'ldap_bind: Operations error (1)' with ldapd-5.6

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

'ldap_bind: Operations error (1)' with ldapd-5.6

Olivier Mehani-5
Hi all,

I'm currently doing a long overdue upgrade from 5.5 to 5.7, but I hit
what appears to be a regression in ldapd-5.6. Namely, a functional
ldapsearch with ldapd-5.5 fails with -5.6. Where this is more
problematic is that all other authentication attempts similarly fail
with 'Operations error (1)'. The root user, however, has no issue
binding, reading or writing the directory.

I have the following configuration file:

        #       $OpenBSD: ldapd.conf,v 1.2 2010/06/29 02:50:22 martinh Exp $

        schema "/etc/ldap/core.schema"
        schema "/etc/ldap/inetorgperson.schema"
        schema "/etc/ldap/nis.schema"

        listen on lo0 secure
        listen on sis0 ldaps
        listen on "/var/run/ldapi"

        namespace "dc=example,dc=net" {
               rootdn          "cn=operator,dc=example,dc=net"
               rootpw          "{BSDAUTH}operator"
               index           cn
               index           uid
               index           mail
               # deny access to any by any
               # allow bind access to "cn=lookup,dc=example,dc=net" by any
               # allow read access to any by "cn=lookup,dc=example,dc=net"
               # #allow read access to children of "ou=people,dc=example,dc=net" by "cn=lookup,dc=example,dc=net"
               # allow bind access to children of "ou=people,dc=example,dc=net" by any
               # allow read access to any by self
        }

With ldapd-5.5, running the following command and providing the user's password
returns the LDIF record for this user as expected.

        ldapsearch -x -W -D uid=user,ou=people,dc=example,dc=net uid=user

Meanwhile, the ldapd-5.5 reports the following at -dv

        Jul 14 12:59:17.570 [22255] accepted connection from 127.0.0.1 on fd 17
        Jul 14 12:59:17.572 [22255] consumed 66 bytes
        Jul 14 12:59:17.572 [22255] got request type 0, id 1
        Jul 14 12:59:17.572 [22255] bind dn = uid=user,ou=people,dc=example,dc=net
        Jul 14 12:59:17.572 [22255] requesting 10 access to uid=user,ou=people,dc=example,dc=net by any, in namespace dc=example,dc=net
        Jul 14 12:59:17.573 [22255] successfully authenticated as uid=user,ou=people,dc=example,dc=net
        Jul 14 12:59:17.573 [22255] sending response 1 with result 0
        Jul 14 12:59:17.574 [22255] consumed 63 bytes
        Jul 14 12:59:17.574 [22255] got request type 3, id 2
        Jul 14 12:59:17.574 [22255] base dn = dc=example,dc=net, scope = 2
        Jul 14 12:59:17.574 [22255] requesting 01 access to dc=example,dc=net by uid=user,ou=people,dc=example,dc=net, in namespace dc=example,dc=net
        Jul 14 12:59:17.575 [22255] init index scan on [uid=user,]
        Jul 14 12:59:17.575 [22255] found index uid=user,uid=user,ou=people,
        Jul 14 12:59:17.575 [22255] lookup indexed key [uid=user,ou=people,dc=example,dc=net]
        Jul 14 12:59:17.575 [22255] found dn uid=user,ou=people,dc=example,dc=net
        Jul 14 12:59:17.575 [22255] requesting 01 access to uid=user,ou=people,dc=example,dc=net by uid=user,ou=people,dc=example,dc=net, in namespace dc=example,dc=net
        Jul 14 12:59:17.576 [22255] found index uid=thom,uid=thom,ou=people,
        Jul 14 12:59:17.576 [22255] scanned past index prefix [uid=user,]
        Jul 14 12:59:17.576 [22255] 1 scanned, 1 matched, 0 dups
        Jul 14 12:59:17.576 [22255] sending response 5 with result 0
        Jul 14 12:59:17.576 [22255] finished search on msgid 2
        Jul 14 12:59:17.576 [22255] consumed 7 bytes
        Jul 14 12:59:17.576 [22255] got request type 2, id 3
        Jul 14 12:59:17.576 [22255] current bind dn = uid=user,ou=people,dc=example,dc=net
        Jul 14 12:59:17.576 [22255] closing connection 17

With ldapd-5.6, however, the same ldapsearch command results in the following error.

        ldap_bind: Operations error (1)

There is also some binding errors in the much shorter server log.

        Jul 14 13:02:18.732 [30050] accepted connection from 127.0.0.1 on fd 17
        Jul 14 13:02:18.734 [30050] consumed 66 bytes
        Jul 14 13:02:18.734 [30050] got request type 0, id 1
        Jul 14 13:02:18.734 [30050] bind dn = uid=user,ou=people,dc=example,dc=net
        Jul 14 13:02:18.734 [30050] requesting 10 access to uid=user,ou=people,dc=example,dc=net by any, in namespace dc=example,dc=net
        Jul 14 13:02:18.734 [30050] sending response 1 with result 1
        Jul 14 13:02:18.735 [30050] consumed 7 bytes
        Jul 14 13:02:18.735 [30050] got request type 2, id 2
        Jul 14 13:02:18.735 [30050] current bind dn = (null)
        Jul 14 13:02:18.735 [30050] closing connection 17

Apparently, there is a problem authenticating (yes, I did type the password
properly), resulting in an empty bind, which leads to a failure to continue
further.

