openldap-technical April 2022

openldap-technical@openldap.org

27 participants
27 discussions

Re: SASL Authentication Pass-through
by Quanah Gibson-Mount 11 Apr '22

11 Apr '22

--On Monday, April 11, 2022 5:00 PM +0000 Dean Lewis <deanlewis(a)thomas-march.com> wrote: > > Thanks, that sounds like an easier method but I'm running 2.4.47 > unfortunately. I would strongly advise upgrading to OpenLDAP 2.5 or later and using remoteauth for this. Regards, Quanah

1 0

SASL Authentication Pass-through
by t04s＠thomas-march.com 10 Apr '22

10 Apr '22

Hi, Hopefully someone can help. I'm trying to get SASL passthrough working in OpenLDAP to Active Directory. AD is the primary directory but I need Linux users to be able to authenticate to AD (via OpenLDAP) such that they don't have to manage multiple passwords. However, I've set things up as per various guidance (here<https://www.openldap.com/doc/admin21/sasl.html>, here<https://archive.camratus.com/2017/01/24/openldap-lsc-active-directory-sync-…>, here<https://www.ltb-project.org/documentation/sasl_delegation.html> and here<https://www.hellovinoth.com/pass-through-openldap-authentication-using-sasl…>) and it doesn't seem to work for me on Debian 10. After configuring everything I can run the following successfully: ldapsearch -x -H ldap://server.company.com:389 -D cn=ldapbind,cn=Users,DC=company,DC=com -w examplebindpassword -b '' -s base ldapsearch -x -H ldap://server.company.com:389 -D cn=ldapbind,cn=Users,DC=company,DC=com -w examplebindpassword -b "OU=Users,OU=IT,OU=Departments,OU=Group,DC=company,DC=com" "(userPrincipalName=testuser(a)company.com)" ldapsearch -x -H ldap://server.company.com:389 -D "CN=Test User,OU=Users,OU=IT,OU=Departments,OU=Group,DC=company,DC=com" -w exampleuserpassword -b "CN=Test User,OU=Users,OU=IT,OU=Departments,OU=Group,DC=company,DC=com" -s base "(objectclass=*)" These all return the correct results from Active Directory, so this works fine. Finally, I can run: sudo testsaslauthd -u testuser(a)company.com<mailto:grahambrooke@thomas-march.com> -p exampleuserpassword and I get: 0: OK "Success." So finally I create the same user in local OpenLDAP as Test User and add the password as {SASL}testuser(a)company.com<mailto:{SASL}testuser@thomas-march.com> and try to test pass-through authentication to AD: ldapsearch -x -H ldap://localhost -b dc=testing-prod,dc=com -D uid=testuser,ou=users,dc=testing-prod,dc=com -w exampleuserpassword But this doesn't work. I get the error: ldap_bind: Invalid credentials (49) So SASL passthrough just isn't working and it isn't reading the password attribute as such because if I do: ldapsearch -x -H ldap://localhost -b dc=testing-prod,dc=com -D uid=testuser,ou=users,dc=testing-prod,dc=com -w {SASL}testuser(a)company.com This returns the local LDAP user. So it's reading the password literally as a password instead of interpreting it as SASL passthrough to AD. Have I missed some steps here? What am I missing? I have checked that --enable-spasswd has been compiled in by running ldd /usr/sbin/slapd: linux-vdso.so.1 (0x00007ffcbd7b8000) libldap_r-2.4.so.2 => /lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007f3e72bc2000) liblber-2.4.so.2 => /lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007f3e72bb1000) libdb-5.3.so => /lib/x86_64-linux-gnu/libdb-5.3.so (0x00007f3e729f5000) libodbc.so.2 => /lib/x86_64-linux-gnu/libodbc.so.2 (0x00007f3e72785000) libsasl2.so.2 => /lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f3e72768000) libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f3e725bb000) libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f3e7257f000) libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f3e72565000) libslapi-2.4.so.2 => /lib/x86_64-linux-gnu/libslapi-2.4.so.2 (0x00007f3e72543000) libltdl.so.7 => /lib/x86_64-linux-gnu/libltdl.so.7 (0x00007f3e72538000) libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f3e7252c000) libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f3e7250b000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3e72349000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f3e72344000) libp11-kit.so.0 => /lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007f3e72215000) libidn2.so.0 => /lib/x86_64-linux-gnu/libidn2.so.0 (0x00007f3e721f6000) libunistring.so.2 => /lib/x86_64-linux-gnu/libunistring.so.2 (0x00007f3e72072000) libtasn1.so.6 => /lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007f3e71e5f000) libnettle.so.6 => /lib/x86_64-linux-gnu/libnettle.so.6 (0x00007f3e71e25000) libhogweed.so.4 => /lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007f3e71dec000) libgmp.so.10 => /lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f3e71d69000) /lib64/ld-linux-x86-64.so.2 (0x00007f3e72dac000) libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007f3e71d50000) libffi.so.6 => /lib/x86_64-linux-gnu/libffi.so.6 (0x00007f3e71d46000) I can see libsasl2.so.2 there so I think that's fine. And, I've also run both saslauthd and slapd in debug mode but I get no useful output that I can see. It looks like saslauthd and slapd just aren't talking. Any help or pointers are really appreciated. t04s /---

