Hello all,
We have an installation of openldap like this: master <- slave <- translucent proxy. All the installation is on debian Jessie 8.2 with slapd version 2.4.40+dfsg-1+deb8u1.
When searching/binding with ldapsearch everything seems ok. I mean I have the results I expect.
We have an application called CAS to authenticate users on web applications and that is where things start to get strange. When configuring CAS to communicate with the slave, there is no problem, users can authenticate without issue. But when CAS is configured to communicate with the translucent proxy, it is not possible for users to be authenticated.
I looked at different places, changed different parameters playing with ldap protocol, search reference responses, automatic referral chasing, ... but can't make it work.
In the logs I have this:
ldapsearch request: the output is ok
from client to translucent proxy:
slapd[8845]: conn=1019 fd=13 ACCEPT from IP=10.93.64.180:57730 (IP=0.0.0.0:389)
slapd[8845]: conn=1019 op=0 BIND dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" method=128
slapd[8845]: conn=1019 op=0 BIND dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" mech=SIMPLE ssf=0
slapd[8845]: conn=1019 op=0 RESULT tag=97 err=0 text=
slapd[8845]: conn=1019 op=1 SRCH base="ou=people,dc=domain,dc=com" scope=2 deref=3 filter="(uid=myuser)"
slapd[8845]: conn=1019 op=1 SRCH attr=1.1
slapd[8845]: conn=1019 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[8845]: conn=1019 op=2 UNBIND
slapd[8845]: conn=1019 fd=13 closed
from translucent proxy to slave:
slapd[6491]: conn=1759 fd=25 ACCEPT from IP=10.93.64.207:37513 (IP=0.0.0.0:389)
slapd[6491]: conn=1759 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] BIND dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" method=128
slapd[6491]: conn=1759 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] BIND dn="uid=cas-auth,ou=SI,ou=Access,dc=domain,dc=com" mech=SIMPLE ssf=0
slapd[6491]: conn=1759 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] RESULT tag=97 err=0 text=
slapd[6491]: conn=1759 op=1 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] SRCH base="ou=people,dc=domain,dc=com" scope=2 deref=3 filter="(uid=myuser)"
slapd[6491]: conn=1759 op=1 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] SRCH attr=* +
slapd[6491]: conn=1759 op=1 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[6491]: conn=1759 op=2 UNBIND
slapd[6491]: conn=1759 fd=25 closed
CAS request: I don't have the output I expect
from client to translucent proxy:
slapd[8845]: conn=1017 fd=13 ACCEPT from IP=10.93.64.180:57109 (IP=0.0.0.0:389)
slapd[8845]: conn=1017 op=0 BIND dn="uid=cas-auth,ou=si,ou=access,dc=domain,dc=com" method=128
slapd[8845]: conn=1017 op=0 BIND dn="uid=cas-auth,ou=si,ou=access,dc=domain,dc=com" mech=SIMPLE ssf=0
slapd[8845]: conn=1017 op=0 RESULT tag=97 err=0 text=
slapd[8845]: conn=1017 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=2 deref=3 filter="(uid=myuser)"
slapd[8845]: conn=1017 op=1 SRCH attr=1.1
slapd[8845]: conn=1017 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[8845]: conn=1017 fd=13 closed (connection lost)
from translucent proxy to slave:
slapd[6491]: conn=1747 fd=13 ACCEPT from IP=10.93.64.207:35881 (IP=0.0.0.0:389)
slapd[6491]: conn=1747 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=si,ou=access,dc=domain,dc=com] BIND dn="uid=cas-auth,ou=si,ou=access,dc=domain,dc=com" method=128
slapd[6491]: conn=1747 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=si,ou=access,dc=domain,dc=com] BIND dn="uid=cas-auth,ou=SI,ou=Access,dc=domain,dc=com" mech=SIMPLE ssf=0
slapd[6491]: conn=1747 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=si,ou=access,dc=domain,dc=com] RESULT tag=97 err=0 text=
slapd[6491]: conn=1747 op=1 UNBIND
slapd[6491]: conn=1747 fd=13 closed
The configuration part relative to translucent:
# Entry 1: olcOverlay={3}translucent,olcDatabase={2}mdb,cn=config
dn: olcOverlay={3}translucent,olcDatabase={2}mdb,cn=config
objectclass: olcConfig
objectclass: olcOverlayConfig
objectclass: olcTranslucentConfig
objectclass: top
olcoverlay: {3}translucent
olctranslucentbindlocal: TRUE
# Entry 2: olcDatabase={0}ldap,olcOverlay={3}translucent,olcDatabase={2}m...
dn: olcDatabase={0}ldap,olcOverlay={3}translucent,olcDatabase={2}mdb,cn=config
objectclass: olcConfig
objectclass: olcLDAPConfig
objectclass: olcTranslucentDatabase
objectclass: olcDatabaseConfig
olcdatabase: {0}ldap
olcdbchasereferrals: TRUE
olcdbidassertauthzfrom: {0}*
olcdbidassertbind: bindmethod="simple" binddn="uid=roaccess,ou=access,dc=domain,dc=com" credentials="hideme" mode="self"
olcdbsessiontrackingrequest: TRUE
olcdburi: ldap://ldap-data.domain.it
I do not really know where else to look. I'll continue to try different things to make it work but any idea/suggestion/correction is welcome.
Thank you in advance for your time.
On 2016-01-14 18:10, M. P. wrote:
I don't know if it is related or not but I can reproduce, via ldapsearch, log entries between the proxy and the slave when CAS is configured with proxy as ldap backend.
# ldapsearch -x -b ou=people,dc=domain,dc=com -H ldap://ldap.domain.it -WD uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com -LLL -a always -n -v uid=myuser 1.1
Client -> Proxy
Jan 15 13:11:45 ldap-sudo slapd[29272]: conn=1057 fd=13 ACCEPT from IP=10.93.64.180:38275 (IP=0.0.0.0:389)
Jan 15 13:11:45 ldap-sudo slapd[29272]: conn=1057 op=0 BIND dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" method=128
Jan 15 13:11:45 ldap-sudo slapd[29272]: conn=1057 op=0 BIND dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" mech=SIMPLE ssf=0
Jan 15 13:11:45 ldap-sudo slapd[29272]: conn=1057 op=0 RESULT tag=97 err=0 text=
Jan 15 13:11:45 ldap-sudo slapd[29272]: conn=1057 op=1 UNBIND
Jan 15 13:11:45 ldap-sudo slapd[29272]: conn=1057 fd=13 closed
Proxy -> Slave
Jan 15 13:11:45 ldap-data slapd[6491]: conn=2746 fd=22 ACCEPT from IP=10.93.64.207:58162 (IP=0.0.0.0:389)
Jan 15 13:11:45 ldap-data slapd[6491]: conn=2746 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] BIND dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" method=128
Jan 15 13:11:45 ldap-data slapd[6491]: conn=2746 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] BIND dn="uid=cas-auth,ou=SI,ou=Access,dc=domain,dc=com" mech=SIMPLE ssf=0
Jan 15 13:11:45 ldap-data slapd[6491]: conn=2746 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] RESULT tag=97 err=0 text=
Jan 15 13:11:45 ldap-data slapd[6491]: conn=2746 op=1 UNBIND
Jan 15 13:11:45 ldap-data slapd[6491]: conn=2746 fd=22 closed
In the command I added the "-n" switch to simulate just the bind part.
If I compare with the logs from the CAS request, it is like the search part is not forwarded from proxy to slave. Is there any special functionality that the client should support when requesting via the translucent overlay?
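An added example (not from this thread or from OpenLDAP) that automates the log comparison made in both messages above: it pairs each client search logged on the proxy with an upstream search logged on the slave, correlating them through the [IP=... USERNAME=...] session-tracking control that olcDbSessionTrackingRequest: TRUE makes the proxy attach, and reports which client searches the proxy answered without asking the slave. The log lines are constructed from the ones quoted in the thread, and the parse_proxy / forwarding_report names are mine.

```python
import re
from collections import Counter
# Constructed sample lines modelled on this thread's slapd logs (proxy pid 8845, slave pid 6491).
PROXY_LOG = """\
slapd[8845]: conn=1017 fd=13 ACCEPT from IP=10.93.64.180:57109 (IP=0.0.0.0:389)
slapd[8845]: conn=1017 op=0 BIND dn="uid=cas-auth,ou=si,ou=access,dc=domain,dc=com" method=128
slapd[8845]: conn=1017 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=2 deref=3 filter="(uid=myuser)"
slapd[8845]: conn=1017 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[8845]: conn=1019 fd=13 ACCEPT from IP=10.93.64.180:57730 (IP=0.0.0.0:389)
slapd[8845]: conn=1019 op=0 BIND dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" method=128
slapd[8845]: conn=1019 op=1 SRCH base="ou=people,dc=domain,dc=com" scope=2 deref=3 filter="(uid=myuser)"
slapd[8845]: conn=1019 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""
SLAVE_LOG = """\
slapd[6491]: conn=1747 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=si,ou=access,dc=domain,dc=com] BIND dn="uid=cas-auth,ou=si,ou=access,dc=domain,dc=com" method=128
slapd[6491]: conn=1759 op=1 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] SRCH base="ou=people,dc=domain,dc=com" scope=2 deref=3 filter="(uid=myuser)"
"""
ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
BIND_RE = re.compile(r'conn=(\d+) op=\d+ (?:\[[^\]]*\] )?BIND dn="([^"]*)" method=')
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ (?:\[IP=([\d.]+) USERNAME=([^\]]*)\] )?'
                     r'SRCH base="([^"]*)" scope=\d+ deref=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=\d+ (?:\[[^\]]*\] )?SEARCH RESULT .*nentries=(\d+)')

def parse_proxy(text):
    """Per client connection on the proxy: peer IP, bind DN and each search with its entry count."""
    conns = {}
    for line in text.splitlines():
        if m := ACCEPT_RE.search(line):
            conns[m[1]] = {"conn": m[1], "ip": m[2], "bind_dn": "", "searches": []}
        elif m := BIND_RE.search(line):
            conns[m[1]]["bind_dn"] = m[2]
        elif m := SRCH_RE.search(line):
            conns[m[1]]["searches"].append({"base": m[4], "filter": m[5], "nentries": None})
        elif m := RESULT_RE.search(line):
            conns[m[1]]["searches"][-1]["nentries"] = int(m[2])
    return conns

def forwarding_report(proxy_log, slave_log):
    """Flag client searches the proxy answered locally instead of forwarding them to the slave."""
    # Upstream searches keyed by the session-tracking control (original client IP, DN it bound with).
    upstream = Counter(m.group(2, 3, 4, 5) for m in map(SRCH_RE.search, slave_log.splitlines()) if m and m[2])
    report = []
    for c in parse_proxy(proxy_log).values():
        for s in c["searches"]:
            key = (c["ip"], c["bind_dn"], s["base"], s["filter"])  # exact strings: back-ldap forwards them verbatim
            forwarded = upstream[key] > 0
            if forwarded:
                upstream[key] -= 1  # consume it, so two client searches cannot claim one upstream search
            report.append({"conn": c["conn"], "base": s["base"], "nentries": s["nentries"], "forwarded": forwarded})
    return report
```

On a busy server the same DN and base will recur, so a real run should also constrain the pairing to a timestamp window around each client operation.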
openldap-technical@openldap.org