[Freeipa-devel] CLDAP Netlogon fixes

Simo Sorce simo at redhat.com
Thu May 23 19:12:15 UTC 2013


On Thu, 2013-05-23 at 15:06 -0400, Simo Sorce wrote:
> On Thu, 2013-05-23 at 21:02 +0300, Alexander Bokovoy wrote:
> > On Thu, 23 May 2013, Simo Sorce wrote:
> > >On Thu, 2013-05-23 at 10:42 -0400, Simo Sorce wrote:
> > >> CLDAP fixes for:
> > >> https://fedorahosted.org/freeipa/ticket/3639
> > >>
> > >> Should be pretty straightforward.
> > >> (pending testing)
> > >>
> > >> Alexander,
> > >> please check they work for your 2012 setup too.
> > >
> > >Alexander found a couple of typos and then the patches didn't work for
> > >him.
> > >
> > >The bug was that I forgot to consider the successful case in the switch
> > >statement I introduced at the last minute ... silly me.
> > >
> > >Tested this new set and works for me, Alexander please confirm.
> > Works for me now. There is still slight difference from what we see
> > against Windows Server 2012.
> > 
> > ----------------------------------------------------------------------------------
> > $ ldapsearch -LL -H cldap://red.bird.clone -b "" -s base '(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00))' netlogon
> > version: 1
> > 
> > dn:
> > netlogon::
> > FwAAAP0DAADBEtlp7qtnRa3yDLzj68BuBGJpcmQFY2xvbmUAwBgDcmVkwBgEQklSRAA
> >   FXFxSRUQAABdEZWZhdWx0LUZpcnN0LVNpdGUtTmFtZQDAOhACAAAAfwAAAQAAAAAAAAAAAAUAAAD/
> >   ////
> > 
> > $ ldapsearch -LL -H cldap://red.bird.clone -b "" -s base '(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00)(DnsDOmain=bird.clone))' netlogon
> > version: 1
> > 
> > dn:
> > netlogon::
> > FwAAAP0DAADBEtlp7qtnRa3yDLzj68BuBGJpcmQFY2xvbmUAwBgDcmVkwBgEQklSRAA
> >   FXFxSRUQAABdEZWZhdWx0LUZpcnN0LVNpdGUtTmFtZQDAOhACAAAAfwAAAQAAAAAAAAAAAAUAAAD/
> >   ////
> > 
> > $ ldapsearch -LL -H cldap://red.bird.clone -b "" -s base '(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00)(DnsDOmain=bird.clone1))' netlogon
> > version: 1
> > 
> > dn:
> > netlogon:
> > 
> > $ ldapsearch -LL -H cldap://red.bird.clone -b "" -s base '(&(NtVer=\00\00\55\00)(AAC=\00\00\00\00)(DnsDOmain=bird.clone))' netlogon
> > version: 1
> > 
> > dn:
> > netlogon:
> > ----------------------------------------------------------------------------------
> > 
> > As you can see, incorrect parameters still return empty dn and netlogon
> > attributes while Windows Server 2012 returns empty response:
> > 
> > $ ldapsearch  -LL -H cldap://altai.ad.lan -b "" -s base '(&(NtVer=\00\00\00\55\00)(AAC=\00\00\00\00))' netlogon
> > version: 1
> > 
> > Yet, since for trusts we care about explicit request with our domain name _and_ the
> > case when DnsDomain is not specified, everything continues to work.
> > 
> > So ACK.
> 
> I can easily avoid returning the empty netlogon field, which is what I
> wanted to do.
> I'll see if I can also avoid returning the DN.
> 
> Let me try just one more revision.

It was a simple fix, attached patches omit LDAP_RES_SEARCH_ENTRY
completely as they were supposed to, and only return a
LDAP_RES_SEARCH_RESULT record.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-CLDAP-Return-empty-reply-on-non-fatal-errors.patch
Type: text/x-patch
Size: 2380 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130523/d41e12ac/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-CLDAP-Fix-domain-handling-in-netlogon-requests.patch
Type: text/x-patch
Size: 4278 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130523/d41e12ac/attachment-0001.bin>
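For reference on what the netlogon value in Alexander's first two queries actually carries, here is an added decoder for that NETLOGON_SAM_LOGON_RESPONSE_EX blob (example code written for this page, not part of the FreeIPA patches). It assumes the DcSockAddrSize byte is always present and takes NtVersion from the last eight bytes of the buffer.

```python
import base64
import struct
import uuid
# Netlogon value from Alexander's first ldapsearch above, with the LDIF line
# wrapping removed (constructed from the page, not a fresh capture).
NETLOGON_B64 = ("FwAAAP0DAADBEtlp7qtnRa3yDLzj68BuBGJpcmQFY2xvbmUAwBgDcmVkwBgEQklSRAA"
                "FXFxSRUQAABdEZWZhdWx0LUZpcnN0LVNpdGUtTmFtZQDAOhACAAAAfwAAAQAAAAAAAAAAAAUAAAD/"
                "////")
# DS flag bits carried in the Flags field (NBT_SERVER_* in Samba's naming).
FLAG_NAMES = {0x1: "PDC", 0x4: "GC", 0x8: "LDAP", 0x10: "DS", 0x20: "KDC", 0x40: "TIMESERV",
              0x80: "CLOSEST", 0x100: "WRITABLE", 0x200: "GOOD_TIMESERV", 0x400: "NDNC"}
NAME_FIELDS = ("forest", "dns_domain", "dns_hostname", "netbios_domain",
               "netbios_hostname", "user_name", "server_site", "client_site")

def read_name(buf, pos):
    """Read an RFC 1035 compressed name; return (name, position after it)."""
    labels, end = [], None
    while True:
        n = buf[pos]
        if n & 0xC0 == 0xC0:  # 0xC0xx is a back-pointer to an earlier name
            if end is None:
                end = pos + 2
            pos = struct.unpack_from(">H", buf, pos)[0] & 0x3FFF
            continue
        pos += 1
        if n == 0:
            return ".".join(labels), (pos if end is None else end)
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n

def decode_netlogon_ex(raw):
    """Decode a NETLOGON_SAM_LOGON_RESPONSE_EX (opcode 23) into a dict."""
    opcode, _sbz, flags = struct.unpack_from("<HHI", raw, 0)
    if opcode != 23:
        raise ValueError("not a SAM_LOGON_RESPONSE_EX reply: opcode %d" % opcode)
    out = {"flags": flags, "flag_names": [v for k, v in FLAG_NAMES.items() if flags & k],
           "domain_guid": str(uuid.UUID(bytes_le=raw[8:24]))}
    pos = 24  # the eight compressed names start right after the GUID
    for field in NAME_FIELDS:
        out[field], pos = read_name(raw, pos)
    # Assumption: a DcSockAddrSize byte always follows (0 when no address is
    # carried), then a sockaddr_in: family(2), port(2), IPv4(4), padding.
    if raw[pos] >= 8:
        out["dc_ip"] = ".".join(str(b) for b in raw[pos + 5:pos + 9])
    # NtVersion and the two tokens are the last 8 bytes; read from the end, as Samba does.
    out["nt_version"], out["lmnt_token"], out["lm20_token"] = struct.unpack_from("<IHH", raw, len(raw) - 8)
    return out

def decode_page_reply():
    return decode_netlogon_ex(base64.b64decode(NETLOGON_B64))
```

On the captured value this yields flags 0x3fd (PDC, GC, LDAP, DS, KDC, TIMESERV, CLOSEST, WRITABLE, GOOD_TIMESERV), forest and domain bird.clone, DC red.bird.clone, both sites Default-First-Site-Name and NtVersion 5, which is what a Windows client matches against when it picks a DC.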