
LDAP remove referrals for correct handling in Samba 4

Authored by vanmeeuwen on Jul 22 2017, 1:03 PM.

Description

LDAP remove referrals for correct handling in Samba 4

Summary:
LDAP user authentication does not work when using Samba 4 as LDAP backend. Samba 4 (as well as MS AD) returns referrals (search continuations) for some objects.
LDAPv3 does not specify which credentials should be used for the search continuations. libldap tries to bind anonymously and do the search continuations, which fails with
Samba 4 (as well as MS AD).

Kolab 16 will fail while authenticating with ldap.OPERATIONS_ERROR and the error message 00002020: Operation unavailable without authentication

The submitted patch is supposed to be used with

REFERRALS   off

in /etc/ldap.conf and should not affect any other situations.
Eventually setting LDAP option via

ldap.OPT_REFERRALS, 0

would be an option too, but I can't test at the moment if there is any impact on non-Samba 4 setups.

The change in wallace addresses the same problem, as I got

2017-07-05 12:27:28,566 pykolab.wallace ERROR Module resources.heartbeat() failed with error: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/wallace/__init__.py", line 89, in modules_heartbeat
    modules.heartbeat(module, lastrun)
  File "/usr/lib/python2.7/dist-packages/wallace/modules.py", line 128, in heartbeat
    return modules[name]['heartbeat'](*args, **kw)
  File "/usr/lib/python2.7/dist-packages/wallace/module_resources.py", line 438, in heartbeat
    resource_dns = [dn for dn in resource_dns if resource_base_dn in dn]
TypeError: argument of type 'NoneType' is not iterable

Test Plan:
Use Kolab 16 with Samba 4. Try to authenticate user. Should fail. Disable Referrals in /etc/ldap.conf with

REFERRALS   off

and try again. Now you should no longer see the ldap.OPERATIONS_ERROR but an auth fail because of
4 (or at least more than one) results returned. The referrals no longer will be automatically queried, but returned
as part of the results containing None on the position 0 (result-type) of the result tuple.

Apply the patch now, which will remove those None result-type results. The authentication should succeed.

Reviewers: PyKolab Developers, vanmeeuwen

Reviewed By: PyKolab Developers, vanmeeuwen

Subscribers: PyKolab Developers

Tags: Kolab 16

Differential Revision: https://git.kolab.org/D467
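
The filtering step described in the commit message above, as an added example that is not the patch itself or pykolab's own code. The function names `strip_referrals` and `find_unique_user_dn` are hypothetical, and the sample result list is constructed to mimic the list of `(dn, attrs)` tuples that python-ldap's `search_s()` returns, with each search continuation appearing as `(None, [url, ...])`.

```python
# Added example, not pykolab code. With "REFERRALS off" libldap no longer
# chases search continuations; python-ldap hands them back inside the result
# list as (None, [ldap_url, ...]) next to the real (dn, attrs) entries.

def strip_referrals(results):
    """Split a search result list into real entries and referral URLs."""
    entries, referrals = [], []
    for item in results or []:          # tolerate a None result list
        dn, payload = item[0], item[1]
        if dn is None:                  # search continuation, not an entry
            referrals.extend(payload or [])
        else:
            entries.append((dn, payload))
    return entries, referrals


def find_unique_user_dn(results):
    """Return the single DN to bind as; fail closed on zero or many entries."""
    entries, _ = strip_referrals(results)
    if len(entries) != 1:
        # Never pick "the first" of several matches for an authentication bind.
        raise LookupError("expected exactly one entry, got %d" % len(entries))
    return entries[0][0]


# Constructed sample: one user entry plus three referrals, i.e. the
# "4 results returned" situation from the test plan. Hostnames are made up.
SAMPLE_RESULTS = [
    ("CN=John Doe,CN=Users,DC=example,DC=org",
     {"mail": [b"john.doe@example.org"]}),
    (None, ["ldap://example.org/CN=Configuration,DC=example,DC=org"]),
    (None, ["ldap://example.org/DC=DomainDnsZones,DC=example,DC=org"]),
    (None, ["ldap://example.org/DC=ForestDnsZones,DC=example,DC=org"]),
]

if __name__ == "__main__":
    entries, referrals = strip_referrals(SAMPLE_RESULTS)
    print("entries:", len(entries), "referrals dropped:", len(referrals))
    print("bind DN:", find_unique_user_dn(SAMPLE_RESULTS))
```

Filtering on the DN before any further processing also avoids the `'NoneType' is not iterable` failure shown in the wallace traceback, since no `None` DN reaches a membership test.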

Details

Committed
vanmeeuwen, Jul 22 2017, 1:03 PM
Pushed
vanmeeuwen, Jul 22 2017, 1:07 PM
Reviewer
PyKolab Developers
Differential Revision
D467: LDAP remove referrals for correct handling in Samba 4
Parents
rP24da53112b65: Merge branch 'arcpatch-D479'
Branches
Unknown
Tags
Unknown
Build Status
Buildable 11366