
SASL EXTERNAL auth issues



Hi,

   I am using RHEL7 and openldap from the LTB project (to test out SSHA password hashing). Currently I am having trouble configuring SASL EXTERNAL authentication over ldapi:///. Maybe I am missing something; any pointers would be appreciated.

[root@oldp4-dk-vm ~]# /usr/local/openldap/libexec/slapd -V
@(#) $OpenLDAP: slapd 2.4.44 (Feb 15 2016 11:14:35) $
        clement@centos7.unix.example.com:/home/clement/build/BUILD/openldap-2.4.44/servers/slapd

[root@oldp4-dk-vm ~]#

After adding the ldapi:/// listener to the startup script, I verified that slapd is listening on the unix socket using lsof. (The socket path shown, /usr/local/openldap/var/run/ldapi, is the same path the client tries to connect to in the trace further down, so the listener and client agree on the socket.)

[root@oldp4-dk-vm ~]# lsof | grep ldap  | grep -e  '\(unix\|LISTEN\)'
slapd      7988                ldap    3u     unix 0xffff880077fc23c0       0t0     603136 socket
slapd      7988                ldap    7u     IPv4             603140       0t0        TCP *:ldap (LISTEN)
slapd      7988                ldap    8u     IPv6             603141       0t0        TCP *:ldap (LISTEN)
slapd      7988                ldap    9u     IPv4             603144       0t0        TCP *:ldaps (LISTEN)
slapd      7988                ldap   10u     IPv6             603145       0t0        TCP *:ldaps (LISTEN)
slapd      7988                ldap   11u     unix 0xffff880077fc2000       0t0     603146 /usr/local/openldap/var/run/ldapi
slapd      7988 7989           ldap    3u     unix 0xffff880077fc23c0       0t0     603136 socket
slapd      7988 7989           ldap    7u     IPv4             603140       0t0        TCP *:ldap (LISTEN)
slapd      7988 7989           ldap    8u     IPv6             603141       0t0        TCP *:ldap (LISTEN)
slapd      7988 7989           ldap    9u     IPv4             603144       0t0        TCP *:ldaps (LISTEN)
slapd      7988 7989           ldap   10u     IPv6             603145       0t0        TCP *:ldaps (LISTEN)
slapd      7988 7989           ldap   11u     unix 0xffff880077fc2000       0t0     603146 /usr/local/openldap/var/run/ldapi
slapd      7988 7991           ldap    3u     unix 0xffff880077fc23c0       0t0     603136 socket
slapd      7988 7991           ldap    7u     IPv4             603140       0t0        TCP *:ldap (LISTEN)
slapd      7988 7991           ldap    8u     IPv6             603141       0t0        TCP *:ldap (LISTEN)
slapd      7988 7991           ldap    9u     IPv4             603144       0t0        TCP *:ldaps (LISTEN)
slapd      7988 7991           ldap   10u     IPv6             603145       0t0        TCP *:ldaps (LISTEN)
slapd      7988 7991           ldap   11u     unix 0xffff880077fc2000       0t0     603146 /usr/local/openldap/var/run/ldapi
[root@oldp4-dk-vm ~]#

Checking the supported SASL mechanisms advertised on the ldapi:/// listener (anonymous simple bind, -x):

[root@oldp4-dk-vm ~]# ldapsearch -x   -H ldapi:/// -b "" -LLL -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN

[root@oldp4-dk-vm ~]#

Attempting to bind using SASL EXTERNAL over ldapi:///. Note that in the trace below the connect to the socket succeeds, but the only bytes ever written to it are the 7-byte unbind (ber_flush2), i.e. no bind request is sent: the "Local error (-2)" is raised on the client side by ldap_sasl_interactive_bind_s before slapd is involved, so the server ACLs/authz settings are not yet in play.

