Using certificate per host to secure communication to OpenLDAP
Hi everyone,
I'm trying to configure pam_ldap (and nss_ldap) to use a certificate on my servers, so that pam_ldap doesn't bind to my OpenLDAP directory using DN+password but using a certificate. The users still authenticate to my LDAP using login+password.
Here are all the steps performed...
First, I configured pam_ldap and nss_ldap to authenticate to OpenLDAP in clear text, without rootdn (and rootbinddn). OK
And then with rootdn (and rootbinddn) and password specified. OK (the OpenLDAP contains a DN for every server as LDAP client)
Anonymous search and bind are now forbidden by ACL.
Configuration of TLS on LDAP is OK. Still using rootdn+password.
Now the big part: I configure LDAP to "try" certificate authentication.
So, I generated one certificate per server.
I set up authz-regexp parameter in openldap, to match the "CN" of the certificate to the DN in LDAP tree.
When I use ldapwhoami manually, using the certificate of the client server (and SASL EXTERNAL) it returns the right DN.
Using the same parameters, I can perform the ldapsearches I have seen pam_ldap try to perform.
But when configuring pam_ldap (and nss_ldap), the TLS connection is OK (from the debug log), but it seems that the DN used to perform the requests is "empty".
Is there a parameter that I'm missing? I tried to use the parameter "pam_sasl_mech EXTERNAL" in /etc/ldap.conf with no effect.
The following are the log excerpts from OpenLDAP when "binding":
The log when pam_ldap "binds":
Sep 8 15:02:13 slxcvm01 slapd[22188]: conn=14 fd=18 TLS established tls_ssf=256 ssf=256
[snip]
Sep 8 15:02:13 slxcvm01 slapd[22188]: conn=14 op=1 BIND dn="" method=128
Sep 8 15:02:13 slxcvm01 slapd[22188]: send_ldap_result: err=0 matched="" text=""
Sep 8 15:02:13 slxcvm01 slapd[22188]: conn=14 op=1 RESULT tag=97 err=0 text=
-------------------
The log when ldapsearch (with certificate) binds:
Sep 8 15:01:55 slxcvm01 slapd[22188]: conn=13 fd=18 TLS established tls_ssf=256 ssf=256
[snip]
Sep 8 15:01:55 slxcvm01 slapd[22188]: conn=13 op=1 BIND dn="" method=163
Sep 8 15:01:56 slxcvm01 slapd[22188]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
Sep 8 15:01:56 slxcvm01 slapd[22188]: SASL Canonicalize [conn=13]: authcid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr"
Sep 8 15:01:56 slxcvm01 slapd[22188]: slap_sasl_getdn: conn 13 id=cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr [len=79]
Sep 8 15:01:56 slxcvm01 slapd[22188]: [rw] authid: "cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr" -> "cn=<myhostname>,ou=computers,dc=<mybase>"
Sep 8 15:01:56 slxcvm01 slapd[22188]: SASL Canonicalize [conn=13]: slapAuthcDN="cn=<myhostname>,ou=computers,dc=<mybase>"
Sep 8 15:01:56 slxcvm01 slapd[22188]: SASL [conn=13] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep 8 15:01:56 slxcvm01 slapd[22188]: SASL [conn=13] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep 8 15:01:56 slxcvm01 slapd[22188]: SASL proxy authorize [conn=13]: authcid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr" authzid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr"
Sep 8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 BIND authcid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr" authzid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr"
Sep 8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 BIND dn="cn=<myhostname>,ou=computers,dc=<mybase>" mech=EXTERNAL sasl_ssf=0 ssf=256
Sep 8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 RESULT tag=97 err=0 text=
Sep 8 15:01:56 slxcvm01 slapd[22188]: daemon: activity on 1 descriptor
Sep 8 15:01:56 slxcvm01 slapd[22188]: daemon: activity on:
Sep 8 15:01:56 slxcvm01 slapd[22188]: 18r
-------------------
My /etc/ldap.conf file:
host <myldapserver>
base dc=<mybase>
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_groupdn cn=<mygroup>,ou=groups,dc=<mybase>
pam_member_attribute uniquemember
pam_password exop
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_ciphers TLSv1
tls_cert /etc/openldap/<mycert>
tls_key /etc/openldap/<mykey>
--------------------
Has anybody succeeded in doing this?
My client servers are using Red Hat Enterprise Linux 4. OpenLDAP is 2.4.10, built from source.
Thank you in advance for any response.
Sincerely yours, Mathieu MILLET.
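The two log excerpts above differ in one field of the first BIND line: pam_ldap's connection shows `BIND dn="" method=128` (a simple bind with no DN, i.e. anonymous), while the ldapsearch connection shows `method=163` followed by `mech=EXTERNAL` and the DN produced by authz-regexp. The codes come from the LDAP BIND authentication choice: simple is context tag 0 (0x80 = 128) and SASL is context tag 3 (0xA3 = 163). The script below is an added example, not code from the post or from the OpenLDAP project: it parses slapd connection logs of this shape, records per connection whether TLS was established and how the bind was performed, and flags the two situations a directory operator would want to catch when reviewing a migration like this one, a client that negotiated TLS but still bound anonymously (the symptom described in the post) and a client that sent a DN+password simple bind without TLS. The sample log is constructed to mirror the quoted excerpts; hostnames, pids, IPs and DNs in it are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the slapd excerpts quoted in the post.
# conn=13 is the ldapsearch-style SASL EXTERNAL bind, conn=14 the pam_ldap-style
# anonymous simple bind over TLS, conn=15 a DN+password bind with no TLS at all.
SAMPLE_LOG = """\
Sep 8 15:01:55 slxcvm01 slapd[22188]: conn=13 fd=18 TLS established tls_ssf=256 ssf=256
Sep 8 15:01:55 slxcvm01 slapd[22188]: conn=13 op=1 BIND dn="" method=163
Sep 8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 BIND dn="cn=host1,ou=computers,dc=example" mech=EXTERNAL sasl_ssf=0 ssf=256
Sep 8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 RESULT tag=97 err=0 text=
Sep 8 15:02:13 slxcvm01 slapd[22188]: conn=14 fd=18 TLS established tls_ssf=256 ssf=256
Sep 8 15:02:13 slxcvm01 slapd[22188]: conn=14 op=1 BIND dn="" method=128
Sep 8 15:02:13 slxcvm01 slapd[22188]: conn=14 op=1 RESULT tag=97 err=0 text=
Sep 8 15:03:01 slxcvm01 slapd[22188]: conn=15 fd=19 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Sep 8 15:03:01 slxcvm01 slapd[22188]: conn=15 op=0 BIND dn="cn=admin,dc=example" method=128
Sep 8 15:03:01 slxcvm01 slapd[22188]: conn=15 op=0 RESULT tag=97 err=0 text=
"""

TLS_RE = re.compile(r'conn=(\d+) fd=\d+ TLS established')
# First BIND line of any bind: carries the numeric authentication method.
METHOD_BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
# Second BIND line of a SASL bind: carries the mechanism and the mapped DN.
SASL_BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" mech=(\S+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')

# BIND method codes as slapd logs them: 128 (0x80) = simple, 163 (0xA3) = SASL.
SIMPLE, SASL = "128", "163"


def parse_binds(log_text):
    """Return {conn_id: {tls, method, mech, dn, err}} for every connection seen."""
    conns = defaultdict(lambda: {"tls": False, "method": None, "mech": None, "dn": "", "err": None})
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            conns[m.group(1)]["tls"] = True
            continue
        m = METHOD_BIND_RE.search(line)
        if m:
            conns[m.group(1)]["method"] = m.group(4)
            conns[m.group(1)]["dn"] = m.group(3)
            continue
        m = SASL_BIND_RE.search(line)
        if m:
            # The DN here is the identity after authz-regexp mapping.
            conns[m.group(1)]["mech"] = m.group(4)
            conns[m.group(1)]["dn"] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            conns[m.group(1)]["err"] = m.group(3)
    return dict(conns)


def classify(conn):
    """Human-readable description of how one connection bound."""
    if conn["method"] == SASL:
        return f"sasl/{conn['mech']} as {conn['dn'] or '<unmapped>'}"
    if conn["method"] == SIMPLE:
        return "anonymous simple bind" if conn["dn"] == "" else f"simple bind as {conn['dn']}"
    return "no bind"


def findings(log_text):
    """Connections whose bind does not match the intended client-certificate design."""
    out = []
    for cid, c in sorted(parse_binds(log_text).items(), key=lambda kv: int(kv[0])):
        if c["method"] == SIMPLE and c["dn"] == "" and c["tls"]:
            out.append(f"conn={cid}: anonymous simple bind over TLS; "
                       "client certificate was not used for SASL EXTERNAL")
        elif c["method"] == SIMPLE and c["dn"] != "" and not c["tls"]:
            out.append(f"conn={cid}: simple bind with password and no TLS "
                       "(credentials sent in clear)")
        elif c["err"] not in (None, "0"):
            out.append(f"conn={cid}: bind failed with err={c['err']} ({classify(c)})")
    return out


if __name__ == "__main__":
    for cid, c in sorted(parse_binds(SAMPLE_LOG).items(), key=lambda kv: int(kv[0])):
        print(f"conn={cid} tls={c['tls']} {classify(c)}")
    for line in findings(SAMPLE_LOG):
        print("FINDING", line)
```

Run against the real slapd log (loglevel stats), the `anonymous simple bind over TLS` finding is exactly what distinguishes the pam_ldap connection from the ldapsearch one: the TLS handshake succeeded, but the client never issued a SASL bind, so the certificate identity was never mapped to a DN and the ACLs see an anonymous session.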