2 1

Official way to import schema with cn=config
by David Timber 05 Apr '22

05 Apr '22

I had to write my own schema for my application and I was struggling to figure out how to import the schema I wrote to cn=config. I had though I was missing something until I found this. https://gist.github.com/jaseg/8577024 Notice the name of the script. Someone had to write this because there's no tool that you can use to import schemas when the slapd is configured with cn=config. You can get away with it by using include directive with slapd.conf. I know there's a way to do it with slaptest, but that method is just unacceptable. So, how I understood is, either you have to use slaptest to rebuild the entirety of the schema in ldif format, or you have to handcraft the schema in ldif by figuring out with {} index to start with. This is all backwards. slapadd and slapmodify are just cranky tools you can only use in specific cases(eg: restoring from mdb_copy backup data). In most cases, using those tools to manipulate cn=config is near impossible. I like the idea behind cn=config, but I believe that calling slapd.conf deprecated is just unfair with problems like these. Is there a set date/version for the drop of support for slapd.conf? I'd like to stick with slapd.conf if it's not going to happen in like 5 years time.

8 23

STARTTLS vs LDAPS
by thomaswilliampritchard＠gmail.com 01 Apr '22

01 Apr '22

At risk of beating a dead horse, I'd like to hear considerations on STARTTLS vs LDAPS. I'm also particularly interested if openldap plans to support LDAPS long term or if there's actually a deprecation effort going on around LDAPS where it would one day no longer be supported by openldap. This seems to be the most comprehensive post discussing the virtue of the two. https://security.stackexchange.com/questions/257749/is-ldaps-or-starttls-mo… I also found a post in this Archive from 2018 that seems to indicate a change of opinion where LDAPS should be preferred, and not deprecated. https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/… Does openldap agree that LDAPS should now be the preferred implementation and STARTLS should be discouraged? I do not have a security background and there is certainly a lot of room for me to misunderstand, but it seems like STARTTLS leaves the door open for a "tls downgrade attack" where a man in the middle could essentially reply to a client effectively saying start tls is not supported and then the client falls back to non tls communication (which is obviously unfortunate). Even if the backend server is properly not responding to clients until STARTTLS is initiated, the man in the middle could initiate a connection with STARTTLS to the ldap server and be talking plaintext to the client. Is that legitimately possible or am I missing a nuance? If one were to only support clients over LDAPS it seems this would be mitigated? Thanks for the considerations, looking forward to hearing the expert opinions on the topic.

9 20

delete glue entry
by Michael Ströder 01 Apr '22

01 Apr '22

HI! Had a MDB database with a glue entry in it on all replicas in a multi-provider setup (release 2.6.1). I could not update this entry anymore. Is it possible to delete a glue entry via LDAP? All subordinate entries were already removed before. Ciao, Michael.

