Bug#428468: ldap-account-manager: reports No such entry or Can't contact server
reassign 428468 slapd 2.3.30-5
thanks

Roland == Roland Gruber [EMAIL PROTECTED] writes:

Roland> there were always some user reports about LDAP server
Roland> crashes when using TLS. Usually this was caused by buggy
Roland> OpenSSL installations. But in this case the server does
Roland> not crash or maybe only a single thread.

Yes, I am beginning to think more and more that this is a bug in slapd. Possibly a security bug that can allow denial of service attacks, although I haven't worked out yet how to crash the server on demand.

For the record:

* If I change ldap-account-manager to use ldapi:/// it encounters the same problem.

* gdb of gq reports ldap_search_ext_s is returning LDAP_SERVER_DOWN:

    Breakpoint 3, formlist_from_entry (error_context=74, server=0x80ca830, dn=0x828e768, ocvalues_only=0) at formfill.c:187
    187       LDAPControl *ctrls[2] = { NULL, NULL } ;
    (gdb) n
    195       c.ldctl_oid = LDAP_CONTROL_MANAGEDSAIT;
    (gdb)
    196       c.ldctl_value.bv_val = NULL;
    (gdb)
    197       c.ldctl_value.bv_len = 0;
    (gdb)
    198       c.ldctl_iscritical = 1;
    (gdb)
    203       rc = ldap_search_ext_s(ld,
    (gdb)
    215       if(rc == LDAP_NOT_SUPPORTED) {
    (gdb)
    220       if (rc == LDAP_SERVER_DOWN) {
    (gdb)
    221          server->server_down++;
    (gdb)
    330       close_connection(server, FALSE);
    (gdb)
    331       set_normalcursor();
    (gdb)
    334    }
    (gdb) n

The server was *not* down at the time.

--
Brian May [EMAIL PROTECTED]
Bug#428468: ldap-account-manager: reports No such entry or Can't contact server
Roland == Roland Gruber [EMAIL PROTECTED] writes:

Roland> there were always some user reports about LDAP server crashes when using
Roland> TLS. Usually this was caused by buggy OpenSSL installations.

Roland> But in this case the server does not crash or maybe only a single thread.

It wouldn't surprise me if the situations are related. That is, sometimes my slapd server does crash. However I can't reproduce it on demand. Which is a pity, as otherwise I could get a stack trace with gdb.

(just a random guess: stack overflow in slapd?)

What annoys me (as far as debugging is):

a) I haven't been able to reproduce the problem with ldapsearch.

b) Since TLS is enabled that prevents me from tracing packets.

Hmm. I wonder if ldap-account-manager will work talking to ldapi:/// - that might be worth testing - on the assumption that TLS won't be enabled on a local socket connection. Will try next Monday.

Other than that, the next best thing I can think of is to attach to gq with gdb and look at ldap calls made.

--
Brian May [EMAIL PROTECTED]
Bug#428468: ldap-account-manager: reports No such entry or Can't contact server
Hi Brian,

Brian May wrote:
> So it would appear the triggers are:
>
> * TLS connection.
> * only particular users (not sure why).
> * not ldapsearch.
>
> Unfortunately, since it only happens with TLS, this may make finding
> out more rather difficult.

there were always some user reports about LDAP server crashes when using TLS. Usually this was caused by buggy OpenSSL installations.

But in this case the server does not crash or maybe only a single thread.

--
Best regards
Roland Gruber

LDAP Account Manager
http://lam.sourceforge.net

Want more? Get LDAP Account Manager Pro!
http://lam.sourceforge.net/lamPro/index.htm
Bug#428468: ldap-account-manager: reports No such entry or Can't contact server
Brian == Brian May [EMAIL PROTECTED] writes:

Brian> on server:
Brian> ldap-account-manager  ldap://localhost     BAD
Brian> ldapsearch            ldap://localhost     OK
Brian> ldapsearch            ldap://remotehost    OK
Brian> ldapsearch            ldaps://remotehost   OK

Brian> from another computer:
Brian> ldapsearch            ldap://remotehost    OK
Brian> ldapsearch            ldaps://remotehost   OK
Brian> gq                    ldap://remotehost    OK
Brian> gq                    ldaps://remotehost   BAD

Brian> As far as I can tell, it doesn't matter if I authenticate or bind
Brian> anonymously.

I just discovered something, ldap-account-manager is using LDAP_START_TLS_OID.

gq really isn't using TLS for ldap://

So it would appear the triggers are:

* TLS connection.
* only particular users (not sure why).
* not ldapsearch.

Unfortunately, since it only happens with TLS, this may make finding out more rather difficult.

--
Brian May [EMAIL PROTECTED]
Bug#428468: ldap-account-manager: reports No such entry or Can't contact server
Hi PHP5 maintainers,

I assign this bug to you because I think that this is a general bug in PHP when handling binary LDAP data.

The problem is that ldap_search() fails if the returned entries contain certain binary data. I was able to reproduce this by adding/removing an image file to the jpegPhoto attribute. The search always failed when the image was set.

Binary data can be read with ldap_get_values_len() without problems. But often the content type is unknown. Therefore ldap_search() should be fixed.

For some reason I cannot reproduce it today but this is the LDAP log:

    Jun 23 19:19:56 Roland slapd[2867]: conn=27 op=2 SRCH base=ou=People,o=test,c=de scope=2 deref=0 filter=(objectClass=*)
    Jun 23 19:19:56 Roland slapd[2867]: send_search_entry: conn 27 ber write failed.
    Jun 23 19:19:56 Roland slapd[2867]: conn=27 fd=18 closed (connection lost on write)

--
Best regards
Roland Gruber

LDAP Account Manager
http://lam.sourceforge.net

Want more? Get LDAP Account Manager Pro!
http://lam.sourceforge.net/lamPro/index.htm
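For anyone triaging the same symptom from the server side, the log pattern in the message above (a SRCH, then "ber write failed", then "closed (connection lost on write)" on the same connection) can be pulled out of syslog mechanically. The following is an added example, not code from any participant in this thread or from OpenLDAP; find_dropped_searches and its regexes are hypothetical names, and it assumes slapd is logging at the stats level as in the excerpt.

```python
import re

# The conn=27 lines are the log from the message above; the conn=28 lines are
# constructed here to show a search that completed normally.
SAMPLE_LOG = """\
Jun 23 19:19:56 Roland slapd[2867]: conn=27 op=2 SRCH base=ou=People,o=test,c=de scope=2 deref=0 filter=(objectClass=*)
Jun 23 19:19:56 Roland slapd[2867]: send_search_entry: conn 27 ber write failed.
Jun 23 19:19:56 Roland slapd[2867]: conn=27 fd=18 closed (connection lost on write)
Jun 23 19:20:03 Roland slapd[2867]: conn=28 op=1 SRCH base="ou=People,o=test,c=de" scope=2 deref=0 filter="(uid=alice)"
Jun 23 19:20:03 Roland slapd[2867]: conn=28 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 23 19:20:04 Roland slapd[2867]: conn=28 fd=18 closed
"""

PREFIX = re.compile(r'^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sslapd\[\d+\]:\s(?P<msg>.*)$')
# base/filter are quoted in raw syslog; the archived excerpt lost the quotes, so accept both.
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="?(.*?)"? scope=\d+ deref=\d+ filter="?(.*?)"?$')
WRITE_FAIL = re.compile(r'send_search_entry: conn (\d+) ber write failed')
CLOSED = re.compile(r'conn=(\d+) fd=\d+ closed(?: \((.*)\))?')

def find_dropped_searches(log_text):
    """Return one record per connection that slapd closed after a failed search write."""
    last_search = {}    # conn id -> most recent SRCH seen on that connection
    write_failed = set()
    incidents = []
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue                      # not a slapd syslog line
        ts, msg = m.group('ts'), m.group('msg')
        if (s := SRCH.match(msg)):
            last_search[s.group(1)] = {'op': s.group(2), 'base': s.group(3),
                                       'filter': s.group(4), 'started': ts}
        elif (w := WRITE_FAIL.search(msg)):
            write_failed.add(w.group(1))
        elif (c := CLOSED.match(msg)):
            conn, reason = c.group(1), c.group(2)
            if conn in write_failed or reason == 'connection lost on write':
                incidents.append({'conn': conn, 'closed': ts, 'reason': reason,
                                  'write_failed': conn in write_failed,
                                  **last_search.get(conn, {})})
            last_search.pop(conn, None)   # connection is gone either way
            write_failed.discard(conn)
    return incidents

if __name__ == '__main__':
    for incident in find_dropped_searches(SAMPLE_LOG):
        print(incident)
```

Grouping the returned records by base and filter shows whether the drops cluster on particular entries, which is the pattern reported in this bug.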
Bug#428468: ldap-account-manager: reports No such entry or Can't contact server
Hello,

I just reproduced this same problem with gq in debian etch. That is, the same entries that can not be seen in ldap-account-manager cannot be seen in gq either. gq reports fetching entry from server even after the operation has presumably aborted.

I do not know if this means that the bug is in the slapd server or if gq just happens to share the same buggy code with php. I do know that in experimenting with this, my slapd server has died on two occasions (I can't reproduce this).

ldapsearch has no problems accessing the data.

Then again, this is getting confusing, gq works fine if I turn off ssl support :-(.

Summary:

on server:
ldap-account-manager  ldap://localhost     BAD
ldapsearch            ldap://localhost     OK
ldapsearch            ldap://remotehost    OK
ldapsearch            ldaps://remotehost   OK

from another computer:
ldapsearch            ldap://remotehost    OK
ldapsearch            ldaps://remotehost   OK
gq                    ldap://remotehost    OK
gq                    ldaps://remotehost   BAD

As far as I can tell, it doesn't matter if I authenticate or bind anonymously.

Thanks.

--
Brian May [EMAIL PROTECTED]
Bug#428468: ldap-account-manager: reports No such entry or Can't contact server
Hi Brian,

Brian May wrote:
> For two users on my system, if I try to view the details on tree view,
> I get the message "No such entry" and if I try to view the details via
> Users view I get the message "Can't contact LDAP server".

I can reproduce this with binary data in jpegPhoto. Probably, I will reassign this bug to PHP or the OpenLDAP package.

--
Best regards
Roland Gruber

LDAP Account Manager
http://lam.sourceforge.net

Want more? Get LDAP Account Manager Pro!
http://lam.sourceforge.net/lamPro/index.htm
Bug#428468: ldap-account-manager: reports No such entry or Can't contact server
Package: ldap-account-manager
Version: 1.1.1-2
Severity: important

Hello,

For two users on my system, if I try to view the details on tree view, I get the message "No such entry" and if I try to view the details via Users view I get the message "Can't contact LDAP server".

The first time I tried this it also killed my LDAP server, but I haven't been able to reproduce this.

I know the entries in question exist, because the entries appear in the list (both tree view and users view), it is only when I click on one of the entries it dies. Also ldapsearch shows the entire record without any problems.

It is only two entries that have problems too, but I don't know what is special about them.

I am filing this bug report against ldap-account-manager, because so far that is the only client I can reproduce the problems on.

Thanks.

--
Brian May [EMAIL PROTECTED]

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-xen
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)

Versions of packages ldap-account-manager depends on:
ii  apache2                     2.2.3-4        Next generation, scalable, extenda
ii  apache2-mpm-prefork [httpd  2.2.3-4        Traditional model for Apache HTTPD
ii  debconf [debconf-2.0]       1.5.11         Debian configuration management sy
ii  libapache2-mod-php5         5.2.0-8+etch4  server-side, HTML-embedded scripti
ii  php-fpdf                    1.53.dfsg-5    PHP class to generate PDF files
ii  php5                        5.2.0-8+etch4  server-side, HTML-embedded scripti
ii  php5-ldap                   5.2.0-8+etch4  LDAP module for php5

Versions of packages ldap-account-manager recommends:
ii  php5-mhash                  5.2.0-8+etch4  MHASH module for php5

-- debconf information excluded