| | | |
|---|---|---|
| author | Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> | 2017-07-22 13:03:26 +0200 |
| committer | Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> | 2017-07-22 13:03:26 +0200 |
| commit | e87109cde2551776fd15a9f4890b86f54c3c70a9 (patch) | |
| tree | 09e29915543c8fedb2dc8dbe6baca7070667fc6a /wallace/module_resources.py | |
| parent | 24da53112b65dfff8ce518816edf34306f428db3 (diff) | |
| download | pykolab-e87109cde2551776fd15a9f4890b86f54c3c70a9.tar.gz | |
LDAP remove referrals for correct handling in Samba 4
Summary:
LDAP user authentication does not work when using Samba 4 as LDAP backend. Samba 4 (as well as MS AD) returns referrals (search continuations) for some objects.
LDAPv3 does not specify which credentials should be used for the search continuations. **libldap** tries to bind anonymously and do the search continuations, which fails with
Samba 4 (as well as MS AD).
Kolab 16 will fail while authenticating with **ldap.OPERATIONS_ERROR** and the error message *00002020: Operation unavailable without authentication*
The submitted patch is supposed to be used with
```
REFERRALS off
```
in /etc/ldap.conf and should not affect any other situations.
Eventually setting LDAP option via
```
ldap.OPT_REFERRALS, 0
```
would be an option too, but I can't test at the moment if there is any impact on non-Samba 4 setups.
The change in wallace addresses the same problem, as I got
```
2017-07-05 12:27:28,566 pykolab.wallace ERROR Module resources.heartbeat() failed with error: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/wallace/__init__.py", line 89, in modules_heartbeat
    modules.heartbeat(module, lastrun)
  File "/usr/lib/python2.7/dist-packages/wallace/modules.py", line 128, in heartbeat
    return modules[name]['heartbeat'](*args, **kw)
  File "/usr/lib/python2.7/dist-packages/wallace/module_resources.py", line 438, in heartbeat
    resource_dns = [dn for dn in resource_dns if resource_base_dn in dn]
TypeError: argument of type 'NoneType' is not iterable
```
Test Plan:
Use Kolab 16 with Samba 4. Try to authenticate user. Should fail. Disable Referrals in /etc/ldap.conf with
```
REFERRALS off
```
and try again. Now you should no longer see the **ldap.OPERATIONS_ERROR** but an auth failure because
4 (or at least more than one) results are returned. The referrals will no longer be queried automatically, but returned
as part of the results, containing *None* at position 0 (result type) of the result tuple.
Apply the patch now, which will remove those *None* result-type results. The authentication should succeed.
Reviewers: #pykolab_developers, vanmeeuwen
Reviewed By: #pykolab_developers, vanmeeuwen
Subscribers: #pykolab_developers
Tags: #kolab_16
Differential Revision: https://git.kolab.org/D467
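The test plan above describes the shape of the data the fix relies on: once referral chasing is off, python-ldap hands back search continuations as result tuples whose DN is `None`, and any code that treats every DN as a string (the `resource_base_dn in dn` filter in the traceback) raises `TypeError`. The following is an added example, not code from the pykolab commit, showing how to separate real entries from unchased referrals and how to count what was dropped so an unexpected referral source stays visible in logs. The sample result list, the `ou=Resources` base DN and the referral URLs are constructed; the `disable_referral_chasing` helper is an assumed usage of the `ldap.OPT_REFERRALS` option the commit message mentions but did not test.

```python
# Added example (not part of the pykolab commit): handling referral entries
# in python-ldap style search results once referrals are not chased.

# Constructed sample of what ldap.search_s()-style results look like with
# "REFERRALS off" in /etc/ldap.conf: real entries are (dn, attrs) tuples,
# search continuations come back as (None, [referral URLs]).
SAMPLE_RESULTS = [
    ("cn=room1,ou=Resources,dc=example,dc=org", {"cn": [b"room1"]}),
    (None, ["ldap://ForestDnsZones.example.org/DC=ForestDnsZones,DC=example,DC=org"]),
    ("cn=car1,ou=Resources,dc=example,dc=org", {"cn": [b"car1"]}),
    (None, ["ldap://DomainDnsZones.example.org/DC=DomainDnsZones,DC=example,DC=org"]),
]


def split_referrals(results):
    """Return (entries, referral_urls) from a python-ldap style result list.

    A referral (search continuation) result carries None as the DN; its
    second element then holds referral URLs rather than an attribute dict.
    """
    entries = []
    referrals = []
    for dn, payload in results:
        if dn is None:
            # Unchased referral: payload is a list of LDAP URLs (or one URL)
            referrals.extend(payload if isinstance(payload, list) else [payload])
        else:
            entries.append((dn, payload))
    return entries, referrals


def resource_dns_under_base(results, resource_base_dn=None):
    """Collect DNs the way heartbeat() does, after stripping referrals.

    Returns (dns, dropped_referral_count). The count is what a caller would
    log: a non-zero value on a server that is not expected to return
    referrals points at a misconfigured backend rather than a code bug.
    The base-DN check here is a case-insensitive suffix match, which is
    stricter than the substring check in the patched module.
    """
    entries, referrals = split_referrals(results)
    dns = [dn for dn, _ in entries]
    if resource_base_dn is not None:
        suffix = resource_base_dn.lower()
        dns = [dn for dn in dns if dn.lower().endswith(suffix)]
    return dns, len(referrals)


def disable_referral_chasing(conn):
    """Per-connection equivalent of 'REFERRALS off' (assumed usage of the
    python-ldap option named in the commit message; not tested there)."""
    import ldap  # python-ldap; imported lazily so the rest runs without it
    conn.set_option(ldap.OPT_REFERRALS, 0)


if __name__ == "__main__":
    dns, dropped = resource_dns_under_base(
        SAMPLE_RESULTS, "ou=Resources,dc=example,dc=org")
    print("resource DNs:", dns)
    print("referrals dropped:", dropped)
```

Calling `resource_dns_under_base` without `split_referrals` on the sample list would reproduce the `TypeError` from the heartbeat traceback, which is why the referral split runs first; logging the dropped count keeps the filter from silently masking a backend that suddenly starts returning referrals.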
Diffstat (limited to 'wallace/module_resources.py')
-rw-r--r-- | wallace/module_resources.py | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/wallace/module_resources.py b/wallace/module_resources.py index f51285a..ed2baf8 100644 --- a/wallace/module_resources.py +++ b/wallace/module_resources.py @@ -432,6 +432,9 @@ def heartbeat(lastrun): resource_dns = auth.find_resource('*') + # Remove referrals + resource_dns = [dn for dn in resource_dns if dn is not None] + # filter by resource_base_dn resource_base_dn = conf.get('ldap', 'resource_base_dn', None) if resource_base_dn is not None: |
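Review bot: the `# Remove referrals` comment above the new list comprehension does not say why referrals show up as `None` entries, so a later reader will not connect `dn is not None` to LDAP search continuations; expand it to something like `# Referrals (search continuations) come back as None when REFERRALS is off; drop them` so the link to the Samba 4 / AD behaviour described in the summary survives in the code. It would also help to log, at debug level, how many entries were dropped before the `resource_base_dn` filter runs, since the comprehension otherwise silently hides referrals from a backend that was not expected to return any, and the `TypeError` it prevents was the only signal that they were present.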