[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL External Mechanism

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: SASL External Mechanism
From: ms419@freezone.co.uk
Date: Wed, 31 Dec 2003 09:37:23 -0800
Cc: openldap-software@OpenLDAP.org, Dieter Kluenter <dieter@dkluenter.de>
In-reply-to: <6.0.0.22.0.20031229085212.027a8b38@127.0.0.1>
References: <F8593836-3862-11D8-9CB1-000A95C71776@freezone.co.uk> <m3k74fh9qn.fsf@marin.l4b.de> <6.0.0.22.0.20031229085212.027a8b38@127.0.0.1>

Thanks for your helps. I've double checked my configuration and reread the Administrator's Guide. I'm sure I've asserted the client's certificate.

The server's "slapd.conf" file contains:

TLSCACertificateFile    /etc/openldap/cacert.pem
TLSVerifyClient demand

The client's "ldap.conf" file contains:

TLS_CERT        /etc/ldap/cert.pem
TLS_KEY /etc/ldap/key.pem

The server's "cacert.pem" belongs to the certificate authority which signed the client's "cert.pem".

On the server, "slapd -d 7 -h "ldap:// ldaps:///"":

@(#) $OpenLDAP: slapd 2.1.22 (Nov 20 2003 17:03:41) $ root@scarface:/private/var/tmp/OpenLDAP/OpenLDAP-37.0.1.obj~1/servers/ slapd daemon_init: ldap:// ldaps:/// daemon_init: listen on ldap:// daemon_init: listen on ldaps:/// daemon_init: 2 listeners to open... ldap_url_parse_ext(ldap://) daemon: initialized ldap:// ldap_url_parse_ext(ldaps:///) daemon: initialized ldaps:/// daemon_init: 4 listeners opened slapd init: initiated server. slap_sasl_init: initialized! bdb_initialize: initialize BDB backend bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002) >>> dnNormalize: <cn=Subschema> => ldap_bv2dn(cn=Subschema,0) <= ldap_bv2dn(cn=Subschema,0)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=subschema,272)=0 <<< dnNormalize: <cn=subschema> /etc/openldap/slapd.conf: line 15: schema checking disabled! your mileage may vary! bdb_db_init: Initializing BDB database >>> dnPrettyNormal: <dc=lat> => ldap_bv2dn(dc=lat,0) <= ldap_bv2dn(dc=lat,0)=0 => ldap_dn2bv(272) <= ldap_dn2bv(dc=lat,272)=0 => ldap_dn2bv(272) <= ldap_dn2bv(dc=lat,272)=0 <<< dnPrettyNormal: <dc=lat>, <dc=lat> >>> dnNormalize: <cn=admin,dc=lat> => ldap_bv2dn(cn=admin,dc=lat,0) <= ldap_bv2dn(cn=admin,dc=lat,0)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=admin,dc=lat,272)=0 <<< dnNormalize: <cn=admin,dc=lat> ldap_url_parse_ext(ldap://wum.lat) matching_rule_use_init 1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( primaryGroupID $ rid $ pwdMustChange $ pwdCanChange $ kickoffTime $ logoffTime $ logonTime $ pwdLastSet $ oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) ) 1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: ( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( primaryGroupID $ rid $ pwdMustChange $ pwdCanChange $ kickoffTime $ logoffTime $ logonTime $ pwdLastSet $ oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) ) 1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( apple-preset-user-is-admin $ apple-config-realname $ apple-data-stamp $ apple-password-server-location $ apple-printer-attributes $ mountPassNo $ mountDumpFrequency $ mountOption $ mountType $ apple-machine-serves $ apple-machine-hardware $ apple-machine-software $ apple-group-homeowner $ apple-group-homeurl $ apple-user-homesoftquota $ apple-user-homequota $ apple-user-class $ apple-user-homeurl $ domain $ smbHome $ userWorkstations $ profilePath $ scriptPath $ homeDrive $ acctFlags $ ntPassword $ lmPassword $ rfc822MailMember $ mailRoutingAddress $ mailHost $ mailLocalAddress $ nisMapEntry $ bootFile $ macAddress $ ipNetmaskNumber $ ipNetworkNumber $ ipHostNumber $ memberNisNetgroup $ memberUid $ loginShell $ gecos $ janetMailbox $ cNAMERecord $ sOARecord $ nSRecord $ mXRecord $ mDRecord $ aRecord $ email $ associatedDomain $ dc $ mail $ altServer ) ) 1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( apple-preset-user-is-admin $ apple-config-realname $ apple-data-stamp $ apple-password-server-location $ apple-printer-attributes $ mountPassNo $ mountDumpFrequency $ mountOption $ mountType $ apple-machine-serves $ apple-machine-hardware $ apple-machine-software $ apple-group-homeowner $ apple-group-homeurl $ apple-user-homesoftquota $ apple-user-homequota $ apple-user-class $ apple-user-homeurl $ domain $ smbHome $ userWorkstations $ profilePath $ scriptPath $ homeDrive $ acctFlags $ ntPassword $ lmPassword $ rfc822MailMember $ mailRoutingAddress $ mailHost $ mailLocalAddress $ nisMapEntry $ bootFile $ macAddress $ ipNetmaskNumber $ ipNetworkNumber $ ipHostNumber $ memberNisNetgroup $ memberUid $ loginShell $ gecos $ janetMailbox $ cNAMERecord $ sOARecord $ nSRecord $ mXRecord $ mDRecord $ aRecord $ email $ associatedDomain $ dc $ mail $ altServer ) ) 2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES ( cACertificate $ userCertificate ) ) 2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedApplicationContext $ ldapSyntaxes $ matchingRuleUse $ objectClasses $ attributeTypes $ matchingRules $ supportedFeatures $ supportedExtension $ supportedControl $ structuralObjectClass $ objectClass ) ) 2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( primaryGroupID $ rid $ pwdMustChange $ pwdCanChange $ kickoffTime $ logoffTime $ logonTime $ pwdLastSet $ oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) ) 2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES ( modifyTimestamp $ createTimestamp ) ) 2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24 NAME 'protocolInformationMatch' APPLIES protocolInformation ) 2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME 'uniqueMemberMatch' APPLIES uniqueMember ) 2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22 NAME 'presentationAddressMatch' APPLIES presentationAddress ) 2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME 'telephoneNumberMatch' APPLIES ( pager $ mobile $ homePhone $ telephoneNumber ) ) 2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME 'octetStringMatch' APPLIES userPassword ) 2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME 'bitStringMatch' APPLIES x500UniqueIdentifier ) 2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch' APPLIES ( primaryGroupID $ rid $ pwdMustChange $ pwdCanChange $ kickoffTime $ logoffTime $ logonTime $ pwdLastSet $ oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) ) 2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch' APPLIES hasSubordinates ) 2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME 'caseIgnoreListMatch' APPLIES ( homePostalAddress $ registeredAddress $ postalAddress ) ) 2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME 'numericStringMatch' APPLIES ( internationaliSDNNumber $ x121Address ) ) 2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' APPLIES ( dnQualifier $ destinationIndicator $ serialNumber ) ) 2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME 'caseExactOrderingMatch' APPLIES ( dnQualifier $ destinationIndicator $ serialNumber ) ) 2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME 'caseExactMatch' APPLIES ( apple-dns-nameserver $ apple-dns-domain $ apple-kdc-configdata $ apple-kdc-authkey $ apple-ldap-writable-replica $ apple-ldap-replica $ apple-password-server-list $ apple-xmlplist $ apple-computer-list-groups $ apple-computers $ apple-realname $ apple-printer-note $ apple-printer-type $ apple-printer-lprqueue $ apple-printer-lprhost $ mountDirectory $ apple-machine-suffix $ apple-group-realname $ apple-generateduid $ apple-keyword $ apple-user-passwordpolicy $ apple-user-authenticationhint $ apple-user-adminlimits $ apple-user-printattribute $ apple-user-picture $ apple-mcxsettings $ apple-mcxflags $ apple-user-mailattribute $ preferredLanguage $ employeeType $ employeeNumber $ displayName $ departmentNumber $ carLicense $ nisMapName $ ipServiceProtocol $ homeDirectory $ documentPublisher $ buildingName $ organizationalStatus $ uniqueIdentifier $ co $ personalTitle $ documentLocation $ documentVersion $ documentTitle $ documentIdentifier $ host $ userClass $ roomNumber $ drink $ info $ textEncodedORAddress $ uid $ labeledURI $ dmdName $ houseIdentifier $ dnQualifier $ generationQualifier $ initials $ givenName $ destinationIndicator $ physicalDeliveryOfficeName $ postOfficeBox $ postalCode $ businessCategory $ description $ title $ ou $ o $ street $ st $ l $ c $ serialNumber $ sn $ knowledgeInformation $ authAuthority $ cn $ name $ ref $ vendorVersion $ vendorName $ supportedSASLMechanisms ) ) 2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( dnQualifier $ destinationIndicator $ serialNumber ) ) 2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( apple-dns-nameserver $ apple-dns-domain $ apple-kdc-configdata $ apple-kdc-authkey $ apple-ldap-writable-replica $ apple-ldap-replica $ apple-password-server-list $ apple-xmlplist $ apple-computer-list-groups $ apple-computers $ apple-realname $ apple-printer-note $ apple-printer-type $ apple-printer-lprqueue $ apple-printer-lprhost $ mountDirectory $ apple-machine-suffix $ apple-group-realname $ apple-generateduid $ apple-keyword $ apple-user-passwordpolicy $ apple-user-authenticationhint $ apple-user-adminlimits $ apple-user-printattribute $ apple-user-picture $ apple-mcxsettings $ apple-mcxflags $ apple-user-mailattribute $ preferredLanguage $ employeeType $ employeeNumber $ displayName $ departmentNumber $ carLicense $ nisMapName $ ipServiceProtocol $ homeDirectory $ documentPublisher $ buildingName $ organizationalStatus $ uniqueIdentifier $ co $ personalTitle $ documentLocation $ documentVersion $ documentTitle $ documentIdentifier $ host $ userClass $ roomNumber $ drink $ info $ textEncodedORAddress $ uid $ labeledURI $ dmdName $ houseIdentifier $ dnQualifier $ generationQualifier $ initials $ givenName $ destinationIndicator $ physicalDeliveryOfficeName $ postOfficeBox $ postalCode $ businessCategory $ description $ title $ ou $ o $ street $ st $ l $ c $ serialNumber $ sn $ knowledgeInformation $ authAuthority $ cn $ name $ ref $ vendorVersion $ vendorName $ supportedSASLMechanisms ) ) 2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( dITRedirect $ associatedName $ secretary $ documentAuthor $ manager $ seeAlso $ roleOccupant $ owner $ member $ distinguishedName $ aliasedObjectName $ namingContexts $ subschemaSubentry $ modifiersName $ creatorsName ) ) 2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedApplicationContext $ supportedFeatures $ supportedExtension $ supportedControl $ structuralObjectClass $ objectClass ) ) slapd startup: initiated. bdb_db_open: dc=lat bdb_db_open: dbenv_open(/var/db/openldap/openldap-data) slapd starting put_filter: "(objectclass=*)" put_filter: simple put_simple_filter: "objectclass=*" ber_scanf fmt (m) ber: connection_get(15) connection_get(15): got connid=0 connection_read(15): checking for input on id=0 TLS trace: SSL_accept:before/accept initialization tls_read: want=11, got=11 0000: 16 03 01 00 4c 01 00 00 48 03 01 ....L...H.. tls_read: want=70, got=70 0000: 3f f2 76 da ed 69 40 4d 29 17 ac 8c e4 64 de ba ?.v..i@M)....d.. 0010: cc ee 45 57 3d 1c 4f 9a c7 47 39 e4 0b 62 29 30 ..EW=.O..G9..b)0 0020: 00 00 18 00 33 00 16 00 39 00 2f 00 0a 00 35 00 ....3...9./...5. 0030: 05 00 04 00 32 00 13 00 38 00 66 02 01 00 00 06 ....2...8.f..... 0040: 00 00 00 02 00 00 ...... TLS trace: SSL_accept:SSLv3 read client hello A TLS trace: SSL_accept:SSLv3 write server hello A TLS trace: SSL_accept:SSLv3 write certificate A TLS trace: SSL_accept:SSLv3 write certificate request A tls_write: want=1214, written=1214 0000: 16 03 01 00 4a 02 00 00 46 03 01 3f f2 76 d9 c3 ....J...F..?.v.. 0010: 18 89 0e 77 3b f5 d2 63 87 e4 6e 0e cd 59 68 dc ...w;..c..n..Yh. 0020: 33 18 d3 2d a6 d9 64 9b f4 b5 2c 20 1b d3 9f 4c 3..-..d..., ...L 0030: 36 b2 21 d9 12 69 2b f3 ea 6f 6f e1 bd ba 92 37 6.!..i+..oo....7 0040: 66 72 50 49 93 64 23 4a 2c b5 f5 bc 00 2f 00 16 frPI.d#J,..../.. 0050: 03 01 04 46 0b 00 04 42 00 04 3f 00 02 3c 30 82 ...F...B..?..<0. 0060: 02 38 30 82 01 a1 a0 03 02 01 02 02 01 03 30 0d .80...........0. 0070: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 0e 31 ..*.H........0.1 0080: 0c 30 0a 06 03 55 04 0a 13 03 64 61 72 30 1e 17 .0...U....dar0.. 0090: 0d 30 33 31 32 33 31 30 35 30 34 32 30 5a 17 0d .031231050420Z.. 00a0: 30 34 31 32 33 30 30 35 30 34 32 30 5a 30 20 31 041230050420Z0 1 00b0: 0c 30 0a 06 03 55 04 0a 13 03 64 61 72 31 10 30 .0...U....dar1.0 00c0: 0e 06 03 55 04 03 13 07 66 69 73 2e 6c 61 74 30 ...U....fis.lat0 00d0: 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 ..0...*.H....... 00e0: 00 03 81 8d 00 30 81 89 02 81 81 00 e2 46 b8 03 .....0.......F.. 00f0: d6 2a 98 31 40 9f 48 f2 de 2f b7 53 7f 21 cb ba .*.1@.H../.S.!.. 0100: d2 c4 b1 9d db 72 48 b6 7a 0f f6 e2 f9 2b 97 58 .....rH.z....+.X 0110: 65 03 b0 7c 2a 6a 30 15 3f fd 8e 44 8f 1e 0a 50 e..|*j0.?..D...P 0120: ca d2 95 a5 96 8b 97 c5 d1 50 6c 7a b6 e8 cf 63 .........Plz...c 0130: f7 27 70 4b 93 d8 7a 3f 0b 4b de 10 aa 29 31 25 .'pK..z?.K...)1% 0140: bd b0 15 b3 af 44 92 38 17 79 ff 16 ad 29 9b 40 .....D.8.y...).@ 0150: 5d 60 fe 2a ed 62 16 78 1b af 02 ed 30 5e ad 95 ]`.*.b.x....0^.. 0160: fe 80 12 e5 88 f7 8f 96 ff 0b c7 99 02 03 01 00 ................ 