
LDAP binding failure to Active Directory using certificates



Greetings:

I'm wondering if anyone has had any experience with this problem.

I am endeavouring to use ldapmodify (from OpenLDAP 2.3) to connect to a domain controller (named intacta) in our Active Directory forest and perform account management operations. For this purpose, the bind to the AD's LDAP must provide credentials of a user with the rights to manage accounts in the domain in question. I'm attempting to perform the authentication using certificates generated by a certificate authority which we have established on a domain controller in the forest root domain of our AD (not the same domain as the domain where we are trying to perform account management, but it is in the same forest). The bind account is named test_account_manager and the user certificate CSCFForestAccount.cer (listed below) is name mapped to the account.

All domain controllers in the forest have domain controller certificates distributed to them from the forest's certificate authority.

Below is the content of my .ldaprc file on the Solaris 8 host where I'm attempting to run ldapmodify. As stated above, the TLS_CERT certificate is name mapped to the test_account_manager account in the AD. The account, of course, has a password, but the key file has no access password, as I believe is necessary for the current version of OpenLDAP.

TLS_CACERT /u/ctucker/LDAP_Cert/CSCFTrustedCA.pem.cer
TLS_CERT /u/ctucker/LDAP_Cert/CSCFForestAccount.cer
TLS_KEY /u/ctucker/LDAP_Cert/private_test1.pem
TLS_REQCERT demand

Below is the output of an ldapmodify command run on the Solaris 8 host. When this command is run, entries confirming the logon of the test_account_manager account appear in the security event logs of the domain controller intacta as a successful logon. This suggests that the connection was properly authenticated by the certificates for the user test_account_manager. However, the subsequent binding to LDAP fails with the error "Authentication method not supported".

Any help with this persistent problem would be greatly appreciated.

Thanks.
Clayton

% ldapmodify -d13 -H ldaps://intacta.cs.uwaterloo.ca/
ldap_create
ldap_url_parse_ext(ldaps://intacta.cs.uwaterloo.ca/)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS:
supportedSASLMechanisms
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP intacta.cs.uwaterloo.ca:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 129.97.152.158:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /DC=ca/DC=uwaterloo/DC=cscf/CN=CSCF Forest CA, issuer: /DC=ca/DC=uwaterloo/DC=cscf/CN=CSCF Forest CA
TLS certificate verification: depth: 0, err: 0, subject: /CN=intacta.cs.uwaterloo.ca, issuer: /DC=ca/DC=uwaterloo/DC=cscf/CN=CSCF Forest CA
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 64 bytes to sd 3
ldap_result ld 30748 msgid 1
ldap_chkResponseList ld 30748 msgid 1 all 1
ldap_chkResponseList returns ld 30748 NULL
wait4msg ld 30748 msgid 1 (infinite timeout)
wait4msg continue ld 30748 msgid 1 all 1
** ld 30748 Connections:
* host: intacta.cs.uwaterloo.ca port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Jul 10 09:50:43 2008


** ld 30748 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 30748 Response Queue:
Empty
ldap_chkResponseList ld 30748 msgid 1 all 1
ldap_chkResponseList returns ld 30748 NULL
ldap_int_select
read1msg: ld 30748 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 96 contents:
read1msg: ld 30748 msgid 1 message type search-entry
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 30748 msgid 1 message type search-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 30748 0 new referrals
read1msg: mark request completed, ld 30748 msgid 1
request done: ld 30748 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
adding response ld 30748 msgid 1 type 101:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt ([v]) ber:
ldap_msgfree
ldap_sasl_interactive_bind_s: server supports: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
ldap_int_sasl_bind: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
ldap_int_sasl_open: host=intacta.cs.uwaterloo.ca
=> ldap_dn2bv(16)
<= ldap_dn2bv(CN=test_account_manager,OU=Test User,OU=Unassigned,DC=cs,DC=uwaterloo,DC=ca)=0
SASL/EXTERNAL authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 26 bytes to sd 3
ldap_result ld 30748 msgid 2
ldap_chkResponseList ld 30748 msgid 2 all 1
ldap_chkResponseList returns ld 30748 NULL
wait4msg ld 30748 msgid 2 (infinite timeout)
wait4msg continue ld 30748 msgid 2 all 1
** ld 30748 Connections:
* host: intacta.cs.uwaterloo.ca port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Jul 10 09:50:43 2008


** ld 30748 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
** ld 30748 Response Queue:
Empty
ldap_chkResponseList ld 30748 msgid 2 all 1
ldap_chkResponseList returns ld 30748 NULL
ldap_int_select
read1msg: ld 30748 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 103 contents:
read1msg: ld 30748 msgid 2 message type bind
ber_scanf fmt ({eaa) ber:
read1msg: ld 30748 0 new referrals
read1msg: mark request completed, ld 30748 msgid 2
request done: ld 30748 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({eaa) ber:
ldap_msgfree
ldap_perror
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
additional info: 00002027: LdapErr: DSID-0C090499, comment: Invalid Authentication method, data 0, vece
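
Added example, not part of the original post: a small Python triage script that reads an OpenLDAP client debug trace like the one above and reports whether the failure happened during the TLS handshake or at the LDAP bind that followed it. The function names `summarize_trace` and `failing_layer` are hypothetical, and the input is an excerpt of the trace lines from the post.

```python
import re

# Excerpt of the -d13 trace posted above (hostnames and messages as in the post).
TRACE_EXCERPT = """\
TLS certificate verification: depth: 0, err: 0, subject: /CN=intacta.cs.uwaterloo.ca, issuer: /DC=ca/DC=uwaterloo/DC=cscf/CN=CSCF Forest CA
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 read finished A
ldap_sasl_interactive_bind_s: server supports: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
"""

def summarize_trace(text):
    """Collect the TLS and SASL milestones from an OpenLDAP client debug trace."""
    s = {"verify_errors": [], "cert_requested": False, "cert_sent": False,
         "key_proved": False, "tls_done": False, "offered": [],
         "mechanism": None, "bind_error": None}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"TLS certificate verification: depth: (\d+), err: (\d+)", line)
        if m and m.group(2) != "0":
            # Non-zero err means the server chain failed validation at that depth.
            s["verify_errors"].append((int(m.group(1)), int(m.group(2))))
        elif line.endswith("read server certificate request A"):
            s["cert_requested"] = True   # server asked for a client certificate
        elif line.endswith("write client certificate A"):
            s["cert_sent"] = True        # client sent the TLS_CERT certificate
        elif line.endswith("write certificate verify A"):
            s["key_proved"] = True       # client signed with the TLS_KEY private key
        elif line.endswith("read finished A"):
            s["tls_done"] = True         # handshake completed on both sides
        elif "server supports:" in line:
            s["offered"] = line.split("server supports:", 1)[1].split()
        elif (m := re.match(r"SASL/(\S+) authentication started", line)):
            s["mechanism"] = m.group(1)
        elif (m := re.match(r"ldap_sasl_interactive_bind_s: (.+) \((\d+)\)$", line)):
            # LDAP result code; 7 is authMethodNotSupported in RFC 4511.
            s["bind_error"] = (int(m.group(2)), m.group(1))
    return s

def failing_layer(s):
    """Return 'tls', 'ldap-bind' or 'none' depending on where the trace stops succeeding."""
    if s["verify_errors"] or not s["tls_done"]:
        return "tls"
    return "ldap-bind" if s["bind_error"] else "none"

if __name__ == "__main__":
    summary = summarize_trace(TRACE_EXCERPT)
    print(summary, "failing layer:", failing_layer(summary))
```

For this trace the script reports that the client certificate was requested, sent and proved, the handshake finished, and the rejection came from the SASL/EXTERNAL bind request with result code 7.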