As discovered by Stef Walter, our CLDAP responder poorly processes cases when no DnsDomain is specified in the query.
this hangs:
ldapsearch -LL -H cldap://dc.gorn.thewalter.lan -b "" -s base '(NtVer=\06\00\00\00)'
as does this:
ldapsearch -LL -H cldap://dc.gorn.thewalter.lan -b "" -s base '(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00))'
ldapsearch -LL -H cldap://dc.gorn.thewalter.lan -b "" -s base '(&(DnsDomain=blah.com)(NtVer=\06\00\00\00)(AAC=\00\00\00\00))'
this doesn't hang:
ldapsearch -LL -H cldap://dc.gorn.thewalter.lan -b "" -s base '(&(DnsDomain=gorn.thewalter.lan)(NtVer=\06\00\00\00)(AAC=\00\00\00\00))'
We need to fix the behaviour to allow proper discovery for realmd.
I did a few experiments against Windows Server 2012 and here is what I get:
I think we need to always check if the domain we are asked about is owned by us -- including the case when DnsDomain is missing from the query (assumed to be a request for our domain).
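The domain check proposed in the comment above, as an added C sketch that is not part of the ticket or of the FreeIPA CLDAP plugin: `struct filter_item`, `netlogon_decide` and the `REPLY_*` values are hypothetical names, and the filter is assumed to be already decoded into attribute/value pairs. Answering with an empty reply when NtVer is absent or the domain is not ours is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical decoded (attr=value) filter item, not the plugin's own type. */
struct filter_item { const char *attr; const char *value; };

enum cldap_action { REPLY_NETLOGON, REPLY_EMPTY };

/* Assumption: DNS names compare case-insensitively, one trailing dot ignored. */
static int same_domain(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la > 0 && a[la - 1] == '.') la--;
    if (lb > 0 && b[lb - 1] == '.') lb--;
    return la == lb && strncasecmp(a, b, la) == 0;
}

/* Every path returns an action, so no filter shape leaves the client waiting. */
enum cldap_action netlogon_decide(const struct filter_item *items, size_t n,
                                  const char *our_domain)
{
    const char *asked = NULL;
    int have_ntver = 0;

    /* A lone item and an (&...) list are walked the same way. */
    for (size_t i = 0; i < n; i++) {
        if (strcasecmp(items[i].attr, "DnsDomain") == 0)
            asked = items[i].value;
        else if (strcasecmp(items[i].attr, "NtVer") == 0)
            have_ntver = 1;
        /* Other items such as AAC do not affect the domain check. */
    }
    if (!have_ntver)
        return REPLY_EMPTY;      /* assumption: not a netlogon ping */
    if (asked == NULL)
        asked = our_domain;      /* DnsDomain missing: request is for our domain */
    return same_domain(asked, our_domain) ? REPLY_NETLOGON : REPLY_EMPTY;
}

int main(void)
{
    /* Constructed input mirroring the ticket's filters. */
    const struct filter_item lone[] = { { "NtVer", "\\06\\00\\00\\00" } };
    const struct filter_item other[] = { { "DnsDomain", "blah.com" },
                                         { "NtVer", "\\06\\00\\00\\00" } };
    printf("lone NtVer: %d\n", netlogon_decide(lone, 1, "gorn.thewalter.lan"));
    printf("blah.com:   %d\n", netlogon_decide(other, 2, "gorn.thewalter.lan"));
    return 0;
}
```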
master:
1e224c2 CLDAP: Return empty reply on non-fatal errors
b402b6d CLDAP: Fix domain handling in netlogon requests
ipa-3-2:
2dd9673 CLDAP: Return empty reply on non-fatal errors
c5d3f98 CLDAP: Fix domain handling in netlogon requests
ipa-3-1:
1657b1e CLDAP: Return empty reply on non-fatal errors
2d6eb08 CLDAP: Fix domain handling in netlogon requests
As I found out, CLDAP queries with just one filter component fail:
# ldapsearch -LL -H cldap://vm-037.idm.lab.bos.redhat.com -b "" -s base '(NtVer=\06\00\00\00)'
version: 1
^C
Reopening the ticket.
master: b21abc7
ipa-3-2: 848f4bc
ipa-3-1: 4f8cce7
Rename "trusts" component to "Trusts" to achieve correct sorting.
Metadata Update from @abbra: - Issue assigned to simo - Issue set to the milestone: FreeIPA 3.2.x - 2013/05 (bug fixing)