[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
(ITS#5110) back-ldap, proxy authentication fails when chasing referrals
Full_Name: Florian Huiskens
Version: 2.3.30
OS: Ubuntu 7.04
URL:
Submission from: (NULL) (85.216.39.101)
I try to set up an environment, where a client communicates with an LDAP-Proxy.
The Proxy forwards the client's query (using the ldap-backend) to an
LDAP-Slave.
The authentication mechanism I use (proxy - slave) is SASL (GSSAPI).
The proxy has a kerberos ticket available.
Proxy Authentication works in general (using PROXAUTHZ), but fails on referrals
(though rebind-as-user is set).
This means that if information is written and the proxy receives a referral to
the master, the bind-informations gets lost.
Thanks for any help, regards
Florian
Config-files:
Master:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 0
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload syncprov
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
backend bdb
checkpoint 512 30
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database bdb
suffix "dc=idm,dc=local"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "dc=idm,dc=local"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=idm,dc=local" write
by dn="uid=ldap/extubuntu.idm.local,ou=slaves,dc=idm,dc=local" read
by anonymous auth
by * none
access to dn.base="" by * read
access to *
by dn="cn=admin,dc=idm,dc=local" write
by * read
# syncrepl config
overlay syncprov
syncprov-checkpoint 100 1
syncprov-sessionlog 100
# SASL setup
#sasl-host ubuntu-desktop
sasl-authz-policy To
sasl-secprops minssf=56
sasl-realm idm.local
sasl-regexp uid=(.*),cn=idm.local,cn=gssapi,cn=auth
ldap:///dc=idm,dc=local??sub?(|(uid=$1)(cn=$1))
Slave:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 0
modulepath /usr/lib/ldap
moduleload back_bdb
sizelimit 500
tool-threads 1
backend bdb
checkpoint 512 30
database bdb
suffix "dc=idm,dc=local"
#rootdn "dc=idm,dc=local"
rootdn "dc=nowhere,dc=nouniverse"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=idm,dc=local" write
by anonymous auth
by self write
by * none
# by dn="cn=repl-admin,dc=idm,dc=local" write
access to dn.base="" by * read
access to *
by dn="cn=admin,dc=idm,dc=local" write
by self write
by * read
# by dn="cn=repl-admin,dc=idm,dc=local" write
# by * read
syncrepl rid=1
provider=ldap://ubuntu-desktop:389
searchbase="dc=idm,dc=local"
type=refreshAndPersist
retry="60 10 300 +"
bindmethod=sasl
saslmethod=GSSAPI
updateref ldap://ubuntu-desktop:389
# SASL setup
sasl-authz-policy To
sasl-secprops minssf=56
sasl-realm idm.local
sasl-regexp uid=(.*),cn=idm.local,cn=gssapi,cn=auth
ldap:///dc=idm,dc=local??sub?(|(uid=$1)(cn=$1))
Proxy (running on the same host as the Slave):
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 1
modulepath /usr/lib/ldap
moduleload back_ldap
database ldap
uri ldap://extubuntu.idm.local:390/
suffix "dc=idm,dc=local"
chase-referrals yes
rebind-as-user yes
# SASL setup
sasl-secprops minssf=56
sasl-realm idm.local
sasl-regexp uid=(.*),cn=idm.local,cn=gssapi,cn=auth
ldap:///dc=idm,dc=local??sub?(|(uid=$1)(cn=$1))
idassert-bind bindmethod=sasl
mode=self
authcid=ldap/extubuntu.idm.local # should come from ticket but
does not.
