Hi all,
I am wondering if I am going about my setup the right way and am hoping someone can give me a bit of input.
Using openldap-2.4.23 on Debian Linux, I have nssov configured to retrieve host, user and group information on my primary server, with back-ldap and nssov configured on a secondary machine doing the same.
The back-ldap configuration is as follows:
database ldap suffix dc=zivios,dc=net uri "ldap://dev03.zivios.net" acl-bind bindmethod=simple binddn="" credentials=""
idassert-bind bindmethod=simple mode=self binddn="uid=zproxyauth,ou=zusers,ou=core control,ou=zivios,dc=zivios,dc=net" credentials="foo" idassert-authzFrom "dn.regex:.*"
overlay nssov nssov-map group uniqueMember member nssov-ssd passwd ldap:///dc=zivios,dc=net??sub nssov-ssd group ldap:///dc=zivios,dc=net??sub nssov-ssd hosts ldap:///dc=zivios,dc=net??sub nssov-pam hostservice nssov-pam-session sshd nssov-pam-session login
On the primary server, I have the authz policy set to "to", with an authzto rule as follows for the zproxyauth user:
{0}ldap:///dc=zivios,dc=net??sub?(objectClass=posixAccount)
I have setup appropriate ACLs that allow access to the authorizedService attribute for certain groups and, testing ssh & logins is working as required (on the primary server). However, when connections come in from the back-ldap server, the proxy auth works initially, with every "other" request failing. The back-ldap server log reports:
send_ldap_result: err=123 matched="" text="anonymous proxied authorization not allowed"
This is quite easily reproducible via simple getent passwd/group calls. Every second request fails with the aforementioned error. SSH access to the secondary server (with a successful regex, id-assertion and compare operation) works if I restart the back-ldap server, however, all subsequent requests fail.
Below is the complete log of a failed request from the back-ldap server on a getent passwd command:
dev02:/opt/zivios/openldap/etc/openldap# getent passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin zopenldap:x:945:945::/home/zopenldap:/bin/false daemon: activity on 1 descriptor daemon: activity on: 10r daemon: read active on 10 daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL daemon: epoll: listen=9 active_threads=0 tvp=NULL connection_get(10) connection_get(10): got connid=0 nssov: connection from uid=0 gid=0 daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL daemon: epoll: listen=9 active_threads=0 tvp=NULL nssov_passwd_all() str2filter "(objectClass=posixAccount)" put_filter: "(objectClass=posixAccount)" put_filter: simple put_simple_filter: "objectClass=posixAccount" begin get_filter EQUALITY ber_scanf fmt ({mm}) ber: ber_dump: buf=0xf6e8f010 ptr=0xf6e8f010 end=0xf6e8f02d len=29 0000: a3 1b 04 0b 6f 62 6a 65 63 74 43 6c 61 73 73 04 ....objectClass. 