
Re: Using back-ldap as a dumb proxy



Quanah Gibson-Mount wrote:

> Sure.  Which configuration do you want me to try it with? ;)  Here is
> -d -1 with this config:
> 
> idassert-bind   bindmethod=sasl
>                 saslmech=gssapi
>                 realm=stanford.edu
>                 authcID=service/mailrouter@stanford.edu
>                 authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu

First of all, what's missing here is the "mode" parameter; what do you
want the proxy to do?  Bind as "service/mailrouter@stanford.edu", SASL
authorize as
"dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" and
then?  Proxy authorize as the incoming request?  Just keep the
"cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" identity?

> 
> daemon: activity on 1 descriptor
> >>> slap_listener(ldap:///)
> daemon: listen=7, new connection on 8
> ldap_pvt_gethostbyname_a: host=smtp-dev.stanford.edu, r=0
> daemon: added 8r (active) listener=(nil)
> conn=0 fd=8 ACCEPT from IP=127.0.0.1:43402 (IP=0.0.0.0:389)
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptor
> daemon: activity on: 8r
> daemon: read activity on 8
> connection_get(8)
> connection_get(8): got connid=0
> connection_read(8): checking for input on id=0
> ber_get_next
> ldap_read: want=8, got=8
>  0000:  30 0c 02 01 01 60 07 02                            0....`..
> ldap_read: want=6, got=6
>  0000:  01 03 04 00 80 00                                  ......
> ber_get_next: tag 0x30 len 12 contents:
> ber_dump: buf=0x08193c48 ptr=0x08193c48 end=0x08193c54 len=12
>  0000:  02 01 01 60 07 02 01 03  04 00 80 00               ...`........
> ber_get_next
> ldap_read: want=8 error=Resource temporarily unavailable
> ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> do_bind
> ber_scanf fmt ({imt) ber:
> ber_dump: buf=0x08193c48 ptr=0x08193c4b end=0x08193c54 len=9
>  0000:  60 07 02 01 03 04 00 80  00                        `........
> ber_scanf fmt (m}) ber:
> ber_dump: buf=0x08193c48 ptr=0x08193c52 end=0x08193c54 len=2
>  0000:  00 00                                              ..
> >>> dnPrettyNormal: <>
> <<< dnPrettyNormal: <>, <>
> do_bind: version=3 dn="" method=128
> conn=0 op=0 BIND dn="" method=128
> send_ldap_result: conn=0 op=0 p=3
> send_ldap_result: err=0 matched="" text=""
> send_ldap_response: msgid=1 tag=97 err=0
> ber_flush: 14 bytes to sd 8
>  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
> ldap_write: want=14, written=14
>  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
> conn=0 op=0 RESULT tag=97 err=0 text=
> do_bind: v3 anonymous bind
> daemon: activity on 1 descriptor
> daemon: activity on: 8r
> daemon: read activity on 8
> connection_get(8)
> connection_get(8): got connid=0
> connection_read(8): checking for input on id=0
> ber_get_next
> ldap_read: want=8, got=8
>  0000:  30 39 02 01 02 63 34 04                            09...c4.
> ldap_read: want=51, got=51
>  0000:  12 64 63 3d 73 74 61 6e  66 6f 72 64 2c 64 63 3d   .dc=stanford,dc=
>  0010:  65 64 75 0a 01 02 0a 01  00 02 01 00 02 01 00 01   edu.............
>  0020:  01 00 a3 0d 04 03 75 69  64 04 06 71 75 61 6e 61   ......uid..quana
>  0030:  68 30 00                                           h0.
> ber_get_next: tag 0x30 len 57 contents:
> ber_dump: buf=0x08195738 ptr=0x08195738 end=0x08195771 len=57
>  0000:  02 01 02 63 34 04 12 64  63 3d 73 74 61 6e 66 6f   ...c4..dc=stanfo
>  0010:  72 64 2c 64 63 3d 65 64  75 0a 01 02 0a 01 00 02   rd,dc=edu.......
>  0020:  01 00 02 01 00 01 01 00  a3 0d 04 03 75 69 64 04   ............uid.
>  0030:  06 71 75 61 6e 61 68 30  00                        .quanah0.
> ber_get_next
> ldap_read: want=8 error=Resource temporarily unavailable
> ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> do_search
> ber_scanf fmt ({miiiib) ber:
> ber_dump: buf=0x08195738 ptr=0x0819573b end=0x08195771 len=54
>  0000:  63 34 04 12 64 63 3d 73  74 61 6e 66 6f 72 64 2c   c4..dc=stanford,
>  0010:  64 63 3d 65 64 75 0a 01  02 0a 01 00 02 01 00 02   dc=edu..........
>  0020:  01 00 01 01 00 a3 0d 04  03 75 69 64 04 06 71 75   .........uid..qu
>  0030:  61 6e 61 68 30 00                                  anah0.
> >>> dnPrettyNormal: <dc=stanford,dc=edu>
> => ldap_bv2dn(dc=stanford,dc=edu,0)
> <= ldap_bv2dn(dc=stanford,dc=edu)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(dc=stanford,dc=edu)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(dc=stanford,dc=edu)=0
> <<< dnPrettyNormal: <dc=stanford,dc=edu>, <dc=stanford,dc=edu>
> SRCH "dc=stanford,dc=edu" 2 0    0 0 0
> begin get_filter
> EQUALITY
> ber_scanf fmt ({mm}) ber:
> ber_dump: buf=0x08195738 ptr=0x08195760 end=0x08195771 len=17
>  0000:  a3 0d 04 03 75 69 64 04  06 71 75 61 6e 61 68 30   ....uid..quanah0
>  0010:  00                                                 .
> end get_filter 0
>    filter: (uid=quanah)
> ber_scanf fmt ({M}}) ber:
> ber_dump: buf=0x08195738 ptr=0x0819576f end=0x08195771 len=2
>  0000:  00 00                                              ..
>    attrs:
> conn=0 op=1 SRCH base="dc=stanford,dc=edu" scope=2 deref=0 filter="(uid=quanah)"
> ==> limits_get: conn=0 op=1 dn="[anonymous]"
> ldap_create
> ldap_url_parse_ext(ldap://ldap-test1.stanford.edu)
> =>ldap_back_getconn: conn 0x81a17c0 inserted refcnt=1 binding=1
> send_ldap_result: conn=0 op=1 p=3
> send_ldap_result: err=7 matched="" text=""

^^^ This is where the problem occurs; you seem to be using old code,
since that log message in ldap_back_getconn() changed between 2.3.32 and
2.3.33.  I'd recommend you use 2.3.34 anyway, although I'm not sure it's
going to fix your problem.

The issue seems to occur between ldap_back_getconn() and the
ldap_sasl_interactive_bind_s() that occurs during the proxy authz bind.
Unfortunately, there seems to be very little trace level debug in
between, so a gdb session might be required...

p.




Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
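
The three intents Pierangelo lists above ("keep the cn=mailrouter identity", "SASL authorize as the fixed DN", "proxy authorize as the incoming request") correspond to the idassert-bind mode= values documented in slapd-ldap(5). The fragment below is an added illustration and not a configuration from this thread; the URI, suffix and identities are copied from the quoted config, and whether the exact 2.3.x release in use accepts each keyword (mode=, authz=native, idassert-authzFrom) must be checked against that release's own man page.

```conf
# Added example (not from the thread): back-ldap proxy for dc=stanford,dc=edu
database        ldap
suffix          "dc=stanford,dc=edu"
uri             "ldap://ldap-test1.stanford.edu"

# 1) "Dumb" proxy: bind once as the mailrouter service principal and send
#    every client operation under that identity.  mode=none means no
#    proxyAuthz control is added, so the remote server sees only the
#    authcID identity.
idassert-bind   bindmethod=sasl
                saslmech=gssapi
                realm=stanford.edu
                authcID=service/mailrouter@stanford.edu
                mode=none

# 2) Same fixed identity, but mapped to the mailrouter DN by the remote
#    server's SASL authz at bind time (authz=native) instead of per
#    operation.  With authzID set and no mode=, the proxy always
#    authorizes that one identity.
#idassert-bind  bindmethod=sasl
#               saslmech=gssapi
#               realm=stanford.edu
#               authcID=service/mailrouter@stanford.edu
#               authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu
#               authz=native

# 3) Assert each client's own identity on the remote server through the
#    proxyAuthz control (RFC 4370).  The service identity then needs
#    authzTo rights on the remote server, and only clients matching
#    idassert-authzFrom are forwarded; anonymous clients get the
#    anonymous identity asserted.
#idassert-bind  bindmethod=sasl
#               saslmech=gssapi
#               realm=stanford.edu
#               authcID=service/mailrouter@stanford.edu
#               mode=self
#idassert-authzFrom "dn.subtree:dc=stanford,dc=edu"
```

Note that with the default (legacy) mode the proxy asserts the client's identity only for non-anonymous clients, so an anonymous client such as the one in the quoted trace and a bound client are handled differently; picking mode= explicitly removes that ambiguity.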