
ignore bind error in use_connection #375

Open
HynekPetrak opened this issue Aug 19, 2020 · 6 comments

Comments

@HynekPetrak

HynekPetrak commented Aug 19, 2020

In a situation where OpenLDAP is configured with "disallow bind_anon" in slapd.conf, the bind operation will return "LDAP_INAPPROPRIATE_AUTH - anonymous bind disallowed".
According to https://www.openldap.org/doc/admin23/security.html#Authentication%20Methods, an anonymous bind is not fatal for an LDAP server, and the server will still respond to search and other operations, according to ACLs.
Quoting: "Note that disabling the anonymous bind mechanism does not prevent anonymous access to the directory."

Can you remove the line return result unless result.result_code == Net::LDAP::ResultCodeSuccess from the use_connection method?
https://github.com/ruby-ldap/ruby-net-ldap/blob/master/lib/net/ldap.rb#L1310

That would make it possible to perform search and other operations even after the bind has failed.

HynekPetrak changed the title from "ignore bind error on use_connection" to "ignore bind error in use_connection" on Aug 26, 2020
@HarlemSquirrel
Member

Interesting. We'll have to see if we can reproduce this with an OpenLDAP container.

@HarlemSquirrel
Member

I was able to get this response by doing the following:

# Run an OpenLDAP container in a separate terminal
scripts/ldap-docker

# Make a successful anonymous bind and search
ldapsearch -x -H ldap://localhost -b '' -s base namingContexts

# Change the configuration to disallow anonymous bind
ldapmodify -x -H ldap://localhost -D 'cn=admin,cn=config' -w 'config' <<+
dn: cn=config
changetype: modify
replace: olcDisallows
olcDisallows: bind_anon
+

# Make an unsuccessful bind and search
ldapsearch -x -H ldap://localhost -b '' -s base namingContexts
# ldap_bind: Inappropriate authentication (48)
#         additional info: anonymous bind disallowed

We see that when the anonymous bind fails, we do not get a successful search result back using ldapsearch.

@HarlemSquirrel
Member

This reproduces the issue as well:

require_relative 'lib/net-ldap'

@ldap = Net::LDAP.new host: 'localhost',
                     port: 389,
                     auth: { method: :anonymous }

@ldap_config = Net::LDAP.new host: 'localhost',
                            port: 389,
                            auth: {
                              method: :simple,
                              username: 'cn=admin,cn=config',
                              password: 'config'
                            }

def print_naming_contexts
  puts "\nSearching anonymously"
  puts @ldap.search(base: '', scope: Net::LDAP::SearchScope_BaseObject, attributes: %w[namingContexts])
           .map(&:to_ldif)
  puts @ldap.get_operation_result.message
end

puts "\nEnabling anonymous bind"
@ldap_config.modify dn: 'cn=config',
                    operations: [
                      [:delete, 'olcDisallows']
                    ]
puts @ldap_config.get_operation_result.message

print_naming_contexts

puts "\nDisabling anonymous bind"
@ldap_config.modify dn: 'cn=config',
                    operations: [
                      [:replace, 'olcDisallows', ['bind_anon']]
                    ]
puts @ldap_config.get_operation_result.message

print_naming_contexts

@HarlemSquirrel
Member

I'm thinking we'll want to indicate somehow that the bind failed but the search succeeded. Perhaps print a warning?

  # Yields an open connection if there is one, otherwise establishes a new
  # connection, binds, and yields it. If binding fails, it will return the
  # result from that, and :use_connection: will not yield at all. If not
  # the return value is whatever is returned from the block.
  def use_connection(args)
    if @open_connection
      yield @open_connection
    else
      begin
        conn = new_connection
        auth = args[:auth] || @auth
        result = conn.bind(auth)

        unless [Net::LDAP::ResultCodeSuccess,
                Net::LDAP::ResultCodeInappropriateAuthentication].include?(result.result_code)
          return result
        end

        if result.result_code == Net::LDAP::ResultCodeInappropriateAuthentication
          warn "Inappropriate authentication occurred with #{auth[:method]} auth."
        end

        yield conn
      ensure
        conn.close if conn
      end
    end
  end
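
An added stand-alone model of the use_connection logic proposed above (example code, not the ruby-net-ldap project's own): a scripted FakeConn stands in for Net::LDAP::Connection, the result codes are the standard LDAP values, and warnings are collected in an array rather than written to stderr, so a caller can tell that it is operating after a failed bind (effectively as anonymous) rather than as the identity it asked for.

```ruby
# Standard LDAP result codes; FakeConn and the warning array are constructed for this example.
RESULT_CODE_SUCCESS = 0
RESULT_CODE_INAPPROPRIATE_AUTHENTICATION = 48 # e.g. "anonymous bind disallowed"
RESULT_CODE_INVALID_CREDENTIALS = 49
BindResult = Struct.new(:result_code, :message)

# Stands in for Net::LDAP::Connection: the bind outcome is scripted, and search
# still answers, like an OpenLDAP server whose ACLs permit anonymous reads.
class FakeConn
  attr_reader :closed

  def initialize(bind_code, message = '')
    @bind_code, @message, @closed = bind_code, message, false
  end

  def bind(_auth)
    BindResult.new(@bind_code, @message)
  end

  def search_naming_contexts
    ['dc=example,dc=com']
  end

  def close
    @closed = true
  end
end

# Mirrors the proposed change: success yields; code 48 yields but records a warning;
# any other code returns the bind result without yielding. conn is always closed.
def use_connection_with_tolerant_bind(conn, auth, warnings = [])
  result = conn.bind(auth)
  continue_codes = [RESULT_CODE_SUCCESS, RESULT_CODE_INAPPROPRIATE_AUTHENTICATION]
  return result unless continue_codes.include?(result.result_code)
  if result.result_code == RESULT_CODE_INAPPROPRIATE_AUTHENTICATION
    warnings << "Inappropriate authentication with #{auth[:method]} auth: #{result.message}"
  end
  yield conn
ensure
  conn.close
end

# Runs one scenario and reports the block's value, any warnings, and whether conn was closed.
def run_scenario(bind_code, auth, message = '')
  warnings = []
  conn = FakeConn.new(bind_code, message)
  value = use_connection_with_tolerant_bind(conn, auth, warnings) { |c| c.search_naming_contexts }
  { value: value, warnings: warnings, closed: conn.closed }
end
```

Only the "anonymous bind disallowed" case (48) is let through with a warning; a wrong password (49) still returns the bind result without running the block.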

@HynekPetrak
Author

ldapsearch perhaps does not print a search result when an anonymous bind fails; however, the server does return the result. Tested by running the search within a #open |ldap| block.

@HarlemSquirrel
Member

We should also test this with another LDAP server such as OpenDJ to see what would happen there.
