[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
(ITS#8314) ldap_back_is_proxy_authz returned 0 - misconfigured uri? - Maybe a Bug?
Full_Name: Dominique V.st
Version: 2.4.40
OS: Debian,CentOS,BSDs
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (195.37.70.39)
Hi everyone,
I installed a new OpenLDAP Server (Debian Jessy) (OpenLDAP Version 2.4.40) which
is used to proxy parts of the Active Directory.
However, from time to time it is not able to get Entries (does not answer to
querys but returns success) from the Active Directory.
What I see in the logs is the following:
Jun 10 11:37:38 openldap-proxy slapd[41657]: conn=1166 op=1 ldap_back_retry:
retrying URI="ldaps://dc.ourdomain.com"
DN="cn=ldap-binder,ou=serviceaccounts,dc= ourdomain,dc=com"
Jun 10 11:37:38 openldap-proxy slapd[41657]: Error: ldap_back_is_proxy_authz
returned 0, misconfigured URI?
First of all, the URI is correct and the System works well during most of the
time(except for this error), those ?errors? only happen from time to time.
The Strange thing is, that this new LDAP Server is running via the exactly same
configuration as another OpenLDAP-Server which has been running over 2 Years
now
and the old OpenLDAP Server (Debian Wheezy) (OpenLDAP Version 2.4.31) does also
show the first Log Entry from time to time (the ldap_back_retry one),
But does not show the ldap_back_is_proxy_authz error afterwards. Furthermore it
does also always return the right answer.
For Debugging reasons I tried Wiresharking the Domain Controller, TCP-Dumping
the LDAP-Server and the Client.
The Traffic looks okay, in case of that error the OpenLDAP Server simply is
asking the Domain Controller which returns Success but no results.
Since once this error occurs, the query right after the error works and then it
takes some time until that error occurs again and due to the fact that in the
older OpenLDAP Version it is working, could it be a Bug in the new OpenLDAP
Version?
I also looked in the Logs of the Domain Controller, everything is fine there.
Furthermore I installed test OpenLDAP Systems (Centos[yum], OpenBSD[pkg] and one
via compilation from sources via minimal module configuration) (2.4.40) and
tried the same configuration there, same Problem.
While googling and searching for a solution I stumbled across a guy having the
same problem, reporting this 2013 to this mailing list.
Someone suggested to add the Active Directory Schema to the OpenLDAP, which I
did andhihich did not solve this issue.
I tried adding the full schema as well as adding only Attributes and Object
classes that are used. Problem still persists.
After looking into the code of the bind.c and the commits in the ldap-back
Module I saw a change of the code lines in servers/slapd/back-ldap/bind.c
(around line 1407):
rc = ldap_back_is_proxy_authz( op, rs,
LDAP_BACK_DONTSEND, &binddn, &bindcred );
- assert( rc == 1 );
+ if ( rc != 1 ) {
+ Debug( LDAP_DEBUG_ANY, "Error: ldap_back_is_proxy_authz "
+ "returned %d, misconfigured URI?\n", rc, 0, 0 );
+ rs->sr_err = LDAP_OTHER;
+ rs->sr_text = "misconfigured URI?";
+ LDAP_BACK_CONN_ISBOUND_CLEAR( lc );
+ if ( sendok & LDAP_BACK_SENDERR ) {
+ send_ldap_result( op, rs %;%B
+ }
+ goto done;
+ }
}
rc = ldap_back_proxy_authz_bind( lc, op, rs, sendok, &binddn, &bindcred );
goto done;
Diff: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blobdiff;f=servers/slapd/back-ldap/bind.c;h=20197f3ed4db5a5288401efc318000c49c542b80;hp=9ef163c879d61cca0c537fed119f413947bfc518;hb=HEAD;hpb=ceefe132a8af19ee12fe0f072294ecce7bd3973b
Is it intended that there is a call to goto done? Which obviously prevents the
ldap_back_proxy_autzh_bind to happen ? - Since in older Versions of OpenLDAP it
works.
Best Regards,
Dominique Voest