0170: 01 a3 81 93 30 81 90 30 09 06 03 55 1d 13 04 02 ....0..0...U.... 0180: 30 00 30 2c 06 09 60 86 48 01 86 f8 42 01 0d 04 0.0,..`.H...B... 0190: 1f 16 1d 4f 70 65 6e 53 53 4c 20 47 65 6e 65 72 ...OpenSSL Gener 01a0: 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 65 ated Certificate 01b0: 30 1d 06 03 55 1d 0e 04 16 04 14 4b 74 e3 35 09 0...U......Kt.5. 01c0: ad e3 1d a0 8d f1 0e 18 72 c1 24 ef e9 86 60 30 ........r.$...`0 01d0: 36 06 03 55 1d 23 04 2f 30 2d 80 14 f0 69 81 14 6..U.#./0-...i.. 01e0: 20 ea ad 97 9a 6e ba 86 31 ed 9b 52 5d 12 91 b7 ....n..1..R]... 01f0: a1 12 a4 10 30 0e 31 0c 30 0a 06 03 55 04 0a 13 ....0.1.0...U... 0200: 03 64 61 72 82 01 00 30 0d 06 09 2a 86 48 86 f7 .dar...0...*.H.. 0210: 0d 01 01 04 05 00 03 81 81 00 29 12 db 96 ef 86 ..........)..... 0220: 40 57 8f 08 60 31 2e 1b 60 60 74 81 37 04 db e9 @W..`1..``t.7... 0230: f0 62 6a ab cc 45 83 51 6f e0 1f b8 d2 34 e9 50 .bj..E.Qo....4.P 0240: 75 03 19 bd 4c 43 6a 39 a9 c1 b4 7c 34 d5 c6 ee u...LCj9...|4... 0250: 9c ed 30 97 fd dd ef 1a 32 fb 1b d0 d1 4e df 92 ..0.....2....N.. 0260: 86 3a cd 18 35 75 e6 69 d4 91 91 1b a0 93 44 66 .:..5u.i......Df 0270: 08 39 8f 79 8a 40 80 25 ee 23 43 3c 2d bd 1a 94 .9.y.@.%.#C<-... 0280: df b7 20 7a 29 06 9e de d3 9a ab 05 78 9c f3 43 .. z).......x..C 0290: 24 46 fe 35 51 04 a5 f1 5d fd 00 01 fd 30 82 01 $F.5Q...]....0.. 02a0: f9 30 82 01 62 a0 03 02 01 02 02 01 00 30 0d 06 .0..b........0.. 02b0: 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 0e 31 0c .*.H........0.1. 02c0: 30 0a 06 03 55 04 0a 13 03 64 61 72 30 1e 17 0d 0...U....dar0... 02d0: 30 33 31 32 32 38 30 30 34 31 33 30 5a 17 0d 30 031228004130Z..0 02e0: 34 31 32 32 37 30 30 34 31 33 30 5a 30 0e 31 0c 41227004130Z0.1. 02f0: 30 0a 06 03 55 04 0a 13 03 64 61 72 30 81 9f 30 0...U....dar0..0 0300: 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 ...*.H.......... 0310: 8d 00 30 81 89 02 81 81 00 c7 e8 87 e1 90 39 49 ..0...........9I 0320: 3b 82 de 5d 17 4f d0 e0 6e 9c 44 fe de 73 39 ee ;..].O..n.D..s9. 0330: 9f d9 19 bd f0 fb 5d c4 a5 ba 4f 9b 14 49 7b 65 ......]...O..I{e 0340: c1 84 ca d7 34 95 1a 2e d3 4c 4b 55 16 51 7d ab ....4....LKU.Q}. 0350: 9c 88 73 0a 00 69 92 1a 14 6f c3 24 52 2b 66 e9 ..s..i...o.$R+f. 0360: 70 e5 42 f4 9d c2 2f a6 80 aa 7b c1 1a e2 c4 6a p.B.../...{....j 0370: 00 d5 cb e3 6c e6 ad bb af c1 d1 f5 68 e7 a2 ea ....l.......h... 0380: 30 2d 5e 74 a6 84 e6 f8 50 f4 82 4f dc 14 6c b6 0-^t....P..O..l. 0390: d3 c6 29 2e d7 6e 8f 86 41 02 03 01 00 01 a3 67 ..)..n..A......g 03a0: 30 65 30 1d 06 03 55 1d 0e 04 16 04 14 f0 69 81 0e0...U.......i. 03b0: 14 20 ea ad 97 9a 6e ba 86 31 ed 9b 52 5d 12 91 . ....n..1..R].. 03c0: b7 30 36 06 03 55 1d 23 04 2f 30 2d 80 14 f0 69 .06..U.#./0-...i 03d0: 81 14 20 ea ad 97 9a 6e ba 86 31 ed 9b 52 5d 12 .. ....n..1..R]. 03e0: 91 b7 a1 12 a4 10 30 0e 31 0c 30 0a 06 03 55 04 ......0.1.0...U. 03f0: 0a 13 03 64 61 72 82 01 00 30 0c 06 03 55 1d 13 ...dar...0...U.. 0400: 04 05 30 03 01 01 ff 30 0d 06 09 2a 86 48 86 f7 ..0....0...*.H.. 0410: 0d 01 01 04 05 00 03 81 81 00 78 e9 4e 98 d7 ea ..........x.N... 0420: 71 c6 f4 8b e3 cb f5 6e 2a 4c a9 65 1c f5 38 98 q......n*L.e..8. 0430: 09 bd b4 83 fb e7 ea 3c f5 52 81 17 6e fc 94 a1 .......<.R..n... 0440: e9 4c 52 25 8e 96 7f f7 71 42 17 f4 18 93 38 81 .LR%....qB....8. 0450: 89 3a e6 7c 79 9e 36 94 5f 0c 51 bb d0 c5 4c 0f .:.|y.6._.Q...L. 0460: c4 d6 00 0d 28 7e 13 52 ec 3e 8a a9 8e f6 dc 5a ....(~.R.>.....Z 0470: a6 9d 6f 58 53 e4 42 dd e9 e5 52 c1 d0 bb 30 58 ..oXS.B...R...0X 0480: e8 f6 02 da 6a ed 3b 89 1d af 32 c3 8f 2a 97 06 ....j.;...2..*.. 0490: c8 af ee 46 ab 3c 00 81 42 b2 16 03 01 00 1f 0d ...F.<..B....... 04a0: 00 00 17 02 01 02 00 12 00 10 30 0e 31 0c 30 0a ..........0.1.0. 04b0: 06 03 55 04 0a 13 03 64 61 72 0e 00 00 00 ..U....dar.... TLS trace: SSL_accept:SSLv3 flush data tls_read: want=5, got=5 0000: 16 03 01 00 07 ..... tls_read: want=7, got=7 0000: 0b 00 00 03 00 00 00 ....... tls_write: want=7, written=7 0000: 15 03 01 00 02 02 28 ......( TLS trace: SSL3 alert write:fatal:handshake failure TLS trace: SSL_accept:error in SSLv3 read client certificate B TLS trace: SSL_accept:error in SSLv3 read client certificate B TLS: can't accept. TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:1976 connection_read(15): TLS accept error error=-1 id=0, closing connection_closing: readying conn=0 sd=15 for close connection_close: conn=0 sd=15

