
anonymous proxy and idassert-bind
Hello list,

I'm trying to install an anonymous proxy with OpenLDAP in order to
bind anonymously to an Active Directory server.

With an old version of OpenLDAP (v2.3.11), I had no problem. Using the
v2.3.11 configuration file on v2.3.27 or v2.3.31 does not work. It
seems that a lot of things have changed in the "ldap" backend.

Here is what I have in my configuration file:

-------------8<-------------------------
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/ad.schema
include         /usr/local/etc/openldap/schema/dyngroup.schema

allow bind_v2

loglevel 4095

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

authz-policy none

database ldap
        lastmod         off
        suffix          "dc=x1,dc=f0,dc=enterprise"
        uri             "ldap://192.168.AD.IP:3268/"
        idassert-bind bindmethod=simple
                mode=anonymous
                binddn="CN=FwSvcMetatest1,OU=Domain-wide Services,DC=f1,DC=enterprise"
                credentials="password"
                flags=non-prescriptive
-------------8<-------------------------

Here is my request and its answer:

-------------8<-------------------------
# ldapsearch -vvv -b "dc=x1,dc=f0,dc=enterprise" -h 127.0.0.1 -p 389 -x -s sub "(cn=Berlamont*)"
ldap_initialize( ldap://127.0.0.1:389 )
filter: (cn=Berlamont*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=x1,dc=f0,dc=enterprise> with scope subtree
# filter: (cn=Berlamont*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
-------------8<-------------------------

A tethereal capture confirms that there has been no connection to the AD.

And finally, if it can help, here is the debug log (only for the ldapsearch):

-------------8<-------------------------
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: >>> slap_listener(ldap://*:389)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: listen=7, new connection on 8
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: added 8r (active) listener=(nil)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 fd=8 ACCEPT from IP=127.0.0.1:35477 (IP=0.0.0.0:389)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:  8r
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: read active on 8
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8): got connid=1
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_read(8): checking for input on id=1
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_bind
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: >>> dnPrettyNormal: <>
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: <<< dnPrettyNormal: <>, <>
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_bind: version=3 dn="" method=128
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=0 BIND dn="" method=128
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result: conn=1 op=0 p=3
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result: err=0 matched="" text=""
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_response: msgid=1 tag=97 err=0
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=0 RESULT tag=97 err=0 text=
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_bind: v3 anonymous bind
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:  8r
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: read active on 8
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8): got connid=1
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_read(8): checking for input on id=1
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_search
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: >>> dnPrettyNormal: <dc=x1,dc=f0,dc=enterprise>
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: <<< dnPrettyNormal: <dc=x1,dc=f0,dc=enterprise>, <dc=x1,dc=f0,dc=enterprise>
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: SRCH "dc=x1,dc=f0,dc=enterprise" 2 0
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:     0 0 0
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: begin get_filter
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: SUBSTRINGS
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: begin get_ssa
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:   INITIAL
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: end get_ssa
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: end get_filter 0
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:     filter: (cn=berlamont*)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:     attrs:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=1 SRCH base="dc=x1,dc=f0,dc=enterprise" scope=2 deref=0 filter="(cn=berlamont*)"
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result: conn=1 op=1 p=3
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result: err=10 matched="" text=""
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_response: msgid=2 tag=101 err=32
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:  8r
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: read active on 8
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8): got connid=1
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_read(8): checking for input on id=1
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: ber_get_next on fd 8 failed errno=0 (Success)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_read(8): input error=-2 id=1, closing.
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_closing: readying conn=1 sd=8 for close
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_close: deferring conn=1 sd=-1
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_unbind
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=2 UNBIND
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_resched: attempting closing conn=1 sd=8
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_close: conn=1 sd=-1
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: =>ldap_back_conn_destroy: fetching conn 1
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: removing 8
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 fd=8 closed ()
-------------8<-------------------------

I don't understand why it doesn't at least try to connect to the AD and
bind with the account defined by the "binddn" directive in the
"idassert-bind" section.

Can anyone give a hint?

Regards,

-- 
Raphael Berlamont
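As an added example, not part of the original post: a small Python script that works through the debug log above the way one would when triaging a proxy problem. It groups the loglevel 4095 lines by conn/op, pairs the result code handed to send_ldap_result with the code actually returned on the wire, and records whether any back-ldap trace line was logged while a search was current. The sample log inside the script is a trimmed reconstruction of the one in the post (host name shortened, daemon/epoll chatter dropped), the "ldap_back_" marker is an assumption about the prefix of back-ldap's trace lines, and the referral-to-noSuchObject reading rests on slapd's send_ldap_result, which sends a referral result (10) that carries no referral URLs to the client as noSuchObject (32).

```python
import re
from collections import OrderedDict

# Constructed sample: a trimmed reconstruction of the loglevel 4095 output in
# the post (host name shortened, daemon/epoll chatter dropped). Not a new capture.
SAMPLE_LOG = """\
Jan  8 06:48:17 host slapd[6484]: conn=1 fd=8 ACCEPT from IP=127.0.0.1:35477 (IP=0.0.0.0:389)
Jan  8 06:48:17 host slapd[6484]: conn=1 op=0 BIND dn="" method=128
Jan  8 06:48:17 host slapd[6484]: send_ldap_result: conn=1 op=0 p=3
Jan  8 06:48:17 host slapd[6484]: send_ldap_result: err=0 matched="" text=""
Jan  8 06:48:17 host slapd[6484]: conn=1 op=0 RESULT tag=97 err=0 text=
Jan  8 06:48:17 host slapd[6484]: conn=1 op=1 SRCH base="dc=x1,dc=f0,dc=enterprise" scope=2 deref=0 filter="(cn=berlamont*)"
Jan  8 06:48:17 host slapd[6484]: send_ldap_result: conn=1 op=1 p=3
Jan  8 06:48:17 host slapd[6484]: send_ldap_result: err=10 matched="" text=""
Jan  8 06:48:17 host slapd[6484]: conn=1 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan  8 06:48:17 host slapd[6484]: conn=1 op=2 UNBIND
Jan  8 06:48:17 host slapd[6484]: =>ldap_back_conn_destroy: fetching conn 1
Jan  8 06:48:17 host slapd[6484]: conn=1 fd=8 closed ()
"""

LDAP_REFERRAL = 10        # code the frontend sets when no backend answers for the base
LDAP_NO_SUCH_OBJECT = 32  # what a referral with no referral URLs becomes on the wire
AUTH_SIMPLE = 128         # bind method 0x80: simple; with dn="" the bind is anonymous

OP_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|SRCH|SEARCH RESULT|RESULT|UNBIND)(.*)')
INTERNAL_ERR_RE = re.compile(r'send_ldap_result: err=(\d+)')
WIRE_ERR_RE = re.compile(r' err=(\d+)')
TARGET_RE = re.compile(r'(?:dn|base)="([^"]*)"')
METHOD_RE = re.compile(r'method=(\d+)')


def _new_record():
    return {'kind': None, 'target': None, 'method': None,
            'internal_err': None, 'wire_err': None, 'backend_lines': []}


def parse_ops(log_text):
    """Group slapd trace lines by (conn, op).

    Each record holds the request kind, its bind DN or search base, the code
    handed to send_ldap_result (internal_err), the code that went on the wire
    (wire_err) and any back-ldap trace lines logged while the op was current.
    """
    ops = OrderedDict()
    current = None
    for line in log_text.splitlines():
        # Strip the syslog prefix "Mon DD HH:MM:SS host slapd[pid]: ".
        msg = line.split(']: ', 1)[1] if ']: ' in line else line
        m = OP_RE.search(msg)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            rec = ops.setdefault(current, _new_record())
            kind, rest = m.group(3), m.group(4)
            if kind in ('BIND', 'SRCH', 'UNBIND'):
                rec['kind'] = kind
                t = TARGET_RE.search(rest)
                rec['target'] = t.group(1) if t else None
                mm = METHOD_RE.search(rest)
                rec['method'] = int(mm.group(1)) if mm else None
            else:  # RESULT / SEARCH RESULT: the code the client actually received
                e = WIRE_ERR_RE.search(rest)
                rec['wire_err'] = int(e.group(1)) if e else None
            continue
        if current is None:
            continue
        m = INTERNAL_ERR_RE.search(msg)
        if m:
            ops[current]['internal_err'] = int(m.group(1))
        elif 'ldap_back_' in msg:
            # Assumption: back-ldap trace lines carry an "ldap_back_" prefix; the
            # only one in the post is ldap_back_conn_destroy, logged at unbind.
            ops[current]['backend_lines'].append(msg)
    return ops


def diagnose(ops):
    """Turn the per-op records into the findings a proxy operator wants to see."""
    findings = []
    for (conn, op), rec in ops.items():
        tag = f'conn={conn} op={op}'
        if rec['kind'] == 'BIND' and rec['method'] == AUTH_SIMPLE and rec['target'] == '':
            findings.append(f'{tag}: anonymous simple bind to the proxy')
        if rec['kind'] == 'SRCH':
            if (rec['internal_err'] == LDAP_REFERRAL
                    and rec['wire_err'] == LDAP_NO_SUCH_OBJECT):
                findings.append(f'{tag}: frontend result was referral (10) with no '
                                f'referral URLs, sent to the client as noSuchObject (32)')
            if not rec['backend_lines']:
                findings.append(f'{tag}: no back-ldap trace while the search was '
                                f'current; the remote server was not contacted')
    return findings


if __name__ == '__main__':
    for finding in diagnose(parse_ops(SAMPLE_LOG)):
        print(finding)
```

Run against the sample it reports three things: an anonymous simple bind to the proxy, the 10-to-32 mapping on op=1, and that no backend trace was logged for that search. The last point agrees with the tethereal observation and suggests that the frontend answered the search itself, before back-ldap had any reason to open a connection and bind with the idassert identity; against a real log, feed it the full loglevel 4095 output and look at which op first produces a back-ldap line. Unrelated to the symptom but worth noting about the configuration: the backend URI is plain ldap:// to port 3268 with bindmethod=simple, so the service account's password crosses the network in the clear unless the AD side is reached over ldaps:// (3269 for the global catalog) or StartTLS.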