Quanah Gibson-Mount wrote:
Sure. Which configuration do you want me to try it with? ;) Here is -d -1 with this config:
idassert-bind bindmethod=sasl saslmech=gssapi realm=stanford.edu authcID=service/mailrouter@stanford.edu
authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu
First of all, what's missing here is the "mode" parameter; what do you want the proxy to do? bind as "service/mailrouter@stanford.edu", SASL authorize as "dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" and then? proxy authorize as the incoming request? just keep the "cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" identity?
daemon: activity on 1 descriptor
slap_listener(ldap:///)
daemon: listen=7, new connection on 8
ldap_pvt_gethostbyname_a: host=smtp-dev.stanford.edu, r=0
daemon: added 8r (active) listener=(nil)
conn=0 fd=8 ACCEPT from IP=127.0.0.1:43402 (IP=0.0.0.0:389)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 8r
daemon: read activity on 8
connection_get(8)
connection_get(8): got connid=0
connection_read(8): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 60 07 02                            0....`..
ldap_read: want=6, got=6
  0000:  01 03 04 00 80 00                                  ......
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x08193c48 ptr=0x08193c48 end=0x08193c54 len=12
  0000:  02 01 01 60 07 02 01 03  04 00 80 00               ...`........
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x08193c48 ptr=0x08193c4b end=0x08193c54 len=9
  0000:  60 07 02 01 03 04 00 80  00                        `........
ber_scanf fmt (m}) ber:
ber_dump: buf=0x08193c48 ptr=0x08193c52 end=0x08193c54 len=2
  0000:  00 00                                              ..
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
conn=0 op=0 BIND dn="" method=128
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 8
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........
conn=0 op=0 RESULT tag=97 err=0 text=
do_bind: v3 anonymous bind
daemon: activity on 1 descriptor
daemon: activity on: 8r
daemon: read activity on 8
connection_get(8)
connection_get(8): got connid=0
connection_read(8): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
  0000:  30 39 02 01 02 63 34 04                            09...c4.
ldap_read: want=51, got=51
  0000:  12 64 63 3d 73 74 61 6e  66 6f 72 64 2c 64 63 3d   .dc=stanford,dc=
  0010:  65 64 75 0a 01 02 0a 01  00 02 01 00 02 01 00 01   edu.............
  0020:  01 00 a3 0d 04 03 75 69  64 04 06 71 75 61 6e 61   ......uid..quana
  0030:  68 30 00                                           h0.
ber_get_next: tag 0x30 len 57 contents:
ber_dump: buf=0x08195738 ptr=0x08195738 end=0x08195771 len=57
  0000:  02 01 02 63 34 04 12 64  63 3d 73 74 61 6e 66 6f   ...c4..dc=stanfo
  0010:  72 64 2c 64 63 3d 65 64  75 0a 01 02 0a 01 00 02   rd,dc=edu.......
  0020:  01 00 02 01 00 01 01 00  a3 0d 04 03 75 69 64 04   ............uid.
  0030:  06 71 75 61 6e 61 68 30  00                        .quanah0.
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
do_search
ber_scanf fmt ({miiiib) ber:
ber_dump: buf=0x08195738 ptr=0x0819573b end=0x08195771 len=54
  0000:  63 34 04 12 64 63 3d 73  74 61 6e 66 6f 72 64 2c   c4..dc=stanford,
  0010:  64 63 3d 65 64 75 0a 01  02 0a 01 00 02 01 00 02   dc=edu..........
  0020:  01 00 01 01 00 a3 0d 04  03 75 69 64 04 06 71 75   .........uid..qu
  0030:  61 6e 61 68 30 00                                  anah0.
>>> dnPrettyNormal: <dc=stanford,dc=edu>
=> ldap_bv2dn(dc=stanford,dc=edu,0)
<= ldap_bv2dn(dc=stanford,dc=edu)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=stanford,dc=edu)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=stanford,dc=edu)=0
<<< dnPrettyNormal: <dc=stanford,dc=edu>, <dc=stanford,dc=edu>
SRCH "dc=stanford,dc=edu" 2 0
    0 0 0
    begin get_filter
    EQUALITY
ber_scanf fmt ({mm}) ber:
ber_dump: buf=0x08195738 ptr=0x08195760 end=0x08195771 len=17
  0000:  a3 0d 04 03 75 69 64 04  06 71 75 61 6e 61 68 30   ....uid..quanah0
  0010:  00                                                 .
    end get_filter 0
    filter: (uid=quanah)
ber_scanf fmt ({M}}) ber:
ber_dump: buf=0x08195738 ptr=0x0819576f end=0x08195771 len=2
  0000:  00 00                                              ..
    attrs:
conn=0 op=1 SRCH base="dc=stanford,dc=edu" scope=2 deref=0 filter="(uid=quanah)"
==> limits_get: conn=0 op=1 dn="[anonymous]"
ldap_create
ldap_url_parse_ext(ldap://ldap-test1.stanford.edu)
=>ldap_back_getconn: conn 0x81a17c0 inserted refcnt=1 binding=1
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=7 matched="" text=""
^^^ This is where the problem occurs; you seem to be using old code, since that log message in ldap_back_getconn() changed between 2.3.32 and 2.3.33. I'd recommend you use 2.3.34 anyway, although I'm not sure it's going to fix your problem.
The issue seems to occur between ldap_back_getconn() and the ldap_sasl_interactive_bind_s() that occurs during the proxy authz bind. Unfortunately, there seems to be very little trace level debug in between, so a gdb session might be required...
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:  +39.02.23998309
Mobile:  +39.333.4963172
Email:   pierangelo.masarati@sys-net.it
------------------------------------------
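The two outcomes the reply asks about (keep the mailrouter identity for everything, or assert the incoming client's identity) spelled out as a back-ldap configuration, added here as an example rather than taken from the thread or from the OpenLDAP documentation. It assumes the slapd-ldap(5) syntax of slapd 2.3 (`mode=`, `idassert-authzFrom`), reuses the principal and DNs quoted above, and takes the remote URI from the log; the `idassert-authzFrom` subtree is a placeholder.

```conf
# Added example, not from the thread: filling in the "mode" parameter that
# the idassert-bind line above leaves out.  slapd 2.3 back-ldap syntax as
# in slapd-ldap(5); DNs and principal as quoted in the thread, remote URI
# from the log, the authzFrom subtree is a placeholder.
database        ldap
suffix          "dc=stanford,dc=edu"
uri             "ldap://ldap-test1.stanford.edu"

# Variant A, mode=none: the proxy binds as its Kerberos service principal,
# is authorized as the mailrouter DN, and performs every proxied operation
# as that DN.  The client's own identity is never forwarded, so the remote
# server's ACLs for cn=mailrouter apply to all clients alike (including the
# anonymous client seen in the log), and the proxy needs no proxyAuthz
# rights on the remote server.
idassert-bind   bindmethod=sasl saslmech=gssapi realm=stanford.edu
                authcID=service/mailrouter@stanford.edu
                authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu
                mode=none

# Variant B, mode=self (use instead of A, shown commented out): same bind,
# but each proxied operation asserts the client's identity towards the
# remote server, which must therefore allow cn=mailrouter to proxy-authorize
# as those identities (its authzTo/authzFrom policy).  idassert-authzFrom
# restricts which local identities the proxy will assert at all; clients it
# does not match are proxied without the assertion.
# idassert-bind   bindmethod=sasl saslmech=gssapi realm=stanford.edu
#                 authcID=service/mailrouter@stanford.edu
#                 authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu
#                 mode=self
# idassert-authzFrom "dn.subtree:cn=applications,dc=stanford,dc=edu"
```

With either variant, the remote server's ACLs for cn=mailrouter (variant A) or its proxy-authorization policy for that DN (variant B) is what bounds what the proxy can do on behalf of clients, so it should be as narrow as the mail router actually needs.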