On the client, "ldapsearch -d 7 -x -H "ldaps://fis.lat" -s base -b "" supportedSASLMechanisms":

ldap_create ldap_url_parse_ext(ldaps://fis.lat) ldap_bind_s ldap_simple_bind_s ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_new_connection ldap_int_open_connection ldap_connect_to_host: TCP fis.lat:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 192.168.24.106:636 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_ndelay_on: 3 ldap_is_sock_ready: 3 ldap_is_socket_ready: error on socket 3: errno: 113 (No route to host) ldap_close_socket: 3 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 192.168.179.43:636 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_ndelay_on: 3 ldap_is_sock_ready: 3 ldap_ndelay_off: 3 ldap_int_sasl_open: host=fis.lat tls_write: want=81, written=81 0000: 16 03 01 00 4c 01 00 00 48 03 01 3f f2 76 da ed ....L...H..?.v.. 0010: 69 40 4d 29 17 ac 8c e4 64 de ba cc ee 45 57 3d i@M)....d....EW= 0020: 1c 4f 9a c7 47 39 e4 0b 62 29 30 00 00 18 00 33 .O..G9..b)0....3 0030: 00 16 00 39 00 2f 00 0a 00 35 00 05 00 04 00 32 ...9./...5.....2 0040: 00 13 00 38 00 66 02 01 00 00 06 00 00 00 02 00 ...8.f.......... 0050: 00 . tls_read: want=5, got=5 0000: 16 03 01 00 4a ....J tls_read: want=74, got=74 0000: 02 00 00 46 03 01 3f f2 76 d9 c3 18 89 0e 77 3b ...F..?.v.....w; 0010: f5 d2 63 87 e4 6e 0e cd 59 68 dc 33 18 d3 2d a6 ..c..n..Yh.3..-. 0020: d9 64 9b f4 b5 2c 20 1b d3 9f 4c 36 b2 21 d9 12 .d..., ...L6.!.. 0030: 69 2b f3 ea 6f 6f e1 bd ba 92 37 66 72 50 49 93 i+..oo....7frPI. 0040: 64 23 4a 2c b5 f5 bc 00 2f 00 d#J,..../. tls_read: want=5, got=5 0000: 16 03 01 04 46 ....F tls_read: want=1094, got=1094 0000: 0b 00 04 42 00 04 3f 00 02 3c 30 82 02 38 30 82 ...B..?..<0..80. 0010: 01 a1 a0 03 02 01 02 02 01 03 30 0d 06 09 2a 86 ..........0...*. 0020: 48 86 f7 0d 01 01 04 05 00 30 0e 31 0c 30 0a 06 H........0.1.0.. 0030: 03 55 04 0a 13 03 64 61 72 30 1e 17 0d 30 33 31 .U....dar0...031 0040: 32 33 31 30 35 30 34 32 30 5a 17 0d 30 34 31 32 231050420Z..0412 0050: 33 30 30 35 30 34 32 30 5a 30 20 31 0c 30 0a 06 30050420Z0 1.0.. 0060: 03 55 04 0a 13 03 64 61 72 31 10 30 0e 06 03 55 .U....dar1.0...U 0070: 04 03 13 07 66 69 73 2e 6c 61 74 30 81 9f 30 0d ....fis.lat0..0. 0080: 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d ..*.H........... 0090: 00 30 81 89 02 81 81 00 e2 46 b8 03 d6 2a 98 31 .0.......F...*.1 00a0: 40 9f 48 f2 de 2f b7 53 7f 21 cb ba d2 c4 b1 9d @.H../.S.!...... 00b0: db 72 48 b6 7a 0f f6 e2 f9 2b 97 58 65 03 b0 7c .rH.z....+.Xe..| 00c0: 2a 6a 30 15 3f fd 8e 44 8f 1e 0a 50 ca d2 95 a5 *j0.?..D...P.... 00d0: 96 8b 97 c5 d1 50 6c 7a b6 e8 cf 63 f7 27 70 4b .....Plz...c.'pK 00e0: 93 d8 7a 3f 0b 4b de 10 aa 29 31 25 bd b0 15 b3 ..z?.K...)1%.... 