
Re: Using certificate per host to secure communication to OpenLDAP

by Mathieu Millet



On Mon, 08 Sep 2008 11:35:25 -0700, Howard Chu <hyc@...> wrote:
> Mathieu Millet wrote:
>> I set up authz-regexp parameter in openldap, to match the "CN" of the
>> certificate to the DN in LDAP tree.
>>
[snip]

>>
>> But when, configuring pam_ldap (and nss_ldap), the TLS connection is OK
>> (from the debug log), but it seems that the DN used to performing the
>> requests is "empty".
>
> That's normal (and correct). No Bind DN is used for SASL Binds.
>
>> Is there a parameter that I'm missing ? I tried to use the parameter
>> "pam_sasl_mech EXTERNAL" in /etc/ldap.conf with no effect.
>>
>> The followings are the log excerpt from Openldap when "binding" :
>>
>> The log when Pam_ldap "binds" :
>> Sep  8 15:02:13 slxcvm01 slapd[22188]: conn=14 fd=18 TLS established
>> tls_ssf=256 ssf=256
[snip]
>> Sep  8 15:02:13 slxcvm01 slapd[22188]: conn=14 op=1 BIND dn="" method=128
>> Sep  8 15:02:13 slxcvm01 slapd[22188]: send_ldap_result: err=0 matched="" text=""
>> Sep  8 15:02:13 slxcvm01 slapd[22188]: conn=14 op=1 RESULT tag=97 err=0
>> text=
>> -------------------
>> The log when ldapsearch (with certificate) binds :
>> Sep  8 15:01:55 slxcvm01 slapd[22188]: conn=13 fd=18 TLS established
>> tls_ssf=256 ssf=256
>> [snip]
>> Sep  8 15:01:55 slxcvm01 slapd[22188]: conn=13 op=1 BIND dn="" method=163
>> Sep  8 15:01:56 slxcvm01 slapd[22188]: ==>  sasl_bind: dn="" mech=EXTERNAL
[snip]

>> dn="cn=<myhostname>,ou=computers,dc=<mybase>" mech=EXTERNAL sasl_ssf=0
>> ssf=256
>> Sep  8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 RESULT tag=97 err=0
>> text=
>> Sep  8 15:01:56 slxcvm01 slapd[22188]: daemon: activity on 1 descriptor
>> Sep  8 15:01:56 slxcvm01 slapd[22188]: daemon: activity on:
>> Sep  8 15:01:56 slxcvm01 slapd[22188]:  18r
>> -------------------
>
>> Has anybody succeeded doing this ?
>
> Your log shows that everything is working, you've already succeeded.

Well, on the contrary, the correct log (with the conversion from the "SASL DN"
to the right "dn") is the one from when I perform ldap searches manually.

When NSS or PAM are making ldap searches, the conversion from the SASL DN to
the right dn is not performed at all.

Any hints?
 
> --
>    -- Howard Chu
>    CTO, Symas Corp.           http://www.symas.com
>    Director, Highland Sun     http://highlandsun.com/hyc/
>    Chief Architect, OpenLDAP  http://www.openldap.org/project/

Thanks for the answer,
Mathieu MILLET.

--
Mathieu MILLET
mailto:ldap@...
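As an added example (not part of the thread), a small Python check that reads slapd log lines like those quoted above and separates connections that authenticated with SASL EXTERNAL (method=163 followed by a mapped dn) from connections that, like the pam_ldap one, established TLS but then bound anonymously (method=128, dn=""). The sample log is constructed from the excerpts above with the poster's placeholders kept; 128 and 163 are slapd's codes for a simple and a SASL bind respectively.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the slapd excerpts quoted in the thread
# (hostname and base DN are the poster's placeholders, not real values).
SAMPLE_LOG = """\
Sep  8 15:01:55 slxcvm01 slapd[22188]: conn=13 fd=18 TLS established tls_ssf=256 ssf=256
Sep  8 15:01:55 slxcvm01 slapd[22188]: conn=13 op=1 BIND dn="" method=163
Sep  8 15:01:56 slxcvm01 slapd[22188]: ==>  sasl_bind: dn="" mech=EXTERNAL
Sep  8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 BIND dn="cn=<myhostname>,ou=computers,dc=<mybase>" mech=EXTERNAL sasl_ssf=0 ssf=256
Sep  8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 RESULT tag=97 err=0 text=
Sep  8 15:02:13 slxcvm01 slapd[22188]: conn=14 fd=18 TLS established tls_ssf=256 ssf=256
Sep  8 15:02:13 slxcvm01 slapd[22188]: conn=14 op=1 BIND dn="" method=128
Sep  8 15:02:13 slxcvm01 slapd[22188]: conn=14 op=1 RESULT tag=97 err=0 text=
"""

# LDAP bind method codes as logged by slapd: 128 = simple, 163 = SASL.
METHOD_NAMES = {"128": "simple", "163": "sasl"}

TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\d+)')
# Second BIND line slapd writes once SASL has mapped the identity (e.g. via authz-regexp).
AUTHZ_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]+)" mech=(\S+)')

def summarize_binds(log_text):
    """Return {conn: {tls, method, bind_dn, mech, authz_dn}} for every connection seen."""
    conns = defaultdict(lambda: {"tls": False, "method": None, "bind_dn": None,
                                 "mech": None, "authz_dn": None})
    for line in log_text.splitlines():
        if m := TLS_RE.search(line):
            conns[m.group(1)]["tls"] = True
        elif m := BIND_RE.search(line):
            c = conns[m.group(1)]
            c["bind_dn"] = m.group(2)
            c["method"] = METHOD_NAMES.get(m.group(3), m.group(3))
        elif m := AUTHZ_RE.search(line):
            c = conns[m.group(1)]
            c["authz_dn"], c["mech"] = m.group(2), m.group(3)
    return dict(conns)

def anonymous_over_tls(summary):
    """Connections that set up TLS but then did an anonymous simple bind,
    i.e. the client certificate was never turned into an LDAP identity."""
    return sorted(c for c, s in summary.items()
                  if s["tls"] and s["method"] == "simple" and s["bind_dn"] == "")

if __name__ == "__main__":
    for conn, s in summarize_binds(SAMPLE_LOG).items():
        print(conn, s["method"], s["mech"], s["authz_dn"])
    print("anonymous over TLS:", anonymous_over_tls(summarize_binds(SAMPLE_LOG)))
```

Running it on the constructed sample reports conn=13 as a SASL EXTERNAL bind mapped to the host's dn and flags conn=14, the pam_ldap connection, as an anonymous simple bind over TLS.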
