threerings / openvpn-auth-ldap

Implements username/password authentication via LDAP for OpenVPN 2.x.

Search problem on AD #2

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What version of the product are you using? On what operating system?
OpenVPN on Ubuntu Hardy 32 bits with auth-ldap-2.0.3 installed from source.

Attached file is the tree of what I see from my LDAP browser on the AD
server for domain dc=XXX,dc=ZZZ. Basically I got 2 different branches with
their own set of users (ou=YYY,dc=XXX,dc=ZZZ and ou=AAA,dc=XXX,dc=ZZZ). I
want to give access to users of both trees.

When I point my configuration to a specific branch
ou=YYY,dc=XXX,dc=ZZZ I can authenticate users within this branch:

# auth-ldap configuration
<LDAP>
 URL ldap://AD_IP
 BindDN "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ"
 Password pass
 FollowReferrals no
</LDAP>

<Authorization>
 BaseDN "OU=YYY,DC=XXX,DC=YYY"
 SearchFilter "sAMAccountName=%u"
 RequireGroup false
</Authorization>

Here is the tethereal output of the LDAP traffic when a user logs in:
1 LDAP bindRequest(1) "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ" simple 
2 LDAP bindResponse(1) success 
3 LDAP searchRequest(2) "OU=YYY,DC=XXX,DC=ZZZ" wholeSubtree 
4 LDAP searchResEntry(2) "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ" 
5 LDAP bindRequest(1) "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ" simple 
6 LDAP bindResponse(1) success 
7 LDAP bindRequest(2) "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ" 8
simple 
9 LDAP bindResponse(2) success 
10 LDAP unbindRequest(3) 
11 LDAP unbindRequest(3) 
12 LDAP bindRequest(1) "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ" simple 
13 LDAP bindResponse(1) success 
14 LDAP searchRequest(2) "OU=YYY,DC=XXX,DC=ZZZ" wholeSubtree 
15 LDAP searchResEntry(2) "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ" 
16 LDAP unbindRequest(3) 

I wonder why it searches a 2nd time after validating my OpenVPN client user...
but that's not my problem. This works.

My problem starts when I change the BaseDN to point to the root of my AD
structure, to be able to let users of both branches authenticate. In my
configuration I just change
 BaseDN "DC=XXX,DC=YYY"

and here is the tethereal output:

1 LDAP bindRequest(1) "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ" simple 
2 LDAP bindResponse(1) success 
3 LDAP searchRequest(2) "DC=XXX,DC=ZZZ" wholeSubtree 
4 LDAP searchResEntry(2) "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ" 
5 LDAP bindRequest(4) "<ROOT>" simple 
6 LDAP bindResponse(4) success 
7 LDAP bindRequest(6) "<ROOT>" simple 
8 LDAP bindResponse(6) success 
9 LDAP bindRequest(8) "<ROOT>" simple 
10 LDAP bindResponse(8) success 
11 LDAP searchRequest(7) "CN=Configuration,DC=XXX,DC=ZZZ" wholeSubtree 
12 LDAP searchRequest(5) "DC=DomainDnsZones,DC=XXX,DC=ZZZ" wholeSubtree 
13 LDAP searchRequest(3) "DC=ForestDnsZones,DC=XXX,DC=ZZZ" wholeSubtree 
14 LDAP searchResDone(3) operationsError (00000000: LdapErr: DSID-0C090627,
comment: In order to perform this operation a successful bind must be
completed on the connection., data 0, vece) 
15 LDAP unbindRequest(9) 
16 LDAP searchResDone(7) operationsError (00000000: LdapErr: DSID-0C090627,
comment: In order to perform this operation a successful bind must be
completed on the connection., data 0, vece) 
17 LDAP searchResDone(5) operationsError (00000000: LdapErr: DSID-0C090627,
comment: In order to perform this operation a successful bind must be
completed on the connection., data 0, vece) 
18 LDAP unbindRequest(10) 
19 LDAP unbindRequest(11) 
20 LDAP unbindRequest(12) 

At line 4, it definitely finds my user. But on line 5 it also tries to bind
<ROOT>, which is something I don't know...
And after that it tries to search in Windows Active Directory sub-branches
that require higher privilege. Once it got knocked out somewhere, it refused
to try to bind my user and validate my VPN user.

Should auth-ldap take the found object, ignore the failed search and try to
authenticate that user?

thank you

Original issue reported on code.google.com by bruno.cl...@gmail.com on 25 Jun 2008 at 4:35


GoogleCodeExporter commented 9 years ago
I've looked at the code and it's in searchWithFilter() in LFLDAPConnection.m,
calling openldap's function ldap_search_ext_s().

The weird thing is, if I use openldap's ldapsearch(1), it works:

$ ldapsearch -h $ad_ip -D 'CN=ldapbrowser,CN=Users,dc=XXX,dc=YYY' -W -x -b
'dc=XXX,dc=YYY' 'samaccountname=bruno.clermont'
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=XXX,dc=YYY> with scope subtree
# filter: samaccountname=bruno.clermont
# requesting: ALL
#

# Bruno Clermont, Users, YYY, XXX, ZZZ
dn: CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ
[and the content of the entry]

Original comment by bruno.cl...@gmail.com on 25 Jun 2008 at 6:16

GoogleCodeExporter commented 9 years ago
I found the problem:

ldapsearch(1) (code at
http://www.openldap.org/devel/cvsweb.cgi/~checkout~/clients/tools/ldapsearch.c)
is using ldap_search_ext(3), which is asynchronous, while this plugin uses the
synchronous ldap_search_ext_s(3).

Because of the access denied by the AD server, ldap_search_ext_s(3) catches an
LDAP_OPERATIONS_ERROR, while ldap_search_ext(3) gets the result and ignores those
sub-tree operations errors.

The only possible bug fix for this issue is to move to the asynchronous search.

For me, I'll just ignore LDAP_OPERATIONS_ERROR.

Original comment by bruno.cl...@gmail.com on 25 Jun 2008 at 7:30
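To make the two traces in this issue and the diagnosis above concrete, here is an added example (my own code, not code from openvpn-auth-ldap) that parses tethereal-style LDAP packet summaries like the ones quoted here and classifies what happened. It separates the situation the thread describes, where the user entry was returned but the overall search failed because referrals into other AD naming contexts (Configuration, DomainDnsZones, ForestDnsZones) were chased over anonymous "<ROOT>" binds, from a search that genuinely fails on the configured base or returns no entry. The sample trace lines are copied from the issue with its anonymised DNs (some repeated error text shortened to "..."); the parsing regex, the verdict names and the classify_trace function are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed samples: packet summaries copied from the two traces quoted in
# the issue (DNs anonymised as in the thread, repeated error text shortened).
FAILING_TRACE = """\
1 LDAP bindRequest(1) "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ" simple
2 LDAP bindResponse(1) success
3 LDAP searchRequest(2) "DC=XXX,DC=ZZZ" wholeSubtree
4 LDAP searchResEntry(2) "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ"
5 LDAP bindRequest(4) "<ROOT>" simple
6 LDAP bindResponse(4) success
7 LDAP bindRequest(6) "<ROOT>" simple
8 LDAP bindResponse(6) success
9 LDAP bindRequest(8) "<ROOT>" simple
10 LDAP bindResponse(8) success
11 LDAP searchRequest(7) "CN=Configuration,DC=XXX,DC=ZZZ" wholeSubtree
12 LDAP searchRequest(5) "DC=DomainDnsZones,DC=XXX,DC=ZZZ" wholeSubtree
13 LDAP searchRequest(3) "DC=ForestDnsZones,DC=XXX,DC=ZZZ" wholeSubtree
14 LDAP searchResDone(3) operationsError (00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece)
15 LDAP unbindRequest(9)
16 LDAP searchResDone(7) operationsError (...)
17 LDAP searchResDone(5) operationsError (...)
18 LDAP unbindRequest(10)
"""

WORKING_TRACE = """\
1 LDAP bindRequest(1) "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ" simple
2 LDAP bindResponse(1) success
3 LDAP searchRequest(2) "OU=YYY,DC=XXX,DC=ZZZ" wholeSubtree
4 LDAP searchResEntry(2) "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ"
"""

# One packet summary: frame number, "LDAP", operation(msgid), optional quoted
# DN, then the first word of the remainder (bind type, scope, or result code).
LINE_RE = re.compile(r'^\d+\s+LDAP\s+(\w+)\((\d+)\)\s*(?:"([^"]*)")?\s*(\S*)')


@dataclass
class TraceVerdict:
    entry_dn: Optional[str] = None          # DN returned by searchResEntry, if any
    anonymous_binds: int = 0                # simple binds with an empty ("<ROOT>") DN
    failed_searches: List[Tuple[str, str]] = field(default_factory=list)  # (base, result)
    verdict: str = "user_not_found"


def _norm(dn: str) -> str:
    """Loose DN comparison: ignore case and spacing around components."""
    return dn.replace(" ", "").lower()


def classify_trace(trace: str, configured_base: str) -> TraceVerdict:
    """Classify an LDAP capture for one authentication attempt."""
    v = TraceVerdict()
    bases: Dict[str, str] = {}  # message id -> base DN of that searchRequest
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        op, msgid, dn, result = m.groups()
        if op == "searchRequest":
            bases[msgid] = dn
        elif op == "searchResEntry":
            v.entry_dn = dn
        elif op == "bindRequest" and dn == "<ROOT>":
            # An empty bind DN is an anonymous simple bind: the client opened a
            # new connection to chase a referral without presenting credentials.
            v.anonymous_binds += 1
        elif op == "searchResDone" and result != "success":
            v.failed_searches.append((bases.get(msgid, "?"), result))

    base_failed = any(_norm(b) == _norm(configured_base) for b, _ in v.failed_searches)
    if v.entry_dn is None:
        v.verdict = "user_not_found"
    elif base_failed:
        v.verdict = "base_search_failed"      # the search on the configured base itself failed
    elif v.failed_searches:
        v.verdict = "referral_chase_failure"  # entry found; only referred partitions failed
    else:
        v.verdict = "entry_found"
    return v


if __name__ == "__main__":
    for name, trace, base in (("failing", FAILING_TRACE, "DC=XXX,DC=ZZZ"),
                              ("working", WORKING_TRACE, "OU=YYY,DC=XXX,DC=ZZZ")):
        r = classify_trace(trace, base)
        print(f"{name}: {r.verdict}; entry={r.entry_dn}; anonymous binds={r.anonymous_binds}")
        for b, res in r.failed_searches:
            print(f"  failed search on {b}: {res}")
```

The point of the verdict split is that a caller should not swallow every LDAP_OPERATIONS_ERROR, as the comment above resorts to: a `base_search_failed` result still has to deny the login, while `referral_chase_failure` means the entry the plugin needs was already delivered and the errors come from naming contexts it was never configured to search. The anonymous-bind count is also worth watching on its own, since a capture of a domain controller showing credential-less binds from the VPN host is exactly what referral chasing looks like from the server side.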

GoogleCodeExporter commented 9 years ago

Original comment by landon.j.fuller@gmail.com on 7 Jul 2008 at 12:50

GoogleCodeExporter commented 9 years ago
This calls for supporting search across multiple trees.

Original comment by landon.j.fuller@gmail.com on 26 Jul 2008 at 5:16

GoogleCodeExporter commented 9 years ago
Any patch for this? Without this feature it's almost unusable for us.

Original comment by lacik...@gmail.com on 4 Nov 2010 at 6:39

GoogleCodeExporter commented 9 years ago
You can use this SearchFilter for BaseDN "DC=XXX,DC=YYY":
SearchFilter "(&(objectCategory=person)(sAMAccountName=%u))"

or restrict to users from the VPN group:
SearchFilter "(&(objectCategory=person)(sAMAccountName=%u)(memberOf=CN=VPN,OU=GGG,DC=XXX,DC=YYY))"

Original comment by yag...@gmail.com on 4 Aug 2011 at 10:29
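As an added example (my own code, not code from openvpn-auth-ldap), here is how the two filters from the comment above are rendered from their %u template for a given username, with the username escaped per RFC 4515 section 3 before substitution so that a value containing `*`, `(`, `)`, `\` or a NUL byte cannot change the shape of the filter. The thread does not say how the plugin itself substitutes %u, so the escaping shown is this example's own; the filter strings and anonymised DNs are the ones from the comment.

```python
# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            # Control and non-ASCII characters: escape each UTF-8 byte as \xx.
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def render_filter(template: str, username: str) -> str:
    """Substitute the escaped username for every %u in the template."""
    return template.replace("%u", escape_filter_value(username))


def filter_shape_preserved(template: str, rendered: str) -> bool:
    """Check that substitution added no filter components: the number of
    unescaped parentheses must be unchanged from the template."""
    return rendered.count("(") == template.count("(") and rendered.count(")") == template.count(")")


# The two filters suggested in the comment above (DNs anonymised as in the thread).
PERSON_FILTER = "(&(objectCategory=person)(sAMAccountName=%u))"
VPN_GROUP_FILTER = (
    "(&(objectCategory=person)(sAMAccountName=%u)"
    "(memberOf=CN=VPN,OU=GGG,DC=XXX,DC=YYY))"
)


if __name__ == "__main__":
    # Constructed usernames: a normal one and one carrying filter metacharacters.
    for user in ("bruno.clermont", "x*)(cn="):
        for tpl in (PERSON_FILTER, VPN_GROUP_FILTER):
            f = render_filter(tpl, user)
            print(f"{user!r}: {f}  shape_ok={filter_shape_preserved(tpl, f)}")
```

Two caveats on the memberOf variant that the filter itself does not show: the group must be given as its full DN, and that DN is an assertion value too, so a group or OU name containing one of the characters above has to be escaped in the config the same way; and a plain memberOf match sees only direct membership, not groups nested inside CN=VPN.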