Error: `ldap_bind: Invalid credentials (49)`
polarathene opened this issue · comments
Problem
Migrating from an old unmaintained OpenLDAP image osixia/docker-openldap, users added via LDIF fail to authenticate with "Invalid credentials (49)".
Reproduction
ldapwhoami and ldapsearch commands within the same running container (docker exec -it ldap-test bash) are both sufficient at illustrating the problem.
# Default internal admin user is successful:
$ ldapwhoami -v -H 'ldap://ldap.example.test' -D 'cn=admin,dc=example,dc=test' -w adminpassword
ldap_initialize( ldap://ldap.example.test:389/??base )
dn:cn=admin,dc=example,dc=test
Result: Success (0)
# Custom user added is not:
$ ldapwhoami -v -H 'ldap://ldap.example.test' -D 'userid=john.doe,ou=people,dc=example,dc=test' -w secret
ldap_initialize( ldap://ldap.example.test:389/??base )
ldap_bind: Invalid credentials (49)Admin user can query the LDIF record successfully:
$ ldapsearch -v -x -H 'ldap://ldap.example.test' -b 'ou=people,dc=example,dc=test' -D 'cn=admin,dc=example,dc=test' -w adminpassword '(&(userid=john.doe)(mailEnabled=TRUE))'
ldap_initialize( ldap://ldap.example.test:389/??base )
filter: (&(userid=john.doe)(mailEnabled=TRUE))
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=example,dc=test> with scope subtree
# filter: (&(userid=john.doe)(mailEnabled=TRUE))
# requesting: ALL
#
# john.doe, people, example.test
dn: uid=john.doe,ou=people,dc=example,dc=test
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: PostfixBookMailAccount
objectClass: extensibleObject
cn: John Doe
givenName: John
sn: Doe
uid: john.doe
userPassword:: c2VjcmV0
mail: john.doe@example.test
mailEnabled: TRUE
mailUidNumber: 5000
mailGidNumber: 5000
mailAlias: postmaster@example.test
mailGroupMember: employees@example.test
mailHomeDirectory: /var/mail/example.test/john.doe/
mailStorageDirectory: maildir:/var/mail/example.test/john.doe/
mailQuota: 10240
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1Where userPassword is base64 encoded in the response to c2VjcmV0 (aka secret).
Related log output from the `ldapsearch` command
64dc88f8 conn=1008 fd=12 ACCEPT from IP=172.17.0.2:54138 (IP=0.0.0.0:389)
64dc88f8 conn=1008 op=0 BIND dn="cn=admin,dc=example,dc=test" method=128
64dc88f8 conn=1008 op=0 BIND dn="cn=admin,dc=example,dc=test" mech=SIMPLE ssf=0
64dc88f8 conn=1008 op=0 RESULT tag=97 err=0 text=
64dc88f8 conn=1008 op=1 SRCH base="ou=people,dc=example,dc=test" scope=2 deref=0 filter="(&(uid=john.doe)(mailEnabled=TRUE))"
64dc88f8 <= mdb_equality_candidates: (uid) not indexed
64dc88f8 <= mdb_equality_candidates: (mailEnabled) not indexed
64dc88f8 conn=1008 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
64dc88f8 conn=1008 op=2 UNBIND
64dc88f8 conn=1008 fd=12 closed
Whereas the equivalent for the custom user fails with:
$ ldapsearch -v -x -H 'ldap://ldap.example.test' -b 'ou=people,dc=example,dc=test' -D 'userid=john.doe,ou=people,dc=example,dc=test' -w secret '(&(userid=john.doe)(mailEnabled=TRUE))'
ldap_initialize( ldap://ldap.example.test:389/??base )
ldap_bind: Invalid credentials (49)
# Related log output from container logs:
64dc8a08 conn=1010 fd=12 ACCEPT from IP=172.17.0.2:42226 (IP=0.0.0.0:389)
64dc8a08 conn=1010 op=0 BIND dn="uid=john.doe,ou=people,dc=example,dc=test" method=128
64dc8a08 conn=1010 op=0 RESULT tag=97 err=49 text=
64dc8a08 conn=1010 op=1 UNBIND
64dc8a08 conn=1010 fd=12 closeddocker run
docker run --rm --name ldap-test \
--env LDAP_ROOT='dc=example,dc=test' \
--env LDAP_HASH_PASSWORD='NONE' \
--env LDAP_PORT_NUMBER=389 \
--env BITNAMI_DEBUG=true \
--volume '/tmp/ldif/:/migrations/:ro' \
--hostname 'ldap.example.test' \
registry.gitlab.com/bitspur/rock8s/docker-openldap- The hash method is set to
NONEjust to keep it simple. I triedSHAfor a predictable SHA-1 (due to no salt,slappasswd -s secret -h '{SHA}'always outputs{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=), but I am unsure why credentials are "invalid". - The custom
.ldiffiles are mounted to/migrationsas your README advises due to usingchangetypeto do so. It doesn't seem to make any difference either way.
