adubovikov
commented
4 years ago https://github.com/sipcapture/homer-app/commit/5b1dd122ee1edfb1d71ce64f41847da164d7b88c please compile and test
Closed kpribic closed 4 years ago
adubovikov
commented
4 years ago https://github.com/sipcapture/homer-app/commit/5b1dd122ee1edfb1d71ce64f41847da164d7b88c please compile and test
kpribic
commented
4 years ago As far as I understand defer will delay closing connection until function call is over. It kind of works in sense that I can login and connections don't hang, however when I inspect the trace there is one error. This is what happens, described from prespective of homer-app:
This exchange lasts for ~100ms Immediately afterwards:
It appears that the second request failed because bind to binddn was done in wrong TCP connection (previous and now closed). I don't know why there were two requests for user, I logged in only once and I didn't experience any issues logging in. Tried this multiple times, flow is always same.
Marked with yellow is the new TCP connection. Not sure why we stil get RST packet after FIN, but I think it probably isn't important for this issue
kpribic
commented
4 years ago One correction, after I reviewed the traces, step 8 above is actually searchRequest for memberUid=%username%
Where %username% is value previously used for sAMAccountName, and no the full LDAP path to that user.
kpribic
commented
4 years ago @adubovikov is there any particular reason why memberUid=%username% is used? I can't get that to work on Active Directory.
What did work (in my case specifically for recursive search) is:
1) Defining an admingroup, adding "dn" to ldap configconfig and setting adminmode to false.
"ldap_config": {
"admingroup": "HOMER_admins",
"adminmode": false,
"anonymous": false,
"attributes": [
"dn",
"givenName",
"sn",
"mail",
"uid"
],2) Setting group filter to:
"groupfilter": "(member:1.2.840.113556.1.4.1941:=%s)",`3) Making these code changes to fix dropped connection and LDAP query with username instead of DN: https://github.com/kpribic/homer-app/commit/3570f2ef91c59488657ffc8ea233a0d4f048f0f9
This results in behavior:
kpribic
commented
4 years ago Fixed along the way while fixing #328
Currently LDAP code establishes a TCP connection to LDAP server, executes a request and then keeps the TCP connection active via 15sec TCP keepalives. After 15mins of keepalives my LDAP server cuts the connection with TCP RST packet.
After that homer-app is confused because it apparently doesn't know how to setup the connection again. All new auth queries don't initiate a new TCP connection but simply fail in the app
Restart of homer-app service re-establishes the connection, but after 15mins of idling it's stuck again.
My understanding is that LDAP clients should keep the connection active only for a limited time, ballpark of 5 minutes, and then disconnect. When new request comes new connection should be established.
NOTE: Version: homer-app 1.1.35