Hello list,
I'm trying to install an anonymous proxy with OpenLDAP in order to
anonymously bind to an Active Directory server.
With an old version of OpenLDAP (v2.3.11), I had no problem. Using the
v2.3.11 configuration file on v2.3.27 or v2.3.31 does not work. It
seems that a lot of things changed for the "LDAP" backend.
Here is what I have in my configuration file:
-------------8<-------------------------
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/ad.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
allow bind_v2
loglevel 4095
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
authz-policy none
database ldap
lastmod off
suffix "dc=x1,dc=f0,dc=enterprise"
uri "ldap://192.168.AD.IP:3268/"
idassert-bind bindmethod=simple
    mode=anonymous
    binddn="CN=FwSvcMetatest1,OU=Domain-wide Services,DC=f1,DC=enterprise"
    credentials="password"
    flags=non-prescriptive
-------------8<-------------------------
Here is my request and its answer:
-------------8<-------------------------
# ldapsearch -vvv -b "dc=x1,dc=f0,dc=enterprise" -h 127.0.0.1 -p 389 -x -s sub "(cn=Berlamont*)"
ldap_initialize( ldap://127.0.0.1:389 )
filter: (cn=Berlamont*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=x1,dc=f0,dc=enterprise> with scope subtree
# filter: (cn=Berlamont*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
-------------8<-------------------------
A tethereal capture confirms that there has been no connection to the AD.
And finally, if it can help, here is the debug log (only for the ldapsearch):
-------------8<-------------------------
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: >>> slap_listener(ldap://*:389)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: listen=7, new connection on 8
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: added 8r (active) listener=(nil)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 fd=8 ACCEPT from IP=127.0.0.1:35477 (IP=0.0.0.0:389)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: 8r
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: read active on 8
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8): got connid=1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_read(8): checking for input on id=1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_bind
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: >>> dnPrettyNormal: <>
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: <<< dnPrettyNormal: <>, <>
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_bind: version=3 dn="" method=128
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=0 BIND dn="" method=128
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result: conn=1 op=0 p=3
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result: err=0 matched="" text=""
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_response: msgid=1 tag=97 err=0
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=0 RESULT tag=97 err=0 text=
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_bind: v3 anonymous bind
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: 8r
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: read active on 8
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8): got connid=1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_read(8): checking for input on id=1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_search
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: >>> dnPrettyNormal: <dc=x1,dc=f0,dc=enterprise>
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: <<< dnPrettyNormal: <dc=x1,dc=f0,dc=enterprise>, <dc=x1,dc=f0,dc=enterprise>
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: SRCH "dc=x1,dc=f0,dc=enterprise" 2 0
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: 0 0 0
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: begin get_filter
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: SUBSTRINGS
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: begin get_ssa
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: INITIAL
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: end get_ssa
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: end get_filter 0
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: filter: (cn=berlamont*)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: attrs:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=1 SRCH base="dc=x1,dc=f0,dc=enterprise" scope=2 deref=0 filter="(cn=berlamont*)"
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result: conn=1 op=1 p=3
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result: err=10 matched="" text=""
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_response: msgid=2 tag=101 err=32
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: 8r
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: read active on 8
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8): got connid=1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_read(8): checking for input on id=1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: ber_get_next on fd 8 failed errno=0 (Success)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_read(8): input error=-2 id=1, closing.
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_closing: readying conn=1 sd=8 for close
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_close: deferring conn=1 sd=-1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_unbind
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=2 UNBIND
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_resched: attempting closing conn=1 sd=8
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_close: conn=1 sd=-1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: =>ldap_back_conn_destroy: fetching conn 1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: removing 8
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 fd=8 closed ()
-------------8<-------------------------
I don't understand why it doesn't, at least, try to connect to the AD to
try to bind with the account defined by the "binddn" directive in the
"idassert-bind" section.
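Added example for this thread, not code from the original post or from the OpenLDAP project: a small Python script that reads slapd debug output of the kind pasted above, groups the conn=/op= lines, reports the bind identity and the result codes (including the internal err=10 referral that slapd rewrote into err=32 noSuchObject before sending it), and checks whether back-ldap ever logged an outbound connection to the remote server, which is the same question the tethereal capture answered. SAMPLE_LOG is a constructed, abridged copy of the post's log with the hostname shortened and wrapped lines re-joined; the function names in OUTBOUND_MARKERS are an assumption about this slapd version's debug messages, not something the post shows.

```python
"""Summarise slapd debug/syslog output per connection and operation."""
import re

# Standard LDAP resultCode values (RFC 4511) as they appear in slapd's err= field.
RESULT_NAMES = {
    0: "success",
    10: "referral",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    52: "unavailable",
}
# Bind method numbers as slapd logs them: 0x80 simple, 0xa3 SASL.
BIND_METHODS = {128: "simple", 163: "sasl"}

# Assumption: at high loglevel, back-ldap logs these function names when it
# actually opens or binds an outbound connection to the remote server.
OUTBOUND_MARKERS = ("ldap_back_getconn", "ldap_back_dobind")

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (SEARCH RESULT|RESULT|BIND|SRCH|UNBIND)\b(.*)")
ERR_RE = re.compile(r"\berr=(\d+)")
INTERNAL_RE = re.compile(r"send_ldap_result: err=(\d+)")

# Constructed sample: an abridged copy of the log from the post above,
# hostname shortened and wrapped lines re-joined.
SAMPLE_LOG = """\
Jan 8 06:48:17 xen-dev slapd[6484]: conn=1 fd=8 ACCEPT from IP=127.0.0.1:35477 (IP=0.0.0.0:389)
Jan 8 06:48:17 xen-dev slapd[6484]: do_bind: version=3 dn="" method=128
Jan 8 06:48:17 xen-dev slapd[6484]: conn=1 op=0 BIND dn="" method=128
Jan 8 06:48:17 xen-dev slapd[6484]: send_ldap_result: err=0 matched="" text=""
Jan 8 06:48:17 xen-dev slapd[6484]: conn=1 op=0 RESULT tag=97 err=0 text=
Jan 8 06:48:17 xen-dev slapd[6484]: do_bind: v3 anonymous bind
Jan 8 06:48:17 xen-dev slapd[6484]: conn=1 op=1 SRCH base="dc=x1,dc=f0,dc=enterprise" scope=2 deref=0 filter="(cn=berlamont*)"
Jan 8 06:48:17 xen-dev slapd[6484]: send_ldap_result: err=10 matched="" text=""
Jan 8 06:48:17 xen-dev slapd[6484]: send_ldap_response: msgid=2 tag=101 err=32
Jan 8 06:48:17 xen-dev slapd[6484]: conn=1 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan 8 06:48:17 xen-dev slapd[6484]: conn=1 op=2 UNBIND
Jan 8 06:48:17 xen-dev slapd[6484]: =>ldap_back_conn_destroy: fetching conn 1
Jan 8 06:48:17 xen-dev slapd[6484]: conn=1 fd=8 closed ()
"""


def parse_ops(log_text):
    """One record per 'conn=N op=M <KIND>' line, in log order.

    A RESULT record carries the wire result code (err=) and, when the preceding
    send_ldap_result line reported a different code, that internal code too:
    slapd rewrites a referral it has no URL for into noSuchObject before
    sending, which is the 10 -> 32 transition visible in the post's log.
    """
    ops = []
    pending_internal = None
    for line in log_text.splitlines():
        m = INTERNAL_RE.search(line)
        if m:
            pending_internal = int(m.group(1))
            continue
        m = OP_RE.search(line)
        if not m:
            continue
        rec = {"conn": int(m.group(1)), "op": int(m.group(2)), "kind": m.group(3)}
        rest = m.group(4)
        if rec["kind"].endswith("RESULT"):
            em = ERR_RE.search(rest)
            rec["err"] = int(em.group(1)) if em else -1
            rec["err_name"] = RESULT_NAMES.get(rec["err"], "unknown")
            rec["internal_err"] = pending_internal
            pending_internal = None
        elif rec["kind"] == "BIND":
            dn = re.search(r'dn="([^"]*)"', rest)
            method = re.search(r"method=(\d+)", rest)
            rec["dn"] = dn.group(1) if dn else ""
            rec["method"] = BIND_METHODS.get(int(method.group(1)), "unknown") if method else "unknown"
        elif rec["kind"] == "SRCH":
            base = re.search(r'base="([^"]*)"', rest)
            rec["base"] = base.group(1) if base else ""
        ops.append(rec)
    return ops


def outbound_connection_seen(log_text):
    """True if any line shows back-ldap opening or binding to the remote server."""
    return any(marker in line for line in log_text.splitlines() for marker in OUTBOUND_MARKERS)


def diagnose(log_text):
    """Findings a reviewer would want, in log order, then the outbound check."""
    findings = []
    for rec in parse_ops(log_text):
        where = f"conn={rec['conn']} op={rec['op']}"
        if rec["kind"] == "BIND" and rec["dn"] == "":
            findings.append(f"{where}: anonymous {rec['method']} bind (empty dn)")
        elif rec["kind"].endswith("RESULT") and rec["err"] != 0:
            msg = f"{where}: returned err={rec['err']} ({rec['err_name']})"
            if rec["internal_err"] not in (None, rec["err"]):
                msg += (f"; internal err={rec['internal_err']} "
                        f"({RESULT_NAMES.get(rec['internal_err'], 'unknown')}) was rewritten before sending")
            findings.append(msg)
    if not outbound_connection_seen(log_text):
        findings.append("no back-ldap outbound connection message: the search was answered locally")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Run it directly to print the three findings for the sample; to check a real incident, read the syslog file into `diagnose()` instead of SAMPLE_LOG. The script needs neither the proxy's binddn credentials nor network access, so it can be run on a copied log, and the rewritten-referral check is the quickest way to tell a search that never left the proxy from one the remote server actually rejected.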