Did anybody encounter the same issue? Is there a known cause? How could this be
solved?

I now this is 5.6, and I should be worrying about 5.7, but I would rather have
a fully functional system before I move on to the next step.

Cheers.

--
Olivier Mehani <[hidden email]>
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655
Confidentiality cannot be guaranteed on emails sent or received unencrypted.

Reply | Threaded
Open this post in threaded view
|

Re: 'ldap_bind: Operations error (1)' with ldapd-5.6

Matthew Weigel
On 2015-07-14 6:07, Olivier Mehani wrote:

> Did anybody encounter the same issue? Is there a known cause? How could
> this be
> solved?

I'm running 5.6 and using ldapd without issue.  Can you clarify how your
test user is authenticated (BSD Auth?  A crypt hash in the userPassword
attribute?)?

--
  Matthew Weigel
  hacker
  unique & idempot . ent

Reply | Threaded
Open this post in threaded view
|

Re: 'ldap_bind: Operations error (1)' with ldapd-5.6

Olivier Mehani-5
Hey Matthew,

On 2015-07-14, Matthew Weigel <[hidden email]> wrote:
>> Did anybody encounter the same issue? Is there a known cause? How could
>> this be
>> solved?
> I'm running 5.6 and using ldapd without issue.  Can you clarify how your
> test user is authenticated (BSD Auth?  A crypt hash in the userPassword
> attribute?)?

My root user is authenticated with BSDAUTH. The rest of the users with
an md5crypt in the userPassword. This works with the version from 5.5
with a range of applications (ownCloud, Wordpress, PHPLDAPAdmin, ...).

--
Olivier Mehani <[hidden email]>
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655
Confidentiality cannot be guaranteed on emails sent or received unencrypted.

Reply | Threaded
Open this post in threaded view
|

Re: 'ldap_bind: Operations error (1)' with ldapd-5.6

Matthew Weigel
On 7/18/15 4:27 AM, Olivier Mehani wrote:

> My root user is authenticated with BSDAUTH. The rest of the users with
> an md5crypt in the userPassword. This works with the version from 5.5
> with a range of applications (ownCloud, Wordpress, PHPLDAPAdmin, ...).

md5crypt...?  Well, there's your problem.

 From http://www.openbsd.org/plus56.html:

  * Removed md5crypt from crypt(3).

So ldapd(8) is passing the hash string along to crypt(3) when checking
the user's password and crypt(3) is unable to handle it.  You'll need to
start migrating these password hashes.
--
  Matthew Weigel
  hacker
  unique & idempot . ent

Reply | Threaded
Open this post in threaded view
|

Re: 'ldap_bind: Operations error (1)' with ldapd-5.6

Matthew Martin-2
I'm running ldapd on 5.7. {CRYPT} with bcrypt works fine for moodle,
dokuwiki, and phpbb. encrypt(1) can generate them or PHP's
password_hash() with (possibly without?) something like:
// {CRYPT} is part of the string at this point
$newdata['userPassword'][9] = 'b'; // $2y$ -> $2b$

Far as I know the LDAP RFC's only talk about md5/sha1, but who cares.

On 7/18/15, Matthew Weigel <[hidden email]> wrote:

> On 7/18/15 4:27 AM, Olivier Mehani wrote:
>
>> My root user is authenticated with BSDAUTH. The rest of the users with
>> an md5crypt in the userPassword. This works with the version from 5.5
>> with a range of applications (ownCloud, Wordpress, PHPLDAPAdmin, ...).
>
> md5crypt...?  Well, there's your problem.
>
>  From http://www.openbsd.org/plus56.html:
>
>   * Removed md5crypt from crypt(3).
>
> So ldapd(8) is passing the hash string along to crypt(3) when checking
> the user's password and crypt(3) is unable to handle it.  You'll need to
> start migrating these password hashes.
> --
>   Matthew Weigel
>   hacker
>   unique & idempot . ent

Reply | Threaded
Open this post in threaded view
|

[FIXED] Re: 'ldap_bind: Operations error (1)' with ldapd-5.6

Olivier Mehani-5
In reply to this post by Matthew Weigel
Hey Matthew,

On 2015-07-18, Matthew Weigel <[hidden email]> wrote:
>> My root user is authenticated with BSDAUTH. The rest of the users with
>> an md5crypt in the userPassword. This works with the version from 5.5
>> with a range of applications (ownCloud, Wordpress, PHPLDAPAdmin, ...).
> md5crypt...?  Well, there's your problem.
>  From http://www.openbsd.org/plus56.html:
>   * Removed md5crypt from crypt(3).
> So ldapd(8) is passing the hash string along to crypt(3) when checking
> the user's password and crypt(3) is unable to handle it.  You'll need to
> start migrating these password hashes.

This is correct. I migrated my personal and lookup users to crypt
passwords, and they can successfully authenticate. I'm not sure why I
went to md5crypt to start with, probably some confusion with the
apache-htpasswd format difference.

Anyway, I can confirm that using crypt passwords works well with
ldapd-5.6 and PHP application such as ownCloud, Wordpress or DokuWiki.

Thanks for your help!

--
Olivier Mehani <[hidden email]>
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655
Confidentiality cannot be guaranteed on emails sent or received unencrypted.