[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
LDAP binding failure to Active Directory using certificates
Greetings:
I'm wondering if anyone has had any experience with this problem.
I am endevouring to use ldapmodify (from OpenLDAP 2.3) to connect to a
domain controller (named intacta) in our Active Directory forest and
perform account management operations. For this purpose, the bind to the
AD's LDAP must provide credentials of a user with the rights to manage
accounts in the domain in question. I'm attempting to perform the
authentication using certificates generated by a certificate authority
which we have established on a domain controller in the forest root
domain of our AD (not the same domain as the domain where we are trying
to perform account management but is the same forest). The bind account
is named test_account_manager and the user certificate
CSCFForestAccount.cer (listed below) is name mapped to the account.
All domain controllers in the forest have domain controller certificates
distributed to them from the forest's certificate authority.
Below is the content of my .ldaprc file on the Solaris 8 host where I'm
attempting to run ldapmodify. As stated above, the TLS_CERT certificate
is name mapped to the test_account_manager account in the AD. The
account of coarse, has a password but the key file has no access
password as I believe is necessary for the current version of openldap.
TLS_CACERT /u/ctucker/LDAP_Cert/CSCFTrustedCA.pem.cer
TLS_CERT /u/ctucker/LDAP_Cert/CSCFForestAccount.cer
TLS_KEY /u/ctucker/LDAP_Cert/private_test1.pem
TLS_REQCERT demand
Below is the output of an ldapmodify command run on the Solaris 8 host.
When this command is run entries confirming the logon of the
test_account_manager account appear in the security event logs of the
domain controller intacta as a successful logon. This suggests that the
connection was properly authenticated by the certificates for the user
test_account_manager. However, the subsequent binding to LDAP fails with
the error "Authentication method not supported"
Any help with this persistent problem would be greatly appriciated.
Thanks.
Clayton
% ldapmodify -d13 -H ldaps://intacta.cs.uwaterloo.ca/
ldap_create
ldap_url_parse_ext(ldaps://intacta.cs.uwaterloo.ca/)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS:
supportedSASLMechanisms
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP intacta.cs.uwaterloo.ca:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 129.97.152.158:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject:
/DC=ca/DC=uwaterloo/DC=cscf/CN=CSCF Forest CA, issuer:
/DC=ca/DC=uwaterloo/DC=cscf/CN=CSCF Forest CA
TLS certificate verification: depth: 0, err: 0, subject:
/CN=intacta.cs.uwaterloo.ca, issuer: /DC=ca/DC=uwaterloo/DC=cscf/CN=CSCF
Forest CA
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 64 bytes to sd 3
ldap_result ld 30748 msgid 1
ldap_chkResponseList ld 30748 msgid 1 all 1
ldap_chkResponseList returns ld 30748 NULL
wait4msg ld 30748 msgid 1 (infinite timeout)
wait4msg continue ld 30748 msgid 1 all 1
** ld 30748 Connections:
* host: intacta.cs.uwaterloo.ca port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Jul 10 09:50:43 2008
** ld 30748 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 30748 Response Queue:
Empty
ldap_chkResponseList ld 30748 msgid 1 all 1
ldap_chkResponseList returns ld 30748 NULL
ldap_int_select
read1msg: ld 30748 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 96 contents:
read1msg: ld 30748 msgid 1 message type search-entry
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 30748 msgid 1 message type search-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 30748 0 new referrals
read1msg: mark request completed, ld 30748 msgid 1
request done: ld 30748 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
adding response ld 30748 msgid 1 type 101:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt ([v]) ber:
ldap_msgfree
ldap_sasl_interactive_bind_s: server supports: GSSAPI GSS-SPNEGO
EXTERNAL DIGEST-MD5
ldap_int_sasl_bind: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
ldap_int_sasl_open: host=intacta.cs.uwaterloo.ca
=> ldap_dn2bv(16)
<= ldap_dn2bv(CN=test_account_manager,OU=Test
User,OU=Unassigned,DC=cs,DC=uwaterloo,DC=ca)=0
SASL/EXTERNAL authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 26 bytes to sd 3
ldap_result ld 30748 msgid 2
ldap_chkResponseList ld 30748 msgid 2 all 1
ldap_chkResponseList returns ld 30748 NULL
wait4msg ld 30748 msgid 2 (infinite timeout)
wait4msg continue ld 30748 msgid 2 all 1
** ld 30748 Connections:
* host: intacta.cs.uwaterloo.ca port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Jul 10 09:50:43 2008
** ld 30748 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
** ld 30748 Response Queue:
Empty
ldap_chkResponseList ld 30748 msgid 2 all 1
ldap_chkResponseList returns ld 30748 NULL
ldap_int_select
read1msg: ld 30748 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 103 contents:
read1msg: ld 30748 msgid 2 message type bind
ber_scanf fmt ({eaa) ber:
read1msg: ld 30748 0 new referrals
read1msg: mark request completed, ld 30748 msgid 2
request done: ld 30748 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({eaa) ber:
ldap_msgfree
ldap_perror
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
additional info: 00002027: LdapErr: DSID-0C090499, comment:
Invalid Authentication method, data 0, vece