
Re: openldap 2.4.28 and "allow bind_v2"



> On 2/1/12 10:55 AM, masarati@aero.polimi.it wrote:
>>> I have built and upgraded one of my openldap servers from 2.4.26 to 2.4.28
>>> (on RHEL release 5.7 x86_64) and with the identical configuration to my
>>> other servers, I am seeing the following messages in the slapd.log file:
>>>
>>> slapd[4434]: conn=115331 fd=263 ACCEPT from IP=X.X.X.X:51856 (IP=0.0.0.0:389)
>>> slapd[4434]: conn=115331 op=0 do_extended: protocol version (2) too low
>>> slapd[4434]: conn=115331 op=0 DISCONNECT tag=120 err=2 text=requires LDAPv3
>>> slapd[4434]: conn=115331 fd=263 closed (operations error)
>>>
>>> I'm not seeing anything leaping out at me from the change log for
>>> 2.4.27/2.4.28 that indicates what I have gotten wrong that worked until now.
>>>
>>> As I said, I am running the same slapd.conf file on my 2.4.26 installations
>>> and not seeing these failures there at all (and since I use an F5 load
>>> balancer, these connections are sprayed all across my pool of servers).
>>>
>>> Where should I start looking?
>> "do_extended" means an extended operation is being requested with protocol
>> version set to LDAPv2, and LDAPv2 has no notion of extended operations.
>> Can you track what operation is being requested?
>
> With guidance about how to, I can certainly do my best to.
>
> I can use tcpdump to gather all traffic between the client and this server
> on port 389 - but, I'm not going to be able to understand what I'm catching.
> Is there a more preferred method of capturing this?

Starting slapd with -d -1 would dump everything, including a tcp dump of
the request.  Of course you shouldn't do this in production.  Moreover,
you should isolate the logs from the beginning of the offending request to
the point where the error message is returned, to avoid sending too large
messages.

p.
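
The isolation step suggested in the reply above, as an added example that is not part of the original thread: a Python sketch that pulls out of a slapd log only the connections that hit the "protocol version (2) too low" error, from their first line to their close. The function names, the sample log and its addresses are constructed for illustration, and it assumes log lines in the format quoted in the thread.

```python
import re

# Constructed sample in the format of the log lines quoted in the thread;
# the addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
slapd[4434]: conn=115330 fd=262 ACCEPT from IP=192.0.2.10:51850 (IP=0.0.0.0:389)
slapd[4434]: conn=115331 fd=263 ACCEPT from IP=192.0.2.11:51856 (IP=0.0.0.0:389)
slapd[4434]: conn=115330 op=0 BIND dn="" method=128
slapd[4434]: conn=115331 op=0 do_extended: protocol version (2) too low
slapd[4434]: conn=115331 op=0 DISCONNECT tag=120 err=2 text=requires LDAPv3
slapd[4434]: conn=115330 op=1 UNBIND
slapd[4434]: conn=115331 fd=263 closed (operations error)
slapd[4434]: conn=115330 fd=262 closed
"""

MARKER = "do_extended: protocol version (2) too low"
LINE_RE = re.compile(r"slapd\[(\d+)\]: conn=(\d+) ")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(.+):\d+ \(IP=")


def isolate_offending(log_text, marker=MARKER):
    """Return {(pid, conn): [lines]} for each connection that logged marker.

    Keyed on pid as well as conn because conn numbers restart with slapd;
    lines after a connection's "closed" line are not added to its slice.
    """
    by_conn, closed, offending = {}, set(), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-connection slapd line
        key = (m.group(1), m.group(2))
        if key in closed:
            continue
        by_conn.setdefault(key, []).append(line)
        if marker in line and key not in offending:
            offending.append(key)
        if " closed" in line:
            closed.add(key)
    return {key: by_conn[key] for key in offending}


def client_addresses(isolated):
    """Map each isolated connection to the client IP on its ACCEPT line."""
    hits = ((k, ACCEPT_RE.search(l)) for k, ls in isolated.items() for l in ls)
    return {k: m.group(1) for k, m in hits if m}
```

The client address on the ACCEPT line identifies which host is still sending LDAPv2 requests.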