DUO and OpenLDAP Replication error

reynico

I have a provider-consumer OpenLDAP structure which works perfectly. Replication over TLS works great.

If I set the DUO auth proxy in front of the provider OpenLDAP, the consumer OpenLDAP doesn't synchronize, and I get errors like:

Jun 18 20:27:03 ldap02.example.io slapd[9199]: do_syncrep2: rid=000 unknown message (0x78)

Logs from DUO’s consumer:

2019-06-18T20:27:03+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7f2877427250>
2019-06-18T20:27:03+0000 [_ADServiceClientProtocol,client] [Request from 10.10.12.12:52706] Exempt OU: cn=admin,dc=example,dc=io
2019-06-18T20:27:03+0000 [stdout#info] BERDecoderContext has no tag 0x59: <LDAPBERDecoderContext_LDAPMessage identities={0x80: LDAPControls, 0x53: LDAPSearchResultReference} fallback=<LDAPBERDecoderContext identities={0x40: LDAPBindRequest, 0x41: LDAPBindResponse, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: LDAPSearchResultEntry, 0x45: LDAPSearchResultDone, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x83: LDAPReferral, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse} fallback=<BERDecoderContext identities={0x01: BERBoolean, 0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None> inherit=<LDAPBERDecoderContext identities={0x40: LDAPBindRequest, 0x41: LDAPBindResponse, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: LDAPSearchResultEntry, 0x45: LDAPSearchResultDone, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x83: LDAPReferral, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse} fallback=<BERDecoderContext identities={0x01: BERBoolean, 0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None>>
2019-06-18T20:27:03+0000 [_ADServiceClientProtocol,client] Unhandled Error
        Traceback (most recent call last):
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/python/log.py", line 103, in callWithLogger
            return callWithContext({"system": lp}, func, *args, **kw)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/python/log.py", line 86, in callWithContext
            return context.call({ILogContext: newCtx}, func, *args, **kw)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/python/context.py", line 122, in callWithContext
            return self.currentContext().callWithContext(ctx, func, *args, **kw)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/python/context.py", line 85, in callWithContext
            return func(*args,**kw)
        --- <exception caught here> ---
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
            why = selectable.doRead()
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/tcp.py", line 243, in doRead
            return self._dataReceived(data)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/tcp.py", line 249, in _dataReceived
            rval = self.protocol.dataReceived(data)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/protocols/tls.py", line 330, in dataReceived
            self._flushReceiveBIO()
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/protocols/tls.py", line 295, in _flushReceiveBIO
            ProtocolWrapper.dataReceived(self, bytes)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/protocols/policies.py", line 120, in dataReceived
            self.wrappedProtocol.dataReceived(data)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/ldaptor/protocols/ldap/ldapclient.py", line 56, in dataReceived
            o, bytes = pureber.berDecodeObject(self.berdecoder, self.buffer)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/ldaptor/protocols/pureber.py", line 374, in berDecodeObject
            berdecoder=inh)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/ldaptor/protocols/pureldap.py", line 61, in fromBER
            value=l[1]
        exceptions.IndexError: list index out of range

2019-06-18T20:27:03+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7f2877427250>

authproxy.cfg:

[main]
debug=false

[ad_client]
host=ldap01.example.io
service_account_username=cn=admin,dc=example,dc=io
bind_dn=cn=admin,dc=example,dc=io
auth_type=plain
service_account_password=xxx
search_dn=ou=people,dc=example,dc=io
username_attribute=uid
transport=starttls
ssl_ca_certs_file=/etc/ssl/certs/cacert.pem

[ldap_server_auto]
ikey=xxx
skey=xxx
api_host=xxx
failmode=safe
client=ad_client
interface=10.10.11.57
exempt_primary_bind=false
ssl_key_path=/etc/ssl/private/ldap01_slapd_key.pem
ssl_cert_path=/etc/ssl/certs/ldap01_slapd_cert.pem
exempt_ou_1=cn=admin,dc=example,dc=io

What am I missing here?
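The two tag values in the logs can be decoded by hand. What follows is an added example, not part of reynico's post and not Duo's or ldaptor's code: it splits a BER identifier octet into class, constructed bit and tag number as RFC 4511 section 4.1.1 defines the LDAP protocolOp tags, and checks it against the decoder table the auth proxy printed in its "has no tag 0x59" line (the `LDAPTOR_IDENTITIES` set is copied from that line; everything else, including the two sample LDAPMessages, is constructed here). 0x59 is [APPLICATION 25], IntermediateResponse, the message type RFC 4533 syncrepl uses for its Sync Info Message, and it is absent from the proxy's table; 0x78 is the constructed form of [APPLICATION 24], ExtendedResponse, the shape of the unsolicited Notice of Disconnection a server sends before closing a connection.

```python
"""Decode the BER identifier octets 0x59 and 0x78 quoted in the two logs.

Added example. Tag names follow RFC 4511 section 4.1.1; the Sync Info OID is
from RFC 4533 section 2.5 and the Notice of Disconnection OID from RFC 4511
section 4.4.1. LDAPTOR_IDENTITIES is copied from the decoder table printed
in the auth proxy log; the two sample LDAPMessages are constructed here.
"""

# protocolOp CHOICE tags, all [APPLICATION n] (RFC 4511 section 4.1.1)
LDAP_APPLICATION_TAGS = {
    0: "BindRequest", 1: "BindResponse", 2: "UnbindRequest", 3: "SearchRequest",
    4: "SearchResultEntry", 5: "SearchResultDone", 6: "ModifyRequest",
    7: "ModifyResponse", 8: "AddRequest", 9: "AddResponse", 10: "DelRequest",
    11: "DelResponse", 12: "ModifyDNRequest", 13: "ModifyDNResponse",
    14: "CompareRequest", 15: "CompareResponse", 16: "AbandonRequest",
    19: "SearchResultReference", 23: "ExtendedRequest", 24: "ExtendedResponse",
    25: "IntermediateResponse",
}
CLASS_NAMES = {0x00: "UNIVERSAL", 0x40: "APPLICATION", 0x80: "CONTEXT", 0xC0: "PRIVATE"}

# Identity octets listed in the log line "BERDecoderContext has no tag 0x59".
# ldaptor keys its table by class bits plus tag number, constructed bit cleared.
LDAPTOR_IDENTITIES = {
    0x80, 0x53,                                             # LDAPMessage level
    0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,   # protocolOp level
    0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x50, 0x83, 0x57, 0x58,
}

SYNC_INFO_OID = "1.3.6.1.4.1.4203.1.9.1.4"                # RFC 4533 section 2.5
NOTICE_OF_DISCONNECTION_OID = "1.3.6.1.4.1.1466.20036"    # RFC 4511 section 4.4.1


def decode_identifier(octet):
    """Split a one-octet BER identifier into (class name, constructed?, tag number)."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("identifier must be a single octet")
    if octet & 0x1F == 0x1F:
        raise ValueError("high-tag-number form is not used by LDAP")
    return CLASS_NAMES[octet & 0xC0], bool(octet & 0x20), octet & 0x1F


def ldap_op_name(octet):
    """RFC 4511 name of the protocolOp for this identifier, or None if not an LDAP op."""
    cls, _constructed, number = decode_identifier(octet)
    return LDAP_APPLICATION_TAGS.get(number) if cls == "APPLICATION" else None


def ldaptor_knows(octet):
    """Would the decoder table printed in the log have an entry for this identifier?"""
    return (octet & ~0x20) in LDAPTOR_IDENTITIES


def tlv(tag, value):
    """Encode one BER TLV with a definite length (short or long form)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    n = (len(value).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(value).to_bytes(n, "big") + value


def read_tlv(buf, pos):
    """Read one TLV at buf[pos]; return (identifier, value, position after it)."""
    ident, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length not accepted")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return ident, buf[pos:pos + length], pos + length


def inspect_ldap_message(msg):
    """Parse only the LDAPMessage envelope: messageID and the protocolOp identifier."""
    ident, body, end = read_tlv(msg, 0)
    if ident != 0x30 or end != len(msg):
        raise ValueError("LDAPMessage must be a single SEQUENCE")
    id_tag, id_val, pos = read_tlv(body, 0)
    if id_tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, _op_val, _pos = read_tlv(body, pos)
    return {
        "messageID": int.from_bytes(id_val, "big", signed=True),
        "protocolOp": op_tag,
        "name": ldap_op_name(op_tag),
        "known_to_proxy_decoder": ldaptor_knows(op_tag),
    }


# Constructed sample 1: a syncrepl Sync Info Message, an IntermediateResponse
# [APPLICATION 25] carrying responseName [0] (RFC 4533 on top of RFC 4511).
SYNC_INFO_MESSAGE = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x79, tlv(0x80, SYNC_INFO_OID.encode())))

# Constructed sample 2: a Notice of Disconnection, an unsolicited ExtendedResponse
# [APPLICATION 24] with messageID 0, resultCode protocolError (2), empty matchedDN
# and diagnosticMessage, and responseName [10].
NOTICE_OF_DISCONNECTION = tlv(0x30, tlv(0x02, b"\x00") + tlv(
    0x78,
    tlv(0x0A, b"\x02") + tlv(0x04, b"") + tlv(0x04, b"")
    + tlv(0x8A, NOTICE_OF_DISCONNECTION_OID.encode()),
))
```

Run against the two samples, `inspect_ldap_message` reports the Sync Info Message as an IntermediateResponse that the proxy's table cannot decode and the Notice of Disconnection as an ExtendedResponse with messageID 0 that it can. Read together with the slapd line, that is the picture of a proxy that terminates LDAP and re-encodes only the operations in its table, so a replication session through it stops at the first message type outside that table and the consumer is left holding a disconnect notice. A syncrepl consumer is designed to talk to the provider directly; fronting only client authentication with the proxy keeps replication traffic out of its path. That is the reading the decoded tags support; check it against the supported-operation list for the installed proxy version.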
