Re: [exim] Compiling and using exim with LDAP on Solaris wit…

Author: Robert Bannocks
Date:  
To: exim-users, ph10
CC: Christian Kuehn
Subject: Re: [exim] Compiling and using exim with LDAP on Solaris with Solarios LDAP libraries
Philip,

This does not work with 4.63

Here is a trace with the following command line on Solaris with Exim
compiled against Solaris Lib LDAP
(I am using Solaris 9 with a recent recommended patch list as of August
2006).

# ./bin/exim -d+all -C configure.exim.list -bt r.bannocks@??? 2>ldap.stderr
r.bannocks@??? cannot be resolved at this time:
condition check lookup defer

The output of stderr is attached below. You will see that it returns
return codes 94 and 115 which a grep of /usr/include/ldap.c
gives

# grep '94' /usr/include/ldap.h
#define LDAP_NO_RESULTS_RETURNED        0x5e    /* 94 - LDAPv3 */
# grep '115' /usr/include/ldap.h
#define LDAP_RES_SEARCH_REFERENCE       0x73    /* 115 */


And a search for LDAP_RES_SEARCH_REFERENCE and LDAP_RES_SEARCH_REFERENCE
gives

# grep LDAP_RES_SEARCH_REFERENCE /usr/include/ldap.h
#define LDAP_RES_SEARCH_REFERENCE       0x73    /* 115 */
# grep LDAP_RES_SEARCH_RESULT /usr/include/ldap.h
#define LDAP_RES_SEARCH_RESULT          0x65    /* 101 */


The problem seems to be in src/lookups/ldap.c

Here the case of having a LDAP lib which deals with references
(lines 804 to 819) is caught in one place:

/* A return code that isn't -1 doesn't necessarily mean there were no problems
with the search. The message must be an LDAP_RES_SEARCH_RESULT or
LDAP_RES_SEARCH_REFERENCE or else it's something we can't handle. Some versions
of LDAP do not define LDAP_RES_SEARCH_REFERENCE (LDAP v1 is one, it seems). So
we don't provide that functionality when we can't. :-) */

if (rc != LDAP_RES_SEARCH_RESULT
#ifdef LDAP_RES_SEARCH_REFERENCE
    && rc != LDAP_RES_SEARCH_REFERENCE
#endif
   )
  {
  *errmsg = string_sprintf("ldap_result returned unexpected code %d", rc);
  goto RETURN_ERROR;
  }


But at no point later in the code is the reference dealt with and we
end up parsing the (null) results and then getting blown out at (lines
867-891):

if (rc != LDAP_SUCCESS && rc != LDAP_SIZELIMIT_EXCEEDED)
  {
  *errmsg = string_sprintf("LDAP search failed - error %d: %s%s%s%s%s",
    rc,
    (error1 != NULL)?                       error1  : US"",
    (error2 != NULL && error2[0] != 0)?     US"/"   : US"",
    (error2 != NULL)?                       error2  : US"",
    (matched != NULL && matched[0] != 0)?   US"/"   : US"",
    (matched != NULL)?                      matched : US"");


  #if defined LDAP_NAME_ERROR
  if (LDAP_NAME_ERROR(rc))
  #elif defined NAME_ERROR    /* OPENLDAP1 calls it this */
  if (NAME_ERROR(rc))
  #else
  if (rc == LDAP_NO_SUCH_OBJECT)
  #endif
    {
    DEBUG(D_lookup) debug_printf("lookup failure forced\n");
    error_yield = FAIL;
    }
  goto RETURN_ERROR;
  }


> -----Original Message-----
> From: Philip Hazel [mailto:ph10@hermes.cam.ac.uk]
> Sent: 05 December 2006 09:39
> To: Robert Bannocks
> Cc: Christian Kuehn; exim-users@???
> Subject: Re: [exim] Compiling and using exim with LDAP on
> Solaris with Solarios LDAP libraries
>
> On Mon, 4 Dec 2006, Robert Bannocks wrote:
>
> > The problem turned out to be that Exim cannot handle references coming
> > back from the AD ldap servers.
>
> Which release of Exim? The headers in your message suggest
> that you are using 4.22.
>
> > I hope fixing this is down on the TO-do list for exim.
>
> The ChangeLog for 4.50 contains this entry:
>
> 54. The LDAP lookup was not handling a return of
>     LDAP_RES_SEARCH_REFERENCE. A patch that reportedly fixes this has
>     been added. I am not expert enough to create a test for it. This is
>     what the patch creator wrote:
>
>       "I found a little strange behaviour of ldap code when working with
>       Windows 2003 AD Domain, where users was placed in more than one
>       Organization Units. When I tried to give exim partial DN, the exit
>       code of ldap_search was unknown to exim because of
>       LDAP_RES_SEARCH_REFERENCE. But simultaneously result of request
>       was absolutely normal ldap result, so I produce this patch..."
>
>     Later: it seems that not all versions of LDAP support
>     LDAP_RES_SEARCH_REFERENCE, so I have modified the code to exclude
>     the patch when that macro is not defined.
>
> If you are in fact using 4.50 or later, then it would seem
> that this patch is not working.
>
> General Note to The List: Please try to get into the habit of
> stating which Exim version you are using. It does make it
> easier to respond.
>
> -- 
> Philip Hazel            University of Cambridge Computing Service
> Get the Exim 4 book:    http://www.uit.co.uk/exim-book

>
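
A simplified model of the message-type handling discussed in this thread, added as an example (not code from Exim or from the original messages). It assumes search results arrive one message at a time and contrasts a read loop that stops on the first non-entry message with one that skips references; the function names and sample stream are constructed, and the value 0x64 for LDAP_RES_SEARCH_ENTRY is the standard one, not taken from the greps above.

```c
#include <stddef.h>

/* Message types: RESULT and REFERENCE values are from the ldap.h greps in the
   message; SEARCH_ENTRY (0x64) is the standard value and is not quoted there. */
#define RES_SEARCH_ENTRY     0x64
#define RES_SEARCH_RESULT    0x65
#define RES_SEARCH_REFERENCE 0x73

typedef struct {
  int entries;     /* search entries consumed */
  int references;  /* continuation references seen and skipped */
  int last_type;   /* type of the message the loop stopped on, 0 if none */
} drain_summary;

/* Model of a loop that reads only while the type is SEARCH_ENTRY and then
   treats whatever stopped it as the final message. */
drain_summary drain_entries_only(const int *types, size_t n)
{
  drain_summary s = {0, 0, 0};
  for (size_t i = 0; i < n; i++) {
    s.last_type = types[i];
    if (types[i] != RES_SEARCH_ENTRY) break;
    s.entries++;
  }
  return s;
}

/* Same loop, but references are counted and skipped, so only a
   SEARCH_RESULT (or an unknown type) ends the read. */
drain_summary drain_skip_references(const int *types, size_t n)
{
  drain_summary s = {0, 0, 0};
  for (size_t i = 0; i < n; i++) {
    s.last_type = types[i];
    if (types[i] == RES_SEARCH_ENTRY) { s.entries++; continue; }
    if (types[i] == RES_SEARCH_REFERENCE) { s.references++; continue; }
    break;  /* SEARCH_RESULT or something unexpected */
  }
  return s;
}

/* Only a SEARCH_RESULT message carries the result code to be parsed. */
int safe_to_parse_result(drain_summary s)
{
  return s.last_type == RES_SEARCH_RESULT;
}

/* Constructed stream: one entry, a reference, another entry, then the result. */
static const int sample_stream[] = {
  RES_SEARCH_ENTRY, RES_SEARCH_REFERENCE, RES_SEARCH_ENTRY, RES_SEARCH_RESULT
};
```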