Log output during startup
rm: cannot remove '/opt/bitnami/openldap/ldifs': Permission denied
08:21:29.93 INFO ==> ** Starting LDAP setup **
08:21:29.95 INFO ==> Validating settings in LDAP_* env vars
08:21:29.95 INFO ==> Initializing OpenLDAP...
08:21:29.95 DEBUG ==> Ensuring expected directories/files exist...
08:21:29.96 INFO ==> Creating LDAP online configuration
08:21:29.96 INFO ==> Creating slapd.ldif
08:21:29.98 INFO ==> Starting OpenLDAP server in background
64dc8709 @(#) $OpenLDAP: slapd 2.4.57+dfsg-3+deb11u1 (May 14 2022 18:32:57) $
Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
64dc8709 slapd starting
08:21:30.99 INFO ==> Configure LDAP credentials for admin user
SASL/EXTERNAL authentication started
64dc870a conn=1000 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
64dc870a conn=1000 op=0 BIND dn="" method=163
64dc870a conn=1000 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
64dc870a conn=1000 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
64dc870a conn=1000 op=0 RESULT tag=97 err=0 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
64dc870a conn=1000 op=1 MOD dn="olcDatabase={2}mdb,cn=config"
64dc870a conn=1000 op=1 MOD attr=olcSuffix
64dc870a conn=1000 op=1 RESULT tag=103 err=0 text=
64dc870a conn=1000 op=2 MOD dn="olcDatabase={2}mdb,cn=config"
64dc870a conn=1000 op=2 MOD attr=olcRootDN
64dc870a conn=1000 op=2 RESULT tag=103 err=0 text=
64dc870a conn=1000 op=3 MOD dn="olcDatabase={2}mdb,cn=config"
64dc870a conn=1000 op=3 MOD attr=olcRootPW
64dc870a conn=1000 op=3 RESULT tag=103 err=0 text=
64dc870a conn=1000 op=4 MOD dn="olcDatabase={1}monitor,cn=config"
64dc870a conn=1000 op=4 MOD attr=olcAccess
64dc870a conn=1000 op=4 RESULT tag=103 err=0 text=
64dc870a conn=1000 op=5 UNBIND
64dc870a conn=1000 fd=12 closed
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={1}monitor,cn=config"
08:21:30.99 INFO ==> Adding LDAP extra schemas
SASL/EXTERNAL authentication started
64dc870b conn=1001 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
64dc870b conn=1001 op=0 BIND dn="" method=163
64dc870b conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
64dc870b conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
64dc870b conn=1001 op=0 RESULT tag=97 err=0 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
64dc870b conn=1001 op=1 ADD dn="cn=cosine,cn=schema,cn=config"
64dc870b conn=1001 op=1 RESULT tag=105 err=0 text=
adding new entry "cn=cosine,cn=schema,cn=config"
64dc870b conn=1001 op=2 UNBIND
64dc870b conn=1001 fd=12 closed
SASL/EXTERNAL authentication started
64dc870b conn=1002 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
64dc870b conn=1002 op=0 BIND dn="" method=163
64dc870b conn=1002 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
64dc870b conn=1002 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
64dc870b conn=1002 op=0 RESULT tag=97 err=0 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
64dc870b conn=1002 op=1 ADD dn="cn=inetorgperson,cn=schema,cn=config"
64dc870b conn=1002 op=1 RESULT tag=105 err=0 text=
adding new entry "cn=inetorgperson,cn=schema,cn=config"
64dc870b conn=1002 op=2 UNBIND
64dc870b conn=1002 fd=12 closed
SASL/EXTERNAL authentication started
64dc870b conn=1003 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
64dc870b conn=1003 op=0 BIND dn="" method=163
64dc870b conn=1003 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
