[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL External Mechanism



Thanks for your helps. I've double checked my configuration and reread the Administrator's Guide. I'm sure I've asserted the client's certificate.

The server's "slapd.conf" file contains:

TLSCACertificateFile    /etc/openldap/cacert.pem
TLSVerifyClient demand

The client's "ldap.conf" file contains:

TLS_CERT        /etc/ldap/cert.pem
TLS_KEY /etc/ldap/key.pem

The server's "cacert.pem" belongs to the certificate authority which signed the client's "cert.pem".

On the server, "slapd -d 7 -h "ldap:// ldaps:///"":

@(#) $OpenLDAP: slapd 2.1.22 (Nov 20 2003 17:03:41) $
root@scarface:/private/var/tmp/OpenLDAP/OpenLDAP-37.0.1.obj~1/servers/ slapd
daemon_init: ldap:// ldaps:///
daemon_init: listen on ldap://
daemon_init: listen on ldaps:///
daemon_init: 2 listeners to open...
ldap_url_parse_ext(ldap://)
daemon: initialized ldap://
ldap_url_parse_ext(ldaps:///)
daemon: initialized ldaps:///
daemon_init: 4 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
bdb_initialize: initialize BDB backend
bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002)
>>> dnNormalize: <cn=Subschema>
=> ldap_bv2dn(cn=Subschema,0)
<= ldap_bv2dn(cn=Subschema,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=subschema,272)=0
<<< dnNormalize: <cn=subschema>
/etc/openldap/slapd.conf: line 15: schema checking disabled! your mileage may vary!
bdb_db_init: Initializing BDB database
>>> dnPrettyNormal: <dc=lat>
=> ldap_bv2dn(dc=lat,0)
<= ldap_bv2dn(dc=lat,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=lat,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=lat,272)=0
<<< dnPrettyNormal: <dc=lat>, <dc=lat>
>>> dnNormalize: <cn=admin,dc=lat>
=> ldap_bv2dn(cn=admin,dc=lat,0)
<= ldap_bv2dn(cn=admin,dc=lat,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=admin,dc=lat,272)=0
<<< dnNormalize: <cn=admin,dc=lat>
ldap_url_parse_ext(ldap://wum.lat)
matching_rule_use_init
1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( primaryGroupID $ rid $ pwdMustChange $ pwdCanChange $ kickoffTime $ logoffTime $ logonTime $ pwdLastSet $ oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) )
1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: ( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( primaryGroupID $ rid $ pwdMustChange $ pwdCanChange $ kickoffTime $ logoffTime $ logonTime $ pwdLastSet $ oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) )
1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( apple-preset-user-is-admin $ apple-config-realname $ apple-data-stamp $ apple-password-server-location $ apple-printer-attributes $ mountPassNo $ mountDumpFrequency $ mountOption $ mountType $ apple-machine-serves $ apple-machine-hardware $ apple-machine-software $ apple-group-homeowner $ apple-group-homeurl $ apple-user-homesoftquota $ apple-user-homequota $ apple-user-class $ apple-user-homeurl $ domain $ smbHome $ userWorkstations $ profilePath $ scriptPath $ homeDrive $ acctFlags $ ntPassword $ lmPassword $ rfc822MailMember $ mailRoutingAddress $ mailHost $ mailLocalAddress $ nisMapEntry $ bootFile $ macAddress $ ipNetmaskNumber $ ipNetworkNumber $ ipHostNumber $ memberNisNetgroup $ memberUid $ loginShell $ gecos $ janetMailbox $ cNAMERecord $ sOARecord $ nSRecord $ mXRecord $ mDRecord $ aRecord $ email $ associatedDomain $ dc $ mail $ altServer ) )
