06-18-2019 01:33 PM
I have a provider-consumer OpenLDAP setup which works perfectly. Replication over TLS works great.
If I put the DUO auth proxy in front of the provider OpenLDAP, the consumer OpenLDAP doesn’t synchronize, and I get errors like:
Jun 18 20:27:03 ldap02.example.io slapd[9199]: do_syncrep2: rid=000 unknown message (0x78)
Logs from DUO’s consumer:
2019-06-18T20:27:03+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7f2877427250>
2019-06-18T20:27:03+0000 [_ADServiceClientProtocol,client] [Request from 10.10.12.12:52706] Exempt OU: cn=admin,dc=example,dc=io
2019-06-18T20:27:03+0000 [stdout#info] BERDecoderContext has no tag 0x59: <L■■■■■■■■■■■■■■■■■■■■_LDAPMessage identities={0x80: LDAPControls, 0x53: L■■■■■■■■■■■■■■■■■■■■ence} fallback=<L■■■■■■■■■■■■■■■■■■■■ identities={0x40: LDAPBindRequest, 0x41: LDAPBindResponse, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: L■■■■■■■■■■■■■■■■■■■■, 0x45: LDAPSearchResultDone, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x83: LDAPReferral, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse} fallback=<BERDecoderContext identities={0x01: BERBoolean, 0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None> inherit=<L■■■■■■■■■■■■■■■■■■■■ identities={0x40: LDAPBindRequest, 0x41: LDAPBindResponse, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: L■■■■■■■■■■■■■■■■■■■■, 0x45: LDAPSearchResultDone, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x83: LDAPReferral, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse} fallback=<BERDecoderContext identities={0x01: BERBoolean, 0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None>>
2019-06-18T20:27:03+0000 [_ADServiceClientProtocol,client] Unhandled Error
Traceback (most recent call last):
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/python/log.py", line 103, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/python/log.py", line 86, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/python/context.py", line 122, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/python/context.py", line 85, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
    why = selectable.doRead()
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/tcp.py", line 243, in doRead
    return self._dataReceived(data)
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/tcp.py", line 249, in _dataReceived
    rval = self.protocol.dataReceived(data)
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/protocols/tls.py", line 330, in dataReceived
    self._flushReceiveBIO()
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/protocols/tls.py", line 295, in _flushReceiveBIO
    ProtocolWrapper.dataReceived(self, bytes)
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/protocols/policies.py", line 120, in dataReceived
    self.wrappedProtocol.dataReceived(data)
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/ldaptor/protocols/ldap/ldapclient.py", line 56, in dataReceived
    o, bytes = pureber.berDecodeObject(self.berdecoder, self.buffer)
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/ldaptor/protocols/pureber.py", line 374, in berDecodeObject
    berdecoder=inh)
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/ldaptor/protocols/pureldap.py", line 61, in fromBER
    value=l[1]
exceptions.IndexError: list index out of range
2019-06-18T20:27:03+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7f2877427250>
authproxy.cfg:
[main]
debug=false
[ad_client]
host=ldap01.example.io
service_account_username=cn=admin,dc=example,dc=io
bind_dn=cn=admin,dc=example,dc=io
auth_type=plain
service_account_password=xxx
search_dn=ou=people,dc=example,dc=io
username_attribute=uid
transport=starttls
ssl_ca_certs_file=/etc/ssl/certs/cacert.pem
[ldap_server_auto]
ikey=xxx
skey=xxx
api_host=xxx
failmode=safe
client=ad_client
interface=10.10.11.57
exempt_primary_bind=false
ssl_key_path=/etc/ssl/private/ldap01_slapd_key.pem
ssl_cert_path=/etc/ssl/certs/ldap01_slapd_cert.pem
exempt_ou_1=cn=admin,dc=example,dc=io
What am I missing here?
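Added example (editorial addition, not part of the original post and not Duo or OpenLDAP code): the two tag values in the logs above can be read directly from the BER identifier octet. The decoder table printed by the proxy keys BindRequest as 0x40, which is [APPLICATION 0], so its keys omit the constructed bit (0x20); the missing tag 0x59 is therefore [APPLICATION 25], IntermediateResponse in RFC 4511, which syncrepl (RFC 4533) uses to carry Sync Info Messages and which that table does not list. The 0x78 that slapd rejects is [APPLICATION 24] constructed, ExtendedResponse. The code below decodes identifier octets, walks definite-length TLVs, and shows a message classifier that returns a structured "unsupported op" verdict instead of raising the IndexError seen in the traceback. PROXY_KNOWN_OPS is derived only from the table in the log, and the sample LDAPMessage is constructed for this example.

```python
from dataclasses import dataclass

# protocolOp application tag numbers from RFC 4511, section 4 (ASN.1 in appendix B)
LDAP_APPLICATION_TAGS = {
    0: "BindRequest", 1: "BindResponse", 2: "UnbindRequest", 3: "SearchRequest",
    4: "SearchResultEntry", 5: "SearchResultDone", 6: "ModifyRequest",
    7: "ModifyResponse", 8: "AddRequest", 9: "AddResponse", 10: "DelRequest",
    11: "DelResponse", 12: "ModifyDNRequest", 13: "ModifyDNResponse",
    14: "CompareRequest", 15: "CompareResponse", 16: "AbandonRequest",
    19: "SearchResultReference", 23: "ExtendedRequest", 24: "ExtendedResponse",
    25: "IntermediateResponse",
}
CLASS_NAMES = {0: "UNIVERSAL", 1: "APPLICATION", 2: "CONTEXT", 3: "PRIVATE"}

# Application tag numbers the proxy's decoder table in the log lists
# (0x40..0x4d, 0x50, 0x57, 0x58 with the constructed bit masked off).
PROXY_KNOWN_OPS = set(range(0, 14)) | {16, 23, 24}


@dataclass(frozen=True)
class BerTag:
    cls: str           # UNIVERSAL / APPLICATION / CONTEXT / PRIVATE (top two bits)
    constructed: bool  # bit 0x20 of the identifier octet
    number: int        # low five bits

    @property
    def ldap_name(self) -> str:
        if self.cls != "APPLICATION":
            return "n/a"
        return LDAP_APPLICATION_TAGS.get(self.number, "unknown")


def decode_tag(octet: int) -> BerTag:
    """Split one BER identifier octet (low-tag-number form, tag numbers 0..30)."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("identifier octet out of range")
    number = octet & 0x1F
    if number == 0x1F:
        raise ValueError("high-tag-number form not handled")
    return BerTag(CLASS_NAMES[octet >> 6], bool(octet & 0x20), number)


def describe(octet: int) -> str:
    t = decode_tag(octet)
    form = "constructed" if t.constructed else "primitive"
    return f"0x{octet:02x} = [{t.cls} {t.number}] {form} -> {t.ldap_name}"


def walk_tlvs(data: bytes) -> list:
    """Return [(BerTag, value_bytes), ...] for consecutive definite-length TLVs."""
    out, i = [], 0
    while i < len(data):
        tag = decode_tag(data[i]); i += 1
        if i >= len(data):
            raise ValueError("truncated: no length octet")
        first = data[i]; i += 1
        if first & 0x80:                       # long form: 0x8n, then n length octets
            n = first & 0x7F
            if n == 0 or i + n > len(data):
                raise ValueError("bad long-form length")
            length = int.from_bytes(data[i:i + n], "big"); i += n
        else:
            length = first
        if i + length > len(data):
            raise ValueError("truncated: value shorter than declared length")
        out.append((tag, data[i:i + length])); i += length
    return out


def classify_message(msg: bytes) -> dict:
    """Parse LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }.

    A protocolOp the table does not cover yields supported=False rather than an
    exception, which is what a client should do with an op it has not implemented.
    """
    top = walk_tlvs(msg)
    if len(top) != 1 or top[0][0] != BerTag("UNIVERSAL", True, 16):
        raise ValueError("not a single SEQUENCE")
    fields = walk_tlvs(top[0][1])
    if len(fields) < 2 or fields[0][0] != BerTag("UNIVERSAL", False, 2):
        raise ValueError("messageID INTEGER missing")
    message_id = int.from_bytes(fields[0][1], "big", signed=True)
    op_tag = fields[1][0]
    if op_tag.cls != "APPLICATION":
        raise ValueError("protocolOp must be APPLICATION class")
    return {"message_id": message_id,
            "protocol_op": op_tag.ldap_name,
            "supported": op_tag.number in PROXY_KNOWN_OPS}


def tlv(tag: int, value: bytes) -> bytes:
    """Encode a short-form TLV (value under 128 bytes); used to build sample data only."""
    if len(value) >= 128:
        raise ValueError("short form only")
    return bytes([tag, len(value)]) + value


# Constructed sample: a Sync Info Message (RFC 4533 section 2.5) as a provider sends
# it inside a syncrepl search: IntermediateResponse [APPLICATION 25] with
# responseName [0] = the syncInfoValue OID. The responseValue is omitted here.
SAMPLE_SYNC_INFO = tlv(0x30, tlv(0x02, b"\x02") +
                       tlv(0x79, tlv(0x80, b"1.3.6.1.4.1.4203.1.9.1.4")))

if __name__ == "__main__":
    for octet in (0x59, 0x78, 0x79, 0x64):
        print(describe(octet))
    print(classify_message(SAMPLE_SYNC_INFO))
```

Running it prints 0x59 as [APPLICATION 25] IntermediateResponse, 0x78 as [APPLICATION 24] constructed ExtendedResponse, and classifies the sample message as message_id 2, IntermediateResponse, supported=False. The practical check this suggests: a syncrepl consumer must talk to an LDAP endpoint that passes IntermediateResponse through unchanged, so the consumer's replication URI should point at the provider directly rather than at a proxy whose decoder table lacks tag 25.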