[Freeipa-devel] CLDAP Netlogon fixes

Alexander Bokovoy abokovoy at redhat.com
Thu May 23 18:02:04 UTC 2013


On Thu, 23 May 2013, Simo Sorce wrote:
>On Thu, 2013-05-23 at 10:42 -0400, Simo Sorce wrote:
>> CLDAP fixes for:
>> https://fedorahosted.org/freeipa/ticket/3639
>>
>> Should be pretty straightforward.
>> (pending testing)
>>
>> Alexander,
>> please check they work for your 2012 setup too.
>
>Alexander found a couple of typos and then the patches didn't work for
>him.
>
>The bug was that I forgot to consider the successful case in the switch
>statement I introduced at the last minute ... silly me.
>
>Tested this new set and works for me, Alexander please confirm.
Works for me now. There is still a slight difference from what we see
against Windows Server 2012.

----------------------------------------------------------------------------------
$ ldapsearch -LL -H cldap://red.bird.clone -b "" -s base '(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00))' netlogon
version: 1

dn:
netlogon::
FwAAAP0DAADBEtlp7qtnRa3yDLzj68BuBGJpcmQFY2xvbmUAwBgDcmVkwBgEQklSRAA
  FXFxSRUQAABdEZWZhdWx0LUZpcnN0LVNpdGUtTmFtZQDAOhACAAAAfwAAAQAAAAAAAAAAAAUAAAD/
  ////

$ ldapsearch -LL -H cldap://red.bird.clone -b "" -s base '(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00)(DnsDOmain=bird.clone))' netlogon
version: 1

dn:
netlogon::
FwAAAP0DAADBEtlp7qtnRa3yDLzj68BuBGJpcmQFY2xvbmUAwBgDcmVkwBgEQklSRAA
  FXFxSRUQAABdEZWZhdWx0LUZpcnN0LVNpdGUtTmFtZQDAOhACAAAAfwAAAQAAAAAAAAAAAAUAAAD/
  ////

$ ldapsearch -LL -H cldap://red.bird.clone -b "" -s base '(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00)(DnsDOmain=bird.clone1))' netlogon
version: 1

dn:
netlogon:

$ ldapsearch -LL -H cldap://red.bird.clone -b "" -s base '(&(NtVer=\00\00\55\00)(AAC=\00\00\00\00)(DnsDOmain=bird.clone))' netlogon
version: 1

dn:
netlogon:
----------------------------------------------------------------------------------

As you can see, incorrect parameters still return empty dn and netlogon
attributes, while Windows Server 2012 returns an empty response:

$ ldapsearch  -LL -H cldap://altai.ad.lan -b "" -s base '(&(NtVer=\00\00\00\55\00)(AAC=\00\00\00\00))' netlogon
version: 1

Yet, since for trusts we care about an explicit request with our domain name _and_ the
case when DnsDomain is not specified, everything continues to work.

So ACK.

-- 
/ Alexander Bokovoy
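The netlogon value returned by the first ldapsearch above is a base64-encoded NETLOGON_SAM_LOGON_RESPONSE_EX. The parser below is an added example, not code from this thread or from FreeIPA's CLDAP plugin; it assumes the MS-ADTS 6.3.1.8 layout with RFC 1035 style name compression, and it reads the optional DcSockAddr and NextClosestSiteName fields by length because this particular reply carries both even though its NtVersion is 5.

```python
import base64
import struct
import uuid

# First netlogon value from the ldapsearch output above, line folds joined.
NETLOGON_B64 = (
    "FwAAAP0DAADBEtlp7qtnRa3yDLzj68BuBGJpcmQFY2xvbmUAwBgDcmVkwBgEQklSRAA"
    "FXFxSRUQAABdEZWZhdWx0LUZpcnN0LVNpdGUtTmFtZQDAOhACAAAAfwAAAQAAAAAAAAAAAAUAAAD/"
    "////"
)
NETLOGON = base64.b64decode(NETLOGON_B64)

def read_name(blob, pos):
    """Read an RFC 1035 style name at pos; return (name, position after it)."""
    labels = []
    while True:
        length = blob[pos]
        if length & 0xC0 == 0xC0:  # 0xC0xx: pointer back to an earlier name
            target = ((length & 0x3F) << 8) | blob[pos + 1]
            if target >= pos:  # pointers only go backwards; this bounds recursion
                raise ValueError("bad compression pointer at offset %d" % pos)
            tail, _ = read_name(blob, target)
            return ".".join(labels + [tail] if tail else labels), pos + 2
        pos += 1
        if length == 0:
            return ".".join(labels), pos
        labels.append(blob[pos:pos + length].decode("utf-8"))
        pos += length

def parse_netlogon(blob):
    """Decode a NETLOGON_SAM_LOGON_RESPONSE_EX (MS-ADTS 6.3.1.8) into a dict."""
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    if opcode != 0x17:
        raise ValueError("not a LOGON_SAM_LOGON_RESPONSE_EX: opcode %#x" % opcode)
    out = {"flags": flags, "domain_guid": str(uuid.UUID(bytes_le=blob[8:24]))}
    pos = 24
    for field in ("dns_forest", "dns_domain", "dns_host", "netbios_domain",
                  "netbios_host", "user", "dc_site", "client_site"):
        out[field], pos = read_name(blob, pos)
    end = len(blob) - 8  # fixed trailer: NtVersion, LmNtToken, Lm20Token
    out["nt_version"], out["lmnt_token"], out["lm20_token"] = struct.unpack_from("<IHH", blob, end)
    # Optional DcSockAddrSize + DcSockAddr (sockaddr_in) and NextClosestSiteName sit
    # before the trailer; read by length, not NtVersion flags, since this reply has both.
    if pos < end:
        size = blob[pos]
        out["dc_sock_addr"] = "%d.%d.%d.%d" % tuple(blob[pos + 5:pos + 9])  # sin_addr
        pos += 1 + size
    if pos < end:
        out["next_closest_site"], pos = read_name(blob, pos)
    return out
```

The empty `netlogon:` values in the later queries decode to nothing at all, which is the difference from the Windows Server 2012 behaviour noted above.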
