KB-5902: Ldapproxy is rejecting query with authentication request

17 October 2016, 04:13 PM

Applies to: All versions of Centrify DirectControl 5.2.3 and the packaged ldapproxy, on all platforms except AIX (where this change is not applied)

Problem:

The LDAP query I've used for an extended period of time now fails with an error stating "authentication required". My query looks similar to this:

ldapsearch -p 389 -h localhost -x -b "DC=centrify,DC=ts" "(cn=demouser*)"


Cause:

This behavior is expected. In 5.2.3 a new parameter, 'require authc', was added to the default 'slapd.conf' shipped with ldapproxy. It makes slapd refuse directory operations (such as the search above) from a session that has not authenticated, so an anonymous bind, which is what 'ldapsearch -x' without '-D' performs, can no longer read the directory. Allowing anonymous reads had been determined to be a security vulnerability.
Here is the relevant snippet from our release notes:

====
The configuration parameter “require authc” is added to slapd.conf. With this change, authentication is required for anonymous bind in ldap session. This fix works for all platforms except AIX. (Ref: 79259)
====

Here is an example from our lab, which demonstrates this behavior. The first run has 'require authc' commented out in slapd.conf (the pre-5.2.3 behavior: the anonymous search succeeds); the second run has the line active, as shipped in 5.2.3 (the anonymous search is refused with result 53):

====
[root@centos openldap]# cat slapd.conf | grep authc
#require authc
[root@centos openldap]# rpm -qa | grep ldapproxy
CentrifyDC-ldapproxy-5.2.3-429.x86_64
[root@centos openldap]# ldapsearch -x -h localhost -b "DC=iltest,DC=net" '(CN=zones)' dn
# extended LDIF
#
# LDAPv3
# base <DC=iltest,DC=net> with scope subtree
# filter: (CN=zones)
# requesting: dn 
# with pagedResults control: size=100
#

# Zones, Centrify, Program Data, iltest.net
dn: cn=Zones,cn=Centrify,cn=Program Data,dc=iltest,dc=net

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1



===== And with 'require authc' still in place (before removing it):

[root@centos openldap]# cat slapd.conf | grep authc
require authc
[root@centos openldap]# /etc/init.d/centrify-ldapproxy restart
Stopping Centrify ldapproxy:                               [  OK  ]
Starting Centrify ldapproxy:                               [  OK  ]
[root@centos openldap]# ldapsearch -x -h localhost -b "DC=iltest,DC=net" '(CN=zones)' dn
# extended LDIF
#
# LDAPv3
# base <DC=iltest,DC=net> with scope subtree
# filter: (CN=zones)
# requesting: dn 
# with pagedResults control: size=100
#

# search result
search: 2
result: 53 Server is unwilling to perform
text: authentication required

# numResponses: 1

====
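The same exchange at the wire level, as an added example (this is not Centrify code and not part of the original article): an anonymous simple bind followed by a subtree search, i.e. what 'ldapsearch -x -h localhost -b <base> "(CN=zones)"' sends, built with the standard library only. With 'require authc' active the bind itself succeeds, but the search is answered with resultCode 53 and the diagnostic message "authentication required"; without it the search returns entries. The host, port and base DN are assumptions for the example, and the two server replies in sample_responses() are constructed to match the transcript above so the decoder can be exercised without a server.

```python
import socket

# --- minimal BER encoder; LDAP (RFC 4511) uses a restricted subset of BER ---
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def int_bytes(v):                      # minimal two's-complement encoding
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return v.to_bytes(n, "big", signed=True)

def ber_int(v):      return tlv(0x02, int_bytes(v))
def ber_enum(v):     return tlv(0x0A, int_bytes(v))
def ber_bool(b):     return tlv(0x01, b"\xff" if b else b"\x00")
def ber_str(s):      return tlv(0x04, s.encode())
def ber_seq(*parts): return tlv(0x30, b"".join(parts))

def bind_request(msg_id, dn="", password=""):
    """BindRequest [APPLICATION 0]. Empty DN + empty simple credentials is
    exactly what 'ldapsearch -x' with no -D sends: an anonymous bind."""
    body = ber_int(3) + ber_str(dn) + tlv(0x80, password.encode())
    return ber_seq(ber_int(msg_id), tlv(0x60, body))

def search_request(msg_id, base, attr, value):
    """SearchRequest [APPLICATION 3]: subtree scope, (attr=value) filter,
    '1.1' = return no attributes (we only care whether we may ask at all)."""
    filt = tlv(0xA3, ber_str(attr) + ber_str(value))          # equalityMatch
    body = (ber_str(base) + ber_enum(2) + ber_enum(0) + ber_int(0) + ber_int(0)
            + ber_bool(False) + filt + ber_seq(ber_str("1.1")))
    return ber_seq(ber_int(msg_id), tlv(0x63, body))

# --- minimal decoder ---
def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

OPS = {0x61: "bindResponse", 0x64: "searchResEntry", 0x65: "searchResDone",
       0x73: "searchResRef", 0x78: "extendedResp"}

def parse_message(msg):
    """Decode one LDAPMessage; LDAPResult-style ops carry resultCode/diagnosticMessage."""
    _, content, _ = read_tlv(msg)                  # LDAPMessage SEQUENCE
    _, mid, pos = read_tlv(content)                # messageID
    op_tag, op, _ = read_tlv(content, pos)         # protocolOp
    out = {"messageID": int.from_bytes(mid, "big", signed=True),
           "op": OPS.get(op_tag, "tag-0x%02x" % op_tag)}
    if op_tag in (0x64, 0x73):                     # entry / referral: no LDAPResult
        out["dn"] = read_tlv(op)[1].decode(errors="replace")
        return out
    _, code, pos = read_tlv(op)                    # resultCode ENUMERATED
    pos = read_tlv(op, pos)[2]                     # matchedDN (skipped)
    _, diag, _ = read_tlv(op, pos)                 # diagnosticMessage
    out["resultCode"] = int.from_bytes(code, "big", signed=True)
    out["diagnosticMessage"] = diag.decode(errors="replace")
    return out

def classify(bind, done, entries):
    """Map the bind and search responses onto the two states the KB shows."""
    if bind["resultCode"] != 0:
        return "anonymous bind refused (code %d)" % bind["resultCode"]
    if done["resultCode"] == 53 and "authentication required" in done["diagnosticMessage"]:
        return "require authc enforced: anonymous read blocked"
    if done["resultCode"] == 0:
        return "FINDING: anonymous read allowed (%d entries returned)" % entries
    return "search failed: code %d %s" % (done["resultCode"], done["diagnosticMessage"])

def recv_message(sock):
    """Read exactly one LDAPMessage (short- or long-form length) from the socket."""
    def exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("server closed the connection")
            buf += chunk
        return buf
    hdr = exact(2)
    ln = hdr[1]
    if ln & 0x80:
        more = exact(ln & 0x7F)
        hdr, ln = hdr + more, int.from_bytes(more, "big")
    return hdr + exact(ln)

def probe(host="localhost", port=389, base="DC=iltest,DC=net", timeout=5):
    """Anonymous bind, then search, like 'ldapsearch -x -h localhost -b <base> (CN=zones)'."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(bind_request(1))
        bind = parse_message(recv_message(s))
        if bind["resultCode"] != 0:
            return classify(bind, None, 0)
        s.sendall(search_request(2, base, "cn", "Zones"))
        entries = 0
        while True:
            r = parse_message(recv_message(s))
            if r["op"] == "searchResEntry":
                entries += 1
            elif r["op"] != "searchResRef":
                return classify(bind, r, entries)

def sample_responses():
    """Constructed (not captured) replies matching the transcript with
    'require authc' active: the bind succeeds, the search is refused with 53."""
    bind_ok = ber_seq(ber_int(1), tlv(0x61, ber_enum(0) + ber_str("") + ber_str("")))
    denied = ber_seq(ber_int(2), tlv(0x65, ber_enum(53) + ber_str("")
                                         + ber_str("authentication required")))
    return bind_ok, denied

if __name__ == "__main__":
    bind_ok, denied = sample_responses()
    print("offline:", classify(parse_message(bind_ok), parse_message(denied), 0))
    # Against a live ldapproxy: print(probe("localhost", 389, "DC=iltest,DC=net"))
```

Run probe() against each host that runs ldapproxy after applying one of the workarounds below: "require authc enforced" is the 5.2.3 default, "FINDING" means anonymous clients can read the directory through the proxy again. The traffic is plaintext on port 389, as in the transcript, so run it from the host itself or over a trusted network.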



Workaround:

To work around this (if desired), there are three options. Note that options 1 and 2 both re-enable anonymous binds, which reinstates the anonymous read access to the directory that the 5.2.3 change removed for anyone who can reach the ldapproxy port. Prefer option 3; use 1 or 2 only for clients that cannot authenticate, and restrict network access to the proxy if you do.

1) Disable the automatic editing of slapd.conf by setting the following parameter in /etc/centrifydc/centrifydc.conf, then comment out 'require authc' in /usr/share/centrifydc/openldap/slapd.conf. Disabling autoedit is what keeps adclient from regenerating slapd.conf and restoring the line. This reverts to the previous behavior and allows anonymous binds.

adclient.autoedit.slapd: false

Then restart 'centrifydc' to apply the change. You may also need to restart slapd (centrify-ldapproxy) to reload the running configuration.

OR

2) Modify /etc/centrifydc/centrifydc.conf to include the following parameter. This achieves the same result without editing slapd.conf by hand:

ldapproxy.require.authc: false

Then restart 'centrifydc' to apply the change. You may also need to restart slapd (centrify-ldapproxy) to reload the running configuration.

OR

3) Provide authentication. If you want to keep simple authentication (-x), also specify '-D <upn> -W' so that ldapsearch binds as that user and prompts for the password. Alternatively, remove -x and bind with SASL (for example GSSAPI using the current Kerberos credentials).


Resolution:

N/A. This behavior is intentional and expected. The change was made to address a security concern with anonymous binds.
