Return value of ldap_result() not compared to LDAP_RES_BIND?
- From: Felix Fontein <felix [at] fontein.de>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Return value of ldap_result() not compared to LDAP_RES_BIND?
- Date: Fri, 11 Sep 2020 11:16:07 +0200
Hi,
I've spent some hours today trying to figure out why I can't get nslcd
to authenticate correctly with OpenLDAP.
After fixing some problems with my config and the OpenLDAP ACLs (at
some point I was also enjoying the "INCORRECT" password), I reached a
point where things were getting really strange. When BINDing to the
user to verify the password, nslcd's debug output shows an unknown
error:
DEBUG: myldap_search(base="uid=felix.fontein,ou=users,dc=localhost", filter="(objectClass=*)")
DEBUG: ldap_initialize(ldaps://localhost:636/)
DEBUG: ldap_set_rebind_proc()
DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
DEBUG: ldap_sasl_bind("uid=felix.fontein,ou=users,dc=localhost","***") (uri="ldaps://localhost:636/") (ppolicy=no)
DEBUG: ldap_parse_result() result: Unknown error
DEBUG: failed to bind to LDAP server ldaps://localhost:636/: Unknown error
DEBUG: ldap_unbind()
In the OpenLDAP log I saw:
conn=1465 fd=15 ACCEPT from IP=192.168.1.2:60111 (IP=0.0.0.0:636)
conn=1465 fd=15 TLS established tls_ssf=256 ssf=256
conn=1465 op=0 BIND dn="uid=felix.fontein,ou=users,dc=localhost" method=128
conn=1465 op=0 BIND dn="uid=felix.fontein,ou=users,dc=localhost" mech=SIMPLE ssf=0
conn=1465 op=0 RESULT tag=97 err=0 text=
conn=1465 op=1 UNBIND
conn=1465 fd=15 closed
So OpenLDAP returned no error, but nslcd was seeing an error. I was
able to trace this to the following lines in do_ppolicy_bind() in
myldap.c:
rc = ldap_result(ld, msgid, LDAP_MSG_ALL, &timeout, &result);
[...]
/* return the result of the BIND operation */
if (rc != LDAP_SUCCESS)
{
myldap_err(LOG_DEBUG, ld, rc, "ldap_parse_result() result");
return rc;
}
Adding some more debug output, I found out that rc has value 97.
Looking at the man page of ldap_result
(https://linux.die.net/man/3/ldap_result), it says:
RETURN VALUE
Upon success, the type of the result received is returned [...]
The possible result types returned are:
LDAP_RES_BIND (0x61)
[...]
ERRORS
ldap_result() returns -1 if something bad happens, and zero if
the timeout specified was exceeded. ldap_msgtype() and
ldap_msgid() return -1 on error.
So rc == LDAP_RES_BIND, but the code checks for LDAP_SUCCESS (which is
0), which obviously won't match.
I've tentatively changed the if condition to
if (rc != LDAP_SUCCESS && rc != LDAP_RES_BIND)
and with that was successfully able to log in.
Now I'm wondering why the code looks as it does, especially since it has
been in that form for many years now. Is the current code known to work
in some cases? Or did ldap_result (breakingly) change over time?
Thanks and best regards,
Felix
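An added example, not code from nslcd or from the poster: it contrasts the quoted check with a correct reading of ldap_result(), whose return value is a message type (LDAP_RES_BIND = 0x61 = 97), not a result code, so the BIND outcome has to come from ldap_parse_result(). The constants are copied from OpenLDAP's ldap.h (guarded so the real header wins if included); the function names and the parsed_err parameter are assumptions for the illustration.

```c
/* Added example (not nslcd code): interpreting what ldap_result() returns. */
#include <stdio.h>

/* Values as defined in OpenLDAP's <ldap.h>, reproduced so this builds
 * without libldap; the real header takes precedence if included first. */
#ifndef LDAP_SUCCESS
#define LDAP_SUCCESS             0x00
#define LDAP_INVALID_CREDENTIALS 0x31   /* 49: the server rejected the password */
#define LDAP_OTHER               0x50   /* 80 */
#define LDAP_RES_BIND            0x61   /* 97: message type of a BIND response */
#define LDAP_SERVER_DOWN         (-1)   /* libldap API errors are negative */
#define LDAP_TIMEOUT             (-5)
#endif

/* The condition quoted from do_ppolicy_bind(): anything but 0 is treated as
 * an error. Returns 1 when that code would report "failed to bind". */
int original_check_reports_error(int rc)
{
  return rc != LDAP_SUCCESS;
}

/* Correct interpretation. rc is ldap_result()'s return value; parsed_err is
 * the resultCode that ldap_parse_result() extracts from the BIND response
 * (hypothetical parameter, standing in for the parsed message; only
 * meaningful when rc is a message type). Returns an LDAP result code for
 * the BIND, LDAP_SUCCESS only when the server itself answered err=0. */
int bind_result_code(int rc, int parsed_err)
{
  if (rc == -1)             /* library/transport failure, no message at all */
    return LDAP_SERVER_DOWN;
  if (rc == 0)              /* the timeout passed to ldap_result() expired */
    return LDAP_TIMEOUT;
  if (rc != LDAP_RES_BIND)  /* some other message type: not our answer */
    return LDAP_OTHER;
  /* rc == LDAP_RES_BIND: the outcome lives inside the message (err=0, 49, ...) */
  return parsed_err;
}

int main(void)
{
  /* The poster's situation: ldap_result() gave 97, slapd logged err=0. */
  printf("original check reports error: %d\n", original_check_reports_error(97));
  printf("correct result code:          %d\n", bind_result_code(97, 0));
  /* Same message type, but a wrong password: must still be rejected. */
  printf("wrong password result code:   %d\n", bind_result_code(97, 49));
  return 0;
}
```

The last case is the one to keep in mind when patching the condition: a BIND response with err=49 also arrives as LDAP_RES_BIND, so the message type alone can never be taken as success.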