1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( apple-preset-user-is-admin $ apple-config-realname $ apple-data-stamp $ apple-password-server-location $ apple-printer-attributes $ mountPassNo $ mountDumpFrequency $ mountOption $ mountType $ apple-machine-serves $ apple-machine-hardware $ apple-machine-software $ apple-group-homeowner $ apple-group-homeurl $ apple-user-homesoftquota $ apple-user-homequota $ apple-user-class $ apple-user-homeurl $ domain $ smbHome $ userWorkstations $ profilePath $ scriptPath $ homeDrive $ acctFlags $ ntPassword $ lmPassword $ rfc822MailMember $ mailRoutingAddress $ mailHost $ mailLocalAddress $ nisMapEntry $ bootFile $ macAddress $ ipNetmaskNumber $ ipNetworkNumber $ ipHostNumber $ memberNisNetgroup $ memberUid $ loginShell $ gecos $ janetMailbox $ cNAMERecord $ sOARecord $ nSRecord $ mXRecord $ mDRecord $ aRecord $ email $ associatedDomain $ dc $ mail $ altServer ) )
2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES ( cACertificate $ userCertificate ) )
2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedApplicationContext $ ldapSyntaxes $ matchingRuleUse $ objectClasses $ attributeTypes $ matchingRules $ supportedFeatures $ supportedExtension $ supportedControl $ structuralObjectClass $ objectClass ) )
2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( primaryGroupID $ rid $ pwdMustChange $ pwdCanChange $ kickoffTime $ logoffTime $ logonTime $ pwdLastSet $ oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) )
2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES ( modifyTimestamp $ createTimestamp ) )
2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24 NAME 'protocolInformationMatch' APPLIES protocolInformation )
2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME 'uniqueMemberMatch' APPLIES uniqueMember )
2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22 NAME 'presentationAddressMatch' APPLIES presentationAddress )
2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME 'telephoneNumberMatch' APPLIES ( pager $ mobile $ homePhone $ telephoneNumber ) )
2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME 'octetStringMatch' APPLIES userPassword )
2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME 'bitStringMatch' APPLIES x500UniqueIdentifier )
2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch' APPLIES ( primaryGroupID $ rid $ pwdMustChange $ pwdCanChange $ kickoffTime $ logoffTime $ logonTime $ pwdLastSet $ oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) )
2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch' APPLIES hasSubordinates )
2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME 'caseIgnoreListMatch' APPLIES ( homePostalAddress $ registeredAddress $ postalAddress ) )
2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME 'numericStringMatch' APPLIES ( internationaliSDNNumber $ x121Address ) )
2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' APPLIES ( dnQualifier $ destinationIndicator $ serialNumber ) )
2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME 'caseExactOrderingMatch' APPLIES ( dnQualifier $ destinationIndicator $ serialNumber ) )
