[Date Prev][Date Next] [Chronological] [Thread] [Top]

ldapi:// confidentiality required: different olcSecurity settings (cn=config and olcDatabase={-1}frontend.ldif)

To: openldap-technical@openldap.org
Subject: ldapi:// confidentiality required: different olcSecurity settings (cn=config and olcDatabase={-1}frontend.ldif)
From: openldap-ml@stresst.net
Date: Mon, 19 Jul 2010 01:10:54 +0200
User-agent: Thunderbird 2.0.0.24 (Windows/20100228)

It took me quite some time to figure out a small configuration error(concerning ldapi:// confidentiality required) and I just want to letyou know about it and possibly save you some time during your nextdebugging session:

Security strength factor "olcSecurity: ..." values that are differingbetween cn=config.ldif and for examplecn=config/olcDatabase={-1}frontend.ldif might lead to strangeldapi-related "confidentiality required" effects that temporarilydisappear right after online-re-configuration (via cn=config) - but theyappear again right after any slapd restart...


Disclaimer:

The cause for the problem (differing cn=config database-specificolcSecurity values) is a result of a mis-configuration and don't seemsto be a general slapd problem, but as we are all able to online(mis-)configure slapd via cn=config it's possibly of common interest. ;-)Only in case there's no need for these kind of differences (for anyspecial slapd configuration scenario) might be slapd could detect themand inform the user about it?

After re-aligning cn=config.ldif's andcn=config/olcDatabase={-1}frontend.ldif's olcSecurity settings thefollowing strange behavior has disappeared and slapd runs and answersfine - even after its restart.



slapd version: CVS HEAD



1.) empty database directory:

root@tingletangle:/usr/local/openldap/etc/openldap# ls -al/usr/local/openldap/var/openldap-data/foo.bar/*-rw-r--r-- 1 openldap openldap 368 Jun 17 22:50/usr/local/openldap/var/openldap-data/foo.bar/DB_CONFIG


2.) relevant slapd.d's content:
root@tingletangle:/usr/local/openldap/etc/openldap# grep -r olcSec slapd.d/
slapd.d/cn=config.ldif:olcSecurity: simple_bind=128
slapd.d/cn=config.ldif:olcSecurity: ssf=128
slapd.d/cn=config.ldif:olcSecurity: tls=0
slapd.d/cn=config/olcDatabase={1}monitor.ldif:olcSecurity: ssf=128
slapd.d/cn=config/olcDatabase={1}monitor.ldif:olcSecurity: tls=128
slapd.d/cn=config/olcDatabase={1}monitor.ldif:olcSecurity: update_ssf=128
slapd.d/cn=config/olcDatabase={1}monitor.ldif:olcSecurity: simple_bind=128

slapd.d/cn=config/cn=schema.ldif:olcAttributeTypes: ( OLcfgGlAt:59 NAME'olcSecurity' EQUALITY caseIgnoreMatchslapd.d/cn=config/cn=schema.ldif: ontUseCopyIgnore $ olcSaslHost $olcSaslRealm $ olcSaslSecProps $ olcSecurityslapd.d/cn=config/cn=schema.ldif: cRequires $ olcRestrict $ olcRootDN $olcRootPW $ olcSchemaDN $ olcSecurity $

slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcSecurity: ssf=128
slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcSecurity: tls=128
slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcSecurity: update_ssf=128
slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcSecurity: simple_bind=128

root@tingletangle:/usr/local/openldap/etc/openldap# grep -r olcLocalslapd.d/

slapd.d/cn=config.ldif:olcLocalSSF: 128

slapd.d/cn=config/cn=schema.ldif:olcAttributeTypes: ( OLcfgGlAt:26 NAME'olcLocalSSF' SYNTAX OMsInteger SINGLE-slapd.d/cn=config/cn=schema.ldif: p $ olcIndexIntLen $ olcLocalSSF $olcLogFile $ olcLogLevel $ olcPasswordCryp

root@tingletangle:/usr/local/openldap/etc/openldap# grep -rolcSaslSecProps slapd.d/

slapd.d/cn=config.ldif:olcSaslSecProps: noplain,noanonymous

slapd.d/cn=config/cn=schema.ldif:olcAttributeTypes: ( OLcfgGlAt:56 NAME'olcSaslSecProps' SYNTAX OMsDirectoryStslapd.d/cn=config/cn=schema.ldif: ontUseCopyIgnore $ olcSaslHost $olcSaslRealm $ olcSaslSecProps $ olcSecurity


summary (cn=config.ldif):
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=0
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous

summary (olcDatabase={-1}frontend.ldif and olcDatabase={1}monitor.ldif)
olcSecurity: ssf=128
olcSecurity: tls=128
olcSecurity: update_ssf=128
olcSecurity: simple_bind=128

So, now let's have some fun with the above configuration especially withpoints 8.) 12.) 14.) 22.) 23.)


