Raphael Berlamont wrote:
Hello list,
I'm trying to install an anonymous proxy with OpenLDAP in order to bind anonymously to an Active Directory server.
With an old version of OpenLDAP (v2.3.11), I had no problem. Using the v2.3.11 configuration file on v2.3.27 or v2.3.31 does not work. It seems that a lot of things changed for the "LDAP" backend.
Here is what I have in my configuration file :
-------------8<-------------------------
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/ad.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
allow bind_v2
loglevel 4095
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
authz-policy none
database ldap
lastmod off
suffix "dc=x1,dc=f0,dc=enterprise"
uri "ldap://192.168.AD.IP:3268/"
idassert-bind bindmethod=simple mode=anonymous binddn="CN=FwSvcMetatest1,OU=Domain-wide Services,DC=f1,DC=enterprise" credentials="password" flags=non-prescriptive
-------------8<-------------------------
Here is my request and its answer :
-------------8<-------------------------
# ldapsearch -vvv -b "dc=x1,dc=f0,dc=enterprise" -h 127.0.0.1 -p 389 -x -s sub "(cn=Berlamont*)"
ldap_initialize( ldap://127.0.0.1:389 )
filter: (cn=Berlamont*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=x1,dc=f0,dc=enterprise> with scope subtree
# filter: (cn=Berlamont*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
-------------8<-------------------------
A tethereal capture confirms that there has been no connection to the AD.
And finally, if it can help, here is the debug log (only for the ldapsearch):
-------------8<-------------------------
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: >>> slap_listener(ldap://*:389)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: listen=7, new connection on 8
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: added 8r (active) listener=(nil)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 fd=8 ACCEPT from IP=127.0.0.1:35477 (IP=0.0.0.0:389)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: 8r
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: read active on 8
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8): got connid=1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_read(8): checking for input on id=1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_bind
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: >>> dnPrettyNormal: <>
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: <<< dnPrettyNormal: <>, <>
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_bind: version=3 dn="" method=128
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=0 BIND dn="" method=128
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result: conn=1 op=0 p=3
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result: err=0 matched="" text=""
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_response: msgid=1 tag=97 err=0
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=0 RESULT tag=97 err=0 text=
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_bind: v3 anonymous bind
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: 8r
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: read active on 8
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8): got connid=1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_read(8): checking for input on id=1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_search
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: >>> dnPrettyNormal: <dc=x1,dc=f0,dc=enterprise>
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: <<< dnPrettyNormal: <dc=x1,dc=f0,dc=enterprise>, <dc=x1,dc=f0,dc=enterprise>
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: SRCH "dc=x1,dc=f0,dc=enterprise" 2 0
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: 0 0 0
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: begin get_filter
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: SUBSTRINGS
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: begin get_ssa
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: INITIAL
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: end get_ssa
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: end get_filter 0
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: filter: (cn=berlamont*)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: attrs:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=1 SRCH base="dc=x1,dc=f0,dc=enterprise" scope=2 deref=0 filter="(cn=berlamont*)"
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result: conn=1 op=1 p=3
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result: err=10 matched="" text=""
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_response: msgid=2 tag=101 err=32
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: 8r
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: read active on 8
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8): got connid=1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_read(8): checking for input on id=1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: ber_get_next on fd 8 failed errno=0 (Success)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_read(8): input error=-2 id=1, closing.
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_closing: readying conn=1 sd=8 for close
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_close: deferring conn=1 sd=-1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_unbind
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=2 UNBIND
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_resched: attempting closing conn=1 sd=8
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_close: conn=1 sd=-1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: =>ldap_back_conn_destroy: fetching conn 1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: removing 8
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 fd=8 closed ()
-------------8<-------------------------
I don't understand why it doesn't, at least, try to connect to the AD to try to bind with the account defined by the "binddn" directive in the "idassert-bind" section.
I have no idea why it ever gets to return "no such object"; if the above is your slapd.conf, I see too much whitespace in front of too many directives to yield a valid slapd-ldap configuration, though.
In any case, I don't remember what actually changed between 2.3.11 and 2.3.X, but lots of things did.
In your tentative setup I see a couple of (potential) issues. First of all let me clarify the context: you want identity assertion because the remote server needs authentication, but you want anonymous operations to be performed anonymously. This requires that the proxy binds with the specified identity and then authorizes as the empty DN, so that the operation is performed with the privileges of anonymous, is this correct?
In this case, there seems to be a bug in identity assertion, which prevents mode=anonymous from working as expected. I suggest you file an ITS so that this bug gets tracked.
In any case, if you specify flags=non-prescriptive, anonymous operations will not use identity assertion; in fact, non-prescriptive means that operations whose identity cannot be authorized are performed anonymously; the default is to reject them with "inappropriate authentication".
On the contrary, to enable the feature you need, you should rather allow anonymous to use identity assertion, by adding
idassert-authzfrom "dn.regex:.*"
which means that any identity, including the empty DN, is allowed to use identity assertion.
A configuration like
database ldap
suffix "dc=example,dc=com"
uri ldap://:9011
idassert-bind bindmethod=simple mode=self binddn="cn=Manager,dc=example,dc=com" credentials="secret"
idassert-authzFrom "dn.regex:.*"
will do the trick (although, with the above bug, no proxyAuthz will occur and, as such, the operation will be performed with the identity defined in binddn).
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:  +39.02.23998309
Mobile:  +39.333.4963172
Email:   pierangelo.masarati@sys-net.it
------------------------------------------
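As an added illustration of the rules Pierangelo describes (this is a constructed model, not OpenLDAP's code and not part of the thread), here is a small Python sketch of how idassert-bind mode, the prescriptive/non-prescriptive flag and idassert-authzFrom decide what identity a proxied operation carries. BINDDN, the result-code plumbing and the restriction to the anonymous and self modes are assumptions of the model.

```python
import re

# Constructed, simplified model of slapd-ldap identity assertion; it is not
# OpenLDAP's code. The proxy binds to the remote server as BINDDN and then
# asserts an authorization identity (proxyAuthz) chosen by <mode>, but only
# for local identities that idassert-authzFrom permits.
BINDDN = "cn=Manager,dc=example,dc=com"   # assumed proxy identity
LDAP_SUCCESS = 0
LDAP_INAPPROPRIATE_AUTH = 48               # "inappropriate authentication"

def authz_from_allows(rules, client_dn):
    """Evaluate idassert-authzFrom rules of the form "dn.exact:<dn>" or
    "dn.regex:<pattern>". No rules at all means nobody may use assertion."""
    for rule in rules:
        kind, sep, arg = rule.partition(":")
        if not sep:  # e.g. "dn.regex=.*": the separator must be ':'
            raise ValueError(f"malformed authz rule: {rule!r}")
        if kind == "dn.exact" and client_dn.lower() == arg.lower():
            return True
        if kind == "dn.regex" and re.search(arg, client_dn):  # unanchored, like regexec
            return True
    return False

def proxied_identity(client_dn, mode, authz_from=(), non_prescriptive=False):
    """Decide how an operation from a client bound as client_dn ("" = anonymous)
    reaches the remote server. Returns (result_code, remote_bind_dn, authz_id);
    authz_id None means no proxyAuthz control is sent."""
    if mode not in ("anonymous", "self"):
        raise ValueError(f"mode {mode!r} not modelled here")
    if not authz_from_allows(authz_from, client_dn):
        if non_prescriptive:   # silently downgrade to a plain anonymous operation
            return LDAP_SUCCESS, "", None
        return LDAP_INAPPROPRIATE_AUTH, None, None   # prescriptive (the default)
    if mode == "anonymous":    # assert the empty DN: remote sees anonymous
        return LDAP_SUCCESS, BINDDN, "dn:"
    return LDAP_SUCCESS, BINDDN, "dn:" + client_dn   # mode=self

if __name__ == "__main__":
    # The thread's original setup: mode=anonymous, non-prescriptive, no authzFrom.
    print(proxied_identity("", "anonymous", non_prescriptive=True))
    # With idassert-authzFrom "dn.regex:.*" the anonymous client may use assertion.
    print(proxied_identity("", "anonymous", ("dn.regex:.*",)))
```

The first call shows why the original configuration never touched the AD with the binddn: without an authzFrom rule the anonymous client is simply proxied anonymously, and without non-prescriptive it would have been rejected outright.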