Hello,
Hoping someone can help me with this issue I'm having. I'm building OpenLDAP from source using the following command:
./configure --prefix=/usr/local \
--with-tls \
--with-cyrus-sasl \
--enable-overlays \
--enable-modules \
--enable-argon2 \
--enable-remoteauth && \
make depend && make -j$(nproc) && make install && \
ldconfig
It looks like it builds correctly; however, I'm not seeing the remoteauth.la or remoteauth.so module under the /usr/local/libexec/openldap directory. I'm only seeing the argon2.so and argon2.la. When I bootstrap the server with the following it doesn't throw any errors:
modulepath /usr/local/libexec/openldap
moduleload back_mdb.la
moduleload argon2.la
moduleload remoteauth.la
The weird thing is that when I run this command it shows the installed modules with remoteauth being one of them:
ldapsearch -Y EXTERNAL -H "$LDAPI_URI" -b "cn=module{0},cn=config" olcModuleLoad
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=module{0},cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: olcModuleLoad
#
# module{0}, config
dn: cn=module{0},cn=config
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}argon2.la
olcModuleLoad: {2}remoteauth.la
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
So, I'm not sure how it's loading remoteauth.la since it's not present under the /usr/local/libexec/openldap directory. As a matter of fact, it doesn't seem to be anywhere on the file system.
I tried authenticating a user using remoteauth to a remote AD directory and it didn't seem to work. In all fairness, I'm not sure if I was doing it correctly.
Thanks in advance
Dino Edwards wrote:
> Hello,
> Hoping someone can help me with this issue I'm having. I'm building OpenLDAP from source using the following command:
> ./configure --prefix=/usr/local \
> --with-tls \
> --with-cyrus-sasl \
> --enable-overlays \
> --enable-modules \
> --enable-argon2 \
> --enable-remoteauth && \
> make depend && make -j$(nproc) && make install && \
> ldconfig
> It looks like it builds correctly; however, I'm not seeing the remoteauth.la or remoteauth.so module under the /usr/local/libexec/openldap directory. I'm only seeing the argon2.so and argon2.la. When I bootstrap the server with the following it doesn't throw any errors:
Probably you're seeing an argon2 left over from some other build. When you just use "--enable-remoteauth" it defaults to a static build, not a dynamic module. So there is no remoteauth.la to install, the code is just part of the slapd binary.
> modulepath /usr/local/libexec/openldap
> moduleload back_mdb.la
> moduleload argon2.la
> moduleload remoteauth.la
> The weird thing is that when I run this command it shows the installed modules with remoteauth being one of them:
> ldapsearch -Y EXTERNAL -H "$LDAPI_URI" -b "cn=module{0},cn=config" olcModuleLoad
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> # extended LDIF
> #
> # LDAPv3
> # base <cn=module{0},cn=config> with scope subtree
> # filter: (objectclass=*)
> # requesting: olcModuleLoad
> #
> # module{0}, config
> dn: cn=module{0},cn=config
> olcModuleLoad: {0}back_mdb.la
> olcModuleLoad: {1}argon2.la
> olcModuleLoad: {2}remoteauth.la
> # search result
> search: 2
> result: 0 Success
> # numResponses: 2
> # numEntries: 1
> So, I'm not sure how it's loading remoteauth.la since it's not present under the /usr/local/libexec/openldap directory. As a matter of fact, it doesn't seem to be anywhere on the file system.
It's not really loading remoteauth. The moduleload command knows if a module was built statically and just silently succeeds for those. It works that way to allow easy migration between builds with static vs dynamic modules.
> I tried authenticating a user using remoteauth to a remote AD directory and it didn't seem to work. In all fairness, I'm not sure if I was doing it correctly.
> Thanks in advance
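An added check that makes the static-versus-dynamic distinction described above visible (my own Python, not code from the thread or from the OpenLDAP project): it reads the "Included static overlays:" and "Included static backends:" lists that `slapd -VVV` prints, compares them with what is actually on disk in the modulepath, and reports for each `moduleload` name whether it is a dynamic module file, a statically linked overlay or backend (for which moduleload silently succeeds), or not found at all. The `slapd -VVV` text embedded below is a constructed sample, not output from the poster's host; the slapd path, modulepath and module names are the ones from the thread.

```python
import os
import subprocess

# Constructed sample of what `slapd -VVV` prints for a build where remoteauth
# was compiled in statically (plain --enable-remoteauth, no "=mod"). Not
# captured from the poster's host.
SAMPLE_SLAPD_VVV = """\
@(#) $OpenLDAP: slapd 2.6.x (constructed sample) $
Included static overlays:
    remoteauth
Included static backends:
    config
    ldif
    mdb
"""


def parse_static_modules(vvv_output):
    """Collect the overlay and backend names slapd reports as built in."""
    static = {"overlays": set(), "backends": set()}
    section = None
    for line in vvv_output.splitlines():
        if line.startswith("Included static overlays:"):
            section = "overlays"
        elif line.startswith("Included static backends:"):
            section = "backends"
        elif section and line[:1].isspace() and line.strip():
            static[section].add(line.strip())   # indented entry of the list
        else:
            section = None                      # any other line ends the list
    return static


def classify_module(moduleload_name, present_files, static):
    """Explain why `moduleload NAME` succeeds (or would not)."""
    name = moduleload_name
    for ext in (".la", ".so"):
        if name.endswith(ext):
            name = name[: -len(ext)]
    if name + ".la" in present_files or name + ".so" in present_files:
        return "dynamic"            # a real file in modulepath is dlopen'ed
    if name.startswith("back_"):    # back_mdb.la -> backend "mdb"
        return "static" if name[len("back_"):] in static["backends"] else "not found"
    if name in static["overlays"]:
        return "static"             # moduleload silently succeeds for these
    # Password-scheme modules such as argon2 are not listed by -VVV, so for
    # them a missing file is ambiguous: built in, or genuinely absent.
    return "not found"


def classify_moduleload(names, modulepath, vvv_output):
    """Map each moduleload name to dynamic / static / not found."""
    present = set(os.listdir(modulepath)) if os.path.isdir(modulepath) else set()
    static = parse_static_modules(vvv_output)
    return {n: classify_module(n, present, static) for n in names}


def slapd_vvv(slapd="slapd"):
    """Run the real `slapd -VVV`; both streams are kept, the listing goes to stderr."""
    proc = subprocess.run([slapd, "-VVV"], capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    try:
        output = slapd_vvv("/usr/local/libexec/slapd")
    except (FileNotFoundError, PermissionError):
        output = SAMPLE_SLAPD_VVV   # offline run: fall back to the constructed sample
    report = classify_moduleload(["back_mdb.la", "argon2.la", "remoteauth.la"],
                                 "/usr/local/libexec/openldap", output)
    for name, kind in report.items():
        print(f"{name}: {kind}")
```

With the sample output and an argon2.la/argon2.so pair left in the modulepath, the script reports back_mdb.la and remoteauth.la as static and argon2.la as dynamic, which is exactly the situation the reply describes: cn=config lists all three under olcModuleLoad, but only argon2 was ever loaded from a file.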
> Probably you're seeing an argon2 left over from some other build. When you
> just use "--enable-remoteauth" it defaults to a static build, not a dynamic
> module. So there is no remoteauth.la to install, the code is just part of
> the slapd binary.
So, if I'm understanding you correctly, using --enable-remoteauth is doing a static build, not a dynamic one. How would I go about doing a dynamic build then?
> It's not really loading remoteauth. The moduleload command knows if a
> module was built statically and just silently succeeds for those. It works
> that way to allow easy migration between builds with static vs dynamic modules.
So, what parameters should I use to build dynamically?
Thanks
Dino Edwards wrote:
> > Probably you're seeing an argon2 left over from some other build. When you
> > just use "--enable-remoteauth" it defaults to a static build, not a dynamic
> > module. So there is no remoteauth.la to install, the code is just part of
> > the slapd binary.
> So, if I'm understanding you correctly, using --enable-remoteauth is doing a static build, not a dynamic one. How would I go about doing a dynamic build then?
Read `configure --help`
I have built with the following and now I see the modules in /usr/local/libexec/openldap:
./configure \
--enable-dynamic \
--enable-modules \
--enable-syslog \
--enable-overlays=mod \
--enable-argon2=yes \
--enable-remoteauth=mod \
--with-tls \
--with-cyrus-sasl \
--enable-mdb=mod && \
make depend && make -j$(nproc) && make install && \
ldconfig
I bootstrap with the following:
cat >/tmp/min-slapd.conf <<EOF
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/remoteauth.schema

modulepath /usr/local/libexec/openldap
moduleload back_mdb.la
moduleload argon2.la
moduleload remoteauth.la
password-hash {ARGON2}

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database config
rootdn cn=config
access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

database mdb
maxsize 1073741824
suffix $REAL_SUFFIX
directory $LDAP_DB_DIR
rootdn $REAL_ADMIN_DN

index objectClass eq
index uid,uidNumber,gidNumber,memberUid eq
index cn,sn,mail eq,sub

access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
EOF
slaptest -f /tmp/min-slapd.conf -F "$SLAPD_CONFIG_DIR" -n 0
The server seems to come up fine, but I'm having a problem trying to authenticate any users that I add. I generate the password using Argon2 as follows:
slappasswd -o module-load=argon2.la -h {ARGON2} -s "somepassword"
I take the generated hash, add it to my LDIF file and add the user using ldapadd. Here's the LDIF file I'm using:
dn: cn=jimbob,ou=users,dc=mydomain,dc=local
objectClass: inetOrgPerson
givenName: Jim
sn: Bob
displayName: Jim Bob
userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$aItdFWfjJ02G7gKy1Rx2yg$nd6/J9rqccyU3F+A
 AqsIPblx1G65ClGp4NgGj94nmTY
mail: someone@domain.tld
uid: jimbob
The logs show that it fails with bad credentials:
690234b6.2d3669c1 0x7f232cca96c0 conn=1030 fd=13 ACCEPT from IP=172.16.32.108:44114 (IP=0.0.0.0:389)
690234b6.2d37af2b 0x7f232d4aa6c0 conn=1030 op=0 BIND dn="cn=mydomain-ldap-admin,dc=mydomain,dc=local" method=128
690234b6.2d985910 0x7f232d4aa6c0 conn=1030 op=0 BIND dn="cn=mydomain-ldap-admin,dc=mydomain,dc=local" mech=SIMPLE bind_ssf=0 ssf=0
690234b6.2d9d9ff4 0x7f232d4aa6c0 conn=1030 op=0 RESULT tag=97 err=0 qtime=0.000014 etime=0.006778 text=
690234b6.2da06aaf 0x7f232eeac6c0 conn=1030 op=1 SRCH base="ou=users,dc=mydomain,dc=local" scope=2 deref=0 filter="(&(uid=jimbob)(objectClass=inetOrgPerson))"
690234b6.2da109db 0x7f232eeac6c0 conn=1030 op=1 SRCH attr=uid mail displayName
690234b6.2da49773 0x7f232eeac6c0 conn=1030 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000008 etime=0.000325 nentries=1 text=
690234b6.2dad6316 0x7f232cca96c0 conn=1031 fd=14 ACCEPT from IP=172.16.32.108:44116 (IP=0.0.0.0:389)
690234b6.2dadee16 0x7f232cca96c0 conn=1031 op=0 BIND dn="cn=jimbob,ou=users,dc=mydomain,dc=local" method=128
690234b6.2daebb74 0x7f232cca96c0 conn=1031 op=0 RESULT tag=97 err=49 qtime=0.000006 etime=0.000067 text=
I have verified that the password is correct. Any idea what could be the cause of this? The Argon2 module shows as loaded:
ldapsearch -Y EXTERNAL -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -b "cn=module{0},cn=config" olcModuleLoad
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=module{0},cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: olcModuleLoad
#

# module{0}, config
dn: cn=module{0},cn=config
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}argon2.la
olcModuleLoad: {2}remoteauth.la

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Thanks
> I have verified that the password is correct. Any idea what could be the
> cause of this? The Argon2 module shows as loaded:
Answering my own question. Thanks to Clement's answer to Hamza's question about ACLs, that turned out to be the solution to my problem also. Adding the following ACLs fixed it:
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * break
olcAccess: {1}to * by dn.exact="cn=admin,dc=mydomain,dc=local" manage by * break
olcAccess: {2}to attrs=userPassword by anonymous auth by * break
olcAccess: {3}to * by * none
Thanks to all!
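To show why the bind in the earlier log returned err=49 even with a correct Argon2 hash, and what the ACL change above alters, here is a small model of slapd's first-match ACL evaluation written for this thread (my own Python, not part of OpenLDAP and not the poster's code). It parses the two ACL sets quoted in the thread, the single `access to * ... by * none` line from the slaptest bootstrap and the four olcAccess values from the fix, and evaluates a request as slapd.access(5) describes: the first `to` clause matching the target is selected, the first matching `by` sets the level, and `stop`/`break`/`continue` decide whether evaluation ends, moves to the next `to` clause, or tries the next `by`. The grammar covered is deliberately limited to what the thread uses (`*`, `attrs=`, `dn.exact=`, `anonymous`, plus `users` and `self`), and treating an omitted level as `none` is an assumption of the model; the DNs are the ones from the thread.

```python
import shlex

# Access levels in increasing order; a grant of one level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
CONTROLS = {"stop", "break", "continue"}

# ACLs copied from the thread: ORIGINAL is the slapd.conf line used in the
# slaptest bootstrap, FIXED is the olcAccess set from the final message.
ORIGINAL = [
    'access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none',
]
FIXED = [
    'olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * break',
    'olcAccess: {1}to * by dn.exact="cn=admin,dc=mydomain,dc=local" manage by * break',
    'olcAccess: {2}to attrs=userPassword by anonymous auth by * break',
    'olcAccess: {3}to * by * none',
]
PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
ADMIN = "cn=admin,dc=mydomain,dc=local"
JIMBOB = "cn=jimbob,ou=users,dc=mydomain,dc=local"


def parse_acl(lines):
    """Parse access/olcAccess values into [(what, [(who, level, control), ...])]."""
    clauses = []
    for line in lines:
        value = line.split(":", 1)[1] if line.startswith("olcAccess:") else line
        value = value.strip()
        if value.startswith("{"):                   # drop the {n} ordering prefix
            value = value[value.index("}") + 1:]
        if value.startswith("access "):
            value = value[len("access "):]
        tokens = shlex.split(value)                 # removes the quotes around DNs
        if tokens[0] != "to":
            raise ValueError(value)
        by_at = tokens.index("by")
        what = " ".join(tokens[1:by_at])
        bys, current = [], None
        for tok in tokens[by_at:]:
            if tok == "by":
                current = []
                bys.append(current)
            else:
                current.append(tok)
        parsed = []
        for spec in bys:
            # Model assumptions: omitted level means none, omitted control means stop.
            who, level, control = spec[0], "none", "stop"
            for tok in spec[1:]:
                if tok in LEVELS:
                    level = tok
                elif tok in CONTROLS:
                    control = tok
                else:
                    raise ValueError("unsupported token: " + tok)
            parsed.append((who, level, control))
        clauses.append((what, parsed))
    return clauses


def what_matches(what, attr):
    """<what> selector: '*' or 'attrs=a,b,c'."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.strip().lower() for a in what[len("attrs="):].split(",")]
    raise ValueError("unsupported <what>: " + what)


def who_matches(who, bind_dn, target_dn):
    """<who> selector; bind_dn == '' is the anonymous identity."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn.exact="):
        return bind_dn.lower() == who[len("dn.exact="):].lower()
    raise ValueError("unsupported <who>: " + who)


def evaluate(clauses, bind_dn, target_dn, attr, required):
    """First-match evaluation with stop/break/continue; True if access is granted."""
    granted = "none"
    for what, bys in clauses:
        if not what_matches(what, attr):
            continue
        control, matched = "stop", False
        for who, level, ctl in bys:
            if who_matches(who, bind_dn, target_dn):
                granted, control, matched = level, ctl, True
                if ctl != "continue":
                    break
        if not matched:
            return False        # implicit "by * none" when no <who> matches
        if control != "break":
            break               # stop here; only "break" goes on to the next clause
    return LEVELS.index(granted) >= LEVELS.index(required)


def simple_bind_allowed(clauses, target_dn):
    """A simple bind needs `auth` access to userPassword for the anonymous identity."""
    return evaluate(clauses, "", target_dn, "userPassword", "auth")


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL), ("fixed", FIXED)):
        c = parse_acl(acl)
        print(f"{label}: bind as jimbob -> {simple_bind_allowed(c, JIMBOB)}, "
              f"anonymous read userPassword -> {evaluate(c, '', JIMBOB, 'userPassword', 'read')}, "
              f"jimbob read own mail -> {evaluate(c, JIMBOB, JIMBOB, 'mail', 'read')}")
```

A simple bind is evaluated before the connection has any identity, so the `auth` check on userPassword runs as anonymous; with the bootstrap ACL the only matching `by` is `by * none` with the default `stop`, so the check fails and slapd answers err=49 (invalidCredentials) regardless of the hash. The fixed set reaches `{2}` through the two `break` clauses and grants exactly `auth`, which is why the bind now works while anonymous read of userPassword stays denied. The model also shows a side effect of `{3}to * by * none`: after the breaks, a bound user such as jimbob gets no read access even to their own entry, so anything beyond authentication (the application's search, self-service password change) needs a further clause before `{3}`.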
openldap-technical@openldap.org