[SRU] search fail with get_ctrls : controls require LDAPv3

Bug #1023025 reported by PierreF on 2012-07-10
This bug affects 4 people
Affects                    Importance  Assigned to
openldap (Ubuntu)          Medium      Unassigned
openldap (Ubuntu Precise)  Medium      James Page

Bug Description

[IMPACT]

* Any client connecting in LDAPv3 and using a v3-specific feature may fail.
* This includes libnss-ldap (so "id user" may not return all groups). Thus you may log in without all your groups and need to log out/log in one more time.
* This issue is known and fixed upstream, ITS#7107 (commit 85c1c545f4e20882a2f748fcef5f732ea2d2ecf6).

[TESTCASE]

To reproduce this issue, you will need to do enough searches, some with version 2, others with version 3 and some control.

Example:

* In terminal A, run: while true; do ldapsearch -h 127.0.0.1 -b o=company uid=dontcare -P 2 > /dev/null;sleep 0.1;done
* Let the loop run for some time (it increases the chance of failure for the next step).
* In terminal B, run: ldapsearch -h 127.0.0.1 -b o=company uid=dontcare -M

You should not have to run more than 20 times before an error occurs.

[REGRESSION POTENTIAL]

Minimal, as this is a simple one-line change to initialize objects before re-use.
Fix has good heritage as Howard is the Chief TA of OpenLDAP.
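The two-terminal procedure in [TESTCASE] as a single script, an added example that is not part of this bug report or of the openldap package. It assumes ldapsearch from ldap-utils on PATH and simple bind (-x, as in the ldapsearch commands quoted later in the thread); LDAP_HOST, LDAP_BASE and ATTEMPTS are knobs introduced here, not from the page. classify_result reads one ldapsearch transcript and looks for the "result: 2 Protocol error" / "text: controls require LDAPv3" pair quoted in the comments, so it can be exercised offline; the server-facing part only runs when LDAP_HOST is set. A non-zero failure count on the unpatched slapd, then zero after installing the -proposed package, is the before/after check PierreF reports for the SRU verification.

```shell
#!/bin/sh
# Added example, not from the bug report or the openldap package: automates the
# v2-loop / v3-with-control reproduction from the [TESTCASE] section.
# Assumed knobs (not from the page): LDAP_HOST, LDAP_BASE, ATTEMPTS.
set -u

# classify_result: read one ldapsearch transcript on stdin and print
#   protocol-error  if slapd answered "result: 2 Protocol error" with
#                   "controls require LDAPv3" (the symptom in this bug),
#   ok              if the search result block reports "result: 0 Success",
#   other           for anything else (connection refused, no such object, ...).
classify_result() {
    out=$(cat)
    case "$out" in
        *"result: 2 Protocol error"*"controls require LDAPv3"*) echo protocol-error ;;
        *"result: 0 Success"*) echo ok ;;
        *) echo other ;;
    esac
}

# self_check: feed classify_result the failing transcript quoted in the report
# (constructed here from those lines) so the parser can be verified offline.
self_check() {
    printf '%s\n' '# search result' 'search: 2' \
        'result: 2 Protocol error' 'text: controls require LDAPv3' | classify_result
}

# v2_loop: background stream of LDAPv2 searches (terminal A of the test case).
v2_loop() {
    while :; do
        ldapsearch -x -h "$LDAP_HOST" -b "$LDAP_BASE" -P 2 "uid=dontcare" >/dev/null 2>&1
        sleep 0.1
    done
}

# count_failures: run ATTEMPTS LDAPv3 searches carrying the manageDSAit
# control (-M, terminal B of the test case) and print how many hit the bug.
count_failures() {
    fails=0
    i=0
    while [ "$i" -lt "$ATTEMPTS" ]; do
        case $(ldapsearch -x -h "$LDAP_HOST" -b "$LDAP_BASE" -M "uid=dontcare" 2>&1 | classify_result) in
            protocol-error) fails=$((fails + 1)) ;;
        esac
        i=$((i + 1))
        sleep 0.2
    done
    echo "$fails"
}

# reproduce: start the v2 loop, let it run a while (the report says this raises
# the failure chance), then count failing v3 searches. Exit status is 0 only
# when no search failed, i.e. the fixed slapd.
reproduce() {
    v2_loop &
    loop_pid=$!
    trap 'kill "$loop_pid" 2>/dev/null' EXIT INT TERM
    sleep 5
    fails=$(count_failures)
    kill "$loop_pid" 2>/dev/null
    trap - EXIT INT TERM
    echo "$fails of $ATTEMPTS LDAPv3 searches failed with 'controls require LDAPv3'"
    [ "$fails" -eq 0 ]
}

# Only contact a server when explicitly asked, so the file can be sourced or
# checked without a slapd in reach.
if [ -n "${LDAP_HOST:-}" ]; then
    : "${LDAP_BASE:=o=company}"
    : "${ATTEMPTS:=20}"
    reproduce
fi
```

Run it as LDAP_HOST=127.0.0.1 LDAP_BASE=o=company sh repro.sh before and after installing the -proposed slapd; the page suggests 20 attempts is plenty on an affected server, and the exit status makes the script usable from a verification job.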

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openldap (Ubuntu):
status: New → Confirmed
cswingle (cswingle) wrote :

I also have this issue with a 12.04 server, also using replication. The issue appears on the slave, not the master, but the master LDAP server is still running 10.04, so I don't know if that is relevant or not. This morning I installed libnss-ldapd / libpam-ldapd (which also installed nscd) and I haven't noted the group mapping or the "controls require LDAPv3" error since. However, since nscd is now running, it could be that I was just lucky and that my first connection managed to grab the LDAP groups, was then cached, and subsequent connections are getting the correct group membership from nscd.

In any case, this is a critical bug because it affects what individual users will have access to. If their logon (local / Samba / etc.) doesn't map the proper groups, they're locked out of shared resources they need.

cswingle (cswingle) wrote :

In my earlier comment (#5) I mentioned installing libnss-ldapd / libpam-ldapd as replacements for libnss-ldap / libpam-ldap. This did *not* solve the issue with group mappings: I experience the group mapping failures with both versions of the libnss and libpam LDAP packages on my 12.04 server.

PierreF (pierre-fersing) wrote :

I can reproduce this issue with a simple ldapsearch:

ldapsearch -h ldap-1 -b ou=people,o=company -x "(&(&(objectClass=posixAccount)(uid=*))(uid=pierref))" -M -v

Note: I think the exact query filter doesn't matter, only the -M switch is important.

The result when it fails is:

ldap_initialize( ldap://ldap-1)
filter: (&(&(objectClass=posixAccount)(uid=*))(uid=pierref))
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <ou=people,o=company> with scope subtree
# filter: (&(&(objectClass=posixAccount)(uid=*))(uid=pierref))
# requesting: ALL
# with manageDSAit control
#

# search result
search: 2
result: 2 Protocol error
text: controls require LDAPv3

# numResponses: 1

But this doesn't occur often... running this command every 5 seconds generated only 6 errors in 3 hours.

cswingle (cswingle) wrote :

I can also reproduce this issue with the same ldapsearch, except I get a failure about half the time (this is with the daemon versions of lib(pam|nss)-ldapd):

$ ldapsearch -h localhost -b ou=people,dc=company,dc=com -x "(&(&(objectClass=posixAccount)(uid=*))(uid=cswingley))" -M -v
ldap_initialize( ldap://localhost )
filter: (&(&(objectClass=posixAccount)(uid=*))(uid=cswingley))
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=company,dc=com> with scope subtree
# filter: (&(&(objectClass=posixAccount)(uid=*))(uid=cswingley))
# requesting: ALL
# with manageDSAit control
#

# search result
search: 2
result: 2 Protocol error
text: controls require LDAPv3

# numResponses: 1

I tried rebuilding 'nss-pam-ldapd' from the latest upstream sources (0.8.10), copying the debian directory over from the 12.04 src package and modifying the changelog, and the problem is still there, so it doesn't seem to be an issue that was fixed in upstream.

PierreF (pierre-fersing) wrote :

I have found an upstream ticket which seems to be exactly our issue: ITS#7107 [1].

It's fixed upstream, but was fixed after the release of 2.4.28. It's a one-line fix, see git commit [2].

I haven't tested whether it effectively fixes our issue, but the description seems very close to our problem.

[1]: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7107;selectid=7107
[2]: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=85c1c545f4e20882a2f748fcef5f732ea2d2ecf6

Changed in openldap (Ubuntu):
importance: Undecided → Medium
James Page (james-page) on 2012-07-19
Changed in openldap (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Medium
milestone: none → ubuntu-12.04.1
Changed in openldap (Ubuntu):
status: Confirmed → Triaged
PierreF (pierre-fersing) on 2012-07-19
description: updated
PierreF (pierre-fersing) wrote :

debdiff for precise sru.

PierreF (pierre-fersing) wrote :

debdiff for quantal.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.28-1.1ubuntu6

---------------
openldap (2.4.28-1.1ubuntu6) quantal; urgency=low

  * Fix issue with intermittent connection issues when using LDAPv3
    protocol (LP: #1023025):
    - d/patches/its-7107-fix-Operation-init-on-reuse.diff: Cherry picked
      patch from upstream VCS which ensures objects are initialized before
      re-use.
 -- Pierre Fersing <email address hidden> Thu, 19 Jul 2012 14:05:09 +0100

Changed in openldap (Ubuntu):
status: Triaged → Fix Released
James Page (james-page) wrote :

Pierre

Thanks for the debdiffs.

I made one change to both which was to fill out the changelog entry in more detail to explain what's being fixed and how.

Other than that looked good so uploaded.

description: updated
summary: - search fail with get_ctrls : controls require LDAPv3
+ [SRU] search fail with get_ctrls : controls require LDAPv3
James Page (james-page) on 2012-07-19
Changed in openldap (Ubuntu Precise):
assignee: nobody → James Page (james-page)
PierreF (pierre-fersing) wrote :

Great. Thanks for your quick response.

James Page (james-page) on 2012-07-19
Changed in openldap (Ubuntu Precise):
status: Triaged → In Progress

Hello PierreF, or anyone else affected,

Accepted openldap into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/openldap/2.4.28-1.1ubuntu4.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openldap (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
PierreF (pierre-fersing) wrote :

I confirm the version in proposed fixes the issue:

* before installing the proposed version, on a fully updated precise: I still reproduce the bug
* after installing slapd from proposed: I can't reproduce the bug.

Also on this machine, LDAP is used for local authentication, which still works after the update (so no regression seen).

tags: added: verification-done
removed: verification-needed

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.28-1.1ubuntu4.1

---------------
openldap (2.4.28-1.1ubuntu4.1) precise-proposed; urgency=low

  * Fix issue with intermittent connection issues when using LDAPv3
    protocol (LP: #1023025):
    - d/patches/its-7107-fix-Operation-init-on-reuse.diff: Cherry picked
      patch from upstream VCS which ensures objects are initialized before
      re-use.
 -- Pierre Fersing <email address hidden> Thu, 19 Jul 2012 14:28:34 +0100

Changed in openldap (Ubuntu Precise):
status: Fix Committed → Fix Released