
Re: Translucent overlay search fails with TLS "cannot find private key for certificate"
>sigh< It's amazing what you see as you hit the Send button...

Here is my ldap.conf file: 

TLS_CACERTDIR   /opt/issinc/local/certs/nssdb
TLS_KEY         /opt/issinc/local/certs/.nss_tmp_pwd
TLS_REQCERT     allow

It did have TLS_REQCERT=demand, which was apparently causing the attempt to load the private key, etc. Setting it to allow got rid of the TLS messages, but didn't change the result. 

Here's what the debug output looks like now:

55fb193d ==> translucent_search: <dc=acme,dc=com> (&(objectClass=organizationalPerson)(|(givenName=john.doe)(sn=john.doe)(sAMAccountName=john.doe)(userPrincipalName=john.doe)))
55fb193d =>ldap_back_getconn: conn 0x7f1a041a9960 fetched refcnt=1.
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
55fb193d send_ldap_result: conn=1009 op=1 p=3
55fb193d send_ldap_result: err=52 matched="" text="Proxy operation retry failed"
55fb193d send_ldap_result: conn=1009 op=1 p=3
55fb193d send_ldap_result: err=52 matched="" text=""


On Thu, Sep 17, 2015 at 1:43 PM, Ernie Kovak <ernie.kovak@gmail.com> wrote:
Hello -

I'm running openldap 2.4.39 on centos 7, using the translucent overlay and moznss for connections to the backend Active Directory server. When I issue a search request for users in the backend directory I get no results and a "server not available" error - see the debug output below.

The same slapd.conf configuration, but on centos 5.10 and using OpenSSL, works correctly. So, I imagine it's related to moznss.

I've verified (firewall logs) that openldap successfully connects to the backend on startup, but not when the search request is submitted. It looks like it's trying to use client-authenticated TLS, even though the backend is not set up for that??

Any ideas?

Thanks!
Ernie

===============================================================================================
slapd.conf
===============================================================================================
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/inetorgperson.schema
include   /etc/openldap/schema/ppolicy.schema
include   /etc/openldap/schema/we_person_and_npe.schema

pidfile   /var/run/openldap/slapd.pid

loglevel    stats
#loglevel   -1
#loglevel   trace conns filter stats

# Path to dynamic modules:
modulepath /usr/lib64/openldap
moduleload back_mdb
moduleload back_ldap
moduleload translucent
moduleload accesslog
moduleload auditlog
moduleload valsort
moduleload ppolicy
moduleload memberof

# TLS server certs (TLS client config is in ldap.conf)
#TLSCACertificateFile    /opt/acme/global/certs/ca/ca.pem
#TLSCertificateFile      /opt/acme/global/certs/server-cert.pem
#TLSCertificateKeyFile   /opt/acme/global/certs/server-key.pem

# not working in our docker container since openldap is linked against NSS and not OpenSSL
#TLSCipherSuite          TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL:!SSLv2

# path of the directory containing the NSS certificate and key database files
TLSCACertificatePath /opt/acme/local/certs/nssdb/

# specifies the name of the certificate to use
TLSCertificateFile server

# name of a file that contains the password for the key for the certificate specified with TLSCertificateFile
# (contains clear text password for keystore and server cert private key)
TLSCertificateKeyFile /opt/acme/local/certs/.nss_tmp_pwd

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=clearance,citizenship,sciControl
  by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
  by dn="cn=npe-sts,ou=NPEs,ou=Native,dc=acme,dc=com" read
access to attrs=gimmeeOrg,gimmeeRegion,gimmeeTopic,gimmeeIsAICP,gimmeeGroup,gimmeeProject,gimmeeProjectGroup
  by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
  by dn="cn=npe-sts,ou=NPEs,ou=Native,dc=acme,dc=com" read
access to attrs=UUID
  by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
  by users read
access to attrs=userPassword
  by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
  by self write
  by anonymous auth
access to attrs=currentLoginDate,lastLoginDate,lastFailedLoginDate,currentLoginIpAddr,lastLoginIpAddr,lastFailedLoginIpAddr
  by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
  by dn="cn=npe-openid,ou=NPEs,ou=Native,dc=acme,dc=com" write
  by users read
access to *
  by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
  by users read
  by anonymous auth

#######################################################################
# Database for Native accounts (NPEs and users)
#######################################################################

database    mdb
suffix      "ou=Native,dc=acme,dc=com"
rootdn      "cn=weAdmin,dc=acme,dc=com"
directory   "/opt/acme/global/data/openldap/db/native-user-db"
subordinate
index       objectClass                 eq,pres
index       ou,cn,mail,surname          eq,pres,sub
index       clearance,scicontrol        eq,pres,sub
index       citizenship                 eq,pres,sub
password-hash   {SSHA}

# Apply password policy overlay to Native accounts, with a default policy.
overlay         ppolicy
ppolicy_default "cn=default,ou=Policies,ou=Native,dc=acme,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext

#######################################################################
# Database for additional attributes for enterprise accounts.
#######################################################################

database    mdb
suffix      "dc=acme,dc=com"
rootdn      "cn=weAdmin,dc=acme,dc=com"
rootpw      {SSHA}73M5MnfH97O8KAN8anAbneD2wf0C6VSg
directory   "/opt/acme/global/data/openldap/db/enterprise-user-db"
index       objectClass             eq,pres
index       ou,cn,mail,surname      eq,pres,sub
index       clearance,scicontrol    eq,pres,sub
index       citizenship             eq,pres,sub

#######################################################################
# Translucent LDAP proxy to Active Directory
#######################################################################
overlay       translucent
uri           "ldaps://atlas.acme.com:636"
chase-referrals no
idassert-bind   bindmethod=simple
  binddn="cn=devadmin,ou=Users,ou=System Accounts,ou=Acme,dc=acme,dc=com"
  credentials="******"
  mode=none
  tls_cacert=/opt/acme/global/certs/ca/gd-class2-root-2.pem
  tls_reqcert=demand

# Attributes to be searched for in local database. Only the classes that
# apply to proxied accounts are candidates for translucent_local:
# local wePerson attributes:
translucent_local       objectClass
translucent_local       UUID,accountStatus
translucent_local       rank,grade,position,command,agency
translucent_local       DSN
translucent_local       weGrp,weOrg
translucent_local       clearance,citizenship,scicontrol

# wePerson attributes pulled from remote directory:
translucent_remote      objectClass
translucent_remote      cn,givenName,sn,mail,o,mobile
translucent_remote      displayName,sAMAccountName,userPrincipalName

===============================================================================================
From output when setting SLAPD_OPTIONS="-d 65535"
===============================================================================================

<snip>  loads slapd.conf

55f854a6 config_build_entry: "olcDatabase={2}mdb"
55f854a6 config_build_entry: "olcOverlay={0}translucent"
55f854a6 ==> translucent_cfadd
55f854a6 config_build_entry: "olcDatabase={0}ldap"
55f854a6 config_build_entry: "olcOverlay={1}glue"
55f854a6 backend_startup_one: starting "ou=Native,dc=acme,dc=com"
55f854a6 mdb_db_open: "ou=Native,dc=acme,dc=com"
55f854a6 mdb_db_open: database "ou=Native,dc=acme,dc=com": dbenv_open(/opt/acme/global/data/openldap/db/native-user-db).
55f854a6 mdb_monitor_db_open: monitoring disabled; configure monitor database to enable
55f854a6 backend_startup_one: starting "dc=acme,dc=com"
55f854a6 mdb_db_open: "dc=acme,dc=com"
55f854a6 mdb_db_open: database "dc=acme,dc=com": dbenv_open(/opt/acme/global/data/openldap/db/enterprise-user-db).
55f854a6 ==> translucent_db_open
55f854a6 backend_startup_one: starting "dc=acme,dc=com"
55f854a6 ldap_back_db_open: URI=ldaps://atlas.acme.com:636
55f854a6 ldap_back_monitor_db_open: monitoring disabled; configure monitor database to enable
55f854a6 slapd starting

<snip>

55f876ea ==> translucent_search: <dc=acme,dc=com> (sAMAccountName=admin)
ldap_create
ldap_url_parse_ext(ldaps://atlas.acme.com:636)
55f876ea =>ldap_back_getconn: conn=1000 op=1: lc=0x7f3e581a9950 inserted refcnt=1 rc=0
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP atlas.acme.com:636
55f876ea daemon: activity on 1 descriptor
55f876ea daemon: activity on:55f876ea 
55f876ea daemon: epoll: listen=6 active_threads=0 tvp=NULL
55f876ea daemon: epoll: listen=7 active_threads=0 tvp=NULL
ldap_new_socket: 17
ldap_prepare_socket: 17
ldap_connect_to_host: Trying 172.12.3.45:636
ldap_pvt_connect: fd: 17 tm: -1 async: 0
attempting to connect: 
connect success
TLS: certdb config: configDir='/opt/acme/local/certs/nssdb/' tokenDescription='ldap(1)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /opt/acme/local/certs/nssdb/ prefix .
TLS: loaded CA certificate file /opt/acme/global/certs/ca/gd-class2-root-2.pem.
TLS: certificate 'server' successfully loaded from moznss database.
TLS: no unlocked certificate for certificate 'CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US'.
TLS: cannot find private key for certificate 'CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US' (error -12285: Unable to find the certificate or key necessary for authentication.)
TLS: error: unable to set up client certificate authentication for certificate named CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US
TLS: error: unable to set up client certificate authentication using 'CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US'
TLS: error: could not initialize moznss security context - error -12285:Unable to find the certificate or key necessary for authentication.
TLS: can't create ssl handle.
55f876ea send_ldap_result: conn=1000 op=1 p=3
55f876ea send_ldap_result: err=52 matched="" text="Proxy operation retry failed"
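Two points in this thread are worth checking mechanically: the reply changed the client-side `TLS_REQCERT` from `demand` to `allow` to silence the TLS messages, and the debug output above shows where the proxied connection actually dies (TCP connects, then NSS error -12285 while slapd tries to present its own `server` certificate as a client certificate, ending in LDAP result 52). The script below is an added example, not code from the thread or from the OpenLDAP project. It rates how strongly an `ldap.conf` verifies the backend's certificate (levels taken from ldap.conf(5), where `demand` is the default) and triages `slapd -d` lines into a short finding. The `LDAP_CONF` and `DEBUG_LOG` samples are constructed copies of the config and log lines quoted in this thread; the result-code name for 52 follows ldap.h (`LDAP_UNAVAILABLE`).

```python
import re
from dataclasses import dataclass, field

# Constructed copy of the ldap.conf from the reply (TLS_REQCERT switched to allow).
LDAP_CONF = """\
TLS_CACERTDIR   /opt/issinc/local/certs/nssdb
TLS_KEY         /opt/issinc/local/certs/.nss_tmp_pwd
TLS_REQCERT     allow
"""

# Constructed excerpt modelled on the slapd -d 65535 output in the thread.
DEBUG_LOG = """\
55f876ea ==> translucent_search: <dc=acme,dc=com> (sAMAccountName=admin)
ldap_connect_to_host: TCP atlas.acme.com:636
connect success
TLS: certificate 'server' successfully loaded from moznss database.
TLS: no unlocked certificate for certificate 'CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US'.
TLS: cannot find private key for certificate 'CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US' (error -12285: Unable to find the certificate or key necessary for authentication.)
TLS: error: unable to set up client certificate authentication for certificate named CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US
TLS: can't create ssl handle.
55f876ea send_ldap_result: err=52 matched="" text="Proxy operation retry failed"
"""

# TLS_REQCERT levels per ldap.conf(5): never/allow accept any or no server cert,
# try rejects a bad cert but tolerates a missing one, demand/hard require a valid one.
REQCERT_LEVEL = {"never": 0, "allow": 1, "try": 2, "demand": 3, "hard": 3}
LDAP_RESULT_NAMES = {0: "success", 52: "unavailable (LDAP_UNAVAILABLE)"}

NSS_ERR = re.compile(r"error (-\d+)")
LDAP_RESULT = re.compile(r'send_ldap_result: err=(\d+) matched="[^"]*" text="([^"]*)"')
CLIENT_CERT_FAIL = re.compile(r"^TLS: .*(cannot find private key|unable to set up client certificate)")
CERT_LOADED = re.compile(r"^TLS: certificate '([^']+)' successfully loaded")


def parse_ldap_conf(text):
    """Return {UPPERCASE_KEY: value} for 'KEY value' lines; blanks and # comments skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf


def reqcert_assessment(conf):
    """Classify how TLS_REQCERT treats the backend server's certificate."""
    value = conf.get("TLS_REQCERT", "demand").lower()  # demand is the ldap.conf(5) default
    level = REQCERT_LEVEL.get(value)
    if level is None:
        return {"value": value, "verifies_server": False, "note": "unrecognised TLS_REQCERT value"}
    if level >= REQCERT_LEVEL["demand"]:
        note = "backend certificate must validate against TLS_CACERT/TLS_CACERTDIR"
    elif level == REQCERT_LEVEL["try"]:
        note = "a bad backend certificate is rejected, but a missing one is tolerated"
    else:
        note = ("backend certificate problems are ignored, so the proxy's bind "
                "credentials are sent to whatever answered on the port")
    return {"value": value, "verifies_server": level >= REQCERT_LEVEL["demand"], "note": note}


@dataclass
class Triage:
    tcp_connected: bool = False
    client_cert_nickname: str = ""
    tls_client_cert_failed: bool = False
    tls_handle_created: bool = True
    nss_errors: list = field(default_factory=list)
    result_codes: list = field(default_factory=list)
    result_texts: list = field(default_factory=list)

    def summary(self):
        if not self.tcp_connected:
            return "no TCP connection to the backend was established"
        if self.tls_client_cert_failed:
            where = "while presenting certificate %r as a client certificate" % self.client_cert_nickname
        elif not self.tls_handle_created:
            where = "during TLS setup"
        else:
            where = "after TLS setup (inspect the bind/search result)"
        codes = ", ".join("%d=%s" % (c, LDAP_RESULT_NAMES.get(c, "?")) for c in self.result_codes) or "none"
        return "TCP reached the backend; failure %s; NSS errors %s; LDAP results: %s" % (
            where, self.nss_errors or "none", codes)


def triage_debug(text):
    """Walk slapd -d lines in order and record where the proxy connection failed."""
    t = Triage()
    for line in text.splitlines():
        if line.strip() == "connect success":
            t.tcp_connected = True
        m = CERT_LOADED.match(line)
        if m:
            t.client_cert_nickname = m.group(1)
        if CLIENT_CERT_FAIL.match(line):
            t.tls_client_cert_failed = True
        if "can't create ssl handle" in line.lower():
            t.tls_handle_created = False
        if line.startswith("TLS:"):
            for code in NSS_ERR.findall(line):
                if int(code) not in t.nss_errors:
                    t.nss_errors.append(int(code))
        m = LDAP_RESULT.search(line)
        if m:
            t.result_codes.append(int(m.group(1)))
            t.result_texts.append(m.group(2))
    return t


if __name__ == "__main__":
    print("TLS_REQCERT:", reqcert_assessment(parse_ldap_conf(LDAP_CONF)))
    print(triage_debug(DEBUG_LOG).summary())
```

Run on the constructed samples, the first line reports that `allow` leaves the backend unverified, and the second pins the failure on client-certificate setup rather than on the backend being unreachable, which is the distinction the "server not available" result (52) alone hides.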