2 1

RE26 testing call #1 (OpenLDAP 2.6.2)
by Quanah Gibson-Mount 01 Apr '22

01 Apr '22

This is the first testing call for OpenLDAP 2.6.2. Depending on the results, this may be the only testing call. Generally, get the code for RE26: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_6/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Thanks! OpenLDAP 2.6.2 Engineering Added libldap support for OpenSSL 3.0 (ITS#9436) Added slapd support for OpenSSL 3.0 (ITS#9436) Fixed ldapdelete to prune LDAP subentries (ITS#9737) Fixed libldap to drop connection when non-LDAP data is received (ITS#9803) Fixed libldap to allow newlines at end of included file (ITS#9811) Fixed slapd slaptest conversion of olcLastBind (ITS#9808) Fixed slapd to correctly init global_host earlier (ITS#9787) Fixed slapd bconfig locking for cn=config replication (ITS#9584) Fixed slapd usage of thread local counters (ITS#9789) Fixed slapd to clear runqueue task correctly (ITS#9785) Fixed slapd syncrepl handling of new sessions (ITS#9584) Fixed slapd to clear connections on bind (ITS#9799) Fixed slapd syncrepl ODSEE replication of unknown attr (ITS#9801) Fixed slapd-asyncmeta memory leak in keepalive setting (ITS#9802) Fixed slapd-ldap memory leak in keepalive setting (ITS#9802) Fixed slapd-meta SEGV on config rewrite (ITS#9802) Fixed slapd-meta ordering on config rewrite (ITS#9802) Fixed slapd-meta memory leak in keepalive setting (ITS#9802) Fixed slapd-monitor SEGV on shutdown (ITS#9809) Added slapo-autoca support for OpenSSL 3.0 (ITS#9436) Added slapo-otp support for OpenSSL 3.0 (ITS#9436) Fixed slapo-pcache SEGV on shutdown (ITS#9809) Fixed slapo-ppolicy operation handling to be consistent (ITS#9794) Build Enviornment Add ability to override default compile time paths (ITS#9675) Fix compiliation with certain versions of gcc (ITS#9790) Fix compilation with openssl exclusions (ITS#9791) Fix warnings from make jobserver (ITS#9788) Documentation admin26 Document new lloadd features (ITS#9780) Fixed slapd.conf(5)/slapd-config(5) syncrepl sizelimit/timelimit documentation (ITS#9804) Fixed slapd-sock(5) to clarify "sockresps result" behavior (ITS#8255) Regards, Quanah

6 9

RE25 Testing call #1 (OpenLDAP 2.5.12)
by Quanah Gibson-Mount 01 Apr '22

01 Apr '22

This is the first testing call for OpenLDAP 2.5.12. Depending on the results, this may be the only testing call. Generally, get the code for RE25: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_5/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Thanks! OpenLDAP 2.5.12 Engineering Fixed libldap to drop connection when non-LDAP data is received (ITS#9803) Fixed libldap to allow newlines at end of included file (ITS#9811) Fixed slapd slaptest conversion of olcLastBind (ITS#9808) Fixed slapd usage of thread local counters (ITS#9789) Fixed slapd to clear runqueue task correctly (ITS#9785) Fixed slapd bconfig locking for cn=config replication (ITS#9584) Fixed slapd syncrepl handling of new sessions (ITS#9584) Fixed slapd to clear connections on bind (ITS#9799) Fixed slapd syncrepl ODSEE replication of unknown attr (ITS#9801) Fixed slapd-asyncmeta memory leak in keepalive setting (ITS#9802) Fixed slapd-ldap memory leak in keepalive setting (ITS#9802) Fixed slapd-meta SEGV on config rewrite (ITS#9802) Fixed slapd-meta ordering on config rewrite (ITS#9802) Fixed slapd-meta memory leak in keepalive setting (ITS#9802) Fixed slapd-monitor SEGV on shutdown (ITS#9809) Fixed slapo-pcache SEGV on shutdown (ITS#9809) Fixed slapo-ppolicy operation handling to be consistent (ITS#9794) Build Environment Fix compilation with openssl exclusions (ITS#9791) Fix warnings from make jobserver (ITS#9788) Fix compiliation with certain versions of gcc (ITS#9790) Documentation Fixed slapd.conf(5)/slapd-config(5) syncrepl sizelimit/timelimit documentation (ITS#9804) Regards, Quanah

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2022