Page MenuHomePhorge
Create Task
Maniphest T1171

LDAP reconnection does not bind the LDAP user
Closed, ResolvedPublic
Actions

Description

While investigating https://issues.kolab.org/show_bug.cgi?id=5368 I found this:

2016-04-05 14:23:43,414 pykolab.auth ERROR LDAP server unavailable: SERVER_DOWN({'desc': "Can't contact LDAP server"},)
2016-04-05 14:23:43,416 pykolab.auth ERROR Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/pykolab/auth/ldap/__init__.py", line 2917, in _search
    secondary_domains
  File "<string>", line 10, in <module>
  File "/usr/lib/python2.6/site-packages/pykolab/auth/ldap/__init__.py", line 2815, in _regular_search
    (_result_type, _result) = self.ldap.result(_search, False, 0)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 458, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 462, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 469, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 476, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
SERVER_DOWN: {'desc': "Can't contact LDAP server"}

2016-04-05 14:23:43,416 pykolab.auth ERROR -- reconnecting in 10 seconds.

2016-04-05 14:23:53,425 pykolab.auth ERROR An error occured using _regular_search: INAPPROPRIATE_AUTH({'info': 'Anonymous access is not allowed.', 'desc': 'Inappropriate
authentication'},)
2016-04-05 14:23:53,426 pykolab.auth ERROR Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/pykolab/auth/ldap/__init__.py", line 2917, in _search
    secondary_domains
  File "<string>", line 10, in <module>
  File "/usr/lib/python2.6/site-packages/pykolab/auth/ldap/__init__.py", line 2815, in _regular_search
    (_result_type, _result) = self.ldap.result(_search, False, 0)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 458, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 462, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 469, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 476, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
INAPPROPRIATE_AUTH: {'info': 'Anonymous access is not allowed.', 'desc': 'Inappropriate authentication'}

For me it looks like reconnect() should call _bind() after connect() and this indeed fixes the issue, but I'm not sure it's the correct fix.

Details

Ticket Type
Task

Revisions and Commits

rP pykolab
D199rP5f6e6f869fc7 Resolve finding no entries, too many entries, and ensure that LDAP failures…
D199rPd71e26c1a39d Resolve finding no entries, too many entries, and ensure that LDAP failures…
D126rPe2342d75e98a Fix binding current user after LDAP reconnection (T1171)
D126rP39e31385df84 Fix binding current user after LDAP reconnection (T1171)
D126rP0ffec36d05c7 Fix binding current user after LDAP reconnection (T1171)
D126rPa97671344872 Fix binding current user after LDAP reconnection (T1171)

Related Objects

Event Timeline

machniak created this task.Apr 5 2016, 12:44 PM
vanmeeuwen subscribed.Apr 5 2016, 2:30 PM

It would be, provided the _bind() call does not cause the connection to use credentials that the connection had not intended to use (i.e. from user John to service account or somesuch).

machniak added a revision: D126: Fix binding current user after LDAP reconnection (T1171).Apr 6 2016, 6:38 PM
machniak added a comment.Apr 6 2016, 6:41 PM

Unfortunately, simple_bind_s() is used also in authenticate() and _list_domains(). Please, check my differential very carefully. Works for me in the same scenario, but my pykolab knowledge is very limited. How can I test code paths with authenticate()?

vanmeeuwen closed this task as Resolved by committing rPa97671344872: Fix binding current user after LDAP reconnection (T1171).Apr 14 2016, 9:40 AM
vanmeeuwen added a commit: rPa97671344872: Fix binding current user after LDAP reconnection (T1171).
vanmeeuwen added a commit: rP0ffec36d05c7: Fix binding current user after LDAP reconnection (T1171).
vanmeeuwen mentioned this in rP6156015e2956: Revert "Fix binding current user after LDAP reconnection (T1171)".May 4 2016, 12:24 PM
vanmeeuwen mentioned this in rP1dcecdda9a52: Revert "Fix binding current user after LDAP reconnection (T1171)".
vanmeeuwen reopened this task as Open.May 4 2016, 12:52 PM

This issue still exists as per the commit revert.

vanmeeuwen closed this task as Resolved by committing rP39e31385df84: Fix binding current user after LDAP reconnection (T1171).May 7 2016, 11:06 AM
vanmeeuwen added a commit: rP39e31385df84: Fix binding current user after LDAP reconnection (T1171).
vanmeeuwen added a commit: rPe2342d75e98a: Fix binding current user after LDAP reconnection (T1171).
vanmeeuwen added a revision: D199: Resolve finding no entries, too many entries, and ensure that LDAP failures are triggered immediately.Jul 22 2016, 11:41 AM
vanmeeuwen added a commit: rPd71e26c1a39d: Resolve finding no entries, too many entries, and ensure that LDAP failures….Jul 22 2016, 1:27 PM
vanmeeuwen added a commit: rP5f6e6f869fc7: Resolve finding no entries, too many entries, and ensure that LDAP failures….Jul 22 2016, 1:34 PM
petersen added a project: Kolab Enterprise 14.Aug 19 2016, 10:23 AM