[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Netscape client misparsing the bind response

To: Julio Sánchez Fernández <j_sanchez@stl.es>
Subject: Re: Netscape client misparsing the bind response
From: mcs@netscape.com (Mark C Smith)
Date: Tue, 03 Aug 1999 14:48:11 -0400
Cc: openldap-devel@OpenLDAP.org
Organization: Netscape Communications
References: <37A72994.47620B4B@stl.es>

I don't work on the Netscape Communicator client, but I do work on the
Netscape/Mozilla SDK that it uses).

Question: Does everything work fine if you do not use SSL/TLS?  It does
sound like one end or the other is getting our of synch with the data
stream, although that surprises me.  I suspect the encoding and decoding
code is correct on both ends, which makes me suspect something in the
SSL/TLS layers.

Can you produce a protocol trace (of the SSL session and the LDAP
stream)?

-- 
Mark Smith
iPlanet Directory Architect / Sun-Netscape Alliance
My words are my own, not my employer's.   Got LDAP?


Julio Sánchez Fernández wrote:
> 
> I am testing the TLS thing and, since I cannot bind with the client
> certificate, I am trying user (i.e. email address) and password
> over SSL.
> 
> Well, it fails mysteriously:
> 
> Aug  3 19:07:07 andromeda slapd[8243]: daemon: conn=0 fd=8 connection from IP=74.3.11.123:23336 (IP=0.0.0.0:1636) accepted.
> Aug  3 19:07:07 andromeda slapd[8244]: conn=0 op=0 BIND dn="" method=128
> Aug  3 19:07:07 andromeda slapd[8244]: conn=0 op=0 RESULT err=0 tag=97 text=(null)
> Aug  3 19:07:11 andromeda slapd[8245]: conn=0 op=1 UNBIND
> Aug  3 19:07:11 andromeda slapd[8245]: conn=-1 fd=8 closed.
> 
> Here, Netscape is trying an anonymous (v2, BTW) bind before searching
> email address and such.  The server thinks the bind succeeded, but
> Netscape thinks it is an error.  To be precise, it thinks that the
> error is 0x61 LDAP_REFERRAL_LIMIT_EXCEEDED (i.e. it is reading the tag
> as the error).  However, for that to happen, it would have to
> get out of sync with the stream.  The relevant part of the trace is:
> 
> ber_get_next: tag 0x30 len 12 contents:
> ber_dump: buf 0x81a31b8, ptr 0x81a31b8, end 0x81a31c4
>         02 01 01  ` 07 02 01 02 04 00 80 00
> ber_get_next
> ber_get_next on fd 8 failed errno 11 (Resource temporarily unavailable)
>         *** got 135934060 of 0 so far
> daemon: select: listen=4 active_threads=1 tvp=NULL
> daemon: select: listen=5 active_threads=1 tvp=NULL
> do_bind
> ber_scanf fmt ({iat) ber:
> ber_dump: buf 0x81a31b8, ptr 0x81a31bb, end 0x81a31c4
>          ` 07 02 01 02 04 00 80 00
> ber_scanf fmt (o}) ber:
> ber_dump: buf 0x81a31b8, ptr 0x81a31c2, end 0x81a31c4
>         80 00
> do_bind: version 2 dn () method 128
> send_ldap_result: conn=0 op=0 p=2
> send_ldap_result: 0::
> send_ldap_response: tag=97 msgid=1 err=0
> 
> Any ideas?
> 
> Julio

Follow-Ups:
- Re: Netscape client misparsing the bind response
  - From: Julio Sánchez Fernández <j_sanchez@stl.es>

References:
- Netscape client misparsing the bind response
  - From: Julio Sánchez Fernández <j_sanchez@stl.es>

Prev by Date: Re: Netscape client misparsing the bind response
Next by Date: Re: Netscape client misparsing the bind response
Index(es):
- Chronological
- Thread