Full_Name: Florian Huiskens
Version: 2.3.30
OS: Ubuntu 7.04
URL:
Submission from: (NULL) (85.216.39.101)

I am trying to set up an environment where a client communicates with an LDAP proxy. The proxy forwards the client's query (using the ldap backend) to an LDAP slave. The authentication mechanism I use (proxy - slave) is SASL (GSSAPI). The proxy has a Kerberos ticket available.

Proxy authentication works in general (using PROXYAUTHZ), but fails on referrals (though rebind-as-user is set). This means that if information is written and the proxy receives a referral to the master, the bind information gets lost.

Thanks for any help,
regards
Florian

Config files:

Master:

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        0
# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb
moduleload      syncprov
# The maximum number of entries that is returned for a search operation
sizelimit       500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads    1
backend         bdb
checkpoint      512 30
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb
suffix          "dc=idm,dc=local"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn          "dc=idm,dc=local"
directory       "/var/lib/ldap"
dbconfig        set_cachesize 0 2097152 0
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
index           objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod         on
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=idm,dc=local" write
        by dn="uid=ldap/extubuntu.idm.local,ou=slaves,dc=idm,dc=local" read
        by anonymous auth
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=idm,dc=local" write
        by * read
# syncrepl config
overlay syncprov
syncprov-checkpoint 100 1
syncprov-sessionlog 100
# SASL setup
#sasl-host ubuntu-desktop
sasl-authz-policy To
sasl-secprops minssf=56
sasl-realm idm.local
sasl-regexp uid=(.*),cn=idm.local,cn=gssapi,cn=auth ldap:///dc=idm,dc=local??sub?(|(uid=$1)(cn=$1))

Slave:

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        0
modulepath      /usr/lib/ldap
moduleload      back_bdb
sizelimit       500
tool-threads    1
backend         bdb
checkpoint      512 30
database        bdb
suffix          "dc=idm,dc=local"
#rootdn         "dc=idm,dc=local"
rootdn          "dc=nowhere,dc=nouniverse"
directory       "/var/lib/ldap"
dbconfig        set_cachesize 0 2097152 0
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
index           objectClass eq
lastmod         on
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=idm,dc=local" write
        by anonymous auth
        by self write
        by * none
#       by dn="cn=repl-admin,dc=idm,dc=local" write
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=idm,dc=local" write
        by self write
        by * read
#       by dn="cn=repl-admin,dc=idm,dc=local" write
#       by * read
syncrepl rid=1
        provider=ldap://ubuntu-desktop:389
        searchbase="dc=idm,dc=local"
        type=refreshAndPersist
        retry="60 10 300 +"
        bindmethod=sasl
        saslmethod=GSSAPI
updateref ldap://ubuntu-desktop:389
# SASL setup
sasl-authz-policy To
sasl-secprops minssf=56
sasl-realm idm.local
sasl-regexp uid=(.*),cn=idm.local,cn=gssapi,cn=auth ldap:///dc=idm,dc=local??sub?(|(uid=$1)(cn=$1))

Proxy (running on the same host as the Slave):

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        1
modulepath      /usr/lib/ldap
moduleload      back_ldap
database        ldap
uri             ldap://extubuntu.idm.local:390/
suffix          "dc=idm,dc=local"
chase-referrals yes
rebind-as-user  yes
# SASL setup
sasl-secprops minssf=56
sasl-realm idm.local
sasl-regexp uid=(.*),cn=idm.local,cn=gssapi,cn=auth ldap:///dc=idm,dc=local??sub?(|(uid=$1)(cn=$1))
idassert-bind   bindmethod=sasl
                mode=self
                authcid=ldap/extubuntu.idm.local    # should come from ticket but does not.

Snippets of an ldapsearch

debugging information from the proxy:

conn=10 fd=9 ACCEPT from IP=127.0.0.1:3380 (IP=0.0.0.0:389)
conn=10 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=10 op=0 SRCH attr=supportedSASLMechanisms
conn=10 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=10 op=1 BIND dn="" method=163
conn=10 op=2 BIND dn="" method=163
conn=10 op=2 RESULT tag=97 err=14 text=
conn=10 op=3 BIND dn="" method=163
conn=10 op=1 RESULT tag=97 err=14 text=
request done: ld 0x81dd960 msgid 3
SASL [conn=10] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
conn=10 op=3 BIND authcid="admin@idm.local" authzid="admin@idm.local"
conn=10 op=3 BIND dn="cn=admin,dc=idm,dc=local" mech=GSSAPI ssf=56
conn=10 op=3 RESULT tag=97 err=0 text=
conn=10 op=4 SRCH base="dc=idm,dc=local" scope=2 deref=0 filter="(cn=fhuisk)"
request done: ld 0x8197038 msgid 1
request done: ld 0x8197038 msgid 2
request done: ld 0x8197038 msgid 3
request done: ld 0x8197038 msgid 4
request done: ld 0x8197038 msgid 5
conn=10 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=10 op=5 UNBIND
conn=10 fd=9 closed

debugging information from the slave:

conn=0 op=2 SRCH base="dc=idm,dc=local" scope=2 deref=0 filter="(|(uid=admin)(cn=admin))"
conn=0 op=2 SRCH attr=1.1
<= bdb_equality_candidates: (uid) index_param failed (18)
<= bdb_equality_candidates: (cn) index_param failed (18)
conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 fd=16 ACCEPT from IP=127.0.1.1:2814 (IP=0.0.0.0:390)
conn=2 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=2 op=0 SRCH attr=supportedSASLMechanisms
conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 op=1 BIND dn="" method=163
conn=2 op=2 BIND dn="" method=163
conn=2 op=2 RESULT tag=97 err=14 text=
conn=2 op=3 BIND dn="" method=163
<= bdb_equality_candidates: (uid) index_param failed (18)
<= bdb_equality_candidates: (cn) index_param failed (18)
SASL [conn=2] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
conn=2 op=3 BIND authcid="ldap/extubuntu.idm.local@idm.local" authzid="ldap/extubuntu.idm.local@idm.local"
conn=2 op=3 BIND dn="uid=ldap/extubuntu.idm.local,ou=slaves,dc=idm,dc=local" mech=GSSAPI ssf=56
conn=2 op=3 RESULT tag=97 err=0 text=
conn=2 op=4 PROXYAUTHZ dn="cn=admin,dc=idm,dc=local"
conn=2 op=4 SRCH base="dc=idm,dc=local" scope=2 deref=0 filter="(cn=fhuisk)"
<= bdb_equality_candidates: (cn) index_param failed (18)
conn=2 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 op=1 RESULT tag=97 err=14 text=
conn=2 op=5 UNBIND
conn=2 fd=16 closed

ldapsearch call and result:

root@extUbuntu:/etc/ldap# ldapsearch cn=fhuisk
SASL/GSSAPI authentication started
SASL username: admin@IDM.LOCAL
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: cn=fhuisk
# requesting: ALL
#

# fhuisk, users, idm.local
dn: cn=fhuisk,ou=users,dc=idm,dc=local
uid: fhuisk
givenName:: RmxvcmlhbiA=
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Huiskens
cn: fhuisk
userPassword:: dGVzdA==

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1
root@extUbuntu:/etc/ldap#

fyi: ldapwhoami

root@extUbuntu:/etc/ldap# ldapwhoami
SASL/GSSAPI authentication started
SASL username: admin@IDM.LOCAL
SASL SSF: 56
SASL installing layers
dn:cn=admin,dc=idm,dc=local
Result: Success (0)
root@extUbuntu:/etc/ldap#

Snippets of an ldapmodify

debugging information from the proxy:

conn=0 fd=9 ACCEPT from IP=127.0.0.1:3145 (IP=0.0.0.0:389)
conn=0 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=0 op=0 SRCH attr=supportedSASLMechanisms
conn=0 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=0 op=1 BIND dn="" method=163
conn=0 op=2 BIND dn="" method=163
conn=0 op=2 RESULT tag=97 err=14 text=
conn=0 op=3 BIND dn="" method=163
request done: ld 0x81a39f8 msgid 1
conn=0 op=1 RESULT tag=97 err=14 text=
request done: ld 0x81a39f8 msgid 2
SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
conn=0 op=3 BIND authcid="admin@idm.local" authzid="admin@idm.local"
conn=0 op=3 BIND dn="cn=admin,dc=idm,dc=local" mech=GSSAPI ssf=56
conn=0 op=3 RESULT tag=97 err=0 text=
conn=0 op=4 MOD dn="cn=fhuisk,ou=users,dc=idm,dc=local"
conn=0 op=4 MOD attr=cn
request done: ld 0x8192200 msgid 1
request done: ld 0x8192200 msgid 2
request done: ld 0x8192200 msgid 3
request done: ld 0x8192200 msgid 4
request done: ld 0x8192200 msgid 7
request done: ld 0x8192200 msgid 5
conn=0 op=4 RESULT tag=103 err=47 text=anonymous proxyAuthz not allowed
conn=0 op=5 UNBIND
conn=0 fd=9 closed

debugging information from the slave:

conn=0 fd=13 ACCEPT from IP=127.0.1.1:2862 (IP=0.0.0.0:390)
conn=0 op=0 BIND dn="" method=128
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="dc=idm,dc=local" scope=2 deref=0 filter="(|(uid=admin)(cn=admin))"
conn=0 op=1 SRCH attr=1.1
<= bdb_equality_candidates: (uid) index_param failed (18)
<= bdb_equality_candidates: (cn) index_param failed (18)
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 fd=15 ACCEPT from IP=127.0.1.1:2863 (IP=0.0.0.0:390)
conn=1 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=1 op=0 SRCH attr=supportedSASLMechanisms
conn=1 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=1 BIND dn="" method=163
conn=1 op=2 BIND dn="" method=163
conn=1 op=3 BIND dn="" method=163
<= bdb_equality_candidates: (uid) index_param failed (18)
<= bdb_equality_candidates: (cn) index_param failed (18)
SASL [conn=1] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
conn=1 op=3 BIND authcid="ldap/extubuntu.idm.local@idm.local" authzid="ldap/extubuntu.idm.local@idm.local"
conn=1 op=3 BIND dn="uid=ldap/extubuntu.idm.local,ou=slaves,dc=idm,dc=local" mech=GSSAPI ssf=56
conn=1 op=2 RESULT tag=97 err=14 text=
conn=1 op=4 PROXYAUTHZ dn="cn=admin,dc=idm,dc=local"
conn=1 op=4 MOD dn="cn=fhuisk,ou=users,dc=idm,dc=local"
conn=1 op=4 MOD attr=cn
conn=1 op=4 RESULT tag=103 err=10 text=
conn=1 op=3 RESULT tag=97 err=0 text=
conn=1 op=1 RESULT tag=97 err=14 text=
conn=1 op=5 UNBIND
conn=1 fd=15 closed

debugging information from the master:

conn=1 fd=14 ACCEPT from IP=172.16.82.240:1290 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="" method=128
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 RESULT tag=103 err=47 text=anonymous proxyAuthz not allowed
do_modify: get_ctrls failed
conn=1 op=2 UNBIND
conn=1 fd=14 closed

ldapmodify call and result:

root@extUbuntu:/etc/ldap# ldapmodify
SASL/GSSAPI authentication started
SASL username: admin@IDM.LOCAL
SASL SSF: 56
SASL installing layers
dn: cn=fhuisk,ou=users,dc=idm,dc=local
changetype: modify
add: cn
cn: newCN
-
modifying entry "cn=fhuisk,ou=users,dc=idm,dc=local"
ldapmodify: Proxy Authorization Failure (47)
        additional info: anonymous proxyAuthz not allowed
root@extUbuntu:/etc/ldap#
Same as ITS#3526; use "chase-referrals no" and slapo-chain(5) to alleviate. p.
changed notes changed state Open to Suspended
> Same as ITS#3526; use "chase-referrals no" and slapo-chain(5) to alleviate.

To further elaborate on this: the "right" solution to "wisely" chasing referrals is to disable it within libldap, and rather use a slapo-chain(5) approach. Slapo-chain(5), which is nothing but slapd-ldap(5) called to chase the referral, should be configured to also disable automatic further chasing by libldap, since it allows one to define special configuration directives for well-known URIs, so that identity assertion can be used for further referral chasing. I think it needs to be improved to explicitly disable referral chasing, and to repeatedly chase them as soon as any further one gets returned, keeping track of those that were already chased to detect loops. This would allow safe authenticated referral chasing with identity assertion, while distributed procedures (draft-distproc) get implemented. This is why I'm moving your ITS to software development rather than bug tracking: I consider referral chasing a "feature" to be performed anonymously.

p.
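As an added illustration (not part of this ITS, and not an example from the OpenLDAP project), here is the reporter's proxy slapd.conf reworked the way the comment above suggests: libldap referral chasing is switched off on the slapd-ldap database, and a global slapo-chain(5) instance follows the slave's updateref to the master with its own identity assertion, so the chased modify is no longer sent on an anonymous bind. Directive names follow slapd-ldap(5) and slapo-chain(5); the global placement before any `database` line, the `chain-` prefixed `chase-referrals`, and `saslmech=GSSAPI` are assumptions to be checked against the slapo-chain(5) shipped with the installed release.

```conf
# Proxy slapd.conf, reworked from the ITS report (illustration, not from the ITS).
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        1
modulepath      /usr/lib/ldap
moduleload      back_ldap

# SASL setup, unchanged from the report.
sasl-secprops   minssf=56
sasl-realm      idm.local
sasl-regexp     uid=(.*),cn=idm.local,cn=gssapi,cn=auth
                ldap:///dc=idm,dc=local??sub?(|(uid=$1)(cn=$1))

# Global chain overlay: declared before any "database" line so that it sees
# the referrals returned by every backend (placement assumed per slapo-chain(5)).
overlay         chain
# The chaining instance is itself a slapd-ldap(5) database; keep its libldap
# from following any further referral on its own (assumed "chain-" prefix form).
chain-chase-referrals   no
# Report a failed chase as an error instead of handing the client a referral
# it would then chase anonymously.
chain-return-error      TRUE
# The master, exactly as the slave's "updateref" returns it.
chain-uri       "ldap://ubuntu-desktop:389"
chain-rebind-as-user    FALSE
# Identity assertion on the chased connection: the proxy binds with its own
# Kerberos ticket and asserts the client's identity (mode=self), mirroring
# the idassert-bind on the slapd-ldap database below.
chain-idassert-bind     bindmethod=sasl
                        saslmech=GSSAPI
                        mode=self
                        authcid=ldap/extubuntu.idm.local

database        ldap
uri             ldap://extubuntu.idm.local:390/
suffix          "dc=idm,dc=local"
# The report had "chase-referrals yes": libldap then re-sent the modify to
# the master with an anonymous bind, which is the err=47 seen in the log.
chase-referrals no
idassert-bind   bindmethod=sasl
                saslmech=GSSAPI
                mode=self
                authcid=ldap/extubuntu.idm.local
```

If the master accepts the assertion the way the slave already does (both carry `sasl-authz-policy To`), its log for the chased modify should show the proxy's own principal binding with mech=GSSAPI followed by a `PROXYAUTHZ dn="cn=admin,dc=idm,dc=local"` line, rather than the `method=128` anonymous bind and `err=47` in the report.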
changed notes moved from Incoming to Software Enhancements
similar to ITS#3526