OpenLDAP
Viewing Incoming/5971
Date: Mon, 23 Feb 2009 07:12:27 +0000
From: ngarratt@gmail.com
To: openldap-its@OpenLDAP.org
Subject: Debug mode "fixes" authentication issue
Full_Name: Neil Garratt
Version: 2.4.14
OS: Centos 5.2
URL: 
Submission from: (NULL) (196.35.158.180)


I'm testing OpenLDAP 2.4.14 on Centos 5.2, used as a reverse proxy to AD. When
slapd is run with debugging disabled (or set to 0), search requests throw the
following error:

DSID-0C090627: In order to perform this operation a successful bind must be
completed on the connection.

When run with any other debug value, it returns the results correctly. In both
cases, the logs show a successful bind with the acl-bind user, the search finds
the correct result, and ACLs show access granted to read. The only difference
is what is returned.

If I hammer the requests through, I do occasionally get the correct answer when
using -d 0, and I also occasionally get the error with -d 1.

http://www.nu.co.za/slapd/slapd.conf
http://www.nu.co.za/slapd/d0-ldapsearch.txt
http://www.nu.co.za/slapd/d0-slapdlog.txt
http://www.nu.co.za/slapd/d1-ldapsearch.txt
http://www.nu.co.za/slapd/d1-slapdlog.txt

The d0 files are from slapd started with -d 0 (failing)
The d1 files are from slapd started with -d 1 (working)

Followup 1

Date: Mon, 23 Feb 2009 10:05:38 +0100
From: Pierangelo Masarati <ando@sys-net.it>
To: ngarratt@gmail.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#5971) Debug mode "fixes" authentication issue
ngarratt@gmail.com wrote:

> I'm testing OpenLDAP 2.4.14 on Centos 5.2, used as a reverse proxy to AD. When
> slapd is run with debugging disabled (or set to 0), search requests throw the
> following error:
> 
> DSID-0C090627: In order to perform this operation a successful bind must be
> completed on the connection.
> 
> When run with any other debug value, it returns the results correctly. In both
> cases, the logs show a successful bind with the acl-bind user, the search finds
> the correct result, and ACLs show access granted to read. The only difference
> is what is returned.
> 
> If I hammer the requests through, I do occasionally get the correct answer when
> using -d 0, and I also occasionally get the error with -d 1.
> 
> http://www.nu.co.za/slapd/slapd.conf
> http://www.nu.co.za/slapd/d0-ldapsearch.txt
> http://www.nu.co.za/slapd/d0-slapdlog.txt
> http://www.nu.co.za/slapd/d1-ldapsearch.txt
> http://www.nu.co.za/slapd/d1-slapdlog.txt
> 
> The d0 files are from slapd started with -d 0 (failing)
> The d1 files are from slapd started with -d 1 (working)

The problem seems to be not so repeatable.  First of all, the right 
response is the error, since it fails while chasing referrals, and you 
didn't instruct it to chase referrals with authentication.

Moreover, I've set up a system that mimics your setup, and the host 
containing the referred object is always returning the error, but the 
proxy is presenting it only occasionally.  So the proxy's behavior looks 
erratic, and this is a bug, but your configuration looks broken.

I'll look at the bug; in the meanwhile, you may want to fix your 
configuration by adding

chase-referrals	no

overlay chain
chain-uri <the referred URI with no DN>
chain-idassert-bind <info to allow proxyauthz of users>
# ...

See slapo-chain for details.  Another option is to use

chase-referrals	no
rebind-as-user yes

but I suspect it's broken and, in any case, it does not allow you to 
control what hosts are actually given the user's credentials, or to 
proxyauthz as.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
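As an added illustration of the chaining setup described in the reply above (this is not configuration from the report, nor from the OpenLDAP project), here is a slapd.conf fragment for a back-ldap proxy in front of AD with client-side referral chasing turned off and slapo-chain following the referrals on the server side. The hostnames, suffix, bind DN and password are assumed placeholders; the directive names and their parameters are those documented in slapd-ldap(5) and slapo-chain(5). Using `"*"` for the authzFrom rules, and `mode=none` because AD does not implement the proxyAuthz control, are design choices of this example, not requirements stated in the thread.

```conf
# slapd.conf fragment (example only): back-ldap proxy to AD, with
# referrals chained by slapo-chain rather than handed to the client.
# Host names, DNs and credentials below are assumed placeholders.

# Only needed when slapd was built with dynamic modules.
moduleload  back_ldap.la
moduleload  chain.la

database    ldap
suffix      "dc=example,dc=com"
uri         "ldap://dc1.example.com/"

# Run every proxied operation as a fixed AD service account.
# mode=none: send no proxyAuthz control (AD does not implement it), so
# the operation is simply executed as the service account.
# A line beginning with whitespace continues the previous directive.
idassert-bind   bindmethod=simple
                binddn="cn=acl-bind,cn=Users,dc=example,dc=com"
                credentials="changeme"
                mode=none
# "*" lets any client identity (including anonymous) use the assertion.
idassert-authzFrom  "*"

# Do not return AD's referrals (other DCs, other naming contexts) to
# the client; without this they surface as the unauthenticated
# "a successful bind must be completed" error seen in the report.
chase-referrals no

# Chain those referrals server-side. The referred host is contacted
# with the same service account, so the client's password is never
# forwarded to a host we did not configure here (unlike rebind-as-user).
overlay chain
chain-uri       "ldap://dc2.example.com/"
chain-idassert-bind bindmethod=simple
                binddn="cn=acl-bind,cn=Users,dc=example,dc=com"
                credentials="changeme"
                mode=none
chain-idassert-authzFrom "*"
# If the chained operation fails, report its error instead of the referral.
chain-return-error TRUE
```

To verify the change, run the same `ldapsearch` against the proxy with `-d 0` and with `-d 1` on the slapd side and confirm that the result set is identical in both cases and contains no `ref:` entries; with `chase-referrals no` and the chain overlay in place, a remaining referral means `chain-uri` does not cover the host AD is referring to. The `rebind-as-user yes` alternative mentioned in the reply needs no chain block, but it forwards the client's own credentials to whatever host the referral names, which is why the chained form is preferable when the set of trusted hosts must be pinned.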



Followup 2

Date: Mon, 23 Feb 2009 13:47:58 +0200
Subject: Re: (ITS#5971) Debug mode "fixes" authentication issue
From: Neil Garratt <ngarratt@gmail.com>
To: Pierangelo Masarati <ando@sys-net.it>
Cc: openldap-its@openldap.org
> I'll look at the bug; in the meanwhile, you may want to fix your
> configuration by adding
>
> chase-referrals no
>
> overlay chain
> chain-uri <the referred URI with no DN>
> chain-idassert-bind <info to allow proxyauthz of users>
> # ...
>
> See slapo-chain for details.  Another option is to use
>
> chase-referrals no
> rebind-as-user yes
>

Thanks Pierangelo

The fact that it worked under debug mode was throwing me off.
Referrals have been fixed and it's working as expected now.

Neil


______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org