On Thu, 23 May 2013, Simo Sorce wrote:
> On Thu, 2013-05-23 at 10:42 -0400, Simo Sorce wrote:
>> CLDAP fixes for:
>> https://fedorahosted.org/freeipa/ticket/3639
>>
>> Should be pretty straightforward.
>> (pending testing)
>>
>> Alexander,
>> please check they work for your 2012 setup too.
>
> Alexander found a couple of typos and then the patches didn't work for
> him.
> The bug was that I forgot to consider the successful case in the switch
> statement I introduced at the last minute ... silly me.
>
> Tested this new set and works for me, Alexander please confirm.

Works for me now. There is still a slight difference from what we see
against Windows Server 2012.
----------------------------------------------------------------------------------
$ ldapsearch -LL -H cldap://red.bird.clone -b "" -s base '(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00))' netlogon
version: 1
dn:
netlogon::
FwAAAP0DAADBEtlp7qtnRa3yDLzj68BuBGJpcmQFY2xvbmUAwBgDcmVkwBgEQklSRAA
FXFxSRUQAABdEZWZhdWx0LUZpcnN0LVNpdGUtTmFtZQDAOhACAAAAfwAAAQAAAAAAAAAAAAUAAAD/
////
$ ldapsearch -LL -H cldap://red.bird.clone -b "" -s base '(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00)(DnsDOmain=bird.clone))' netlogon
version: 1
dn:
netlogon::
FwAAAP0DAADBEtlp7qtnRa3yDLzj68BuBGJpcmQFY2xvbmUAwBgDcmVkwBgEQklSRAA
FXFxSRUQAABdEZWZhdWx0LUZpcnN0LVNpdGUtTmFtZQDAOhACAAAAfwAAAQAAAAAAAAAAAAUAAAD/
////
$ ldapsearch -LL -H cldap://red.bird.clone -b "" -s base '(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00)(DnsDOmain=bird.clone1))' netlogon
version: 1
dn:
netlogon:
$ ldapsearch -LL -H cldap://red.bird.clone -b "" -s base '(&(NtVer=\00\00\55\00)(AAC=\00\00\00\00)(DnsDOmain=bird.clone))' netlogon
version: 1
dn:
netlogon:
----------------------------------------------------------------------------------
As you can see, incorrect parameters still return empty dn and netlogon
attributes, while Windows Server 2012 returns an empty response:
$ ldapsearch -LL -H cldap://altai.ad.lan -b "" -s base '(&(NtVer=\00\00\00\55\00)(AAC=\00\00\00\00))' netlogon
version: 1
Yet, since for trusts we care about an explicit request with our domain name
_and_ the case when DnsDomain is not specified, everything continues to work.
So ACK.
--
/ Alexander Bokovoy
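
To see what the non-empty netlogon value in the first query above carries, the following Python decodes it. This is an added example, not code from the thread or from FreeIPA; it assumes the field order of NETLOGON_SAM_LOGON_RESPONSE_EX as documented in MS-ADTS, and the dictionary keys are the example's own labels.

```python
import base64
import struct
import uuid

# netlogon value copied from the first ldapsearch output in this thread
NETLOGON_B64 = (
    "FwAAAP0DAADBEtlp7qtnRa3yDLzj68BuBGJpcmQFY2xvbmUAwBgDcmVkwBgEQklSRAA"
    "FXFxSRUQAABdEZWZhdWx0LUZpcnN0LVNpdGUtTmFtZQDAOhACAAAAfwAAAQAAAAAAAAAAAAUAAAD/"
    "////"
)
# Keys are this example's own labels for the eight names, in wire order
NAME_FIELDS = ("forest", "dns_domain", "dns_host", "netbios_domain",
               "netbios_host", "user", "dc_site", "client_site")

def read_name(buf, pos, depth=0):
    """Read one RFC 1035 style compressed name; return (name, next offset)."""
    labels = []
    while pos < len(buf):
        n = buf[pos]
        if n == 0:
            return ".".join(labels), pos + 1
        if n & 0xC0 == 0xC0:  # two-byte pointer to a name stored earlier
            if depth >= 8 or pos + 1 >= len(buf):
                raise ValueError("bad compression pointer")
            target = ((n & 0x3F) << 8) | buf[pos + 1]
            tail, _ = read_name(buf, target, depth + 1)
            return ".".join(labels + ([tail] if tail else [])), pos + 2
        if n & 0xC0 or pos + 1 + n > len(buf):
            raise ValueError("bad label length")
        labels.append(buf[pos + 1:pos + 1 + n].decode("utf-8"))
        pos += 1 + n
    raise ValueError("name runs past end of buffer")

def parse_netlogon_ex(buf):
    """Decode the fixed header, the eight names and the 8-byte trailer."""
    if len(buf) < 40 or struct.unpack_from("<H", buf)[0] != 23:
        raise ValueError("not a LOGON_SAM_LOGON_RESPONSE_EX (opcode 23)")
    flags = struct.unpack_from("<I", buf, 4)[0]
    out = {"flags": flags,
           "domain_guid": str(uuid.UUID(bytes_le=bytes(buf[8:24])))}
    pos = 24
    for field in NAME_FIELDS:
        out[field], pos = read_name(buf, pos)
    # Bytes between the names and the trailer depend on NtVer; skipped here
    trailer = struct.unpack_from("<IHH", buf, len(buf) - 8)
    out.update(zip(("nt_version", "lmnt_token", "lm20_token"), trailer))
    return out

def decode_sample():
    return parse_netlogon_ex(base64.b64decode(NETLOGON_B64))
```

Calling decode_sample() shows the server answering for bird.clone with host red.bird.clone, which is the data a trust peer reads from the ping.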