kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

ldap server still sees lots of searches even with caching enabled? #228

Open mmguero opened 4 years ago

mmguero commented 4 years ago

I realize this is less likely an issue and more likely something with my config, but hopefully someone can set me straight.

Everything is working correctly as far as connectivity, authentication, searches, etc. However, I'm seeing a lot of traffic between nginx and my OpenLDAP server even with caching enabled, and I just want to know if I'm doing something wrong.

Working from the LDAP server backwards, I've got OpenLDAP running in docker. I have a read-only bind_dn account configured, and requests from both ldapsearch and nginx with nginx-auth-ldap are working correctly.

In my nginx.conf, in the http section, I have this:

auth_ldap_cache_enabled on;
auth_ldap_cache_expiration_time 10000;
auth_ldap_cache_size 1000;

ldap_server ad_server {
  url "ldap://192.168.0.54:389/dc=whatever,dc=abc,dc=lan?uid?sub?(|(objectClass=posixAccount)(objectClass=account))";

  binddn "cn=bind_dn,dc=whatever,dc=abc,dc=lan";
  binddn_passwd "password";

  require valid_user;
  satisfy all;
}

In the rest of my nginx.conf file I have nginx set up to do reverse proxy for an Elasticsearch instance. Then, on the client side, I have several Elastic beats configured to connect to nginx over https, authenticating with credentials that match those stored on the OpenLDAP server.

So, like I said before, everything "works." The beats clients connect, nginx authenticates through nginx-auth-ldap to my ldap server, proxying works correctly, the beats' data gets written to elasticsearch. The only problem, if it is a problem, is I see this in the log of my OpenLDAP server:

openldap        | 5df13efc conn=1170 op=41713 SRCH base="dc=whatever,dc=abc,dc=lan" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=account))(uid=sensor))"
openldap        | 5df13efc conn=1170 op=41713 SRCH attr=1.1
openldap        | 5df13efc conn=1170 op=41713 SEARCH RESULT tag=101 err=0 nentries=1 text=
openldap        | 5df13efc conn=1170 op=41714 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1170 op=41714 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1170 op=41714 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1170 op=41714 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1170 op=41715 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1170 op=41715 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1170 op=41715 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1170 op=41715 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1172 op=33095 SRCH base="dc=whatever,dc=abc,dc=lan" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=account))(uid=sensor))"
openldap        | 5df13efc conn=1172 op=33095 SRCH attr=1.1
openldap        | 5df13efc conn=1172 op=33095 SEARCH RESULT tag=101 err=0 nentries=1 text=
openldap        | 5df13efc conn=1172 op=33096 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1172 op=33096 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1172 op=33096 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1172 op=33096 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1172 op=33097 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1172 op=33097 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1172 op=33097 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1172 op=33097 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1170 op=41716 SRCH base="dc=whatever,dc=abc,dc=lan" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=account))(uid=sensor))"
openldap        | 5df13efc conn=1170 op=41716 SRCH attr=1.1
openldap        | 5df13efc conn=1170 op=41716 SEARCH RESULT tag=101 err=0 nentries=1 text=
openldap        | 5df13efc conn=1170 op=41717 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1170 op=41717 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1170 op=41717 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1170 op=41717 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1170 op=41718 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1170 op=41718 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1170 op=41718 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1170 op=41718 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1172 op=33098 SRCH base="dc=whatever,dc=abc,dc=lan" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=account))(uid=sensor))"
openldap        | 5df13efc conn=1172 op=33098 SRCH attr=1.1
openldap        | 5df13efc conn=1172 op=33098 SEARCH RESULT tag=101 err=0 nentries=1 text=
openldap        | 5df13efc conn=1172 op=33099 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1172 op=33099 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1172 op=33099 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1172 op=33099 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1172 op=33100 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1172 op=33100 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1172 op=33100 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1172 op=33100 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1170 op=41719 SRCH base="dc=whatever,dc=abc,dc=lan" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=account))(uid=sensor))"
openldap        | 5df13efc conn=1170 op=41719 SRCH attr=1.1
openldap        | 5df13efc conn=1170 op=41719 SEARCH RESULT tag=101 err=0 nentries=1 text=
openldap        | 5df13efc conn=1172 op=33101 SRCH base="dc=whatever,dc=abc,dc=lan" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=account))(uid=sensor))"
openldap        | 5df13efc conn=1172 op=33101 SRCH attr=1.1
openldap        | 5df13efc conn=1172 op=33101 SEARCH RESULT tag=101 err=0 nentries=1 text=
openldap        | 5df13efc conn=1170 op=41720 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1170 op=41720 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1170 op=41720 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1170 op=41720 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1172 op=33102 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1172 op=33102 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1172 op=33102 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1172 op=33102 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1172 op=33103 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1172 op=33103 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1172 op=33103 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1170 op=41721 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1170 op=41721 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1172 op=33103 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1170 op=41721 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1170 op=41721 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1172 op=33104 SRCH base="dc=whatever,dc=abc,dc=lan" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=account))(uid=sensor))"
openldap        | 5df13efc conn=1172 op=33104 SRCH attr=1.1
openldap        | 5df13efc conn=1172 op=33104 SEARCH RESULT tag=101 err=0 nentries=1 text=
openldap        | 5df13efc conn=1172 op=33105 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1172 op=33105 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1172 op=33105 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1172 op=33105 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1172 op=33106 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1172 op=33106 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1172 op=33106 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1172 op=33106 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1174 op=16528 SRCH base="dc=whatever,dc=abc,dc=lan" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=account))(uid=sensor))"
openldap        | 5df13efc conn=1174 op=16528 SRCH attr=1.1
openldap        | 5df13efc conn=1174 op=16528 SEARCH RESULT tag=101 err=0 nentries=1 text=
openldap        | 5df13efc conn=1174 op=16529 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1174 op=16529 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1174 op=16529 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1174 op=16529 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1174 op=16530 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1174 op=16530 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1174 op=16530 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1174 op=16530 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1174 op=16531 SRCH base="dc=whatever,dc=abc,dc=lan" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=account))(uid=sensor))"
openldap        | 5df13efc conn=1174 op=16531 SRCH attr=1.1
openldap        | 5df13efc conn=1174 op=16531 SEARCH RESULT tag=101 err=0 nentries=1 text=
openldap        | 5df13efc conn=1174 op=16532 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1174 op=16532 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1174 op=16532 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1174 op=16532 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1174 op=16533 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1174 op=16533 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1174 op=16533 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1174 op=16533 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1172 op=33107 SRCH base="dc=whatever,dc=abc,dc=lan" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=account))(uid=sensor))"
openldap        | 5df13efc conn=1172 op=33107 SRCH attr=1.1
openldap        | 5df13efc conn=1172 op=33107 SEARCH RESULT tag=101 err=0 nentries=1 text=
openldap        | 5df13efc conn=1172 op=33108 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1172 op=33108 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1172 op=33108 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1172 op=33108 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1172 op=33109 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1172 op=33109 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1172 op=33109 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1172 op=33109 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1170 op=41722 SRCH base="dc=whatever,dc=abc,dc=lan" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=account))(uid=sensor))"
openldap        | 5df13efc conn=1170 op=41722 SRCH attr=1.1
openldap        | 5df13efc conn=1170 op=41722 SEARCH RESULT tag=101 err=0 nentries=1 text=
openldap        | 5df13efc conn=1170 op=41723 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1170 op=41723 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1170 op=41723 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1170 op=41723 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1170 op=41724 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1170 op=41724 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1170 op=41724 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1170 op=41724 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1172 op=33110 SRCH base="dc=whatever,dc=abc,dc=lan" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=account))(uid=sensor))"
openldap        | 5df13efc conn=1172 op=33110 SRCH attr=1.1
openldap        | 5df13efc conn=1172 op=33110 SEARCH RESULT tag=101 err=0 nentries=1 text=
openldap        | 5df13efc conn=1172 op=33111 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1172 op=33111 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1172 op=33111 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1172 op=33111 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1172 op=33112 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1172 op=33112 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1172 op=33112 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1172 op=33112 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1170 op=41725 SRCH base="dc=whatever,dc=abc,dc=lan" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=account))(uid=sensor))"
openldap        | 5df13efc conn=1170 op=41725 SRCH attr=1.1
openldap        | 5df13efc conn=1170 op=41725 SEARCH RESULT tag=101 err=0 nentries=1 text=
openldap        | 5df13efc conn=1170 op=41726 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1170 op=41726 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1170 op=41726 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1170 op=41726 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1170 op=41727 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1170 op=41727 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1170 op=41727 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1170 op=41727 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1170 op=41728 SRCH base="dc=whatever,dc=abc,dc=lan" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=account))(uid=sensor))"
openldap        | 5df13efc conn=1170 op=41728 SRCH attr=1.1
openldap        | 5df13efc conn=1170 op=41728 SEARCH RESULT tag=101 err=0 nentries=1 text=
openldap        | 5df13efc conn=1170 op=41729 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1170 op=41729 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1170 op=41729 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1170 op=41729 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1170 op=41730 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1170 op=41730 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1170 op=41730 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1170 op=41730 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1170 op=41731 SRCH base="dc=whatever,dc=abc,dc=lan" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=account))(uid=sensor))"
openldap        | 5df13efc conn=1170 op=41731 SRCH attr=1.1
openldap        | 5df13efc conn=1170 op=41731 SEARCH RESULT tag=101 err=0 nentries=1 text=
openldap        | 5df13efc conn=1170 op=41732 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1170 op=41732 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1170 op=41732 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1170 op=41732 RESULT tag=97 err=0 text=
openldap        | 5df13efc conn=1170 op=41733 BIND anonymous mech=implicit ssf=0
openldap        | 5df13efc conn=1170 op=41733 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" method=128
openldap        | 5df13efc conn=1170 op=41733 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap        | 5df13efc conn=1170 op=41733 RESULT tag=97 err=0 text=

That is one second's worth of logs. As you can see in my config file, caching is enabled:

auth_ldap_cache_enabled on;
auth_ldap_cache_expiration_time 10000;
auth_ldap_cache_size 1000;

Am I misunderstanding the point of the auth_ldap_cache_enabled directive? Is this no big deal, or should I be concerned? Any advice?
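In the slapd log above, every authenticated request shows the same three-op pattern: a uid search, a simple bind with the user's own DN, then a rebind as the service account. Counting those cycles per uid per second is the quickest way to see whether the module's cache is absorbing repeat requests. The script below is an added example, not code from nginx-auth-ldap or from the issue; the log lines it parses are constructed to match the shape quoted above, and the `service_dn_prefix` parameter is an assumption about the bind_dn used in this config.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the slapd lines quoted in the issue (not a real
# capture). slapd's default log prefix is the epoch second in hex, e.g. 5df13efc.
SAMPLE_LOG = """\
openldap | 5df13efc conn=1170 fd=14 ACCEPT from IP=192.168.0.10:51234 (IP=0.0.0.0:389)
openldap | 5df13efc conn=1170 op=41713 SRCH base="dc=whatever,dc=abc,dc=lan" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=account))(uid=sensor))"
openldap | 5df13efc conn=1170 op=41713 SEARCH RESULT tag=101 err=0 nentries=1 text=
openldap | 5df13efc conn=1170 op=41714 BIND anonymous mech=implicit ssf=0
openldap | 5df13efc conn=1170 op=41714 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" method=128
openldap | 5df13efc conn=1170 op=41714 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" mech=SIMPLE ssf=0
openldap | 5df13efc conn=1170 op=41714 RESULT tag=97 err=0 text=
openldap | 5df13efc conn=1170 op=41715 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" method=128
openldap | 5df13efc conn=1170 op=41715 RESULT tag=97 err=0 text=
openldap | 5df13efc conn=1172 op=33095 SRCH base="dc=whatever,dc=abc,dc=lan" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=account))(uid=sensor))"
openldap | 5df13efc conn=1172 op=33096 BIND dn="uid=sensor,ou=sensors,dc=whatever,dc=abc,dc=lan" method=128
openldap | 5df13efc conn=1172 op=33096 RESULT tag=97 err=49 text=
openldap | 5df13efc conn=1172 op=33097 BIND dn="cn=bind_dn,dc=whatever,dc=abc,dc=lan" method=128
openldap | 5df13efc conn=1172 op=33097 RESULT tag=97 err=0 text=
"""

LINE_RE = re.compile(r"(?P<ts>[0-9a-f]{8}) conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
SRCH_UID_RE = re.compile(r'^SRCH base=.*\(uid=(?P<uid>[^)]+)\)')
USER_BIND_RE = re.compile(r'^BIND dn="uid=(?P<uid>[^,]+),.* method=128$')  # user's own password
RESULT_RE = re.compile(r"^RESULT tag=97 err=(?P<err>\d+)")                  # bind result

def summarize(log_text, service_dn_prefix='cn=bind_dn,'):
    """Per (epoch second, uid): counts of searches, user binds (ok/failed) and rebinds
    to the service account. One search + one user bind + one rebind = one cache miss."""
    stats = defaultdict(Counter)
    pending = {}   # (conn, op) -> (second, uid): user binds waiting for their RESULT line
    last_uid = {}  # conn -> uid of the most recent search, so the rebind can be attributed
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ACCEPT/closed lines and anything without an op number
        sec, conn, op, rest = int(m["ts"], 16), m["conn"], m["op"], m["rest"]
        if s := SRCH_UID_RE.match(rest):
            stats[(sec, s["uid"])]["search"] += 1
            last_uid[conn] = s["uid"]
        elif b := USER_BIND_RE.match(rest):
            pending[(conn, op)] = (sec, b["uid"])
        elif rest.startswith(f'BIND dn="{service_dn_prefix}') and rest.endswith("method=128"):
            if conn in last_uid:
                stats[(sec, last_uid[conn])]["rebind"] += 1
        elif (r := RESULT_RE.match(rest)) and (conn, op) in pending:
            sec0, uid = pending.pop((conn, op))
            stats[(sec0, uid)]["bind_ok" if r["err"] == "0" else "bind_fail"] += 1
    return stats

def flag_uncached(stats, max_auths_per_second):
    """Return [(second, uid, auths)] for uids authenticated against LDAP more often per
    second than a working cache should allow (err=49 failures count too)."""
    return sorted((sec, uid, c["bind_ok"] + c["bind_fail"])
                  for (sec, uid), c in stats.items()
                  if c["bind_ok"] + c["bind_fail"] > max_auths_per_second)
```

Run it over a real slapd log at loglevel stats and compare the per-uid auth rate with the request rate nginx sees for that user; if they match, no request is being served from the cache. The threshold is per one-second bucket because that is the granularity of slapd's hex timestamp.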

opremicSebastian commented 3 years ago

Hi all,

I observe the same situation in my configuration. A lot of bindings to LDAP without any further action. Does anybody have an idea about the reason behind this behavior?

Thanks, Sebastian

dpedu commented 2 years ago

Confirming this issue as well. Built from latest master. Configuration:

auth_ldap_cache_enabled on;
auth_ldap_cache_expiration_time 180000;
auth_ldap_cache_size 1000;