64dc870b conn=1003 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
64dc870b conn=1003 op=0 RESULT tag=97 err=0 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
64dc870b conn=1003 op=1 ADD dn="cn=misc,cn=schema,cn=config"
64dc870b conn=1003 op=1 RESULT tag=105 err=0 text=
adding new entry "cn=misc,cn=schema,cn=config"
64dc870b conn=1003 op=2 UNBIND
64dc870b conn=1003 fd=12 closed
SASL/EXTERNAL authentication started
64dc870b conn=1004 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
64dc870b conn=1004 op=0 BIND dn="" method=163
64dc870b conn=1004 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
64dc870b conn=1004 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
64dc870b conn=1004 op=0 RESULT tag=97 err=0 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
64dc870b conn=1004 op=1 ADD dn="cn=nis,cn=schema,cn=config"
64dc870b conn=1004 op=1 RESULT tag=105 err=0 text=
64dc870b conn=1004 op=2 UNBIND
64dc870b conn=1004 fd=12 closed
adding new entry "cn=nis,cn=schema,cn=config"
SASL/EXTERNAL authentication started
64dc870b conn=1005 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
64dc870b conn=1005 op=0 BIND dn="" method=163
64dc870b conn=1005 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
64dc870b conn=1005 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
64dc870b conn=1005 op=0 RESULT tag=97 err=0 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
64dc870b conn=1005 op=1 ADD dn="cn=ppolicy,cn=schema,cn=config"
64dc870b conn=1005 op=1 RESULT tag=105 err=0 text=
64dc870b conn=1005 op=2 UNBIND
64dc870b conn=1005 fd=12 closed
adding new entry "cn=ppolicy,cn=schema,cn=config"
08:21:31.02 INFO ==> Adding custom schemas : /opt/bitnami/openldap/schemas ...
64dc870b daemon: shutdown requested and initiated.
64dc870b slapd shutdown: waiting for 0 operations/tasks to finish
64dc870b slapd stopped.
08:21:32.21 INFO ==> Starting OpenLDAP server in background
64dc870c @(#) $OpenLDAP: slapd 2.4.57+dfsg-3+deb11u1 (May 14 2022 18:32:57) $
Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
64dc870c slapd starting
08:21:33.22 INFO ==> Creating LDAP default tree
64dc870d conn=1000 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
64dc870d conn=1000 op=0 BIND dn="cn=admin,dc=example,dc=test" method=128
64dc870d conn=1000 op=0 BIND dn="cn=admin,dc=example,dc=test" mech=SIMPLE ssf=0
64dc870d conn=1000 op=0 RESULT tag=97 err=0 text=
64dc870d conn=1000 op=1 ADD dn="dc=example,dc=test"
64dc870d conn=1000 op=1 RESULT tag=105 err=0 text=
64dc870d conn=1000 op=2 ADD dn="ou=users,dc=example,dc=test"
64dc870d conn=1000 op=2 RESULT tag=105 err=0 text=
64dc870d conn=1000 op=3 ADD dn="cn=user01,ou=users,dc=example,dc=test"
64dc870d conn=1000 op=3 RESULT tag=105 err=0 text=
64dc870d conn=1000 op=4 ADD dn="cn=user02,ou=users,dc=example,dc=test"
64dc870d conn=1000 op=4 RESULT tag=105 err=0 text=
64dc870d conn=1000 op=5 ADD dn="cn=readers,ou=users,dc=example,dc=test"
64dc870d conn=1000 op=5 RESULT tag=105 err=0 text=
64dc870d conn=1000 op=6 UNBIND
64dc870d conn=1000 fd=12 closed
adding new entry "dc=example,dc=test"
adding new entry "ou=users,dc=example,dc=test"
adding new entry "cn=user01,ou=users,dc=example,dc=test"
adding new entry "cn=user02,ou=users,dc=example,dc=test"
adding new entry "cn=readers,ou=users,dc=example,dc=test"
64dc870d daemon: shutdown requested and initiated.