3.) populate slapd's database (data + cn=config) and index the data:

/usr/local/openldap/sbin/slapadd -v -F slapd.d -b "dc=foo,dc=bar" -ldump-dc\=foo\,dc\=bar-20100718.ldif

/usr/local/openldap/sbin/slapindex -v -F slapd.d -b "dc=foo,dc=bar"
chown -R openldap:openldap /usr/local/openldap

4.) start slapd:
/usr/local/openldap/libexec/slapd \
-F /usr/local/openldap/etc/openldap/slapd.d \
-u openldap -g openldap \
-l local4 \

-h "ldaps://0.0.0.0:636/ ldap://0.0.0.0:389 ldapi:/// ldap://[::]:389/ldaps://[::]:636/"


5.) check whether slapd is running:

root@tingletangle:/usr/local/openldap/etc/openldap# ps -ef | grep slapd| grep -v grepopenldap 1605 1 1 23:43 ? 00:00:00/usr/local/openldap/libexec/slapd -F/usr/local/openldap/etc/openldap/slapd.d -u openldap -g openldap -llocal4 -h ldaps://0.0.0.0:636/ ldap://0.0.0.0:389 ldapi:///ldap://[::]:389/ ldaps://[::]:636/


6.) check slapd's listeners:

root@tingletangle:/usr/local/openldap/etc/openldap# netstat -nap | grepslapdtcp 0 0 0.0.0.0:389 0.0.0.0:*LISTEN 1605/slapdtcp 0 0 0.0.0.0:636 0.0.0.0:*LISTEN 1605/slapdtcp6 0 0 :::389 :::*LISTEN 1605/slapdtcp6 0 0 :::636 :::*LISTEN 1605/slapdunix 2 [ ACC ] STREAM LISTENING 47301605/slapd /usr/local/openldap/var/run/ldapi

unix  2      [ ]         DGRAM                    4724     1605/slapd

7.) check cn=config's content:
7a1.) ldapsearch cn=config (ldapi:// without -Z):

root@tingletangle:/usr/local/openldap/etc/openldap#/usr/local/openldap/bin/ldapsearch -x -Hldapi://%2Fusr%2Flocal%2Fopenldap%2Fvar%2Frun%2Fldapi -D"cn=ldapmanager,cn=config" -W -b 'cn=config' -s base olcSecurityolcSaslSecProps olcLocalSSF

Enter LDAP Password:
ldap_bind: Confidentiality required (13)
       additional info: TLS confidentiality required
7a2.) ldapsearch cn=config (ldap:// without -Z):

root@tingletangle:/usr/local/openldap/etc/openldap#/usr/local/openldap/bin/ldapsearch -x -H ldap://localhost -D"cn=ldapmanager,cn=config" -W -b 'cn=config' -s base olcSecurityolcSaslSecProps olcLocalSSF

Enter LDAP Password:
ldap_bind: Confidentiality required (13)
       additional info: TLS confidentiality required

7b1.) ldapsearch cn=config (ldapi:// with -Z):

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: olcSecurity olcSaslSecProps olcLocalSSF
#

# config
dn: cn=config
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=0

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

7b2.) ldapsearch cn=config (ldap:// with -Z):

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: olcSecurity olcSaslSecProps olcLocalSSF
#

# config
dn: cn=config
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=0

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

8.) change "olcSecurity: tls=0" into "olcSecurity: tls=1"

root@tingletangle:/usr/local/openldap/etc/openldap#/usr/local/openldap/bin/ldapmodify -v -a -x -H ldap://localhost -D"cn=ldapmanager,cn=config" -W -Z -f tls_modify_0-1.ldif

ldap_initialize( ldap://localhost:389/??base )
Enter LDAP Password:
delete olcSecurity:
       tls=0
add olcSecurity:
       tls=1
modifying entry "cn=config"
modify complete

9.) check whether modify in deed completed:

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: olcSecurity olcSaslSecProps olcLocalSSF
#

# config
dn: cn=config
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

10.) ldapsearch cn=config (ldapi:// without -Z):

Enter LDAP Password:
ldap_bind: Confidentiality required (13)
       additional info: TLS confidentiality required

11.) ldapsearch cn=config (ldapi:// with -Z):

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: olcSecurity olcSaslSecProps olcLocalSSF
#

# config
dn: cn=config
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

12.) change "olcSecurity: tls=1" back into "olcSecurity: tls=0"

root@tingletangle:/usr/local/openldap/etc/openldap#/usr/local/openldap/bin/ldapmodify -v -a -x -H ldap://localhost -D"cn=ldapmanager,cn=config" -W -Z -f tls_modify_1-0.ldif

ldap_initialize( ldap://localhost:389/??base )
Enter LDAP Password:
delete olcSecurity:
       tls=1
add olcSecurity:
       tls=0
modifying entry "cn=config"
modify complete

13.) check whether modify in deed completed:

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: olcSecurity olcSaslSecProps olcLocalSSF
#

# config
dn: cn=config
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=0

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

14.) ldapsearch cn=config (ldapi:// without -Z now seem to work?!):

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: olcSecurity olcSaslSecProps olcLocalSSF
#

