LDAP remove referrals for correct handling in Samba 4
Summary:
LDAP user authentication does not work when using Samba 4 as LDAP backend. Samba 4 (as well as MS AD) returns referrals (search continuations) for some objects.
LDAPv3 does not specify which credentials should be used for the search continuations. libldap tries to bind anonymously and do the search continuations, which fails with
Samba 4 (as well as MS AD).
Kolab 16 will fail while authenticating with ldap.OPERATIONS_ERROR and the error message 00002020: Operation unavailable without authentication
The submitted patch is supposed to be used with
REFERRALS off
in /etc/ldap.conf and should not affect any other situations.
Eventually setting LDAP option via
ldap.OPT_REFERRALS, 0
would be an option too, but I can't test at the moment if there is any impact on non-Samba 4 setups.
The change in wallace addresses the same problem, as I got
2017-07-05 12:27:28,566 pykolab.wallace ERROR Module resources.heartbeat() failed with error: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/wallace/__init__.py", line 89, in modules_heartbeat
    modules.heartbeat(module, lastrun)
  File "/usr/lib/python2.7/dist-packages/wallace/modules.py", line 128, in heartbeat
    return modules[name]['heartbeat'](*args, **kw)
  File "/usr/lib/python2.7/dist-packages/wallace/module_resources.py", line 438, in heartbeat
    resource_dns = [dn for dn in resource_dns if resource_base_dn in dn]
TypeError: argument of type 'NoneType' is not iterable
Test Plan:
Use Kolab 16 with Samba 4. Try to authenticate user. Should fail. Disable Referrals in /etc/ldap.conf with
REFERRALS off
and try again. Now you should no longer see the ldap.OPERATIONS_ERROR but an auth fail because of
4 (or at least more than one) results returned. The referrals no longer will be automatically queried, but returned
as part of the results containing None on the position 0 (result-type) of the result tuple.
Apply the patch now, which will remove those None result-type results. The authentication should succeed.
Reviewers: PyKolab Developers, vanmeeuwen
Reviewed By: PyKolab Developers, vanmeeuwen
Subscribers: PyKolab Developers
Tags: Kolab 16
Differential Revision: https://git.kolab.org/D467
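
The filtering that the test plan describes, as an added illustration (this is not the code from the patch or from PyKolab). The function names and the sample result list are hypothetical and constructed; the list has the shape python-ldap's search_s() returns when referrals are not chased, where each search continuation is a tuple with None in position 0.

```python
# Constructed sample: one real entry plus three search continuations, as a
# Samba 4 / AD base search returns them with "REFERRALS off" in effect.
SAMPLE_RESULTS = [
    ("CN=jdoe,CN=Users,DC=example,DC=org", {"mail": [b"jdoe@example.org"]}),
    (None, ["ldap://example.org/CN=Configuration,DC=example,DC=org"]),
    (None, ["ldap://example.org/DC=DomainDnsZones,DC=example,DC=org"]),
    (None, ["ldap://example.org/DC=ForestDnsZones,DC=example,DC=org"]),
]


def strip_referrals(results):
    """Keep real entries only; drop tuples whose first element is None."""
    return [entry for entry in (results or []) if entry[0] is not None]


def resolve_login_dn(results):
    """Return the single DN to bind as, or None when the match is not unique.

    Counting the raw list would see 4 results here and reject the login,
    so referrals are removed before the uniqueness check. Zero or several
    real entries still fail closed.
    """
    entries = strip_referrals(results)
    if len(entries) != 1:
        return None
    return entries[0][0]


def dns_under_base(results, base_dn):
    """DNs located under base_dn.

    Filtering first means a None DN never reaches a substring or suffix
    test, which is what raised the TypeError in the heartbeat traceback.
    """
    suffix = base_dn.lower()
    return [dn for dn, _ in strip_referrals(results) if dn.lower().endswith(suffix)]


if __name__ == "__main__":
    print("raw results:", len(SAMPLE_RESULTS))
    print("login DN:", resolve_login_dn(SAMPLE_RESULTS))
    print("under base:", dns_under_base(SAMPLE_RESULTS, "dc=example,dc=org"))
```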