Problem description
-------------------

I'm using slapd-ldap to proxy for a remote LDAP server. The LDAP backend is configured to:

- allow user binds that are passed directly to the remote LDAP server
- allow local user binds that are mapped to a remote bind using idassert-bind

The problem happens when the remote LDAP server abruptly disconnects the (idle) LDAP connection. For example, the next search operation will fail with the error:

    Server is unavailable (52)
    Additional information: misconfigured URI?

The operation will succeed when repeating it a second time.

Reproducing the problem
-----------------------

I created a test case that reproduces the problem:
- https://git.openldap.org/tsaarni/openldap/-/compare/master...ldap-back-retry-fail

Preliminary troubleshooting
---------------------------

While troubleshooting this I observed the following:

(A) The problem is related to the retry after the remote server abruptly dropped the LDAP connection. The call chain ldap_back_retry() -> ldap_back_dobind_int() -> ldap_back_is_proxy_authz() ends up in this branch:

    if ( !( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE )) {
        if ( op->o_tag == LDAP_REQ_BIND ) {
            if ( !BER_BVISEMPTY( &ndn )) {
                dobind = 0;
                goto done;
            }

where "dobind = 0" causes the "binddn" and "bindcred" return variables NOT to be filled.

Then in ldap_back_dobind_int() we fall into this branch:

    if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) {
        if ( BER_BVISEMPTY( &binddn ) && BER_BVISEMPTY( &bindcred ) ) {
            /* if we got here, it shouldn't return result */
            rc = ldap_back_is_proxy_authz( op, rs,
                LDAP_BACK_DONTSEND, &binddn, &bindcred );
            if ( rc != 1 ) {
                Debug( LDAP_DEBUG_ANY, "Error: ldap_back_is_proxy_authz "
                    "returned %d, misconfigured URI?\n", rc );
                rs->sr_err = LDAP_OTHER;
                rs->sr_text = "misconfigured URI?";
                LDAP_BACK_CONN_ISBOUND_CLEAR( lc );
                if ( sendok & LDAP_BACK_SENDERR ) {
                    send_ldap_result( op, rs );
                }
                goto done;
            }
        }

(B) The problem does NOT occur when configuring separate instances of back-ldap:

- one backend for users: BIND is done with the user's own credentials, no idassert
- a second backend for the local admin: the local admin BIND is overwritten with idassert-bind

Possibly the same problem has been discussed earlier as well, for example:
- https://www.openldap.org/lists/openldap-technical/201307/msg00070.html
- https://www.openldap.com/lists/openldap-bugs/201511/msg00041.html
- https://www.openldap.org/lists/openldap-bugs/201905/msg00001.html
(In reply to tero.saarni from comment #0)
> Problem description
> -------------------

Thanks for the detailed report, fixed now in git master. Will probably move your test into the regression tests, not the main set.

> I'm using slapd-ldap to proxy for a remote LDAP server. LDAP backend is
> configured to:
>
> - allow user binds that are passed directly to the remote LDAP server
> - allow local user binds that are mapped to remote bind using idassert-bind
>
> The problem happens when remote LDAP server abruptly disconnects the
> (idle) LDAP connection. For example, next search operation will fail with
> error:
>
> Server is unavailable (52)
> Additional information: misconfigured URI?
>
> The operation will succeed when repeating it for second time.
>
> Reproducing the problem
> -----------------------
>
> I created a test case that reproduces the problem
> - https://git.openldap.org/tsaarni/openldap/-/compare/master...ldap-back-retry-fail
>
> Possibly the same problem has been discussed earlier as well, for example
> - https://www.openldap.org/lists/openldap-technical/201307/msg00070.html
> - https://www.openldap.com/lists/openldap-bugs/201511/msg00041.html
> - https://www.openldap.org/lists/openldap-bugs/201905/msg00001.html
Thank you for the quick fix!

It fixed the problem I was seeing, but unfortunately I see that test029-ldapglue started failing. Looking at the Wireshark capture, it seems like there might now be an extra bind <ROOT> towards the *second* slapd-back:

    bindRequest(1) "uid=bjorn,ou=People,dc=example,dc=com" simple
    bindResponse(1) success
    bindRequest(1) "<ROOT>" simple
    bindResponse(1) success
    searchRequest(2) "ou=People,dc=example,dc=com" wholeSubtree
    searchResDone(2) success [0 results]

Comparing to before the fix, the following packet capture was produced:

    bindRequest(1) "uid=bjorn,ou=People,dc=example,dc=com" simple
    bindResponse(1) success
    searchRequest(2) "ou=People,dc=example,dc=com" wholeSubtree
    searchResEntry(2) "ou=People,dc=example,dc=com"
    searchResEntry(2) "uid=bjorn,ou=People,dc=example,dc=com"
    searchResEntry(2) "uid=bjensen,ou=People,dc=example,dc=com"
    searchResEntry(2) "uid=proxy,ou=People,dc=example,dc=com"

In case you would like to use the test case I created, I will write the copyright notice here according to the contributor guidelines:

Ericsson Software Technology AB hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.

I created another version, which is moved to the regression test suite directory:
https://git.openldap.org/tsaarni/openldap/-/commit/7b908d1eb93e8fc09248ae3239c34414b8258cac
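As an added example (not part of this thread or of OpenLDAP), here is a small Python check that reads a Wireshark-style LDAP summary such as the two quoted above and flags a successful bind that replaces the identity already bound on the backend connection, which is exactly what the extra <ROOT> bind does and why the search then returns 0 entries. The regular expression, the function names and the two captures embedded as sample input are my own assumptions.

```python
import re

# Constructed sample input: the two Wireshark summaries quoted in comment #2,
# one LDAP PDU per line as Wireshark's Info column shows them.
AFTER_FIRST_FIX = """\
bindRequest(1) "uid=bjorn,ou=People,dc=example,dc=com" simple
bindResponse(1) success
bindRequest(1) "<ROOT>" simple
bindResponse(1) success
searchRequest(2) "ou=People,dc=example,dc=com" wholeSubtree
searchResDone(2) success [0 results]
"""
BEFORE_FIX = """\
bindRequest(1) "uid=bjorn,ou=People,dc=example,dc=com" simple
bindResponse(1) success
searchRequest(2) "ou=People,dc=example,dc=com" wholeSubtree
searchResEntry(2) "ou=People,dc=example,dc=com"
searchResEntry(2) "uid=bjorn,ou=People,dc=example,dc=com"
searchResEntry(2) "uid=bjensen,ou=People,dc=example,dc=com"
searchResEntry(2) "uid=proxy,ou=People,dc=example,dc=com"
"""

# Assumed line shape: <op>(<msgid>) ["<dn>"] <rest>
PDU_RE = re.compile(r'^(\w+)\((\d+)\)(?:\s+"([^"]*)")?\s*(.*)$')

def parse_pdus(summary):
    """Turn the summary text into a list of (op, msgid, dn, rest) tuples."""
    pdus = []
    for line in summary.splitlines():
        m = PDU_RE.match(line.strip())
        if m:
            pdus.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return pdus

def find_identity_switches(pdus):
    """Return (old_dn, new_dn) for every successful bind that replaces an
    identity already bound on the connection: from then on the backend
    authorizes later operations (here the search) as new_dn, not as the user."""
    bound = None      # DN currently bound on the backend connection
    pending = {}      # msgid -> DN of an outstanding bindRequest
    switches = []
    for op, msgid, dn, rest in pdus:
        if op == "bindRequest":
            pending[msgid] = dn
        elif op == "bindResponse" and rest.startswith("success"):
            new = pending.pop(msgid, None)
            if bound is not None and new != bound:
                switches.append((bound, new))
            bound = new
        elif op == "unbindRequest":
            bound = None
    return switches

def count_search_entries(pdus):
    """Number of searchResEntry PDUs, to compare what each capture returned."""
    return sum(1 for op, *_ in pdus if op == "searchResEntry")
```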
(In reply to tero.saarni from comment #2)
> Thank you for the quick fix!
>
> It fixed the problem I was seeing, but I see unfortunately test029-ldapglue
> started failing. Looking at Wireshark capture, it seems like there might now
> be an extra bind <ROOT> towards the *second* slapd-back:

Yes, thanks. This is also now fixed.

> In case you would like to use the test case I created, I will write the
> copyright notice here according to the contributor guidelines:
>
> Ericsson Software Technology AB hereby place the following modifications to
> OpenLDAP Software (and only these modifications) into the public domain.
> Hence, these modifications may be freely used and/or redistributed for any
> purpose with or without attribution and/or other notice.
>
> I created another version, which is moved to the regression test suite
> directory
> https://git.openldap.org/tsaarni/openldap/-/commit/7b908d1eb93e8fc09248ae3239c34414b8258cac

Great, thank you.
Works now for me as well, thank you!
trunk:

Commits:
• 1ea12260 by Howard Chu at 2020-11-23T05:14:30+00:00
  ITS#9400 back-ldap: fix retry binds
• 12523b0f by Howard Chu at 2020-11-24T16:08:29+00:00
  ITS#9400 back-ldap: fix prev commit
• a3abd127 by Tero Saarni at 2020-11-24T18:47:07+00:00
  ITS#9400 Added test case for back-ldap retry failure

RE24:
• 0dd812ec by Howard Chu at 2020-12-02T21:28:07+00:00
  ITS#9400 back-ldap: fix retry binds
• d8e50d13 by Howard Chu at 2020-12-02T21:28:17+00:00
  ITS#9400 back-ldap: fix prev commit
Trunk:

Commits:
• fd3b8dde by Quanah Gibson-Mount at 2020-12-02T23:16:36+00:00
  ITS#9400 - Fix prev commit for modular builds
*** Issue 7832 has been marked as a duplicate of this issue. ***
*** Issue 8044 has been marked as a duplicate of this issue. ***