[Date Prev][Date Next] [Chronological] [Thread] [Top]

chain overlay does an anonymous bind and ignores the chain binddn (v2.4.44)



Hello,

I am testing the chain overlay from a read-only slave (consumer) slapd server to a read-write master (provider), but what I am seeing is an anonymous bind from the consumer to the provider instead of the authorization identity configurated in the chain directive.

consumer/10.112.107.53:
-------------------------------------

# slapd -V
@(#) $OpenLDAP: slapd 2.4.44 (Mar 23 2017 12:46:14) $
        root@consumer:/root/rpmbuild/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd


# grep -v -e '^#' -e '^$' slapd.conf
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/freeradius.schema
include         /etc/openldap/schema/authldap.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/custom.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
moduleload      back_ldap.la
moduleload      unique.la
moduleload      ppolicy.la
moduleload      dynlist.la
moduleload      memberof.la
moduleload      syncprov.la
moduleload      accesslog.la
moduleload      auditlog.la
overlay                    chain
chain-uri                  "ldap://10.112.107.51"
chain-idassert-bind        bindmethod="simple"
                           binddn="cn=proxyuser,dc=example,dc=com"
                           credentials="12345678"
                           mode="self"
                           flags=non-prescriptive
chain-rebind-as-user       TRUE
chain-return-error         TRUE
access to *
        by * write
serverID 101
allow bind_v2
database        mdb
suffix          "dc=example,dc=com"
dbnosync
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          12345678
directory       /var/lib/ldap
maxsize         106300440576
index   objectClass             eq
index   uid                     eq,sub
index   entryCSN,entryUUID      eq
loglevel        stats
syncrepl rid=101
        provider=ldap://10.112.107.51:389
        type=refreshAndPersist
        searchbase="dc=example,dc=com"
        schemachecking=off
        bindmethod=simple
        retry="60 10 300 +"
        binddn="cn=syncrepl,dc=example,dc=com"
        credentials=12345678
updateref                  "ldap://10.112.107.51:389"




provider/10.112.107.51:
-----------------------------------

# slapd -V
@(#) $OpenLDAP: slapd 2.4.44 (Mar 23 2017 12:46:14) $
        root@provider:/root/rpmbuild/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd


# grep -v -e '^#' -e '^$' slapd.conf
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/freeradius.schema
include         /etc/openldap/schema/authldap.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/custom.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
modulepath      /usr/lib64/openldap
moduleload      back_ldap.la
moduleload      unique.la
moduleload      ppolicy.la
moduleload      dynlist.la
moduleload      memberof.la
moduleload      syncprov.la
moduleload      accesslog.la
moduleload      auditlog.la
access to *
        by * write
serverID 001
authz-policy            to
allow bind_v2
database        mdb
suffix          "dc=example,dc=com"
dbnosync
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          12345678
directory       /var/lib/ldap
maxsize         106300440576
index   objectClass             eq
index   uid                     eq,sub
index   entryCSN,entryUUID      eq
loglevel        stats
limits dn="cn=proxyuser,dc=example,dc=com" size=unlimited
limits dn="cn=syncrepl,dc=example,dc=com" size=unlimited
overlay syncprov
syncprov-checkpoint 1000 1
syncprov-sessionlog 150000
syncprov-reloadhint TRUE



now I do an update in the consumer:

Apr 20 12:58:57 consumer slapd[23149]: conn=1004 fd=16 ACCEPT from IP=127.0.0.1:42198 (IP=0.0.0.0:389)
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=0 RESULT tag=97 err=0 text=
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=1 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(employeeid=759042)"
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=1 SRCH attr=* +
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=2 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(uid=endwmkhwl60nehf2c)"
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=2 SRCH attr=* +
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=3 MOD dn="uid=enDwmkHWl60NEHf2c,dc=example,dc=com"
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=3 MOD attr=description
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=3 RESULT tag=103 err=8 text=
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 fd=16 closed (connection lost)


and this is the corresponding log in the provider:

Apr 20 12:58:57 provider slapd[28974]: conn=3367 fd=16 ACCEPT from IP=10.112.107.53:58416 (IP=0.0.0.0:389)
Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=0 BIND dn="" method=128
Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=0 RESULT tag=97 err=0 text=
Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=1 MOD dn="uid=enDwmkHWl60NEHf2c,dc=example,dc=com"
Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=1 MOD attr=description
Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=1 RESULT tag=103 err=8 text=modifications require authentication
Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=2 UNBIND
Apr 20 12:58:57 provider slapd[28974]: conn=3367 fd=16 closed


afaik, the bind dn in the provider must be the chain binddn configured in the consumer, but it gets an anonymous bind.


any suggestion about what can be my mistake??