0010: 0c 70 6f 73 69 78 41 63 63 6f 75 6e 74 .posixAccount end get_filter 0 =>ldap_back_getconn: conn 0x9398940 fetched refcnt=1. ldap_search_ext put_filter: "(objectClass=posixAccount)" put_filter: simple put_simple_filter: "objectClass=posixAccount" ldap_build_search_req ATTRS: uid userPassword uidNumber gidNumber gecos cn homeDirectory loginShell objectClass ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) ber: ber_dump: buf=0x9397070 ptr=0x9397070 end=0x939716f len=255 0000: 30 81 fc 02 01 13 63 81 9c 04 10 64 63 3d 7a 69 0.....c....dc=zi 0010: 76 69 6f 73 2c 64 63 3d 6e 65 74 0a 01 02 0a 01 vios,dc=net..... 0020: 00 02 01 00 02 01 00 01 01 00 a3 1b 04 0b 6f 62 ..............ob 0030: 6a 65 63 74 43 6c 61 73 73 04 0c 70 6f 73 69 78 jectClass..posix 0040: 41 63 63 6f 75 6e 74 30 5c 04 03 75 69 64 04 0c Account0..uid.. 0050: 75 73 65 72 50 61 73 73 77 6f 72 64 04 09 75 69 userPassword..ui 0060: 64 4e 75 6d 62 65 72 04 09 67 69 64 4e 75 6d 62 dNumber..gidNumb 0070: 65 72 04 05 67 65 63 6f 73 04 02 63 6e 04 0d 68 er..gecos..cn..h 0080: 6f 6d 65 44 69 72 65 63 74 6f 72 79 04 0a 6c 6f omeDirectory..lo 0090: 67 69 6e 53 68 65 6c 6c 04 0b 6f 62 6a 65 63 74 ginShell..object 00a0: 43 6c 61 73 73 a0 58 30 56 04 18 32 2e 31 36 2e Class.X0V..2.16. 00b0: 38 34 30 2e 31 2e 31 31 33 37 33 30 2e 33 2e 34 840.1.113730.3.4 00c0: 2e 31 38 04 3a 64 6e 3a 67 69 64 4e 75 6d 62 65 .18.:dn:gidNumbe 00d0: 72 3d 30 2b 75 69 64 4e 75 6d 62 65 72 3d 30 2c r=0+uidNumber=0, 00e0: 63 6e 3d 70 65 65 72 63 72 65 64 2c 63 6e 3d 65 cn=peercred,cn=e 00f0: 78 74 65 72 6e 61 6c 2c 63 6e 3d 61 75 74 68 xternal,cn=auth ber_scanf fmt ({) ber: ber_dump: buf=0x9397070 ptr=0x9397076 end=0x939716f len=249 0000: 63 81 9c 04 10 64 63 3d 7a 69 76 69 6f 73 2c 64 c....dc=zivios,d 0010: 63 3d 6e 65 74 0a 01 02 0a 01 00 02 01 00 02 01 c=net........... 0020: 00 01 01 00 a3 1b 04 0b 6f 62 6a 65 63 74 43 6c ........objectCl 0030: 61 73 73 04 0c 70 6f 73 69 78 41 63 63 6f 75 6e ass..posixAccoun 0040: 74 30 5c 04 03 75 69 64 04 0c 75 73 65 72 50 61 t0..uid..userPa 0050: 73 73 77 6f 72 64 04 09 75 69 64 4e 75 6d 62 65 ssword..uidNumbe 0060: 72 04 09 67 69 64 4e 75 6d 62 65 72 04 05 67 65 r..gidNumber..ge 0070: 63 6f 73 04 02 63 6e 04 0d 68 6f 6d 65 44 69 72 cos..cn..homeDir 0080: 65 63 74 6f 72 79 04 0a 6c 6f 67 69 6e 53 68 65 ectory..loginShe 0090: 6c 6c 04 0b 6f 62 6a 65 63 74 43 6c 61 73 73 a0 ll..objectClass. 00a0: 58 30 56 04 18 32 2e 31 36 2e 38 34 30 2e 31 2e X0V..2.16.840.1. 