From: Chris R. <Chr...@me...> - 2000-07-07 07:53:38

On Thu, 06 Jul 2000 21:01:51 CDT, Mark Wilcox wrote:
> Hi,
> This could be a bug in my AuthNetLDAP module, probably with the opening or
> closing of the LDAP connection. I haven't even really used the module in
> production yet, so I don't know all of the bugs.
>
> Could you send a copy of the relevant Apache error log to ma...@mj...
>
> I'll be out of town for the next few days, but I'll try to take a look at
> it when I get back.
>
> Mark
>
> Eamon Daly wrote:
>
> > A handful of our users are getting an LDAP_OPERATIONS_ERROR
> > when they try to authenticate. I haven't seen anything close
> > in the archives, and LDAP_OPERATIONS_ERROR is fairly vague,
> > so I'm kinda stumped. A 'debug => 3' trace follows. The name
> > and password are correct.
> >
> > Apache 1.3.12
> > Solaris 7
> > Net::LDAP 0.19
> > Apache::AuthNetLDAP 0.16
> >
> > Thanks in advance!

I'm inserting the ASN.1 decodes of the PDUs inline. You can generate this
yourself if you set debug => 12 in current versions of Net::LDAP.

> > [Thu Jul 6 17:03:12 2000] [error] access to / failed for xx.xx.xx.147,
> > reason: user kpeterson: failed bind: 1
> > Net::LDAP=HASH(0x3fa2f8) sending:
> >
> > 30 0C 02 01 01 60 07 02 01 02 04 00 80 00 __ __ 0....`........

0000 30   12: SEQUENCE {
0002 02    1:   INTEGER = 1
0005 60    7:   [APPLICATION 0] {
0007 02    1:     INTEGER = 2
000A 04    0:     STRING = ''
000C 80    0:     [CONTEXT 0]
000E        :   }
000E        : }

(Anonymous bind using LDAPv2)

> > Net::LDAP=HASH(0x3fa2f8) received:
> >
> > 30 0C 02 01 01 61 07 0A 01 00 04 00 04 00 __ __ 0....a........

0000 30   12: SEQUENCE {
0002 02    1:   INTEGER = 1
0005 61    7:   [APPLICATION 1] {
0007 0A    1:     ENUM = 0
000A 04    0:     STRING = ''
000C 04    0:     STRING = ''
000E        :   }
000E        : }

(Bind response: OK)

> > Net::LDAP=HASH(0x3fa2f8) sending:
> >
> > 30 2E 02 01 02 63 29 04 00 0A 01 02 0A 01 02 02 0....c).........
> > 01 00 02 01 00 01 01 00 A3 10 04 03 75 69 64 04 ............uid.
> > 09 6B 70 65 74 65 72 73 6F 6E 30 04 04 02 64 6E .kpeterson0...dn

0000 30   46: SEQUENCE {
0002 02    1:   INTEGER = 2
0005 63   41:   [APPLICATION 3] {
0007 04    0:     STRING = ''
0009 0A    1:     ENUM = 2
000C 0A    1:     ENUM = 2
000F 02    1:     INTEGER = 0
0012 02    1:     INTEGER = 0
0015 01    1:     BOOLEAN = FALSE
0018 A3   16:     [CONTEXT 3] {
001A 04    3:       STRING = 'uid'
001F 04    9:       STRING = 'kpeterson'
002A        :     }
002A 30    4:     SEQUENCE {
002C 04    2:       STRING = 'dn'
0030        :     }
0030        :   }
0030        : }

(Search: base is ROOT, subtree scope, for (uid=kpeterson) and ask for the
dn attribute back.)

> > Net::LDAP=HASH(0x3fa2f8) received:
> >
> > 30 22 02 01 02 64 1D 04 19 63 6E 3D 6B 70 65 74 0"...d...cn=kpet
> > 65 72 73 6F 6E 2C 6F 3D 66 77 5F 63 6F 6E 74 65 erson,o=fw_conte
> > 78 74 30 00 __ __ __ __ __ __ __ __ __ __ __ __ xt0.

0000 30   34: SEQUENCE {
0002 02    1:   INTEGER = 2
0005 64   29:   [APPLICATION 4] {
0007 04   25:     STRING = 'cn=kpeterson,o=fw_context'
0022 30    0:     SEQUENCE {
0024        :     }
0024        :   }
0024        : }

(SearchResultEntry: entry called <cn=kpeterson,o=fw_context> with no
attributes)

> > Net::LDAP=HASH(0x3fa2f8) received:
> >
> > 30 0C 02 01 02 65 07 0A 01 00 04 00 04 00 __ __ 0....e........

0000 30   12: SEQUENCE {
0002 02    1:   INTEGER = 2
0005 65    7:   [APPLICATION 5] {
0007 0A    1:     ENUM = 0
000A 04    0:     STRING = ''
000C 04    0:     STRING = ''
000E        :   }
000E        : }

(SearchResultDone: OK)

> > Net::LDAP=HASH(0x3fa2f8) sending:
> >
> > 30 2B 02 01 03 60 26 02 01 02 04 19 63 6E 3D 6B 0+...`&.....cn=k
> > 70 65 74 65 72 73 6F 6E 2C 6F 3D 66 77 5F 63 6F peterson,o=fw_co
> > 6E 74 65 78 74 80 06 73 6D 61 63 6B 68 __ __ __ ntext..smackh

0000 30   43: SEQUENCE {
0002 02    1:   INTEGER = 3
0005 60   38:   [APPLICATION 0] {
0007 02    1:     INTEGER = 2
000A 04   25:     STRING = 'cn=kpeterson,o=fw_context'
0025 80    6:     [CONTEXT 0]
0027        :       73 6D 61 63 6B 68 __ __ __ __ __ __ __ __ __ __ smackh
002D        :   }
002D        : }

(Simple bind as <cn=kpeterson,o=fw_context> with a password of smackh,
using LDAPv3.)

> > Net::LDAP=HASH(0x3fa2f8) received:
> >
> > 30 0C 02 01 03 61 07 0A 01 01 04 00 04 00 __ __ 0....a........

0000 30   12: SEQUENCE {
0002 02    1:   INTEGER = 3
0005 61    7:   [APPLICATION 1] {
0007 0A    1:     ENUM = 1
000A 04    0:     STRING = ''
000C 04    0:     STRING = ''
000E        :   }
000E        : }

(BindResponse: operationsError.)

Hm. Maybe Novell isn't happy about a second bind on a single connection, or
maybe it isn't happy switching LDAP versions in the second bind? Can you try
just doing the LDAPv3 bind in a little program instead of the additional
LDAPv2 bind and search, and/or changing the first bind in AuthNetLDAP to
LDAPv3?

I find the search somewhat bizarre: why does it request a dn attribute? It
is presumably working because the server doesn't know what a dn attribute
is, so it effectively returns a list of no attributes back for each entry.
If the search used LDAPv3, then specifying an attribute with the OID 1.1
would be more appropriate (see RFC 2251 4.5.1 "attributes" bullet).

Cheers,
Chris
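As an added example, not from this thread or from Net::LDAP: a minimal BER decoder in Python that reproduces the decodes above from the raw hex, so the resultCode of a BindResponse and the attribute list of a SearchRequest can be read off the bytes without needing debug => 12. The PDU bytes are copied from the trace; the function names and the result-code table (the RFC 2251 subset relevant here) are my own.

```python
# Constructed inputs: PDU bytes copied from the hex columns of the trace quoted above.
BIND_RESPONSE_OK = bytes.fromhex("300C02010161070A010004000400")
SEARCH_REQUEST = bytes.fromhex("302E020102632904000A01020A0102020100020100010100A3100403756964"
                               "04096B7065746572736F6E30040402646E")
BIND_RESPONSE_ERR = bytes.fromhex("300C02010361070A010104000400")
RESULT_CODES = {0: "success", 1: "operationsError", 49: "invalidCredentials"}  # RFC 2251 4.1.10 subset

def _read_length(buf, i):
    """BER length at buf[i]: short form (< 0x80) or long form (0x8n followed by n length bytes)."""
    first, i = buf[i], i + 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    return int.from_bytes(buf[i:i + n], "big"), i + n

def decode_ber(buf, start=0, end=None):
    """Decode the TLVs in buf[start:end] into (tag, value) pairs; constructed tags recurse."""
    end = len(buf) if end is None else end
    items, i = [], start
    while i < end:
        tag = buf[i]
        length, i = _read_length(buf, i + 1)
        body = buf[i:i + length]
        if tag & 0x20:                 # constructed: SEQUENCE, [APPLICATION n], [CONTEXT n] { ... }
            value = decode_ber(buf, i, i + length)
        elif tag in (0x02, 0x0A):      # INTEGER, ENUMERATED
            value = int.from_bytes(body, "big", signed=True)
        elif tag == 0x01:              # BOOLEAN
            value = body != b"\x00"
        else:                          # OCTET STRING and primitive context tags: raw bytes
            value = body
        items.append((tag, value))
        i += length
    return items

def ldap_message(pdu):
    """LDAPMessage -> (messageID, protocolOp tag, protocolOp fields)."""
    ((_, fields),) = decode_ber(pdu)
    return fields[0][1], fields[1][0], fields[1][1]

def ldap_result(pdu):
    """BindResponse (0x61) or SearchResultDone (0x65) -> (messageID, resultCode name)."""
    msg_id, op_tag, fields = ldap_message(pdu)
    if op_tag not in (0x61, 0x65):
        raise ValueError("protocolOp does not carry an LDAPResult")
    return msg_id, RESULT_CODES.get(fields[0][1], str(fields[0][1]))

def search_attributes(pdu):
    """SearchRequest (0x63) -> the attribute names it asks for (its trailing SEQUENCE)."""
    _, _, fields = ldap_message(pdu)
    return [v.decode() for _, v in fields[-1][1]]
```

Running `ldap_result(BIND_RESPONSE_ERR)` gives `(3, 'operationsError')`, and `search_attributes(SEARCH_REQUEST)` gives `['dn']`, the attribute list Chris questions above.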