Describe the bug
After a successful bind, a search throws the Operations error. 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection.
To Reproduce
Any search on my particular setup would do. E.g
using LdapForNet;
using LdapForNet.Native;

// Connect to the domain controller, simple-bind, then search the domain root.
using var connection = new LdapConnection();
connection.Connect("ldap://192.168.1.10");
connection.Bind(Native.LdapAuthType.Simple.ToString(), username, password);
connection.Search("dc=pen,dc=local", "(objectClass=domainDNS)");
Expected behavior
A result coming back - not an error complaining about the missing bind.
Desktop (please complete the following information):
- OS: macOS Monterey, apple silicon
- LdapForNet 2.7.15
- .NET 6.0.301
- Openldap version 2.6.2
- LDAP server Active Directory
Additional context
I'll take the tl;dr first:
Looking at the same query using the ldapsearch command-line utility, I notice that the ldap4net library, after receiving the search result (the searchResEntry packet), does a lot of DNS lookups and then an additional bind (to root?) before it receives a searchResDone with the error. The library sends out 6 messages, whereas the command line is done after the searchResEntry packet with messageId 2.
Windows works as expected, although I have not looked at the network layer to compare it to the macOS version.
Some details on what I see on the wire:
The command line I used to compare the network traffic:
ldapsearch -x -b "dc=pen,dc=local" -H ldap://192.168.1.10 -D username -w password "(objectClass=domainDNS)"
The initial response for the search (the searchResEntry packet) is exactly the same between the two implementations (command line and LdapForNet).
╰─❯ cat ldap4net.txt
Frame 895158: 1166 bytes on wire (9328 bits), 1166 bytes captured (9328 bits) on interface enp5s0, id 0
Interface id: 0 (enp5s0)
Interface name: enp5s0
Encapsulation type: Ethernet (1)
Arrival Time: Jun 16, 2022 12:01:19.155803257 CEST
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1655373679.155803257 seconds
[Time delta from previous captured frame: 0.000774773 seconds]
[Time delta from previous displayed frame: 0.000774773 seconds]
[Time since reference or first frame: 3220.771943818 seconds]
Frame Number: 895158
Frame Length: 1166 bytes (9328 bits)
Capture Length: 1166 bytes (9328 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:ldap:ldap]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: 84:a9:38:9e:37:0e (84:a9:38:9e:37:0e), Dst: TargusUS_19:a6:b6 (4c:56:df:19:a6:b6)
Destination: TargusUS_19:a6:b6 (4c:56:df:19:a6:b6)
Address: TargusUS_19:a6:b6 (4c:56:df:19:a6:b6)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 84:a9:38:9e:37:0e (84:a9:38:9e:37:0e)
Address: 84:a9:38:9e:37:0e (84:a9:38:9e:37:0e)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.10, Dst: 192.168.1.16
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 1152
Identification: 0xfd37 (64823)
Flags: 0x4000, Don't fragment
0... .... .... .... = Reserved bit: Not set
.1.. .... .... .... = Don't fragment: Set
..0. .... .... .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0xb5d5 [validation disabled]
[Header checksum status: Unverified]
Source: 192.168.1.10
Destination: 192.168.1.16
Transmission Control Protocol, Src Port: 389, Dst Port: 53161, Seq: 2931, Ack: 112, Len: 1100
Source Port: 389
Destination Port: 53161
[Stream index: 247]
[TCP Segment Len: 1100]
Sequence number: 2931 (relative sequence number)
Sequence number (raw): 3078028001
[Next sequence number: 4031 (relative sequence number)]
Acknowledgment number: 112 (relative ack number)
Acknowledgment number (raw): 1677702444
1000 .... = Header Length: 32 bytes (8)
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······AP···]
Window size value: 63601
[Calculated window size: 63601]
[Window size scaling factor: 1]
Checksum: 0x87dd [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - Timestamps: TSval 2089465660, TSecr 3364480861
Kind: Time Stamp Option (8)
Length: 10
Timestamp value: 2089465660
Timestamp echo reply: 3364480861
[SEQ/ACK analysis]
[Bytes in flight: 4031]
[Bytes sent since last PSH flag: 2548]
[Timestamps]
[Time since first frame in this TCP stream: 0.015441521 seconds]
[Time since previous frame in this TCP stream: 0.000774773 seconds]
TCP payload (1100 bytes)
[PDU Size: 3756]
TCP segment data (848 bytes)
[PDU Size: 82]
[PDU Size: 82]
[PDU Size: 66]
[PDU Size: 22]
[4 Reassembled TCP Segments (3756 bytes): #895155(1448), #895156(12), #895157(1448), #895158(848)]
[Frame: 895155, payload: 0-1447 (1448 bytes)]
[Frame: 895156, payload: 1448-1459 (12 bytes)]
[Frame: 895157, payload: 1460-2907 (1448 bytes)]
[Frame: 895158, payload: 2908-3755 (848 bytes)]
[Segment count: 4]
[Reassembled TCP length: 3756]
[Reassembled TCP Data: 308400000ea6020102648400000e9d040f44433d70656e2c…]
Lightweight Directory Access Protocol
LDAPMessage searchResEntry(2) "DC=pen,DC=local" [1 result]
messageID: 2
protocolOp: searchResEntry (4)
searchResEntry
objectName: DC=pen,DC=local
attributes: 50 items
PartialAttributeList item objectClass
type: objectClass
vals: 3 items
AttributeValue: top
AttributeValue: domain
AttributeValue: domainDNS
PartialAttributeList item distinguishedName
type: distinguishedName
vals: 1 item
AttributeValue: DC=pen,DC=local
PartialAttributeList item instanceType
type: instanceType
vals: 1 item
AttributeValue: 5
PartialAttributeList item whenCreated
type: whenCreated
vals: 1 item
AttributeValue: 20211221134930.0Z
PartialAttributeList item whenChanged
type: whenChanged
vals: 1 item
AttributeValue: 20220614203119.0Z
PartialAttributeList item subRefs
type: subRefs
vals: 3 items
AttributeValue: DC=ForestDnsZones,DC=pen,DC=local
AttributeValue: DC=DomainDnsZones,DC=pen,DC=local
AttributeValue: CN=Configuration,DC=pen,DC=local
PartialAttributeList item uSNCreated
type: uSNCreated
vals: 1 item
AttributeValue: 4099
PartialAttributeList item dSASignature
type: dSASignature
vals: 1 item
AttributeValue: 010000002800000000000000000000000000000000000000…
PartialAttributeList item uSNChanged
type: uSNChanged
vals: 1 item
AttributeValue: 344092
PartialAttributeList item name
type: name
vals: 1 item
AttributeValue: pen
PartialAttributeList item objectGUID
type: objectGUID
vals: 1 item
GUID: 6fe3d76f-b679-4049-ab7c-c0a491a0b2fc
PartialAttributeList item replUpToDateVector
type: replUpToDateVector
vals: 1 item
AttributeValue: 02000000000000000200000000000000fbd1bb8551777c48…
PartialAttributeList item creationTime
type: creationTime
vals: 1 item
AttributeValue: 132997122794096816
PartialAttributeList item forceLogoff
type: forceLogoff
vals: 1 item
AttributeValue: -9223372036854775808
PartialAttributeList item lockoutDuration
type: lockoutDuration
vals: 1 item
AttributeValue: -18000000000
PartialAttributeList item lockOutObservationWindow
type: lockOutObservationWindow
vals: 1 item
AttributeValue: -6000000000
PartialAttributeList item lockoutThreshold
type: lockoutThreshold
vals: 1 item
AttributeValue: 3
PartialAttributeList item maxPwdAge
type: maxPwdAge
vals: 1 item
AttributeValue: -36288000000000
PartialAttributeList item minPwdAge
type: minPwdAge
vals: 1 item
AttributeValue: -864000000000
PartialAttributeList item minPwdLength
type: minPwdLength
vals: 1 item
AttributeValue: 7
PartialAttributeList item modifiedCountAtLastProm
type: modifiedCountAtLastProm
vals: 1 item
AttributeValue: 0
PartialAttributeList item nextRid
type: nextRid
vals: 1 item
AttributeValue: 1001
PartialAttributeList item pwdProperties
type: pwdProperties
vals: 1 item
AttributeValue: 0
PartialAttributeList item pwdHistoryLength
type: pwdHistoryLength
vals: 1 item
AttributeValue: 24
PartialAttributeList item objectSid
type: objectSid
vals: 1 item
SID: S-1-5-21-2518377327-113898086-2664691109 (Domain SID)
Revision: 1
Num Auth: 4
Authority: 5
Subauthorities: 21-2518377327-113898086-2664691109
PartialAttributeList item serverState
type: serverState
vals: 1 item
AttributeValue: 1
PartialAttributeList item uASCompat
type: uASCompat
vals: 1 item
AttributeValue: 1
PartialAttributeList item modifiedCount
type: modifiedCount
vals: 1 item
AttributeValue: 1
PartialAttributeList item auditingPolicy
type: auditingPolicy
vals: 1 item
AttributeValue: 0001
PartialAttributeList item nTMixedDomain
type: nTMixedDomain
vals: 1 item
AttributeValue: 0
PartialAttributeList item rIDManagerReference
type: rIDManagerReference
vals: 1 item
AttributeValue: CN=RID Manager$,CN=System,DC=pen,DC=local
PartialAttributeList item fSMORoleOwner
type: fSMORoleOwner
vals: 1 item
AttributeValue: CN=NTDS Settings,CN=WIN-6I2H8LQVPLH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pen,DC=local
PartialAttributeList item systemFlags
type: systemFlags
vals: 1 item
AttributeValue: -1946157056
PartialAttributeList item wellKnownObjects
type: wellKnownObjects
vals: 11 items
AttributeValue: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=pen,DC=local
AttributeValue: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=pen,DC=local
AttributeValue: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=pen,DC=local
AttributeValue: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=pen,DC=local
AttributeValue: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=pen,DC=local
AttributeValue: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=pen,DC=local
AttributeValue: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=pen,DC=local
AttributeValue: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=pen,DC=local
AttributeValue: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=pen,DC=local
AttributeValue: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=pen,DC=local
AttributeValue: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=pen,DC=local
PartialAttributeList item objectCategory
type: objectCategory
vals: 1 item
AttributeValue: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=pen,DC=local
PartialAttributeList item isCriticalSystemObject
type: isCriticalSystemObject
vals: 1 item
AttributeValue: TRUE
PartialAttributeList item gPLink
type: gPLink
vals: 1 item
AttributeValue: [LDAP://cn={D0E3622C-640E-4933-A6FA-06FFD116A1C3},cn=policies,cn=system,DC=pen,DC=local;0][LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=pen,DC=local;0]
PartialAttributeList item dSCorePropagationData
type: dSCorePropagationData
vals: 1 item
AttributeValue: 16010101000000.0Z
PartialAttributeList item otherWellKnownObjects
type: otherWellKnownObjects
vals: 2 items
AttributeValue: B:32:683A24E2E8164BD3AF86AC3C2CF3F981:CN=Keys,DC=pen,DC=local
AttributeValue: B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts,DC=pen,DC=local
PartialAttributeList item masteredBy
type: masteredBy
vals: 1 item
AttributeValue: CN=NTDS Settings,CN=WIN-6I2H8LQVPLH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pen,DC=local
PartialAttributeList item ms-DS-MachineAccountQuota
type: ms-DS-MachineAccountQuota
vals: 1 item
AttributeValue: 10
PartialAttributeList item msDS-Behavior-Version
type: msDS-Behavior-Version
vals: 1 item
AttributeValue: 7
PartialAttributeList item msDS-PerUserTrustQuota
type: msDS-PerUserTrustQuota
vals: 1 item
AttributeValue: 1
PartialAttributeList item msDS-AllUsersTrustQuota
type: msDS-AllUsersTrustQuota
vals: 1 item
AttributeValue: 1000
PartialAttributeList item msDS-PerUserTrustTombstonesQuota
type: msDS-PerUserTrustTombstonesQuota
vals: 1 item
AttributeValue: 10
PartialAttributeList item msDs-masteredBy
type: msDs-masteredBy
vals: 1 item
AttributeValue: CN=NTDS Settings,CN=WIN-6I2H8LQVPLH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pen,DC=local
PartialAttributeList item msDS-IsDomainFor
type: msDS-IsDomainFor
vals: 1 item
AttributeValue: CN=NTDS Settings,CN=WIN-6I2H8LQVPLH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pen,DC=local
PartialAttributeList item msDS-NcType
type: msDS-NcType
vals: 1 item
AttributeValue: 0
PartialAttributeList item msDS-ExpirePasswordsOnSmartCardOnlyAccounts
type: msDS-ExpirePasswordsOnSmartCardOnlyAccounts
vals: 1 item
AttributeValue: TRUE
PartialAttributeList item dc
type: dc
vals: 1 item
AttributeValue: pen
Lightweight Directory Access Protocol
LDAPMessage searchResRef(2)
messageID: 2
protocolOp: searchResRef (19)
searchResRef: 1 item
LDAPURL: ldap://ForestDnsZones.pen.local/DC=ForestDnsZones,DC=pen,DC=local
Lightweight Directory Access Protocol
LDAPMessage searchResRef(2)
messageID: 2
protocolOp: searchResRef (19)
searchResRef: 1 item
LDAPURL: ldap://DomainDnsZones.pen.local/DC=DomainDnsZones,DC=pen,DC=local
Lightweight Directory Access Protocol
LDAPMessage searchResRef(2)
messageID: 2
protocolOp: searchResRef (19)
searchResRef: 1 item
LDAPURL: ldap://pen.local/CN=Configuration,DC=pen,DC=local
Lightweight Directory Access Protocol
LDAPMessage searchResDone(2) success [1 result]
messageID: 2
protocolOp: searchResDone (5)
searchResDone
resultCode: success (0)
matchedDN:
errorMessage:
╰─❯ diff ldap4net.txt cmdline.txt
1c1
< Frame 895158: 1166 bytes on wire (9328 bits), 1166 bytes captured (9328 bits) on interface enp5s0, id 0
---
> Frame 824952: 1166 bytes on wire (9328 bits), 1166 bytes captured (9328 bits) on interface enp5s0, id 0
5c5
< Arrival Time: Jun 16, 2022 12:01:19.155803257 CEST
---
> Arrival Time: Jun 16, 2022 11:54:57.235781205 CEST
7,11c7,11
< Epoch Time: 1655373679.155803257 seconds
< [Time delta from previous captured frame: 0.000774773 seconds]
< [Time delta from previous displayed frame: 0.000774773 seconds]
< [Time since reference or first frame: 3220.771943818 seconds]
< Frame Number: 895158
---
> Epoch Time: 1655373297.235781205 seconds
> [Time delta from previous captured frame: 0.000816280 seconds]
> [Time delta from previous displayed frame: 0.000816280 seconds]
> [Time since reference or first frame: 2838.851921766 seconds]
> Frame Number: 824952
36c36
< Identification: 0xfd37 (64823)
---
> Identification: 0x3acc (15052)
44c44
< Header checksum: 0xb5d5 [validation disabled]
---
> Header checksum: 0x7841 [validation disabled]
48c48
< Transmission Control Protocol, Src Port: 389, Dst Port: 53161, Seq: 2931, Ack: 112, Len: 1100
---
> Transmission Control Protocol, Src Port: 389, Dst Port: 53070, Seq: 2931, Ack: 112, Len: 1100
50,51c50,51
< Destination Port: 53161
< [Stream index: 247]
---
> Destination Port: 53070
> [Stream index: 236]
54c54
< Sequence number (raw): 3078028001
---
> Sequence number (raw): 3106919046
57c57
< Acknowledgment number (raw): 1677702444
---
> Acknowledgment number (raw): 3215319792
82c82
< TCP Option - Timestamps: TSval 2089465660, TSecr 3364480861
---
> TCP Option - Timestamps: TSval 2089083740, TSecr 3394213865
85,86c85,86
< Timestamp value: 2089465660
< Timestamp echo reply: 3364480861
---
> Timestamp value: 2089083740
> Timestamp echo reply: 3394213865
91,92c91,92
< [Time since first frame in this TCP stream: 0.015441521 seconds]
< [Time since previous frame in this TCP stream: 0.000774773 seconds]
---
> [Time since first frame in this TCP stream: 0.008464338 seconds]
> [Time since previous frame in this TCP stream: 0.000816280 seconds]
100,104c100,104
< [4 Reassembled TCP Segments (3756 bytes): #895155(1448), #895156(12), #895157(1448), #895158(848)]
< [Frame: 895155, payload: 0-1447 (1448 bytes)]
< [Frame: 895156, payload: 1448-1459 (12 bytes)]
< [Frame: 895157, payload: 1460-2907 (1448 bytes)]
< [Frame: 895158, payload: 2908-3755 (848 bytes)]
---
> [4 Reassembled TCP Segments (3756 bytes): #824949(1448), #824950(12), #824951(1448), #824952(848)]
> [Frame: 824949, payload: 0-1447 (1448 bytes)]
> [Frame: 824950, payload: 1448-1459 (12 bytes)]
> [Frame: 824951, payload: 1460-2907 (1448 bytes)]
> [Frame: 824952, payload: 2908-3755 (848 bytes)]
360d359
<
The sequence for ldap4net is:
bindResponse(1)
searchResEntry(2)
bindResponse(6)
searchResDone(5)
Note that I don't see messageID 3 or 4, and 5 arrives after we have received 6.
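As an added example (not the reporter's code and not part of LdapForNet): a small Python decoder for the LDAPMessage framing visible in the capture above, where the reassembled prefix `30 84 00 00 0e a6 02 01 02 64 84 …` is a SEQUENCE with AD's four-byte long-form length, messageID 2 and an [APPLICATION 4] searchResEntry. On top of the decoder sit the two checks that help triage a report like this from a pcap rather than from the library's exception text: the searchResRef URLs that a referral-chasing client would open new connections to (and would have to bind on again), and any bindResponse that arrives while a search is still open. The byte stream is constructed to mirror the ldapsearch capture (same DN and the same three referral URLs, with the entry's attribute list trimmed), and the ldap4net sequence is the one listed in the report, typed in as tuples.

```python
"""Decode LDAPMessage envelopes from a captured TCP payload and inspect the
response sequence for referrals and re-binds. Added example, not LdapForNet
code; the sample bytes are constructed to mirror the issue's capture."""

# protocolOp tags: [APPLICATION n], constructed -> 0x60 | n
PROTOCOL_OPS = {
    0x60: "bindRequest", 0x61: "bindResponse", 0x63: "searchRequest",
    0x64: "searchResEntry", 0x65: "searchResDone", 0x73: "searchResRef",
}


def read_tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: next (first & 0x7F) bytes hold the length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def encode_tlv(tag, payload, ad_style=False):
    """BER TLV. ad_style forces the four-byte long-form length (84 00 00 0e a6) that AD emits."""
    n = len(payload)
    if ad_style:
        length = b"\x84" + n.to_bytes(4, "big")
    elif n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + payload


def decode_messages(stream):
    """Return [(messageID, protocolOp name, referral URLs)] for each LDAPMessage in stream."""
    out, pos = [], 0
    while pos < len(stream):
        tag, body, pos = read_tlv(stream, pos)
        if tag != 0x30:
            raise ValueError(f"expected LDAPMessage SEQUENCE, got tag {tag:#x}")
        itag, mid, p = read_tlv(body, 0)
        if itag != 0x02:
            raise ValueError("messageID must be an INTEGER")
        optag, opbody, _ = read_tlv(body, p)
        urls = []
        if optag == 0x73:                  # SearchResultReference: SEQUENCE OF LDAPURL (OCTET STRING)
            q = 0
            while q < len(opbody):
                _, url, q = read_tlv(opbody, q)
                urls.append(url.decode("utf-8"))
        out.append((int.from_bytes(mid, "big", signed=True),
                    PROTOCOL_OPS.get(optag, f"op[{optag & 0x1F}]"), urls))
    return out


def referral_targets(msgs):
    """URLs a referral-chasing client would open a new connection to (and must bind on again)."""
    return [u for _, name, urls in msgs if name == "searchResRef" for u in urls]


def binds_during_open_search(msgs):
    """Message IDs of bindResponses seen after a search produced results but before its searchResDone."""
    open_searches, flagged = set(), []
    for mid, name, _ in msgs:
        if name in ("searchResEntry", "searchResRef"):
            open_searches.add(mid)
        elif name == "searchResDone":
            open_searches.discard(mid)
        elif name == "bindResponse" and open_searches:
            flagged.append(mid)
    return flagged


def build_sample_stream():
    """Constructed server->client bytes for the ldapsearch run: bind OK, entry, three refs, done."""
    def ldap_message(mid, optag, opbody):
        inner = encode_tlv(0x02, bytes([mid])) + encode_tlv(optag, opbody, ad_style=True)
        return encode_tlv(0x30, inner, ad_style=True)
    ok = encode_tlv(0x0A, b"\x00") + encode_tlv(0x04, b"") + encode_tlv(0x04, b"")  # LDAPResult: success
    entry = encode_tlv(0x04, b"DC=pen,DC=local") + encode_tlv(0x30, b"")            # attributes trimmed
    refs = ["ldap://ForestDnsZones.pen.local/DC=ForestDnsZones,DC=pen,DC=local",
            "ldap://DomainDnsZones.pen.local/DC=DomainDnsZones,DC=pen,DC=local",
            "ldap://pen.local/CN=Configuration,DC=pen,DC=local"]
    stream = ldap_message(1, 0x61, ok) + ldap_message(2, 0x64, entry)
    for url in refs:
        stream += ldap_message(2, 0x73, encode_tlv(0x04, url.encode()))
    return stream + ldap_message(2, 0x65, ok)


# The response order the reporter observed from ldap4net, as decoded tuples (taken from the issue text).
LDAP4NET_SEQUENCE = [(1, "bindResponse", []), (2, "searchResEntry", []),
                     (6, "bindResponse", []), (5, "searchResDone", [])]

if __name__ == "__main__":
    msgs = decode_messages(build_sample_stream())
    for mid, name, urls in msgs:
        print(mid, name, *urls)
    print("referrals a chasing client would follow:", len(referral_targets(msgs)))
    print("binds during an open search (ldap4net):", binds_during_open_search(LDAP4NET_SEQUENCE))
```

Run against the constructed ldapsearch stream, the decoder yields the same shape as the capture: one searchResEntry, three searchResRef messages and a searchResDone, all on messageID 2, and no bind inside the search. Run against the ldap4net order from the report, `binds_during_open_search` flags bindResponse 6, because search 2 never receives its searchResDone before a fresh bind appears. That is the pattern to look for when a client library follows the three referrals: ldapsearch does not chase referrals unless `-C` is given, so its trace ends at messageID 2, whereas libldap's referral chasing opens a new connection per LDAPURL and, unless the application installs a rebind callback, binds that connection anonymously, which Active Directory rejects for searches.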