2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME 'caseExactMatch' APPLIES ( apple-dns-nameserver $ apple-dns-domain $ apple-kdc-configdata $ apple-kdc-authkey $ apple-ldap-writable-replica $ apple-ldap-replica $ apple-password-server-list $ apple-xmlplist $ apple-computer-list-groups $ apple-computers $ apple-realname $ apple-printer-note $ apple-printer-type $ apple-printer-lprqueue $ apple-printer-lprhost $ mountDirectory $ apple-machine-suffix $ apple-group-realname $ apple-generateduid $ apple-keyword $ apple-user-passwordpolicy $ apple-user-authenticationhint $ apple-user-adminlimits $ apple-user-printattribute $ apple-user-picture $ apple-mcxsettings $ apple-mcxflags $ apple-user-mailattribute $ preferredLanguage $ employeeType $ employeeNumber $ displayName $ departmentNumber $ carLicense $ nisMapName $ ipServiceProtocol $ homeDirectory $ documentPublisher $ buildingName $ organizationalStatus $ uniqueIdentifier $ co $ personalTitle $ documentLocation $ documentVersion $ documentTitle $ documentIdentifier $ host $ userClass $ roomNumber $ drink $ info $ textEncodedORAddress $ uid $ labeledURI $ dmdName $ houseIdentifier $ dnQualifier $ generationQualifier $ initials $ givenName $ destinationIndicator $ physicalDeliveryOfficeName $ postOfficeBox $ postalCode $ businessCategory $ description $ title $ ou $ o $ street $ st $ l $ c $ serialNumber $ sn $ knowledgeInformation $ authAuthority $ cn $ name $ ref $ vendorVersion $ vendorName $ supportedSASLMechanisms ) )
2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( dnQualifier $ destinationIndicator $ serialNumber ) )
2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( apple-dns-nameserver $ apple-dns-domain $ apple-kdc-configdata $ apple-kdc-authkey $ apple-ldap-writable-replica $ apple-ldap-replica $ apple-password-server-list $ apple-xmlplist $ apple-computer-list-groups $ apple-computers $ apple-realname $ apple-printer-note $ apple-printer-type $ apple-printer-lprqueue $ apple-printer-lprhost $ mountDirectory $ apple-machine-suffix $ apple-group-realname $ apple-generateduid $ apple-keyword $ apple-user-passwordpolicy $ apple-user-authenticationhint $ apple-user-adminlimits $ apple-user-printattribute $ apple-user-picture $ apple-mcxsettings $ apple-mcxflags $ apple-user-mailattribute $ preferredLanguage $ employeeType $ employeeNumber $ displayName $ departmentNumber $ carLicense $ nisMapName $ ipServiceProtocol $ homeDirectory $ documentPublisher $ buildingName $ organizationalStatus $ uniqueIdentifier $ co $ personalTitle $ documentLocation $ documentVersion $ documentTitle $ documentIdentifier $ host $ userClass $ roomNumber $ drink $ info $ textEncodedORAddress $ uid $ labeledURI $ dmdName $ houseIdentifier $ dnQualifier $ generationQualifier $ initials $ givenName $ destinationIndicator $ physicalDeliveryOfficeName $ postOfficeBox $ postalCode $ businessCategory $ description $ title $ ou $ o $ street $ st $ l $ c $ serialNumber $ sn $ knowledgeInformation $ authAuthority $ cn $ name $ ref $ vendorVersion $ vendorName $ supportedSASLMechanisms ) )
2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( dITRedirect $ associatedName $ secretary $ documentAuthor $ manager $ seeAlso $ roleOccupant $ owner $ member $ distinguishedName $ aliasedObjectName $ namingContexts $ subschemaSubentry $ modifiersName $ creatorsName ) )
2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedApplicationContext $ supportedFeatures $ supportedExtension $ supportedControl $ structuralObjectClass $ objectClass ) )
