Net::LDAP::Extension::Refresh doesn't understand response from server


Zeus Panchenko

Dec 26, 2017, 9:00:06 AM
to perl...@perl.org

hi,

while playing with refresh()/get_ttl() I found that
Net::LDAP::Extension::Refresh doesn't understand the OpenLDAP server reply
in the case where the option dds-max-ttl is less than the ttl I want to set with
refresh()

if in slapd.conf I set `dds-max-ttl 1d' and try to refresh the ttl to
5754911 with:

ldapexop ... "refresh" "uid=..." 5754911

I receive:

ldap_parse_result: Size limit exceeded (4)
additional info: time-to-live for dynamicObject exceeds limit


but code with Net::LDAP::Extension::Refresh spawns this:

Use of uninitialized value $end in numeric ge (>=) at /usr/local/lib/perl5/site_perl/Convert/ASN1/_decode.pm line 626.
Use of uninitialized value $end in numeric eq (==) at /usr/local/lib/perl5/site_perl/Convert/ASN1/_decode.pm line 63.

after setting dds-max-ttl to some big enough value, the same code works well
--
Zeus V. Panchenko jid:ze...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)

Peter Marschall

Dec 28, 2017, 7:15:02 AM
to perl...@perl.org, Zeus Panchenko
Hi Zeus,

On Tuesday, 26 December 2017, 14:49:10 CET, Zeus Panchenko wrote:
> while playing with refresh()/get_ttl() I found that
> Net::LDAP::Extension::Refresh doesn't understand the OpenLDAP server reply
> in the case where the option dds-max-ttl is less than the ttl I want to set with
> refresh()
>
> if in slapd.conf I set `dds-max-ttl 1d' and try to refresh ttl ->
> 5754911 with:
>
> ldapexop ... "refresh" "uid=..." 5754911
>
> I receive:
>
> ldap_parse_result: Size limit exceeded (4)
> additional info: time-to-live for dynamicObject exceeds limit
>
>
> but code with Net::LDAP::Extension::Refresh spawns this:
>
> Use of uninitialized value $end in numeric ge (>=) at /usr/local/lib/perl5/site_perl/Convert/ASN1/_decode.pm line 626.
> Use of uninitialized value $end in numeric eq (==) at /usr/local/lib/perl5/site_perl/Convert/ASN1/_decode.pm line 63.
This error message looks like it comes from Convert::ASN1,
complaining about the variable $end not being defined.

Have you tried patching /usr/local/lib/perl5/site_perl/Convert/ASN1/_decode.pm?
Here's what I'd try as a first idea:

-------- 8< snip >8 --------
--- _decode.pm 2014-06-25 20:47:34.000000000 +0200
+++ _decode.pm 2017-12-28 12:56:46.360571473 +0100
@@ -49,6 +49,8 @@
my ($optn, $ops, $stash, $pos, $end, $seqof, $larr) = @_;
my $idx = 0;

+ $end = 0 unless defined $end;
+
# we try not to copy the input buffer at any time
foreach my $buf ($_[-1]) {
OP:
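Review bot: defaulting `$end` to 0 at the top of `_decode` only silences the warning; the actual fault is a caller handing `_decode` an undefined end offset, and with `$end` forced to 0 the loop over the input buffer does no work and the caller receives an empty result instead of a diagnostic. Fail loudly at the entry point instead, e.g. `die "decode error: undefined end offset" unless defined $end;`, or better, fix the caller so it never passes undef.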
@@ -623,6 +625,8 @@
sub _decode_tl {
my($pos,$end,$larr) = @_[1,2,3];

+ $end = 0 unless defined $end;
+
return if $pos >= $end;

my $indef = 0
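Review bot: the same silent default in `_decode_tl` makes `return if $pos >= $end;` true on every call where `$end` was undefined, so `_decode_tl` returns nothing and the `==` warning from line 63 just moves to whatever consumes that empty result. The PS about affecting other parts of perl-ldap is the right worry: this alters behaviour for every Convert::ASN1 user, so the fix belongs where the undefined value originates, not in the shared decoder.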
-------- 8< snip >8 --------

Does it change the results?
PS: no warranty - it may affect other parts of perl-ldap as well


> after setting dds-max-ttl to some big enough value, same code works well
Do I get it right, that only the error case (i.e. setting the ttl to a higher
value than allowed) fails, while the correct case (setting the ttl to a value
within the bounds allowed) works?

In any case, can you provide a minimal test case that allows reproducing the
success and failure cases?

Thanks in advance
Peter

--
Peter Marschall
pe...@adpm.de

Zeus Panchenko

Dec 28, 2017, 8:15:03 AM
to Peter Marschall, perl...@perl.org
Peter Marschall <pe...@adpm.de> wrote:
> Have you tried patching /usr/local/lib/perl5/site_perl/Convert/ASN1/_decode.pm?
> Here's what I'd try as a first idea:

not yet, will check it

> > after setting dds-max-ttl to some big enough value, same code works well
> Do I get it right, that only the error case (i.e. setting the ttl to a higher
> value than allowed) fails, while the correct case (setting the ttl to a value
> within the bounds allowed) works?

yes, you do

> In any case, can you provde a minimal test case that allows reporducing the
> success and failure cases?!

below are the details

I was trying to refresh from now (2017.12.27 14:44) to 2018.07.07 07:00

as a result, the object was indeed created with the dds-default-ttl ttl, but
get_ttl() issued just after the refresh() didn't recognize that

---[ slapd.conf quotation start ]-------------------------------------------
...
overlay dds
dds-max-ttl 3d
dds-min-ttl 30m
dds-default-ttl 1h
dds-interval 120s
dds-tolerance 5s
...
---[ slapd.conf quotation end ]-------------------------------------------


---[ code quotation start ]-------------------------------------------
...
use Data::Printer;
use Net::LDAP::Extension::Refresh;   # provides Net::LDAP::refresh() and get_ttl()
...
# Wrapper around the RFC 2589 refresh extended operation as used from LDAP_CRUD;
# $self->ldap is the bound Net::LDAP object, $requestTtl is in seconds.
sub refresh {
  my ($self, $entryName, $requestTtl) = @_;
  p $entryName; p $requestTtl;            # debug: DN and requested TTL
  my $callername = (caller(1))[3];
  $callername = 'main' if ! defined $callername;
  my ($return, $msg);

  $msg = $self->ldap->refresh( entryName => $entryName, requestTtl => $requestTtl );
  p my $ttl = "refresh TTL: " . $msg->get_ttl();   # get_ttl() is read before the result code is checked
  p $ttl .= $msg->error() if $msg->code();
  if ($msg->code) {
    $return = $self->err( $msg );
    $return->{caller} = 'call to LDAP_CRUD->refresh from ' . $callername . ': ';
  } else {
    $return->{success} = $msg->get_ttl();
  }
  return $return;
}
...
---[ code quotation end ]-------------------------------------------


---[ debug quotation start ]-------------------------------------------
Printing in line 895 of /storage/work-stuff/Catalyst/UMI/script/../lib/LDAP_CRUD.pm:
"authorizedService=w...@borg.startrek.in,uid=naf.nafus3,ou=People,dc=umidb"
Printing in line 895 of /storage/work-stuff/Catalyst/UMI/script/../lib/LDAP_CRUD.pm:
16481774
Use of uninitialized value $end in numeric ge (>=) at /usr/local/lib/perl5/site_perl/Convert/ASN1/_decode.pm line 626, <DATA> line 1063.
Use of uninitialized value $end in numeric eq (==) at /usr/local/lib/perl5/site_perl/Convert/ASN1/_decode.pm line 63, <DATA> line 1063.
Use of uninitialized value in concatenation (.) or string at /storage/work-stuff/Catalyst/UMI/script/../lib/LDAP_CRUD.pm line 901, <DATA> line 1063.
Printing in line 901 of /storage/work-stuff/Catalyst/UMI/script/../lib/LDAP_CRUD.pm:
"refresh TTL: "
Printing in line 902 of /storage/work-stuff/Catalyst/UMI/script/../lib/LDAP_CRUD.pm:
"refresh TTL: time-to-live for dynamicObject exceeds limit"
Printing in line 895 of /storage/work-stuff/Catalyst/UMI/script/../lib/LDAP_CRUD.pm:
"uid=naf.n...@borg.startrek.in,authorizedService=w...@borg.startrek.in,uid=naf.nafus3,ou=People,dc=umidb"
Printing in line 895 of /storage/work-stuff/Catalyst/UMI/script/../lib/LDAP_CRUD.pm:
16481774
Use of uninitialized value $end in numeric ge (>=) at /usr/local/lib/perl5/site_perl/Convert/ASN1/_decode.pm line 626, <DATA> line 1133.
Use of uninitialized value $end in numeric eq (==) at /usr/local/lib/perl5/site_perl/Convert/ASN1/_decode.pm line 63, <DATA> line 1133.
Use of uninitialized value in concatenation (.) or string at /storage/work-stuff/Catalyst/UMI/script/../lib/LDAP_CRUD.pm line 901, <DATA> line 1133.
Printing in line 901 of /storage/work-stuff/Catalyst/UMI/script/../lib/LDAP_CRUD.pm:
"refresh TTL: "
Printing in line 902 of /storage/work-stuff/Catalyst/UMI/script/../lib/LDAP_CRUD.pm:
"refresh TTL: time-to-live for dynamicObject exceeds limit"
---[ debug quotation end ]-------------------------------------------

Peter Marschall

Dec 28, 2017, 3:15:02 PM
to perl...@perl.org, Zeus Panchenko
Hi,

On Thursday, 28 December 2017, 13:58:10 CET, Zeus Panchenko wrote:
> Peter Marschall <pe...@adpm.de> wrote:
> > Have you tried patching /usr/local/lib/perl5/site_perl/Convert/ASN1/_decode.pm?
Digging a bit deeper, I don't think Convert::ASN1 is the issue.

The issue is indeed in Net::LDAP::Extension::Refresh,
and the following patch should fix it:

---------------------------[ snip]---------------------------
--- a/lib/Net/LDAP/Extension/Refresh.pm
+++ b/lib/Net/LDAP/Extension/Refresh.pm
@@ -14,7 +14,7 @@ $refreshReq->prepare(q<SEQUENCE {

my $refreshResp = Convert::ASN1->new;
$refreshResp->prepare(q<SEQUENCE {
- responseTtl [0] INTEGER
+ responseTtl [1] INTEGER
}>);

sub Net::LDAP::refresh {
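Review bot: the new tag matches RFC 2589 section 4.2 (RefreshResponseValue ::= SEQUENCE { responseTtl [1] INTEGER }), so this is the right fix, but a regression test that decodes a fixed RefreshResponseValue byte string through $refreshResp would keep the tag from drifting again. Since the hunk changes only the schema, the decode in get_ttl() still depends on a responseValue being present; the warnings reported earlier in this thread show up only in the error case, so get_ttl() should return undef when the message carries a non-zero result code or no response value rather than decoding an empty buffer.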
---------------------------[ snip]---------------------------

This should fix the get_ttl() method, and will be in the next release of perl-ldap.

As a side note:
> $msg = $self->ldap->refresh ( ... );
> my $ttl = "refresh TTL: " . $msg->get_ttl();
> $ttl .= $msg->error() if $msg->code();

In your code, you assign to $ttl before checking that the extended operation
returned success.
Please check for errors first.

Hope that helped

Best
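As an added example, not code from perl-ldap or from either poster, the following Perl script shows the two points of the reply above against a constructed RefreshResponseValue: the RFC 2589 schema with responseTtl [1] decodes the bytes while the pre-fix [0] schema does not, and a get_ttl-style accessor that checks the result code and the presence of a responseValue before handing anything to the decoder. The helper name ttl_from_response, the plain-hash stand-in for a Net::LDAP::Message, the modelling of the failing case as carrying no responseValue, and the sample TTL of 3600 seconds are assumptions made so it runs offline; Convert::ASN1 must be installed.

```perl
#!/usr/bin/env perl
# Added example, not perl-ldap code: RFC 2589 RefreshResponseValue handling
# with Convert::ASN1, plus a get_ttl-style accessor that checks for errors first.
use strict;
use warnings;
use Convert::ASN1;

# RFC 2589, section 4.2:
#   RefreshResponseValue ::= SEQUENCE { responseTtl [1] INTEGER }
my $resp_rfc = Convert::ASN1->new;
$resp_rfc->prepare(q<SEQUENCE { responseTtl [1] INTEGER }>)
    or die 'prepare: ' . $resp_rfc->error;

# The schema perl-ldap used before the fix in this thread (context tag [0]).
my $resp_old = Convert::ASN1->new;
$resp_old->prepare(q<SEQUENCE { responseTtl [0] INTEGER }>)
    or die 'prepare: ' . $resp_old->error;

# Constructed sample (assumption: a TTL of 3600 s), encoded as a conforming
# server would send it: SEQUENCE { [1] IMPLICIT INTEGER 3600 }.
my $value = $resp_rfc->encode(responseTtl => 3600)
    or die 'encode: ' . $resp_rfc->error;
printf "wire bytes: %s\n", join ' ', map { sprintf '%02x', $_ } unpack 'C*', $value;

# The same bytes through both schemas: only the RFC tag yields a TTL.
my $ok  = $resp_rfc->decode($value);
my $bad = $resp_old->decode($value);
printf "[1] schema: %s\n", defined $ok  ? "responseTtl=$ok->{responseTtl}"  : 'decode failed: ' . $resp_rfc->error;
printf "[0] schema: %s\n", defined $bad ? "responseTtl=$bad->{responseTtl}" : 'decode failed: ' . $resp_old->error;

# Hypothetical get_ttl-style accessor. $mesg stands in for a Net::LDAP::Message
# (code/error/response) as a plain hash so this runs without a server. Returns
# (ttl, undef) on success and (undef, reason) otherwise, and never passes an
# absent or empty responseValue to the decoder.
sub ttl_from_response {
    my ($mesg) = @_;
    if ($mesg->{code}) {
        return (undef, "refresh failed (code $mesg->{code}): $mesg->{error}");
    }
    return (undef, 'server returned no responseValue')
        unless defined $mesg->{response} && length $mesg->{response};
    my $out = $resp_rfc->decode($mesg->{response})
        or return (undef, 'cannot decode RefreshResponseValue: ' . $resp_rfc->error);
    return ($out->{responseTtl}, undef);
}

# Constructed cases: a successful refresh, and the sizeLimitExceeded (4) result
# quoted in the thread, modelled here as carrying a result code but no value.
for my $case (
    { code => 0, error => 'Success',                                      response => $value },
    { code => 4, error => 'time-to-live for dynamicObject exceeds limit', response => undef  },
) {
    my ($ttl, $why) = ttl_from_response($case);
    print defined $ttl ? "ttl=$ttl\n" : "no ttl: $why\n";
}
```

Run it with plain perl; no LDAP server is needed. The order of checks in ttl_from_response is the point of the side note above: result code first, then presence of a value, then decoding, so a refused refresh never reaches Convert::ASN1 with nothing to parse.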