Open Bug 1138592 Opened 10 years ago Updated 2 years ago

No LDAP results when using GSSAPI

Categories

(Thunderbird :: Address Book, defect)

38 Branch
x86_64
Linux
defect

Tracking

(Not tracked)

People

(Reporter: karl, Unassigned)

References

(Depends on 1 open bug)

Details

Hello! I am having an issue using Thunderbird with Stanford's LDAP infrastructure: It seems that when I am using GSSAPI binding, LDAP searches do not return any results.

I have Thunderbird configured to use our LDAP server cluster, with SSL enabled, and using GSSAPI for binding. When I try to search for my name, here is what gets logged:

254719776[7f500e01b260]: entering nsAuthGSSAPI::nsAuthGSSAPI()
254719776[7f500e01b260]: entering nsAuthGSSAPI::Init()
254719776[7f500e01b260]: entering nsAuthGSSAPI::GetNextToken()
254719776[7f500e01b260]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
254719776[7f500e01b260]: pending operation added; total pending operations now = 1
-491792640[7f4fd8fcf0c0]: nsLDAPConnection::RemovePendingOperation(): operation removed
-491792640[7f4fd8fcf0c0]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
-491792640[7f4fd8fcf0c0]: entering nsAuthGSSAPI::GetNextToken()
-491792640[7f4fd8fcf0c0]: leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
-491792640[7f4fd8fcf0c0]: pending operation added; total pending operations now = 1
-491792640[7f4fd8fcf0c0]: nsLDAPConnection::RemovePendingOperation(): operation removed
-491792640[7f4fd8fcf0c0]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
-491792640[7f4fd8fcf0c0]: pending operation added; total pending operations now = 1
-491792640[7f4fd8fcf0c0]: pending operation removed; total pending operations now = 0
254719776[7f500e01b260]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'cn=people,dc=stanford,dc=edu'; aFilter = '(|(mail=*kornel*)(cn=*kornel*)(givenName=*kornel*)(sn=*kornel*))'; aAttributes = description,notes,telephoneNumber,title,sn,surname,mozillaHomeLocalityName,o,company,givenName,mozillaHomeState,mail,mozillaWorkUrl,workurl,labeledURI,mozillaUseHtmlMail,xmozillausehtmlmail,mozillaNickname,xmozillanickname,mobile,cellphone,carphone,modifytimestamp,nsAIMid,nscpaimscreenname,birthyear,c,countryname,mozillaHomeStreet,cn,commonname,postalCode,zip,mozillaCustom1,custom1,mozillaHomeCountryName,st,region,mozillaCustom2,custom2,mozillaSecondEmail,xmozillasecondemail,mozillaHomeStreet2,facsimiletelephonenumber,fax,mozillaCustom3,custom3,homePhone,birthday,street,streetaddress,postOfficeBox,mozillaCustom4,custom4,mozillaHomeUrl,homeurl,l,locality,pager,pagerphone,ou,department,departmentnumber,orgunit,birthmonth,mozillaWorkStreet2,mozillaHomePostalCode,objectClass; aSizeLimit = 100
254719776[7f500e01b260]: pending operation added; total pending operations now = 1
-491792640[7f4fd8fcf0c0]: pending operation removed; total pending operations now = 0

The above query looks correct to me, and the search DN is correct, but I get no results.

If I use `ldapsearch` on command-line, I get results:

ldapsearch -h ldap.stanford.edu -b 'cn=people,dc=stanford,dc=edu' -ZZ "(&(|(mail=*kornel*)(cn=*kornel*)(givenName=*kornel*)(sn=*kornel*)))" mozillaUseHtmlMail xmozillausehtmlmail description notes telephoneNumber title sn surname mozillaHomeLocalityName o company givenName mozillaHomeState mail mozillaWorkUrl workurl labeledURI mozillaNickname xmozillanickname nsAIMid nscpaimscreenname mozillaHomeStreet2 mobile cellphone carphone modifytimestamp birthmonth facsimiletelephonenumber fax birthyear c countryname mozillaHomeStreet ou department departmentnumber orgunit mozillaSecondEmail xmozillasecondemail postalCode zip mozillaCustom1 custom1 mozillaHomeCountryName homePhone st region mozillaCustom2 custom2 pager pagerphone mozillaHomePostalCode mozillaCustom3 custom3 birthday street streetaddress postOfficeBox mozillaCustom4 custom4 mozillaHomeUrl homeurl l locality cn commonname mozillaWorkStreet2 objectClass
SASL/GSSAPI authentication started
SASL username: akkornel@stanford.edu
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=people,dc=stanford,dc=edu> with scope subtree
# filter: (&(|(mail=*kornel*)(cn=*kornel*)(givenName=*kornel*)(sn=*kornel*)))
# requesting: mozillaUseHtmlMail xmozillausehtmlmail description notes telephoneNumber title sn surname mozillaHomeLocalityName o company givenName mozillaHomeState mail mozillaWorkUrl workurl labeledURI mozillaNickname xmozillanickname nsAIMid nscpaimscreenname mozillaHomeStreet2 mobile cellphone carphone modifytimestamp birthmonth facsimiletelephonenumber fax birthyear c countryname mozillaHomeStreet ou department departmentnumber orgunit mozillaSecondEmail xmozillasecondemail postalCode zip mozillaCustom1 custom1 mozillaHomeCountryName homePhone st region mozillaCustom2 custom2 pager pagerphone mozillaHomePostalCode mozillaCustom3 custom3 birthday street streetaddress postOfficeBox mozillaCustom4 custom4 mozillaHomeUrl homeurl l locality cn commonname mozillaWorkStreet2 objectClass
#

<<<snip results from 4 people who aren't me>

# 3bc6201411294b7292c9aea6be293ef6, people, stanford.edu
dn: suRegID=3bc6201411294b7292c9aea6be293ef6,cn=people,dc=stanford,dc=edu
objectClass: person
objectClass: inetOrgPerson
objectClass: suPerson
objectClass: organizationalPerson
sn: kornel
ou: Computing Services
o: University
labeledURI: http://karl.kornel.us/
mobile: <<<snip>>>
mail: akkornel@stanford.edu
homePhone: <<<snip>>>
telephoneNumber: <<<snip>>>
givenName: karl
cn: karl kornel
street: <<<snip>>>
title: System Software Developer
description: Computing Services, System Software Developer
modifyTimestamp: 20150220193612Z

# search result
search: 6
result: 0 Success

# numResponses: 5
# numEntries: 4

I have tested this in Thunderbird 31.4, and also Thunderbird 38.0a2, with the same results.

Something weird: If I change Thunderbird to use anonymous binding (instead of GSSAPI), then I get results. The results I get are pretty useless, because the LDAP server limits what you can see with an anonymous bind, but I do actually get results.

Turning SSL on or off doesn't affect results. Unfortunately, I am not able to get you a packet capture with GSSAPI on but SSL off, because of bug 655074.

Is there a way I can get more detailed LDAP logging from Thunderbird? Or is there any other information you would like me to send you? Either way, please let me know!

Is there a reason you think this is not the same as bug 655074?
Flags: needinfo?(karl)
(In reply to Wayne Mery (:wsmwk) from comment #1)
> Is there a reason you think this is not the same as bug 655074?

I think the error is different because I am seeing different output when I turn SSL off or on.

With GSSAPI binding and SSL off, I get this:

-216611040[7fe5f1e3b260]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-216611040[7fe5f1e3b260]: Attempting to load gss functions
-216611040[7fe5f1e3b260]: entering nsAuthGSSAPI::Init()
-216611040[7fe5f1e3b260]: entering nsAuthGSSAPI::GetNextToken()
-216611040[7fe5f1e3b260]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
-216611040[7fe5f1e3b260]: pending operation added; total pending operations now = 1
-1101060352[7fe5ca941b80]: nsLDAPConnection::RemovePendingOperation(): operation removed
-1101060352[7fe5ca941b80]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
-1101060352[7fe5ca941b80]: entering nsAuthGSSAPI::GetNextToken()
-1101060352[7fe5ca941b80]: leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
-1101060352[7fe5ca941b80]: pending operation added; total pending operations now = 1
-1101060352[7fe5ca941b80]: nsLDAPConnection::RemovePendingOperation(): operation removed
-1101060352[7fe5ca941b80]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0

The connection fails in the binding process.

With SSL on, I get the log that I included in my description: The connection has gone far enough that Thunderbird decides to go ahead and execute the search.

Flags: needinfo?(karl)
Depends on: 655074
Severity: normal → S3
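
A triage script for the two log shapes compared in the comments above, added here as an example; it is not part of the bug report or of Thunderbird's code. The function name `summarize` and the sample log lines are constructed (in the format quoted in this bug), and the `rv=` values are assumed to be printed in hexadecimal.

```python
import re

# Constructed sample lines in the format of the logs quoted in this bug.
BIND_ONLY = """\
-216611040[7fe5f1e3b260]: entering nsAuthGSSAPI::GetNextToken()
-216611040[7fe5f1e3b260]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
-216611040[7fe5f1e3b260]: pending operation added; total pending operations now = 1
-1101060352[7fe5ca941b80]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
-1101060352[7fe5ca941b80]: entering nsAuthGSSAPI::GetNextToken()
-1101060352[7fe5ca941b80]: leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
"""
WITH_SEARCH = BIND_ONLY + """\
-216611040[7fe5f1e3b260]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'cn=people,dc=example,dc=edu'; aFilter = '(cn=*test*)'; aSizeLimit = 100
-216611040[7fe5f1e3b260]: pending operation added; total pending operations now = 1
-1101060352[7fe5ca941b80]: pending operation removed; total pending operations now = 0
"""

LINE = re.compile(r"^(-?\d+)\[([0-9a-f]+)\]: (.*)$")  # "<id>[<thread>]: <message>"
RV = re.compile(r"leaving nsAuthGSSAPI::GetNextToken \[rv=([0-9a-f]+)\]")
PENDING = re.compile(r"total pending operations now = (\d+)")
BASE = re.compile(r"SearchExt\(\): called with aBaseDn = '([^']*)'")

def summarize(log):
    """Report how far a GSSAPI bind + search got, judging only by the log."""
    out = {"token_rvs": [], "search_base": None, "pending_after_search": None, "threads": set()}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a log entry (wrapped text, blank line)
        out["threads"].add(m.group(2))
        msg = m.group(3)
        if (rv := RV.search(msg)):
            out["token_rvs"].append(int(rv.group(1), 16))  # assumed hex
        elif (b := BASE.search(msg)):
            out["search_base"] = b.group(1)
        elif out["search_base"] is not None and (p := PENDING.search(msg)):
            out["pending_after_search"] = int(p.group(1))  # count after the search was issued
    if out["search_base"] is None:
        out["stage"] = "stopped during bind"
    elif out["pending_after_search"] == 0:
        out["stage"] = "search issued, operation closed"
    else:
        out["stage"] = "search issued, still pending"
    return out
```

Feeding it a saved log separates "never reached `SearchExt()`" from "search was sent and its operation was closed", which is the difference the reporter describes between the SSL-off and SSL-on runs.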