Re: Using back-ldap as a dumb proxy
Quanah Gibson-Mount wrote:
> Sure. Which configuration do you want me to try it with? ;) Here is -d
> -1 with this config:
>
> idassert-bind bindmethod=sasl
> saslmech=gssapi
> realm=stanford.edu
> authcID=service/mailrouter@stanford.edu
>
> authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu
First of all, what's missing here is the "mode" parameter; what do you
want the proxy to do? bind as "service/mailrouter@stanford.edu", SASL
authorize as
"dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" and
then? proxy authorize as the incoming request? just keep the
"cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" identity?
>
>
>
> daemon: activity on 1 descriptor
>>>> slap_listener(ldap:///)daemon: listen=7, new connection on 8
> ldap_pvt_gethostbyname_a: host=smtp-dev.stanford.edu, r=0
> daemon: added 8r (active) listener=(nil)
> conn=0 fd=8 ACCEPT from IP=127.0.0.1:43402 (IP=0.0.0.0:389)
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptor
> daemon: activity on: 8r
> daemon: read activity on 8
> connection_get(8)
> connection_get(8): got connid=0
> connection_read(8): checking for input on id=0
> ber_get_next
> ldap_read: want=8, got=8
> 0000: 30 0c 02 01 01 60 07 02 0....`..
> ldap_read: want=6, got=6
> 0000: 01 03 04 00 80 00 ......
> ber_get_next: tag 0x30 len 12 contents:
> ber_dump: buf=0x08193c48 ptr=0x08193c48 end=0x08193c54 len=12
> 0000: 02 01 01 60 07 02 01 03 04 00 80 00 ...`........
> ber_get_next
> ldap_read: want=8 error=Resource temporarily unavailable
> ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> do_bind
> ber_scanf fmt ({imt) ber:
> ber_dump: buf=0x08193c48 ptr=0x08193c4b end=0x08193c54 len=9
> 0000: 60 07 02 01 03 04 00 80 00 `........
> ber_scanf fmt (m}) ber:
> ber_dump: buf=0x08193c48 ptr=0x08193c52 end=0x08193c54 len=2
> 0000: 00 00 ..
>>>> dnPrettyNormal: <>
> <<< dnPrettyNormal: <>, <>
> do_bind: version=3 dn="" method=128
> conn=0 op=0 BIND dn="" method=128
> send_ldap_result: conn=0 op=0 p=3
> send_ldap_result: err=0 matched="" text=""
> send_ldap_response: msgid=1 tag=97 err=0
> ber_flush: 14 bytes to sd 8
> 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
> ldap_write: want=14, written=14
> 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
> conn=0 op=0 RESULT tag=97 err=0 text=
> do_bind: v3 anonymous bind
> daemon: activity on 1 descriptor
> daemon: activity on: 8r
> daemon: read activity on 8
> connection_get(8)
> connection_get(8): got connid=0
> connection_read(8): checking for input on id=0
> ber_get_next
> ldap_read: want=8, got=8
> 0000: 30 39 02 01 02 63 34 04 09...c4.
> ldap_read: want=51, got=51
> 0000: 12 64 63 3d 73 74 61 6e 66 6f 72 64 2c 64 63 3d .dc=stanford,dc=
> 0010: 65 64 75 0a 01 02 0a 01 00 02 01 00 02 01 00 01 edu.............
> 0020: 01 00 a3 0d 04 03 75 69 64 04 06 71 75 61 6e 61 ......uid..quana
> 0030: 68 30 00 h0.
> ber_get_next: tag 0x30 len 57 contents:
> ber_dump: buf=0x08195738 ptr=0x08195738 end=0x08195771 len=57
> 0000: 02 01 02 63 34 04 12 64 63 3d 73 74 61 6e 66 6f ...c4..dc=stanfo
> 0010: 72 64 2c 64 63 3d 65 64 75 0a 01 02 0a 01 00 02 rd,dc=edu.......
> 0020: 01 00 02 01 00 01 01 00 a3 0d 04 03 75 69 64 04 ............uid.
> 0030: 06 71 75 61 6e 61 68 30 00 .quanah0.
> ber_get_next
> ldap_read: want=8 error=Resource temporarily unavailable
> ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> do_search
> ber_scanf fmt ({miiiib) ber:
> ber_dump: buf=0x08195738 ptr=0x0819573b end=0x08195771 len=54
> 0000: 63 34 04 12 64 63 3d 73 74 61 6e 66 6f 72 64 2c c4..dc=stanford,
> 0010: 64 63 3d 65 64 75 0a 01 02 0a 01 00 02 01 00 02 dc=edu..........
> 0020: 01 00 01 01 00 a3 0d 04 03 75 69 64 04 06 71 75 .........uid..qu
> 0030: 61 6e 61 68 30 00 anah0.
>>>> dnPrettyNormal: <dc=stanford,dc=edu>
> => ldap_bv2dn(dc=stanford,dc=edu,0)
> <= ldap_bv2dn(dc=stanford,dc=edu)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(dc=stanford,dc=edu)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(dc=stanford,dc=edu)=0
> <<< dnPrettyNormal: <dc=stanford,dc=edu>, <dc=stanford,dc=edu>
> SRCH "dc=stanford,dc=edu" 2 0 0 0 0
> begin get_filter
> EQUALITY
> ber_scanf fmt ({mm}) ber:
> ber_dump: buf=0x08195738 ptr=0x08195760 end=0x08195771 len=17
> 0000: a3 0d 04 03 75 69 64 04 06 71 75 61 6e 61 68 30 ....uid..quanah0
> 0010: 00 .
> end get_filter 0
> filter: (uid=quanah)
> ber_scanf fmt ({M}}) ber:
> ber_dump: buf=0x08195738 ptr=0x0819576f end=0x08195771 len=2
> 0000: 00 00 ..
> attrs:
> conn=0 op=1 SRCH base="dc=stanford,dc=edu" scope=2 deref=0
> filter="(uid=quanah)"
> ==> limits_get: conn=0 op=1 dn="[anonymous]"
> ldap_create
> ldap_url_parse_ext(ldap://ldap-test1.stanford.edu)
> =>ldap_back_getconn: conn 0x81a17c0 inserted refcnt=1 binding=1
> send_ldap_result: conn=0 op=1 p=3
> send_ldap_result: err=7 matched="" text=""
^^^ This is where the problem occurs; you seem to be using old code,
since that log message in ldap_back_getconn() changed between 2.3.32 and
2.3.33. I'd recommend you use 2.3.34 anyway, although I'm not sure it's
going to fix your problem.
The issue seems to occur between ldap_back_getconn() and the
ldap_sasl_interactive_bind_s() that occurs during the proxy authz bind.
Unfortunately, there seems to be very little trace level debug in
between, so a gdb session might be required...
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
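Added example, not part of either message in this thread: a back-ldap database stanza showing the quoted idassert-bind directive with the "mode" parameter the reply asks about. The mode keywords (legacy, anonymous, none, self) are the ones slapd-ldap(5) documents; the suffix, URI and identities are taken from the quoted log and configuration, and the idassert-authzFrom subtree is an assumed value chosen for illustration.

```conf
# back-ldap proxy database (added example; values quoted from the thread
# except where marked as assumed)
database        ldap
suffix          "dc=stanford,dc=edu"
uri             "ldap://ldap-test1.stanford.edu"

# Identity the proxy uses towards the remote server, as in the quoted
# configuration, plus an explicit mode so the proxy's behaviour is defined.
idassert-bind   bindmethod=sasl
                saslmech=gssapi
                realm=stanford.edu
                authcID=service/mailrouter@stanford.edu
                authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu
                mode=none

# How the modes map onto the three alternatives raised in the reply:
#   mode=none      keep the cn=mailrouter identity for every proxied
#                  operation; nothing about the incoming client is asserted
#   mode=self      proxy-authorize as the identity of the client that bound
#                  to the proxy (the "as the incoming request" case)
#   mode=anonymous always assert an anonymous identity
#   mode=legacy    the default: authzID is asserted for authenticated
#                  clients, anonymous clients are proxied anonymously

# Restrict which local identities the proxy is willing to assert to the
# remote server; clients outside this set are refused rather than proxied
# under the service identity (subtree below is an assumed example).
idassert-authzFrom "dn.subtree:cn=applications,dc=stanford,dc=edu"
```

With mode=none the remote server only ever sees cn=mailrouter, so its ACLs must be written for that single identity; with mode=self the remote server must additionally allow cn=mailrouter to proxy-authorize as the asserted client DNs (authzTo/authzFrom on the remote side), otherwise the proxied bind fails the way the quoted trace does.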