| Request | LDAPMultiPlugins -- bug report -- by Olivier |
| Posted on | Aug 23, 2006 9:47 pm |
| Resolve by Jens Vagelpohl on Aug 28, 2006 4:54 am |

Thanks for testing!

| Comment by Olivier Nicole on Aug 28, 2006 4:46 am |

> I made a change that I believe will fix the issue. The "Use SSL" flag
> was not sent through correctly to the LDAPUserFolder instantiation code:
>
> http://svn.dataflake.org/comp.php?repname=DataflakeSoftware&path=&compare%5B%5D=%2FLDAPMultiPlugins@1354&compare%5B%5D=%2FLDAPMultiPlugins@1361
>
> Could you please get the latest code from Subversion and test?

So far it seems to be working.

Many thanks,

Olivier

| Comment by Jens Vagelpohl on Aug 27, 2006 10:23 am |

I made a change that I believe will fix the issue. The "Use SSL" flag was not sent through correctly to the LDAPUserFolder instantiation code:

http://svn.dataflake.org/comp.php?repname=DataflakeSoftware&path=&compare%5B%5D=%2FLDAPMultiPlugins@1354&compare%5B%5D=%2FLDAPMultiPlugins@1361

Could you please get the latest code from Subversion and test?

| Comment by Olivier Nicole on Aug 24, 2006 2:47 am |

> "Connecting to TLS"
> http://www.dataflake.org/tracker/issue_00526
>
> ----------
>
> Since I don't use Plone and I don't support any patches to either
> PluggableAuthService or LDAPUserFolder, could I ask you to try and
> describe a reproducible test case that does not involve Plone or
> these patches?
> -----------

OK.

----------------------------------------------------------------------
Configuration is
Zope 2.9
LDAPMultiPlugin 1.3
LDAPUserFolder 2.7

I am running OpenLDAP with TLS on port 636.
----------------------------------------------------------------------
In ZMI, I go to acl_users and try to add an LDAP Multi Plugin.
I configure it with:
LDAP server=ldap.cs.ait.ac.th:636
SSL= checked
Manager DN=cn=accountAdmin,ou=Administrator,ou=csim,dc=cs,dc=ait,dc=ac,dc=th
Password=********
----------------------------------------------------------------------
Error displayed on ZMI:

Site Error
An error was encountered while publishing this resource.
Error Type: SERVER_DOWN
Error Value: {'desc': "Can't contact LDAP server"}
----------------------------------------------------------------------
Error in event.log:
------
2006-08-24T13:14:50 CRITICAL event.LDAPDelegate Failure connecting, last attempted server: ldap://ldap.cs.ait.ac.th:636 ({'desc': "Can't contact LDAP server"})
Traceback (most recent call last):
  File "/usr/local/www/Zope29/Products/LDAPUserFolder/LDAPDelegate.py", line 216, in connect
    , op_timeout=10
  File "/usr/local/www/Zope29/Products/LDAPUserFolder/LDAPDelegate.py", line 310, in _connect
    connection.simple_bind_s(user_dn, user_pwd)
  File "/usr/local/lib/python2.4/site-packages/ldap/ldapobject.py", line 759, in simple_bind_s
    return SimpleLDAPObject.simple_bind_s(self,*args,**kwargs)
  File "/usr/local/lib/python2.4/site-packages/ldap/ldapobject.py", line 176, in simple_bind_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/local/lib/python2.4/site-packages/ldap/ldapobject.py", line 405, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/local/lib/python2.4/site-packages/ldap/ldapobject.py", line 409, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/local/lib/python2.4/site-packages/ldap/ldapobject.py", line 415, in result3
    rtype, rdata, rmsgid, serverctrls = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/local/lib/python2.4/site-packages/ldap/ldapobject.py", line 94, in _ldap_call
    result = func(*args,**kwargs)
SERVER_DOWN: {'desc': "Can't contact LDAP server"}
------
2006-08-24T13:14:50 ERROR Zope.SiteErrorLog http://ufo.cs.ait.ac.th:8080/acl_users/manage_addProduct/LDAPMultiPlugins/manage_addLDAPMultiPlugin
Traceback (innermost last):
  Module ZPublisher.Publish, line 115, in publish
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 41, in call_object
  Module Products.LDAPMultiPlugins.LDAPMultiPlugin, line 86, in manage_addLDAPMultiPlugin
  Module Products.LDAPUserFolder.LDAPUserFolder, line 422, in manage_edit
  Module Products.LDAPUserFolder.LDAPDelegate, line 241, in connect
SERVER_DOWN: {'desc': "Can't contact LDAP server"}
----------------------------------------------------------------------
On a tcpdump I see:

SYN
SYN+ACK
ACK

connection handshake and then

13:15:08.080207 ufo.cs.ait.ac.th.59110 > auth.cs.ait.ac.th.ldaps: P 1:88(87) ack 1 win 33304 <nop,nop,timestamp 17173679 1382340372> (DF)
0x0000 4500 008b 8639 4000 4006 dfc0 c029 aa0e E....9@.@....)..
0x0010 c029 aa11 e6e6 027c a933 0ba7 ebec 4b4a .).....|.3....KJ
0x0020 8018 8218 5882 0000 0101 080a 0106 0caf ....X...........
0x0030 5264 d714 3055 0201 0160 5002 0103 0441 Rd..0U...`P....A
0x0040 636e 3d61 6363 6f75 6e74 4164 6d69 6e2c cn=accountAdmin,
0x0050 6f75 3d41 646d 696e 6973 7472 6174 6f72 ou=Administrator
0x0060 2c6f 753d 6373 696d 2c64 633d 6373 2c64 ,ou=csim,dc=cs,d
0x0070 633d 6169 742c 6463 3d61 632c 6463 3d74 c=ait,dc=ac,dc=t
0x0080 6880 08** **** **** **** ** h..********

I masked the password, but obviously the connection is going unencrypted. From another LDAP client, this packet should be the exchange of the certificate.

If I disable TLS and run LDAP on port 389, then I can connect.

Best regards,

Olivier

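The two observations in the comment above (a cleartext packet where a TLS handshake was expected, and the event.log line attempting ldap://ldap.cs.ait.ac.th:636) can be turned into repeatable checks. The following is an added example written for this page; it is not code from the tracker thread, from LDAPMultiPlugins or from LDAPUserFolder. It parses the tcpdump hex rows quoted in the comment, classifies the first client bytes as either a TLS handshake record or a BER-encoded LDAP BindRequest, and audits a server URI against the intended "Use SSL" setting. The TLS_CLIENT_HELLO_PREFIX constant is a constructed comparison value, and the function names are assumptions of this example.

```python
"""Added example; not code from the tracker thread, LDAPMultiPlugins or
LDAPUserFolder. It turns the two observations in the report into checks:
 1. classify the first client bytes on a port-636 connection as a TLS record
    (what an ldaps:// client sends first) or a cleartext LDAP BindRequest;
 2. flag the "ldap://host:636" form from the event.log line, i.e. the plain
    scheme paired with the LDAPS port, against the intended "Use SSL" flag.
"""
import re
from typing import Dict, List, Optional

# Hex dump rows copied from the report's tcpdump output; the reporter masked
# the password bytes with '*'. The trailing ASCII column is ignored.
TCPDUMP_HEX = """
0x0000 4500 008b 8639 4000 4006 dfc0 c029 aa0e E....9@.@....)..
0x0010 c029 aa11 e6e6 027c a933 0ba7 ebec 4b4a .).....|.3....KJ
0x0020 8018 8218 5882 0000 0101 080a 0106 0caf ....X...........
0x0030 5264 d714 3055 0201 0160 5002 0103 0441 Rd..0U...`P....A
0x0040 636e 3d61 6363 6f75 6e74 4164 6d69 6e2c cn=accountAdmin,
0x0050 6f75 3d41 646d 696e 6973 7472 6174 6f72 ou=Administrator
0x0060 2c6f 753d 6373 696d 2c64 633d 6373 2c64 ,ou=csim,dc=cs,d
0x0070 633d 6169 742c 6463 3d61 632c 6463 3d74 c=ait,dc=ac,dc=t
0x0080 6880 08** **** **** **** ** h..********
"""
# Constructed TLS 1.x handshake record header (ClientHello) for comparison.
TLS_CLIENT_HELLO_PREFIX = [0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B]

_HEXGROUP = re.compile(r"^[0-9a-f*]{2,4}$")
_URI = re.compile(r"^(?P<scheme>ldaps?)://(?P<host>[^:/\s]+)(?::(?P<port>\d+))?")


def parse_hexdump(dump: str) -> List[Optional[int]]:
    """Packet bytes from tcpdump -X style rows; masked '**' bytes become None."""
    out: List[Optional[int]] = []
    for line in dump.strip().splitlines():
        for tok in line.split()[1:9]:          # skip offset, at most 8 hex groups
            if not _HEXGROUP.match(tok):
                break                          # reached the ASCII column
            for i in range(0, len(tok), 2):
                pair = tok[i:i + 2]
                out.append(None if "*" in pair else int(pair, 16))
    return out


def tcp_payload(pkt: List[Optional[int]]) -> List[Optional[int]]:
    """Skip the IPv4 and TCP headers using the length fields they carry."""
    ihl = (pkt[0] & 0x0F) * 4                  # IPv4 IHL, in bytes
    data_off = (pkt[ihl + 12] >> 4) * 4        # TCP data offset, in bytes
    return pkt[ihl + data_off:]


def _ber_len(buf: List[Optional[int]], pos: int):
    """Decode a BER length at pos; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    val = 0
    for b in buf[pos + 1:pos + 1 + (first & 0x7F)]:
        val = (val << 8) | b
    return val, pos + 1 + (first & 0x7F)


def classify_first_bytes(payload: List[Optional[int]]) -> Dict:
    """Tell a TLS handshake record apart from a cleartext LDAP BindRequest."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return {"kind": "tls-handshake", "encrypted": True}
    if payload[0] != 0x30:                     # not a BER SEQUENCE (LDAPMessage)
        return {"kind": "unknown", "encrypted": False}
    _, pos = _ber_len(payload, 1)
    if payload[pos] != 0x02:                   # messageID INTEGER expected
        return {"kind": "ber-sequence", "encrypted": False}
    n, pos = _ber_len(payload, pos + 1)
    msgid = int.from_bytes(bytes(payload[pos:pos + n]), "big")
    pos += n
    if payload[pos] != 0x60:                   # [APPLICATION 0] = BindRequest
        return {"kind": "ldap-other", "encrypted": False, "message_id": msgid}
    _, pos = _ber_len(payload, pos + 1)        # BindRequest length
    n, pos = _ber_len(payload, pos + 1)        # version INTEGER
    version, pos = payload[pos], pos + n
    n, pos = _ber_len(payload, pos + 1)        # name LDAPDN (OCTET STRING)
    bind_dn, pos = bytes(payload[pos:pos + n]).decode("utf-8"), pos + n
    auth_tag = payload[pos]                    # 0x80 = simple (cleartext password)
    n, _ = _ber_len(payload, pos + 1)
    return {"kind": "ldap-bind-request", "encrypted": False, "message_id": msgid,
            "version": version, "bind_dn": bind_dn,
            "simple_auth": auth_tag == 0x80, "password_len": n}


def audit_server_uri(uri: str, use_ssl: bool) -> List[str]:
    """Findings for a configured or attempted server URI versus the Use SSL flag."""
    m = _URI.match(uri)
    if not m:
        return ["unparseable server URI: %s" % uri]
    scheme = m.group("scheme")
    port = int(m.group("port") or (636 if scheme == "ldaps" else 389))
    findings = []
    if use_ssl and scheme != "ldaps":
        findings.append("Use SSL is set but the URI scheme is %s://" % scheme)
    if scheme == "ldap" and port == 636:
        findings.append("ldap:// on the LDAPS port: the bind would be sent in cleartext")
    return findings


if __name__ == "__main__":
    payload = tcp_payload(parse_hexdump(TCPDUMP_HEX))
    print(classify_first_bytes(payload))         # cleartext BindRequest, simple auth
    print(classify_first_bytes(TLS_CLIENT_HELLO_PREFIX))
    print(audit_server_uri("ldap://ldap.cs.ait.ac.th:636", use_ssl=True))
```

Run against the quoted dump, the classifier reports a version 3 simple BindRequest carrying the manager DN with an 8-byte password field, which is exactly what should never appear as the first bytes on an LDAPS port; the URI audit flags the same configuration twice, once for the scheme disagreeing with the flag and once for the cleartext scheme on port 636.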
| Comment by Jens Vagelpohl on Aug 23, 2006 9:54 pm |

Since I don't use Plone and I don't support any patches to either PluggableAuthService or LDAPUserFolder, could I ask you to try and describe a reproducible test case that does not involve Plone or these patches?

| Initial Request by Olivier on Aug 23, 2006 9:47 pm |

My LDAP server is running on port 636 with TLS. Using LDAPMultiPlugins 1.2 + patch or 1.3, with LDAPUserFolder 2.7, Zope 2.9, Plone 2.5. I can get LDAPUserFolder to connect to my server and pass requests, add users, etc., but LDAPMultiPlugin will never connect. It seems that whether I select SSL connection or not, I get the same unsuccessful result. From a tcpdump, I see that even with SSL checked, traffic goes in the clear.