[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Anonymous bind with TLS problem






-Z doesn't force TLS, it only tries to start it.  -ZZ forces TLS.  I don't
see any TLS handshake output in the slapd log so I don't think it's being
used.

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
tie line:     678-9216
external:  1-512-838-9216
e-mail:  dksoper@us.ibm.com




                                                                                                                                    
                      "Joe Bardgett"                                                                                                
                      <jbardgett@godaddy.com>          To:       <openldap-software@OpenLDAP.org>                                   
                      Sent by:                         cc:                                                                          
                      owner-openldap-software@O        Subject:  Anonymous bind with TLS problem                                    
                      penLDAP.org                                                                                                   
                                                                                                                                    
                                                                                                                                    
                      05/21/2003 01:34 PM                                                                                           
                                                                                                                                    
                                                                                                                                    




Greetings,
            I am having trouble connecting to my OpenLDAP Server utilizing
TLS.  First, here is the info for my setup:

Server:
RHLinux 7.2
Kernel 2.4.18-18.7.x
Openldap-2.1.17
Db-4.1.25
Openssl-0.9.6b

Client:
RHLinux 7.2
Kernel 2.4.18-18.7.x
Nss_ldap-207
Pam_ldap-161
Openssl-0.9.6b

I have created the certificates and key on the server and added the
corresponding entries to the slapd.conf, I also have my ACL set to access
to * by * read.  On my client I have the basic host and base entries plus
ssl start_tls in the ldap.conf.  My nssswitch.conf is set to select from
files first and then ldap for passwd, shadow and group.  I have not changed
any entries in /etc/pam.d/ yet.

What I believe is happening is that my client is not doing a
simple/anonymous bind with I have ssl start_tls set in the ldap.conf, I
think it is trying to do a SASL bind.  My reasoning for this is that when I
try to do ldapsearch -v -Z -b "dc=myserver,dc=net" "(objectclass=*)" I get
the error of:

ldap_initialize( <DEFAULT> )
ldap_start_tls: Success
ldap_sasl_interactive_bind_s: Local error

And no data is transferred.  The –Z forces it to use TLS but it tries to
utilize SASL also.  But if I do ldapsearch -v -Z -x -b "dc=myserver,dc=net"
"(objectclass=*)" I get:

ldap_initialize( <DEFAULT> )
ldap_start_tls: Success
filter: (objectclass=*)
requesting: ALL
version: 2

And all the data is transferred.  The –Z forces it to use TLS but the –x
forces it to do a simple bind.

If I try to use something that will utilize the ldap.conf file on the
client, like getent passwd, nothing is transferred if I have the ssl
start_tls set.  If I turn it off, communication works fine and all data
requested is transferred but not encrypted.

I cannot find where in the ldap.conf you can force it to use simple binds
and I cannot find anything online about it.  Does anyone know how to do
this?  Or am I looking at this the wrong way?  Please help.

Example data taken from the slapd.log file on the server is attached here.

When I test the connection from the client utilizing ldapsearch -v -Z -x -b
"dc=myserver,dc=net" "(objectclass=*)" I successfully receive all the info
from my server and the data is transferred across the wire encrypted and
this is what I get in the slapd.log, I have removed unnecessary extra info:

----SNIP----
daemon: read activity on 15
connection_get(15)
connection_get(15): got connid=35
connection_read(15): checking for input on id=35
ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
daemon: select: listen=6 active_threads=1 tvp=NULL
do_extended
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
daemon: activity on 1 descriptors
daemon: activity on:
15r
----SNIP----
daemon: read activity on 15
connection_get(15)
connection_get(15): got connid=35
connection_read(15): checking for input on id=35
connection_read(15): unable to get TLS client DN error=49 id=35
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on:
15r
daemon: read activity on 15
connection_get(15)
connection_get(15): got connid=35
connection_read(15): checking for input on id=35
ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
do_bind
daemon: select: listen=6 active_threads=1 tvp=NULL
>>> dnPrettyNormal: <>
daemon: activity on 1 descriptors
<<< dnPrettyNormal: <>, <>
daemon: select: listen=6 active_threads=1 tvp=NULL
do_bind: version=3 dn="" method=128
conn=35 op=1 BIND dn="" method=128
send_ldap_result: conn=35 op=1 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=2 tag=97 err=0
conn=35 op=1 RESULT tag=97 err=0 text=
do_bind: v3 anonymous bind
daemon: activity on 1 descriptors
daemon: activity on:
15r
daemon: read activity on 15
connection_get(15)
connection_get(15): got connid=35
connection_read(15): checking for input on id=35
ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
do_search
----SNIP----

When I try to get some info from the getent passwd command and I have TLS
turned on I get nothing from my server and this is in the slapd.log, I have
removed unnecessary extra info:

----SNIP----
daemon: read activity on 15
connection_get(15)
connection_get(15): got connid=34
connection_read(15): checking for input on id=34
ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
do_extended
daemon: select: listen=6 active_threads=1 tvp=NULL
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
daemon: activity on 1 descriptors
daemon: activity on:
15r
----SNIP----
daemon: read activity on 15
connection_get(15)
connection_get(15): got connid=34
connection_read(15): checking for input on id=34
connection_read(15): unable to get TLS client DN error=49 id=34
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on:
15r
daemon: read activity on 15
connection_get(15)
connection_get(15): got connid=34
connection_read(15): checking for input on id=34
ber_get_next on fd 15 failed errno=0 (Success)
do_unbind
connection_read(15): input error=-2 id=34, closing.
conn=34 op=1 UNBIND
connection_closing: readying conn=34 sd=15 for close
connection_close: deferring conn=34 sd=15
daemon: select: listen=6 active_threads=1 tvp=NULL
connection_resched: attempting closing conn=34 sd=15
daemon: activity on 1 descriptors
connection_close: conn=34 sd=15
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: removing 15
conn=34 fd=15 closed

Thanks for any help,
Joe B.