Re: (ITS#8008) proxyauth with saslmech EXTERNAL not working
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8008) proxyauth with saslmech EXTERNAL not working
- From: hyc@symas.com
- Date: Tue, 16 Dec 2014 14:10:29 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
dkastens@uos.de wrote:
> Full_Name: Dirk Kastens
> Version: 2.4.40
> OS: RedHat SL 7.0
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:638:508:3d0:8d09:a681:a06e:29f0)
>
>
> This is a duplicate of bug #7993 that has been closed.
>
> Meanwhile I compiled openldap myself.
>
> At first, I compiled openldap-2.4.40. I configured ldap as a replica server. It
> connects with saslmech EXTERNAL to the master server.
> When I configure idassert-bind with saslmech EXTERNAL and try to change an
> entry, ldapmodify fails with
>
> ldap_modify: Other (e.g., implementation specific) error (80)
>
> slapd logs the message:
> ---------------------------
> send_ldap_result: referral="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de"
> >>> dnPrettyNormal:
> <uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
> <<< dnPrettyNormal:
> <uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>,
> <uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
> conn=1000 op=1 ldap_chain_op:
> ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de"
> -> "ldap://ldap-master.rz.uni-osnabrueck.de"
> conn=1000 op=1 ldap_chain_op:
> ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de":
> URI="ldap://ldap-master.rz.uni-osnabrueck.de" found in cache
> =>ldap_back_getconn: conn=1000 op=1: lc=0x7faca820bc70 inserted refcnt=1
> rc=0
> Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
> send_ldap_result: conn=1000 op=1 p=3
> send_ldap_result: err=80 matched="" text="misconfigured URI?"
> send_ldap_result: conn=1000 op=1 p=3
> send_ldap_result: err=80 matched="" text=""
> send_ldap_response: msgid=2 tag=103 err=80
> ---------------------------
>
> Then I compiled openldap-2.4.26 and used the same configuration. The modify with
> saslmech EXTERNAL succeeded:
>
> ---------------------------
> send_ldap_result: conn=1001 op=1 p=3
> send_ldap_result: err=10 matched="" text=""
> send_ldap_result: referral="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de"
> >>> dnPrettyNormal:
> <uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
> <<< dnPrettyNormal:
> <uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>,
> <uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
> conn=1001 op=1 ldap_chain_op:
> ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de"
> -> "ldap://ldap-master.rz.uni-osnabrueck.de"
> conn=1001 op=1 ldap_chain_op:
> ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de":
> URI="ldap://ldap-master.rz.uni-osnabrueck.de" found in cache
> =>ldap_back_getconn: conn=1001 op=1: lc=0x7f4f201fe6f0 inserted refcnt=1
> rc=0
> send_ldap_result: conn=1001 op=1 p=3
> send_ldap_result: err=0 matched="" text=""
> send_ldap_response: msgid=2 tag=103 err=0
> ---------------------------
>
> With a quick look I found out that the function ldap_back_dobind_int in
> server/slapd/back-ldap/bind.c differs. In 2.4.26 you have:
>
> ---------------------------
>     if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) {
>         if ( BER_BVISEMPTY( &binddn ) && BER_BVISEMPTY( &bindcred ) ) {
>             /* if we got here, it shouldn't return result */
>             rc = ldap_back_is_proxy_authz( op, rs,
>                 LDAP_BACK_DONTSEND, &binddn, &bindcred );
>             assert( rc == 1 );
>         }
>         rc = ldap_back_proxy_authz_bind( lc, op, rs, sendok, &binddn,
>             &bindcred );
>         goto done;
>     }
> ---------------------------
>
> while in 2.4.40 there is:
>
> ---------------------------
>     if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) {
>         if ( BER_BVISEMPTY( &binddn ) && BER_BVISEMPTY( &bindcred ) )
>         {
>             /* if we got here, it shouldn't return result */
>             rc = ldap_back_is_proxy_authz( op, rs,
>                 LDAP_BACK_DONTSEND, &binddn, &bindcred );
>             if ( rc != 1 ) {
>                 Debug( LDAP_DEBUG_ANY, "Error: ldap_back_is_proxy_authz "
>                     "returned %d, misconfigured URI?\n", rc, 0, 0 );
>                 rs->sr_err = LDAP_OTHER;
>                 rs->sr_text = "misconfigured URI?";
>                 LDAP_BACK_CONN_ISBOUND_CLEAR( lc );
>                 if ( sendok & LDAP_BACK_SENDERR ) {
>                     send_ldap_result( op, rs );
>                 }
>                 goto done;
>             }
>         }
>         rc = ldap_back_proxy_authz_bind( lc, op, rs, sendok, &binddn,
>             &bindcred );
>         goto done;
>     }
> ---------------------------
>
> This is where the error message comes from ("misconfigured URI?").
Looks like you've compiled without DEBUG enabled, otherwise your 2.4.26
build would have died with an assert() failure there.
Send a complete config that reproduces the issue. Also give the complete
command you used. So far this just looks like a misconfiguration to me.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
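A small C model of the two code paths quoted in the report, added here as an example; it is not OpenLDAP code and not from either correspondent. ldap_back_is_proxy_authz() is replaced by a caller-supplied result (assumed: 1 means the idassert identity was resolved, anything else means it was not), and a flag stands in for whether assert() was compiled in, so the three outcomes the thread discusses can be run side by side: 2.4.26 with asserts compiled out proceeds to the bind as if nothing were wrong, 2.4.26 with asserts enabled aborts, and 2.4.40 fails closed with LDAP_OTHER (80) and "misconfigured URI?".

```c
/* Added example, not OpenLDAP code: a model of the idassert branch of
 * ldap_back_dobind_int() as quoted above. ldap_back_is_proxy_authz() is
 * replaced by a caller-supplied result (assumed: 1 = identity resolved). */
#include <stdio.h>

#define LDAP_SUCCESS 0
#define LDAP_OTHER   80   /* result code 80 seen by the reporter's ldapmodify */

typedef enum {
    BIND_PROCEEDS,      /* falls through to ldap_back_proxy_authz_bind() */
    BIND_ASSERT_ABORT,  /* assert( rc == 1 ) fired: slapd would die */
    BIND_ERR_MISCONFIG  /* 2.4.40: LDAP_OTHER with "misconfigured URI?" */
} bind_outcome;

struct result { int sr_err; const char *sr_text; };

/* 2.4.26 shape: with binddn and bindcred both empty (the SASL EXTERNAL
 * idassert-bind case) the only guard is assert(); a build with asserts
 * compiled out reduces it to nothing and the bind proceeds regardless. */
static bind_outcome dobind_2_4_26(int creds_empty, int proxy_authz_rc,
                                  int asserts_enabled, struct result *rs)
{
    if (creds_empty && proxy_authz_rc != 1 && asserts_enabled)
        return BIND_ASSERT_ABORT;
    rs->sr_err = LDAP_SUCCESS; rs->sr_text = "";
    return BIND_PROCEEDS;
}

/* 2.4.40 shape: the same condition is a run-time check that fails closed
 * and reports a diagnostic to the client instead of relying on assert(). */
static bind_outcome dobind_2_4_40(int creds_empty, int proxy_authz_rc,
                                  struct result *rs)
{
    if (creds_empty && proxy_authz_rc != 1) {
        rs->sr_err = LDAP_OTHER; rs->sr_text = "misconfigured URI?";
        return BIND_ERR_MISCONFIG;
    }
    rs->sr_err = LDAP_SUCCESS; rs->sr_text = "";
    return BIND_PROCEEDS;
}

int main(void)
{
    struct result rs;
    /* Same input (empty creds, proxy_authz rc 0) under each version. */
    bind_outcome o = dobind_2_4_26(1, 0, 0, &rs);
    printf("2.4.26, asserts off: outcome=%d err=%d\n", o, rs.sr_err);
    o = dobind_2_4_40(1, 0, &rs);
    printf("2.4.40: outcome=%d err=%d text=\"%s\"\n", o, rs.sr_err, rs.sr_text);
    return 0;
}
```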