ldap_sasl_interactive_bind_s: Local error ???
Hi all,
I've tried many times to test OpenLDAP with TLS/SSL, but I'm still confused.
After installing OpenLDAP 2.0.25 on my RH Linux 7.3 box (2.4.18)
with the option "--with-tls", I decided to create my own root CA to sign
the server certificate and the client ones, following these steps:
i. Creating the root CA --->
ii. Creating the LDAP server's certificates --->
iii. Creating the clients' certificates --->
iv. Configuring the slapd.conf, ldap.conf and .ldaprc files --->
v. Starting the LDAP service with TLS/SSL.
vi. Testing a TLS/SSL query.
But I can't query information from the LDAP server over TLS/SSL; I get "ldap_sasl_interactive_bind_s: Local error".
The following steps are the details:
1. Create the root CA as root in /usr/shares/ssl/misc/:
$./CA -newca
...
The CA's subject is: /c=CN/o=CNIC/cn=CAManager
2. Create the LDAP server's key and CSR (Certificate Signing Request) files as root in /usr/local/etc/openldap/:
$openssl genrsa -out server.key 1024
$openssl req -new -key server.key -out server.csr
...
The server's certificate subject is: /c=CN/o=CNIC/ou=SDB/cn=moon.rd.sdb.ac.cn
3. Sign the server's request file as root:
$cp server.csr /usr/shares/ssl/misc/newreq.pem
$cd /usr/shares/ssl/misc
$./CA -sign
$cp newcert.pem /usr/local/etc/openldap/server.crt
Now server.crt, server.csr and server.key are all in the /usr/local/etc/openldap/ directory.
4. Get the hash number of cacert.pem in /usr/shares/ssl/misc/demoCA/ (as root):
$openssl x509 -hash -in /usr/shares/ssl/misc/demoCA/cacert.pem
52026275
$cp cacert.pem 52026275.0
5. Then switch to the normal user account "demo" and create its key/request files in /home/demo/ldapcert/:
$openssl genrsa -out user.key 1024
$openssl req -new -key user.key -out user.csr
The subject is: /c=CN/o=CNIC/ou=SDB/cn=demo
6. Sign the demo user's request file:
$cp user.csr /usr/shares/ssl/misc/newreq.pem
$cd /usr/shares/ssl/misc
$./CA -sign
$cp newcert.pem /home/demo/ldapcert/user.crt
Now user.crt, user.csr and user.key are all in the /home/demo/ldapcert/ directory.
7. Configure "slapd.conf" as root:
#============begin==================
include /usr/local/etc/openldap/schema/core.schema
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
database ldbm
suffix "o=MyTest,c=CN"
rootdn "cn=Manager,o=MyTest,c=CN"
rootpw secret
directory /usr/local/var/openldap-ldbm
index objectClass eq
TLSCertificateFile /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/server.key
TLSCACertificateFile /usr/share/ssl/misc/demoCA/52026275.0
#============end====================
8. Add a line to "ldap.conf" as root:
TLS_CACERT /usr/share/ssl/misc/demoCA/52026275.0
9. Configure the ".ldaprc" file as demo in /home/demo/:
#=============begin=================================
TLS_CERT /home/demo/ldapcert/user.crt
TLS_KEY /home/demo/ldapcert/user.key
#=============end===================================
10. Start the LDAP server as root in /usr/local/libexec/:
$slapd -h "ldap:/// ldaps:///"
$ps -el | grep "slapd"
040 S 0 3677 1 0 77 0 - 1945 rt_sig ? 00:00:00 slapd
040 S 0 3678 3677 0 75 0 - 1945 schedu ? 00:00:00 slapd
040 S 0 3679 3678 0 80 0 - 1945 schedu ? 00:00:00 slapd
11. Create a database in the LDAP server:
Edit a testldap.ldif file as:
#===========begin==================
dn: o=MyTest,c=CN
objectClass: top
objectClass: organization
o: MyTest Organization

dn: cn=Manager,o=MyTest,c=CN
objectClass: organizationalRole
cn: Manager
#===========end====================
Then import this LDIF file to create the database:
$ldapadd -f testldap.ldif -x -D "cn=Manager,o=MyTest,c=CN" -w secret
Adding the new entries is OK! I can browse them with LDAP browser/editor tools.
12. Query information in the LDAP server with TLS/SSL as demo:
$ldapsearch -h moon.rd.sdb.ac.cn -p 389 -b "o=MyTest,c=CN" -s sub "(objectclass=*)" -Z -v
ldap_init( moon.rd.sdb.ac.cn, 389 )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error
When running:
$ldapsearch localhost -b "o=MyTest,c=CN" -s sub "(objectclass=*)" -Z -v
ldap_initialize( <DEFAULT> )
ldap_start_tls: Connect error
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error
When running with the "-x" (simple authentication) option:
$ldapsearch localhost -b "o=MyTest,c=CN" -s sub "(objectclass=*)" -x
// returns correct results without entering any password! Why ???
######################################################################################
Can anyone give me some suggestion or hints?
Is there any omission or error in the above steps?
Sincere thanks in advance for any help ;-)
Zhang Fei
zhfei@sdb.ac.cn
2002-11-20
===========================================================
R&D of SDB Department
CNIC,CAS,Beijing of CHINA
100080
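As an added example (not code from the original post or from the OpenLDAP project), the script below rebuilds the CA and server certificate steps above with plain openssl commands in a temporary directory and runs the offline checks an ldapsearch -Z connection relies on: the server certificate must chain to the configured CA, key and certificate must belong together, and the certificate CN is what the client compares against the host given to -h. All subjects and hostnames are constructed; it assumes only the openssl CLI on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the post's CA and server
# certificate flow in a scratch directory, then run the offline checks that an
# ldapsearch -Z connection depends on. Assumes the openssl CLI is on PATH;
# every subject and hostname below is constructed for the example.
set -eu

# Steps 1-3 of the post with plain openssl commands instead of the CA wrapper script.
build_test_pki() {
  dir=$1; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/C=CN/O=CNIC/CN=CAManager" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/C=CN/O=CNIC/OU=SDB/CN=ldap.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$dir/server.csr" -CA "$dir/cacert.pem" \
    -CAkey "$dir/cakey.pem" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
}

# Does the server certificate chain to the CA named in TLS_CACERT / TLSCACertificateFile?
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Do TLSCertificateKeyFile and TLSCertificateFile belong together? Compare RSA moduli.
key_matches_cert() {
  [ "$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)" = \
    "$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)" ]
}

# The CN the client compares against the host given to ldapsearch -h.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Step 4 of the post: install the CA cert under <subject_hash>.0 in a directory.
# Only a directory lookup (TLS_CACERTDIR, openssl -CApath) needs this naming;
# a TLS_CACERT file may have any name.
install_ca_hashed() {
  cadir=$2; mkdir -p "$cadir"
  cp "$1" "$cadir/$(openssl x509 -noout -subject_hash -in "$1").0"
}

main() {
  t=$(mktemp -d); build_test_pki "$t"
  chain_ok "$t/cacert.pem" "$t/server.crt" && echo "chain: ok"
  key_matches_cert "$t/server.key" "$t/server.crt" && echo "key/cert: ok"
  echo "server CN: $(cert_cn "$t/server.crt")"
  install_ca_hashed "$t/cacert.pem" "$t/cadir"
  openssl verify -CApath "$t/cadir" "$t/server.crt"
  rm -rf "$t"
}
main
```

A certificate that fails `chain_ok` against the configured CA, or whose CN differs from the name passed to -h, is refused by the client before any bind is attempted.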