
Solaris and "weird LDAP queries"

Having completed an investigation to determine why some of our servers were
inexplicably making strange LDAP queries (despite not running any LDAP
software, to our knowledge), I thought I'd share the findings - in case
someone else comes across this behaviour in future and wonders what the heck
is going on.

Our core computing environment is almost entirely Sun SPARC running Solaris
(2.5.1, 2.6 and 7).  I have an OpenLDAP server (2.0-devel, from CVS) running
on one of the Sol7 boxes, with the DNS CNAME of "ldap" (duh, of course).
There are only a few machines on which LDAP software has been installed (for
varying projects).

Out of nowhere, however, some *other* machines (on which we did not believe
any LDAP software was installed) started making strange LDAP queries -
sometimes one-off, others were quite periodic (appeared to be cron-driven).

The queries were of the variety:

- LDAPv2 anonymous (null) bind;
- with a null base DN, one-level search filter "(objectclass=*)" for
  attributes "objectreferencestring", "objectclass" and "presentationaddress"
  (this fails with the error, no such object);
- with a null base DN, base search filter "(objectclass=*)" for
  attribute "nnsreferencestring" (this doesn't cause any error, but of course
  there is no such attribute so none is returned);  and,
- unbind.

Being the part-time paranoid type, I wanted to know what broken software was
making such queries (they appeared to be root DSE-like, but using LDAPv2?!),
especially since those machines weren't supposed to be running any LDAP
software.

As it happens, Solaris includes The Open Group's XFN federated name service:

  http://www.opengroup.org/pubs/catalog/c403.htm
  http://docs.sun.com/ab2/coll.47.8/NETNAME/@Ab2PageView/26702

One of the two global naming systems supported is X.500 (via LDAP) - this
doesn't appear to support LDAPv3 (in fact, on Sol7 boxes it's not even using
the new LDAPv3 libraries, but some separate LDAP library).  Okay, that
explains the strange nature of the queries.

Now - how did it manage to find our LDAP server?  Well, remember the
bleedingly obvious CNAME I assigned to the LDAP server?  "/etc/fn/x500.conf"
(Solaris 2.6 and 7 only - not in Solaris 2.5.1) specifies a list of LDAP
servers to search - including (you guessed it), "ldap":

  http://docs.sun.com/ab2/coll.47.8/NETNAME/@Ab2PageView/36760#AF7GLOB-35990

But what triggered the request in the first place?  On a Solaris 2.6 or 7 box,
change to the "/xfn/_x500" directory and run "ls" - congrats, you've just
triggered the query (ie., any find/locate that traverses into this directory 
could trigger the query).  Of course, there's no feedback to tell you what's
happened under the covers, but there ya go...

Nice to know it's all benign after all that.  Hope this is of interest/use to
someone in future.

Cheers..

dave
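A defender who sees the traffic described above usually wants to answer two questions from the LDAP server's own logs: which connections match the XFN/x500 signature (anonymous bind, null base DN, searches for "objectreferencestring"/"presentationaddress" or "nnsreferencestring", unbind), and which client hosts are sending them, so the /xfn/_x500 traversal can be hunted down on the right machines. The script below is an added example, not code from the post or from OpenLDAP; the log lines are constructed and only loosely modelled on slapd "stats" logging (the "conn=/op=" format, BIND/SRCH/UNBIND keywords and IP addresses are assumptions), while the attribute names come from the post.

```python
import re

# Constructed sample, loosely modelled on slapd stats logging (assumption).
# Connection 7 reproduces the XFN/x500 pattern from the post; connection 8 is
# an ordinary authenticated search that must not be flagged.
SAMPLE_LOG = """\
conn=7 fd=12 ACCEPT from IP=10.0.0.21:40112 (IP=0.0.0.0:389)
conn=7 op=0 BIND dn="" method=128
conn=7 op=0 RESULT tag=97 err=0 text=
conn=7 op=1 SRCH base="" scope=1 filter="(objectClass=*)"
conn=7 op=1 SRCH attr=objectreferencestring objectclass presentationaddress
conn=7 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
conn=7 op=2 SRCH base="" scope=0 filter="(objectClass=*)"
conn=7 op=2 SRCH attr=nnsreferencestring
conn=7 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=7 op=3 UNBIND
conn=8 fd=13 ACCEPT from IP=10.0.0.5:51000 (IP=0.0.0.0:389)
conn=8 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
conn=8 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=dave)"
conn=8 op=1 SRCH attr=mail
conn=8 op=2 UNBIND
"""

ACCEPT_RE = re.compile(r'^conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
OP_RE = re.compile(r'^conn=(\d+) op=(\d+) (BIND|SRCH|UNBIND)\b(.*)$')
BASE_RE = re.compile(r'base="([^"]*)" scope=(\d) filter="([^"]*)"')
DN_RE = re.compile(r'dn="([^"]*)"')
ATTR_RE = re.compile(r'attr=(.*)$')

# Attribute names the XFN x500 client asks for, as seen in the post.
XFN_ATTRS = {"objectreferencestring", "presentationaddress", "nnsreferencestring"}


def parse_log(text):
    """Group stats lines by connection: {conn_id: {"ip": str|None, "ops": {op_num: op}}}."""
    conns = {}
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            conns.setdefault(m.group(1), {"ip": None, "ops": {}})["ip"] = m.group(2)
            continue
        m = OP_RE.match(line)
        if not m:
            continue  # RESULT lines and anything else are not needed here
        conn_id, op_num, op_type, rest = m.groups()
        ops = conns.setdefault(conn_id, {"ip": None, "ops": {}})["ops"]
        op = ops.setdefault(op_num, {"type": op_type, "dn": None,
                                     "base": None, "scope": None, "attrs": []})
        if op_type == "BIND":
            dm = DN_RE.search(rest)
            op["dn"] = dm.group(1) if dm else ""
        elif op_type == "SRCH":
            bm = BASE_RE.search(rest)
            if bm:  # first SRCH line carries base/scope/filter
                op["base"], op["scope"] = bm.group(1), int(bm.group(2))
            am = ATTR_RE.search(rest)
            if am:  # second SRCH line carries the requested attributes
                op["attrs"] = am.group(1).lower().split()
    return conns


def is_xfn_probe(record):
    """Anonymous bind plus a null-base search for one of the XFN attributes."""
    ops = list(record["ops"].values())
    anon_bind = any(o["type"] == "BIND" and o["dn"] == "" for o in ops)
    xfn_search = any(o["type"] == "SRCH" and o["base"] == ""
                     and XFN_ATTRS & set(o["attrs"]) for o in ops)
    return anon_bind and xfn_search


def classify(text):
    """Return {conn_id: (source_ip, "xfn-x500-probe" or "other")}."""
    return {cid: (rec["ip"], "xfn-x500-probe" if is_xfn_probe(rec) else "other")
            for cid, rec in parse_log(text).items()}


def probe_sources(text):
    """Distinct client IPs behind XFN-looking connections: the hosts to check."""
    return sorted({ip for ip, verdict in classify(text).values()
                   if verdict == "xfn-x500-probe" and ip})


if __name__ == "__main__":
    for cid, (ip, verdict) in classify(SAMPLE_LOG).items():
        print(f"conn={cid} from {ip}: {verdict}")
    print("hosts to check for /xfn/_x500 traversal:", probe_sources(SAMPLE_LOG))
```

The classifier keys on the combination rather than on any single field: anonymous binds and null-base searches are both common and harmless on their own (root DSE lookups use them), but a null-base search that names the XFN attributes is specific to the Solaris x500 client the post identifies. Once a host is on the `probe_sources` list, the entries in its /etc/fn/x500.conf explain why it picked your server.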