[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: .NET 2.0 and Anonymous bind with OpenLDAP (Was: RE: Question about OpenLDAP)

To: Mark Hennessy <mhennessy@cloud9.net>
Subject: Re: .NET 2.0 and Anonymous bind with OpenLDAP (Was: RE: Question about OpenLDAP)
From: Howard Chu <hyc@symas.com>
Date: Tue, 12 Dec 2006 06:57:46 -0800
Cc: openldap-software@openldap.org
In-reply-to: <BCB1151D5ACB514CB2531FE7B7B9D6137A172C@chai.cloud9.local>
References: <BCB1151D5ACB514CB2531FE7B7B9D6137A172C@chai.cloud9.local>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061211 Netscape/7.2 (ax) Firefox/1.5 SeaMonkey/1.5a

Mark Hennessy wrote:

Sorry for the top-posting on my part.

Here are some more details about the resolution in case anyone is interested:

"The default setting in .NET 1.1 was Bind.None when no authentication
method was supplied. In the new .NET 2.0 the default methond is
Bind.Secure. Therefore, I needed to explicitly declare Bind.None. The
only issue with this is that if we ever use a username and password it
will be sent in clear text."

I hope this is helpful for anyone who encounters a similar issue.

It would be wise to build slapd with SASL support if you actually need secure Binds.

-----Original Message----- From: Howard Chu [mailto:hyc@symas.com] Sent: Monday, December 11, 2006 7:42 PM To: Mark Hennessy Cc: openldap-software@openldap.org Subject: Re: Question about OpenLDAP

Mark Hennessy wrote:
I have a user who tries to connect from an IP x.x.x.31, but
they keep getting
rejected. The ACL is using IPs to allow anonymous
read-only connections. I
have a client at another host that's also in the ACL by IP
which is set to
use an anonymous connection and that works. What should I
be looking for
with this client that's not working? Also, I built
OpenLDAP without SASL on
purpose. This is serving a simple database that could
potentially have lots
of reads and no writes from a couple of trusted hosts. Any
help in this
matter would be greatly appreciated!
This is OpenLDAP from FreeBSD ports built supposedly without SASL.
Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 ACCEPT from
IP=x.x.x.31:1691
(IP=0.0.0.0:389) Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH base=""
scope=0 deref=0
filter="(objectClass=*)" Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH
attr=supportedCapabilities
Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SEARCH RESULT
tag=101 err=0
nentries=1 text= Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH base=""
scope=0 deref=0
filter="(objectClass=*)" Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH
attr=supportedSASLMechanisms
Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SEARCH RESULT
tag=101 err=0
nentries=1 text= Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 BIND dn="" method=137 Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 RESULT tag=97
err=7 text=unknown
authentication method
Dec 11 13:34:19 x slapd[2566]: conn=28 op=3 UNBIND
Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 closed
The log shows they're trying to Bind with a "method=137" and correctly getting an unknown authentication method response back. I.e., they're trying to Bind with a mechanism that slapd doesn't recognize. It's certainly not an anonymous LDAP Simple Bind. Seems like a broken client.


--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

References:
- .NET 2.0 and Anonymous bind with OpenLDAP (Was: RE: Question about OpenLDAP)
  - From: "Mark Hennessy" <mhennessy@cloud9.net>

Prev by Date: .NET 2.0 and Anonymous bind with OpenLDAP (Was: RE: Question about OpenLDAP)
Next by Date: Re: dnsDomain2.schema and aRecord
Index(es):
- Chronological
- Thread