
(ITS#8008) proxyauth with saslmech EXTERNAL not working



Full_Name: Dirk Kastens
Version: 2.4.40
OS: RedHat SL 7.0
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:638:508:3d0:8d09:a681:a06e:29f0)


This is a duplicate of bug #7993 that has been closed.

Meanwhile I compiled openldap myself.

At first, I compiled openldap-2.4.40. I configured ldap as a replica server. It
connects with saslmech EXTERNAL to the master server.
When I configure idassert-bind with saslmech EXTERNAL and try to change an
entry, ldapmodify fails with

ldap_modify: Other (e.g., implementation specific) error (80)

slapd logs the message:
---------------------------
send_ldap_result: referral="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de";
>>> dnPrettyNormal:
<uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
<<< dnPrettyNormal:
<uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>,
<uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
conn=1000 op=1 ldap_chain_op:
ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de";
-> "ldap://ldap-master.rz.uni-osnabrueck.de";
conn=1000 op=1 ldap_chain_op:
ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de":
URI="ldap://ldap-master.rz.uni-osnabrueck.de"; found in cache
=>ldap_back_getconn: conn=1000 op=1: lc=0x7faca820bc70 inserted refcnt=1
rc=0
Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=80 matched="" text="misconfigured URI?"
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=80 matched="" text=""
send_ldap_response: msgid=2 tag=103 err=80
---------------------------

Then I compiled openldap-2.4.26 and used the same configuration. The modify with
saslmech EXTERNAL succeeded:

---------------------------
send_ldap_result: conn=1001 op=1 p=3
send_ldap_result: err=10 matched="" text=""
send_ldap_result: referral="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de";
>>> dnPrettyNormal:
<uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
<<< dnPrettyNormal:
<uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>,
<uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
conn=1001 op=1 ldap_chain_op:
ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de";
-> "ldap://ldap-master.rz.uni-osnabrueck.de";
conn=1001 op=1 ldap_chain_op:
ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de":
URI="ldap://ldap-master.rz.uni-osnabrueck.de"; found in cache
=>ldap_back_getconn: conn=1001 op=1: lc=0x7f4f201fe6f0 inserted refcnt=1
rc=0
send_ldap_result: conn=1001 op=1 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=2 tag=103 err=0
---------------------------

With a quick look I found out that the function ldap_back_dobind_int in
servers/slapd/back-ldap/bind.c differs. In 2.4.26 you have:

---------------------------
	if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) {
		if ( BER_BVISEMPTY( &binddn ) && BER_BVISEMPTY( &bindcred ) ) {
			/* if we got here, it shouldn't return result */
			rc = ldap_back_is_proxy_authz( op, rs,
				LDAP_BACK_DONTSEND, &binddn, &bindcred );
			assert( rc == 1 );
		}
		rc = ldap_back_proxy_authz_bind( lc, op, rs, sendok, &binddn, &bindcred );
		goto done;
	}
---------------------------

while in 2.4.40 there is:

---------------------------
	if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) {
		if ( BER_BVISEMPTY( &binddn ) && BER_BVISEMPTY( &bindcred ) ) {
			/* if we got here, it shouldn't return result */
			rc = ldap_back_is_proxy_authz( op, rs,
				LDAP_BACK_DONTSEND, &binddn, &bindcred );
			if ( rc != 1 ) {
				Debug( LDAP_DEBUG_ANY, "Error: ldap_back_is_proxy_authz "
					"returned %d, misconfigured URI?\n", rc, 0, 0 );
				rs->sr_err = LDAP_OTHER;
				rs->sr_text = "misconfigured URI?";
				LDAP_BACK_CONN_ISBOUND_CLEAR( lc );
				if ( sendok & LDAP_BACK_SENDERR ) {
					send_ldap_result( op, rs );
				}
				goto done;
			}
		}
		rc = ldap_back_proxy_authz_bind( lc, op, rs, sendok, &binddn, &bindcred );
		goto done;
	}
---------------------------

This is where the error message ("misconfigured URI?") comes from.
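For reference, the kind of consumer-side chain configuration the report describes (idassert-bind over SASL/EXTERNAL towards the master, with the chained write carrying the client's identity via proxy authorization). This is an added illustration written for this page, not the reporter's configuration and not taken from the OpenLDAP sources; the certificate paths, the authzFrom pattern and the master-side authzTo value are assumptions. It uses the slapd.conf spelling of the slapo-chain and slapd-ldap directives; the cn=config equivalents (olcChainConfig, olcDbIDAssertBind, olcDbIDAssertAuthzFrom) carry the same keywords.

```conf
# --- replica (consumer) slapd.conf, database section of the replicated suffix ---
# Added example, not the reporter's file. Paths and DNs are assumptions.
overlay chain
chain-uri        "ldap://ldap-master.rz.uni-osnabrueck.de"
chain-return-error TRUE

# Bind to the master with the replica's own client certificate (SASL/EXTERNAL),
# then assert the identity of the user whose write is being chained.
# mode=self: the asserted identity is the client's own DN.
# flags=prescriptive: if the client may not be asserted, fail the op
# instead of silently falling back to the replica's own identity.
chain-idassert-bind bindmethod=sasl saslmech=EXTERNAL
    starttls=critical
    tls_cert=/etc/openldap/certs/replica-cert.pem
    tls_key=/etc/openldap/certs/replica-key.pem
    tls_cacert=/etc/openldap/certs/ca.pem
    mode=self
    flags=prescriptive

# Which local identities are allowed to be asserted towards the master.
# ldap_back_is_proxy_authz() consults this list; an identity that is not
# matched here (or an anonymous client) is not a candidate for assertion.
chain-idassert-authzFrom "dn.regex:^uid=[^,]+,ou=people,dc=uni-osnabrueck,dc=de$"

# --- master (provider) slapd.conf, global section ---
# The identity the replica's certificate maps to must be allowed to proxy
# as the asserted users; the mapping itself is done by authz-regexp.
authz-policy to
authz-regexp
    "^cn=ldap-replica.rz.uni-osnabrueck.de,ou=servers,o=example$"
    "cn=replica,ou=servers,dc=uni-osnabrueck,dc=de"
# On the entry cn=replica,ou=servers,dc=uni-osnabrueck,dc=de:
#   authzTo: dn.regex:^uid=[^,]+,ou=people,dc=uni-osnabrueck,dc=de$
```

When checking a setup like this against the posted log, the error text itself is the useful signal: "misconfigured URI?" is emitted only when ldap_back_is_proxy_authz() returns something other than 1, i.e. when slapd decided that the chained operation's identity should not be asserted. The older code simply assert()ed that this never happens, so on a release build the bind went ahead; the newer code refuses instead. Verifying that the client DN matches idassert-authzFrom, that the client is not anonymous, and that the master accepts the proxyAuthz (authzTo plus authz-policy) narrows the problem down before looking at the TLS/SASL side of the EXTERNAL bind.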