
(ITS#8893) New LDAP option to support binding to specific IPv4/IPv6 address at client side



Full_Name: sudhir reddy singam
Version: master branch
OS: fedora
URL: 
Submission from: (NULL) (131.228.66.13)



The attached file is derived from OpenLDAP Software. All of the modifications to
OpenLDAP Software represented in the following patch(es) were developed by
NOKIA. NOKIA has not assigned rights and/or interest in this work to any party.
I, SINGAM SUDHIR REDDY, am authorized by NOKIA, my employer, to release this work
under the following terms.

NOKIA hereby places the following modifications to OpenLDAP Software (and only
these modifications) into the public domain. Hence, these modifications may be
freely used and/or redistributed for any purpose with or without attribution
and/or other notice.

****

Description:

This is a continuation of ITS#8847. NOKIA has decided to contribute this small
feature: a new LDAP option that allows the source (bind) IP address to be set on
the OpenLDAP client side.

The design details of what we are planning to do follow. Please provide your
comments on the design so that we can proceed with the implementation.

Details:

Requirement:

Users shall be able to set multiple IPv4/IPv6 socket bind addresses so that LDAP
traffic can be routed via the desired network interface. Based on the address
family of the target IP address, the first matching and valid source IP address
will be picked for explicit binding on the client side.

Work items:

1) LDAP option to set the IPv4/IPv6 socket bind addresses.
Format: space-separated list of IP addresses.

A new configuration option LDAP_OPT_SOCKET_BIND_ADDRESSES (0x5013) will be
introduced (in ldap.h), to be used via ldap_set_option.

For example,

char *p = "10.24.56.34 2001:0db8:85a3:0000:0000:8a2e:0370:7334";
/* NULL handle sets the global option; check the result, since a syntax error rejects the whole list */
if (ldap_set_option(NULL, LDAP_OPT_SOCKET_BIND_ADDRESSES, p) != LDAP_OPT_SUCCESS)
	return -1;

Bind addresses can also be provided in the ldap.conf file via the option
"SOCKET_BIND_ADDRESSES", for example,

SOCKET_BIND_ADDRESSES 10.24.56.45 10.24.56.46 2001:0db8:85a3:0000:0000:8a2e:0370:7334

	Note:
	- An option set on an LDAP handle overrides the global option.
	- Setting the option multiple times replaces the previous values; it does
	  not append to them.

2) Parsing & validation

The space-separated IP addresses will be parsed and validated. IPv4 and IPv6
addresses are stored separately for ease of access during connection.
Basic syntax validation will be done for IPv4 and IPv6 addresses; on any error,
setting the option will fail and the LDAP client will use the default IP
address.

The "ldapoptions" structure in ldap-int.h will be modified to add two new members:
"char *ldo_local_IPV4_addresses" -> holds the client's local IPv4 bind addresses
"char *ldo_local_IPV6_addresses" -> holds the client's local IPv6 bind addresses

A new function ldap_options_parseBindAddress() will be introduced in options.c
to parse, validate and store the IP addresses in the respective variables.
This function will be similar to ldap_url_parseHosts.

Memory for ldo_local_IPV4_addresses and ldo_local_IPV6_addresses is dynamically
allocated as an array for easy access. If validation fails, no new memory is
allocated and the existing values are retained.

3) Using the bind IP addresses during connection

File: os-ip.c
Function: ldap_connect_to_host

- After the connection socket is created (ldap_int_socket) and before it is
connected (ldap_pvt_connect), check the address family of the target address.

If it is AF_INET, the IPv4 bind address list will be used:

- If the list is empty but the LDAP option was set successfully earlier (only
IPv6 addresses were given), binding will fail and an error is returned.
- If the list is not empty and none of the provided IPv4 addresses can be bound
to, the connection will fail.
- If the list is empty because setting the LDAP option failed earlier (during
syntax validation), the LDAP client will continue to use the kernel-provided
IPv4 address.

If it is AF_INET6, the IPv6 bind address list will be used:

- If the list is empty but the LDAP option was set successfully earlier (only
IPv4 addresses were given), binding will fail and an error is returned.
- If the list is not empty and none of the provided IPv6 addresses can be bound
to, the connection will fail.
- If the list is empty because setting the LDAP option failed earlier (during
syntax validation), the LDAP client will continue to use the kernel-provided
IPv6 address.
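The parsing rules of section 2 and the pre-connect bind logic of section 3, as an added stand-alone C sketch (not part of the submitted design or of OpenLDAP's code): parse_bind_addresses rejects the whole list on the first bad token and leaves the previous values untouched, and bind_first_matching tries each address of the target's family before connect(). The struct bind_addrs type and both function names are hypothetical stand-ins for the proposed ldo_local_IPV4/IPV6 members and ldap_options_parseBindAddress().

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_BIND_ADDRS 8

/* Hypothetical stand-in for the proposed ldo_local_IPV4/IPV6 address members. */
struct bind_addrs {
    struct in_addr  v4[MAX_BIND_ADDRS]; int nv4;
    struct in6_addr v6[MAX_BIND_ADDRS]; int nv6;
};

/* Parse a space-separated list into per-family arrays. Any bad token fails the
 * whole list and leaves *out untouched (previous values retained, as proposed). */
int parse_bind_addresses(const char *list, struct bind_addrs *out)
{
    struct bind_addrs tmp; char buf[512]; char *save, *tok;
    memset(&tmp, 0, sizeof tmp);
    if (strlen(list) >= sizeof buf) return -1;
    strcpy(buf, list);
    for (tok = strtok_r(buf, " \t", &save); tok; tok = strtok_r(NULL, " \t", &save)) {
        if (tmp.nv4 < MAX_BIND_ADDRS && inet_pton(AF_INET, tok, &tmp.v4[tmp.nv4]) == 1) { tmp.nv4++; continue; }
        if (tmp.nv6 < MAX_BIND_ADDRS && inet_pton(AF_INET6, tok, &tmp.v6[tmp.nv6]) == 1) { tmp.nv6++; continue; }
        return -1;  /* syntax error (or too many addresses): option setting fails */
    }
    *out = tmp;
    return tmp.nv4 + tmp.nv6;
}

/* Before connect(): bind sock to the first usable source address of the target's family
 * (port 0, kernel picks). Returns -1 if that family's list is empty or every bind fails. */
int bind_first_matching(int sock, int target_family, const struct bind_addrs *a)
{
    if (target_family == AF_INET) {
        struct sockaddr_in sa; memset(&sa, 0, sizeof sa); sa.sin_family = AF_INET;
        for (int i = 0; i < a->nv4; i++) {
            sa.sin_addr = a->v4[i];
            if (bind(sock, (struct sockaddr *)&sa, sizeof sa) == 0) return 0;
        }
    } else if (target_family == AF_INET6) {
        struct sockaddr_in6 sa6; memset(&sa6, 0, sizeof sa6); sa6.sin6_family = AF_INET6;
        for (int i = 0; i < a->nv6; i++) {
            sa6.sin6_addr = a->v6[i];
            if (bind(sock, (struct sockaddr *)&sa6, sizeof sa6) == 0) return 0;
        }
    }
    return -1;
}
```

A caller that got -1 from bind_first_matching for a non-empty family list should close the socket and fail the connection rather than fall back to the kernel-chosen source address, which is the behaviour section 3 specifies.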