Full_Name: Florian Huiskens Version: 2.3.30 OS: Ubuntu 7.04 URL: Submission from: (NULL) (85.216.39.101)
I am trying to set up an environment in which a client communicates with an LDAP proxy.
The proxy forwards the client's query (using the ldap backend) to an LDAP slave. The authentication mechanism I use between proxy and slave is SASL (GSSAPI). The proxy has a Kerberos ticket available.
Proxy authentication works in general (using PROXYAUTHZ), but fails on referrals (even though rebind-as-user is set). This means that when information is written and the proxy receives a referral to the master, the bind information is lost.
Thanks for any help, regards Florian
Config-files:
Master:
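# Master slapd.conf (syncprov provider; the slave below replicates from ubuntu-desktop:389).
# One directive per line, so the "#" comment lines no longer swallow the
# directives that had been joined onto them (modulepath, database, sasl-* ...).
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

loglevel 0

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload syncprov

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

backend bdb
checkpoint 512 30

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb
suffix "dc=idm,dc=local"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# NOTE(review): the rootdn is the suffix entry itself and no rootpw appears in
# this excerpt — confirm how this identity is expected to bind.
rootdn "dc=idm,dc=local"

directory "/var/lib/ldap"

dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

index objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod on

# Password attributes: admin may write them; the slave's replication identity
# (uid=ldap/extubuntu.idm.local,ou=slaves) may read them so they replicate;
# everyone else may only use them to authenticate.
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=idm,dc=local" write
        by dn="uid=ldap/extubuntu.idm.local,ou=slaves,dc=idm,dc=local" read
        by anonymous auth
        by * none

access to dn.base="" by * read

# Everything else is readable by any identity (including anonymous);
# only admin may write.
access to * by dn="cn=admin,dc=idm,dc=local" write
        by * read

# syncrepl config
overlay syncprov
syncprov-checkpoint 100 1
syncprov-sessionlog 100

# SASL setup
#sasl-host ubuntu-desktop
# "To" policy: a SASL-authenticated entry may assert other identities only as
# its own authzTo allows. A connection that binds anonymously cannot assert
# anything — the master log in this report rejects the referral-chased modify
# with "anonymous proxyAuthz not allowed".
sasl-authz-policy To
# Require a 56-bit SASL security layer (the GSSAPI binds in the logs show ssf=56).
sasl-secprops minssf=56
sasl-realm idm.local
# Map a GSSAPI principal to an entry by searching the whole suffix for a
# matching uid OR cn. NOTE(review): a URL-based mapping presumably needs
# exactly one hit — confirm — so cn values must not collide with principal
# names anywhere under the suffix.
sasl-regexp uid=(.*),cn=idm.local,cn=gssapi,cn=auth ldap:///dc=idm,dc=local??sub?(|(uid=$1)(cn=$1))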
Slave:
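# Slave slapd.conf (syncrepl consumer of ubuntu-desktop:389; the logs in this
# report show it accepting on port 390).
# One directive per line, so the "#" comment lines no longer swallow the
# directives that had been joined onto them.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

loglevel 0

modulepath /usr/lib/ldap
moduleload back_bdb

sizelimit 500
tool-threads 1

backend bdb
checkpoint 512 30

database bdb
suffix "dc=idm,dc=local"
# rootdn deliberately kept outside the suffix; the in-suffix value is left
# commented out as posted. NOTE(review): the consumer presumably applies
# replicated updates with this identity — confirm.
#rootdn "dc=idm,dc=local"
rootdn "dc=nowhere,dc=nouniverse"

directory "/var/lib/ldap"

dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

index objectClass eq

lastmod on

# Password attributes: admin writes, an entry's owner may change its own,
# anyone may authenticate against them; the repl-admin grant is still
# commented out as posted.
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=idm,dc=local" write
        by anonymous auth
        by self write
        by * none
#       by dn="cn=repl-admin,dc=idm,dc=local" write

access to dn.base="" by * read

# All other attributes are readable by any identity, including anonymous
# binds; admin and the entry owner may write.
access to * by dn="cn=admin,dc=idm,dc=local" write
        by self write
        by * read
#       by dn="cn=repl-admin,dc=idm,dc=local" write
#       by * read

# Pull the tree from the master with a GSSAPI bind (this host's ticket).
# Writes arriving here are answered with a referral to the master (updateref);
# the slave log in this report shows the MOD returning err=10.
syncrepl rid=1
        provider=ldap://ubuntu-desktop:389
        searchbase="dc=idm,dc=local"
        type=refreshAndPersist
        retry="60 10 300 +"
        bindmethod=sasl
        saslmethod=GSSAPI
updateref ldap://ubuntu-desktop:389

# SASL setup
# "To" policy: the authenticated entry may assert other identities as its own
# authzTo allows; the slave log shows the proxy's principal being accepted for
# PROXYAUTHZ dn="cn=admin,dc=idm,dc=local".
sasl-authz-policy To
# Require a 56-bit SASL security layer (binds in the logs show ssf=56).
sasl-secprops minssf=56
sasl-realm idm.local
# Map a GSSAPI principal to an entry by searching the whole suffix for a
# matching uid OR cn (the slave log shows this search as
# filter="(|(uid=admin)(cn=admin))"). NOTE(review): cn values must not collide
# with principal names anywhere under the suffix, or the mapping is ambiguous.
sasl-regexp uid=(.*),cn=idm.local,cn=gssapi,cn=auth ldap:///dc=idm,dc=local??sub?(|(uid=$1)(cn=$1))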
Proxy (running on the same host as the Slave):
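# Proxy slapd.conf (back-ldap in front of the slave on extubuntu.idm.local:390,
# which runs on the same host).
# One directive per line, so the "# SASL setup" comment no longer swallows the
# sasl-* and idassert-bind directives that had been joined onto it.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Trace-level logging; the "request done: ld ..." lines in the proxy log are
# presumably produced by this level.
loglevel 1

modulepath /usr/lib/ldap
moduleload back_ldap

database ldap
uri ldap://extubuntu.idm.local:390/
suffix "dc=idm,dc=local"
# The proxy itself follows referrals (e.g. the slave's updateref to the master).
# NOTE(review): the master log in this report shows the chased connection
# arriving with an anonymous simple bind (method=128) and its proxyAuthz control
# rejected with err=47 "anonymous proxyAuthz not allowed" — the GSSAPI identity
# established on the original connection does not appear to be carried onto the
# referred one, so rebind-as-user looks ineffective for SASL binds here.
chase-referrals yes
rebind-as-user yes

# SASL setup
# Require a 56-bit SASL security layer (binds in the logs show ssf=56).
sasl-secprops minssf=56
sasl-realm idm.local
# Map a GSSAPI principal to an entry by searching the whole suffix for a
# matching uid OR cn. NOTE(review): cn values must not collide with principal
# names anywhere under the suffix, or the mapping is ambiguous.
sasl-regexp uid=(.*),cn=idm.local,cn=gssapi,cn=auth ldap:///dc=idm,dc=local??sub?(|(uid=$1)(cn=$1))
# Bind to the slave with the proxy's own service principal and assert the
# client's identity via proxyAuthz (mode=self); the slave log shows this as
# BIND dn="uid=ldap/extubuntu.idm.local,ou=slaves,..." followed by
# PROXYAUTHZ dn="cn=admin,dc=idm,dc=local".
idassert-bind bindmethod=sasl
        mode=self
        authcid=ldap/extubuntu.idm.local # should come from ticket but does not.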
Snippets of an ldapsearch:
debugging information from the proxy conn=10 fd=9 ACCEPT from IP=127.0.0.1:3380 (IP=0.0.0.0:389) conn=10 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" conn=10 op=0 SRCH attr=supportedSASLMechanisms conn=10 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=10 op=1 BIND dn="" method=163 conn=10 op=2 BIND dn="" method=163 conn=10 op=2 RESULT tag=97 err=14 text= conn=10 op=3 BIND dn="" method=163 conn=10 op=1 RESULT tag=97 err=14 text= request done: ld 0x81dd960 msgid 3 SASL [conn=10] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory conn=10 op=3 BIND authcid="admin@idm.local" authzid="admin@idm.local" conn=10 op=3 BIND dn="cn=admin,dc=idm,dc=local" mech=GSSAPI ssf=56 conn=10 op=3 RESULT tag=97 err=0 text= conn=10 op=4 SRCH base="dc=idm,dc=local" scope=2 deref=0 filter="(cn=fhuisk)" request done: ld 0x8197038 msgid 1 request done: ld 0x8197038 msgid 2 request done: ld 0x8197038 msgid 3 request done: ld 0x8197038 msgid 4 request done: ld 0x8197038 msgid 5 conn=10 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=10 op=5 UNBIND conn=10 fd=9 closed
debugging information from the slave conn=0 op=2 SRCH base="dc=idm,dc=local" scope=2 deref=0 filter="(|(uid=admin)(cn=admin))" conn=0 op=2 SRCH attr=1.1 <= bdb_equality_candidates: (uid) index_param failed (18) <= bdb_equality_candidates: (cn) index_param failed (18) conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=2 fd=16 ACCEPT from IP=127.0.1.1:2814 (IP=0.0.0.0:390) conn=2 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" conn=2 op=0 SRCH attr=supportedSASLMechanisms conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=2 op=1 BIND dn="" method=163 conn=2 op=2 BIND dn="" method=163 conn=2 op=2 RESULT tag=97 err=14 text= conn=2 op=3 BIND dn="" method=163 <= bdb_equality_candidates: (uid) index_param failed (18) <= bdb_equality_candidates: (cn) index_param failed (18) SASL [conn=2] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory conn=2 op=3 BIND authcid="ldap/extubuntu.idm.local@idm.local" authzid="ldap/extubuntu.idm.local@idm.local" conn=2 op=3 BIND dn="uid=ldap/extubuntu.idm.local,ou=slaves,dc=idm,dc=local" mech=GSSAPI ssf=56 conn=2 op=3 RESULT tag=97 err=0 text= conn=2 op=4 PROXYAUTHZ dn="cn=admin,dc=idm,dc=local" conn=2 op=4 SRCH base="dc=idm,dc=local" scope=2 deref=0 filter="(cn=fhuisk)" <= bdb_equality_candidates: (cn) index_param failed (18) conn=2 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=2 op=1 RESULT tag=97 err=14 text= conn=2 op=5 UNBIND conn=2 fd=16 closed ldapsearch call and result root@extUbuntu:/etc/ldap# ldapsearch cn=fhuisk SASL/GSSAPI authentication started SASL username: admin@IDM.LOCAL SASL SSF: 56 SASL installing layers # extended LDIF # # LDAPv3 # base <> with scope subtree # filter: cn=fhuisk # requesting: ALL #
# fhuisk, users, idm.local dn: cn=fhuisk,ou=users,dc=idm,dc=local uid: fhuisk givenName:: RmxvcmlhbiA= objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson sn: Huiskens cn: fhuisk userPassword:: dGVzdA==
# search result search: 5 result: 0 Success
# numResponses: 2 # numEntries: 1 root@extUbuntu:/etc/ldap#
fyi: ldapwhoami root@extUbuntu:/etc/ldap# ldapwhoami SASL/GSSAPI authentication started SASL username: admin@IDM.LOCAL SASL SSF: 56 SASL installing layers dn:cn=admin,dc=idm,dc=local Result: Success (0) root@extUbuntu:/etc/ldap#
Snippets of an ldapmodify debugging information from the proxy conn=0 fd=9 ACCEPT from IP=127.0.0.1:3145 (IP=0.0.0.0:389) conn=0 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" conn=0 op=0 SRCH attr=supportedSASLMechanisms conn=0 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=0 op=1 BIND dn="" method=163 conn=0 op=2 BIND dn="" method=163 conn=0 op=2 RESULT tag=97 err=14 text= conn=0 op=3 BIND dn="" method=163 request done: ld 0x81a39f8 msgid 1 conn=0 op=1 RESULT tag=97 err=14 text= request done: ld 0x81a39f8 msgid 2 SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory conn=0 op=3 BIND authcid="admin@idm.local" authzid="admin@idm.local" conn=0 op=3 BIND dn="cn=admin,dc=idm,dc=local" mech=GSSAPI ssf=56 conn=0 op=3 RESULT tag=97 err=0 text= conn=0 op=4 MOD dn="cn=fhuisk,ou=users,dc=idm,dc=local" conn=0 op=4 MOD attr=cn request done: ld 0x8192200 msgid 1 request done: ld 0x8192200 msgid 2 request done: ld 0x8192200 msgid 3 request done: ld 0x8192200 msgid 4 request done: ld 0x8192200 msgid 7 request done: ld 0x8192200 msgid 5 conn=0 op=4 RESULT tag=103 err=47 text=anonymous proxyAuthz not allowed conn=0 op=5 UNBIND conn=0 fd=9 closed
debugging information from the slave conn=0 fd=13 ACCEPT from IP=127.0.1.1:2862 (IP=0.0.0.0:390) conn=0 op=0 BIND dn="" method=128 conn=0 op=0 RESULT tag=97 err=0 text= conn=0 op=1 SRCH base="dc=idm,dc=local" scope=2 deref=0 filter="(|(uid=admin)(cn=admin))" conn=0 op=1 SRCH attr=1.1 <= bdb_equality_candidates: (uid) index_param failed (18) <= bdb_equality_candidates: (cn) index_param failed (18) conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=1 fd=15 ACCEPT from IP=127.0.1.1:2863 (IP=0.0.0.0:390) conn=1 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" conn=1 op=0 SRCH attr=supportedSASLMechanisms conn=1 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=1 op=1 BIND dn="" method=163 conn=1 op=2 BIND dn="" method=163 conn=1 op=3 BIND dn="" method=163 <= bdb_equality_candidates: (uid) index_param failed (18) <= bdb_equality_candidates: (cn) index_param failed (18) SASL [conn=1] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory conn=1 op=3 BIND authcid="ldap/extubuntu.idm.local@idm.local" authzid="ldap/extubuntu.idm.local@idm.local" conn=1 op=3 BIND dn="uid=ldap/extubuntu.idm.local,ou=slaves,dc=idm,dc=local" mech=GSSAPI ssf=56 conn=1 op=2 RESULT tag=97 err=14 text= conn=1 op=4 PROXYAUTHZ dn="cn=admin,dc=idm,dc=local" conn=1 op=4 MOD dn="cn=fhuisk,ou=users,dc=idm,dc=local" conn=1 op=4 MOD attr=cn conn=1 op=4 RESULT tag=103 err=10 text= conn=1 op=3 RESULT tag=97 err=0 text= conn=1 op=1 RESULT tag=97 err=14 text= conn=1 op=5 UNBIND conn=1 fd=15 closed
debugging information from the master conn=1 fd=14 ACCEPT from IP=172.16.82.240:1290 (IP=0.0.0.0:389) conn=1 op=0 BIND dn="" method=128 conn=1 op=0 RESULT tag=97 err=0 text= conn=1 op=1 RESULT tag=103 err=47 text=anonymous proxyAuthz not allowed do_modify: get_ctrls failed conn=1 op=2 UNBIND conn=1 fd=14 closed
ldapmodify call and result root@extUbuntu:/etc/ldap# ldapmodify SASL/GSSAPI authentication started SASL username: admin@IDM.LOCAL SASL SSF: 56 SASL installing layers dn: cn=fhuisk,ou=users,dc=idm,dc=local changetype: modify add: cn cn: newCN -
modifying entry "cn=fhuisk,ou=users,dc=idm,dc=local" ldapmodify: Proxy Authorization Failure (47) additional info: anonymous proxyAuthz not allowed
root@extUbuntu:/etc/ldap#