On Thu, 23 May 2013, Simo Sorce wrote:
> On Thu, 2013-05-23 at 10:42 -0400, Simo Sorce wrote:
> > CLDAP fixes for:
> > https://fedorahosted.org/freeipa/ticket/3639
> >
> > Should be pretty straightforward.
> > (pending testing)
> >
> > Alexander,
> > please check they work for your 2012 setup too.
>
> Alexander found a couple of typos and then the patches didn't work for
> him.
>
> The bug was that I forgot to consider the successful case in the switch
> statement I introduced at the last minute ... silly me.
>
> Tested this new set and works for me, Alexander please confirm.

Works for me now. There is still a slight difference from what we see
against Windows Server 2012.

----------------------------------------------------------------------------------
$ ldapsearch -LL -H cldap://red.bird.clone -b "" -s base '(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00))' netlogon
version: 1

dn:
netlogon::
FwAAAP0DAADBEtlp7qtnRa3yDLzj68BuBGJpcmQFY2xvbmUAwBgDcmVkwBgEQklSRAA
 FXFxSRUQAABdEZWZhdWx0LUZpcnN0LVNpdGUtTmFtZQDAOhACAAAAfwAAAQAAAAAAAAAAAAUAAAD/
 ////

$ ldapsearch -LL -H cldap://red.bird.clone -b "" -s base '(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00)(DnsDOmain=bird.clone))' netlogon
version: 1

dn:
netlogon::
FwAAAP0DAADBEtlp7qtnRa3yDLzj68BuBGJpcmQFY2xvbmUAwBgDcmVkwBgEQklSRAA
 FXFxSRUQAABdEZWZhdWx0LUZpcnN0LVNpdGUtTmFtZQDAOhACAAAAfwAAAQAAAAAAAAAAAAUAAAD/
 ////

$ ldapsearch -LL -H cldap://red.bird.clone -b "" -s base '(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00)(DnsDOmain=bird.clone1))' netlogon
version: 1

dn:
netlogon:

$ ldapsearch -LL -H cldap://red.bird.clone -b "" -s base '(&(NtVer=\00\00\55\00)(AAC=\00\00\00\00)(DnsDOmain=bird.clone))' netlogon
version: 1

dn:
netlogon:
----------------------------------------------------------------------------------

As you can see, incorrect parameters still return empty dn and netlogon
attributes, while Windows Server 2012 returns an empty response:

$ ldapsearch  -LL -H cldap://altai.ad.lan -b "" -s base '(&(NtVer=\00\00\00\55\00)(AAC=\00\00\00\00))' netlogon
version: 1

Yet, since for trusts we care about an explicit request with our domain name
_and_ the case when DnsDomain is not specified, everything continues to work.

So ACK.

--
/ Alexander Bokovoy
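
Decoding the base64 `netlogon::` values makes replies from different servers easier to compare field by field. The following is an added example, not part of the original mail or of the FreeIPA patches: a small Python decoder for the extended netlogon reply layout (opcode 23), run on a constructed reply for the hypothetical domain example.test; the function names and field labels are this example's own.

```python
import base64, struct, uuid
LOGON_SAM_LOGON_RESPONSE_EX = 23  # opcode of the extended netlogon reply
NAMES = ("forest", "dns_domain", "dns_host", "nb_domain", "nb_host", "user", "dc_site", "client_site")

def read_name(buf, off):
    """Read one RFC 1035-style compressed name; return (name, next offset)."""
    labels, resume, hops = [], None, 0
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:                      # pointer to an earlier name
            resume = off + 2 if resume is None else resume
            off = ((n & 0x3F) << 8) | buf[off + 1]
            hops += 1
            if hops > 16:                         # malformed input: pointer loop
                raise ValueError("compression pointer loop")
        elif n == 0:                              # end of name
            return ".".join(labels), (off + 1 if resume is None else resume)
        else:
            labels.append(buf[off + 1:off + 1 + n].decode("utf-8", "replace"))
            off += 1 + n

def parse_netlogon(buf):
    """Decode the netlogon attribute value; an empty value yields None."""
    if not buf:
        return None
    try:
        opcode, _sbz, flags = struct.unpack_from("<HHI", buf, 0)
        if opcode != LOGON_SAM_LOGON_RESPONSE_EX:
            raise ValueError("unexpected opcode %d" % opcode)
        out = {"flags": flags, "domain_guid": uuid.UUID(bytes_le=bytes(buf[8:24]))}
        off = 24
        for field in NAMES:
            out[field], off = read_name(buf, off)
        tail = struct.unpack_from("<IHH", buf, len(buf) - 8)  # always the last 8 bytes
        out.update(zip(("nt_version", "lmnt_token", "lm20_token"), tail))
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated netlogon response") from exc
    return out

def from_ldif(value):
    """Join the wrapped lines of a base64 'netlogon::' value and decode it."""
    return base64.b64decode("".join(value.split()))

def sample():
    """Constructed reply for example.test (not the data shown in the mail)."""
    b = struct.pack("<HHI", 23, 0, 0x3FD) + bytes(16)
    b += b"\x07example\x04test\x00" + b"\xc0\x18" + b"\x03dc1\xc0\x18"
    b += b"\x07EXAMPLE\x00" + b"\x03DC1\x00" + b"\x00" + b"\x04Site\x00\xc0\x3d"
    return b + struct.pack("<IHH", 5, 0xFFFF, 0xFFFF)
```

Feed `parse_netlogon()` the bytes from `from_ldif()` on a `netlogon::` value; an attribute that is present but has no value decodes to `None`.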
