Hello
I'm trying to get multiple syncrepl-powered replicas available under the same DNS name. I use OpenLDAP-2.3.32
Each replica has a certificate with subjectAltName=DNS:ldap.example.net,DNS:host.example.net. Clients can happily connect to it, that part works.
syncrepl is working with the provider using a certificate, but now I'd like the consumers to use a certificate too, so that the provider does not push sensitive data to anyone that pretends to be a replica.
After two days of fighting against the machine, I discovered that I could not use a different certificate for the syncrepl consumer and the LDAP service running on the replica. This is a bug in 2.3.x, as explained by Howard Chu: http://www.openldap.org/lists/openldap-software/200604/msg00202.html http://www.openldap.org/lists/openldap-software/200604/msg00201.html
So I have to use the same certificate. I could live with that, but it does not work: I add this to the syncrepl statement in the consumers' slapd.conf: bindmethod=sasl saslmech=EXTERNAL
And when restarting it, I get this error: do_syncrep1: rid 217 ldap_sasl_interactive_bind_s failed (7)
I tried to use my certificate with ldapsearch. With an appropriate .ldaprc, I can try this (the server here is the provider):
# ldapsearch -b "" -s base +
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
        additional info: SASL(-4): no mechanism available:
Using a certificate that does not have subjectAltName, it works fine, so the provider is not rejecting me.
Here are my certificates' subjects, the one without subjectAltName that works, and the other one that breaks (obtained by openssl x509 -text, a bit modified, but you get the point: yes, there are ISO-8859-1 chars in O):
WORKS: C=FR, ST=France, O=Exemple d'organisation accentuée, OU=foobarbuz, CN=host.example.net/emailAddress=root@example.net
BREAKS: C=FR, ST=France, O=Exemple d'organisation accentuée, OU=foobarbuz/subjectAltName=DNS:ldap.example.net,DNS:host.example.net CN=ldap.example.net/emailAddress=root@example.net
Playing with gdb shows that the server rejects the certificate in libraries/libldap_r/utf-8.c:ldap_ucs_to_utf8s(), returning LDAP_INVALID_SYNTAX.
I searched the web, and it seems that ISO-8859-1 chars in certificate subjects are not a good idea. Changing that means also changing the certificate authority, that's something I'd like to avoid. Do I have another solution?
That kind of problem has been discussed already on the mailing list. It seems Howard Chu added ldap_ucs_to_utf8s() to address non-UTF-8 chars in certificate subjects: http://www.openldap.org/lists/openldap-devel/200205/msg00037.html
ldap_ucs_to_utf8s() contains some really black magic; it would require one more day for me to understand what happens there. Is it possible that it is smart enough to work around non-UTF-8 chars in the general case, but fails when subjectAltName is used?
Please help! How can I get this mess working?
Emmanuel Dreyfus wrote:
Hello
I'm trying to get multiple syncrepl-powered replicas available under the same DNS name. I use OpenLDAP-2.3.32
Each replica has a certificate with subjectAltName=DNS:ldap.example.net,DNS:host.example.net. Clients can happily connect to it, that part works.
And when restarting it, I get this error: do_syncrep1: rid 217 ldap_sasl_interactive_bind_s failed (7)
I tried to use my certificate with ldapsearch. With an appropriate .ldaprc, I can try this (the server here is the provider):
# ldapsearch -b "" -s base +
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
        additional info: SASL(-4): no mechanism available:
Using a certificate that does not have subjectAltName, it works fine, so the provider is not rejecting me.
Here are my certificates' subjects, the one without subjectAltName that works, and the other one that breaks (obtained by openssl x509 -text, a bit modified, but you get the point: yes, there are ISO-8859-1 chars in O):
WORKS: C=FR, ST=France, O=Exemple d'organisation accentuée, OU=foobarbuz, CN=host.example.net/emailAddress=root@example.net
BREAKS: C=FR, ST=France, O=Exemple d'organisation accentuée, OU=foobarbuz/subjectAltName=DNS:ldap.example.net,DNS:host.example.net CN=ldap.example.net/emailAddress=root@example.net
Playing with gdb shows that the server rejects the certificate in libraries/libldap_r/utf-8.c:ldap_ucs_to_utf8s(), returning LDAP_INVALID_SYNTAX.
From what you've posted above, I'm pretty sure you're not using "subjectAltName" correctly. It is not a component of the certificate's subject, it is an X.509 certificate extension. Read the OpenSSL documentation and fix your certificates.
Howard Chu hyc@symas.com wrote:
From what you've posted above, I'm pretty sure you're not using "subjectAltName" correctly. It is not a component of the certificate's subject, it is an X.509 certificate extension. Read the OpenSSL documentation and fix your certificates.
A pointer to the good documentation? My favourite search engine does not return obvious results for configuring subjectAltName with OpenSSL...
Emmanuel Dreyfus wrote:
Howard Chu hyc@symas.com wrote:
From what you've posted above, I'm pretty sure you're not using "subjectAltName" correctly. It is not a component of the certificate's subject, it is an X.509 certificate extension. Read the OpenSSL documentation and fix your certificates.
A pointer to the good documentation? My favourite search engine does not return obvious results for configuring subjectAltName with OpenSSL...
http://openssl.org/docs/apps/ca.html# http://openssl.org/docs/apps/x509v3_config.html#
Howard Chu wrote:
Emmanuel Dreyfus wrote:
Howard Chu hyc@symas.com wrote:
From what you've posted above, I'm pretty sure you're not using "subjectAltName" correctly. It is not a component of the certificate's subject, it is an X.509 certificate extension. Read the OpenSSL documentation and fix your certificates.
A pointer to the good documentation? My favourite search engine does not return obvious results for configuring subjectAltName with OpenSSL...
http://openssl.org/docs/apps/ca.html# http://openssl.org/docs/apps/x509v3_config.html#
I should note that these are the same man pages that are bundled in the OpenSSL packages themselves. It seems odd to go to search engines when the info you're looking for is already on your own machine. It seems odd to go to search engines instead of the home web sites of the actual software you're working with...
Howard Chu hyc@symas.com wrote:
http://openssl.org/docs/apps/ca.html# http://openssl.org/docs/apps/x509v3_config.html#
I should note that these are the same man pages that are bundled in the OpenSSL packages themselves. It seems odd to go to search engines when the info you're looking for is already on your own machine. It seems odd to go to search engines instead of the home web sites of the actual software you're working with...
Well, that documentation (which I already checked) is a good reference documentation, but it's very poor for learning how to actually do things.
I found no documentation on what exactly should be done to generate certificates with subjectAltName for a bunch of machines sharing the same DNS address. After losing a lot of time on it, I reported how I created certificates with subjectAltName, with the hope it could help others that would face the same problem: http://www.openldap.org/lists/openldap-software/200707/msg00326.html
Nobody told me it was wrong, which proves either that this setup is really not obvious for anyone, or that it is of no interest to anyone. I'll retain the first alternative and I'll post an update when I've found how this should be done.
However, having to lose days of work on problems that others have already solved is very frustrating.
manu@netbsd.org (Emmanuel Dreyfus) writes:
Howard Chu hyc@symas.com wrote:
http://openssl.org/docs/apps/ca.html# http://openssl.org/docs/apps/x509v3_config.html#
I should note that these are the same man pages that are bundled in the OpenSSL packages themselves. It seems odd to go to search engines when the info you're looking for is already on your own machine. It seems odd to go to search engines instead of the home web sites of the actual software you're working with...
Well, that documentation (which I already checked) is a good reference documentation, but it's very poor for learning how to actually do things.
[...]
As we were talking about X.509: in openssl.cnf you have to declare where x509 extensions can be found; in my config file they are in the usr_cert part:
...
x509_extensions = usr_cert
...
[ usr_cert ]
...
subjectAltName=DNS:localhost
...
-Dieter
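A worked version of the openssl.cnf approach Dieter describes, added here as an example and not taken from the thread: subjectAltName goes in an extension section that [req] references via x509_extensions (Howard's point that it is an extension, not an RDN of the subject), string_mask = utf8only stores the accented O value as a UTF8String instead of ISO-8859-1, and the check confirms the SAN ends up under "X509v3 extensions" rather than in the Subject line. It assumes a working openssl binary; the DN values, file names and temp directory are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `openssl` is installed;
# DN values and file names are constructed for the demonstration.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl.cnf: subjectAltName lives in an extension section that
# [req] points at via x509_extensions, never in the [dn] section.
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = dn
x509_extensions    = server_cert
string_mask        = utf8only

[ dn ]
C  = FR
O  = Exemple d'organisation accentuée
CN = ldap.example.net

[ server_cert ]
subjectAltName = DNS:ldap.example.net,DNS:host.example.net
EOF
}

# Self-signed cert for the demo; with `openssl ca` the same section is
# selected through its x509_extensions setting instead.
gen_cert() {
  write_config
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -utf8 \
    -config "$WORK/openssl.cnf" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# The SAN value as printed under "X509v3 extensions" (empty if missing).
san_of() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Exit 0 only if the SAN is a real extension and the Subject is free of it.
check_cert() {
  san_of "$1" | grep -q 'DNS:ldap.example.net' || return 1
  openssl x509 -in "$1" -noout -subject | grep -qi 'subjectAltName' && return 1
  return 0
}
```

Running gen_cert followed by check_cert "$WORK/cert.pem" exits 0; a certificate built the way the BREAKS subject above shows (subjectAltName typed into the DN) fails the second grep.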
openldap-software@openldap.org