64dc870d slapd shutdown: waiting for 0 operations/tasks to finish
64dc870d slapd stopped.
08:21:34.28 INFO ==> ** LDAP setup finished! **
08:21:34.30 INFO ==> ** Starting slapd **
64dc870e @(#) $OpenLDAP: slapd 2.4.57+dfsg-3+deb11u1 (May 14 2022 18:32:57) $
Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
64dc870e slapd starting
64dc870e conn=1000 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
64dc870e conn=1000 op=0 BIND dn="" method=163
64dc870e conn=1000 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
64dc870e conn=1000 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
64dc870e conn=1000 op=0 RESULT tag=97 err=0 text=
64dc870e conn=1000 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.3
64dc870e conn=1000 op=1 WHOAMI
64dc870e conn=1000 op=1 RESULT oid= err=0 text=
dn:gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
64dc870e conn=1000 op=2 UNBIND
64dc870e conn=1000 fd=12 closed
ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/migrations/00-access.ldif
SASL/EXTERNAL authentication started
64dc870e conn=1001 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
64dc870e conn=1001 op=0 BIND dn="" method=163
64dc870e conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
64dc870e conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
64dc870e conn=1001 op=0 RESULT tag=97 err=0 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
64dc870e conn=1001 op=1 MOD dn="olcDatabase={2}mdb,cn=config"
64dc870e conn=1001 op=1 MOD attr=olcAccess
64dc870e conn=1001 op=1 RESULT tag=103 err=0 text=
modifying entry "olcDatabase={2}mdb,cn=config"
64dc870e conn=1001 op=2 UNBIND
64dc870e conn=1001 fd=12 closed
ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/migrations/01_mail-tree.ldif
SASL/EXTERNAL authentication started
64dc870e conn=1002 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
64dc870e conn=1002 op=0 BIND dn="" method=163
64dc870e conn=1002 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
64dc870e conn=1002 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
64dc870e conn=1002 op=0 RESULT tag=97 err=0 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
64dc870e conn=1002 op=1 ADD dn="ou=people,dc=example,dc=test"
64dc870e conn=1002 op=1 RESULT tag=105 err=0 text=
64dc870e conn=1002 op=2 UNBIND
adding new entry "ou=people,dc=example,dc=test"
64dc870e conn=1002 fd=12 closed
ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/migrations/02_user-email.ldif
SASL/EXTERNAL authentication started
64dc870e conn=1003 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
64dc870e conn=1003 op=0 BIND dn="" method=163
64dc870e conn=1003 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
64dc870e conn=1003 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
64dc870e conn=1003 op=0 RESULT tag=97 err=0 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
64dc870e conn=1003 op=1 ADD dn="uid=john.doe,ou=people,dc=example,dc=test"
64dc870e conn=1003 op=1 RESULT tag=105 err=0 text=
64dc870e conn=1003 op=2 UNBIND
64dc870e conn=1003 fd=12 closed
adding new entry "userid=john.doe,ou=people,dc=example,dc=test"
ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/migrations/auditlog.ldif
SASL/EXTERNAL authentication started
64dc870e conn=1004 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
64dc870e conn=1004 op=0 BIND dn="" method=163
64dc870e conn=1004 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
64dc870e conn=1004 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
64dc870e conn=1004 op=0 RESULT tag=97 err=0 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
64dc870e conn=1004 op=1 UNBIND
64dc870e conn=1004 fd=12 closed
ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/migrations/ppolicy.ldif
SASL/EXTERNAL authentication started
64dc870e conn=1005 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
64dc870e conn=1005 op=0 BIND dn="" method=163
64dc870e conn=1005 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
64dc870e conn=1005 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
