
SSF Question, PHP problems with TLS



Hello,
 
I have a couple of questions relating to LDAP, PHP and TLS.  I have spent considerable time investigating this and am still having problems.
I used the openldap FAQ-O-Matic instructions to re-generate my self signed certificate.  See certificate generation.
 
My production ACL forces ssf=40 for the userPassword attribute to force encryption of the password, so getting encryption working properly is especially vital.
 
From the command line I am only able to Start-TLS using the -x or "Simple Bind" switch. 
 
without the simple bind
error = ldap_sasl_interactive_bind_s: Local error (82)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found)
 
with the simple bind (-x)
success
 
I understand that version 2.0 requires this switch for SASL.
 

QUESTION # 1. Why do I see SSF=0 in the log? Does this mean that the session is not encrypted??
 
I have noted ssf=0 in previous slapd.log files when I start-TLS with -x where I would expect something higher
 
# ldapsearch -H ldaps://testserver.test.com -x -D uid=testuid,ou=users,dc=test,dc=com -b ou=users,dc=test,dc=com -w secret uid=testaccount
Aug 30 11:29:06 testServer slapd[10463]: => access_allowed: auth access granted by auth(=x)
Aug 30 11:29:06 testServer slapd[10463]: conn=2 op=0 BIND dn="uid=testacct,ou=users,dc=test,dc=com" mech=SIMPLE ssf=0
 
# ldapsearch -H ldap://testserver.test.com -x -ZZ -D uid=testuid,ou=users,dc=test,dc=com -b ou=users,dc=test,dc=com -w secret uid=testaccount
Aug 30 11:48:44 testServer slapd[10518]: do_extended: oid=1.3.6.1.4.1.1466.20037
Aug 30 11:48:44 testServer slapd[10518]: connection_get(14)
Aug 30 11:48:44 testServer last message repeated 2 times
Aug 30 11:48:44 testServer slapd[10518]: conn=0 op=1 BIND dn="uid=testacct,ou=users,dc=test,dc=com" method=128
Aug 30 11:48:44 testServer slapd[10518]: ==> bdb_bind: dn: uid=testacct,ou=users,dc=test,dc=com
Aug 30 11:48:44 testServer slapd[10518]: => access_allowed: auth access to "uid=testacct,cn=users,dc=test,dc=com" "userPassword" requested
Aug 30 11:48:44 testServer slapd[10518]: => dnpat: [1] (.*,)cn=users,dc=test,dc=com nsub: 1
Aug 30 11:48:44 testServer slapd[10518]: => acl_get: [1] matched
Aug 30 11:48:44 testServer slapd[10518]: => acl_get: [1] check attr userPassword
Aug 30 11:48:44 testServer slapd[10518]: <= acl_get: [1] acl uid=testacct,cn=users,dc=test,dc=com attr: userPassword
Aug 30 11:48:44 testServer slapd[10518]: => acl_mask: access to entry "uid=testacct,cn=users,dc=test,dc=com", attr "userPassword" requested
Aug 30 11:48:44 testServer slapd[10518]: => acl_mask: to all values by "", (=n)
Aug 30 11:48:44 testServer slapd[10518]: <= check a_dn_pat: *
Aug 30 11:48:44 testServer slapd[10518]: <= check a_authz.sai_ssf: ACL 40 > OP 256
Aug 30 11:48:44 testServer slapd[10518]: <= acl_mask: [1] applying auth(=x) (stop)
Aug 30 11:48:44 testServer slapd[10518]: <= acl_mask: [1] mask: auth(=x)
Aug 30 11:48:44 testServer slapd[10518]: => access_allowed: auth access granted by auth(=x)
Aug 30 11:48:44 testServer slapd[10518]: conn=0 op=1 BIND dn="uid=testacct,cn=users,dc=test,dc=com" mech=SIMPLE ssf=0
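The slapd excerpt above carries two different ssf values: the ssf= on the BIND stats line is the protection supplied by the bind mechanism itself (always 0 for a simple bind), while the ACL line "check a_authz.sai_ssf: ACL 40 > OP 256" compares the ssf the ACL demands with the operation's effective ssf, which already counts the TLS layer. The script below is an added example, not part of the original post: it pulls both numbers out of slapd debug output and gives a verdict, using lines copied from the post as a constructed sample (the "testServer" host name and the DN are the post's values; the function names are my own).

```shell
#!/bin/sh
# Added example (not from the post): separate the bind mechanism's ssf from
# the operation's effective ssf in slapd debug output. All log-reading
# functions take the log text on standard input.
set -eu

# Constructed sample: the StartTLS + simple bind session quoted in the post.
sample_log() {
  cat <<'EOF'
Aug 30 11:48:44 testServer slapd[10518]: do_extended: oid=1.3.6.1.4.1.1466.20037
Aug 30 11:48:44 testServer slapd[10518]: conn=0 op=1 BIND dn="uid=testacct,ou=users,dc=test,dc=com" method=128
Aug 30 11:48:44 testServer slapd[10518]: <= check a_authz.sai_ssf: ACL 40 > OP 256
Aug 30 11:48:44 testServer slapd[10518]: conn=0 op=1 BIND dn="uid=testacct,cn=users,dc=test,dc=com" mech=SIMPLE ssf=0
EOF
}

# Constructed counter-example: the same simple bind with no TLS layer, so the
# operation's ssf (0) falls short of the ACL's requirement (40).
plain_sample_log() {
  cat <<'EOF'
Aug 30 11:29:06 testServer slapd[10463]: conn=2 op=0 BIND dn="uid=testacct,ou=users,dc=test,dc=com" method=128
Aug 30 11:29:06 testServer slapd[10463]: <= check a_authz.sai_ssf: ACL 40 > OP 0
Aug 30 11:29:06 testServer slapd[10463]: conn=2 op=0 BIND dn="uid=testacct,ou=users,dc=test,dc=com" mech=SIMPLE ssf=0
EOF
}

# Did the client send the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037)?
starttls_requested() {
  if grep -q 'do_extended: oid=1\.3\.6\.1\.4\.1\.1466\.20037'; then echo yes; else echo no; fi
}

# ssf of the bind mechanism, from the "BIND dn=... mech=... ssf=N" stats line.
bind_mech_ssf() {
  sed -n 's/.*BIND dn=.* mech=[A-Za-z0-9_-]* ssf=\([0-9]*\).*/\1/p' | tail -n 1
}

# ssf the ACL clause demands ("ACL 40 > OP 256" -> 40).
acl_ssf() {
  sed -n 's/.*a_authz\.sai_ssf: ACL \([0-9]*\) > OP \([0-9]*\).*/\1/p' | tail -n 1
}

# Effective ssf of the operation, TLS included ("ACL 40 > OP 256" -> 256).
op_ssf() {
  sed -n 's/.*a_authz\.sai_ssf: ACL \([0-9]*\) > OP \([0-9]*\).*/\2/p' | tail -n 1
}

# protected / unprotected / unknown, depending on whether the operation's
# ssf meets the ACL's requirement (unknown when no ACL ssf line was logged).
ssf_verdict() {
  log=$(cat)
  req=$(printf '%s\n' "$log" | acl_ssf)
  eff=$(printf '%s\n' "$log" | op_ssf)
  [ -n "$req" ] && [ -n "$eff" ] || { echo unknown; return 0; }
  if [ "$eff" -ge "$req" ]; then echo protected; else echo unprotected; fi
}

# Live client-side check (needs a reachable server, so it is not run here):
# -ZZ makes ldapsearch fail instead of continuing when StartTLS does not
# succeed, and -d 1 turns on the client's trace output, including TLS.
starttls_probe() {
  ldapsearch -H "ldap://$1" -x -ZZ -d 1 -s base -b '' '(objectclass=*)' namingContexts
}

# Stand-alone run: report on the constructed sample.
printf 'StartTLS requested: %s\n' "$(sample_log | starttls_requested)"
printf 'mechanism ssf=%s  acl ssf=%s  operation ssf=%s  verdict=%s\n' \
  "$(sample_log | bind_mech_ssf)" "$(sample_log | acl_ssf)" \
  "$(sample_log | op_ssf)" "$(sample_log | ssf_verdict)"
```

Feed a real slapd log to the functions with `ssf_verdict < slapd.log` (at the debug level shown in the post, the ACL check lines are present). Newer slapd releases additionally log a separate "TLS established tls_ssf=... ssf=..." line per connection, which makes the TLS layer visible without reading the ACL trace.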
 
 
 
QUESTION # 2.
 
I am having problems that I consider related when I attempt to use TLS with php.
phpLDAPadmin works fine without TLS
 

For this case though I switched back to the default ACL to avoid any ACL related problems.
 
When I start TLS, the browser states "Could not start TLS. Please check your LDAP server configuration"
 
the slapd.log
Aug 30 09:46:40 testServer slapd[3964]: conn=27 fd=14 ACCEPT from IP=1.2.3.4:37580 (IP=4.3.2.1:389)
Aug 30 09:46:40 testServer slapd[3964]: connection_get(14)
Aug 30 09:46:40 testServer slapd[3964]: do_extended: oid=1.3.6.1.4.1.1466.20037
Aug 30 09:46:40 testServer slapd[3964]: connection_get(14)
Aug 30 09:46:40 testServer slapd[3964]: conn=27 fd=14 closed
 

I have attempted to solve this problem based on several php and phpldapadmin posts relating to configuring the ldap.conf and .ldaprc files, without success.
 
I tried to use an ldaps connection with PHP (phpldapadmin) with no success.
 
 
 
I greatly appreciate your comments and assistance.
 
Thanks
 
Mark
 

BACKGROUND
 

########################################################
 

########################################################
########################################################
Question 1:
Why do I see SSF=0 in the log? Does this mean that the session is not encrypted??
 
I am able to start TLS and bind using the -x switch for simple bind
 
server3231:~ # ldapsearch -h testServer.test.com -p 389 -ZZ -x -D "cn=ldap=admin,dc=test,dc=com" -w secret -b ou=users,dc=test,dc=com uid=testacct
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=test,dc=com> with scope sub
# filter: uid=testacct
# requesting: ALL
#
 
# testacct, users, test.com
dn: uid=testacct,ou=users,dc=test,dc=com
uid: testacct
telephoneNumber: xxx
title: yyyyy
departmentNumber: 221
description: /Users/labusers
employeeType: faculty
employeeNumber: 104372
roomNumber: VMH207 & GH 213
userPassword:: 12312312313213213hghgf
sn: LastName
givenName: First
displayName: TLS is a pain
cn: wholename
mailRoutingAddress: testacct@test.com
mailHost: mail.test.com
eduPersonPrimaryAffiliation: Staff
eduPersonAffiliation: Staff
objectClass: inetOrgPerson
objectClass: hsuPerson
objectClass: person
objectClass: eduPerson
objectClass: top
objectClass: organizationalPerson
objectClass: inetLocalMailRecipient
 

# search result
search: 3
result: 0 Success
 
# numResponses: 2
# numEntries: 1
 
 
 
slapd.log
Aug 27 14:18:29 testServer slapd[3640]: conn=4 fd=13 ACCEPT from IP=1.2.3.4:34261 (IP=4.3.2.1:389)
Aug 27 14:18:29 testServer slapd[3640]: connection_get(13)
Aug 27 14:18:29 testServer slapd[3640]: do_extended: oid=1.3.6.1.4.1.1466.20037
Aug 27 14:18:29 testServer slapd[3640]: connection_get(13)
Aug 27 14:18:29 testServer last message repeated 2 times
Aug 27 14:18:29 testServer slapd[3640]: conn=4 op=1 BIND dn="cn=ldap-admin,dc=test,dc=com" method=128
Aug 27 14:18:29 testServer slapd[3640]: ==> bdb_bind: dn: cn=ldap-admin,dc=test,dc=com
Aug 27 14:18:29 testServer slapd[3640]: conn=4 op=1 BIND dn="cn=ldap-admin,dc=test,dc=com" mech=SIMPLE ssf=0
Aug 27 14:18:29 testServer slapd[3640]: send_ldap_result: err=0 matched="" text=""
Aug 27 14:18:29 testServer slapd[3640]: conn=4 op=1 RESULT tag=97 err=0 text=
Aug 27 14:18:29 testServer slapd[3640]: connection_get(13)
Aug 27 14:18:29 testServer slapd[3640]: SRCH "ou=users,dc=test,dc=com" 2 0
Aug 27 14:18:29 testServer slapd[3640]:     0 0 0
Aug 27 14:18:29 testServer slapd[3640]: begin get_filter
Aug 27 14:18:29 testServer slapd[3640]: EQUALITY
Aug 27 14:18:29 testServer slapd[3640]: end get_filter 0
Aug 27 14:18:29 testServer slapd[3640]:     filter: (uid=testacct)
Aug 27 14:18:29 testServer slapd[3640]:     attrs:
Aug 27 14:18:29 testServer slapd[3640]: 
Aug 27 14:18:29 testServer slapd[3640]: conn=4 op=2 SRCH base="ou=users,dc=test,dc=com" scope=2 filter="(uid=testacct)"
Aug 27 14:18:29 testServer slapd[3640]: => bdb_filter_candidates
Aug 27 14:18:29 testServer slapd[3640]: ^IAND
Aug 27 14:18:29 testServer slapd[3640]: => bdb_list_candidates 0xa0
Aug 27 14:18:29 testServer slapd[3640]: => bdb_filter_candidates
Aug 27 14:18:29 testServer slapd[3640]: ^IDN SUBTREE
Aug 27 14:18:29 testServer slapd[3640]: bdb_idl_fetch_key: @ou=users,dc=test,dc=com
Aug 27 14:18:29 testServer slapd[3640]: <= bdb_filter_candidates: id=25381 first=3 last=25465
Aug 27 14:18:29 testServer slapd[3640]: => bdb_filter_candidates
Aug 27 14:18:29 testServer slapd[3640]: ^IOR
Aug 27 14:18:29 testServer slapd[3640]: => bdb_list_candidates 0xa1
Aug 27 14:18:29 testServer slapd[3640]: => bdb_filter_candidates
Aug 27 14:18:29 testServer slapd[3640]: ^IEQUALITY
Aug 27 14:18:29 testServer slapd[3640]: bdb_idl_fetch_key: [b49d1940]
Aug 27 14:18:29 testServer slapd[3640]: <= bdb_filter_candidates: id=0 first=0 last=0
Aug 27 14:18:29 testServer slapd[3640]: => bdb_filter_candidates
Aug 27 14:18:29 testServer slapd[3640]: ^IEQUALITY
Aug 27 14:18:29 testServer slapd[3640]: bdb_idl_fetch_key: [45f58aed]
Aug 27 14:18:29 testServer slapd[3640]: <= bdb_filter_candidates: id=1 first=785 last=785
Aug 27 14:18:29 testServer slapd[3640]: <= bdb_list_candidates: id=1 first=785 last=785
Aug 27 14:18:29 testServer slapd[3640]: <= bdb_filter_candidates: id=1 first=785 last=785
Aug 27 14:18:29 testServer slapd[3640]: <= bdb_list_candidates: id=1 first=785 last=785
Aug 27 14:18:29 testServer slapd[3640]: <= bdb_filter_candidates: id=1 first=785 last=785
Aug 27 14:18:29 testServer slapd[3640]: => test_filter
Aug 27 14:18:29 testServer slapd[3640]:     EQUALITY
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: search access to "uid=testacct,ou=users,dc=test,dc=com" "uid" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: <= test_filter 6
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "entry" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "uid" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "telephoneNumber" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "title" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "departmentNumber" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "description" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
--------------------------------------------
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "mailHost" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "eduPersonPrimaryAffiliation" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "calstateEduPersonFerpaFlag" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "eduPersonAffiliation" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "objectClass" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "mailAlternateAddress" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "mail" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: conn=4 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 27 14:18:29 testServer slapd[3640]: connection_get(13)
Aug 27 14:18:29 testServer slapd[3640]: conn=4 op=3 UNBIND
Aug 27 14:18:29 testServer slapd[3640]: conn=4 fd=13 closed
 
########################################################
 
########################################################
 
PROBLEM # 2
PHP Can't connect to directory using SSL or TLS
 
PHP script - test
test using port 636, SSL
 

PHP script
 
<?php

// Minimal ldaps connection test. The original had the URI unquoted and the
// body in a bare brace block with a return statement, which PHP rejects;
// wrapping it in a function keeps the intent and makes it runnable.
function ldap_ssl_test()
{
    $ldap_server = "ldaps://testServer.test.com";
    $ldap_user   = "cn=ldap-admin,dc=test,dc=com";
    $ldap_pass   = "secret";

    $ad = ldap_connect($ldap_server);
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    $bound = ldap_bind($ad, $ldap_user, $ldap_pass);

    return $ad;
}

ldap_ssl_test();
?>
 
html output
 
Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/src/phpldapadmin-0.9.4b/ssl-test.php on line 10
 
slapd.log output
 
Aug 30 08:52:42 testServer slapd[3964]: conn=24 fd=14 ACCEPT from IP=1.2.3.4:37533 (IP=4.3.2.1:636)
Aug 30 08:52:42 testServer slapd[3964]: connection_get(14)
Aug 30 08:52:42 testServer slapd[3964]: conn=24 fd=14 closed
 
########################################################
 
########################################################
 
Question # 2 Continued
phpLDAPadmin can't connect to directory using TLS
 
A successful bind test using port 389, no TLS
phpldapadmin config.php for this server
 
phpldapadmin
config.php
$i++;
$servers[$i]['name'] = 'testServer.test.com';
$servers[$i]['host'] = 'testServer.test.com';
$servers[$i]['base'] = 'dc=test,dc=com';
$servers[$i]['port'] = 4032;
$servers[$i]['auth_type'] = 'cookie';
$servers[$i]['login_dn'] = '';
$servers[$i]['login_pass'] = '';
$servers[$i]['tls'] = false;
$servers[$i]['low_bandwidth'] = false;
$servers[$i]['default_hash'] = 'crypt';
$servers[$i]['login_attr'] = 'dn';
$servers[$i]['login_class'] = '';
$servers[$i]['read_only'] = false;
$servers[$i]['show_create'] = true;
$servers[$i]['enable_auto_uid_numbers'] = false;
$servers[$i]['auto_uid_number_mechanism'] = 'search';
$servers[$i]['auto_uid_number_search_base'] = 'ou=People,dc=example,dc=com';
$servers[$i]['auto_uid_number_min'] = 1000;
$servers[$i]['auto_uid_number_uid_pool_dn'] = 'cn=uidPool,dc=example,dc=com';
 
Successfully logged into server testServer.test.com
 
Aug 30 09:41:33 testServer slapd[3964]: conn=25 fd=14 ACCEPT from IP=1.2.3.4:37574 (IP=4.3.2.1:4032)
Aug 30 09:41:33 testServer slapd[3964]: connection_get(14)
Aug 30 09:41:33 testServer slapd[3964]: conn=25 op=0 BIND dn="cn=ldap-admin,dc=test,dc=com" method=128
Aug 30 09:41:33 testServer slapd[3964]: ==> bdb_bind: dn: cn=ldap-admin,dc=test,dc=com
Aug 30 09:41:33 testServer slapd[3964]: conn=25 op=0 BIND dn="cn=ldap-admin,dc=test,dc=com" mech=SIMPLE ssf=0
Aug 30 09:41:33 testServer slapd[3964]: send_ldap_result: err=0 matched="" text=""
Aug 30 09:41:33 testServer slapd[3964]: conn=25 op=0 RESULT tag=97 err=0 text=
Aug 30 09:41:33 testServer slapd[3964]: connection_get(14)
Aug 30 09:41:33 testServer slapd[3964]: conn=25 op=1 UNBIND
Aug 30 09:41:33 testServer slapd[3964]: conn=25 fd=14 closed
Aug 30 09:41:33 testServer slapd[3964]: conn=26 fd=14 ACCEPT from IP=1.2.3.4:37575 (IP=4.3.2.1:4032)
Aug 30 09:41:33 testServer slapd[3964]: connection_get(14)
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=0 BIND dn="cn=ldap-admin,dc=test,dc=com" method=128
Aug 30 09:41:33 testServer slapd[3964]: ==> bdb_bind: dn: cn=ldap-admin,dc=test,dc=com
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=0 BIND dn="cn=ldap-admin,dc=test,dc=com" mech=SIMPLE ssf=0
Aug 30 09:41:33 testServer slapd[3964]: send_ldap_result: err=0 matched="" text=""
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=0 RESULT tag=97 err=0 text=
Aug 30 09:41:33 testServer slapd[3964]: connection_get(14)
Aug 30 09:41:33 testServer slapd[3964]: SRCH "dc=test,dc=com" 1 0
Aug 30 09:41:33 testServer slapd[3964]:     51 0 -1
Aug 30 09:41:33 testServer slapd[3964]: begin get_filter
Aug 30 09:41:33 testServer slapd[3964]: PRESENT
Aug 30 09:41:33 testServer slapd[3964]: end get_filter 0
Aug 30 09:41:33 testServer slapd[3964]:     filter: (objectClass=*)
Aug 30 09:41:33 testServer slapd[3964]:     attrs:
Aug 30 09:41:33 testServer slapd[3964]:  dn
Aug 30 09:41:33 testServer slapd[3964]: 
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=1 SRCH base="dc=test,dc=com" scope=1 filter="(objectClass=*)"
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=1 SRCH attr=dn
Aug 30 09:41:33 testServer slapd[3964]: => bdb_filter_candidates
Aug 30 09:41:33 testServer slapd[3964]: ^IAND
Aug 30 09:41:33 testServer slapd[3964]: => bdb_list_candidates 0xa0
Aug 30 09:41:33 testServer slapd[3964]: => bdb_filter_candidates
Aug 30 09:41:33 testServer slapd[3964]: ^IDN ONE
Aug 30 09:41:33 testServer slapd[3964]: bdb_idl_fetch_key: %dc=test,dc=com
Aug 30 09:41:33 testServer slapd[3964]: <= bdb_filter_candidates: id=5 first=2 last=22516
Aug 30 09:41:33 testServer slapd[3964]: => bdb_filter_candidates
Aug 30 09:41:33 testServer slapd[3964]: ^IPRESENT
Aug 30 09:41:33 testServer slapd[3964]: <= bdb_filter_candidates: id=-1 first=1 last=25465
Aug 30 09:41:33 testServer slapd[3964]: <= bdb_list_candidates: id=5 first=2 last=22516
Aug 30 09:41:33 testServer slapd[3964]: <= bdb_filter_candidates: id=5 first=2 last=22516
Aug 30 09:41:33 testServer slapd[3964]: => test_filter
Aug 30 09:41:33 testServer slapd[3964]:     PRESENT
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: search access to "cn=ldap-admin,dc=test,dc=com" "objectClass" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: <= test_filter 6
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: read access to "cn=ldap-admin,dc=test,dc=com" "entry" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: => test_filter
Aug 30 09:41:33 testServer slapd[3964]:     PRESENT
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: search access to "ou=users,dc=test,dc=com" "objectClass" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: <= test_filter 6
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: read access to "ou=users,dc=test,dc=com" "entry" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: => test_filter
Aug 30 09:41:33 testServer slapd[3964]:     PRESENT
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: search access to "ou=groups,dc=test,dc=com" "objectClass" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: <= test_filter 6
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: read access to "ou=groups,dc=test,dc=com" "entry" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: => test_filter
Aug 30 09:41:33 testServer slapd[3964]:     PRESENT
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: search access to "ou=samba,dc=test,dc=com" "objectClass" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: <= test_filter 6
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: read access to "ou=samba,dc=test,dc=com" "entry" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: => test_filter
Aug 30 09:41:33 testServer slapd[3964]:     PRESENT
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: search access to "ou=Computers,dc=test,dc=com" "objectClass" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: <= test_filter 6
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: read access to "ou=Computers,dc=test,dc=com" "entry" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
Aug 30 09:41:33 testServer slapd[3964]: connection_get(14)
Aug 30 09:41:33 testServer slapd[3964]: SRCH "dc=test,dc=com" 0 1
Aug 30 09:41:33 testServer slapd[3964]:     0 0 0
Aug 30 09:41:33 testServer slapd[3964]: begin get_filter
Aug 30 09:41:33 testServer slapd[3964]: PRESENT
Aug 30 09:41:33 testServer slapd[3964]: end get_filter 0
Aug 30 09:41:33 testServer slapd[3964]:     filter: (objectClass=*)
Aug 30 09:41:33 testServer slapd[3964]:     attrs:
Aug 30 09:41:33 testServer slapd[3964]:  objectClass
Aug 30 09:41:33 testServer slapd[3964]: 
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=2 SRCH base="dc=test,dc=com" scope=0 filter="(objectClass=*)"
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=2 SRCH attr=objectClass
Aug 30 09:41:33 testServer slapd[3964]: base_candidates: base: "dc=test,dc=com" (0x00000001)
Aug 30 09:41:33 testServer slapd[3964]: => test_filter
Aug 30 09:41:33 testServer slapd[3964]:     PRESENT
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: search access to "dc=test,dc=com" "objectClass" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: <= test_filter 6
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: read access to "dc=test,dc=com" "entry" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: read access to "dc=test,dc=com" "objectClass" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 30 09:41:33 testServer slapd[3964]: connection_get(14)
Aug 30 09:41:33 testServer slapd[3964]: connection_get(14)
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=3 UNBIND
Aug 30 09:41:33 testServer slapd[3964]: conn=26 fd=14 closed
 
########################################################
 
########################################################
 
Question 2 Continued
phpLDAPadmin can't connect to directory using TLS
 
Unsuccessful bind test using port 389, Start-TLS
 
phpldapadmin config.php for this server
 

$servers[$i]['name'] = 'testServer.test.com';
$servers[$i]['host'] = 'testServer.test.com';
$servers[$i]['base'] = 'dc=test,dc=com';
$servers[$i]['port'] = 389;
$servers[$i]['auth_type'] = 'cookie';
$servers[$i]['login_dn'] = '';
$servers[$i]['login_pass'] = '';
$servers[$i]['tls'] = true;
$servers[$i]['low_bandwidth'] = false;
$servers[$i]['default_hash'] = 'crypt';
$servers[$i]['login_attr'] = 'dn';
$servers[$i]['login_class'] = '';
$servers[$i]['read_only'] = false;
$servers[$i]['show_create'] = true;
$servers[$i]['enable_auto_uid_numbers'] = false;
$servers[$i]['auto_uid_number_mechanism'] = 'search';
$servers[$i]['auto_uid_number_search_base'] = 'ou=People,dc=example,dc=com';
$servers[$i]['auto_uid_number_min'] = 1000;
$servers[$i]['auto_uid_number_uid_pool_dn'] = 'cn=uidPool,dc=example,dc=com';
 
(html)
Error
Could not start TLS. Please check your LDAP server configuration.
 
slapd.log error
Aug 30 09:46:40 testServer slapd[3964]: conn=27 fd=14 ACCEPT from IP=1.2.3.4:37580 (IP=4.3.2.1:389)
Aug 30 09:46:40 testServer slapd[3964]: connection_get(14)
Aug 30 09:46:40 testServer slapd[3964]: do_extended: oid=1.3.6.1.4.1.1466.20037
Aug 30 09:46:40 testServer slapd[3964]: connection_get(14)
Aug 30 09:46:40 testServer slapd[3964]: conn=27 fd=14 closed
 

########################################################
Changed slapd to run on ldap:/// and ldaps:/// rather than IP address of server
 

phpldapadmin config.php for this server
test using port 389, Start-TLS
 
$servers[$i]['name'] = 'testServer.test.com';
$servers[$i]['host'] = 'testServer.test.com';
$servers[$i]['base'] = 'dc=test,dc=com';
$servers[$i]['port'] = 389;
$servers[$i]['auth_type'] = 'cookie';
$servers[$i]['login_dn'] = '';
$servers[$i]['login_pass'] = '';
$servers[$i]['tls'] = true;
$servers[$i]['low_bandwidth'] = false;
$servers[$i]['default_hash'] = 'crypt';
$servers[$i]['login_attr'] = 'dn';
$servers[$i]['login_class'] = '';
$servers[$i]['read_only'] = false;
$servers[$i]['show_create'] = true;
$servers[$i]['enable_auto_uid_numbers'] = false;
$servers[$i]['auto_uid_number_mechanism'] = 'search';
$servers[$i]['auto_uid_number_search_base'] = 'ou=People,dc=example,dc=com';
$servers[$i]['auto_uid_number_min'] = 1000;
$servers[$i]['auto_uid_number_uid_pool_dn'] = 'cn=uidPool,dc=example,dc=com';
 
(html)
Error
Could not start TLS. Please check your LDAP server configuration.
 
slapd.log error
 
Aug 30 10:08:00 testServer slapd[10391]: str2filter "(objectclass=*)"
Aug 30 10:08:00 testServer slapd[10391]: begin get_filter
Aug 30 10:08:00 testServer slapd[10391]: PRESENT
Aug 30 10:08:00 testServer slapd[10391]: end get_filter 0
Aug 30 10:08:00 testServer slapd[10391]: conn=0 fd=14 ACCEPT from IP=1.2.3.4:37598 (IP=4.3.2.1:389)
Aug 30 10:08:00 testServer slapd[10391]: connection_get(14)
Aug 30 10:08:00 testServer slapd[10391]: do_extended: oid=1.3.6.1.4.1.1466.20037
Aug 30 10:08:00 testServer slapd[10391]: connection_get(14)
Aug 30 10:08:00 testServer slapd[10391]: conn=0 fd=14 closed
 
 
 
 
 
Certificate Generation:
OpenLDAP Faq-O-Matic : OpenLDAP Software FAQ : Configuration : How do I use TLS/SSL?
 
cd /var/myca
CA.sh -newca
 
openssl req -new -nodes -keyout newreq.pem -out newreq.pem
 
CA.sh -sign
 
cp cacert.pem /usr/local/etc/openldap/cacert.pem
mv newcert.pem /usr/local/etc/openldap/servercrt.pem
mv newreq.pem /usr/local/etc/openldap/serverkey.pem
chmod 600 /usr/local/etc/openldap/serverkey.pem
 
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem
 
Install a copy of the CA certificate on all of your client machines. Configuration is done in /usr/local/etc/openldap/ldap.conf:
TLS_CACERT /usr/local/etc/openldap/cacert.pem
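The procedure above, carried through with plain openssl(1) commands in place of CA.sh, as an added example that is not part of the post or of the OpenLDAP FAQ. It ends with the two checks that explain most "Could not start TLS" failures: the server certificate must verify against the CA file the client trusts, and its CN must be the host name the client actually connects to (the post connects to both "testserver.test.com" and "testServer.test.com"; host names compare case-insensitively, so that difference is harmless, but a certificate issued to an IP address or a different name is not). The directory, file names and host name are assumptions taken from the post; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the post or the FAQ): CA + server certificate with
# plain openssl commands, installed to the post's paths, then verified.
set -eu

CA_DIR=${CA_DIR:-/var/myca}                      # assumed working directory (from the post)
LDAP_ETC=${LDAP_ETC:-/usr/local/etc/openldap}    # paths used by the post's slapd.conf
LDAP_HOST=${LDAP_HOST:-testServer.test.com}      # host name clients will connect to

# Self-signed CA: key and certificate in one step (replaces "CA.sh -newca").
make_ca() {
  openssl req -x509 -new -nodes -days 3650 \
    -subj "/O=Test CA/CN=Test Root CA" \
    -keyout "$CA_DIR/cakey.pem" -out "$CA_DIR/cacert.pem"
}

# Server key and CSR with CN set to the host name, signed by the CA
# (replaces "openssl req -new -nodes ..." followed by "CA.sh -sign").
make_server_cert() {
  openssl req -new -nodes -subj "/O=Test/CN=$LDAP_HOST" \
    -keyout "$CA_DIR/serverkey.pem" -out "$CA_DIR/newreq.pem"
  openssl x509 -req -days 365 -in "$CA_DIR/newreq.pem" \
    -CA "$CA_DIR/cacert.pem" -CAkey "$CA_DIR/cakey.pem" -CAcreateserial \
    -out "$CA_DIR/servercrt.pem"
}

# Install where the post's TLSCACertificateFile / TLSCertificateFile /
# TLSCertificateKeyFile directives point; the key is readable by owner only.
install_certs() {
  cp "$CA_DIR/cacert.pem" "$LDAP_ETC/cacert.pem"
  cp "$CA_DIR/servercrt.pem" "$LDAP_ETC/servercrt.pem"
  cp "$CA_DIR/serverkey.pem" "$LDAP_ETC/serverkey.pem"
  chmod 600 "$LDAP_ETC/serverkey.pem"
}

# CN from an "openssl x509 -noout -subject" line; accepts both the old
# "subject= /C=US/CN=host" and the newer "subject=C = US, CN = host" layout.
subject_cn() {
  printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Host names compare case-insensitively; returns 0 on match, 1 otherwise.
cn_matches_host() {
  cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$cn" = "$host" ]
}

# Chain check against the installed CA file, then the CN check.
verify_installed() {
  openssl verify -CAfile "$LDAP_ETC/cacert.pem" "$LDAP_ETC/servercrt.pem"
  subj=$(openssl x509 -noout -subject -in "$LDAP_ETC/servercrt.pem")
  cn=$(subject_cn "$subj")
  if cn_matches_host "$cn" "$LDAP_HOST"; then
    echo "OK: certificate CN '$cn' matches $LDAP_HOST"
  else
    echo "MISMATCH: certificate CN '$cn' but clients connect to $LDAP_HOST" >&2
    return 1
  fi
}

# The full run is opt-in ("sh thisfile run") so that sourcing the file only
# defines the functions and touches no files.
if [ "${1:-}" = run ]; then
  make_ca && make_server_cert && install_certs && verify_installed
fi
```

Clients then need the CA file via TLS_CACERT in ldap.conf exactly as the FAQ text says; PHP's ldap functions use the same libldap configuration, so a CA that ldapsearch -ZZ accepts is also the one PHP will accept. One caveat for current software: modern TLS clients match the host name against the certificate's subjectAltName rather than the CN, so on OpenSSL 1.1.1 or later add `-addext "subjectAltName=DNS:$LDAP_HOST"` to the server's `openssl req` command.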
 
What is simple bind
 
At 08:06 AM 10/31/00 -0800, Hans Zauner wrote:
>I had some troubles getting ldapadd to authenticate
>with slapd (Im using SASL/TSL) and I posted to this
>list.  I was told to use -x for simple bind (which
>worked) however I am curious.
>
>What is simple bind?
 
Simple bind refers to the DN/password authentication
mechanism supported by both LDAPv2 and LDAPv3.  This
mechanism offers integrity or confidentiality protection.
 
>I've read the FAQ and I used the ldapadd command
>syntax as described there, (which didn't work) however
>it did not mention -x (simple bind) at all.
 
The FAQ details OpenLDAP 1.2 which doesn't require the -x.
OpenLDAP 2.0 requires -x to avoid the defaulting to SASL
based authentication and security services.