LDAP client behavior
Dev: https://dev.gitlab.org/gitlab/gitlab-ee/issues/256
A user reviewed how GitLab 7.5.2 behaves as an LDAP client, and according to them we have some things to improve.
Results: Failed
ACTION REQUIRED: Address comments below and retest
* Application should properly close all connections
conn=1292367
[19/Feb/2015:10:05:31 -0500] conn=1292367 op=-1 msgId=-1 - fd=281 slot=281 LDAP connection from yyy.yyy.yyy.yy:zzzzz to xxx.xxx.xxx.xx
[19/Feb/2015:10:05:31 -0500] conn=1292367 op=0 msgId=1 - BIND dn="cn=AppIN_052042_m,ou=applications,dc=xx,dc=com" method=128 version=3
[19/Feb/2015:10:05:31 -0500] conn=1292367 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.005000 dn="cn=appin_052042_m,ou=applications,dc=xx,dc=com"
[19/Feb/2015:10:05:31 -0500] conn=1292367 op=1 msgId=0 - RESULT err=80 tag=120 nentries=0 etime=0.000000
[19/Feb/2015:10:05:31 -0500] conn=1292367 op=-1 msgId=-1 - closing from yyy.yyy.yyy.yy:zzzzz - A1 - Client aborted connection -
[19/Feb/2015:10:05:31 -0500] conn=1292367 op=-1 msgId=-1 - closed.
* Searches begin at lowest level depending on search - searching for groups should start at the ou=groups,dc=xx,dc=com
o Update SRCH string to ou=groups,dc=xx,dc=com
* Application is requesting more attributes (ALL) than documented in the Onboarding Questionnaire
o Application must limit the search to only those attributes requested in the onboarding questionnaire or update the questionnaire accordingly
* Some searches attempted by the application appear to be on attributes that are not indexed - no un-indexed searches
conn=1299632
[19/Feb/2015:10:44:12 -0500] conn=1299632 op=-1 msgId=-1 - fd=234 slot=234 LDAP connection from 130.172.150.57:11591 to xxx.xxx.xxx.xx
[19/Feb/2015:10:44:12 -0500] conn=1299632 op=0 msgId=1 - BIND dn="cn=AppIN_052042_m,ou=applications,dc=xx,dc=com" method=128 version=3
[19/Feb/2015:10:44:12 -0500] conn=1299632 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.004000 dn="cn=appin_052042_m,ou=applications,dc=xx,dc=com"
[19/Feb/2015:10:44:12 -0500] conn=1299632 op=1 msgId=2 - SRCH base="" scope=0 filter="(objectClass=*)" attrs="altServer namingContexts supportedcapabilities supportedControl supportedExtension supportedfeatures supportedLDAPVersion supportedSASLMechanisms"
[19/Feb/2015:10:44:12 -0500] conn=1299632 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0.002000
[19/Feb/2015:10:44:12 -0500] conn=1299632 op=2 msgId=3 - SRCH base="ou=people,dc=xx,dc=com" scope=2 filter="(uid=qz79j3)" attrs=ALL
[19/Feb/2015:10:44:12 -0500] conn=1299632 op=2 msgId=3 - RESULT err=0 tag=101 nentries=1 etime=0.016000
[19/Feb/2015:10:44:12 -0500] conn=1299632 op=3 msgId=4 - BIND dn="uid=QZ79J3,ou=People,dc=xx,dc=com" method=128 version=3
[19/Feb/2015:10:44:12 -0500] conn=1299632 op=3 msgId=4 - RESULT err=0 tag=97 nentries=0 etime=0.007000 dn="uid=qz79j3,ou=people,dc=xx,dc=com"
[19/Feb/2015:10:44:12 -0500] conn=1299632 op=4 msgId=0 - RESULT err=80 tag=120 nentries=0 etime=0.000000
[19/Feb/2015:10:44:12 -0500] conn=1299632 op=-1 msgId=-1 - closing from 130.172.150.57:11591 - A1 - Client aborted connection -
[19/Feb/2015:10:44:12 -0500] conn=1299632 op=-1 msgId=-1 - closed.
conn=804230
[19/Feb/2015:10:34:30 -0500] conn=804230 op=-1 msgId=-1 - fd=227 slot=227 LDAP connection from aaa.aaa.aaa.aa:bbbb to ccc.cc.ccc.ccc
[19/Feb/2015:10:34:30 -0500] conn=804230 op=0 msgId=12 - BIND dn="cn=AppIN_052042_m,ou=applications,dc=xx,dc=com" method=128 version=3
[19/Feb/2015:10:34:30 -0500] conn=804230 op=0 msgId=12 - RESULT err=0 tag=97 nentries=0 etime=0.005000 dn="cn=appin_052042_m,ou=applications,dc=xx,dc=com"
[19/Feb/2015:10:34:30 -0500] conn=804230 op=1 msgId=14 - SRCH base="dc=xx,dc=com" scope=0 filter="(objectClass=*)" attrs="1. 1"
[19/Feb/2015:10:34:30 -0500] conn=804230 op=1 msgId=14 - RESULT err=0 tag=101 nentries=1 etime=0.000000
[19/Feb/2015:10:34:30 -0500] conn=804230 op=2 msgId=15 - SRCH base="dc=xx,dc=com" scope=1 filter="(objectClass=*)" attrs="objectClass subschemaSubentry"
[19/Feb/2015:10:34:30 -0500] conn=804230 op=3 msgId=16 - SRCH base="dc=xx,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[19/Feb/2015:10:34:30 -0500] conn=804230 op=3 msgId=16 - RESULT err=0 tag=101 nentries=1 etime=0.010000
[19/Feb/2015:10:34:30 -0500] conn=804230 op=2 msgId=15 - RESULT err=0 tag=101 nentries=16 etime=0.011000 notes=U
[19/Feb/2015:10:35:28 -0500] conn=804230 op=4 msgId=20 - SRCH base="dc=xx,dc=com" scope=0 filter="(objectClass=*)" attrs="1.1"
[19/Feb/2015:10:35:28 -0500] conn=804230 op=4 msgId=20 - RESULT err=0 tag=101 nentries=1 etime=0.000000
[19/Feb/2015:10:36:28 -0500] conn=804230 op=5 msgId=21 - SRCH base="ou=people,dc=xx,dc=com" scope=0 filter="(objectClass=*)"attrs="1.1"
[19/Feb/2015:10:36:28 -0500] conn=804230 op=5 msgId=21 - RESULT err=0 tag=101 nentries=1 etime=0.000000
[19/Feb/2015:10:36:28 -0500] conn=804230 op=6 msgId=22 - SRCH base="ou=people,dc=xx,dc=com" scope=2 filter="(memberOf=CN=*,OU=GitLab,OU=appgroups,OU=groups,DC=xx,DC=com)" attrs="uid objectClass subschemaSubentry"
[19/Feb/2015:10:36:37 -0500] conn=804230 op=6 msgId=22 - RESULT err=11 tag=101 nentries=1 etime=8.854000 notes=U
[19/Feb/2015:10:37:44 -0500] conn=804230 op=7 msgId=23 - SRCH base="ou=people,dc=xx,dc=com" scope=0 filter="(objectClass=*)" attrs="1.1"
[19/Feb/2015:10:37:44 -0500] conn=804230 op=7 msgId=23 - RESULT err=0 tag=101 nentries=1 etime=0.001000
[19/Feb/2015:10:37:44 -0500] conn=804230 op=8 msgId=24 - SRCH base="ou=people,dc=xx,dc=com" scope=2 filter="(&(uid=qz79j3)(memberOf=CN=*,OU=GitLab,OU=appgroups,OU=groups,DC=xx,DC=com))" attrs="uid objectClass subschemaSubentry"
[19/Feb/2015:10:37:44 -0500] conn=804230 op=8 msgId=24 - RESULT err=0 tag=101 nentries=1 etime=0.002000
[19/Feb/2015:10:39:05 -0500] conn=804230 op=9 msgId=25 - SRCH base="ou=people,dc=xx,dc=com" scope=0 filter="(objectClass=*)" attrs="1.1"
[19/Feb/2015:10:39:05 -0500] conn=804230 op=9 msgId=25 - RESULT err=0 tag=101 nentries=1 etime=0.000000
[19/Feb/2015:10:39:05 -0500] conn=804230 op=10 msgId=26 - SRCH base="ou=people,dc=xx,dc=com" scope=2 filter="(&(uid=hzmc47)( memberOf=CN=*,OU=GitLab,OU=appgroups,OU=groups,DC=xx,DC=com))" attrs="uid objectClass subschemaSubentry"
[19/Feb/2015:10:39:05 -0500] conn=804230 op=10 msgId=26 - RESULT err=0 tag=101 nentries=0 etime=0.001000
[19/Feb/2015:10:39:15 -0500] conn=804230 op=11 msgId=27 - SRCH base="ou=people,dc=xx,dc=com" scope=0 filter="(objectClass=*)" attrs="1.1"
[19/Feb/2015:10:39:15 -0500] conn=804230 op=11 msgId=27 - RESULT err=0 tag=101 nentries=1 etime=0.000000
[19/Feb/2015:10:39:15 -0500] conn=804230 op=12 msgId=28 - SRCH base="ou=people,dc=xx,dc=com" scope=2 filter="(&(uid=wzv431)( memberOf=CN=*,OU=GitLab,OU=appgroups,OU=groups,DC=xx,DC=com))" attrs="uid objectClass subschemaSubentry"
[19/Feb/2015:10:39:15 -0500] conn=804230 op=12 msgId=28 - RESULT err=0 tag=101 nentries=0 etime=0.000000
[19/Feb/2015:10:39:37 -0500] conn=804230 op=13 msgId=29 - SRCH base="ou=people,dc=xx,dc=com" scope=0 filter="(objectClass=*)" attrs="1.1"
[19/Feb/2015:10:39:37 -0500] conn=804230 op=13 msgId=29 - RESULT err=0 tag=101 nentries=1 etime=0.000000
[19/Feb/2015:10:39:37 -0500] conn=804230 op=14 msgId=30 - SRCH base="ou=people,dc=xx,dc=com" scope=2 filter="(&(uid=wz43v1)( memberOf=CN=*,OU=GitLab,OU=appgroups,OU=groups,DC=xx,DC=com))" attrs="uid objectClass subschemaSubentry"
[19/Feb/2015:10:39:37 -0500] conn=804230 op=14 msgId=30 - RESULT err=0 tag=101 nentries=1 etime=0.001000
[19/Feb/2015:10:39:48 -0500] conn=804230 op=15 msgId=31 - SRCH base="ou=people,dc=xx,dc=com" scope=0 filter="(objectClass=*)" attrs="1.1"
[19/Feb/2015:10:39:48 -0500] conn=804230 op=15 msgId=31 - RESULT err=0 tag=101 nentries=1 etime=0.000000
[19/Feb/2015:10:39:48 -0500] conn=804230 op=16 msgId=32 - SRCH base="ou=people,dc=xx,dc=com" scope=2 filter="(&(uid=hzmc47)( memberOf=CN=*,OU=GitLab,OU=appgroups,OU=groups,DC=xx,DC=com))" attrs="uid objectClass subschemaSubentry"
[19/Feb/2015:10:39:48 -0500] conn=804230 op=16 msgId=32 - RESULT err=0 tag=101 nentries=0 etime=0.000000
[19/Feb/2015:10:40:04 -0500] conn=804230 op=17 msgId=33 - SRCH base="ou=people,dc=xx,dc=com" scope=0 filter="(objectClass=*)" attrs="1.1"
[19/Feb/2015:10:40:04 -0500] conn=804230 op=17 msgId=33 - RESULT err=0 tag=101 nentries=1 etime=0.001000
[19/Feb/2015:10:40:04 -0500] conn=804230 op=18 msgId=34 - SRCH base="ou=people,dc=xx,dc=com" scope=2 filter="(&(uid=hzmc47)(memberOf=CN=*,OU=GitLab,OU=appgroups,OU=groups,DC=xx,DC=com))" attrs="uid objectClass subschemaSubentry"
[19/Feb/2015:10:40:04 -0500] conn=804230 op=18 msgId=34 - RESULT err=0 tag=101 nentries=0 etime=0.001000
[19/Feb/2015:10:40:20 -0500] conn=804230 op=19 msgId=35 - SRCH base="ou=people,dc=xx,dc=com" scope=0 filter="(objectClass=*)" attrs="1.1"
[19/Feb/2015:10:40:20 -0500] conn=804230 op=19 msgId=35 - RESULT err=0 tag=101 nentries=1 etime=0.000000
[19/Feb/2015:10:40:20 -0500] conn=804230 op=20 msgId=36 - SRCH base="ou=people,dc=xx,dc=com" scope=2 filter="(&(uid=hzmc47)(memberOf=CN=*,OU=GitLab,OU=appgroups,OU=groups,DC=xx,DC=com))" attrs="uid memberOf cn objectClass subschemaSubentry"
[19/Feb/2015:10:40:20 -0500] conn=804230 op=20 msgId=36 - RESULT err=0 tag=101 nentries=0 etime=0.000000
[19/Feb/2015:10:41:42 -0500] conn=804230 op=21 msgId=37 - SRCH base="ou=people,dc=xx,dc=com" scope=0 filter="(objectClass=*)" attrs="1.1"
[19/Feb/2015:10:41:42 -0500] conn=804230 op=21 msgId=37 - RESULT err=0 tag=101 nentries=1 etime=0.000000
[19/Feb/2015:10:41:42 -0500] conn=804230 op=22 msgId=38 - SRCH base="ou=people,dc=xx,dc=com" scope=2 filter="(&(uid=qz79j3)(memberOf=CN=*,OU=GitLab,OU=appgroups,OU=groups,DC=xx,DC=com))" attrs="uid memberOf cn objectClass subschemaSubentry"
[19/Feb/2015:10:41:42 -0500] conn=804230 op=22 msgId=38 - RESULT err=0 tag=101 nentries=1 etime=0.001000
[19/Feb/2015:11:20:44 -0500] conn=804230 op=23 msgId=39 - UNBIND
[19/Feb/2015:11:20:44 -0500] conn=804230 op=23 msgId=-1 - closing from aaa.aaa.aaa.aa:bbbb - U1 - Connection closed by unbind client -
[19/Feb/2015:11:20:44 -0500] conn=804230 op=-1 msgId=-1 - closed.
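As an added example (not code from the issue or from GitLab), the Ruby script below reads access-log lines in the format quoted above and flags the four behaviours the reviewer listed: connections closed without an UNBIND, searches using attrs=ALL or attributes outside an allowed list, searches not anchored at a documented base, and results marked notes=U (unindexed). ALLOWED_BASES and ALLOWED_ATTRS are assumed stand-ins for the deployment's user/group base settings and its onboarding questionnaire; the sample log is constructed.

```ruby
# Added example, not code from the issue: audit a 389-DS style LDAP access log
# (the format quoted above) for the four findings in the review. ALLOWED_BASES and
# ALLOWED_ATTRS are hypothetical stand-ins for the deployment's user/group bases
# and the attributes listed in its onboarding questionnaire.
ALLOWED_BASES = ["ou=people,dc=xx,dc=com", "ou=groups,dc=xx,dc=com"].freeze
ALLOWED_ATTRS = %w[uid cn mail memberOf].freeze
LINE_RE = /\A\[[^\]]+\] conn=(?<conn>\d+) op=-?\d+ msgId=-?\d+ - (?<rest>.*)\z/
SRCH_RE = /\ASRCH base="(?<base>[^"]*)" scope=(?<scope>\d) filter="(?<filter>.*?)"\s*attrs=(?:"(?<attrs>[^"]*)"|(?<all>ALL))/
# True when base equals, or sits beneath, one of the documented search bases.
def under_base?(base, allowed)
  b = base.downcase.gsub(/,\s*/, ",")
  allowed.any? { |a| b == a.downcase || b.end_with?("," + a.downcase) }
end

# Returns [conn, kind, detail] triples, one per suspicious log line.
def audit_access_log(text, allowed_bases: ALLOWED_BASES, allowed_attrs: ALLOWED_ATTRS)
  findings = []
  unbound = Hash.new(false)   # conn => an UNBIND was seen before the close
  ok_attrs = allowed_attrs.map(&:downcase)
  text.each_line(chomp: true) do |line|
    next unless (m = LINE_RE.match(line))
    conn, rest = m[:conn], m[:rest]
    if (s = SRCH_RE.match(rest))
      next if s[:base].empty? && s[:scope] == "0"   # RootDSE probe is normal
      # attrs=ALL, or attributes beyond the questionnaire ("1.1" means none)
      extra = s[:all] ? ["ALL"] : s[:attrs].split.reject { |a| a == "1.1" || ok_attrs.include?(a.downcase) }
      findings << [conn, :undocumented_attrs, extra.join(" ")] unless extra.empty?
      # search not anchored at a documented base, e.g. the suffix root
      findings << [conn, :broad_base, s[:base]] unless under_base?(s[:base], allowed_bases)
    elsif rest.start_with?("RESULT") && rest[/notes=(\S+)/, 1].to_s.include?("U")
      findings << [conn, :unindexed, rest[/err=\d+/]]   # notes=U marks an unindexed search
    elsif rest == "UNBIND"
      unbound[conn] = true
    elsif rest.start_with?("closing from") && !unbound[conn]
      findings << [conn, :closed_without_unbind, rest[/- (\w\d) -/, 1].to_s]   # A1 = client aborted
    end
  end
  findings
end
# Constructed sample modelled on the excerpts above (conn ids and address made up).
SAMPLE_LOG = <<~'LOG'
  [19/Feb/2015:10:44:12 -0500] conn=11 op=2 msgId=3 - SRCH base="ou=people,dc=xx,dc=com" scope=2 filter="(uid=qz79j3)" attrs=ALL
  [19/Feb/2015:10:44:12 -0500] conn=11 op=-1 msgId=-1 - closing from 10.0.0.5:11591 - A1 - Client aborted connection -
  [19/Feb/2015:10:34:30 -0500] conn=12 op=2 msgId=15 - SRCH base="dc=xx,dc=com" scope=1 filter="(objectClass=*)" attrs="objectClass subschemaSubentry"
  [19/Feb/2015:10:34:30 -0500] conn=12 op=2 msgId=15 - RESULT err=0 tag=101 nentries=16 etime=0.011000 notes=U
  [19/Feb/2015:10:36:28 -0500] conn=12 op=5 msgId=21 - SRCH base="ou=people,dc=xx,dc=com" scope=0 filter="(objectClass=*)"attrs="1.1"
  [19/Feb/2015:11:20:44 -0500] conn=12 op=23 msgId=39 - UNBIND
  [19/Feb/2015:11:20:44 -0500] conn=12 op=23 msgId=-1 - closing from 10.0.0.5:11592 - U1 - Connection closed by unbind client -
LOG
audit_access_log(SAMPLE_LOG).each { |conn, kind, detail| puts "conn=#{conn} #{kind}: #{detail}" }
```

Running it on a real access log is a matter of passing `File.read(path)` instead of SAMPLE_LOG; a connection that ends with U1 after an UNBIND (conn 12 above) is the behaviour the reviewer asked for.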
Jacob
- Application should properly close all connections
This might be because we use LDAP::Adapter.new instead of LDAP::Adapter.open in lib/api/ldap.rb.
- Searches begin at lowest level depending on search - searching for groups should start at the ou=groups,dc=gm,dc=com
This sounds like a misconfigured group_base setting to me.
- Application is requesting more attributes (ALL) than documented in the Onboarding Questionnaire
Net::LDAP allows you to limit the LDAP attributes you search for. Maybe we are not doing that everywhere (or nowhere). This may also require digging in omniauth-ldap because that does its own queries.
More info from customer
Thanks for this feedback!
>Application should properly close all connections
Could it be that the aborted connections only happen during group search autocomplete? If so then I have a hunch what is happening there.
>Searches begin at lowest level depending on search - searching for groups should start at the ou=groups,dc=gm,dc=com
That sounds like exactly what the group_base LDAP setting in GitLab is for. Was it set correctly during the tests?
>Application is requesting more attributes (ALL) than documented in the Onboarding Questionnaire
This sounds like something our developers should have a look at.
>Some searches attempted by application appears to be on attributes that are not indexed - no un-indexed searches
Which attributes would that be?
above, hunch == Adapter.new instead of Adapter.open
Douwe
Regarding the following:
- Application should properly close all connections
This appears to be a bug in Net::LDAP, which implements closing the connection as closing the TCPSocket to the server (source), forgetting to send the required Unbind request to allow the LDAP server to properly clean up.