64dc870e conn=1005 op=0 RESULT tag=97 err=0 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
64dc870e conn=1005 op=1 UNBIND
64dc870e conn=1005 fd=12 closed
ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/migrations/smbkrb5pwd.ldif
SASL/EXTERNAL authentication started
64dc870e conn=1006 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
64dc870e conn=1006 op=0 BIND dn="" method=163
64dc870e conn=1006 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
64dc870e conn=1006 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
64dc870e conn=1006 op=0 RESULT tag=97 err=0 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
64dc870e conn=1006 op=1 UNBIND
64dc870e conn=1006 fd=12 closed
ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/migrations/syncrepl.ldif
SASL/EXTERNAL authentication started
64dc870e conn=1007 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
64dc870e conn=1007 op=0 BIND dn="" method=163
64dc870e conn=1007 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
64dc870e conn=1007 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
64dc870e conn=1007 op=0 RESULT tag=97 err=0 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
64dc870e conn=1007 op=1 UNBIND
64dc870e conn=1007 fd=12 closed
Relevant snippet from above log (for the two custom LDIF files)
ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/migrations/01_mail-tree.ldif
SASL/EXTERNAL authentication started
64dc870e conn=1002 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
64dc870e conn=1002 op=0 BIND dn="" method=163
64dc870e conn=1002 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
64dc870e conn=1002 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
64dc870e conn=1002 op=0 RESULT tag=97 err=0 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
64dc870e conn=1002 op=1 ADD dn="ou=people,dc=example,dc=test"
64dc870e conn=1002 op=1 RESULT tag=105 err=0 text=
64dc870e conn=1002 op=2 UNBIND
adding new entry "ou=people,dc=example,dc=test"
64dc870e conn=1002 fd=12 closed
ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/migrations/02_user-email.ldif
SASL/EXTERNAL authentication started
64dc870e conn=1003 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
64dc870e conn=1003 op=0 BIND dn="" method=163
64dc870e conn=1003 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
64dc870e conn=1003 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
64dc870e conn=1003 op=0 RESULT tag=97 err=0 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
64dc870e conn=1003 op=1 ADD dn="uid=john.doe,ou=people,dc=example,dc=test"
64dc870e conn=1003 op=1 RESULT tag=105 err=0 text=
64dc870e conn=1003 op=2 UNBIND
64dc870e conn=1003 fd=12 closed
adding new entry "userid=john.doe,ou=people,dc=example,dc=test"
Custom LDIF
Minimized to the two files below (2nd relies on the postfix-book.schema this image already provides). Creates a single mail user account to test against.
01_mail-tree.ldif:
dn: ou=people,dc=example,dc=test
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: people
02_user-email.ldif:
# --------------------------------------------------------------------
# Create mail accounts
# --------------------------------------------------------------------
# John Doe
dn: userid=john.doe,ou=people,dc=example,dc=test
changetype: add
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: PostfixBookMailAccount
objectClass: extensibleObject
cn: John Doe
givenName: John
surname: Doe
userid: john.doe
userPassword: secret
mail: john.doe@example.test
# postfix-book.schema:
mailEnabled: TRUE
mailUidNumber: 5000
mailGidNumber: 5000
mailAlias: postmaster@example.test
mailGroupMember: employees@example.test
mailHomeDirectory: /var/mail/example.test/john.doe/
mailStorageDirectory: maildir:/var/mail/example.test/john.doe/
mailQuota: 10240
Background
Over the past two days (no LDAP experience), I've been trying to migrate the docker-mailserver LDAP test away from the osixia/docker-openldap image (we've used an old pinned version from many years ago, the latest just crashes).