Snippets of an ldapsearch:
debugging information from the proxy
conn=10 fd=9 ACCEPT from IP=127.0.0.1:3380 (IP=0.0.0.0:389)
conn=10 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=10 op=0 SRCH attr=supportedSASLMechanisms
conn=10 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=10 op=1 BIND dn="" method=163
conn=10 op=2 BIND dn="" method=163
conn=10 op=2 RESULT tag=97 err=14 text=
conn=10 op=3 BIND dn="" method=163
conn=10 op=1 RESULT tag=97 err=14 text=
request done: ld 0x81dd960 msgid 3
SASL [conn=10] Error: unable to open Berkeley db /etc/sasldb2: No such file or
directory
conn=10 op=3 BIND authcid="admin@idm.local" authzid="admin@idm.local"
conn=10 op=3 BIND dn="cn=admin,dc=idm,dc=local" mech=GSSAPI ssf=56
conn=10 op=3 RESULT tag=97 err=0 text=
conn=10 op=4 SRCH base="dc=idm,dc=local" scope=2 deref=0 filter="(cn=fhuisk)"
request done: ld 0x8197038 msgid 1
request done: ld 0x8197038 msgid 2
request done: ld 0x8197038 msgid 3
request done: ld 0x8197038 msgid 4
request done: ld 0x8197038 msgid 5
conn=10 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=10 op=5 UNBIND
conn=10 fd=9 closed
debugging information from the slave
conn=0 op=2 SRCH base="dc=idm,dc=local" scope=2 deref=0
filter="(|(uid=admin)(cn=admin))"
conn=0 op=2 SRCH attr=1.1
<= bdb_equality_candidates: (uid) index_param failed (18)
<= bdb_equality_candidates: (cn) index_param failed (18)
conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 fd=16 ACCEPT from IP=127.0.1.1:2814 (IP=0.0.0.0:390)
conn=2 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=2 op=0 SRCH attr=supportedSASLMechanisms
conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 op=1 BIND dn="" method=163
conn=2 op=2 BIND dn="" method=163
conn=2 op=2 RESULT tag=97 err=14 text=
conn=2 op=3 BIND dn="" method=163
<= bdb_equality_candidates: (uid) index_param failed (18)
<= bdb_equality_candidates: (cn) index_param failed (18)
SASL [conn=2] Error: unable to open Berkeley db /etc/sasldb2: No such file or
directory
conn=2 op=3 BIND authcid="ldap/extubuntu.idm.local@idm.local"
authzid="ldap/extubuntu.idm.local@idm.local"
conn=2 op=3 BIND dn="uid=ldap/extubuntu.idm.local,ou=slaves,dc=idm,dc=local"
mech=GSSAPI ssf=56
conn=2 op=3 RESULT tag=97 err=0 text=
conn=2 op=4 PROXYAUTHZ dn="cn=admin,dc=idm,dc=local"
conn=2 op=4 SRCH base="dc=idm,dc=local" scope=2 deref=0 filter="(cn=fhuisk)"
<= bdb_equality_candidates: (cn) index_param failed (18)
conn=2 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 op=1 RESULT tag=97 err=14 text=
conn=2 op=5 UNBIND
conn=2 fd=16 closed
ldapsearch call and result
root@extUbuntu:/etc/ldap# ldapsearch cn=fhuisk
SASL/GSSAPI authentication started
SASL username: admin@IDM.LOCAL
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: cn=fhuisk
# requesting: ALL
#
# fhuisk, users, idm.local
dn: cn=fhuisk,ou=users,dc=idm,dc=local
uid: fhuisk
givenName:: RmxvcmlhbiA=
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Huiskens
cn: fhuisk
userPassword:: dGVzdA==
# search result
search: 5
result: 0 Success
# numResponses: 2
# numEntries: 1
root@extUbuntu:/etc/ldap#
fyi: ldapwhoami
root@extUbuntu:/etc/ldap# ldapwhoami
SASL/GSSAPI authentication started
SASL username: admin@IDM.LOCAL
SASL SSF: 56
SASL installing layers
dn:cn=admin,dc=idm,dc=local
Result: Success (0)
root@extUbuntu:/etc/ldap#
Snippets of an ldapmodify
debugging information from the proxy
