Hello all,
I'm a newbie in LDAP/OpenLDAP.
I have to implement an LDAP proxy that "simply" authenticates a user against a first LDAP server and, if it fails for invalid credentials, tries to authenticate against a second LDAP server.
I've found OpenLDAP and the back-sock backend as a possible way to implement such a scheme, using a python script as a concurrent server listening on the UNIX socket that will be used by the backend back-sock.
I'm currently using Ubuntu 22.04 and OpenLDAP 2.5.19 for testing.
Now I have a concurrent server in python that works well: it accepts a connection on a UNIX socket, prints what it receives over the connection and closes it. I tested it with a simple python client.
On the OpenLDAP side, instead, I have a big issue: I tried to configure the backend using the legacy mode (the slapd.conf config file will follow), but when I try to run the command
ldapwhoami -x -D "cn=admin,dc=example,dc=com" -W -H ldap://localhost (with "dc=example,dc=com" replaced with the base DN I used in the configuration during the installation phase) on the same machine where slapd is running, the command returns:
ldap_bind: Invalid credentials (49)
using the right password input during installation phase, while on the server side in the log I found the error message:
socket connect(<socket_file_name>) failed
and the server python does not give any sign of accepting a connection.
Setting the loglevel to -1 or starting slapd with strace ( strace slapd -d -1 ) does not provide further information.
NOTE that the above ldapwhoami command worked fine with the original configuration with the new method in the slapd.d folder.
This is the config file I created to use the back-sock backend:
modulepath /usr/lib/ldap moduleload back_sock.la
include /etc/ldap/schema/core.schema
pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args
#loglevel 256 loglevel -1
database sock socketpath /tmp/ldsock
suffix "dc=proxy,dc=ldap"
Any clue?
Thanks in advance Gianluca Ramunno
Hello,
I've found the solution with the help of a colleague.
Simply apparmor was blocking the access to the socket for slapd.
By enabling slapd to access the UNIX socket in apparmor, the communication between the back-sock backend and my python server worked fine.
Best regards Gianluca Ramunno ________________________________ From: Gianluca Ramunno g.ramunno@criticalcase.com Sent: Wednesday, May 28, 2025 18:09 To: openldap-technical@openldap.org openldap-technical@openldap.org Subject: back-sock module: error "socket connect(<socket_file_name>) failed"
Hello all,
I'm a newbie in LDAP/OpenLDAP.
I have to implement an LDAP proxy that "simply" authenticates a user against a first LDAP server and, if it fails for invalid credentials, tries to authenticate against a second LDAP server.
I've found OpenLDAP and the back-sock backend as a possible way to implement such a scheme, using a python script as a concurrent server listening on the UNIX socket that will be used by the backend back-sock.
I'm currently using Ubuntu 22.04 and OpenLDAP 2.5.19 for testing.
Now I have a concurrent server in python that works well: it accepts a connection on a UNIX socket, prints what it receives over the connection and closes it. I tested it with a simple python client.
On the OpenLDAP side, instead, I have a big issue: I tried to configure the backend using the legacy mode (the slapd.conf config file will follow), but when I try to run the command
ldapwhoami -x -D "cn=admin,dc=example,dc=com" -W -H ldap://localhost (with "dc=example,dc=com" replaced with the base DN I used in the configuration during the installation phase) on the same machine where slapd is running, the command returns:
ldap_bind: Invalid credentials (49)
using the right password input during installation phase, while on the server side in the log I found the error message:
socket connect(<socket_file_name>) failed
and the server python does not give any sign of accepting a connection.
Setting the loglevel to -1 or starting slapd with strace ( strace slapd -d -1 ) does not provide further information.
NOTE that the above ldapwhoami command worked fine with the original configuration with the new method in the slapd.d folder.
This is the config file I created to use the back-sock backend:
modulepath /usr/lib/ldap moduleload back_sock.la
include /etc/ldap/schema/core.schema
pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args
#loglevel 256 loglevel -1
database sock socketpath /tmp/ldsock
suffix "dc=proxy,dc=ldap"
Any clue?
Thanks in advance Gianluca Ramunno
openldap-technical@openldap.org
-
Gianluca Ramunno