#119 LDAP mail lookup problem when having to use a password

None
closed-fixed
nobody
None
5
2019-09-12
2014-09-23
Anonymous
No

Hi Jan Kara,

This ticket is a follow-up to ticket #116 concerning user lookup using LDAP. I am still seeing the same problems.

After migrating our server to CentOS 6, I had to set up quotas again. I downloaded the latest version from the git repository (git://git.code.sf.net/p/linuxquota/code linuxquota-code) and did the following to compile the code:

aclocal
autoconf
./configure --enable-ldapmail=yes
make
make install

I am using the following warnquota.conf ldap configuration:

LDAP_MAIL = true
LDAP_URI = ldaps://<ldap server>:636
LDAP_BINDDN = cn=grid_query,dc=hpcv,dc=sara,dc=nl
LDAP_BINDPW = <password>
LDAP_BASEDN = ou=Users,dc=hpcv,dc=sara,dc=nl
LDAP_SEARCH_ATTRIBUTE = uid
LDAP_MAIL_ATTRIBUTE = mail
LDAP_DEFAULT_MAIL_DOMAIN = <default domain>

When I run warnquota, email is still sent to <user>@<default domain> instead of the email address that should be retrieved from LDAP. As my knowledge of C is very basic, I find it hard to debug warnquota.c.

Before, when our ldap database wasn't protected with a password, it worked perfectly. Apparently, the use of LDAP_BINDDN and LDAP_BINDPW messes things up and warnquota is not able to retrieve any emails anymore and uses the "default domain" instead.

I hope you can help me,

Regards,
Ernst Pijper

Discussion

  • Jan Kara

    Jan Kara - 2014-11-26

    Sorry for not getting to you earlier. Does warnquota print any error message? Also can you post config.h from your system?

     
  • Anonymous

    Anonymous - 2015-02-02

    Hi Jan Kara,

    Been very busy so completely forgot about this :(

    When I run warnquota, there are no error messages. Also, I cannot find any error messages under /var/log. I attached the config.h file you asked for.

    Is there any way I can help to debug the problem?

     
  • Jan Kara

    Jan Kara - 2015-02-02

    Hum, so your config.h shows that you didn't compile quota-tools with LDAP support (there is line /* #undef USE_LDAP_MAIL_LOOKUP */ in config.h). Is this really the config.h used for compilation? Can you check what configure script reported when trying to configure LDAP libraries?

     
  • Anonymous

    Anonymous - 2015-03-03

    Hi Jan Kara,

    Not sure what happened there, so today I decided to install from the latest git source. First of all, I had some problems compiling the code. This is what I did:

    • ./autogen.sh
    • ./configure

    got the following warning:

    config.status: WARNING: 'po/Makefile.in.in' seems to ignore the --datarootdir setting

    So I added the line datarootdir = @datarootdir@ to po/Makefile.in.in just above the line datadir = @datadir@. Now configure went ok.

    • make

    got the following error:

    rquota.c:6:20: error: rquota.h: No such file or directory

    Installing quota-devel did not solve this problem, so I replaced #include "rquota.h" with #include "rpcsvc/quota.h" in quota.c quotaops.c rquota.c rquota_client.c rquota_server.c rquota_svc.c setquota.c. Then make went through ok.

    • make install

    To test, I edited my quota with setquota such that I exceeded my quota. Then I ran warnquota:

    root# warnquota -s
    warnquota: Entry not found for client root.
    warnquota: Entry not found for client root.
    warnquota: Entry not found for client root.

    Emails were sent to the local account on the machine where I ran the above command and not to email addresses from the ldap database.

    Let me know if I can do anything to debug.

    Thanks,
    Ernst

     
  • Jan Kara

    Jan Kara - 2015-03-04

    So rquota.h should get autogenerated using rpcgen from rquota.x. I'd be interested why it doesn't happen for you. Can you have a look? But that's a separate issue.

    The errors about client root likely come from the CC line you don't seem to set in your warnquota.conf. Can you set CC_TO to something sensible just to see whether there will still be any messages? (BTW: I've just pushed out a modification to warnquota so that it doesn't add CC when it is set to an empty string).

    Finally, looking into the code, are you sure the attribute is named 'mail' in LDAP? Because the only way how I could see warnquota using default domain without any error message is when we don't find the attribute we were asked for.

    If the attribute name is right, please try running with the debug patch I'll attach in a moment.

     
  • Jan Kara

    Jan Kara - 2015-03-04

    Patch for debugging which LDAP attributes we saw.

     
  • Anonymous

    Anonymous - 2015-03-05

    I applied your patch and this is what I see:

    Searching for attribute: 'mail'
    Seeing attr: 'cn'
    Seeing attr: 'objectClass'
    Seeing attr: 'uid'
    Seeing attr: 'uidNumber'
    Seeing attr: 'gidNumber'
    Seeing attr: 'givenName'
    Seeing attr: 'sn'
    Seeing attr: 'homeDirectory'
    Seeing attr: 'loginShell'
    Seeing attr: 'surfsaraToken'

    If I query the ldap database using ldapsearch, I get this:

    # ernstp, Users, hpcv.sara.nl
    dn: uid=ernstp,ou=Users,dc=hpcv,dc=sara,dc=nl
    cn: Ernst Pijper
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: top
    objectClass: SURFsara
    objectClass: entrustIGUser
    uid: ernstp
    uidNumber: 36545
    gidNumber: 32173
    givenName: Ernst
    sn: Pijper
    homeDirectory: /home/ernstp
    loginShell: /bin/bash
    mail: <email address>
    surfsaraToken: entrust

    So somehow warnquota is not seeing the mail attribute (where I'm just assuming for the moment that it is actually there because I can see it if I do an ldapsearch).

    Concerning the CC_TO, if I set it to something sensible, the warning messages do indeed disappear. However, warnquota will now look up the CC_TO value in the ldap database as well. So, for example, if I set CC_TO = support@mydomain.nl it will give the following warning:

    warnquota: Entry not found for client support@mydomain.nl

    because there is no user 'support@mydomain.nl' in the ldap database. I would personally prefer if I could use a complete email address in CC_TO.

    I will look into the rquota.h problem a bit more. Any suggestions on where/how to debug this would be welcome. During what step should rquota.h be created?

    Below is the output of the autogen and configure step:

    root# ./autogen.sh
    autoreconf: Entering directory `.'
    autoreconf: running: autopoint --force
    Copying file ABOUT-NLS
    Copying file config.rpath
    Creating directory m4
    Copying file m4/codeset.m4
    Copying file m4/gettext.m4
    Copying file m4/glibc21.m4
    Copying file m4/iconv.m4
    Copying file m4/intdiv0.m4
    Copying file m4/inttypes-pri.m4
    Copying file m4/inttypes.m4
    Copying file m4/inttypes_h.m4
    Copying file m4/isc-posix.m4
    Copying file m4/lcmessage.m4
    Copying file m4/lib-ld.m4
    Copying file m4/lib-link.m4
    Copying file m4/lib-prefix.m4
    Copying file m4/nls.m4
    Copying file m4/po.m4
    Copying file m4/progtest.m4
    Copying file m4/stdint_h.m4
    Copying file m4/uintmax_t.m4
    Copying file m4/ulonglong.m4
    Copying file mkinstalldirs
    Copying file po/Makefile.in.in
    Copying file po/Makevars.template
    Copying file po/Rules-quot
    Copying file po/boldquot.sed
    Copying file po/en@boldquot.header
    Copying file po/en@quot.header
    Copying file po/insert-header.sin
    Copying file po/quot.sed
    Copying file po/remove-potcdate.sin
    autoreconf: running: aclocal --force -I m4
    autoreconf: configure.ac: tracing
    autoreconf: configure.ac: not using Libtool
    autoreconf: running: /usr/bin/autoconf --force
    autoreconf: running: /usr/bin/autoheader --force
    autoreconf: running: automake --add-missing --copy --force-missing
    configure.ac:40: installing `./config.guess'
    configure.ac:40: installing `./config.sub'
    configure.ac:19: installing `./install-sh'
    configure.ac:19: installing `./missing'
    Makefile.am: installing `./depcomp'
    autoreconf: Leaving directory `.'

    14:26 ui.grid.sara.nl:/root/tmp/linuxquota-code
    root# ./configure
    checking for a BSD-compatible install... /usr/bin/install -c
    checking whether build environment is sane... yes
    checking for a thread-safe mkdir -p... /bin/mkdir -p
    checking for gawk... gawk
    checking whether make sets $(MAKE)... yes
    checking for cc... cc
    checking for C compiler default output file name... a.out
    checking whether the C compiler works... yes
    checking whether we are cross compiling... no
    checking for suffix of executables...
    checking for suffix of object files... o
    checking whether we are using the GNU C compiler... yes
    checking whether cc accepts -g... yes
    checking for cc option to accept ISO C89... none needed
    checking for style of include used by make... GNU
    checking dependency style of cc... gcc3
    checking for ranlib... ranlib
    checking for a BSD-compatible install... /usr/bin/install -c
    checking whether ln -s works... yes
    checking whether make sets $(MAKE)... (cached) yes
    checking for pkg-config... /usr/bin/pkg-config
    checking pkg-config is at least version 0.20... yes
    checking for an ANSI C-conforming const... yes
    checking for inline... inline
    checking whether NLS is requested... yes
    checking for msgfmt... /usr/bin/msgfmt
    checking for gmsgfmt... /usr/bin/msgfmt
    checking for xgettext... /usr/bin/xgettext
    checking for msgmerge... /usr/bin/msgmerge
    checking build system type... x86_64-unknown-linux-gnu
    checking host system type... x86_64-unknown-linux-gnu
    checking for ld used by GCC... /usr/bin/ld
    checking if the linker (/usr/bin/ld) is GNU ld... yes
    checking for shared library run path origin... done
    checking whether NLS is requested... yes
    checking for GNU gettext in libc... yes
    checking whether to use NLS... yes
    checking where the gettext function comes from... libc
    checking for ldap_initialize in -lldap... yes
    checking for COM_ERR... yes
    checking for EXT2FS... no
    checking for DBUS... no
    checking for LIBNL3... no
    checking how to run the C preprocessor... cc -E
    checking for grep that handles long lines and -e... /bin/grep
    checking for egrep... /bin/grep -E
    checking for ANSI C header files... yes
    checking for sys/types.h... yes
    checking for sys/stat.h... yes
    checking for stdlib.h... yes
    checking for string.h... yes
    checking for memory.h... yes
    checking for strings.h... yes
    checking for inttypes.h... yes
    checking for stdint.h... yes
    checking for unistd.h... yes
    checking tcpd.h usability... yes
    checking tcpd.h presence... yes
    checking for tcpd.h... yes
    checking for rpcgen... /usr/bin/rpcgen
    configure: creating ./config.status
    config.status: creating Makefile
    config.status: creating po/Makefile.in
    config.status: WARNING: 'po/Makefile.in.in' seems to ignore the --datarootdir setting
    config.status: creating config.h
    config.status: executing depfiles commands
    config.status: executing default-1 commands
    config.status: creating po/POTFILES
    config.status: creating po/Makefile
    configure:
    ==============================================================================
    Build configuration:
    bsd-behaviour: yes
    ext2-direct: no
    ldap-mail: yes
    libwrap: yes
    netlink: no
    nls: yes
    proc-mounts: /proc/mounts
    rpc: yes
    rpcsetquota: no
    xfs-roothack: no
    werror: no
    ==============================================================================

    Thanks,
    Ernst

     
  • Anonymous

    Anonymous - 2019-09-04

    I am also getting the error
    "warnquota: Entry not found for client mmustermann. Not sending mail."

    I am running Debian 8.6 64bit and the version of warnquota is:

    $ warnquota --version
    Quota-Hilfsprogramme Version 4.01.
    Compiliert mit: USE_LDAP_MAIL_LOOKUP EXT2_DIRECT HOSTS_ACCESS RPC RPC_SETQUOTA BSD_BEHAVIOUR
    Fehler an jack@suse.cz

    The ldapsearch command works fine though and I have double-checked everything twice. I have no other ideas what else to try because ldapsearch works as expected and it finds the user and outputs the mail attribute (mail address). Why does warnquota fail to find the user?

     
  • Anonymous

    Anonymous - 2019-09-04

    I just downloaded into a separate folder the latest version 4.05 and did run
    ./autogen.sh
    ./configure
    ./make

    and ./warnquota --version outputs the new 4.05 version but unfortunately I get the same error when running ./warnquota -us

    Then I tried to apply the debug patch seen above with:

    patch < 0001-warnquota-debug.patch

    and I got a success message back:

    patching file warnquota.c
    Hunk #1 succeeded at 439 (offset 20 lines).

    but I still get the simple error message when running ./warnquota -us
    warnquota: Entry not found for client mmustermann. Not sending mail.

    my /etc/warnquota.conf:

    ; ; and # type comments are allowed

    MAIL_CMD = "/usr/sbin/sendmail -t"
    FROM = "support@domain.tld"
    SUBJECT = "Speicherplatz Kontigent ueberschritten!"
    CC_TO =
    SUPPORT = "support@domain.tld"
    PHONE = "-123"
    CHARSET = UTF-8

    LDAP_URI = ldap://192.168.100.100:389
    LDAP_BASEDN = "OU=persons,OU=my OU,DC=intra,DC=mydomain,DC=tld"
    LDAP_BINDDN = "CN=bindaccount,OU=serviceaccounts,DC=intra,DC=mydomain,DC=tld"
    LDAP_BINDPW = "sup3rs3cr3t"
    LDAP_SEARCH_ATTRIBUTE = uid
    LDAP_MAIL_ATTRIBUTE = mail
    LDAP_MAIL = "true"

    I would have expected to see some debug messages. However, I hope it'll get fixed soon because at the moment warnquota is useless. Our LDAP server is a samba4 Active Directory and it does not allow anonymous binds by default. So I cannot (and even DON'T WANT to) enable anonymous logins to our LDAP server. Any thoughts on how to solve this issue?

    Any help appreciated.

     
  • Jan Kara

    Jan Kara - 2019-09-04

    Well, at least in the previous case it seemed warnquota was able to find the user but openldap library was not returning 'mail' attribute for the user. Can you attach here your warnquota.conf, output of 'ldapsearch -v' for the problematic user and output of warnquota compiled with the debug patch attached in this bug? Thanks!

     
  • Jan Kara

    Jan Kara - 2019-09-04

    Our posts crossed :). Can you attach here output of 'ldapsearch -v' for the problematic user? Everything else is in your latest comment.

     
  • Anonymous

    Anonymous - 2019-09-04

    Hello Jan,

    I'm performing an ldapsearch for the user mmustermann and returning only its DN and the MAIL attribute value. See here ...

    $ ldapsearch -H ldap://192.168.100.100 -W -D "CN=bindaccount,OU=serviceaccounts,DC=intra,DC=mydomain,DC=tld" -b "OU=persons,OU=my OU,DC=intra,DC=mydomain,DC=tld" -Z -LLL "(uid=mmustermann)" mail -v
    ldap_initialize( ldap://192.168.100.100:389/??base )
    Enter LDAP Password:
    filter: (uid=mmustermann)
    requesting: mail
    dn: CN=Mustermann\, Max,persons,OU=my OU,DC=intra,DC=mydomain,DC=tld
    mail: max.mustermann@mydomain.tld

    There are a lot of other attributes on an object, as you know, but we don't care about them now. Is this information helpful for letting you investigate further?

    Greetings,
    phaeno

     
  • Jan Kara

    Jan Kara - 2019-09-04

    Thanks for the output! Still I don't understand why LDAP query as constructed by warnquota doesn't return anything. Can you please attach here output of warnquota when run with attached patch (applies on top of stock 4.05 version)? Thanks!

     
  • Anonymous

    Anonymous - 2019-09-04

    Obviously I'm doing something wrong when trying to apply the patch. I don't get any different output when executing. What I am doing is:

    downloading the debug.patch into the downloaded folder of latest 4.05 version

    cd ~/Downloads/test/quota-4.05
    wget https://sourceforge.net/p/linuxquota/bugs/_discuss/thread/97ce6bfb/8619/attachment/0001-warnquota-debug.patch
    

    and then create a backup of the original warnquota.c before applying the patch:

    cp warnquota.c warnquota.c.bak
    patch < 0001-warnquota-debug.patch
    

    which outputs following result:

    patching file warnquota.c
    Hunk #1 succeeded at 439 (offset 20 lines).

    then I run...
    ./autogen.sh

    autoreconf2.50: Entering directory `.'
    autoreconf2.50: running: autopoint --force
    Copying file mkinstalldirs
    autoreconf2.50: running: aclocal --force -I m4
    autoreconf2.50: configure.ac: tracing
    autoreconf2.50: configure.ac: not using Libtool
    autoreconf2.50: running: /usr/bin/autoconf --force
    autoreconf2.50: running: /usr/bin/autoheader --force
    autoreconf2.50: running: automake --add-missing --copy --force-missing
    autoreconf2.50: Leaving directory `.'
    

    ./configure

    checking for a BSD-compatible install... /usr/bin/install -c
    checking whether build environment is sane... yes
    checking for a thread-safe mkdir -p... /bin/mkdir -p
    checking for gawk... gawk
    checking whether make sets $(MAKE)... yes
    checking whether make supports nested variables... yes
    checking whether make supports nested variables... (cached) yes
    checking for style of include used by make... GNU
    checking for gcc... gcc
    checking whether the C compiler works... yes
    checking for C compiler default output file name... a.out
    checking for suffix of executables...
    checking whether we are cross compiling... no
    checking for suffix of object files... o
    checking whether we are using the GNU C compiler... yes
    checking whether gcc accepts -g... yes
    checking for gcc option to accept ISO C89... none needed
    checking whether gcc understands -c and -o together... yes
    checking dependency style of gcc... gcc3
    checking how to run the C preprocessor... gcc -E
    checking for grep that handles long lines and -e... /bin/grep
    checking for egrep... /bin/grep -E
    checking for ANSI C header files... yes
    checking for sys/types.h... yes
    checking for sys/stat.h... yes
    checking for stdlib.h... yes
    checking for string.h... yes
    checking for memory.h... yes
    checking for strings.h... yes
    checking for inttypes.h... yes
    checking for stdint.h... yes
    checking for unistd.h... yes
    checking minix/config.h usability... no
    checking minix/config.h presence... no
    checking for minix/config.h... no
    checking whether it is safe to define EXTENSIONS... yes
    checking for special C compiler options needed for large files... no
    checking for _FILE_OFFSET_BITS value needed for large files... no
    checking for ar... ar
    checking the archiver (ar) interface... ar
    checking whether we are using the GNU C compiler... (cached) yes
    checking whether gcc accepts -g... (cached) yes
    checking for gcc option to accept ISO C89... (cached) none needed
    checking whether gcc understands -c and -o together... (cached) yes
    checking dependency style of gcc... (cached) gcc3
    checking for ranlib... ranlib
    checking whether ln -s works... yes
    checking whether make sets $(MAKE)... (cached) yes
    checking for pkg-config... /usr/bin/pkg-config
    checking pkg-config is at least version 0.20... yes
    checking for an ANSI C-conforming const... yes
    checking for inline... inline
    checking for nl_langinfo... yes
    checking whether NLS is requested... yes
    checking for msgfmt... /usr/bin/msgfmt
    checking for gmsgfmt... /usr/bin/msgfmt
    checking for xgettext... /usr/bin/xgettext
    checking for msgmerge... /usr/bin/msgmerge
    checking build system type... x86_64-unknown-linux-gnu
    checking host system type... x86_64-unknown-linux-gnu
    checking for ld used by GCC... /usr/bin/ld
    checking if the linker (/usr/bin/ld) is GNU ld... yes
    checking for shared library run path origin... done
    checking whether NLS is requested... yes
    checking for GNU gettext in libc... yes
    checking whether to use NLS... yes
    checking where the gettext function comes from... libc
    checking for ldap_initialize in -lldap... yes
    checking for COM_ERR... no
    checking for EXT2FS... no
    checking for DBUS... no
    checking for LIBNL3... no
    checking tcpd.h usability... no
    checking tcpd.h presence... no
    checking for tcpd.h... no
    configure: WARNING: tcpd.h not found
    checking for rpcgen... /usr/bin/rpcgen
    checking for TIRPC... no
    configure: WARNING: libtirpc not found
    checking that generated files are newer than configure... done
    configure: creating ./config.status
    config.status: creating Makefile
    config.status: creating po/Makefile.in
    config.status: WARNING: 'po/Makefile.in.in' seems to ignore the --datarootdir setting
    config.status: creating config.h
    config.status: config.h is unchanged
    config.status: executing depfiles commands
    config.status: executing default-1 commands
    config.status: creating po/POTFILES
    config.status: creating po/Makefile
    configure:
    ==============================================================================
    Build configuration:
    bsd-behaviour: yes
    ext2-direct: no
    ldap-mail: yes
    libwrap: no
    netlink: no
    nls: yes
    proc-mounts: /proc/mounts
    rpc: no
    rpcsetquota: no
    xfs-roothack: no
    werror: no
    ==============================================================================

    ./make

    make all-recursive
    make[1]: Entering directory '/root/Downloads/test/quota-4.05'
    Making all in po
    make[2]: Entering directory '/root/Downloads/test/quota-4.05/po'
    make[2]: Nothing to be done for 'all'.
    make[2]: Leaving directory '/root/Downloads/test/quota-4.05/po'
    make[2]: Entering directory '/root/Downloads/test/quota-4.05'
    CC warnquota.o
    CCLD warnquota
    make[2]: Leaving directory '/root/Downloads/test/quota-4.05'
    make[1]: Leaving directory '/root/Downloads/test/quota-4.05'

    ./warnquota --version

    Quota utilities version 4.05.
    Compiled with: USE_LDAP_MAIL_LOOKUP BSD_BEHAVIOUR
    Bugs to jack@suse.cz

    ./warnquota -us

    warnquota: Entry not found for client mmustermann.

    Puzzled? Why do I not get the debug output as expected?

     
  • Jan Kara

    Jan Kara - 2019-09-04

    Hu, no idea. You can try to edit the "Entry not found" message just to see whether indeed the modified source gets compiled & executed. If yes, please check in the source file you can see the debug prints (one printf() should be shortly before the "Entry not found" message). Finally if everything still looks fine, you can try to change printf(xxx) to fprintf(stderr, xxx) to see whether there isn't some problem with printing to stdout...

     
  • Anonymous

    Anonymous - 2019-09-05

    It gets compiled correctly and the change is there. Here is in detail what warnquota.c looks like after being patched and after I modify the original "Entry not found..." message:

    [...]

            /* search for the offender_name in ldap */
            if (256 <= snprintf(searchbuf, 256, "(%s=%s)", config->ldap_search_attr,
                        user)) {
                    errstr(_("Could not format LDAP search filter for %s user and "
                            "%s search attribute due to excessive length.\n"),
                            user, config->ldap_search_attr);
                    return NULL;
            }
            ret = ldap_search_ext_s(ldapconn,
                    config->ldap_basedn, LDAP_SCOPE_SUBTREE,
                    searchbuf, NULL, 0, NULL, NULL, NULL,
                    0, &result);
    
            if (ret < 0) {
                    errstr(_("Error with %s.\n"), user);
                    errstr(_("ldap_search_ext_s() failed: %s\n"), ldap_err2string(ret));
                    return NULL;
            }
    
            cnt = ldap_count_entries(ldapconn, result);
            if (cnt > 1) {
                    errstr(_("Multiple entries found for client %s (%d).\n"),
                           user, cnt);
                    return NULL;
            } else if (cnt == 0) {
                    errstr(_("No LDAP record found for user %s.\n"), user);
                    return NULL;
            }
            printf("Searching for attribute: '%s'\n", config->ldap_mail_attr);
            /* get the attr */
            entry = ldap_first_entry(ldapconn, result);
            for (a = ldap_first_attribute(ldapconn, entry, &ber); a != NULL;
                 a = ldap_next_attribute(ldapconn, entry, ber)) {
                    printf("Seeing attr: '%s'\n", a);
                    if (strcasecmp(a, config->ldap_mail_attr) == 0) {
                            bvals = ldap_get_values_len(ldapconn, entry, a);
                            if (bvals == NULL) {
                                    errstr(_("Could not get values for %s.\n"),
                                           user);
                                    return NULL;
                            }
                            to = sstrdup(bvals[0]->bv_val);
                            ldap_memfree(a);
                            ldap_value_free_len(bvals);
                            break;
                    }
                    ldap_memfree(a);
            }
    
            ber_free(ber, 0);
    

    [...]

    I run

    ./autogen.sh
    ./configure
    make
    ./warnquota -us
    

    and output is:

    warnquota: No LDAP record found for user mmustermann.

    When I search through the file warnquota.c, I cannot find any match for the string "ebug" in this file, nor do I see a printf() line shortly before the usual "Entry not found..." line (which, by the way, I modified to "No LDAP record found for user ...").

    As the last step, I tried your suggestion to replace printf() with fprintf(). The whole warnquota.c file contains just 2 lines where a "printf()" command appears:

    [...]

            printf("Searching for attribute: '%s'\n", config->ldap_mail_attr);
            /* get the attr */
            entry = ldap_first_entry(ldapconn, result);
            for (a = ldap_first_attribute(ldapconn, entry, &ber); a != NULL;
                 a = ldap_next_attribute(ldapconn, entry, ber)) {
                    printf("Seeing attr: '%s'\n", a);
                    if (strcasecmp(a, config->ldap_mail_attr) == 0) {
                            bvals = ldap_get_values_len(ldapconn, entry, a);
                            if (bvals == NULL) {
                                    errstr(_("Could not get values for %s.\n"),
                                           user);
                                    return NULL;
                            }
                            to = sstrdup(bvals[0]->bv_val);
                            ldap_memfree(a);
                            ldap_value_free_len(bvals);
                            break;
                    }
                    ldap_memfree(a);
            }
    

    [...]

    So I replaced those two lines containing printf() and now this section looks like this:
    [...]

            fprintf(stderr,"Searching for attribute: '%s'\n", config->ldap_mail_attr);
            /* get the attr */
            entry = ldap_first_entry(ldapconn, result);
            for (a = ldap_first_attribute(ldapconn, entry, &ber); a != NULL;
                 a = ldap_next_attribute(ldapconn, entry, ber)) {
                    fprintf(stderr,"Seeing attr: '%s'\n", a);
                    if (strcasecmp(a, config->ldap_mail_attr) == 0) {
                            bvals = ldap_get_values_len(ldapconn, entry, a);
                            if (bvals == NULL) {
                                    errstr(_("Could not get values for %s.\n"),
                                           user);
                                    return NULL;
                            }
                            to = sstrdup(bvals[0]->bv_val);
                            ldap_memfree(a);
                            ldap_value_free_len(bvals);
                            break;
                    }
                    ldap_memfree(a);
            }
    

    [...]

    but I still get a single output of:

    warnquota: No LDAP record found for user mmustermann.

     
  • Jan Kara

    Jan Kara - 2019-09-05

    OK, this shows that you actually applied the old version of the debug patch which adds debug prints only to processing of entry attributes but in your case we never get that far. I've now deleted the old version of the patch from this bug to avoid confusion so please download the new version and make sure you apply it and not the old one. Thanks!

     
  • Anonymous

    Anonymous - 2019-09-05

    Ok, thank you for the updated patch you provided. Now I get the following output:

    Quearying LDAP. basedn='OU=persons,OU=my OU,DC=intra,DC=mydomain,DC=tld', filter='(uid=mmustermann)'
    ldap_search_ext_s() returned 1
    ldap_count_entries() returned 0
    warnquota: Entry not found for client mmustermann.

     
  • Anonymous

    Anonymous - 2019-09-05

    Hi again Jan,

    After looking it over and over, I have a thought: maybe the lookup fails because the base DN needs to be put in quotation marks? Listen, my real base DN looks like this:

    OU=persons,OU=users,OU=My Company Name GmbH,DC=intra,DC=my-domain,DC=de

    In the examples stated above I changed the text to hide sensitive private data:
    OU=persons,OU=my OU,DC=intra,DC=mydomain,DC=tld

    Maybe the (white)space within the company name makes your warnquota tool fail? Can you check your code to ensure it's quoted correctly? Just a thought, maybe totally useless, but I thought I'd mention it.

     
  • Jan Kara

    Jan Kara - 2019-09-05

    OK, so the message "ldap_search_ext_s() returned 1" tells that ldap_search_ext_s() already failed and returned error (the error handling in warnquota() looks buggy in this regard). Error 1 is LDAP_OPERATIONS_ERROR which doesn't tell much to me. Maybe from LDAP wiki this is relevant: "eDirectory: In NDS 8.3x through NDS 7.xx, this was the default error for NDS errors that did not map to an LDAP error code. To conform to the new LDAP drafts, NDS 8.5 uses 80 (0x50) for such errors." But still it doesn't tell me why eDirectory server doesn't like the query formed by warnquota. Can't you perhaps have a look at eDirectory logs what the server doesn't like about our query?

    Spaces in the DN do not really matter and needn't be quoted. Warnquota doesn't really care as it treats DN as opaque string. So if what is printed in the message inside quotes is correct (is it?), warnquota didn't mangle anything. Only special characters like '=' or ',' inside entries need to be quoted so that ldap server does not interpret them as separators.
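
The trace and the explanation above, worked through as an added example (not warnquota's code and not the debug patch): it parses the two debug lines and compares the sign-only check from the quoted warnquota.c excerpt with a strict check against success. The helper names rc_to_name, verdict_sign_check, verdict_strict and parse_trace are hypothetical, and the sample trace is constructed from the output posted above.

```c
/* Added example (not warnquota source): triage of the debug-patch trace. */
#include <stdio.h>
#include <string.h>

/* Subset of RFC 4511 result codes; a server reports these as values >= 0. */
static const struct { int code; const char *name; } rc_names[] = {
    { 0, "success" },           { 1, "operationsError" },
    { 2, "protocolError" },     { 3, "timeLimitExceeded" },
    { 4, "sizeLimitExceeded" }, { 8, "strongerAuthRequired" },
    { 10, "referral" },         { 32, "noSuchObject" },
    { 34, "invalidDNSyntax" },  { 49, "invalidCredentials" },
    { 50, "insufficientAccessRights" }, { 80, "other" },
};

const char *rc_to_name(int rc)
{
    size_t i;

    if (rc < 0)  /* OpenLDAP client-side errors, e.g. LDAP_SERVER_DOWN (-1) */
        return "client-side API error";
    for (i = 0; i < sizeof(rc_names) / sizeof(rc_names[0]); i++)
        if (rc_names[i].code == rc)
            return rc_names[i].name;
    return "unlisted result code";
}

enum verdict { V_FOUND, V_NOT_FOUND, V_MULTIPLE, V_SEARCH_FAILED };

/* Interpret the entry count once the search itself is considered good. */
static enum verdict by_count(int count)
{
    if (count < 0)
        return V_SEARCH_FAILED;
    if (count > 1)
        return V_MULTIPLE;
    return count == 0 ? V_NOT_FOUND : V_FOUND;
}

/* Sign-only check, as in the warnquota.c excerpt quoted in the thread. */
enum verdict verdict_sign_check(int search_rc, int count)
{
    if (search_rc < 0)
        return V_SEARCH_FAILED;
    return by_count(count);
}

/* Strict check: anything other than success (0) is a failed search. */
enum verdict verdict_strict(int search_rc, int count)
{
    if (search_rc != 0)
        return V_SEARCH_FAILED;
    return by_count(count);
}

/* Extract the integer that follows "<key> returned " in the trace text. */
static int trace_value(const char *trace, const char *key, int *out)
{
    char pattern[96];
    const char *p;

    snprintf(pattern, sizeof(pattern), "%s returned ", key);
    p = strstr(trace, pattern);
    if (p == NULL)
        return -1;
    return sscanf(p + strlen(pattern), "%d", out) == 1 ? 0 : -1;
}

/* Returns 0 when both values were found in the trace, -1 otherwise. */
int parse_trace(const char *trace, int *search_rc, int *count)
{
    if (trace_value(trace, "ldap_search_ext_s()", search_rc) != 0)
        return -1;
    return trace_value(trace, "ldap_count_entries()", count);
}

/* Constructed sample: the debug lines posted above. */
static const char sample_trace[] =
    "ldap_search_ext_s() returned 1\n"
    "ldap_count_entries() returned 0\n"
    "warnquota: Entry not found for client mmustermann.\n";

int main(void)
{
    static const char *const label[] = {
        "entry found", "entry not found", "multiple entries", "search failed"
    };
    int rc, cnt;

    if (parse_trace(sample_trace, &rc, &cnt) != 0)
        return 1;
    printf("search rc=%d (%s), entries=%d\n", rc, rc_to_name(rc), cnt);
    printf("sign-only check: %s\n", label[verdict_sign_check(rc, cnt)]);
    printf("strict check:    %s\n", label[verdict_strict(rc, cnt)]);
    return 0;
}
```

With the sign-only check, a server result such as 1 falls through to the entry count, which is how a failed search ends up reported as a missing entry.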

     
  • Anonymous

    Anonymous - 2019-09-05

    Ok, so no worries about the quoting part. But I don't know what other information to provide to you. The LDAP server we run is an Active Directory built into samba4. It works fine with lots of other services which are bound to our AD server and they can successfully perform queries and pull the data required for their operations. Had no issues so far. I don't know what eDirectory is, never heard of it before.

     
  • Anonymous

    Anonymous - 2019-09-05

    If you meant to check the logs on the LDAP server process ... well, I cannot find any logs produced on my samba4 server. I am not sure though how to enable debug log view to see LDAP queries hitting the samba4 AD/LDAP server. Isn't there any other option to see what warnquota does for the LDAP query? As mentioned before, even a manual ldapsearch command succeeds in getting the necessary information (see my initial postings).

     
  • Jan Kara

    Jan Kara - 2019-09-05

    Yeah, I'm also puzzled why 'ldapsearch' works while what warnquota does doesn't... Warnquota does a very similar thing to ldapsearch. One difference I can see is that warnquota requests all attributes while the ldapsearch query you did requested only the 'mail' attribute. To simplify experimenting, I've created ldap_experiment.c which just parses the config file and does the ldap query. You need to compile it like:

    gcc -Wall -llber -lldap -o ldap_experiment ldap_experiment.c

    Can you try running it like:
    ldap_experiment /etc/warnquota.conf mmustermann

    It should fail the same way as warnquota does. As a side note I've tested it against LDAP server in our company and it works there just fine.

     
  • Jan Kara

    Jan Kara - 2019-09-05

    I've spotted one more buggy error check. Attaching new version of ldap_experiment.c.

     
  • Anonymous

    Anonymous - 2019-09-06

    gcc ./ldap_experiment.c -o ldap_exp

    /tmp/ccaCw0ca.o: In function `wc_exit':
    ldap_experiment.c:(.text+0x2c): undefined reference to `ldap_unbind_ext'
    /tmp/ccaCw0ca.o: In function `setup_ldap':
    ldap_experiment.c:(.text+0xe3): undefined reference to `ldap_initialize'
    ldap_experiment.c:(.text+0xf6): undefined reference to `ldap_err2string'
    ldap_experiment.c:(.text+0x14d): undefined reference to `ldap_set_option'
    ldap_experiment.c:(.text+0x16c): undefined reference to `ldap_set_option'
    ldap_experiment.c:(.text+0x185): undefined reference to `ldap_start_tls_s'
    ldap_experiment.c:(.text+0x198): undefined reference to `ldap_err2string'
    ldap_experiment.c:(.text+0x1f3): undefined reference to `ldap_sasl_bind_s'
    ldap_experiment.c:(.text+0x20a): undefined reference to `ldap_err2string'
    /tmp/ccaCw0ca.o: In function `lookup_user':
    ldap_experiment.c:(.text+0x3db): undefined reference to `ldap_search_ext_s'
    ldap_experiment.c:(.text+0x412): undefined reference to `ldap_err2string'
    ldap_experiment.c:(.text+0x451): undefined reference to `ldap_count_entries'
    ldap_experiment.c:(.text+0x4d0): undefined reference to `ldap_first_entry'
    ldap_experiment.c:(.text+0x4f1): undefined reference to `ldap_first_attribute'
    ldap_experiment.c:(.text+0x539): undefined reference to `ldap_get_values_len'
    ldap_experiment.c:(.text+0x591): undefined reference to `ldap_memfree'
    ldap_experiment.c:(.text+0x59d): undefined reference to `ldap_value_free_len'
    ldap_experiment.c:(.text+0x5ab): undefined reference to `ldap_memfree'
    ldap_experiment.c:(.text+0x5c8): undefined reference to `ldap_next_attribute'
    ldap_experiment.c:(.text+0x5eb): undefined reference to `ber_free'
    collect2: error: ld returned 1 exit status

    then tried
    make ldap_experiment

    gcc -g -O2 -Wall -fPIC ldap_experiment.c -o ldap_experiment
    ldap_experiment.c: In function ‘main’:
    ldap_experiment.c:434:1: warning: control reaches end of non-void function [-Wreturn-type]
    }
    ^
    /tmp/ccpuvseZ.o: In function `wc_exit':
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:57: undefined reference to `ldap_unbind_ext'
    /tmp/ccpuvseZ.o: In function `setup_ldap':
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:83: undefined reference to `ldap_initialize'
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:99: undefined reference to `ldap_sasl_bind_s'
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:91: undefined reference to `ldap_set_option'
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:92: undefined reference to `ldap_set_option'
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:93: undefined reference to `ldap_start_tls_s'
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:95: undefined reference to `ldap_err2string'
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:86: undefined reference to `ldap_err2string'
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:101: undefined reference to `ldap_err2string'
    /tmp/ccpuvseZ.o: In function `lookup_user':
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:145: undefined reference to `ldap_search_ext_s'
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:156: undefined reference to `ldap_count_entries'
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:166: undefined reference to `ldap_first_entry'
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:167: undefined reference to `ldap_first_attribute'
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:181: undefined reference to `ldap_memfree'
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:168: undefined reference to `ldap_next_attribute'
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:170: undefined reference to `ldap_get_values_len'
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:177: undefined reference to `ldap_memfree'
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:178: undefined reference to `ldap_value_free_len'
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:184: undefined reference to `ber_free'
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:184: undefined reference to `ber_free'
    /root/Downloads/test/test2/quota-4.05/ldap_experiment.c:152: undefined reference to `ldap_err2string'
    collect2: error: ld returned 1 exit status
    <builtin>: recipe for target 'ldap_experiment' failed
    make: *** [ldap_experiment] Error 1

     