--On Wednesday, February 21, 2007 11:52 PM +0100 Pierangelo Masarati ando@sys-net.it wrote:
Quanah Gibson-Mount wrote:
--On Wednesday, February 21, 2007 2:39 PM -0800 Quanah Gibson-Mount quanah@stanford.edu wrote:
I'm trying to set up a very simple slapd that takes incoming requests locally, and forwards them on to a remote server using SASL/GSSAPI to get the information, so that an internal app that doesn't understand SASL/GSSAPI can get the information it needs.
Never mind, I forgot to load the core schema. duh. :P
The proxy was a bit too dumb ;)
Heh.
The problem I'm having now is I can't get it to perform SASL/GSSAPI auth to the remote proxy.
If I have:
# /etc/ldap/slapd.conf -- LDAP proxy slapd configuration file.
# $Id$

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/krb5-kdc.schema
include /etc/ldap/schema/suacct.schema

# Global Options
modulepath /usr/lib/ldap
moduleload back_ldap.la

readonly on
access to * by * read

# LDAP Proxy Options
database ldap
suffix "dc=stanford,dc=edu"
uri "ldap://ldap-test1.stanford.edu"
idassert-bind bindmethod=none
It correctly talks to the remote server with an anonymous bind. However, if I change things around:
idassert-bind bindmethod=sasl saslmech=gssapi realm=stanford.edu authcID=proxy credentials=proxy mode=self
I get:
ldapsearch -LLL -x -h localhost -b "dc=stanford,dc=edu" uid=quanah
Inappropriate authentication (48)
The KRB5CCNAME is set in slapd's environment, so it has access to the ticket cache it needs to use to perform SASL/GSSAPI. It is not talking to the remote server at all.
Is there something here I'm missing?
I've also tried:
idassert-bind bindmethod=sasl saslmech=gssapi realm=stanford.edu authcID=service/mailrouter@stanford.edu
authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu
But then I get:
Authentication method not supported (7)
And again, it didn't talk to the remote server.
Thanks, Quanah
-- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
Quanah Gibson-Mount wrote:
--On Wednesday, February 21, 2007 11:52 PM +0100 Pierangelo Masarati ando@sys-net.it wrote:
Quanah Gibson-Mount wrote:
--On Wednesday, February 21, 2007 2:39 PM -0800 Quanah Gibson-Mount quanah@stanford.edu wrote:
I'm trying to set up a very simple slapd that takes incoming requests locally, and forwards them on to a remote server using SASL/GSSAPI to get the information, so that an internal app that doesn't understand SASL/GSSAPI can get the information it needs.
Never mind, I forgot to load the core schema. duh. :P
The proxy was a bit too dumb ;)
Heh.
The problem I'm having now is I can't get it to perform SASL/GSSAPI auth to the remote proxy.
If I have:
# /etc/ldap/slapd.conf -- LDAP proxy slapd configuration file.
# $Id$

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/krb5-kdc.schema
include /etc/ldap/schema/suacct.schema

# Global Options
modulepath /usr/lib/ldap
moduleload back_ldap.la

readonly on
access to * by * read

# LDAP Proxy Options
database ldap
suffix "dc=stanford,dc=edu"
uri "ldap://ldap-test1.stanford.edu"
idassert-bind bindmethod=none
It correctly talks to the remote server with an anonymous bind. However, if I change things around:
idassert-bind bindmethod=sasl saslmech=gssapi realm=stanford.edu authcID=proxy credentials=proxy mode=self
I get:
ldapsearch -LLL -x -h localhost -b "dc=stanford,dc=edu" uid=quanah
Inappropriate authentication (48)
The KRB5CCNAME is set in slapd's environment, so it has access to the ticket cache it needs to use to perform SASL/GSSAPI. It is not talking to the remote server at all.
Is there something here I'm missing?
I've also tried:
idassert-bind bindmethod=sasl saslmech=gssapi realm=stanford.edu authcID=service/mailrouter@stanford.edu
authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu
But then I get:
Authentication method not supported (7)
And again, it didn't talk to the remote server.
I have never tested back-ldap with GSSAPI; however, config parsing exploits the slap_bindconf() code that's used throughout slapd (e.g. in syncrepl), and the related SASL bind code was basically adapted from the same source, and it is known to work with other SASL mechs. I guess the devil is in the details, as usual. Can you debug it a little bit further, e.g. by running with -d "stats,args,trace", or even more?
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati@sys-net.it ------------------------------------------
--On Thursday, February 22, 2007 12:23 AM +0100 Pierangelo Masarati ando@sys-net.it wrote:
I have never tested back-ldap with GSSAPI; however, config parsing exploits the slap_bindconf() code that's used throughout slapd (e.g. in syncrepl), and the related SASL bind code was basically adapted from the same source, and it is known to work with other SASL mechs. I guess the devil is in the details, as usual. Can you debug it a little bit further, e.g. by running with -d "stats,args,trace", or even more?
Sure. Which configuration do you want me to try it with? ;) Here is -d -1 with this config:
idassert-bind bindmethod=sasl saslmech=gssapi realm=stanford.edu authcID=service/mailrouter@stanford.edu
authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu
daemon: activity on 1 descriptor
slap_listener(ldap:///)daemon: listen=7, new connection on 8
ldap_pvt_gethostbyname_a: host=smtp-dev.stanford.edu, r=0 daemon: added 8r (active) listener=(nil) conn=0 fd=8 ACCEPT from IP=127.0.0.1:43402 (IP=0.0.0.0:389) daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: activity on: 8r daemon: read activity on 8 connection_get(8) connection_get(8): got connid=0 connection_read(8): checking for input on id=0 ber_get_next ldap_read: want=8, got=8 0000: 30 0c 02 01 01 60 07 02 0....`.. ldap_read: want=6, got=6 0000: 01 03 04 00 80 00 ...... ber_get_next: tag 0x30 len 12 contents: ber_dump: buf=0x08193c48 ptr=0x08193c48 end=0x08193c54 len=12 0000: 02 01 01 60 07 02 01 03 04 00 80 00 ...`........ ber_get_next ldap_read: want=8 error=Resource temporarily unavailable ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable) daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL do_bind ber_scanf fmt ({imt) ber: ber_dump: buf=0x08193c48 ptr=0x08193c4b end=0x08193c54 len=9 0000: 60 07 02 01 03 04 00 80 00 `........ ber_scanf fmt (m}) ber: ber_dump: buf=0x08193c48 ptr=0x08193c52 end=0x08193c54 len=2 0000: 00 00 ..
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <> do_bind: version=3 dn="" method=128 conn=0 op=0 BIND dn="" method=128 send_ldap_result: conn=0 op=0 p=3 send_ldap_result: err=0 matched="" text="" send_ldap_response: msgid=1 tag=97 err=0 ber_flush: 14 bytes to sd 8 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........ ldap_write: want=14, written=14 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........ conn=0 op=0 RESULT tag=97 err=0 text= do_bind: v3 anonymous bind daemon: activity on 1 descriptor daemon: activity on: 8r daemon: read activity on 8 connection_get(8) connection_get(8): got connid=0 connection_read(8): checking for input on id=0 ber_get_next ldap_read: want=8, got=8 0000: 30 39 02 01 02 63 34 04 09...c4. ldap_read: want=51, got=51 0000: 12 64 63 3d 73 74 61 6e 66 6f 72 64 2c 64 63 3d .dc=stanford,dc= 0010: 65 64 75 0a 01 02 0a 01 00 02 01 00 02 01 00 01 edu............. 0020: 01 00 a3 0d 04 03 75 69 64 04 06 71 75 61 6e 61 ......uid..quana 0030: 68 30 00 h0. ber_get_next: tag 0x30 len 57 contents: ber_dump: buf=0x08195738 ptr=0x08195738 end=0x08195771 len=57 0000: 02 01 02 63 34 04 12 64 63 3d 73 74 61 6e 66 6f ...c4..dc=stanfo 0010: 72 64 2c 64 63 3d 65 64 75 0a 01 02 0a 01 00 02 rd,dc=edu....... 0020: 01 00 02 01 00 01 01 00 a3 0d 04 03 75 69 64 04 ............uid. 0030: 06 71 75 61 6e 61 68 30 00 .quanah0. ber_get_next ldap_read: want=8 error=Resource temporarily unavailable ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable) daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL do_search ber_scanf fmt ({miiiib) ber: ber_dump: buf=0x08195738 ptr=0x0819573b end=0x08195771 len=54 0000: 63 34 04 12 64 63 3d 73 74 61 6e 66 6f 72 64 2c c4..dc=stanford, 0010: 64 63 3d 65 64 75 0a 01 02 0a 01 00 02 01 00 02 dc=edu.......... 0020: 01 00 01 01 00 a3 0d 04 03 75 69 64 04 06 71 75 .........uid..qu 0030: 61 6e 61 68 30 00 anah0.
dnPrettyNormal: <dc=stanford,dc=edu>
=> ldap_bv2dn(dc=stanford,dc=edu,0) <= ldap_bv2dn(dc=stanford,dc=edu)=0 => ldap_dn2bv(272) <= ldap_dn2bv(dc=stanford,dc=edu)=0 => ldap_dn2bv(272) <= ldap_dn2bv(dc=stanford,dc=edu)=0 <<< dnPrettyNormal: <dc=stanford,dc=edu>, <dc=stanford,dc=edu> SRCH "dc=stanford,dc=edu" 2 0 0 0 0 begin get_filter EQUALITY ber_scanf fmt ({mm}) ber: ber_dump: buf=0x08195738 ptr=0x08195760 end=0x08195771 len=17 0000: a3 0d 04 03 75 69 64 04 06 71 75 61 6e 61 68 30 ....uid..quanah0 0010: 00 . end get_filter 0 filter: (uid=quanah) ber_scanf fmt ({M}}) ber: ber_dump: buf=0x08195738 ptr=0x0819576f end=0x08195771 len=2 0000: 00 00 .. attrs: conn=0 op=1 SRCH base="dc=stanford,dc=edu" scope=2 deref=0 filter="(uid=quanah)" ==> limits_get: conn=0 op=1 dn="[anonymous]" ldap_create ldap_url_parse_ext(ldap://ldap-test1.stanford.edu) =>ldap_back_getconn: conn 0x81a17c0 inserted refcnt=1 binding=1 send_ldap_result: conn=0 op=1 p=3 send_ldap_result: err=7 matched="" text="" send_ldap_response: msgid=2 tag=101 err=7 ber_flush: 14 bytes to sd 8 0000: 30 0c 02 01 02 65 07 0a 01 07 04 00 04 00 0....e........ ldap_write: want=14, written=14 0000: 30 0c 02 01 02 65 07 0a 01 07 04 00 04 00 0....e........ conn=0 op=1 SEARCH RESULT tag=101 err=7 nentries=0 text= daemon: activity on 1 descriptor daemon: activity on: 8r daemon: read activity on 8 connection_get(8) connection_get(8): got connid=0 connection_read(8): checking for input on id=0 ber_get_next ldap_read: want=8, got=7 0000: 30 05 02 01 03 42 00 0....B. ber_get_next: tag 0x30 len 5 contents: ber_dump: buf=0x08195898 ptr=0x08195898 end=0x0819589d len=5 0000: 02 01 03 42 00 ...B. ber_get_next ldap_read: want=8, got=0 do_unbind conn=0 op=2 UNBIND ber_get_next on fd 8 failed errno=0 (Success) connection_read(8): input error=-2 id=0, closing. 
connection_closing: readying conn=0 sd=8 for close connection_close: deferring conn=0 sd=8 daemon: select: listen=6 active_threads=0 tvp=NULL connection_resched: attempting closing conn=0 sd=8 daemon: select: listen=7 active_threads=0 tvp=NULL connection_close: conn=0 sd=8 daemon: activity on 1 descriptor =>ldap_back_conn_destroy: fetching conn 0 daemon: waked daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL daemon: removing 8 conn=0 fd=8 closed
I don't actually see any activity on ldap-test1, either.
--Quanah
-- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
Quanah Gibson-Mount wrote:
Sure. Which configuration do you want me to try it with? ;) Here is -d -1 with this config:
idassert-bind bindmethod=sasl saslmech=gssapi realm=stanford.edu authcID=service/mailrouter@stanford.edu
authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu
First of all, what's missing here is the "mode" parameter; what do you want the proxy to do? bind as "service/mailrouter@stanford.edu", SASL authorize as "dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" and then? proxy authorize as the incoming request? just keep the "cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" identity?
daemon: activity on 1 descriptor
slap_listener(ldap:///)daemon: listen=7, new connection on 8
ldap_pvt_gethostbyname_a: host=smtp-dev.stanford.edu, r=0 daemon: added 8r (active) listener=(nil) conn=0 fd=8 ACCEPT from IP=127.0.0.1:43402 (IP=0.0.0.0:389) daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: activity on: 8r daemon: read activity on 8 connection_get(8) connection_get(8): got connid=0 connection_read(8): checking for input on id=0 ber_get_next ldap_read: want=8, got=8 0000: 30 0c 02 01 01 60 07 02 0....`.. ldap_read: want=6, got=6 0000: 01 03 04 00 80 00 ...... ber_get_next: tag 0x30 len 12 contents: ber_dump: buf=0x08193c48 ptr=0x08193c48 end=0x08193c54 len=12 0000: 02 01 01 60 07 02 01 03 04 00 80 00 ...`........ ber_get_next ldap_read: want=8 error=Resource temporarily unavailable ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable) daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL do_bind ber_scanf fmt ({imt) ber: ber_dump: buf=0x08193c48 ptr=0x08193c4b end=0x08193c54 len=9 0000: 60 07 02 01 03 04 00 80 00 `........ ber_scanf fmt (m}) ber: ber_dump: buf=0x08193c48 ptr=0x08193c52 end=0x08193c54 len=2 0000: 00 00 ..
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <> do_bind: version=3 dn="" method=128 conn=0 op=0 BIND dn="" method=128 send_ldap_result: conn=0 op=0 p=3 send_ldap_result: err=0 matched="" text="" send_ldap_response: msgid=1 tag=97 err=0 ber_flush: 14 bytes to sd 8 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........ ldap_write: want=14, written=14 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........ conn=0 op=0 RESULT tag=97 err=0 text= do_bind: v3 anonymous bind daemon: activity on 1 descriptor daemon: activity on: 8r daemon: read activity on 8 connection_get(8) connection_get(8): got connid=0 connection_read(8): checking for input on id=0 ber_get_next ldap_read: want=8, got=8 0000: 30 39 02 01 02 63 34 04 09...c4. ldap_read: want=51, got=51 0000: 12 64 63 3d 73 74 61 6e 66 6f 72 64 2c 64 63 3d .dc=stanford,dc= 0010: 65 64 75 0a 01 02 0a 01 00 02 01 00 02 01 00 01 edu............. 0020: 01 00 a3 0d 04 03 75 69 64 04 06 71 75 61 6e 61 ......uid..quana 0030: 68 30 00 h0. ber_get_next: tag 0x30 len 57 contents: ber_dump: buf=0x08195738 ptr=0x08195738 end=0x08195771 len=57 0000: 02 01 02 63 34 04 12 64 63 3d 73 74 61 6e 66 6f ...c4..dc=stanfo 0010: 72 64 2c 64 63 3d 65 64 75 0a 01 02 0a 01 00 02 rd,dc=edu....... 0020: 01 00 02 01 00 01 01 00 a3 0d 04 03 75 69 64 04 ............uid. 0030: 06 71 75 61 6e 61 68 30 00 .quanah0. ber_get_next ldap_read: want=8 error=Resource temporarily unavailable ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable) daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL do_search ber_scanf fmt ({miiiib) ber: ber_dump: buf=0x08195738 ptr=0x0819573b end=0x08195771 len=54 0000: 63 34 04 12 64 63 3d 73 74 61 6e 66 6f 72 64 2c c4..dc=stanford, 0010: 64 63 3d 65 64 75 0a 01 02 0a 01 00 02 01 00 02 dc=edu.......... 0020: 01 00 01 01 00 a3 0d 04 03 75 69 64 04 06 71 75 .........uid..qu 0030: 61 6e 61 68 30 00 anah0.
dnPrettyNormal: <dc=stanford,dc=edu>
=> ldap_bv2dn(dc=stanford,dc=edu,0) <= ldap_bv2dn(dc=stanford,dc=edu)=0 => ldap_dn2bv(272) <= ldap_dn2bv(dc=stanford,dc=edu)=0 => ldap_dn2bv(272) <= ldap_dn2bv(dc=stanford,dc=edu)=0 <<< dnPrettyNormal: <dc=stanford,dc=edu>, <dc=stanford,dc=edu> SRCH "dc=stanford,dc=edu" 2 0 0 0 0 begin get_filter EQUALITY ber_scanf fmt ({mm}) ber: ber_dump: buf=0x08195738 ptr=0x08195760 end=0x08195771 len=17 0000: a3 0d 04 03 75 69 64 04 06 71 75 61 6e 61 68 30 ....uid..quanah0 0010: 00 . end get_filter 0 filter: (uid=quanah) ber_scanf fmt ({M}}) ber: ber_dump: buf=0x08195738 ptr=0x0819576f end=0x08195771 len=2 0000: 00 00 .. attrs: conn=0 op=1 SRCH base="dc=stanford,dc=edu" scope=2 deref=0 filter="(uid=quanah)" ==> limits_get: conn=0 op=1 dn="[anonymous]" ldap_create ldap_url_parse_ext(ldap://ldap-test1.stanford.edu) =>ldap_back_getconn: conn 0x81a17c0 inserted refcnt=1 binding=1 send_ldap_result: conn=0 op=1 p=3 send_ldap_result: err=7 matched="" text=""
^^^ This is where the problem occurs; you seem to be using old code, since that log message in ldap_back_getconn() changed from 2.3.32 and 2.3.33. I'd recommend you use 2.3.34 anyway, although I'm not sure it's going to fix your problem.
The issue seems to occur between ldap_back_getconn() and the ldap_sasl_interactive_bind_s() that occurs during the proxy authz bind. Unfortunately, there seems to be very little trace level debug in between, so a gdb session might be required...
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati@sys-net.it ------------------------------------------
--On Thursday, February 22, 2007 12:59 AM +0100 Pierangelo Masarati ando@sys-net.it wrote:
Quanah Gibson-Mount wrote:
Sure. Which configuration do you want me to try it with? ;) Here is -d -1 with this config:
idassert-bind bindmethod=sasl saslmech=gssapi realm=stanford.edu authcID=service/mailrouter@stanford.edu
authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu
First of all, what's missing here is the "mode" parameter; what do you want the proxy to do? bind as "service/mailrouter@stanford.edu", SASL authorize as "dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" and then? proxy authorize as the incoming request? just keep the "cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" identity?
What I want it to do is bind using the Krb5 ticket cache specified in slapd's environment, and use whatever identity gets *automatically* negotiated on the remote server's side. All this authcID and authzID stuff is really unnecessary, since the remote server handles it anyway.
What "service/mailrouter@stanford.edu" gets mapped to on the remote server IS "cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" by the authz-regexp rule on the remote server.
--Quanah
-- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
On Thursday 22 February 2007 02:51, Quanah Gibson-Mount wrote:
--On Thursday, February 22, 2007 12:59 AM +0100 Pierangelo Masarati ando@sys-net.it wrote:
Quanah Gibson-Mount wrote:
Sure. Which configuration do you want me to try it with? ;) Here is -d -1 with this config:
idassert-bind bindmethod=sasl saslmech=gssapi realm=stanford.edu authcID=service/mailrouter@stanford.edu
authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu
First of all, what's missing here is the "mode" parameter; what do you want the proxy to do? bind as "service/mailrouter@stanford.edu", SASL authorize as "dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" and then? proxy authorize as the incoming request? just keep the "cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" identity?
What I want it to do is bind using the Krb5 ticket cache specified in slapd's environment, and use whatever identity gets *automatically* negotiated on the remote server's side. All this authcID and authzID stuff is really unnecessary, since the remote server handles it anyway.
Hm, if I understand you correctly, then you probably want to set "mode=none" in idassert-bind. The following config worked for me with OpenLDAP 2.3.33 proxying to an Active Directory:
idassert-authzFrom dn.regex:.*
idassert-bind bindmethod=SASL saslmech=GSSAPI mode=none
Note that the idassert-authzFrom that I used will allow every user (even non-authenticated) to exploit the identity assertion feature. IIRC that means all queries against your proxy (regardless of how they authenticated) will get to the proxied server authenticated and authorized as the identity that is referenced in the Kerberos ticket cache that your proxy uses. At least that is how I interpreted the man pages and how my test setup behaved.
So you probably want to restrict the idassert-authzFrom option in your environment.
What "service/mailrouter@stanford.edu" gets mapped to on the remote server IS "cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" by the authz-regexp rule on the remote server.
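A configuration lint for the setting Ralf describes, added here as an example; it is not code from the thread or from OpenLDAP. It assumes the slapd.conf directive syntax of slapd-ldap(5), and the two embedded configurations, hostnames and DNs are constructed samples rather than the thread's own. The weak stanza reproduces the catch-all idassert-authzFrom, the hardened one restricts assertion to a single local DN.

```python
import re
from typing import Dict, List

# Constructed sample configs, modelled on the proxy slapd.conf in the thread;
# hostnames and DNs are placeholders, not the thread's.
WEAK_CONF = """\
database ldap
suffix "dc=example,dc=com"
uri "ldap://ldap-backend.example.com"
idassert-authzFrom dn.regex:.*
idassert-bind bindmethod=SASL saslmech=GSSAPI mode=none
"""

HARDENED_CONF = """\
database ldap
suffix "dc=example,dc=com"
uri "ldap://ldap-backend.example.com"
# only the local mail router's own identity may use the asserted identity
idassert-authzFrom "dn.exact:cn=mailrouter,ou=apps,dc=example,dc=com"
idassert-bind bindmethod=SASL saslmech=GSSAPI mode=none
"""


def parse_ldap_databases(conf: str) -> List[Dict]:
    """Split slapd.conf into 'database ldap' stanzas, keeping only the
    idassert-* directives.  Lines starting with whitespace continue the
    previous line, as slapd.conf(5) specifies."""
    lines: List[str] = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[:1].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    dbs: List[Dict] = []
    cur = None
    for line in lines:
        parts = line.split(None, 1)
        key, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "database":
            cur = {"type": rest.strip(), "authzFrom": [], "bind": {}}
            dbs.append(cur)
        elif cur is None:
            continue
        elif key == "idassert-authzfrom":
            cur["authzFrom"].append(rest.strip().strip('"'))
        elif key == "idassert-bind":
            for tok in rest.split():
                k, _, v = tok.partition("=")
                cur["bind"][k.lower()] = v
    return [d for d in dbs if d["type"] == "ldap"]


def rule_admits_anonymous(rule: str) -> bool:
    """True when an idassert-authzFrom rule also matches the empty DN, i.e.
    an unauthenticated client.  Only the dn.regex form can do that; slapd
    matches with regexec(3), so an unanchored '.*' matches everything."""
    if rule.lower().startswith("dn.regex:"):
        return re.search(rule[len("dn.regex:"):], "") is not None
    return False


def lint_idassert(conf: str) -> List[str]:
    """One finding per ldap database whose identity assertion is open to
    anonymous clients: every matched query reaches the backend under the
    identity the proxy binds with (here its Kerberos credentials)."""
    findings: List[str] = []
    for db in parse_ldap_databases(conf):
        open_rules = [r for r in db["authzFrom"] if rule_admits_anonymous(r)]
        if open_rules:
            bind = db["bind"]
            findings.append(
                f"idassert-authzFrom {open_rules[0]!r} admits anonymous "
                f"clients (bindmethod={bind.get('bindmethod', '?')} "
                f"mode={bind.get('mode', 'default')})")
    return findings
```

Run `lint_idassert` over each config: the weak stanza yields one finding naming the `dn.regex:.*` rule, the hardened stanza yields none.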
--On Thursday, February 22, 2007 3:17 PM +0100 Ralf Haferkamp rhafer@suse.de wrote:
Hm, if I understand you correctly, then you probably want to set "mode=none" in idassert-bind. The following config worked for me with OpenLDAP 2.3.33 proxying to an Active Directory:
idassert-authzFrom dn.regex:.*
idassert-bind bindmethod=SASL saslmech=GSSAPI mode=none
Note that the idassert-authzFrom that I used will allow every user (even non-authenticated) to exploit the identity assertion feature. IIRC that means all queries against your proxy (regardless of how they authenticated) will get to the proxied server authenticated and authorized as the identity that is referenced in the Kerberos ticket cache that your proxy uses. At least that is how I interpreted the man pages and how my test setup behaved.
So you probably want to restrict the idassert-authzFrom option in your environment.
That's actually exactly what I want. The system is restricted to local binds only, so it is fine for any connection to use the authzFrom.
I'm getting an error with this config, unfortunately.
sh-2.05b# cat /etc/ldap/slapd.conf
# /etc/ldap/slapd.conf -- LDAP proxy slapd configuration file.
# $Id$

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/krb5-kdc.schema
include /etc/ldap/schema/suacct.schema

# Global Options
modulepath /usr/lib/ldap
moduleload back_ldap.la

readonly on
access to * by * read

# LDAP Proxy Options
database ldap
suffix "dc=stanford,dc=edu"
uri "ldap://ldap-test1.stanford.edu"
idassert-authzFrom dn.regex:.*
idassert-bind bindmethod=SASL saslmech=GSSAPI mode=none
which is:
Internal (implementation specific) error (80)
conn=0 op=1 SRCH base="dc=stanford,dc=edu" scope=2 deref=0 filter="(objectClass=*)" ==> limits_get: conn=0 op=1 dn="[anonymous]" ldap_create ldap_url_parse_ext(ldap://ldap-test1.stanford.edu) =>ldap_back_getconn: conn 0x81a1718 inserted refcnt=1 binding=1 ===>slap_sasl_match: comparing DN to rule dn.regex:.* slap_parseURI: parsing dn.regex:.* <===slap_sasl_match: comparison returned 0 ldap_sasl_interactive_bind_s: user selected: GSSAPI ldap_int_sasl_bind: GSSAPI ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap-test1.stanford.edu:389 ldap_new_socket: 9 ldap_prepare_socket: 9 ldap_connect_to_host: Trying 171.64.11.148:389 ldap_connect_timeout: fd: 9 tm: -1 async: 0 ldap_int_sasl_open: host=ldap-test1.Stanford.EDU send_ldap_result: conn=0 op=1 p=3 send_ldap_result: err=80 matched="" text="" send_ldap_response: msgid=2 tag=101 err=80 ber_flush: 14 bytes to sd 8 0000: 30 0c 02 01 02 65 07 0a 01 50 04 00 04 00 0....e...P.... ldap_write: want=14, written=14 0000: 30 0c 02 01 02 65 07 0a 01 50 04 00 04 00 0....e...P.... conn=0 op=1 SEARCH RESULT tag=101 err=80 nentries=0 text= daemon: activity on 1 descriptor daemon: activity on: 8r daemon: read activity on 8 connection_get(8) connection_get(8): got connid=0 connection_read(8): checking for input on id=0 ber_get_next ldap_read: want=8, got=7 0000: 30 05 02 01 03 42 00 0....B. ber_get_next: tag 0x30 len 5 contents: ber_dump: buf=0x081a1a38 ptr=0x081a1a38 end=0x081a1a3d len=5 0000: 02 01 03 42 00 ...B. ber_get_next ldap_read: want=8, got=0
ber_get_next on fd 8 failed errno=0 (Success) connection_read(8): input error=-2 id=0, closing. connection_closing: readying conn=0 sd=8 for close connection_close: deferring conn=0 sd=8 daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: waked daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL do_unbind conn=0 op=2 UNBIND connection_resched: attempting closing conn=0 sd=8 connection_close: conn=0 sd=8 =>ldap_back_conn_destroy: fetching conn 0 daemon: removing 8 conn=0 fd=8 closed
On the remote server side, I see:
Feb 22 10:12:07 ldap-test1 slapd[20556]: conn=31708 fd=38 ACCEPT from IP=171.67.16.99:41602 (IP=0.0.0.0:389)
but no further steps in the negotiation process.
--Quanah
-- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
--On Thursday, February 22, 2007 10:13 AM -0800 Quanah Gibson-Mount quanah@stanford.edu wrote:
I re-set this up using my own build of OpenLDAP, and it all works, so something is wrong with the package my co-worker is using. Thanks for the config! :)
--Quanah
-- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html