#47361 Empty control list causes an LDAP protocol error to be thrown
Closed: Fixed. Opened 6 years ago by nkinder.

389 DS should be able to handle an empty control list, but we currently throw a protocol error. If a control list is empty, we should ignore it and avoid sending a protocol error.

Here is the Wireshark dump of the one-packet response carrying the protocol error. Note
that this translates to the LDAP message "searchResDone(2) Protocol Error".

{{{
0000 00 1a 4a 03 4c 60 00 15 17 56 40 d8 08 00 45 00 ..J.L`.. .V@...E.
0010 00 42 31 6c 40 00 40 06 5c 92 0a 03 4c 03 0a 03 .B1l@.@. ...L...
0020 4c af 01 85 c6 b4 6f 12 17 fc 65 84 6d 23 80 18 L.....o. ..e.m#..
0030 00 7a ea c0 00 00 01 01 08 0a 17 2e 26 86 00 d5 .z...... ....&...
0040 39 bd 30 0c 02 01 02 65 07 0a 01 02 04 00 04 00 9.0....e ........
}}}

The packet triggering this error is shown below:

{{{
0000 00 15 17 56 40 d8 00 1a 4a 03 4c 60 08 00 45 00 ...V@... J.L`..E.
0010 00 98 95 29 40 00 40 06 f8 7e 0a 03 4c af 0a 03 ...)@.@. .~..L...
0020 4c 03 c6 b5 01 85 ad 53 ac f2 c0 d1 ee 86 80 18 L......S ........
0030 00 2e ad 42 00 00 01 01 08 0a 00 d5 39 bf 17 2e ...B.... ....9...
0040 26 88 30 62 02 01 02 63 5b 04 3b 75 69 64 3d 6d &.0b...c [.;uid=m
0050 61 74 73 6d 69 74 68 2c 63 6e 3d 75 73 65 72 73 atsmith, cn=users
0060 2c 63 6e 3d 61 63 63 6f 75 6e 74 73 2c 64 63 3d ,cn=acco unts,dc=
0070 73 61 6c 61 62 2c 64 63 3d 72 65 64 68 61 74 2c salab,dc =redhat,
0080 64 63 3d 63 6f 6d 0a 01 00 0a 01 00 02 01 00 02 dc=com.. ........
0090 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 63 6c 61 .......o bjectcla
00a0 73 73 30 00 a0 00 ss0...
}}}

Note the trailing "a0 00" bytes. These represent an LDAP controls list with
zero elements. With zero elements, this list should be dropped. The inclusion of these two bytes is what triggers the protocol error. Note that other LDAP servers (such as AD) may be more forgiving of trailing garbage.


'''Here is the current status'''

  • Reading http://tools.ietf.org/html/rfc4511#section-4.1.11, I think sending a list of controls with 0 controls is invalid. Such a list (sequence) should contain one or more controls.

  • Recent versions of mozldap/openldap do not send an empty list of controls.

  • I changed the current version of mozldap to allow an empty list of controls and recompiled an ldapclient. I then succeeded in reproducing the search request:

{{{
0000 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0010 00 63 73 fa 40 00 40 06 c8 98 7f 00 00 01 7f 00 .cs.@.@.........
0020 00 01 8c cf 07 db f2 7f 75 d6 ef 18 80 da 80 18 ........u.......
0030 01 56 fe 57 00 00 01 01 08 0a 10 b0 06 5d 10 b0 .V.W.........]..
0040 06 5c 30 2d 02 01 02 63 26 04 06 64 63 3d 63 6f .\0-...c&..dc=co
0050 6d 0a 01 00 0a 01 00 02 01 00 02 01 00 01 01 00 m...............
0060 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 30 00 a0 ..objectclass0..
0070 00
}}}

  • I made a fix (without a config switch) to allow processing of requests containing an empty controls sequence.

'''Here are the next steps'''

  • I guess changing the application to use a more recent version of ldapcsdk is not an option.
    I will ask the customer (IPA) if it would be possible.

  • wait for review
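
To make the bytes in the dumps above concrete, here is an added example that is not 389 DS code and not part of this ticket's fix. It is a small BER walker that decodes the two LDAP PDUs re-typed from the Wireshark dumps in the description (the request starting at `30 62` and the response starting at `30 0c`), shows that the request ends in a controls element that is present but holds zero Control SEQUENCEs, and models the two server policies discussed in this ticket with an assumed `controls_decision` helper: rejecting the empty list with protocolError (what the server did) versus treating it like an absent one (what the fix does). The tag constants, the `LdapMessage` class and the decision strings are assumptions made for this illustration, not names from control.c.

```python
"""Minimal BER walker for the LDAP PDUs captured in ticket #47361 (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# LDAP payload of the request packet (bytes from offset 0x42 of the dump, after the
# Ethernet/IP/TCP headers), re-typed from the ticket's hex dump.
SEARCH_REQUEST = bytes.fromhex(
    "30 62 02 01 02 63 5b 04 3b 75 69 64 3d 6d"
    " 61 74 73 6d 69 74 68 2c 63 6e 3d 75 73 65 72 73"
    " 2c 63 6e 3d 61 63 63 6f 75 6e 74 73 2c 64 63 3d"
    " 73 61 6c 61 62 2c 64 63 3d 72 65 64 68 61 74 2c"
    " 64 63 3d 63 6f 6d 0a 01 00 0a 01 00 02 01 00 02"
    " 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 63 6c 61"
    " 73 73 30 00 a0 00"
)
# LDAP payload of the one-packet response, same offset, re-typed from the dump.
SEARCH_RESULT_DONE = bytes.fromhex("30 0c 02 01 02 65 07 0a 01 02 04 00 04 00")

TAG_INTEGER = 0x02
TAG_SEQUENCE = 0x30
TAG_CONTROLS = 0xA0            # [0] IMPLICIT SEQUENCE OF Control, constructed
APP_SEARCH_REQUEST = 0x63      # [APPLICATION 3]
APP_SEARCH_RESULT_DONE = 0x65  # [APPLICATION 5]
RESULT_PROTOCOL_ERROR = 2


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER TLV at buf[pos] and return (tag, value, position after it).
    Single-byte tags and definite lengths only, which is all these PDUs use."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:end], end


def read_int(value: bytes) -> int:
    return int.from_bytes(value, "big", signed=True)


@dataclass
class LdapMessage:
    message_id: int
    op_tag: int
    op_value: bytes
    controls: Optional[List[bytes]]   # None = element absent, [] = present but empty


def parse_ldap_message(pdu: bytes) -> LdapMessage:
    """LDAPMessage ::= SEQUENCE { messageID, protocolOp, controls [0] OPTIONAL }"""
    tag, body, end = read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE or end != len(pdu):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op_value, pos = read_tlv(body, pos)
    controls = None
    if pos < len(body):                      # something follows the protocolOp
        tag, ctl_body, pos = read_tlv(body, pos)
        if tag != TAG_CONTROLS:
            raise ValueError(f"unexpected trailing element tag 0x{tag:02x}")
        controls = []
        cpos = 0
        while cpos < len(ctl_body):          # each Control is itself a SEQUENCE
            ctag, cval, cpos = read_tlv(ctl_body, cpos)
            if ctag != TAG_SEQUENCE:
                raise ValueError("Control must be a SEQUENCE")
            controls.append(cval)
    if pos != len(body):
        raise ValueError("trailing bytes after controls")
    return LdapMessage(read_int(mid), op_tag, op_value, controls)


def controls_decision(msg: LdapMessage, lenient: bool) -> str:
    """Assumed model of the server policy: strict returns protocolError for an empty
    Controls SEQUENCE (the reported behaviour); lenient ignores it (the fix)."""
    if msg.controls is None:
        return "no controls"
    if not msg.controls:
        return "ignore empty controls" if lenient else "protocolError"
    return f"{len(msg.controls)} control(s)"


def search_base(msg: LdapMessage) -> str:
    """baseObject is the first element of a SearchRequest."""
    if msg.op_tag != APP_SEARCH_REQUEST:
        raise ValueError("not a SearchRequest")
    _, base, _ = read_tlv(msg.op_value, 0)
    return base.decode("utf-8")


def result_code(msg: LdapMessage) -> int:
    """resultCode is the first element of a SearchResultDone (an LDAPResult)."""
    if msg.op_tag != APP_SEARCH_RESULT_DONE:
        raise ValueError("not a SearchResultDone")
    _, code, _ = read_tlv(msg.op_value, 0)
    return read_int(code)


if __name__ == "__main__":
    req = parse_ldap_message(SEARCH_REQUEST)
    print("request: id", req.message_id, "base", search_base(req), "controls", req.controls)
    print("strict server:", controls_decision(req, lenient=False))
    print("after the fix:", controls_decision(req, lenient=True))
    resp = parse_ldap_message(SEARCH_RESULT_DONE)
    print("response: id", resp.message_id, "resultCode", result_code(resp))
```

Decoding the request shows `controls == []` rather than `None`, which is exactly the case RFC 4511 leaves debatable: the element is present, so a strict decoder can argue the `SEQUENCE OF Control` needs at least one member, while the lenient policy simply treats it as if no controls were sent.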

Replying to [comment:4 tbordaz]:

'''Here is the current status'''

I think it is ambiguous. There are other places in the LDAP protocol that allow a SEQUENCE of 0 length. At any rate, it would be nice to allow this in cases where the customer cannot control the behavior of the LDAP SDK.

  • Recent versions of mozldap/openldap do not send an empty list of controls.

  • I changed the current version of mozldap to allow an empty list of controls and recompiled an ldapclient. I then succeeded in reproducing the search request:

  • I made a fix (without a config switch) to allow processing of requests containing an empty controls sequence.

'''Here are the next steps'''

  • I guess changing the application to use a more recent version of ldapcsdk is not an option.
    I will ask the customer (IPA) if it would be possible.

No, not possible.

  • wait for review

'''Push into master'''

{{{
git merge ticket47361
Updating e2a5faf..16c41ad
Fast-forward
ldap/servers/slapd/control.c | 32 +++++++++++++++++++++-----------
1 file changed, 21 insertions(+), 11 deletions(-)

commit 16c41ad
Author: Thierry bordaz (tbordaz) tbordaz@redhat.com
Date: Thu May 16 15:28:47 2013 +0200

git push origin master
Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 1.33 KiB, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
e2a5faf..16c41ad master -> master
}}}

'''Push into 1.2.11'''

{{{
git push origin 389-ds-base-1.2.11
Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 1.33 KiB, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
b5dc3db..76c87bd 389-ds-base-1.2.11 -> 389-ds-base-1.2.11

commit 76c87bd
Author: Thierry bordaz (tbordaz) tbordaz@redhat.com
Date: Thu May 16 15:28:47 2013 +0200
}}}

Thanks Rich, you were right: using perlLDAP allows sending an empty control list. Here is the code:

{{{
#!/usr/bin/perl

use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control;

# <hostname>, <port>, <pwd> and <suffix> are placeholders to fill in for your deployment
my $ldap = Net::LDAP->new( "<hostname>", port => <port> ) or die "$@";
my $userToAuthenticate = "cn=directory manager";
my $passwd = "<pwd>";

my $mesg = $ldap->bind( version => 3 );    # anonymous bind, used for searches

$mesg = $ldap->bind( "$userToAuthenticate",
                     password => "$passwd",
                     version  => 3 );      # authenticated bind, used for changes/edits

sub LDAPsearch
{
    my ( $ldap, $searchString, $attrs, $base ) = @_;

    if ( !$base ) { $base = "<suffix>"; }

    # if they don't pass an array of attributes...
    # set up something for them
    if ( !$attrs ) { $attrs = [ 'cn', 'mail' ]; }

    # control => [ ] makes perl-ldap emit a controls SEQUENCE with zero elements,
    # the trailing "a0 00" seen in the packet dump
    my $result = $ldap->search( base    => "$base",
                                scope   => "sub",
                                filter  => "$searchString",
                                attrs   => $attrs,
                                control => [ ] );
    return $result;
}

my $result = LDAPsearch( $ldap, "uid=*" );
die "search failed: " . $result->error if $result->code;
}}}

Metadata Update from @tbordaz:
- Issue assigned to tbordaz
- Issue set to the milestone: 1.2.11.22
