* auto.master in ldap + simple bind
@ 2009-01-16 14:54 Ondrej Valousek
From: Ondrej Valousek @ 2009-01-16 14:54 UTC (permalink / raw)
  To: autofs@linux.kernel.org

Hi all,
I am trying to configure autofs (RHEL 5.2) to gather all maps from
Active Directory using simple bind using proxy user.
I have already managed to configure the PADL nss switch to do so using this:

host 192.168.60.172
base dc=ad,dc=s3group,dc=cz
binddn cn=ldapproxy,cn=Users,dc=ad,dc=s3group,dc=cz
bindpw password

Now I am wondering how to do the same with the automounter. Does anyone
know?
I see lots of options on how to configure TLS or SASL, but I just need a
simple bind.
Many thanks,

Ondrej


* Re: auto.master in ldap + simple bind
@ 2009-01-16 16:12 ` Ian Kent
From: Ian Kent @ 2009-01-16 16:12 UTC (permalink / raw)
  To: Ondrej Valousek; +Cc: autofs@linux.kernel.org

On Fri, 2009-01-16 at 15:54 +0100, Ondrej Valousek wrote:
> Hi all,
> I am trying to configure autofs (RHEL 5.2) to gather all maps from
> Active Directory using simple bind using proxy user.
> I have already managed to configure the PADL nss switch to do so using this:
> 
> host 192.168.60.172
> base dc=ad,dc=s3group,dc=cz
> binddn cn=ldapproxy,cn=Users,dc=ad,dc=s3group,dc=cz
> bindpw password
> 
> Now I am wondering how to do the same with the automounter. Does anyone
> know?
> I see lots of options on how to configure TLS or SASL, but I just need a
> simple bind.

This might work.

authrequired="yes"
user="cn=ldapproxy,cn=Users,dc=ad,dc=s3group,dc=cz"
secret="password"

You might also need to play with authtype.

Ian


* Re: auto.master in ldap + simple bind
@ 2009-01-17  5:03   ` Ian Kent
From: Ian Kent @ 2009-01-17  5:03 UTC (permalink / raw)
  To: Ondrej Valousek; +Cc: autofs@linux.kernel.org

On Sat, 2009-01-17 at 01:12 +0900, Ian Kent wrote:
> On Fri, 2009-01-16 at 15:54 +0100, Ondrej Valousek wrote:
> > Hi all,
> > I am trying to configure autofs (RHEL 5.2) to gather all maps from
> > Active Directory using simple bind using proxy user.
> > I have already managed to configure the PADL nss switch to do so using this:
> > 
> > host 192.168.60.172
> > base dc=ad,dc=s3group,dc=cz
> > binddn cn=ldapproxy,cn=Users,dc=ad,dc=s3group,dc=cz
> > bindpw password
> > 
> > Now I am wondering how to do the same with the automounter. Does anyone
> > know?
> > I see lots of options on how to configure TLS or SASL, but I just need a
> > simple bind.
> 
> This might work.
> 
> authrequired="yes"
> user="cn=ldapproxy,cn=Users,dc=ad,dc=s3group,dc=cz"
> secret="password"
> 
> You might also need to play with authtype.

Of course that's contained in /etc/autofs_ldap_auth.conf

> 
> Ian
> 
> 
> _______________________________________________
> autofs mailing list
> autofs@linux.kernel.org
> http://linux.kernel.org/mailman/listinfo/autofs


* Re: auto.master in ldap + simple bind
@ 2009-01-18 19:01     ` webserv
From: webserv @ 2009-01-18 19:01 UTC (permalink / raw)
  To: Ian Kent; +Cc: autofs@linux.kernel.org

Hi Ian,
I tried that already, also played with several authtypes and still no joy.
So I enabled autofs debugging and saw that no matter what I try,
automounter tries to bind anonymously - that fails with AD. I need to bind
using the proxy user...
Thanks,
Ondrej
> On Sat, 2009-01-17 at 01:12 +0900, Ian Kent wrote:
>> On Fri, 2009-01-16 at 15:54 +0100, Ondrej Valousek wrote:
>> > Hi all,
>> > I am trying to configure autofs (RHEL 5.2) to gather all maps from
>> > Active Directory using simple bind using proxy user.
>> > I have already managed to configure the PADL nss switch to do so using
>> this:
>> >
>> > host 192.168.60.172
>> > base dc=ad,dc=s3group,dc=cz
>> > binddn cn=ldapproxy,cn=Users,dc=ad,dc=s3group,dc=cz
>> > bindpw password
>> >
>> > Now I am wondering how to do the same with the automounter. Does
>> anyone
>> > know?
>> > I see lots of options on how to configure TLS or SASL, but I just need
>> a
>> > simple bind.
>>
>> This might work.
>>
>> authrequired="yes"
>> user="cn=ldapproxy,cn=Users,dc=ad,dc=s3group,dc=cz"
>> secret="password"
>>
>> You might also need to play with authtype.
>
> Of course that's contained in /etc/autofs_ldap_auth.conf
>
>>
>> Ian
>>
>>
>
>





* Re: auto.master in ldap + simple bind
@ 2009-01-19  2:42       ` Ian Kent
From: Ian Kent @ 2009-01-19  2:42 UTC (permalink / raw)
  To: webserv; +Cc: autofs@linux.kernel.org

On Sun, 2009-01-18 at 19:01 +0000, webserv@s3group.com wrote:
> Hi Ian,
> I tried that already, also played with several authtypes and still no joy.
> So I enabled autofs debugging and saw that no matter what I try,
> automounter tries to bind anonymously - that fails with AD. I need to bind
> using the proxy user...

Show us the logs.

> Thanks,
> Ondrej
> > On Sat, 2009-01-17 at 01:12 +0900, Ian Kent wrote:
> >> On Fri, 2009-01-16 at 15:54 +0100, Ondrej Valousek wrote:
> >> > Hi all,
> >> > I am trying to configure autofs (RHEL 5.2) to gather all maps from
> >> > Active Directory using simple bind using proxy user.
> >> > I have already managed to configure the PADL nss switch to do so using
> >> this:
> >> >
> >> > host 192.168.60.172
> >> > base dc=ad,dc=s3group,dc=cz
> >> > binddn cn=ldapproxy,cn=Users,dc=ad,dc=s3group,dc=cz
> >> > bindpw password
> >> >
> >> > Now I am wondering how to do the same with the automounter. Does
> >> anyone
> >> > know?
> >> > I see lots of options on how to configure TLS or SASL, but I just need
> >> a
> >> > simple bind.
> >>
> >> This might work.
> >>
> >> authrequired="yes"
> >> user="cn=ldapproxy,cn=Users,dc=ad,dc=s3group,dc=cz"
> >> secret="password"
> >>
> >> You might also need to play with authtype.
> >
> > Of course that's contained in /etc/autofs_ldap_auth.conf
> >
> >>
> >> Ian
> >>
> >>
> >
> >
> 
> 
> 


* Re: auto.master in ldap + simple bind
@ 2009-01-19 11:26         ` Ondrej Valousek
From: Ondrej Valousek @ 2009-01-19 11:26 UTC (permalink / raw)
  To: Ian Kent; +Cc: autofs@linux.kernel.org


> Show us the logs.
>
>   
Hi Ian,

I did some digging around and found this:
1. autofs 5 as shipped with RHEL 5.2 does not seem to support simple
bind (i.e. something like ldapsearch -x .....) to an LDAP server not
supporting anonymous access - like Active Directory (note for the
record: Autofs 4 only supports anonymous LDAP servers)
2. The only other thing autofs 5 can do is various SASL authentication
schemes (GSSAPI, PLAIN,.....).
3. Active Directory can do SASL and the common mechanisms that both can
do are GSSAPI and DIGEST-MD5.
4. I tried with DIGEST-MD5:

[root@dorado_v1 etc]# cat /etc/sysconfig/autofs
LDAP_URI="ldap://WIN-UG29HR9IEGY"
SEARCH_BASE="cn=praguetest,cn=prague,dc=ad,dc=s3group,dc=cz"
....
[root@dorado_v1 etc]# cat /etc/autofs_ldap_auth.conf
<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="no"
        authrequired="yes"
        authtype="DIGEST-MD5"
        user="ldapproxy"
        secret="1234proxy$"
/>
Verified its functionality with ldapsearch:
[root@dorado_v1 etc]# ldapsearch -H ldap://WIN-UG29HR9IEGY -Y DIGEST-MD5
-U ldapproxy -w 1234proxy$ -b
"cn=praguetest,cn=prague,dc=ad,dc=s3group,dc=cz" objectClass=nisMap
SASL/DIGEST-MD5 authentication started
SASL username: ldapproxy
SASL SSF: 128
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <cn=praguetest,cn=prague,dc=ad,dc=s3group,dc=cz> with scope subtree
# filter: objectClass=nisMap
# requesting: ALL
#

# auto.master, praguetest, prague, ad.s3group.cz
dn: CN=auto.master,CN=praguetest,CN=prague,DC=ad,DC=s3group,DC=cz
objectClass: top
objectClass: nisMap
cn: auto.master
distinguishedName:
CN=auto.master,CN=praguetest,CN=prague,DC=ad,DC=s3group,DC=
 cz
instanceType: 4
whenCreated: 20090116124656.0Z
whenChanged: 20090116124656.0Z
uSNCreated: 20610
uSNChanged: 20610
showInAdvancedViewOnly: TRUE
name: auto.master
objectGUID:: 2T1wg8oG70G3VpHKlieoWQ==
objectCategory: CN=NisMap,CN=Schema,CN=Configuration,DC=ad,DC=s3group,DC=cz
dSCorePropagationData: 16010101000000.0Z
nisMapName: auto.master
....
eheeej should work with the automounter, ok? But it does not:

Jan 19 11:55:41 dorado_v1 automount[22886]: Starting automounter version
5.0.1-0.rc2.88.el5_2.1, master map auto.master
Jan 19 11:55:41 dorado_v1 automount[22886]: using kernel protocol
version 5.00
Jan 19 11:55:41 dorado_v1 automount[22886]: lookup_nss_read_master:
reading master files auto.master
Jan 19 11:55:41 dorado_v1 automount[22886]: parse_init: parse(sun): init
gathered global options: (null)
Jan 19 11:55:41 dorado_v1 automount[22886]: lookup_read_master:
lookup(file): read entry /misc
Jan 19 11:55:41 dorado_v1 automount[22886]: lookup_read_master:
lookup(file): read entry /net
Jan 19 11:55:41 dorado_v1 automount[22886]: lookup_read_master:
lookup(file): read entry +auto.master
Jan 19 11:55:41 dorado_v1 automount[22886]: lookup_nss_read_master:
reading master files auto.master
Jan 19 11:55:41 dorado_v1 automount[22886]: parse_init: parse(sun): init
gathered global options: (null)
Jan 19 11:55:41 dorado_v1 automount[22886]: lookup_nss_read_master:
reading master ldap auto.master
Jan 19 11:55:41 dorado_v1 automount[22886]: parse_server_string:
lookup(ldap): Attempting to parse LDAP information from string
"auto.master".
Jan 19 11:55:41 dorado_v1 automount[22886]: parse_server_string:
lookup(ldap): mapname auto.master
Jan 19 11:55:41 dorado_v1 automount[22886]: parse_ldap_config:
lookup(ldap): ldap authentication configured with the following options:
Jan 19 11:55:41 dorado_v1 automount[22886]: parse_ldap_config:
lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 2, sasl_mech:
DIGEST-MD5
Jan 19 11:55:41 dorado_v1 automount[22886]: parse_ldap_config:
lookup(ldap): user: ldapproxy, secret: specified, client principal:
(null) credential cache: (null)
Jan 19 11:55:41 dorado_v1 automount[22886]: find_server: trying server
ldap://WIN-UG29HR9IEGY
Jan 19 11:55:41 dorado_v1 automount[22886]: sasl_bind_mech: Attempting
sasl bind with mechanism DIGEST-MD5
Jan 19 11:55:41 dorado_v1 automount[22886]: sasl_log_func: DIGEST-MD5
client step 2
Jan 19 11:55:41 dorado_v1 automount[22886]: getuser_func: called with
context (nil), id 16386.
Jan 19 11:55:41 dorado_v1 automount[22886]: getuser_func: called with
context (nil), id 16385.
Jan 19 11:55:41 dorado_v1 automount[22886]: getpass_func: context (nil),
id 16388
Jan 19 11:55:41 dorado_v1 automount[22886]: sasl_log_func: DIGEST-MD5
client step 3
Jan 19 11:55:41 dorado_v1 automount[22886]: sasl_bind_mech: sasl bind
with mechanism DIGEST-MD5 succeeded
Jan 19 11:55:41 dorado_v1 automount[22886]: do_bind: lookup(ldap):
auth_required: 2, sasl_mech DIGEST-MD5
Jan 19 11:55:41 dorado_v1 automount[22886]: sasl_bind_mech: Attempting
sasl bind with mechanism DIGEST-MD5
Jan 19 11:55:41 dorado_v1 automount[22886]: sasl_log_func: DIGEST-MD5
client step 1
Jan 19 11:55:41 dorado_v1 automount[22886]: getuser_func: called with
context (nil), id 16386.
Jan 19 11:55:41 dorado_v1 automount[22886]: getuser_func: called with
context (nil), id 16385.
Jan 19 11:55:41 dorado_v1 automount[22886]: getpass_func: context (nil),
id 16388
Jan 19 11:55:41 dorado_v1 automount[22886]: Error parsing response to
sasl_bind request: Invalid credentials.
Jan 19 11:55:41 dorado_v1 automount[22886]: The LDAP server indicated
that the LDAP SASL bind was incomplete, but did not provide the required
data to proceed. LDAP SASL bind with mechanism DIGEST-MD5 failed.
Jan 19 11:55:41 dorado_v1 automount[22886]: sasl bind with mechanism
DIGEST-MD5 failed
Jan 19 11:55:41 dorado_v1 automount[22886]: do_bind: lookup(ldap):
autofs_sasl_bind returned -1
Jan 19 11:55:41 dorado_v1 automount[22886]: connect_to_server:
lookup(ldap): cannot bind to server
Jan 19 11:55:41 dorado_v1 automount[22886]: lookup_init: lookup(ldap):
failed to find available server

Now tell me - it looks good at the beginning, but then something goes
wrong...
Please advise...
Thanks,

Ondrej


* Re: auto.master in ldap + simple bind
@ 2009-01-21  9:36         ` Ondrej Valousek
From: Ondrej Valousek @ 2009-01-21  9:36 UTC (permalink / raw)
  Cc: autofs@linux.kernel.org

There is something rotten in lookup_ldap.c but I cannot put my
finger on it.
Things go bad in the lookup_init() function:
  5   4.389459 192.168.60.171 -> 192.168.60.172 LDAP bindRequest(1)
"<ROOT>" sasl
  6   4.390383 192.168.60.172 -> 192.168.60.171 LDAP bindResponse(1)
saslBindInProgress
  7   4.390396 192.168.60.171 -> 192.168.60.172 TCP 39957 > ldap [ACK]
Seq=27 Ack=218 Win=6912 Len=0 TSV=17330479 TSER=592592279
  8   4.390846 192.168.60.171 -> 192.168.60.172 LDAP bindRequest(2)
"<ROOT>" sasl
  9   4.392733 192.168.60.172 -> 192.168.60.171 LDAP bindResponse(2) success
 10   4.393095 192.168.60.171 -> 192.168.60.172 LDAP bindRequest(3)
"<ROOT>" sasl
 11   4.394062 192.168.60.172 -> 192.168.60.171 LDAP bindResponse(3)
invalidCredentials (00090313: LdapErr: DSID-0C0904D1, comment:
AcceptSecurityContext error, data 0, v1771)
 12   4.394188 192.168.60.171 -> 192.168.60.172 LDAP unbindRequest(4)

Packets 8,9 - we connect to the server to verify the authentication
mechanism, but then we should drop the connection - line 1286 - call to
ldap_unbind_connection(). But this never happens according to the
tcpdump. Instead, another bind follows and fails. The question is now:
1. Why is there no unbindRequest packet? In general, I see 3 bind
requests but only one unbindRequest....
2. Why does the second bindRequest fail when the first one succeeds?

I do not want to be too picky, but Windows Server 2008 is the first
server OS from MS to support the RFC2307 LDAP schema so I believe we should
be able to connect to it. I have opened a case #1887566 with Red Hat
regarding this....
Ondrej
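As an added example (Python written for this page, not code from the thread or from autofs), the script below parses the tshark summary lines quoted above, groups the SASL bind steps into exchanges by messageID, and reports the two things the post asks about: a new bindRequest sent on an already-bound connection with no unbindRequest before it, and the exchange that ends in invalidCredentials. The trace lines are embedded as the constructed sample input.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the tshark summary lines quoted in the thread
# (packet no., time, src -> dst, protocol, LDAP operation(messageID), result).
TRACE = """\
  5   4.389459 192.168.60.171 -> 192.168.60.172 LDAP bindRequest(1) "<ROOT>" sasl
  6   4.390383 192.168.60.172 -> 192.168.60.171 LDAP bindResponse(1) saslBindInProgress
  7   4.390396 192.168.60.171 -> 192.168.60.172 TCP 39957 > ldap [ACK] Seq=27 Ack=218 Win=6912 Len=0
  8   4.390846 192.168.60.171 -> 192.168.60.172 LDAP bindRequest(2) "<ROOT>" sasl
  9   4.392733 192.168.60.172 -> 192.168.60.171 LDAP bindResponse(2) success
 10   4.393095 192.168.60.171 -> 192.168.60.172 LDAP bindRequest(3) "<ROOT>" sasl
 11   4.394062 192.168.60.172 -> 192.168.60.171 LDAP bindResponse(3) invalidCredentials (00090313: LdapErr: DSID-0C0904D1, comment: AcceptSecurityContext error, data 0, v1771)
 12   4.394188 192.168.60.171 -> 192.168.60.172 LDAP unbindRequest(4)
"""

# One tshark summary line; TCP-level lines (the ACK in packet 7) do not match and are skipped.
LINE_RE = re.compile(r"^\s*(?P<pkt>\d+)\s+[\d.]+\s+\S+ -> \S+\s+LDAP\s+"
                     r"(?P<op>bindRequest|bindResponse|unbindRequest)\((?P<msgid>\d+)\)\s*(?P<rest>.*)$")

Event = Tuple[int, str, int, str]   # (packet no., operation, messageID, text after the messageID)

def parse_trace(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m["pkt"]), m["op"], int(m["msgid"]), m["rest"].strip()))
    return events

def analyze_binds(events: List[Event]) -> Dict:
    """Group multi-step SASL binds into exchanges and flag what the thread asks about.

    Each exchange is {"msgids": [...one per SASL step...], "outcome": final resultCode}.
    """
    exchanges: List[Dict] = []
    findings: List[str] = []
    unbinds = 0
    current: Optional[Dict] = None   # exchange still waiting for a final result
    bound = False                    # a successful bind is in effect on the connection
    for pkt, op, msgid, rest in events:
        if op == "bindRequest":
            if current is None:      # first step of a new exchange
                current = {"msgids": [], "outcome": None}
                exchanges.append(current)
                if bound:
                    # RFC 4511 allows a new Bind on a bound connection (it replaces the old
                    # association), but the thread expected an unbind first; report the gap.
                    findings.append(f"pkt {pkt}: bindRequest({msgid}) sent while already bound "
                                    "and no unbindRequest seen")
            current["msgids"].append(msgid)
        elif op == "bindResponse":
            if current is None or msgid != current["msgids"][-1]:
                findings.append(f"pkt {pkt}: bindResponse({msgid}) without a matching request")
                continue
            result = rest.split()[0] if rest else "unknown"
            if result == "saslBindInProgress":
                continue             # server challenge; the next step uses a new messageID
            current["outcome"] = result
            bound = result == "success"   # a failed bind leaves the connection anonymous
            if result != "success":
                findings.append(f"pkt {pkt}: bind exchange {current['msgids']} failed at step "
                                f"{len(current['msgids'])}: {result}")
            current = None
        elif op == "unbindRequest":
            unbinds += 1
            bound = False
            current = None
    return {"exchanges": exchanges, "unbinds": unbinds, "findings": findings}

if __name__ == "__main__":
    print("\n".join(analyze_binds(parse_trace(TRACE))["findings"]))
```

On the quoted trace it reports exactly the two points raised: the second exchange (messageID 3) starts while the connection is still bound from messageID 2, and that exchange fails at its first step with invalidCredentials.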


* Re: auto.master in ldap + simple bind
@ 2009-01-21 13:03           ` Ian Kent
From: Ian Kent @ 2009-01-21 13:03 UTC (permalink / raw)
  To: Ondrej Valousek; +Cc: autofs@linux.kernel.org

On Wed, 2009-01-21 at 10:36 +0100, Ondrej Valousek wrote:
> There is something rotten in lookup_ldap.c but I cannot put my
> finger on it.
> Things go bad in the lookup_init() function:
>   5   4.389459 192.168.60.171 -> 192.168.60.172 LDAP bindRequest(1)
> "<ROOT>" sasl
>   6   4.390383 192.168.60.172 -> 192.168.60.171 LDAP bindResponse(1)
> saslBindInProgress
>   7   4.390396 192.168.60.171 -> 192.168.60.172 TCP 39957 > ldap [ACK]
> Seq=27 Ack=218 Win=6912 Len=0 TSV=17330479 TSER=592592279
>   8   4.390846 192.168.60.171 -> 192.168.60.172 LDAP bindRequest(2)
> "<ROOT>" sasl
>   9   4.392733 192.168.60.172 -> 192.168.60.171 LDAP bindResponse(2) success
>  10   4.393095 192.168.60.171 -> 192.168.60.172 LDAP bindRequest(3)
> "<ROOT>" sasl
>  11   4.394062 192.168.60.172 -> 192.168.60.171 LDAP bindResponse(3)
> invalidCredentials (00090313: LdapErr: DSID-0C0904D1, comment:
> AcceptSecurityContext error, data 0, v1771)
>  12   4.394188 192.168.60.171 -> 192.168.60.172 LDAP unbindRequest(4)
> 
> Packets 8,9 - we connect to the server to verify the authentication
> mechanism, but then we should drop the connection - line 1286 - call to
> ldap_unbind_connection(). But this never happens according to the
> tcpdump. Instead, another bind follows and fails. The question is now:
> 1. Why is there no unbindRequest packet? In general, I see 3 bind
> requests but only one unbindRequest....
> 2. Why does the second bindRequest fail when the first one succeeds?
> 
> I do not want to be too picky, but Windows Server 2008 is the first
> server OS from MS to support the RFC2307 LDAP schema so I believe we should
> be able to connect to it. I have opened a case #1887566 with Red Hat
> regarding this....

Have you tried GSSAPI? Doesn't Windows require Kerberos auth by default?
Are you sure that the Windows server is allowing simple binds (that was
what you wanted, right)?

Ian


* Re: auto.master in ldap + simple bind
@ 2009-01-21 13:11             ` Ondrej Valousek
From: Ondrej Valousek @ 2009-01-21 13:11 UTC (permalink / raw)
  To: Ian Kent; +Cc: autofs@linux.kernel.org

Ian,
To recap:
Win2k8 comes with RFC2307 compliance so I wanted to try to connect
autofs (all maps) to it.
I did not want to play with GSSAPI - it is too complicated. But neither
did I want a simple anonymous bind - too insecure. So I see Win2k8 supports
SASL/DIGEST-MD5, verified with ldapsearch that it works, and I also see
autofs5 supports it - so I wanted to use it.
Unfortunately it is broken at the autofs side (see my previous post).
Ondrej

> Have you tried GSSAPI? Doesn't Windows require Kerberos auth by default?
> Are you sure that the Windows server is allowing simple binds (that was
> what you wanted, right)?
>
> Ian
>
>
>   


* Re: auto.master in ldap + simple bind
@ 2009-01-21 13:22               ` Ian Kent
From: Ian Kent @ 2009-01-21 13:22 UTC (permalink / raw)
  To: Ondrej Valousek; +Cc: autofs@linux.kernel.org

On Wed, 2009-01-21 at 14:11 +0100, Ondrej Valousek wrote:
> Ian,
> To recap:
> Win2k8 comes with RFC2307 compliance so I wanted to try to connect
> autofs (all maps) to it.
> I did not want to play with GSSAPI - it is too complicated. But neither
> did I want a simple anonymous bind - too insecure. So I see Win2k8 supports
> SASL/DIGEST-MD5, verified with ldapsearch that it works, and I also see
> autofs5 supports it - so I wanted to use it.
> Unfortunately it is broken at the autofs side (see my previous post).

What is the actual SASL user dn?
Does your ldapsearch work without the -b option?

> Ondrej
> 
> > Have you tried GSSAPI? Doesn't Windows require Kerberos auth by default?
> > Are you sure that the Windows server is allowing simple binds (that was
> > what you wanted, right)?
> >
> > Ian
> >
> >
> >   
> 


* Re: auto.master in ldap + simple bind
@ 2009-01-21 13:29                 ` Ondrej Valousek
From: Ondrej Valousek @ 2009-01-21 13:29 UTC (permalink / raw)
  To: Ian Kent; +Cc: autofs@linux.kernel.org

>
> What is the actual SASL user dn?
> Does your ldapsearch work without the -b option?
>
>   

With SASL, we do not talk about user DN, we talk about authentication ID
for SASL bind instead.
This is an example of ldapsearch that works for me against Win2k8:
ldapsearch -H ldap://192.168.60.172 -Y DIGEST-MD5 -U "ldapproxy" -w
1234proxy$ -b "cn=praguetest,cn=prague,dc=ad,dc=s3group,dc=cz"
objectClass=* cn objectClass nisMapName nisMapEntry


* Re: auto.master in ldap + simple bind
@ 2009-01-21 13:49                   ` Ian Kent
From: Ian Kent @ 2009-01-21 13:49 UTC (permalink / raw)
  To: Ondrej Valousek; +Cc: autofs@linux.kernel.org

On Wed, 2009-01-21 at 14:29 +0100, Ondrej Valousek wrote:
> >
> > What is the actual SASL user dn?
> > Does your ldapsearch work without the -b option?
> >
> >   
> 
> With SASL, we do not talk about user DN, we talk about authentication ID
> for SASL bind instead.
> This is an example of ldapsearch that works for me against Win2k8:
> ldapsearch -H ldap://192.168.60.172 -Y DIGEST-MD5 -U "ldapproxy" -w
> 1234proxy$ -b "cn=praguetest,cn=prague,dc=ad,dc=s3group,dc=cz"
> objectClass=* cn objectClass nisMapName nisMapEntry

I know, but what happens to the authentication attempt if you do not
specify the -b option?


* Re: auto.master in ldap + simple bind
@ 2009-01-21 13:52                     ` Ondrej Valousek
From: Ondrej Valousek @ 2009-01-21 13:52 UTC (permalink / raw)
  To: Ian Kent; +Cc: autofs@linux.kernel.org

I do not know what you are after. The -b option is of no significance to
the authentication process. Anyway - it works without it, too (just tried).
Ondrej
> I know, but what happens to the authentication attempt if you do not
> specify the -b option?
>
>   


* Re: auto.master in ldap + simple bind
@ 2009-01-21 15:51                       ` Ian Kent
From: Ian Kent @ 2009-01-21 15:51 UTC (permalink / raw)
  To: Ondrej Valousek; +Cc: autofs@linux.kernel.org

On Wed, 2009-01-21 at 14:52 +0100, Ondrej Valousek wrote:
> I do not know what you are after. The -b option is of no significance to
> the authentication process. Anyway - it works without it, too (just tried).

OK, I'll set up SASL and see what happens, but I don't really know what is
needed for it to be like an AD connection. But maybe I've broken the
auth in some way over time.

> Ondrej
> > I know, but what happens to the authentication attempt if you do not
> > specify the -b option?
> >
> >   
> 
