LDAP integration missing UNBIND

Infos:

  • Used Zammad version: 3.3
  • Used Zammad installation source: package
  • Operating system: CentOS 7.5 1804 (server), Ubuntu 18.04 (client), Windows 10 (client)
  • Browser + version: Firefox 78.3.1esr 64 bits, Chromium 85.0.4183.121

Expected behavior:

  • The LDAP server should receive an UNBIND operation before closing connections.
    Leaving connections without UNBIND may cause resource leaks and security issues.
    In the OpenLDAP logs we should see the last two log lines:

    Oct 3 16:02:37 localhost slapd[20216]: conn=1323 fd=25 ACCEPT from IP=[::1]:59022 (IP=[::]:389)
    Oct 3 16:02:37 localhost slapd[20216]: conn=1323 op=0 BIND dn="cn=ldapadm,dc=mydomain,dc=local" method=128
    Oct 3 16:02:37 localhost slapd[20216]: conn=1323 op=0 BIND dn="cn=ldapadm,dc=mydomain,dc=local" mech=SIMPLE ssf=0
    Oct 3 16:02:37 localhost slapd[20216]: conn=1323 op=0 RESULT tag=97 err=0 text=
    Oct 3 16:02:37 localhost slapd[20216]: conn=1323 op=1 UNBIND
    Oct 3 16:02:37 localhost slapd[20216]: conn=1323 fd=25 closed

Actual behavior:

  • There is no trace of unbind calls in /opt/zammad/ldap.rb
    In the server log, with the current Zammad 3.3 version, the connection is simply lost, without unbind, in the last log line:

    Oct 3 14:06:20 localhost slapd[20216]: conn=1274 fd=27 ACCEPT from IP=[::1]:58000 (IP=[::]:389)
    Oct 3 14:06:20 localhost slapd[20216]: conn=1274 op=0 BIND dn="cn=ldapadm,dc=mydomain,dc=local" method=128
    Oct 3 14:06:20 localhost slapd[20216]: conn=1274 op=0 BIND dn="cn=ldapadm,dc=mydomain,dc=local" mech=SIMPLE ssf=0
    Oct 3 14:06:20 localhost slapd[20216]: conn=1274 op=0 RESULT tag=97 err=0 text=
    Oct 3 14:06:20 localhost slapd[20216]: conn=1274 op=1 SRCH base="dc=mydomain,dc=local" scope=2 deref=0 filter="(objectClass=posixGroup)"
    Oct 3 14:06:20 localhost slapd[20216]: conn=1274 op=1 SRCH attr=dn member memberuid uniquemember
    Oct 3 14:06:20 localhost slapd[20216]: conn=1274 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Oct 3 14:06:20 localhost slapd[20216]: conn=1274 fd=27 closed (connection lost)

Steps to reproduce the behavior:

  • Configure Zammad with LDAP integration, look into the LDAP server logs (at debug level): missing UNBIND commands and lost connections after every sync

I managed to make Zammad send UNBIND commands by changing two files (one in the Zammad distribution, the other in the Net::LDAP Ruby library). Here are my diffs, in case they can help:

--- /opt/zammad/vendor/bundle/ruby/2.5.0/gems/net-ldap-0.16.1/lib/net/ldap.rb.orig  	2020-09-29 11:37:07.732340840 +0200
+++ /opt/zammad/vendor/bundle/ruby/2.5.0/gems/net-ldap-0.16.1/lib/net/ldap.rb   2020-09-29 11:35:48.471429309 +0200
@@ -968,6 +968,21 @@
    end
   end

+  # LD 20200928
+  def unbind(args = {})
+	instrument "unbind.net_ldap", args do |payload|
+  	@result = use_connection(args) do |conn|
+    	#conn.unbind
+    	message_id = conn.next_msgid
+    	request	= [].to_ber(16 + Net::LDAP::PDU::UnbindRequest)
+    	conn.send(:write, request, nil, message_id)
+  	end
+  	#@result.success?
+	end
+  end
+
   # Modifies the attribute values of a particular entry on the LDAP
   # directory. Takes a hash with arguments. Supported arguments are:
   # :dn :: (the full DN of the entry whose attributes are to be modified)
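Review bot: in the new `unbind` method, `@result` is assigned whatever `conn.send(:write, request, nil, message_id)` returns, and the `#@result.success?` line is left commented out, so after this call the object's result state no longer holds an operation result. An LDAP unbind has no response, so I would not assign `@result` here at all. The write also goes through `send` instead of a direct call, next to a commented-out `#conn.unbind`; a small unbind method on the connection class that this one calls would be cleaner than both. The `# LD 20200928` marker and the mixed tab/space indentation should be cleaned up before this goes upstream to the gem.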


--- /opt/zammad/lib/ldap.rb.orig        2020-09-29 11:33:01.645510982 +0200
+++ /opt/zammad/lib/ldap.rb     2020-09-29 11:23:41.849074027 +0200
@@ -78,6 +78,16 @@
     ) do |entry|
       yield entry
     end
+
+    # LD 29/09/2020 wild try: unbind after search
+    Rails.logger.info 'LD calling unbind'
+    connection.unbind
   end
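Review bot: `connection.unbind` sits after the search block, so if the search or the yielded block raises, the unbind is skipped and the connection is dropped without UNBIND exactly as before; move it into an `ensure`. The `Rails.logger.info 'LD calling unbind'` line would log at info level on every search, so lower it to debug or drop it. Whether callers reuse `connection` after this method returns is not visible in this hunk and needs checking, since an unbind ends the LDAP session.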

Thank you very much, kudos for this great product!
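
A way to check slapd logs for the symptom reported above, as an added example that is not part of the original post and is not Zammad or net-ldap code: it groups log lines by `conn=` id and reports connections that closed without an UNBIND. The function name, the result fields and the sample lines (constructed, following the log format shown in the post) are assumptions.

```ruby
# Added example: find slapd connections that closed without an UNBIND.
# SAMPLE_LOG is constructed; it follows the syslog format shown in the post.
SAMPLE_LOG = <<~LOG
  Oct 3 16:02:37 localhost slapd[20216]: conn=2001 fd=25 ACCEPT from IP=[::1]:50001 (IP=[::]:389)
  Oct 3 16:02:37 localhost slapd[20216]: conn=2001 op=0 BIND dn="cn=example,dc=example,dc=test" method=128
  Oct 3 16:02:37 localhost slapd[20216]: conn=2001 op=0 RESULT tag=97 err=0 text=
  Oct 3 16:02:37 localhost slapd[20216]: conn=2002 fd=27 ACCEPT from IP=[::1]:50002 (IP=[::]:389)
  Oct 3 16:02:37 localhost slapd[20216]: conn=2001 op=1 UNBIND
  Oct 3 16:02:37 localhost slapd[20216]: conn=2001 fd=25 closed
  Oct 3 16:02:38 localhost slapd[20216]: conn=2002 op=0 BIND dn="cn=example,dc=example,dc=test" method=128
  Oct 3 16:02:38 localhost slapd[20216]: conn=2002 op=0 RESULT tag=97 err=0 text=
  Oct 3 16:02:38 localhost slapd[20216]: conn=2002 op=1 SRCH base="dc=example,dc=test" scope=2 deref=0 filter="(objectClass=posixGroup)"
  Oct 3 16:02:38 localhost slapd[20216]: conn=2002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
  Oct 3 16:02:38 localhost slapd[20216]: conn=2002 fd=27 closed (connection lost)
  Oct 3 16:02:39 localhost slapd[20216]: conn=2003 fd=28 ACCEPT from IP=[::1]:50003 (IP=[::]:389)
LOG

# Captures the connection id and the text after the op=/fd= field.
CONN_LINE = /slapd\[\d+\]: conn=(\d+) (?:op=\d+ |fd=\d+ )(.*)$/

# Returns one hash per connection that was closed without an UNBIND.
# Connections still open at the end of the log are not reported.
def connections_without_unbind(log_text)
  state = Hash.new { |h, k| h[k] = { peer: nil, bind_dn: nil, searches: 0, unbind: false } }
  findings = []
  log_text.each_line do |line|
    m = CONN_LINE.match(line)
    next unless m
    id = m[1].to_i
    conn = state[id]
    case m[2]
    when /\AACCEPT from IP=(\S+)/ then conn[:peer] = Regexp.last_match(1)
    when /\ABIND dn="([^"]*)" method=/ then conn[:bind_dn] = Regexp.last_match(1)
    when /\ASRCH base=/ then conn[:searches] += 1
    when /\AUNBIND\b/ then conn[:unbind] = true
    when /\Aclosed(?: \((.*)\))?/
      reason = Regexp.last_match(1) # nil when slapd logs a plain "closed"
      findings << { conn: id, reason: reason }.merge(conn.slice(:peer, :bind_dn, :searches)) unless conn[:unbind]
      state.delete(id) # drop finished connections so a reused id starts clean
    end
  end
  findings
end

connections_without_unbind(SAMPLE_LOG).each do |f|
  puts "conn=#{f[:conn]} peer=#{f[:peer]} bind_dn=#{f[:bind_dn]} searches=#{f[:searches]} closed without UNBIND (#{f[:reason] || 'no reason logged'})"
end
```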

Hello,

thank you for your patience.
Two things:

In terms of Zammad this is a third-party issue, because we rely on the gem being fixed beforehand.
Thanks for your heads up.