00f0: af 44 92 38 17 79 ff 16 ad 29 9b 40 5d 60 fe 2a .D.8.y...).@]`.* 0100: ed 62 16 78 1b af 02 ed 30 5e ad 95 fe 80 12 e5 .b.x....0^...... 0110: 88 f7 8f 96 ff 0b c7 99 02 03 01 00 01 a3 81 93 ................ 0120: 30 81 90 30 09 06 03 55 1d 13 04 02 30 00 30 2c 0..0...U....0.0, 0130: 06 09 60 86 48 01 86 f8 42 01 0d 04 1f 16 1d 4f ..`.H...B......O 0140: 70 65 6e 53 53 4c 20 47 65 6e 65 72 61 74 65 64 penSSL Generated 0150: 20 43 65 72 74 69 66 69 63 61 74 65 30 1d 06 03 Certificate0... 0160: 55 1d 0e 04 16 04 14 4b 74 e3 35 09 ad e3 1d a0 U......Kt.5..... 0170: 8d f1 0e 18 72 c1 24 ef e9 86 60 30 36 06 03 55 ....r.$...`06..U 0180: 1d 23 04 2f 30 2d 80 14 f0 69 81 14 20 ea ad 97 .#./0-...i.. ... 0190: 9a 6e ba 86 31 ed 9b 52 5d 12 91 b7 a1 12 a4 10 .n..1..R]....... 01a0: 30 0e 31 0c 30 0a 06 03 55 04 0a 13 03 64 61 72 0.1.0...U....dar 01b0: 82 01 00 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 ...0...*.H...... 01c0: 05 00 03 81 81 00 29 12 db 96 ef 86 40 57 8f 08 ......).....@W.. 01d0: 60 31 2e 1b 60 60 74 81 37 04 db e9 f0 62 6a ab `1..``t.7....bj. 01e0: cc 45 83 51 6f e0 1f b8 d2 34 e9 50 75 03 19 bd .E.Qo....4.Pu... 01f0: 4c 43 6a 39 a9 c1 b4 7c 34 d5 c6 ee 9c ed 30 97 LCj9...|4.....0. 0200: fd dd ef 1a 32 fb 1b d0 d1 4e df 92 86 3a cd 18 ....2....N...:.. 0210: 35 75 e6 69 d4 91 91 1b a0 93 44 66 08 39 8f 79 5u.i......Df.9.y 0220: 8a 40 80 25 ee 23 43 3c 2d bd 1a 94 df b7 20 7a .@.%.#C<-..... z 0230: 29 06 9e de d3 9a ab 05 78 9c f3 43 24 46 fe 35 ).......x..C$F.5 0240: 51 04 a5 f1 5d fd 00 01 fd 30 82 01 f9 30 82 01 Q...]....0...0.. 0250: 62 a0 03 02 01 02 02 01 00 30 0d 06 09 2a 86 48 b........0...*.H 0260: 86 f7 0d 01 01 04 05 00 30 0e 31 0c 30 0a 06 03 ........0.1.0... 0270: 55 04 0a 13 03 64 61 72 30 1e 17 0d 30 33 31 32 U....dar0...0312 0280: 32 38 30 30 34 31 33 30 5a 17 0d 30 34 31 32 32 28004130Z..04122 0290: 37 30 30 34 31 33 30 5a 30 0e 31 0c 30 0a 06 03 7004130Z0.1.0... 02a0: 55 04 0a 13 03 64 61 72 30 81 9f 30 0d 06 09 2a U....dar0..0...* 02b0: 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 .H............0. 02c0: 89 02 81 81 00 c7 e8 87 e1 90 39 49 3b 82 de 5d ..........9I;..] 02d0: 17 4f d0 e0 6e 9c 44 fe de 73 39 ee 9f d9 19 bd .O..n.D..s9..... 02e0: f0 fb 5d c4 a5 ba 4f 9b 14 49 7b 65 c1 84 ca d7 ..]...O..I{e.... 02f0: 34 95 1a 2e d3 4c 4b 55 16 51 7d ab 9c 88 73 0a 4....LKU.Q}...s. 0300: 00 69 92 1a 14 6f c3 24 52 2b 66 e9 70 e5 42 f4 .i...o.$R+f.p.B. 0310: 9d c2 2f a6 80 aa 7b c1 1a e2 c4 6a 00 d5 cb e3 ../...{....j.... 0320: 6c e6 ad bb af c1 d1 f5 68 e7 a2 ea 30 2d 5e 74 l.......h...0-^t 0330: a6 84 e6 f8 50 f4 82 4f dc 14 6c b6 d3 c6 29 2e ....P..O..l...). 0340: d7 6e 8f 86 41 02 03 01 00 01 a3 67 30 65 30 1d .n..A......g0e0. 