author Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> 2017-07-22 13:03:26 +0200
committer Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> 2017-07-22 13:03:26 +0200
commit e87109cde2551776fd15a9f4890b86f54c3c70a9
tree 09e29915543c8fedb2dc8dbe6baca7070667fc6a /pykolab
parent 24da53112b65dfff8ce518816edf34306f428db3
LDAP remove referrals for correct handling in Samba 4
Summary:
LDAP user authentication does not work when using Samba 4 as LDAP backend. Samba 4 (as well as MS AD) returns referrals (search continuations) for some objects. LDAPv3 does not specify which credentials should be used for the search continuations. **libldap** tries to bind anonymously and do the search continuations, which fails with Samba 4 (as well as MS AD).

Kolab 16 will fail while authenticating with **ldap.OPERATIONS_ERROR** and the error message

//00002020: Operation unavailable without authentication//

The submitted patch is supposed to be used with

```
REFERRALS off
```

in /etc/ldap.conf and should not affect any other situations.

Eventually setting the LDAP option via

```
ldap.OPT_REFERRALS, 0
```

would be an option too, but I can't test at the moment if there is any impact on non Samba 4 setups.

The change in wallace addresses the same problem, as I got

```
2017-07-05 12:27:28,566 pykolab.wallace ERROR Module resources.heartbeat() failed with error: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/wallace/__init__.py", line 89, in modules_heartbeat
    modules.heartbeat(module, lastrun)
  File "/usr/lib/python2.7/dist-packages/wallace/modules.py", line 128, in heartbeat
    return modules[name]['heartbeat'](*args, **kw)
  File "/usr/lib/python2.7/dist-packages/wallace/module_resources.py", line 438, in heartbeat
    resource_dns = [dn for dn in resource_dns if resource_base_dn in dn]
TypeError: argument of type 'NoneType' is not iterable
```

Test Plan:
Use Kolab 16 with Samba 4. Try to authenticate user. Should fail.

Disable Referrals in /etc/ldap.conf with

```
REFERRALS off
```

and try again. Now you should no longer see the **ldap.OPERATIONS_ERROR** but an auth fail because of 4 (or at least more than one) results returned. The referrals will no longer be automatically queried, but returned as part of the results containing //None// on the position 0 (result-type) of the result tuple.

Apply the patch now, which will remove those //None// result-type results. The Authentication should succeed.

Reviewers: #pykolab_developers, vanmeeuwen

Reviewed By: #pykolab_developers, vanmeeuwen

Subscribers: #pykolab_developers

Tags: #kolab_16

Differential Revision: https://git.kolab.org/D467
Diffstat (limited to 'pykolab')
-rw-r--r-- pykolab/auth/ldap/__init__.py 3
1 files changed, 3 insertions, 0 deletions
diff --git a/pykolab/auth/ldap/__init__.py b/pykolab/auth/ldap/__init__.py
index a2a64e0..622df71 100644
--- a/pykolab/auth/ldap/__init__.py
+++ b/pykolab/auth/ldap/__init__.py
@@ -246,6 +246,9 @@ class LDAP(pykolab.base.Base):
level=8
)
+ # Remove referrals
+ _result_data = [_e for _e in _result_data if _e[0] is not None]
+
if len(_result_data) == 1:
(entry_dn, entry_attrs) = _result_data[0]
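Review bot: The `# Remove referrals` comment above the new list comprehension does not explain that a `None` in position 0 of a result tuple is how a referral (search continuation) shows up, nor that the filter only has an effect when referral chasing is disabled (`REFERRALS off` in /etc/ldap.conf, per the commit message). Since the filtered list feeds the `len(_result_data) == 1` check in an authentication lookup, entries are being dropped silently on a security-relevant path; consider expanding the comment to state both points and logging the number of entries removed at the same debug level used in the call just above (`level=8`), so an operator can see from the log why the match count changed. The dependency on host-level ldap.conf also deserves a mention in the code or docs, because without it the original `ldap.OPERATIONS_ERROR` described in the commit message still occurs and this hunk never runs on the referral entries.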