
Re: Output differs when searching via translucent proxy



On 2016-01-14 18:10, M. P. wrote:
Hello all,

We have an installation of openldap like this: master <- slave <-
translucent proxy. All the installation is on debian Jessie 8.2 with
slapd version 2.4.40+dfsg-1+deb8u1.

When searching/binding with ldapsearch everything seems ok. I mean I
have the results I expect.

We have an application called CAS to authenticate users on web
applications and there is where things start to be strange. When
configuring CAS to communicate with the slave, there is no problem,
users can authenticate without issue. But when CAS is configured to
communicate with the translucent proxy, it is not possible for
users to be authenticated.

I looked at different places, changed different parameters playing with
ldap protocol, search reference responses, automatic referral chasing,
... but can't make it work.

In the logs I have this:

ldapsearch request: the output is ok

from client to translucent proxy:

slapd[8845]: conn=1019 fd=13 ACCEPT from IP=10.93.64.180:57730 (IP=0.0.0.0:389)
slapd[8845]: conn=1019 op=0 BIND
dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" method=128
slapd[8845]: conn=1019 op=0 BIND
dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" mech=SIMPLE ssf=0
slapd[8845]: conn=1019 op=0 RESULT tag=97 err=0 text=
slapd[8845]: conn=1019 op=1 SRCH base="ou=people,dc=domain,dc=com"
scope=2 deref=3 filter="(uid=myuser)"
slapd[8845]: conn=1019 op=1 SRCH attr=1.1
slapd[8845]: conn=1019 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[8845]: conn=1019 op=2 UNBIND
slapd[8845]: conn=1019 fd=13 closed

from translucent proxy to slave:

slapd[6491]: conn=1759 fd=25 ACCEPT from IP=10.93.64.207:37513 (IP=0.0.0.0:389)
slapd[6491]: conn=1759 op=0 [IP=10.93.64.180
USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] BIND
dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" method=128
slapd[6491]: conn=1759 op=0 [IP=10.93.64.180
USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] BIND
dn="uid=cas-auth,ou=SI,ou=Access,dc=domain,dc=com" mech=SIMPLE ssf=0
slapd[6491]: conn=1759 op=0 [IP=10.93.64.180
USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] RESULT tag=97
err=0 text=
slapd[6491]: conn=1759 op=1 [IP=10.93.64.180
USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] SRCH
base="ou=people,dc=domain,dc=com" scope=2 deref=3
filter="(uid=myuser)"
slapd[6491]: conn=1759 op=1 [IP=10.93.64.180
USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] SRCH attr=* +
slapd[6491]: conn=1759 op=1 [IP=10.93.64.180
USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] SEARCH RESULT
tag=101 err=0 nentries=1 text=
slapd[6491]: conn=1759 op=2 UNBIND
slapd[6491]: conn=1759 fd=25 closed


CAS request: I don't have the output I expect

from client to translucent proxy:

slapd[8845]: conn=1017 fd=13 ACCEPT from IP=10.93.64.180:57109 (IP=0.0.0.0:389)
slapd[8845]: conn=1017 op=0 BIND
dn="uid=cas-auth,ou=si,ou=access,dc=domain,dc=com" method=128
slapd[8845]: conn=1017 op=0 BIND
dn="uid=cas-auth,ou=si,ou=access,dc=domain,dc=com" mech=SIMPLE ssf=0
slapd[8845]: conn=1017 op=0 RESULT tag=97 err=0 text=
slapd[8845]: conn=1017 op=1 SRCH base="ou=People,dc=domain,dc=com"
scope=2 deref=3 filter="(uid=myuser)"
slapd[8845]: conn=1017 op=1 SRCH attr=1.1
slapd[8845]: conn=1017 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[8845]: conn=1017 fd=13 closed (connection lost)

from translucent proxy to slave:

slapd[6491]: conn=1747 fd=13 ACCEPT from IP=10.93.64.207:35881 (IP=0.0.0.0:389)
slapd[6491]: conn=1747 op=0 [IP=10.93.64.180
USERNAME=uid=cas-auth,ou=si,ou=access,dc=domain,dc=com] BIND
dn="uid=cas-auth,ou=si,ou=access,dc=domain,dc=com" method=128
slapd[6491]: conn=1747 op=0 [IP=10.93.64.180
USERNAME=uid=cas-auth,ou=si,ou=access,dc=domain,dc=com] BIND
dn="uid=cas-auth,ou=SI,ou=Access,dc=domain,dc=com" mech=SIMPLE ssf=0
slapd[6491]: conn=1747 op=0 [IP=10.93.64.180
USERNAME=uid=cas-auth,ou=si,ou=access,dc=domain,dc=com] RESULT tag=97
err=0 text=
slapd[6491]: conn=1747 op=1 UNBIND
slapd[6491]: conn=1747 fd=13 closed


The configuration part relative to translucent:

# Entry 1: olcOverlay={3}translucent,olcDatabase={2}mdb,cn=config
dn: olcOverlay={3}translucent,olcDatabase={2}mdb,cn=config
objectclass: olcConfig
objectclass: olcOverlayConfig
objectclass: olcTranslucentConfig
objectclass: top
olcoverlay: {3}translucent
olctranslucentbindlocal: TRUE

# Entry 2: olcDatabase={0}ldap,olcOverlay={3}translucent,olcDatabase={2}m...
dn: olcDatabase={0}ldap,olcOverlay={3}translucent,olcDatabase={2}mdb,cn=config
objectclass: olcConfig
objectclass: olcLDAPConfig
objectclass: olcTranslucentDatabase
objectclass: olcDatabaseConfig
olcdatabase: {0}ldap
olcdbchasereferrals: TRUE
olcdbidassertauthzfrom: {0}*
olcdbidassertbind: bindmethod="simple" binddn="uid=roaccess,ou=access,dc=dom
 ain,dc=com" credentials="hideme" mode="self"
olcdbsessiontrackingrequest: TRUE
olcdburi: ldap://ldap-data.domain.it

I do not really know where to look else. I'll continue to try
different things to make it work but any idea/suggestion/correction is
welcome.

Thank you in advance for your time.

I don't know if it is related or not but I can reproduce, via ldapsearch, log entries between the proxy and the slave when CAS is configured with proxy as ldap backend.

# ldapsearch -x -b ou=people,dc=domain,dc=com -H ldap://ldap.domain.it -WD uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com -LLL -a always -n -v uid=myuser 1.1

Client -> Proxy
Jan 15 13:11:45 ldap-sudo slapd[29272]: conn=1057 fd=13 ACCEPT from IP=10.93.64.180:38275 (IP=0.0.0.0:389)
Jan 15 13:11:45 ldap-sudo slapd[29272]: conn=1057 op=0 BIND dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" method=128
Jan 15 13:11:45 ldap-sudo slapd[29272]: conn=1057 op=0 BIND dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" mech=SIMPLE ssf=0
Jan 15 13:11:45 ldap-sudo slapd[29272]: conn=1057 op=0 RESULT tag=97 err=0 text=
Jan 15 13:11:45 ldap-sudo slapd[29272]: conn=1057 op=1 UNBIND
Jan 15 13:11:45 ldap-sudo slapd[29272]: conn=1057 fd=13 closed

Proxy -> Slave
Jan 15 13:11:45 ldap-data slapd[6491]: conn=2746 fd=22 ACCEPT from IP=10.93.64.207:58162 (IP=0.0.0.0:389)
Jan 15 13:11:45 ldap-data slapd[6491]: conn=2746 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] BIND dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" method=128
Jan 15 13:11:45 ldap-data slapd[6491]: conn=2746 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] BIND dn="uid=cas-auth,ou=SI,ou=Access,dc=domain,dc=com" mech=SIMPLE ssf=0
Jan 15 13:11:45 ldap-data slapd[6491]: conn=2746 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] RESULT tag=97 err=0 text=
Jan 15 13:11:45 ldap-data slapd[6491]: conn=2746 op=1 UNBIND
Jan 15 13:11:45 ldap-data slapd[6491]: conn=2746 fd=22 closed

In the command I added the "-n" switch to simulate just the bind part.

If I compare with logs from the CAS request, it is like the search part is not forwarded from proxy to slave. Is there any special functionality that the client should support when requesting via the translucent overlay?


--
------------

M. P.
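As an added diagnostic (not code from the thread or from OpenLDAP), a small Python script that parses the two slapd captures quoted above, groups lines by connection, and reports which proxy-side connections issued a SRCH that never showed up on the backend, which is exactly the gap the CAS capture shows. Pairing a proxy session with a backend session by bind DN in order of appearance is an assumption of the script, not something slapd guarantees; the sample lines are a shortened subset of the thread's own logs.

```python
import re
OP_RE = re.compile(r'conn=(\d+) op=\d+ (?:\[[^\]]*\] )?'
                   r'(BIND|SRCH|SEARCH RESULT|RESULT|UNBIND)(.*)')
BINDDN_RE = re.compile(r'dn="([^"]*)"')

def parse_sessions(log):
    """Map conn id -> {'user': lower-cased bind DN, 'ops': op kinds in order}."""
    sessions = {}
    for line in log.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        conn, kind, rest = m.groups()
        s = sessions.setdefault(conn, {'user': None, 'ops': []})
        # DN matching is case-insensitive; the logs show ou=SI / ou=si / ou=Access.
        if kind == 'BIND' and (d := BINDDN_RE.search(rest)):
            s['user'] = d.group(1).lower()
        if not s['ops'] or s['ops'][-1] != kind:  # BIND and SRCH log two lines each
            s['ops'].append(kind)
    return sessions

def unforwarded_searches(proxy_log, backend_log):
    """Proxy conn ids with a SRCH whose paired backend session has none.
    Pairing heuristic (assumption): same bind DN, in order of appearance."""
    pool = {}
    for s in parse_sessions(backend_log).values():
        pool.setdefault(s['user'], []).append(s)
    missing = []
    for conn, s in parse_sessions(proxy_log).items():
        if 'SRCH' not in s['ops']:
            continue
        peers = pool.get(s['user'], [])
        peer = peers.pop(0) if peers else None
        if peer is None or 'SRCH' not in peer['ops']:
            missing.append(conn)
    return missing

# Sample lines: a shortened subset of the two captures quoted in the thread.
PROXY_LOG = """\
slapd[8845]: conn=1017 op=0 BIND dn="uid=cas-auth,ou=si,ou=access,dc=domain,dc=com" method=128
slapd[8845]: conn=1017 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=2 deref=3 filter="(uid=myuser)"
slapd[8845]: conn=1019 op=0 BIND dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" method=128
slapd[8845]: conn=1019 op=1 SRCH base="ou=people,dc=domain,dc=com" scope=2 deref=3 filter="(uid=myuser)"
"""
BACKEND_LOG = """\
slapd[6491]: conn=1747 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=si,ou=access,dc=domain,dc=com] BIND dn="uid=cas-auth,ou=si,ou=access,dc=domain,dc=com" method=128
slapd[6491]: conn=1759 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] BIND dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" method=128
slapd[6491]: conn=1759 op=1 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] SRCH base="ou=people,dc=domain,dc=com" scope=2 deref=3 filter="(uid=myuser)"
slapd[6491]: conn=1759 op=2 UNBIND
"""
```

Running `unforwarded_searches(PROXY_LOG, BACKEND_LOG)` on the sample flags conn 1017 (the CAS session) and not conn 1019 (the ldapsearch session).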