I am running openldap 2.2.13. I am having a problem getting TLS to work. I have done numerous searches, but most web pages seem to deal with LDAP/kerberos issues. We do not run kerberos. I am only trying to prevent passwords from being sent in the clear.
I have followed the instructions on this page:
http://www.ibm.com/developerworks/linux/library/l-openldap/
I am able to run ldapsearch with simple auth:
ldapsearch -x
but, am not able to do any of the following:
ldapsearch
ldapsearch -X u:myuid
ldapsearch -X dn:uid=myuid,ou=People,dc=example,dc=com
The error is (with "-d 255"):
... SASL/GSSAPI authentication started
ldap_perror
ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found)
It looks like the server is running fine. But, the logs don't really indicate what the problem is. (It seems to be more of a client issue, but still the server should give some hint in the logs.)
If you need more debugging info, just let me know.
Any help would be greatly appreciated.
TIA
Craig
--On Tuesday, May 22, 2007 6:36 PM -0700 Craig craig5@pobox.com wrote:
I am running openldap 2.2.13. I am having a problem getting TLS to work. I have done numerous searches, but most web pages seem to deal with LDAP/kerberos issues. We do not run kerberos. I am only trying to prevent passwords from being sent in the clear.
I have followed the instructions on this page:
http://www.ibm.com/developerworks/linux/library/l-openldap/
I am able to run ldapsearch with simple auth:
ldapsearch -x
but, am not able to do any of the following:
ldapsearch
ldapsearch -X u:myuid
ldapsearch -X dn:uid=myuid,ou=People,dc=example,dc=com
The error is (with "-d 255"): ... SASL/GSSAPI authentication started
You need to use a lower case x to disable GSSAPI. i.e.,
ldapsearch -x <whatever>
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
I know about the "-x" option. But, once that happens, it looks like the passwords are sent in clear text. (I did some packet traces and that's what it looks like to me.)
I need to have passwords sent over an encrypted connection. "-x" doesn't give me that.
Thanx for the thought, though. :)
Quanah Gibson-Mount wrote: [...]
Craig said: [...]
I know about the "-x" option. But, once that happens, it looks like the passwords are sent in clear text. (I did some packet traces and that's what it looks like to me.)
That would only happen because an SSL or TLS connection is not being established. See slapd.conf(5) and ldap.conf(5) for information on forcing OpenLDAP to use SSL or TLS connections.
Using ldapsearch -d 7 -x -D <yourdn> -w <yourpassword> ... will show you if a successful SSL handshake is taking place. If it is not, then there will be no encryption.
I need to have passwords sent over an encrypted connection. "-x" doesn't give me that.
If you've set things up so that either an LDAP over SSL connection (ldaps) or an LDAP with TLS (StartTLS) connection is established then everything that is sent over the link, including passwords, is encrypted.
Unfortunately you've been handed a version of OpenLDAP that is years out of date. You will probably have better luck on this list (and ultimately with the software itself) if you upgrade to a current version of OpenLDAP. There are a number of newer packages available from various sources, including Symas. Failing that, you can contact your distro provider (Red Hat?).
Cheers,
Matthew Hardin
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
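What Craig's packet trace would have shown, as an added example that is not from the thread or from OpenLDAP: an LDAPv3 simple BindRequest (RFC 4511) carries the bind DN and the password as plain BER OCTET STRINGs, so on an ldap:// connection without StartTLS anyone on the path can read them. The encoder below builds the PDU the way a client does, and the decoder pulls the credentials back out of a captured payload. A SASL bind, which is what -X/-Y start, is encoded under a different tag and the decoder returns None for it; with a challenge-response mechanism such as DIGEST-MD5 the password itself is never put on the wire. The DN, password and message ID are constructed sample values.

```python
"""Encode and decode an LDAPv3 simple BindRequest (RFC 4511) to show what
ldapsearch -x puts on the wire when no TLS session protects it.

Added example, not code from the thread or from OpenLDAP. The DN, password
and message ID below are constructed sample values.
"""


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int) -> bytes:
    """INTEGER for the non-negative values LDAP uses (message ID, version)."""
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }.

    0x60 = [APPLICATION 0] constructed (BindRequest); 0x80 = [0] primitive,
    the 'simple' alternative of AuthenticationChoice: the raw password.
    """
    bind_request = _tlv(0x60, _ber_int(3) + _tlv(0x04, dn.encode())
                        + _tlv(0x80, password.encode()))
    return _tlv(0x30, _ber_int(msg_id) + bind_request)


def encode_sasl_bind_initial(msg_id: int, mechanism: str) -> bytes:
    """First BindRequest of a SASL bind (ldapsearch -Y <mech>): the 'sasl'
    alternative [3] carries only the mechanism name here; a challenge-
    response mechanism never sends the password itself."""
    sasl = _tlv(0xA3, _tlv(0x04, mechanism.encode()))
    bind_request = _tlv(0x60, _ber_int(3) + _tlv(0x04, b"") + sasl)
    return _tlv(0x30, _ber_int(msg_id) + bind_request)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def decode_simple_bind(pdu: bytes):
    """Recover (message_id, dn, password) from a captured LDAP PDU, or None
    when it is not a simple BindRequest (other operations, SASL binds)."""
    tag, message, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        return None
    tag, msg_id, pos = _read_tlv(message, 0)
    if tag != 0x02:
        return None
    tag, request, _ = _read_tlv(message, pos)
    if tag != 0x60:
        return None
    _, _version, pos = _read_tlv(request, 0)
    _, name, pos = _read_tlv(request, pos)
    tag, credentials, _ = _read_tlv(request, pos)
    if tag != 0x80:
        return None
    return int.from_bytes(msg_id, "big"), name.decode(), credentials.decode()


def password_in_clear(pdu: bytes, password: str) -> bool:
    """True when the password bytes appear verbatim in the PDU, which is
    what a packet trace of an unprotected ldap:// session shows."""
    return password.encode() in pdu


SAMPLE_DN = "cn=manager,dc=example,dc=com"   # constructed
SAMPLE_PASSWORD = "constructed-secret"       # constructed

if __name__ == "__main__":
    pdu = encode_simple_bind(1, SAMPLE_DN, SAMPLE_PASSWORD)
    print(pdu.hex())
    print(decode_simple_bind(pdu))
    print(decode_simple_bind(encode_sasl_bind_initial(2, "DIGEST-MD5")))
```

Feeding each PDU captured on port 389 to decode_simple_bind is all it takes to harvest passwords from -x binds; once the client has negotiated StartTLS (-ZZ) or connected to ldaps://, the same bytes sit inside TLS records and the decoder sees nothing but ciphertext. Note that -x is not the problem, the unprotected transport is: a simple bind over TLS is exactly what Craig asked for.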
Matthew Hardin wrote:
Craig said: [...]
I know about the "-x" option. But, once that happens, it looks like the passwords are sent in clear text. (I did some packet traces and that's what it looks like to me.)
That would only happen because an SSL or TLS connection is not being established. See slapd.conf(5) and ldap.conf(5) for information on forcing OpenLDAP to use SSL or TLS connections.
Using ldapsearch -d 7 -x -D <yourdn> -w <yourpassword> ... will show you if a successful SSL handshake is taking place. If it is not, then there will be no encryption.
It looks like there is NO encryption. But, I'm not really sure what I am looking for...
[...] date. You will probably have better luck on this list (and ultimately with the software itself) if you upgrade to a current version of OpenLDAP. There [...]
I compiled and installed 2.3.35, so, that's one less thing to worry about. :)
I just got the new version running, so I haven't tweaked anything yet. I just thought I'd see if you had any more ideas...
TIA
On Wednesday, 23 May 2007, Craig wrote:
I know about the "-x" option. But, once that happens, it looks like the passwords are sent in clear text. (I did some packet traces and that's what it looks like to me.)
I need to have passwords sent over an encrypted connection. "-x" doesn't give me that.
(I dropped the rest of the thread, since you top-posted ...).
It seems you don't understand the difference between SASL and TLS. Since the subject of your mail is about TLS, I assume that simple binds (where the cleartext password is sent to the LDAP server) are acceptable, *if* they are sent over an encrypted connection (e.g. TLS).
You didn't provide the full commandline you were using, nor any configuration you have done on your side, so you can try any of these, depending on your requirements:
1) Always use -ZZ (with -x of course) if your LDAP server supports the STARTTLS operation
2) Use an ldaps:// URI, if your LDAP server is listening on the ldaps port (e.g. slapd started with -h 'ldap:/// ldaps:///')
3) Set the URI in the OpenLDAP library configuration file (usually /etc/openldap/ldap.conf, or /etc/ldap/ldap.conf on Debian) to a URI containing ldaps://
4) Enforce encryption on the server side for all operations via the 'security' directives in slapd.conf
5) Enforce encryption on the server side for operations on specific attributes via the ssf keyword in ACLs ("access" directives).
So, you may want to clarify exactly what you need, exactly what you are doing, and how that doesn't currently meet your requirements.
Regards, Buchan
Buchan Milne wrote:
It seems you don't understand the difference between SASL and TLS.
As it turns out, that's probably true. (I thought it was "simpler" than it really is...)
Since the subject of your mail is about TLS, I assume that simple binds (where the cleartext password is sent to the LDAP server) are acceptable, *if* they are sent over an encrypted connection (e.g. TLS).
Exactly.
1) Always use -ZZ (with -x of course) if your LDAP server supports the STARTTLS operation
2) Use an ldaps:// URI, if your LDAP server is listening on the ldaps port (e.g. slapd started with -h 'ldap:/// ldaps:///')
3) Set the URI in the OpenLDAP library configuration file (usually /etc/openldap/ldap.conf, or /etc/ldap/ldap.conf on Debian) to a URI containing ldaps://
The following works:
ldapsearch -x -ZZ -h ldap-server.example.com
-or-
ldapsearch -x -H ldaps://ldap-server.example.com
-or-
ldapsearch -x -H ldaps://ldap-server.example.com -D "cn=manager,dc=example,dc=com" -W
4) Enforce encryption on the server side for all operations via the 'security' directives in slapd.conf
5) Enforce encryption on the server side for operations on specific attributes via the ssf keyword in ACLs ("access" directives).
Perfect. That's next on my list.
It is possible that the upgrade to 2.3.35 (from 2.2.13) fixed whatever problem I was having.
Thanx so much for everyone's help.
Craig
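The server- and client-side settings behind Buchan's five options and the commands Craig reports working, as an added example that is not code from the thread or from the OpenLDAP project. The two slapd.conf fragments and two ldap.conf fragments are constructed (the hostname and certificate paths are assumptions); the audit functions apply the rules documented in slapd.conf(5) (the 'security' directive's ssf= and simple_bind= factors, the ssf= qualifier on ACL 'by' clauses) and ldap.conf(5) (URI, TLS_REQCERT) to flag what the weak fragments still allow, so the same checks can be run against a real config before it goes live.

```python
"""Check slapd.conf and ldap.conf fragments for the settings that keep a
simple bind (ldapsearch -x) off a cleartext connection.

Added example, not code from the thread or from OpenLDAP. The four
fragments are constructed (hostname and certificate paths are assumptions).
"""
import re

WEAK_SLAPD_CONF = """\
# constructed: TLS is configured but nothing forces anyone to use it
TLSCertificateFile    /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/slapd-key.pem
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
"""

HARDENED_SLAPD_CONF = """\
# constructed: the server refuses to take a password over the clear
TLSCACertificateFile  /etc/openldap/cacert.pem
TLSCertificateFile    /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/slapd-key.pem
# option 4: simple binds need SSF >= 128; StartTLS itself is still allowed
security simple_bind=128
# option 5: userPassword is reachable only over an encrypted connection
access to attrs=userPassword
    by self ssf=128 write
    by anonymous ssf=128 auth
    by * none
"""

WEAK_LDAP_CONF = """\
URI ldap://ldap-server.example.com
BASE dc=example,dc=com
TLS_REQCERT never
"""

HARDENED_LDAP_CONF = """\
# option 3: ldaps:// by default, server certificate checked against our CA
URI ldaps://ldap-server.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/openldap/cacert.pem
TLS_REQCERT demand
"""

SSF_QUALIFIERS = ("ssf", "transport_ssf", "tls_ssf", "sasl_ssf")


def parse_directives(text):
    """(keyword, arguments) per directive: keywords are case-insensitive, '#'
    lines are comments, a line starting with white space continues the previous
    directive (slapd.conf(5) syntax, also fine for ldap.conf)."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and out:
            out[-1] = (out[-1][0], out[-1][1] + " " + line.strip())
            continue
        parts = line.split(None, 1)
        out.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return out


def clause_ssf(tokens):
    """Highest SSF floor a 'by' clause demands; 0 when it demands none."""
    floors = [int(v) for name, eq, v in (t.partition("=") for t in tokens)
              if eq and name in SSF_QUALIFIERS and v.isdigit()]
    return max(floors, default=0)


def audit_slapd_conf(text, min_ssf=128):
    """Findings that would let a password cross an unprotected connection."""
    directives = parse_directives(text)
    findings, factors = [], {}
    for keyword, args in directives:
        if keyword == "security":
            for token in args.split():
                name, _, value = token.partition("=")
                factors[name] = int(value)
    # simple_bind= is the floor for simple binds; ssf= is a floor for every operation
    if max(factors.get("ssf", 0), factors.get("simple_bind", 0)) < min_ssf:
        findings.append("simple bind accepted below SSF %d: add 'security "
                        "simple_bind=%d'" % (min_ssf, min_ssf))
    if not any(k == "tlscertificatefile" for k, _ in directives):
        findings.append("no TLSCertificateFile: slapd cannot offer StartTLS or ldaps://")
    acls = [args for keyword, args in directives if keyword == "access"
            and re.search(r"\battrs?=\S*userpassword", args, re.I)]
    if not acls:
        findings.append("no ACL covers userPassword")
    for args in acls:
        for clause in re.split(r"\s+by\s+", args)[1:]:   # skip the 'to' part
            tokens = clause.split()
            if "none" not in tokens and clause_ssf(tokens) < min_ssf:
                findings.append("ACL 'by %s' grants userPassword access "
                                "without ssf=%d" % (clause, min_ssf))
    return findings


def audit_ldap_conf(text):
    """Client-side findings: cleartext default URI or unverified server."""
    settings = dict(parse_directives(text))
    findings = []
    uris = settings.get("uri", "").split()
    if not uris or not all(u.lower().startswith("ldaps://") for u in uris):
        findings.append("URI is not ldaps://: a client that forgets -ZZ "
                        "sends its password in the clear")
    reqcert = settings.get("tls_reqcert", "demand").lower()   # demand is the default
    if reqcert not in ("demand", "hard"):
        findings.append("TLS_REQCERT %s: the server certificate is not verified, "
                        "so the encrypted session can be intercepted" % reqcert)
    return findings


if __name__ == "__main__":
    for label, server, client in (("weak", WEAK_SLAPD_CONF, WEAK_LDAP_CONF),
                                  ("hardened", HARDENED_SLAPD_CONF, HARDENED_LDAP_CONF)):
        print(label, audit_slapd_conf(server) + audit_ldap_conf(client) or "clean")
```

Two caveats a practitioner should keep in mind. `security simple_bind=128` closes the hole Craig found without breaking clients that run `-x -ZZ` or use ldaps://, because the StartTLS operation itself is exempt from the floor and a client can still connect on ldap:// and upgrade; `security ssf=128` instead puts the floor under every operation, searches included, so check `localSSF` in slapd.conf(5) before using it on a server that also serves ldapi://. On the client, `TLS_REQCERT demand` is the library's default; setting it to `never`, as many how-tos suggest to silence certificate errors, keeps the session encrypted but lets anyone with any certificate impersonate the server, and a single `-Z` (not `-ZZ`) lets ldapsearch carry on in the clear when StartTLS fails.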
Option -X is for SASL configuration. If you want TLS, perhaps you mean -ZZ?
I'm not sure what pages you're looking at that confuse TLS and Kerberos. They are separate topics; for example, the OpenLDAP Administrator's Guide has separate chapters for TLS and Kerberos. That may be a better source to use as reference as you work this out.
You might also want to consider upgrading to 2.3.35. TLS bugs were fixed quite recently. See http://www.openldap.org/software/release/changes.html for details.
On Tue, 22 May 2007, Craig wrote: [...]
Craig, why do you feel this is a TLS issue? You may want to look at the FAQ page on TLS for some help.
http://www.openldap.org/faq/data/cache/185.html
or the admin guide
http://www.openldap.org/doc/admin23/tls.html
\Greg
Craig wrote: [...]
Craig craig5@pobox.com writes:
[...]
but, am not able to do any of the following:
ldapsearch
ldapsearch -X u:myuid
ldapsearch -X dn:uid=myuid,ou=People,dc=example,dc=com
You are trying proxy authorization; this requires a SASL mechanism, something like:
ldapsearch -X u:<uid> -Y digest-md5
-Dieter
openldap-software@openldap.org