Issue 9468 - slapd-ldap does anonymous bind even if rebind-as-user is set
Summary: slapd-ldap does anonymous bind even if rebind-as-user is set
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: backends (show other issues)
Version: unspecified
Hardware: All All
: --- normal
Target Milestone: 2.6.0
Assignee: Howard Chu
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-17 07:58 UTC by tero.saarni
Modified: 2022-06-30 20:42 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.
Description tero.saarni 2021-02-17 07:58:28 UTC 
When back-ldap retries bind operation after connection retry, it will do it as anonymous even if rebind-as-user is set to yes.  

Expected behavior is that (re)bind is done with user's credentials from the initial bind operation.

I observed following (Warning: I might have understood details of the code incorrectly):

When rebind-as-user is set and bind operation from client is processed, proxy will copy the credentials to ldapconn_t representing the remote LDAP connection. When remote LDAP connection is closed (e.g. by the proxy itself due to timeout), the bind credentials information is lost when freeing the old ldapconn_t.  At this point, client still holds the connection to proxy and is unaware of the remote connection being lost.  Proxy then re-establishes the connection and "synthetically" generates new bind itself, but since it does not have the credentials stored in memory anymore, it sends anonymous bind on behalf of the client.

As a side effect, slapd currently crashes if remote server does not allow anonymous bind and responds with InvalidCredentials instead. The crash is due to assert(), which is handled in separate issue https://bugs.openldap.org/show_bug.cgi?id=9288
Comment 1 tero.saarni 2021-03-05 09:37:33 UTC 
Mege request with proposed test case and code change https://git.openldap.org/openldap/openldap/-/merge_requests/273

Here is a notice of origin and rights statement for the patch in the merge request:

The attached patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Tero Saarni tero.saarni@est.tech. I have not assigned rights and/or interest in this work to any party.

Ericsson Software Technology AB hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.
Comment 2 Quanah Gibson-Mount 2021-05-11 18:20:21 UTC 
Commits: 
  • 6b55a3ba 
by Tero Saarni at 2021-05-11T15:05:50+00:00 
ITS#9468 Added test case for proxy re-binding anonymously


  • 97217da5 
by Tero Saarni at 2021-05-11T15:05:50+00:00 
ITS#9468 back-ldap: Return disconect if rebind cannot be done


  • b1226f56 
by Tero Saarni at 2021-05-11T15:05:50+00:00 
ITS#9468 removed accidental unicode characters


  • de6c9390 
by Tero Saarni at 2021-05-11T15:05:50+00:00 
ITS#9468 documented that re-connecting does not happen after idle-timeout or conn-ttl


  • 06ed7871 
by Tero Saarni at 2021-05-11T15:05:50+00:00 
ITS#9468 summarize discussion about rebind-as-user


  • 255a3746 
by Tero Saarni at 2021-05-11T15:05:50+00:00 
ITS#9468 fixed typos
Comment 3 Quanah Gibson-Mount 2021-05-13 16:35:23 UTC 
Current commit causes issues
Comment 4 Quanah Gibson-Mount 2021-06-08 16:43:42 UTC 
Commits: 
  • 2f880087 
by Howard Chu at 2021-06-08T15:41:40+00:00 
ITS#9468 always init lc_time and lc_create_time
Comment 5 Quanah Gibson-Mount 2022-06-30 20:42:13 UTC 
head:

  • b9173d30 
by Quanah Gibson-Mount at 2022-06-30T20:24:50+00:00 
ITS#9468 - Fix script logic

RE26:

  • 8c970e33 
by Quanah Gibson-Mount at 2022-06-30T20:38:13+00:00 
ITS#9468 - Fix script logic