00b0: 31 31 33 37 33 30 2e 33 2e 34 2e 31 38 04 3a 64 113730.3.4.18.:d 00c0: 6e 3a 67 69 64 4e 75 6d 62 65 72 3d 30 2b 75 69 n:gidNumber=0+ui 00d0: 64 4e 75 6d 62 65 72 3d 30 2c 63 6e 3d 70 65 65 dNumber=0,cn=pee 00e0: 72 63 72 65 64 2c 63 6e 3d 65 78 74 65 72 6e 61 rcred,cn=externa 00f0: 6c 2c 63 6e 3d 61 75 74 68 l,cn=auth ber_flush2: 255 bytes to sd 13 0000: 30 81 fc 02 01 13 63 81 9c 04 10 64 63 3d 7a 69 0.....c....dc=zi 0010: 76 69 6f 73 2c 64 63 3d 6e 65 74 0a 01 02 0a 01 vios,dc=net..... 0020: 00 02 01 00 02 01 00 01 01 00 a3 1b 04 0b 6f 62 ..............ob 0030: 6a 65 63 74 43 6c 61 73 73 04 0c 70 6f 73 69 78 jectClass..posix 0040: 41 63 63 6f 75 6e 74 30 5c 04 03 75 69 64 04 0c Account0..uid.. 0050: 75 73 65 72 50 61 73 73 77 6f 72 64 04 09 75 69 userPassword..ui 0060: 64 4e 75 6d 62 65 72 04 09 67 69 64 4e 75 6d 62 dNumber..gidNumb 0070: 65 72 04 05 67 65 63 6f 73 04 02 63 6e 04 0d 68 er..gecos..cn..h 0080: 6f 6d 65 44 69 72 65 63 74 6f 72 79 04 0a 6c 6f omeDirectory..lo 0090: 67 69 6e 53 68 65 6c 6c 04 0b 6f 62 6a 65 63 74 ginShell..object 00a0: 43 6c 61 73 73 a0 58 30 56 04 18 32 2e 31 36 2e Class.X0V..2.16. 00b0: 38 34 30 2e 31 2e 31 31 33 37 33 30 2e 33 2e 34 840.1.113730.3.4 00c0: 2e 31 38 04 3a 64 6e 3a 67 69 64 4e 75 6d 62 65 .18.:dn:gidNumbe 00d0: 72 3d 30 2b 75 69 64 4e 75 6d 62 65 72 3d 30 2c r=0+uidNumber=0, 00e0: 63 6e 3d 70 65 65 72 63 72 65 64 2c 63 6e 3d 65 cn=peercred,cn=e 00f0: 78 74 65 72 6e 61 6c 2c 63 6e 3d 61 75 74 68 xternal,cn=auth ldap_write: want=255, written=255 0000: 30 81 fc 02 01 13 63 81 9c 04 10 64 63 3d 7a 69 0.....c....dc=zi 0010: 76 69 6f 73 2c 64 63 3d 6e 65 74 0a 01 02 0a 01 vios,dc=net..... 0020: 00 02 01 00 02 01 00 01 01 00 a3 1b 04 0b 6f 62 ..............ob 0030: 6a 65 63 74 43 6c 61 73 73 04 0c 70 6f 73 69 78 jectClass..posix 0040: 41 63 63 6f 75 6e 74 30 5c 04 03 75 69 64 04 0c Account0..uid.. 0050: 75 73 65 72 50 61 73 73 77 6f 72 64 04 09 75 69 userPassword..ui 0060: 64 4e 75 6d 62 65 72 04 09 67 69 64 4e 75 6d 62 dNumber..gidNumb 0070: 65 72 04 05 67 65 63 6f 73 04 02 63 6e 04 0d 68 er..gecos..cn..h 0080: 6f 6d 65 44 69 72 65 63 74 6f 72 79 04 0a 6c 6f omeDirectory..lo 0090: 67 69 6e 53 68 65 6c 6c 04 0b 6f 62 6a 65 63 74 ginShell..object 00a0: 43 6c 61 73 73 a0 58 30 56 04 18 32 2e 31 36 2e Class.X0V..2.16. 00b0: 38 34 30 2e 31 2e 31 31 33 37 33 30 2e 33 2e 34 840.1.113730.3.4 00c0: 2e 31 38 04 3a 64 6e 3a 67 69 64 4e 75 6d 62 65 .18.:dn:gidNumbe 00d0: 72 3d 30 2b 75 69 64 4e 75 6d 62 65 72 3d 30 2c r=0+uidNumber=0, 00e0: 63 6e 3d 70 65 65 72 63 72 65 64 2c 63 6e 3d 65 cn=peercred,cn=e 00f0: 78 74 65 72 6e 61 6c 2c 63 6e 3d 61 75 74 68 xternal,cn=auth ldap_result ld 0x9398980 msgid 19 wait4msg ld 0x9398980 msgid 19 (timeout 100000 usec) wait4msg continue ld 0x9398980 msgid 19 all 0 ** ld 0x9398980 Connections: * host: dev03.zivios.net port: 389 (default) refcnt: 2 status: Connected last used: Tue Aug 31 20:07:02 2010
