
Invalid DN reported during authentication



Hello experts,

I set up an OpenLDAP server some time ago and am now creating a newer server for TLS 1.3 support.
I am using a fully patched CentOS 7 server with OpenLDAP 2.4.44 and am seeing 'invalid DN' when authenticating to the server from my Linux client.
I will try to supply all of the config and the tests I have done so far:

########################################
ldap.conf:

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net
URI     ldap://openldapsec.brm.acslab.wokyourdog.net

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# NOTE(review): ldap.conf(5) spells its TLS options as TLS_* (e.g. TLS_CACERT,
# TLS_CACERTDIR, TLS_CIPHER_SUITE, TLS_REQCERT). The TLSCipherSuite,
# TLSCACertificateFile, TLSCertificateFile, TLSCertificateKeyFile and
# TLSVerifyClient spellings below are the slapd.conf(5) forms (they reappear
# verbatim in the slapd.conf section of this post) -- confirm the client
# library is actually honouring them rather than skipping unknown keywords.
# NOTE(review): the suite string below admits MEDIUM ciphers and +SSLv3; for a
# server being rebuilt for TLS 1.3, a HIGH-only suite without SSLv3 is the
# usual expectation -- confirm this is intentional.
TLSCipherSuite        HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
TLS_CACERTDIR /etc/openldap/certs
TLS_CACERT /etc/openldap/certs/RootCA.pem
TLSCACertificateFile /etc/openldap/certs/RootCA.pem
TLSCertificateFile /etc/openldap/certs/Identity.pem
TLSCertificateKeyFile /etc/openldap/certs/Identity.key
TLSVerifyClient       never

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on

########################################
slapd.conf

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema

# Added for policy
include     /etc/openldap/schema/ppolicy.schema

# Allow LDAPv2 client connections.  This is NOT the default.
# NOTE(review): LDAPv2 is obsolete; keep this only if a specific legacy client
# still needs it, otherwise drop it so the server only speaks LDAPv3.
allow bind_v2
 
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

moduleload ppolicy.la
 
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
# (The comment above is the distribution default; the paths below point at
# RootCA.pem / Identity.pem rather than the dummy slapd.pem it describes.)
TLSCACertificateFile /etc/openldap/certs/RootCA.pem
TLSCertificateFile /etc/openldap/certs/Identity.pem
TLSCertificateKeyFile /etc/openldap/certs/Identity.key

# NOTE(review): bdb is deprecated in the 2.4 series in favour of mdb; a server
# being built fresh would normally use "database mdb".
database    bdb
suffix      "dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net"
rootdn      "cn=root,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net"
# NOTE(review): the ldapsearch transcript later in this post binds as this
# rootdn with a cleartext password on the command line (-w), so treat the
# rootpw below as disclosed and rotate it; prefer -W or -y <file> so the
# secret does not land in shell history or process listings.
rootpw      {SSHA}C6RcppHr0rweEVCQW6pio6tnPCIHCGnt
 
# PPolicy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net"
# NOTE(review): per slapo-ppolicy(5), ppolicy_use_lockout makes a bind to a
# locked account return a distinct AccountLocked error instead of plain
# invalidCredentials, which reveals lock state to unauthenticated clients --
# confirm this disclosure is acceptable here.
ppolicy_use_lockout
ppolicy_hash_cleartext

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/ldap
 
# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

########################################
ldapsearch output:

[root@OpenLDAP_Server openldap]# ldapsearch -H ldap://openldapsec.brm.acslab.wokyourdog.net -D "cn=root,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net" -w Siladmin123 -ZZ
# extended LDIF
#
# LDAPv3
# base <dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# openldapsec.brm.acslab.wokyourdog.net
dn: dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net
dc: openldapsec
objectClass: top
objectClass: domain

# people, openldapsec.brm.acslab.wokyourdog.net
dn: ou=people,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net
objectClass: top
objectClass: organizationalUnit
ou: people

# swadmin3, openldapsec.brm.acslab.wokyourdog.net
dn: cn=swadmin3,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net
objectClass: person
objectClass: uidObject
cn: swadmin3
sn: admin user
uid: swadmin3
userPassword:: e1NTSEF9WDdRQ2xzallYUDUvWU9sZnJyc3ZWVXhnS0xkbXB2U1o=

# search result
search: 3
result: 0 Success

# numResponses: 4
# numEntries: 3


########################################
ldapwhoami

[root@OpenLDAP_Server openldap]# ldapwhoami -vvv -h openldapsec.brm.acslab.wokyourdog.net -p 389 -D "cn=swadmin3,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net" -x -w Siladmin123
ldap_initialize( ldap://openldapsec.brm.acslab.wokyourdog.net:389 )
dn:cn=swadmin3,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net
Result: Success (0)