[root@oldp4-dk-vm ~]# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b   dn  -vv -d 5
ldap_url_parse_ext(ldapi:///)
ldap_initialize( ldapi:///??base )
ldap_create
ldap_url_parse_ext(ldapi:///??base)
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 3
ldap_connect_to_path: Trying /usr/local/openldap/var/run/ldapi
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_ndelay_off: 3
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
[root@oldp4-dk-vm ~]#

Configuration (two things worth noting for anyone reusing this: the olcRootPW hash is identical for the {0}config database and the {2}hdb rootdn, so one password unlocks both, and the hashes were posted to a public list, so they should be rotated; also olcTLSVerifyClient is "never", which means SASL EXTERNAL could only be satisfied via the ldapi peercred identity here, not via a client certificate over ldaps):

[root@oldp4-dk-vm ~]# cat config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /usr/local/openldap/etc/openldap/slapd.conf.bak
olcConfigDir: /usr/local/openldap/etc/openldap/slapd.d
olcAllows: bind_v2
olcArgsFile: /usr/local/openldap/var/run/slapd.args
olcAttributeOptions: x-hidden lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPidFile: /usr/local/openldap/var/run/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCACertificateFile: /usr/local/openldap/etc/openldap/certs/ca-chain.cert.pem
olcTLSCertificateFile: /usr/local/openldap/etc/openldap/certs/server.pem
olcTLSCertificateKeyFile: /usr/local/openldap/etc/openldap/certs/server.key.pem
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0
structuralObjectClass: olcGlobal


dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///usr/local/openldap/etc/openldap/schema/core.ldif
include: file:///usr/local/openldap/etc/openldap/schema/cosine.ldif
include: file:///usr/local/openldap/etc/openldap/schema/inetorgperson.ldif
include: file:///usr/local/openldap/etc/openldap/schema/nis.ldif

## We serve small clients that do not handle referrals,
## so handle remote lookups on their behalf.
#dn: olcDatabase=ldap,cn=config
#objectClass: olcDatabaseConfig
#objectClass: olcLdapConfig
#olcDatabase: ldap
#olcSuffix: ""
#olcDbUri: ldap://ldap.some-server.com/

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAddContentAcl: TRUE
olcAccess: to attrs=name;x-hidden by * =cs
olcAccess: to attrs=userPassword  by * auth
olcAccess: to * by * read
olcLastMod: TRUE
olcMaxDerefDepth: 0
olcReadOnly: FALSE
olcSchemaDN: cn=Subschema
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig


dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage  by * none
olcAddContentAcl: TRUE
olcRootPW: {SSHA}dWIRB+xNhhBABixGgVrRKv7/J93NrgW7
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig


dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read  by dn.base="cn=manager,dc=myds,dc=example,dc=com" read  by * none
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig


dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcAccess: {0} to attrs=userPassword,shadowLastChange by self write by anonymous auth by  dn="cn=manager,dc=myds,dc=example,dc=com" write by * none
olcAccess: {1} to dn.base="" by * read
olcAccess: {2} to * by self write by dn="cn=manager,dc=myds,dc=example,dc=com" write by * read
olcAddContentAcl: FALSE
olcDatabase: {2}hdb
olcDbCacheFree: 1
olcDbCacheSize: 1000
olcDbCheckpoint: 512 15
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 3000
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbDirectory: /usr/local/openldap/var/openldap-data
olcDbDirtyRead: FALSE
olcDbDNcacheSize: 0
olcDbIDLcacheSize: 3000
olcDbIndex:     cn,sn,mail   pres,eq,approx,sub
olcDbIndex:     objectClass  eq
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbNoSync: FALSE
olcDbSearchStack: 16
olcDbShmKey: 0
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=manager,dc=myds,dc=example,dc=com
olcRootPW: {SSHA}dWIRB+xNhhBABixGgVrRKv7/J93NrgW7
olcSuffix: dc=myds,dc=example,dc=com
structuralObjectClass: olcHdbConfig
[root@oldp4-dk-vm ~]#

Regards
Kenneth