Mark Hennessy wrote:
I have a user who tries to connect from an IP x.x.x.31, but they keep getting rejected. The ACL is using IPs to allow anonymous read-only connections. I have a client at another host that's also in the ACL by IP which is set to use an anonymous connection and that works. What should I be looking for with this client that's not working? Also, I built OpenLDAP without SASL on purpose. This is serving a simple database that could potentially have lots of reads and no writes from a couple of trusted hosts. Any help in this matter would be greatly appreciated!
This is OpenLDAP from FreeBSD ports built supposedly without SASL.
Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 ACCEPT from IP=x.x.x.31:1691 (IP=0.0.0.0:389) Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH attr=supportedCapabilities Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text= Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH attr=supportedSASLMechanisms Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 BIND dn="" method=137 Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 RESULT tag=97 err=7 text=unknown authentication method Dec 11 13:34:19 x slapd[2566]: conn=28 op=3 UNBIND Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 closed
The log shows they're trying to Bind with a "method=137" and correctly getting an unknown authentication method response back. I.e., they're trying to Bind with a mechanism that slapd doesn't recognize. It's certainly not an anonymous LDAP Simple Bind. Seems like a broken client.