gvm-libs
LDAPS connection problem
gvm-libs version: main branch
system: Debian Bullseye (with OpenLDAP 2.4.57+dfsg-3+deb11u1)
LDAP authentication using LDAPS is not possible, causing an error:
LDAP anonymous authentication failure: Protocol error
This is caused by a second initialization of the LDAP handle (after StartTLS). After that initialization the LDAP protocol version is set back to 2 (which is not supported on the server in my case). GDB script that was used to find the cause:
set pagination off
break /g/util/ldaputils.c:298
break /g/util/ldaputils.c:300
break /g/util/ldaputils.c:308
set follow-fork-mode child
continue
print (*ldap->ldc).ldc_options.ldo_version
continue
print (*ldap->ldc).ldc_options.ldo_version
continue
print (*ldap->ldc).ldc_options.ldo_version
continue
quit
GDB output:
Breakpoint 1 at 0x7f04c22ff361: file /g/util/ldaputils.c, line 299.
Breakpoint 2 at 0x7f04c22ff37a: file /g/util/ldaputils.c, line 300.
Breakpoint 3 at 0x7f04c22ff3e7: file /g/util/ldaputils.c, line 308.
[Attaching after Thread 0x7f04beb95ac0 (LWP 1590690) fork to child process 1610197]
[New inferior 2 (process 1610197)]
[Detaching after fork from parent process 1590690]
[Inferior 1 (process 1590690) detached]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7f04be6ba700 (LWP 1610198)]
[Switching to Thread 0x7f04beb95ac0 (LWP 1610197)]
Thread 2.1 "gvmd" hit Breakpoint 1, ldap_auth_bind (host=0x55a909de1210 "ADDRESS_REDACTED", userdn=0x55a909dd68e0 "BIND_DN_REDACTED", password=0x55a9180da450 "PASSWORD_REDACTED", force_encryption=1, cacert=0x55a909dee370 "CERTIFICATE_REDACTED"...) at /g/util/ldaputils.c:299
warning: Source file is more recent than executable.
299 ldap_return = ldap_start_tls_s (ldap, NULL, NULL);
$1 = 3
Thread 2.1 "gvmd" hit Breakpoint 2, ldap_auth_bind (host=0x55a909de1210 "ADDRESS_REDACTED", userdn=0x55a909dd68e0 "BIND_DN_REDACTED", password=0x55a9180da450 "PASSWORD_REDACTED", force_encryption=1, cacert=0x55a909dee370 "CERTIFICATE_REDACTED"...) at /g/util/ldaputils.c:300
300 if (ldap_return != LDAP_SUCCESS)
$2 = 3
Thread 2.1 "gvmd" hit Breakpoint 3, ldap_auth_bind (host=0x55a909de1210 "ADDRESS_REDACTED", userdn=0x55a909dd68e0 "BIND_DN_REDACTED", password=0x55a9180da450 "PASSWORD_REDACTED", force_encryption=1, cacert=0x55a909dee370 "CERTIFICATE_REDACTED"...) at /g/util/ldaputils.c:308
308 if (ldap == NULL || ldap_return != LDAP_SUCCESS)
$3 = 2
This can be fixed in the code by the following change:
diff --git a/util/ldaputils.c b/util/ldaputils.c
index a361957c..fbcc1c43 100644
--- a/util/ldaputils.c
+++ b/util/ldaputils.c
@@ -333,8 +333,29 @@ ldap_auth_bind (const gchar *host, const gchar *userdn, const gchar *password,
g_free (ldapuri);
goto fail;
}
+ // Set LDAP version to 3 after initialization
+ ldap_return = ldap_set_option (ldap, LDAP_OPT_PROTOCOL_VERSION, &ldapv3);
+ if (ldap_return != LDAP_SUCCESS)
+ {
+ g_warning ("Aborting, could not set ldap protocol version to 3: %s.",
+ ldap_err2string (ldap_return));
+ g_free (ldapuri);
+ goto fail;
+ }
}
}
+ else
+ {
+ // Set LDAP version to 3 after initialization
+ ldap_return = ldap_set_option (ldap, LDAP_OPT_PROTOCOL_VERSION, &ldapv3);
+ if (ldap_return != LDAP_SUCCESS)
+ {
+ g_warning ("Aborting, could not set ldap protocol version to 3: %s.",
+ ldap_err2string (ldap_return));
+ g_free (ldapuri);
+ goto fail;
+ }
+ }
}
else
g_debug ("LDAP StartTLS initialized.");
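Review bot: the block added inside the force_encryption branch and the block added in the new else branch are identical, so the ldap_set_option (ldap, LDAP_OPT_PROTOCOL_VERSION, &ldapv3) call should be made once, directly after the handle re-initialization that resets the version (the second initialization this issue describes), instead of being duplicated in both branches; that also keeps the g_free (ldapuri) / goto fail error handling in a single place, matching the pattern of the unchanged lines above. The hunk does not show where ldapv3 is declared, so confirm it is in scope at the new call sites and is still the same int that is used for the version setting before ldap_start_tls_s (the GDB trace shows that earlier setting taking effect, $1 = 3, and being lost by line 308, $3 = 2). It would also be worth checking whether the re-initialization of the handle is needed at all, since removing it would fix the version reset without the extra calls.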