
Re: SSF Question, PHP problems with TLS



At 07:41 AM 8/31/2004, Mark Hendricks wrote:
>Hello,
> 
>I have a couple questions relating to LDAP, PHP and TLS.  I have spent considerable time investigating this and am still having problems.
>I used the openldap FAQ-O-Matic instructions to re-generate my self signed certificate.  See certificate generation.
> 
>My production ACL forces ssf=40 for the userPassword attribute to force encryption of the password, so getting encryption working properly is especially vital.
> 
>From the command line I am only able to Start-TLS using the -x or "Simple Bind" switch.  
> 
>without the simple bind
>error = ldap_sasl_interactive_bind_s: Local error (82)
>        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found)
> 
>with the simple bind (-x)
>success
> 
>I understand that version 2.0 requires this switch for SASL.

-x is required for select (anonymous, unauthenticated, or
authenticated mechanisms of the) LDAP simple bind method.

>QUESTION # 1. Why do I see SSF=0 in the log? Does this meant that the session is not encrypted??

Depends on context.  Below it indicates that the Bind operation
did not cause the installation of any data security layers.  It
says nothing as to whether the session is otherwise protected.

>Aug 30 11:29:06 testServer slapd[10463]: conn=2 op=0 BIND dn="uid=testacct,ou=users,dc=test,dc=com" mech=SIMPLE ssf=0
> 
># ldapsearch -H ldap://testserver.test.com -x -ZZ -D uid=testuid,ou=users,dc=test,dc=com -b ou=users,dc=test,dc=com -w secret
> 
>Aug 30 11:48:44 testServer slapd[10518]: <= check a_authz.sai_ssf: ACL 40 > OP 256

This shows that the access clause is requiring an SSF of 40
and the operation has a 256 SSF associated with it.

>QUESTION # 2.
> 
>I am having problems that I consider related when I attempt to use TLS with php.
>phpLDAPadmin works fine without TLS
> 
>
>For this case though I switched back to the default ACL to avoid any ACL related problems.
> 
>when I start TLS the browser states "Could not start TLS. Please check your LDAP server configuration"

If ldapsearch(1) can establish TLS, then there should be no (LDAP
server configuration) reason why phpLDAPadmin cannot.  I suggest
you make sure every server feature you need works well with
ldapsearch(1) first, and only then attempt to duplicate that
success using phpLDAPadmin.  When you then try to get phpLDAPadmin
working, you'll be relatively confident that any problem that arises
is specific to phpLDAPadmin.  Such problems should be directed
to a list specific to phpLDAPadmin.

Kurt
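An added example (not part of the thread) of the point made above: the ssf= on a BIND line only reports the SASL layer, so to know whether a simple bind was actually protected you join it with the connection's TLS line. The log lines are constructed for illustration, modelled on the BIND line quoted in the thread and on slapd's "TLS established tls_ssf=... ssf=..." line (assumed format); the ACL threshold of 40 is the one the original poster uses.

```python
import re
from typing import Dict, List

# Constructed sample slapd log lines (not from the original post). conn=2 binds
# in the clear; conn=3 negotiates TLS before its simple bind.
SAMPLE_LOG = """\
Aug 30 11:29:06 testServer slapd[10463]: conn=2 fd=12 ACCEPT from IP=192.0.2.10:40111 (IP=0.0.0.0:389)
Aug 30 11:29:06 testServer slapd[10463]: conn=2 op=0 BIND dn="uid=testacct,ou=users,dc=test,dc=com" mech=SIMPLE ssf=0
Aug 30 11:48:43 testServer slapd[10518]: conn=3 fd=13 ACCEPT from IP=192.0.2.10:40112 (IP=0.0.0.0:389)
Aug 30 11:48:44 testServer slapd[10518]: conn=3 fd=13 TLS established tls_ssf=256 ssf=256
Aug 30 11:48:44 testServer slapd[10518]: conn=3 op=1 BIND dn="uid=testuid,ou=users,dc=test,dc=com" mech=SIMPLE ssf=0
"""

# Assumed slapd log formats for the TLS layer and the Bind operation.
TLS_RE = re.compile(r"conn=(\d+) .*TLS established tls_ssf=(\d+) ssf=(\d+)")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" mech=(\S+) ssf=(\d+)')


def audit_binds(log: str, required_ssf: int = 40) -> List[dict]:
    """Return one record per BIND with the effective SSF of its connection.

    The BIND line's ssf= covers only the SASL security layer; the TLS layer is
    logged once per connection, so the two are joined on conn=. The effective
    SSF is the stronger of the two, which is what the ACL ssf= check sees.
    """
    tls_ssf: Dict[str, int] = {}
    findings: List[dict] = []
    for line in log.splitlines():
        m = TLS_RE.search(line)
        if m:
            tls_ssf[m.group(1)] = int(m.group(2))
            continue
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, mech, sasl_ssf = m.groups()
            effective = max(tls_ssf.get(conn, 0), int(sasl_ssf))
            findings.append({
                "conn": conn, "op": op, "dn": dn, "mech": mech,
                "effective_ssf": effective,
                "meets_acl": effective >= required_ssf,
            })
    return findings


if __name__ == "__main__":
    for f in audit_binds(SAMPLE_LOG):
        status = "ok" if f["meets_acl"] else "UNPROTECTED"
        print(f'conn={f["conn"]} {f["mech"]} bind as {f["dn"]}: ssf={f["effective_ssf"]} {status}')
```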