Using certificate per host to secure communication to OpenLDAP

by Mathieu Millet

Hi everyone,

I'm trying to configure pam_ldap (and nss_ldap) to use a certificate on my servers, so that pam_ldap doesn't bind to my OpenLDAP directory using DN+password but using a certificate. The users still authenticate to my LDAP using login+password.

Here are all the steps performed...

First, I configured pam_ldap and nss_ldap to authenticate to OpenLDAP in clear text, without rootdn (and rootbinddn). OK
And then with rootdn (and rootbinddn) and password specified. OK (the OpenLDAP directory contains a DN for every server acting as an LDAP client)

Anonymous search and bind are now forbidden by ACL.

Configuration of TLS on LDAP is OK, still using rootdn+password.

Now the big part: I configure LDAP to "try" certificate authentication.

So, I generated one certificate per server.

I set up the authz-regexp parameter in OpenLDAP to match the "CN" of the certificate to the DN in the LDAP tree.

When I use ldapwhoami manually, using the certificate of the client server (and SASL EXTERNAL), it returns the right DN.
Using the same parameters, I can perform the ldapsearches I have seen pam_ldap try to perform.

But when configuring pam_ldap (and nss_ldap), the TLS connection is OK (from the debug log), but it seems that the DN used to perform the requests is "empty".

Is there a parameter that I'm missing? I tried to use the parameter "pam_sasl_mech EXTERNAL" in /etc/ldap.conf with no effect.

The following are the log excerpts from OpenLDAP when "binding":

The log when pam_ldap "binds":
Sep  8 15:02:13 slxcvm01 slapd[22188]: conn=14 fd=18 TLS established tls_ssf=256 ssf=256
[snip]
Sep  8 15:02:13 slxcvm01 slapd[22188]: conn=14 op=1 BIND dn="" method=128
Sep  8 15:02:13 slxcvm01 slapd[22188]: send_ldap_result: err=0 matched="" text=""
Sep  8 15:02:13 slxcvm01 slapd[22188]: conn=14 op=1 RESULT tag=97 err=0 text=
-------------------
The log when ldapsearch (with certificate) binds:
Sep  8 15:01:55 slxcvm01 slapd[22188]: conn=13 fd=18 TLS established tls_ssf=256 ssf=256
[snip]
Sep  8 15:01:55 slxcvm01 slapd[22188]: conn=13 op=1 BIND dn="" method=163
Sep  8 15:01:56 slxcvm01 slapd[22188]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
Sep  8 15:01:56 slxcvm01 slapd[22188]: SASL Canonicalize [conn=13]: authcid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr"
Sep  8 15:01:56 slxcvm01 slapd[22188]: slap_sasl_getdn: conn 13 id=cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr [len=79]
Sep  8 15:01:56 slxcvm01 slapd[22188]: [rw] authid: "cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr" -> "cn=<myhostname>,ou=computers,dc=<mybase>"
Sep  8 15:01:56 slxcvm01 slapd[22188]: SASL Canonicalize [conn=13]: slapAuthcDN="cn=<myhostname>,ou=computers,dc=<mybase>"
Sep  8 15:01:56 slxcvm01 slapd[22188]: SASL [conn=13] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep  8 15:01:56 slxcvm01 slapd[22188]: SASL [conn=13] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep  8 15:01:56 slxcvm01 slapd[22188]: SASL proxy authorize [conn=13]: authcid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr" authzid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr"
Sep  8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 BIND authcid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr" authzid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr"
Sep  8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 BIND dn="cn=<myhostname>,ou=computers,dc=<mybase>" mech=EXTERNAL sasl_ssf=0 ssf=256
Sep  8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 RESULT tag=97 err=0 text=
Sep  8 15:01:56 slxcvm01 slapd[22188]: daemon: activity on 1 descriptor
Sep  8 15:01:56 slxcvm01 slapd[22188]: daemon: activity on:
Sep  8 15:01:56 slxcvm01 slapd[22188]:  18r
-------------------

My /etc/ldap.conf file:

host <myldapserver>
base dc=<mybase>
timelimit 120
bind_timelimit 120
idle_timelimit 3600

pam_groupdn cn=<mygroup>,ou=groups,dc=<mybase>

pam_member_attribute uniquemember

pam_password exop
ssl start_tls
tls_checkpeer yes

tls_cacertfile /etc/openldap/cacerts/cacert.pem

tls_ciphers TLSv1

tls_cert /etc/openldap/<mycert>
tls_key /etc/openldap/<mykey>

--------------------

Has anybody succeeded in doing this?

My client servers are using Red Hat Enterprise Linux 4. The OpenLDAP is 2.4.10, built from sources.

Thank you in advance for any response.
Sincerely yours, Mathieu MILLET.

Re: Using certificate per host to secure communication to OpenLDAP

by Howard Chu

Mathieu Millet wrote:

> I set up authz-regexp parameter in openldap, to match the "CN" of the
> certificate to the DN in LDAP tree.
>
> When I use ldapwhoami manually,  using the certificate of the client server
> (and SASL EXTERNAL) it returns the right DN.
> Using the same parameters, I can perform the ldapsearches I have seen
> pam_ldap try to perform.
>
> But when, configuring pam_ldap (and nss_ldap), the TLS connection is OK
> (from the debug log), but it seems that the DN used to performing the
> requests is "empty".

That's normal (and correct). No Bind DN is used for SASL Binds.

> Is there a parameter that I'm missing ? I tried to use the parameter
> "pam_sasl_mech EXTERNAL" in /etc/ldap.conf with no effect.
>
> The followings are the log excerpt from Openldap when "binding" :
>
> The log when Pam_ldap "binds" :
> Sep  8 15:02:13 slxcvm01 slapd[22188]: conn=14 fd=18 TLS established
> tls_ssf=256 ssf=256
> [snip]
> Sep  8 15:02:13 slxcvm01 slapd[22188]: conn=14 op=1 BIND dn="" method=128
> Sep  8 15:02:13 slxcvm01 slapd[22188]: send_ldap_result: err=0 matched=""
> text=""
> Sep  8 15:02:13 slxcvm01 slapd[22188]: conn=14 op=1 RESULT tag=97 err=0
> text=
> -------------------
> The log when ldapsearch (with certificate) binds :
> Sep  8 15:01:55 slxcvm01 slapd[22188]: conn=13 fd=18 TLS established
> tls_ssf=256 ssf=256
> [snip]
> Sep  8 15:01:55 slxcvm01 slapd[22188]: conn=13 op=1 BIND dn="" method=163
> Sep  8 15:01:56 slxcvm01 slapd[22188]: ==>  sasl_bind: dn="" mech=EXTERNAL
> datalen=0
> Sep  8 15:01:56 slxcvm01 slapd[22188]: SASL Canonicalize [conn=13]:
> authcid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr"
> Sep  8 15:01:56 slxcvm01 slapd[22188]: slap_sasl_getdn: conn 13
> id=cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr [len=79]
> Sep  8 15:01:56 slxcvm01 slapd[22188]: [rw] authid:
> "cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr" ->
> "cn=<myhostname>,ou=computers,dc=<mybase>"
> Sep  8 15:01:56 slxcvm01 slapd[22188]: SASL Canonicalize [conn=13]:
> slapAuthcDN="cn=<myhostname>,ou=computers,dc=<mybase>"
> Sep  8 15:01:56 slxcvm01 slapd[22188]: SASL [conn=13] Error: unable to open
> Berkeley db /etc/sasldb2: No such file or directory
> Sep  8 15:01:56 slxcvm01 slapd[22188]: SASL [conn=13] Error: unable to open
> Berkeley db /etc/sasldb2: No such file or directory
> Sep  8 15:01:56 slxcvm01 slapd[22188]: SASL proxy authorize [conn=13]:
> authcid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr"
> authzid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr"
> Sep  8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 BIND
> authcid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr"
> authzid="cn=<myhostname>,ou=<myou>,o=<myorg>,l=<myloc>,c=fr"
> Sep  8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 BIND
> dn="cn=<myhostname>,ou=computers,dc=<mybase>" mech=EXTERNAL sasl_ssf=0
> ssf=256
> Sep  8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 RESULT tag=97 err=0
> text=
> Sep  8 15:01:56 slxcvm01 slapd[22188]: daemon: activity on 1 descriptor
> Sep  8 15:01:56 slxcvm01 slapd[22188]: daemon: activity on:
> Sep  8 15:01:56 slxcvm01 slapd[22188]:  18r
> -------------------

> Has anybody succeeded doing this ?

Your log shows that everything is working; you've already succeeded.

--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Re: Using certificate per host to secure communication to OpenLDAP

by Mathieu Millet


On Mon, 08 Sep 2008 11:35:25 -0700, Howard Chu <hyc@...> wrote:
> Mathieu Millet wrote:
>> I set up authz-regexp parameter in openldap, to match the "CN" of the
>> certificate to the DN in LDAP tree.
>>
[snip]

>>
>> But when, configuring pam_ldap (and nss_ldap), the TLS connection is OK
>> (from the debug log), but it seems that the DN used to performing the
>> requests is "empty".
>
> That's normal (and correct). No Bind DN is used for SASL Binds.
>
>> Is there a parameter that I'm missing ? I tried to use the parameter
>> "pam_sasl_mech EXTERNAL" in /etc/ldap.conf with no effect.
>>
>> The followings are the log excerpt from Openldap when "binding" :
>>
>> The log when Pam_ldap "binds" :
>> Sep  8 15:02:13 slxcvm01 slapd[22188]: conn=14 fd=18 TLS established
>> tls_ssf=256 ssf=256
[snip]
>> Sep  8 15:02:13 slxcvm01 slapd[22188]: conn=14 op=1 BIND dn=""
>> method=128
>> Sep  8 15:02:13 slxcvm01 slapd[22188]: send_ldap_result: err=0
>> matched=""
>> text=""
>> Sep  8 15:02:13 slxcvm01 slapd[22188]: conn=14 op=1 RESULT tag=97 err=0
>> text=
>> -------------------
>> The log when ldapsearch (with certificate) binds :
>> Sep  8 15:01:55 slxcvm01 slapd[22188]: conn=13 fd=18 TLS established
>> tls_ssf=256 ssf=256
>> [snip]
>> Sep  8 15:01:55 slxcvm01 slapd[22188]: conn=13 op=1 BIND dn=""
>> method=163
>> Sep  8 15:01:56 slxcvm01 slapd[22188]: ==>  sasl_bind: dn=""
>> mech=EXTERNAL
[snip]

>> dn="cn=<myhostname>,ou=computers,dc=<mybase>" mech=EXTERNAL sasl_ssf=0
>> ssf=256
>> Sep  8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 RESULT tag=97 err=0
>> text=
>> Sep  8 15:01:56 slxcvm01 slapd[22188]: daemon: activity on 1 descriptor
>> Sep  8 15:01:56 slxcvm01 slapd[22188]: daemon: activity on:
>> Sep  8 15:01:56 slxcvm01 slapd[22188]:  18r
>> -------------------
>
>> Has anybody succeeded doing this ?
>
> Your log shows that everything is working, you've already succeeded.

Well, on the contrary, the correct log (with the conversion from "SASL DN"
to the right "dn") is when I perform LDAP searches manually.

When NSS or PAM are making LDAP searches, the conversion from SASL DN to
the right dn is not performed at all.

Any hints?
 
> --
>    -- Howard Chu
>    CTO, Symas Corp.           http://www.symas.com
>    Director, Highland Sun     http://highlandsun.com/hyc/
>    Chief Architect, OpenLDAP  http://www.openldap.org/project/

Thanks for the answer,
Mathieu MILLET.

--
Mathieu MILLET
mailto:ldap@...
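The two log excerpts above (in the first message and again in this reply) differ in one field that decides the whole question: the pam_ldap connection issues a simple bind (method=128, the BER tag of a simple BindRequest) with an empty DN, which is an anonymous bind, while the manual ldapsearch issues a SASL bind (method=163) that slapd then resolves through authz-regexp to a directory DN. The following is an added example, not code from the thread or from OpenLDAP: a small Python audit that reduces slapd log lines to one record per connection, flags TLS sessions that bound anonymously, and replays the authz-regexp mapping in Python to confirm the DN slapd bound for a SASL EXTERNAL client is the one the mapping predicts. The log sample, hostnames, DNs and the slapd.conf line quoted in the comment are placeholders I constructed; the regex mirrors the shape of an authz-regexp line but is not the poster's configuration.

```python
import re

# Constructed sample, modelled on the slapd log excerpts quoted in the thread.
# Hostnames, pids and DNs are placeholders, not real values.
SAMPLE_LOG = """\
Sep  8 15:02:13 slxcvm01 slapd[22188]: conn=14 fd=18 TLS established tls_ssf=256 ssf=256
Sep  8 15:02:13 slxcvm01 slapd[22188]: conn=14 op=1 BIND dn="" method=128
Sep  8 15:02:13 slxcvm01 slapd[22188]: conn=14 op=1 RESULT tag=97 err=0 text=
Sep  8 15:01:55 slxcvm01 slapd[22188]: conn=13 fd=18 TLS established tls_ssf=256 ssf=256
Sep  8 15:01:55 slxcvm01 slapd[22188]: conn=13 op=1 BIND dn="" method=163
Sep  8 15:01:56 slxcvm01 slapd[22188]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
Sep  8 15:01:56 slxcvm01 slapd[22188]: SASL Canonicalize [conn=13]: authcid="cn=host01,ou=servers,o=example,l=paris,c=fr"
Sep  8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 BIND dn="cn=host01,ou=computers,dc=example" mech=EXTERNAL sasl_ssf=0 ssf=256
Sep  8 15:01:56 slxcvm01 slapd[22188]: conn=13 op=1 RESULT tag=97 err=0 text=
Sep  8 15:03:02 slxcvm01 slapd[22188]: conn=15 op=0 BIND dn="cn=admin,dc=example" method=128
Sep  8 15:03:02 slxcvm01 slapd[22188]: conn=15 op=0 RESULT tag=97 err=0 text=
"""

# method= is the BER tag of the BindRequest authentication choice:
# 128 (0x80) is a simple bind, 163 (0xA3) is a SASL bind.
SIMPLE, SASL = "128", "163"

TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" (?:method=(\d+)|mech=(\S+))')
AUTHCID_RE = re.compile(r'SASL Canonicalize \[conn=(\d+)\]: authcid="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=\d+ RESULT tag=97 err=(\d+)")

# Python equivalent of an assumed slapd.conf line with placeholder DNs:
#   authz-regexp "^cn=([^,]+),ou=servers,o=example,l=paris,c=fr$"
#                "cn=$1,ou=computers,dc=example"
# slapd matches against a normalised authcid; IGNORECASE approximates that here.
AUTHZ_PATTERN = re.compile(r"^cn=([^,]+),ou=servers,o=example,l=paris,c=fr$", re.IGNORECASE)
AUTHZ_REPLACEMENT = r"cn=\1,ou=computers,dc=example"


def map_authcid(authcid):
    """Apply the authz-regexp mapping; None when the certificate subject is not covered."""
    if not AUTHZ_PATTERN.match(authcid):
        return None
    return AUTHZ_PATTERN.sub(AUTHZ_REPLACEMENT, authcid)


def _new_record(conn):
    return {"conn": conn, "tls": False, "kind": None, "mech": None,
            "authcid": None, "bound_dn": None, "err": None}


def audit_binds(log_text):
    """Reduce slapd log lines to one record per connection describing how it bound."""
    conns = {}
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            conns.setdefault(m.group(1), _new_record(m.group(1)))["tls"] = True
            continue
        m = BIND_RE.search(line)
        if m:
            conn, dn, method, mech = m.groups()
            rec = conns.setdefault(conn, _new_record(conn))
            if method is not None:
                # Request line: dn is the simple-bind DN, or "" for anonymous and for
                # every SASL request (a SASL bind carries no DN, as Howard Chu notes).
                rec["kind"] = "sasl" if method == SASL else "simple"
                rec["bound_dn"] = dn
            else:
                # Completion line: slapd has resolved the SASL identity to a directory DN.
                rec["mech"], rec["bound_dn"] = mech, dn
            continue
        m = AUTHCID_RE.search(line)
        if m:
            conns.setdefault(m.group(1), _new_record(m.group(1)))["authcid"] = m.group(2)
            continue
        m = RESULT_RE.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)]["err"] = int(m.group(2))
    for rec in conns.values():
        if rec["kind"] == "simple" and rec["bound_dn"] == "":
            rec["kind"] = "anonymous"
    return conns


def check_mapping(rec):
    """For a SASL bind, True if slapd bound the DN the authz-regexp predicts for the
    certificate subject, False on mismatch, None when there is nothing to check."""
    if rec["kind"] != "sasl" or rec["authcid"] is None:
        return None
    return map_authcid(rec["authcid"]) == rec["bound_dn"]


def anonymous_over_tls(log_text):
    """Connections that negotiated TLS and then bound anonymously: the signature of a
    client that presented a certificate but never requested SASL EXTERNAL."""
    return sorted(c for c, r in audit_binds(log_text).items()
                  if r["tls"] and r["kind"] == "anonymous")


if __name__ == "__main__":
    for conn, rec in sorted(audit_binds(SAMPLE_LOG).items(), key=lambda kv: int(kv[0])):
        print(conn, rec["kind"], rec["mech"], rec["bound_dn"] or "(anonymous)", check_mapping(rec))
    print("anonymous over TLS:", anonymous_over_tls(SAMPLE_LOG))
```

Run against a real slapd log (loglevel stats), `anonymous_over_tls` lists exactly the connections that look like the pam_ldap one in the thread: TLS is up, a client certificate may well have been presented, but the client then bound anonymously and every search runs under the anonymous ACLs. `check_mapping` returning False for a SASL connection means the authz-regexp did not produce the DN you expected for that certificate subject, which is the other way per-host certificate authentication silently degrades.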


Re: Using certificate per host to secure communication to OpenLDAP

by lambam80

Hello. I am also trying to bind from the O/S to LDAP using:

cat /etc/ldap.conf | grep -v "#" | sort

base dc=b,dc=c
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser
pam_password md5
# # guess, to be tried later: sasl_mech=external
ssl start_tls
timelimit 120
tls_cacertdir /etc/openldap/cacerts
tls_cacertfile /etc/openldap/cacerts/authconfig_downloaded.pem
tls_cert /root/tools/tomate/X9999990_2.pem
tls_key /root/tools/tomate/X9999990.key
uri ldap://a.b.c/


Firstly, I see a related post which is well worth reading:

http://www.nabble.com/Using-tls_cert-key-without-rootbinddn-td9089498.html

< and pointing me in the direction of SASL/EXTERNAL.
> I also misunderstood! Can you please elaborate on the use of SASL/EXTERNAL?

I inquired: For example, what options did you use in /etc/ldap.conf to enable SASL/EXTERNAL?

Iain replied: Due to other constraints, SASL/EXTERNAL was not pursued.

Q1. Can anyone else answer this question?

Q2. My *.key file has no password.

For the record, I reckon I need the '-noDES' option if I don't want a
key file password:

# the OpenSSL option that skips encrypting the private key is spelled -nodes
openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -days 7300 -nodes <<EOF
...
EOF

Q3. How might I specify the keyfile password in /etc/ldap.conf?

Regards, Dave
---------