Bug 555189

Summary: ldclt: -e randombinddnfromfile fails with LDAP_UNWILLING_TO_PERFORM (53)
Product: [Retired] 389
Component: Command Line Utilities
Version: 1.3.0
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: low
Hardware: All
OS: Linux
Reporter: Noriko Hosoi <nhosoi>
Assignee: Noriko Hosoi <nhosoi>
QA Contact: Viktor Ashirov <vashirov>
CC: amsharma, sramling
Doc Type: Bug Fix
Last Closed: 2015-12-07 16:55:50 UTC
Bug Blocks: 495079, 639035
Attachments: git patch for ldclt (flags: rmeggins: review+)

Description Noriko Hosoi 2010-01-13 23:46:33 UTC
Description of problem:
ldclt code is not passing the password correctly to ldap_sasl_bind_s.

The server receives NULL credential.  Due to the default configuration:
 nsslapd-allow-unauthenticated-binds: off
the unauthenticated bind fails.

Comment 1 Noriko Hosoi 2010-01-14 00:26:18 UTC
Created attachment 383582 [details]
git patch for ldclt

Description
When "-e randombinddnfromfile=file" is given, bind dn and password pair
is retrieved from the file and is supposed to be passed to ldap_sasl_bind_s.
Although the password was read from the file, it was not set to the
berval "cred" which was passed to ldap_sasl_bind_s.  Therefore, the
bind operation tried to bind with bind dn and NULL password, which now
fails since it's considered as an unauthenticated bind.

Also, a usage typo is being fixed.
---
 ldap/servers/slapd/tools/ldclt/ldapfct.c |   53 +++++++++++++++++++----------
 ldap/servers/slapd/tools/ldclt/ldclt.use |    2 +-
 ldap/servers/slapd/tools/ldclt/ldcltU.c  |    4 +-
 3 files changed, 38 insertions(+), 21 deletions(-)

Comment 2 Noriko Hosoi 2010-01-14 19:06:15 UTC
Thanks to Rich for reviewing the change.  Pushed to master.

$ git merge work
Updating 008edfb..80fb1c7
Fast forward
  ldap/servers/slapd/tools/ldclt/ldapfct.c |   53 +++++++++++++++++++----------
  ldap/servers/slapd/tools/ldclt/ldclt.use |    2 +-
  ldap/servers/slapd/tools/ldclt/ldcltU.c  |    4 +-
  3 files changed, 38 insertions(+), 21 deletions(-)
$ git push
Counting objects: 19, done.
Delta compression using 2 threads.
Compressing objects: 100% (10/10), done.
Writing objects: 100% (10/10), 1.61 KiB, done.
Total 10 (delta 8), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
    008edfb..80fb1c7  master -> master

Comment 3 Sankar Ramalingam 2011-07-28 12:37:04 UTC
Steps to verify:
---------------
1. Add 100 entries using ldclt.
 ldclt -h $HOST -p $PORT -D "cn=directory manager" -w Secret123 -b "dc=example,dc=com" -e "object=Users.ldif,rdn=uid:testusr[A=INCRNNOLOOP(100;199;3)]" -e add,commoncounter -n 20 -N 100 -T 100

cat Users.ldif

objectClass: top
objectclass: person
objectClass: inetorgperson
sn: new[A]
cn: new[A]
telephoneNumber: 98[A]
mail: new[A]@redhat.com
givenName: new[A]
userPassword: Secret[A]

2. Create a random bind dn file as this

uid=testusr100,dc=example,dc=com	Secret100
uid=testusr101,dc=example,dc=com	Secret101
uid=testusr102,dc=example,dc=com	Secret102
uid=testusr103,dc=example,dc=com	Secret103
uid=testusr104,dc=example,dc=com	Secret104
uid=testusr105,dc=example,dc=com	Secret105
uid=testusr106,dc=example,dc=com	Secret106
uid=testusr107,dc=example,dc=com	Secret107

3.  ldclt -h $HOST -p $PORT -b "dc=example,dc=com" -e bindeach,bindonly  -e randombinddnfromfile=/export/data/bind.txt

Comment 4 Amita Sharma 2011-07-28 13:15:49 UTC
(In reply to comment #3)
> Steps to verify:
> ---------------
> 1. Add 100 entries using ldclt.
>  ldclt -h $HOST -p $PORT -D "cn=directory manager" -w Secret123 -b
> "dc=example,dc=com" -e
> "object=Users.ldif,rdn=uid:testusr[A=INCRNNOLOOP(100;199;3)]" -e
> add,commoncounter -n 20 -N 100 -T 100
> 
> cat Users.ldif
> 
> objectClass: top
> objectclass: person
> objectClass: inetorgperson
> sn: new[A]
> cn: new[A]
> telephoneNumber: 98[A]
> mail: new[A]@redhat.com
> givenName: new[A]
> userPassword: Secret[A]
> 
> 2. Create a random bind dn file as this
> 
> uid=testusr100,dc=example,dc=com Secret100
> uid=testusr101,dc=example,dc=com Secret101
> uid=testusr102,dc=example,dc=com Secret102
> uid=testusr103,dc=example,dc=com Secret103
> uid=testusr104,dc=example,dc=com Secret104
> uid=testusr105,dc=example,dc=com Secret105
> uid=testusr106,dc=example,dc=com Secret106
> uid=testusr107,dc=example,dc=com Secret107
>
 
This should have a tab between uid and password:
uid=testusr100,dc=example,dc=com<tab>Secret100

> 3.  ldclt -h $HOST -p $PORT -b "dc=example,dc=com" -e bindeach,bindonly  -e
> randombinddnfromfile=/export/data/bind.txt

ldclt -h localhost -p 389 -b "dc=pnq,dc=redhat,dc=com" -e bindeach,bindonly  -e randombinddnfromfile=/export/bind.txt -N 10
ldclt version 4.23
ldclt[11168]: Starting at Thu Jul 28 18:33:14 2011

ldclt[11168]: Average rate: 2032.50/thr  (2032.50/sec), total:  20325
ldclt[11168]: Average rate:  924.50/thr  ( 924.50/sec), total:   9245
ldclt[11168]: Average rate:  209.60/thr  ( 209.60/sec), total:   2096
ldclt[11168]: Average rate:  200.40/thr  ( 200.40/sec), total:   2004
ldclt[11168]: Average rate:  193.40/thr  ( 193.40/sec), total:   1934
ldclt[11168]: Average rate:  185.70/thr  ( 185.70/sec), total:   1857
ldclt[11168]: Average rate:  178.40/thr  ( 178.40/sec), total:   1784
ldclt[11168]: Average rate:  174.10/thr  ( 174.10/sec), total:   1741
ldclt[11168]: Average rate:  170.60/thr  ( 170.60/sec), total:   1706
ldclt[11168]: Average rate:  712.90/thr  ( 712.90/sec), total:   7129
ldclt[11168]: Number of samples achieved. Bye-bye...
ldclt[11168]: All threads are dead - exit.
ldclt[11168]: Global average rate: 4982.10/thr  (498.21/sec), total:  49821
ldclt[11168]: Global number times "no activity" reports: never
ldclt[11168]: Global no error occurs during this session.
ldclt[11168]: Ending at Thu Jul 28 18:34:54 2011
ldclt[11168]: Exit status 0 - No problem during execution.

Thanks Sankar for the steps. Hence marking VERIFIED.
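
Added example (not part of the bug report, and not ldclt's own code): a self-contained C check for the two points raised above, that each bind-file line is `DN<tab>password` (comment 4) and that the password read from the file actually ends up in the credential handed to the bind call (comment 1). `struct cred`, `parse_bind_line` and the sample lines are hypothetical names and constructed data; that the separator must be a tab is taken from comment 4.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the (length, value) credential of a simple bind;
 * not the real struct berval from <lber.h>. */
struct cred { size_t len; const char *val; };

enum line_status { LINE_OK, LINE_NO_TAB, LINE_EMPTY_DN, LINE_EMPTY_PW };

/* Split one "DN<tab>password" line in place and fill *cred from the password.
 * Any status other than LINE_OK leaves the credential empty, which a server
 * with nsslapd-allow-unauthenticated-binds: off rejects. */
enum line_status parse_bind_line(char *line, const char **dn, struct cred *cred)
{
    line[strcspn(line, "\r\n")] = '\0';   /* drop the line terminator */
    *dn = NULL;
    cred->len = 0;
    cred->val = NULL;
    char *tab = strchr(line, '\t');
    if (tab == NULL)
        return LINE_NO_TAB;               /* e.g. space-separated pair */
    *tab = '\0';
    if (line[0] == '\0')
        return LINE_EMPTY_DN;
    if (tab[1] == '\0')
        return LINE_EMPTY_PW;
    *dn = line;
    cred->val = tab + 1;                  /* password -> credential: the step
                                             the bug description says was missing */
    cred->len = strlen(cred->val);
    return LINE_OK;
}

int main(void)
{
    /* Constructed sample lines: tab-separated, space-separated, empty password. */
    char lines[][64] = {
        "uid=testusr100,dc=example,dc=com\tSecret100\n",
        "uid=testusr101,dc=example,dc=com Secret101\n",
        "uid=testusr102,dc=example,dc=com\t\n",
    };
    static const char *why[] = { "ok", "no tab", "empty DN", "empty password" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        const char *dn;
        struct cred cred;
        enum line_status st = parse_bind_line(lines[i], &dn, &cred);
        printf("line %zu: %s (credential length %zu)\n", i + 1, why[st], cred.len);
    }
    return 0;
}
```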

Comment 7 Sankar Ramalingam 2011-07-28 14:16:30 UTC
 /usr/bin/ldclt -h 10.65.201.68 -p 1589 -b "dc=testldclt,dc=com" -e bindeach,bindonly  -e randombinddnfromfile=/export/data/bind.txt
ldclt version 4.23
ldclt[14404]: Starting at Thu Jul 28 15:52:23 2011

ldclt[14404]: Average rate: 2057.60/thr  (2057.60/sec), total:  20576
ldclt[14404]: T002: Cannot ldap_simple_bind_s (uid=newuser105,dc=testldclt,dc=com, Secret105), error=-1 (Can't contact LDAP server)
ldclt[14404]: Illegal error number -1
ldclt[14404]: T002: thread is dead.
ldclt[14404]: T008: Cannot ldap_simple_bind_s (uid=newuser106,dc=testldclt,dc=com, Secret106), error=-1 (Can't contact LDAP server)
ldclt[14404]: Illegal error number -1
ldclt[14404]: T005: thread is dead.
ldclt[14404]: T006: Cannot ldap_simple_bind_s (uid=newuser104,dc=testldclt,dc=com, Secret104), error=-1 (Can't contact LDAP server)
ldclt[14404]: Illegal error number -1
ldclt[14404]: T006: thread is dead.
ldclt[14404]: Average rate:  763.60/thr  ( 763.60/sec), total:   7636
ldclt[14404]: Average rate:    0.00/thr  (   0.00/sec), total:      0
ldclt[14404]: All threads are dead - exit.
ldclt[14404]: Global average rate: 2821.20/thr  (940.40/sec), total:  28212
ldclt[14404]: Global number times "no activity" reports: never
ldclt[14404]: Global number of dead threads: 10
ldclt[14404]: Global illegal errors (codes not in [0, 97]) occurs    10 times
ldclt[14404]: Ending at Thu Jul 28 15:52:53 2011
ldclt[14404]: Exit status 4 - Cannot bind.


In fact, I have seen similar error messages in the SSL stress tests. I am not sure what's wrong here.

These messages are from SSL stress tests.

ldclt[22417]: Illegal error number -1
ldclt[22428]: Illegal error number -1
ldclt[22439]: Illegal error number -1

Comment 8 Noriko Hosoi 2011-07-28 18:06:05 UTC
Unfortunately, the error is coming from the network connection failure.  Ldclt is sending out too many connection/bind requests.  Error -1 is considered "Can't contact LDAP server", but actually the server is up and most bind requests are processed properly.  For instance,
[28/Jul/2011:15:52:36 -0400] conn=28230 op=0 BIND dn="uid=newuser102,dc=testldclt,dc=com" method=128 version=3
[28/Jul/2011:15:52:36 -0400] conn=28230 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=newuser102,dc=testldclt,dc=com"

There is no error logged in the access log.
# egrep err= /var/log/dirsrv/slapd-testldclt/access | egrep -v err=0
#

To use ldclt for stressing the server, please ignore '-1' as follows:
ldclt -h localhost -p 10389 -b "..." -e bindeach,bindonly -e randombinddnfromfile=/path/to/bind.txt -I '-1'

Or you could run with '-W 1' to slow down ldclt to verify this bug.

Comment 9 Sankar Ramalingam 2011-07-29 14:36:36 UTC
As per comment #8, problem goes off when using ldclt commands with -W and -I '-1' options.

ldclt -h 10.65.201.68 -p 1589 -b "dc=testldclt,dc=com" -e bindeach,bindonly  -e randombinddnfromfile=/export/data/bind.txt -n 10 -N 10 -T 10 -I '-1' -W 2
ldclt version 4.23
ldclt[22145]: Starting at Fri Jul 29 16:51:16 2011

ldclt[22145]: Average rate:    4.00/thr  (   4.00/sec), total:     40
ldclt[22145]: Average rate:    5.00/thr  (   5.00/sec), total:     50
ldclt[22145]: Average rate:    1.00/thr  (   1.00/sec), total:     10
ldclt[22145]: Average rate:    0.00/thr  (   0.00/sec), total:      0
ldclt[22145]: All threads are dead - exit.
ldclt[22145]: Global average rate:   10.00/thr  (  2.50/sec), total:    100
ldclt[22145]: Global number times "no activity" reports: never
ldclt[22145]: Global number of dead threads: 10
ldclt[22145]: Global no error occurs during this session.
ldclt[22145]: Ending at Fri Jul 29 16:51:56 2011
ldclt[22145]: Exit status 0 - No problem during execution.