
Re: TLS Client auth and ACL's, how to map certs to ACL or LDAP-users?



On Thursday 24 March 2005 07:42, Kurt D. Zeilenga wrote:

Thank you Kurt for your answers, I managed to get SASL working with ldapsearch 
but not with pam_ldap/nss_ldap.

> At 01:16 PM 3/23/2005, Kimmo Koivisto wrote:
> >Questions:
> >2. How to map TLS client authenticated server to the ACL or LDAP user
> > names so I can give read-write rights to those servers.
>
> If your LDAP client is establishing its credentials via TLS and
> advising the server to use an identity associated with those
> credentials for directory authorization via the SASL EXTERNAL
> mechanism, then one can use this identity directly in server
> ACLs.  ldapwhoami(1) is useful to determine what identity the
> server is using for directory authorization purposes.
>
So, it's now working with ldapsearch but not with pam_ldap/nss_ldap:

I configured slapd.conf as follows:
<slapd.conf>
...
TLSCACertificateFile /usr/share/ssl/certs/cacerts.pem
TLSCertificateFile /usr/share/ssl/certs/ldapserver.pub
TLSCertificateKeyFile /usr/share/ssl/ldapserver.priv
security ssf=112 update_ssf=112 simple_bind=112
access to *
 by dn="CN=server2.mydomain.fi,O=servers,C=FI" write
 by * none
TLSVerifyClient demand
...
</slapd.conf>

and created .ldaprc for root as follows:
<.ldaprc>
URI ldap://server1.mydomain.fi
BASE c=fi
SASL_MECH EXTERNAL
TLS_CACERT /etc/ssl/cacerts.pem
TLS_CERT /etc/certs/server2.pub
TLS_KEY /etc/certs/server2.priv
TLS_REQCERT demand
</.ldaprc>

Now, "ldapwhoami -Z" shows:
# ldapwhoami -Z
SASL/EXTERNAL authentication started
SASL username: CN=server2.mydomain.fi,O=servers,C=FI
SASL SSF: 0
dn:cn=server2.mydomain.fi,o=servers,c=fi

and "ldapsearch -Z uid=kim* uid -LLL" shows: 
SASL/EXTERNAL authentication started
SASL username: CN=server2.mydomain.fi,O=servers,C=FI
SASL SSF: 0
dn: uid=kimmok,o=users,c=fi
uid: kimmok
 
Other tls-client-enabled servers cannot read ldap, so ACL is working :)

But, when I try to log in to server2, pam_ldap tries to authenticate the user 
against LDAP but does not use SASL EXTERNAL and gets mapped as anonymous, 
which the ACL denies as it should.

I have configured /etc/ldap.conf as follows:
< /etc/ldap.conf>
pam_sasl_mech EXTERNAL
pam_password md5
host server1.mydomain.fi
base c=fi
ssl start_tls
tls_cacertfile /etc/ssl/cacerts.pem
tls_ciphers TLSv1
ssl on
tls_checkpeer yes
tls_cert /etc/certs/server2.pub
tls_key /etc/certs/server2.priv
</ /etc/ldap.conf>

I think this is not an OpenLDAP related problem anymore, but I'm hoping that 
someone would know what I'm doing wrong here. Is /etc/ldap.conf the proper 
config file for pam_ldap when using RHEL4 or FC3?


Regards
Kimmo Koivisto

<very long slapd log from pam_ldap connection>

connection_get(12): got connid=1
 connection_read(12): checking for input on id=1
 connection_get(12): got connid=1
 connection_read(12): checking for input on id=1
 connection_get(12): got connid=1
 connection_read(12): checking for input on id=1
 connection_get(12): got connid=1
 connection_read(12): checking for input on id=1
 ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
 do_bind
 >>> dnPrettyNormal: <>
 <<< dnPrettyNormal: <>, <>
 do_bind: version=3 dn="" method=128
 send_ldap_result: conn=1 op=0 p=3
 send_ldap_response: msgid=1 tag=97 err=0
 do_bind: v3 anonymous bind
 connection_get(12): got connid=1
 connection_read(12): checking for input on id=1
 do_search
 >>> dnPrettyNormal: <c=fi>
 <<< dnPrettyNormal: <c=fi>, <c=fi>
 ==> limits_get: conn=1 op=1 dn="[anonymous]"
 => bdb_search
 bdb_dn2entry("c=fi")
 search_candidates: base="c=fi" (0x00000001) scope=2
 => bdb_dn2idl( "c=fi" )
 => bdb_equality_candidates (objectClass)
 => key_read
 <= bdb_index_read: failed (-30990)
 <= bdb_equality_candidates: id=0, first=0, last=0
 => bdb_equality_candidates (objectClass)
 => key_read
 <= bdb_index_read 3 candidates
 <= bdb_equality_candidates: id=3, first=6, last=8
 => bdb_equality_candidates (uid)
 => key_read
 <= bdb_index_read 1 candidates
 <= bdb_equality_candidates: id=1, first=7, last=7
 bdb_search_candidates: id=1 first=7 last=7
 bdb_search: 7 does not match filter
 ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
 send_ldap_result: conn=1 op=1 p=3
 send_ldap_response: msgid=2 tag=101 err=0
 connection_get(12): got connid=1
 connection_read(12): checking for input on id=1
 ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
 do_search
 >>> dnPrettyNormal: <c=fi>
 <<< dnPrettyNormal: <c=fi>, <c=fi>
 ==> limits_get: conn=1 op=2 dn="[anonymous]"
 => bdb_search
 bdb_dn2entry("c=fi")
 search_candidates: base="c=fi" (0x00000001) scope=2
 => bdb_dn2idl( "c=fi" )
 => bdb_equality_candidates (objectClass)
 => key_read
 <= bdb_index_read: failed (-30990)
 <= bdb_equality_candidates: id=0, first=0, last=0
 => bdb_equality_candidates (objectClass)
 => key_read
 <= bdb_index_read 3 candidates
 <= bdb_equality_candidates: id=3, first=6, last=8
 => bdb_equality_candidates (uid)
 => key_read
 <= bdb_index_read 1 candidates
 <= bdb_equality_candidates: id=1, first=7, last=7
 bdb_search_candidates: id=1 first=7 last=7
 bdb_search: 7 does not match filter
 send_ldap_result: conn=1 op=2 p=3
 send_ldap_response: msgid=3 tag=101 err=0
 connection_get(12): got connid=1
 connection_read(12): checking for input on id=1
 ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
 do_search
 >>> dnPrettyNormal: <c=fi>
 <<< dnPrettyNormal: <c=fi>, <c=fi>
 ==> limits_get: conn=1 op=3 dn="[anonymous]"
 => bdb_search
 bdb_dn2entry("c=fi")
 search_candidates: base="c=fi" (0x00000001) scope=2
 => bdb_dn2idl( "c=fi" )
 => bdb_equality_candidates (objectClass)
 => key_read
 <= bdb_index_read: failed (-30990)
 <= bdb_equality_candidates: id=0, first=0, last=0
 => bdb_equality_candidates (objectClass)
 => key_read
 <= bdb_index_read 3 candidates
 <= bdb_equality_candidates: id=3, first=6, last=8
 => bdb_equality_candidates (uid)
 => key_read
 <= bdb_index_read 1 candidates
 <= bdb_equality_candidates: id=1, first=7, last=7
 bdb_search_candidates: id=1 first=7 last=7
 bdb_search: 7 does not match filter
 send_ldap_result: conn=1 op=3 p=3
 send_ldap_response: msgid=4 tag=101 err=0
 connection_get(12): got connid=1
 connection_read(12): checking for input on id=1
 ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
 do_search
 >>> dnPrettyNormal: <c=fi>
 <<< dnPrettyNormal: <c=fi>, <c=fi>
 ==> limits_get: conn=1 op=4 dn="[anonymous]"
 => bdb_search
 bdb_dn2entry("c=fi")
 search_candidates: base="c=fi" (0x00000001) scope=2
 => bdb_dn2idl( "c=fi" )
 => bdb_equality_candidates (objectClass)
 => key_read
 <= bdb_index_read: failed (-30990)
 <= bdb_equality_candidates: id=0, first=0, last=0
 => bdb_equality_candidates (objectClass)
 => key_read
 <= bdb_index_read 3 candidates
 <= bdb_equality_candidates: id=3, first=6, last=8
 => bdb_equality_candidates (uid)
 => key_read
 <= bdb_index_read 1 candidates
 <= bdb_equality_candidates: id=1, first=7, last=7
 bdb_search_candidates: id=1 first=7 last=7
 bdb_search: 7 does not match filter
 send_ldap_result: conn=1 op=4 p=3
 send_ldap_response: msgid=5 tag=101 err=0
 connection_get(15): got connid=2
 connection_read(15): checking for input on id=2
 connection_get(15): got connid=2
 connection_read(15): checking for input on id=2
 connection_get(15): got connid=2
 connection_read(15): checking for input on id=2
 connection_get(15): got connid=2
 connection_read(15): checking for input on id=2
 do_bind
 ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
 >>> dnPrettyNormal: <>
 <<< dnPrettyNormal: <>, <>
 do_bind: version=3 dn="" method=128
 send_ldap_result: conn=2 op=0 p=3
 send_ldap_response: msgid=1 tag=97 err=0
 do_bind: v3 anonymous bind
 connection_get(15): got connid=2
 connection_read(15): checking for input on id=2
 do_search
 >>> dnPrettyNormal: <c=fi>
 <<< dnPrettyNormal: <c=fi>, <c=fi>
 ==> limits_get: conn=2 op=1 dn="[anonymous]"
 => bdb_search
 bdb_dn2entry("c=fi")
 search_candidates: base="c=fi" (0x00000001) scope=2
 => bdb_dn2idl( "c=fi" )
 => bdb_equality_candidates (objectClass)
 => key_read
 <= bdb_index_read: failed (-30990)
 <= bdb_equality_candidates: id=0, first=0, last=0
 => bdb_equality_candidates (objectClass)
 => key_read
 <= bdb_index_read 3 candidates
 <= bdb_equality_candidates: id=3, first=6, last=8
 => bdb_equality_candidates (uid)
 => key_read
 <= bdb_index_read 1 candidates
 <= bdb_equality_candidates: id=1, first=7, last=7
 bdb_search_candidates: id=1 first=7 last=7
 bdb_search: 7 does not match filter
 ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
 send_ldap_result: conn=2 op=1 p=3
 send_ldap_response: msgid=2 tag=101 err=0
 connection_get(15): got connid=2
 connection_read(15): checking for input on id=2
 ber_get_next on fd 15 failed errno=0 (Success)
 connection_read(15): input error=-2 id=2, closing.
 connection_closing: readying conn=2 sd=15 for close
 connection_close: conn=2 sd=15
 connection_get(15): got connid=3
 connection_read(15): checking for input on id=3
 connection_get(15): got connid=3
 connection_read(15): checking for input on id=3
 connection_get(15): got connid=3
 connection_read(15): checking for input on id=3
 connection_get(15): got connid=3
 connection_read(15): checking for input on id=3
 do_bind
 ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
 >>> dnPrettyNormal: <>
 <<< dnPrettyNormal: <>, <>
 do_bind: version=3 dn="" method=128
 send_ldap_result: conn=3 op=0 p=3
 send_ldap_response: msgid=1 tag=97 err=0
 do_bind: v3 anonymous bind
 connection_get(15): got connid=3
 connection_read(15): checking for input on id=3
 do_search
 >>> dnPrettyNormal: <c=fi>
 <<< dnPrettyNormal: <c=fi>, <c=fi>
 ==> limits_get: conn=3 op=1 dn="[anonymous]"
 => bdb_search
 bdb_dn2entry("c=fi")
 search_candidates: base="c=fi" (0x00000001) scope=2
 => bdb_dn2idl( "c=fi" )
 => bdb_equality_candidates (objectClass)
 => key_read
 <= bdb_index_read: failed (-30990)
 <= bdb_equality_candidates: id=0, first=0, last=0
 => bdb_equality_candidates (uid)
 => key_read
 <= bdb_index_read 1 candidates
 <= bdb_equality_candidates: id=1, first=7, last=7
 bdb_search_candidates: id=1 first=7 last=7
 bdb_search: 7 does not match filter
 ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
 send_ldap_result: conn=3 op=1 p=3
 send_ldap_response: msgid=2 tag=101 err=0
</end of log>
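As an added illustration (not code from the original post or from OpenLDAP), a small Python parser that walks slapd debug output of the kind quoted above and reports, per connection, which bind method was used and how many operations ran as [anonymous]: that is exactly the symptom here, pam_ldap binding anonymously while ldapsearch authenticates with SASL EXTERNAL. The sample log lines are constructed after the log in this mail; the line with method=163 for a SASL bind is assumed from the LDAP BindRequest tag value, not taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the slapd -d output quoted in the mail above.
# Connection 1 mirrors the pam_ldap behaviour (simple bind, empty DN, searches as
# [anonymous]); connection 2 is an assumed SASL bind (method=163 is the LDAP
# BindRequest "sasl" choice tag) whose authorization DN is the normalized cert DN.
SAMPLE_LOG = """\
connection_get(12): got connid=1
do_bind: version=3 dn="" method=128
send_ldap_result: conn=1 op=0 p=3
do_bind: v3 anonymous bind
==> limits_get: conn=1 op=1 dn="[anonymous]"
==> limits_get: conn=1 op=2 dn="[anonymous]"
connection_get(15): got connid=2
do_bind: version=3 dn="" method=163
==> limits_get: conn=2 op=1 dn="cn=server2.mydomain.fi,o=servers,c=fi"
"""

CONN_RE = re.compile(r'connection_get\((\d+)\): got connid=(\d+)')
BIND_RE = re.compile(r'do_bind: version=(\d+) dn="([^"]*)" method=(\d+)')
LIMITS_RE = re.compile(r'limits_get: conn=(\d+) op=(\d+) dn="([^"]*)"')
METHOD_NAMES = {128: "simple", 163: "sasl"}  # decimal BindRequest choice tags


def audit_binds(log_text):
    """Map connid -> bind method, bind DN, authorization DNs seen, anonymous op count."""
    conns = defaultdict(lambda: {"bind_method": None, "bind_dn": None,
                                 "authz": set(), "anon_ops": 0})
    current = None  # do_bind lines carry no conn id; the preceding connection_get does
    for line in log_text.splitlines():
        line = line.strip()
        if m := CONN_RE.search(line):
            current = int(m.group(2))
        elif (m := BIND_RE.search(line)) and current is not None:
            conns[current]["bind_method"] = METHOD_NAMES.get(int(m.group(3)), m.group(3))
            conns[current]["bind_dn"] = m.group(2)
        elif m := LIMITS_RE.search(line):
            connid, authz_dn = int(m.group(1)), m.group(3)
            conns[connid]["authz"].add(authz_dn)
            if authz_dn == "[anonymous]":
                conns[connid]["anon_ops"] += 1
    return dict(conns)


def anonymous_searchers(log_text):
    """Connection ids that bound simply with an empty DN and then operated as [anonymous]."""
    return sorted(c for c, info in audit_binds(log_text).items()
                  if info["bind_method"] == "simple" and info["bind_dn"] == ""
                  and info["anon_ops"] > 0)
```

Run against a real `slapd -d` capture, the same parser separates clients that reached the ACL as the certificate DN from those that fell back to an anonymous simple bind.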