Re: Regarding the feature to introduce new LDAP option to set source bind IP address
- To: "Sharma, Ramakant 2. (Nokia - IN/Bangalore)" <ramakant.2.sharma@nokia.com>, "openldap-devel@openldap.org" <openldap-devel@openldap.org>
- Subject: Re: Regarding the feature to introduce new LDAP option to set source bind IP address
- From: Howard Chu <hyc@symas.com>
- Date: Mon, 15 Oct 2018 14:54:27 +0100
- Cc: "Singam, Sudhir \(Nokia - IN/Bangalore\)" <sudhir.singam@nokia.com>
- In-reply-to: <DBXPR07MB46456F012F1440C14CE2D85EEFD0@DBXPR07MB464.eurprd07.prod.outlook.com>
- References: <HE1PR0702MB3564106A1438A27B006F84B1F7260@HE1PR0702MB3564.eurprd07.prod.outlook.com> <HE1PR0702MB35642A0139A575A4CBF69EC3F7390@HE1PR0702MB3564.eurprd07.prod.outlook.com> <HE1PR0702MB3564AC1738FA1C0E59D099C4F7310@HE1PR0702MB3564.eurprd07.prod.outlook.com> <HE1PR0702MB3564EB706F5178CF421F1773F7300@HE1PR0702MB3564.eurprd07.prod.outlook.com> <4bc2fe2d-e103-8795-8691-aafe0d3c80be@symas.com> <HE1PR0702MB3564C326FAFA1711CDF65925F7000@HE1PR0702MB3564.eurprd07.prod.outlook.com> <DBXPR07MB4641DE6D4344507838B00C1EEE00@DBXPR07MB464.eurprd07.prod.outlook.com> <DBXPR07MB46456F012F1440C14CE2D85EEFD0@DBXPR07MB464.eurprd07.prod.outlook.com>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0 SeaMonkey/2.53
Sharma, Ramakant 2. (Nokia - IN/Bangalore) wrote:
> Hi Howard,
>
> Please provide your valuable comments.
>
> Can we start implementation with the proposed design?
Yes this sounds fine to me. I'm guessing no one else on the list has any comments at this point.
>
> BR,
> Ramakant Sharma
>
> -----Original Message-----
> From: Sharma, Ramakant 2. (Nokia - IN/Bangalore)
> Sent: Wednesday, October 10, 2018 2:21 PM
> To: 'hyc@symas.com' <hyc@symas.com>; 'openldap-devel@openldap.org' <openldap-devel@openldap.org>
> Cc: Singam, Sudhir (Nokia - IN/Bangalore) <sudhir.singam@nokia.com>
> Subject: RE: Regarding the feature to introduce new LDAP option to set source bind IP address
>
> Hi Howard,
>
>>> Not sure I understand the value of a list of multiple addresses here.
>
> [Ramakant]: Yes, you are right that there is no use case for multiple IPv4 or multiple IPv6 address settings for an LDAP client. The list can have only one IPv4 and one IPv6 address. The LDAP client will choose either the IPv4 or the IPv6 address for binding, based on the target address type.
>
>>> Seems like these should be char* arrays, especially since we already have str2charray().
> [Ramakant]: Modified as per comment and now only one variable will hold both IPv4 and IPv6.
>
>>> What specific LDAP API error code will be returned in each instance?
> [Ramakant]: We are planning to re-use "LDAP_CONNECT_ERROR".
>
> Please find the updated content below, after the above comments.
>
> "
> *Requirement:*
>
> User shall be able to set IPv4/IPv6 socket bind address to be able to route the LDAP traffic via desired network interface. Based on the target IP address type, matching IP address will be picked for explicit binding at client side.
>
> *Work items:*
> 1. *LDAP option to set the IPv4/IPv6 socket bind addresses.*
> /Format: space separated list of IP addresses/
>
> New configuration option LDAP_OPT_SOCKET_BIND_ADDRESSES (0x5013) will be introduced (in ldap.h) to be used via ldap_set_option.
>
> For example,
>
> char* p = "10.24.56.34 2001:0db8:85a3:0000:0000:8a2e:0370:7334";
> ldap_set_option(NULL, LDAP_OPT_SOCKET_BIND_ADDRESSES, p);
>
> Bind addresses can also be provided in the ldap.conf file via the option "SOCKET_BIND_ADDRESSES".
>
> Valid examples:
>
> SOCKET_BIND_ADDRESSES 10.24.56.45 2001:0db8:85a3:0000:0000:8a2e:0370:7334
> SOCKET_BIND_ADDRESSES 10.24.56.45
> SOCKET_BIND_ADDRESSES 2001:0db8:85a3:0000:0000:8a2e:0370:7334
> SOCKET_BIND_ADDRESSES 2001:0db8:85a3:0000:0000:8a2e:0370:7334 10.24.56.45
>
> Invalid examples:
> SOCKET_BIND_ADDRESSES 2001:0db8:85a3:0000:0000:8a2e:0370:7334 2001:0db8:85a3:0000:0000:8a2e:0370:7335
> SOCKET_BIND_ADDRESSES 10.24.56.45 10.24.56.47
>
> Note:
> Option set to ldap handle will override the global option.
> Setting the option multiple times will override the previous values but does not append.
>
> 2. *Parsing & validations*
>
> Space separated IP addresses will be parsed & validated.
> Basic syntax validation will be done for IPv4 or IPv6 addresses. If there is any error, setting the option will fail and the LDAP client will use the default IP address or the previously successfully validated IP addresses provided by set option.
> If multiple IPv4 or multiple IPv6 addresses are set, validation will fail.
>
> "ldapoptions" structure in ldap-int.h will be modified to add new variable to hold given IPv4 and IPv6 address.
> char** ldo_local_IP_addresses
>
> A new function ldap_options_parseBindAddress() will be introduced in options.c to parse, validate and store the IP address to the "ldo_local_IP_addresses" variable. This function will be similar to ldap_url_parseHosts.
> If parseBindAddress() fails to parse & validate the addresses successfully then previously set IP address will not be overwritten. If there were no previous address then default kernel address will be used during connection.
>
> 3. *Using Bind IP addresses during connection*
>
> File: os-ip.c
> Function: ldap_connect_to_host
> - After the connection socket is created (ldap_int_socket) and before it is connected (ldap_pvt_connect).
> Check the target address family type. If it is AF_INET, the IPv4 bind address will be used from the list.
> - If the list is empty, meaning no addresses were provided by the user, then the default kernel-provided address will be used for binding the interface.
> - If the list is not empty and it is not possible to bind to the provided IPv4 address, the connection will fail.
> - If the list is not empty and it just contains an IPv6 address, then the default kernel-provided IPv4 address will be used for binding the interface.
> If it is AF_INET6, the IPv6 bind address will be used from the list.
> - If the list is not empty and it is not possible to bind to the provided IPv6 address, the connection will fail.
> - If the list is not empty and it just contains an IPv4 address, then the default kernel-provided IPv6 address will be used for binding the interface.
> - If the list is empty, the LDAP client will continue to use the kernel-provided IPv6 address.
>
> "
> BR,
> Ramakant Sharma
> Technical Lead
> Nokia Networks, Bangalore
>
> -----Original Message-----
> From: Howard Chu <hyc@symas.com>
> Sent: Thursday, September 06, 2018 9:18 PM
> To: Singam, Sudhir (Nokia - IN/Bangalore) <sudhir.singam@nokia.com>; 'openldap-devel@openldap.org' <openldap-devel@openldap.org>
> Cc: Sharma, Ramakant 2. (Nokia - IN/Bangalore) <ramakant.2.sharma@nokia.com>
> Subject: Re: Regarding the feature to introduce new LDAP option to set source bind IP address
>
> Singam, Sudhir (Nokia - IN/Bangalore) wrote:
>> Hi Howard,
>>
>> Any comments ??
>
>>
>> Hi,
>>
>> Can we go ahead and implement this ??
>>
>> *Regards,*
>> *Sudhir Singam*
>>
>> *DELIVERING BEST-IN-CLASS PLATFORM is our vision*
>>
>>
>> _____________________________________________
>> *From:* Singam, Sudhir (Nokia - IN/Bangalore)
>> *Sent:* Wednesday, August 08, 2018 8:48 AM
>> *To:* openldap-devel@openldap.org
>> *Cc:* Sharma, Ramakant 2. (Nokia - IN/Bangalore) <ramakant.2.sharma@nokia.com>
>> *Subject:* Regarding the feature to introduce new LDAP option to set source bind IP address
>>
>>
>> Hi,
>>
>> NOKIA has taken up this small feature for contribution. Previously a patch was submitted via ITS#8847 but it was rejected, to take a different approach.
>> Now I have raised ITS#8893. We want to conclude on the approach before taking it up for implementation. Please kindly let us know if the following approach is OK, and if you have any comments.
>>
>> *Requirement:*
>>
>> User shall be able to set multiple IPv4/IPv6 socket bind addresses, to be able to route the LDAP traffic via the desired network interface. Based on the target IP address type, the first matching and valid source IP address will be picked for explicit binding at client side.
>
> Not sure I understand the value of a list of multiple addresses here.
>>
>> *Work items:*
>>
>>
>> 1. *LDAP option to set the IPv4/IPv6 socket bind addresses.*
>>
>> /Format: space separated list of IP addresses/
>>
>> New configuration option LDAP_OPT_SOCKET_BIND_ADDRESSES (0x5013) will be introduced (in ldap.h) to be used via ldap_set_option.
>>
>> For example,
>>
>> char* p = "10.24.56.34 2001:0db8:85a3:0000:0000:8a2e:0370:7334";
>> ldap_set_option(NULL, LDAP_OPT_SOCKET_BIND_ADDRESSES, p);
>>
>> Bind addresses can also be provided in ldap.conf file via the option
>> "SOCKET_BIND_ADDRESSES", for example,
>>
>> SOCKET_BIND_ADDRESSES 10.24.56.45 10.24.56.46 2001:0db8:85a3:0000:0000:8a2e:0370:7334
>>
>> Note:
>> Option set to ldap handle will override the global option.
>> Setting the option multiple times will override the previous values but does not append.
>>
>>
>> 2. *Parsing & validations*
>>
>>
>> Space separated IP addresses will be parsed & validated. IPv4 and IPv6 addresses are stored separately for ease of access during connection.
>> Basic syntax validation will be done for IPv4 or IPv6 addresses. If there is any error, setting the option will fail and the LDAP client will use the default IP address.
>>
>> "ldapoptions" structure in ldap-int.h will be modified to add new members:
>> "char *ldo_local_IPV4_addresses" -> to hold client local IPv4 bind addresses
>> "char *ldo_local_IPV6_addresses" -> to hold client local IPv6 bind addresses
>
> Seems like these should be char* arrays, especially since we already have str2charray().
>
>> A new function ldap_options_parseBindAddress() will be introduced in options.c to parse, validate and store the IP addresses to the respective variables. This function will be similar to ldap_url_parseHosts.
>>
>> Memory for ldo_local_IPV4_addresses & ldo_local_IPV6_addresses is dynamically allocated in the form of an array for easy access. On any validation failure, no new memory will be allocated and the existing values will be retained.
>>
>>
>> 3. *Using Bind IP addresses during connection*
>>
>>
>> File: os-ip.c
>> Function: ldap_connect_to_host
>> - After the connection socket is created (ldap_int_socket) and before it is connected (ldap_pvt_connect).
>> Check the target address family type. If it is AF_INET, the IPv4 bind address list will be used.
>> - If the list is empty and the LDAP option was set successfully earlier (IPv6 was set), binding will fail and an error is returned.
>> - If the list is not empty and it is not possible to bind to any of the provided IPv4 addresses, the connection will fail.
>> - If the list is empty and the LDAP option setting failed earlier (during syntax validation), the LDAP client will continue to use the kernel-provided IPv4 address.
>> If it is AF_INET6, the IPv6 bind address list will be used.
>> - If the list is empty and the LDAP option was set successfully earlier (IPv4 was set), binding will fail and an error is returned.
>> - If the list is not empty and it is not possible to bind to any of the provided IPv6 addresses, the connection will fail.
>> - If the list is empty and the LDAP option setting failed earlier (during syntax validation), the LDAP client will continue to use the kernel-provided IPv6 address.
>
> What specific LDAP API error code will be returned in each instance?
>
>>
>> *Regards,*
>> *Sudhir Singam*
>>
>> *DELIVERING BEST-IN-CLASS PLATFORM is our vision*
>>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
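The parse/validate step (work item 2) and the family-matching bind selection (work item 3) from the quoted design, as an added C example; this is not OpenLDAP's code, the `bind_addrs` struct and both function names are hypothetical, and it validates tokens with `inet_pton` rather than the library's own helpers:

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <string.h>

/* Hypothetical holder for the parsed bind addresses: at most one address per
 * family, mirroring the "one IPv4 and one IPv6" rule in the quoted design. */
struct bind_addrs { int have_v4, have_v6; struct in_addr v4; struct in6_addr v6; };

/* Parse a space-separated list such as "10.24.56.34 2001:db8::1". Returns 0 on
 * success; returns -1 and leaves *out untouched if a token is not a valid
 * address or a family appears twice, so an earlier good value survives. */
int parse_bind_addresses(const char *list, struct bind_addrs *out)
{
    struct bind_addrs tmp = {0}; char buf[512], *tok;
    struct in_addr a4; struct in6_addr a6;  /* scratch: inet_pton may write on failure */
    if (!list || strlen(list) >= sizeof buf) return -1;
    strcpy(buf, list);
    for (tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (inet_pton(AF_INET, tok, &a4) == 1) {
            if (tmp.have_v4) return -1;     /* second IPv4 address: invalid */
            tmp.have_v4 = 1; tmp.v4 = a4;
        } else if (inet_pton(AF_INET6, tok, &a6) == 1) {
            if (tmp.have_v6) return -1;     /* second IPv6 address: invalid */
            tmp.have_v6 = 1; tmp.v6 = a6;
        } else {
            return -1;                      /* neither family parses */
        }
    }
    *out = tmp;
    return 0;
}

/* Fill the sockaddr to bind() after socket() and before connect() for a target of
 * family af. Returns 1 if an explicit source address was chosen, 0 if the kernel
 * default applies (list empty, or no address of the target's family). */
int choose_bind_addr(const struct bind_addrs *ba, int af,
                     struct sockaddr_storage *ss, socklen_t *len)
{
    struct sockaddr_in *s4 = (struct sockaddr_in *)ss;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;
    memset(ss, 0, sizeof *ss);
    if (af == AF_INET && ba->have_v4) {
        s4->sin_family = AF_INET; s4->sin_addr = ba->v4; *len = sizeof *s4; return 1;
    }
    if (af == AF_INET6 && ba->have_v6) {
        s6->sin6_family = AF_INET6; s6->sin6_addr = ba->v6; *len = sizeof *s6; return 1;
    }
    return 0;
}
```

A caller that gets 1 back would `bind()` the fresh socket to `ss` before `connect()` and map a bind failure to LDAP_CONNECT_ERROR as the thread proposes; a 0 means fall through to the kernel default exactly as the design's "list empty" and "only the other family given" cases require.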