Hello list,
I'm trying to set up an anonymous proxy with OpenLDAP in order to bind anonymously to an Active Directory server.
With an old version of OpenLDAP (v2.3.11), I had no problem. Using the v2.3.11 configuration file on v2.3.27 or v2.3.31 does not work. It seems that a lot of things changed for the "ldap" backend.
Here is what I have in my configuration file:
-------------8<-------------------------
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/ad.schema
include /usr/local/etc/openldap/schema/dyngroup.schema

allow bind_v2

loglevel 4095

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

authz-policy none

database ldap
lastmod off
suffix "dc=x1,dc=f0,dc=enterprise"
uri "ldap://192.168.AD.IP:3268/"
idassert-bind bindmethod=simple mode=anonymous binddn="CN=FwSvcMetatest1,OU=Domain-wide Services,DC=f1,DC=enterprise" credentials="password" flags=non-prescriptive
-------------8<-------------------------
Here is my request and its answer:
-------------8<-------------------------
# ldapsearch -vvv -b "dc=x1,dc=f0,dc=enterprise" -h 127.0.0.1 -p 389 -x -s sub "(cn=Berlamont*)"
ldap_initialize( ldap://127.0.0.1:389 )
filter: (cn=Berlamont*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=x1,dc=f0,dc=enterprise> with scope subtree
# filter: (cn=Berlamont*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
-------------8<-------------------------
A tethereal capture confirms that there has been no connection to the AD.
And finally, if it can help, here is the debug log (only for the ldapsearch):
-------------8<-------------------------
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: >>> slap_listener(ldap://*:389)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: listen=7, new connection on 8
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: added 8r (active) listener=(nil)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 fd=8 ACCEPT from IP=127.0.0.1:35477 (IP=0.0.0.0:389)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: 8r
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: read active on 8
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8): got connid=1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_read(8): checking for input on id=1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_bind
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: >>> dnPrettyNormal: <>
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: <<< dnPrettyNormal: <>, <>
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_bind: version=3 dn="" method=128
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=0 BIND dn="" method=128
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result: conn=1 op=0 p=3
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result: err=0 matched="" text=""
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_response: msgid=1 tag=97 err=0
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=0 RESULT tag=97 err=0 text=
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_bind: v3 anonymous bind
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: 8r
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: read active on 8
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8): got connid=1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_read(8): checking for input on id=1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_search
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: >>> dnPrettyNormal: <dc=x1,dc=f0,dc=enterprise>
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: <<< dnPrettyNormal: <dc=x1,dc=f0,dc=enterprise>, <dc=x1,dc=f0,dc=enterprise>
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: SRCH "dc=x1,dc=f0,dc=enterprise" 2 0
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: 0 0 0
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: begin get_filter
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: SUBSTRINGS
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: begin get_ssa
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: INITIAL
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: end get_ssa
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: end get_filter 0
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: filter: (cn=berlamont*)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: attrs:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=1 SRCH base="dc=x1,dc=f0,dc=enterprise" scope=2 deref=0 filter="(cn=berlamont*)"
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result: conn=1 op=1 p=3
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_result: err=10 matched="" text=""
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: send_ldap_response: msgid=2 tag=101 err=32
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: 8r
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: read active on 8
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_get(8): got connid=1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_read(8): checking for input on id=1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: ber_get_next on fd 8 failed errno=0 (Success)
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_read(8): input error=-2 id=1, closing.
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_closing: readying conn=1 sd=8 for close
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_close: deferring conn=1 sd=-1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on 1 descriptor
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: activity on:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]:
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: do_unbind
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 op=2 UNBIND
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_resched: attempting closing conn=1 sd=8
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: connection_close: conn=1 sd=-1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: =>ldap_back_conn_destroy: fetching conn 1
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: daemon: removing 8
Jan 8 06:48:17 xen-dev-rt36-fedorafc5-ncso slapd[6484]: conn=1 fd=8 closed ()
-------------8<-------------------------
I don't understand why it doesn't at least try to connect to the AD and bind with the account defined by the "binddn" directive of the "idassert-bind" section.
Can anyone give me a hint?
Regards,
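As an added example (not part of the original post and not OpenLDAP's own code), the following Python script correlates slapd debug output of the kind quoted above per conn/op. For each operation it pairs the error slapd computed internally (`send_ldap_result: err=N`) with the error it actually put on the wire (`send_ldap_response: ... err=M`), and records whether any back-ldap trace line (`ldap_back_*`) appeared while the operation was in flight. The embedded log is a constructed excerpt condensed from the posted lines, with the host name shortened; the regular expressions assume the 2.3-era log format shown in the post.

```python
"""Correlate slapd debug output per LDAP operation.

For every conn/op seen in the log, pair the internal result code
(send_ldap_result: err=N) with the code actually sent to the client
(send_ldap_response: ... err=M), and note whether any back-ldap trace
line (ldap_back_*) was logged while that operation was being processed.
"""
import re

LDAP_REFERRAL = 10
LDAP_NO_SUCH_OBJECT = 32

# Constructed sample: condensed from the posted slapd log, host name shortened.
SAMPLE_LOG = """\
Jan 8 06:48:17 host slapd[6484]: conn=1 fd=8 ACCEPT from IP=127.0.0.1:35477 (IP=0.0.0.0:389)
Jan 8 06:48:17 host slapd[6484]: conn=1 op=0 BIND dn="" method=128
Jan 8 06:48:17 host slapd[6484]: send_ldap_result: conn=1 op=0 p=3
Jan 8 06:48:17 host slapd[6484]: send_ldap_result: err=0 matched="" text=""
Jan 8 06:48:17 host slapd[6484]: send_ldap_response: msgid=1 tag=97 err=0
Jan 8 06:48:17 host slapd[6484]: conn=1 op=0 RESULT tag=97 err=0 text=
Jan 8 06:48:17 host slapd[6484]: do_bind: v3 anonymous bind
Jan 8 06:48:17 host slapd[6484]: conn=1 op=1 SRCH base="dc=x1,dc=f0,dc=enterprise" scope=2 deref=0 filter="(cn=berlamont*)"
Jan 8 06:48:17 host slapd[6484]: send_ldap_result: conn=1 op=1 p=3
Jan 8 06:48:17 host slapd[6484]: send_ldap_result: err=10 matched="" text=""
Jan 8 06:48:17 host slapd[6484]: send_ldap_response: msgid=2 tag=101 err=32
Jan 8 06:48:17 host slapd[6484]: conn=1 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan 8 06:48:17 host slapd[6484]: connection_read(8): input error=-2 id=1, closing.
Jan 8 06:48:17 host slapd[6484]: conn=1 op=2 UNBIND
Jan 8 06:48:17 host slapd[6484]: =>ldap_back_conn_destroy: fetching conn 1
Jan 8 06:48:17 host slapd[6484]: conn=1 fd=8 closed ()
"""

RE_RES_OP = re.compile(r'send_ldap_result: conn=(\d+) op=(\d+)')
RE_RES_ERR = re.compile(r'send_ldap_result: err=(\d+)')
RE_RESP = re.compile(r'send_ldap_response: msgid=\d+ tag=\d+ err=(\d+)')
RE_OP = re.compile(r'conn=(\d+) op=(\d+) (BIND|SRCH|UNBIND|SEARCH RESULT|RESULT)\b(.*)')
RE_KV = re.compile(r'(\w+)=(\d+)')


def _new_record(kind):
    return {'kind': kind, 'internal_err': None, 'wire_err': None,
            'nentries': None, 'backend_seen': False}


def analyze(log_text):
    """Return {(conn, op): record} for every operation found in log_text."""
    ops = {}
    in_flight = None   # (conn, op) currently being processed by slapd
    emitting = None    # (conn, op) whose result is currently being sent
    for line in log_text.splitlines():
        # Drop the syslog prefix "Mon DD HH:MM:SS host slapd[pid]: ".
        msg = line.split(']: ', 1)[1] if ']: ' in line else line

        m = RE_RES_OP.search(msg)
        if m:
            emitting = (int(m.group(1)), int(m.group(2)))
            continue
        m = RE_RES_ERR.search(msg)
        if m and emitting in ops:
            ops[emitting]['internal_err'] = int(m.group(1))
            continue
        m = RE_RESP.search(msg)
        if m and emitting in ops:
            ops[emitting]['wire_err'] = int(m.group(1))
            continue
        m = RE_OP.search(msg)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            kind, rest = m.group(3), m.group(4)
            if kind in ('BIND', 'SRCH', 'UNBIND'):
                ops[key] = _new_record(kind)
                in_flight = key
            else:  # RESULT / SEARCH RESULT closes the operation
                rec = ops.setdefault(key, _new_record('?'))
                for k, v in RE_KV.findall(rest):
                    if k == 'err':
                        rec['wire_err'] = int(v)
                    elif k == 'nentries':
                        rec['nentries'] = int(v)
                in_flight = None
            continue
        # Any back-ldap trace line while an op is in flight means the
        # request reached the ldap database.
        if 'ldap_back_' in msg and in_flight in ops:
            ops[in_flight]['backend_seen'] = True
    return ops


def explain(rec):
    """Return human-readable observations about one operation record."""
    notes = []
    if (rec['internal_err'] == LDAP_REFERRAL
            and rec['wire_err'] == LDAP_NO_SUCH_OBJECT):
        notes.append('internal result was referral (10) with no referral URL; '
                     'slapd reports noSuchObject (32) to an LDAPv3 client')
    if rec['kind'] == 'SRCH' and not rec['backend_seen']:
        notes.append('no ldap_back_* trace between SRCH and SEARCH RESULT: '
                     'the search was answered without reaching back-ldap')
    return notes


if __name__ == '__main__':
    for key, rec in sorted(analyze(SAMPLE_LOG).items()):
        print(key, rec)
        for note in explain(rec):
            print('   ', note)
```

The pairing is the check worth making on a log like this: slapd's result path turns an LDAP_REFERRAL (10) result that carries no referral URL into noSuchObject (32) for an LDAPv3 client, which is exactly the err=10 / err=32 pair the posted search shows, and the only `ldap_back_` line in the excerpt is the connection teardown after UNBIND, not anything between the SRCH and its SEARCH RESULT. Run the script over a full slapd log (loglevel 4095 as in the post) to see which operations were handled entirely in the frontend and which actually reached the ldap database.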