That image was last maintained 2 years ago, and the bitnami openldap image seems to be one of the only actively maintained ones I came across that seemed suitable. However I ran into some compatibility issues there and my inexperience with LDAP... but this variant image with improvements is almost working, last roadblock is getting created users to successfully authenticate.
FWIW, the goal is to integrate with the seperate docker-mailserver container using saslauthd to connect to the OpenLDAP container in our tests. I believe once this auth issue is resolved within the docker-openldap container it will work smoothly.
In the meantime, once the above ldapwhoami / ldapsearch commands work, the same running container can install, configure and test saslauthd with the following:
apt-get update && apt-get install sasl2-bin libsasl2-modules libsasl2-modules-ldap nano
nano /etc/saslauthd.confsaslauthd.conf:
ldap_servers: ldap://ldap.example.test
ldap_auth_method: bind
ldap_bind_dn: cn=admin,dc=example,dc=test
ldap_bind_pw: adminpassword
ldap_search_base: ou=people,dc=example,dc=test
ldap_filter: (&(userid=%u)(mailEnabled=TRUE))
ldap_start_tls: no
ldap_tls_check_peer: no
ldap_referrals: yes
log_level: 10
# Run the saslauthd daemon with the config and LDAP plugin to auth against ldap:
saslauthd -d -a ldap -O /etc/saslauthd.conf
# In a separate terminal shell, verify everything is working:
testsaslauthd -u john.doe -p secretResolved
I have identified a missing config was required for granting ACL to anonymous bind for auth (references: slapd docs for olcAccess, OpenLDAP docs access 8.2.2 + 8.4).
In the osixia/openldap image, this was configured via .ldif here (v1.1.6), while the current master of that image adds one more ACL rule that is similar to this projects (bitspur/rock8s/docker-openldap) image ACL (and the upstream bitnami image ACL)
This auth.ldif should carry that over by appending this rule? I've mounted it into /migrations. I'm not sure if the admin access is necessary, but could be templated as .tmpl instead of hard-coding the LDAP_ROOT.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword
by self write
by dn="cn=admin,dc=example,dc=test" write
by anonymous auth
by * none
NOTE: My user account .ldif files also did not need the changetype: add. I didn't create the original files or setup the original openldap docker image. Those now reside in /ldifs.
--env LDAP_HASH_PASSWORD='NONE' has no relevance to the userPassword value (at least for the .ldif account files I mount). The README description isn't quite clear to me where that applies. Perhaps it's the fallback if no scheme prefix exists in the stored value?
Verified
Verified with ldapwhoami:
$ ldapwhoami -v -x -H ldap://ldap.example.test -D 'uid=john.doe,ou=people,dc=example,dc=test' -w secret
ldap_initialize( ldap://ldap.example.test:389/??base )
dn:uid=john.doe,ou=people,dc=example,dc=test
Result: Success (0)
# Relevant container log output:
64ddb03c conn=1007 fd=12 ACCEPT from IP=172.17.0.2:42292 (IP=0.0.0.0:389)
64ddb03c conn=1007 op=0 BIND dn="uid=john.doe,ou=people,dc=example,dc=test" method=128
64ddb03c conn=1007 op=0 BIND dn="uid=john.doe,ou=people,dc=example,dc=test" mech=SIMPLE ssf=0
64ddb03c conn=1007 op=0 RESULT tag=97 err=0 text=
64ddb03c conn=1007 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.3
64ddb03c conn=1007 op=1 WHOAMI
64ddb03c conn=1007 op=1 RESULT oid= err=0 text=
64ddb03c conn=1007 op=2 UNBIND
64ddb03c conn=1007 fd=12 closedVerified with saslauthd setup described in previous comment:
$ testsaslauthd -u john.doe -p secret
0: OK "Success."
