Re: (ITS#5971) Debug mode "fixes" authentication issue
ngarratt@gmail.com wrote:
> I'm testing OpenLDAP 2.4.14 on CentOS 5.2, used as a reverse proxy to AD. When
> slapd is run with debugging disabled (or set to 0), search requests throw the
> following error:
>
> DSID-0C090627: In order to perform this operation a successful bind must be
> completed on the connection.
>
> When run with any other debug value, it returns the results correctly. In both
> cases, the logs show a successful bind with the acl-bind user, the search finds
> the correct result, and ACLs show access granted to read. The only difference
> is what is returned.
>
> If I hammer the requests through, I do occasionally get the correct answer when
> using -d 0, and I also occasionally get the error with -d 1.
>
> http://www.nu.co.za/slapd/slapd.conf
> http://www.nu.co.za/slapd/d0-ldapsearch.txt
> http://www.nu.co.za/slapd/d0-slapdlog.txt
> http://www.nu.co.za/slapd/d1-ldapsearch.txt
> http://www.nu.co.za/slapd/d1-slapdlog.txt
>
> The d0 files are from slapd started with -d 0 (failing)
> The d1 files are from slapd started with -d 1 (working)
The problem seems to be not so repeatable. First of all, the right
response is the error, since it fails while chasing referrals, and you
didn't instruct it to chase referrals with authentication.
Moreover, I've set up a system that mimics your setup, and the host
containing the referred object is always returning the error, but the
proxy is presenting it only occasionally. So the proxy's behavior looks
erratic, and this is a bug, but your configuration looks broken.
I'll look at the bug; in the meanwhile, you may want to fix your
configuration by adding
chase-referrals no
overlay chain
chain-uri <the referred URI with no DN>
chain-idassert-bind <info to allow proxyauthz of users>
# ...
See slapo-chain for details. Another option is to use
chase-referrals no
rebind-as-user yes
but I suspect it's broken and, in any case, it does not allow you to
control what hosts are actually given the user's credentials, or to
proxyauthz as.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
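The chaining setup suggested in the reply above, written out as a slapd.conf fragment. This is an added example, not the configuration from the ITS report (which is only linked, not shown) and not an OpenLDAP project file. The suffix, host names, the proxy and acl-bind DNs and the credentials are placeholders; every directive used is a documented slapd-ldap(5) or slapo-chain(5) directive.

```conf
# Added example, not from the ITS thread: back-ldap proxy to AD with
# referrals chained by slapo-chain instead of chased by the backend.
# Suffix, hosts, DNs and credentials below are placeholders.

database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://dc1.example.com/"

# Identity used by the proxy for its own ACL checks (the "acl-bind user"
# mentioned in the report); placeholder DN and password.
acl-bind        bindmethod=simple
                binddn="cn=proxy,cn=Users,dc=example,dc=com"
                credentials="proxy-secret"

# Never let the backend follow referrals on its own: a referral chased
# this way is followed on a fresh, unauthenticated connection, which is
# exactly what the "a successful bind must be completed" error reports.
chase-referrals no

# Chain referrals through the proxy instead.
overlay         chain
# Hand the referred server's error back to the client instead of the
# original referral, so failures are visible rather than retried blindly.
chain-return-error TRUE

# The host that the referrals point at: scheme and host only, no DN.
chain-uri       "ldap://dc2.example.com/"
# How the proxy binds to that host, and that it asserts the identity of
# the original client (mode=self) via proxied authorization.
chain-idassert-bind bindmethod=simple
                    binddn="cn=proxy,cn=Users,dc=example,dc=com"
                    credentials="proxy-secret"
                    mode=self
# Which client identities may be proxied to the chained host.
chain-idassert-authzFrom "dn.subtree:dc=example,dc=com"
```

Two checks before relying on this: `mode=self` sends the proxied authorization control (RFC 4370, OID 2.16.840.1.113730.3.4.18), so the chained host must list that OID in its root DSE `supportedControl`, otherwise the assertion fails and the chained operation runs as the proxy account itself; and `chain-idassert-authzFrom` is what bounds which client identities the proxy account is allowed to act as, which is the control over "what hosts are actually given the user's credentials" that the reply notes `rebind-as-user` cannot provide.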