Full_Name: Dirk Kastens
Version: 2.4.39
OS: RedHat SL 6.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:638:508:3d0:12a:32c6:740c:8971)
We installed an ldap cluster with a mirrored master and several replicas on RedHat SL 6.5 with openldap 2.4.23-34.el6_5.1.x86_64. Write requests to the replicas are referred to the master server. The chain overlay follows the referral. It connects with the saslmech EXTERNAL to the master. The master maps the DN of the certificate to the replica admin. The replica admin has its authzTo attribute set to the write admin. This way the writing perfectly worked on our replica servers for all admins that are listed in the authzTo attribute.

Shortly the machines were updated to SL 6.6 with openldap 2.4.39-8.el6.x86_64. The proxyauth stopped working. Write requests to the replica servers end with the error "ldap_modify: Other (e.g., implementation specific) error (80)". I installed another replica under SL 7.0 with openldap-2.4.39-3.el7.x86_64: same result. When I configure the idassertbind attribute to use simple bind with a binddn and credentials, the proxyauth works.

This is the chain configuration that doesn't work any longer:
olcDbURI: "ldap://ldap-master"
olcDbStartTLS: none starttls=no
olcDbIDAssertAuthzFrom: {0}*
olcDbIDAssertBind: mode=self bindmethod=sasl saslmech=EXTERNAL starttls=yes tls_cert="/etc/openldap/certs/ldap-replica.pem" tls_key="/etc/openldap/certs/ldap-replica.key" tls_cacert="/etc/openldap/cacerts/cacerts.pem" tls_cacertdir="/etc/openldap/cacerts" tls_reqcert=demand
This is the configuration that works now:
olcDbStartTLS: none starttls=no
olcDbURI: "ldap://ldap-master"
olcDbIDAssertAuthzFrom: {0}*
olcDbIDAssertBind: mode=self bindmethod=simple binddn="cn=proxyuser" credentials="secret" starttls=yes tls_cert="/etc/openldap/certs/ldap-replica.pem" tls_key="/etc/openldap/certs/ldap-replica.key" tls_cacert="/etc/openldap/cacerts/cacerts.pem" tls_cacertdir="/etc/openldap/cacerts" tls_reqcert=demand
I looked through the manual pages, but I didn't find a difference between 2.4.23 and 2.4.39. In 2.4.23 we had to load the chain module and now we load the back_ldap module. But that's all.
Dirk
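The report shows only the replica-side chain configuration; the master-side half it describes in prose (certificate DN mapped to the replica admin, authzTo on that admin naming the write admin) is illustrated below as an added example, not taken from the report or from the OpenLDAP project. The certificate subject, the entry DNs and the admin names are assumed placeholders.

```ldif
# Added illustration of the master-side cn=config pieces the report describes.
# Assumed values: the replica certificate subject "cn=ldap-replica,o=example",
# the entries cn=replica-admin and cn=write-admin under dc=example,dc=com.

# 1. Map the subject DN that SASL EXTERNAL derives from the replica's TLS
#    client certificate onto the replica admin entry.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}"^cn=ldap-replica,o=example$" "cn=replica-admin,dc=example,dc=com"
-
# 2. Decide proxy authorization from the authzTo attribute of the
#    authenticated identity (the replica admin), i.e. policy "to".
add: olcAuthzPolicy
olcAuthzPolicy: to

# 3. The replica admin may assert only the write admin's identity, so a
#    chained write (idassert mode=self) reaches the master as cn=write-admin
#    and nothing else.
dn: cn=replica-admin,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: dn.exact:cn=write-admin,dc=example,dc=com
```

To separate a mapping failure from an authzTo failure without the chain overlay in the path, run ldapwhoami from the replica host with its certificate configured in ldap.conf, first as `ldapwhoami -H ldap://ldap-master -ZZ -Y EXTERNAL` (should print the replica admin DN) and then with `-X dn:cn=write-admin,dc=example,dc=com` (should print the write admin DN).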