
TLS/SASL problems



Hi,

Someone asked a question somewhat similar to this the other day and did not receive a relevant answer at all. I too am very interested in the answer as it must be a very basic question.

I have installed openldap-2.0.19 and cyrus-sasl-1.5.27 and have authldap working fine as long as I don't use TLS or SASL. I run Linux 2.4.12 and OpenSSL-0.9.6b.

I have been doing a lot of frustrating testing over the last couple of weeks with the ldapsearch client, again to no avail. As long as I use the -x option (simple authentication instead of SASL), it works fine. But when I try SASL authentication, I get a failure with: ldap_sasl_interactive_bind_s: No such attribute
Debug on slapd suggests the attribute is supportedSASLMechanisms:


do_search
ber_scanf fmt ({aiiiib) ber:
SRCH "" 0 0    0 0 0
ber_scanf fmt (o) ber:
   filter: (objectClass=*)
ber_scanf fmt ({v}}) ber:
   attrs: supportedSASLMechanisms
=> send_search_entry: ""

supportedSASLMechanisms is a defined attribute type in core.schema, but there is no suggestion as to what objectClass this may relate to. I would like to set it to PLAIN within some object, but what???


My TLS efforts are equally frustrating. Whereas the slapd server has TLSCipherSuite, TLSCertificateFile and TLSCertificateKeyFile (which I have set as per my Courier mail suite and Apache mod_ssl), there seems to be no equivalent for any of the clients. My TLS connections (ldapsearch -ZZ) fail with: ldap_start_tls: Connect error


The slapd trace seems to get as far as exchanging ciphers before failing. I would be very surprised if my machine can't coordinate a cipher suite amongst itself for LDAP when I successfully use ssl for ssh, apache and mail. I have the allow tls_2_anon option set in my slapd.conf, which I expect allows for no client certificates?

connection_get(10)
connection_get(10): got connid=1
connection_read(10): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({a) ber:
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
connection_get(10)
connection_get(10): got connid=1
connection_read(10): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10)
connection_get(10): got connid=1
connection_read(10): checking for input on id=1
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(10)
connection_get(10): got connid=1
connection_read(10): checking for input on id=1
ber_get_next
ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=1, closing.
connection_closing: readying conn=1 sd=10 for close
connection_close: conn=1 sd=10
TLS trace: SSL3 alert write:warning:close notify


Can someone please tell me which pieces of this puzzle I am missing!

Cheers, Alan
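Reading a trace like the one above comes down to noting how far the StartTLS exchange got on the server side. The following Python is an added example, not code from the original post or from OpenLDAP: it walks the quoted slapd trace (embedded as sample input) and reports whether the StartTLS extended operation was accepted, the last handshake step slapd logged, whether slapd finished its side of the handshake, and whether the client dropped the connection afterwards.

```python
import re

# Constructed sample input: the StartTLS portion of the slapd trace quoted above.
SAMPLE_TRACE = """\
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_response: msgid=1 tag=120 err=0
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=1, closing.
TLS trace: SSL3 alert write:warning:close notify
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # the StartTLS extended operation
def analyse_starttls_trace(trace):
    """Summarise a slapd -d trace: was StartTLS accepted (err=0 on the
    extendedResp, tag=120), what was the last handshake step slapd logged,
    did slapd write its Finished message, and did the client close afterwards."""
    result = {"starttls_accepted": False, "last_step": None,
              "server_handshake_done": False, "client_closed_after": False}
    saw_oid = False
    for line in trace.splitlines():
        if STARTTLS_OID in line:
            saw_oid = True
        m = re.search(r"tag=120 err=(\d+)", line)
        if saw_oid and m:
            result["starttls_accepted"] = (m.group(1) == "0")
        m = re.search(r"TLS trace: SSL_accept:(.*)$", line)
        if m:
            step = m.group(1)
            # "error in ..." is SSL_accept returning early (e.g. waiting for more client
            # data) and "flush data" is no handshake message; neither is a completed step.
            if not step.startswith("error in") and step != "SSLv3 flush data":
                result["last_step"] = step
            if step == "SSLv3 write finished A":
                result["server_handshake_done"] = True
        # A read error after the server's Finished means the peer hung up post-handshake.
        if "input error=" in line and result["server_handshake_done"]:
            result["client_closed_after"] = True
    return result
```

A trace in which slapd negotiates a cipher and writes its Finished message, and the client then closes, points at something the client decides after the handshake rather than at cipher negotiation on the server.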



