LDAP Proxy + privacyidea


#1

Hi,

I want to authenticate LDAP users against OTP. I installed the LDAP proxy plug-in and configured it. When I authenticate users against the LDAP Proxy, I get the error "invalid credentials 49". I'm using the default realm and LDAP resolver to fetch the users. This is how I configured the LDAP Proxy:

[privacyidea]
instance = https://127.0.0.1
verify = False

[ldap-backend]
endpoint = tcp:host=172.29.4.130:port=389
use-tls = false
test-connection = true

[service-account]
dn = "cn=directory manager"
password = test123456

[ldap-proxy]
endpoint = tcp:port=389
passthrough-binds = "dc=com1,dc=nl"
bind-service-account = yes
allow-search = yes
allow-connection-reuse = yes
ignore-search-result-references = false
forward-anonymous-binds = true

[user-mapping]
strategy = lookup
attribute = uid

[realm-mapping]
strategy = static
realm = test

[bind-cache]
enabled = false
timeout = 3

[app-cache]
enabled = false


#2

Hi Mohammed,

the service account DN and the passthrough bind DN look weird to me – be sure to specify complete DNs there.

Can you provide the LDAP proxy logs? If you run the LDAP proxy via systemd, you can find them via journalctl -u privacyidea-ldap-proxy.service. Otherwise, they’re written to stdout.

Best Regards

Friedrich
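
As an added example (not part of this thread and not pi-ldapproxy code), the following Python script lints a proxy.ini like the one in the first post for the points raised so far: DNs that are not complete, certificate verification of the privacyIDEA instance switched off, and a plaintext LDAP backend on a non-loopback host. The posted INI is embedded as input (relevant sections only, values as posted); the "fixed" variant, the two-RDN heuristic for a complete DN, treating `passthrough-binds` as a single DN, and `verify` defaulting to enabled are all assumptions of this example, not behaviour documented by the project.

```python
import configparser
import re
from typing import List

# proxy.ini from the first post (relevant sections only, values exactly as posted).
POSTED_INI = """\
[privacyidea]
instance = https://127.0.0.1
verify = False

[ldap-backend]
endpoint = tcp:host=172.29.4.130:port=389
use-tls = false

[service-account]
dn = "cn=directory manager"
password = test123456

[ldap-proxy]
endpoint = tcp:port=389
passthrough-binds = "dc=com1,dc=nl"
"""

# Constructed variant with the findings addressed; the DNs here are assumptions, not the poster's real entries.
FIXED_INI = """\
[privacyidea]
instance = https://127.0.0.1
verify = true

[ldap-backend]
endpoint = tcp:host=172.29.4.130:port=389
use-tls = true

[service-account]
dn = cn=directory manager,dc=com1,dc=nl
password = test123456

[ldap-proxy]
endpoint = tcp:port=389
passthrough-binds = uid=ldap-monitor,ou=People,dc=com1,dc=nl
"""

RDN_RE = re.compile(r"^([A-Za-z][\w.-]*)=(.+)$")   # attr=value
FALSE_VALUES = {"false", "no", "0", "off"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def split_dn(dn: str) -> List[str]:
    """Split a DN on commas, honouring RFC 4514 backslash escapes."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def dn_findings(label: str, raw: str) -> List[str]:
    """Heuristic check that a configured DN is complete: attr=value RDNs, at least two of them, not a bare base."""
    dn = raw.strip().strip("\"'")          # the poster wrapped values in quotes; strip them
    rdns = split_dn(dn)
    findings = [f"{label}: {r!r} is not of the form attr=value" for r in rdns if not RDN_RE.match(r)]
    if len(rdns) < 2:
        findings.append(f"{label}: {dn!r} has fewer than two RDNs; a complete DN includes the base (e.g. ...,dc=com1,dc=nl)")
    else:
        first = RDN_RE.match(rdns[0])
        if first and first.group(1).lower() == "dc":
            findings.append(f"{label}: {dn!r} starts with a domain component, so it names a base, not a bind entry")
    return findings


def backend_host(endpoint: str) -> str:
    """Extract host=... from a tcp:host=...:port=... endpoint description (empty if absent)."""
    for part in endpoint.split(":"):
        if part.startswith("host="):
            return part[len("host="):]
    return ""


def lint(ini_text: str) -> List[str]:
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    findings: List[str] = []
    findings += dn_findings("service-account.dn", cp.get("service-account", "dn", fallback=""))
    findings += dn_findings("ldap-proxy.passthrough-binds", cp.get("ldap-proxy", "passthrough-binds", fallback=""))
    if cp.get("privacyidea", "verify", fallback="true").strip().lower() in FALSE_VALUES:
        findings.append("privacyidea.verify: certificate verification of the privacyIDEA instance is disabled; "
                        "trust the CA that issued its certificate instead of switching verification off")
    host = backend_host(cp.get("ldap-backend", "endpoint", fallback=""))
    if cp.get("ldap-backend", "use-tls", fallback="false").strip().lower() in FALSE_VALUES and host and host not in LOOPBACK:
        findings.append(f"ldap-backend: use-tls is off and {host} is not loopback; the service-account and user "
                        f"passwords cross the network in clear text")
    return findings


if __name__ == "__main__":
    for line in lint(POSTED_INI):
        print("-", line)
```

Run against the posted file it reports four findings (both DNs, `verify`, and the plaintext backend); against the constructed fixed variant it reports none.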


#3

Hi fredreichbier,

I changed the passthrough bind DN, but I'm still getting the same error. See the logs below:

Nov 02 21:24:09 privacyidea.local systemd[1]: Starting privacyIDEA LDAP proxy…
Nov 02 21:24:10 privacyidea.local twistd[22215]: 2017-11-02T21:24:10+0100 [pi_ldapproxy.proxy#info] privacyIDEA HTTPS certificate will be checked against system certificate store
Nov 02 21:24:10 privacyidea.local twistd[22215]: 2017-11-02T21:24:10+0100 [pi_ldapproxy.proxy#info] Passthrough DNs: ['cn=directory manager']
Nov 02 21:24:10 privacyidea.local twistd[22215]: 2017-11-02T21:24:10+0100 [pi_ldapproxy.proxy#info] Using user mapping strategy: <class 'pi_ldapproxy.usermapping.LookupMappingStrategy'>
Nov 02 21:24:10 privacyidea.local twistd[22215]: 2017-11-02T21:24:10+0100 [pi_ldapproxy.proxy#info] Using realm mapping strategy: <class 'pi_ldapproxy.realmmapping.StaticMappingStrategy'>
Nov 02 21:24:10 privacyidea.local twistd[22215]: 2017-11-02T21:24:10+0100 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x3b73f80>
Nov 02 21:24:10 privacyidea.local twistd[22215]: 2017-11-02T21:24:10+0100 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 16.6.0 (/root/venv/bin/python 2.7.5) starting up.
Nov 02 21:24:10 privacyidea.local twistd[22215]: 2017-11-02T21:24:10+0100 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
Nov 02 21:24:10 privacyidea.local twistd[22215]: 2017-11-02T21:24:10+0100 [-] ProxyServerFactory starting on 389
Nov 02 21:24:10 privacyidea.local twistd[22215]: 2017-11-02T21:24:10+0100 [pi_ldapproxy.proxy.ProxyServerFactory#info] Starting factory <pi_ldapproxy.proxy.ProxyServerFactory instance at 0x3b73d88>
Nov 02 21:24:10 privacyidea.local twistd[22215]: 2017-11-02T21:24:10+0100 [pi_ldapproxy.proxy#info] Successfully tested the connection to the LDAP backend using the service account
Nov 02 21:24:10 privacyidea.local twistd[22215]: 2017-11-02T21:24:10+0100 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x3b73f80>
Nov 02 21:24:20 privacyidea.local twistd[22215]: 2017-11-02T21:24:20+0100 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x3b74830>
Nov 02 21:24:20 privacyidea.local twistd[22215]: 2017-11-02T21:24:20+0100 [pi_ldapproxy.proxy#info] BindRequest for 'cn=directory manager', passing through ...
Nov 02 21:24:20 privacyidea.local twistd[22215]: 2017-11-02T21:24:20+0100 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x3b74830>
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x3b74bd8>
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x3b74fc8>
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [pi_ldapproxy.proxy#info] BindRequest for 'uid=mohammed.abdirahman,ou=People,dc=com1,dc=nl' received ...
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x3cd6560>
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [pi_ldapproxy.proxy#info] BindRequest for 'cn=directory manager', passing through ...
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [pi_ldapproxy.proxy#info] Resolved 'uid=mohammed.abdirahman,ou=People,dc=com1,dc=nl' to 'mohammed.abdirahman'@'' ('')
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [twisted.web.client._HTTP11ClientFactory#info] Starting factory <twisted.web.client._HTTP11ClientFactory instance at 0x3cd9950>
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x3cd6560>
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [pi_ldapproxy.proxy#critical] Could not bind
Nov 02 21:24:21 privacyidea.local twistd[22215]: Traceback (most recent call last):
Nov 02 21:24:21 privacyidea.local twistd[22215]: Failure: twisted.web._newclient.RequestTransmissionFailed: [<twisted.python.failure.Failure OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]>]
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [pi_ldapproxy.proxy#info] Sending BindResponse "invalid credentials": LDAP Proxy failed.
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [HTTP11ClientProtocol (TLSMemoryBIOProtocol),client] Unexpected exception from twisted.web.client.FileBodyProducer.stopProducing
Nov 02 21:24:21 privacyidea.local twistd[22215]: Traceback (most recent call last):
Nov 02 21:24:21 privacyidea.local twistd[22215]:   File "/root/venv/lib/python2.7/site-packages/twisted/internet/endpoints.py", line 130, in connectionLost
Nov 02 21:24:21 privacyidea.local twistd[22215]:     return self._wrappedProtocol.connectionLost(reason)
Nov 02 21:24:21 privacyidea.local twistd[22215]:   File "/root/venv/lib/python2.7/site-packages/twisted/web/_newclient.py", line 929, in dispatcher
Nov 02 21:24:21 privacyidea.local twistd[22215]:     return func(*args, **kwargs)
Nov 02 21:24:21 privacyidea.local twistd[22215]:   File "/root/venv/lib/python2.7/site-packages/twisted/web/_newclient.py", line 1599, in _connectionLost_TRANSMITTING
Nov 02 21:24:21 privacyidea.local twistd[22215]:     self._currentRequest.stopWriting()
Nov 02 21:24:21 privacyidea.local twistd[22215]:   File "/root/venv/lib/python2.7/site-packages/twisted/web/_newclient.py", line 830, in stopWriting
Nov 02 21:24:21 privacyidea.local twistd[22215]:     _callAppFunction(self.bodyProducer.stopProducing)
Nov 02 21:24:21 privacyidea.local twistd[22215]: --- ---
Nov 02 21:24:21 privacyidea.local twistd[22215]:   File "/root/venv/lib/python2.7/site-packages/twisted/web/_newclient.py", line 194, in _callAppFunction
Nov 02 21:24:21 privacyidea.local twistd[22215]:     function()
Nov 02 21:24:21 privacyidea.local twistd[22215]:   File "/root/venv/lib/python2.7/site-packages/twisted/web/client.py", line 1041, in stopProducing
Nov 02 21:24:21 privacyidea.local twistd[22215]:     self._task.stop()
Nov 02 21:24:21 privacyidea.local twistd[22215]:   File "/root/venv/lib/python2.7/site-packages/twisted/internet/task.py", line 497, in stop
Nov 02 21:24:21 privacyidea.local twistd[22215]:     self._checkFinish()
Nov 02 21:24:21 privacyidea.local twistd[22215]:   File "/root/venv/lib/python2.7/site-packages/twisted/internet/task.py", line 507, in _checkFinish
Nov 02 21:24:21 privacyidea.local twistd[22215]:     raise self._completionState
Nov 02 21:24:21 privacyidea.local twistd[22215]: twisted.internet.task.TaskStopped:
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [twisted.web.client._HTTP11ClientFactory#info] Stopping factory <twisted.web.client._HTTP11ClientFactory instance at 0x3cd9950>
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x3b74fc8>
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x3b74bd8>
Nov 02 21:26:01 privacyidea.local systemd[1]: Stopping privacyIDEA LDAP proxy…
Nov 02 21:26:01 privacyidea.local twistd[22215]: 2017-11-02T21:26:01+0100 [-] Received SIGTERM, shutting down.
Nov 02 21:26:01 privacyidea.local twistd[22215]: 2017-11-02T21:26:01+0100 [-] (TCP Port 389 Closed)
Nov 02 21:26:01 privacyidea.local twistd[22215]: 2017-11-02T21:26:01+0100 [pi_ldapproxy.proxy.ProxyServerFactory#info] Stopping factory <pi_ldapproxy.proxy.ProxyServerFactory instance at 0x3b73d88>
Nov 02 21:26:01 privacyidea.local twistd[22215]: 2017-11-02T21:26:01+0100 [-] Main loop terminated.
Nov 02 21:26:01 privacyidea.local twistd[22215]: 2017-11-02T21:26:01+0100 [twisted.scripts._twistd_unix.UnixAppLogger#info] Server Shut Down.
Nov 02 21:26:01 privacyidea.local systemd[1]: Started privacyIDEA LDAP proxy.
Nov 02 21:26:01 privacyidea.local systemd[1]: Starting privacyIDEA LDAP proxy…
Nov 02 21:26:02 privacyidea.local twistd[22331]: 2017-11-02T21:26:02+0100 [pi_ldapproxy.proxy#info] privacyIDEA HTTPS certificate will be checked against system certificate store
Nov 02 21:26:02 privacyidea.local twistd[22331]: 2017-11-02T21:26:02+0100 [pi_ldapproxy.proxy#info] Passthrough DNs: ['cn=directory manager']
Nov 02 21:26:02 privacyidea.local twistd[22331]: 2017-11-02T21:26:02+0100 [pi_ldapproxy.proxy#info] Using user mapping strategy: <class 'pi_ldapproxy.usermapping.LookupMappingStrategy'>
Nov 02 21:26:02 privacyidea.local twistd[22331]: 2017-11-02T21:26:02+0100 [pi_ldapproxy.proxy#info] Using realm mapping strategy: <class 'pi_ldapproxy.realmmapping.StaticMappingStrategy'>
Nov 02 21:26:02 privacyidea.local twistd[22331]: 2017-11-02T21:26:02+0100 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 16.6.0 (/root/venv/bin/python 2.7.5) starting up.
Nov 02 21:26:02 privacyidea.local twistd[22331]: 2017-11-02T21:26:02+0100 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
Nov 02 21:26:02 privacyidea.local twistd[22331]: 2017-11-02T21:26:02+0100 [-] ProxyServerFactory starting on 389
Nov 02 21:26:02 privacyidea.local twistd[22331]: 2017-11-02T21:26:02+0100 [pi_ldapproxy.proxy.ProxyServerFactory#info] Starting factory <pi_ldapproxy.proxy.ProxyServerFactory instance at 0x36d6d88>
Nov 02 21:26:23 privacyidea.local twistd[22331]: 2017-11-02T21:26:23+0100 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x36d7518>
Nov 02 21:26:23 privacyidea.local twistd[22331]: 2017-11-02T21:26:23+0100 [pi_ldapproxy.proxy#info] BindRequest for 'cn=directory manager', passing through ...
Nov 02 21:26:23 privacyidea.local twistd[22331]: 2017-11-02T21:26:23+0100 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x36d7518>
Nov 02 21:26:24 privacyidea.local twistd[22331]: 2017-11-02T21:26:24+0100 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x36d7a28>
Nov 02 21:26:24 privacyidea.local twistd[22331]: 2017-11-02T21:26:24+0100 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x36d7e18>
Nov 02 21:26:24 privacyidea.local twistd[22331]: 2017-11-02T21:26:24+0100 [pi_ldapproxy.proxy#info] BindRequest for 'uid=mohammed.abdirahman,ou=People,dc=com1,dc=nl' received ...
Nov 02 21:26:24 privacyidea.local twistd[22331]: 2017-11-02T21:26:24+0100 [twisted.internet.endpoints.OneShotFactory#info] Starting factory <twisted.internet.endpoints.OneShotFactory instance at 0x387b3b0>
Nov 02 21:26:24 privacyidea.local twistd[22331]: 2017-11-02T21:26:24+0100 [pi_ldapproxy.proxy#info] BindRequest for 'cn=directory manager', passing through ...
Nov 02 21:26:24 privacyidea.local twistd[22331]: 2017-11-02T21:26:24+0100 [pi_ldapproxy.proxy#info] Resolved 'uid=mohammed.abdirahman,ou=People,dc=com1,dc=nl' to 'mohammed.abdirahman'@'' ('')
Nov 02 21:26:24 privacyidea.local twistd[22331]: 2017-11-02T21:26:24+0100 [twisted.web.client._HTTP11ClientFactory#info] Starting factory <twisted.web.client._HTTP11ClientFactory instance at 0x387f758>
Nov 02 21:26:24 privacyidea.local twistd[22331]: 2017-11-02T21:26:24+0100 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x387b3b0>
Nov 02 21:26:24 privacyidea.local twistd[22331]: 2017-11-02T21:26:24+0100 [pi_ldapproxy.proxy#critical] Could not bind
Nov 02 21:26:24 privacyidea.local twistd[22331]: Traceback (most recent call last):
Nov 02 21:26:24 privacyidea.local twistd[22331]: Failure: twisted.web._newclient.RequestTransmissionFailed: [<twisted.python.failure.Failure OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]>]
Nov 02 21:26:24 privacyidea.local twistd[22331]: 2017-11-02T21:26:24+0100 [pi_ldapproxy.proxy#info] Sending BindResponse "invalid credentials": LDAP Proxy failed.
Nov 02 21:26:24 privacyidea.local twistd[22331]: 2017-11-02T21:26:24+0100 [HTTP11ClientProtocol (TLSMemoryBIOProtocol),client] Unexpected exception from twisted.web.client.FileBodyProducer.stopProducing
Nov 02 21:26:24 privacyidea.local twistd[22331]: Traceback (most recent call last):
Nov 02 21:26:24 privacyidea.local twistd[22331]:   File "/root/venv/lib/python2.7/site-packages/twisted/internet/endpoints.py", line 130, in connectionLost
Nov 02 21:26:24 privacyidea.local twistd[22331]:     return self._wrappedProtocol.connectionLost(reason)
Nov 02 21:26:24 privacyidea.local twistd[22331]:   File "/root/venv/lib/python2.7/site-packages/twisted/web/_newclient.py", line 929, in dispatcher
Nov 02 21:26:24 privacyidea.local twistd[22331]:     return func(*args, **kwargs)
Nov 02 21:26:24 privacyidea.local twistd[22331]:   File "/root/venv/lib/python2.7/site-packages/twisted/web/_newclient.py", line 1599, in _connectionLost_TRANSMITTING
Nov 02 21:26:24 privacyidea.local twistd[22331]:     self._currentRequest.stopWriting()
Nov 02 21:26:24 privacyidea.local twistd[22331]:   File "/root/venv/lib/python2.7/site-packages/twisted/web/_newclient.py", line 830, in stopWriting
Nov 02 21:26:24 privacyidea.local twistd[22331]:     _callAppFunction(self.bodyProducer.stopProducing)
Nov 02 21:26:24 privacyidea.local twistd[22331]: --- ---
Nov 02 21:26:24 privacyidea.local twistd[22331]:   File "/root/venv/lib/python2.7/site-packages/twisted/web/_newclient.py", line 194, in _callAppFunction
Nov 02 21:26:24 privacyidea.local twistd[22331]:     function()
Nov 02 21:26:24 privacyidea.local twistd[22331]:   File "/root/venv/lib/python2.7/site-packages/twisted/web/client.py", line 1041, in stopProducing
Nov 02 21:26:24 privacyidea.local twistd[22331]:     self._task.stop()
Nov 02 21:26:24 privacyidea.local twistd[22331]:   File "/root/venv/lib/python2.7/site-packages/twisted/internet/task.py", line 497, in stop
Nov 02 21:26:24 privacyidea.local twistd[22331]:     self._checkFinish()
Nov 02 21:26:24 privacyidea.local twistd[22331]:   File "/root/venv/lib/python2.7/site-packages/twisted/internet/task.py", line 507, in _checkFinish
Nov 02 21:26:24 privacyidea.local twistd[22331]:     raise self._completionState
Nov 02 21:26:24 privacyidea.local twistd[22331]: twisted.internet.task.TaskStopped:
Nov 02 21:26:24 privacyidea.local twistd[22331]: 2017-11-02T21:26:24+0100 [twisted.web.client._HTTP11ClientFactory#info] Stopping factory <twisted.web.client._HTTP11ClientFactory instance at 0x387f758>
Nov 02 21:26:24 privacyidea.local twistd[22331]: 2017-11-02T21:26:24+0100 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x36d7e18>
Nov 02 21:26:24 privacyidea.local twistd[22331]: 2017-11-02T21:26:24+0100 [twisted.internet.endpoints.OneShotFactory#info] Stopping factory <twisted.internet.endpoints.OneShotFactory instance at 0x36d7a28>
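
The log above shows the point that matters operationally: the client only ever sees "invalid credentials", while the real cause is the proxy failing to reach privacyIDEA (certificate verification). As an added example, not part of this thread or of pi-ldapproxy, here is a small Python triage script that reads journal lines of this shape and classifies each bind attempt, so that a burst of such rejections is recognised as a proxy-side outage rather than as users mistyping passwords. The first sample is copied from the log above (quotes normalised to ASCII); the second sample, a bind that privacyIDEA itself rejected, is constructed, and the wording of its last line is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Journal lines copied from the thread above (PID 22215 run), quotes normalised to ASCII.
TLS_FAILURE_LOG = """\
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [pi_ldapproxy.proxy#info] BindRequest for 'uid=mohammed.abdirahman,ou=People,dc=com1,dc=nl' received ...
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [pi_ldapproxy.proxy#info] BindRequest for 'cn=directory manager', passing through ...
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [pi_ldapproxy.proxy#info] Resolved 'uid=mohammed.abdirahman,ou=People,dc=com1,dc=nl' to 'mohammed.abdirahman'@'' ('')
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [pi_ldapproxy.proxy#critical] Could not bind
Nov 02 21:24:21 privacyidea.local twistd[22215]: Traceback (most recent call last):
Nov 02 21:24:21 privacyidea.local twistd[22215]: Failure: twisted.web._newclient.RequestTransmissionFailed: [<twisted.python.failure.Failure OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]>]
Nov 02 21:24:21 privacyidea.local twistd[22215]: 2017-11-02T21:24:21+0100 [pi_ldapproxy.proxy#info] Sending BindResponse "invalid credentials": LDAP Proxy failed.
"""

# Constructed sample (assumed wording): a bind that privacyIDEA rejected, with no proxy failure before the response.
REJECTED_LOG = """\
Nov 02 21:30:00 privacyidea.local twistd[22215]: 2017-11-02T21:30:00+0100 [pi_ldapproxy.proxy#info] BindRequest for 'uid=jane.doe,ou=People,dc=com1,dc=nl' received ...
Nov 02 21:30:00 privacyidea.local twistd[22215]: 2017-11-02T21:30:00+0100 [pi_ldapproxy.proxy#info] Resolved 'uid=jane.doe,ou=People,dc=com1,dc=nl' to 'jane.doe'@'test' ('test')
Nov 02 21:30:01 privacyidea.local twistd[22215]: 2017-11-02T21:30:01+0100 [pi_ldapproxy.proxy#info] Sending BindResponse "invalid credentials": privacyIDEA rejected the credentials.
"""

LINE_RE = re.compile(r"^\w{3} +\d{1,2} [\d:]{8} (\S+) twistd\[(\d+)\]: (.*)$")
BIND_RE = re.compile(r"BindRequest for '([^']*)' received")          # passthrough binds say "passing through"
RESOLVED_RE = re.compile(r"Resolved '[^']*' to '([^']*)'@'([^']*)'")
FAILURE_RE = re.compile(r"^Failure: (.*)$")
RESPONSE_RE = re.compile(r'Sending BindResponse "([^"]*)"')


@dataclass
class BindAttempt:
    pid: str
    dn: str
    user: Optional[str] = None
    realm: Optional[str] = None
    proxy_error: Optional[str] = None   # the Failure line after "Could not bind", if any
    response: Optional[str] = None

    @property
    def verdict(self) -> str:
        """Tell a proxy-side failure apart from a credential rejection; both end in 'invalid credentials'."""
        if self.proxy_error and "certificate verify failed" in self.proxy_error:
            return "PROXY_TLS_FAILURE"
        if self.proxy_error:
            return "PROXY_ERROR"
        if self.response is None:
            return "INCOMPLETE"
        if self.response == "invalid credentials":
            return "CREDENTIALS_REJECTED"
        return "OK"


def parse_journal(text: str) -> List[BindAttempt]:
    """Group journal lines into bind attempts, one open attempt per twistd PID."""
    attempts: List[BindAttempt] = []
    open_by_pid: Dict[str, BindAttempt] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group(2), m.group(3)
        mb = BIND_RE.search(msg)
        if mb:
            attempt = BindAttempt(pid=pid, dn=mb.group(1))
            attempts.append(attempt)
            open_by_pid[pid] = attempt
            continue
        attempt = open_by_pid.get(pid)
        if attempt is None:
            continue
        mr = RESOLVED_RE.search(msg)
        if mr:
            attempt.user, attempt.realm = mr.group(1), mr.group(2)
            continue
        mf = FAILURE_RE.match(msg)
        if mf:
            attempt.proxy_error = mf.group(1)
            continue
        ms = RESPONSE_RE.search(msg)
        if ms:
            attempt.response = ms.group(1)
            open_by_pid.pop(pid, None)      # response closes the attempt
    return attempts


def summarize(attempts: List[BindAttempt]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in attempts:
        counts[a.verdict] = counts.get(a.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for a in parse_journal(TLS_FAILURE_LOG + REJECTED_LOG):
        print(f"{a.verdict:22} {a.user!r}@{a.realm!r}  {a.dn}")
```

A "Could not bind" followed by a Failure line means the request never got an answer from privacyIDEA, so those attempts should feed an availability alert, not a failed-login counter; the `INCOMPLETE` verdict catches a bind that was received but never answered within the captured window.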


#4

Hi fredreichbier,

It was an SSL issue. I disabled Python SSL certificate verification. Thank you so much.


#5

Hi fredreichbier,

I have another question. Does this plugin also support LDAPS?


#6

Hi Mohammed,

nice to hear that you got it working!

Currently, the LDAP proxy is able to communicate with the LDAP backend via LDAPS (see the example proxy.ini for more details). However, the LDAP proxy itself cannot serve LDAPS yet. We track the progress in this issue, contributions are very welcome!

Best Regards

Friedrich


#7

Hi Friedrich,

I'm trying to get the LDAP proxy working over SSL, so as a test I made a Python file and added the SSL setting, but I get this error:

  File "/usr/lib64/python2.7/site-packages/twisted/internet/protocol.py", line 140, in buildProtocol
    p = self.protocol()
exceptions.TypeError: __init__() takes exactly 2 arguments (1 given)

This is the content of my Python file server.py:

import sys

from twisted.internet import ssl, protocol, task, defer
from twisted.python import log
from twisted.python.modules import getModule

import proxy

def main(reactor):
    log.startLogging(sys.stdout)
    # load the server certificate and key from server.pem next to this file
    certData = getModule(__name__).filePath.sibling('server.pem').getContent()
    certificate = ssl.PrivateCertificate.loadPEM(certData)
    factory = protocol.Factory.forProtocol(proxy.ProxyServerFactory)
    reactor.listenSSL(636, factory, certificate.options())
    return defer.Deferred()

if __name__ == '__main__':
    import server
    task.react(server.main)

I'm not a programmer; could you help me, please?


#8

Hi Mohammed,

unfortunately I haven't checked how Twisted servers can implement SSL yet. Just from a quick look at your snippet, I'd say that factory should probably be an instance of proxy.ProxyServerFactory. You can check how such an instance can be constructed in makeService in twisted/plugins/ldapproxy_plugin.py.

Best Regards

Friedrich


#9

Hi fredreichbier,

Thank you very much. I changed the endpoint setting to:

endpoint_string = serverFromString(reactor, b"ssl:636:privateKey=/root/ssl/server.key:certKey=/root/ssl/server.pem")

and now SSL is working, but the LDAP proxy is not using SSL/TLS to communicate with the backend LDAP server. Do you know if it's possible to also run TLS on the backend?

Or is it possible to send the authentication requests to the privacyIDEA server directly, because privacyIDEA uses LDAPS?


#10

Hi fredreichbier,

Sorry, StartTLS is working, but I forgot to disable this code in /venv/lib/python2.7/site-packages/pi_ldapproxy/proxy.py:

        #if self.use_tls:
            # TODO: This seems to get lost if we use log.info
            #print 'LDAP over TLS is currently unsupported. Exiting.'
            #sys.exit(1)

Thank you very much. Now I'm running SSL on the front-end and StartTLS on the back-end.
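
The front-end in the final setup is described by a Twisted server endpoint string of the form `ssl:636:privateKey=...:certKey=...` (post #9). As an added example, not part of this thread, of Twisted or of pi-ldapproxy, the Python below parses that string with a stand-alone re-implementation of the endpoint syntax (colon-separated fields, backslash escapes the next character) and then performs the check a practitioner would want before pointing a listener at `/root/ssl/server.key`: that the private key file exists, is non-empty and is not readable by group or others. The demo writes placeholder files into a temporary directory; the file contents are constructed and are not key material.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple


def split_endpoint(description: str) -> List[str]:
    """Split a Twisted-style endpoint description on colons; a backslash escapes the following character."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(description):
        ch = description[i]
        if ch == "\\" and i + 1 < len(description):
            buf.append(description[i + 1])
            i += 2
            continue
        if ch == ":":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_ssl_endpoint(description: str) -> Dict[str, str]:
    """Parse 'ssl:<port>:privateKey=<path>:certKey=<path>[:extra=...]' into a dict (re-implementation, not Twisted's parser)."""
    parts = split_endpoint(description)
    if len(parts) < 2 or parts[0] != "ssl":
        raise ValueError("expected an 'ssl:<port>:...' server endpoint")
    if not parts[1].isdigit():
        raise ValueError("port must be numeric")
    cfg = {"port": parts[1]}
    for kv in parts[2:]:
        key, sep, value = kv.partition("=")
        if not sep:
            raise ValueError(f"argument without '=': {kv!r}")
        cfg[key] = value
    for required in ("privateKey", "certKey"):
        if required not in cfg:
            raise ValueError(f"missing {required}=")
    return cfg


def audit_private_key(path: str) -> List[str]:
    """Return findings about the key file: missing, empty, or exposed to group/others."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: private key file does not exist"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: private key accessible to group/others (mode {mode:04o}); use 0600")
    if st.st_size == 0:
        findings.append(f"{path}: private key file is empty")
    return findings


def check_endpoint(description: str) -> Tuple[Dict[str, str], List[str]]:
    cfg = parse_ssl_endpoint(description)
    return cfg, audit_private_key(cfg["privateKey"])


def demo() -> Tuple[List[str], List[str]]:
    """Check a constructed endpoint in a temp dir with a world-readable key, then again after chmod 0600."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "server.key")
        cert = os.path.join(d, "server.pem")
        for p in (key, cert):
            with open(p, "w") as fh:
                fh.write("placeholder, not real key material\n")   # constructed content
        desc = f"ssl:636:privateKey={key}:certKey={cert}"
        os.chmod(key, 0o644)
        _, before = check_endpoint(desc)
        os.chmod(key, 0o600)
        _, after = check_endpoint(desc)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "no findings")
    print("after: ", after or "no findings")
```

The same audit applies to the backend side once StartTLS is on: the service account password sits in proxy.ini in clear text, so that file deserves the same 0600 treatment as the key.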