The directory auth plugin appears to require the LDAP server that it uses for authentication to support anonymous binds. Our environment has anonymous binds disabled, so user auth fails. Dogtag should support using a specific LDAP user to perform these group membership searches via an authenticated bind over LDAPS/STARTTLS. Another approach might be to conduct the group membership search following authenticating the user and perform the search as this user.
LDAP logs during an auth attempt:
[28/Jul/2015:16:45:26 -0400] conn=169089 fd=84 slot=84 SSL connection from 192.168.1.22 to 192.168.1.10
[28/Jul/2015:16:45:26 -0400] conn=169089 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bob)" attrs="memberOf"
[28/Jul/2015:16:45:26 -0400] conn=169089 op=0 RESULT err=0 tag=101 nentries=1 etime=0
^^^^^^^^^^ this is what fails with anon. binds disabled ^^^^^^^^^^^
[28/Jul/2015:16:45:26 -0400] conn=169089 op=1 BIND dn="uid=bob,ou=users,dc=example,dc=com" method=128 version=2
[28/Jul/2015:16:45:26 -0400] conn=169089 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bob,ou=users,dc=example,dc=com"
[28/Jul/2015:16:45:26 -0400] conn=169089 op=2 SRCH base="uid=bob,ou=users,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="mail cn uid mail cn"
[28/Jul/2015:16:45:26 -0400] conn=169089 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[28/Jul/2015:16:45:26 -0400] conn=169089 op=3 UNBIND
Per meeting of 07/31/2015: 10.2.7 (blocker)
commit c13593770108b6d683ab3d3b43b92d67ac64a1ef
Author: Christina Fu cfu@redhat.com
Date: Wed Aug 5 16:21:51 2015 -0700

Ticket 1531 Directory auth plugin requires LDAP anonymous binds
- This patch adds a feature to allow a directory based authentication plugin to use bound ldap connection instead of anonymous.
Two files need to be edited:
1. <instance>/conf/password.conf
   add a "tag" and the password of the binding user dn to the file
   e.g. externalLDAP=password123
2. <instance>/ca/CS.cfg
   add the tag to cms.passwordlist:
   e.g. cms.passwordlist=internaldb,replicationdb,externalLDAP
   add the authPrefix of the auths entry for the authentication instance
   e.g. externalLDAP.authPrefix=auths.instance.UserDirEnrollment
   add relevant entries to the authentication instance
   e.g. auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
   auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
   auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=rhcs,ou=ser
   auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalL
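The bound-search-then-user-bind flow that the patch above configures, shown as an added example written with the JDK's JNDI API (it is not Dogtag's own implementation). The LDAPS URL, base DN and full service-account DN are assumptions, since the ticket only shows a truncated bindDN:

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
/** Directory auth using a bound service connection instead of an anonymous search. */
public class BoundDirAuth {
    // Assumed values: the ticket only shows the truncated bindDN "uid=rhcs,ou=ser".
    static final String URL = "ldaps://ldap.example.com:636", BASE = "dc=example,dc=com";
    static final String SVC_DN = "uid=rhcs,ou=services,dc=example,dc=com";
    /** Simple bind over LDAPS; an empty DN would be the anonymous bind that fails here. */
    static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }
    /** op=0 from the log, run as the service account: subtree search for the uid. */
    static String findUserDn(DirContext svc, String uid) throws NamingException {
        // Escape filter metacharacters (RFC 4515) so the login name cannot alter the filter.
        String safe = uid.replace("\\", "\\5c").replace("*", "\\2a")
                         .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00");
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"memberOf"}); // what the group check reads
        NamingEnumeration<SearchResult> hits = svc.search(BASE, "(uid=" + safe + ")", sc);
        if (!hits.hasMore()) return null;
        String dn = hits.next().getNameInNamespace();
        return hits.hasMore() ? null : dn;            // refuse ambiguous matches
    }
    /** True only if the user's own bind (op=1 in the log) succeeds with a non-empty password. */
    static boolean authenticate(String uid, String password, String svcPassword) {
        if (password == null || password.isEmpty()) return false; // empty pw = unauthenticated bind
        DirContext svc = null, user = null;
        try {
            svc = bind(SVC_DN, svcPassword);
            String dn = findUserDn(svc, uid);
            if (dn == null) return false;
            user = bind(dn, password);                // op=2's attribute read would use this context
            return true;
        } catch (NamingException e) {
            return false;                             // bad credentials or directory error
        } finally {
            for (DirContext c : new DirContext[] {user, svc})
                if (c != null) try { c.close(); } catch (NamingException ignore) {}
        }
    }
}
```

With anonymous binds disabled, a directory would reject the op=0 search unless it runs on the bound service connection, which is the only thing this code changes relative to the original plugin flow.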
Modified in 10.2.6-5.
Metadata Update from @bja:
- Issue assigned to cfu
- Issue set to the milestone: 10.2.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2090
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.