slapd startup: initiated.
bdb_db_open: dc=lat
bdb_db_open: dbenv_open(/var/db/openldap/openldap-data)
slapd starting
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ber_scanf fmt (m) ber:
connection_get(15)
connection_get(15): got connid=0
connection_read(15): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 16 03 01 00 4c 01 00 00 48 03 01 ....L...H..
tls_read: want=70, got=70
0000: 3f f2 76 da ed 69 40 4d 29 17 ac 8c e4 64 de ba ?.v..i@M)....d..
0010: cc ee 45 57 3d 1c 4f 9a c7 47 39 e4 0b 62 29 30 ..EW=.O..G9..b)0
0020: 00 00 18 00 33 00 16 00 39 00 2f 00 0a 00 35 00 ....3...9./...5.
0030: 05 00 04 00 32 00 13 00 38 00 66 02 01 00 00 06 ....2...8.f.....
0040: 00 00 00 02 00 00 ......
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
tls_write: want=1214, written=1214
0000: 16 03 01 00 4a 02 00 00 46 03 01 3f f2 76 d9 c3 ....J...F..?.v..
0010: 18 89 0e 77 3b f5 d2 63 87 e4 6e 0e cd 59 68 dc ...w;..c..n..Yh.
0020: 33 18 d3 2d a6 d9 64 9b f4 b5 2c 20 1b d3 9f 4c 3..-..d..., ...L
0030: 36 b2 21 d9 12 69 2b f3 ea 6f 6f e1 bd ba 92 37 6.!..i+..oo....7
0040: 66 72 50 49 93 64 23 4a 2c b5 f5 bc 00 2f 00 16 frPI.d#J,..../..
0050: 03 01 04 46 0b 00 04 42 00 04 3f 00 02 3c 30 82 ...F...B..?..<0.
0060: 02 38 30 82 01 a1 a0 03 02 01 02 02 01 03 30 0d .80...........0.
0070: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 0e 31 ..*.H........0.1
0080: 0c 30 0a 06 03 55 04 0a 13 03 64 61 72 30 1e 17 .0...U....dar0..
0090: 0d 30 33 31 32 33 31 30 35 30 34 32 30 5a 17 0d .031231050420Z..
00a0: 30 34 31 32 33 30 30 35 30 34 32 30 5a 30 20 31 041230050420Z0 1
00b0: 0c 30 0a 06 03 55 04 0a 13 03 64 61 72 31 10 30 .0...U....dar1.0
00c0: 0e 06 03 55 04 03 13 07 66 69 73 2e 6c 61 74 30 ...U....fis.lat0
00d0: 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 ..0...*.H.......
00e0: 00 03 81 8d 00 30 81 89 02 81 81 00 e2 46 b8 03 .....0.......F..
00f0: d6 2a 98 31 40 9f 48 f2 de 2f b7 53 7f 21 cb ba .*.1@.H../.S.!..
0100: d2 c4 b1 9d db 72 48 b6 7a 0f f6 e2 f9 2b 97 58 .....rH.z....+.X
0110: 65 03 b0 7c 2a 6a 30 15 3f fd 8e 44 8f 1e 0a 50 e..|*j0.?..D...P
0120: ca d2 95 a5 96 8b 97 c5 d1 50 6c 7a b6 e8 cf 63 .........Plz...c
0130: f7 27 70 4b 93 d8 7a 3f 0b 4b de 10 aa 29 31 25 .'pK..z?.K...)1%
0140: bd b0 15 b3 af 44 92 38 17 79 ff 16 ad 29 9b 40 .....D.8.y...).@
0150: 5d 60 fe 2a ed 62 16 78 1b af 02 ed 30 5e ad 95 ]`.*.b.x....0^..
0160: fe 80 12 e5 88 f7 8f 96 ff 0b c7 99 02 03 01 00 ................
0170: 01 a3 81 93 30 81 90 30 09 06 03 55 1d 13 04 02 ....0..0...U....
0180: 30 00 30 2c 06 09 60 86 48 01 86 f8 42 01 0d 04 0.0,..`.H...B...
0190: 1f 16 1d 4f 70 65 6e 53 53 4c 20 47 65 6e 65 72 ...OpenSSL Gener
01a0: 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 65 ated Certificate
01b0: 30 1d 06 03 55 1d 0e 04 16 04 14 4b 74 e3 35 09 0...U......Kt.5.
01c0: ad e3 1d a0 8d f1 0e 18 72 c1 24 ef e9 86 60 30 ........r.$...`0
01d0: 36 06 03 55 1d 23 04 2f 30 2d 80 14 f0 69 81 14 6..U.#./0-...i..
01e0: 20 ea ad 97 9a 6e ba 86 31 ed 9b 52 5d 12 91 b7 ....n..1..R]...
01f0: a1 12 a4 10 30 0e 31 0c 30 0a 06 03 55 04 0a 13 ....0.1.0...U...
0200: 03 64 61 72 82 01 00 30 0d 06 09 2a 86 48 86 f7 .dar...0...*.H..
0210: 0d 01 01 04 05 00 03 81 81 00 29 12 db 96 ef 86 ..........).....
0220: 40 57 8f 08 60 31 2e 1b 60 60 74 81 37 04 db e9 @W..`1..``t.7...
