Page MenuHomePhorge

LDAP remove referrals for correct handling in Samba 4
ClosedPublic

Authored by fabian.melters on Jul 5 2017, 1:36 PM.
Referenced Files
F11590023: D467.id1079.diff
Fri, Mar 29, 1:07 AM
Unknown Object (File)
Fri, Mar 1, 1:10 PM
Unknown Object (File)
Feb 28 2024, 12:38 AM
Unknown Object (File)
Feb 25 2024, 9:22 AM
Unknown Object (File)
Feb 12 2024, 10:19 PM
Unknown Object (File)
Jan 29 2024, 6:18 PM
Unknown Object (File)
Jan 29 2024, 6:53 AM
Unknown Object (File)
Jan 25 2024, 1:45 AM

Details

Summary

LDAP user authentication does not work when using Samba 4 as LDAP backend. Samba 4 (as well as MS AD) returns referrals (search continuations) for some objects.
LDAPv3 does not specify which credentials should be used for the search continuations. libldap tries to anonymous bind and do the search continuations, which fails with
Samba 4 (as well as MS AD).

Kolab 16 will fail while authenticating with ldap.OPERATIONS_ERROR and the error message 00002020: Operation unavailable without authentication

The submitted patch is supposed to be used with

REFERRALS   off

in /etc/ldap.conf and should not affect any other situations.
Eventually setting LDAP option via

ldap.OPT_REFERRALS, 0

would be an option too, but i can't test at the moment, if there is any impact on non Samba 4 setups.

The change in wallace addresses the same problem, as i got

2017-07-05 12:27:28,566 pykolab.wallace ERROR Module resources.heartbeat() failed with error: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/wallace/__init__.py", line 89, in modules_heartbeat
    modules.heartbeat(module, lastrun)
  File "/usr/lib/python2.7/dist-packages/wallace/modules.py", line 128, in heartbeat
    return modules[name]['heartbeat'](*args, **kw)
  File "/usr/lib/python2.7/dist-packages/wallace/module_resources.py", line 438, in heartbeat
    resource_dns = [dn for dn in resource_dns if resource_base_dn in dn]
TypeError: argument of type 'NoneType' is not iterable
Test Plan

Use Kolab 16 with Samba 4. Try to authenticate user. Should fail. Disable Referrals in /etc/ldap.conf with

REFERRALS   off

and try again. Now you should no longer see the ldap.OPERATIONS_ERROR but an auth fail because of
4 (or at least more than one) results returned. The referrals no longer will be automatically queried, but returned
as part of the results containing None on the position 0 (result-type) of the result tuple.

Apply the patch now, which will remove those None result-type results. The Authentication should succeed.

Diff Detail

Repository
rP pykolab
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

fabian.melters edited the summary of this revision. (Show Details)

Add changes in wallace for correct handling too

Hi. Any chance to get some feedback on this? If the change needs to be adjusted, or a related ticket needs to be created, i just need to know it.

This revision is now accepted and ready to land.Jul 22 2017, 1:01 PM
This revision was automatically updated to reflect the committed changes.