Mathieu Millet wrote:
> I set up authz-regexp parameter in openldap, to match the "CN" of the
> certificate to the DN in LDAP tree.
>
> When I use ldapwhoami manually, using the certificate of the client server
> (and SASL EXTERNAL) it returns the right DN.
> Using the same parameters, I can perform the ldapsearches I have seen
> pam_ldap try to perform.
>
> But when configuring pam_ldap (and nss_ldap), the TLS connection is OK
> (from the debug log), but it seems that the DN used to perform the
> requests is "empty".
That's normal (and correct). No Bind DN is used for SASL Binds.
> Is there a parameter that I'm missing? I tried to use the parameter
> "pam_sasl_mech EXTERNAL" in /etc/ldap.conf with no effect.
>
> The following are the log excerpts from OpenLDAP when "binding":
>
> The log when pam_ldap "binds":
> Sep 8 15:02:13 slxcvm01 slapd[22188]: conn=14 fd=18 TLS established
> tls_ssf=256 ssf=256
> [snip]
> Sep 8 15:02:13 slxcvm01 slapd[22188]: conn=14 op=1 BIND dn="" method=128
> Sep 8 15:02:13 slxcvm01 slapd[22188]: send_ldap_result: err=0 matched=""
> text=""
> Sep 8 15:02:13 slxcvm01 slapd[22188]: conn=14 op=1 RESULT tag=97 err=0
> text=
> -------------------
> The log when ldapsearch (with certificate) binds:
> Sep 8 15:01:55 slxcvm01 slapd[22188]: conn=13 fd=18 TLS established
> tls_ssf=256 ssf=256
> [snip]
> Sep 8 15:01:55 slxcvm01 slapd[22188]: conn=13 op=1 BIND dn="" method=163
> Sep 8 15:01:56 slxcvm01 slapd[22188]: ==> sasl_bind: dn="" mech=EXTERNAL
> datalen=0
> Sep 8 15:01:56 slxcvm01 slapd[22188]: SASL Canonicalize [conn=13]:
> authcid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr"
> Sep 8 15:01:56 slxcvm01 slapd[22188]: slap_sasl_getdn: conn 13
> id=cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr [len=79]
> Sep 8 15:01:56 slxcvm01 slapd[22188]: [rw] authid:
> "cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr" ->
> "cn=<myhostname>,ou=computers,dc=<mybase>"
> Sep 8 15:01:56 slxcvm01 slapd[22188]: SASL Canonicalize [conn=13]:
> slapAuthcDN="cn=<myhostname>,ou=computers,dc=<mybase>"
> Sep 8 15:01:56 slxcvm01 slapd[22188]: SASL [conn=13] Error: unable to open
> Berkeley db /etc/sasldb2: No such file or directory
> Sep 8 15:01:56 slxcvm01 slapd[22188]: SASL [conn=13] Error: unable to open
> Berkeley db /etc/sasldb2: No such file or directory
> Sep 8 15:01:56 slxcvm01 slapd[22188]: SASL proxy authorize [conn=13]:
> authcid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr"
> authzid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr"
> Sep 8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 BIND
> authcid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr"
> authzid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr"
> Sep 8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 BIND
> dn="cn=<myhostname>,ou=computers,dc=<mybase>" mech=EXTERNAL sasl_ssf=0
> ssf=256
> Sep 8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 RESULT tag=97 err=0
> text=
> Sep 8 15:01:56 slxcvm01 slapd[22188]: daemon: activity on 1 descriptor
> Sep 8 15:01:56 slxcvm01 slapd[22188]: daemon: activity on:
> Sep 8 15:01:56 slxcvm01 slapd[22188]: 18r
> -------------------
> Has anybody succeeded in doing this?
Your log shows that everything is working, you've already succeeded.
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
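Added here as an illustration (not part of the thread and not OpenLDAP code): a small Python check over slapd log lines of the kind quoted above. It reports, per connection, whether the BindRequest was a simple bind with an empty DN (anonymous) or a SASL bind and, for SASL, which mechanism and which DN slapd recorded after authz-regexp mapping. The log text is constructed from the thread's lines with placeholder host and DN values.

```python
import re

# Constructed sample slapd log (placeholder host and DNs) modelled on the thread's two connections.
SAMPLE_LOG = """\
Sep 8 15:02:13 host slapd[22188]: conn=14 fd=18 TLS established tls_ssf=256 ssf=256
Sep 8 15:02:13 host slapd[22188]: conn=14 op=1 BIND dn="" method=128
Sep 8 15:02:13 host slapd[22188]: conn=14 op=1 RESULT tag=97 err=0 text=
Sep 8 15:01:55 host slapd[22188]: conn=13 fd=18 TLS established tls_ssf=256 ssf=256
Sep 8 15:01:55 host slapd[22188]: conn=13 op=1 BIND dn="" method=163
Sep 8 15:01:56 host slapd[22188]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
Sep 8 15:01:56 host slapd[22188]: conn=13 op=1 BIND dn="cn=client1,ou=computers,dc=example" mech=EXTERNAL sasl_ssf=0 ssf=256
Sep 8 15:01:56 host slapd[22188]: conn=13 op=1 RESULT tag=97 err=0 text=
"""

# LDAP BindRequest authentication choice tags as slapd logs them: 128 (0x80) = simple, 163 (0xA3) = sasl.
SIMPLE, SASL = 128, 163

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\d+)')
SASL_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" mech=(\S+)')
RESULT_RE = re.compile(r'conn=(\d+) op=\d+ RESULT tag=97 err=(\d+)')

def classify_binds(log_text):
    """Return {conn: description} of how each connection authenticated."""
    binds = {}
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):          # initial BindRequest: DN and method tag
            conn, dn, method = m.groups()
            binds[conn] = {"method": int(method), "dn": dn, "mech": None, "err": None}
        elif m := SASL_RE.search(line):        # SASL outcome: mechanism and mapped DN
            conn, dn, mech = m.groups()
            binds.setdefault(conn, {"method": SASL, "err": None}).update(dn=dn, mech=mech)
        elif m := RESULT_RE.search(line):      # BindResponse (tag=97) result code
            conn, err = m.groups()
            if conn in binds:
                binds[conn]["err"] = int(err)
    summary = {}
    for conn, b in binds.items():
        if b["err"] not in (None, 0):
            summary[conn] = f"bind failed err={b['err']}"
        elif b["method"] == SIMPLE:
            summary[conn] = "anonymous simple bind" if not b["dn"] else f"simple bind as {b['dn']}"
        elif b["method"] == SASL:
            summary[conn] = f"SASL {b['mech'] or '?'} bind as {b['dn'] or '(no DN recorded)'}"
    return summary

if __name__ == "__main__":
    for conn, desc in sorted(classify_binds(SAMPLE_LOG).items()):
        print(f"conn={conn}: {desc}")
```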