0230: f0 62 6a ab cc 45 83 51 6f e0 1f b8 d2 34 e9 50 .bj..E.Qo....4.P
0240: 75 03 19 bd 4c 43 6a 39 a9 c1 b4 7c 34 d5 c6 ee u...LCj9...|4...
0250: 9c ed 30 97 fd dd ef 1a 32 fb 1b d0 d1 4e df 92 ..0.....2....N..
0260: 86 3a cd 18 35 75 e6 69 d4 91 91 1b a0 93 44 66 .:..5u.i......Df
0270: 08 39 8f 79 8a 40 80 25 ee 23 43 3c 2d bd 1a 94 .9.y.@.%.#C<-...
0280: df b7 20 7a 29 06 9e de d3 9a ab 05 78 9c f3 43 .. z).......x..C
0290: 24 46 fe 35 51 04 a5 f1 5d fd 00 01 fd 30 82 01 $F.5Q...]....0..
02a0: f9 30 82 01 62 a0 03 02 01 02 02 01 00 30 0d 06 .0..b........0..
02b0: 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 0e 31 0c .*.H........0.1.
02c0: 30 0a 06 03 55 04 0a 13 03 64 61 72 30 1e 17 0d 0...U....dar0...
02d0: 30 33 31 32 32 38 30 30 34 31 33 30 5a 17 0d 30 031228004130Z..0
02e0: 34 31 32 32 37 30 30 34 31 33 30 5a 30 0e 31 0c 41227004130Z0.1.
02f0: 30 0a 06 03 55 04 0a 13 03 64 61 72 30 81 9f 30 0...U....dar0..0
0300: 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 ...*.H..........
0310: 8d 00 30 81 89 02 81 81 00 c7 e8 87 e1 90 39 49 ..0...........9I
0320: 3b 82 de 5d 17 4f d0 e0 6e 9c 44 fe de 73 39 ee ;..].O..n.D..s9.
0330: 9f d9 19 bd f0 fb 5d c4 a5 ba 4f 9b 14 49 7b 65 ......]...O..I{e
0340: c1 84 ca d7 34 95 1a 2e d3 4c 4b 55 16 51 7d ab ....4....LKU.Q}.
0350: 9c 88 73 0a 00 69 92 1a 14 6f c3 24 52 2b 66 e9 ..s..i...o.$R+f.
0360: 70 e5 42 f4 9d c2 2f a6 80 aa 7b c1 1a e2 c4 6a p.B.../...{....j
0370: 00 d5 cb e3 6c e6 ad bb af c1 d1 f5 68 e7 a2 ea ....l.......h...
0380: 30 2d 5e 74 a6 84 e6 f8 50 f4 82 4f dc 14 6c b6 0-^t....P..O..l.
0390: d3 c6 29 2e d7 6e 8f 86 41 02 03 01 00 01 a3 67 ..)..n..A......g
03a0: 30 65 30 1d 06 03 55 1d 0e 04 16 04 14 f0 69 81 0e0...U.......i.
03b0: 14 20 ea ad 97 9a 6e ba 86 31 ed 9b 52 5d 12 91 . ....n..1..R]..
03c0: b7 30 36 06 03 55 1d 23 04 2f 30 2d 80 14 f0 69 .06..U.#./0-...i
03d0: 81 14 20 ea ad 97 9a 6e ba 86 31 ed 9b 52 5d 12 .. ....n..1..R].
03e0: 91 b7 a1 12 a4 10 30 0e 31 0c 30 0a 06 03 55 04 ......0.1.0...U.
03f0: 0a 13 03 64 61 72 82 01 00 30 0c 06 03 55 1d 13 ...dar...0...U..
0400: 04 05 30 03 01 01 ff 30 0d 06 09 2a 86 48 86 f7 ..0....0...*.H..
0410: 0d 01 01 04 05 00 03 81 81 00 78 e9 4e 98 d7 ea ..........x.N...
0420: 71 c6 f4 8b e3 cb f5 6e 2a 4c a9 65 1c f5 38 98 q......n*L.e..8.
0430: 09 bd b4 83 fb e7 ea 3c f5 52 81 17 6e fc 94 a1 .......<.R..n...
0440: e9 4c 52 25 8e 96 7f f7 71 42 17 f4 18 93 38 81 .LR%....qB....8.
0450: 89 3a e6 7c 79 9e 36 94 5f 0c 51 bb d0 c5 4c 0f .:.|y.6._.Q...L.
0460: c4 d6 00 0d 28 7e 13 52 ec 3e 8a a9 8e f6 dc 5a ....(~.R.>.....Z
0470: a6 9d 6f 58 53 e4 42 dd e9 e5 52 c1 d0 bb 30 58 ..oXS.B...R...0X
0480: e8 f6 02 da 6a ed 3b 89 1d af 32 c3 8f 2a 97 06 ....j.;...2..*..
0490: c8 af ee 46 ab 3c 00 81 42 b2 16 03 01 00 1f 0d ...F.<..B.......
04a0: 00 00 17 02 01 02 00 12 00 10 30 0e 31 0c 30 0a ..........0.1.0.
04b0: 06 03 55 04 0a 13 03 64 61 72 0e 00 00 00 ..U....dar....
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
0000: 16 03 01 00 07 .....
tls_read: want=7, got=7
0000: 0b 00 00 03 00 00 00 .......
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 28 ......(
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:1976
connection_read(15): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=15 for close
connection_close: conn=0 sd=15


