Disable or remove Bind DN syntax check
by Giuseppe
Hi to all,
for my company I'm trying to set up an LDAP proxy to our Active Directory implementation. After some time I have found several problems on some critical applications that do not support multiple OUs and CNs formed by "Surname Name", caused by the bad structure and nomenclature of the AD, but we can't change it.
To work around the problem I have used the rwm module to rewrite the client bind DN part of the query to the AD format name.surname@domain, but the proxy returns:
[root@client ~]# ldapsearch -H ldap://192.168.29.134 -D "CN=Name.Surname,OU=subou,OU=Users HOUSE,DC=domain,DC=int" -W
ldap_bind: Invalid syntax (21)
        additional info: bindDN massage error
some logs:
Nov  3 21:32:33 proxy slapd[1309]: conn=1001 op=0 do_bind
Nov  3 21:32:33 proxy slapd[1309]: >>> dnPrettyNormal: <CN=Name.Surname,OU=subou,OU=Users HOUSE,DC=domain,DC=int>
Nov  3 21:32:33 proxy slapd[1309]: <<< dnPrettyNormal: <cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int>, <cn=Name.Surname,ou=subou,ou=users house,dc=domain,dc=int>
Nov  3 21:32:33 proxy slapd[1309]: conn=1001 op=0 BIND dn="cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int" method=128
Nov  3 21:32:33 proxy slapd[1309]: do_bind: version=3 dn="cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int" method=128
Nov  3 21:32:33 proxy slapd[1309]: daemon: activity on 1 descriptor
Nov  3 21:32:33 proxy slapd[1309]: daemon: activity on:
Nov  3 21:32:33 proxy slapd[1309]: ==> rewrite_context_apply [depth=1] string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int'
Nov  3 21:32:33 proxy slapd[1309]:
Nov  3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)]
Nov  3 21:32:33 proxy slapd[1309]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov  3 21:32:33 proxy slapd[1309]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov  3 21:32:33 proxy slapd[1309]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov  3 21:32:33 proxy slapd[1309]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov  3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)]
Nov  3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)]
Nov  3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)]
Nov  3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)]
Nov  3 21:32:33 proxy slapd[1309]: ==> rewrite_context_apply [depth=1] res={0,'Name.Surname@domain.int'}
Nov  3 21:32:33 proxy slapd[1309]: [rw] bindDN: "cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int" -> "Name.Surname@domain.int"
Nov  3 21:32:33 proxy slapd[1309]: >>> dnPrettyNormal: <Name.Surname@domain.int>
Nov  3 21:32:33 proxy slapd[1309]: send_ldap_result: conn=1001 op=0 p=3
Nov  3 21:32:33 proxy slapd[1309]: send_ldap_result: err=21 matched="" text="bindDN massage error"
Nov  3 21:32:33 proxy slapd[1309]: send_ldap_response: msgid=1 tag=97 err=21
Nov  3 21:32:33 proxy slapd[1309]: conn=1001 op=0 RESULT tag=97 err=21 text=bindDN massage error
I have downloaded the source code to try to remove or skip this check, but with my few programming skills, after a month I haven't found the solution.
So is there a way (or a better way) to accomplish this need?
Best regards,
Giuseppe.
Config file of my test env:
### Schema includes ###########################################################
#include         /etc/ldap/schema/corba.schema
#include         /etc/ldap/schema/core.schema
#include         /etc/ldap/schema/cosine.schema
#include         /etc/ldap/schema/duaconf.schema
#include         /etc/ldap/schema/dyngroup.schema
#include         /etc/ldap/schema/inetorgperson.schema
#include         /etc/ldap/schema/java.schema
#include         /etc/ldap/schema/misc.schema
#include         /etc/ldap/schema/nis.schema
#include         /etc/ldap/schema/openldap.schema
#include         /etc/ldap/schema/ppolicy.schema
#include         /etc/ldap/schema/collective.schema
#include         /etc/openldap/schema/ad.schema
include          /etc/openldap/schema/corba.schema
include          /etc/openldap/schema/core.schema
include          /etc/openldap/schema/cosine.schema
#include         /etc/ldap/schema/duaconf.schema
#include         /etc/ldap/schema/dyngroup.schema
include          /etc/openldap/schema/inetorgperson.schema
#include         /etc/ldap/schema/java.schema
include          /etc/openldap/schema/misc.schema
include          /etc/openldap/schema/nis.schema
#include         /etc/ldap/schema/openldap.schema
#include         /etc/ldap/schema/ppolicy.schema
#include         /etc/ldap/schema/collective.schema
include          /etc/openldap/schema/ad.schema
#
## Module paths ##############################################################
#modulepath      /usr/lib/ldap/
moduleload       back_ldap
moduleload       rwm
overlay          rwm
rwm-rewriteEngine   on
rwm-rewriteContext  bindDN
rwm-rewriteRule  "^([C,c][N,n]=)([^.]*)\\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$" "$2.$3@domain.int" ":@I"
#rwm-rewriteRule "^([C,c][N,n]=)([^.]*)\\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$" "domain\\$2.$3" ":@I"
#rwm-rewriteRule "^([C,c][N,n]=)([^.]*)\\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$" "CN=$3 $2$4$5" ":@I"
# Main settings ###############################################################
pidfile          /var/run/openldap/slapd.pid
argsfile         /var/run/openldap/slapd.args
allow bind_v2
### Database definition (Proxy to AD) #########################################
database         config
database         ldap
readonly         yes
protocol-version 3
rebind-as-user
uri              "ldap://192.168.29.133:389"
suffix           "dc=domain,dc=int"
rootdn           "CN=Administrator,CN=Users,DC=domain,DC=int"
rootpw           "hidden"
idassert-bind bindmethod=simple
    binddn="CN=Administrator,CN=Users,DC=domain,DC=int"
    credentials="hidden"
    mode=none
    flags=non-prescriptive
idassert-authzFrom "*"
#overlay         rwm
rwm-map          attribute    uid    sAMAccountName
rwm-map          attribute    mail   proxyAddresses
### Logging ###################################################################
loglevel         -1
2 years, 2 months
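An added check, not from the thread or from OpenLDAP, that runs the two rewrite rules from the posted slapd.conf in Python and tests whether the output still has DN shape. The log above shows why the active rule fails: rwm hands its result to dnPrettyNormal, and a UPN such as Name.Surname@domain.int is not a DN, hence err=21, while the commented-out "CN=$3 $2$4$5" rule keeps a DN. The DN check here is a deliberately minimal RFC 4514 approximation, not slapd's normalizer.

```python
import re

# Constructed bind DN mirroring the one in the posted ldapsearch (names are placeholders).
CLIENT_BIND_DN = "cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int"

# The rwm-rewriteRule pattern from the posted slapd.conf, verbatim (slapd's "\\."
# is "\." once unquoted); "[C,c]" is a class of C, comma and c, which still matches.
PATTERN = re.compile(
    r"^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$")
# slapd's $N back-references become \N for Python's Match.expand().
RULE_UPN = r"\2.\3@domain.int"   # the active rule: produces a UPN, not a DN
RULE_DN = r"CN=\3 \2\4\5"        # the commented-out third rule: "Surname Name", still a DN

# Minimal RFC 4514 shape check: every RDN, split on unescaped commas, must be
# type=value with the type a descriptor (cn, ou, dc, ...) or a numeric OID.
RDN_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)=.+$")


def rewrite(dn, template):
    # Apply one rule; as in slapd, a non-matching input passes through unchanged.
    m = PATTERN.match(dn)
    return m.expand(template) if m else dn


def is_dn_shaped(value):
    return all(RDN_RE.match(r.strip()) for r in re.split(r"(?<!\\),", value))


def check_rule(dn, template):
    # (rewritten value, whether it passes the DN shape check: a rough stand-in for dnPrettyNormal)
    out = rewrite(dn, template)
    return out, is_dn_shaped(out)


if __name__ == "__main__":
    for label, tmpl in (("UPN rule", RULE_UPN), ("DN rule", RULE_DN)):
        out, ok = check_rule(CLIENT_BIND_DN, tmpl)
        print(f"{label}: {out!r} -> {'DN-shaped' if ok else 'not a DN (slapd: err=21)'}")
```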
ppolicy issues
by Kresimir Petkovic
Hi guys,
I'm having issues trying to set up multiple databases with different
password hash algos.
My first db has to have plaintext passwords and I'm using
password-hash {CLEARTEXT}
overlay ppolicy
ppolicy_hash_cleartext
and my second one needs to use SHA for password hash. I have it like
this in slapd.conf
password-hash {SHA}
overlay ppolicy
ppolicy_hash_cleartext
When I insert a user in LDAP via ldapadd it stores the plaintext password for
that user in the userPassword attribute.
Can I have different password-hash directives for each database? Or does my
ppolicy overlay not work?
Thanks in advance.
BR,
Kreso
2 years, 3 months
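An added audit helper, not from the thread: it walks an LDIF export like the one ldapsearch would give for the two databases, flags entries whose userPassword is stored unhashed (no scheme prefix, or the explicit {CLEARTEXT} scheme), and verifies {SHA} and {SSHA} values against a candidate password, so the effect of password-hash and ppolicy_hash_cleartext on each database can be confirmed from the data. The sample LDIF, its DNs and the password "secret" are constructed.

```python
import base64
import hashlib

# Constructed LDIF export resembling the poster's two databases: alice (db 1) and carol
# are stored unhashed; bob has the {SHA} hash of "secret", base64-wrapped as
# "userPassword::", which is how ldapsearch typically prints it.
SHA_SECRET = "{SHA}" + base64.b64encode(hashlib.sha1(b"secret").digest()).decode()
SAMPLE_LDIF = (
    "dn: uid=alice,dc=first,dc=example\nuserPassword: secret\n\n"
    "dn: uid=bob,dc=second,dc=example\nuserPassword:: "
    + base64.b64encode(SHA_SECRET.encode()).decode() + "\n\n"
    "dn: uid=carol,dc=second,dc=example\nuserPassword: {CLEARTEXT}secret\n"
)

def parse_userpasswords(ldif):
    # (dn, userPassword) pairs; "attr::" lines carry base64 per RFC 2849.
    dn, out = None, []
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):
            out.append((dn, base64.b64decode(line[15:]).decode()))
        elif line.startswith("userPassword: "):
            out.append((dn, line[14:]))
    return out

def scheme_of(value):
    # "{SHA}", "{SSHA}", "{CLEARTEXT}", ... or "" when slapd stored the value as given.
    return value[:value.index("}") + 1].upper() if value.startswith("{") and "}" in value else ""

def make_ssha(password, salt):
    # {SSHA} = base64(sha1(password + salt) + salt), the layout slapd's {SSHA} scheme uses.
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def verify(value, password):
    # Check a password against one userPassword value (only the schemes handled here).
    scheme = scheme_of(value)
    data, pw = value[len(scheme):], password.encode()
    if scheme in ("", "{CLEARTEXT}"):
        return data == password
    raw = base64.b64decode(data)
    if scheme == "{SHA}":
        return raw == hashlib.sha1(pw).digest()
    if scheme == "{SSHA}":                   # 20-byte digest followed by the salt
        return raw[:20] == hashlib.sha1(pw + raw[20:]).digest()
    raise ValueError("unsupported scheme " + scheme)

def cleartext_entries(ldif):
    # DNs whose password is not hashed: no scheme prefix, or the explicit {CLEARTEXT} scheme.
    return [dn for dn, v in parse_userpasswords(ldif) if scheme_of(v) in ("", "{CLEARTEXT}")]
```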
openldap on RHEL 8 - can't get TLS connectivity
by Heinemann, Peter G
Good Day,
Working on moving from RHEL6 to RHEL8. Given the drop in support for openldap in RHEL8 I've installed the symas-openldap distros.
Here are the versions in play:
cat /etc/redhat-release
Red Hat Enterprise Linux release 8.2 (Ootpa)
sudo yum list installed | grep openldap
openldap.x86_64 2.4.46-9.el8 @rhel-8-for-x86_64-baseos-rpms
symas-openldap.x86_64 2.4.55-1.el8 @sofl
symas-openldap-clients.x86_64 2.4.55-1.el8 @sofl
symas-openldap-servers.x86_64 2.4.55-1.el8 @sofl
$ openssl version
OpenSSL 1.1.1c FIPS 28 May 2019
I can't get any TLS connections to succeed, even if I try ldapsearch from the local (ldap server) host. The net error is cipher incompatibility; here's the output from a local ldapsearch:
ldap_url_parse_ext(ldaps://dev-pnldap1.net.isc.upenn.edu:636)
ldap_create
ldap_url_parse_ext(ldaps://dev-pnldap1.net.isc.upenn.edu:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP dev-pnldap1.net.isc.upenn.edu:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 130.91.185.254:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I had slapd running in the foreground for that ldapsearch; here's the output:
TLS trace: SSL_accept:before SSL initialization
tls_read: want=5, got=5
0000: 16 03 01 01 26 ....&
tls_read: want=294, got=294
0000: 01 00 01 22 03 03 cb 02 a0 2f ea 25 ad d7 c9 8e ..."...../.%....
0010: f0 32 a4 1e a9 46 be af 48 9e e6 23 53 44 d2 f7 .2...F..H..#SD..
0020: e0 9d 99 82 50 17 20 dd fa 96 00 76 ab ce a7 ec ....P. ....v....
0030: 2b b9 e6 51 e0 77 78 2d ca 73 4c f4 eb 62 ed 62 +..Q.wx-.sL..b.b
0040: 97 3b d4 ea ea 16 ab 00 48 13 02 13 03 13 01 13 .;......H.......
0050: 04 c0 2c c0 30 cc a9 cc a8 c0 ad c0 2b c0 2f c0 ..,.0.......+./.
0060: ac c0 23 c0 27 c0 0a c0 14 c0 09 c0 13 00 9d c0 ..#.'...........
0070: 9d 00 9c c0 9c 00 3d 00 3c 00 35 00 2f 00 9f cc ......=.<.5./...
0080: aa c0 9f 00 9e c0 9e 00 6b 00 67 00 39 00 33 00 ........k.g.9.3.
0090: ff 01 00 00 91 00 0b 00 04 03 00 01 02 00 0a 00 ................
00a0: 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 00 ..............#.
00b0: 00 00 16 00 00 00 17 00 00 00 0d 00 30 00 2e 04 ............0...
00c0: 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 ................
00d0: 04 08 05 08 06 04 01 05 01 06 01 03 03 02 03 03 ................
00e0: 01 02 01 03 02 02 02 04 02 05 02 06 02 00 2b 00 ..............+.
00f0: 05 04 03 04 03 03 00 2d 00 02 01 01 00 33 00 26 .......-.....3.&
0100: 00 24 00 1d 00 20 8a 31 32 cf fd 40 46 5d aa b6 .$... .12..@F]..
0110: 4b 31 fb a2 6d 47 92 f9 46 25 02 ce 62 7a cf 0b K1..mG..F%..bz..
0120: 93 38 00 37 7f 2f .8.7./
TLS trace: SSL_accept:before SSL initialization
tls_write: want=7, written=7
0000: 15 03 03 00 02 02 28 ......(
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in error
TLS: can't accept: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher.
5fa072c7 connection_read(11): TLS accept failure error=-1 id=1000, closing
I've tried various combinations of TLSProtocolMin (3.3, 3.2, and not specifying at all) and the result is the same.
I tried specifying the ciphers currently supported by openssl in TLSCipherSuite, same errors.
Running some outside utilities gives the same information.
nmap: no ciphers returned for the rhel8 system:
nmap --script ssl-enum-ciphers -p 636 dev-pnldap1.net.isc.upenn.edu -Pn
Starting Nmap 5.51 ( http://nmap.org ) at 2020-11-02 16:25 EST
Nmap scan report for dev-pnldap1.net.isc.upenn.edu (130.91.185.254)
Host is up (0.0014s latency).
PORT STATE SERVICE
636/tcp open ldapssl
Nmap done: 1 IP address (1 host up) scanned in 0.85 seconds
rhel6 system:
$ nmap --script ssl-enum-ciphers -p 636 dev-pnldap2.net.isc.upenn.edu -Pn
Starting Nmap 5.51 ( http://nmap.org ) at 2020-11-02 16:25 EST
Nmap scan report for dev-pnldap2.net.isc.upenn.edu (130.91.185.136)
Host is up (0.0019s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (14)
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Thanks in advance for any suggestions or corrections.
Peter
2 years, 3 months
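An added decoder, not from the thread, for the ClientHello bytes slapd dumped above (the 5-byte record header plus the 294-byte handshake, hex columns only). It shows what the client offered: supported_versions listing TLS 1.3 and 1.2, and 36 cipher suites that include TLS_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA from the RHEL6 host's nmap list, so the "no shared cipher" alert is a server-side decision rather than a client limitation. SUITE_NAMES is a small subset of the IANA registry; the parser reads only the fields needed here.

```python
import struct

# The record slapd printed in the post (tls_read 5 + 294 bytes); bytes.fromhex() skips whitespace.
CLIENT_HELLO = bytes.fromhex("""
16 03 01 01 26 01 00 01 22 03 03 cb 02 a0 2f ea 25 ad d7 c9 8e
f0 32 a4 1e a9 46 be af 48 9e e6 23 53 44 d2 f7 e0 9d 99 82 50 17 20 dd fa 96 00 76 ab ce a7 ec
2b b9 e6 51 e0 77 78 2d ca 73 4c f4 eb 62 ed 62 97 3b d4 ea ea 16 ab 00 48 13 02 13 03 13 01 13
04 c0 2c c0 30 cc a9 cc a8 c0 ad c0 2b c0 2f c0 ac c0 23 c0 27 c0 0a c0 14 c0 09 c0 13 00 9d c0
9d 00 9c c0 9c 00 3d 00 3c 00 35 00 2f 00 9f cc aa c0 9f 00 9e c0 9e 00 6b 00 67 00 39 00 33 00
ff 01 00 00 91 00 0b 00 04 03 00 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 00
00 00 16 00 00 00 17 00 00 00 0d 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08
04 08 05 08 06 04 01 05 01 06 01 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 06 02 00 2b 00
05 04 03 04 03 03 00 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 8a 31 32 cf fd 40 46 5d aa b6
4b 31 fb a2 6d 47 92 f9 46 25 02 ce 62 7a cf 0b 93 38 00 37 7f 2f
""")

SUITE_NAMES = {  # subset of IANA names, including ones the RHEL6 host advertises
    0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

def parse_client_hello(record):
    # Record layer: type 0x16 (handshake), 2-byte legacy version, 2-byte length.
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    legacy_version = (hello[0], hello[1])
    p = 2 + 32                               # legacy_version + 32-byte random
    p += 1 + hello[p]                        # legacy_session_id (1-byte length)
    cs_len = struct.unpack("!H", hello[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hello[p]                        # compression_methods (1-byte length)
    ext_len = struct.unpack("!H", hello[p:p + 2])[0]; p += 2
    versions, end = [], p + ext_len
    while p < end:
        etype, elen = struct.unpack("!HH", hello[p:p + 4]); p += 4
        if etype == 0x002B:                  # supported_versions: 1-byte length, 2-byte entries
            versions = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(p + 1, p + 1 + hello[p], 2)]
        p += elen
    return {"record_version": (record[1], record[2]), "legacy_version": legacy_version,
            "cipher_suites": suites, "supported_versions": versions}

def suite_names(suites):
    return [SUITE_NAMES.get(s, f"0x{s:04x}") for s in suites]
```

OpenSSL servers answer with this same alert when no certificate and key usable for any offered suite were loaded, so confirming that slapd actually read its TLSCertificateFile and TLSCertificateKeyFile is a cheaper first step than tuning TLSCipherSuite.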