Re: Regarding the feature to introduce new LDAP option to set source bind IP address



Singam, Sudhir (Nokia - IN/Bangalore) wrote:
> Hi Howard,
>  
> Any comments ??

>  
> Hi,
>  
> Can we go ahead and implement this ??
>  
> *Regards,*
> *Sudhir Singam*
>  
> *DELIVERING BEST-IN-CLASS PLATFORM is our vision*
>  
>  
> _____________________________________________
> *From:* Singam, Sudhir (Nokia - IN/Bangalore)
> *Sent:* Wednesday, August 08, 2018 8:48 AM
> *To:* openldap-devel@openldap.org
> *Cc:* Sharma, Ramakant 2. (Nokia - IN/Bangalore) <ramakant.2.sharma@nokia.com>
> *Subject:* Regarding the feature to introduce new LDAP option to set source bind IP address
>  
>  
> Hi,
>  
> NOKIA has taken up this small feature for contribution. Previously, a patch was submitted via ITS#8847 but it was rejected, in order to take a different approach.
> Now I have raised ITS#8893. We want to conclude on the approach before taking it up for implementation. Please kindly let us know if the following approach is OK and if
> there are any comments.
>  
> *Requirement:*
>  
> The user shall be able to set multiple IPv4/IPv6 socket bind addresses, to be able to route the LDAP traffic via the desired network interface. Based on the target IP
> address type, the first matching and valid source IP address will be picked for explicit binding at the client side.

Not sure I understand the value of a list of multiple addresses here.
>  
> *Work items:*
>  
> 
>  1. *LDAP option to set the IPv4/IPv6 socket bind addresses.*
> 
> /Format: space separated list of IP addresses/
>  
> New configuration option LDAP_OPT_SOCKET_BIND_ADDRESSES (0x5013) will be introduced (in ldap.h) to be used via ldap_set_option.
>  
> For example,
>  
> char *p = "10.24.56.34 2001:0db8:85a3:0000:0000:8a2e:0370:7334";
> ldap_set_option(NULL, LDAP_OPT_SOCKET_BIND_ADDRESSES, p);
>  
> Bind addresses can also be provided in the ldap.conf file via the option "SOCKET_BIND_ADDRESSES", for example,
>  
> SOCKET_BIND_ADDRESSES 10.24.56.45 10.24.56.46 2001:0db8:85a3:0000:0000:8a2e:0370:7334
>  
>         Note:
>         An option set on an LDAP handle will override the global option.
>         Setting the option multiple times will override the previous values; it does not append.
>  
> 
>  2. *Parsing & validations*
> 
>  
> Space separated IP addresses will be parsed and validated. IPv4 and IPv6 addresses are stored separately for ease of access during connection.
> Basic syntax validation will be done for IPv4 and IPv6 addresses; if there is any error, setting the option will fail and the LDAP client will use the default IP address.
>  
> The "ldapoptions" structure in ldap-int.h will be modified to add new members:
> "char *ldo_local_IPV4_addresses" -> to hold client local IPv4 bind addresses
> "char *ldo_local_IPV6_addresses" -> to hold client local IPv6 bind addresses

Seems like these should be char* arrays, especially since we already have str2charray().

> A new function /ldap_options_parseBindAddress/ () will be introduced in options.c to parse, validate and store the IP addresses in the respective variables. This
> function will be similar to ldap_url_parseHosts.
>  
> Memory for ldo_local_IPV4_addresses and ldo_local_IPV6_addresses is dynamically allocated in the form of an array for easy access. On any validation failure, no new
> memory will be allocated and the existing values will be retained.
>  
> 
>  3. *Using Bind IP addresses during connection*
> 
>  
> File: os-ip.c
> Function: ldap_connect_to_host
> - After the connection socket is created (ldap_int_socket) and before it is connected (ldap_pvt_connect), check the target address family type.
> If it is AF_INET, the IPv4 bind address list will be used.
> - If the list is empty and the LDAP option was set successfully earlier (IPv6 was set), binding will fail and an error is returned.
> - If the list is not empty and it is not possible to bind to any of the provided IPv4 addresses, the connection will fail.
> - If the list is empty and the LDAP option setting failed earlier (during syntax validation), the LDAP client will continue to use the kernel provided IPv4 address.
> If it is AF_INET6, the IPv6 bind address list will be used.
> - If the list is empty and the LDAP option was set successfully earlier (IPv4 was set), binding will fail and an error is returned.
> - If the list is not empty and it is not possible to bind to any of the provided IPv6 addresses, the connection will fail.
> - If the list is empty and the LDAP option setting failed earlier (during syntax validation), the LDAP client will continue to use the kernel provided IPv6 address.

What specific LDAP API error code will be returned in each instance?

>  
>  
>  
>  
> *Regards,*
> *Sudhir Singam*
>  
> *DELIVERING BEST-IN-CLASS PLATFORM is our vision*
>  
>  
>  


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
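An added example in C, written here to illustrate the parse-and-select logic the proposal describes; it is not OpenLDAP code and not from either correspondent. Every space separated token is validated with inet_pton(), a single bad token rejects the whole option so previously stored values are retained, addresses are kept in per-family arrays (the shape the reply suggests), and the source address for a target family is the first entry of that family's list, with the empty-list case the reply asks about surfaced as NULL so the caller can decide which error to return. `struct bind_addrs`, `MAX_ADDRS`, `parse_bind_addresses` and `pick_source` are assumed names.

```c
#include <arpa/inet.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_ADDRS 8   /* arbitrary cap for this example */
/* Parsed result, split by family as the proposal describes. */
struct bind_addrs {
    char v4[MAX_ADDRS][INET_ADDRSTRLEN];
    char v6[MAX_ADDRS][INET6_ADDRSTRLEN];
    int nv4, nv6;
};

/* Hypothetical parser (not OpenLDAP's): validate every space-separated
 * token with inet_pton(). Returns 0 on success; on any bad token returns -1
 * and leaves *out untouched, so previously stored values are retained. */
int parse_bind_addresses(const char *list, struct bind_addrs *out)
{
    struct bind_addrs tmp = {0};
    unsigned char raw[16];
    char tok[INET6_ADDRSTRLEN];
    size_t n;

    if (!list) return -1;
    for (; *(list += strspn(list, " ")); list += n) { /* skip separators */
        n = strcspn(list, " ");                        /* token length */
        if (n >= sizeof tok) return -1;
        memcpy(tok, list, n);
        tok[n] = '\0';
        if (inet_pton(AF_INET, tok, raw) == 1) {
            if (tmp.nv4 == MAX_ADDRS) return -1;
            strcpy(tmp.v4[tmp.nv4++], tok);
        } else if (inet_pton(AF_INET6, tok, raw) == 1) {
            if (tmp.nv6 == MAX_ADDRS) return -1;
            strcpy(tmp.v6[tmp.nv6++], tok);
        } else {
            return -1;          /* syntax error: whole option rejected */
        }
    }
    *out = tmp;
    return 0;
}

/* Source address for a target of family af: first entry of the matching
 * list, or NULL when that list is empty (the case the reply asks about). */
const char *pick_source(const struct bind_addrs *ba, int af)
{
    if (af == AF_INET)  return ba->nv4 ? ba->v4[0] : NULL;
    if (af == AF_INET6) return ba->nv6 ? ba->v6[0] : NULL;
    return NULL;
}
```

The caller would bind the socket to the returned address (port 0) between ldap_int_socket and ldap_pvt_connect; a NULL result is where the connect path must choose between failing and falling back to the kernel-chosen address.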