Bug 1007421

Summary: Connectionless LDAP is broken for IPv6
Product: Red Hat Enterprise Linux 7
Reporter: Stef Walter <stefw>
Component: openldap
Assignee: Jan Synacek <jsynacek>
Status: CLOSED CURRENTRELEASE
QA Contact: David Spurek <dspurek>
Severity: medium
Priority: medium
Version: 7.0
CC: dspurek, ebenes, jsynacek, pkis, stefw
Target Milestone: beta
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openldap-2.4.35-7.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 12:05:33 UTC
Type: Bug
Bug Blocks: 917637, 1004442
Attachments: Patch for openldap 2.4.35 (flags: none)

Description Stef Walter 2013-09-12 13:06:34 UTC
Connectionless LDAP (i.e. cldap, enabled with -DLDAP_CONNECTIONLESS) is broken for IPv6 in current versions of openldap. Tested with version 2.4.35.

It's not clear if this ever worked properly.

Connections immediately fail with:

ldap_search_ext: Can't contact LDAP server (-1)

Comment 1 Stef Walter 2013-09-12 13:11:52 UTC
The reason for this is that the LDAP_CONNECTIONLESS buffers include a prefix containing an address in a "struct sockaddr". However, struct sockaddr is not a concrete type. In particular, struct sockaddr_in6 is longer than struct sockaddr.

Noted here: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/liblber/sockbuf.c;h=d997e92910954b943e5b3fe7139ff4caaeaf49bf;hb=HEAD#l886

So this leads to failures when using IPv6 as the code assumes that the address length is equal to sizeof (struct sockaddr). Seen here:

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/liblber/sockbuf.c;h=d997e92910954b943e5b3fe7139ff4caaeaf49bf;hb=HEAD#l940
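The size mismatch described in this comment can be reproduced outside of OpenLDAP with the plain sockets API. The program below is an added example written for this page; it is not the reporter's patch and contains no OpenLDAP code. It shows that a struct sockaddr_in6 does not fit in a bare struct sockaddr, and that passing sizeof(struct sockaddr) as the address length to sendto() on an AF_INET6 socket yields the same "Invalid argument" (EINVAL) seen in the report, while the family-specific length does not. The use of struct sockaddr_storage and a family-based length lookup is the standard remedy in socket code, not necessarily what the upstream fix did. The probe sends a single datagram to [::1]:9 (the discard port); on a host without IPv6 it reports -1 instead.

```c
/* Added example (not from the bug report or OpenLDAP): why a
 * "struct sockaddr"-sized address prefix breaks IPv6, and how the
 * family-specific length keeps sendto() from returning EINVAL. */
#define _POSIX_C_SOURCE 200112L
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Length the kernel expects for an address of the given family.
 * Returns 0 for families this example does not handle. */
socklen_t addrlen_for(const struct sockaddr *sa)
{
    switch (sa->sa_family) {
    case AF_INET:  return sizeof(struct sockaddr_in);
    case AF_INET6: return sizeof(struct sockaddr_in6);
    default:       return 0;
    }
}

/* 1 if an address of this family fits in a bare "struct sockaddr",
 * 0 if it would be truncated (the IPv6 case from the report). */
int fits_in_sockaddr(const struct sockaddr *sa)
{
    socklen_t need = addrlen_for(sa);
    return need != 0 && need <= sizeof(struct sockaddr);
}

/* Send one UDP datagram to [::1]:9 with either the truncated
 * sizeof(struct sockaddr) length (truncate != 0) or the correct
 * sizeof(struct sockaddr_in6). Returns 0 on success, the errno from
 * sendto() on failure, or -1 if no AF_INET6 socket can be created
 * (IPv6 disabled or sockets not permitted on this host). */
int probe_sendto(int truncate)
{
    struct sockaddr_storage ss;                      /* big enough for any family */
    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss;
    static const char payload[] = "probe";           /* constructed test datagram */
    socklen_t len;
    int fd, rc;

    memset(&ss, 0, sizeof ss);
    sin6->sin6_family = AF_INET6;
    sin6->sin6_port = htons(9);
    sin6->sin6_addr = in6addr_loopback;

    fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    len = truncate ? (socklen_t)sizeof(struct sockaddr)
                   : addrlen_for((struct sockaddr *)&ss);
    rc = sendto(fd, payload, sizeof payload, 0, (struct sockaddr *)&ss, len);
    rc = (rc < 0) ? errno : 0;
    close(fd);
    return rc;
}

static const char *describe(int rc)
{
    if (rc == -1) return "no IPv6 socket available";
    if (rc == 0)  return "sent";
    return strerror(rc);
}

int main(void)
{
    int truncated = probe_sendto(1);
    int correct = probe_sendto(0);

    printf("sizeof(struct sockaddr)     = %zu\n", sizeof(struct sockaddr));
    printf("sizeof(struct sockaddr_in6) = %zu\n", sizeof(struct sockaddr_in6));
    printf("sendto with addrlen=%zu: %s\n", sizeof(struct sockaddr), describe(truncated));
    printf("sendto with addrlen=%zu: %s\n", sizeof(struct sockaddr_in6), describe(correct));
    return 0;
}
```

On Linux the truncated call fails early in the kernel's IPv6 UDP send path because the supplied length is shorter than a minimal struct sockaddr_in6, which is exactly the EINVAL behind "ldap_write: want=96 error=Invalid argument"; the correct length either succeeds or fails with a routing error unrelated to the address length.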

Comment 3 Stef Walter 2013-09-12 15:15:43 UTC
Example command:

$ ldapsearch -d -1 -LL -H 'cldap://[2620:52:0:2223::1:1]' -b '' -s base '(&(DnsDomain=ad.baseos.qe)(NtVer=\06\00\00\00))' NetLogon

Output will contain this:

ldap_write: want=96 error=Invalid argument

Which is the EINVAL resulting from a bad value passed to sendto().

Comment 4 Stef Walter 2013-09-12 15:16:56 UTC
Created attachment 796913
Patch for openldap 2.4.35

Comment 5 Jan Synacek 2013-10-08 10:48:23 UTC
I'm quite reluctant to apply this patch without it being upstreamed first.

Comment 6 Jan Synacek 2013-10-11 05:45:07 UTC
The fixes have landed in upstream git.

Comment 12 Ludek Smid 2014-06-13 12:05:33 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.