Re: SASL/EXTERNAL bind mech issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

what do you want to achieve, do you want to do client authentication via a certificate ? you have to provide configuration info in ldap.conf or .ldaprc or environment variables, so that the openldap libs built with nss can access the client certificate, it has to be in a nss database. 

with env it is something like this:

export LDAPTLS_CERT=Client-Cert
export LDAPTLS_KEY=/etc/dirsrv/slapd-EXAMPLE.COM/pwdfile.txt
export LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-EXAMPLE.COM

LDAPTLS_CERT is the nickname of a certificate in the certificate database
LDAPTLS_KEY is a file containing the password for the key database


in a config file omit the "LDAP" part of the option name.
and are you running your search against a 389 server ? I think the file /etc/openldap/slapd.d/cn\=config.ldif is only relevant for openldap server. 

Ludwig

On 02/15/2016 05:12 PM, Simon Pichugin wrote:

Hi team,

I am trying to set up SASL/EXTERNAL binding mechanism.
I perform all actions from our docs (Administration guide)

First, I've set up SSL/TLS on the clean instance:
1) Cert was created and imported
2) Trusted CA cert was imported too
3) cert8.db, key3.db, secmod.db were copied to /etc/openldap/certs/
4) Config was changed to accept SSL/TLS
5) Setup was tested and everything worked perfectly

Then client certificate was created and approved by our CA.

openssl x509 -in client_ds.crt -text
Certificate:
     Data:
         Version: 1 (0x0)
         Serial Number: 16371655739931625967 (0xe333ce279b9c09ef)
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=CZ, ST=Moravia, L=Brno, O=Default Company Ltd, OU=Dev, CN=Simon
         Validity
             Not Before: Feb 12 13:51:50 2016 GMT
             Not After : Oct 21 13:51:50 2029 GMT
         Subject: C=CZ, L=Default City, O=example.com, CN=simon pichugin/emailAddress=spichugi@xxxxxxxxxx

After that certificate was imported to "userCertificate" attr of
our user (I've cut the attr output):

# spichugin, People, example.com
dn: uid=spichugin,ou=People,dc=example,dc=com
mail: spichugi@xxxxxxxxxx
uid: spichugin
givenName: simon
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: pichugin
cn: simon pichugin
userPassword:: e1NTSEF9OVJhbUdER3prOE1JdENObnFJb3
userCertificate:: LS0tLS1CRUdJTiBDRVJUSUZJQ0FU
Next, /etc/dirsrv/slapd-stal/certmap.conf was modified with this contents:
certmap Example o=example.com
Example:DNComps
Example:FilterComps mail,cn
Also tried with this:
certmap Example cn=simon pichugin
Example:DNComps
Example:FilterComps mail,cn

Also I have added "olcTLSVerifyClient: demand" to /etc/openldap/slapd.d/cn\=config.ldif

/etc/openldap/ldap.conf contains only "TLS_CACERTDIR /etc/openldap/certs/", the rest options is by default

Then I've tested setup with this command:

[spichugi@rhel-ws ~]$ ldapsearch -H ldaps://rhel-ws.brq.redhat.com:636 -b "dc=example,dc=com" \
-Y EXTERNAL -U "dn:uid=spichugin,ou=People,dc=example,dc=com" -w Secret123 -d 1
ldap_url_parse_ext(ldaps://rhel-ws.brq.redhat.com:636)
ldap_create
ldap_url_parse_ext(ldaps://rhel-ws.brq.redhat.com:636/??base)
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP rhel-ws.brq.redhat.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs/' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs/ prefix .
TLS: certificate [CN=rhel-ws.brq.redhat.com,OU=sdfsd,O=qwedasdf,L=VCrno,ST=Alabama,C=US] is valid
TLS certificate verification: subject: CN=rhel-ws.brq.redhat.com,OU=sdfsd,O=qwedasdf,L=VCrno,ST=Alabama,C=US, issuer: CN=Simon,OU=Dev,O=Default Company Ltd,L=Brno,ST=Moravia,C=CZ, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0
ldap_int_sasl_open: host=rhel-ws.brq.redhat.com
SASL/EXTERNAL authentication started
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
         additional info: SASL(-4): no mechanism available:
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

Please, if someone has an idea what can be wrong, share it. :)

Thanks,
Simon
--
389-devel mailing list
389-devel@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-devel@xxxxxxxxxxxxxxxxxxxxxxx

--
389-devel mailing list
389-devel@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-devel@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Fedora Directory Announce]     [Fedora Users]     [Older Fedora Users Mail]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Review]     [Fedora Art]     [Fedora Music]     [Fedora Packaging]     [CentOS]     [Fedora SELinux]     [Big List of Linux Books]     [KDE Users]     [Fedora Art]     [Fedora Docs]

  Powered by Linux