author: Jeroen van Meeuwen (Kolab Systems) <> 2017-07-22 13:03:26 +0200
committer: Jeroen van Meeuwen (Kolab Systems) <> 2017-07-22 13:03:26 +0200
commit: e87109cde2551776fd15a9f4890b86f54c3c70a9
parent: 24da53112b65dfff8ce518816edf34306f428db3
LDAP remove referrals for correct handling in Samba 4
Summary: LDAP user authentication does not work when using Samba 4 as LDAP backend. Samba 4 (as well as MS AD) returns referrals (search continuations) for some objects. LDAPv3 does not specify which credentials should be used for the search continuations. **libldap** tries to anonymously bind and do the search continuations, which fails with Samba 4 (as well as MS AD). Kolab 16 will fail while authenticating with **ldap.OPERATIONS_ERROR** and the error message //00002020: Operation unavailable without authentication//

The submitted patch is supposed to be used with

```
REFERRALS off
```

in /etc/ldap.conf and should not affect any other situations. Eventually setting the LDAP option via

```
ldap.OPT_REFERRALS, 0
```

would be an option too, but I can't test at the moment if there is any impact on non-Samba 4 setups.

The change in wallace addresses the same problem, as I got

```
2017-07-05 12:27:28,566 pykolab.wallace ERROR Module resources.heartbeat() failed with error:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/wallace/", line 89, in modules_heartbeat
    modules.heartbeat(module, lastrun)
  File "/usr/lib/python2.7/dist-packages/wallace/", line 128, in heartbeat
    return modules[name]['heartbeat'](*args, **kw)
  File "/usr/lib/python2.7/dist-packages/wallace/", line 438, in heartbeat
    resource_dns = [dn for dn in resource_dns if resource_base_dn in dn]
TypeError: argument of type 'NoneType' is not iterable
```

Test Plan: Use Kolab 16 with Samba 4. Try to authenticate a user. It should fail. Disable referrals in /etc/ldap.conf with

```
REFERRALS off
```

and try again. Now you should no longer see the **ldap.OPERATIONS_ERROR** but an auth fail because of 4 (or at least more than one) results returned. The referrals will no longer be automatically queried, but returned as part of the results containing //None// on position 0 (result-type) of the result tuple. Apply the patch now, which will remove those //None// result-type results. The authentication should succeed.

Reviewers: #pykolab_developers, vanmeeuwen
Reviewed By: #pykolab_developers, vanmeeuwen
Subscribers: #pykolab_developers
Tags: #kolab_16
Differential Revision:
2 files changed, 6 insertions, 0 deletions
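Added example, not pykolab's code: one helper that does what both hunks in this commit do, but in a single place, splitting a python-ldap style result list into real entries and search references, logging the references instead of dropping them silently. The result list, DNs and ldap:// URLs are constructed sample data in the shape python-ldap returns when referral chasing is off.

```python
# Added example (not pykolab's code). With libldap referral chasing off
# (REFERRALS off in /etc/ldap.conf, or conn.set_option(ldap.OPT_REFERRALS, 0)
# on a python-ldap connection), Samba 4 / AD search continuations come back
# inside the result list as (None, [url, ...]) tuples next to (dn, attrs).
import logging

log = logging.getLogger(__name__)

# Constructed sample in the shape python-ldap's search_s() returns for a
# Samba 4 / AD backend: one matching user plus three search references.
SAMPLE_RESULT = [
    ("uid=jdoe,cn=Users,dc=example,dc=org",
     {"uid": [b"jdoe"], "mail": [b"jdoe@example.org"]}),
    (None, ["ldap://ForestDnsZones.example.org/DC=ForestDnsZones,DC=example,DC=org"]),
    (None, ["ldap://DomainDnsZones.example.org/DC=DomainDnsZones,DC=example,DC=org"]),
    (None, ["ldap://example.org/CN=Configuration,DC=example,DC=org"]),
]


def split_search_result(result_data):
    """Split a python-ldap result list into (entries, referral_urls).

    entries keeps the (dn, attrs) tuples; referral_urls collects the URLs
    of every (None, [url, ...]) search reference so they are logged, not
    silently dropped (they show which naming contexts the server points at).
    """
    entries, referral_urls = [], []
    for dn, payload in result_data:
        if dn is None:
            referral_urls.extend(payload)
        else:
            entries.append((dn, payload))
    if referral_urls:
        log.debug("ignoring %d LDAP search reference(s): %s",
                  len(referral_urls), referral_urls)
    return entries, referral_urls


def entry_dns(result_data):
    """DNs of real entries only, safe for `resource_base_dn in dn` checks
    like the one in wallace's heartbeat()."""
    return [dn for dn, _ in split_search_result(result_data)[0]]


def unique_auth_entry(result_data):
    """The single entry to authenticate against, or None. Counting the raw
    list instead would see 4 results here and reject a valid login."""
    entries, _ = split_search_result(result_data)
    return entries[0] if len(entries) == 1 else None
```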
diff --git a/pykolab/auth/ldap/ b/pykolab/auth/ldap/
index a2a64e0..622df71 100644
--- a/pykolab/auth/ldap/
+++ b/pykolab/auth/ldap/
@@ -246,6 +246,9 @@ class LDAP(pykolab.base.Base):
+ # Remove referrals
+ _result_data = [_e for _e in _result_data if _e[0] is not None]
if len(_result_data) == 1:
(entry_dn, entry_attrs) = _result_data[0]
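Review bot: the filter `_result_data = [_e for _e in _result_data if _e[0] is not None]` only ever sees referral tuples when libldap is not chasing them (REFERRALS off in /etc/ldap.conf, or ldap.OPT_REFERRALS set to 0 as the summary mentions); with chasing enabled the search itself fails with ldap.OPERATIONS_ERROR, as the summary describes, and this line is never reached. Either set ldap.OPT_REFERRALS to 0 on the connection in this class or document the /etc/ldap.conf dependency next to the filter, otherwise correct behaviour silently depends on host configuration. The `# Remove referrals` comment should also say what is being removed (search references returned as `(None, [url, ...])` tuples), and the dropped `_e[1]` URL list is worth a debug log line, since it records which naming contexts the Samba 4 / AD server pointed at.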
diff --git a/wallace/ b/wallace/
index f51285a..ed2baf8 100644
--- a/wallace/
+++ b/wallace/
@@ -432,6 +432,9 @@ def heartbeat(lastrun):
resource_dns = auth.find_resource('*')
+ # Remove referrals
+ resource_dns = [dn for dn in resource_dns if dn is not None]
# filter by resource_base_dn
resource_base_dn = conf.get('ldap', 'resource_base_dn', None)
if resource_base_dn is not None:
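Review bot: the `dn is not None` filter fixes the `resource_base_dn in dn` TypeError from the summary's traceback, but it patches this one caller rather than the source: `auth.find_resource('*')` is what returns None for search references, and any other caller of it on a Samba 4 backend hits the same TypeError. Move the filtering into the auth layer, next to the identical list comprehension added to pykolab/auth/ldap/ in this same commit, so callers only ever receive real DNs, and change `# Remove referrals` to state that the None items are LDAP search references returned when referral chasing is off.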