# config
dn: cn=config
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

15.) ldapsearch cn=config (ldapi:// with -Z):

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: olcSecurity olcSaslSecProps olcLocalSSF
#

# config
dn: cn=config
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=0

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

16.) killall slapd:
root@tingletangle:/usr/local/openldap/etc/openldap# killall slapd
root@tingletangle:/usr/local/openldap/etc/openldap# ps -ef | grep slap
root      1650  1525  0 00:01 pts/0    00:00:00 grep slap

17.) re-check relevant slapd.d's content:
root@tingletangle:/usr/local/openldap/etc/openldap# grep -r olcSec slapd.d/
slapd.d/cn=config.ldif:olcSecurity: simple_bind=128
slapd.d/cn=config.ldif:olcSecurity: ssf=128
slapd.d/cn=config.ldif:olcSecurity: tls=0
slapd.d/cn=config/olcDatabase={1}monitor.ldif:olcSecurity: ssf=128
slapd.d/cn=config/olcDatabase={1}monitor.ldif:olcSecurity: tls=128
slapd.d/cn=config/olcDatabase={1}monitor.ldif:olcSecurity: update_ssf=128
slapd.d/cn=config/olcDatabase={1}monitor.ldif:olcSecurity: simple_bind=128

slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcSecurity: ssf=128
slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcSecurity: tls=128
slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcSecurity: update_ssf=128
slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcSecurity: simple_bind=128

root@tingletangle:/usr/local/openldap/etc/openldap# grep -r olcLocalslapd.d/

slapd.d/cn=config.ldif:olcLocalSSF: 128

root@tingletangle:/usr/local/openldap/etc/openldap# grep -rolcSaslSecProps slapd.d/

slapd.d/cn=config.ldif:olcSaslSecProps: noplain,noanonymous


summary (cn=config.ldif):
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=0
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous

summary (olcDatabase={-1}frontend.ldif)
olcSecurity: ssf=128
olcSecurity: tls=128
olcSecurity: update_ssf=128
olcSecurity: simple_bind=128

18.) re-start slapd:
/usr/local/openldap/libexec/slapd \
-F /usr/local/openldap/etc/openldap/slapd.d \
-u openldap -g openldap \
-l local4 \

-h "ldaps://0.0.0.0:636/ ldap://0.0.0.0:389 ldapi:/// ldap://[::]:389/ldaps://[::]:636/"


19.) check whether slapd is running:

root@tingletangle:/usr/local/openldap/etc/openldap# ps -ef | grep slapd| grep -v grepopenldap 1656 1 1 00:07 ? 00:00:00/usr/local/openldap/libexec/slapd -F/usr/local/openldap/etc/openldap/slapd.d -u openldap -g openldap -llocal4 -h ldaps://0.0.0.0:636/ ldap://0.0.0.0:389 ldapi:///ldap://[::]:389/ ldaps://[::]:636/


20.) check slapd's listeners:

root@tingletangle:/usr/local/openldap/etc/openldap# netstat -npa | grepslapdtcp 0 0 0.0.0.0:389 0.0.0.0:*LISTEN 1656/slapdtcp 0 0 0.0.0.0:636 0.0.0.0:*LISTEN 1656/slapdtcp6 0 0 :::389 :::*LISTEN 1656/slapdtcp6 0 0 :::636 :::*LISTEN 1656/slapdunix 2 [ ACC ] STREAM LISTENING 52921656/slapd /usr/local/openldap/var/run/ldapi

unix  2      [ ]         DGRAM                    5286     1656/slapd

21.) ldapsearch cn=config (ldapi:// without -Z):

Enter LDAP Password:
ldap_bind: Confidentiality required (13)
       additional info: TLS confidentiality required

22.) ldapmodify cn=config olcSecurity: tls=0 --> tls=1 --> tls=0

root@tingletangle:/usr/local/openldap/etc/openldap#/usr/local/openldap/bin/ldapmodify -v -a -x -H ldap://localhost -D"cn=ldapmanager,cn=config" -W -Z -f tls_modify_0-1-0.ldif

ldap_initialize( ldap://localhost:389/??base )
Enter LDAP Password:
delete olcSecurity:
       tls=0
add olcSecurity:
       tls=1
delete olcSecurity:
       tls=1
add olcSecurity:
       tls=0
modifying entry "cn=config"
modify complete

23.) ldapsearch cn=config (ldapi:// without -Z now works again untilnext slapd restart):root@tingletangle:/usr/local/openldap/etc/openldap#/usr/local/openldap/bin/ldapsearch -x -Hldapi://%2Fusr%2Flocal%2Fopenldap%2Fvar%2Frun%2Fldapi -D"cn=ldapmanager,cn=config" -W -b 'cn=config' -s base olcSecurityolcSaslSecProps olcLocalSSF

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: olcSecurity olcSaslSecProps olcLocalSSF
#

# config
dn: cn=config
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Prev by Date: Re: OpenLDAP authenticate the username/password with MS-AD?
Next by Date: back-sql caching
Index(es):
- Chronological
- Thread