SASL Authentication Pass-through
by t04s@thomas-march.com
Hi,
Hopefully someone can help.
I'm trying to get SASL passthrough working in OpenLDAP to Active Directory. AD is the primary directory but I need Linux users to be able to authenticate to AD (via OpenLDAP) such that they don't have to manage multiple passwords.
However, I've set things up as per various guidance (here<https://www.openldap.com/doc/admin21/sasl.html>, here<https://archive.camratus.com/2017/01/24/openldap-lsc-active-directory-syn...>, here<https://www.ltb-project.org/documentation/sasl_delegation.html> and here<https://www.hellovinoth.com/pass-through-openldap-authentication-using-sa...>) and it doesn't seem to work for me on Debian 10.
After configuring everything I can run the following successfully:
ldapsearch -x -H ldap://server.company.com:389 -D cn=ldapbind,cn=Users,DC=company,DC=com -w examplebindpassword -b '' -s base
ldapsearch -x -H ldap://server.company.com:389 -D cn=ldapbind,cn=Users,DC=company,DC=com -w examplebindpassword -b "OU=Users,OU=IT,OU=Departments,OU=Group,DC=company,DC=com" "(userPrincipalName=testuser@company.com)"
ldapsearch -x -H ldap://server.company.com:389 -D "CN=Test User,OU=Users,OU=IT,OU=Departments,OU=Group,DC=company,DC=com" -w exampleuserpassword -b "CN=Test User,OU=Users,OU=IT,OU=Departments,OU=Group,DC=company,DC=com" -s base "(objectclass=*)"
These all return the correct results from Active Directory, so this works fine.
Finally, I can run:
sudo testsaslauthd -u testuser@company.com -p exampleuserpassword
and I get:
0: OK "Success."
So finally I create the same user in local OpenLDAP as Test User and add the password as {SASL}testuser@company.com and try to test pass-through authentication to AD:
ldapsearch -x -H ldap://localhost -b dc=testing-prod,dc=com -D uid=testuser,ou=users,dc=testing-prod,dc=com -w exampleuserpassword
But this doesn't work. I get the error:
ldap_bind: Invalid credentials (49)
So SASL passthrough just isn't working and it isn't reading the password attribute as such because if I do:
ldapsearch -x -H ldap://localhost -b dc=testing-prod,dc=com -D uid=testuser,ou=users,dc=testing-prod,dc=com -w {SASL}testuser@company.com
This returns the local LDAP user. So it's reading the password literally as a password instead of interpreting it as SASL passthrough to AD.
Have I missed some steps here? What am I missing?
I have checked that --enable-spasswd has been compiled in by running ldd /usr/sbin/slapd:
linux-vdso.so.1 (0x00007ffcbd7b8000)
libldap_r-2.4.so.2 => /lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007f3e72bc2000)
liblber-2.4.so.2 => /lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007f3e72bb1000)
libdb-5.3.so => /lib/x86_64-linux-gnu/libdb-5.3.so (0x00007f3e729f5000)
libodbc.so.2 => /lib/x86_64-linux-gnu/libodbc.so.2 (0x00007f3e72785000)
libsasl2.so.2 => /lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f3e72768000)
libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f3e725bb000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f3e7257f000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f3e72565000)
libslapi-2.4.so.2 => /lib/x86_64-linux-gnu/libslapi-2.4.so.2 (0x00007f3e72543000)
libltdl.so.7 => /lib/x86_64-linux-gnu/libltdl.so.7 (0x00007f3e72538000)
libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f3e7252c000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f3e7250b000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3e72349000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f3e72344000)
libp11-kit.so.0 => /lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007f3e72215000)
libidn2.so.0 => /lib/x86_64-linux-gnu/libidn2.so.0 (0x00007f3e721f6000)
libunistring.so.2 => /lib/x86_64-linux-gnu/libunistring.so.2 (0x00007f3e72072000)
libtasn1.so.6 => /lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007f3e71e5f000)
libnettle.so.6 => /lib/x86_64-linux-gnu/libnettle.so.6 (0x00007f3e71e25000)
libhogweed.so.4 => /lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007f3e71dec000)
libgmp.so.10 => /lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f3e71d69000)
/lib64/ld-linux-x86-64.so.2 (0x00007f3e72dac000)
libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007f3e71d50000)
libffi.so.6 => /lib/x86_64-linux-gnu/libffi.so.6 (0x00007f3e71d46000)
I can see libsasl2.so.2 there so I think that's fine.
And, I've also run both saslauthd and slapd in debug mode but I get no useful output that I can see. It looks like saslauthd and slapd just aren't talking.
Any help or pointers are really appreciated.
t04s
2 months, 3 weeks
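The post above shows every hop of the chain working except the last one: slapd never hands the bind password to saslauthd. Whether it does depends on slapd's own Cyrus SASL application config (pwcheck_method) and on the stored userPassword actually carrying the {SASL} scheme, which is exactly what the following script audits. It is an added example, not code from the original post or from OpenLDAP; the file locations are the Debian defaults and are assumptions, and the sample values are constructed.

```python
"""Offline sanity checks for OpenLDAP {SASL} pass-through to saslauthd.

Added example; not code from the original post or from OpenLDAP. Paths are the
Debian defaults (assumptions): slapd's Cyrus SASL application config lives in
/etc/ldap/sasl2/slapd.conf and saslauthd's socket is /var/run/saslauthd/mux.
"""
import os

SLAPD_SASL_CONF = "/etc/ldap/sasl2/slapd.conf"   # assumption: Debian layout
DEFAULT_MUX = "/var/run/saslauthd/mux"           # assumption: Debian layout


def parse_sasl_conf(text: str) -> dict:
    """Parse Cyrus SASL 'key: value' lines into a dict; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def split_sasl_password(value: str):
    """Split a userPassword of the form {SASL}authcid@realm into (authcid, realm).

    Returns None when the value does not carry the {SASL} scheme: slapd then
    compares the bind password against the stored value instead of handing it
    to the SASL library.
    """
    if not value.startswith("{SASL}"):
        return None
    ident = value[len("{SASL}"):]
    authcid, _, realm = ident.partition("@")
    return authcid, realm


def audit_passthrough(conf: dict, userpassword: str, mux_path: str = DEFAULT_MUX,
                      check_filesystem: bool = False) -> list:
    """Return human-readable findings; an empty list means nothing obviously wrong."""
    findings = []
    method = conf.get("pwcheck_method", "auxprop")   # Cyrus SASL default when unset
    if "saslauthd" not in method.split():
        findings.append(
            f"pwcheck_method is '{method}'; slapd only asks saslauthd when it lists 'saslauthd'")
    parts = split_sasl_password(userpassword)
    if parts is None:
        findings.append("userPassword lacks the {SASL} prefix; the value is treated as a literal password")
    elif not parts[1]:
        findings.append("no '@realm' in the {SASL} value; saslauthd will receive an empty realm")
    sock = conf.get("saslauthd_path", mux_path)       # Cyrus option naming the mux socket
    if check_filesystem:
        if not os.path.exists(sock):
            findings.append(f"saslauthd socket {sock} does not exist (is saslauthd running?)")
        elif not os.access(sock, os.R_OK | os.W_OK):
            findings.append(f"this user cannot open {sock}; slapd's service account needs that access too")
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else SLAPD_SASL_CONF
    pw = sys.argv[2] if len(sys.argv) > 2 else "{SASL}testuser@company.com"   # constructed sample
    try:
        with open(path) as fh:
            conf = parse_sasl_conf(fh.read())
    except FileNotFoundError:
        conf = {}
        print(f"{path} not found; slapd falls back to Cyrus SASL defaults (pwcheck_method auxprop)")
    for finding in audit_passthrough(conf, pw, check_filesystem=True):
        print("FINDING:", finding)
```

Run it as the slapd service account (on Debian, `openldap`) so the socket permission check reflects what slapd itself can reach; on Debian the saslauthd run directory is group `sasl`, so that account usually has to be added to that group before slapd can open the mux at all.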
Official way to import schema with cn=config
by David Timber
I had to write my own schema for my application and I was struggling to
figure out how to import the schema I wrote to cn=config. I had thought I
was missing something until I found this.
https://gist.github.com/jaseg/8577024
Notice the name of the script. Someone had to write this because there's
no tool that you can use to import schemas when the slapd is configured
with cn=config. You can get away with it by using include directive with
slapd.conf. I know there's a way to do it with slaptest, but that method
is just unacceptable. So, how I understood is, either you have to use
slaptest to rebuild the entirety of the schema in ldif format, or you
have to handcraft the schema in ldif by figuring out which {} index to
start with. This is all backwards.
slapadd and slapmodify are just cranky tools you can only use in
specific cases (e.g. restoring from mdb_copy backup data). In most cases,
using those tools to manipulate cn=config is near impossible.
I like the idea behind cn=config, but I believe that calling slapd.conf
deprecated is just unfair with problems like these. Is there a set
date/version for the drop of support for slapd.conf? I'd like to stick
with slapd.conf if it's not going to happen in like 5 years time.
2 months, 3 weeks
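The conversion the post complains about is mechanical: a slapd.conf-style `.schema` file is a list of `attributetype`, `objectclass` and `objectidentifier` directives, and the cn=config form is the same definitions as `olcAttributeTypes`/`olcObjectClasses` values on one `olcSchemaConfig` entry. The following script does that conversion; it is an added example written for this page, not the gist linked in the post and not an OpenLDAP tool. The sample schema and its private OID arc are constructed.

```python
"""Turn a slapd.conf-style .schema file into an LDIF entry under cn=schema,cn=config.

Added example; this is not the script linked in the post and not an OpenLDAP tool.
It handles attributetype, objectclass and objectidentifier macro directives, leaves
the {N} ordering index to slapd (a new child of cn=schema,cn=config may be added
without one and is appended), and folds long LDIF lines as RFC 2849 requires.
"""
import re


def _logical_lines(text: str):
    """Yield directives with continuation lines joined; comment lines are dropped."""
    current = []
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        if raw[:1] in (" ", "\t") and current:
            current.append(raw.strip())
            continue
        if current:
            yield " ".join(current)
        current = [raw.strip()] if raw.strip() else []
    if current:
        yield " ".join(current)


def _expand_oids(defn: str, macros: dict) -> str:
    """Replace 'macro:suffix' references with the numeric OID the macro stands for."""
    if not macros:
        return defn
    names = "|".join(re.escape(n) for n in sorted(macros, key=len, reverse=True))
    return re.sub(rf"\b({names}):([\d.]+)",
                  lambda m: f"{macros[m.group(1)]}.{m.group(2)}", defn)


def _fold(line: str, width: int = 76) -> str:
    """RFC 2849 line folding: continuation lines begin with a single space."""
    if len(line) <= width:
        return line
    chunks = [line[:width]]
    rest = line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(chunks)


def schema_to_ldif(schema_text: str, name: str) -> str:
    """Return an LDIF entry for cn=<name>,cn=schema,cn=config."""
    macros, attrs, classes = {}, [], []
    for line in _logical_lines(schema_text):
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        kw = keyword.lower()
        if kw == "objectidentifier":
            macro, _, oid = rest.partition(" ")
            macros[macro] = _expand_oids(oid.strip(), macros)  # macros may build on earlier ones
        elif kw == "attributetype":
            attrs.append(_expand_oids(rest, macros))
        elif kw == "objectclass":
            classes.append(_expand_oids(rest, macros))
        # other directives (ditcontentrule etc.) are out of scope for this example
    lines = [f"dn: cn={name},cn=schema,cn=config", "objectClass: olcSchemaConfig", f"cn: {name}"]
    lines += [f"olcAttributeTypes: {a}" for a in attrs]
    lines += [f"olcObjectClasses: {c}" for c in classes]
    return "\n".join(_fold(l) for l in lines) + "\n"


# Constructed sample schema under a placeholder private-enterprise OID arc (assumption).
SAMPLE_SCHEMA = """\
objectidentifier exampleRoot 1.3.6.1.4.1.99999
objectidentifier exampleAttrs exampleRoot:1
attributetype ( exampleAttrs:1 NAME 'exampleTag'
    DESC 'constructed test attribute'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectclass ( exampleRoot:2.1 NAME 'exampleEntry' SUP top AUXILIARY
    MAY exampleTag )
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # usage: schema_to_ldif.py my.schema myschema > myschema.ldif
        with open(sys.argv[1]) as fh:
            print(schema_to_ldif(fh.read(), sys.argv[2]), end="")
    else:
        print(schema_to_ldif(SAMPLE_SCHEMA, "example"), end="")
```

The resulting file is loaded live with `ldapadd -Y EXTERNAL -H ldapi:/// -f myschema.ldif` as root; slapd assigns the `{N}` prefix itself, which is why the script does not try to guess it. Attribute types are emitted before object classes because the classes refer to them.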
STARTTLS vs LDAPS
by thomaswilliampritchard@gmail.com
At risk of beating a dead horse, I'd like to hear considerations on STARTTLS vs LDAPS. I'm also particularly interested if openldap plans to support LDAPS long term or if there's actually a deprecation effort going on around LDAPS where it would one day no longer be supported by openldap.
This seems to be the most comprehensive post discussing the virtue of the two. https://security.stackexchange.com/questions/257749/is-ldaps-or-starttls-...
I also found a post in this Archive from 2018 that seems to indicate a change of opinion where LDAPS should be preferred, and not deprecated.
https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.or...
Does openldap agree that LDAPS should now be the preferred implementation and STARTTLS should be discouraged?
I do not have a security background and there is certainly a lot of room for me to misunderstand, but it seems like STARTTLS leaves the door open for a "tls downgrade attack" where a man in the middle could essentially reply to a client effectively saying start tls is not supported and then the client falls back to non tls communication (which is obviously unfortunate). Even if the backend server is properly not responding to clients until STARTTLS is initiated, the man in the middle could initiate a connection with STARTTLS to the ldap server and be talking plaintext to the client. Is that legitimately possible or am I missing a nuance? If one were to only support clients over LDAPS it seems this would be mitigated?
Thanks for the considerations, looking forward to hearing the expert opinions on the topic.
3 months
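The downgrade scenario in the post comes down to one decision on the client: what it does with the StartTLS ExtendedResponse. The following code shows that decision in terms of the bytes on the wire. It is an added example, not part of the original post and not OpenLDAP code; the BER handling covers only the StartTLS extended operation (RFC 4511 section 4.14, OID 1.3.6.1.4.1.1466.20037), and the server replies used to exercise it are constructed. The same fail-closed rule is what `ldapsearch -ZZ` applies, whereas plain `-Z` issues StartTLS and continues even when it fails.

```python
"""Fail-closed StartTLS client handshake for LDAP, in terms of the bytes on the wire.

Added example; not code from the original post or from OpenLDAP. The BER encoder and
decoder cover only what the StartTLS extended operation (RFC 4511 section 4.14, OID
1.3.6.1.4.1.1466.20037) needs. Host names and the constructed responses are assumptions.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    assert 0 < message_id < 128, "a single-byte INTEGER is enough for this example"
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))          # 0x77 = APPLICATION 23, constructed
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext)


def build_extended_response(message_id: int, result_code: int, diag: bytes = b"") -> bytes:
    """Constructed server reply, used only to exercise the parser offline."""
    op = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diag)
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x78, op))  # 0x78 = APPLICATION 24


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg: bytes):
    """Return (messageID, resultCode, diagnosticMessage) or raise on anything else."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    tag, rc, pos = read_tlv(op)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = read_tlv(op, pos)   # matchedDN, unused here
    _, diag, _ = read_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")


def starttls_accepted(response: bytes, expected_id: int = 1) -> bool:
    """Only success (0) for our own message ID permits continuing; anything else is a refusal."""
    try:
        mid, rc, _ = parse_extended_response(response)
    except (ValueError, IndexError):
        return False
    return mid == expected_id and rc == 0


def connect_starttls_strict(host: str, port: int = 389, context: ssl.SSLContext = None):
    """Open a plaintext socket, demand StartTLS, and never fall back to cleartext."""
    ctx = context or ssl.create_default_context()   # verifies the server certificate and name
    sock = socket.create_connection((host, port), timeout=10)
    sock.sendall(build_starttls_request(1))
    response = sock.recv(4096)      # the reply is a few dozen bytes; one read suffices here
    if not starttls_accepted(response, 1):
        sock.close()
        raise ConnectionError("server refused StartTLS; refusing to continue in cleartext")
    return ctx.wrap_socket(sock, server_hostname=host)
```

A man in the middle can answer the extended request with any resultCode it likes, but with this client the only thing that buys it is a closed connection; certificate verification in the wrapped socket then covers the case where the attacker lets StartTLS through and tries to terminate the TLS session itself.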
delete glue entry
by Michael Ströder
Hi!
Had a MDB database with a glue entry in it on all replicas in a
multi-provider setup (release 2.6.1). I could not update this entry anymore.
Is it possible to delete a glue entry via LDAP? All subordinate entries
were already removed before.
Ciao, Michael.
3 months
RE26 testing call #1 (OpenLDAP 2.6.2)
by Quanah Gibson-Mount
This is the first testing call for OpenLDAP 2.6.2. Depending on the
results, this may be the only testing call.
Generally, get the code for RE26:
<https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_6...>
Extract, configure, and build.
Execute the test suite (via make test) after it is built. Optionally, cd
tests && make its to run through the regression suite.
Thanks!
OpenLDAP 2.6.2 Engineering
Added libldap support for OpenSSL 3.0 (ITS#9436)
Added slapd support for OpenSSL 3.0 (ITS#9436)
Fixed ldapdelete to prune LDAP subentries (ITS#9737)
Fixed libldap to drop connection when non-LDAP data is received
(ITS#9803)
Fixed libldap to allow newlines at end of included file (ITS#9811)
Fixed slapd slaptest conversion of olcLastBind (ITS#9808)
Fixed slapd to correctly init global_host earlier (ITS#9787)
Fixed slapd bconfig locking for cn=config replication (ITS#9584)
Fixed slapd usage of thread local counters (ITS#9789)
Fixed slapd to clear runqueue task correctly (ITS#9785)
Fixed slapd syncrepl handling of new sessions (ITS#9584)
Fixed slapd to clear connections on bind (ITS#9799)
Fixed slapd syncrepl ODSEE replication of unknown attr (ITS#9801)
Fixed slapd-asyncmeta memory leak in keepalive setting (ITS#9802)
Fixed slapd-ldap memory leak in keepalive setting (ITS#9802)
Fixed slapd-meta SEGV on config rewrite (ITS#9802)
Fixed slapd-meta ordering on config rewrite (ITS#9802)
Fixed slapd-meta memory leak in keepalive setting (ITS#9802)
Fixed slapd-monitor SEGV on shutdown (ITS#9809)
Added slapo-autoca support for OpenSSL 3.0 (ITS#9436)
Added slapo-otp support for OpenSSL 3.0 (ITS#9436)
Fixed slapo-pcache SEGV on shutdown (ITS#9809)
Fixed slapo-ppolicy operation handling to be consistent (ITS#9794)
Build Environment
Add ability to override default compile time paths (ITS#9675)
Fix compilation with certain versions of gcc (ITS#9790)
Fix compilation with openssl exclusions (ITS#9791)
Fix warnings from make jobserver (ITS#9788)
Documentation
admin26 Document new lloadd features (ITS#9780)
Fixed slapd.conf(5)/slapd-config(5) syncrepl sizelimit/timelimit
documentation (ITS#9804)
Fixed slapd-sock(5) to clarify "sockresps result" behavior
(ITS#8255)
Regards,
Quanah
3 months
RE25 Testing call #1 (OpenLDAP 2.5.12)
by Quanah Gibson-Mount
This is the first testing call for OpenLDAP 2.5.12. Depending on the
results, this may be the only testing call.
Generally, get the code for RE25:
<https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_5...>
Extract, configure, and build.
Execute the test suite (via make test) after it is built. Optionally, cd
tests && make its to run through the regression suite.
Thanks!
OpenLDAP 2.5.12 Engineering
Fixed libldap to drop connection when non-LDAP data is received
(ITS#9803)
Fixed libldap to allow newlines at end of included file (ITS#9811)
Fixed slapd slaptest conversion of olcLastBind (ITS#9808)
Fixed slapd usage of thread local counters (ITS#9789)
Fixed slapd to clear runqueue task correctly (ITS#9785)
Fixed slapd bconfig locking for cn=config replication (ITS#9584)
Fixed slapd syncrepl handling of new sessions (ITS#9584)
Fixed slapd to clear connections on bind (ITS#9799)
Fixed slapd syncrepl ODSEE replication of unknown attr (ITS#9801)
Fixed slapd-asyncmeta memory leak in keepalive setting (ITS#9802)
Fixed slapd-ldap memory leak in keepalive setting (ITS#9802)
Fixed slapd-meta SEGV on config rewrite (ITS#9802)
Fixed slapd-meta ordering on config rewrite (ITS#9802)
Fixed slapd-meta memory leak in keepalive setting (ITS#9802)
Fixed slapd-monitor SEGV on shutdown (ITS#9809)
Fixed slapo-pcache SEGV on shutdown (ITS#9809)
Fixed slapo-ppolicy operation handling to be consistent (ITS#9794)
Build Environment
Fix compilation with openssl exclusions (ITS#9791)
Fix warnings from make jobserver (ITS#9788)
Fix compilation with certain versions of gcc (ITS#9790)
Documentation
Fixed slapd.conf(5)/slapd-config(5) syncrepl sizelimit/timelimit
documentation (ITS#9804)
Regards,
Quanah
3 months