[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: SSL client cert authc problems with OpenLDAP client and OpenDJ server
On 05/18/12 18:56 +0200, Michael Ströder wrote:
HI!
(cross-posted since OpenLDAP and OpenDJ are involved)
I have some SSL client cert authc problems with a OpenLDAP 2.4.23 LDAP client
(dynamically linked to OpenSSL 0.9.8e on RHEL 5.6) and OpenDJ 2.4.5 running
under control of Java 1.6.0_31. I cross-checked all the cert and trust stuff
several times. It seems to be correct. Unfortunately we're stuck with 2.4.23
in this setup because of OpenLDAP's ITS#6997.
(I manually obfuscated parameters and log lines herein.)
At first glance OpenLDAP's ldapwhoami seems to work correctly with the first
OpenDJ replica:
$ LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=client.key ldapwhoami -H
ldaps://master1.example.com -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: cn=ldapclient,o=example,c=DE
SASL SSF: 0
dn:cn=ldapclient,ou=Users,cn=example
add a '-d -1' to your ldap client commands for debug output.
If your request for EXTERNAL authentication succeeded, then everything
appears to be successful from the perspective of your client. Perhaps the
error (on the server here) is a disagreement with how the connection should
be torn down.
Does it make a difference which SSL library you compile your client
utilities against?
But in OpenDJ's access-log file there's written:
[18/May/2012:16:52:00 +0200] CONNECT conn=15 from=x.x.x.x:33358
to=x.x.x.x:63677 protocol=LDAPS
[18/May/2012:16:52:00 +0200] BIND REQ conn=15 op=0 msgID=1 type=SASL
mechanism=EXTERNAL dn=""
[18/May/2012:16:52:00 +0200] BIND RES conn=15 op=0 msgID=1 result=0
authDN="cn=ldapclient,o=example,c=DE" etime=0
[18/May/2012:16:52:00 +0200] EXTENDED REQ conn=15 op=1 msgID=2 name="Who Am
I?" oid="1.3.6.1.4.1.4203.1.11.3"
[18/May/2012:16:52:00 +0200] EXTENDED RES conn=15 op=1 msgID=2 result=0
additionalInfo="authzID="dn:cn=ldapclient,ou=Users,cn=example"" etime=1
[18/May/2012:16:52:00 +0200] DISCONNECT conn=15 reason="Protocol Error"
msg="The client sent a request to the Directory Server that could not be
properly decoded as an LDAP message: javax.net.ssl.SSLException: Inbound
closed before receiving peer's close_notify: possible truncation attack?"
The attempt to do the same on another OpenDJ replica fails completely (no
differences in TLS configuration - checked cn=config for potential differences
with diff):
$ LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=client.key ldapwhoami -H
ldaps://consumer1.example.com -Y EXTERNAL
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
In OpenDJ's access-log file there's written:
[18/May/2012:16:52:38 +0200] CONNECT conn=6 from=x.x.x.x:61841
to=x.x.x.x:63677 protocol=LDAPS
[18/May/2012:16:52:38 +0200] DISCONNECT conn=6 reason="Protocol Error"
msg="The client sent a request to the Directory Server that could not be
properly decoded as an LDAP message: javax.net.ssl.SSLHandshakeException:
General SSLEngine problem"
[18/May/2012:16:53:06 +0200] CONNECT conn=7 from=x.x.x.x:61842
to=x.x.x.x:63677 protocol=LDAPS
[18/May/2012:16:53:07 +0200] DISCONNECT conn=7 reason="Protocol Error"
msg="The client sent a request to the Directory Server that could not be
properly decoded as an LDAP message: javax.net.ssl.SSLHandshakeException:
General SSLEngine problem"
--
Dan White