Re: TLS Client auth and ACL's, how to map certs to ACL or LDAP-users?
On Thursday 24 March 2005 07:42, Kurt D. Zeilenga wrote:
Thank you, Kurt, for your answers. I managed to get SASL working with ldapsearch
but not with pam_ldap/nss_ldap.
> At 01:16 PM 3/23/2005, Kimmo Koivisto wrote:
> >Questions:
> >2. How to map TLS client authenticated server to the ACL or LDAP user
> > names so I can give read-write rights to those servers.
>
> If your LDAP client is establishing its credentials via TLS and
> advising the server to use an identity associated with those
> credentials for directory authorization via the SASL EXTERNAL
> mechanism, then one can use this identity directly in server
> ACLs. ldapwhoami(1) is useful to determine what identity the
> server is using for directory authorization purposes.
>
So, it's now working with ldapsearch but not with pam_ldap/nss_ldap:
I configured slapd.conf as follows:
<slapd.conf>
...
TLSCACertificateFile /usr/share/ssl/certs/cacerts.pem
TLSCertificateFile /usr/share/ssl/certs/ldapserver.pub
TLSCertificateKeyFile /usr/share/ssl/ldapserver.priv
security ssf=112 update_ssf=112 simple_bind=112
access to *
by dn="CN=server2.mydomain.fi,O=servers,C=FI" write
by * none
TLSVerifyClient demand
...
</slapd.conf>
and created .ldaprc for root as follows:
<.ldaprc>
URI ldap://server1.mydomain.fi
BASE c=fi
SASL_MECH EXTERNAL
TLS_CACERT /etc/ssl/cacerts.pem
TLS_CERT /etc/certs/server2.pub
TLS_KEY /etc/certs/server2.priv
TLS_REQCERT demand
</.ldaprc>
Now, "ldapwhoami -Z" shows:
# ldapwhoami -Z
SASL/EXTERNAL authentication started
SASL username: CN=server2.mydomain.fi,O=servers,C=FI
SASL SSF: 0
dn:cn=server2.mydomain.fi,o=servers,c=fi
and "ldapsearch -Z uid=kim* uid -LLL" shows:
SASL/EXTERNAL authentication started
SASL username: CN=server2.mydomain.fi,O=servers,C=FI
SASL SSF: 0
dn: uid=kimmok,o=users,c=fi
uid: kimmok
Other TLS-client-enabled servers cannot read LDAP, so the ACL is working :)
But, when I try to log in to server2, pam_ldap tries to authenticate the user
against LDAP but does not use SASL EXTERNAL and gets mapped as anonymous,
which the ACL denies as it should.
I have configured /etc/ldap.conf as follows:
< /etc/ldap.conf>
pam_sasl_mech EXTERNAL
pam_password md5
host server1.mydomain.fi
base c=fi
ssl start_tls
tls_cacertfile /etc/ssl/cacerts.pem
tls_ciphers TLSv1
ssl on
tls_checkpeer yes
tls_cert /etc/certs/server2.pub
tls_key /etc/certs/server2.priv
</ /etc/ldap.conf>
I think this is not an OpenLDAP-related problem anymore, but I'm hoping that
someone would know what I'm doing wrong here. Is /etc/ldap.conf the proper
config file for pam_ldap when using RHEL4 or FC3?
Regards
Kimmo Koivisto
<very long slapd log from pam_ldap connection>
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
do_bind
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=1 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
do_bind: v3 anonymous bind
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
do_search
>>> dnPrettyNormal: <c=fi>
<<< dnPrettyNormal: <c=fi>, <c=fi>
==> limits_get: conn=1 op=1 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("c=fi")
search_candidates: base="c=fi" (0x00000001) scope=2
=> bdb_dn2idl( "c=fi" )
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30990)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read 3 candidates
<= bdb_equality_candidates: id=3, first=6, last=8
=> bdb_equality_candidates (uid)
=> key_read
<= bdb_index_read 1 candidates
<= bdb_equality_candidates: id=1, first=7, last=7
bdb_search_candidates: id=1 first=7 last=7
bdb_search: 7 does not match filter
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
send_ldap_result: conn=1 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
do_search
>>> dnPrettyNormal: <c=fi>
<<< dnPrettyNormal: <c=fi>, <c=fi>
==> limits_get: conn=1 op=2 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("c=fi")
search_candidates: base="c=fi" (0x00000001) scope=2
=> bdb_dn2idl( "c=fi" )
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30990)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read 3 candidates
<= bdb_equality_candidates: id=3, first=6, last=8
=> bdb_equality_candidates (uid)
=> key_read
<= bdb_index_read 1 candidates
<= bdb_equality_candidates: id=1, first=7, last=7
bdb_search_candidates: id=1 first=7 last=7
bdb_search: 7 does not match filter
send_ldap_result: conn=1 op=2 p=3
send_ldap_response: msgid=3 tag=101 err=0
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
do_search
>>> dnPrettyNormal: <c=fi>
<<< dnPrettyNormal: <c=fi>, <c=fi>
==> limits_get: conn=1 op=3 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("c=fi")
search_candidates: base="c=fi" (0x00000001) scope=2
=> bdb_dn2idl( "c=fi" )
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30990)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read 3 candidates
<= bdb_equality_candidates: id=3, first=6, last=8
=> bdb_equality_candidates (uid)
=> key_read
<= bdb_index_read 1 candidates
<= bdb_equality_candidates: id=1, first=7, last=7
bdb_search_candidates: id=1 first=7 last=7
bdb_search: 7 does not match filter
send_ldap_result: conn=1 op=3 p=3
send_ldap_response: msgid=4 tag=101 err=0
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
do_search
>>> dnPrettyNormal: <c=fi>
<<< dnPrettyNormal: <c=fi>, <c=fi>
==> limits_get: conn=1 op=4 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("c=fi")
search_candidates: base="c=fi" (0x00000001) scope=2
=> bdb_dn2idl( "c=fi" )
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30990)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read 3 candidates
<= bdb_equality_candidates: id=3, first=6, last=8
=> bdb_equality_candidates (uid)
=> key_read
<= bdb_index_read 1 candidates
<= bdb_equality_candidates: id=1, first=7, last=7
bdb_search_candidates: id=1 first=7 last=7
bdb_search: 7 does not match filter
send_ldap_result: conn=1 op=4 p=3
send_ldap_response: msgid=5 tag=101 err=0
connection_get(15): got connid=2
connection_read(15): checking for input on id=2
connection_get(15): got connid=2
connection_read(15): checking for input on id=2
connection_get(15): got connid=2
connection_read(15): checking for input on id=2
connection_get(15): got connid=2
connection_read(15): checking for input on id=2
do_bind
ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=2 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
do_bind: v3 anonymous bind
connection_get(15): got connid=2
connection_read(15): checking for input on id=2
do_search
>>> dnPrettyNormal: <c=fi>
<<< dnPrettyNormal: <c=fi>, <c=fi>
==> limits_get: conn=2 op=1 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("c=fi")
search_candidates: base="c=fi" (0x00000001) scope=2
=> bdb_dn2idl( "c=fi" )
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30990)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read 3 candidates
<= bdb_equality_candidates: id=3, first=6, last=8
=> bdb_equality_candidates (uid)
=> key_read
<= bdb_index_read 1 candidates
<= bdb_equality_candidates: id=1, first=7, last=7
bdb_search_candidates: id=1 first=7 last=7
bdb_search: 7 does not match filter
ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
send_ldap_result: conn=2 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
connection_get(15): got connid=2
connection_read(15): checking for input on id=2
ber_get_next on fd 15 failed errno=0 (Success)
connection_read(15): input error=-2 id=2, closing.
connection_closing: readying conn=2 sd=15 for close
connection_close: conn=2 sd=15
connection_get(15): got connid=3
connection_read(15): checking for input on id=3
connection_get(15): got connid=3
connection_read(15): checking for input on id=3
connection_get(15): got connid=3
connection_read(15): checking for input on id=3
connection_get(15): got connid=3
connection_read(15): checking for input on id=3
do_bind
ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=3 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
do_bind: v3 anonymous bind
connection_get(15): got connid=3
connection_read(15): checking for input on id=3
do_search
>>> dnPrettyNormal: <c=fi>
<<< dnPrettyNormal: <c=fi>, <c=fi>
==> limits_get: conn=3 op=1 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("c=fi")
search_candidates: base="c=fi" (0x00000001) scope=2
=> bdb_dn2idl( "c=fi" )
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30990)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (uid)
=> key_read
<= bdb_index_read 1 candidates
<= bdb_equality_candidates: id=1, first=7, last=7
bdb_search_candidates: id=1 first=7 last=7
bdb_search: 7 does not match filter
ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
send_ldap_result: conn=3 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
</end of log>
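The symptom in the log above is that every connection from server2 does a simple bind with an empty DN (method=128, "v3 anonymous bind") and is then authorized as "[anonymous]", so the ACL's `by dn=...` clause never matches. The following script is an added example, not part of the original post: it walks slapd debug output, pairs each connection id with the bind method and the authorization DN reported by limits_get, and lists the connections that ended up anonymous. The sample log is constructed and abbreviated from the post; the method=163 (SASL) line for conn 2 is an assumed illustration of what a working SASL EXTERNAL bind would report, not taken from the original log.

```python
import re
from collections import OrderedDict

# Constructed sample, abbreviated from the slapd debug output quoted in the post.
# conn 1: simple bind with empty DN (method=128) -> authorized as [anonymous].
# conn 2: assumed SASL bind (method=163) whose identity is mapped to the server DN.
SAMPLE_LOG = """\
connection_get(12): got connid=1
do_bind: version=3 dn="" method=128
do_bind: v3 anonymous bind
==> limits_get: conn=1 op=1 dn="[anonymous]"
connection_get(15): got connid=2
do_bind: version=3 dn="" method=163
==> limits_get: conn=2 op=1 dn="cn=server2.mydomain.fi,o=servers,c=fi"
"""

CONN_RE = re.compile(r'^connection_get\(\d+\): got connid=(\d+)')
BIND_RE = re.compile(r'^do_bind: version=\d dn="([^"]*)" method=(\d+)')
AUTHZ_RE = re.compile(r'^==> limits_get: conn=(\d+) op=\d+ dn="([^"]*)"')

# LDAP BindRequest authentication choice tags: simple = 0x80 (128), sasl = 0xa3 (163)
METHODS = {128: "simple", 163: "sasl"}


def _new_conn():
    return {"method": None, "bind_dn": None, "authz_dn": None}


def summarize_binds(log_text):
    """Return {connid: {"method", "bind_dn", "authz_dn"}} in order of first appearance."""
    conns = OrderedDict()
    current = None  # do_bind lines carry no conn id; track it from connection_get
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            current = m.group(1)
            conns.setdefault(current, _new_conn())
            continue
        m = BIND_RE.match(line)
        if m and current is not None:
            conns[current]["bind_dn"] = m.group(1)
            conns[current]["method"] = METHODS.get(int(m.group(2)), "unknown")
            continue
        m = AUTHZ_RE.match(line)
        if m:
            conns.setdefault(m.group(1), _new_conn())["authz_dn"] = m.group(2)
    return conns


def anonymous_connections(log_text):
    """Connection ids whose operations were authorized as [anonymous]."""
    return [c for c, info in summarize_binds(log_text).items()
            if info["authz_dn"] == "[anonymous]"]
```

Run it over a full slapd trace (`slapd -d -1` output) to confirm whether a client that should be using SASL EXTERNAL is really binding that way before looking at the ACL itself.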