#1531 Directory auth plugin requires LDAP anonymous binds
Closed: Fixed. Opened 8 years ago by bja.

The directory auth plugin appears to require the LDAP server that it uses for authentication to support anonymous binds. Our environment has anonymous binds disabled, so user auth fails. Dogtag should support using a specific LDAP user to perform these group membership searches via an authenticated bind over LDAPS/STARTTLS. Another approach might be to conduct the group membership search following authenticating the user and perform the search as this user.

LDAP logs during an auth attempt:

[28/Jul/2015:16:45:26 -0400] conn=169089 fd=84 slot=84 SSL connection from 192.168.1.22 to 192.168.1.10
[28/Jul/2015:16:45:26 -0400] conn=169089 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bob)" attrs="memberOf"
[28/Jul/2015:16:45:26 -0400] conn=169089 op=0 RESULT err=0 tag=101 nentries=1 etime=0

^^^^^^^^^^ this is what fails with anon. binds disabled ^^^^^^^^^^^

[28/Jul/2015:16:45:26 -0400] conn=169089 op=1 BIND dn="uid=bob,ou=users,dc=example,dc=com" method=128 version=2
[28/Jul/2015:16:45:26 -0400] conn=169089 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bob,ou=users,dc=example,dc=com"
[28/Jul/2015:16:45:26 -0400] conn=169089 op=2 SRCH base="uid=bob,ou=users,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="mail cn uid mail cn"
[28/Jul/2015:16:45:26 -0400] conn=169089 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[28/Jul/2015:16:45:26 -0400] conn=169089 op=3 UNBIND
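
Editor's note: the pattern bja points at (a SRCH with no preceding BIND on the connection) is easy to detect in a 389-ds access log. The script below is an added example, not code from the ticket or from Dogtag. It replays the ticket's excerpt as constructed sample input, plus two invented connections: one where a hypothetical service account binds before searching, and one where the anonymous search is rejected. The err=48 (inappropriateAuthentication) on the rejected search is an assumption about what the server logs when anonymous access is disabled; the ticket does not show that line.

```python
import re

# Constructed sample in 389-ds access-log format: the ticket's excerpt joined
# back onto single lines (conn=169089), a hypothetical connection that binds as a
# service account before searching (conn=169090), and a constructed connection
# whose anonymous search is rejected with err=48 (conn=169091).
SAMPLE_LOG = """\
[28/Jul/2015:16:45:26 -0400] conn=169089 fd=84 slot=84 SSL connection from 192.168.1.22 to 192.168.1.10
[28/Jul/2015:16:45:26 -0400] conn=169089 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bob)" attrs="memberOf"
[28/Jul/2015:16:45:26 -0400] conn=169089 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[28/Jul/2015:16:45:26 -0400] conn=169089 op=1 BIND dn="uid=bob,ou=users,dc=example,dc=com" method=128 version=2
[28/Jul/2015:16:45:26 -0400] conn=169089 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bob,ou=users,dc=example,dc=com"
[28/Jul/2015:16:45:26 -0400] conn=169089 op=2 SRCH base="uid=bob,ou=users,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="mail cn uid mail cn"
[28/Jul/2015:16:45:26 -0400] conn=169089 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[28/Jul/2015:16:45:26 -0400] conn=169089 op=3 UNBIND
[28/Jul/2015:16:45:30 -0400] conn=169090 fd=85 slot=85 SSL connection from 192.168.1.22 to 192.168.1.10
[28/Jul/2015:16:45:30 -0400] conn=169090 op=0 BIND dn="uid=pkiauth,ou=service-accounts,dc=example,dc=com" method=128 version=3
[28/Jul/2015:16:45:30 -0400] conn=169090 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkiauth,ou=service-accounts,dc=example,dc=com"
[28/Jul/2015:16:45:30 -0400] conn=169090 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bob)" attrs="memberOf"
[28/Jul/2015:16:45:30 -0400] conn=169090 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[28/Jul/2015:16:45:30 -0400] conn=169090 op=2 UNBIND
[28/Jul/2015:16:45:35 -0400] conn=169091 fd=86 slot=86 SSL connection from 192.168.1.22 to 192.168.1.10
[28/Jul/2015:16:45:35 -0400] conn=169091 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bob)" attrs="memberOf"
[28/Jul/2015:16:45:35 -0400] conn=169091 op=0 RESULT err=48 tag=101 nentries=0 etime=0
[28/Jul/2015:16:45:35 -0400] conn=169091 op=1 UNBIND
"""

CONN_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) fd=\d+ ')
OP_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
                   r'(?P<kind>SRCH|BIND|RESULT|UNBIND)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, quoted values may contain spaces


def find_unauthenticated_searches(log_text):
    """Return one record per SRCH issued on a connection that had no successful,
    non-empty-DN BIND at that moment. A connection whose opening line is not in
    the log (rotation) is treated as anonymous, the conservative choice."""
    bound_as = {}       # conn -> DN of the current successful BIND, None if anonymous
    pending_bind = {}   # conn -> (op, requested dn) waiting for its RESULT
    pending_srch = {}   # (conn, op) -> finding waiting for its RESULT err
    findings = []
    for line in log_text.splitlines():
        c = CONN_RE.match(line)
        if c:
            bound_as[c.group('conn')] = None     # a fresh connection is anonymous
            continue
        m = OP_RE.match(line)
        if not m:
            continue
        conn, op, kind = m.group('conn'), int(m.group('op')), m.group('kind')
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
        if kind == 'BIND':
            pending_bind[conn] = (op, kv.get('dn', ''))
        elif kind == 'SRCH' and bound_as.get(conn) is None:
            rec = {'conn': conn, 'op': op, 'base': kv.get('base', ''),
                   'filter': kv.get('filter', ''), 'err': None}
            pending_srch[(conn, op)] = rec
            findings.append(rec)
        elif kind == 'RESULT':
            err = int(kv.get('err', '0'))
            if pending_bind.get(conn, (None,))[0] == op:
                _, dn = pending_bind.pop(conn)
                # Only a successful bind with a non-empty DN authenticates the
                # connection: an empty DN is an explicit anonymous bind, and a
                # failed bind leaves the connection anonymous.
                bound_as[conn] = dn if err == 0 and dn else None
            elif (conn, op) in pending_srch:
                pending_srch.pop((conn, op))['err'] = err
        elif kind == 'UNBIND':
            bound_as.pop(conn, None)
    return findings


if __name__ == '__main__':
    for f in find_unauthenticated_searches(SAMPLE_LOG):
        status = 'succeeded' if f['err'] == 0 else 'failed err=%s' % f['err']
        print('conn=%s op=%d unauthenticated SRCH base=%s filter=%s -> %s'
              % (f['conn'], f['op'], f['base'], f['filter'], status))
```

Run against a real access log the same detector tells you which clients still depend on anonymous search before you disable it on the directory server; the two findings on the constructed sample are conn=169089 (the ticket's own anonymous uid lookup, which succeeded) and conn=169091 (the same lookup rejected).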


Per meeting of 07/31/2015: 10.2.7 (blocker)

commit c13593770108b6d683ab3d3b43b92d67ac64a1ef
Author: Christina Fu cfu@redhat.com
Date: Wed Aug 5 16:21:51 2015 -0700

Ticket 1531 Directory auth plugin requires LDAP anonymous binds
-
This patch adds a feature to allow a directory based authentication plugin
to use a bound LDAP connection instead of an anonymous one.
Two files need to be edited
1. <instance>/conf/password.conf
  add a "tag" and the password of the binding user dn to the file
  e.g. externalLDAP=password123
2. <instance>/ca/CS.cfg
  add the tag to cms.passwordlist:
  e.g. cms.passwordlist=internaldb,replicationdb,externalLDAP
  add the authPrefix of the auths entry for the authentication instance
  e.g. externalLDAP.authPrefix=auths.instance.UserDirEnrollment
  add relevant entries to the authentication instance
  e.g. auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
       auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
       auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=rhcs,ou=ser
       auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalL
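
Editor's note: the fix above spreads one setting across two files and three places (password.conf, cms.passwordlist, and the auths.instance.* keys), so a tag that is added in one place but not the others is an easy mistake. The checker below is an added example, not Dogtag code or part of the commit; it parses constructed CS.cfg and password.conf excerpts and reports every directory auth instance that is still anonymous or whose bound-connection wiring is incomplete. The key names follow the commit message; the bindDN, the second instance (AgentDirAuth) and its tag (agentLDAP) are invented, and ldapconn.secureConn is assumed to be the existing per-instance switch for TLS on that connection.

```python
import re

# Constructed CS.cfg excerpt. UserDirEnrollment follows the commit message
# (hypothetical bindDN); AgentDirAuth is an invented, deliberately broken instance.
SAMPLE_CS_CFG = """\
cms.passwordlist=internaldb,replicationdb,externalLDAP
externalLDAP.authPrefix=auths.instance.UserDirEnrollment
auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
auths.instance.UserDirEnrollment.ldap.basedn=dc=example,dc=com
auths.instance.UserDirEnrollment.ldap.ldapconn.host=ldap.example.com
auths.instance.UserDirEnrollment.ldap.ldapconn.port=636
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=true
auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=pkiauth,ou=service-accounts,dc=example,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
auths.instance.AgentDirAuth.pluginName=UidPwdDirAuth
auths.instance.AgentDirAuth.ldap.basedn=dc=example,dc=com
auths.instance.AgentDirAuth.ldap.ldapconn.host=ldap.example.com
auths.instance.AgentDirAuth.ldap.ldapconn.port=389
auths.instance.AgentDirAuth.ldap.ldapconn.secureConn=false
auths.instance.AgentDirAuth.ldap.ldapBoundConn=true
auths.instance.AgentDirAuth.ldap.ldapauth.authtype=BasicAuth
auths.instance.AgentDirAuth.ldap.ldapauth.bindDN=uid=pkiauth,ou=service-accounts,dc=example,dc=com
auths.instance.AgentDirAuth.ldap.ldapauth.bindPWPrompt=agentLDAP
"""

# Constructed password.conf; every value is a placeholder, not a real secret.
SAMPLE_PASSWORD_CONF = """\
internal=changeme
internaldb=changeme
replicationdb=changeme
externalLDAP=changeme
"""

INSTANCE_RE = re.compile(r'^(auths\.instance\.[^.]+)\.ldap\.')


def parse_properties(text):
    """Parse the key=value format shared by CS.cfg and password.conf.
    Only the first '=' separates key from value, so DNs stay intact."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key, sep, value = line.partition('=')
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_bound_ldap_auth(cs_cfg_text, password_conf_text):
    """Return one problem string per defect. An empty list means every directory
    auth instance searches over a bound, TLS-protected connection whose password
    is wired through both cms.passwordlist and password.conf."""
    cfg = parse_properties(cs_cfg_text)
    secrets = parse_properties(password_conf_text)
    pwlist = {t.strip() for t in cfg.get('cms.passwordlist', '').split(',') if t.strip()}
    instances = set()
    for key in cfg:
        m = INSTANCE_RE.match(key)
        if m:
            instances.add(m.group(1))
    problems = []
    for inst in sorted(instances):
        if cfg.get(f'{inst}.ldap.ldapBoundConn', 'false').lower() != 'true':
            problems.append(f'{inst}: ldapBoundConn is not true, so the uid search runs anonymously')
            continue
        bind_dn = cfg.get(f'{inst}.ldap.ldapauth.bindDN', '')
        tag = cfg.get(f'{inst}.ldap.ldapauth.bindPWPrompt', '')
        if not bind_dn:
            problems.append(f'{inst}: ldapBoundConn=true but ldapauth.bindDN is empty')
        if not tag:
            problems.append(f'{inst}: ldapBoundConn=true but ldapauth.bindPWPrompt is empty')
        else:
            if tag not in pwlist:
                problems.append(f'{inst}: tag {tag} is missing from cms.passwordlist')
            if tag not in secrets:
                problems.append(f'{inst}: tag {tag} has no entry in password.conf')
            if cfg.get(f'{tag}.authPrefix') != inst:
                problems.append(f'{inst}: {tag}.authPrefix does not point at this instance')
        # A bound connection sends a password, so the transport must be TLS.
        if cfg.get(f'{inst}.ldap.ldapconn.secureConn', 'false').lower() != 'true':
            problems.append(f'{inst}: ldapconn.secureConn is not true, the bind password would cross the network in cleartext')
    return problems


if __name__ == '__main__':
    for p in check_bound_ldap_auth(SAMPLE_CS_CFG, SAMPLE_PASSWORD_CONF):
        print(p)
```

On the sample the UserDirEnrollment instance passes and AgentDirAuth is reported four times (tag not in cms.passwordlist, no password.conf entry, no authPrefix, and no TLS). Two things the checker cannot see but that go with this change: password.conf holds the bind password in cleartext, so its file permissions matter as much as the directory ACIs, and the service account named in bindDN should be allowed to read only the attributes the plugin actually searches (uid and memberOf here), not to bind as users or modify anything.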

Metadata Update from @bja:
- Issue assigned to cfu
- Issue set to the milestone: 10.2.6

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2090

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

