(ITS#8970) bind fails when length value is multi-byte
- To: openldap-its@OpenLDAP.org
- Subject: (ITS#8970) bind fails when length value is multi-byte
- From: lit@cbord.com
- Date: Fri, 01 Feb 2019 03:52:35 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Full_Name: Leo Tohill
Version: 2.4.30
OS: Windows 10
URL: https://docs.google.com/document/d/10uKg9Nh3HLiuOzTbLfi6Z7bCfUb8x_Ai6WK5LqNzbwA/edit?usp=sharing
Submission from: (NULL) (74.79.8.41)
Summary: openldap 2.4.30 does not accommodate multi-byte length value on bind
request.
First, I'll admit that I'm out of my depth here: I'm running an older version,
I'm on Windows, and my package was built by I don't know who. But I worked hard
enough to track this down that I want you to know what I found. I might
upgrade, but that's problematic.
At some point my bindings from .NET began failing with "the username or password
is incorrect". But they were correct. I could confirm with various other tools.
I captured the wire traffic to isolate the problem. It turns out that Windows
forms the binding request using a multi-byte length indicator in the request.
OpenLDAP apparently does not accommodate this. I compared to a request
generated by ldapsearch.exe. That request, which succeeds, varies only by
using a single-byte length indicator.
The multi-byte length value should be allowed, right? Isn't it possible to have
a bind request data packet of length > 127? Which would require a multi-byte
length value. Perhaps this was fixed in a later version.
Screenshots of the wire capture here:
https://docs.google.com/document/d/10uKg9Nh3HLiuOzTbLfi6Z7bCfUb8x_Ai6WK5LqNzbwA/edit?usp=sharing
Thanks for any comments.
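
For reference, the two BER length forms the report compares, as an added example that is not part of the original report and not OpenLDAP code: a single-octet-tag TLV reader that accepts both the short (single-byte) and long (multi-byte) definite forms and bounds-checks the declared length. The sample bytes are a constructed anonymous simple bind, not the reporter's capture; `MAX_LEN_OCTETS` and the function names are assumptions of this example.

```python
MAX_LEN_OCTETS = 4  # assumption: refuse length fields wider than 32 bits


def read_ber_length(buf, pos):
    """Return (length, next_pos) for the BER length field at buf[pos]."""
    if pos >= len(buf):
        raise ValueError("truncated: no length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: value 0..127 in one octet
        return first, pos
    if first == 0x80:                     # indefinite form, not used by LDAP (RFC 4511)
        raise ValueError("indefinite length not allowed")
    if first == 0xFF:
        raise ValueError("reserved length octet 0xFF")
    n = first & 0x7F                      # long form: low 7 bits count the length octets
    if n > MAX_LEN_OCTETS:
        raise ValueError("length field too wide")
    if pos + n > len(buf):
        raise ValueError("truncated length field")
    # BER (unlike DER) permits a long form even when the value is below 128.
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one TLV with a single-octet tag."""
    if pos >= len(buf):
        raise ValueError("truncated: no tag octet")
    tag = buf[pos]
    length, body = read_ber_length(buf, pos + 1)
    if body + length > len(buf):          # never trust the declared length
        raise ValueError("declared length exceeds available data")
    return tag, buf[body:body + length], body + length


# Constructed sample: messageID 1, BindRequest(version 3, empty DN, empty simple password)
BODY = bytes.fromhex("020101" "6007" "020103" "0400" "8000")
SHORT_FORM = b"\x30\x0c" + BODY                   # length 12 in one octet
LONG_FORM = b"\x30\x84\x00\x00\x00\x0c" + BODY    # same length in four octets

if __name__ == "__main__":
    for name, msg in (("short", SHORT_FORM), ("long", LONG_FORM)):
        tag, value, end = read_tlv(msg)
        print(name, hex(tag), len(value), value.hex(), end)
```

Both encodings decode to the same tag and the same 12-byte content; only the width of the length field differs.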