Greetings, I am having trouble connecting to my OpenLDAP Server utilizing TLS. First, here is the info for my setup:
Server: RHLinux 7.2 Kernel 2.4.18-18.7.x Openldap-2.1.17 Db-4.1.25 Openssl-0.9.6b
Client: RHLinux 7.2 Kernel 2.4.18-18.7.x Nss_ldap-207 Pam_ldap-161 Openssl-0.9.6b
I have created the certificates and key on the server and added the corresponding entries to the slapd.conf; I also have my ACL set to access to * by * read. On my client I have the basic host and base entries plus ssl start_tls in the ldap.conf. My nsswitch.conf is set to select from files first and then ldap for passwd, shadow and group. I have not changed any entries in /etc/pam.d/ yet.
What I believe is happening is that my client is not doing a simple/anonymous bind when I have ssl start_tls set in the ldap.conf; I think it is trying to do a SASL bind. My reasoning for this is that when I try to do ldapsearch -v -Z -b "dc=myserver,dc=net" "(objectclass=*)" I get the error of:

    ldap_initialize( <DEFAULT> )
    ldap_start_tls: Success
    ldap_sasl_interactive_bind_s: Local error

And no data is transferred. The -Z forces it to use TLS, but it tries to utilize SASL also. But if I do ldapsearch -v -Z -x -b "dc=myserver,dc=net" "(objectclass=*)" I get:

    ldap_initialize( <DEFAULT> )
    ldap_start_tls: Success
    filter: (objectclass=*)
    requesting: ALL
    version: 2

And all the data is transferred. The -Z forces it to use TLS, but the -x forces it to do a simple bind.
If I try to use something that will utilize the ldap.conf file on the client, like getent passwd, nothing is transferred if I have the ssl start_tls set. If I turn it off, communication works fine and all data requested is transferred but not encrypted.
I cannot find where in the ldap.conf you can force it to use simple binds and I cannot find anything online about it. Does anyone know how to do this? Or am I looking at this the wrong way? Please help.
Example data taken from the slapd.log file on the server is attached here.
When I test the connection from the client utilizing ldapsearch -v -Z -x -b "dc=myserver,dc=net" "(objectclass=*)" I successfully receive all the info from my server and the data is transferred across the wire encrypted. This is what I get in the slapd.log; I have removed unnecessary extra info:

    ----SNIP----
    daemon: read activity on 15
    connection_get(15)
    connection_get(15): got connid=35
    connection_read(15): checking for input on id=35
    ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
    daemon: select: listen=6 active_threads=1 tvp=NULL
    do_extended
    do_extended: oid=1.3.6.1.4.1.1466.20037
    send_ldap_extended: err=0 oid= len=0
    send_ldap_response: msgid=1 tag=120 err=0
    daemon: activity on 1 descriptors
    daemon: activity on: 15r
    ----SNIP----
    daemon: read activity on 15
    connection_get(15)
    connection_get(15): got connid=35
    connection_read(15): checking for input on id=35
    connection_read(15): unable to get TLS client DN error=49 id=35
    daemon: select: listen=6 active_threads=0 tvp=NULL
    daemon: activity on 1 descriptors
    daemon: activity on: 15r
    daemon: read activity on 15
    connection_get(15)
    connection_get(15): got connid=35
    connection_read(15): checking for input on id=35
    ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
    do_bind
    daemon: select: listen=6 active_threads=1 tvp=NULL
    >>> dnPrettyNormal: <>
    daemon: activity on 1 descriptors
    <<< dnPrettyNormal: <>, <>
    daemon: select: listen=6 active_threads=1 tvp=NULL
    do_bind: version=3 dn="" method=128
    conn=35 op=1 BIND dn="" method=128
    send_ldap_result: conn=35 op=1 p=3
    send_ldap_result: err=0 matched="" text=""
    send_ldap_response: msgid=2 tag=97 err=0
    conn=35 op=1 RESULT tag=97 err=0 text=
    do_bind: v3 anonymous bind
    daemon: activity on 1 descriptors
    daemon: activity on: 15r
    daemon: read activity on 15
    connection_get(15)
    connection_get(15): got connid=35
    connection_read(15): checking for input on id=35
    ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
    do_search
    ----SNIP----
When I try to get some info from the getent passwd command and I have TLS turned on, I get nothing from my server and this is in the slapd.log; I have removed unnecessary extra info:

    ----SNIP----
    daemon: read activity on 15
    connection_get(15)
    connection_get(15): got connid=34
    connection_read(15): checking for input on id=34
    ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
    do_extended
    daemon: select: listen=6 active_threads=1 tvp=NULL
    do_extended: oid=1.3.6.1.4.1.1466.20037
    send_ldap_extended: err=0 oid= len=0
    send_ldap_response: msgid=1 tag=120 err=0
    daemon: activity on 1 descriptors
    daemon: activity on: 15r
    ----SNIP----
    daemon: read activity on 15
    connection_get(15)
    connection_get(15): got connid=34
    connection_read(15): checking for input on id=34
    connection_read(15): unable to get TLS client DN error=49 id=34
    daemon: select: listen=6 active_threads=0 tvp=NULL
    daemon: activity on 1 descriptors
    daemon: activity on: 15r
    daemon: read activity on 15
    connection_get(15)
    connection_get(15): got connid=34
    connection_read(15): checking for input on id=34
    ber_get_next on fd 15 failed errno=0 (Success)
    do_unbind
    connection_read(15): input error=-2 id=34, closing.
    conn=34 op=1 UNBIND
    connection_closing: readying conn=34 sd=15 for close
    connection_close: deferring conn=34 sd=15
    daemon: select: listen=6 active_threads=1 tvp=NULL
    connection_resched: attempting closing conn=34 sd=15
    daemon: activity on 1 descriptors
    connection_close: conn=34 sd=15
    daemon: select: listen=6 active_threads=1 tvp=NULL
    daemon: removing 15
    conn=34 fd=15 closed
Thanks for any help, Joe B.
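As an added triage aid, not part of Joe's post, the following Python script parses slapd debug output like the two excerpts above and reports, per connection, whether StartTLS was negotiated and which bind (if any) followed. On the post's own log events it shows connid 35 (ldapsearch -Z -x) doing an anonymous simple bind and then a search, while connid 34 (getent passwd with ssl start_tls) sends UNBIND straight after StartTLS without any BIND at all, SASL or simple; the "unable to get TLS client DN error=49" line is present in both. The log line formats are the page's; attributing lines without a conn= field to the most recent "got connid=" line is an assumption about this debug level.

```python
import re
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended op, as logged by do_extended
SIMPLE_BIND, SASL_BIND = 128, 163         # BIND method: BER tag 0x80 (simple) / 0xa3 (SASL)
CONNID_RE = re.compile(r"got connid=(\d+)")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\d+)')
UNBIND_RE = re.compile(r"conn=(\d+) op=\d+ UNBIND")
TLSDN_RE = re.compile(r"unable to get TLS client DN error=(\d+) id=(\d+)")
new_rec = lambda: dict(starttls=False, tls_dn_error=None, binds=[], search=False, unbind=False)
# Constructed sample: the post's slapd.log events, one per line (connid 35: ldapsearch -Z -x; 34: getent passwd)
SAMPLE_LOG = """\
connection_get(15): got connid=35
do_extended: oid=1.3.6.1.4.1.1466.20037
connection_read(15): unable to get TLS client DN error=49 id=35
conn=35 op=1 BIND dn="" method=128
do_search
connection_get(15): got connid=34
do_extended: oid=1.3.6.1.4.1.1466.20037
connection_read(15): unable to get TLS client DN error=49 id=34
conn=34 op=1 UNBIND
"""

def parse_slapd_log(text):
    """Group slapd debug output by connection id; record the StartTLS/bind/search sequence."""
    conns, current = {}, None          # 'current' = last connid seen, for lines lacking conn=
    for line in text.splitlines():
        if m := CONNID_RE.search(line):
            current = m.group(1)
            conns.setdefault(current, new_rec())
        elif m := BIND_RE.search(line):
            conns.setdefault(m.group(1), new_rec())["binds"].append((m.group(2), int(m.group(3))))
        elif m := UNBIND_RE.search(line):
            conns.setdefault(m.group(1), new_rec())["unbind"] = True
        elif m := TLSDN_RE.search(line):
            conns.setdefault(m.group(2), new_rec())["tls_dn_error"] = int(m.group(1))
        elif current and STARTTLS_OID in line:
            conns[current]["starttls"] = True
        elif current and line.strip() == "do_search":
            conns[current]["search"] = True
    return conns

def classify(rec):
    """One-line verdict: did the client BIND (and how) after StartTLS, or without it?"""
    pre = "StartTLS then " if rec["starttls"] else "no StartTLS, "
    if not rec["binds"]:
        return pre + ("UNBIND without BIND" if rec["unbind"] else "no BIND")
    dn, method = rec["binds"][-1]
    if method == SASL_BIND:
        return pre + "SASL bind"
    who = "anonymous simple bind" if dn == "" else "simple bind as " + dn
    return pre + who + (" then SEARCH" if rec["search"] else "")
```

Run it over a full slapd -d log (for example `for cid, rec in parse_slapd_log(open("slapd.log").read()).items(): print(cid, classify(rec))`) to see at a glance which client connections never reach a BIND after the TLS handshake.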