
Re: (ITS#6642) back-meta idassert with SASL EXTERNAL ignoring parameters



> Just to make sure, can you pull the entire HEAD? Thanks for checking, in
> any case. p.
I finally had the time to reproduce the issue using the cvs source
code from HEAD.
The following command was used to build OpenLDAP:
--------------------------------
CPPFLAGS="-I/home/openldap/software/include -D_AVL_H" \
LDFLAGS="-L/home/openldap/software/lib -Wl,-rpath=/home/openldap/software/lib" \
./configure --prefix=/home/openldap/software --enable-rewrite --enable-dnssrv \
  --enable-ldap --enable-meta --enable-auditlog --enable-rwm --enable-sssvlv \
  --with-cyrus-sasl --with-tls=openssl --enable-bdb
make depend; make; make install
--------------------------------

The necessary SSL certificates are self-signed:
--------------------------------
openssl genrsa -out server1.key 2048
openssl req -new -key server1.key -x509 -days 365 -out server1.crt
openssl genrsa -out server2.key 2048
openssl req -new -key server2.key -x509 -days 365 -out server2.crt
--------------------------------

"server2" was started with the command:
slapd -f /home/openldap/config/slapd.conf.server2 -h "ldaps://server2:6361"
At this point I could already authenticate via SASL EXTERNAL using the
ldapsearch command:
LDAPTLS_CACERT=server2.crt LDAPTLS_CERT=server1.crt LDAPTLS_KEY=server1.key \
  ldapsearch -H "ldaps://server2:6361" -b "" -s base -Y EXTERNAL 'objectclass=*'

Now I started "server1":
slapd -f /home/openldap/config/slapd.conf.server1 -h "ldap://server1:3891"

Searching with
ldapsearch -H ldap://server1:3891 -b "dc=server2,dc=example,dc=com" -x
gives me no result, but the following output on server1's debug log (level 1):
--------------------------------
ldap_connect_to_host: Trying 127.0.0.1:6361
ldap_pvt_connect: fd: 9 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject:
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=server2, issuer:
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=server2
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
signed certificate).
conn=1000 op=1 meta_search_dobind_init[0]: retrying
URI="ldaps://server2:6361" DN="".
--------------------------------

And again:
Starting "server1" with the environment variables and everything works fine:
LDAPTLS_CACERT=server2.crt LDAPTLS_CERT=server1.crt LDAPTLS_KEY=server1.key \
  slapd -f /home/openldap/config/slapd.conf.server1 -h "ldap://server1:3891"

I hope you can reproduce this issue using the information I provided.
The configurations of both servers are attached below.

Best Regards,
Manuel


slapd.conf.server1
--------------------------------
include         /home/openldap/software/etc/openldap/schema/core.schema
include         /home/openldap/software/etc/openldap/schema/cosine.schema
include         /home/openldap/software/etc/openldap/schema/inetorgperson.schema
database meta
suffix "dc=example,dc=com"
uri "ldaps://server2:6361/dc=server2,dc=example,dc=com"
idassert-authzFrom "*"
idassert-bind bindmethod=sasl
              saslmech=EXTERNAL
              tls_cert=/home/openldap/config/server1.crt
              tls_key=/home/openldap/config/server1.key
              tls_cacert=/home/openldap/config/server2.crt
              mode=none
--------------------------------


slapd.conf.server2
--------------------------------
include         /home/openldap/software/etc/openldap/schema/core.schema
include         /home/openldap/software/etc/openldap/schema/cosine.schema
include         /home/openldap/software/etc/openldap/schema/inetorgperson.schema
TLSCertificateFile /home/openldap/config/server2.crt
TLSCertificateKeyFile /home/openldap/config/server2.key
TLSCACertificateFile /home/openldap/config/server1.crt
TLSVerifyClient demand
database bdb
suffix "dc=server2,dc=example,dc=com"
rootdn "cn=manager,dc=server2,dc=example,dc=com"
directory /home/openldap/db.server2
--------------------------------
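The debug excerpt above is the only evidence in the report of what goes wrong: slapd, acting as the TLS client for the idassert bind, rejects server2's self-signed certificate at depth 0 with verify error 18 and sends a fatal "unknown CA" alert, then back-meta retries the same target. The script below is an added example, not part of Manuel's report or of OpenLDAP; it parses exactly this kind of level-1 debug output (in the line-wrapped form in which mail archives carry it) and turns it into a structured finding an operator can alert on: which target URI failed, whether the peer certificate was self-signed, and that the failure is on the client side, which is consistent with the configured tls_cacert not being in effect. The sample log is constructed from the lines quoted above; the constant name for error code 18 is OpenSSL's.

```python
"""Triage slapd level-1 TLS debug output for a failing back-meta idassert bind."""
import re

# Constructed sample: the slapd debug lines quoted in the report, kept in the
# wrapped form in which they appear in the mail archive.
SAMPLE_LOG = """\
ldap_connect_to_host: Trying 127.0.0.1:6361
ldap_pvt_connect: fd: 9 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject:
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=server2, issuer:
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=server2
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
signed certificate).
conn=1000 op=1 meta_search_dobind_init[0]: retrying
URI="ldaps://server2:6361" DN="".
"""

# OpenSSL X509 verify result code that slapd reports as "err: 18".
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18

# The patterns use \s+ and re.S so that lines wrapped by a mail client still match.
VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject:\s*(?P<subject>/.*?),\s*issuer:\s*(?P<issuer>/[^\n]*)",
    re.S,
)
ALERT_RE = re.compile(r"alert write:fatal:(?P<alert>[^\n]+)")
CONNECT_RE = re.compile(
    r"TLS: can't connect: error:(?P<code>[0-9A-Fa-f]+):(?P<reason>.*?)\.\s*\n", re.S
)
RETRY_RE = re.compile(
    r"meta_search_dobind_init\[(?P<target>\d+)\]: retrying\s+"
    r'URI="(?P<uri>[^"]*)"\s+DN="(?P<dn>[^"]*)"'
)


def _squash(text: str) -> str:
    """Collapse a line-wrapped field into single-space-separated text."""
    return " ".join(text.split())


def analyze_tls_failure(log: str) -> dict:
    """Extract the verify error, fatal alert, connect error and back-meta retry."""
    result = {"verify": None, "alert": None, "connect_error": None, "retry": None,
              "self_signed_peer": False, "findings": []}

    m = VERIFY_RE.search(log)
    if m:
        verify = {"depth": int(m["depth"]), "err": int(m["err"]),
                  "subject": _squash(m["subject"]), "issuer": _squash(m["issuer"])}
        result["verify"] = verify
        # A certificate that is its own issuer at depth 0 is self-signed; it can
        # only verify if that very certificate is in the client's trust store.
        if verify["depth"] == 0 and verify["subject"] == verify["issuer"]:
            result["self_signed_peer"] = True
            result["findings"].append(
                "peer certificate at depth 0 is self-signed (subject == issuer)")
        if verify["err"] == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
            result["findings"].append(
                "verify error 18: the peer certificate is not in the trust store slapd "
                "actually used, consistent with the configured tls_cacert not being applied")

    m = ALERT_RE.search(log)
    if m:
        # "alert write" means slapd (the TLS client here) sent the alert itself.
        result["alert"] = m["alert"].strip()
        result["findings"].append(f"client-side fatal alert sent: {result['alert']}")

    m = CONNECT_RE.search(log)
    if m:
        result["connect_error"] = {"code": m["code"], "reason": _squash(m["reason"])}

    m = RETRY_RE.search(log)
    if m:
        result["retry"] = {"target": int(m["target"]), "uri": m["uri"], "dn": m["dn"]}
        result["findings"].append(
            f"back-meta target {m['target']} ({m['uri']}) is retrying; the idassert "
            "bind never completes, so searches return no entries")
    return result


if __name__ == "__main__":
    for line in analyze_tls_failure(SAMPLE_LOG)["findings"]:
        print("-", line)
```

Running it against the quoted log yields four findings: a self-signed peer at depth 0, verify error 18, a client-sent "unknown CA" alert, and a retrying back-meta target. The same parser, fed a log from a slapd started with the LDAPTLS_* environment variables as in the working case above, returns no verify entry and an empty findings list, which is the quickest way to tell the two runs apart without reading the trace by hand.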