Doesn’t deal well with bogus referrals from MS Active Directory

Bug #485200 reported by Joshua Miller
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
alpine (Ubuntu) | New | Undecided | Unassigned |

Bug Description

Binary package hint: alpine

When starting alpine, the following errors can be seen (hit CTRL-z after it starts):

alpine: /usr/local/lib/liblber-2.4.so.2: no version information available (required by alpine)
alpine: /usr/local/lib/libldap_r-2.4.so.2: no version information available (required by alpine)

Configured ldap server (from main screen, (S)etup, (D)irectory).
Went to address book.
Searched LDAP directory.
Search hangs indefinitely.

I've tested the LDAP server using ldapsearch, and it works fine, and returns quickly.
Also tried setting a timeout in the directory configuration to 10 seconds, and the timeout is not honored (likely because there are issues with the library).

Ubuntu version: Ubuntu 9.04

Tags: alpine ldap
Anders Kaseorg (andersk) wrote :

Why do you have a local copy of openldap installed in /usr/local (including /usr/local/lib/liblber-2.4.so.2 and /usr/local/lib/libldap_r-2.4.so.2)? Can you reproduce with a clean /usr/local?

Changed in alpine (Ubuntu):
status: New → Incomplete
Joshua Miller (unrtst) wrote :

Tested on a fresh and up-to-date Ubuntu 9.10 install.
The lib error no longer appears, but the search still doesn't work.

Tested the search with ldap search. The following works:

ldapsearch -h 10.0.0.53 -x -D joshmiller@myaddomain -W -b dc=mydomain.com '(|(cn=josh* miller*)(name=josh* miller*)(email=josh* miller*)(mailNickname=josh* miller*))' dn cn employeeID sAMAccountName mail userPrincipalName

.pinerc config line:
ldap-servers=10.0.0.53:389 "/base=dc=mydomain,dc=com/binddn=joshmiller@myaddomain/impl=0/rhs=0/ref=0/nosub=0/tls=0/tlsm=0/type=name/srch=begins-with/time=5/size=50/cust=/nick=MY AD Directory/matr=/catr=name/satr=/gatr="

Set the timeout to 5 seconds, and search still hangs. CTRL-c doesn't work; CTRL-z doesn't work. Had to kill it from another prompt.

I let it run longer this time, and it eventually errors out with:
[LDAP search failed: Referral: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points^J ref>

I did some more digging around, and found this thread:
http://marc.info/?l=pine-info&m=111571503603423&w=2

It appears that newer MS Active Directory servers always return a referral, and often with a bogus URL. From my ldapsearch results, I can confirm that is happening in this case as well. That thread was from 2005. I believe alpine is attempting to follow the bogus referral, and that's causing the error.

An strace on alpine shows it is attempting to follow the referral, which goes to an address for which I don't have access.

I also tried compiling alpine from scratch, and receive the same results. So, I believe this is probably an upstream bug/issue.

This would probably be best fixed with an additional config option in alpine to ignore referrals. I imagine that's unlikely to get patched in Ubuntu, and probably needs to go upstream.
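
Added example (not part of the original report and not alpine's code): a client that chases referrals automatically will connect, and possibly bind, to whatever host the server names, so the decision belongs in an explicit policy. The sketch below decodes an LDAP SearchResultDone carrying resultCode 10 (referral), as in the error quoted above, and keeps only referrals whose host is on an allow-list. The referral URL, the allow-list and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def tlv(buf, pos):
    """Read one BER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def ber(tag, value):
    """Encode one BER element (used only to build the constructed sample)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def parse_search_done(msg):
    """Return (resultCode, diagnosticMessage, referral URLs) of a SearchResultDone."""
    _, body, _ = tlv(msg, 0)               # LDAPMessage SEQUENCE
    _, _, pos = tlv(body, 0)               # messageID
    tag, op, _ = tlv(body, pos)            # protocolOp
    if tag != 0x65:                        # [APPLICATION 5] SearchResultDone
        raise ValueError("not a SearchResultDone")
    _, code, pos = tlv(op, 0)              # resultCode (10 = referral)
    _, _, pos = tlv(op, pos)               # matchedDN
    _, diag, pos = tlv(op, pos)            # diagnosticMessage
    urls, p = [], 0
    if pos < len(op) and op[pos] == 0xA3:  # optional referral [3]
        _, ref, _ = tlv(op, pos)
        while p < len(ref):
            _, uri, p = tlv(ref, p)
            urls.append(uri.decode("utf-8", "replace"))
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace"), urls

def referrals_to_chase(urls, trusted_hosts):
    """Keep only ldap/ldaps referrals whose host the operator has allow-listed."""
    def ok(u):
        p = urlsplit(u)
        return p.scheme in ("ldap", "ldaps") and (p.hostname or "").lower() in trusted_hosts
    return [u for u in urls if ok(u)]

# Constructed sample: diagnostic text from the report, referral URL is a placeholder.
DIAG = b"0000202B: RefErr: DSID-031006E0, data 0, 1 access points"
URL = b"ldap://referral.example.invalid/DC=example,DC=invalid"
SAMPLE = ber(0x30, ber(0x02, b"\x02") + ber(0x65,
    ber(0x0A, b"\x0a") + ber(0x04, b"") + ber(0x04, DIAG) + ber(0xA3, ber(0x04, URL))))
```

With an empty allow-list every referral is dropped, which is the "ignore referrals" behaviour the report asks for.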

Anders Kaseorg (andersk) wrote :

Great, thanks for the information. Let us know if you have a patch to propose, or if one makes its way upstream.

summary: - alpine ldap support appears to be broken (libldap_r-2.4.so.2 lib error)
+ Doesn’t deal well with bogus referrals from MS Active Directory
Changed in alpine (Ubuntu):
status: Incomplete → New