** ld 0x9398980 Outstanding Requests: * msgid 19, origid 19, status InProgress outstanding referrals 0, parent count 0 ld 0x9398980 request count 1 (abandoned 0) ** ld 0x9398980 Response Queue: Empty ld 0x9398980 response count 0 ldap_chkResponseList ld 0x9398980 msgid 19 all 0 ldap_chkResponseList returns ld 0x9398980 NULL ldap_int_select read1msg: ld 0x9398980 msgid 19 all 0 ber_get_next ldap_read: want=8, got=8 0000: 30 37 02 01 13 65 32 0a 07...e2. ldap_read: want=49, got=49 0000: 01 7b 04 00 04 2b 61 6e 6f 6e 79 6d 6f 75 73 20 .{...+anonymous 0010: 70 72 6f 78 69 65 64 20 61 75 74 68 6f 72 69 7a proxied authoriz 0020: 61 74 69 6f 6e 20 6e 6f 74 20 61 6c 6c 6f 77 65 ation not allowe 0030: 64 d ber_get_next: tag 0x30 len 55 contents: ber_dump: buf=0x93988f0 ptr=0x93988f0 end=0x9398927 len=55 0000: 02 01 13 65 32 0a 01 7b 04 00 04 2b 61 6e 6f 6e ...e2..{...+anon 0010: 79 6d 6f 75 73 20 70 72 6f 78 69 65 64 20 61 75 ymous proxied au 0020: 74 68 6f 72 69 7a 61 74 69 6f 6e 20 6e 6f 74 20 thorization not 0030: 61 6c 6c 6f 77 65 64 allowed read1msg: ld 0x9398980 msgid 19 message type search-result ber_scanf fmt ({eAA) ber: ber_dump: buf=0x93988f0 ptr=0x93988f3 end=0x9398927 len=52 0000: 65 32 0a 01 7b 04 00 04 2b 61 6e 6f 6e 79 6d 6f e2..{...+anonymo 0010: 75 73 20 70 72 6f 78 69 65 64 20 61 75 74 68 6f us proxied autho 0020: 72 69 7a 61 74 69 6f 6e 20 6e 6f 74 20 61 6c 6c rization not all 0030: 6f 77 65 64 owed ldap_chase_referrals read1msg: V2 referral chased, mark request completed, id = 19 read1msg: ld 0x9398980 0 new referrals read1msg: mark request completed, ld 0x9398980 msgid 19 request done: ld 0x9398980 msgid 19 res_errno: 123, res_error: <anonymous proxied authorization not allowed>, res_matched: <> ldap_free_request (origid 19, msgid 19) ldap_parse_result ber_scanf fmt ({iAA) ber: ber_dump: buf=0x93988f0 ptr=0x93988f3 end=0x9398927 len=52 0000: 65 32 0a 01 7b 04 00 04 2b 61 6e 6f 6e 79 6d 6f e2..{...+anonymo 0010: 75 73 20 70 72 6f 78 69 65 64 20 61 75 74 68 6f us proxied autho 0020: 72 69 7a 61 74 69 6f 6e 20 6e 6f 74 20 61 6c 6c rization not all 0030: 6f 77 65 64 owed ber_scanf fmt (}) ber: ber_dump: buf=0x93988f0 ptr=0x9398927 end=0x9398927 len=0
ldap_msgfree send_ldap_result: conn=-1 op=0 p=0 send_ldap_result: err=123 matched="" text="anonymous proxied authorization not allowed"
---- The primary server log shows only one line:
Aug 31 20:13:53 dev03 slapd[32705]: conn=1604 op=19 do_search: get_ctrls failed ----
I am not sure why an anonymous request is made by back-ldap -- probably my lack of understanding on how it should be configured. If anyone can point out where I am going wrong, it would be greatly appreciated.
Mustafa.