On the client, "ldapsearch -d 7 -x -H "ldaps://fis.lat" -s base -b "" supportedSASLMechanisms":

ldap_create
ldap_url_parse_ext(ldaps://fis.lat)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP fis.lat:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.24.106:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_is_socket_ready: error on socket 3: errno: 113 (No route to host)
ldap_close_socket: 3
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.179.43:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=fis.lat
tls_write: want=81, written=81
0000: 16 03 01 00 4c 01 00 00 48 03 01 3f f2 76 da ed ....L...H..?.v..
0010: 69 40 4d 29 17 ac 8c e4 64 de ba cc ee 45 57 3d i@M)....d....EW=
0020: 1c 4f 9a c7 47 39 e4 0b 62 29 30 00 00 18 00 33 .O..G9..b)0....3
0030: 00 16 00 39 00 2f 00 0a 00 35 00 05 00 04 00 32 ...9./...5.....2
0040: 00 13 00 38 00 66 02 01 00 00 06 00 00 00 02 00 ...8.f..........
0050: 00 .
tls_read: want=5, got=5
0000: 16 03 01 00 4a ....J
tls_read: want=74, got=74
0000: 02 00 00 46 03 01 3f f2 76 d9 c3 18 89 0e 77 3b ...F..?.v.....w;
0010: f5 d2 63 87 e4 6e 0e cd 59 68 dc 33 18 d3 2d a6 ..c..n..Yh.3..-.
0020: d9 64 9b f4 b5 2c 20 1b d3 9f 4c 36 b2 21 d9 12 .d..., ...L6.!..
0030: 69 2b f3 ea 6f 6f e1 bd ba 92 37 66 72 50 49 93 i+..oo....7frPI.
0040: 64 23 4a 2c b5 f5 bc 00 2f 00 d#J,..../.
tls_read: want=5, got=5
0000: 16 03 01 04 46 ....F
tls_read: want=1094, got=1094
0000: 0b 00 04 42 00 04 3f 00 02 3c 30 82 02 38 30 82 ...B..?..<0..80.
0010: 01 a1 a0 03 02 01 02 02 01 03 30 0d 06 09 2a 86 ..........0...*.
0020: 48 86 f7 0d 01 01 04 05 00 30 0e 31 0c 30 0a 06 H........0.1.0..
0030: 03 55 04 0a 13 03 64 61 72 30 1e 17 0d 30 33 31 .U....dar0...031
0040: 32 33 31 30 35 30 34 32 30 5a 17 0d 30 34 31 32 231050420Z..0412
0050: 33 30 30 35 30 34 32 30 5a 30 20 31 0c 30 0a 06 30050420Z0 1.0..
0060: 03 55 04 0a 13 03 64 61 72 31 10 30 0e 06 03 55 .U....dar1.0...U
0070: 04 03 13 07 66 69 73 2e 6c 61 74 30 81 9f 30 0d ....fis.lat0..0.
0080: 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d ..*.H...........
0090: 00 30 81 89 02 81 81 00 e2 46 b8 03 d6 2a 98 31 .0.......F...*.1
00a0: 40 9f 48 f2 de 2f b7 53 7f 21 cb ba d2 c4 b1 9d @.H../.S.!......
00b0: db 72 48 b6 7a 0f f6 e2 f9 2b 97 58 65 03 b0 7c .rH.z....+.Xe..|
00c0: 2a 6a 30 15 3f fd 8e 44 8f 1e 0a 50 ca d2 95 a5 *j0.?..D...P....
00d0: 96 8b 97 c5 d1 50 6c 7a b6 e8 cf 63 f7 27 70 4b .....Plz...c.'pK
00e0: 93 d8 7a 3f 0b 4b de 10 aa 29 31 25 bd b0 15 b3 ..z?.K...)1%....
00f0: af 44 92 38 17 79 ff 16 ad 29 9b 40 5d 60 fe 2a .D.8.y...).@]`.*
0100: ed 62 16 78 1b af 02 ed 30 5e ad 95 fe 80 12 e5 .b.x....0^......
0110: 88 f7 8f 96 ff 0b c7 99 02 03 01 00 01 a3 81 93 ................
0120: 30 81 90 30 09 06 03 55 1d 13 04 02 30 00 30 2c 0..0...U....0.0,
0130: 06 09 60 86 48 01 86 f8 42 01 0d 04 1f 16 1d 4f ..`.H...B......O
0140: 70 65 6e 53 53 4c 20 47 65 6e 65 72 61 74 65 64 penSSL Generated
