Hi,
On Thu, 24 Oct 2019 05:26:49 +0200,
Predrag Punosevac wrote:
>
> Kapetanakis Giannis wrote:
>
> > On 23/10/2019 19:14, Predrag Punosevac wrote:
> > > Hi Misc,
> > >
> > > I just upgraded a LDAP server from 6.5 to 6.6 running authorization and
> > > authentication services for a 100 some member university research group.
> > > It appears TLS handshake is broken. This worked perfectly on 6.5 and
> > > earlier.
> > >
[ rest deleted ]
> I am out of fuel to look more this tonight but I am 99% sure something
> have changed on 6.6 which broke the things. Maybe my configuration was
> wrong all along and in 6.6 few screws got tighten up which bit me for my
> rear end. I would appreciate any further commend or suggestions how to
> debug this. I would also appreciate any reports of fully working ldapd
> on 6.6 release
>
> Best,
> Predrag
>
This is related to commit “Make sure that ber in ber_scanf_elements is
not NULL before parsing format” (martijn@) and caused by the scan string
used by ber_scanf_elements on line 310 in ldape.c
Regarding the commit, see also emails with subject “ber.c: Don't
continue on nonexistent ber” to tech@ on August, 13.
When you set scan string for ber_scanf_elements in line 310 of ldape.c
from "{se" to "{s" it works again. Patch below.
When you look at the ldap_extended function on ldape.c, you see ext_val
is assigned to req_op in line 314. The only use could happen in the
extended_ops[i]fn(req) call in line 318. This currently can only be a
call to ldap_starttls (beginning at line 285, same file) which doesn't
use req_op either. So it the `e' shouldn't matter.
At a guess, this also conforms to RFC4511, section 4.14.1.
If ldap_extended is extended to handle other operations than starttls,
care must be taken for an optional additional octet string in the
request (see definition of extended request in RFC4511, section 4.12).
Best regards
Robert
--- ldape.c.orig Fri Jun 28 15:32:48 2019
+++ ldape.c Thu Oct 24 13:28:38 2019
@@ -307,7 +307,7 @@
{ NULL }
};
- if (ber_scanf_elements(req->op, "{se", &oid, &ext_val) != 0)
+ if (ber_scanf_elements(req->op, "{s", &oid, &ext_val) != 0)
goto done;
log_debug("got extended operation %s", oid);
