LDAP and "Ambiguous search result"

Peter Lambrechtsen peter at crypt.nz
Wed Nov 9 09:23:18 CET 2016


Hi Folks

I have an interesting question in regards to how best to handle the
"Ambiguous search result" use case.

If I have a search that returns two entries I get the error:

(1) ldap: ERROR: Ambiguous search result, returned 2 unsorted entries
(should return 1 or 0).  Enable sorting, or specify a more restrictive
base_dn, filter or scope
(1) ldap: ERROR: The following entries were returned:

Which is obvious, but the module returns fail.

In previous versions the return code was invalid.

I am trying to pick up on whether the LDAP database was down or whether
there was just bad data in there, since both return a fail.

Is the best / only way to handle the issue to check for fail plus the
Ambiguous search result?

if (fail && &Module-Failure-Message && &Module-Failure-Message =~
/Ambiguous search result/ ) {..

I need the &Module-Failure-Message existence check on its own; otherwise the
Module-Failure-Message gets overwritten, since there isn't any failure message
when the DB is down and I get the error:

(4)       elsif (fail && &Module-Failure-Message =~ /Ambiguous search
result/ ) {
(4)       ERROR: Failed retrieving values required to evaluate condition
(4)       else {

And after that the Module-Failure-Message is now the "Failed retrieving..."

The first time after I shut down the directory I get a Module-Failure-Message:

rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://127.0.0.1:389
rlm_ldap (ldap): Bind with cn=FreeRadius,o=Identities to ldap://
127.0.0.1:389 failed: Can't contact LDAP server
rlm_ldap (ldap): Opening connection failed (5)

And the module fail message is:

"ldap: Failed performing search: Server is unavailable"

But the second time, once all the threads have been closed, I get no failure
message:

rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://127.0.0.1:389
rlm_ldap (ldap): Bind with cn=FreeRadius,o=Identities to ldap://
127.0.0.1:389 failed: Can't contact LDAP server
rlm_ldap (ldap): Opening connection failed (5)

But there isn't anything in the Module fail message to indicate what the
root cause is.

Thoughts and suggestions on whether the Ambiguous result should be an invalid or a fail?

Cheers

Peter
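The two failure modes described in the post (directory unreachable versus more than one entry matching) can be told apart in the policy itself. The following authorize fragment is an added example, not code from Peter's post or from the FreeRADIUS project. It assumes FreeRADIUS 3.x unlang syntax, an rlm_ldap instance named "ldap", and that overriding the priority of the fail return code with "fail = 1" lets the section continue so the failure message can be inspected; the existence test on &Module-Failure-Message runs first so that an absent attribute (the DB-down case) is never fed to the regex, which is what produces the "Failed retrieving values required to evaluate condition" error and clobbers the original message.

```unlang
# Added example policy (not from the post or the FreeRADIUS project).
# Assumptions: FreeRADIUS 3.x unlang, an rlm_ldap instance named "ldap",
# and the "fail = 1" return-code override keeping the section alive after a fail.
authorize {
    # Raise the priority of "fail" so the section does not abort; the
    # conditions below then see the module's return code.
    ldap {
        fail = 1
    }

    if (fail) {
        # Existence check first: with the directory down there is no
        # Module-Failure-Message at all, and running the regex on a missing
        # attribute logs "Failed retrieving values required to evaluate
        # condition" and replaces the message we want to keep.
        if (&Module-Failure-Message && (&Module-Failure-Message =~ /Ambiguous search result/)) {
            # Two or more entries matched the user: a directory data problem,
            # not an outage. Mapped here to "invalid", matching the older
            # behaviour mentioned in the post; change to "fail" or "reject"
            # if the local policy wants a different outcome.
            update control {
                &Tmp-String-0 := "ldap: ambiguous user entry"
            }
            invalid
        }
        else {
            # No message, or "Server is unavailable": treat as an outage so a
            # redundant block or the NAS can fail over rather than rejecting.
            update control {
                &Tmp-String-0 := "ldap: directory unavailable"
            }
            fail
        }
    }
}
```

The &Tmp-String-0 control attribute is only a marker (an assumed choice, not anything the post uses) so that later sections or logging can see which branch was taken without depending on Module-Failure-Message surviving to that point.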
