Re: Translucent overlay search fails with TLS "cannot find private key f

On Thu, Sep 17, 2015 at 1:43 PM, Ernie Kovak <ernie.kovak@gmail.com> wrote:

Hello -

I'm running openldap 2.4.39 on centos 7, using the translucent overlay and moznss for connections to the backend Active Directory server. When I issue a search request for users in the backend directory I get no results and a "server not available" error - see the debug output below.

The same slapd.conf configuration, but on centos 5.10 and using OpenSSL, works correctly. So, I imagine it's related to moznss.

I've verified (firewall logs) that openldap successfully connects to the backend on startup, but not when the search request is submitted. It looks like it's trying to use client-authenticated TLS, even though the backend is not set up for that??

Any ideas?

Thanks!
Ernie

===============================================================================================
slapd.conf
===============================================================================================
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/we_person_and_npe.schema

pidfile /var/run/openldap/slapd.pid

loglevel stats
#loglevel -1
#loglevel trace conns filter stats

# Path to dynamic modules:
modulepath /usr/lib64/openldap
moduleload back_mdb
moduleload back_ldap
moduleload translucent
moduleload accesslog
moduleload auditlog
moduleload valsort
moduleload ppolicy
moduleload memberof

# TLS server certs (TLS client config is in ldap.conf)
#TLSCACertificateFile /opt/acme/global/certs/ca/ca.pem
#TLSCertificateFile /opt/acme/global/certs/server-cert.pem
#TLSCertificateKeyFile /opt/acme/global/certs/server-key.pem

# not working in our docker container since openldap is linked against NSS and not OpenSSL
#TLSCipherSuite TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL:!SSLv2

# path of the directory containing the NSS certificate and key database files
TLSCACertificatePath /opt/acme/local/certs/nssdb/

# specifies the name of the certificate to use
TLSCertificateFile server

# name of a file that contains the password for the key for the certificate specified with TLSCertificateFile
TLSCertificateKeyFile /opt/acme/local/certs/.nss_tmp_pwd (contains clear text pasword for keystore and server cert private key)

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=clearance,citizenship,sciControl
by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
by dn="cn=npe-sts,ou=NPEs,ou=Native,dc=acme,dc=com" read
access to attrs=gimmeeOrg,gimmeeRegion,gimmeeTopic,gimmeeIsAICP,gimmeeGroup,gimmeeProject,gimmeeProjectGroup
by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
by dn="cn=npe-sts,ou=NPEs,ou=Native,dc=acme,dc=com" read
access to attrs=UUID
by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
by users read
access to attrs=userPassword
by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
by self write
by anonymous auth
access to attrs=currentLoginDate,lastLoginDate,lastFailedLoginDate,currentLoginIpAddr,lastLoginIpAddr,lastFailedLoginIpAddr
by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
by dn="cn=npe-openid,ou=NPEs,ou=Native,dc=acme,dc=com" write
by users read
access to *
by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
by users read
by anonymous auth

#######################################################################
# Database for Native accounts (NPEs and users)
#######################################################################

database mdb
suffix "ou=Native,dc=acme,dc=com"
rootdn "cn=weAdmin,dc=acme,dc=com"
directory "/opt/acme/global/data/openldap/db/native-user-db"
subordinate
index objectClass eq,pres
index ou,cn,mail,surname eq,pres,sub
index clearance,scicontrol eq,pres,sub
index citizenship eq,pres,sub
password-hash {SSHA}

# Apply password policy overlay to Native accounts, with a default policy.
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,ou=Native,dc=acme,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext

#######################################################################
# Database for additional attributes for enterprise accounts.
#######################################################################

database mdb
suffix "dc=acme,dc=com"
rootdn "cn=weAdmin,dc=acme,dc=com"
rootpw {SSHA}73M5MnfH97O8KAN8anAbneD2wf0C6VSg
directory "/opt/acme/global/data/openldap/db/enterprise-user-db"
index objectClass eq,pres
index ou,cn,mail,surname eq,pres,sub
index clearance,scicontrol eq,pres,sub
index citizenship eq,pres,sub

