Full_Name: Stef Walter
Version: 2.4.35
OS: Fedora 19
URL: ftp://ftp.openldap.org/incoming/stef-walter-130912.patch
Submission from: (NULL) (46.5.2.70)

Connectionless LDAP (ie: cldap enabled with -DLDAP_CONNECTIONLESS) is broken for IPv6 for current versions of openldap. Tested with version 2.4.35.

It's not clear if this ever worked properly.

Connections immediately fail with:

ldap_search_ext: Can't contact LDAP server (-1)

The reason for this is that the LDAP_CONNECTIONLESS buffers include a prefix containing an address in a "struct sockaddr". However, struct sockaddr is not a concrete type. In particular struct sockaddr_in6 is longer than struct sockaddr.

Noted here: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/liblber/sockbuf.c;h=d997e92910954b943e5b3fe7139ff4caaeaf49bf;hb=HEAD#l886

So this leads to failures when using IPv6 as the code assumes that the address length is equal to sizeof (struct sockaddr). Seen here:

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/liblber/sockbuf.c;h=d997e92910954b943e5b3fe7139ff4caaeaf49bf;hb=HEAD#l940

Example command:

$ ldapsearch -d -1 -LL -H 'cldap://[2620:52:0:2223::1:1]' -b '' -s base '(&(DnsDomain=ad.baseos.qe)(NtVer=\06\00\00\00))' NetLogon

Output will contain this:

ldap_write: want=96 error=Invalid argument

Which is the EINVAL resulting from bad value passed to sendto().
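The length assumption the report describes, shown as an added example that is not OpenLDAP's code: sockaddr_len(), dgram_prefix and prefix_roundtrip() are hypothetical names, and the prefix keeps the peer in a struct sockaddr_storage together with its real length, which is what an IPv6 peer needs to survive the copy and to be accepted by sendto() instead of failing with EINVAL.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Address length sendto()/recvfrom() need for a family; 0 if unknown. */
socklen_t sockaddr_len(const struct sockaddr *sa)
{
    switch (sa->sa_family) {
    case AF_INET:  return sizeof(struct sockaddr_in);   /* 16 bytes */
    case AF_INET6: return sizeof(struct sockaddr_in6);  /* 28 bytes */
    default:       return 0;
    }
}

/* Hypothetical datagram prefix: the peer lives in a sockaddr_storage (big
 * enough for any family) plus its real length, not a 16-byte struct sockaddr. */
struct dgram_prefix {
    struct sockaddr_storage peer;
    socklen_t peer_len;
};

/* Store a peer address, rejecting families we cannot size. */
int prefix_set_peer(struct dgram_prefix *p, const struct sockaddr *sa)
{
    socklen_t len = sockaddr_len(sa);
    if (len == 0 || len > sizeof p->peer)
        return -1;
    memset(p, 0, sizeof *p);
    memcpy(&p->peer, sa, len);
    p->peer_len = len;
    return 0;
}

/* Build a loopback peer of the given family, store it, and return the stored
 * length, or 0 if the family was rejected or the address did not survive. */
socklen_t prefix_roundtrip(int family)
{
    struct sockaddr_storage ss;
    struct dgram_prefix p;
    memset(&ss, 0, sizeof ss);
    ss.ss_family = family;
    if (family == AF_INET6)
        ((struct sockaddr_in6 *)&ss)->sin6_addr = in6addr_loopback;
    else if (family == AF_INET)
        ((struct sockaddr_in *)&ss)->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (prefix_set_peer(&p, (const struct sockaddr *)&ss) < 0)
        return 0;
    /* A struct sockaddr (16 bytes) would have cut an IPv6 peer off here. */
    return memcmp(&p.peer, &ss, p.peer_len) == 0 ? p.peer_len : 0;
}
```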
--On Thursday, September 12, 2013 3:56 PM +0000 stefw@redhat.com wrote:

> Full_Name: Stef Walter
> Version: 2.4.35
> OS: Fedora 19
> URL: ftp://ftp.openldap.org/incoming/stef-walter-130912.patch
> Submission from: (NULL) (46.5.2.70)
>
>
> Connectionless LDAP (ie: cldap enabled with -DLDAP_CONNECTIONLESS) is
> broken for IPv6 for current versions of openldap. Tested with version
> 2.4.35

2.4.35 is not the current version of OpenLDAP, 2.4.36 is. There were fixes to CLDAP made in 2.4.36. Please test against 2.4.36 and report back, thanks.

--Quanah

--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
On 12.09.2013 18:00, Quanah Gibson-Mount wrote:
> --On Thursday, September 12, 2013 3:56 PM +0000 stefw@redhat.com wrote:
>
>> Full_Name: Stef Walter
>> Version: 2.4.35
>> OS: Fedora 19
>> URL: ftp://ftp.openldap.org/incoming/stef-walter-130912.patch
>> Submission from: (NULL) (46.5.2.70)
>>
>>
>> Connectionless LDAP (ie: cldap enabled with -DLDAP_CONNECTIONLESS) is
>> broken for IPv6 for current versions of openldap. Tested with version
>> 2.4.35
>
>
> 2.4.35 is not the current version of OpenLDAP, 2.4.36 is. There were
> fixes to CLDAP made in 2.4.36. Please test against 2.4.36 and report
> back, thanks.

This patch is against master.

However master cldap support is broken in additional ways, and I'll be filing further bugs/patches.

Cheers,

Stef
--On Thursday, September 12, 2013 4:04 PM +0000 stefw@redhat.com wrote:

>> 2.4.35 is not the current version of OpenLDAP, 2.4.36 is. There were
>> fixes to CLDAP made in 2.4.36. Please test against 2.4.36 and report
>> back, thanks.
>
> This patch is against master.
>
> However master cldap support is broken in additional ways, and I'll be
> filing further bugs/patches.

Hi Stef,

Thanks! In the future then, if it is an issue with the current 2.4 release series still, you can just put RE24 as the version. ;) Then I won't spend time trying to see if it's a known issue already fixed via the changes log.

--Quanah

--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
quanah@zimbra.com wrote:
> --On Thursday, September 12, 2013 4:04 PM +0000 stefw@redhat.com wrote:
>
>>> 2.4.35 is not the current version of OpenLDAP, 2.4.36 is. There were
>>> fixes to CLDAP made in 2.4.36. Please test against 2.4.36 and report
>>> back, thanks.
>>
>> This patch is against master.
>>
>> However master cldap support is broken in additional ways, and I'll be
>> filing further bugs/patches.
>
> Hi Stef,
>
> Thanks! In the future then, if it is an issue with the current 2.4 release
> series still, you can just put RE24 as the version. ;) Then I won't spend
> time trying to see if it's a known issue already fixed via the changes log.

The CLDAP code is a remnant from pre-LDAPv3, there was no such thing as IPv6 when it was written, so no, this has never worked with IPv6.

Who still uses CLDAP today? This code has no valid reason to exist any more.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
stefw@redhat.com wrote:
> Full_Name: Stef Walter
> Version: 2.4.35
> OS: Fedora 19
> URL: ftp://ftp.openldap.org/incoming/stef-walter-130912.patch
> Submission from: (NULL) (46.5.2.70)
>
>
> Connectionless LDAP (ie: cldap enabled with -DLDAP_CONNECTIONLESS) is broken for
> IPv6 for current versions of openldap. Tested with version 2.4.35
>
> It's not clear if this ever worked properly.

No, clearly not, the code was written and deprecated before IPv6 existed. Nobody should be using this code today.

Even if it were to be used, the patch would break slapd; your getnameinfo patch changes the format of the peername string. The format of this string is not arbitrary, it's used in ACLs and the format is documented in slapd.access(5).

In the future, write patches that fix one single issue. Don't make gratuitous changes, particularly if you haven't researched what you're changing.

> Connections immediately fail with:
>
> ldap_search_ext: Can't contact LDAP server (-1)
>
> The reason for this is that the LDAP_CONNECTIONLESS buffers include a prefix
> containing an address in a "struct sockaddr". However, struct sockaddr is not a
> concrete type. In particular struct sockaddr_in6 is longer than struct
> sockaddr.
>
> Noted here: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/liblber/sockbuf.c;h=d997e92910954b943e5b3fe7139ff4caaeaf49bf;hb=HEAD#l886
>
> So this leads to failures when using IPv6 as the code assumes that the address
> length is equal to sizeof (struct sockaddr). Seen here:
>
> http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/liblber/sockbuf.c;h=d997e92910954b943e5b3fe7139ff4caaeaf49bf;hb=HEAD#l940
>
> Example command:
>
> $ ldapsearch -d -1 -LL -H 'cldap://[2620:52:0:2223::1:1]' -b '' -s base
> '(&(DnsDomain=ad.baseos.qe)(NtVer=\06\00\00\00))' NetLogon
>
> Output will contain this:
>
> ldap_write: want=96 error=Invalid argument
>
> Which is the EINVAL resulting from bad value passed to sendto().
>
>

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
On 10.10.2013 12:59, Howard Chu wrote:
> stefw@redhat.com wrote:
>> Full_Name: Stef Walter
>> Version: 2.4.35
>> OS: Fedora 19
>> Submission from: (NULL) (46.5.2.70)
>>
>>
>> Connectionless LDAP (ie: cldap enabled with -DLDAP_CONNECTIONLESS) is
>> broken for
>> IPv6 for current versions of openldap. Tested with version 2.4.35
>>
>> It's not clear if this ever worked properly.
>
> No, clearly not, the code was written and deprecated before IPv6
> existed. Nobody should be using this code today.

Interesting. FWIW, the code is packaged by RHEL and Fedora, and is in use by several projects.

> Even if it were to be used, the patch would break slapd; your
> getnameinfo patch changes the format of the peername string. The format
> of this string is not arbitrary, it's used in ACLs and the format is
> documented in slapd.access(5).
>
> In the future, write patches that fix one single issue. Don't make
> gratuitous changes, particularly if you haven't researched what you're
> changing.

Sorry about that. Here's a new patch without the slapd change:

ftp://ftp.openldap.org/incoming/stef-walter-131010.patch

Cheers,

Stef
Stef Walter wrote:
> On 10.10.2013 12:59, Howard Chu wrote:
>> stefw@redhat.com wrote:
>>> Full_Name: Stef Walter
>>> Version: 2.4.35
>>> OS: Fedora 19
>>> Submission from: (NULL) (46.5.2.70)
>>>
>>>
>>> Connectionless LDAP (ie: cldap enabled with -DLDAP_CONNECTIONLESS) is
>>> broken for
>>> IPv6 for current versions of openldap. Tested with version 2.4.35
>>>
>>> It's not clear if this ever worked properly.
>>
>> No, clearly not, the code was written and deprecated before IPv6
>> existed. Nobody should be using this code today.
>
> Interesting. FWIW, the code is packaged by RHEL and Fedora, and is in
> use by several projects.

Can you list any of these, offhand? The original spec, RFC1798, is long obsoleted. There is no such thing as CLDAP in LDAPv3. Support in OpenLDAP was first removed back in 2000. (commit 25a9f7427ddc1b584a721ceb0e12690a96d3639e )

Any apps using this must be quite ancient code and in serious need of a rewrite.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
On 10.10.2013 13:59, Howard Chu wrote:
> Stef Walter wrote:
>> On 10.10.2013 12:59, Howard Chu wrote:
>>> stefw@redhat.com wrote:
>>>> Full_Name: Stef Walter
>>>> Version: 2.4.35
>>>> OS: Fedora 19
>>>> Submission from: (NULL) (46.5.2.70)
>>>>
>>>>
>>>> Connectionless LDAP (ie: cldap enabled with -DLDAP_CONNECTIONLESS) is
>>>> broken for
>>>> IPv6 for current versions of openldap. Tested with version 2.4.35
>>>>
>>>> It's not clear if this ever worked properly.
>>>
>>> No, clearly not, the code was written and deprecated before IPv6
>>> existed. Nobody should be using this code today.
>>
>> Interesting. FWIW, the code is packaged by RHEL and Fedora, and is in
>> use by several projects.
>
> Can you list any of these, offhand? The original spec, RFC1798, is long
> obsoleted. There is no such thing as CLDAP in LDAPv3. Support in
> OpenLDAP was first removed back in 2000. (commit
> 25a9f7427ddc1b584a721ceb0e12690a96d3639e )
> Any apps using this must be quite ancient code and in serious need of a
> rewrite.

Well, there's still lots of libldap client code around to support LDAP over UDP. Guarded with LDAP_CONNECTIONLESS #defines, and one can use "cldap://xxxx" urls with ldap_initialize() and do basic cldap searches and so on.

Windows Server is accessed via CLDAP during discovery. Although there is normative documentation for this, it's easier to understand via these descriptions:

http://wiki.wireshark.org/MS-CLDAP
https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryDNSSites#SendingtheCLDAPping

So things like samba, IPA, realmd, adcli, and so on ... use and support cldap for talking with AD. I know Samba has reimplemented cldap but the others use libldap for this.

Cheers,

Stef
changed notes
changed notes
changed state Test to Closed
fixed in master
fixed in RE24
fixed in RE25