OpenLDAP ITS: Software Bugs/7464
Date: Thu, 06 Dec 2012 16:58:40 +0000
From: prune@lecentre.net
To: openldap-its@OpenLDAP.org
Subject: ldap_back_dobind_int breaking binded user
Full_Name: Sebastien Prune THOMAS
Version: slapd 2.4.31
OS: Linux CentOS
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (206.167.157.64)

I use OpenLDAP to proxy (with the module back-ldap) to an eDirectory LDAP server.
Every once in a while I have long-lasting connections re-binding as anonymous, breaking the actual bind.
This usually happens after hitting either the idle-timeout or the conn-ttl limit.
I wasn't able to find out what these values are when not set... but setting them low can help reproduce the problem:

    Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 fd=39 ACCEPT from IP=10.100.64.68:33906 (IP=0.0.0.0:389)
    Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND dn="cn=ldapintbind,o=corp" method=128
    Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND dn="cn=ldapintbind,o=shq" mech=SIMPLE ssf=0
    Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 RESULT tag=97 err=0 text=
    Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SRCH base="o=corp" scope=2 deref=3 filter="(&(objectClass=*)(uid=pry))"
    Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SRCH attr=uid
    Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 CMP dn="cn=00-BASICAUTH,o=corp" attr="member"
    Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 RESULT tag=111 err=6 text=
    Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SRCH base="o=corp" scope=2 deref=3 filter="(&(objectClass=*)(uid=dln))"
    Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SRCH attr=uid
    Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_retry: retrying URI="ldaps://10.100.120.153" DN="cn=ldapintbindo=corp"
    Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_dobind_int: DN="cn=ldapintbind,o=corp" without creds, binding anonymously
    Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 CMP dn="cn=00-BASICAUTH,o=corp" attr="member"
    Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 RESULT tag=111 err=5 text=
    Dec 6 09:23:28 qxpldp01 slapd[40707]: conn=1095 fd=39 closed (slapd shutdown)

There, the connection is opened on December the 5th... then idle... then another search is done on December the 6th... and leads to a re-bind...

Either I don't understand why:
- OpenLDAP doesn't re-use the credentials of the first bind, OR
- OpenLDAP simply ends the TCP connection when the timeout is reached instead of re-using it, as if it were a new connection -> the client is not aware of that and still thinks the last bind is valid.

I tried every option I could without success...
For now, I set the conn-ttl and idle-timeout to the max an unsigned long could support: 4294967294

Any other solution appreciated...
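The log excerpt above is the signal a defender can alert on: a connection that completed a successful BIND and later carries an "ldap_back_dobind_int: ... binding anonymously" line has been silently downgraded, and every operation after that line ran as anonymous (note the CMP on the same entry answering err=6, compareTrue, on Dec 5 and err=5, compareFalse, on Dec 6). As an added example that is not part of the original report, the following Python script parses constructed log lines modelled on that excerpt (same conn/op numbers and DNs, plus a healthy second connection as a negative case), ties each anonymous rebind to the DN the client actually authenticated as, and lists the operations that subsequently ran anonymously; it assumes only the slapd line formats visible in the report.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log, modelled on the slapd excerpt in the bug report:
# conn=1095 binds, idles, then back-ldap rebinds it anonymously; conn=1096 is
# a healthy connection added as a negative case.
SAMPLE_LOG = """\
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 fd=39 ACCEPT from IP=10.100.64.68:33906 (IP=0.0.0.0:389)
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND dn="cn=ldapintbind,o=corp" method=128
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND dn="cn=ldapintbind,o=corp" mech=SIMPLE ssf=0
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 RESULT tag=97 err=0 text=
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 CMP dn="cn=00-BASICAUTH,o=corp" attr="member"
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 RESULT tag=111 err=6 text=
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SRCH base="o=corp" scope=2 deref=3 filter="(&(objectClass=*)(uid=dln))"
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_retry: retrying URI="ldaps://10.100.120.153" DN="cn=ldapintbind,o=corp"
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_dobind_int: DN="cn=ldapintbind,o=corp" without creds, binding anonymously
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 CMP dn="cn=00-BASICAUTH,o=corp" attr="member"
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 RESULT tag=111 err=5 text=
Dec 6 09:30:00 qxpldp01 slapd[40707]: conn=1096 fd=40 ACCEPT from IP=10.100.64.70:40000 (IP=0.0.0.0:389)
Dec 6 09:30:00 qxpldp01 slapd[40707]: conn=1096 op=0 BIND dn="cn=other,o=corp" method=128
Dec 6 09:30:00 qxpldp01 slapd[40707]: conn=1096 op=0 RESULT tag=97 err=0 text=
Dec 6 09:30:01 qxpldp01 slapd[40707]: conn=1096 op=1 SRCH base="o=corp" scope=2 deref=3 filter="(uid=x)"
Dec 6 09:30:01 qxpldp01 slapd[40707]: conn=1096 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

# LDAP result codes (RFC 4511) worth naming when reading a finding.
RESULT_CODES = {0: "success", 5: "compareFalse", 6: "compareTrue",
                49: "invalidCredentials", 50: "insufficientAccessRights"}

CONN_OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=')
ANON_RE = re.compile(r'^ldap_back_dobind_int: DN="[^"]*" without creds, binding anonymously')
RESULT_RE = re.compile(r"^(?:SEARCH )?RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)")
OPNAME_RE = re.compile(r"^(?P<name>SRCH|CMP|MOD|ADD|DEL|MODRDN|EXT)\b")


@dataclass
class Finding:
    conn: str
    op: str          # op on which back-ldap downgraded the upstream bind to anonymous
    bound_dn: str    # identity the client had actually authenticated as
    later_ops: list = field(default_factory=list)   # (op, name, err) executed as anonymous


def find_silent_anonymous_rebinds(log_text):
    """One Finding per connection whose authenticated session was silently re-bound anonymously."""
    pending_bind = {}   # conn -> dn of a BIND whose bindResponse is still pending
    bound_dn = {}       # conn -> dn that completed a successful bind (tag=97 err=0)
    findings = {}       # conn -> Finding, created on the first downgrade line
    op_name = {}        # (conn, op) -> operation name, to label later results
    for line in log_text.splitlines():
        m = CONN_OP_RE.search(line)
        if not m:
            continue    # ACCEPT / closed lines carry no op number
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        if (b := BIND_RE.match(rest)):
            pending_bind[conn] = b.group("dn")
        elif ANON_RE.match(rest):
            # The downgrade only matters if the client had really authenticated.
            if conn in bound_dn and conn not in findings:
                findings[conn] = Finding(conn, op, bound_dn[conn])
        elif (n := OPNAME_RE.match(rest)):
            op_name[(conn, op)] = n.group("name")
        elif (r := RESULT_RE.match(rest)):
            tag, err = int(r.group("tag")), int(r.group("err"))
            if tag == 97:   # bindResponse: promote the pending DN on success
                dn = pending_bind.pop(conn, None)
                if err == 0 and dn is not None:
                    bound_dn[conn] = dn
            elif conn in findings:
                findings[conn].later_ops.append((op, op_name.get((conn, op), "?"), err))
    return list(findings.values())


def describe(finding):
    ops = ", ".join(f"op={op} {name} err={err} ({RESULT_CODES.get(err, 'other')})"
                    for op, name, err in finding.later_ops)
    return (f"conn={finding.conn}: client bound as {finding.bound_dn} but back-ldap "
            f"rebound anonymously at op={finding.op}; ran as anonymous: {ops}")


if __name__ == "__main__":
    for f in find_silent_anonymous_rebinds(SAMPLE_LOG):
        print(describe(f))
```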
Date: Thu, 6 Dec 2012 18:20:26 +0100
Subject: Re: (ITS#7464) ldap_back_dobind_int breaking binded user
From: "Pierangelo Masarati" <masarati@aero.polimi.it>
To: prune@lecentre.net
Cc: openldap-its@openldap.org
> I use OpenLDAP to proxy (with the module back-ldap) to an eDirectory LDAP
> server.
> Every once in a while I have long-lasting connections re-binding as
> anonymous, breaking the actual bind.
> This usually happens after hitting either the idle-timeout or the conn-ttl
> limit.
> I wasn't able to find out what these values are when not set... but
> setting them low can help reproduce the problem:

What is the configuration of back-ldap? Can you post it (after sanitizing sensitive info)?

p.

--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
Date: Thu, 6 Dec 2012 12:57:57 -0500
Subject: Re: (ITS#7464) ldap_back_dobind_int breaking binded user
From: Sebastien Thomas <prune@lecentre.net>
To: Pierangelo Masarati <masarati@aero.polimi.it>
Cc: openldap-its@openldap.org
Config is basic (with special timeout tests commented out):

    database        ldap
    suffix          "o=corp"
    uri             ldaps://10.100.120.153

    # close connection after a timeout
    #idletimeout    100
    # causes a cached connection to be dropped and recreated after a given ttl
    #conn-ttl       4294967294
    # close connection after a timeout for ldap backend
    #idle-timeout   4294967294
    # Discards current cached connection when the client rebinds - default to No
    #single-conn    no

    overlay         rwm
    rwm-suffixmassage "o=corp" "o=int"

2012/12/6 Pierangelo Masarati <masarati@aero.polimi.it>
> What is the configuration of back-ldap? Can you post it (after sanitizing
> sensitive info)?
Date: Thu, 6 Dec 2012 19:25:30 +0100
Subject: Re: (ITS#7464) ldap_back_dobind_int breaking binded user
From: "Pierangelo Masarati" <masarati@aero.polimi.it>
To: prune@lecentre.net
Cc: openldap-its@openldap.org
> Config is basic (with special timeout tests commented out):
>
> database ldap
> suffix "o=corp"
> uri ldaps://10.100.120.153
>
> # close connection after a timeout
> #idletimeout 100
> # causes a cached connection to be dropped and recreated after a given ttl
> #conn-ttl 4294967294
> # close connection after a timeout for ldap backend
> #idle-timeout 4294967294
> # Discards current cached connection when the client rebinds - default to No
> #single-conn no

Try adding a "rebind-as-user" here. This forces back-ldap to store the client's credentials in order to rebind when needed (e.g. because a persistent connection timed out).

p.

> overlay rwm
> rwm-suffixmassage "o=corp" "o=int"
Date: Thu, 6 Dec 2012 14:30:15 -0500
Subject: Re: (ITS#7464) ldap_back_dobind_int breaking binded user
From: Sebastien Thomas <prune@lecentre.net>
To: Pierangelo Masarati <masarati@aero.polimi.it>
Cc: openldap-its@openldap.org
Actually I had this before and that did not change anything. I don't think this directive is used for this kind of "timeouts"...

I also tried:

    chase-referrals yes (this is default)
    rebind-as-user yes (as suggested here)
    single-conn yes (default to NO)

I also tried some combinations of idassert-bind options with no luck (as the backend does not support identity assertion).

2012/12/6 Pierangelo Masarati <masarati@aero.polimi.it>
> Try adding a "rebind-as-user" here. This forces back-ldap to store the
> client's credentials in order to rebind when needed (e.g. because a
> persistent connection timed out).
Date: Thu, 6 Dec 2012 14:37:57 -0500
Subject: Re: (ITS#7464) ldap_back_dobind_int breaking binded user
From: Sebastien Thomas <prune@lecentre.net>
To: Pierangelo Masarati <masarati@aero.polimi.it>
Cc: openldap-its@openldap.org
Here is a quick Python script that can be used to query an LDAP proxy. Running it while the proxy is configured with conn-ttl = 5 will trigger the error after 5 seconds:

    import sys
    import time

    import ldap  # python-ldap; Python 3 syntax

    ldap_server = "localhost"
    dn = "cn=ldapintbind,o=corp"
    pw = "your password here"

    con = ldap.initialize("ldap://" + ldap_server)
    try:
        # con.start_tls_s()
        con.simple_bind_s(dn, pw)
        con.set_option(ldap.OPT_DEREF, 3)  # deref=3: always dereference aliases
        scope = ldap.SCOPE_SUBTREE
        base = "o=corp"
        search_filter = "(&(objectClass=*)(uid=dln))"
        retrieve_attributes = ["uid"]
        essai = 0
        # Repeat the same search once a second on the single bound connection;
        # once the proxy's conn-ttl expires, back-ldap rebinds anonymously.
        while True:
            print(str(essai) + ".")
            essai += 1
            result = con.search_s(base, scope, search_filter, retrieve_attributes)
            time.sleep(1)
    except ldap.LDAPError as e:
        # python-ldap carries the error details as a dict in e.args[0]
        info = e.args[0] if e.args else None
        if isinstance(info, dict):
            print(info.get("desc", ""))
            print(info.get("info", ""))
        else:
            print(e)
        sys.exit(1)

2012/12/6 Sebastien Thomas <prune@lecentre.net>
> I also tried some combinations of idassert-bind options with no luck (as
> the backend does not support identity assertion).
Date: Fri, 7 Dec 2012 01:13:50 +0100
Subject: Re: (ITS#7464) ldap_back_dobind_int breaking binded user
From: "Pierangelo Masarati" <masarati@aero.polimi.it>
To: prune@lecentre.net
Cc: openldap-its@openldap.org
> Actually I had this before and that did not change anything. I don't think
> this directive is used for this kind of "timeouts"...
>
> I also tried:
>
> chase-referrals yes (this is default)
> rebind-as-user yes (as suggested here)
> single-conn yes (default to NO)
>
> I also tried some combinations of idassert-bind options with no luck (as the
> backend does not support identity assertion).

By backend do you mean the remote server you're trying to proxy?

I see your problem. Indeed, when a connection is pruned (in your case because it timed out), information about the client's credentials is lost. Back-ldap is working incorrectly, since it falls back to trying to rebind anonymously. However, the only other reasonable option could only be to return a meaningful error (or dropping the connection with the client).

Things work fine with identity assertion, because in that case the client's credentials are no longer needed; what counts is that the client's connection is alive and authenticated, so the client's identity can be asserted.

You'd need to do something like

    idassert-bind bindmethod=simple
        binddn="<authorizing dn>"
        credentials="<authorizing credentials>"
        mode=self
        flags=override

(tested, works fine). However, I understood from what you wrote above that this is not an option.

I see one quick solution: bail out when the connection is lost and idassert is not going to take place. This requires a minimal patch.

An alternative could be to find a decent manner to store the client's credentials in the frontend's connection with the client (as much as we do for the client's identity in c_authz). This will live as long as the client's connection stays alive (something like what we do for paged results).

[disclaimer: I'll look into this time permitting; I can't commit to fixing it any time soon]

p.

--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
Date: Fri, 7 Dec 2012 09:18:53 -0500
Subject: Re: (ITS#7464) ldap_back_dobind_int breaking binded user
From: Sebastien Thomas <prune@lecentre.net>
To: Pierangelo Masarati <masarati@aero.polimi.it>
Cc: openldap-its@openldap.org
Setting the timeout to 4294967294 should do the trick for now... but this is really a sort of bug to me, as back-ldap should not behave this way when it has no credentials to use...
Surely, closing the connection with the client may be the best solution...

2012/12/6 Pierangelo Masarati <masarati@aero.polimi.it>
> I see one quick solution: bail out when the connection is lost and
> idassert is not going to take place. This requires a minimal patch.
>
> An alternative could be to find a decent manner to store the client's
> credentials in the frontend's connection with the client (as much as we do
> for the client's identity in c_authz). This will live as long as the
> client's connection stays alive (something like what we do for paged
> results).
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org