########################################
client authentication failure logs

ber_dump: buf=0x7fe684117870 ptr=0x7fe684117870 end=0x7fe68411788d len=29
  0000:  02 01 01 77 18 80 16 31  2e 33 2e 36 2e 31 2e 34   ...w...1.3.6.1.4  
  0010:  2e 31 2e 31 34 36 36 2e  32 30 30 33 37            .1.1466.20037    
ber_dump: buf=0x7fe684117870 ptr=0x7fe684117873 end=0x7fe68411788d len=26
  0000:  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   w...1.3.6.1.4.1.  
  0010:  31 34 36 36 2e 32 30 30  33 37                     1466.20037        
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........    
ber_dump: buf=0x7fe684115be0 ptr=0x7fe684115be0 end=0x7fe684115c23 len=67
  0000:  02 01 02 60 3e 02 01 03  04 2c 73 77 61 64 6d 69   ...`>....,swadmi  
  0010:  6e 33 40 6f 70 65 6e 6c  64 61 70 73 65 63 2e 62   n3@openldapsec.b  
  0020:  72 6d 2e 62 73 6e 6c 61  62 2e 62 72 6f 61 64 63   rm.acslab.wokyou  
  0030:  6f 6d 2e 6e 65 74 80 0b  53 69 6c 61 64 6d 69 6e   rdog.net..Siladmin  
  0040:  31 32 33                                           123              
ber_dump: buf=0x7fe684115be0 ptr=0x7fe684115be3 end=0x7fe684115c23 len=64
  0000:  60 3e 02 01 03 04 2c 73  77 61 64 6d 69 6e 33 40   `>....,swadmin3@  
  0010:  6f 70 65 6e 6c 64 61 70  73 65 63 2e 62 72 6d 2e   openldapsec.brm.  
  0020:  62 73 6e 6c 61 62 2e 62  72 6f 61 64 63 6f 6d 2e   acslab.wokyourdog.  
  0030:  6e 65 74 80 0b 53 69 6c  61 64 6d 69 6e 31 32 33   net..Siladmin123  
ber_dump: buf=0x7fe684115be0 ptr=0x7fe684115c16 end=0x7fe684115c23 len=13
  0000:  00 0b 53 69 6c 61 64 6d  69 6e 31 32 33            ..Siladmin123    
5d10d347 conn=1048 op=1 do_bind: invalid dn (swadmin3@openldapsec.brm.acslab.wokyourdog.net)
  0000:  30 16 02 01 02 61 11 0a  01 22 04 00 04 0a 69 6e   0....a..."....in  
  0010:  76 61 6c 69 64 20 44 4e                            valid DN          
ber_dump: buf=0x7fe6841171a0 ptr=0x7fe6841171a0 end=0x7fe6841171a5 len=5
  0000:  02 01 03 42 00                                     ...B.            
ber_dump: buf=0x7fe684107eb0 ptr=0x7fe684107eb0 end=0x7fe684107ecd len=29
  0000:  02 01 01 77 18 80 16 31  2e 33 2e 36 2e 31 2e 34   ...w...1.3.6.1.4  
  0010:  2e 31 2e 31 34 36 36 2e  32 30 30 33 37            .1.1466.20037    
ber_dump: buf=0x7fe684107eb0 ptr=0x7fe684107eb3 end=0x7fe684107ecd len=26
  0000:  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   w...1.3.6.1.4.1.  
  0010:  31 34 36 36 2e 32 30 30  33 37                     1466.20037        
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........    
ber_dump: buf=0x7fe684002250 ptr=0x7fe684002250 end=0x7fe6840022ae len=94
  0000:  02 01 02 60 59 02 01 03  04 47 63 6e 3d 73 77 61   ...`Y....Gcn=swa  
  0010:  64 6d 69 6e 33 2c 63 6e  3d 75 73 65 72 73 2c 64   dmin3,cn=users,d  
  0020:  63 3d 6f 70 65 6e 6c 64  61 70 73 65 63 2c 64 63   c=openldapsec,dc  
  0030:  3d 62 72 6d 2c 64 63 3d  62 73 6e 6c 61 62 2c 64   =brm,dc=acslab,d  
  0040:  63 3d 62 72 6f 61 64 63  6f 6d 2c 64 63 3d 6e 65   c=wokyourdog,dc=ne  
  0050:  74 80 0b 53 69 6c 61 64  6d 69 6e 31 32 33         t..Siladmin123    
ber_dump: buf=0x7fe684002250 ptr=0x7fe684002253 end=0x7fe6840022ae len=91
  0000:  60 59 02 01 03 04 47 63  6e 3d 73 77 61 64 6d 69   `Y....Gcn=swadmi  
  0010:  6e 33 2c 63 6e 3d 75 73  65 72 73 2c 64 63 3d 6f   n3,cn=users,dc=o  
  0020:  70 65 6e 6c 64 61 70 73  65 63 2c 64 63 3d 62 72   penldapsec,dc=br  
  0030:  6d 2c 64 63 3d 62 73 6e  6c 61 62 2c 64 63 3d 62   m,dc=acslab,dc=w  
  0040:  72 6f 61 64 63 6f 6d 2c  64 63 3d 6e 65 74 80 0b   kyourdog,dc=net..  
  0050:  53 69 6c 61 64 6d 69 6e  31 32 33                  Siladmin123      
ber_dump: buf=0x7fe684002250 ptr=0x7fe6840022a1 end=0x7fe6840022ae len=13
  0000:  00 0b 53 69 6c 61 64 6d  69 6e 31 32 33            ..Siladmin123    
  0000:  30 0c 02 01 02 61 07 0a  01 31 04 00 04 00         0....a...1....    
ber_dump: buf=0x7fe684118dd0 ptr=0x7fe684118dd0 end=0x7fe684118dd5 len=5
  0000:  02 01 03 42 00                                     ...B.            

Please let me know if you can see my misconfiguration or if you have any questions about my setup.
 
Thanks,
Chris