
ldapsearch hangs on referrals when using Active Directory and SSL (ITS#3304)



Full_Name: Paul Boven
Version: 2.2.15
OS: Solaris 9
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (145.100.25.81)


L.S.,

When using ldapsearch to query an Active Directory (2003), the OpenLDAP
ldapsearch application hangs after displaying the data in question. However,
this -only- happens when using an SSL connection. The problem seems to be with
the referrals returned by the AD server, and this problem is very similar to
ITS#3051 except that without SSL, everything works fine. The hang occurs at the
same place as in ITS#3051 (see below).

Further information: The server in question is using the Active Directory as
its DNS server in order to verify the certificates.

/usr/local/etc/openldap/ldap.conf:
URI     ldaps://ads1.edu.local ldaps://ads2.edu.local
BASE    dc=edu,dc=local
TLS_CACERTDIR   /usr/local/openssl/certs
SASL_SECPROPS   maxssf=0 #For Kerberos to work

The problem occurs with both 'simple authentication' and with Kerberos.
OpenSSL version is 0.9.7d

Debug output:

(searching on a non-existing user to keep the debug-size in check a bit, the
problem occurs with objects that do exist as well).

bash-2.05$ /usr/local/bin/ldapsearch -d 1 -H ldaps://ads2.edu.local
"(samaccountname=zttest)"
ldap_create
ldap_url_parse_ext(ldaps://ads2.edu.local)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ads2.edu.local:636
ldap_new_socket: 5
ldap_prepare_socket: 5
ldap_connect_to_host: Trying 10.1.2.3:636
ldap_connect_timeout: fd: 5 tm: -1 async: 0
ldap_ndelay_on: 5
ldap_is_sock_ready: 5
ldap_ndelay_off: 5
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject:
/DC=local/DC=edu/CN=ads2, issuer: /DC=local/DC=edu/CN=ads2
TLS certificate verification: depth: 0, err: 0, subject: /CN=ads2.edu.local,
issuer: /DC=local/DC=edu/CN=ads2
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 64 bytes to sd 5
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: ads2.edu.local  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Aug 26 14:51:56 2004

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 96 contents:
ldap_read: message type search-entry msgid 1, original id 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
ldap_read: message type search-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
adding response id 1 type 101:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt ([v]) ber:
ldap_msgfree
ldap_sasl_interactive_bind_s: server supports: GSSAPI GSS-SPNEGO EXTERNAL
DIGEST-MD5
ldap_int_sasl_bind: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
ldap_int_sasl_open: host=ads2
SASL/GSSAPI authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 1173 bytes to sd 5
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 2
wait4msg continue, msgid 2, all 1
** Connections:
* host: ads2.edu.local  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Aug 26 14:51:57 2004
** Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 2, all 1
ber_get_next
ber_get_next: tag 0x30 len 132 contents:
ldap_read: message type bind msgid 2, original id 2
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 2
request 2 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
sasl_client_step: 1
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 22 bytes to sd 5
ldap_result msgid 3
ldap_chkResponseList for msgid=3, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 3
wait4msg continue, msgid 3, all 1
** Connections:
* host: ads2.edu.local  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Aug 26 14:51:57 2004

** Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=3, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 3, all 1
ber_get_next
ber_get_next: tag 0x30 len 71 contents:
ldap_read: message type bind msgid 3, original id 3
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 3
request 3 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
sasl_client_step: 0
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 77 bytes to sd 5
ldap_result msgid 4
ldap_chkResponseList for msgid=4, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 4
wait4msg continue, msgid 4, all 1
** Connections:
* host: ads2.edu.local  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Aug 26 14:51:57 2004

** Outstanding Requests:
 * msgid 4,  origid 4, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=4, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 4, all 1
ber_get_next
ber_get_next: tag 0x30 len 18 contents:
ldap_read: message type bind msgid 4, original id 4
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 4
request 4 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 4, msgid 4)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
SASL username: Administrator@EDU.LOCAL
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (samaccountname=zttest)
# requesting: ALL
#

ldap_search_ext
put_filter: "(samaccountname=zttest)"
put_filter: simple
put_simple_filter: "samaccountname=zttest"
ldap_send_initial_request
ldap_send_server_request
ber_flush: 67 bytes to sd 5
ldap_result msgid -1
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid -1
wait4msg continue, msgid -1, all 0
** Connections:
* host: ads2.edu.local  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Aug 26 14:51:57 2004

** Outstanding Requests:
 * msgid 5,  origid 5, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid -1, all 0
ber_get_next
ber_get_next: tag 0x30 len 77 contents:
ldap_read: message type search-reference msgid 5, original id 5
# search reference
ber_scanf fmt ({v) ber:
ber_scanf fmt (}) ber:
ref: ldaps://ForestDnsZones.edu.local/DC=ForestDnsZones,DC=edu,DC=local
ldap_msgfree
ldap_result msgid -1
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid -1
wait4msg continue, msgid -1, all 0
** Connections:
* host: ads2.edu.local  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Aug 26 14:51:57 2004

** Outstanding Requests:
 * msgid 5,  origid 5, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
read1msg: msgid -1, all 0
ber_get_next
ber_get_next: tag 0x30 len 77 contents:
ldap_read: message type search-reference msgid 5, original id 5

# search reference
ber_scanf fmt ({v) ber:
ber_scanf fmt (}) ber:
ref: ldaps://DomainDnsZones.edu.local/DC=DomainDnsZones,DC=edu,DC=local
ldap_msgfree
ldap_result msgid -1
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid -1
wait4msg continue, msgid -1, all 0
** Connections:
* host: ads2.edu.local  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Aug 26 14:51:57 2004

** Outstanding Requests:
 * msgid 5,  origid 5, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
read1msg: msgid -1, all 0
ber_get_next
ber_get_next: tag 0x30 len 61 contents:
ldap_read: message type search-reference msgid 5, original id 5

# search reference
ber_scanf fmt ({v) ber:
ber_scanf fmt (}) ber:
ref: ldaps://edu.local/CN=Configuration,DC=edu,DC=local
ldap_msgfree
ldap_result msgid -1
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid -1
wait4msg continue, msgid -1, all 0
** Connections:
* host: ads2.edu.local  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Aug 26 14:51:57 2004

** Outstanding Requests:
 * msgid 5,  origid 5, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
read1msg: msgid -1, all 0
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
ldap_read: message type search-result msgid 5, original id 5
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 5
request 5 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 5, msgid 5)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_int_select
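As an added diagnostic helper (not part of this report or of OpenLDAP), the following Python script summarises a libldap `-d 1` trace of the shape shown above: which search-reference URIs the server returned, which referral hosts the client would therefore try to contact, and whether the trace ends in a select() wait after the search request itself has already been marked done. The excerpt it runs on is constructed from lines in the report; the "hang" classification is a heuristic over the trace, not a libldap API.

```python
import re

# Constructed excerpt of an `ldapsearch -d 1` trace, reduced to the lines the
# analysis needs (search references, "ref:" URIs, request completion, and the
# final select() wait that never returns in the report above).
SAMPLE_TRACE = """\
ldap_read: message type search-reference msgid 5, original id 5
ref: ldaps://ForestDnsZones.edu.local/DC=ForestDnsZones,DC=edu,DC=local
ldap_read: message type search-reference msgid 5, original id 5
ref: ldaps://DomainDnsZones.edu.local/DC=DomainDnsZones,DC=edu,DC=local
ldap_read: message type search-reference msgid 5, original id 5
ref: ldaps://edu.local/CN=Configuration,DC=edu,DC=local
ldap_read: message type search-result msgid 5, original id 5
request 5 done
ldap_free_connection: refcnt 1
ldap_int_select
"""

REF_RE = re.compile(r"^ref:\s+(\S+)")
DONE_RE = re.compile(r"^request (\d+) done")
READ_RE = re.compile(r"^ldap_read: message type (\S+) msgid (\d+)")


def analyse_trace(text):
    """Return referral URIs, referral hosts, completed request ids, and a
    heuristic flag: True when the last trace line is a select() wait while
    no request is outstanding, i.e. the client blocked after the search
    completed (the symptom in the report, seen while chasing referrals)."""
    refs, done, open_reqs = [], [], set()
    last = ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = READ_RE.match(line)
        if m:
            open_reqs.add(int(m.group(2)))
        m = REF_RE.match(line)
        if m:
            refs.append(m.group(1))
        m = DONE_RE.match(line)
        if m:
            done.append(int(m.group(1)))
            open_reqs.discard(int(m.group(1)))
        last = line
    hosts = sorted({u.split("/")[2] for u in refs})  # host part of ldaps://host/...
    stuck = last == "ldap_int_select" and not open_reqs
    return {"referrals": refs, "hosts": hosts,
            "completed": done, "hang_after_completion": stuck}
```

The host list is the first thing to check in a case like this: each referral host must resolve and present a certificate the client can verify, otherwise the referral chase itself can stall.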