#######################################################################
# Translucent LDAP proxy to Active Directory
#######################################################################
overlay translucent
uri "ldaps://atlas.acme.com:636"
chase-referrals no
idassert-bind bindmethod=simple
binddn="cn=devadmin,ou=Users,ou=System Accounts,ou=Acme,dc=acme,dc=com"
credentials="******"
mode=none
tls_cacert=/opt/acme/global/certs/ca/gd-class2-root-2.pem
tls_reqcert=demand

# Attributes to be searched for in local database. Only the classes that
# apply to proxied accounts are candidates for translucent_local:
# local wePerson attributes:
translucent_local objectClass
translucent_local UUID,accountStatus
translucent_local rank,grade,position,command,agency
translucent_local DSN
translucent_local weGrp,weOrg
translucent_local clearance,citizenship,scicontrol

# wePerson attributes pulled from remote directory:
translucent_remote objectClass
translucent_remote cn,givenName,sn,mail,o,mobile
translucent_remote displayName,sAMAccountName,userPrincipalName

===============================================================================================
From output when setting SLAPD_OPTIONS="-d 65535"
===============================================================================================

<snip> loads slapd.conf

55f854a6 config_build_entry: "olcDatabase={2}mdb"
55f854a6 config_build_entry: "olcOverlay={0}translucent"
55f854a6 ==> translucent_cfadd
55f854a6 config_build_entry: "olcDatabase={0}ldap"
55f854a6 config_build_entry: "olcOverlay={1}glue"
55f854a6 backend_startup_one: starting "ou=Native,dc=acme,dc=com"
55f854a6 mdb_db_open: "ou=Native,dc=acme,dc=com"
55f854a6 mdb_db_open: database "ou=Native,dc=acme,dc=com": dbenv_open(/opt/acme/global/data/openldap/db/native-user-db).
55f854a6 mdb_monitor_db_open: monitoring disabled; configure monitor database to enable
55f854a6 backend_startup_one: starting "dc=acme,dc=com"
55f854a6 mdb_db_open: "dc=acme,dc=com"
55f854a6 mdb_db_open: database "dc=acme,dc=com": dbenv_open(/opt/acme/global/data/openldap/db/enterprise-user-db).
55f854a6 ==> translucent_db_open
55f854a6 backend_startup_one: starting "dc=acme,dc=com"
55f854a6 ldap_back_db_open: URI=ldaps://atlas.acme.com:636
55f854a6 ldap_back_monitor_db_open: monitoring disabled; configure monitor database to enable
55f854a6 slapd starting

<snip>

55f876ea ==> translucent_search: <dc=acme,dc=com> (sAMAccountName=admin)
ldap_create
ldap_url_parse_ext(ldaps://atlas.acme.com:636)
55f876ea =>ldap_back_getconn: conn=1000 op=1: lc=0x7f3e581a9950 inserted refcnt=1 rc=0
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP atlas.acme.com:636
55f876ea daemon: activity on 1 descriptor
55f876ea daemon: activity on:55f876ea
55f876ea daemon: epoll: listen=6 active_threads=0 tvp=NULL
55f876ea daemon: epoll: listen=7 active_threads=0 tvp=NULL
ldap_new_socket: 17
ldap_prepare_socket: 17
ldap_connect_to_host: Trying 172.12.3.45:636
ldap_pvt_connect: fd: 17 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/opt/acme/local/certs/nssdb/' tokenDescription='ldap(1)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /opt/acme/local/certs/nssdb/ prefix .
TLS: loaded CA certificate file /opt/acme/global/certs/ca/gd-class2-root-2.pem.
TLS: certificate 'server' successfully loaded from moznss database.
TLS: no unlocked certificate for certificate 'CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US'.
TLS: cannot find private key for certificate 'CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US' (error -12285: Unable to find the certificate or key necessary for authentication.)
TLS: error: unable to set up client certificate authentication for certificate named CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US
TLS: error: unable to set up client certificate authentication using 'CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US'
TLS: error: could not initialize moznss security context - error -12285:Unable to find the certificate or key necessary for authentication.
TLS: can't create ssl handle.
55f876ea send_ldap_result: conn=1000 op=1 p=3
55f876ea send_ldap_result: err=52 matched="" text="Proxy operation retry failed"

Re: Translucent overlay search fails with TLS "cannot find private key for certificate"