back-end, so there must be something wrong with the bind operation of the slapd-ndb. Finally, I would like to state that with the slapd-ndb, all the ldapsearches / modifications / deletions are performed correctly, even if the rootpw password is wrong.
Please try back-ndb/bind.cpp 1.5->1.6 from HEAD's CVS. Thanks for the report. p.
Hi,

I built openldap using the new code. The rootpw now works, but if a wrong password is given in an ldap query, then the ldap query process locks.

e.g.:
with rootdn: 'cn=root,dc=example,dc=gr'
and rootpw: secret

- when rootdn and rootpw are correct:
  ldapwhoami -h 192.168.6.10 -D 'cn=root,dc=example,dc=gr' -w 'secret'
  > dn:cn=root,dc=example,dc=gr

- when rootdn is wrong:
  ldapwhoami -h 192.168.6.10 -D 'cn=root,dc=example,dc=com' -w 'secret'
  > ldap_bind: Invalid credentials (49)

- when rootdn is correct and rootpw is wrong:
  ldapwhoami -h 192.168.6.10 -D 'cn=root,dc=example,dc=com' -w 'secret1'
  "NO RESULT, the ldapwhoami locks"

Here are the logs of the slapd process:

    ###################################
    #with correct rootdn & rootpw     #
    ###################################
    daemon: activity on 1 descriptor
    daemon: activity on:
    slap_listener_activate(8):
    daemon: epoll: listen=7 active_threads=0 tvp=NULL
    daemon: epoll: listen=8 busy
    >>> slap_listener(ldap:///)
    daemon: activity on 1 descriptor
    daemon: activity on:
    daemon: epoll: listen=7 active_threads=0 tvp=NULL
    daemon: epoll: listen=8 active_threads=0 tvp=NULL
    daemon: listen=8, new connection on 23
    daemon: activity on 1 descriptor
    daemon: activity on: 23r
    daemon: read active on 23
    daemon: added 23r (active) listener=(nil)
    daemon: epoll: listen=7 active_threads=0 tvp=NULL
    daemon: epoll: listen=8 active_threads=0 tvp=NULL
    daemon: activity on 1 descriptor
    daemon: activity on:
    daemon: epoll: listen=7 active_threads=0 tvp=NULL
    daemon: epoll: listen=8 active_threads=0 tvp=NULL
    conn=1000 fd=23 ACCEPT from IP=192.168.6.10:47722 (IP=0.0.0.0:389)
    connection_get(23)
    connection_get(23): got connid=1000
    connection_read(23): checking for input on id=1000
    ber_get_next
    ldap_read: want=8, got=8
    ldap_read: want=36, got=36
    ber_get_next: tag 0x30 len 42 contents:
    ber_dump: buf=0x1d047ee0 ptr=0x1d047ee0 end=0x1d047f0a len=42
    op tag 0x60, time 1285831215
    ber_get_next
    ldap_read: want=8 error=Resource temporarily unavailable
    daemon: activity on 1 descriptor
    daemon: activity on:
    daemon: epoll: listen=7 active_threads=0 tvp=NULL
    daemon: epoll: listen=8 active_threads=0 tvp=NULL
    conn=1000 op=0 do_bind
    ber_scanf fmt ({imt) ber:
    ber_dump: buf=0x1d047ee0 ptr=0x1d047ee3 end=0x1d047f0a len=39
    ber_scanf fmt (m}) ber:
    ber_dump: buf=0x1d047ee0 ptr=0x1d047f01 end=0x1d047f0a len=9
    >>> dnPrettyNormal: <cn=root,dc=example,dc=gr>
    => ldap_bv2dn(cn=root,dc=example,dc=gr,0)
    <= ldap_bv2dn(cn=root,dc=example,dc=gr)=0
    => ldap_dn2bv(272)
    <= ldap_dn2bv(cn=root,dc=example,dc=gr)=0
    => ldap_dn2bv(272)
    <= ldap_dn2bv(cn=root,dc=example,dc=gr)=0
    <<< dnPrettyNormal: <cn=root,dc=example,dc=gr>, <cn=root,dc=example,dc=gr>
    conn=1000 op=0 BIND dn="cn=root,dc=example,dc=gr" method=128
    do_bind: version=3 dn="cn=root,dc=example,dc=gr" method=128
    ==> ndb_back_bind: dn: cn=root,dc=example,dc=gr
    conn=1000 op=0 BIND dn="cn=root,dc=example,dc=gr" mech=SIMPLE ssf=0
    do_bind: v3 bind: "cn=root,dc=example,dc=gr" to "cn=root,dc=example,dc=gr"
    send_ldap_result: conn=1000 op=0 p=3
    send_ldap_result: err=0 matched="" text=""
    send_ldap_response: msgid=1 tag=97 err=0
    ber_flush2: 14 bytes to sd 23
    ldap_write: want=14, written=14
    conn=1000 op=0 RESULT tag=97 err=0 text=
    daemon: activity on 1 descriptor
    daemon: activity on: 23r
    daemon: read active on 23
    daemon: epoll: listen=7 active_threads=0 tvp=NULL
    daemon: epoll: listen=8 active_threads=0 tvp=NULL
    connection_get(23)
    connection_get(23): got connid=1000
    connection_read(23): checking for input on id=1000
    ber_get_next
    ldap_read: want=8, got=8
    ldap_read: want=24, got=24
    ber_get_next: tag 0x30 len 30 contents:
    ber_dump: buf=0x1d045c10 ptr=0x1d045c10 end=0x1d045c2e len=30
    op tag 0x77, time 1285831215
    ber_get_next
    ldap_read: want=8 error=Resource temporarily unavailable
    daemon: activity on 1 descriptor
    daemon: activity on:
    daemon: epoll: listen=7 active_threads=0 tvp=NULL
    daemon: epoll: listen=8 active_threads=0 tvp=NULL
    conn=1000 op=1 do_extended
    ber_scanf fmt ({m) ber:
    ber_dump: buf=0x1d045c10 ptr=0x1d045c13 end=0x1d045c2e len=27
    conn=1000 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.3
    do_extended: oid=1.3.6.1.4.1.4203.1.11.3
    conn=1000 op=1 WHOAMI
    send_ldap_extended: err=0 oid= len=26
    send_ldap_response: msgid=2 tag=120 err=0
    ber_flush2: 42 bytes to sd 23
    ldap_write: want=42, written=42
    conn=1000 op=1 RESULT oid= err=0 text=
    daemon: activity on 1 descriptor
    daemon: activity on: 23r
    daemon: read active on 23
    daemon: epoll: listen=7 active_threads=0 tvp=NULL
    daemon: epoll: listen=8 active_threads=0 tvp=NULL
    connection_get(23)
    connection_get(23): got connid=1000
    connection_read(23): checking for input on id=1000
    ber_get_next
    ldap_read: want=8, got=7
    ber_get_next: tag 0x30 len 5 contents:
    ber_dump: buf=0x1d045c10 ptr=0x1d045c10 end=0x1d045c15 len=5
    op tag 0x42, time 1285831215
    ber_get_next
    ldap_read: want=8, got=0
    ber_get_next on fd 23 failed errno=0 (Success)
    connection_read(23): input error=-2 id=1000, closing.
    connection_closing: readying conn=1000 sd=23 for close
    daemon: activity on 1 descriptor
    daemon: activity on:
    daemon: epoll: listen=7 active_threads=0 tvp=NULL
    daemon: epoll: listen=8 active_threads=0 tvp=NULL
    connection_close: deferring conn=1000 sd=23
    conn=1000 op=2 do_unbind
    conn=1000 op=2 UNBIND
    connection_resched: attempting closing conn=1000 sd=23
    connection_close: conn=1000 sd=23
    daemon: removing 23
    conn=1000 fd=23 closed

    ##########################################
    #with correct rootdn & incorrect rootpw  #
    ##########################################
    daemon: activity on 1 descriptor
    daemon: activity on:
    slap_listener_activate(8):
    daemon: epoll: listen=7 active_threads=0 tvp=NULL
    daemon: epoll: listen=8 busy
    >>> slap_listener(ldap:///)
    daemon: listen=8, new connection on 23
    daemon: added 23r (active) listener=(nil)
    conn=1001 fd=23 ACCEPT from IP=192.168.6.10:47723 (IP=0.0.0.0:389)
    daemon: activity on 2 descriptors
    daemon: activity on: 23r
    daemon: read active on 23
    daemon: epoll: listen=7 active_threads=0 tvp=NULL
    daemon: epoll: listen=8 active_threads=0 tvp=NULL
    connection_get(23)
    connection_get(23): got connid=1001
    connection_read(23): checking for input on id=1001
    ber_get_next
    ldap_read: want=8, got=8
    ldap_read: want=37, got=37
    ber_get_next: tag 0x30 len 43 contents:
    ber_dump: buf=0x1d0460b0 ptr=0x1d0460b0 end=0x1d0460db len=43
    op tag 0x60, time 1285831240
    ber_get_next
    ldap_read: want=8 error=Resource temporarily unavailable
    conn=1001 op=0 do_bind
    ber_scanf fmt ({imt) ber:
    ber_dump: buf=0x1d0460b0 ptr=0x1d0460b3 end=0x1d0460db len=40
    ber_scanf fmt (m}) ber:
    ber_dump: buf=0x1d0460b0 ptr=0x1d0460d1 end=0x1d0460db len=10
    >>> dnPrettyNormal: <cn=root,dc=example,dc=gr>
    => ldap_bv2dn(cn=root,dc=example,dc=gr,0)
    <= ldap_bv2dn(cn=root,dc=example,dc=gr)=0
    => ldap_dn2bv(272)
    <= ldap_dn2bv(cn=root,dc=example,dc=gr)=0
    => ldap_dn2bv(272)
    <= ldap_dn2bv(cn=root,dc=example,dc=gr)=0
    <<< dnPrettyNormal: <cn=root,dc=example,dc=gr>, <cn=root,dc=example,dc=gr>
    conn=1001 op=0 BIND dn="cn=root,dc=example,dc=gr" method=128
    do_bind: version=3 dn="cn=root,dc=example,dc=gr" method=128
    ==> ndb_back_bind: dn: cn=root,dc=example,dc=gr
    daemon: activity on 1 descriptor
    daemon: activity on:
    daemon: epoll: listen=7 active_threads=0 tvp=NULL
    daemon: epoll: listen=8 active_threads=0 tvp=NULL

thanks,
George
> Hi Pierangelo,
>
> I replied to the ticket's list but I forgot to include your address.
>
> Here is my reply if you care to read it,
>
> Regards,
>
> George
>
> -----Original Message-----
> From: George Tzanetis
> Sent: Thursday, September 30, 2010 10:37 AM
> To: 'openldap-its@openldap.org'
> Subject: (ITS#6661)
>
> [quoted message body and slapd logs identical to the preceding reply]

Should be re-fixed now, sorry. Thanks for the report. p.
Yes, it is fixed.

But in your fix, only the rootpw password works. If we have the rootdn also as a dn stored inside the ldap tree, then openldap does not try to bind to the dn of the tree if the rootpw is incorrect.

If we use the same code segment of bind.cpp written for back-bdb, which is:

    /* allow noauth binds */
    switch ( be_rootdn_bind( op, NULL ) ) {
    case LDAP_SUCCESS:
        /* frontend will send result */
        return rs->sr_err;
    default:
        break;
    }

and the rootpw is not matched, then slapd will continue to search the ldap tree and if it finds a dn and its userPassword matches, then it authenticates. If an appropriate dn / password is not found in the tree, then it throws the invalid credentials error.

Maybe the back-bdb way is more correct?
Should be fine now. The whole thing originated from the fact that be_rootdn_bind() was passed a NULL SlapReply* without handling results accordingly. Thanks, p.
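The bind semantics George describes above (rootpw match first, then fall through to the tree, otherwise invalid credentials), written out as an added Python model with a regression check over the ticket's own cases; this is not OpenLDAP code, and Directory, expected_bind, reported_bind and the sample tree entry are this example's own constructions.

```python
# Added example (not OpenLDAP code): a simplified model of the simple-bind
# decision path this ticket discusses, plus a regression check that encodes
# the outcomes the reporter expects. All names and sample data are constructed.
import hmac
from dataclasses import dataclass, field
from typing import Callable, Optional
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49
LDAP_UNWILLING_TO_PERFORM = 53
@dataclass
class Directory:
    rootdn: str
    rootpw: str
    # constructed sample tree: normalized dn -> userPassword (cleartext here)
    entries: dict = field(default_factory=dict)

def normalize_dn(dn: str) -> str:
    """Crude stand-in for dnPrettyNormal: fold case, drop spaces around RDNs."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def frontend_precheck(pw: str) -> Optional[int]:
    """The frontend refuses DN-with-no-password binds before any backend runs."""
    return LDAP_UNWILLING_TO_PERFORM if pw == "" else None

def reported_bind(d: Directory, dn: str, pw: str) -> int:
    """Behaviour the ticket reports: rootdn plus ANY non-empty password binds."""
    err = frontend_precheck(pw)
    if err is not None:
        return err
    if normalize_dn(dn) == normalize_dn(d.rootdn):
        return LDAP_SUCCESS          # rootpw is never compared here
    return LDAP_INVALID_CREDENTIALS

def expected_bind(d: Directory, dn: str, pw: str) -> int:
    """back-bdb style, as described in the thread: a matching rootpw wins,
    otherwise fall through to the tree; only a matching entry password binds."""
    err = frontend_precheck(pw)
    if err is not None:
        return err
    ndn = normalize_dn(dn)
    if ndn == normalize_dn(d.rootdn) and hmac.compare_digest(pw, d.rootpw):
        return LDAP_SUCCESS
    stored = d.entries.get(ndn)
    if stored is not None and hmac.compare_digest(pw, stored):
        return LDAP_SUCCESS
    return LDAP_INVALID_CREDENTIALS

def bind_regression(bind: Callable[[Directory, str, str], int]) -> list:
    """Run the ticket's bind cases; return (dn, pw, got) for every wrong code."""
    d = Directory("cn=root,dc=example,dc=gr", "secret",
                  {"cn=root,dc=example,dc=gr": "treepw"})   # constructed entry
    cases = [  # (dn, password, expected result code)
        ("cn=root,dc=example,dc=gr", "secret", LDAP_SUCCESS),
        ("cn=root,dc=example,dc=gr", "secret1", LDAP_INVALID_CREDENTIALS),
        ("cn=root,dc=example,dc=gr", " ", LDAP_INVALID_CREDENTIALS),
        ("cn=root,dc=example,dc=gr", "", LDAP_UNWILLING_TO_PERFORM),
        ("cn=root,dc=example,dc=com", "secret", LDAP_INVALID_CREDENTIALS),
        ("cn=root,dc=example,dc=gr", "treepw", LDAP_SUCCESS),
    ]
    return [(dn, pw, bind(d, dn, pw)) for dn, pw, want in cases if bind(d, dn, pw) != want]
```

Running bind_regression against a bind implementation lists exactly the cases where a wrong result code comes back, so the "any password for rootdn" defect shows up as the secret1 and " " cases returning 0 instead of 49.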
changed notes
changed notes changed state Test to Release
changed notes changed state Release to Closed
back-ndb fixed in HEAD fixed in RE24