0350: 06 03 55 1d 0e 04 16 04 14 f0 69 81 14 20 ea ad ..U.......i.. .. 0360: 97 9a 6e ba 86 31 ed 9b 52 5d 12 91 b7 30 36 06 ..n..1..R]...06. 0370: 03 55 1d 23 04 2f 30 2d 80 14 f0 69 81 14 20 ea .U.#./0-...i.. . 0380: ad 97 9a 6e ba 86 31 ed 9b 52 5d 12 91 b7 a1 12 ...n..1..R]..... 0390: a4 10 30 0e 31 0c 30 0a 06 03 55 04 0a 13 03 64 ..0.1.0...U....d 03a0: 61 72 82 01 00 30 0c 06 03 55 1d 13 04 05 30 03 ar...0...U....0. 03b0: 01 01 ff 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 ...0...*.H...... 03c0: 05 00 03 81 81 00 78 e9 4e 98 d7 ea 71 c6 f4 8b ......x.N...q... 03d0: e3 cb f5 6e 2a 4c a9 65 1c f5 38 98 09 bd b4 83 ...n*L.e..8..... 03e0: fb e7 ea 3c f5 52 81 17 6e fc 94 a1 e9 4c 52 25 ...<.R..n....LR% 03f0: 8e 96 7f f7 71 42 17 f4 18 93 38 81 89 3a e6 7c ....qB....8..:.| 0400: 79 9e 36 94 5f 0c 51 bb d0 c5 4c 0f c4 d6 00 0d y.6._.Q...L..... 0410: 28 7e 13 52 ec 3e 8a a9 8e f6 dc 5a a6 9d 6f 58 (~.R.>.....Z..oX 0420: 53 e4 42 dd e9 e5 52 c1 d0 bb 30 58 e8 f6 02 da S.B...R...0X.... 0430: 6a ed 3b 89 1d af 32 c3 8f 2a 97 06 c8 af ee 46 j.;...2..*.....F 0440: ab 3c 00 81 42 b2 .<..B. tls_read: want=5, got=5 0000: 16 03 01 00 1f ..... tls_read: want=31, got=31 0000: 0d 00 00 17 02 01 02 00 12 00 10 30 0e 31 0c 30 ...........0.1.0 0010: 0a 06 03 55 04 0a 13 03 64 61 72 0e 00 00 00 ...U....dar.... tls_write: want=12, written=12 0000: 16 03 01 00 07 0b 00 00 03 00 00 00 ............ tls_write: want=139, written=139 0000: 16 03 01 00 86 10 00 00 82 00 80 38 83 97 1e b4 ...........8.... 0010: 53 73 a5 75 6b 78 39 93 06 b5 37 dc 3a 93 11 2c Ss.ukx9...7.:.., 0020: f4 7f fc 40 b0 3f c8 94 96 6f 20 ed 84 5a ed 49 ...@.?...o ..Z.I 0030: ee bb f2 69 f1 81 96 49 c3 29 de 7d b3 82 91 e0 ...i...I.).}.... 0040: 14 72 dd 7d 55 3c cc 09 f1 92 44 0f 30 47 49 ff .r.}U<....D.0GI. 0050: 80 34 88 17 cb fc ce dc 4b e9 f5 a1 59 3a bc 17 .4......K...Y:.. 0060: 46 62 da 6c 8f e0 28 07 e1 8a 93 8f 32 53 28 b8 Fb.l..(.....2S(. 0070: c7 8a 18 61 85 9b 37 91 cc 38 9f f4 fa e8 c6 17 ...a..7..8...... 0080: 7a 8c dd f0 b1 87 9c 99 77 a5 69 z.......w.i tls_write: want=6, written=6 0000: 14 03 01 00 01 01 ...... tls_write: want=69, written=69 0000: 16 03 01 00 40 37 d7 b8 a7 b6 c9 78 2a 98 09 26 ....@7.....x*..& 0010: e5 8b 94 fe 6c 9a b9 47 94 f4 f3 71 3c dd 21 8c ....l..G...q<.!. 0020: 56 2d 3d 3d f9 62 8b 92 f6 54 97 dc 80 a3 25 ea V-==.b...T....%. 0030: 79 74 b5 e3 0e 10 5b 86 55 de 19 f7 87 78 7d f6 yt....[.U....x}. 0040: 7c 41 fc 87 63 |A..c tls_read: want=5, got=5 0000: 15 03 01 00 02 ..... tls_read: want=2, got=2 0000: 02 28 .( TLS: can't connect. ldap_perror ldap_bind: Can't contact LDAP server (81) additional info: A TLS fatal alert has been received.

