ldaptor
TCP Connection not closed if non SSL ldaptor LDAPServer accessed via SSL
I'm using ldaptor for testing the LDAP login routines of my code. The ldaptor LDAPServer acts as server in this use case. One of the test cases is accessing a non-SSL server (ldaptor) via an SSL-configured client (my code).
The server reacts with a log output:
ldaptor.protocols.pureber.UnknownBERTag: BERDecoderContext has no tag 0x16: <LDAPBERDecoderContext_TopLevel identities={0x10: LDAPMessage} fallback=None inherit=<LDAPBERDecoderContext_LDAPMessage identities={0x80: LDAPControls, 0x53: LDAPSearchResultReference} fallback=<LDAPBERDecoderContext identities={0x41: LDAPBindResponse, 0x40: LDAPBindRequest, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: LDAPSearchResultEntry, 0x45: LDAPSearchResultDone, 0x53: LDAPSearchResultReference, 0x83: LDAPReferral, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x4e: LDAPCompareRequest, 0x4f: LDAPCompareResponse} fallback=<BERDecoderContext identities={0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x01: BERBoolean, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None> inherit=<LDAPBERDecoderContext identities={0x41: LDAPBindResponse, 0x40: LDAPBindRequest, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: LDAPSearchResultEntry, 0x45: LDAPSearchResultDone, 0x53: LDAPSearchResultReference, 0x83: LDAPReferral, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x4e: LDAPCompareRequest, 0x4f: LDAPCompareResponse} fallback=<BERDecoderContext identities={0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x01: BERBoolean, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None>>>
and the TCP connection doesn't get closed, which causes the client to never return. (This looks similar to #137).
I tried to debug the code a little bit, it hits the following line in pureber.py:
print(str(UnknownBERTag(i, context))) # TODO
If I add a line afterwards
raise UnknownBERTag(i, context)
the code closes the connection via the general exception handler with a traceback in twisted (not the best solution, but better than now).
Steps to reproduce (tested with Linux Mint 19.3 python 3.6, using ldaptor 19.1.0):
- start ldapserver.py
- On commandline start
ldapsearch -H ldaps://127.0.0.1:10389 -x
- The server outputs the line and the command never returns.
Executing the same command (with 'ldaps' address) on an OpenLDAP server (also configured non-SSL) it returns immediately with
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
(My hack leads to the same result).
Would be great if you could find a proper solution for this.
Thanks a lot
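The tag 0x16 in the log above is not a BER tag at all: it is the TLS record content type for a handshake, i.e. the first byte of the ClientHello the ldaps client sends onto the plaintext port. The following is an added, self-contained example (not ldaptor's code; `StrictLDAPServer`, `RecordingTransport` and `classify_first_byte` are hypothetical names) showing the behaviour the report asks for: an unknown top-level tag raises instead of being printed, a TLS record header is recognised and named in the log, and the server closes the transport so the client does not hang.

```python
# Top-level tags an LDAP server expects on a plaintext port. LDAPMessage is a
# universal constructed SEQUENCE, which is 0x30 on the wire.
KNOWN_TOP_LEVEL_TAGS = {0x30: "LDAPMessage"}

# First byte of a TLS record carrying a handshake message (ClientHello).
TLS_HANDSHAKE_CONTENT_TYPE = 0x16


class UnknownBERTag(Exception):
    """First byte of the buffer is not a known top-level BER tag."""


class TLSOnPlaintextPort(UnknownBERTag):
    """The buffer looks like a TLS record: an ldaps:// client hit an ldap:// port."""


def looks_like_tls_record(data: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake) followed by version major 0x03.
    return len(data) >= 2 and data[0] == TLS_HANDSHAKE_CONTENT_TYPE and data[1] == 0x03


def classify_first_byte(data: bytes) -> str:
    """Return the message type name for a known tag, otherwise raise."""
    if not data:
        raise ValueError("empty buffer")
    tag = data[0]
    if tag in KNOWN_TOP_LEVEL_TAGS:
        return KNOWN_TOP_LEVEL_TAGS[tag]
    if looks_like_tls_record(data):
        raise TLSOnPlaintextPort(
            "received a TLS handshake record (0x16 0x03) on a plaintext LDAP port; "
            "client probably used ldaps:// against an ldap:// listener"
        )
    # Mirrors the message ldaptor prints, but as an exception so callers cannot ignore it.
    raise UnknownBERTag(f"BERDecoderContext has no tag 0x{tag:02x}")


class RecordingTransport:
    """Stand-in for a Twisted transport: only records whether loseConnection was called."""

    def __init__(self):
        self.closed = False

    def loseConnection(self):
        self.closed = True


class StrictLDAPServer:
    """Sketch of a dataReceived path that logs the decode failure and closes the connection."""

    def __init__(self, transport):
        self.transport = transport
        self.log = []

    def dataReceived(self, data: bytes):
        try:
            kind = classify_first_byte(data)
        except UnknownBERTag as exc:
            self.log.append(f"{type(exc).__name__}: {exc}")
            # The fix the report asks for: do not leave the socket open after a decode failure.
            self.transport.loseConnection()
            return None
        return kind


# Constructed sample inputs (not captured traffic):
# - the first bytes of a TLS 1.0-compatible ClientHello record
# - a minimal LDAPMessage(id=1, BindRequest(version 3, anonymous simple bind))
SAMPLE_TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
SAMPLE_LDAP_BIND = b"\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"


def run_sample(data: bytes):
    """Feed one buffer to a fresh server and return (result, transport_closed, log)."""
    transport = RecordingTransport()
    server = StrictLDAPServer(transport)
    result = server.dataReceived(data)
    return result, transport.closed, server.log


if __name__ == "__main__":
    for name, buf in (("ldap bind", SAMPLE_LDAP_BIND), ("tls hello", SAMPLE_TLS_CLIENT_HELLO)):
        print(name, run_sample(buf))
```

With the plaintext bind the server returns "LDAPMessage" and leaves the connection open; with the ClientHello bytes it logs a `TLSOnPlaintextPort` message and closes the transport, which is the equivalent of the "Can't contact LDAP server" result ldapsearch gets from OpenLDAP.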
I believe I am facing the same issue while working with an AD server with SSL. Everything works fine, but I keep seeing this error in the logs right after the proxy sends 'LDAPUnbindRequest':
2020-12-12 16:23:46-0500 [LoggingProxy,0,127.0.0.1] S<-C LDAPMessage(id=3, value=LDAPUnbindRequest(), controls=None)
2020-12-12 16:23:46-0500 [-] BERDecoderContext has no tag 0x8a: <LDAPBERDecoderContext_LDAPMessage identities={0x80: LDAPControls, 0x53: LDAPSearchResultReference} fallback=<LDAPBERDecoderContext identities={0x41: LDAPBindResponse, 0x40: LDAPBindRequest, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: LDAPSearchResultEntry, 0x45: LDAPSearchResultDone, 0x53: LDAPSearchResultReference, 0x83: LDAPReferral, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x4e: LDAPCompareRequest, 0x4f: LDAPCompareResponse} fallback=<BERDecoderContext identities={0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x01: BERBoolean, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None> inherit=<LDAPBERDecoderContext identities={0x41: LDAPBindResponse, 0x40: LDAPBindRequest, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: LDAPSearchResultEntry, 0x45: LDAPSearchResultDone, 0x53: LDAPSearchResultReference, 0x83: LDAPReferral, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x4e: LDAPCompareRequest, 0x4f: LDAPCompareResponse} fallback=<BERDecoderContext identities={0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x01: BERBoolean, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None>>
2020-12-12 16:23:46-0500 [LDAPClient (TLSMemoryBIOProtocol),client] Got unsolicited notification: LDAPExtendedResponse(resultCode=52, errorMessage='00000003: LdapErr: DSID-0C060607, comment: Error decrypting ldap message, data 0, v3839\x00')