Full_Name: Ubay Dorta
Version: 2.4.21
OS: Suse Linux Enterprise Server 10 SP2
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (161.72.9.46)
We have problems when we introduce a back-ldap proxy server between a delta-syncrepl server and a mirror configuration of two servers.
The modifications through the replica server (with chaining configuration) over the first mirror server are made without problems. The problem appears when we introduce a back-ldap proxy between replica and the two servers in mirror mode.
First Scenario:
---------------------
A delta syncrepl server replicating from the first server of a mirror.
IPs: delta syncrepl (192.168.1.5), mirror server 1 (192.168.1.10), mirror server 2 (192.168.1.20)
replica slapd.conf
#####################
# Chaining configuration #
#####################
overlay chain
chain-uri "ldap://mirror1:389"
chain-idassert-bind bindmethod="simple"
    binddn="cn=replicator,dc=example,dc=com"
    credentials="secret"
    mode="self"
chain-return-error TRUE

##########
# Replica #
##########
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Administrator,dc=example,dc=com"
rootpw "secret"
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
overlay ppolicy
ppolicy_default "cn=Default Password Policy,dc=example,dc=com"
ppolicy_forward_updates
ppolicy_hash_cleartext
overlay memberof

##################
# Syncrepl directives #
##################
syncrepl rid=001
    provider=ldap://mirror1:389
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    filter="(objectclass=*)"
    scope=sub
    attrs="*"
    schemachecking=on
    binddn="cn=replicator,dc=example,dc=com"
    bindmethod=simple
    credentials=secret
    sizelimit=unlimited
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    syncdata=accesslog

# Refer updates to the master
updateref ldap://mirror1:389
-------------------------

slapd.conf of mirror server #1
-------------------------------------------
# Global section
serverID 1
moduleload memberof
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword,userPKCS12 by self write by dn.base="cn=replicator,dc=example,dc=com" read by * auth
access to attrs=shadowLastChange by self write by * read
# Give the replica DN unlimited read access. This ACL needs to be
# merged with other ACL statements, and/or moved within the scope
# of a database. The "by * break" portion causes evaluation of
# subsequent rules. See slapd.access(5) for details.
access to * by dn.base="cn=replicator,dc=example,dc=com" read by * break
access to * by * read
# Load the accesslog overlay
moduleload accesslog.la

# Load the syncprov overlay
moduleload syncprov.la

# Accesslog database definitions
database bdb
monitoring off
suffix cn=accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart

overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

# Let the replica DN have limitless searches
limits dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

#######################################################################
# BDB database definitions
#######################################################################
database bdb
monitoring off
suffix "dc=example,dc=com"
rootdn "cn=Administrator,dc=example,dc=com"
rootpw "secret"
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
overlay ppolicy
ppolicy_default "cn=Default Password Policy,dc=example,dc=com"
ppolicy_hash_cleartext
overlay memberof

# Enable authz-policy
authz-policy to

index entryCSN eq
index entryUUID eq

# syncrepl Provider for primary db
overlay syncprov
syncprov-checkpoint 1000 60

# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00

# Let the replica DN have limitless searches
limits dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

####################################################
# MirrorMode - Syncrepl directive
syncrepl rid=001
    provider=ldap://mirror2:389
    bindmethod=simple
    binddn="cn=Administrator,dc=example,dc=com"
    credentials=secret
    searchbase="dc=example,dc=com"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
mirrormode on
---------------
On the mirror servers we have set the attribute authzTo for the replicator DN:
ldapsearch -x -b 'cn=replicator,dc=example,dc=com' -H ldap://mirror1:389 -D 'cn=Administrator,dc=example,dc=com' -w secret authzTo
# replicator, example.com
dn: cn=replicator,dc=example,dc=com
authzTo: ldap:///dc=example,dc=com??sub?(objectClass=person)

When we launch the following modification through the replica:

ldapmodify -x -H ldap://replica:389 -f pass1_user.ldif -D 'uid=user,ou=people,dc=example,dc=com' -W
Enter LDAP Password:
modifying entry "uid=user,ou=people,dc=example,dc=com"
In the mirror server we get:
ldap-mirror1[2649]: conn=1002 op=2 PROXYAUTHZ dn="uid=user,ou=people,dc=example,dc=com"
ldap-mirror1[2649]: conn=1002 op=2 MOD dn="uid=user,ou=people,dc=example,dc=com"
ldap-mirror1[2649]: conn=1002 op=2 MOD attr=userPassword
ldap-mirror1[2649]: conn=1002 op=2 RESULT tag=103 err=0 text=
Therefore modifying through the replica server is possible with the chaining configuration.
Second scenario
--------------------------
The problem appears when we introduce the back-ldap proxy server to set up the high availability feature that mirror mode provides.

IPs:
-----
192.168.1.5 -> delta syncrepl
192.168.1.10 -> Back-ldap proxy
192.168.1.20 -> Mirror mode server 1
192.168.1.30 -> Mirror mode server 2
back-ldap proxy slapd.conf:
database ldap
suffix "dc=example,dc=com"
uri "ldap://mirror1:389 ldap://mirror2:389"
rootdn "cn=Administrator,dc=example,dc=com"
overlay ppolicy
Launching the modification to the proxy, it works:
ldapmodify -x -H ldap://proxy:389 -f pass1_user.ldif -D 'uid=user,ou=people,dc=example,dc=com' -W
Enter LDAP Password:
modifying entry "uid=udg77530,ou=people,dc=example,dc=com"
The /var/log/messages of proxy and mirror shows the following:
ldap-proxy[4051]: conn=1000 fd=8 ACCEPT from IP=192.168.1.5:42921 (IP=192.168.1.10:389)
ldap-proxy[4051]: conn=1000 op=0 BIND dn="uid=user,ou=people,dc=example,dc=com" method=128
ldap-mirror1[3438]: conn=1015 fd=19 ACCEPT from IP=192.168.1.10:18103 (IP=192.168.1.20:1389)
ldap-mirror1[3438]: conn=1015 op=0 BIND dn="" method=128
ldap-mirror1[3438]: conn=1015 op=0 RESULT tag=97 err=0 text=
ldap-mirror1[3438]: conn=1015 op=1 SRCH base="uid=user,ou=people,dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)"
ldap-mirror1[3438]: conn=1015 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
ldap-mirror1[3438]: conn=1016 fd=20 ACCEPT from IP=192.168.1.10:18104 (IP=192.168.1.20:1389)
ldap-mirror1[3438]: conn=1016 op=0 BIND dn="uid=user,ou=people,dc=example,dc=com" method=128
ldap-mirror1[3438]: conn=1016 op=0 BIND dn="uid=user,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
ldap-mirror1[3438]: conn=1016 op=0 RESULT tag=97 err=0 text=
ldap-proxy[4051]: conn=1000 op=0 BIND dn="uid=user,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
ldap-mirror1[3438]: conn=1015 op=2 SRCH base="uid=user,ou=people,dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)"
ldap-mirror1[3438]: conn=1015 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
ldap-proxy[4051]: conn=1000 op=0 RESULT tag=97 err=0 text=
ldap-proxy[4051]: conn=1000 op=1 MOD dn="uid=user,ou=people,dc=example,dc=com"
ldap-proxy[4051]: conn=1000 op=1 MOD attr=userPassword
ldap-mirror1[3438]: conn=1015 op=3 SRCH base="uid=user,ou=people,dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)"
ldap-mirror1[3438]: conn=1015 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
ldap-mirror1[3438]: conn=1016 op=1 MOD dn="uid=user,ou=people,dc=example,dc=com"
ldap-mirror1[3438]: conn=1016 op=1 MOD attr=userPassword
ldap-mirror1[3438]: conn=1016 op=1 RESULT tag=103 err=0 text=
ldap-proxy[4051]: conn=1000 op=1 RESULT tag=103 err=0 text=
ldap-proxy[4051]: conn=1000 op=2 UNBIND
ldap-mirror1[3438]: conn=1016 op=2 UNBIND
ldap-mirror1[3438]: conn=1016 fd=20 closed
ldap-proxy[4051]: conn=1000 fd=8 closed
But when the modification is made through the replica server we get the error:
ldapmodify -x -H ldap://replica:389 -f pass1_user.ldif -D 'uid=user,ou=people,dc=example,dc=com' -W
Enter LDAP Password:
modifying entry "uid=user,ou=people,dc=rexample,dc=com"
ldap_modify: unknown result code (123)

ldap-proxy[3688]: daemon: activity on 1 descriptor
ldap-proxy[3688]: daemon: activity on:
ldap-proxy[3688]: 12r
ldap-proxy[3688]:
ldap-proxy[3688]: daemon: read active on 12
ldap-proxy[3688]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
ldap-proxy[3688]: connection_get(12)
ldap-proxy[3688]: connection_get(12): got connid=1001
ldap-proxy[3688]: connection_read(12): checking for input on id=1001
ldap-proxy[3688]: op tag 0x66, time 1271064513
ldap-proxy[3688]: conn=1001 op=2 do_modify
ldap-proxy[3688]: conn=1001 op=2 do_modify: dn (uid=user,ou=people,dc=example,dc=com)
ldap-proxy[3688]: => get_ctrls
ldap-proxy[3688]: => get_ctrls: oid="2.16.840.1.113730.3.4.18" (noncritical)
ldap-proxy[3688]: parseProxyAuthz: conn 1001 authzid="dn:uid=user,ou=people,dc=example,dc=com"
ldap-proxy[3688]: slap_sasl_getdn: conn 1001 id=dn:uid=user,ou=people,dc=example,dc=com [len=38]
ldap-proxy[3688]: >>> dnNormalize: <uid=user,ou=people,dc=example,dc=com>
ldap-proxy[3688]: <<< dnNormalize: <uid=user,ou=people,dc=example,dc=com>
ldap-proxy[3688]: ==>slap_sasl2dn: converting SASL name uid=user,ou=people,dc=example,dc=com to a DN
ldap-proxy[3688]: <==slap_sasl2dn: Converted SASL name to <nothing>
ldap-proxy[3688]: parseProxyAuthz: conn=1001 "uid=user,ou=people,dc=example,dc=com"
ldap-proxy[3688]: ==>slap_sasl_authorized: can cn=replicator,dc=example,dc=com become uid=user,ou=people,dc=example,dc=com?
ldap-proxy[3688]: <== slap_sasl_authorized: return 48
ldap-proxy[3688]: <= get_ctrls: n=1 rc=123 err="not authorized to assume identity"
ldap-proxy[3688]: send_ldap_result: conn=1001 op=2 p=3
ldap-proxy[3688]: send_ldap_result: err=123 matched="" text="not authorized to assume identity"
ldap-proxy[3688]: send_ldap_response: msgid=3 tag=103 err=123
ldap-proxy[3688]: conn=1001 op=2 RESULT tag=103 err=123 text=not authorized to assume identity
ldap-proxy[3688]: conn=1001 op=2 do_modify: get_ctrls failed
ldap-proxy[3688]: daemon: activity on 1 descriptor
ldap-proxy[3688]: daemon: activity on:
ldap-proxy[3688]:
ldap-proxy[3688]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
The file pass1_user.ldif has:
dn: uid=user,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: ####CRYPT PASSWORD####
Thanks
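As an added detection example (not part of this report and not OpenLDAP code), a small Python scanner over slapd log lines in the format quoted above: it records every operation that either carried a PROXYAUTHZ line or ended with result code 123 (authorizationDenied), and pairs each such result with the authc/authz identities from the preceding slap_sasl_authorized debug line on that host, so a proxy that refuses the chained identity assertion shows up as one named event. The sample lines are constructed from the report's own logs.

```python
import re
from collections import namedtuple

# Constructed sample lines, modelled on the slapd syslog output quoted in the report:
# a successful PROXYAUTHZ on mirror1, then the err=123 refusal on the back-ldap proxy.
SAMPLE_LOG = """\
ldap-mirror1[2649]: conn=1002 op=2 PROXYAUTHZ dn="uid=user,ou=people,dc=example,dc=com"
ldap-mirror1[2649]: conn=1002 op=2 MOD dn="uid=user,ou=people,dc=example,dc=com"
ldap-mirror1[2649]: conn=1002 op=2 RESULT tag=103 err=0 text=
ldap-proxy[3688]: ==>slap_sasl_authorized: can cn=replicator,dc=example,dc=com become uid=user,ou=people,dc=example,dc=com?
ldap-proxy[3688]: conn=1001 op=2 RESULT tag=103 err=123 text=not authorized to assume identity
"""

LINE_RE = re.compile(r"^(?P<host>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
OP_RE = re.compile(r"^conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>PROXYAUTHZ|RESULT)\b(?P<rest>.*)$")
RESULT_RE = re.compile(r"err=(?P<err>\d+) text=(?P<text>.*)$")
AUTHZ_RE = re.compile(r"slap_sasl_authorized: can (?P<authc>.+?) become (?P<authz>.+?)\?$")

# authc = identity that asked to assume another; authz = the identity it asked to become
ProxyAuthzEvent = namedtuple("ProxyAuthzEvent", "host conn op err text authc authz")

def scan(lines):
    """One event per op carrying a proxyAuthz decision. err=123 means slapd refused
    the control; authc/authz come from the last debug line seen on the same host."""
    pending_pair = {}    # host -> (authc, authz) from the most recent debug line
    proxied_ops = set()  # (host, conn, op) that logged a PROXYAUTHZ line
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host, msg = m.group("host"), m.group("msg")
        a = AUTHZ_RE.search(msg)
        if a:
            pending_pair[host] = (a.group("authc"), a.group("authz"))
            continue
        o = OP_RE.match(msg)
        if not o:
            continue
        key = (host, int(o.group("conn")), int(o.group("op")))
        if o.group("kind") == "PROXYAUTHZ":
            proxied_ops.add(key)
            continue
        r = RESULT_RE.search(o.group("rest"))
        if r and (r.group("err") == "123" or key in proxied_ops):
            authc, authz = pending_pair.pop(host, (None, None))
            events.append(ProxyAuthzEvent(host, key[1], key[2], int(r.group("err")),
                                          r.group("text").strip(), authc, authz))
    return events

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG.splitlines()): print(ev)
```

The identity pair is only available when the proxy logs at the debug level shown in the report; on a default loglevel the scanner still reports the err=123 result, just without the authc/authz names.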