[Date Prev][Date Next] [Chronological] [Thread] [Top]

Meta proxy to AD headaches.

To: "'openldap-technical@openldap.org'" <openldap-technical@openldap.org>
Subject: Meta proxy to AD headaches.
From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
Date: Wed, 30 Jul 2014 00:43:42 +0000
Accept-language: en-US
Authentication-results: spf=pass (sender IP is 199.135.140.12) smtp.mailfrom=bnordgren@fs.fed.us;
Content-language: en-US
Thread-index: Ac+riqJGcxXS0MIjRRSsry+RGcH3GA==
Thread-topic: Meta proxy to AD headaches.

Hello list,

Using openldap 2.4.39 on Centos 7, I've been trying to set up a metadirectory which proxies "my" current AD server, "my" future AD server, and my FreeIPA server (note: I only have control over the FreeIPA server). I have configured idassert-bind with my AD credentials so web apps can search for users. I want binds against my proxy as users in one of the proxied databases to work (for authentication). Anonymous binds to my proxy are working fine:

ldapsearch -x -H ldap://localhost -b ou=ds.fs.fed.us,ou=users,ou=remapped,dc=usfs-i2,dc=umt,dc=edu '(uid=bnordgren)'

What is not working fine is providing credentials via the client, and the breaking point is TLS between my proxy and AD. Specifically, wireshark tells me there is an Encrypted Alert #21, which is a decryption error. For instance, this:

ldapsearch -x -H ldap://localhost:390/ -b ou=users,ou=remapped,dc=usfs-i2,dc=umt,dc=edu -D cn=bnordgren,ou=RMRS,ou=RESEARCH,ou=ds.fs.fed.us,ou=users,ou=remapped,dc=usfs-i2,dc=umt,dc=edu -W (uid=bnordgren)

Results in:
...
Frame 20: 91 bytes on wire (728 bits), 91 bytes captured (728 bits) on interface 0
Ethernet II, Src: CadmusCo_99:90:db (08:00:27:99:90:db), Dst: RealtekU_12:35:02 (52:54:00:12:35:02)
Internet Protocol Version 4, Src: 10.0.2.15 (10.0.2.15), Dst: 166.7.3.102 (166.7.3.102)
Transmission Control Protocol, Src Port: 37058 (37058), Dst Port: ldap (389), Seq: 394, Ack: 5716, Len: 37
Secure Sockets Layer
    TLSv1 Record Layer: Encrypted Alert
        Content Type: Alert (21)
        Version: TLS 1.0 (0x0301)
        Length: 32
        Alert Message: Encrypted Alert

Where 166.7.3.102 is AD, and 10.0.2.15 is my proxy. This failure is reported by the client as "ldap_bind: Server is unavailable (52)". Once this failure occurs, then anonymous binds fail with "ldap_bind: Invalid DN Syntax (34)" To fix things, I need to restart my proxy server. The relevant portion of my proxy config file is:

database meta
suffix ou=users,ou=remapped,dc=usfs-i2,dc=umt,dc=edu
uri ldap://166.7.3.102/ou=ds.fs.fed.us,ou=users,ou=remapped,dc=usfs-i2,dc=umt,dc=edu

idle-timeout 600
tls ldaps
idassert-authzFrom dn.regex:.*
idassert-bind bindmethod=simple
 binddn=cn=bnordgren,ou=RMRS,ou=RESEARCH,ou=ENDUSERS,ou=_FOREST_SERVICE,dc=ds,dc=fs,dc=fed,dc=us
 credentials=secret
 mode=none
 tls_reqcert=never
 flags=override

suffixmassage "ou=ds.fs.fed.us,ou=users,ou=remapped,dc=usfs-i2,dc=umt,dc=edu" "OU=ENDUSERS,OU=_FOREST_SERVICE,DC=ds,DC=fs,DC=fed,DC=us"

Wireshark confirms that in spite of my efforts to turn TLS off, TLS is used successfully for the anonymous binds. Yet TLS fails for the case where credentials are provided by the client. And once its failed once, the proxy is broken until restart. What is different between how the proxy uses TLS when it is id-asserting and when it isn't?

I'd really appreciate your advice on this.

Thanks,
Bryce




This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.

Prev by Date: Problem Using Chain Overlay, unable to figure out dontusecopy control to fix it
Next by Date: Re: Problem Using Chain Overlay, unable to figure out dontusecopy control to fix it
Index(es):
- Chronological
- Thread