Re: (ITS#6711) Problems with ppolicy_forward_updates and starttls with certificate-based auth
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6711) Problems with ppolicy_forward_updates and starttls with certificate-based auth
- From: subbarao@computer.org
- Date: Wed, 2 Feb 2011 16:51:42 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
This is a multi-part message in MIME format.
--------------060105070408050605050000
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
>> Another problem is that bind operations to the consumer server start to
>> return two result messages -- one with the error code of the chained
>> operation, and one with the error code of the bind operation.
I'm continuing to see this problem, even after I fix the acl-bind and
the 'manage' ACL configuration. See the attached for an updated test
script that illustrates the problem -- I've added a bind with an
incorrect password which should return 49, but instead is returning 0 to
the client.
The last line of output from the test script is:
ldap bind operation returned 0, expected 49
For the relevant operation in slapd.2.log, I see the following:
conn=1003 op=0 RESULT tag=103 err=0 text=
[...]
conn=1003 op=0 RESULT tag=97 err=49 text=
slapd is returning two RESULT messages for the BIND operation. Error 0
seems to be from the successful chained modification of the
pwdFailureTime attribute, and Error 49 seems to be for the incorrect
password.
-Kartik
--------------060105070408050605050000
Content-Type: text/plain;
name="test099-ppolicy-update"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="test099-ppolicy-update"
#! /bin/sh
# $OpenLDAP: pkg/ldap/tests/scripts/test022-ppolicy,v 1.17.2.9 2010/04/13 20:24:03 kurt Exp $
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2010 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
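# test099-ppolicy-update: ppolicy state forwarding over a chained,
# certificate-authenticated (SASL/EXTERNAL over StartTLS) connection.
#
# Starts a provider on PORT1 and, when back-ldap and syncprov are built,
# a syncrepl consumer on PORT2 whose ppolicy overlay forwards policy
# state (pwdFailureTime) to the provider through the chain overlay.
# A deliberately failed bind against the consumer must be answered with
# invalidCredentials (49) and leave exactly one pwdFailureTime value on
# the provider's copy of the entry.
#
# Environment: everything comes from $SRCDIR/scripts/defines.sh
# (SLAPD, SLAPPASSWD, LDAPADD, LDAPMODIFY, LDAPSEARCH, PORT1/PORT2,
# URI1/URI2, CONF1/CONF2, DATADIR, TESTDIR, KILLSERVERS, WAIT, ...).
# POSIX sh only: this file is run by /bin/sh.
echo "running defines.sh"
. $SRCDIR/scripts/defines.sh

if test $PPOLICY = ppolicyno; then
	echo "Password policy overlay not available, test skipped"
	exit 0
fi

# Print a diagnostic, stop every slapd this script started (unless the
# harness asked to keep servers running) and exit.
# Arguments: $1 - message (stdout, like the rest of the test output)
#            $2 - exit status
# Globals:   KILLSERVERS, KILLPIDS (read at call time, so servers started
#            after the function was defined are covered too)
fail_test() {
	echo "$1"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $2
}

mkdir -p $TESTDIR $DBDIR1

# cn=config root password: generated at random, kept in a file and
# handed to the clients with -y so it never appears on a command line.
$SLAPPASSWD -g -n >$CONFIGPWF
echo "rootpw $($SLAPPASSWD -T $CONFIGPWF)" >$TESTDIR/configpw.conf

echo "Starting slapd on TCP/IP port $PORT1..."
# $BACKEND and $MONITORDB are positional arguments of the filter and
# $TIMING may be empty, so these three stay unquoted on purpose.
. $CONFFILTER $BACKEND $MONITORDB < $PPOLICYCONF > $CONF1
$SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
	# Interactive debugging hook: pause until the operator presses Enter.
	echo PID $PID
	read foo
fi
KILLPIDS="$PID"

USER="uid=nd, ou=People, dc=example, dc=com"
PASS=testpassword

sleep 1

echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test $RC = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done
if test $RC != 0 ; then
	fail_test "ldapsearch failed ($RC)!" $RC
fi

# Truncate (well, seed) the cumulative client output file.
echo /dev/null > $TESTOUT

echo "Using ldapadd to populate the database..."
# may need "-e relax" for draft 09, but not yet.
$LDAPADD -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD < \
	$LDIFPPOLICY >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
	fail_test "ldapadd failed ($RC)!" $RC
fi

if test "$BACKLDAP" != "ldapno" && test "$SYNCPROV" != "syncprovno" ; then
	echo ""
	echo "Setting up policy state forwarding test..."

	# The consumer reuses the provider's generated config with only the
	# database directory swapped.
	mkdir -p $DBDIR2
	sed -e "s,$DBDIR1,$DBDIR2," < $CONF1 > $CONF2

	echo "Starting slapd consumer on TCP/IP port $PORT2..."
	$SLAPD -f $CONF2 -h $URI2 -d $LVL $TIMING > $LOG2 2>&1 &
	PID=$!
	if test $WAIT != 0 ; then
		echo PID $PID
		read foo
	fi
	KILLPIDS="$KILLPIDS $PID"

	echo "Configuring syncprov on provider..."
	if [ "$SYNCPROV" = syncprovmod ]; then
		$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: cn=module,cn=config
objectclass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/overlays
olcModuleLoad: syncprov.la
EOF
		RC=$?
		if test $RC != 0 ; then
			fail_test "ldapadd failed for moduleLoad ($RC)!" $RC
		fi
	fi

	$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: olcOverlay={1}syncprov,olcDatabase={1}$BACKEND,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {1}syncprov
EOF
	RC=$?
	if test $RC != 0 ; then
		fail_test "ldapadd failed for provider database config ($RC)!" $RC
	fi

	echo "Using ldapsearch to check that slapd is running..."
	for i in 0 1 2 3 4 5; do
		$LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \
			'objectclass=*' > /dev/null 2>&1
		RC=$?
		if test $RC = 0 ; then
			break
		fi
		echo "Waiting 5 seconds for slapd to start..."
		sleep 5
	done
	if test $RC != 0 ; then
		fail_test "ldapsearch failed ($RC)!" $RC
	fi

	echo "Configuring syncrepl on consumer..."
	if [ "$BACKLDAP" = ldapmod ]; then
		$LDAPADD -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: cn=module,cn=config
objectclass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/back-ldap
olcModuleLoad: back_ldap.la
EOF
		RC=$?
		if test $RC != 0 ; then
			fail_test "ldapadd failed for moduleLoad ($RC)!" $RC
		fi
	fi

	# One LDIF stream: chain overlay + chained back-ldap towards the
	# provider, syncrepl + updateref on the consumer database, and
	# olcPPolicyForwardUpdates on its ppolicy overlay.
	#
	# Records are separated by blank lines and the olcSyncrepl value is
	# folded: every continuation line must start with exactly one space.
	#
	# The chain and syncrepl both authenticate with SASL/EXTERNAL over
	# StartTLS using the fixture's self-signed localhost.crt as both
	# client certificate and trust anchor; tls_reqcert=never and
	# olcDBIDAssertAuthzFrom: * are acceptable only because this is a
	# throw-away test setup on the loopback interface.
	$LDAPMODIFY -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainReturnError: TRUE

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDBURI: $URI1
olcDBStartTLS: start
olcDBIDAssertBind: mode=none bindmethod=sasl saslmech=EXTERNAL tls_cert=$DATADIR/localhost.crt tls_key=$DATADIR/localhost.key tls_cacert=$DATADIR/localhost.crt tls_reqcert=never
olcDBIDAssertAuthzFrom: *
olcDBACLBind: bindmethod=sasl saslmech=EXTERNAL tls_cert=$DATADIR/localhost.crt tls_key=$DATADIR/localhost.key tls_cacert=$DATADIR/localhost.crt tls_reqcert=never

dn: olcDatabase={1}$BACKEND,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=1
 provider=$URI1
 starttls=yes
 bindmethod=sasl
 saslmech=EXTERNAL
 tls_key=$DATADIR/localhost.key
 tls_cert=$DATADIR/localhost.crt
 tls_cacert=$DATADIR/localhost.crt
 tls_reqcert=never
 tls_crlcheck=none
 searchbase="dc=example,dc=com"
 type=refreshAndPersist
 retry="3 5 300 5"
-
add: olcUpdateref
olcUpdateref: $URI1
-

dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
changetype: modify
replace: olcPPolicyForwardUpdates
olcPPolicyForwardUpdates: TRUE
-
EOF
	RC=$?
	if test $RC != 0 ; then
		fail_test "ldapmodify failed ($RC)!" $RC
	fi

	echo "Waiting for consumer to sync..."
	sleep $SLEEP1

	echo "Testing policy state forwarding..."
	# The bind with a wrong password must come back as invalidCredentials
	# (49).  Capture the status right away: a later "$?" inside the
	# failure branch would report the status of "test", which is 0 there,
	# and the message would always claim the bind "returned 0".
	$LDAPSEARCH -H $URI2 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
	RC=$?
	if test $RC != 49; then
		fail_test "ldap bind operation returned $RC, expected 49" 1
	fi

	# Read the entry back from the *provider*: the forwarded failure must
	# have produced exactly one pwdFailureTime (an operational attribute,
	# hence the explicit "\+" in the attribute list).
	$LDAPSEARCH -H $URI1 -D "$MANAGERDN" -w $PASSWD -b "$USER" \* \+ >> $SEARCHOUT 2>&1
	RC=$?
	if test $RC != 0 ; then
		fail_test "ldapsearch failed ($RC)!" $RC
	fi
	COUNT=$(grep -c "pwdFailureTime" $SEARCHOUT)
	if test $COUNT != 1 ; then
		fail_test "Policy state forwarding failed" 1
	fi
	# End of chaining test
fi

test $KILLSERVERS != no && kill -HUP $KILLPIDS

echo ">>>>> Test succeeded"

test $KILLSERVERS != no && wait

exit 0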
--------------060105070408050605050000--