
Re: anonymous proxy and idassert-bind



Raphael Berlamont wrote:
Hello list,

I'm trying to install an anonymous proxy with OpenLDAP in order to
anonymously bind an active directory server.

With an old version of OpenLDAP (v2.3.11), I had no problem. Using the
v2.3.11 configuration file on a v2.3.27 or a v2.3.31 is not working. It
seems that a lot of things changed for the "LDAP" backend.

Here is what I have in my configuration file :

-------------8<-------------------------
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/ad.schema
include         /usr/local/etc/openldap/schema/dyngroup.schema

allow bind_v2

loglevel 4095

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

authz-policy none

database ldap
        lastmod         off
        suffix          "dc=x1,dc=f0,dc=enterprise"
        uri             "ldap://192.168.AD.IP:3268/";
        idassert-bind bindmethod=simple
                mode=anonymous
                binddn="CN=FwSvcMetatest1,OU=Domain-wide
Services,DC=f1,DC=enterprise"
                credentials="password"
                flags=non-prescriptive
-------------8<-------------------------

Here is my request and its answer :

-------------8<-------------------------
# ldapsearch -vvv -b "dc=x1,dc=f0,dc=enterprise" -h 127.0.0.1 -p 389 -x -s
sub "(cn=Berlamont*)"
ldap_initialize( ldap://127.0.0.1:389 )
filter: (cn=Berlamont*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=x1,dc=f0,dc=enterprise> with scope subtree
# filter: (cn=Berlamont*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
-------------8<-------------------------

A tethereal capture confirms that there has been no connection to the AD.

And finally, if it can help, here is the debug log (only for the ldapsearch):

-------------8<-------------------------
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity
on 1 descriptor
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: >>>
slap_listener(ldap://*:389)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: listen=7,
new connection on 8
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: added 8r
(active) listener=(nil)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 fd=8
ACCEPT from IP=127.0.0.1:35477 (IP=0.0.0.0:389)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll:
listen=7 active_threads=0 tvp=NULL
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity
on 1 descriptor
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:  8r
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: read
active on 8
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
connection_get(8): got connid=1
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
connection_read(8): checking for input on id=1
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: ber_get_next on
fd 8 failed errno=11 (Resource temporarily unavailable)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll:
listen=7 active_threads=0 tvp=NULL
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_bind
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: >>>
dnPrettyNormal: <>
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: <<<
dnPrettyNormal: <>, <>
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_bind:
version=3 dn="" method=128
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=0 BIND
dn="" method=128
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result:
conn=1 op=0 p=3
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result:
err=0 matched="" text=""
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
send_ldap_response: msgid=1 tag=97 err=0
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=0
RESULT tag=97 err=0 text=
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_bind: v3
anonymous bind
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity
on 1 descriptor
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:  8r
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: read
active on 8
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
connection_get(8): got connid=1
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
connection_read(8): checking for input on id=1
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: ber_get_next on
fd 8 failed errno=11 (Resource temporarily unavailable)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll:
listen=7 active_threads=0 tvp=NULL
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_search
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: >>>
dnPrettyNormal: <dc=x1,dc=f0,dc=enterprise>
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: <<<
dnPrettyNormal: <dc=x1,dc=f0,dc=enterprise>, <dc=x1,dc=f0,dc=enterprise>
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: SRCH
"dc=x1,dc=f0,dc=enterprise" 2 0
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:     0 0 0
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: begin get_filter
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: SUBSTRINGS
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: begin get_ssa
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:   INITIAL
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: end get_ssa
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: end get_filter 0
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:     filter:
(cn=berlamont*)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:     attrs:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=1 SRCH
base="dc=x1,dc=f0,dc=enterprise" scope=2 deref=0 filter="(cn=berlamont*)"
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result:
conn=1 op=1 p=3
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result:
err=10 matched="" text=""
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
send_ldap_response: msgid=2 tag=101 err=32
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=1
SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity
on 1 descriptor
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:  8r
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: read
active on 8
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
connection_get(8): got connid=1
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
connection_read(8): checking for input on id=1
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: ber_get_next on
fd 8 failed errno=0 (Success)
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
connection_read(8): input error=-2 id=1, closing.
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
connection_closing: readying conn=1 sd=8 for close
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_close:
deferring conn=1 sd=-1
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll:
listen=7 active_threads=0 tvp=NULL
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity
on 1 descriptor
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll:
listen=7 active_threads=0 tvp=NULL
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_unbind
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=2 UNBIND
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
connection_resched: attempting closing conn=1 sd=8
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_close:
conn=1 sd=-1
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
=>ldap_back_conn_destroy: fetching conn 1
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: removing 8
Jan  8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 fd=8
closed ()
-------------8<-------------------------

I don't understand why it doesn't, at least, try to connect to the AD to
try to bind with the account defined by the "binddn" directive in the
"idassert-bind" section.

I have no idea why it ever gets to return "no such object"; if the above is your slapd.conf, I see too much whitespace in front of too many directives to yield a valid slapd-ldap configuration, though.


In any case, I don't remember what actually changed between 2.3.11 and 2.3.X, but lots of things did.

In your tentative setup I see a couple of (potential) issues. First of all let me clarify the context: you want identity assertion because the remote server needs authentication, but you want anonymous operations to be performed anonymously. This requires that the proxy binds with the specified identity and then authorizes as the empty DN, so that the operation is performed with the privileges of anonymous. Is this correct?

In this case, there seems to be a bug in identity assertion, which prevents mode=anonymous from working as expected. I suggest you file an ITS so that this bug gets tracked.

In any case, if you specify flags=non-prescriptive, anonymous operations will not use identity assertion; in fact, non-prescriptive means that operations whose identity cannot be authorized are performed anonymously; the default is to reject them with "inappropriate authentication".

On the contrary, to enable the feature you need, you should rather allow anonymous to use identity assertion, by adding

idassert-authzFrom "dn.regex:.*"

which means that any identity, including the empty DN, is allowed to use identity assertion.

A configuration like

database        ldap
suffix          "dc=example,dc=com"
uri             ldap://:9011
idassert-bind   bindmethod=simple
                mode=self
                binddn="cn=Manager,dc=example,dc=com"
                credentials="secret"
idassert-authzFrom      "dn.regex:.*"

will do the trick (although, with the above bug, no proxyauthz will occur and, as such, the operation will be performed with the identity defined in binddn).

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------