Re: BUG #9818: LDAP Authentication subtree problem

From: Sáreník Ján <jan(dot)sarenik(at)generali(dot)com>
To: "pgsql-bugs(at)postgresql(dot)org" <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #9818: LDAP Authentication subtree problem
Date: 2014-04-22 10:33:03
Message-ID: 843D3E17DE797541BAB4BF8053430A0576E079@CZ99PMBX01.CZGLI.LOCAL
Lists: pgsql-bugs

Hello Magnus!

On Tue, Apr 18, 2014 at 3:51 PM, Magnus Hagander wrote:
> That page is about the ModifyObject() function, which we're
> definitely not calling. And it's under the section about DFS replication
> helper protocol. So either you posted the wrong URL, or you have
> misdiagnosed it.

Yes, I might have misdiagnosed it, but it was the closest match possible.

> Do you get anything in the AD controller logs at this time? Or if
> you can get a packet trace, does it show something clear about what's
> actually going wrong?

No, as AD is managed by another part of the company and there are no
issues using Apache2 or ldapsearch against it, so I do not assume
the problem resides on that side.

> I wonder if it might be related to the use of an LDAP url, that somehow
> gets the subtree search wrong. Can you check to see if it works if
> you specify the individual parts without using an url, e.g.
>
> local all all ldap
> ldapserver=aa00aaa001.aaaa.corp.local
> ldapbasedn=DC=aaaa,DC=corp,DC=local ldapsearchattribute=sAMAccountName
> ldapbinddn="CN=svcLDAPDWH,OU=Services,OU=UsersAdm,DC=aaaa,DC=corp,DC=local"
> ldapbindpasswd="XXXXXX"
>
> For ldap auth not using the url syntax, subtree search is always used.

I tried this on today's unpatched PostgreSQL (8d34f6862) and it does
not work. It gives me the same error as when I use ldapurl in pg_hba.conf.
Just note that I had to quote ldapbasedn's parameter - otherwise the
database server wouldn't start.

As for the packets:
1. bindRequest(1) "CN=svcLDAPDWH,OU=Services,OU=UsersAdm,..."
2. bindResponse(1) success
3. searchRequest(2) "DC=aaaa,DC=corp,DC=local" wholeSubtree
4. searchResEntry(2) "CN=T912348,OU=UsersW7,DC=gpcz,DC=corp,DC=local" | searchResRef(2) | searchResDone(2) success [1 result]
----------------------------------------------------

Then the two (patched and unpatched) start to diverge:
Patched:
----------------------------------------------------
5. unbindRequest(6)
6. bindRequest(1) "CN=user,OU=subgroup,..." simple
7. bindResponse(1) success
8. unbindRequest(2)
Unpatched:
----------------------------------------------------
5. bindRequest(4) "<ROOT>" simple
6. bindResponse(4) success
7. searchRequest(3) "DC=DomainDnsZones,DC=aaaa,..." wholeSubTree
8. searchResDone(3) operationsError (000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1) [0 results]
9. unbindRequest(5)

Thanks for feedback!
Best regards, Jasan
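Added example, not part of the thread: a small Python check that parses packet lists in the shape given above and flags the pattern from the unpatched run, where a searchResRef in the search result is followed by an anonymous bind and a search on a base other than ldapbasedn, which AD answers with operationsError. The sample traces are transcribed from the report (DNs abbreviated as there); the helper names are my own.

```python
import re

# Constructed traces, transcribed in the shape of the report's packet list
# (the first four PDUs are common to both runs, DNs abbreviated as there).
COMMON = """1. bindRequest(1) "CN=svcLDAPDWH,OU=Services,OU=UsersAdm,DC=aaaa,DC=corp,DC=local" simple
2. bindResponse(1) success
3. searchRequest(2) "DC=aaaa,DC=corp,DC=local" wholeSubtree
4. searchResEntry(2) "CN=T912348,OU=UsersW7,DC=aaaa,DC=corp,DC=local" | searchResRef(2) | searchResDone(2) success [1 result]
"""
PATCHED = COMMON + """5. unbindRequest(6)
6. bindRequest(1) "CN=user,OU=subgroup,DC=aaaa,DC=corp,DC=local" simple
7. bindResponse(1) success
8. unbindRequest(2)
"""
UNPATCHED = COMMON + """5. bindRequest(4) "<ROOT>" simple
6. bindResponse(4) success
7. searchRequest(3) "DC=DomainDnsZones,DC=aaaa,DC=corp,DC=local" wholeSubtree
8. searchResDone(3) operationsError (000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1) [0 results]
9. unbindRequest(5)
"""

# One PDU: kind(msgid) "optional DN" trailing text
OP_RE = re.compile(r'(\w+)\((\d+)\)\s*(?:"([^"]*)")?\s*(.*)')

def parse_trace(text):
    """Turn the numbered dump into (kind, msgid, dn, rest) tuples; one line
    may carry several PDUs separated by ' | ', as line 4 of the report does."""
    ops = []
    for line in text.strip().splitlines():
        line = re.sub(r'^\d+\.\s*', '', line)          # drop the "N. " prefix
        for part in line.split(' | '):
            m = OP_RE.match(part.strip())
            if m:
                kind, msgid, dn, rest = m.groups()
                ops.append((kind, int(msgid), dn or '', rest.strip()))
    return ops

def find_referral_chase(ops, basedn):
    """Report signs that the client chased a referral by itself: after a
    searchResRef, an anonymous bind, a search on a base other than the
    configured ldapbasedn, and the server's operationsError."""
    findings, seen_ref = [], False
    for kind, msgid, dn, rest in ops:
        if kind == 'searchResRef':
            seen_ref = True
        elif seen_ref and kind == 'bindRequest' and dn in ('', '<ROOT>'):
            findings.append(f'anonymous bind (msgid {msgid}) after referral')
        elif seen_ref and kind == 'searchRequest' and dn.lower() != basedn.lower():
            findings.append(f'search on a base other than ldapbasedn: {dn}')
        elif kind == 'searchResDone' and rest.startswith('operationsError'):
            findings.append(f'search {msgid} failed: operationsError')
    return findings
```

Running `find_referral_chase(parse_trace(UNPATCHED), "DC=aaaa,DC=corp,DC=local")` yields three findings for the unpatched run and none for the patched one, matching the point at which the two traces diverge.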
