
LDAP reconnection does not bind the LDAP user
Closed, Resolved (Public)

Description

While investigating https://issues.kolab.org/show_bug.cgi?id=5368 I found this:

2016-04-05 14:23:43,414 pykolab.auth ERROR LDAP server unavailable: SERVER_DOWN({'desc': "Can't contact LDAP server"},)
2016-04-05 14:23:43,416 pykolab.auth ERROR Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/pykolab/auth/ldap/__init__.py", line 2917, in _search
    secondary_domains
  File "<string>", line 10, in <module>
  File "/usr/lib/python2.6/site-packages/pykolab/auth/ldap/__init__.py", line 2815, in _regular_search
    (_result_type, _result) = self.ldap.result(_search, False, 0)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 458, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 462, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 469, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 476, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
SERVER_DOWN: {'desc': "Can't contact LDAP server"}

2016-04-05 14:23:43,416 pykolab.auth ERROR -- reconnecting in 10 seconds.

2016-04-05 14:23:53,425 pykolab.auth ERROR An error occured using _regular_search: INAPPROPRIATE_AUTH({'info': 'Anonymous access is not allowed.', 'desc': 'Inappropriate authentication'},)
2016-04-05 14:23:53,426 pykolab.auth ERROR Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/pykolab/auth/ldap/__init__.py", line 2917, in _search
    secondary_domains
  File "<string>", line 10, in <module>
  File "/usr/lib/python2.6/site-packages/pykolab/auth/ldap/__init__.py", line 2815, in _regular_search
    (_result_type, _result) = self.ldap.result(_search, False, 0)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 458, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 462, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 469, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 476, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
INAPPROPRIATE_AUTH: {'info': 'Anonymous access is not allowed.', 'desc': 'Inappropriate authentication'}

For me it looks like reconnect() should call _bind() after connect() and this indeed fixes the issue, but I'm not sure it's the correct fix.

Details

Ticket Type
Task

Event Timeline

It would be, provided the _bind() call does not cause the connection to use credentials that the connection had not intended to use (i.e. from user John to service account or somesuch).

Unfortunately, simple_bind_s() is used also in authenticate() and _list_domains(). Please, check my differential very carefully. Works for me in the same scenario, but my pykolab knowledge is very limited. How can I test code paths with authenticate()?

This issue still exists as per the commit revert.
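
The reconnect behaviour discussed in this task, as an added example that is not pykolab's code and not part of any comment above: a client that records the last successful bind and replays it after reconnecting, so the new connection is neither anonymous nor switched to a different account. `FakeConn`, `Client`, `demo` and the account names are constructed for illustration; only the `simple_bind_s` name and the error texts mirror the log.

```python
# Added illustration: FakeConn is a constructed stand-in, not pykolab or python-ldap code.
class ServerDown(Exception): pass
class InappropriateAuth(Exception): pass

class FakeConn:
    """Constructed connection: starts anonymous, rejects anonymous searches."""
    def __init__(self, accounts):
        self.accounts, self.identity, self.alive = accounts, None, True
    def simple_bind_s(self, dn, password):
        if self.accounts.get(dn) != password:
            raise InappropriateAuth("Invalid credentials")
        self.identity = dn
    def search(self, base):
        if not self.alive:
            raise ServerDown("Can't contact LDAP server")
        if self.identity is None:
            raise InappropriateAuth("Anonymous access is not allowed.")
        return "%s searched %s" % (self.identity, base)

class Client:
    """Remembers the last successful bind and replays it after a reconnect."""
    def __init__(self, accounts, rebind=True):
        self.accounts, self.rebind, self.last_bind = accounts, rebind, None
        self.conn = FakeConn(accounts)
    def bind(self, dn, password):
        self.conn.simple_bind_s(dn, password)
        self.last_bind = (dn, password)  # recorded only after the bind succeeded
    def reconnect(self):
        self.conn = FakeConn(self.accounts)  # a fresh connection is anonymous
        if self.rebind and self.last_bind:
            # Replay the identity this connection last held, never a default one.
            self.conn.simple_bind_s(*self.last_bind)
    def search(self, base):
        try:
            return self.conn.search(base)
        except ServerDown:
            self.reconnect()
            return self.conn.search(base)

def demo(rebind):
    accounts = {"uid=john": "pw1", "uid=service": "pw2"}  # constructed sample data
    client = Client(accounts, rebind)
    client.bind("uid=service", "pw2")
    client.bind("uid=john", "pw1")   # connection is now used as john
    client.conn.alive = False        # simulate the SERVER_DOWN from the log
    try:
        return client.search("dc=example,dc=org")
    except InappropriateAuth as exc:
        return "error: %s" % exc
```

`demo(False)` reproduces the anonymous-access error from the log, while `demo(True)` completes the search as the identity bound last. python-ldap's `ReconnectLDAPObject` follows the same replay-the-last-bind pattern.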