<sigh> It's amazing what you see as you hit the Send button...
Here is my ldap.conf file:
TLS_CACERTDIR /opt/issinc/local/certs/nssdb
TLS_KEY /opt/issinc/local/certs/.nss_tmp_pwd
TLS_REQCERT allow
It did have TLS_REQCERT=demand, which was apparently causing the attempt to load the private key, etc. Setting it to allow got rid of the TLS messages, but didn't change the result.
Here's what the debug output looks like now:
55fb193d ==> translucent_search: <dc=acme,dc=com> (&(objectClass=organizationalPerson)(|(givenName=john.doe)(sn=john.doe)(sAMAccountName=john.doe)(userPrincipalName=john.doe)))
55fb193d =>ldap_back_getconn: conn 0x7f1a041a9960 fetched refcnt=1.
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
55fb193d send_ldap_result: conn=1009 op=1 p=3
55fb193d send_ldap_result: err=52 matched="" text="Proxy operation retry failed"
55fb193d send_ldap_result: conn=1009 op=1 p=3
55fb193d send_ldap_result: err=52 matched="" text=""
On Thu, Sep 17, 2015 at 1:43 PM, Ernie Kovak <ernie.kovak@gmail.com> wrote:
Hello -
I'm running openldap 2.4.39 on centos 7, using the translucent overlay and moznss for connections to the backend Active Directory server. When I issue a search request for users in the backend directory I get no results and a "server not available" error - see the debug output below.
The same slapd.conf configuration, but on centos 5.10 and using OpenSSL, works correctly. So, I imagine it's related to moznss.
I've verified (firewall logs) that openldap successfully connects to the backend on startup, but not when the search request is submitted. It looks like it's trying to use client-authenticated TLS, even though the backend is not set up for that??
Any ideas?
Thanks!
Ernie
===============================================================================================
slapd.conf
===============================================================================================
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/we_person_and_npe.schema
pidfile /var/run/openldap/slapd.pid
loglevel stats
#loglevel -1
#loglevel trace conns filter stats

# Path to dynamic modules:
modulepath /usr/lib64/openldap
moduleload back_mdb
moduleload back_ldap
moduleload translucent
moduleload accesslog
moduleload auditlog
moduleload valsort
moduleload ppolicy
moduleload memberof

# TLS server certs (TLS client config is in ldap.conf)
#TLSCACertificateFile /opt/acme/global/certs/ca/ca.pem
#TLSCertificateFile /opt/acme/global/certs/server-cert.pem
#TLSCertificateKeyFile /opt/acme/global/certs/server-key.pem

# not working in our docker container since openldap is linked against NSS and not OpenSSL
#TLSCipherSuite TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL:!SSLv2

# path of the directory containing the NSS certificate and key database files
TLSCACertificatePath /opt/acme/local/certs/nssdb/

# specifies the name of the certificate to use
TLSCertificateFile server

# name of a file that contains the password for the key for the certificate specified with TLSCertificateFile
TLSCertificateKeyFile /opt/acme/local/certs/.nss_tmp_pwd
(contains clear text password for keystore and server cert private key)

access to dn.base=""
    by * read
access to dn.base="cn=Subschema"
    by * read
access to attrs=clearance,citizenship,sciControl
    by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
    by dn="cn=npe-sts,ou=NPEs,ou=Native,dc=acme,dc=com" read
access to attrs=gimmeeOrg,gimmeeRegion,gimmeeTopic,gimmeeIsAICP,gimmeeGroup,gimmeeProject,gimmeeProjectGroup
    by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
    by dn="cn=npe-sts,ou=NPEs,ou=Native,dc=acme,dc=com" read
access to attrs=UUID
    by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
    by users read
access to attrs=userPassword
    by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
    by self write
    by anonymous auth
access to attrs=currentLoginDate,lastLoginDate,lastFailedLoginDate,currentLoginIpAddr,lastLoginIpAddr,lastFailedLoginIpAddr
    by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
    by dn="cn=npe-openid,ou=NPEs,ou=Native,dc=acme,dc=com" write
    by users read
access to *
    by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
    by users read
    by anonymous auth
#######################################################################
# Database for Native accounts (NPEs and users)
#######################################################################
database mdb
suffix "ou=Native,dc=acme,dc=com"
rootdn "cn=weAdmin,dc=acme,dc=com"
directory "/opt/acme/global/data/openldap/db/native-user-db"
subordinate
index objectClass eq,pres
index ou,cn,mail,surname eq,pres,sub
index clearance,scicontrol eq,pres,sub
index citizenship eq,pres,sub
password-hash {SSHA}

# Apply password policy overlay to Native accounts, with a default policy.
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,ou=Native,dc=acme,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext

#######################################################################
# Database for additional attributes for enterprise accounts.
#######################################################################
database mdb
suffix "dc=acme,dc=com"
rootdn "cn=weAdmin,dc=acme,dc=com"
rootpw {SSHA}73M5MnfH97O8KAN8anAbneD2wf0C6VSg
directory "/opt/acme/global/data/openldap/db/enterprise-user-db"
index objectClass eq,pres
index ou,cn,mail,surname eq,pres,sub
index clearance,scicontrol eq,pres,sub
index citizenship eq,pres,sub

#######################################################################
# Translucent LDAP proxy to Active Directory
#######################################################################
overlay translucent
uri "ldaps://atlas.acme.com:636"
chase-referrals no
idassert-bind bindmethod=simple
    binddn="cn=devadmin,ou=Users,ou=System Accounts,ou=Acme,dc=acme,dc=com"
    credentials="******"
    mode=none
    tls_cacert=/opt/acme/global/certs/ca/gd-class2-root-2.pem
    tls_reqcert=demand

# Attributes to be searched for in local database. Only the classes that
# apply to proxied accounts are candidates for translucent_local:
# local wePerson attributes:
translucent_local objectClass
translucent_local UUID,accountStatus
translucent_local rank,grade,position,command,agency
translucent_local DSN
translucent_local weGrp,weOrg
translucent_local clearance,citizenship,scicontrol

# wePerson attributes pulled from remote directory:
translucent_remote objectClass
translucent_remote cn,givenName,sn,mail,o,mobile
translucent_remote displayName,sAMAccountName,userPrincipalName
===============================================================================================
From output when setting SLAPD_OPTIONS="-d 65535"
===============================================================================================
<snip> loads slapd.conf
55f854a6 config_build_entry: "olcDatabase={2}mdb"
55f854a6 config_build_entry: "olcOverlay={0}translucent"
55f854a6 ==> translucent_cfadd
55f854a6 config_build_entry: "olcDatabase={0}ldap"
55f854a6 config_build_entry: "olcOverlay={1}glue"
55f854a6 backend_startup_one: starting "ou=Native,dc=acme,dc=com"
55f854a6 mdb_db_open: "ou=Native,dc=acme,dc=com"
55f854a6 mdb_db_open: database "ou=Native,dc=acme,dc=com": dbenv_open(/opt/acme/global/data/openldap/db/native-user-db).
55f854a6 mdb_monitor_db_open: monitoring disabled; configure monitor database to enable
55f854a6 backend_startup_one: starting "dc=acme,dc=com"
55f854a6 mdb_db_open: "dc=acme,dc=com"
55f854a6 mdb_db_open: database "dc=acme,dc=com": dbenv_open(/opt/acme/global/data/openldap/db/enterprise-user-db).
55f854a6 ==> translucent_db_open
55f854a6 backend_startup_one: starting "dc=acme,dc=com"
55f854a6 ldap_back_db_open: URI=ldaps://atlas.acme.com:636
55f854a6 ldap_back_monitor_db_open: monitoring disabled; configure monitor database to enable
55f854a6 slapd starting
<snip>
55f876ea ==> translucent_search: <dc=acme,dc=com> (sAMAccountName=admin)
ldap_create
ldap_url_parse_ext(ldaps://atlas.acme.com:636)
55f876ea =>ldap_back_getconn: conn=1000 op=1: lc=0x7f3e581a9950 inserted refcnt=1 rc=0
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP atlas.acme.com:636
55f876ea daemon: activity on 1 descriptor
55f876ea daemon: activity on:
55f876ea daemon: epoll: listen=6 active_threads=0 tvp=NULL
55f876ea daemon: epoll: listen=7 active_threads=0 tvp=NULL
ldap_new_socket: 17
ldap_prepare_socket: 17
ldap_connect_to_host: Trying 172.12.3.45:636
ldap_pvt_connect: fd: 17 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/opt/acme/local/certs/nssdb/' tokenDescription='ldap(1)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /opt/acme/local/certs/nssdb/ prefix .
TLS: loaded CA certificate file /opt/acme/global/certs/ca/gd-class2-root-2.pem.
TLS: certificate 'server' successfully loaded from moznss database.
TLS: no unlocked certificate for certificate 'CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US'.
TLS: cannot find private key for certificate 'CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US' (error -12285: Unable to find the certificate or key necessary for authentication.)
TLS: error: unable to set up client certificate authentication for certificate named CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US
TLS: error: unable to set up client certificate authentication using 'CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US'
TLS: error: could not initialize moznss security context - error -12285:Unable to find the certificate or key necessary for authentication.
TLS: can't create ssl handle.
55f876ea send_ldap_result: conn=1000 op=1 p=3
55f876ea send_ldap_result: err=52 matched="" text="Proxy operation retry failed"
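Editor's added example, not part of either message in this thread. The reply above made the TLS messages disappear by changing ldap.conf from TLS_REQCERT demand to TLS_REQCERT allow. Per ldap.conf(5), "allow" means a missing or unverifiable server certificate no longer aborts the session, so the idassert-bind password for cn=devadmin would be sent to anything that answers on atlas.acme.com:636, verified or not; the translucent overlay's own tls_reqcert=demand in slapd.conf is the setting that should stay in force. The script below is a small POSIX shell audit that flags every TLS_REQCERT level weaker than demand in an ldap.conf and every tls_reqcert= token weaker than demand in a slapd.conf back-ldap/translucent block. The function names (audit_ldap_tls, make_samples, demo) and the sample files it writes are constructed for this example; the sample contents are modelled on the thread's ldap.conf and translucent overlay lines, not copied from the poster's system.

```shell
#!/bin/sh
# Added example (not from the thread): audit OpenLDAP client-side TLS settings
# for levels that silence certificate errors by turning verification off.
# Assumes ldap.conf(5) "KEYWORD value" syntax and a slapd.conf whose
# back-ldap/translucent options carry tls_reqcert=<level> tokens.

# audit_ldap_tls LDAP_CONF SLAPD_CONF
# Prints each weak setting; returns 0 if none were found, 1 otherwise.
audit_ldap_tls() {
    ldap_conf=$1
    slapd_conf=$2
    rc=0

    # ldap.conf(5): TLS_REQCERT never|allow|try|demand|hard. With never or
    # allow, a missing or unverifiable server certificate does not abort the
    # session, so the proxy's bind credential goes to whoever answers the
    # port. try aborts on a bad certificate but not on a missing one. Only
    # demand (the default) and hard require a verified certificate.
    for lvl in $(awk '!/^[ \t]*#/ && tolower($1) == "tls_reqcert" { print tolower($2) }' "$ldap_conf"); do
        case $lvl in
            demand|hard) ;;
            *) echo "WEAK: $ldap_conf: TLS_REQCERT $lvl"; rc=1 ;;
        esac
    done

    # slapd-ldap(5): a tls_reqcert=<level> option on the backend's bind/tls
    # settings sets the level for that backend's connections; the ldap.conf
    # value only applies when the backend does not set one itself.
    for lvl in $(awk '!/^[ \t]*#/ { for (i = 1; i <= NF; i++)
                          if (tolower($i) ~ /^tls_reqcert=/) { split($i, kv, "="); print tolower(kv[2]) } }' "$slapd_conf"); do
        case $lvl in
            demand|hard) ;;
            *) echo "WEAK: $slapd_conf: tls_reqcert=$lvl"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files (not the poster's real ones): the reply's ldap.conf
# with TLS_REQCERT relaxed to allow, a corrected one, and two slapd.conf
# fragments modelled on the translucent overlay block in the thread.
make_samples() {
    dir=${TMPDIR:-/tmp}/ldap_tls_audit.$$
    mkdir -p "$dir"
    cat > "$dir/ldap-weak.conf" <<'EOF'
TLS_CACERTDIR /opt/issinc/local/certs/nssdb
TLS_KEY /opt/issinc/local/certs/.nss_tmp_pwd
TLS_REQCERT allow
EOF
    cat > "$dir/ldap-ok.conf" <<'EOF'
# Verify the AD server certificate against the CA in the NSS database.
TLS_CACERTDIR /opt/issinc/local/certs/nssdb
TLS_REQCERT demand
EOF
    cat > "$dir/slapd-ok.conf" <<'EOF'
overlay translucent
uri "ldaps://atlas.acme.com:636"
idassert-bind bindmethod=simple binddn="cn=devadmin,ou=Users,ou=System Accounts,ou=Acme,dc=acme,dc=com" credentials="******" mode=none
    tls_cacert=/opt/acme/global/certs/ca/gd-class2-root-2.pem tls_reqcert=demand
EOF
    # Same block with verification switched off on the backend side.
    sed 's/tls_reqcert=demand/tls_reqcert=never/' "$dir/slapd-ok.conf" > "$dir/slapd-weak.conf"
    echo "$dir"
}

# Runs the audit over the samples; returns 0 only if both weak files are
# flagged and the corrected pair passes clean.
demo() {
    dir=$(make_samples)
    audit_ldap_tls "$dir/ldap-weak.conf" "$dir/slapd-ok.conf"   && return 1
    audit_ldap_tls "$dir/ldap-ok.conf"   "$dir/slapd-weak.conf" && return 1
    audit_ldap_tls "$dir/ldap-ok.conf"   "$dir/slapd-ok.conf"   || return 1
    rm -rf "$dir"
    return 0
}

demo && echo "audit behaves as expected"
```

Run it against the real files with `audit_ldap_tls /etc/openldap/ldap.conf /etc/openldap/slapd.conf` (sourcing the script first); a non-zero exit means a proxy bind can complete over an unverified TLS session. The check deliberately treats "try" as weak too, since a server that simply presents no certificate passes at that level.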