OpenLDAP
Viewing Software Bugs/7464

From: prune@lecentre.net
Subject: ldap_back_dobind_int breaking binded user

Date: Thu, 06 Dec 2012 16:58:40 +0000
From: prune@lecentre.net
To: openldap-its@OpenLDAP.org
Subject: ldap_back_dobind_int breaking binded user
Full_Name: Sebastien Prune THOMAS
Version: slapd 2.4.31
OS: Linux CentOS
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (206.167.157.64)


I use OpenLDAP to proxy (with the module back-ldap) to an eDirectory LDAP
server.
Every once in a while I have long-lasting connections re-binding as anonymous,
breaking the actual bind.
This usually happens after hitting either the idle-timeout or the conn-ttl limit.
I wasn't able to find out what these values are when not set... but setting them
low can help reproduce the problem:

Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 fd=39 ACCEPT from IP=10.100.64.68:33906 (IP=0.0.0.0:389)
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND dn="cn=ldapintbind,o=corp" method=128
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND dn="cn=ldapintbind,o=shq" mech=SIMPLE ssf=0
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 RESULT tag=97 err=0 text=
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SRCH base="o=corp" scope=2 deref=3 filter="(&(objectClass=*)(uid=pry))"
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SRCH attr=uid
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 CMP dn="cn=00-BASICAUTH,o=corp" attr="member"
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 RESULT tag=111 err=6 text=
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SRCH base="o=corp" scope=2 deref=3 filter="(&(objectClass=*)(uid=dln))"
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SRCH attr=uid
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_retry: retrying URI="ldaps://10.100.120.153" DN="cn=ldapintbindo=corp"
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_dobind_int: DN="cn=ldapintbind,o=corp" without creds, binding anonymously
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 CMP dn="cn=00-BASICAUTH,o=corp" attr="member"
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 RESULT tag=111 err=5 text=
Dec  6 09:23:28 qxpldp01 slapd[40707]: conn=1095 fd=39 closed (slapd shutdown)

There, the connection is opened on December 5... then idle... then another
search is done on December 6... and leads to a re-bind...

Either I don't understand why:

- OpenLDAP doesn't re-use the credentials of the first bind
OR
- OpenLDAP simply ends the TCP connection when the timeout is reached instead of
re-using it, as if it were a new connection ---> the client is not aware of
that and still thinks the last bind is valid.

I tried every option I could without success... 

For now, I set the conn-ttl and idle-timeout to the max an unsigned long could
support: 4294967294

Any other solution appreciated...
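As an added example (mine, not part of the report and not OpenLDAP code): the log quoted above already carries the signal a defender would alert on. The script below correlates, per slapd connection, the DN the client bound as, the "ldap_back_dobind_int: ... without creds, binding anonymously" line, and any compare on the same entry and attribute whose result code differs before and after that line. The sample log is the report's own lines with the wrapped lines rejoined; the regular expressions, function and field names are my assumptions about the syslog format shown here, not an OpenLDAP API.

```python
import re
from collections import defaultdict

# Constructed sample: the report's own log lines, wrapped lines rejoined.
SAMPLE_LOG = """\
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 fd=39 ACCEPT from IP=10.100.64.68:33906 (IP=0.0.0.0:389)
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND dn="cn=ldapintbind,o=corp" method=128
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND dn="cn=ldapintbind,o=shq" mech=SIMPLE ssf=0
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 RESULT tag=97 err=0 text=
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SRCH base="o=corp" scope=2 deref=3 filter="(&(objectClass=*)(uid=pry))"
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 CMP dn="cn=00-BASICAUTH,o=corp" attr="member"
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 RESULT tag=111 err=6 text=
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SRCH base="o=corp" scope=2 deref=3 filter="(&(objectClass=*)(uid=dln))"
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_retry: retrying URI="ldaps://10.100.120.153" DN="cn=ldapintbindo=corp"
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_dobind_int: DN="cn=ldapintbind,o=corp" without creds, binding anonymously
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 CMP dn="cn=00-BASICAUTH,o=corp" attr="member"
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 RESULT tag=111 err=5 text=
Dec  6 09:23:28 qxpldp01 slapd[40707]: conn=1095 fd=39 closed (slapd shutdown)
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
CMP_RE = re.compile(r'conn=(\d+) op=(\d+) CMP dn="([^"]*)" attr="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=\d+ err=(\d+)')
DOWNGRADE_RE = re.compile(r'conn=(\d+) op=(\d+) ldap_back_dobind_int: DN="([^"]*)" '
                          r'without creds, binding anonymously')


def find_downgrades(log_text):
    """One finding per connection that back-ldap re-bound anonymously.

    A finding carries the DN the client had bound as, the op at which the
    downgrade was logged, the number of results returned after it, and each
    compare (entry, attribute) whose result code differs before vs after the
    downgrade. RFC 4511 codes: err=6 is compareTrue, err=5 is compareFalse,
    which is exactly the flip the report's log shows for cn=00-BASICAUTH/member.
    """
    pending_bind = {}               # (conn, op) -> dn, until its RESULT arrives
    pending_cmp = {}                # (conn, op) -> (entry, attr), until its RESULT
    bound_dn = {}                   # conn -> dn confirmed by a RESULT err=0
    downgrade = {}                  # conn -> (op, dn) from the first dobind_int line
    compares = defaultdict(list)    # (conn, entry, attr) -> [(op, err, after_downgrade)]
    results_after = defaultdict(int)

    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            # a SIMPLE bind is logged on two lines (see the log above); keep the first DN
            pending_bind.setdefault((m.group(1), m.group(2)), m.group(3))
            continue
        m = CMP_RE.search(line)
        if m:
            pending_cmp[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
            continue
        m = DOWNGRADE_RE.search(line)
        if m:
            downgrade.setdefault(m.group(1), (int(m.group(2)), m.group(3)))
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        conn, op, err = m.group(1), m.group(2), int(m.group(3))
        after = conn in downgrade
        if after:
            results_after[conn] += 1
        if (conn, op) in pending_bind:
            dn = pending_bind.pop((conn, op))
            if err == 0:
                bound_dn[conn] = dn
        elif (conn, op) in pending_cmp:
            entry, attr = pending_cmp.pop((conn, op))
            compares[(conn, entry, attr)].append((int(op), err, after))

    findings = []
    for conn, (op, dn) in downgrade.items():
        changed = []
        for (c, entry, attr), hist in compares.items():
            if c != conn:
                continue
            before = [e for _, e, a in hist if not a]
            later = [e for _, e, a in hist if a]
            if before and later and before[-1] != later[0]:
                changed.append({"entry": entry, "attr": attr,
                                "before": before[-1], "after": later[0]})
        findings.append({"conn": conn, "bound_dn": bound_dn.get(conn),
                         "downgraded_at_op": op, "downgraded_dn": dn,
                         "results_after_downgrade": results_after[conn],
                         "changed_compares": changed})
    return findings


if __name__ == "__main__":
    for finding in find_downgrades(SAMPLE_LOG):
        print(finding)
```

On the sample log this yields a single finding for conn=1095: bound as cn=ldapintbind,o=corp, downgraded at op=3, two results served afterwards, and the member compare on cn=00-BASICAUTH,o=corp flipping from 6 to 5. The compare flip is the useful part for an alert: the search at op=3 still returned nentries=1, so success codes alone do not reveal that the identity changed underneath the client.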

Followup 1

Date: Thu, 6 Dec 2012 18:20:26 +0100
Subject: Re: (ITS#7464) ldap_back_dobind_int breaking binded user
From: "Pierangelo Masarati" <masarati@aero.polimi.it>
To: prune@lecentre.net
Cc: openldap-its@openldap.org
> Full_Name: Sebastien Prune THOMAS
> Version: slapd 2.4.31
> OS: Linux CentOS
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (206.167.157.64)
>
>
> I use OpenLdap to proxy (with the module back-ldap) to a eDirectory LDAP
> server.
> Every once and a while I have long lasting connections re-binding as
> anonymous,
> breaking the actual bind.
> This usualy happen after hitting either the idle-timeout or the conn-ttl
> limit.
> I wasn't able to find out what these values are when not set... but
> setting them
> low can help reproduce the problem :

What is the configuration of back-ldap?  Can you post it (after sanitizing
sensitive info)?

p.

-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano



Followup 2

Date: Thu, 6 Dec 2012 12:57:57 -0500
Subject: Re: (ITS#7464) ldap_back_dobind_int breaking binded user
From: Sebastien Thomas <prune@lecentre.net>
To: Pierangelo Masarati <masarati@aero.polimi.it>
Cc: openldap-its@openldap.org

Config is basic (with special timeout tests commented out):

database      ldap
suffix            "o=corp"
uri                 ldaps://10.100.120.153

# close connection after a timeout
#idletimeout     100
# causes a cached connection to be dropped and recreated after a given ttl
#conn-ttl        4294967294
# close connection after a timeout for ldap backend
#idle-timeout    4294967294
# Discards current cached connection when the client rebinds - default to No
#single-conn     no

overlay         rwm
rwm-suffixmassage "o=corp" "o=int"





Followup 3

Date: Thu, 6 Dec 2012 19:25:30 +0100
Subject: Re: (ITS#7464) ldap_back_dobind_int breaking binded user
From: "Pierangelo Masarati" <masarati@aero.polimi.it>
To: prune@lecentre.net
Cc: openldap-its@openldap.org
> Config is basic (with special timeout tests commented out) :
>
> database      ldap
> suffix            "o=corp"
> uri                 ldaps://10.100.120.153
>
> # close connection after a timeout
> #idletimeout     100
> # causes a cached connection to be dropped an recreated after a given ttl
> #conn-ttl        4294967294
> # close connection after a timeout for ldap backend
> #idle-timeout    4294967294
> # Discards current cached connection when the client rebinds - default to
> No
> #single-conn     no


Try adding a "rebind-as-user" here.  This forces back-ldap to store
client's credentials in order to rebind when needed (e.g. because a
persistent connection timed out).

p.

> overlay         rwm
> rwm-suffixmassage "o=corp" "o=int"


Followup 4

Date: Thu, 6 Dec 2012 14:30:15 -0500
Subject: Re: (ITS#7464) ldap_back_dobind_int breaking binded user
From: Sebastien Thomas <prune@lecentre.net>
To: Pierangelo Masarati <masarati@aero.polimi.it>
Cc: openldap-its@openldap.org

Actually I had this before and that did not change anything. I don't think
this directive is used for this kind of "timeouts"...

I also tried:

chase-referrals yes (this is default)
rebind-as-user yes (as suggested here)
single-conn yes (default to NO)

I also tried some combinations of idassert-bind options with no luck (as the
backend does not support identity assertion).




Followup 5

Date: Thu, 6 Dec 2012 14:37:57 -0500
Subject: Re: (ITS#7464) ldap_back_dobind_int breaking binded user
From: Sebastien Thomas <prune@lecentre.net>
To: Pierangelo Masarati <masarati@aero.polimi.it>
Cc: openldap-its@openldap.org

Here is a quick Python script that can be used to query an LDAP proxy.
Running it while the proxy is configured with conn-ttl = 5 will trigger the
error after 5 seconds:


import ldap
import sys
import time

ldap_server = "localhost"
dn = "cn=ldapintbind,o=corp"
pw = "your password here"

con = ldap.initialize("ldap://" + ldap_server)
try:
    # con.start_tls_s()
    con.simple_bind_s(dn, pw)
    con.set_option(ldap.OPT_DEREF, 3)

    scope = ldap.SCOPE_SUBTREE
    base = "o=corp"
    search_filter = "(&(objectClass=*)(uid=dln))"
    retrieve_attributes = ["uid"]

    essai = 0
    while True:
        print(str(essai) + ".")
        essai += 1

        # one search per second on the connection bound above; with
        # conn-ttl = 5 on the proxy, the cached upstream connection is
        # pruned while this client still believes its bind is valid
        result = con.search_s(base, scope, search_filter, retrieve_attributes)

        time.sleep(1)

except ldap.LDAPError as e:
    # python-ldap passes the server's diagnostics as a dict in e.args[0]
    info = e.args[0] if e.args else None
    if isinstance(info, dict):
        print(info.get("info", ""))
        print(info.get("desc", ""))
    else:
        print(e)
    sys.exit()




Followup 6

Date: Fri, 7 Dec 2012 01:13:50 +0100
Subject: Re: (ITS#7464) ldap_back_dobind_int breaking binded user
From: "Pierangelo Masarati" <masarati@aero.polimi.it>
To: prune@lecentre.net
Cc: openldap-its@openldap.org
> Actualy I had this before and that did not change anything. I don't think
> this directive is used for this kind of "timeouts"...
>
> I also tried :
>
> chase-referrals yes (this is default)
> rebind-as-user yes (as suggested here)
> single-conn yes (default to NO)
>
> I also tried some combinings of idassert-bind options with no luck (as the
> backend does not support identity assertion).

By backend do you mean the remote server you're trying to proxy?

I see your problem.  Indeed, when a connection is pruned (in your case
because it timed out), information about client's credentials is lost. 
Back-ldap is working incorrectly, since it falls back to trying to rebind
anonymously.  However, the only other reasonable option could only be to
return a meaningful error (or dropping the connection with the client).

Things work fine with identity assertion, because in that case the
client's credentials are no longer needed, what counts is that the
client's connection is alive and authenticated, so the client's identity
can be asserted.

You'd need to do something like

idassert-bind bindmethod=simple
              binddn="<authorizing dn>"
              credentials="<authorizing credentials>"
              mode=self
              flags=override

(tested, works fine).  However, I understood from what you wrote above
that this is not an option.

I see one quick solution: bail out when the connection is lost and
idassert is not going to take place.  This requires a minimal patch.

An alternative could be to find a decent manner to store the client's
credentials in the frontend's connection with the client (as much as we do
for the client's identity in c_authz).  This will live as long as the
client's connection stays alive (something like what we do for paged
results).

[disclaimer: I'll look into this time permitting; I can't commit to fixing
it any soon]

p.

-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
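
As an added example (mine; not OpenLDAP code, not the patch mentioned above, and not eDirectory's ACLs), the model below captures the design choice this followup lays out. A toy proxy caches one upstream connection per client, remembers the client's DN but, as in the report, not its credentials, and prunes the connection after conn-ttl. Three reconnect policies are compared: the silent anonymous re-bind the report's logs show, the "bail out" fix (return an error instead of downgrading), and the alternative of keeping the client's credentials for the lifetime of the client connection. The thread does not say which result code the fix would return; the model uses unavailable (52) as a placeholder, and the ACL that hides member from anonymous binds, the DNs, the password and all names are constructed.

```python
from enum import Enum

# RFC 4511 result codes used by the model (52 is a placeholder choice, see lead-in)
COMPARE_FALSE, COMPARE_TRUE, UNAVAILABLE = 5, 6, 52


class Policy(Enum):
    ANONYMOUS_FALLBACK = "re-bind anonymously (what the report's logs show)"
    FAIL_CLOSED = "return an error when the creds are gone (the 'bail out' fix)"
    STORE_CREDENTIALS = "keep the client's creds for the client connection's lifetime"


class Upstream:
    """Toy remote directory. Constructed ACL: 'member' is readable only by
    authenticated binds, so an anonymous compare always yields compareFalse."""
    PASSWORDS = {"cn=ldapintbind,o=corp": "secret"}                    # constructed
    ENTRIES = {"cn=00-BASICAUTH,o=corp": {"member": {"uid=pry,o=corp"}}}

    def bind(self, dn, pw):
        if dn is None:
            return True                      # anonymous bind always succeeds
        return self.PASSWORDS.get(dn) == pw

    def compare(self, who, entry, attr, value):
        if who is None:
            return COMPARE_FALSE             # attribute invisible to anonymous
        values = self.ENTRIES.get(entry, {}).get(attr, set())
        return COMPARE_TRUE if value in values else COMPARE_FALSE


class ProxyError(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.code = code


class Proxy:
    """One cached upstream connection per client, pruned after conn_ttl seconds."""

    def __init__(self, upstream, policy, conn_ttl):
        self.up, self.policy, self.ttl = upstream, policy, conn_ttl
        self.cache = {}                      # client_id -> {dn, creds, opened_at}

    def bind(self, client_id, dn, pw, now):
        if not self.up.bind(dn, pw):
            return False
        creds = pw if self.policy is Policy.STORE_CREDENTIALS else None
        self.cache[client_id] = {"dn": dn, "creds": creds, "opened_at": now}
        return True

    def _upstream_identity(self, client_id, now):
        c = self.cache[client_id]
        if now - c["opened_at"] < self.ttl:
            return c["dn"]                   # cached connection still alive
        # The cached connection was pruned: the proxy must reopen it, and it
        # only knows the client's DN unless the credentials were kept.
        c["opened_at"] = now
        if c["creds"] is not None and self.up.bind(c["dn"], c["creds"]):
            return c["dn"]
        if self.policy is Policy.FAIL_CLOSED:
            raise ProxyError(UNAVAILABLE)    # refuse rather than downgrade
        self.up.bind(None, None)             # the silent downgrade in the report
        return None

    def compare(self, client_id, entry, attr, value, now):
        try:
            who = self._upstream_identity(client_id, now)
        except ProxyError as e:
            return e.code
        return self.up.compare(who, entry, attr, value)


def run_scenario(policy, conn_ttl=5):
    """Bind once, compare at t=0, then again at t=10 (past the ttl).
    Returns the two compare result codes."""
    proxy = Proxy(Upstream(), policy, conn_ttl)
    if not proxy.bind("client-A", "cn=ldapintbind,o=corp", "secret", now=0):
        raise RuntimeError("bind failed")
    args = ("client-A", "cn=00-BASICAUTH,o=corp", "member", "uid=pry,o=corp")
    return proxy.compare(*args, now=0), proxy.compare(*args, now=10)


if __name__ == "__main__":
    for policy in Policy:
        print(policy.name, run_scenario(policy))
```

Under ANONYMOUS_FALLBACK the two compares come back as (6, 5), the same err=6 then err=5 pair the report's log shows for cn=00-BASICAUTH/member, and the client is never told its identity changed. FAIL_CLOSED turns the second compare into an error the client can act on (re-bind, or treat the session as broken), which is the property that matters: a proxy that has lost the credentials it needs should fail the operation, not quietly continue with less privilege.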



Followup 7

Date: Fri, 7 Dec 2012 09:18:53 -0500
Subject: Re: (ITS#7464) ldap_back_dobind_int breaking binded user
From: Sebastien Thomas <prune@lecentre.net>
To: Pierangelo Masarati <masarati@aero.polimi.it>
Cc: openldap-its@openldap.org

Setting the timeout to 4294967294 should do the trick for now... but this
is really a sort of bug to me, as back-ldap should not behave this way when
it has no credentials to use...
Surely, closing the connection with the client may be the best solution...




The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org