We have a FreeBSD server running Gitea, agilo, DokuWiki, NextCloud, ... authenticating against a self-hosted OpenLDAP instance running on the same server and it works flawlessly.
Recently, we have introduced Subversion into our pipeline. I'm trying to make Subversion authenticate against the same LDAP directory but hit a brick wall with the OpenLDAP authentication part.
I followed this and this guide, without any success.
This is what I see in the logs for a successful login from other services (e.g. DokuWiki):
Code:
Jul 29 16:35:06 core slapd[49965]: conn=1028 fd=16 ACCEPT from PATH=/var/run/openldap/ldapi (PATH=/var/run/openldap/ldapi)
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=0 BIND dn="cn=root,dc=cheetah,dc=com" method=128
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=0 BIND dn="cn=root,dc=cheetah,dc=com" mech=SIMPLE ssf=0
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=0 RESULT tag=97 err=0 text=
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=1 BIND anonymous mech=implicit ssf=0
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=1 BIND dn="cn=root,dc=cheetah,dc=com" method=128
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=1 BIND dn="cn=root,dc=cheetah,dc=com" mech=SIMPLE ssf=0
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=1 RESULT tag=97 err=0 text=
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=2 SRCH base="ou=people,dc=cheetah,dc=com" scope=2 deref=0 filter="(&(uid=mohammad.babaei))"
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=3 SRCH base="ou=groups,dc=cheetah,dc=com" scope=2 deref=0 filter="(&(memberOf=cn=cheetah.com,ou=groups,dc=cheetah,dc=com)(memberOf=cn=dokuwiki,ou=groups,dc=cheetah,dc=com))"
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=3 SRCH attr=1.1
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=4 BIND anonymous mech=implicit ssf=0
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=4 BIND dn="uid=mohammad.babaei,ou=people,dc=cheetah,dc=com" method=128
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=4 BIND dn="uid=mohammad.babaei,ou=people,dc=cheetah,dc=com" mech=SIMPLE ssf=0
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=4 RESULT tag=97 err=0 text=
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=5 BIND anonymous mech=implicit ssf=0
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=5 BIND dn="cn=root,dc=cheetah,dc=com" method=128
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=5 BIND dn="cn=root,dc=cheetah,dc=com" mech=SIMPLE ssf=0
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=5 RESULT tag=97 err=0 text=
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=6 SRCH base="ou=people,dc=cheetah,dc=com" scope=2 deref=0 filter="(&(uid=mohammad.babaei))"
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=7 SRCH base="ou=groups,dc=cheetah,dc=com" scope=2 deref=0 filter="(&(memberOf=cn=cheetah.com,ou=groups,dc=cheetah,dc=com)(memberOf=cn=dokuwiki,ou=groups,dc=cheetah,dc=com))"
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=7 SRCH attr=1.1
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=8 UNBIND
Jul 29 16:35:06 core slapd[49965]: conn=1028 fd=16 closed
Jul 29 16:35:06 core slapd[49965]: conn=1029 fd=16 ACCEPT from PATH=/var/run/openldap/ldapi (PATH=/var/run/openldap/ldapi)
Jul 29 16:35:06 core slapd[49965]: conn=1029 op=0 BIND dn="cn=root,dc=cheetah,dc=com" method=128
Jul 29 16:35:06 core slapd[49965]: conn=1029 op=0 BIND dn="cn=root,dc=cheetah,dc=com" mech=SIMPLE ssf=0
Jul 29 16:35:06 core slapd[49965]: connection_input: conn=1029 deferring operation: binding
Jul 29 16:35:06 core slapd[49965]: conn=1029 op=0 RESULT tag=97 err=0 text=
Jul 29 16:35:06 core slapd[49965]: conn=1029 op=1 SRCH base="ou=people,dc=cheetah,dc=com" scope=2 deref=0 filter="(&(uid=vahab.ahmadvand))"
Jul 29 16:35:06 core slapd[49965]: conn=1029 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 29 16:35:06 core slapd[49965]: conn=1029 op=2 SRCH base="ou=groups,dc=cheetah,dc=com" scope=2 deref=0 filter="(&(memberOf=cn=cheetah.com,ou=groups,dc=cheetah,dc=com)(memberOf=cn=dokuwiki,ou=groups,dc=cheetah,dc=com))"
Jul 29 16:35:06 core slapd[49965]: conn=1029 op=2 SRCH attr=1.1
Jul 29 16:35:06 core slapd[49965]: conn=1029 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 29 16:35:06 core slapd[49965]: conn=1029 op=3 UNBIND
Jul 29 16:35:06 core slapd[49965]: conn=1029 fd=16 closed
When I run testsaslauthd:
Code:
$ testsaslauthd -u mohammad.babaei -p password -f /var/run/saslauthd/mux
0: NO "authentication failed"
And here is the slapd log for the failed login with testsaslauthd:
Code:
Jul 29 16:38:01 core slapd[49965]: conn=1030 fd=16 ACCEPT from PATH=/var/run/openldap/ldapi (PATH=/var/run/openldap/ldapi)
Jul 29 16:38:01 core slapd[49965]: conn=1030 op=0 BIND dn="cn=root,dc=cheetah,dc=com" method=128
Jul 29 16:38:01 core slapd[49965]: conn=1030 op=0 RESULT tag=97 err=49 text=
And saslauthd verbose logs:
Code:
saslauthd[51398] :rel_accept_lock : released accept lock
saslauthd[51399] :get_accept_lock : acquired accept lock
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x802e20030 msgid 1
wait4msg ld 0x802e20030 msgid 1 (infinite timeout)
wait4msg continue ld 0x802e20030 msgid 1 all 1
** ld 0x802e20030 Connections:
* host: (null) port: 0 (default)
refcnt: 2 status: Connected
last used: Sun Jul 29 16:52:03 2018
** ld 0x802e20030 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x802e20030 request count 1 (abandoned 0)
** ld 0x802e20030 Response Queue:
Empty
ld 0x802e20030 response count 0
ldap_chkResponseList ld 0x802e20030 msgid 1 all 1
ldap_chkResponseList returns ld 0x802e20030 NULL
ldap_int_select
read1msg: ld 0x802e20030 msgid 1 all 1
read1msg: ld 0x802e20030 msgid 1 message type bind
read1msg: ld 0x802e20030 0 new referrals
read1msg: mark request completed, ld 0x802e20030 msgid 1
request done: ld 0x802e20030 msgid 1
res_errno: 49, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
saslauthd[51398] :do_auth : auth failure: [user=mohammad.babaei] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
saslauthd[51398] :do_request : response: NO
Here are my config files:
/usr/local/etc/openldap/slapd.conf
Code:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/collective.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/duaconf.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/java.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/pmi.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/custom-additions.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
# moduleload back_mdb
# moduleload back_ldap
moduleload pw-sha2
moduleload back_mdb
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
#security ssf=256 update_ssf=256 simple_bind=256
#security ssf=128 update_ssf=128 simple_bind=128
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
disallow bind_anon
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=root,dc=cheetah,dc=com" write
        by * none
access to *
        by self write
        by dn.base="cn=root,dc=cheetah,dc=com" write
        by * read
#######################################################################
# MDB database definitions
#######################################################################
database mdb
maxsize 1073741824
suffix "dc=cheetah,dc=com"
rootdn "cn=root,dc=cheetah,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SHA512}EWZsDXlOewqSeOvnuTt+A0Al4WZg8cGd06vU/s2B5up/NM2qbMH4FHtb9545XasonZXIKJK79xJ1MzCDxJQI8Q==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/openldap-data
# Indices to maintain
index objectClass eq
index uid,uidNumber,gidNumber pres,eq
index cn,sn,gn pres,eq,sub,approx
index mail pres,eq
index owner,member,memberOf,uniqueMember,manager eq
index memberUid eq
overlay memberof
TLSCipherSuite HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2
TLSCertificateFile /etc/ssl/certs/cheetah.com.crt
TLSCertificateKeyFile /etc/ssl/certs/cheetah.com.key
TLSCACertificateFile /etc/ssl/certs/cheetah.com.crt
TLSDHParamFile /etc/ssl/certs/dhparam.pem
TLSVerifyClient allow
logfile /var/log/openldap/slapd.log
loglevel 0x100
/usr/local/etc/openldap/ldap.conf
Code:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
base dc=cheetah,dc=com
uri ldapi:///
#ssl start_tls
#tls_cacert /etc/ssl/certs/cheetah.com.crt
#tls_cacertdir /etc/ssl/certs
#tls_reqcert allow
#tls_reqcert never
/usr/local/etc/saslauthd.conf
Code:
ldap_servers: ldapi:///
ldap_version: 3
ldap_timeout: 60
ldap_use_sasl: no
ldap_start_tls: no
ldap_mech: PLAIN LOGIN
ldap_auth_method: bind
ldap_bind_dn: cn=root,dc=cheetah,dc=com
ldap_bind_pw: password
ldap_search_base: ou=people,dc=cheetah,dc=com
ldap_filter: (&(uid=%u))
#ldap_filter: (&(memberOf=cn=cheetah.com,ou=groups,dc=cheetah,dc=com)(memberOf=cn=Subversion,ou=groups,dc=cheetah,dc=com)(uid=%u))
ldap_debug: 1
I believe the difference between DokuWiki and testsaslauthd lies here:
Code:
/// DokuWiki
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=0 BIND dn="cn=root,dc=cheetah,dc=com" method=128
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=0 BIND dn="cn=root,dc=cheetah,dc=com" mech=SIMPLE ssf=0
/// testsaslauthd
Jul 29 16:38:01 core slapd[49965]: conn=1030 op=0 BIND dn="cn=root,dc=cheetah,dc=com" method=128
I'm not sure how to force testsaslauthd to do the mech=SIMPLE ssf=0 part.
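An added diagnostic example (editor's code, not part of the post above and not an OpenLDAP tool): at loglevel 0x100 slapd writes one `BIND ... method=` line per bind request and one `RESULT tag=97 err=` line per bind response, and `err=49` is the LDAP `invalidCredentials` resultCode for the `cn=root` bind itself. The `mech=... ssf=...` line comes from slapd's bind-success path, so it is absent whenever the result is non-zero. The script below therefore pairs each BIND with its RESULT and reports binds by resultCode rather than by the presence of that line. The sample log lines reproduce the shapes quoted in the post; the `AUTH_METHOD` and `LDAP_RESULT` tables are the protocol constants, assumed here for readability, not something slapd emits.

```python
#!/usr/bin/env python3
"""Pair each BIND request in an OpenLDAP slapd stats log (loglevel 0x100)
with its RESULT line, so a failed bind is reported by LDAP resultCode
rather than by the absence of the "mech=... ssf=..." line."""
import re

# Line shapes as written by slapd at loglevel "stats"
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
MECH_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="[^"]*" mech=(\S+) ssf=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)')

BIND_RESPONSE_TAG = 97                        # BindResponse is [APPLICATION 1] -> 0x61
AUTH_METHOD = {128: "simple", 163: "sasl"}    # LDAP_AUTH_SIMPLE (0x80) / LDAP_AUTH_SASL (0xa3)
LDAP_RESULT = {                               # RFC 4511 resultCodes relevant to bind
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    13: "confidentialityRequired",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}


def correlate_binds(lines):
    """Return one record per non-anonymous BIND, in log order, carrying the
    mechanism slapd reported (logged only after a successful bind) and the
    resultCode from the matching RESULT tag=97 line."""
    binds, order = {}, []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            binds[key] = {"conn": key[0], "op": key[1], "dn": m.group(3),
                          "method": AUTH_METHOD.get(int(m.group(4)), m.group(4)),
                          "mech": None, "ssf": None,
                          "err": None, "result": "no RESULT logged"}
            order.append(key)
            continue
        m = MECH_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            if key in binds:
                binds[key]["mech"], binds[key]["ssf"] = m.group(3), int(m.group(4))
            continue
        m = RESULT_RE.search(line)
        if m and int(m.group(3)) == BIND_RESPONSE_TAG:
            key = (int(m.group(1)), int(m.group(2)))
            if key in binds:
                err = int(m.group(4))
                binds[key]["err"] = err
                binds[key]["result"] = LDAP_RESULT.get(err, f"resultCode {err}")
    return [binds[k] for k in order]


def failed_binds(lines):
    """Binds whose RESULT was missing or non-zero (a missing RESULT is
    treated as a failure so a truncated log does not hide one)."""
    return [b for b in correlate_binds(lines) if b["err"] != 0]


# Constructed sample reproducing the line shapes quoted in the post: a
# successful rootdn bind, a successful user bind, a search, and the failed
# rootdn bind made by saslauthd.
SAMPLE_LOG = """\
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=0 BIND dn="cn=root,dc=cheetah,dc=com" method=128
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=0 BIND dn="cn=root,dc=cheetah,dc=com" mech=SIMPLE ssf=0
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=0 RESULT tag=97 err=0 text=
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=4 BIND anonymous mech=implicit ssf=0
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=4 BIND dn="uid=mohammad.babaei,ou=people,dc=cheetah,dc=com" method=128
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=4 BIND dn="uid=mohammad.babaei,ou=people,dc=cheetah,dc=com" mech=SIMPLE ssf=0
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=4 RESULT tag=97 err=0 text=
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=6 SRCH base="ou=people,dc=cheetah,dc=com" scope=2 deref=0 filter="(&(uid=mohammad.babaei))"
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 29 16:38:01 core slapd[49965]: conn=1030 op=0 BIND dn="cn=root,dc=cheetah,dc=com" method=128
Jul 29 16:38:01 core slapd[49965]: conn=1030 op=0 RESULT tag=97 err=49 text=
""".splitlines()

if __name__ == "__main__":
    for b in correlate_binds(SAMPLE_LOG):
        print(f"conn={b['conn']} op={b['op']} dn={b['dn']} method={b['method']} "
              f"mech={b['mech']} ssf={b['ssf']} -> {b['result']}")
```

Run against a real `/var/log/openldap/slapd.log` by replacing `SAMPLE_LOG` with `open(path).read().splitlines()`; `failed_binds()` then lists every bind that slapd rejected together with its resultCode, which is the field to act on (for conn=1030 it is the rootdn's own credentials, before any user lookup happens).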
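A related least-privilege point, as an added example from the editor rather than from the post or from the Cyrus SASL or OpenLDAP projects, and not a fix for the err=49 failure above: with `ldap_auth_method: bind`, saslauthd uses `ldap_bind_dn` only to search for the user's entry and then binds as the user, so the search account does not need to be the rootdn. The fragments below assume a `cn=saslauthd,ou=services,dc=cheetah,dc=com` entry and an existing `ou=services` container (both assumptions); the `{SSHA}` value stands for the output of `slappasswd`, and the existing `access to * ... by * read` rule already lets an authenticated account search `ou=people`, while the user's own bind is still covered by `by anonymous auth` on `userPassword`.

```text
# LDIF for the search-only account (add with ldapadd as the rootdn;
# the DN and ou=services are assumptions for this example)
dn: cn=saslauthd,ou=services,dc=cheetah,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: saslauthd
description: search-only bind account for saslauthd
userPassword: {SSHA}<paste the output of: slappasswd -h '{SSHA}'>

# /usr/local/etc/saslauthd.conf, mode 0600 and owned by the user saslauthd
# runs as, because ldap_bind_pw is a cleartext secret
ldap_servers: ldapi:///
ldap_version: 3
ldap_timeout: 60
ldap_use_sasl: no
ldap_start_tls: no
ldap_auth_method: bind
ldap_bind_dn: cn=saslauthd,ou=services,dc=cheetah,dc=com
ldap_bind_pw: <the password set on that entry>
ldap_search_base: ou=people,dc=cheetah,dc=com
# Restrict Subversion logins to members of the Subversion group, as in the
# commented-out filter in the post; memberOf is maintained by the memberof overlay
ldap_filter: (&(uid=%u)(memberOf=cn=Subversion,ou=groups,dc=cheetah,dc=com))
```

With this split the rootdn password stays in `slapd.conf` only, and a compromise of the saslauthd host or its config file yields a directory-read account rather than full write access to the DIT.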