Issue 8973 - Error with domainScope control when using C# LDAP API
Summary: Error with domainScope control when using C# LDAP API
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: 2.4.47
Hardware: All All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
Reported: 2019-02-06 08:44 UTC by Clément OUDOT
Modified: 2019-06-06 23:22 UTC
Description Clément OUDOT 2019-02-06 08:44:50 UTC
Full_Name: Clement OUDOT
Version: 2.4.47
OS: GNU/Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (81.250.130.213)


Hello,

After upgrading from 2.4.46 to 2.4.47, this C# code does not work anymore:
----
$auth = [System.DirectoryServices.AuthenticationTypes]::FastBind
$de = New-Object System.DirectoryServices.DirectoryEntry($DN,$userReferentiel,
$passwordReferentiel, $auth)
----

The log in OpenLDAP 2.4.47:
----
Feb  5 18:21:03 anteros slapd[30762]: conn=1577 fd=17 ACCEPT from
IP=10.10.2.163:47304 (IP=0.0.0.0:390)
Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=0 BIND
dn="uid=ADPassword,ou=configuration,dc=referentiel,dc=local" method=128
Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=0 BIND
dn="uid=ADPassword,ou=configuration,dc=referentiel,dc=local" mech=SIMPLE ssf=0
Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=0 RESULT tag=97 err=0 text=
Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=1 SRCH
base="dc=referentiel,dc=local" scope=0 deref=0 filter="(objectClass=*)" 
Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=1 SRCH attr=objectClass
Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=1 SEARCH RESULT tag=101 err=0
nentries=1 text=
Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=2 SRCH base="" scope=0
deref=0 filter="(objectClass=*)" 
Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=2 SRCH attr=subschemaSubentry
dsServiceName namingContexts defaultNamingContext schemaNamingContext
configurationNamingContext rootDomainNamingContext supportedControl
supportedLDAPVersion supportedLDAPPolicies supportedSASLMechanisms dnsHostName
ldapServiceName serverName supportedCapabilities
Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=2 SEARCH RESULT tag=101 err=0
nentries=1 text=
Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=3 SEARCH RESULT tag=101 err=2
nentries=0 text=domainScope control value not absent
Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=3 do_search: get_ctrls
failed
----

The behavior change is related to the fix of ITS#8840:
www.openldap.org/its/index.cgi/Software Bugs?id=8840

I did not see how to change the C# code, are we sure that the fix of ITS#8840 is
valid?
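
Added example (not part of the original report and not OpenLDAP code): one way to find, after an upgrade, which clients are having requests rejected over a control, by joining slapd's `err=2` results to the connection's source IP and bind DN. The sample log is constructed from the lines in the report above with the wrapped lines rejoined; the function name `rejected_controls` is this example's own.

```python
import re

# Constructed sample: slapd lines from the report above, wrapped lines rejoined.
SAMPLE_LOG = """\
Feb  5 18:21:03 anteros slapd[30762]: conn=1577 fd=17 ACCEPT from IP=10.10.2.163:47304 (IP=0.0.0.0:390)
Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=0 BIND dn="uid=ADPassword,ou=configuration,dc=referentiel,dc=local" method=128
Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=0 RESULT tag=97 err=0 text=
Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=3 SEARCH RESULT tag=101 err=2 nentries=0 text=domainScope control value not absent
Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=3 do_search: get_ctrls failed
"""

ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([^ ]+):\d+ ")
BIND = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=')
RESULT = re.compile(r"conn=(\d+) op=(\d+) .*RESULT tag=\d+ err=(\d+) .*?text=(.*)$")

def rejected_controls(log_text):
    """Return one record per operation that failed with protocolError (err=2)
    and a diagnostic text naming a control, joined to client IP and bind DN."""
    peers, binds, hits = {}, {}, []
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            peers[m.group(1)] = m.group(2)          # conn id -> source IP
        elif m := BIND.search(line):
            binds[m.group(1)] = m.group(2)          # conn id -> bind DN
        elif m := RESULT.search(line):
            conn, op, err, text = m.groups()
            if err == "2" and "control" in text:
                hits.append({"conn": int(conn), "op": int(op),
                             "client": peers.get(conn, "unknown"),
                             "bind_dn": binds.get(conn, "unknown"),
                             "text": text.strip()})
    return hits
```
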
Comment 1 Howard Chu 2019-02-06 11:44:12 UTC
clement.oudot@worteks.com wrote:
> Full_Name: Clement OUDOT
> Version: 2.4.47
> OS: GNU/Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (81.250.130.213)
> 
> 
> Hello,
> 
> after upgrading from 2.4.46 to 2.4.47, this C# code does not work anymore :

The code in controls.c is correct. The DomainScope control does not take a value,
so the value is required to be NULL.

> ----
> $auth = [System.DirectoryServices.AuthenticationTypes]::FastBind
> $de = New-Object System.DirectoryServices.DirectoryEntry($DN,$userReferentiel,
> $passwordReferentiel, $auth)
> ----
> 
> The log in OpenLDAP 2.4.47 :
> ----
> Feb  5 18:21:03 anteros slapd[30762]: conn=1577 fd=17 ACCEPT from
> IP=10.10.2.163:47304 (IP=0.0.0.0:390)
> Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=0 BIND
> dn="uid=ADPassword,ou=configuration,dc=referentiel,dc=local" method=128
> Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=0 BIND
> dn="uid=ADPassword,ou=configuration,dc=referentiel,dc=local" mech=SIMPLE ssf=0
> Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=0 RESULT tag=97 err=0 text=
> Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=1 SRCH
> base="dc=referentiel,dc=local" scope=0 deref=0 filter="(objectClass=*)" 
> Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=1 SRCH attr=objectClass
> Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=1 SEARCH RESULT tag=101 err=0
> nentries=1 text=
> Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=2 SRCH base="" scope=0
> deref=0 filter="(objectClass=*)" 
> Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=2 SRCH attr=subschemaSubentry
> dsServiceName namingContexts defaultNamingContext schemaNamingContext
> configurationNamingContext rootDomainNamingContext supportedControl
> supportedLDAPVersion supportedLDAPPolicies supportedSASLMechanisms dnsHostName
> ldapServiceName serverName supportedCapabilities
> Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=2 SEARCH RESULT tag=101 err=0
> nentries=1 text=
> Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=3 SEARCH RESULT tag=101 err=2
> nentries=0 text=domainScope control value not absent
> Feb  5 18:21:03 anteros slapd[30762]: conn=1577 op=3 do_search: get_ctrls
> failed
> ----
> 
> The behavior change is related to the fix of ITS#8840 :
> www.openldap.org/its/index.cgi/Software Bugs?id=8840
> 
> I did not see how to change the C# code, are we sure that the fix of ITS#8840 is
> valid?
> 
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 2 Howard Chu 2019-02-06 11:57:29 UTC
hyc@symas.com wrote:
> clement.oudot@worteks.com wrote:
>> Full_Name: Clement OUDOT
>> Version: 2.4.47
>> OS: GNU/Linux
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (81.250.130.213)
>>
>>
>> Hello,
>>
>> after upgrading from 2.4.46 to 2.4.47, this C# code does not work anymore :
> 
> The code in controls.c is correct. The DomainScope control does not take a value,
> so the value is required to be NULL.

Microsoft spec https://msdn.microsoft.com/en-us/library/cc223348.aspx

"When sending this control to the DC, the controlValue field of the Control structure is omitted."

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
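
Added example (not from the thread and not the code in controls.c): what "controlValue is omitted" means on the wire, decoding an RFC 4511 `Control` and applying the rule quoted above. The OID is the published LDAP_SERVER_DOMAIN_SCOPE_OID, which the page itself does not show; the function names, the sample controls, and the choice to treat an empty but present value as "not absent" are assumptions of this example.

```python
DOMAIN_SCOPE_OID = "1.2.840.113556.1.4.1339"   # LDAP_SERVER_DOMAIN_SCOPE_OID
LDAP_SUCCESS, LDAP_PROTOCOL_ERROR = 0, 2       # err=2 in the slapd log

def read_tlv(buf, pos):
    """Read one definite-length BER TLV at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first > 0x80:                           # long form: low 7 bits count length octets
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if first == 0x80 or pos + length > len(buf):
        raise ValueError("indefinite-length or truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def parse_control(ber):
    """Decode an RFC 4511 Control; value is None when controlValue is omitted."""
    tag, body, _ = read_tlv(ber, 0)
    if tag != 0x30:
        raise ValueError("Control is not a SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("controlType is not an OCTET STRING")
    critical, value = False, None
    while pos < len(body):
        tag, field, pos = read_tlv(body, pos)
        if tag == 0x01:                        # criticality BOOLEAN DEFAULT FALSE
            critical = field != b"\x00"
        elif tag == 0x04:                      # controlValue OCTET STRING OPTIONAL
            value = field
        else:
            raise ValueError("unexpected element in Control")
    return oid.decode("ascii"), critical, value

def check_domain_scope(ber):
    """Return (result code, diagnostic text) for one encoded control."""
    oid, _critical, value = parse_control(ber)
    # Assumption: an empty but present controlValue still counts as "not absent".
    if oid == DOMAIN_SCOPE_OID and value is not None:
        return LDAP_PROTOCOL_ERROR, "domainScope control value not absent"
    return LDAP_SUCCESS, ""

def encode_control(oid, value=None):
    """Build a constructed sample Control (short-form lengths only)."""
    def tlv(tag, data):
        return bytes([tag, len(data)]) + data
    body = tlv(0x04, oid.encode("ascii")) + tlv(0x01, b"\xff")
    if value is not None:
        body += tlv(0x04, value)
    return tlv(0x30, body)
```
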

Comment 3 Clément OUDOT 2019-02-06 13:16:38 UTC

On 06/02/2019 at 12:57, hyc@symas.com wrote:
> hyc@symas.com wrote:
>> clement.oudot@worteks.com wrote:
>>> Full_Name: Clement OUDOT
>>> Version: 2.4.47
>>> OS: GNU/Linux
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (81.250.130.213)
>>>
>>>
>>> Hello,
>>>
>>> after upgrading from 2.4.46 to 2.4.47, this C# code does not work anymore :
>> The code in controls.c is correct. The DomainScope control does not take a value,
>> so the value is required to be NULL.
> Microsoft spec https://msdn.microsoft.com/en-us/library/cc223348.aspx
>
> "When sending this control to the DC, the controlValue field of the Control structure is omitted."
>

Thanks a lot for your feedback, I will try to understand why the C#
code is sending a value inside the control.

-- 
Clément Oudot | Identity Solutions Manager

clement.oudot@worteks.com

Worteks | https://www.worteks.com


Comment 4 Clément OUDOT 2019-03-05 09:59:35 UTC
On 06/02/2019 at 14:16, clement.oudot@worteks.com wrote:
> On 06/02/2019 at 12:57, hyc@symas.com wrote:
>> hyc@symas.com wrote:
>>> clement.oudot@worteks.com wrote:
>>>> Full_Name: Clement OUDOT
>>>> Version: 2.4.47
>>>> OS: GNU/Linux
>>>> URL: ftp://ftp.openldap.org/incoming/
>>>> Submission from: (NULL) (81.250.130.213)
>>>>
>>>>
>>>> Hello,
>>>>
>>>> after upgrading from 2.4.46 to 2.4.47, this C# code does not work anymore :
>>> The code in controls.c is correct. The DomainScope control does not take a value,
>>> so the value is required to be NULL.
>> Microsoft spec https://msdn.microsoft.com/en-us/library/cc223348.aspx
>>
>> "When sending this control to the DC, the controlValue field of the Control structure is omitted."
>>
> Thanks a lot for your feedback, I will try to understand why the C#
> code is sending a value inside the control.


For the record, the bug seems to be inside PowerShell and the API
"System.DirectoryServices.DirectorySearcher" which is sending the control.

To solve this, you need to use another API:
"System.DirectoryServices.Protocols"

See
https://docs.microsoft.com/fr-fr/dotnet/api/system.directoryservices.protocols?view=netframework-4.7.2


-- 
Clément Oudot | Identity Solutions Manager

clement.oudot@worteks.com

Worteks | https://www.worteks.com


Comment 5 OpenLDAP project 2019-06-06 23:22:42 UTC
Not an openldap bug
Comment 6 Quanah Gibson-Mount 2019-06-06 23:22:42 UTC
changed notes
changed state Open to Closed