Software Enhancements/5110
Notes: similar to ITS#3526
Date: Tue, 28 Aug 2007 16:20:40 GMT
From: f.huiskens@science-computing.de
To: openldap-its@OpenLDAP.org
Subject: back-ldap, proxy authentication fails when chasing referrals
Full_Name: Florian Huiskens
Version: 2.3.30
OS: Ubuntu 7.04
URL:
Submission from: (NULL) (85.216.39.101)

I am trying to set up an environment in which a client communicates with an LDAP proxy. The proxy forwards the client's query (using the ldap backend) to an LDAP slave. The authentication mechanism I use (proxy - slave) is SASL (GSSAPI). The proxy has a Kerberos ticket available. Proxy authentication works in general (using PROXAUTHZ), but fails on referrals (though rebind-as-user is set). This means that if information is written and the proxy receives a referral to the master, the bind information gets lost.

Thanks for any help,
regards
Florian

Config files:

Master:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 0
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload syncprov
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
backend bdb
checkpoint 512 30
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb
suffix "dc=idm,dc=local"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "dc=idm,dc=local"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=idm,dc=local" write
    by dn="uid=ldap/extubuntu.idm.local,ou=slaves,dc=idm,dc=local" read
    by anonymous auth
    by * none
access to dn.base=""
    by * read
access to *
    by dn="cn=admin,dc=idm,dc=local" write
    by * read
# syncrepl config
overlay syncprov
syncprov-checkpoint 100 1
syncprov-sessionlog 100
# SASL setup
#sasl-host ubuntu-desktop
sasl-authz-policy To
sasl-secprops minssf=56
sasl-realm idm.local
sasl-regexp uid=(.*),cn=idm.local,cn=gssapi,cn=auth ldap:///dc=idm,dc=local??sub?(|(uid=$1)(cn=$1))

Slave:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 0
modulepath /usr/lib/ldap
moduleload back_bdb
sizelimit 500
tool-threads 1
backend bdb
checkpoint 512 30
database bdb
suffix "dc=idm,dc=local"
#rootdn "dc=idm,dc=local"
rootdn "dc=nowhere,dc=nouniverse"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=idm,dc=local" write
    by anonymous auth
    by self write
    by * none
#   by dn="cn=repl-admin,dc=idm,dc=local" write
access to dn.base=""
    by * read
access to *
    by dn="cn=admin,dc=idm,dc=local" write
    by self write
    by * read
#   by dn="cn=repl-admin,dc=idm,dc=local" write
#   by * read
syncrepl rid=1
    provider=ldap://ubuntu-desktop:389
    searchbase="dc=idm,dc=local"
    type=refreshAndPersist
    retry="60 10 300 +"
    bindmethod=sasl
    saslmethod=GSSAPI
updateref ldap://ubuntu-desktop:389
# SASL setup
sasl-authz-policy To
sasl-secprops minssf=56
sasl-realm idm.local
sasl-regexp uid=(.*),cn=idm.local,cn=gssapi,cn=auth ldap:///dc=idm,dc=local??sub?(|(uid=$1)(cn=$1))

Proxy (running on the same host as the Slave):

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 1
modulepath /usr/lib/ldap
moduleload back_ldap
database ldap
uri ldap://extubuntu.idm.local:390/
suffix "dc=idm,dc=local"
chase-referrals yes
rebind-as-user yes
# SASL setup
sasl-secprops minss
From: Pierangelo Masarati <openldap-its@OpenLDAP.org>
To: f.huiskens@science-computing.de
Subject: Re: back-ldap, proxy authentication fails when chasing referrals (ITS#5110)
Date: Tue Aug 28 16:35:04 2007
CC: openldap-its@OpenLDAP.org
Same as ITS#3526; use "chase-referrals no" and slapo-chain(5) to alleviate.

p.
From: Pierangelo Masarati <openldap-its@OpenLDAP.org>
To: f.huiskens@science-computing.de
Subject: Re: back-ldap, proxy authentication fails when chasing referrals (ITS#5110)
Date: Wed Aug 29 07:42:42 2007
CC: openldap-its@openldap.org
> Same as ITS#3526; use "chase-referrals no" and slapo-chain(5) to alleviate.

To further elaborate on this: the "right" solution to "wisely" chasing referrals is to disable it within libldap, and rather use a slapo-chain(5) approach. Slapo-chain(5), which is nothing but slapd-ldap(5) called to chase the referral, should be configured to also disable automatic further chasing by libldap, since it allows one to define special configuration directives for well-known URIs, so that identity assertion can be used for further referral chasing. I think it needs to be improved to explicitly disable referral chasing, and to repeatedly chase them as soon as any further ones get returned, keeping track of those that were already chased to detect loops. This would allow safe authenticated referral chasing with identity assertion, while distributed procedures (draft-distproc) get implemented. This is why I'm moving your ITS to software development rather than bug tracking: I consider referral chasing a "feature" to be performed anonymously.

p.
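One way to configure the proxy along the lines of this reply, written as an added example rather than configuration taken from the ITS: the hostnames and ports come from the report, the chain-* directives follow slapo-chain(5) and slapd-ldap(5), and the choice of GSSAPI identity assertion with mode=self is an assumption for this setup.

```conf
# Added example, not the submitter's configuration: proxy slapd.conf with
# libldap referral chasing switched off and slapo-chain doing the chasing
# under an asserted identity instead of anonymously.
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
modulepath      /usr/lib/ldap
moduleload      back_ldap

database        ldap
# Slave from the report; the proxy talks to it as in the original setup.
uri             ldap://extubuntu.idm.local:390/
suffix          "dc=idm,dc=local"
# Never let libldap follow referrals on its own: it would do so without
# the client's credentials, which is the failure mode the report describes.
chase-referrals no
rebind-as-user  yes

overlay         chain
# Referrals returned by the slave are chased by the overlay, not by libldap;
# chain-max-depth bounds how far a referral returned by a referral target
# is followed (assumption: one hop is enough for slave -> master).
chain-max-depth 1
# Hand the chained operation's result back to the client rather than the
# referral it replaces.
chain-return-error TRUE
# Master that the slave's updateref points at (from the report).
chain-uri       ldap://ubuntu-desktop:389/
# Bind to the master with the proxy's own Kerberos identity (assumed to be
# available as a ticket cache, as in the report) and assert the client's
# identity via proxyAuthz; mode=self keeps the client's identity for the
# chained write instead of the proxy's.
chain-idassert-bind bindmethod=sasl saslmech=GSSAPI mode=self
```

The master accepts the asserted identity only if the proxy's own identity is authorized for it; with sasl-authz-policy To, as in the reported master, that means an authzTo attribute on the entry the proxy's Kerberos principal maps to.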
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org