Red Hat Bugzilla – Bug 1007421
Connectionless LDAP is broken for IPv6
Last modified: 2015-03-02 00:28:10 EST
Connectionless LDAP (i.e. cldap enabled with -DLDAP_CONNECTIONLESS) is broken for IPv6 for current versions of openldap. Tested with version 2.4.35.
It's not clear if this ever worked properly.
Connections immediately fail with:
ldap_search_ext: Can't contact LDAP server (-1)
The reason for this is that the LDAP_CONNECTIONLESS buffers include a prefix containing an address in a "struct sockaddr". However, struct sockaddr is not a concrete type. In particular, struct sockaddr_in6 is longer than struct sockaddr.
Noted here: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/liblber/sockbuf.c;h=d997e92910954b943e5b3fe7139ff4caaeaf49bf;hb=HEAD#l886
So this leads to failures when using IPv6, as the code assumes that the address length is equal to sizeof(struct sockaddr). Seen here:
$ ldapsearch -d -1 -LL -H 'cldap://[2620:52:0:2223::1:1]' -b '' -s base '(&(DnsDomain=ad.baseos.qe)(NtVer=\06\00\00\00))' NetLogon
Output will contain this:
ldap_write: want=96 error=Invalid argument
This is the EINVAL resulting from a bad address length passed to sendto().
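Added example, not part of the bug report or of the openldap patch: a small C program that shows why sizeof(struct sockaddr) cannot be used as the address length for IPv6. It holds the peer address in a struct sockaddr_storage (large enough for any family), derives the real length from sa_family, and, when an IPv6 UDP socket can be created, calls sendto() once with the too-short length and once with the correct one so the EINVAL from the report can be observed. The helper names (sa_len_for_family, parse_addr, short_addrlen_truncates) and the sample port are assumptions; the IPv6 address is the one from the ldapsearch command above, used purely as a constructed input (nothing needs to be listening).

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Return the real byte length of a socket address from its family.
 * struct sockaddr is only a generic header (16 bytes on Linux); a
 * struct sockaddr_in6 is 28 bytes, so sizeof(struct sockaddr) truncates it. */
socklen_t sa_len_for_family(const struct sockaddr *sa)
{
    switch (sa->sa_family) {
    case AF_INET:  return (socklen_t)sizeof(struct sockaddr_in);
    case AF_INET6: return (socklen_t)sizeof(struct sockaddr_in6);
    default:       return 0;            /* unknown family: caller must reject */
    }
}

/* Parse a textual IPv4 or IPv6 address into a sockaddr_storage.
 * Returns the correct addrlen for sendto()/connect(), or 0 on failure. */
socklen_t parse_addr(const char *ip, unsigned short port, struct sockaddr_storage *ss)
{
    struct sockaddr_in  *s4 = (struct sockaddr_in *)ss;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;

    memset(ss, 0, sizeof *ss);
    if (inet_pton(AF_INET, ip, &s4->sin_addr) == 1) {
        s4->sin_family = AF_INET;
        s4->sin_port   = htons(port);
        return (socklen_t)sizeof *s4;
    }
    if (inet_pton(AF_INET6, ip, &s6->sin6_addr) == 1) {
        s6->sin6_family = AF_INET6;
        s6->sin6_port   = htons(port);
        return (socklen_t)sizeof *s6;
    }
    return 0;
}

/* 1 if passing sizeof(struct sockaddr) as addrlen would cut this address short. */
int short_addrlen_truncates(const struct sockaddr *sa)
{
    return sa_len_for_family(sa) > (socklen_t)sizeof(struct sockaddr);
}

/* Send one datagram with the given addrlen; returns 0 on success, else errno. */
static int try_sendto(int fd, const struct sockaddr *sa, socklen_t addrlen)
{
    const char payload[] = "x";            /* constructed, content is irrelevant */
    if (sendto(fd, payload, sizeof payload, 0, sa, addrlen) < 0)
        return errno;
    return 0;
}

int main(void)
{
    struct sockaddr_storage ss;
    const struct sockaddr *sa = (const struct sockaddr *)&ss;
    socklen_t len = parse_addr("2620:52:0:2223::1:1", 389, &ss);   /* address from the report */

    printf("sizeof(struct sockaddr)     = %zu\n", sizeof(struct sockaddr));
    printf("sizeof(struct sockaddr_in6) = %zu\n", sizeof(struct sockaddr_in6));
    printf("correct addrlen for this peer = %u, truncated by generic sizeof: %s\n",
           (unsigned)len, short_addrlen_truncates(sa) ? "yes" : "no");

    /* Demonstrate the kernel's reaction to the short length (needs IPv6 support). */
    int fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd < 0) {
        printf("no IPv6 socket available (%s); skipping sendto demo\n", strerror(errno));
        return 0;
    }
    int err_short = try_sendto(fd, sa, (socklen_t)sizeof(struct sockaddr));
    int err_full  = try_sendto(fd, sa, len);
    printf("sendto with sizeof(struct sockaddr): %s\n", err_short ? strerror(err_short) : "ok");
    printf("sendto with family-derived length:   %s\n", err_full  ? strerror(err_full)  : "ok");
    close(fd);
    return 0;
}
```

On Linux the first sendto() reports "Invalid argument", matching the ldap_write error in the report; the second is accepted by the kernel (it may still fail later with a routing error if no IPv6 route exists, which is a different errno). The fix pattern is the same one the upstream change needed: store addresses in a buffer sized for the largest family and carry the family-specific length alongside it instead of assuming sizeof(struct sockaddr).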
Created attachment 796913 [details]
Patch for openldap 2.4.35
I'm quite reluctant to apply this patch without it being upstreamed first.
The fixes have landed in upstream git.
Fix pushed to 'private-jsynacek-rhel-7-cldap-fix'.
This request was resolved in Red Hat Enterprise Linux 7.0.
Contact your manager or support representative in case you have further questions about the request.