[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8970) bind fails when length value is multi-byte

Full_Name: Leo Tohill
Version: 2.4.30
OS: Windows 10
URL: https://docs.google.com/document/d/10uKg9Nh3HLiuOzTbLfi6Z7bCfUb8x_Ai6WK5LqNzbwA/edit?usp=sharing
Submission from: (NULL) (

Summary: openldap 2.4.30 does not accommodate multi-byte length value on bind

First, I'll admit that I'm out of my depth here, I'm running a older version,
I'm on Windows, and my package was built by I don't know.  But I worked hard
enough to track this down that I want you to know what I found.  I might
upgrade, but that's problematic.  

At some point my bindings from .net began failing with "the username or password
is incorrect" But they were correct.  I could confirm with various other tools. 
I captured the wire traffic to isolate the problem. It turns out that Windows
forms the binding request using  a multi-byte length indicator in the request. 
OpenLdap apparently does not accommodate this.  I compared to a request
generated by  ldapsearch.exe.  That request, which succeeds,  varies only by
using a single-byte length indicator. 

The multi-byte length value should be allowed, right?  Isn't it possible to have
a bind request data packet of length > 127?  Which would require a multi-byte
length value.  Perhaps this was fixed in a later version. 

Screenshots of the wire capture here: 


Thanks for any comments.