Bug 1007421 - Connectionless LDAP is broken for IPv6
Connectionless LDAP is broken for IPv6
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openldap (Show other bugs)
Unspecified Unspecified
medium Severity medium
: beta
: ---
Assigned To: Jan Synacek
David Spurek
Depends On:
Blocks: 917637 1004442
  Show dependency treegraph
Reported: 2013-09-12 09:06 EDT by Stef Walter
Modified: 2015-03-02 00:28 EST (History)
5 users (show)

See Also:
Fixed In Version: openldap-2.4.35-7.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-06-13 08:05:33 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch for openldap 2.4.35 (8.61 KB, patch)
2013-09-12 11:16 EDT, Stef Walter
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
OpenLDAP ITS 7694 None None None Never

  None (edit)
Description Stef Walter 2013-09-12 09:06:34 EDT
Connectionless LDAP (ie: cldap enabled with -DLDAP_CONNECTIONLESS) is broken for IPv6 for current versions of openldap. Tested with version 2.4.35

It's not clear if this ever worked properly.

Connections immediately fail with:

ldap_search_ext: Can't contact LDAP server (-1)
Comment 1 Stef Walter 2013-09-12 09:11:52 EDT
The reason for this is that the LDAP_CONNECTIONLESS buffers include a prefix containing an address in a "struct sockaddr". However, struct sockaddr, is not a concrete type. In particular struct sockaddr_in6 is longer than struct sockaddr.

Noted here: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/liblber/sockbuf.c;h=d997e92910954b943e5b3fe7139ff4caaeaf49bf;hb=HEAD#l886

So this leads to failures when using IPv6 as the code assumes that the address length is equal to sizeof (struct sockaddr). Seen here:

Comment 3 Stef Walter 2013-09-12 11:15:43 EDT
Example command:

$ ldapsearch -d -1 -LL -H 'cldap://[2620:52:0:2223::1:1]' -b '' -s base '(&(DnsDomain=ad.baseos.qe)(NtVer=\06\00\00\00))' NetLogon

Output will contain this:

ldap_write: want=96 error=Invalid argument

Which is the EINVAL resulting from bad value passed to sendto().
Comment 4 Stef Walter 2013-09-12 11:16:56 EDT
Created attachment 796913 [details]
Patch for openldap 2.4.35
Comment 5 Jan Synacek 2013-10-08 06:48:23 EDT
I'm quite reluctant to apply this patch without it being upstreamed first.
Comment 6 Jan Synacek 2013-10-11 01:45:07 EDT
The fixes have landed in upstream git.
Comment 12 Ludek Smid 2014-06-13 08:05:33 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.