https://bugs.openldap.org/show_bug.cgi?id=9205
Bug ID: 9205
Summary: Openldap 2.4.49 with overlays syncrepl+ppolicy+chain+ldap
Product: OpenLDAP
Version: 2.4.49
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: frederic.poisson@admin.gmessaging.net
Target Milestone: ---
Created attachment 700 --> https://bugs.openldap.org/attachment.cgi?id=700&action=edit test script copied from test022-ppolicy and modified to show the trouble
Hello, I'm doing an OpenLDAP test with a master/slave replication configuration including the ppolicy overlay. I would like to enable password change from the slave replica with the chain overlay, in order to validate the ppolicy olcPPolicyForwardUpdates attribute set to TRUE. I'm using LDAPS from slave to master with SASL EXTERNAL authentication with a client certificate. The client certificate corresponds to a user DN entry with "manage" rights on the master server (the same one used for the replication). This user DN has an authzTo attribute in order to match the correct PROXYAUTHZ request from its DN to the user DN.
All of this configuration works on the replica when I first do a failed authentication (err=49) on the replica. The pwdFailureTime value is updated on the DN entry from replica to slave normally. Afterwards I'm also able to do some self entry updates on some attributes such as password or others from replica to master.
But the weird behavior is that I need to run a failed authentication first; otherwise, if I try to change an attribute on the slave server, it responds with err=80 "Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?". The only way to get the correct behavior back is to restart slapd and redo one failed authentication first. It seems that the chain overlay does not connect to the master server at startup.
I've made a modification of the test script test022-ppolicy into test022-policy-chain, which uses the same LDIF source and shows the problem of a modification on the consumer not being "relayed" to the supplier if a failed operation is not done first.
Regards
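As an added example (not the reporter's attached test script and not OpenLDAP's own test data), here is the cn=config layout the report describes: a consumer that refers writes to the supplier, ppolicy forwarding enabled, and a chain overlay that follows those referrals over LDAPS with SASL EXTERNAL and mode=self identity assertion, plus the supplier side granting that identity proxy authorization over the user subtree only. The hostname supplier.example.com, the DNs, the certificate paths, the {1}mdb/{0}ppolicy/{0}chain indices, the ou=People user subtree, and the assumption that the certificate subject DN equals the consumer's entry DN (so no olcAuthzRegexp mapping is needed) are all assumptions for illustration, not values taken from the report.

```ldif
## Consumer (replica) side. Database index {1}mdb is assumed.
## A write against the consumer is refused locally and a referral to the
## supplier is returned; the chain overlay below follows that referral.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcUpdateRef
olcUpdateRef: ldaps://supplier.example.com

## ppolicy on the consumer: forward Bind-driven state changes
## (pwdFailureTime, lockout) to the supplier instead of writing them locally.
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcPPolicyForwardUpdates
olcPPolicyForwardUpdates: TRUE

## chain overlay on the frontend; olcChainReturnError makes the client see
## the supplier's result code rather than a bare referral.
dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: chain
olcChainReturnError: TRUE

## back-ldap instance the chain overlay uses to reach the supplier.
## The index {0} assumes chain is the only overlay on the frontend.
## SASL EXTERNAL with the consumer's client certificate (paths assumed);
## mode=self makes the supplier run the chained write as the user who
## sent it, carried in the proxyAuthz control.
## Continuation lines need two leading spaces so a separating space survives.
dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: "ldaps://supplier.example.com"
olcDbIDAssertBind: bindmethod=sasl saslmech=EXTERNAL mode=self
  tls_cert=/etc/ldap/consumer.crt
  tls_key=/etc/ldap/consumer.key
  tls_cacert=/etc/ldap/ca.crt
## only identities under the user subtree may be asserted towards the supplier
olcDbIDAssertAuthzFrom: "dn.subtree:ou=people,dc=example,dc=com"

## Supplier (master) side. Entries may declare whom they are allowed to act
## for, and the consumer's certificate identity (entry DN assumed equal to the
## certificate subject) is limited to ordinary user entries. The regex is
## matched against the normalized DN, hence lowercase.
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to

dn: cn=consumer,ou=services,dc=example,dc=com
changetype: modify
replace: authzTo
authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
```

Apply the consumer part with ldapmodify against the consumer's cn=config and the supplier part against the supplier's; the olcOverlay=chain entry must exist before its olcDatabase=ldap child, and the child DN names the index slapd assigned to the overlay. The authzTo value is the security boundary of this setup: it is what stops the consumer's certificate from being used to act as an arbitrary DN on the supplier, so keep it to the subtree whose self-service writes you intend to chain rather than using "*" or a subtree that covers administrative entries. The supplier's own ACLs still decide what the asserted user may change; mode=self only changes who the write runs as.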
--- Comment #1 from Ondřej Kuzník ondra@mistotebe.net --- On Tue, Apr 07, 2020 at 07:26:50AM +0000, openldap-its@openldap.org wrote:
> Hello, I'm doing a OpenLDAP test with a master/slave replication configuration including ppolicy overlay. I would like to enable password change from the slave replica with chain overlay, in order to validate the ppolicy olcPPolicyForwardUpdates attribute to TRUE. I'm using LDAPS from slave to master with SASL External authentication with client certificate. The client certificate correspond to a user DN entry with "manage" rights on the master server (the same used for the replication). This user DN has authzTo attribute in order to match the correct PROXYAUTHZ request from its dn to user DN. [...] I've done a modification of test script test022-ppolicy to test022-policy-chain which use the same LDIF source and show the problem of modification on the consumer not "relayed" to the supplier if a fail operation is not done before.
Hi Frédéric, in your view, is this the same issue as ITS#9179? Does adding a fake binddn into the chain configuration help?
--- Comment #2 from Frédéric Poisson frederic.poisson@admin.gmessaging.net --- Hello,
I'm not expert enough to say if this is the same issue, but it sure seems quite similar to my first description.
But when I started to write the test script I did it more simply, without SASL authentication, with a simple bind, as is done inside test022-ppolicy:
olcDbIDAssertBind: bindmethod=simple binddn="cn=manager,dc=example,dc=com" credentials=secret mode=self
But you're right that doing a fake binddn to the consumer first helps. That's what my test script does: a first test with a fake binddn, which works, and a second test after a restart of the consumer with a modification on it without a fake binddn first.
Regards,
Frédéric Poisson frederic.poisson@admin.gmessaging.net changed:
What     |Removed |Added
---------+--------+-------
Hardware |All     |x86_64
OS       |All     |Linux
Quanah Gibson-Mount quanah@openldap.org changed:
What     |Removed |Added
---------+--------+-----------------------------------------------
See Also |        |https://bugs.openldap.org/show_bug.cgi?id=9179
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed |Added
-----------------+--------+-----------
Target Milestone |---     |2.5.0
Keywords         |        |OL_2_5_REQ
Quanah Gibson-Mount quanah@openldap.org changed:
What     |Removed |Added
---------+--------+------------
Keywords |        |replication
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed |Added
-----------------+--------+------
Target Milestone |2.5.0   |2.5.1
Quanah Gibson-Mount quanah@openldap.org changed:
What     |Removed           |Added
---------+------------------+--------------------
Assignee |bugs@openldap.org |ondra@mistotebe.net
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org --- Ondrej to confirm if this still occurs after the fix for ITS#9400
Quanah Gibson-Mount quanah@openldap.org changed:
What     |Removed |Added
---------+--------+---------
Keywords |        |reviewed
--- Comment #4 from Ondřej Kuzník ondra@mistotebe.net --- Your script restarts slapd which is not using a persistent cn=config. When I fix that, things start to work again. Assuming this is a duplicate of ITS#9179 for now.
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed                           |Added
-----------------+----------------------------------+----------
Status           |UNCONFIRMED                       |RESOLVED
Resolution       |---                               |DUPLICATE
Keywords         |OL_2_5_REQ, replication, reviewed |
Target Milestone |2.5.1                             |---
--- Comment #5 from Quanah Gibson-Mount quanah@openldap.org ---
*** This issue has been marked as a duplicate of issue 9179 ***
Quanah Gibson-Mount quanah@openldap.org changed:
What   |Removed  |Added
-------+---------+---------
Status |RESOLVED |VERIFIED