[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5971) Debug mode "fixes" authentication issue

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#5971) Debug mode "fixes" authentication issue
From: ando@sys-net.it
Date: Mon, 23 Feb 2009 09:05:58 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

ngarratt@gmail.com wrote:

> I'm testing OpenLDAP 2.4.14 on Centos 5.2, used as a reverse proxy to AD. When
> slapd is run with debugging disabled (or set to 0), search requests throw the
> following error:
> 
> DSID-0C090627: In order to perform this operation a successful bind must be
> completed on the connection.
> 
> When run with any other debug value, it returns the results correctly. In both
> cases, the logs show a successful bind with the acl-bind user, the search finds
> the correct result, and acl's show access granted to read. The only difference
> is what is returned.
> 
> If I hammer the requests through, I do occasionally get the correct answer when
> using -d 0, and I also occasionally get the error with -d 1.
> 
> http://www.nu.co.za/slapd/slapd.conf
> http://www.nu.co.za/slapd/d0-ldapsearch.txt
> http://www.nu.co.za/slapd/d0-slapdlog.txt
> http://www.nu.co.za/slapd/d1-ldapsearch.txt
> http://www.nu.co.za/slapd/d1-slapdlog.txt
> 
> The d0 files are from slapd started with -d 0 (failing)
> The d1 files are from slapd started with -d 1 (working)

The problem seems to be not so repeatable.  First of all, the right 
response is the error, since it fails while chasing referrals, and you 
didn't instruct it to chase referrals with authentication.

Moreover, I've set up a system that mimics your setup, and the host 
containing the referred object is always returning the error, but the 
proxy is presenting it only occasionally.  So the proxy's behavior looks 
erratic, and this is a bug, but your configuration looks broken.

I'll look at the bug; in the meanwhile, you may want to fix your 
configuration by adding

chase-referrals	no

overlay chain
chain-uri <the referred URI with no DN>
chain-idassert-bind <info to allow proxyauthz of users>
# ...

See slapo-chain for details.  Another option is to use

chase-referrals	no
rebind-as-user yes

but I suspect it's broken and, in any case, it does not allow you to 
control what hosts are actually given the user's credentials, or to 
proxyauthz as.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------

Prev by Date: Re: (ITS#5967) build failure with openssl : error: structure has no member named `ldo_tls_crlcheck'
Next by Date: Re: (ITS#5970) slapd
Index(es):
- Chronological
- Thread