HI!
As said I'd like to intercept password changes (clear-text password) via back-sock used
as overlay. Especially the client (Mac OS X) sends a Password Modify ext. op.
Unfortunately back-sock does not send the PASSMOD itself to the external listener (which
could parse the ASN.1) and therefore I have to look at the MODIFY messages.
I'm using my package: https://pypi.python.org/pypi/slapdsock
Problem:
Everything works as expected with this configuration when rootdn is used with ldappasswd
but not as normal user.
Excerpt of slapd.conf:
database mdb
suffix "ou=realdb,dc=example,dc=org"
rootdn "cn=root,ou=realdb,dc=example,dc=org"
[..]
overlay sock
extensions binddn peername ssf connid
socketpath sockoverlay-listener
sockops modify
Command:
ldappasswd -H ldapi:// -s test uid=test1,ou=realdb,dc=example,dc=org
slapd's log (LDAPI and SASL/EXTERNAL maps local user to rootdn):
58d03e84 conn=1000 fd=15 ACCEPT from
PATH=/home/michael/Proj/slapd_sockd/examples/openldap/ldapi
(PATH=/home/michael/Proj/slapd_sockd/examples/openldap/ldapi)
58d03e84 conn=1000 op=0 BIND dn="" method=163
58d03e84 conn=1000 op=0 BIND
authcid="gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth"
authzid="gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth"
58d03e84 conn=1000 op=0 BIND dn="cn=root,ou=realdb,dc=example,dc=org" mech=EXTERNAL
sasl_ssf=0 ssf=71
58d03e84 conn=1000 op=0 RESULT tag=97 err=0 text=
58d03e84 conn=1000 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
58d03e84 conn=1000 op=1 PASSMOD id="uid=test1,ou=realdb,dc=example,dc=org" new
58d03e84 sock search reading line (CONTINUE
)
58d03e84 conn=1000 op=1 RESULT oid= err=0 text=
58d03e84 conn=1000 op=2 UNBIND
58d03e84 conn=1000 fd=15 closed
The log of my external listener:
2017-03-20 21:41:40,620 DEBUG 140544537579816 ----- incoming request via
'openldap/sockoverlay-listener' from pid=28285 uid=1000 gid=100 -----
2017-03-20 21:41:40,620 DEBUG 140544537579816 request_data='MODIFY\nmsgid: 2\nbinddn:
cn=root,ou=realdb,dc=example,dc=org\npeername:
PATH=/home/michael/Proj/slapd_sockd/examples/openldap/ldapi\nssf: 71\nconnid:
1000\nsuffix: ou=realdb,dc=example,dc=org\ndn:
uid=test1,ou=realdb,dc=example,dc=org\nreplace: userPassword\nuserPassword:: dGVzdA==\n-\n\n'
2017-03-20 21:41:40,620 DEBUG 140544537579816 reqtype='MODIFY'
2017-03-20 21:41:40,620 DEBUG 140544537579816 sock_req=<slapdsock.message.MODIFYRequest
object at 0x7fd3133f10d0> // {'dn': 'uid=test1,ou=realdb,dc=example,dc=org', 'binddn':
u'cn=root,ou=realdb,dc=example,dc=org', 'connid': 1000, 'suffix':
u'ou=realdb,dc=example,dc=org', '_linecount': 7, 'msgid': 2, '_req_lines': ['MODIFY',
'msgid: 2', 'binddn: cn=root,ou=realdb,dc=example,dc=org', 'peername:
PATH=/home/michael/Proj/slapd_sockd/examples/openldap/ldapi', 'ssf: 71', 'connid: 1000',
'suffix: ou=realdb,dc=example,dc=org', 'dn: uid=test1,ou=realdb,dc=example,dc=org',
'changetype: modify', 'replace: userPassword', 'userPassword:: dGVzdA==', '-', '', ''],
'peername': u'PATH=/home/michael/Proj/slapd_sockd/examples/openldap/ldapi', 'modops':
[(2, 'userPassword', ['test'])], 'reqtype': 'MODIFY', 'ssf': 71}
2017-03-20 21:41:40,620 DEBUG 140544537579816 connid=1000 msgid=2 Request not cached:
cache_key=None
2017-03-20 21:41:40,620 DEBUG 140544537579816 connid=1000 msgid=2 response_str='CONTINUE\n'
2017-03-20 21:41:40,620 DEBUG 140544537579816 connid=1000 msgid=2 response_delay=0.001
So far so good.
But with this command (own password change) there's no MODIFY sent to the external
listener at all:
$ ldappasswd -H
ldapi://%2Fhome%2Fmichael%2FProj%2Fslapd_sockd%2Fexamples%2Fopenldap%2Fldapi -D
"uid=test1,ou=realdb,dc=example,dc=org" -w test -s test23
uid=test1,ou=realdb,dc=example,dc=org
ldap_parse_extended_result: Bad parameter to an ldap routine (-9)
slapd's log:
58d03f05 conn=1003 fd=15 ACCEPT from
PATH=/home/michael/Proj/slapd_sockd/examples/openldap/ldapi
(PATH=/home/michael/Proj/slapd_sockd/examples/openldap/ldapi)
58d03f05 conn=1003 op=0 BIND dn="uid=test1,ou=realdb,dc=example,dc=org" method=128
58d03f05 conn=1003 op=0 BIND dn="uid=test1,ou=realdb,dc=example,dc=org" mech=SIMPLE ssf=0
58d03f05 conn=1003 op=0 RESULT tag=97 err=0 text=
58d03f05 conn=1003 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
58d03f05 conn=1003 op=1 PASSMOD id="uid=test1,ou=realdb,dc=example,dc=org" new
58d03f05 conn=1003 op=1 RESULT tag=103 err=50 text=
58d03f05 conn=1003 op=1 RESULT oid= err=50 text=
58d03f05 conn=1003 op=2 UNBIND
58d03f05 conn=1003 fd=15 closed
Any clue what's going on?
Ciao, Michael.
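As an added example (not from the post and not part of the slapdsock package), here is a small parser for the slapd-sock MODIFY request format that the listener log above shows, plus a reply builder in the sock overlay's RESULT/CONTINUE response format that a listener could use to enforce a minimum length on cleartext password changes. The sample request is constructed to match the logged request_data, and the function names and the length rule are my own assumptions.

```python
import base64
# Constructed sample shaped like the request_data in the post: back-sock header
# lines, then an LDIF change record (slapd base64-encodes userPassword as '::').
SAMPLE_REQUEST = (
    "MODIFY\nmsgid: 2\nbinddn: cn=root,ou=realdb,dc=example,dc=org\n"
    "peername: PATH=/home/michael/Proj/slapd_sockd/examples/openldap/ldapi\n"
    "ssf: 71\nconnid: 1000\nsuffix: ou=realdb,dc=example,dc=org\n"
    "dn: uid=test1,ou=realdb,dc=example,dc=org\nchangetype: modify\n"
    "replace: userPassword\nuserPassword:: dGVzdA==\n-\n\n"
)
INT_KEYS = ("msgid", "ssf", "connid")
MOD_OPS = {"add": 0, "delete": 1, "replace": 2}  # numeric codes as slapdsock reports them

def parse_sock_modify(text):
    """Parse one slapd-sock MODIFY request into a dict with a 'modops' list."""
    lines = text.split("\n")
    if lines[0] != "MODIFY":
        raise ValueError("not a MODIFY request: %r" % lines[0])
    req, modops, current = {"reqtype": "MODIFY"}, [], None
    for line in lines[1:]:
        if line == "":                 # blank line ends the request
            break
        if line == "-":                # '-' closes the current modification
            modops.append(current)
            current = None
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):      # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is not None:        # attribute value inside a modification
            current[2].append(value)
        elif key in MOD_OPS:           # 'add: attr' / 'delete: attr' / 'replace: attr'
            current = (MOD_OPS[key], value, [])
        elif key != "changetype":      # header line or the target dn
            req[key] = int(value) if key in INT_KEYS else value
    req["modops"] = modops
    return req

def password_change_response(req, min_length=8):
    """Reply for the sock overlay: reject short cleartext passwords, else CONTINUE."""
    for op, attr, values in req["modops"]:
        if attr.lower() != "userpassword" or op == MOD_OPS["delete"]:
            continue
        for pw in values:
            if not pw.startswith("{") and len(pw) < min_length:   # '{SCHEME}' values are pre-hashed
                return "RESULT\ncode: 19\nmatched: \ninfo: password too short\n\n"
    return "CONTINUE\n"
```

Code 19 is LDAP constraintViolation; a listener that only audits rather than enforces would log the dn, binddn and ssf from the parsed request and always return CONTINUE.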