
why does ldapsearch just hang with SASL/EXTERNAL authentication started?



hello list,

:¬O H-E-E-E-E-E-L-L-L-L-P-P-P!!!!

for the past week and a half, i've been trying to get an openldap
client on a mac os x 10.4.11 (OpenLDAP 2.2) to talk to an ldap
directory server (sun iPlanet directory server 5.1) on a solaris 9
sparc box; using client authentication with x509 certificates for both
the server and the client.

i have successfully configured client authn between the directory
server (ds) on the solaris box and a precompiled ldapsearch binary
client (also running on that same solaris box). the ldapsearch binary
is part of the netscape security services (nss) ldap c sdk 6.0.x that
came bundled with - what sun calls its - "ds resource kit 5.2
(dsrk)".

since client authn works successfully between those 2 components
running local to each other, i figured a remote client authn setup
shouldn't be much of a stretch (if the openldap.org docs are to be
believed). BOY! was i wrong!

after copying the same ca cert and client cert (in .pem format) that
worked successfully on the solaris box over to my mac os x box, i
configured ldap.conf and .ldaprc to point to the certs and keys (see below).

when i run an openldap ldapsearch on the mac, the tls handshake
appears to succeed (see below); then the sasl/external client authn
appears to kick off; then it just hangs! the last thing that's output
to the shell is "SASL/EXTERNAL authentication started". but the shell
cursor just hangs there; flashing away - doing nothing!

the solaris ds access logs seem to report that a bind took place as a
result of the mac openldap ldapsearch attempt:

  "...conn=45 SSL client bound as cn=bilbo,ou=development,o=helpme.com"

please, will you help me to get my mac openldap ldapsearch client to
authenticate to my solaris ds using a client cert?

i've read and reread the openldap.org tls docs
(http://www.openldap.org/doc/admin24/tls.html); i've read and reread
the openldap.org sasl docs
(http://www.openldap.org/doc/admin24/sasl.html); i've scoured this
list; i've scoured the cyrus sasl list
(http://asg.andrew.cmu.edu/archive/index.php?mailbox=archive.cyrus-sasl);
i've tried adding the "-I" switch to the ldapsearch command, but that
results in an endless loop of being prompted over and over to enter an
authorization id.

i've tried editing /etc/syslog.conf with the following:

   "local4.*    /var/log/openldap.log"

but nothing ever gets logged to that file!

i've spent so much time trying to solve this problem on my own that
my wife has threatened to leave me for my best friend if i don't stop
spending so much time on this! my dog snarled at me and bit my behind
today because he doesn't recognize me anymore! my daughter is talking
about becoming an "exotic dancer" because i don't pay her enough
attention from working on this! my failure to accomplish such a
seemingly simple task has made me consider taking my own life!

seriously though: I NEED YOUR HELP!

thanks in advance for your help.



==========================================================
ds access logs after successful ldapsearch on solaris box:
==========================================================
...
[07/Dec/2008:04:29:38 +0000] conn=0 fd=49 slot=49 SSL connection from 127.0.0.1 to 127.0.0.1
[07/Dec/2008:04:29:38 +0000] conn=0 SSL 128-bit RC4; client O=helpme.com, OU=Development, CN=bilbo; issuer E=ldapca@helpme.com, CN=ldapca, OU=development, O=helpme.com, L=Chicago, ST=IL, C=US
[07/Dec/2008:04:29:38 +0000] conn=0 SSL client bound as cn=bilbo,ou=development,o=helpme.com
[07/Dec/2008:04:29:38 +0000] conn=0 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[07/Dec/2008:04:29:38 +0000] conn=0 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=bilbo,ou=development,o=helpme.com"
[07/Dec/2008:04:29:38 +0000] conn=0 op=1 SRCH base="ou=development,o=helpme.com" scope=2 filter="(cn=bilbo)" attrs=ALL
[07/Dec/2008:04:29:38 +0000] conn=0 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[07/Dec/2008:04:29:38 +0000] conn=0 op=2 UNBIND
[07/Dec/2008:04:29:38 +0000] conn=0 op=2 fd=49 closed - U1
...

==========================================================
hanging mac osx openldap ldapsearch command results:
==========================================================
bilbo$ ldapsearch -v -H ldap://bebop -s sub -b "" -LLL -d -7 -ZZ
ldap_initialize( ldap://bebop )
ldap_create
ldap_url_parse_ext(ldap://bebop)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP bebop:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.0.8:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: bebop  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Sun Dec  7 16:04:48 2008

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 95 contents:
ber_dump: buf=0x004044b0 ptr=0x004044b0 end=0x0040450f len=95
  0000:  02 01 01 78 5a 0a 01 00  04 00 04 3b 53 74 61 72   ...xZ......;Star
  0010:  74 20 54 4c 53 20 72 65  71 75 65 73 74 20 61 63   t TLS request ac
  0020:  63 65 70 74 65 64 2e 53  65 72 76 65 72 20 77 69   cepted.Server wi
  0030:  6c 6c 69 6e 67 20 74 6f  20 6e 65 67 6f 74 69 61   lling to negotia
  0040:  74 65 20 53 53 4c 2e 8a  16 31 2e 33 2e 36 2e 31   te SSL...1.3.6.1
  0050:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_read: message type extended-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x004044b0 ptr=0x004044b3 end=0x0040450f len=92
  0000:  78 5a 0a 01 00 04 00 04  3b 53 74 61 72 74 20 54   xZ......;Start T
  0010:  4c 53 20 72 65 71 75 65  73 74 20 61 63 63 65 70   LS request accep
  0020:  74 65 64 2e 53 65 72 76  65 72 20 77 69 6c 6c 69   ted.Server willi
  0030:  6e 67 20 74 6f 20 6e 65  67 6f 74 69 61 74 65 20   ng to negotiate
  0040:  53 53 4c 2e 8a 16 31 2e  33 2e 36 2e 31 2e 34 2e   SSL...1.3.6.1.4.
  0050:  31 2e 31 34 36 36 2e 32  30 30 33 37               1.1466.20037
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x004044b0 ptr=0x004044b3 end=0x0040450f len=92
  0000:  78 5a 0a 01 00 04 00 04  3b 53 74 61 72 74 20 54   xZ......;Start T
  0010:  4c 53 20 72 65 71 75 65  73 74 20 61 63 63 65 70   LS request accep
  0020:  74 65 64 2e 53 65 72 76  65 72 20 77 69 6c 6c 69   ted.Server willi
  0030:  6e 67 20 74 6f 20 6e 65  67 6f 74 69 61 74 65 20   ng to negotiate
  0040:  53 53 4c 2e 8a 16 31 2e  33 2e 36 2e 31 2e 34 2e   SSL...1.3.6.1.4.
  0050:  31 2e 31 34 36 36 2e 32  30 30 33 37               1.1466.20037
ber_scanf fmt (a) ber:
ber_dump: buf=0x004044b0 ptr=0x004044f7 end=0x0040450f len=24
  0000:  8a 16 31 2e 33 2e 36 2e  31 2e 34 2e 31 2e 31 34   ..1.3.6.1.4.1.14
  0010:  36 36 2e 32 30 30 33 37                            66.20037
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x004044b0 ptr=0x004044b3 end=0x0040450f len=92
  0000:  78 5a 0a 01 00 04 00 04  3b 53 74 61 72 74 20 54   xZ......;Start T
  0010:  4c 53 20 72 65 71 75 65  73 74 20 61 63 63 65 70   LS request accep
  0020:  74 65 64 2e 53 65 72 76  65 72 20 77 69 6c 6c 69   ted.Server willi
  0030:  6e 67 20 74 6f 20 6e 65  67 6f 74 69 61 74 65 20   ng to negotiate
  0040:  53 53 4c 2e 8a 16 31 2e  33 2e 36 2e 31 2e 34 2e   SSL...1.3.6.1.4.
  0050:  31 2e 31 34 36 36 2e 32  30 30 33 37               1.1466.20037
ber_scanf fmt (x) ber:
ber_dump: buf=0x004044b0 ptr=0x004044f7 end=0x0040450f len=24
  0000:  8a 16 31 2e 33 2e 36 2e  31 2e 34 2e 31 2e 31 34   ..1.3.6.1.4.1.14
  0010:  36 36 2e 32 30 30 33 37                            66.20037
ber_scanf fmt (}) ber:
ber_dump: buf=0x004044b0 ptr=0x0040450f end=0x0040450f len=0

ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=US/ST=IL/L=Chicago/O=helpme.com/OU=development/CN=ldapca/emailAddress=ldapca@helpme.com, issuer: /C=US/ST=IL/L=Chicago/O=helpme.com/OU=development/CN=ldapca/emailAddress=ldapca@helpme.com
TLS certificate verification: depth: 0, err: 0, subject: /C=US/ST=IL/L=Chicago/O=helpme.com/OU=development/CN=bebop, issuer: /C=US/ST=IL/L=Chicago/O=helpme.com/OU=development/CN=ldapca/emailAddress=ldapca@helpme.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_sasl_interactive_bind_s: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_int_sasl_open: host=bebop
=> ldap_dn2bv(16)
ldap_err2string
<= ldap_dn2bv(O=helpme.com,OU=Development,CN=bilbo)=0 Success
SASL/EXTERNAL authentication started
[shell just hangs here]
==========================================================

==========================================================
ds access logs after hanging ldapsearch from mac os x:
==========================================================
...
[07/Dec/2008:16:04:48 +0000] conn=45 fd=49 slot=49 connection from 10.0.0.9 to 10.0.0.8
[07/Dec/2008:16:04:48 +0000] conn=45 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[07/Dec/2008:16:04:48 +0000] conn=45 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[07/Dec/2008:16:04:49 +0000] conn=45 SSL 128-bit RC4; client O=helpme.com, OU=Development, CN=bilbo; issuer E=ldapca@helpme.com, CN=ldapca, OU=development, O=helpme.com, L=Chicago, ST=IL, C=US
[07/Dec/2008:16:04:49 +0000] conn=45 SSL client bound as cn=bilbo,ou=development,o=helpme.com
[end of file]

==========================================================
ldap.conf file:
==========================================================

HOST	bebop
BASE	dc=bebop,dc=helpme,dc=net

TLS_REQCERT	demand
TLS_CACERT	/Users/bilbo/development/projects/tutorials/ldap/conf/.security/take5/bebopCACert.pem

==========================================================
.ldaprc file:
==========================================================
URI		ldaps://bebop:636
HOST		bebop
BASE		""
TLS_REQCERT	demand
TLS_CACERT	/Users/bilbo/development/projects/tutorials/ldap/conf/.security/take5/bebopCACert.pem
TLS_CERT	/Users/bilbo/development/projects/tutorials/ldap/conf/.security/take5/bilboClientCert.pem
TLS_KEY		/Users/bilbo/development/projects/tutorials/ldap/conf/.security/take5/bilboClientKey.pem
SASL_MECH	EXTERNAL
==========================================================
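A small log-correlation script, added here and not part of the original post or of OpenLDAP/iPlanet, that reads the two access-log excerpts above and reports, per connection, how far the server got in the TLS-then-SASL/EXTERNAL sequence (the sample records are constructed copies of the excerpts, with wrapped lines joined; the field names and OID are those that appear in the logs):

```python
import re

# Constructed copies of the two access-log excerpts in the post (wrapped records joined).
SUCCESS_LOG = """\
[07/Dec/2008:04:29:38 +0000] conn=0 fd=49 slot=49 SSL connection from 127.0.0.1 to 127.0.0.1
[07/Dec/2008:04:29:38 +0000] conn=0 SSL client bound as cn=bilbo,ou=development,o=helpme.com
[07/Dec/2008:04:29:38 +0000] conn=0 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[07/Dec/2008:04:29:38 +0000] conn=0 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=bilbo,ou=development,o=helpme.com"
[07/Dec/2008:04:29:38 +0000] conn=0 op=2 UNBIND
"""
HANG_LOG = """\
[07/Dec/2008:16:04:48 +0000] conn=45 fd=49 slot=49 connection from 10.0.0.9 to 10.0.0.8
[07/Dec/2008:16:04:48 +0000] conn=45 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[07/Dec/2008:16:04:48 +0000] conn=45 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[07/Dec/2008:16:04:49 +0000] conn=45 SSL client bound as cn=bilbo,ou=development,o=helpme.com
"""

CONN_RE = re.compile(r"\] conn=(\d+) (.*)$")
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # the EXT oid seen in the hanging log

def summarize(log_text):
    # conn id -> what the server saw: StartTLS, TLS client identity, BIND mech, BIND result
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        cid, rest = m.groups()
        st = conns.setdefault(cid, {"starttls": False, "tls_dn": None,
                                    "bind_mech": None, "bind_err": None})
        if rest.startswith("op=") and 'EXT oid="%s"' % STARTTLS_OID in rest:
            st["starttls"] = True
        elif rest.startswith("SSL client bound as "):
            st["tls_dn"] = rest[len("SSL client bound as "):]
        elif " BIND " in rest:
            mm = re.search(r"mech=(\S+)", rest)
            st["bind_mech"] = mm.group(1) if mm else "simple"
        elif " RESULT " in rest and st["bind_mech"] and st["bind_err"] is None:
            st["bind_err"] = int(re.search(r"err=(\d+)", rest).group(1))
    return conns

def diagnose(state):
    # Where in the TLS -> SASL/EXTERNAL sequence did this connection stop?
    if state["tls_dn"] is None:
        return "no client certificate accepted"
    if state["bind_mech"] is None:
        return "client cert accepted, but no BIND request ever arrived"
    if state["bind_err"] == 0:
        return "SASL %s bind succeeded" % state["bind_mech"]
    return "bind failed with err=%s" % state["bind_err"]
```

Run against a full access log, this separates "the server rejected the bind" from "the server never received a bind", which is the distinction the two excerpts show.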