I don't understand ... What's wrong?

Thanks again,

Jack

On Dec 29, 2003, at 8:57 AM, Kurt D. Zeilenga wrote:

At 08:25 AM 12/29/2003, Dieter Kluenter wrote:

ms419@freezone.co.uk writes:

I've successfully installed and configured openLDAP with TLS
support. I am trying to authenticate using the SASL EXTERNAL
mechanism, as described in the Administrator's Guide. I can use TLS,
but can't authenticate using EXTERNAL.

ldapsearch -x -H "ldaps://ldap" -s base -b "" supportedSASLMechanisms

[...]

How do I make the EXTERNAL mechanism available?


You have to initiate starttls by using the flag -Z
ldapsearch -Y EXTERNAL -ZZ -b "" -s base supportedSASLMechanisms


While -Z indicates to client to use the LDAP Start TLS
operation to initiate TLS (SSL), one can also use -H ldaps://
to implicitly initiate TLS (SSL) upon TCP connect (if the
server has been configured to support ldaps://).  See archives
for details.

The user's problem is more likely a case of not asserting
the client's certificate.

Kurt

Follow-Ups:
- Re: SASL External Mechanism
  - From: Peter Marschall <peter@adpm.de>

References:
- SASL External Mechanism
  - From: ms419@freezone.co.uk
- Re: SASL External Mechanism
  - From: Dieter Kluenter <dieter@dkluenter.de>
- Re: SASL External Mechanism
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: allocate oids
Next by Date: Happy New Year ACL
Index(es):
- Chronological
- Thread