RE: Anonymous bind with TLS problem
If I do a ngrep -e port 389 on the server when I use the -Z I see the
initial certificate transfer and then all the data is gibberish (a.k.a.
encrypted). If I don't have the -Z all the data is transferred plain text
and if I have the -ZZ I get this in response:
ldap_initialize( <DEFAULT> )
ldap_start_tls: Success
A look through ngrep shows a transfer of the certificate and then that is
it, no other data transferred. In the slapd.log all I get is the same
response the getent passwd command gives me:
ber_get_next on fd 15 failed errno=0 (Success)
do_unbind.
So I wasn't forcing TLS with the -Z, and -ZZ does enforce it. So what is
encrypting the transfer with the -Z? And what is not allowing the TLS
handshake to be successful, even though it says it is, when I use -ZZ?
Thanks,
Joe B.
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Kent Soper
Sent: Wednesday, May 21, 2003 12:51 PM
To: openldap-software@OpenLDAP.org; owner-openldap-software@OpenLDAP.org
Subject: Re: Anonymous bind with TLS problem
-Z doesn't force TLS, it only tries to start it. -ZZ forces TLS. I don't
see any TLS handshake output in the slapd log so I don't think it's being
used.
Cheers,
Kent Soper
"You don't stop playing because you grow old ...
you grow old because you stop playing."
Linux Technology Center, Linux Security
tie line: 678-9216
external: 1-512-838-9216
e-mail: dksoper@us.ibm.com
"Joe Bardgett" <jbardgett@godaddy.com>
Sent by: owner-openldap-software@OpenLDAP.org
05/21/2003 01:34 PM
To: <openldap-software@OpenLDAP.org>
cc:
Subject: Anonymous bind with TLS problem
Greetings,
I am having trouble connecting to my OpenLDAP Server utilizing
TLS. First, here is the info for my setup:
Server:
RHLinux 7.2
Kernel 2.4.18-18.7.x
Openldap-2.1.17
Db-4.1.25
Openssl-0.9.6b
Client:
RHLinux 7.2
Kernel 2.4.18-18.7.x
Nss_ldap-207
Pam_ldap-161
Openssl-0.9.6b
I have created the certificates and key on the server and added the
corresponding entries to the slapd.conf, I also have my ACL set to access
to * by * read. On my client I have the basic host and base entries plus
ssl start_tls in the ldap.conf. My nsswitch.conf is set to select from
files first and then ldap for passwd, shadow and group. I have not changed
any entries in /etc/pam.d/ yet.
What I believe is happening is that my client is not doing a
simple/anonymous bind when I have ssl start_tls set in the ldap.conf, I
think it is trying to do a SASL bind. My reasoning for this is that when I
try to do ldapsearch -v -Z -b "dc=myserver,dc=net" "(objectclass=*)" I get
the error of:
ldap_initialize( <DEFAULT> )
ldap_start_tls: Success
ldap_sasl_interactive_bind_s: Local error
And no data is transferred. The -Z forces it to use TLS but it tries to
utilize SASL also. But if I do ldapsearch -v -Z -x -b "dc=myserver,dc=net"
"(objectclass=*)" I get:
ldap_initialize( <DEFAULT> )
ldap_start_tls: Success
filter: (objectclass=*)
requesting: ALL
version: 2
And all the data is transferred. The -Z forces it to use TLS but the -x
forces it to do a simple bind.
If I try to use something that will utilize the ldap.conf file on the
client, like getent passwd, nothing is transferred if I have the ssl
start_tls set. If I turn it off, communication works fine and all data
requested is transferred but not encrypted.
I cannot find where in the ldap.conf you can force it to use simple binds
and I cannot find anything online about it. Does anyone know how to do
this? Or am I looking at this the wrong way? Please help.
Example data taken from the slapd.log file on the server is attached here.
When I test the connection from the client utilizing ldapsearch -v -Z -x -b
"dc=myserver,dc=net" "(objectclass=*)" I successfully receive all the info
from my server and the data is transferred across the wire encrypted and
this is what I get in the slapd.log; I have removed unnecessary extra info:
----SNIP----
daemon: read activity on 15
connection_get(15)
connection_get(15): got connid=35
connection_read(15): checking for input on id=35
ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
daemon: select: listen=6 active_threads=1 tvp=NULL
do_extended
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
daemon: activity on 1 descriptors
daemon: activity on:
15r
----SNIP----
daemon: read activity on 15
connection_get(15)
connection_get(15): got connid=35
connection_read(15): checking for input on id=35
connection_read(15): unable to get TLS client DN error=49 id=35
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on:
15r
daemon: read activity on 15
connection_get(15)
connection_get(15): got connid=35
connection_read(15): checking for input on id=35
ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
do_bind
daemon: select: listen=6 active_threads=1 tvp=NULL
>>> dnPrettyNormal: <>
daemon: activity on 1 descriptors
<<< dnPrettyNormal: <>, <>
daemon: select: listen=6 active_threads=1 tvp=NULL
do_bind: version=3 dn="" method=128
conn=35 op=1 BIND dn="" method=128
send_ldap_result: conn=35 op=1 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=2 tag=97 err=0
conn=35 op=1 RESULT tag=97 err=0 text=
do_bind: v3 anonymous bind
daemon: activity on 1 descriptors
daemon: activity on:
15r
daemon: read activity on 15
connection_get(15)
connection_get(15): got connid=35
connection_read(15): checking for input on id=35
ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
do_search
----SNIP----
When I try to get some info from the getent passwd command and I have TLS
turned on I get nothing from my server and this is in the slapd.log; I have
removed unnecessary extra info:
----SNIP----
daemon: read activity on 15
connection_get(15)
connection_get(15): got connid=34
connection_read(15): checking for input on id=34
ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
do_extended
daemon: select: listen=6 active_threads=1 tvp=NULL
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
daemon: activity on 1 descriptors
daemon: activity on:
15r
----SNIP----
daemon: read activity on 15
connection_get(15)
connection_get(15): got connid=34
connection_read(15): checking for input on id=34
connection_read(15): unable to get TLS client DN error=49 id=34
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on:
15r
daemon: read activity on 15
connection_get(15)
connection_get(15): got connid=34
connection_read(15): checking for input on id=34
ber_get_next on fd 15 failed errno=0 (Success)
do_unbind
connection_read(15): input error=-2 id=34, closing.
conn=34 op=1 UNBIND
connection_closing: readying conn=34 sd=15 for close
connection_close: deferring conn=34 sd=15
daemon: select: listen=6 active_threads=1 tvp=NULL
connection_resched: attempting closing conn=34 sd=15
daemon: activity on 1 descriptors
connection_close: conn=34 sd=15
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: removing 15
conn=34 fd=15 closed
Thanks for any help,
Joe B.
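Added example, not part of the thread or of OpenLDAP: a small Python script that reads slapd -d trace output like the excerpts quoted above and says, per connection, whether StartTLS actually came up and what the client did afterwards. It tells apart the two cases in the thread (connid 35: StartTLS, anonymous BIND, SEARCH; connid 34: StartTLS, then UNBIND with nothing in between) and a third, constructed case of a BIND with no StartTLS at all, which is what a client using only -Z (or an ldap.conf without a hard TLS requirement) degrades to when StartTLS is refused. The regexes follow the 2.1 wording seen in the quoted logs; the sample lines are reduced from those logs plus one invented cleartext session (connid 36), and the verdict names are my own.

```python
"""Classify slapd -d trace connections by StartTLS outcome and client action.

slapd's trace output does not stamp every line with a connection id, so the
parser keys on 'connection_get(fd): got connid=N' to learn which connection
the following lines belong to. Modelled on OpenLDAP 2.1 log wording.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 2830 StartTLS extended op

RE_CONNID = re.compile(r"connection_get\(\d+\): got connid=(\d+)")
RE_EXT_OID = re.compile(r"do_extended: oid=(\S+)")
RE_EXT_RESULT = re.compile(r"send_ldap_extended: err=(\d+)")
# slapd logs this right after the TLS handshake completes, when it tries to
# read a client-certificate subject and an anonymous client sent none.
RE_TLS_DN = re.compile(r"unable to get TLS client DN .*\bid=(\d+)")
RE_BIND = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\d+)')
RE_UNBIND = re.compile(r"conn=(\d+) op=\d+ UNBIND")

# Constructed sample: connids 35 and 34 are reduced from the logs quoted in the
# thread; connid 36 is an invented session that binds without StartTLS.
SAMPLE_LOG = """\
connection_get(15): got connid=35
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
connection_get(15): got connid=35
connection_read(15): unable to get TLS client DN error=49 id=35
connection_get(15): got connid=35
do_bind: version=3 dn="" method=128
conn=35 op=1 BIND dn="" method=128
connection_get(15): got connid=35
do_search
connection_get(15): got connid=34
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended: err=0 oid= len=0
connection_get(15): got connid=34
connection_read(15): unable to get TLS client DN error=49 id=34
connection_get(15): got connid=34
ber_get_next on fd 15 failed errno=0 (Success)
conn=34 op=1 UNBIND
connection_get(16): got connid=36
conn=36 op=0 BIND dn="cn=admin,dc=myserver,dc=net" method=128
connection_get(16): got connid=36
do_search
"""


@dataclass
class ConnState:
    connid: int
    starttls_requested: bool = False
    starttls_ok: bool = False      # server answered the extended op with err=0
    tls_up: bool = False           # handshake finished, TLS layer installed
    bind_dn: Optional[str] = None  # "" means an anonymous bind
    searched: bool = False
    unbound: bool = False


def _conn(conns: Dict[int, ConnState], cid: int) -> ConnState:
    return conns.setdefault(cid, ConnState(cid))


def parse_slapd_log(text: str) -> Dict[int, ConnState]:
    conns: Dict[int, ConnState] = {}
    current: Optional[ConnState] = None
    awaiting_starttls_result = False
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_CONNID.match(line)
        if m:
            current = _conn(conns, int(m.group(1)))
            continue
        m = RE_BIND.match(line)             # these lines carry their own connid
        if m:
            _conn(conns, int(m.group(1))).bind_dn = m.group(2)
            continue
        m = RE_UNBIND.match(line)
        if m:
            _conn(conns, int(m.group(1))).unbound = True
            continue
        m = RE_TLS_DN.search(line)
        if m:
            _conn(conns, int(m.group(1))).tls_up = True
            continue
        if current is None:                 # trace noise before any connid
            continue
        m = RE_EXT_OID.match(line)
        if m:
            if m.group(1) == STARTTLS_OID:
                current.starttls_requested = True
                awaiting_starttls_result = True
            continue
        m = RE_EXT_RESULT.match(line)
        if m and awaiting_starttls_result:
            current.starttls_ok = m.group(1) == "0"
            awaiting_starttls_result = False
            continue
        if line == "do_search":
            current.searched = True
    return conns


def classify(text: str) -> Dict[int, str]:
    """Map connid -> verdict; 'cleartext-bind' is the one worth alerting on."""
    verdicts: Dict[int, str] = {}
    for cid, st in parse_slapd_log(text).items():
        tls = st.starttls_ok and st.tls_up
        did_work = st.bind_dn is not None or st.searched
        if tls and did_work:
            verdicts[cid] = "tls-bind-search" if st.searched else "tls-bind"
        elif tls and st.unbound:
            verdicts[cid] = "tls-then-unbind"   # the getent symptom in the thread
        elif did_work:
            verdicts[cid] = "cleartext-bind"    # plaintext LDAP on the wire
        elif st.starttls_requested and not st.starttls_ok:
            verdicts[cid] = "starttls-refused"
        else:
            verdicts[cid] = "no-operation"
    return verdicts


if __name__ == "__main__":
    for cid, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"conn={cid}: {verdict}")
```

Run it against a real `slapd -d 1` capture by replacing SAMPLE_LOG with the file contents; any "cleartext-bind" verdict means a client bound without StartTLS, which is exactly the fallback a -Z (rather than -ZZ) client performs when the server refuses StartTLS.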