# Relevant container log output:
64ddb13a conn=1008 fd=12 ACCEPT from IP=172.17.0.2:41852 (IP=0.0.0.0:389)
64ddb13a conn=1008 op=0 BIND dn="cn=admin,dc=example,dc=test" method=128
64ddb13a conn=1008 op=0 BIND dn="cn=admin,dc=example,dc=test" mech=SIMPLE ssf=0
64ddb13a conn=1008 op=0 RESULT tag=97 err=0 text=
64ddb13a conn=1008 op=1 SRCH base="ou=people,dc=example,dc=test" scope=2 deref=0 filter="(&(uid=john.doe)(mailEnabled=TRUE))"
64ddb13a conn=1008 op=1 SRCH attr=dn
64ddb13a <= mdb_equality_candidates: (uid) not indexed
64ddb13a <= mdb_equality_candidates: (mailEnabled) not indexed
64ddb13a conn=1008 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
64ddb13a conn=1008 op=2 BIND anonymous mech=implicit ssf=0
64ddb13a conn=1008 op=2 BIND dn="uid=john.doe,ou=people,dc=example,dc=test" method=128
64ddb13a conn=1008 op=2 BIND dn="uid=john.doe,ou=people,dc=example,dc=test" mech=SIMPLE ssf=0
64ddb13a conn=1008 op=2 RESULT tag=97 err=0 text=Here the testsaslauthd command sends the credentials to the saslauthd daemon, which connects to LDAP service with admin credentials (simple mechanism) and queries a user (dn attribute) with the search base and filter from saslauthd.conf settings. Afterwards it performs an anonymous bind (implicit mechanism?) presumably to retrieve the hashed userPassword value (granted by anonymous auth acl), performing auth for the actual user via bind dn (simple mechanism again, like ldapwhoami -x) which is successful.
If the anonymous auth acl is dropped, the ldapwhoami / ldapsearch commands likewise fail with "Invalid credentials (49)". Despite the container logs not mentioning any anonymous bind (Bind DN logged with mech=SIMPLE):
# Failure example when `anonymous auth` acl is not configured:
$ ldapwhoami -v -x -H ldap://ldap.example.test -D 'uid=john.doe,ou=people,dc=example,dc=test' -w secret
ldap_initialize( ldap://ldap.example.test:389/??base )
ldap_bind: Invalid credentials (49)
# Relevant container log output:
64ddb636 conn=1007 fd=12 ACCEPT from IP=172.17.0.2:59398 (IP=0.0.0.0:389)
64ddb636 conn=1007 op=0 BIND dn="uid=john.doe,ou=people,dc=example,dc=test" method=128
64ddb636 conn=1007 op=0 RESULT tag=97 err=49 text=
64ddb636 conn=1007 op=1 UNBIND
64ddb636 conn=1007 fd=12 closedSo the error message of "invalid credentials" was a bit misleading. It seems it was more of a problem retrieving userPassword due to lack of permissions?
Since I managed to get bitnami/openldap working and no response to this report, I'm going to stick with that for the time being: docker-mailserver/docker-mailserver#3494
I'll leave this issue open, as the bitnami/openldap image doesn't need the ACL migration, so that might be an unintended bug on your end, or should document the difference a bit more clearly as to why it was adjusted?
Off-topic: I recently noticed while looking through LDAP issues that you've previously engaged with docker-mailserver in the past, That was a nice surprise to recognize I had seen your name earlier when I landed here looking for an LDAP image replacement! 😁
@polarathene I actually made this image specifically for my use of docker-mailserver. I used to use osixia/docker-openldap as well.
I have a helm chart for this as well.
https://github.com/clayrisser/charts/tree/main/beta/openldap