Hi!
As I said, I'd like to intercept password changes (clear-text password) via back-sock used as overlay. In particular, the client (Mac OS X) sends a Password Modify ext. op.
Unfortunately back-sock does not send the PASSMOD itself to the external listener (which could parse the ASN.1), and therefore I have to look at the MODIFY messages.
I'm using my package: https://pypi.python.org/pypi/slapdsock
Problem: Everything works as expected with this configuration when rootdn is used with ldappasswd, but not as a normal user.
Excerpt of slapd.conf:
database mdb
suffix "ou=realdb,dc=example,dc=org"
rootdn "cn=root,ou=realdb,dc=example,dc=org"
[..]
overlay sock
extensions binddn peername ssf connid
socketpath sockoverlay-listener
sockops modify
Command: ldappasswd -H ldapi:// -s test uid=test1,ou=realdb,dc=example,dc=org
slapd's log (LDAPI and SASL/EXTERNAL maps local user to rootdn):
58d03e84 conn=1000 fd=15 ACCEPT from PATH=/home/michael/Proj/slapd_sockd/examples/openldap/ldapi (PATH=/home/michael/Proj/slapd_sockd/examples/openldap/ldapi)
58d03e84 conn=1000 op=0 BIND dn="" method=163
58d03e84 conn=1000 op=0 BIND authcid="gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth" authzid="gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth"
58d03e84 conn=1000 op=0 BIND dn="cn=root,ou=realdb,dc=example,dc=org" mech=EXTERNAL sasl_ssf=0 ssf=71
58d03e84 conn=1000 op=0 RESULT tag=97 err=0 text=
58d03e84 conn=1000 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
58d03e84 conn=1000 op=1 PASSMOD id="uid=test1,ou=realdb,dc=example,dc=org" new
58d03e84 sock search reading line (CONTINUE )
58d03e84 conn=1000 op=1 RESULT oid= err=0 text=
58d03e84 conn=1000 op=2 UNBIND
58d03e84 conn=1000 fd=15 closed
The log of my external listener:
2017-03-20 21:41:40,620 DEBUG 140544537579816 ----- incoming request via 'openldap/sockoverlay-listener' from pid=28285 uid=1000 gid=100 -----
2017-03-20 21:41:40,620 DEBUG 140544537579816 request_data='MODIFY\nmsgid: 2\nbinddn: cn=root,ou=realdb,dc=example,dc=org\npeername: PATH=/home/michael/Proj/slapd_sockd/examples/openldap/ldapi\nssf: 71\nconnid: 1000\nsuffix: ou=realdb,dc=example,dc=org\ndn: uid=test1,ou=realdb,dc=example,dc=org\nreplace: userPassword\nuserPassword:: dGVzdA==\n-\n\n'
2017-03-20 21:41:40,620 DEBUG 140544537579816 reqtype='MODIFY'
2017-03-20 21:41:40,620 DEBUG 140544537579816 sock_req=<slapdsock.message.MODIFYRequest object at 0x7fd3133f10d0> // {'dn': 'uid=test1,ou=realdb,dc=example,dc=org', 'binddn': u'cn=root,ou=realdb,dc=example,dc=org', 'connid': 1000, 'suffix': u'ou=realdb,dc=example,dc=org', '_linecount': 7, 'msgid': 2, '_req_lines': ['MODIFY', 'msgid: 2', 'binddn: cn=root,ou=realdb,dc=example,dc=org', 'peername: PATH=/home/michael/Proj/slapd_sockd/examples/openldap/ldapi', 'ssf: 71', 'connid: 1000', 'suffix: ou=realdb,dc=example,dc=org', 'dn: uid=test1,ou=realdb,dc=example,dc=org', 'changetype: modify', 'replace: userPassword', 'userPassword:: dGVzdA==', '-', '', ''], 'peername': u'PATH=/home/michael/Proj/slapd_sockd/examples/openldap/ldapi', 'modops': [(2, 'userPassword', ['test'])], 'reqtype': 'MODIFY', 'ssf': 71}
2017-03-20 21:41:40,620 DEBUG 140544537579816 connid=1000 msgid=2 Request not cached: cache_key=None
2017-03-20 21:41:40,620 DEBUG 140544537579816 connid=1000 msgid=2 response_str='CONTINUE\n'
2017-03-20 21:41:40,620 DEBUG 140544537579816 connid=1000 msgid=2 response_delay=0.001
So far so good.
But with this command (own password change) there's no MODIFY sent to the external listener at all:
$ ldappasswd -H ldapi://%2Fhome%2Fmichael%2FProj%2Fslapd_sockd%2Fexamples%2Fopenldap%2Fldapi -D "uid=test1,ou=realdb,dc=example,dc=org" -w test -s test23 uid=test1,ou=realdb,dc=example,dc=org
ldap_parse_extended_result: Bad parameter to an ldap routine (-9)
slapd's log:
58d03f05 conn=1003 fd=15 ACCEPT from PATH=/home/michael/Proj/slapd_sockd/examples/openldap/ldapi (PATH=/home/michael/Proj/slapd_sockd/examples/openldap/ldapi)
58d03f05 conn=1003 op=0 BIND dn="uid=test1,ou=realdb,dc=example,dc=org" method=128
58d03f05 conn=1003 op=0 BIND dn="uid=test1,ou=realdb,dc=example,dc=org" mech=SIMPLE ssf=0
58d03f05 conn=1003 op=0 RESULT tag=97 err=0 text=
58d03f05 conn=1003 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
58d03f05 conn=1003 op=1 PASSMOD id="uid=test1,ou=realdb,dc=example,dc=org" new
58d03f05 conn=1003 op=1 RESULT tag=103 err=50 text=
58d03f05 conn=1003 op=1 RESULT oid= err=50 text=
58d03f05 conn=1003 op=2 UNBIND
58d03f05 conn=1003 fd=15 closed
Any clue what's going on?
Ciao, Michael.
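Added example (editor's note, not part of Michael's post and not code from the slapdsock package): a minimal parser for the back-sock MODIFY request exactly as the listener log above shows it, plus the two things a password-intercepting listener does with it, pull out the cleartext userPassword values and answer back-sock with CONTINUE or a RESULT. The sample request is reassembled from the logged request_data; the line layout follows that log and slapd-sock(5). The minimum-length policy, the function names and the exact RESULT line layout are assumptions made for the example. It only covers the MODIFY path that reaches the listener in the rootdn case; it says nothing about why the err=50 case above never does.

```python
import base64

# Constructed sample: the MODIFY request that the post's listener logged,
# reassembled as the raw text back-sock writes to the listener socket.
SAMPLE_MODIFY_REQUEST = (
    "MODIFY\n"
    "msgid: 2\n"
    "binddn: cn=root,ou=realdb,dc=example,dc=org\n"
    "peername: PATH=/home/michael/Proj/slapd_sockd/examples/openldap/ldapi\n"
    "ssf: 71\n"
    "connid: 1000\n"
    "suffix: ou=realdb,dc=example,dc=org\n"
    "dn: uid=test1,ou=realdb,dc=example,dc=org\n"
    "replace: userPassword\n"
    "userPassword:: dGVzdA==\n"
    "-\n"
    "\n"
)

# Modify operation numbering as in RFC 4511 (the post's modops tuples use the same).
MOD_OPS = {"add": 0, "delete": 1, "replace": 2}
INT_HEADERS = ("msgid", "connid", "ssf")


def _split_line(line):
    """Split an LDIF-style 'name: value' line; 'name:: b64' is base64-decoded."""
    name, sep, value = line.partition(":")
    if not sep:
        raise ValueError("malformed request line: %r" % line)
    if value.startswith(":"):
        return name, base64.b64decode(value[1:].strip()).decode("utf-8")
    return name, value.lstrip(" ")


def parse_sock_request(raw):
    """Parse one back-sock request into a dict; for MODIFY also the mod ops.

    Layout assumed (matches the post's log and slapd-sock(5)): request type on
    the first line, 'name: value' header lines, then for MODIFY a 'dn:' line,
    one 'add|delete|replace: attr' block per change terminated by '-', and an
    empty line ending the request. LDIF line continuations are not handled.
    """
    lines = raw.split("\n")
    req = {"reqtype": lines[0], "suffix": [], "modops": []}
    i = 1
    while i < len(lines) and lines[i] != "":
        name, value = _split_line(lines[i])
        i += 1
        if name == "suffix":
            req["suffix"].append(value)    # may repeat for glued databases
        elif name in INT_HEADERS:
            req[name] = int(value)
        elif name == "dn":
            req["dn"] = value
            break                          # header done; mod ops follow
        else:
            req[name] = value              # binddn, peername, ...
    if req["reqtype"] != "MODIFY":
        return req
    while i < len(lines) and lines[i] != "":
        op, attr = _split_line(lines[i])
        if op not in MOD_OPS:
            raise ValueError("unknown modify op: %r" % op)
        i += 1
        values = []
        while i < len(lines) and lines[i] != "-":
            vattr, value = _split_line(lines[i])
            if vattr.lower() != attr.lower():
                raise ValueError("value for %r inside %r block" % (vattr, attr))
            values.append(value)
            i += 1
        i += 1                             # skip the '-' separator
        req["modops"].append((MOD_OPS[op], attr, values))
    return req


def cleartext_password_changes(req):
    """Return the cleartext userPassword values a MODIFY would add or replace.

    Values starting with '{' are treated as already hashed ({SSHA}, {CRYPT}, ...)
    and skipped; that is a heuristic, not something back-sock tells us.
    """
    found = []
    for op, attr, values in req["modops"]:
        if attr.lower() == "userpassword" and op != MOD_OPS["delete"]:
            found.extend(v for v in values if not v.startswith("{"))
    return found


def listener_response(req, min_length=8):
    """Decide what to answer back-sock: CONTINUE lets slapd carry on with the op.

    The minimum-length policy is a hypothetical example. The RESULT layout
    (msgid/code/info lines, blank line terminator) is an assumption taken
    from slapd-sock(5) and should be checked against the man page.
    """
    for pw in cleartext_password_changes(req):
        if len(pw) < min_length:
            return ("RESULT\nmsgid: %d\ncode: 19\ninfo: password too short\n\n"
                    % req["msgid"])        # 19 = constraintViolation
    return "CONTINUE\n"


if __name__ == "__main__":
    request = parse_sock_request(SAMPLE_MODIFY_REQUEST)
    print(request["dn"], request["modops"])
    print(cleartext_password_changes(request))
    print(listener_response(request))
```

With the sample above the parser yields modops [(2, 'userPassword', ['test'])], the same tuple slapdsock logged, and the hypothetical policy rejects "test" with a RESULT because it is shorter than eight characters; passing min_length=4 returns CONTINUE instead.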