Hello Everyone,
The latest git ldap proxy in a multi-domain environment can’t authenticate more than one domain.
The setup is Zimbra LDAP, and Zimbra is configured as external LDAP to use ldap-proxy. That setup works for one domain, but not the other.
The second domain is mapped exactly as the first one.
Setup is CentOS, privacyIDEA 3.3.1 latest.
LDAP Proxy log, which shows one domain working and another failing:
May 4 08:53:41 caprv00 twistd: 2020-05-04T08:53:41-0400 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f17deede4d0>
May 4 08:53:41 caprv00 twistd: 2020-05-04T08:53:41-0400 [pi_ldapproxy.proxy#info] BindRequest for 'uid=volga629,ou=people,dc=skillsearch,dc=ca' received ...
May 4 08:53:41 caprv00 twistd: 2020-05-04T08:53:41-0400 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f17dc9aa830>
May 4 08:53:41 caprv00 twistd: 2020-05-04T08:53:41-0400 [pi_ldapproxy.proxy#critical] Could not bind
May 4 08:53:41 caprv00 twistd: Traceback (most recent call last):
May 4 08:53:41 caprv00 twistd: File "/opt/privacyidea/lib/python2.7/site-packages/twisted/internet/defer.py", line 498, in errback
May 4 08:53:41 caprv00 twistd: self._startRunCallbacks(fail)
May 4 08:53:41 caprv00 twistd: File "/opt/privacyidea/lib/python2.7/site-packages/twisted/internet/defer.py", line 565, in _startRunCallbacks
May 4 08:53:41 caprv00 twistd: self._runCallbacks()
May 4 08:53:41 caprv00 twistd: File "/opt/privacyidea/lib/python2.7/site-packages/twisted/internet/defer.py", line 651, in _runCallbacks
May 4 08:53:41 caprv00 twistd: current.result = callback(current.result, *args, **kw)
May 4 08:53:41 caprv00 twistd: File "/opt/privacyidea/lib/python2.7/site-packages/twisted/internet/defer.py", line 1355, in gotResult
May 4 08:53:41 caprv00 twistd: _inlineCallbacks(r, g, deferred)
May 4 08:53:41 caprv00 twistd: --- <exception caught here> ---
May 4 08:53:41 caprv00 twistd: File "/opt/privacyidea/lib/python2.7/site-packages/twisted/internet/defer.py", line 1297, in _inlineCallbacks
May 4 08:53:41 caprv00 twistd: result = result.throwExceptionIntoGenerator(g)
May 4 08:53:41 caprv00 twistd: File "/opt/privacyidea/lib/python2.7/site-packages/twisted/python/failure.py", line 389, in throwExceptionIntoGenerator
May 4 08:53:41 caprv00 twistd: return g.throw(self.type, self.value, self.tb)
May 4 08:53:41 caprv00 twistd: File "/opt/privacyidea/lib/python2.7/site-packages/pi_ldapproxy/proxy.py", line 101, in authenticate_bind_request
May 4 08:53:41 caprv00 twistd: user = yield self.factory.resolve_user(request.dn)
May 4 08:53:41 caprv00 twistd: File "/opt/privacyidea/lib/python2.7/site-packages/twisted/internet/defer.py", line 1299, in _inlineCallbacks
May 4 08:53:41 caprv00 twistd: result = g.send(result)
May 4 08:53:41 caprv00 twistd: File "/opt/privacyidea/lib/python2.7/site-packages/pi_ldapproxy/usermapping.py", line 86, in resolve
May 4 08:53:41 caprv00 twistd: assert len(login_name_set) == 1
May 4 08:53:41 caprv00 twistd: exceptions.AssertionError:
May 4 08:53:41 caprv00 twistd: 2020-05-04T08:53:41-0400 [pi_ldapproxy.proxy#info] Sending BindResponse "invalid credentials": LDAP Proxy failed.
May 4 08:53:41 caprv00 twistd: 2020-05-04T08:53:41-0400 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f17dc9aa830>
May 4 08:53:41 caprv00 twistd: 2020-05-04T08:53:41-0400 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f17deede4d0>
May 4 08:53:48 caprv00 twistd: 2020-05-04T08:53:48-0400 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f17dc9d2950>
May 4 08:53:48 caprv00 twistd: 2020-05-04T08:53:48-0400 [pi_ldapproxy.proxy#info] BindRequest for 'uid=slavab,ou=people,dc=networklab,dc=ca' received ...
May 4 08:53:48 caprv00 twistd: 2020-05-04T08:53:48-0400 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f17dc9da290>
May 4 08:53:48 caprv00 twistd: 2020-05-04T08:53:48-0400 [pi_ldapproxy.proxy#info] Resolved 'uid=slavab,ou=people,dc=networklab,dc=ca' to 'slavab@networklab.ca'@'' ('')
May 4 08:53:48 caprv00 twistd: 2020-05-04T08:53:48-0400 [twisted.web.client._HTTP11ClientFactory#info] Starting factory <twisted.web.client._HTTP11ClientFactory instance at 0x7f17dc9a47a0>
May 4 08:53:48 caprv00 twistd: 2020-05-04T08:53:48-0400 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f17dc9da290>
May 4 08:53:48 caprv00 twistd: 2020-05-04T08:53:48-0400 [pi_ldapproxy.proxy#info] Successful authentication, authenticating as service user ...
May 4 08:53:48 caprv00 twistd: 2020-05-04T08:53:48-0400 [pi_ldapproxy.proxy#info] Binding service account ...
May 4 08:53:48 caprv00 twistd: 2020-05-04T08:53:48-0400 [twisted.web.client._HTTP11ClientFactory#info] Stopping factory <twisted.web.client._HTTP11ClientFactory instance at 0x7f17dc9a47a0>
May 4 08:53:48 caprv00 twistd: 2020-05-04T08:53:48-0400 [pi_ldapproxy.proxy#info] Sending BindResponse "success"
May 4 08:53:48 caprv00 twistd: 2020-05-04T08:53:48-0400 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x7f17dc9d2950>
^C
Thank you for any advice.