Hi, I have some problems understanding strong binds and proxy authc with back-ldap. It seems that back-ldap is not passing the bind credentials to the remote server, thus only an anonymous bind is enforced. On the other hand, an ldapwhoami results in success
,----[ ldapwhoami on back-ldap ]
| ldapwhoami -Y digest-md5 -U dieter -w secret -H ldap://localhost:9004
| SASL/DIGEST-MD5 authentication started
| SASL username: dieter
| SASL SSF: 128
| SASL data security layer installed.
| dn:cn=dieter kluenter,ou=partner,dc=dkluenter,dc=de
`----
while an ldapsearch results in no success
ldapsearch -Y digest-md5 -Udieter -w pfeife -H ldap://localhost:9004 -b dc=dkluenter,dc=de -s sub sn=las* mail telephonenumber
,----[ log with loglevel acl ]
| slapd[7050]: => acl_mask: access to entry "cn=Deszo Laszlo,ou=adressbuch,o=avci,c=de", attr "sn" requested
| slapd[7050]: => acl_mask: to all values by "", (=0)
| slapd[7050]: <= check a_dn_pat: cn=admanager,o=avci,c=de
| slapd[7050]: <= check a_dn_pat: users
| slapd[7050]: <= acl_mask: no more <who> clauses, returning =0 (stop)
| slapd[7050]: => slap_access_allowed: search access denied by =0
| slapd[7050]: => access_allowed: no more rules
`----
the back-ldap configuration,
,----[ back-ldap slapd.conf ]
| .....
| modulepath      /opt/openldap/libexec/openldap
| moduleload      back_meta.la
| moduleload      back_ldap.la
| moduleload      pcache.la
| moduleload      rwm.la
| authz-regexp    uid=(.*),cn=.*,cn=auth
|                 ldap:///dc=dkluenter,dc=de??sub?uid=$1
|
| access to * by * read
|
| database        ldap
| suffix          dc=dkluenter,dc=de
| rootdn          cn=admin,dc=dkluenter,dc=de
| uri             ldap://localhost:389
| acl-bind
|     bindmethod=sasl
|     saslmech=digest-md5
|     authcId=admanager
|     credentials=mailer
| #idassert-authzFrom dn.regex:cn=(.*),ou=(*)?dc=dkluenter,dc=de
| idassert-bind
|     bindmethod=sasl
|     saslmech=digest-md5
|     authzId=u:admanager
|     authz=native
|     credentials=mailer
| proxy-whoami    yes
|
| overlay         rwm
| rwm-rewriteEngine on
| rwm-suffixmassage "dc=dkluenter,dc=de" "o=avci,c=de"
|
| overlay         pcache
| proxycache      bdb 10000 22 50 3600
| proxycachequeries 10000
| proxyattrset    0 mail telephonenumber
| proxyattrset    1 mobile homephone
| proxytemplate   (sn=) 0 3600
| proxytemplate   (cn=) 1 3600
| directory       /opt/openldap/var/cache
| cachesize       1000
| dbconfig        set_cachesize 0 1048576 0
| index           objectClass,queryid eq
| index           telephonenumber pres,eq
| index           cn,sn,mail pres,eq,sub
| #
| database        monitor
`----
the relevant access rules on the remote server
,----[ slapd.conf access rules ]
| access to dn.subtree="ou=adressbuch,o=avci,c=de"
|     by dn.exact="cn=adManager,o=avci,c=de" write
|     by users read
`----
Not to mention that the same search operation on the remote server is successful.
-Dieter
Dieter Kluenter wrote:
Hi, I have some problems understanding strong binds and proxy authc with back-ldap. It seems that back-ldap is not passing the bind credentials to the remote server, thus only an anonymous bind is enforced. On the other hand, an ldapwhoami results in success
ldapwhoami doesn't use idassert; it binds and performs the whoami exop on its own, eventually applying the proxyAuthz control if requested...
,----[ back-ldap slapd.conf ]
| .....
| modulepath      /opt/openldap/libexec/openldap
| moduleload      back_meta.la
| moduleload      back_ldap.la
| moduleload      pcache.la
| moduleload      rwm.la
| authz-regexp    uid=(.*),cn=.*,cn=auth
|                 ldap:///dc=dkluenter,dc=de??sub?uid=$1
|
| access to * by * read
|
| database        ldap
| suffix          dc=dkluenter,dc=de
| rootdn          cn=admin,dc=dkluenter,dc=de
| uri             ldap://localhost:389
| acl-bind
|     bindmethod=sasl
|     saslmech=digest-md5
|     authcId=admanager
|     credentials=mailer
| #idassert-authzFrom dn.regex:cn=(.*),ou=(*)?dc=dkluenter,dc=de
| idassert-bind
|     bindmethod=sasl
|     saslmech=digest-md5
|     authzId=u:admanager
^^^ you should use authcId=admanager (or whatever identity you want to use as the proxy identity) much like for acl-bind... With the above, as far as I understand, you sort of try to bind anonymously and authz as admanager, which is unlikely to succeed (but I think it's trapped earlier by the proxy and nothing is actually sent to the remote server with respect to identity assertion; then the failure at the server's side).
Hope this helps.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
Hello,
Pierangelo Masarati ando@sys-net.it writes:
Dieter Kluenter wrote:
| uri             ldap://localhost:389
| acl-bind
|     bindmethod=sasl
|     saslmech=digest-md5
|     authcId=admanager
|     credentials=mailer
| #idassert-authzFrom dn.regex:cn=(.*),ou=(*)?dc=dkluenter,dc=de
| idassert-bind
|     bindmethod=sasl
|     saslmech=digest-md5
|     authzId=u:admanager
^^^ you should use authcId=admanager (or whatever identity you want to use as the proxy identity) much like for acl-bind... With the above, as far as I understand, you sort of try to bind anonymously and authz as admanager, which is unlikely to succeed (but I think it's trapped earlier by the proxy and nothing is actually sent to the remote server with respect to identity assertion; then the failure at the server's side).
Hope this helps.
I used authcId already, to no avail. I tested almost every possible parameter combination. On the remote server, password assertion of admanager and dieter is successfully performed, but after password assertion no bind operation with any of those identities is performed.
,----[ password assertion by admanager ]
| slapd[7079]: => slap_access_allowed: no res from state (userPassword)
| slapd[7079]: => acl_mask: access to entry "cn=Dieter Kluenter,ou=Partner,o=avci,c=de", attr "userPassword" requested
| slapd[7079]: => acl_mask: to value by "cn=admanager,o=avci,c=de", (=0)
| slapd[7079]: <= check a_dn_pat: self
| slapd[7079]: <= check a_dn_pat: users
| slapd[7079]: <= acl_mask: [2] applying read(=rscxd) (stop)
| slapd[7079]: <= acl_mask: [2] mask: read(=rscxd)
| slapd[7079]: => slap_access_allowed: read access granted by read(=rscxd)
| slapd[7079]: => access_allowed: read access granted by read(=rscxd)
`----
,----[ anonymous search ]
| slapd[7079]: => acl_mask: access to entry "cn=Deszo Laszlo,ou=adressbuch,o=avci,c=de", attr "sn" requested
| slapd[7079]: => acl_mask: to all values by "", (=0)
| slapd[7079]: <= check a_dn_pat: cn=admanager,o=avci,c=de
| slapd[7079]: <= check a_dn_pat: users
| slapd[7079]: <= acl_mask: no more <who> clauses, returning =0 (stop)
| slapd[7079]: => slap_access_allowed: search access denied by =0
| slapd[7079]: => access_allowed: no more rules
`----
I have got the impression that the idassert-bind parameters are never passed to the remote server. If I disable the acl-bind parameters and only use the idassert-bind parameters, back-ldap complains about "SASL [conn=0] Failure: no secret in database", but no connection is made to the remote server in order to verify the credentials.
I must admit that on the remote server I have successfully configured SASL proxy authentication by means of ldapdb. All I want to do is to put back-ldap on a Postfix server and use SASL auxprop ldapdb against back-ldap.
-Dieter
Hello,
Pierangelo Masarati ando@sys-net.it writes:
Dieter Kluenter wrote:
Hi,
| acl-bind
|     bindmethod=sasl
|     saslmech=digest-md5
|     authcId=admanager
|     credentials=xxx
| #idassert-authzFrom dn.regex:cn=(.*),ou=(*)?dc=dkluenter,dc=de
| idassert-bind
|     bindmethod=sasl
|     saslmech=digest-md5
|     authzId=u:admanager
I got it working properly in the end. acl-bind rules as above;
idassert-bind bindmethod=sasl saslmech=digest-md5 authcId=admanager credentials=xxx mode=self
The manual page slapd-ldap is not quite clear about the mode parameters, so I was relying on the default; that's why I configured authzId=u:admanager.
-Dieter
Dieter Kluenter wrote:
Hello,
Pierangelo Masarati ando@sys-net.it writes:
Dieter Kluenter wrote:
Hi,
| acl-bind
|     bindmethod=sasl
|     saslmech=digest-md5
|     authcId=admanager
|     credentials=xxx
| #idassert-authzFrom dn.regex:cn=(.*),ou=(*)?dc=dkluenter,dc=de
| idassert-bind
|     bindmethod=sasl
|     saslmech=digest-md5
|     authzId=u:admanager
I got it working properly in the end. acl-bind rules as above;
idassert-bind bindmethod=sasl saslmech=digest-md5 authcId=admanager credentials=xxx mode=self
The manual page slapd-ldap is not quite clear about the mode parameters, so I was relying on the default; that's why I configured authzId=u:admanager.
Sorry for misleading you. I also thought the default was "self". This definitely needs clarification.
Cheers, p.
Ing. Pierangelo Masarati OpenLDAP Core Team
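Added example (editor's note, not from the thread or the OpenLDAP project): the two idassert-bind stanzas from the thread side by side in slapd.conf syntax, the one that left the remote server seeing an anonymous search and the one Dieter reports working, plus the two checks a practitioner would want around it. The idassert-authzFrom regex, the placeholder credentials, and the remote-side authz-policy/authzTo fragment are assumptions, not taken from the thread; the remote regex is written in the remote naming context because the thread's logs show the client DN arriving there already massaged to o=avci,c=de by rwm.

```conf
# --- back-ldap proxy side (slapd.conf), identity-assertion part only ---
database        ldap
suffix          "dc=dkluenter,dc=de"
uri             ldap://localhost:389

# Identity the proxy itself uses for ACL checks; unchanged from the thread.
acl-bind        bindmethod=sasl saslmech=digest-md5
                authcId=admanager credentials=xxx

# BEFORE (the original post): no authcId, so the proxy has nothing to
# authenticate as; authzId pins the asserted identity to admanager for
# every client. Result seen on the remote server: an anonymous search.
#idassert-bind  bindmethod=sasl saslmech=digest-md5
#               authzId=u:admanager authz=native credentials=xxx

# AFTER (what Dieter reports working): authenticate as admanager,
# then assert the *client's* own identity on the remote server.
idassert-bind   bindmethod=sasl saslmech=digest-md5
                authcId=admanager credentials=xxx
                mode=self

# Caveat (assumed value): without idassert-authzFrom, any identity the
# proxy knows can be asserted. Limit it to the subtree of real users.
idassert-authzFrom "dn.regex:^cn=[^,]+,ou=partner,dc=dkluenter,dc=de$"

# --- remote server side (ldap://localhost:389), assumed fragment ---
# Identity assertion only works if the remote server lets admanager
# act on behalf of others. With authz-policy "to", the admanager entry
# must carry an authzTo attribute matching the asserted DNs (which the
# thread's logs show in the remote context after rwm suffixmassage).
#
#   authz-policy    to
#
#   dn: cn=admanager,o=avci,c=de
#   authzTo: dn.regex:^cn=[^,]+,ou=partner,o=avci,c=de$
```

With the AFTER stanza in place, the remote ACL log from the thread should show the search evaluated "by" the client's own DN instead of by "" (anonymous), which is exactly what the "by users read" clause on the remote server requires. If idassert-authzFrom is added, an ldapsearch through the proxy as an identity outside ou=partner should fail at the proxy rather than reach the remote server.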
openldap-software@openldap.org