
Re: Useless ldapwhoami behavior?



On Monday, 14 December 2009 02:04:23 Jaap Winius wrote:
> Hi all,
> 
> The utility of the "ldapwhoami" tool is a mystery to me. As opposed to
> the usual Unix "whoami" command, which prints the effective userid,
> "ldapwhoami" doesn't seem to print the matching LDAP DN... at least
> not for me.
> 
> My test setup includes an OpenLDAP server and a separate client. The
> server's slapd.conf includes these ACLs:
> 
>     access to attrs=userPassword,shadowLastChange
>             by dn="cn=admin,dc=umrk,dc=nl" write
>             by anonymous auth
>             by self write
>             by * none
> 
>     access to dn.base=""
>             by * read
> 
>     access to *
>             by dn="cn=admin,dc=umrk,dc=nl" write
>             by * read
> 
> My LDAP DIT includes an account for a normal user with a password.
> Without any problem I can use this to login to the client host, but
> when I want to test, or verify, the account's LDAP DN, all I get is
> this:
> 
>     ~$ ldapwhoami -x
>     anonymous
>     ~$ _

Well, you are doing an anonymous simple bind here, so the result is expected,
and may have ended up showing you that something you had incorrectly assumed
would magically do something, does not.

> Even stranger, if I supply the account's DN and password (although
> this would seem a useless thing to do, since it's the very same info
> I'm asking for),

Well, you may just want to test that authentication *is* working the way you 
intended, without doing a search.

> I get this error:
> 
>     ~$ ldapwhoami -x -D "cn=testuser,dc=umrk,dc=nl" -w testpass
>     ldap_bind: Invalid credentials (49)
>     ~$ _

So, now you know your DN or password is wrong, or your ACLs don't allow simple
authentication. Which should make you wonder how your "login" is working. It
may not be the way you think it is working ...

> On the other hand, this does work if I supply the admin DN and password:
> 
>     ~$ ldapwhoami -x -D "cn=admin,dc=umrk,dc=nl" -w adminpass
>     dn:cn=admin,dc=umrk,dc=nl
>     ~$ _
> 
> The "ldapsearch" command is the same: I can get a response when
> binding anonymously ("-x"), as well as when binding as the admin user,
> but not when I use a normal user account, which results in the same
> error 49 as above.
> 
> This behavior seems rather useless to me. Surely I've made a mistake
> somewhere. Can anyone say what it might be?


Well, in the case of an environment with only simple binds, the only utility
of ldapwhoami is to test authentication (and account policy status with the -E
ppolicy option).

However, in environments where other types of binds are available (e.g., SASL
GSSAPI, SASL EXTERNAL), you may want to be able to test that you get the DN
you should (from your Kerberos ticket, SSL certificate, user/group). In the
case where OpenLDAP is the server, this may help when testing sasl-regexps.

E.g.:

# ldapwhoami
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:uid=account admin,ou=system accounts,dc=ranger,dc=dnsalias,dc=com


[bgmilne@tiger ~]$ ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: bgmilne@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com


Regards,
Buchan
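As an added example (not from the thread or from OpenLDAP itself), a small Python checker that parses captured ldapwhoami output like the runs above and reports whether the bind ended up anonymous (as in the "-x" case), whether the DN the server mapped the identity to is the one expected from the sasl-regexp, and whether the SASL SSF meets a required minimum. The sample transcripts are constructed from the runs quoted above; the expected DNs and the SSF threshold are assumptions for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples modelled on the runs quoted above (stdout and stderr captured together).
SAMPLE_ANON = "anonymous\n"
SAMPLE_EXTERNAL = (
    "SASL/EXTERNAL authentication started\n"
    "SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\n"
    "SASL SSF: 0\n"
    "dn:uid=account admin,ou=system accounts,dc=ranger,dc=dnsalias,dc=com\n"
)
SAMPLE_GSSAPI = (
    "SASL/GSSAPI authentication started\n"
    "SASL username: bgmilne@RANGER.DNSALIAS.COM\n"
    "SASL SSF: 56\n"
    "dn:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com\n"
)
@dataclass
class WhoAmI:
    mech: Optional[str] = None       # SASL mechanism; None for a simple bind
    sasl_user: Optional[str] = None  # authentication id before sasl-regexp mapping
    ssf: Optional[int] = None        # SASL security strength factor (0 = no protection)
    authzid: str = ""                # "anonymous", "dn:<DN>" or "u:<id>" as printed
def parse_whoami(output: str) -> WhoAmI:
    res = WhoAmI()
    for line in output.splitlines():
        if m := re.match(r"SASL/(\S+) authentication started", line):
            res.mech = m.group(1)
        elif m := re.match(r"SASL username: (.*)", line):
            res.sasl_user = m.group(1)
        elif m := re.match(r"SASL SSF: (\d+)", line):
            res.ssf = int(m.group(1))
        elif line == "anonymous" or line.startswith(("dn:", "u:")):
            res.authzid = line
    return res
def norm_dn(dn: str) -> str:
    return ",".join(p.strip() for p in dn.split(",")).lower()  # case/space-insensitive
def check_identity(output: str, expected_dn: str, min_ssf: int = 0) -> List[str]:
    """Return the problems found; an empty list means the bind did what was intended."""
    who, problems = parse_whoami(output), []
    if who.authzid in ("", "anonymous"):
        return ["bound anonymously: no credentials were sent or accepted"]
    if not who.authzid.startswith("dn:"):
        problems.append(f"non-DN authzId returned: {who.authzid}")
    elif norm_dn(who.authzid[3:]) != norm_dn(expected_dn):
        problems.append(f"bound as {who.authzid[3:]!r} (SASL id {who.sasl_user!r}), expected {expected_dn!r}")
    if who.mech and who.ssf is not None and who.ssf < min_ssf:
        problems.append(f"SASL/{who.mech} SSF {who.ssf} is below the required {min_ssf}")
    return problems
```

Feed it the output of `ldapwhoami ... 2>&1` for each bind type you rely on; SASL/EXTERNAL over a local ldapi:// socket legitimately reports SSF 0 (protection comes from the socket, not SASL), so pass min_ssf=0 there and a real threshold for network mechanisms like GSSAPI.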