
Re: Forcing TLS, but keep working SASL authentication



On 12/31/12 15:57 +0100, Wiebe Cazemier wrote:
> I want to force SSL on my OpenLDAP server (2.4.21-0ubuntu5.7, Ubuntu 10.04
> LTS), but then the SASL authentication breaks.
>
> I did this to enable tls-only:
>
> # feed to ldapmodify
> dn: cn=config
> changetype: modify
> add: olcSecurity
> olcSecurity: tls=1
>
> But then I can't use "-Y EXTERNAL" anymore, because it then demands a TLS
> connection. When I enable TLS (-ZZ) on tools like ldapmodify and use
> ldap://hostname/ and bind with my rootDN (admin user), it doesn't work
> (insufficient access (50)). I guess it needs the socket to know I'm root.

You can apply olcSecurity to a specific database as well (see man
slapd-config). Configuring olcSecurity: tls=0 on
olcDatabase={0}config,cn=config should have the intended behavior, if you
only ever modify your config via ldapi:///.

> Inspecting all DBs with "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b
> cn=config", it appears the config DBs have an olcAccess rule like:
>
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

Consider creating an authz-regexp to map:

gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

to your olcRootDN below. Your above ACL is not necessary in that case,
since your root dn will bypass any ACL restrictions.

> gid and uid = 0, so I guess it's the system's root account.
>
> I tried adding an olcRootDN and olcRootPW to
> olcDatabase={0}config,cn=config so that I could modify the cn=config, but
> adding them gave an error: "<olcRootPW> can only be set when rootdn is
> under suffix". When I tried adding olcSuffix to "dc=domain,dc=tld", it
> said: "<olcSuffix> handler exited with 1". I also tried specifying an
> olcRootDN only (no olcRootPW) (like cn=admin,dc=domain,dc=tld) and then
> add that user to "dc=domain,dc=tld", but it didn't work. Unfortunately, I
> don't remember what went wrong.

If you're performing EXTERNAL SASL authentication over ldapi:///, you won't
need an olcRootPW, but you will need an authz-regexp.

I don't believe the olcRootDN will need to exist underneath dc=domain,dc=tld
in that case.

--
Dan White
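
An added example that puts the suggestions from this reply together; it is not LDIF posted by either participant. It assumes the config database's olcRootDN is cn=admin,cn=config (a hypothetical value, substitute whatever olcDatabase={0}config,cn=config actually carries) and that all config changes are made over ldapi:///. The records are ordered so that the global TLS requirement is set last: once tls=1 is in force for a database, a non-TLS ldapi:/// connection can no longer modify it, so the config database has to be exempted first.

```ldif
# Added example, not from the original thread. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f force-tls.ldif
# Assumption: olcDatabase={0}config,cn=config has olcRootDN: cn=admin,cn=config.

# 1. Exempt the config database from the TLS requirement. A per-database
#    olcSecurity overrides the global one for that database (see slapd-config(5)).
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=0

# 2. Map the local root user's SASL EXTERNAL identity (peercred over ldapi)
#    to the config database's rootDN. The rootDN bypasses ACLs, so the
#    "by dn.exact=gidNumber=0+uidNumber=0,... manage" rule becomes redundant.
#    The '+' in the peercred DN is a regex metacharacter and must be escaped.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=admin,cn=config

# 3. Require TLS for everything else (what the original post did). "replace"
#    is used because olcSecurity is single-valued and may already be present.
dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1
```

Before applying step 3, confirm the mapping took effect with `ldapwhoami -Y EXTERNAL -H ldapi:///`, which should report the mapped rootDN rather than the raw gidNumber=0+uidNumber=0 identity; if it does not, step 3 will lock the config database behind a TLS requirement that ldapi:/// cannot satisfy. Clients reaching the other databases over ldap:// then need -ZZ (or ldaps://) as before.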