0150: 20 43 65 72 74 69 66 69 63 61 74 65 30 1d 06 03 Certificate0...
0160: 55 1d 0e 04 16 04 14 4b 74 e3 35 09 ad e3 1d a0 U......Kt.5.....
0170: 8d f1 0e 18 72 c1 24 ef e9 86 60 30 36 06 03 55 ....r.$...`06..U
0180: 1d 23 04 2f 30 2d 80 14 f0 69 81 14 20 ea ad 97 .#./0-...i.. ...
0190: 9a 6e ba 86 31 ed 9b 52 5d 12 91 b7 a1 12 a4 10 .n..1..R].......
01a0: 30 0e 31 0c 30 0a 06 03 55 04 0a 13 03 64 61 72 0.1.0...U....dar
01b0: 82 01 00 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 ...0...*.H......
01c0: 05 00 03 81 81 00 29 12 db 96 ef 86 40 57 8f 08 ......).....@W..
01d0: 60 31 2e 1b 60 60 74 81 37 04 db e9 f0 62 6a ab `1..``t.7....bj.
01e0: cc 45 83 51 6f e0 1f b8 d2 34 e9 50 75 03 19 bd .E.Qo....4.Pu...
01f0: 4c 43 6a 39 a9 c1 b4 7c 34 d5 c6 ee 9c ed 30 97 LCj9...|4.....0.
0200: fd dd ef 1a 32 fb 1b d0 d1 4e df 92 86 3a cd 18 ....2....N...:..
0210: 35 75 e6 69 d4 91 91 1b a0 93 44 66 08 39 8f 79 5u.i......Df.9.y
0220: 8a 40 80 25 ee 23 43 3c 2d bd 1a 94 df b7 20 7a .@.%.#C<-..... z
0230: 29 06 9e de d3 9a ab 05 78 9c f3 43 24 46 fe 35 ).......x..C$F.5
0240: 51 04 a5 f1 5d fd 00 01 fd 30 82 01 f9 30 82 01 Q...]....0...0..
0250: 62 a0 03 02 01 02 02 01 00 30 0d 06 09 2a 86 48 b........0...*.H
0260: 86 f7 0d 01 01 04 05 00 30 0e 31 0c 30 0a 06 03 ........0.1.0...
0270: 55 04 0a 13 03 64 61 72 30 1e 17 0d 30 33 31 32 U....dar0...0312
0280: 32 38 30 30 34 31 33 30 5a 17 0d 30 34 31 32 32 28004130Z..04122
0290: 37 30 30 34 31 33 30 5a 30 0e 31 0c 30 0a 06 03 7004130Z0.1.0...
02a0: 55 04 0a 13 03 64 61 72 30 81 9f 30 0d 06 09 2a U....dar0..0...*
02b0: 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 .H............0.
02c0: 89 02 81 81 00 c7 e8 87 e1 90 39 49 3b 82 de 5d ..........9I;..]
02d0: 17 4f d0 e0 6e 9c 44 fe de 73 39 ee 9f d9 19 bd .O..n.D..s9.....
02e0: f0 fb 5d c4 a5 ba 4f 9b 14 49 7b 65 c1 84 ca d7 ..]...O..I{e....
02f0: 34 95 1a 2e d3 4c 4b 55 16 51 7d ab 9c 88 73 0a 4....LKU.Q}...s.
0300: 00 69 92 1a 14 6f c3 24 52 2b 66 e9 70 e5 42 f4 .i...o.$R+f.p.B.
0310: 9d c2 2f a6 80 aa 7b c1 1a e2 c4 6a 00 d5 cb e3 ../...{....j....
0320: 6c e6 ad bb af c1 d1 f5 68 e7 a2 ea 30 2d 5e 74 l.......h...0-^t
0330: a6 84 e6 f8 50 f4 82 4f dc 14 6c b6 d3 c6 29 2e ....P..O..l...).
0340: d7 6e 8f 86 41 02 03 01 00 01 a3 67 30 65 30 1d .n..A......g0e0.
0350: 06 03 55 1d 0e 04 16 04 14 f0 69 81 14 20 ea ad ..U.......i.. ..
0360: 97 9a 6e ba 86 31 ed 9b 52 5d 12 91 b7 30 36 06 ..n..1..R]...06.
0370: 03 55 1d 23 04 2f 30 2d 80 14 f0 69 81 14 20 ea .U.#./0-...i.. .
0380: ad 97 9a 6e ba 86 31 ed 9b 52 5d 12 91 b7 a1 12 ...n..1..R].....
0390: a4 10 30 0e 31 0c 30 0a 06 03 55 04 0a 13 03 64 ..0.1.0...U....d
03a0: 61 72 82 01 00 30 0c 06 03 55 1d 13 04 05 30 03 ar...0...U....0.
03b0: 01 01 ff 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 ...0...*.H......
03c0: 05 00 03 81 81 00 78 e9 4e 98 d7 ea 71 c6 f4 8b ......x.N...q...
03d0: e3 cb f5 6e 2a 4c a9 65 1c f5 38 98 09 bd b4 83 ...n*L.e..8.....
03e0: fb e7 ea 3c f5 52 81 17 6e fc 94 a1 e9 4c 52 25 ...<.R..n....LR%
