Operations error after successful bind on macOS #165

Open
smorgrav opened this issue Jun 16, 2022 · 1 comment

Comments

@smorgrav

Describe the bug
After a successful bind, a search throws an Operations error: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection.

To Reproduce
Any search on my particular setup would do, e.g.:

        using LdapForNet;
        using LdapForNet.Native;

        // Plain LDAP (port 389) to the domain controller; username/password are placeholders.
        using var connection = new LdapConnection();
        connection.Connect("ldap://192.168.1.10");
        connection.Bind(Native.LdapAuthType.Simple.ToString(), username, password);
        // Throws the Operations error on macOS even though the bind above succeeded.
        var entries = connection.Search("dc=pen,dc=local", "(objectClass=domainDNS)");

Expected behavior
A result coming back - not an error complaining about the missing bind.

Desktop (please complete the following information):

  • OS: macOS Monterey, apple silicon
  • LdapForNet 2.7.15
  • .NET 6.0.301
  • OpenLDAP version 2.6.2
  • LDAP server Active Directory

Additional context
I'll give the TL;DR first:
Looking at the same query using the ldapsearch command-line utility, I notice that the ldap4net library, after receiving the search result (the searchResEntry packet), does a lot of DNS lookups and then an additional bind (to root?) before it receives a searchResDone with the error. The library sends out 6 messages, whereas the command line is done after the searchResEntry packet with messageId 2.

Windows works as expected, although I have not looked at the network layer to compare it to the macOS version.

Some details on what I see on the wire:

The command line I used to compare the network traffic:

ldapsearch -x -b "dc=pen,dc=local" -H ldap://192.168.1.10 -D username -w password "(objectClass=domainDNS)"  

The initial response for the search (the searchResEntry packet) is exactly the same between the two implementations (command line and LdapForNet).

╰─❯ cat ldap4net.txt 
Frame 895158: 1166 bytes on wire (9328 bits), 1166 bytes captured (9328 bits) on interface enp5s0, id 0
    Interface id: 0 (enp5s0)
        Interface name: enp5s0
    Encapsulation type: Ethernet (1)
    Arrival Time: Jun 16, 2022 12:01:19.155803257 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1655373679.155803257 seconds
    [Time delta from previous captured frame: 0.000774773 seconds]
    [Time delta from previous displayed frame: 0.000774773 seconds]
    [Time since reference or first frame: 3220.771943818 seconds]
    Frame Number: 895158
    Frame Length: 1166 bytes (9328 bits)
    Capture Length: 1166 bytes (9328 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:ldap:ldap]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: 84:a9:38:9e:37:0e (84:a9:38:9e:37:0e), Dst: TargusUS_19:a6:b6 (4c:56:df:19:a6:b6)
    Destination: TargusUS_19:a6:b6 (4c:56:df:19:a6:b6)
        Address: TargusUS_19:a6:b6 (4c:56:df:19:a6:b6)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 84:a9:38:9e:37:0e (84:a9:38:9e:37:0e)
        Address: 84:a9:38:9e:37:0e (84:a9:38:9e:37:0e)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.10, Dst: 192.168.1.16
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 1152
    Identification: 0xfd37 (64823)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0xb5d5 [validation disabled]
    [Header checksum status: Unverified]
    Source: 192.168.1.10
    Destination: 192.168.1.16
Transmission Control Protocol, Src Port: 389, Dst Port: 53161, Seq: 2931, Ack: 112, Len: 1100
    Source Port: 389
    Destination Port: 53161
    [Stream index: 247]
    [TCP Segment Len: 1100]
    Sequence number: 2931    (relative sequence number)
    Sequence number (raw): 3078028001
    [Next sequence number: 4031    (relative sequence number)]
    Acknowledgment number: 112    (relative ack number)
    Acknowledgment number (raw): 1677702444
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window size value: 63601
    [Calculated window size: 63601]
    [Window size scaling factor: 1]
    Checksum: 0x87dd [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - Timestamps: TSval 2089465660, TSecr 3364480861
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 2089465660
            Timestamp echo reply: 3364480861
    [SEQ/ACK analysis]
        [Bytes in flight: 4031]
        [Bytes sent since last PSH flag: 2548]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.015441521 seconds]
        [Time since previous frame in this TCP stream: 0.000774773 seconds]
    TCP payload (1100 bytes)
    [PDU Size: 3756]
    TCP segment data (848 bytes)
    [PDU Size: 82]
    [PDU Size: 82]
    [PDU Size: 66]
    [PDU Size: 22]
[4 Reassembled TCP Segments (3756 bytes): #895155(1448), #895156(12), #895157(1448), #895158(848)]
    [Frame: 895155, payload: 0-1447 (1448 bytes)]
    [Frame: 895156, payload: 1448-1459 (12 bytes)]
    [Frame: 895157, payload: 1460-2907 (1448 bytes)]
    [Frame: 895158, payload: 2908-3755 (848 bytes)]
    [Segment count: 4]
    [Reassembled TCP length: 3756]
    [Reassembled TCP Data: 308400000ea6020102648400000e9d040f44433d70656e2c…]
Lightweight Directory Access Protocol
    LDAPMessage searchResEntry(2) "DC=pen,DC=local" [1 result]
        messageID: 2
        protocolOp: searchResEntry (4)
            searchResEntry
                objectName: DC=pen,DC=local
                attributes: 50 items
                    PartialAttributeList item objectClass
                        type: objectClass
                        vals: 3 items
                            AttributeValue: top
                            AttributeValue: domain
                            AttributeValue: domainDNS
                    PartialAttributeList item distinguishedName
                        type: distinguishedName
                        vals: 1 item
                            AttributeValue: DC=pen,DC=local
                    PartialAttributeList item instanceType
                        type: instanceType
                        vals: 1 item
                            AttributeValue: 5
                    PartialAttributeList item whenCreated
                        type: whenCreated
                        vals: 1 item
                            AttributeValue: 20211221134930.0Z
                    PartialAttributeList item whenChanged
                        type: whenChanged
                        vals: 1 item
                            AttributeValue: 20220614203119.0Z
                    PartialAttributeList item subRefs
                        type: subRefs
                        vals: 3 items
                            AttributeValue: DC=ForestDnsZones,DC=pen,DC=local
                            AttributeValue: DC=DomainDnsZones,DC=pen,DC=local
                            AttributeValue: CN=Configuration,DC=pen,DC=local
                    PartialAttributeList item uSNCreated
                        type: uSNCreated
                        vals: 1 item
                            AttributeValue: 4099
                    PartialAttributeList item dSASignature
                        type: dSASignature
                        vals: 1 item
                            AttributeValue: 010000002800000000000000000000000000000000000000…
                    PartialAttributeList item uSNChanged
                        type: uSNChanged
                        vals: 1 item
                            AttributeValue: 344092
                    PartialAttributeList item name
                        type: name
                        vals: 1 item
                            AttributeValue: pen
                    PartialAttributeList item objectGUID
                        type: objectGUID
                        vals: 1 item
                            GUID: 6fe3d76f-b679-4049-ab7c-c0a491a0b2fc
                    PartialAttributeList item replUpToDateVector
                        type: replUpToDateVector
                        vals: 1 item
                            AttributeValue: 02000000000000000200000000000000fbd1bb8551777c48…
                    PartialAttributeList item creationTime
                        type: creationTime
                        vals: 1 item
                            AttributeValue: 132997122794096816
                    PartialAttributeList item forceLogoff
                        type: forceLogoff
                        vals: 1 item
                            AttributeValue: -9223372036854775808
                    PartialAttributeList item lockoutDuration
                        type: lockoutDuration
                        vals: 1 item
                            AttributeValue: -18000000000
                    PartialAttributeList item lockOutObservationWindow
                        type: lockOutObservationWindow
                        vals: 1 item
                            AttributeValue: -6000000000
                    PartialAttributeList item lockoutThreshold
                        type: lockoutThreshold
                        vals: 1 item
                            AttributeValue: 3
                    PartialAttributeList item maxPwdAge
                        type: maxPwdAge
                        vals: 1 item
                            AttributeValue: -36288000000000
                    PartialAttributeList item minPwdAge
                        type: minPwdAge
                        vals: 1 item
                            AttributeValue: -864000000000
                    PartialAttributeList item minPwdLength
                        type: minPwdLength
                        vals: 1 item
                            AttributeValue: 7
                    PartialAttributeList item modifiedCountAtLastProm
                        type: modifiedCountAtLastProm
                        vals: 1 item
                            AttributeValue: 0
                    PartialAttributeList item nextRid
                        type: nextRid
                        vals: 1 item
                            AttributeValue: 1001
                    PartialAttributeList item pwdProperties
                        type: pwdProperties
                        vals: 1 item
                            AttributeValue: 0
                    PartialAttributeList item pwdHistoryLength
                        type: pwdHistoryLength
                        vals: 1 item
                            AttributeValue: 24
                    PartialAttributeList item objectSid
                        type: objectSid
                        vals: 1 item
                            SID: S-1-5-21-2518377327-113898086-2664691109  (Domain SID)
                                Revision: 1
                                Num Auth: 4
                                Authority: 5
                                Subauthorities: 21-2518377327-113898086-2664691109
                    PartialAttributeList item serverState
                        type: serverState
                        vals: 1 item
                            AttributeValue: 1
                    PartialAttributeList item uASCompat
                        type: uASCompat
                        vals: 1 item
                            AttributeValue: 1
                    PartialAttributeList item modifiedCount
                        type: modifiedCount
                        vals: 1 item
                            AttributeValue: 1
                    PartialAttributeList item auditingPolicy
                        type: auditingPolicy
                        vals: 1 item
                            AttributeValue: 0001
                    PartialAttributeList item nTMixedDomain
                        type: nTMixedDomain
                        vals: 1 item
                            AttributeValue: 0
                    PartialAttributeList item rIDManagerReference
                        type: rIDManagerReference
                        vals: 1 item
                            AttributeValue: CN=RID Manager$,CN=System,DC=pen,DC=local
                    PartialAttributeList item fSMORoleOwner
                        type: fSMORoleOwner
                        vals: 1 item
                            AttributeValue: CN=NTDS Settings,CN=WIN-6I2H8LQVPLH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pen,DC=local
                    PartialAttributeList item systemFlags
                        type: systemFlags
                        vals: 1 item
                            AttributeValue: -1946157056
                    PartialAttributeList item wellKnownObjects
                        type: wellKnownObjects
                        vals: 11 items
                            AttributeValue: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=pen,DC=local
                            AttributeValue: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=pen,DC=local
                            AttributeValue: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=pen,DC=local
                            AttributeValue: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=pen,DC=local
                            AttributeValue: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=pen,DC=local
                            AttributeValue: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=pen,DC=local
                            AttributeValue: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=pen,DC=local
                            AttributeValue: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=pen,DC=local
                            AttributeValue: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=pen,DC=local
                            AttributeValue: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=pen,DC=local
                            AttributeValue: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=pen,DC=local
                    PartialAttributeList item objectCategory
                        type: objectCategory
                        vals: 1 item
                            AttributeValue: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=pen,DC=local
                    PartialAttributeList item isCriticalSystemObject
                        type: isCriticalSystemObject
                        vals: 1 item
                            AttributeValue: TRUE
                    PartialAttributeList item gPLink
                        type: gPLink
                        vals: 1 item
                            AttributeValue: [LDAP://cn={D0E3622C-640E-4933-A6FA-06FFD116A1C3},cn=policies,cn=system,DC=pen,DC=local;0][LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=pen,DC=local;0]
                    PartialAttributeList item dSCorePropagationData
                        type: dSCorePropagationData
                        vals: 1 item
                            AttributeValue: 16010101000000.0Z
                    PartialAttributeList item otherWellKnownObjects
                        type: otherWellKnownObjects
                        vals: 2 items
                            AttributeValue: B:32:683A24E2E8164BD3AF86AC3C2CF3F981:CN=Keys,DC=pen,DC=local
                            AttributeValue: B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts,DC=pen,DC=local
                    PartialAttributeList item masteredBy
                        type: masteredBy
                        vals: 1 item
                            AttributeValue: CN=NTDS Settings,CN=WIN-6I2H8LQVPLH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pen,DC=local
                    PartialAttributeList item ms-DS-MachineAccountQuota
                        type: ms-DS-MachineAccountQuota
                        vals: 1 item
                            AttributeValue: 10
                    PartialAttributeList item msDS-Behavior-Version
                        type: msDS-Behavior-Version
                        vals: 1 item
                            AttributeValue: 7
                    PartialAttributeList item msDS-PerUserTrustQuota
                        type: msDS-PerUserTrustQuota
                        vals: 1 item
                            AttributeValue: 1
                    PartialAttributeList item msDS-AllUsersTrustQuota
                        type: msDS-AllUsersTrustQuota
                        vals: 1 item
                            AttributeValue: 1000
                    PartialAttributeList item msDS-PerUserTrustTombstonesQuota
                        type: msDS-PerUserTrustTombstonesQuota
                        vals: 1 item
                            AttributeValue: 10
                    PartialAttributeList item msDs-masteredBy
                        type: msDs-masteredBy
                        vals: 1 item
                            AttributeValue: CN=NTDS Settings,CN=WIN-6I2H8LQVPLH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pen,DC=local
                    PartialAttributeList item msDS-IsDomainFor
                        type: msDS-IsDomainFor
                        vals: 1 item
                            AttributeValue: CN=NTDS Settings,CN=WIN-6I2H8LQVPLH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pen,DC=local
                    PartialAttributeList item msDS-NcType
                        type: msDS-NcType
                        vals: 1 item
                            AttributeValue: 0
                    PartialAttributeList item msDS-ExpirePasswordsOnSmartCardOnlyAccounts
                        type: msDS-ExpirePasswordsOnSmartCardOnlyAccounts
                        vals: 1 item
                            AttributeValue: TRUE
                    PartialAttributeList item dc
                        type: dc
                        vals: 1 item
                            AttributeValue: pen
Lightweight Directory Access Protocol
    LDAPMessage searchResRef(2)
        messageID: 2
        protocolOp: searchResRef (19)
            searchResRef: 1 item
                LDAPURL: ldap://ForestDnsZones.pen.local/DC=ForestDnsZones,DC=pen,DC=local
Lightweight Directory Access Protocol
    LDAPMessage searchResRef(2)
        messageID: 2
        protocolOp: searchResRef (19)
            searchResRef: 1 item
                LDAPURL: ldap://DomainDnsZones.pen.local/DC=DomainDnsZones,DC=pen,DC=local
Lightweight Directory Access Protocol
    LDAPMessage searchResRef(2)
        messageID: 2
        protocolOp: searchResRef (19)
            searchResRef: 1 item
                LDAPURL: ldap://pen.local/CN=Configuration,DC=pen,DC=local
Lightweight Directory Access Protocol
    LDAPMessage searchResDone(2) success [1 result]
        messageID: 2
        protocolOp: searchResDone (5)
            searchResDone
                resultCode: success (0)
                matchedDN: 
                errorMessage: 
╰─❯ diff ldap4net.txt cmdline.txt 
1c1
< Frame 895158: 1166 bytes on wire (9328 bits), 1166 bytes captured (9328 bits) on interface enp5s0, id 0
---
> Frame 824952: 1166 bytes on wire (9328 bits), 1166 bytes captured (9328 bits) on interface enp5s0, id 0
5c5
<     Arrival Time: Jun 16, 2022 12:01:19.155803257 CEST
---
>     Arrival Time: Jun 16, 2022 11:54:57.235781205 CEST
7,11c7,11
<     Epoch Time: 1655373679.155803257 seconds
<     [Time delta from previous captured frame: 0.000774773 seconds]
<     [Time delta from previous displayed frame: 0.000774773 seconds]
<     [Time since reference or first frame: 3220.771943818 seconds]
<     Frame Number: 895158
---
>     Epoch Time: 1655373297.235781205 seconds
>     [Time delta from previous captured frame: 0.000816280 seconds]
>     [Time delta from previous displayed frame: 0.000816280 seconds]
>     [Time since reference or first frame: 2838.851921766 seconds]
>     Frame Number: 824952
36c36
<     Identification: 0xfd37 (64823)
---
>     Identification: 0x3acc (15052)
44c44
<     Header checksum: 0xb5d5 [validation disabled]
---
>     Header checksum: 0x7841 [validation disabled]
48c48
< Transmission Control Protocol, Src Port: 389, Dst Port: 53161, Seq: 2931, Ack: 112, Len: 1100
---
> Transmission Control Protocol, Src Port: 389, Dst Port: 53070, Seq: 2931, Ack: 112, Len: 1100
50,51c50,51
<     Destination Port: 53161
<     [Stream index: 247]
---
>     Destination Port: 53070
>     [Stream index: 236]
54c54
<     Sequence number (raw): 3078028001
---
>     Sequence number (raw): 3106919046
57c57
<     Acknowledgment number (raw): 1677702444
---
>     Acknowledgment number (raw): 3215319792
82c82
<         TCP Option - Timestamps: TSval 2089465660, TSecr 3364480861
---
>         TCP Option - Timestamps: TSval 2089083740, TSecr 3394213865
85,86c85,86
<             Timestamp value: 2089465660
<             Timestamp echo reply: 3364480861
---
>             Timestamp value: 2089083740
>             Timestamp echo reply: 3394213865
91,92c91,92
<         [Time since first frame in this TCP stream: 0.015441521 seconds]
<         [Time since previous frame in this TCP stream: 0.000774773 seconds]
---
>         [Time since first frame in this TCP stream: 0.008464338 seconds]
>         [Time since previous frame in this TCP stream: 0.000816280 seconds]
100,104c100,104
< [4 Reassembled TCP Segments (3756 bytes): #895155(1448), #895156(12), #895157(1448), #895158(848)]
<     [Frame: 895155, payload: 0-1447 (1448 bytes)]
<     [Frame: 895156, payload: 1448-1459 (12 bytes)]
<     [Frame: 895157, payload: 1460-2907 (1448 bytes)]
<     [Frame: 895158, payload: 2908-3755 (848 bytes)]
---
> [4 Reassembled TCP Segments (3756 bytes): #824949(1448), #824950(12), #824951(1448), #824952(848)]
>     [Frame: 824949, payload: 0-1447 (1448 bytes)]
>     [Frame: 824950, payload: 1448-1459 (12 bytes)]
>     [Frame: 824951, payload: 1460-2907 (1448 bytes)]
>     [Frame: 824952, payload: 2908-3755 (848 bytes)]
360d359
< 

The sequence for ldap4net is:
bindResponse(1)
searchResEntry(2)
bindResponse(6)
searchResDone(5)

Note that I don't see messageID 3 or 4 and 5 is coming after we have received 6.
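As an added example that is not part of the issue or of LdapForNet, the following Python script performs the same message-sequence comparison on constructed byte streams: it walks raw LDAP PDUs (including the long-form BER lengths seen in the capture), records messageID and protocolOp per message, pulls the referral URLs out of searchResRef, and flags a bind arriving after search results as well as a searchResDone whose messageID or resultCode does not belong to the search. The two streams, the referral URLs and the 000004DC text are constructed from what the report lists, not captured traffic; the small BER encoder at the bottom exists only to build them.

```python
"""Added example (not LdapForNet/ldap4net code): a minimal LDAP BER walker that
performs the message-sequence comparison from the issue on constructed byte
streams. Nothing below is captured traffic; the referral URLs and the error
text are copied from the report."""
from typing import Dict, Iterator, Tuple

# protocolOp tags (RFC 4511): APPLICATION 0x40 | constructed 0x20 | number
OP_NAMES = {0x60: "bindRequest", 0x61: "bindResponse", 0x63: "searchRequest",
            0x64: "searchResEntry", 0x65: "searchResDone", 0x73: "searchResRef"}

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """One BER TLV at pos -> (tag, value, next pos); accepts long-form lengths
    such as the 84 00 00 0e a6 that AD used in the capture."""
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first & 0x80:
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported BER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated PDU")
    return tag, buf[pos:pos + length], pos + length

def iter_messages(stream: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (messageID, protocolOp tag, protocolOp value) for each LDAPMessage."""
    pos = 0
    while pos < len(stream):
        tag, body, pos = read_tlv(stream, pos)
        if tag != 0x30:
            raise ValueError("LDAPMessage must be a SEQUENCE")
        id_tag, id_val, inner = read_tlv(body, 0)
        if id_tag != 0x02:
            raise ValueError("messageID must be an INTEGER")
        op_tag, op_val, _ = read_tlv(body, inner)  # trailing controls are ignored
        yield int.from_bytes(id_val, "big", signed=True), op_tag, op_val

def decode_result(payload: bytes) -> Tuple[int, str]:
    """LDAPResult prefix of bindResponse/searchResDone -> (resultCode, diagnosticMessage)."""
    tag, code, pos = read_tlv(payload, 0)         # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("resultCode must be ENUMERATED")
    _, _matched_dn, pos = read_tlv(payload, pos)  # matchedDN LDAPDN
    _, diag, _ = read_tlv(payload, pos)           # diagnosticMessage LDAPString
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def analyse(stream: bytes) -> Dict[str, list]:
    """Op sequence, referral URLs, and the reporter's two symptoms as findings."""
    sequence, referrals, findings, search_id = [], [], [], None
    for msg_id, op_tag, payload in iter_messages(stream):
        name = OP_NAMES.get(op_tag, f"unknown(0x{op_tag:02x})")
        sequence.append(f"{name}({msg_id})")
        if op_tag in (0x64, 0x73) and search_id is None:
            search_id = msg_id
        if op_tag == 0x73:  # searchResRef ::= SEQUENCE OF LDAPURL
            pos = 0
            while pos < len(payload):
                _, url, pos = read_tlv(payload, pos)
                referrals.append(url.decode())
        if op_tag in (0x60, 0x61) and search_id is not None:
            findings.append(f"{name}({msg_id}) after search {search_id} returned results")
        if op_tag == 0x65:
            code, diag = decode_result(payload)
            if msg_id != search_id:
                findings.append(f"searchResDone({msg_id}) does not match search {search_id}")
            if code != 0:
                findings.append(f"searchResDone resultCode {code}: {diag}")
    return {"sequence": sequence, "referrals": referrals, "findings": findings}

# ---- constructed input (BER encoder used only to build the sample streams) ----
def tlv(tag: int, value: bytes, long_form: bool = False) -> bytes:
    if long_form:  # 4-byte length form, as in the capture
        return bytes([tag, 0x84]) + len(value).to_bytes(4, "big") + value
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def ldap_message(msg_id: int, op: bytes, long_form: bool = False) -> bytes:
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op, long_form)

def result(op_tag: int, code: int, diag: bytes = b"") -> bytes:
    return tlv(op_tag, tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag))

REFERRALS = [b"ldap://ForestDnsZones.pen.local/DC=ForestDnsZones,DC=pen,DC=local",
             b"ldap://DomainDnsZones.pen.local/DC=DomainDnsZones,DC=pen,DC=local",
             b"ldap://pen.local/CN=Configuration,DC=pen,DC=local"]
ENTRY = tlv(0x64, tlv(0x04, b"DC=pen,DC=local") + tlv(0x30, tlv(0x30, tlv(0x04, b"objectClass")
            + tlv(0x31, b"".join(tlv(0x04, v) for v in (b"top", b"domain", b"domainDNS"))))))
ERR_4DC = (b"000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this "
           b"operation a successful bind must be completed on the connection.")
# ldapsearch as reported: bind, entry, three referrals, success for messageID 2.
CMDLINE_STREAM = (ldap_message(1, result(0x61, 0)) + ldap_message(2, ENTRY, long_form=True)
                  + b"".join(ldap_message(2, tlv(0x73, tlv(0x04, u))) for u in REFERRALS)
                  + ldap_message(2, result(0x65, 0)))
# ldap4net as the reporter lists it: an extra bind (ID 6), then a searchResDone
# for ID 5 carrying operationsError (1) with the text quoted in the issue.
LDAP4NET_STREAM = (ldap_message(1, result(0x61, 0)) + ldap_message(2, ENTRY, long_form=True)
                   + ldap_message(2, tlv(0x73, tlv(0x04, REFERRALS[2])))
                   + ldap_message(6, result(0x61, 0)) + ldap_message(5, result(0x65, 1, ERR_4DC)))

if __name__ == "__main__":
    for label, stream in (("cmdline", CMDLINE_STREAM), ("ldap4net", LDAP4NET_STREAM)):
        print(label, analyse(stream))
```

To run this against real traffic, feed `analyse` the reassembled server-to-client TCP payload (for example Wireshark's "Follow TCP Stream" raw export) instead of the constructed streams; LDAPS or SASL-signed sessions would have to be decrypted first, and a real stream also carries the client's bindRequest/searchRequest PDUs, which the walker already names.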

@smorgrav (Author)

[Screenshot 2022-06-16 at 12 30 12]
