Using LD Bridge with the RCDevs Directory as LDAP backend


Jaco Stienstra

Dec 4, 2015, 7:02:58 AM
to RCDevs Security Solutions - Technical
Hi,

I'm trying to implement LDAP with OTP for vCenter using the new LDAP bridge. I also want to use the default RCDevs Directory as the backend LDAP directory, and I'm running into a problem: LDAP requests are not forwarded to the RCDevs directory, but authentication goes to the OTP service regardless of the openotp-ignored_dn setting. I've created an LDAP user with read-only access to the directory and tested with ldapsearch:
 
ldapsearch -x -D "cn=ldproxy,o=Root" -w 123 -H ldap://0.0.0.0:389

Searching via the LDAP proxy does not work: 
ldapsearch -D "cn=ldproxy,o=Root" -w 123 -H ldap://0.0.0.0:10389 -b o=Root


The authentication request goes to the OpenOTP service, which it cannot access because it is an LDAP account and not a WebADM account.

These are settings in slapd.conf:

# IP address or hostname of your LDAP back-end.
uri             ldap://0.0.0.0/

# Proxy user used to proxy queries to the LDAP back-end.
acl-bind        bindmethod="simple"
                binddn="cn=ldproxy,o=Root"
                credentials="123"

# Proxy user used for OTP user binds to the LDAP back-end.
openotp-bind_dn "cn=ldproxy,o=Root"
openotp-bind_pw "123"

openotp-ignored_dn "cn=ldproxy,o=Root"



The authentication log, this user should not be authenticated by the webservice but should go directly to 
[2015-12-04 12:21:49] [127.0.0.1] [OpenOTP:D1619830] New openotpSimpleLogin SOAP request
[2015-12-04 12:21:49] [127.0.0.1] [OpenOTP:D1619830] > Username: ldproxy
[2015-12-04 12:21:49] [127.0.0.1] [OpenOTP:D1619830] > Domain: mydomain
[2015-12-04 12:21:49] [127.0.0.1] [OpenOTP:D1619830] > Password: xxxxxxxxxxxx
[2015-12-04 12:21:49] [127.0.0.1] [OpenOTP:D1619830] > Client ID: ldproxy
[2015-12-04 12:21:49] [127.0.0.1] [OpenOTP:D1619830] > Source IP: 127.0.0.1
[2015-12-04 12:21:49] [127.0.0.1] [OpenOTP:D1619830] > Settings: ChallengeMode=No
[2015-12-04 12:21:49] [127.0.0.1] [OpenOTP:D1619830] > Options: -U2F
[2015-12-04 12:21:49] [127.0.0.1] [OpenOTP:D1619830] Enforcing client policy: ldproxy


Did I configure it correctly, and is this setup possible? Also, what is the difference between the acl-bind user and the openotp-bind user? Do I need to create separate accounts for these options?


Administrators

Dec 4, 2015, 8:26:00 AM
to RCDevs Security Solutions - Technical
The acl-bind user is used to proxy LDAP requests to the backend. So ldproxy always binds as the acl-bind user for searches and other LDAP requests to the back-end.
This user must be able to do all your LDAP operations on the back-end.

openotp-bind_dn is used to handle user binds to the backend while it runs the OpenOTP password check.
This is a bind-only user.

Your cn=ldproxy should not be used by the client application. It is a user for the ldproxy itself.

Jaco Stienstra

Dec 7, 2015, 4:09:13 AM
to RCDevs Security Solutions - Technical
So does that mean that every request (like ldapsearch) is forwarded to the backend with the configured backend user? I did some digging in the logs to compare searches, but I'm not seeing any authentication as the acl-bind user in the RCDevs directory slapd logs when searching anonymously on the ldproxy server:

ldapsearch -x -H ldap://0.0.0.0:10389 -b "o=Root"

This fails with an "Insufficient access" error. I'm new to LDAP; any chance you could elaborate a bit on how to configure this? Thanks.

Also, I ran into a small bug while testing: searching with the webadm user kills the ldproxy:

ldapsearch -x -D "cn=webadm,dc=WebADM" -w Password1234 -H ldap://0.0.0.0:10389 -b "o=Root"

56654c38 openotp_bind: converting cn=webadm,dc=webadm to name, using attribute 'uid'.
56654c38 openotp_bind: could not find 'uid' among attributes of 'cn=webadm,dc=webadm'.
56654c38 openotp_bind: converting cn=webadm,dc=webadm to name, using attribute 'sAMAccountName'.
rcdevs-ldproxy: ad.c:178: slap_bv2ad: Assertion `*ad == ((void *)0)' failed.
/etc/init.d/ldproxy: line 52: 24411 Aborted                 rcdevs-ldproxy -d any -u $USER -h "ldap://$INTERFACE:$PORT_STD ldaps://$INTERFACE:$PORT_SSL"

On Friday, 4 December 2015 14:26:00 UTC+1, Administrators wrote:

Spyridon Gouliarmis (RCDevs)

Dec 8, 2015, 10:18:45 AM
to RCDevs Security Solutions - Technical
Hello Jaco,

the ignored DN must be in lowercase (actually, in the format OpenOTP considers "normalised"; I don't know if this is standard or not). The next version will automatically convert the string, but right now, you have to do it by hand.

The acl-bind user is used by LDProxy to find the DN of the object associated to a username (looking inside the attributes you specify, usually 'uid' and 'sAMAccountName').

Any access through LDProxy, except from the ignored DN, is done as the bind-dn.

Can you show us the debug output when LDProxy crashes? As the manual recommends, start with 'service ldproxy debug | grep openotp'.
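As an added illustration, not code from LDProxy or RCDevs: a small Python model of the bind routing described above (a bind as the ignored DN goes straight to the back-end, anything else goes through the OpenOTP check) plus a lint for the slapd.conf fragment from the first post. The normalisation rule (lowercase, whitespace stripped around RDN separators), the continuation-line parsing and the "compared as written" behaviour of the ignored DN are assumptions drawn from this thread.

```python
import re

# Constructed slapd.conf fragment, mirroring the directives posted in the thread.
SLAPD_CONF = """
# IP address or hostname of your LDAP back-end.
uri             ldap://0.0.0.0/

# Proxy user used to proxy queries to the LDAP back-end.
acl-bind        bindmethod="simple"
                binddn="cn=ldproxy,o=Root"
                credentials="123"

# Proxy user used for OTP user binds to the LDAP back-end.
openotp-bind_dn "cn=ldproxy,o=Root"
openotp-bind_pw "123"

openotp-ignored_dn "cn=ldproxy,o=Root"
"""

def parse_conf(text):
    """Directive -> value; indented lines continue the previous directive (slapd.conf style)."""
    conf, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:
            conf[key] += " " + raw.strip()
        else:
            key, _, val = raw.partition(" ")
            conf[key] = val.strip()
    return conf

def normalise_dn(dn):
    """Assumed 'normalised' form: lowercase, no whitespace around the commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def route_bind(conf, bind_dn, as_written=False):
    """Model of the routing decision. as_written=True models the behaviour in the thread:
    the incoming DN is normalised but the configured ignored DN is compared untouched,
    so a mixed-case ignored_dn never matches and the bind is sent to OpenOTP."""
    ignored = conf.get("openotp-ignored_dn", "").strip('"')
    configured = ignored if as_written else normalise_dn(ignored)
    return "backend" if normalise_dn(bind_dn) == configured else "openotp"

def lint(conf):
    """Warnings a practitioner would want before deploying this fragment."""
    warnings = []
    ignored = conf.get("openotp-ignored_dn", "").strip('"')
    if ignored != normalise_dn(ignored):
        warnings.append("openotp-ignored_dn is not in normalised (lowercase) form")
    m = re.search(r'binddn="([^"]*)"', conf.get("acl-bind", ""))
    if m and normalise_dn(m.group(1)) == normalise_dn(ignored):
        warnings.append("acl-bind proxy account doubles as the ignored DN; give clients a separate read-only account")
    return warnings
```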

Spyridon Gouliarmis (RCDevs)

Dec 9, 2015, 5:22:42 AM
to RCDevs Security Solutions - Technical
Oh, I didn't see the log bits you posted. Yes, that's a bug that somehow got past the tests. It's an easy fix, for the next version.

Did things work with the modified ignored-dn?

Spyridon Gouliarmis (RCDevs)

Dec 9, 2015, 7:47:08 AM
to RCDevs Security Solutions - Technical
There's a new version of LDProxy out that should fix your issues.

Jaco Stienstra

Dec 9, 2015, 10:04:59 AM
to RCDevs Security Solutions - Technical
Excellent, thanks, got it working! I made a separate user with read access to the RCDevs directory and added it to the ignored_dn option (lowercase).


On Wednesday, 9 December 2015 13:47:08 UTC+1, Spyridon Gouliarmis (RCDevs) wrote: