  1. Directory ApacheDS
  2. DIRSERVER-2332

Unexpected Session Termination (nslcd - libpam-ldapd)

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0.0.AM26
    • Fix Version/s: 2.0.0.AM27
    • Component/s: asn1, core, ldap
    • Environment:
      - Raspbian Clients with nslcd
      - Apache Studio in Windows
      - ApacheDS running in Docker (self built image)

    Description

      I'm currently playing around with a small raspi-cluster - the intention is to have unified LDAP login via libpam-ldapd and NFS mounted home-dirs.


      While setting up libpam-ldapd together with apacheds worked like a charm, during some tests I noticed that secondary group names don't work.

       

      Tinkering around with the log-levels revealed a NullPointerException

      at org.apache.directory.api.ldap.codec.actions.controls.StoreControlValue.action(StoreControlValue.java:81)

       

      I tried to isolate the cause of the error to build a test case, but while finding my way through the code base I got stranded in the mina and ldap-api repos.

      I'm willing to provide any information that is needed to dive deeper into this issue.

      A capture (pcap) of the ldap_search from nslcd as well as (basically) the same search from Studio (which surprisingly works just fine) are attached, as well as the DEBUG log, which also contains the HEX for the network request.

      Attachments

        1. Dockerfile.txt
          0.5 kB
          D. Tervooren
        2. debug.log
          65 kB
          D. Tervooren
        3. capture_studio.pcap
          1 kB
          D. Tervooren
        4. capture_nslcd.pcap
          0.8 kB
          D. Tervooren

        Activity

          eifoen D. Tervooren added a comment -

          I attached the Dockerfile.txt out of which the Container was built


          elecharny Emmanuel Lécharny added a comment -

          Hi!

          So the received PDU in a more readable way gives:

          0x30 0x81 0xCB 
            0x02 0x01 0x02 
            0x63 0x81 0x91 
            0x04 0x2C 
              'd' 'c' '=' 'm' 'i' 'n' 'i' '-' 
              'c' 'l' 'u' 's' 't' 'e' 'r' ','
              'd' 'c' '=' 'c' 'o' 's' 'y' ',' 
              'd' 'c' '=' 'f' 'h' '-' 'm' 'u' 
              'e' 'n' 's' 't' 'e' 'r' ',' 'd' 
              'c' '=' 'd' 'e' 
            0x0A 0x01 0x02 
            0x0A 0x01 0x00 
            0x02 0x01 0x00 
            0x02 0x01 0x00 
            0x01 0x01 0x00 
            0xA0 0x2E 
              0xA3 0x19 
                0x04 0x0B 
                  'o' 'b' 'j' 'e' 'c' 't' 'C' 'l' 
                  'a' 's' 's' 
                0x04 0x0A 
                  'p' 'o' 's' 'i' 'x' 'G' 'r' 'o' 
                  'u' 'p' 
              0xA3 0x11 
                0x04 0x09 
                  'g' 'i' 'd' 'N' 'u' 'm' 'b' 'e' 
                  'r' 
                0x04 0x04 
                  '9' '9' '9' '9'
            0x30 0x22 
              0x04 0x06 
                'm' 'e' 'm' 'b' 'e' 'r' 
              0x04 0x02 
                'c' 'n' 
              0x04 0x09 
                'm' 'e' 'm' 'b' 'e' 'r' 'U' 'i' 'd' 
              0x04 0x09 
                'g' 'i' 'd' 'N' 'u' 'm' 'b' 'e' 'r' 
            0xA0 0x32 
              0x30 0x30 
                0x04 0x19 
                  '1.3.6.1.4.1.4203.666.5.16'
                0x04 0x13 
                  0x30 0x11 
                    0x30 0x0F 
                      0x04 0x06 
                        'm' 'e' 'm' 'b' 'e' 'r' 
                      0x30 0x05 
                        0x04 0x03 
                          'u' 'i' 'd'
          

          I spare you the details, but what is important is the end: '1.3.6.1.4.1.4203.666.5.16'. This is the control OID, and a quick look on the Internet gives: https://ldapwiki.com/wiki/LDAP%20Dereference%20Control

          We don't support this control in ApacheDS (https://directory.apache.org/api/user-guide/6.7-control.html)

          However, you should never get an NPE. The cause is those two lines of code:

                     ControlFactory<?> factory = container.getControlFactory();
                     factory.decodeValue( control, value.getData() );
          

          At this point, I think the value is null (to be double checked).

          We can add some check for such a use case and return a more accurate response.

          elecharny Emmanuel Lécharny added a comment -

          This has been fixed in LDAP API 2.0.0-M3. We are currently using LDAP API 2.1.2.
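Added example (not ApacheDS or LDAP API code): a minimal BER walk over the nslcd search request, rebuilt from the dump posted in the comment above, that extracts the request control and applies the RFC 4511 section 4.1.11 rule for controls the server does not recognize. The `SUPPORTED` set and all function names are assumptions made for illustration.

```python
H = bytes.fromhex  # PDU below is rebuilt from the commenter's dump, not read from the pcap
PDU = (H("3081cb 020102 638191 042c") + b"dc=mini-cluster,dc=cosy,dc=fh-muenster,dc=de"
       + H("0a0102 0a0100 020100 020100 010100 a02e a319 040b") + b"objectClass"
       + H("040a") + b"posixGroup" + H("a311 0409") + b"gidNumber" + H("0404") + b"9999"
       + H("3022 0406") + b"member" + H("0402") + b"cn" + H("0409") + b"memberUid"
       + H("0409") + b"gidNumber" + H("a032 3030 0419") + b"1.3.6.1.4.1.4203.666.5.16"
       + H("0413 3011 300f 0406") + b"member" + H("3005 0403") + b"uid")
SUPPORTED = {"1.2.840.113556.1.4.319"}  # assumed set (paged results), not ApacheDS's list

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); reject lengths that overrun the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def children(buf, pos=0):  # yield the (tag, value) members of a constructed value
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def parse_controls(pdu):
    """Return [(oid, critical, value_or_None)]; criticality and value are optional."""
    tag, body, end = read_tlv(pdu, 0)
    if tag != 0x30 or end != len(pdu):
        raise ValueError("not exactly one LDAPMessage")
    found = []
    control_lists = [v for t, v in children(body) if t == 0xA0]  # [0] Controls
    for val in control_lists:
        for ctag, cval in children(val):
            fields = list(children(cval)) if ctag == 0x30 else []
            if not fields or fields[0][0] != 0x04:
                raise ValueError("control without controlType")
            oid, rest = fields[0][1].decode("ascii"), dict(fields[1:])
            found.append((oid, rest.get(0x01, b"\x00") != b"\x00", rest.get(0x04)))
    return found

def disposition(oid, critical, supported=SUPPORTED):
    """RFC 4511 section 4.1.11: what a server does with a request control."""
    if oid in supported:
        return "process"
    return "unavailableCriticalExtension" if critical else "ignore"
```

The value comes back as `None` when a control carries no controlValue, so a caller has to check for it before handing the bytes to any decoder.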

          People

            Assignee: Unassigned
            Reporter: eifoen D. Tervooren