03f0: 8e 96 7f f7 71 42 17 f4 18 93 38 81 89 3a e6 7c ....qB....8..:.|
0400: 79 9e 36 94 5f 0c 51 bb d0 c5 4c 0f c4 d6 00 0d y.6._.Q...L.....
0410: 28 7e 13 52 ec 3e 8a a9 8e f6 dc 5a a6 9d 6f 58 (~.R.>.....Z..oX
0420: 53 e4 42 dd e9 e5 52 c1 d0 bb 30 58 e8 f6 02 da S.B...R...0X....
0430: 6a ed 3b 89 1d af 32 c3 8f 2a 97 06 c8 af ee 46 j.;...2..*.....F
0440: ab 3c 00 81 42 b2 .<..B.
tls_read: want=5, got=5
0000: 16 03 01 00 1f .....
tls_read: want=31, got=31
0000: 0d 00 00 17 02 01 02 00 12 00 10 30 0e 31 0c 30 ...........0.1.0
0010: 0a 06 03 55 04 0a 13 03 64 61 72 0e 00 00 00 ...U....dar....
tls_write: want=12, written=12
0000: 16 03 01 00 07 0b 00 00 03 00 00 00 ............
tls_write: want=139, written=139
0000: 16 03 01 00 86 10 00 00 82 00 80 38 83 97 1e b4 ...........8....
0010: 53 73 a5 75 6b 78 39 93 06 b5 37 dc 3a 93 11 2c Ss.ukx9...7.:..,
0020: f4 7f fc 40 b0 3f c8 94 96 6f 20 ed 84 5a ed 49 ...@.?...o ..Z.I
0030: ee bb f2 69 f1 81 96 49 c3 29 de 7d b3 82 91 e0 ...i...I.).}....
0040: 14 72 dd 7d 55 3c cc 09 f1 92 44 0f 30 47 49 ff .r.}U<....D.0GI.
0050: 80 34 88 17 cb fc ce dc 4b e9 f5 a1 59 3a bc 17 .4......K...Y:..
0060: 46 62 da 6c 8f e0 28 07 e1 8a 93 8f 32 53 28 b8 Fb.l..(.....2S(.
0070: c7 8a 18 61 85 9b 37 91 cc 38 9f f4 fa e8 c6 17 ...a..7..8......
0080: 7a 8c dd f0 b1 87 9c 99 77 a5 69 z.......w.i
tls_write: want=6, written=6
0000: 14 03 01 00 01 01 ......
tls_write: want=69, written=69
0000: 16 03 01 00 40 37 d7 b8 a7 b6 c9 78 2a 98 09 26 ....@7.....x*..&
0010: e5 8b 94 fe 6c 9a b9 47 94 f4 f3 71 3c dd 21 8c ....l..G...q<.!.
0020: 56 2d 3d 3d f9 62 8b 92 f6 54 97 dc 80 a3 25 ea V-==.b...T....%.
0030: 79 74 b5 e3 0e 10 5b 86 55 de 19 f7 87 78 7d f6 yt....[.U....x}.
0040: 7c 41 fc 87 63 |A..c
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 28 .(
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (81)
additional info: A TLS fatal alert has been received.


I don't understand ... What's wrong?

Thanks again,

Jack

On Dec 29, 2003, at 8:57 AM, Kurt D. Zeilenga wrote:

At 08:25 AM 12/29/2003, Dieter Kluenter wrote:
ms419@freezone.co.uk writes:

I've successfully installed and configured openLDAP with TLS
support. I am trying to authenticate using the SASL EXTERNAL
mechanism, as described in the Administrator's Guide. I can use TLS,
but can't authenticate using EXTERNAL.

ldapsearch -x -H "ldaps://ldap" -s base -b "" supportedSASLMechanisms
[...]

How do I make the EXTERNAL mechanism available?

You have to initiate starttls by using the flag -Z ldapsearch -Y EXTERNAL -ZZ -b "" -s base supportedSASLMechanisms

While -Z indicates to client to use the LDAP Start TLS operation to initiate TLS (SSL), one can also use -H ldaps:// to implicitly initiate TLS (SSL) upon TCP connect (if the server has been configured to support ldaps://). See archives for details.

The user's problem is more likely a case of not asserting
the client's certificate.

Kurt