bitnami / containers

Bitnami container images
https://bitnami.com

[bitnami/openldap] Pass-Through authentication #55233

Closed kimkihoon0515 closed 6 months ago

kimkihoon0515 commented 9 months ago

Name and Version

bitnami/openldap:2.6.3

What is the problem this feature will solve?

Refer to Openldap guide https://www.openldap.org/doc/admin26/guide.html

Since OpenLDAP 2.0 slapd has had the ability to delegate password verification to a separate process. This uses the sasl_checkpass(3) function so it can use any back-end server that Cyrus SASL supports for checking passwords. The choice is very wide, as one option is to use saslauthd(8) which in turn can use local files, Kerberos, an IMAP server, another LDAP server, or anything supported by the PAM mechanism.

The server must be built with the --enable-spasswd configuration option to enable pass-through authentication.

Note: This is not the same as using a SASL mechanism to authenticate the LDAP session.
Pass-Through authentication works only with plaintext passwords, as used in the "simple bind" and "SASL PLAIN" authentication mechanisms.

Pass-Through authentication is selective: it only affects users whose userPassword attribute has a value marked with the "{SASL}" scheme. The format of the attribute is:

    userPassword: {SASL}username@realm

The username and realm are passed to the SASL authentication mechanism and are used to identify the account whose password is to be verified. This allows arbitrary mapping between entries in OpenLDAP and accounts known to the backend authentication service.

It would be wise to use access control to prevent users from changing their passwords through LDAP where they have pass-through authentication enabled.

14.5.1. Configuring slapd to use an authentication provider

"The server must be built with the --enable-spasswd configuration option to enable pass-through authentication." How can I do this in the Bitnami container?

What is the feature you are proposing to solve the problem?

Trying to figure out how to do this in the Bitnami OpenLDAP container, but I couldn't find any configure files.

What alternatives have you considered?

No response

javsalgar commented 9 months ago

Hi!

Thank you so much for the input! I will forward this to the engineering team so they can check the current compilation recipe. As soon as there are news we will update the issue

javsalgar commented 9 months ago

Hi,

We reviewed the compilation recipe and it is compiled with --enable-spasswd. Could you detail what issue you are finding with the container?

kimkihoon0515 commented 9 months ago

@javsalgar If I install OpenLDAP in normal containers like Ubuntu or Debian, I have to download the OpenLDAP zip files and run make build. Before running the make build command, I have to run configure --enable-spasswd --with-cyrus-sasl. But in the Bitnami OpenLDAP container, I don't know how to do that. Can you tell me how?

javsalgar commented 9 months ago

Hi,

Both flags are already enabled in the Bitnami OpenLDAP container, so you can use it directly.

kimkihoon0515 commented 9 months ago

@javsalgar One more when I run

ldapsearch -x -d 1 -ZZ

I always get this response

ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect errno: 111
ldap_close_socket: 3
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect errno: 99
ldap_close_socket: 3
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)

Is this ok??

javsalgar commented 9 months ago

Could you share with us the configuration you set for reproducing the issue?

kimkihoon0515 commented 9 months ago

@javsalgar Never mind, it wasn't a big problem. By the way, I have one more question. Is there a way to add a SASL mechanism? The only method ldapi:/// supports now is EXTERNAL, but I want to add the PLAIN method.

javsalgar commented 9 months ago

You can use your custom init scripts in the container to add the missing configuration elements.

https://github.com/bitnami/containers/tree/main/bitnami/openldap#initializing-a-new-instance

kimkihoon0515 commented 9 months ago

@javsalgar Any examples for that?

javsalgar commented 9 months ago

For example, this script would enable a module:

#!/bin/bash
# Writes an LDIF that loads the accesslog module into cn=config.
# The file is written under the container's share directory; the
# closing quote on the path was missing in the original snippet.
cat > "/opt/bitnami/openldap/share/enable_module_accesslog.ldif" << EOF
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /opt/bitnami/openldap/lib/openldap
olcModuleLoad: accesslog.so
EOF

You would need to check the upstream instructions to enable the feature you want to enable.
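The opening post quotes the guide's two pieces of pass-through authentication (the {SASL}username@realm userPassword scheme and the advice to stop such users from changing their own password over LDAP), and the reply above points at custom init scripts as the place to put extra configuration. The script below is an added example tying those together; it is not Bitnami's or OpenLDAP's own code. Everything in it that the thread does not state is an assumption: the base DN dc=example,dc=org, the realm EXAMPLE.COM, an ou=passthrough container holding the delegated users, olcDatabase={2}mdb as the data database, a cn=admin DN, saslauthd's socket at /var/run/saslauthd/mux, and the OUT_DIR/APPLY variables.

```shell
#!/usr/bin/env bash
# Added example (not Bitnami's or OpenLDAP's code): an init-script style helper
# that generates the SASL plugin config, a pass-through user entry and the
# password ACL, and audits the generated LDIF. All names below are assumptions.
set -eu

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"           # where generated files go
BASE_DN="${BASE_DN:-dc=example,dc=org}"      # assumed suffix
PT_OU="ou=passthrough,${BASE_DN}"            # assumed OU for delegated users
REALM="${REALM:-EXAMPLE.COM}"                # assumed SASL realm
DB_DN="${DB_DN:-}"                           # assumed data database in cn=config
[ -n "$DB_DN" ] || DB_DN='olcDatabase={2}mdb,cn=config'

# Cyrus SASL config read by slapd (a file named slapd.conf in the SASL config
# directory, e.g. /etc/sasl2). pwcheck_method/saslauthd_path route
# sasl_checkpass() to saslauthd; mech_list is left unset so EXTERNAL over
# ldapi:/// keeps working for the init script itself.
write_sasl_conf() {
  cat > "${OUT_DIR}/slapd.conf" <<'EOF'
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
EOF
  printf '%s\n' "${OUT_DIR}/slapd.conf"
}

# Entry whose password is checked by the backend: the {SASL} value names the
# backend account, not a hash, so it may differ from the LDAP uid.
write_passthrough_user() {   # $1 = uid, $2 = backend account (defaults to uid)
  uid="$1"; account="${2:-$1}"
  cat > "${OUT_DIR}/user_${uid}.ldif" <<EOF
dn: uid=${uid},${PT_OU}
changetype: add
objectClass: inetOrgPerson
cn: ${uid}
sn: ${uid}
uid: ${uid}
userPassword: {SASL}${account}@${REALM}
EOF
  printf '%s\n' "${OUT_DIR}/user_${uid}.ldif"
}

# The access control the guide recommends: no "by self write" on userPassword
# under the pass-through OU, while anonymous keeps "auth" so simple binds work.
# Inserted as {0} so it takes precedence over broader existing rules.
write_password_acl() {
  cat > "${OUT_DIR}/acl_passthrough.ldif" <<EOF
dn: ${DB_DN}
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="${PT_OU}" attrs=userPassword
  by dn.exact="cn=admin,${BASE_DN}" write
  by anonymous auth
  by * none
EOF
  printf '%s\n' "${OUT_DIR}/acl_passthrough.ldif"
}

# True when a userPassword value has the {SASL}username@realm form.
is_passthrough_password() {
  printf '%s\n' "$1" | grep -Eq '^\{SASL\}[^@[:space:]]+@[^@[:space:]]+$'
}

# Audit: number of userPassword values in an LDIF that are NOT pass-through.
# For entries meant to be delegated this should be 0; a stray local hash would
# let a password be verified without the central backend.
count_local_passwords() {   # $1 = LDIF file
  n=0
  while IFS= read -r line; do
    case "$line" in
      "userPassword: "*)
        is_passthrough_password "${line#userPassword: }" || n=$((n + 1)) ;;
    esac
  done < "$1"
  echo "$n"
}

# Apply over the local socket with EXTERNAL, as the thread describes for
# ldapi:///; only attempted when APPLY=1, so the script is safe to run
# outside the container just to generate and review the files.
apply_ldif() {   # $1 = LDIF file
  if [ "${APPLY:-0}" = "1" ] && command -v ldapmodify >/dev/null 2>&1; then
    ldapmodify -Y EXTERNAL -H ldapi:/// -f "$1"
  else
    echo "not applied (set APPLY=1 inside the container): $1" >&2
  fi
}

if [ "${1:-}" = "run" ]; then
  write_sasl_conf
  apply_ldif "$(write_password_acl)"
  apply_ldif "$(write_passthrough_user alice alice)"
fi
```

Run with `APPLY=1 ./passthrough-init.sh run` inside the container to apply the ACL and the sample entry; without APPLY it only writes the files into OUT_DIR. The audit function is the check worth keeping around: run it over any LDIF you import under the pass-through OU, because one entry with a local {SSHA} hash there silently bypasses the backend the {SASL} scheme was meant to enforce.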

kimkihoon0515 commented 9 months ago

@javsalgar Sorry, but are you sure both flags

--enable-spasswd --with-cyrus-sasl

are really enabled? Because testing saslauthd with testsaslauthd succeeds, but I still can't get the password through {SASL}email.

javsalgar commented 9 months ago

Hi,

Yes, I confirm they are enabled; you can check it via ldd:

I have no name!@b8816984d552:/opt/bitnami/openldap/sbin$ ldd slapd
        linux-vdso.so.1 (0x00007fffa59d5000)
        libldap.so.2 => /opt/bitnami/openldap/lib/libldap.so.2 (0x00007f3bedb57000)
        liblber.so.2 => /opt/bitnami/openldap/lib/liblber.so.2 (0x00007f3bedb45000)

        libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f3bedb25000) <------ HERE

        libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f3bedaea000)
        libslapi.so.2 => /opt/bitnami/openldap/lib/libslapi.so.2 (0x00007f3bedac3000)
        libltdl.so.7 => /usr/lib/x86_64-linux-gnu/libltdl.so.7 (0x00007f3bedab8000)
        libwrap.so.0 => /usr/lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f3bedaaa000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f3beda88000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3bed8b4000)
        libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f3bed89a000)
        libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f3bed807000)
        libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f3bed513000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f3bed50b000)
        libnsl.so.2 => /usr/lib/x86_64-linux-gnu/libnsl.so.2 (0x00007f3bed4f0000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f3bede29000)
        libtirpc.so.3 => /lib/x86_64-linux-gnu/libtirpc.so.3 (0x00007f3bed4c0000)
        libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007f3bed46d000)
        libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007f3bed393000)
        libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007f3bed361000)
        libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007f3bed35b000)
        libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007f3bed34c000)
        libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007f3bed345000)

kimkihoon0515 commented 9 months ago

@javsalgar Do you have any idea how to disable the SASL EXTERNAL mechanism? I can't find how to do it :(

javsalgar commented 9 months ago

Hi! I'm afraid that goes beyond the Bitnami packaging of OpenLDAP and is more related to the usage of the application. My advice would be to check with the upstream OpenLDAP devs. Let's see if someone from the community wants to add insight on this.

kimkihoon0515 commented 9 months ago

@javsalgar Thanks for the help. Is https://github.com/openldap/openldap the right link for the upstream OpenLDAP devs?

javsalgar commented 8 months ago

Hi! Yes, this is correct

kimkihoon0515 commented 8 months ago

@javsalgar Is the --enable-sql option enabled?

javsalgar commented 8 months ago

Hi,

I confirm that --enable-sql is not enabled. Is this necessary for the pass-through authentication?

kimkihoon0515 commented 8 months ago

@javsalgar No, but I'm also trying to use an external DB server with LDAP. Is it possible?

javsalgar commented 8 months ago

Let me forward this to the team for evaluation

github-actions[bot] commented 7 months ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

gongomgra commented 7 months ago

Hi @kimkihoon0515,

Thanks for your message. I will create a new task to evaluate the change and will keep you posted. I'm also adding the on-hold tag now to avoid it getting closed by the stale-bot.

gongomgra commented 7 months ago

Hi @kimkihoon0515,

Just a quick note to let you know we have released new revisions of our OpenLDAP docker images including the backend SQL module:

root@191f14c2ed5a:/# ls -larth /opt/bitnami/openldap/lib/openldap/back_sql*
lrwxrwxrwx 1 root root   19 Apr  4 09:59 /opt/bitnami/openldap/lib/openldap/back_sql.so.2 -> back_sql.so.2.0.200
lrwxrwxrwx 1 root root   19 Apr  4 09:59 /opt/bitnami/openldap/lib/openldap/back_sql.so -> back_sql.so.2.0.200
-rwxr-xr-x 1 root root 201K Apr  4 09:59 /opt/bitnami/openldap/lib/openldap/back_sql.so.2.0.200

Hope it helps!

github-actions[bot] commented 6 months ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] commented 6 months ago

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

johnstarxx commented 3 months ago

Hi @javsalgar !

I have a problem configuring OpenLDAP authentication with Kerberos backend (using SASL). As specified in #13639, I need the packages sasl2-bin and libsasl2-modules-gssapi-mit.

Given the fact that the container does not run as root, these packages must be installed here.

Also, we must add the user running slapd to the sasl group (I think this user is 1001).

For reference, I'm using Kubernetes and I can't connect as root to the container to be able to install the packages there, and I think that using this does not help as it will not run as root.