Re: SASL External Mechanism
Thanks for your help. I've double checked my configuration and reread
the Administrator's Guide. I'm sure I've asserted the client's
certificate.
The server's "slapd.conf" file contains:
TLSCACertificateFile /etc/openldap/cacert.pem
TLSVerifyClient demand
The client's "ldap.conf" file contains:
TLS_CERT /etc/ldap/cert.pem
TLS_KEY /etc/ldap/key.pem
The server's "cacert.pem" belongs to the certificate authority which
signed the client's "cert.pem".
On the server, slapd -d 7 -h "ldap:// ldaps:///":
@(#) $OpenLDAP: slapd 2.1.22 (Nov 20 2003 17:03:41) $
root@scarface:/private/var/tmp/OpenLDAP/OpenLDAP-37.0.1.obj~1/servers/
slapd
daemon_init: ldap:// ldaps:///
daemon_init: listen on ldap://
daemon_init: listen on ldaps:///
daemon_init: 2 listeners to open...
ldap_url_parse_ext(ldap://)
daemon: initialized ldap://
ldap_url_parse_ext(ldaps:///)
daemon: initialized ldaps:///
daemon_init: 4 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
bdb_initialize: initialize BDB backend
bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19,
2002)
>>> dnNormalize: <cn=Subschema>
=> ldap_bv2dn(cn=Subschema,0)
<= ldap_bv2dn(cn=Subschema,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=subschema,272)=0
<<< dnNormalize: <cn=subschema>
/etc/openldap/slapd.conf: line 15: schema checking disabled! your
mileage may vary!
bdb_db_init: Initializing BDB database
>>> dnPrettyNormal: <dc=lat>
=> ldap_bv2dn(dc=lat,0)
<= ldap_bv2dn(dc=lat,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=lat,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=lat,272)=0
<<< dnPrettyNormal: <dc=lat>, <dc=lat>
>>> dnNormalize: <cn=admin,dc=lat>
=> ldap_bv2dn(cn=admin,dc=lat,0)
<= ldap_bv2dn(cn=admin,dc=lat,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=admin,dc=lat,272)=0
<<< dnNormalize: <cn=admin,dc=lat>
ldap_url_parse_ext(ldap://wum.lat)
matching_rule_use_init
1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: (
1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES (
primaryGroupID $ rid $ pwdMustChange $ pwdCanChange $ kickoffTime $
logoffTime $ logonTime $ pwdLastSet $ oncRpcNumber $ ipProtocolNumber $
ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $
shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $
uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) )
1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: (
1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES (
primaryGroupID $ rid $ pwdMustChange $ pwdCanChange $ kickoffTime $
logoffTime $ logonTime $ pwdLastSet $ oncRpcNumber $ ipProtocolNumber $
ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $
shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $
uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) )
1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: (
1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES (
apple-preset-user-is-admin $ apple-config-realname $ apple-data-stamp $
apple-password-server-location $ apple-printer-attributes $ mountPassNo
$ mountDumpFrequency $ mountOption $ mountType $ apple-machine-serves $
apple-machine-hardware $ apple-machine-software $ apple-group-homeowner
$ apple-group-homeurl $ apple-user-homesoftquota $ apple-user-homequota
$ apple-user-class $ apple-user-homeurl $ domain $ smbHome $
userWorkstations $ profilePath $ scriptPath $ homeDrive $ acctFlags $
ntPassword $ lmPassword $ rfc822MailMember $ mailRoutingAddress $
mailHost $ mailLocalAddress $ nisMapEntry $ bootFile $ macAddress $
ipNetmaskNumber $ ipNetworkNumber $ ipHostNumber $ memberNisNetgroup $
memberUid $ loginShell $ gecos $ janetMailbox $ cNAMERecord $ sOARecord
$ nSRecord $ mXRecord $ mDRecord $ aRecord $ email $ associatedDomain $
dc $ mail $ altServer ) )
1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: (
1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES (
apple-preset-user-is-admin $ apple-config-realname $ apple-data-stamp $
apple-password-server-location $ apple-printer-attributes $ mountPassNo
$ mountDumpFrequency $ mountOption $ mountType $ apple-machine-serves $
apple-machine-hardware $ apple-machine-software $ apple-group-homeowner
$ apple-group-homeurl $ apple-user-homesoftquota $ apple-user-homequota
$ apple-user-class $ apple-user-homeurl $ domain $ smbHome $
userWorkstations $ profilePath $ scriptPath $ homeDrive $ acctFlags $
ntPassword $ lmPassword $ rfc822MailMember $ mailRoutingAddress $
mailHost $ mailLocalAddress $ nisMapEntry $ bootFile $ macAddress $
ipNetmaskNumber $ ipNetworkNumber $ ipHostNumber $ memberNisNetgroup $
memberUid $ loginShell $ gecos $ janetMailbox $ cNAMERecord $ sOARecord
$ nSRecord $ mXRecord $ mDRecord $ aRecord $ email $ associatedDomain $
dc $ mail $ altServer ) )
2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34
NAME 'certificateExactMatch' APPLIES ( cACertificate $ userCertificate
) )
2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: (
2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES (
supportedApplicationContext $ ldapSyntaxes $ matchingRuleUse $
objectClasses $ attributeTypes $ matchingRules $ supportedFeatures $
supportedExtension $ supportedControl $ structuralObjectClass $
objectClass ) )
2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: (
2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( primaryGroupID $
rid $ pwdMustChange $ pwdCanChange $ kickoffTime $ logoffTime $
logonTime $ pwdLastSet $ oncRpcNumber $ ipProtocolNumber $
ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $
shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $
uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) )
2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME
'generalizedTimeMatch' APPLIES ( modifyTimestamp $ createTimestamp ) )
2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24
NAME 'protocolInformationMatch' APPLIES protocolInformation )
2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME
'uniqueMemberMatch' APPLIES uniqueMember )
2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22
NAME 'presentationAddressMatch' APPLIES presentationAddress )
2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME
'telephoneNumberMatch' APPLIES ( pager $ mobile $ homePhone $
telephoneNumber ) )
2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME
'octetStringMatch' APPLIES userPassword )
2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME
'bitStringMatch' APPLIES x500UniqueIdentifier )
2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME
'integerMatch' APPLIES ( primaryGroupID $ rid $ pwdMustChange $
pwdCanChange $ kickoffTime $ logoffTime $ logonTime $ pwdLastSet $
oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $
shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $
shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $
supportedLDAPVersion ) )
2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME
'booleanMatch' APPLIES hasSubordinates )
2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME
'caseIgnoreListMatch' APPLIES ( homePostalAddress $ registeredAddress $
postalAddress ) )
2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME
'numericStringMatch' APPLIES ( internationaliSDNNumber $ x121Address )
)
2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7
NAME 'caseExactSubstringsMatch' APPLIES ( dnQualifier $
destinationIndicator $ serialNumber ) )
2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME
'caseExactOrderingMatch' APPLIES ( dnQualifier $ destinationIndicator $
serialNumber ) )
2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME
'caseExactMatch' APPLIES ( apple-dns-nameserver $ apple-dns-domain $
apple-kdc-configdata $ apple-kdc-authkey $ apple-ldap-writable-replica
$ apple-ldap-replica $ apple-password-server-list $ apple-xmlplist $
apple-computer-list-groups $ apple-computers $ apple-realname $
apple-printer-note $ apple-printer-type $ apple-printer-lprqueue $
apple-printer-lprhost $ mountDirectory $ apple-machine-suffix $
apple-group-realname $ apple-generateduid $ apple-keyword $
apple-user-passwordpolicy $ apple-user-authenticationhint $
apple-user-adminlimits $ apple-user-printattribute $ apple-user-picture
$ apple-mcxsettings $ apple-mcxflags $ apple-user-mailattribute $
preferredLanguage $ employeeType $ employeeNumber $ displayName $
departmentNumber $ carLicense $ nisMapName $ ipServiceProtocol $
homeDirectory $ documentPublisher $ buildingName $ organizationalStatus
$ uniqueIdentifier $ co $ personalTitle $ documentLocation $
documentVersion $ documentTitle $ documentIdentifier $ host $ userClass
$ roomNumber $ drink $ info $ textEncodedORAddress $ uid $ labeledURI $
dmdName $ houseIdentifier $ dnQualifier $ generationQualifier $
initials $ givenName $ destinationIndicator $
physicalDeliveryOfficeName $ postOfficeBox $ postalCode $
businessCategory $ description $ title $ ou $ o $ street $ st $ l $ c $
serialNumber $ sn $ knowledgeInformation $ authAuthority $ cn $ name $
ref $ vendorVersion $ vendorName $ supportedSASLMechanisms ) )
2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3
NAME 'caseIgnoreOrderingMatch' APPLIES ( dnQualifier $
destinationIndicator $ serialNumber ) )
2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME
'caseIgnoreMatch' APPLIES ( apple-dns-nameserver $ apple-dns-domain $
apple-kdc-configdata $ apple-kdc-authkey $ apple-ldap-writable-replica
$ apple-ldap-replica $ apple-password-server-list $ apple-xmlplist $
apple-computer-list-groups $ apple-computers $ apple-realname $
apple-printer-note $ apple-printer-type $ apple-printer-lprqueue $
apple-printer-lprhost $ mountDirectory $ apple-machine-suffix $
apple-group-realname $ apple-generateduid $ apple-keyword $
apple-user-passwordpolicy $ apple-user-authenticationhint $
apple-user-adminlimits $ apple-user-printattribute $ apple-user-picture
$ apple-mcxsettings $ apple-mcxflags $ apple-user-mailattribute $
preferredLanguage $ employeeType $ employeeNumber $ displayName $
departmentNumber $ carLicense $ nisMapName $ ipServiceProtocol $
homeDirectory $ documentPublisher $ buildingName $ organizationalStatus
$ uniqueIdentifier $ co $ personalTitle $ documentLocation $
documentVersion $ documentTitle $ documentIdentifier $ host $ userClass
$ roomNumber $ drink $ info $ textEncodedORAddress $ uid $ labeledURI $
dmdName $ houseIdentifier $ dnQualifier $ generationQualifier $
initials $ givenName $ destinationIndicator $
physicalDeliveryOfficeName $ postOfficeBox $ postalCode $
businessCategory $ description $ title $ ou $ o $ street $ st $ l $ c $
serialNumber $ sn $ knowledgeInformation $ authAuthority $ cn $ name $
ref $ vendorVersion $ vendorName $ supportedSASLMechanisms ) )
2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME
'distinguishedNameMatch' APPLIES ( dITRedirect $ associatedName $
secretary $ documentAuthor $ manager $ seeAlso $ roleOccupant $ owner $
member $ distinguishedName $ aliasedObjectName $ namingContexts $
subschemaSubentry $ modifiersName $ creatorsName ) )
2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME
'objectIdentifierMatch' APPLIES ( supportedApplicationContext $
supportedFeatures $ supportedExtension $ supportedControl $
structuralObjectClass $ objectClass ) )
slapd startup: initiated.
bdb_db_open: dc=lat
bdb_db_open: dbenv_open(/var/db/openldap/openldap-data)
slapd starting
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ber_scanf fmt (m) ber:
connection_get(15)
connection_get(15): got connid=0
connection_read(15): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 16 03 01 00 4c 01 00 00 48 03 01 ....L...H..
tls_read: want=70, got=70
0000: 3f f2 76 da ed 69 40 4d 29 17 ac 8c e4 64 de ba
?.v..i@M)....d..
0010: cc ee 45 57 3d 1c 4f 9a c7 47 39 e4 0b 62 29 30
..EW=.O..G9..b)0
0020: 00 00 18 00 33 00 16 00 39 00 2f 00 0a 00 35 00
....3...9./...5.
0030: 05 00 04 00 32 00 13 00 38 00 66 02 01 00 00 06
....2...8.f.....
0040: 00 00 00 02 00 00 ......
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
tls_write: want=1214, written=1214
0000: 16 03 01 00 4a 02 00 00 46 03 01 3f f2 76 d9 c3
....J...F..?.v..
0010: 18 89 0e 77 3b f5 d2 63 87 e4 6e 0e cd 59 68 dc
...w;..c..n..Yh.
0020: 33 18 d3 2d a6 d9 64 9b f4 b5 2c 20 1b d3 9f 4c 3..-..d...,
...L
0030: 36 b2 21 d9 12 69 2b f3 ea 6f 6f e1 bd ba 92 37
6.!..i+..oo....7
0040: 66 72 50 49 93 64 23 4a 2c b5 f5 bc 00 2f 00 16
frPI.d#J,..../..
0050: 03 01 04 46 0b 00 04 42 00 04 3f 00 02 3c 30 82
...F...B..?..<0.
0060: 02 38 30 82 01 a1 a0 03 02 01 02 02 01 03 30 0d
.80...........0.
0070: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 0e 31
..*.H........0.1
0080: 0c 30 0a 06 03 55 04 0a 13 03 64 61 72 30 1e 17
.0...U....dar0..
0090: 0d 30 33 31 32 33 31 30 35 30 34 32 30 5a 17 0d
.031231050420Z..
00a0: 30 34 31 32 33 30 30 35 30 34 32 30 5a 30 20 31
041230050420Z0 1
00b0: 0c 30 0a 06 03 55 04 0a 13 03 64 61 72 31 10 30
.0...U....dar1.0
00c0: 0e 06 03 55 04 03 13 07 66 69 73 2e 6c 61 74 30
...U....fis.lat0
00d0: 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05
..0...*.H.......
00e0: 00 03 81 8d 00 30 81 89 02 81 81 00 e2 46 b8 03
.....0.......F..
00f0: d6 2a 98 31 40 9f 48 f2 de 2f b7 53 7f 21 cb ba
.*.1@.H../.S.!..
0100: d2 c4 b1 9d db 72 48 b6 7a 0f f6 e2 f9 2b 97 58
.....rH.z....+.X
0110: 65 03 b0 7c 2a 6a 30 15 3f fd 8e 44 8f 1e 0a 50
e..|*j0.?..D...P
0120: ca d2 95 a5 96 8b 97 c5 d1 50 6c 7a b6 e8 cf 63
.........Plz...c
0130: f7 27 70 4b 93 d8 7a 3f 0b 4b de 10 aa 29 31 25
.'pK..z?.K...)1%
0140: bd b0 15 b3 af 44 92 38 17 79 ff 16 ad 29 9b 40
.....D.8.y...).@
0150: 5d 60 fe 2a ed 62 16 78 1b af 02 ed 30 5e ad 95
]`.*.b.x....0^..
0160: fe 80 12 e5 88 f7 8f 96 ff 0b c7 99 02 03 01 00
................
0170: 01 a3 81 93 30 81 90 30 09 06 03 55 1d 13 04 02
....0..0...U....
0180: 30 00 30 2c 06 09 60 86 48 01 86 f8 42 01 0d 04
0.0,..`.H...B...
0190: 1f 16 1d 4f 70 65 6e 53 53 4c 20 47 65 6e 65 72 ...OpenSSL
Gener
01a0: 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 65 ated
Certificate
01b0: 30 1d 06 03 55 1d 0e 04 16 04 14 4b 74 e3 35 09
0...U......Kt.5.
01c0: ad e3 1d a0 8d f1 0e 18 72 c1 24 ef e9 86 60 30
........r.$...`0
01d0: 36 06 03 55 1d 23 04 2f 30 2d 80 14 f0 69 81 14
6..U.#./0-...i..
01e0: 20 ea ad 97 9a 6e ba 86 31 ed 9b 52 5d 12 91 b7
....n..1..R]...
01f0: a1 12 a4 10 30 0e 31 0c 30 0a 06 03 55 04 0a 13
....0.1.0...U...
0200: 03 64 61 72 82 01 00 30 0d 06 09 2a 86 48 86 f7
.dar...0...*.H..
0210: 0d 01 01 04 05 00 03 81 81 00 29 12 db 96 ef 86
..........).....
0220: 40 57 8f 08 60 31 2e 1b 60 60 74 81 37 04 db e9
@W..`1..``t.7...
0230: f0 62 6a ab cc 45 83 51 6f e0 1f b8 d2 34 e9 50
.bj..E.Qo....4.P
0240: 75 03 19 bd 4c 43 6a 39 a9 c1 b4 7c 34 d5 c6 ee
u...LCj9...|4...
0250: 9c ed 30 97 fd dd ef 1a 32 fb 1b d0 d1 4e df 92
..0.....2....N..
0260: 86 3a cd 18 35 75 e6 69 d4 91 91 1b a0 93 44 66
.:..5u.i......Df
0270: 08 39 8f 79 8a 40 80 25 ee 23 43 3c 2d bd 1a 94
.9.y.@.%.#C<-...
0280: df b7 20 7a 29 06 9e de d3 9a ab 05 78 9c f3 43 ..
z).......x..C
0290: 24 46 fe 35 51 04 a5 f1 5d fd 00 01 fd 30 82 01
$F.5Q...]....0..
02a0: f9 30 82 01 62 a0 03 02 01 02 02 01 00 30 0d 06
.0..b........0..
02b0: 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 0e 31 0c
.*.H........0.1.
02c0: 30 0a 06 03 55 04 0a 13 03 64 61 72 30 1e 17 0d
0...U....dar0...
02d0: 30 33 31 32 32 38 30 30 34 31 33 30 5a 17 0d 30
031228004130Z..0
02e0: 34 31 32 32 37 30 30 34 31 33 30 5a 30 0e 31 0c
41227004130Z0.1.
02f0: 30 0a 06 03 55 04 0a 13 03 64 61 72 30 81 9f 30
0...U....dar0..0
0300: 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81
...*.H..........
0310: 8d 00 30 81 89 02 81 81 00 c7 e8 87 e1 90 39 49
..0...........9I
0320: 3b 82 de 5d 17 4f d0 e0 6e 9c 44 fe de 73 39 ee
;..].O..n.D..s9.
0330: 9f d9 19 bd f0 fb 5d c4 a5 ba 4f 9b 14 49 7b 65
......]...O..I{e
0340: c1 84 ca d7 34 95 1a 2e d3 4c 4b 55 16 51 7d ab
....4....LKU.Q}.
0350: 9c 88 73 0a 00 69 92 1a 14 6f c3 24 52 2b 66 e9
..s..i...o.$R+f.
0360: 70 e5 42 f4 9d c2 2f a6 80 aa 7b c1 1a e2 c4 6a
p.B.../...{....j
0370: 00 d5 cb e3 6c e6 ad bb af c1 d1 f5 68 e7 a2 ea
....l.......h...
0380: 30 2d 5e 74 a6 84 e6 f8 50 f4 82 4f dc 14 6c b6
0-^t....P..O..l.
0390: d3 c6 29 2e d7 6e 8f 86 41 02 03 01 00 01 a3 67
..)..n..A......g
03a0: 30 65 30 1d 06 03 55 1d 0e 04 16 04 14 f0 69 81
0e0...U.......i.
03b0: 14 20 ea ad 97 9a 6e ba 86 31 ed 9b 52 5d 12 91 .
....n..1..R]..
03c0: b7 30 36 06 03 55 1d 23 04 2f 30 2d 80 14 f0 69
.06..U.#./0-...i
03d0: 81 14 20 ea ad 97 9a 6e ba 86 31 ed 9b 52 5d 12 ..
....n..1..R].
03e0: 91 b7 a1 12 a4 10 30 0e 31 0c 30 0a 06 03 55 04
......0.1.0...U.
03f0: 0a 13 03 64 61 72 82 01 00 30 0c 06 03 55 1d 13
...dar...0...U..
0400: 04 05 30 03 01 01 ff 30 0d 06 09 2a 86 48 86 f7
..0....0...*.H..
0410: 0d 01 01 04 05 00 03 81 81 00 78 e9 4e 98 d7 ea
..........x.N...
0420: 71 c6 f4 8b e3 cb f5 6e 2a 4c a9 65 1c f5 38 98
q......n*L.e..8.
0430: 09 bd b4 83 fb e7 ea 3c f5 52 81 17 6e fc 94 a1
.......<.R..n...
0440: e9 4c 52 25 8e 96 7f f7 71 42 17 f4 18 93 38 81
.LR%....qB....8.
0450: 89 3a e6 7c 79 9e 36 94 5f 0c 51 bb d0 c5 4c 0f
.:.|y.6._.Q...L.
0460: c4 d6 00 0d 28 7e 13 52 ec 3e 8a a9 8e f6 dc 5a
....(~.R.>.....Z
0470: a6 9d 6f 58 53 e4 42 dd e9 e5 52 c1 d0 bb 30 58
..oXS.B...R...0X
0480: e8 f6 02 da 6a ed 3b 89 1d af 32 c3 8f 2a 97 06
....j.;...2..*..
0490: c8 af ee 46 ab 3c 00 81 42 b2 16 03 01 00 1f 0d
...F.<..B.......
04a0: 00 00 17 02 01 02 00 12 00 10 30 0e 31 0c 30 0a
..........0.1.0.
04b0: 06 03 55 04 0a 13 03 64 61 72 0e 00 00 00
..U....dar....
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
0000: 16 03 01 00 07 .....
tls_read: want=7, got=7
0000: 0b 00 00 03 00 00 00 .......
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 28 ......(
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did
not return a certificate s3_srvr.c:1976
connection_read(15): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=15 for close
connection_close: conn=0 sd=15
On the client, ldapsearch -d 7 -x -H "ldaps://fis.lat" -s base -b "" supportedSASLMechanisms:
ldap_create
ldap_url_parse_ext(ldaps://fis.lat)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP fis.lat:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.24.106:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_is_socket_ready: error on socket 3: errno: 113 (No route to host)
ldap_close_socket: 3
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.179.43:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=fis.lat
tls_write: want=81, written=81
0000: 16 03 01 00 4c 01 00 00 48 03 01 3f f2 76 da ed
....L...H..?.v..
0010: 69 40 4d 29 17 ac 8c e4 64 de ba cc ee 45 57 3d
i@M)....d....EW=
0020: 1c 4f 9a c7 47 39 e4 0b 62 29 30 00 00 18 00 33
.O..G9..b)0....3
0030: 00 16 00 39 00 2f 00 0a 00 35 00 05 00 04 00 32
...9./...5.....2
0040: 00 13 00 38 00 66 02 01 00 00 06 00 00 00 02 00
...8.f..........
0050: 00 .
tls_read: want=5, got=5
0000: 16 03 01 00 4a ....J
tls_read: want=74, got=74
0000: 02 00 00 46 03 01 3f f2 76 d9 c3 18 89 0e 77 3b
...F..?.v.....w;
0010: f5 d2 63 87 e4 6e 0e cd 59 68 dc 33 18 d3 2d a6
..c..n..Yh.3..-.
0020: d9 64 9b f4 b5 2c 20 1b d3 9f 4c 36 b2 21 d9 12 .d...,
...L6.!..
0030: 69 2b f3 ea 6f 6f e1 bd ba 92 37 66 72 50 49 93
i+..oo....7frPI.
0040: 64 23 4a 2c b5 f5 bc 00 2f 00 d#J,..../.
tls_read: want=5, got=5
0000: 16 03 01 04 46 ....F
tls_read: want=1094, got=1094
0000: 0b 00 04 42 00 04 3f 00 02 3c 30 82 02 38 30 82
...B..?..<0..80.
0010: 01 a1 a0 03 02 01 02 02 01 03 30 0d 06 09 2a 86
..........0...*.
0020: 48 86 f7 0d 01 01 04 05 00 30 0e 31 0c 30 0a 06
H........0.1.0..
0030: 03 55 04 0a 13 03 64 61 72 30 1e 17 0d 30 33 31
.U....dar0...031
0040: 32 33 31 30 35 30 34 32 30 5a 17 0d 30 34 31 32
231050420Z..0412
0050: 33 30 30 35 30 34 32 30 5a 30 20 31 0c 30 0a 06 30050420Z0
1.0..
0060: 03 55 04 0a 13 03 64 61 72 31 10 30 0e 06 03 55
.U....dar1.0...U
0070: 04 03 13 07 66 69 73 2e 6c 61 74 30 81 9f 30 0d
....fis.lat0..0.
0080: 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d
..*.H...........
0090: 00 30 81 89 02 81 81 00 e2 46 b8 03 d6 2a 98 31
.0.......F...*.1
00a0: 40 9f 48 f2 de 2f b7 53 7f 21 cb ba d2 c4 b1 9d
@.H../.S.!......
00b0: db 72 48 b6 7a 0f f6 e2 f9 2b 97 58 65 03 b0 7c
.rH.z....+.Xe..|
00c0: 2a 6a 30 15 3f fd 8e 44 8f 1e 0a 50 ca d2 95 a5
*j0.?..D...P....
00d0: 96 8b 97 c5 d1 50 6c 7a b6 e8 cf 63 f7 27 70 4b
.....Plz...c.'pK
00e0: 93 d8 7a 3f 0b 4b de 10 aa 29 31 25 bd b0 15 b3
..z?.K...)1%....
00f0: af 44 92 38 17 79 ff 16 ad 29 9b 40 5d 60 fe 2a
.D.8.y...).@]`.*
0100: ed 62 16 78 1b af 02 ed 30 5e ad 95 fe 80 12 e5
.b.x....0^......
0110: 88 f7 8f 96 ff 0b c7 99 02 03 01 00 01 a3 81 93
................
0120: 30 81 90 30 09 06 03 55 1d 13 04 02 30 00 30 2c
0..0...U....0.0,
0130: 06 09 60 86 48 01 86 f8 42 01 0d 04 1f 16 1d 4f
..`.H...B......O
0140: 70 65 6e 53 53 4c 20 47 65 6e 65 72 61 74 65 64 penSSL
Generated
0150: 20 43 65 72 74 69 66 69 63 61 74 65 30 1d 06 03
Certificate0...
0160: 55 1d 0e 04 16 04 14 4b 74 e3 35 09 ad e3 1d a0
U......Kt.5.....
0170: 8d f1 0e 18 72 c1 24 ef e9 86 60 30 36 06 03 55
....r.$...`06..U
0180: 1d 23 04 2f 30 2d 80 14 f0 69 81 14 20 ea ad 97
.#./0-...i.. ...
0190: 9a 6e ba 86 31 ed 9b 52 5d 12 91 b7 a1 12 a4 10
.n..1..R].......
01a0: 30 0e 31 0c 30 0a 06 03 55 04 0a 13 03 64 61 72
0.1.0...U....dar
01b0: 82 01 00 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04
...0...*.H......
01c0: 05 00 03 81 81 00 29 12 db 96 ef 86 40 57 8f 08
......).....@W..
01d0: 60 31 2e 1b 60 60 74 81 37 04 db e9 f0 62 6a ab
`1..``t.7....bj.
01e0: cc 45 83 51 6f e0 1f b8 d2 34 e9 50 75 03 19 bd
.E.Qo....4.Pu...
01f0: 4c 43 6a 39 a9 c1 b4 7c 34 d5 c6 ee 9c ed 30 97
LCj9...|4.....0.
0200: fd dd ef 1a 32 fb 1b d0 d1 4e df 92 86 3a cd 18
....2....N...:..
0210: 35 75 e6 69 d4 91 91 1b a0 93 44 66 08 39 8f 79
5u.i......Df.9.y
0220: 8a 40 80 25 ee 23 43 3c 2d bd 1a 94 df b7 20 7a
.@.%.#C<-..... z
0230: 29 06 9e de d3 9a ab 05 78 9c f3 43 24 46 fe 35
).......x..C$F.5
0240: 51 04 a5 f1 5d fd 00 01 fd 30 82 01 f9 30 82 01
Q...]....0...0..
0250: 62 a0 03 02 01 02 02 01 00 30 0d 06 09 2a 86 48
b........0...*.H
0260: 86 f7 0d 01 01 04 05 00 30 0e 31 0c 30 0a 06 03
........0.1.0...
0270: 55 04 0a 13 03 64 61 72 30 1e 17 0d 30 33 31 32
U....dar0...0312
0280: 32 38 30 30 34 31 33 30 5a 17 0d 30 34 31 32 32
28004130Z..04122
0290: 37 30 30 34 31 33 30 5a 30 0e 31 0c 30 0a 06 03
7004130Z0.1.0...
02a0: 55 04 0a 13 03 64 61 72 30 81 9f 30 0d 06 09 2a
U....dar0..0...*
02b0: 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81
.H............0.
02c0: 89 02 81 81 00 c7 e8 87 e1 90 39 49 3b 82 de 5d
..........9I;..]
02d0: 17 4f d0 e0 6e 9c 44 fe de 73 39 ee 9f d9 19 bd
.O..n.D..s9.....
02e0: f0 fb 5d c4 a5 ba 4f 9b 14 49 7b 65 c1 84 ca d7
..]...O..I{e....
02f0: 34 95 1a 2e d3 4c 4b 55 16 51 7d ab 9c 88 73 0a
4....LKU.Q}...s.
0300: 00 69 92 1a 14 6f c3 24 52 2b 66 e9 70 e5 42 f4
.i...o.$R+f.p.B.
0310: 9d c2 2f a6 80 aa 7b c1 1a e2 c4 6a 00 d5 cb e3
../...{....j....
0320: 6c e6 ad bb af c1 d1 f5 68 e7 a2 ea 30 2d 5e 74
l.......h...0-^t
0330: a6 84 e6 f8 50 f4 82 4f dc 14 6c b6 d3 c6 29 2e
....P..O..l...).
0340: d7 6e 8f 86 41 02 03 01 00 01 a3 67 30 65 30 1d
.n..A......g0e0.
0350: 06 03 55 1d 0e 04 16 04 14 f0 69 81 14 20 ea ad
..U.......i.. ..
0360: 97 9a 6e ba 86 31 ed 9b 52 5d 12 91 b7 30 36 06
..n..1..R]...06.
0370: 03 55 1d 23 04 2f 30 2d 80 14 f0 69 81 14 20 ea
.U.#./0-...i.. .
0380: ad 97 9a 6e ba 86 31 ed 9b 52 5d 12 91 b7 a1 12
...n..1..R].....
0390: a4 10 30 0e 31 0c 30 0a 06 03 55 04 0a 13 03 64
..0.1.0...U....d
03a0: 61 72 82 01 00 30 0c 06 03 55 1d 13 04 05 30 03
ar...0...U....0.
03b0: 01 01 ff 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04
...0...*.H......
03c0: 05 00 03 81 81 00 78 e9 4e 98 d7 ea 71 c6 f4 8b
......x.N...q...
03d0: e3 cb f5 6e 2a 4c a9 65 1c f5 38 98 09 bd b4 83
...n*L.e..8.....
03e0: fb e7 ea 3c f5 52 81 17 6e fc 94 a1 e9 4c 52 25
...<.R..n....LR%
03f0: 8e 96 7f f7 71 42 17 f4 18 93 38 81 89 3a e6 7c
....qB....8..:.|
0400: 79 9e 36 94 5f 0c 51 bb d0 c5 4c 0f c4 d6 00 0d
y.6._.Q...L.....
0410: 28 7e 13 52 ec 3e 8a a9 8e f6 dc 5a a6 9d 6f 58
(~.R.>.....Z..oX
0420: 53 e4 42 dd e9 e5 52 c1 d0 bb 30 58 e8 f6 02 da
S.B...R...0X....
0430: 6a ed 3b 89 1d af 32 c3 8f 2a 97 06 c8 af ee 46
j.;...2..*.....F
0440: ab 3c 00 81 42 b2 .<..B.
tls_read: want=5, got=5
0000: 16 03 01 00 1f .....
tls_read: want=31, got=31
0000: 0d 00 00 17 02 01 02 00 12 00 10 30 0e 31 0c 30
...........0.1.0
0010: 0a 06 03 55 04 0a 13 03 64 61 72 0e 00 00 00
...U....dar....
tls_write: want=12, written=12
0000: 16 03 01 00 07 0b 00 00 03 00 00 00 ............
tls_write: want=139, written=139
0000: 16 03 01 00 86 10 00 00 82 00 80 38 83 97 1e b4
...........8....
0010: 53 73 a5 75 6b 78 39 93 06 b5 37 dc 3a 93 11 2c
Ss.ukx9...7.:..,
0020: f4 7f fc 40 b0 3f c8 94 96 6f 20 ed 84 5a ed 49 ...@.?...o
..Z.I
0030: ee bb f2 69 f1 81 96 49 c3 29 de 7d b3 82 91 e0
...i...I.).}....
0040: 14 72 dd 7d 55 3c cc 09 f1 92 44 0f 30 47 49 ff
.r.}U<....D.0GI.
0050: 80 34 88 17 cb fc ce dc 4b e9 f5 a1 59 3a bc 17
.4......K...Y:..
0060: 46 62 da 6c 8f e0 28 07 e1 8a 93 8f 32 53 28 b8
Fb.l..(.....2S(.
0070: c7 8a 18 61 85 9b 37 91 cc 38 9f f4 fa e8 c6 17
...a..7..8......
0080: 7a 8c dd f0 b1 87 9c 99 77 a5 69 z.......w.i
tls_write: want=6, written=6
0000: 14 03 01 00 01 01 ......
tls_write: want=69, written=69
0000: 16 03 01 00 40 37 d7 b8 a7 b6 c9 78 2a 98 09 26
....@7.....x*..&
0010: e5 8b 94 fe 6c 9a b9 47 94 f4 f3 71 3c dd 21 8c
....l..G...q<.!.
0020: 56 2d 3d 3d f9 62 8b 92 f6 54 97 dc 80 a3 25 ea
V-==.b...T....%.
0030: 79 74 b5 e3 0e 10 5b 86 55 de 19 f7 87 78 7d f6
yt....[.U....x}.
0040: 7c 41 fc 87 63 |A..c
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 28 .(
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (81)
additional info: A TLS fatal alert has been received.
I don't understand ... What's wrong?
Thanks again,
Jack
On Dec 29, 2003, at 8:57 AM, Kurt D. Zeilenga wrote:
> At 08:25 AM 12/29/2003, Dieter Kluenter wrote:
>> ms419@freezone.co.uk writes:
>>> I've successfully installed and configured openLDAP with TLS
>>> support. I am trying to authenticate using the SASL EXTERNAL
>>> mechanism, as described in the Administrator's Guide. I can use TLS,
>>> but can't authenticate using EXTERNAL.
>>> ldapsearch -x -H "ldaps://ldap" -s base -b "" supportedSASLMechanisms
>>> [...]
>>> How do I make the EXTERNAL mechanism available?
>> You have to initiate starttls by using the flag -Z
>> ldapsearch -Y EXTERNAL -ZZ -b "" -s base supportedSASLMechanisms
> While -Z indicates to client to use the LDAP Start TLS
> operation to initiate TLS (SSL), one can also use -H ldaps://
> to implicitly initiate TLS (SSL) upon TCP connect (if the
> server has been configured to support ldaps://). See archives
> for details.
> The user's problem is more likely a case of not asserting
> the client's certificate.
> Kurt
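The two -d 7 traces above already contain the answer in raw form, and it is worth being able to read it. The record version bytes are 03 01 (TLS 1.0, even though OpenSSL's state names say "SSLv3"); the server sends a CertificateRequest naming the one CA it will accept, the client answers with a Certificate message whose certificate_list is empty (0b 00 00 03 00 00 00), and the server, configured with TLSVerifyClient demand, replies with a fatal handshake_failure alert (02 28), which is what "error:140890C7 ... peer did not return a certificate" and "TLS: can't accept" report. The decoder below is an added example for this page, not part of the original post and not OpenLDAP or OpenSSL code. The three byte strings are transcribed from the hex dumps in the post; the parsers, the name decoder and the diagnose() summary are ours, and the attribute-type table covers only the few OIDs needed here.

```python
# Decode the TLS 1.0 records quoted in the -d 7 traces above. Added example for this
# page, not OpenLDAP/OpenSSL code: the bytes are transcribed from the post, parsers ours.
# Server -> client: CertificateRequest + ServerHelloDone (the client's "tls_read: want=31"),
# then the alert the server wrote ("tls_write: want=7").
SERVER_TO_CLIENT = bytes.fromhex(
    "16 03 01 00 1f"                  # handshake record, version 3.1 = TLS 1.0, 31 bytes
    "0d 00 00 17 02 01 02"            # CertificateRequest: 2 cert types, rsa_sign, dss_sign
    "00 12 00 10 30 0e 31 0c 30 0a 06 03 55 04 0a 13 03 64 61 72"  # one CA Name (DER)
    "0e 00 00 00"                     # ServerHelloDone
    "15 03 01 00 02 02 28"            # alert record: level fatal (2), handshake_failure (40)
)
# Client -> server: the Certificate message ("tls_write: want=12"); the ClientKeyExchange,
# ChangeCipherSpec and Finished records that follow in the trace are omitted.
CLIENT_TO_SERVER = bytes.fromhex("16 03 01 00 07 0b 00 00 03 00 00 00")

CONTENT_TYPES = {21: "alert", 22: "handshake"}
HANDSHAKE_TYPES = {11: "certificate", 13: "certificate_request", 14: "server_hello_done"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}
ATTR_OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

def _uint(buf, pos, width):
    return int.from_bytes(buf[pos:pos + width], "big")

def _vector(buf, pos, width):
    """Read a TLS vector of length-prefixed items; outer and inner lengths are 'width' bytes."""
    end, pos, items = pos + width + _uint(buf, pos, width), pos + width, []
    while pos < end:
        length = _uint(buf, pos, width)
        items.append(buf[pos + width:pos + width + length])
        pos += width + length
    return items

def parse_records(data):
    """Split a byte stream into TLS records: (content_type, (major, minor), body)."""
    records, pos = [], 0
    while pos < len(data):
        length = _uint(data, pos + 3, 2)
        if pos + 5 + length > len(data):
            raise ValueError("truncated TLS record at offset %d" % pos)
        records.append((CONTENT_TYPES.get(data[pos], data[pos]), (data[pos + 1], data[pos + 2]), data[pos + 5:pos + 5 + length]))
        pos += 5 + length
    return records

def parse_handshakes(body):
    """Split a handshake record body into (msg_type, msg_body) pairs."""
    msgs, pos = [], 0
    while pos < len(body):
        length = _uint(body, pos + 1, 3)
        msgs.append((HANDSHAKE_TYPES.get(body[pos], body[pos]), body[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return msgs

def _der_tlv(buf, pos):
    """Read one DER tag-length-value; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits = width of the length
        n = length & 0x7f
        length, pos = _uint(buf, pos, n), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der_oid(value):
    """Decode a DER OBJECT IDENTIFIER value (base-128 arcs) into dotted form."""
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7f)
        if not b & 0x80:                      # high bit clear ends the arc
            parts, acc = parts + [acc], 0
    return ".".join(map(str, parts))

def decode_name(der):
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) as 'O=dar,CN=...'."""
    _, seq, _ = _der_tlv(der, 0)
    rdns, pos = [], 0
    while pos < len(seq):
        _, rdn_set, pos = _der_tlv(seq, pos)
        avas, spos = [], 0
        while spos < len(rdn_set):            # usually one AttributeTypeAndValue per RDN
            _, atv, spos = _der_tlv(rdn_set, spos)
            _, oid, vpos = _der_tlv(atv, 0)
            _, val, _ = _der_tlv(atv, vpos)
            oid_str = _der_oid(oid)
            avas.append("%s=%s" % (ATTR_OIDS.get(oid_str, oid_str), val.decode("utf-8", "replace")))
        rdns.append("+".join(avas))
    return ",".join(rdns)

def diagnose(server_to_client, client_to_server):
    """Summarise a failed client-certificate handshake from both directions of the trace."""
    result = {"requested_cas": [], "client_cert_count": None, "alert": None}
    for ctype, _, body in parse_records(server_to_client) + parse_records(client_to_server):
        if ctype == "alert":
            result["alert"] = ({1: "warning", 2: "fatal"}.get(body[0], body[0]), ALERT_DESCRIPTIONS.get(body[1], body[1]))
        elif ctype == "handshake":
            for mtype, mbody in parse_handshakes(body):
                if mtype == "certificate_request":    # CA Names follow the certificate_types vector
                    result["requested_cas"] = [decode_name(d) for d in _vector(mbody, 1 + mbody[0], 2)]
                elif mtype == "certificate":          # empty certificate_list = no client certificate
                    result["client_cert_count"] = len(_vector(mbody, 0, 3))
    return result
```

Running diagnose(SERVER_TO_CLIENT, CLIENT_TO_SERVER) yields requested_cas ["O=dar"], client_cert_count 0 and alert ("fatal", "handshake_failure"): the server only asked for certificates issued under O=dar, which matches the server certificate's issuer in the dump, and libldap never offered one. Two caveats a practitioner would check next, both documented behaviour rather than anything the post confirms about this particular client: ldap.conf(5) lists TLS_CERT and TLS_KEY as user-only options, which libldap ignores when they appear in the system-wide ldap.conf, so they belong in ~/.ldaprc or in the LDAPTLS_CERT and LDAPTLS_KEY environment variables; and -x requests a simple bind, so even once the certificate is presented, SASL EXTERNAL has to be selected explicitly with -Y EXTERNAL.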