I have a user who tries to connect from an IP x.x.x.31, but they keep getting rejected. The ACL is using IPs to allow anonymous read-only connections. I have a client at another host that's also in the ACL by IP which is set to use an anonymous connection and that works. What should I be looking for with this client that's not working? Also, I built OpenLDAP without SASL on purpose. This is serving a simple database that could potentially have lots of reads and no writes from a couple of trusted hosts. Any help in this matter would be greatly appreciated!
This is OpenLDAP from FreeBSD ports built supposedly without SASL.
Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 ACCEPT from IP=x.x.x.31:1691 (IP=0.0.0.0:389)
Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH attr=supportedCapabilities
Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH attr=supportedSASLMechanisms
Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 BIND dn="" method=137
Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 RESULT tag=97 err=7 text=unknown authentication method
Dec 11 13:34:19 x slapd[2566]: conn=28 op=3 UNBIND
Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 closed
-- Mark Hennessy
Mark Hennessy wrote:
I have a user who tries to connect from an IP x.x.x.31, but they keep getting rejected. The ACL is using IPs to allow anonymous read-only connections. I have a client at another host that's also in the ACL by IP which is set to use an anonymous connection and that works. What should I be looking for with this client that's not working? Also, I built OpenLDAP without SASL on purpose. This is serving a simple database that could potentially have lots of reads and no writes from a couple of trusted hosts. Any help in this matter would be greatly appreciated!
This is OpenLDAP from FreeBSD ports built supposedly without SASL.
Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 ACCEPT from IP=x.x.x.31:1691 (IP=0.0.0.0:389)
Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH attr=supportedCapabilities
Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH attr=supportedSASLMechanisms
Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 BIND dn="" method=137
Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 RESULT tag=97 err=7 text=unknown authentication method
Dec 11 13:34:19 x slapd[2566]: conn=28 op=3 UNBIND
Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 closed
The log shows they're trying to Bind with a "method=137" and correctly getting an unknown authentication method response back. I.e., they're trying to Bind with a mechanism that slapd doesn't recognize. It's certainly not an anonymous LDAP Simple Bind. Seems like a broken client.
They're trying to connect from an AD client running on a Windows machine.
I see a message from back in 2000 that indicates that method 137 may be NTLM.
How would I get slapd to support method 137? Would it require anything like Kerberos to be built-in?
Thanks again!
-- Mark Hennessy
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Monday, December 11, 2006 7:42 PM
To: Mark Hennessy
Cc: openldap-software@openldap.org
Subject: Re: Question about OpenLDAP
Mark Hennessy wrote:
I have a user who tries to connect from an IP x.x.x.31, but they keep getting rejected. The ACL is using IPs to allow anonymous read-only connections. I have a client at another host that's also in the ACL by IP which is set to use an anonymous connection and that works. What should I be looking for with this client that's not working? Also, I built OpenLDAP without SASL on purpose. This is serving a simple database that could potentially have lots of reads and no writes from a couple of trusted hosts. Any help in this matter would be greatly appreciated!
This is OpenLDAP from FreeBSD ports built supposedly without SASL.
Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 ACCEPT from IP=x.x.x.31:1691 (IP=0.0.0.0:389)
Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH attr=supportedCapabilities
Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH attr=supportedSASLMechanisms
Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 BIND dn="" method=137
Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 RESULT tag=97 err=7 text=unknown authentication method
Dec 11 13:34:19 x slapd[2566]: conn=28 op=3 UNBIND
Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 closed
The log shows they're trying to Bind with a "method=137" and correctly getting an unknown authentication method response back. I.e., they're trying to Bind with a mechanism that slapd doesn't recognize. It's certainly not an anonymous LDAP Simple Bind. Seems like a broken client.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
My client was able to resolve the connection issue he was having by changing the binding from "Anonymous" to "None" in his configuration.
Thanks for your assistance in this matter!
-- Mark Hennessy
Sorry for the top-posting on my part.
Here are some more details about the resolution in case anyone is interested:
"The default setting in .NET 1.1 was Bind.None when no authentication method was supplied. In the new .NET 2.0 the default method is Bind.Secure. Therefore, I needed to explicitly declare Bind.None. The only issue with this is that if we ever use a username and password it will be sent in clear text."
I hope this is helpful for anyone who encounters a similar issue.
-- Mark Hennessy
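A small triage script, added here and not part of the thread, that reads slapd stats-log lines like the ones above and classifies each connection's bind attempt the way Howard's reading of method=137 / err=7 and the .NET 2.0 Bind.Secure default in this message suggest. The sample log is constructed from the thread's lines plus a second, working anonymous connection; the method numbers are the BindRequest authentication choice tags slapd logs in decimal (128 simple, 163 SASL, 137-139 Microsoft's Sicily/NTLM negotiation steps, which is what a Windows "Secure" bind sends first).

```python
import re
from collections import defaultdict

# Constructed sample: conn=28 is the failing Windows/.NET client from the thread,
# conn=29 is a hypothetical working anonymous simple bind for comparison.
SAMPLE_LOG = """\
Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 ACCEPT from IP=x.x.x.31:1691 (IP=0.0.0.0:389)
Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 BIND dn="" method=137
Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 RESULT tag=97 err=7 text=unknown authentication method
Dec 11 13:34:19 x slapd[2566]: conn=28 op=3 UNBIND
Dec 11 13:34:19 x slapd[2566]: conn=29 fd=11 ACCEPT from IP=x.x.x.40:2001 (IP=0.0.0.0:389)
Dec 11 13:34:20 x slapd[2566]: conn=29 op=0 BIND dn="" method=128
Dec 11 13:34:20 x slapd[2566]: conn=29 op=0 RESULT tag=97 err=0 text=
"""

# BindRequest authentication choices as slapd logs them: 0x80 simple, 0xa3 SASL.
# 0x89-0x8b are Microsoft's Sicily (NTLM-style) negotiation, not standard LDAP.
SICILY = {137: "sicilyPackageDiscovery", 138: "sicilyNegotiate", 139: "sicilyResponse"}

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([^:\s]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")  # tag 97 = BindResponse

def triage_binds(log_text):
    """Return {conn_id: {...}} with peer, bind method, result code and a diagnosis."""
    conns = defaultdict(dict)
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            conns[int(m.group(1))]["peer"] = m.group(2)
        elif m := BIND_RE.search(line):
            c = conns[int(m.group(1))]
            c["bind_op"], c["dn"], c["method"] = int(m.group(2)), m.group(3), int(m.group(4))
        elif m := RESULT_RE.search(line):
            c = conns[int(m.group(1))]
            if c.get("bind_op") == int(m.group(2)):   # only the result of the bind op
                c["err"] = int(m.group(3))
    for c in conns.values():
        method = c.get("method")
        if method is None:
            c["diagnosis"] = "no bind seen"
        elif method == 128:
            c["diagnosis"] = ("anonymous simple bind" if c["dn"] == ""
                              else "simple bind (password in clear unless TLS is used)")
        elif method == 163:
            c["diagnosis"] = "SASL bind"
        elif method in SICILY:
            c["diagnosis"] = f"{SICILY[method]} ({method}): Windows 'Secure' negotiate, not a standard LDAP method"
        else:
            c["diagnosis"] = f"unknown bind method {method}"
        if c.get("err") == 7:   # LDAP result 7 = authMethodNotSupported
            c["diagnosis"] += "; server answered authMethodNotSupported (err=7)"
    return dict(conns)
```

Run it over a stats-level slapd log (loglevel 256) to separate clients that never reach an anonymous simple bind from ACL problems, which would show up as err=50 on the search rather than err=7 on the bind.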
Mark Hennessy wrote:
Sorry for the top-posting on my part.
Here are some more details about the resolution in case anyone is interested:
"The default setting in .NET 1.1 was Bind.None when no authentication method was supplied. In the new .NET 2.0 the default method is Bind.Secure. Therefore, I needed to explicitly declare Bind.None. The only issue with this is that if we ever use a username and password it will be sent in clear text."
I hope this is helpful for anyone who encounters a similar issue.
It would be wise to build slapd with SASL support if you actually need secure Binds.