conn=0 fd=9 ACCEPT from IP=127.0.0.1:3145 (IP=0.0.0.0:389)
conn=0 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=0 op=0 SRCH attr=supportedSASLMechanisms
conn=0 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=0 op=1 BIND dn="" method=163
conn=0 op=2 BIND dn="" method=163
conn=0 op=2 RESULT tag=97 err=14 text=
conn=0 op=3 BIND dn="" method=163
request done: ld 0x81a39f8 msgid 1
conn=0 op=1 RESULT tag=97 err=14 text=
request done: ld 0x81a39f8 msgid 2
SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or
directory
conn=0 op=3 BIND authcid="admin@idm.local" authzid="admin@idm.local"
conn=0 op=3 BIND dn="cn=admin,dc=idm,dc=local" mech=GSSAPI ssf=56
conn=0 op=3 RESULT tag=97 err=0 text=
conn=0 op=4 MOD dn="cn=fhuisk,ou=users,dc=idm,dc=local"
conn=0 op=4 MOD attr=cn
request done: ld 0x8192200 msgid 1
request done: ld 0x8192200 msgid 2
request done: ld 0x8192200 msgid 3
request done: ld 0x8192200 msgid 4
request done: ld 0x8192200 msgid 7
request done: ld 0x8192200 msgid 5
conn=0 op=4 RESULT tag=103 err=47 text=anonymous proxyAuthz not allowed
conn=0 op=5 UNBIND
conn=0 fd=9 closed
debugging information from the slave
conn=0 fd=13 ACCEPT from IP=127.0.1.1:2862 (IP=0.0.0.0:390)
conn=0 op=0 BIND dn="" method=128
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="dc=idm,dc=local" scope=2 deref=0
filter="(|(uid=admin)(cn=admin))"
conn=0 op=1 SRCH attr=1.1
<= bdb_equality_candidates: (uid) index_param failed (18)
<= bdb_equality_candidates: (cn) index_param failed (18)
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 fd=15 ACCEPT from IP=127.0.1.1:2863 (IP=0.0.0.0:390)
conn=1 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=1 op=0 SRCH attr=supportedSASLMechanisms
conn=1 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=1 BIND dn="" method=163
conn=1 op=2 BIND dn="" method=163
conn=1 op=3 BIND dn="" method=163
<= bdb_equality_candidates: (uid) index_param failed (18)
<= bdb_equality_candidates: (cn) index_param failed (18)
SASL [conn=1] Error: unable to open Berkeley db /etc/sasldb2: No such file or
directory
conn=1 op=3 BIND authcid="ldap/extubuntu.idm.local@idm.local"
authzid="ldap/extubuntu.idm.local@idm.local"
conn=1 op=3 BIND dn="uid=ldap/extubuntu.idm.local,ou=slaves,dc=idm,dc=local"
mech=GSSAPI ssf=56
conn=1 op=2 RESULT tag=97 err=14 text=
conn=1 op=4 PROXYAUTHZ dn="cn=admin,dc=idm,dc=local"
conn=1 op=4 MOD dn="cn=fhuisk,ou=users,dc=idm,dc=local"
conn=1 op=4 MOD attr=cn
conn=1 op=4 RESULT tag=103 err=10 text=
conn=1 op=3 RESULT tag=97 err=0 text=
conn=1 op=1 RESULT tag=97 err=14 text=
conn=1 op=5 UNBIND
conn=1 fd=15 closed
debugging information from the master
conn=1 fd=14 ACCEPT from IP=172.16.82.240:1290 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="" method=128
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 RESULT tag=103 err=47 text=anonymous proxyAuthz not allowed
do_modify: get_ctrls failed
conn=1 op=2 UNBIND
conn=1 fd=14 closed
ldapmodify call and result
root@extUbuntu:/etc/ldap# ldapmodify
SASL/GSSAPI authentication started
SASL username: admin@IDM.LOCAL
SASL SSF: 56
SASL installing layers
dn: cn=fhuisk,ou=users,dc=idm,dc=local
changetype: modify
add: cn
cn: newCN
-
modifying entry "cn=fhuisk,ou=users,dc=idm,dc=local"
ldapmodify: Proxy Authorization Failure (47)
additional info: anonymous proxyAuthz not allowed
root@extUbuntu:/etc/ldap#