hello list,
:¬O H-E-E-E-E-E-L-L-L-L-P-P-P!!!!
for the past week and a half, i've been trying to get an openldap client on a mac os x 10.4.11 (OpenLDAP 2.2) to talk to an ldap directory server (sun iPlanet directory server 5.1) on a solaris 9 sparc box; using client authentication with x509 certificates for both the server and the client.
i have successfully configured client authn between the directory server (ds) on the solaris box and a precompiled ldapsearch binary client (also running on that same solaris box). the ldapsearch binary is part of the netscape security services (nss) ldap c sdk 6.0.x that came bundled with what sun calls its "ds resource kit 5.2 (dsrk)".
since client authn works successfully between those 2 components running local to each other, i figured a remote client authn setup shouldn't be much of a stretch (if the openldap.org docs are to be believed). BOY! was i wrong!
after copying the same ca cert and client cert (in .pem format) that worked successfully on the solaris box to my mac os x box, i configured ldap.conf and .ldaprc to point to the certs and keys (see below).
when i run an openldap ldapsearch on the mac, the tls handshake appears to succeed (see below); then the sasl/external client authn appears to kick off; then it just hangs! the last thing that's output to the shell is "SASL/EXTERNAL authentication started". but the shell cursor just hangs there; flashing away - doing nothing!
the solaris ds access logs seem to report that a bind took place as a result of the mac openldap ldapsearch attempt:
"...conn=45 SSL client bound as cn=bilbo,ou=development,o=helpme.com"
please, will you help me to get my mac openldap ldapsearch client to authenticate to my solaris ds using a client cert?
i've read and reread the openldap.org tls docs (http://www.openldap.org/doc/admin24/tls.html); i've read and reread the openldap.org sasl docs (http://www.openldap.org/doc/admin24/sasl.html); i've scoured this list; i've scoured the cyrus sasl list (http://asg.andrew.cmu.edu/archive/index.php?mailbox=archive.cyrus-sasl); i've tried adding the "-I" switch to the ldapsearch command, but that results in an endless loop of being prompted over and over to enter an authorization id.
i've tried editing /etc/syslog.conf with the following: "local4.* /var/log/openldap.log", but nothing ever gets logged to that file!
i've spent so much time trying to solve this problem on my own, that my wife has threatened to leave me for my best friend if i don't stop spending so much time on this! my dog snarled at me and bit my behind today because he doesn't recognize me anymore! my daughter is talking about becoming an "exotic dancer" because i don't pay her enough attention from working on this! my failure to accomplish such a seemingly simple task has made me consider taking my own life!
seriously though: I NEED YOUR HELP!
thanks in advance for your help.
==========================================================
ds access logs after successful ldapsearch on solaris box:
==========================================================
...
[07/Dec/2008:04:29:38 +0000] conn=0 fd=49 slot=49 SSL connection from 127.0.0.1 to 127.0.0.1
[07/Dec/2008:04:29:38 +0000] conn=0 SSL 128-bit RC4; client O=helpme.com, OU=Development, CN=bilbo; issuer E=ldapca@helpme.com, CN=ldapca, OU=development, O=helpme.com, L=Chicago, ST=IL, C=US
[07/Dec/2008:04:29:38 +0000] conn=0 SSL client bound as cn=bilbo,ou=development,o=helpme.com
[07/Dec/2008:04:29:38 +0000] conn=0 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[07/Dec/2008:04:29:38 +0000] conn=0 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=bilbo,ou=development,o=helpme.com"
[07/Dec/2008:04:29:38 +0000] conn=0 op=1 SRCH base="ou=development,o=helpme.com" scope=2 filter="(cn=bilbo)" attrs=ALL
[07/Dec/2008:04:29:38 +0000] conn=0 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[07/Dec/2008:04:29:38 +0000] conn=0 op=2 UNBIND
[07/Dec/2008:04:29:38 +0000] conn=0 op=2 fd=49 closed - U1
...
==========================================================
hanging mac osx openldap ldapsearch command results:
==========================================================
bilbo$ ldapsearch -v -H ldap://bebop -s sub -b "" -LLL -d -7 -ZZ
ldap_initialize( ldap://bebop )
ldap_create
ldap_url_parse_ext(ldap://bebop)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP bebop:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.0.8:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: bebop  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Sun Dec  7 16:04:48 2008
** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 95 contents:
ber_dump: buf=0x004044b0 ptr=0x004044b0 end=0x0040450f len=95
  0000:  02 01 01 78 5a 0a 01 00 04 00 04 3b 53 74 61 72   ...xZ......;Star
  0010:  74 20 54 4c 53 20 72 65 71 75 65 73 74 20 61 63   t TLS request ac
  0020:  63 65 70 74 65 64 2e 53 65 72 76 65 72 20 77 69   cepted.Server wi
  0030:  6c 6c 69 6e 67 20 74 6f 20 6e 65 67 6f 74 69 61   lling to negotia
  0040:  74 65 20 53 53 4c 2e 8a 16 31 2e 33 2e 36 2e 31   te SSL...1.3.6.1
  0050:  2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_read: message type extended-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x004044b0 ptr=0x004044b3 end=0x0040450f len=92
  0000:  78 5a 0a 01 00 04 00 04 3b 53 74 61 72 74 20 54   xZ......;Start T
  0010:  4c 53 20 72 65 71 75 65 73 74 20 61 63 63 65 70   LS request accep
  0020:  74 65 64 2e 53 65 72 76 65 72 20 77 69 6c 6c 69   ted.Server willi
  0030:  6e 67 20 74 6f 20 6e 65 67 6f 74 69 61 74 65 20   ng to negotiate
  0040:  53 53 4c 2e 8a 16 31 2e 33 2e 36 2e 31 2e 34 2e   SSL...1.3.6.1.4.
  0050:  31 2e 31 34 36 36 2e 32 30 30 33 37               1.1466.20037
read1msg: 0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x004044b0 ptr=0x004044b3 end=0x0040450f len=92
  0000:  78 5a 0a 01 00 04 00 04 3b 53 74 61 72 74 20 54   xZ......;Start T
  0010:  4c 53 20 72 65 71 75 65 73 74 20 61 63 63 65 70   LS request accep
  0020:  74 65 64 2e 53 65 72 76 65 72 20 77 69 6c 6c 69   ted.Server willi
  0030:  6e 67 20 74 6f 20 6e 65 67 6f 74 69 61 74 65 20   ng to negotiate
  0040:  53 53 4c 2e 8a 16 31 2e 33 2e 36 2e 31 2e 34 2e   SSL...1.3.6.1.4.
  0050:  31 2e 31 34 36 36 2e 32 30 30 33 37               1.1466.20037
ber_scanf fmt (a) ber:
ber_dump: buf=0x004044b0 ptr=0x004044f7 end=0x0040450f len=24
  0000:  8a 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34   ..1.3.6.1.4.1.14
  0010:  36 36 2e 32 30 30 33 37                           66.20037
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x004044b0 ptr=0x004044b3 end=0x0040450f len=92
  0000:  78 5a 0a 01 00 04 00 04 3b 53 74 61 72 74 20 54   xZ......;Start T
  0010:  4c 53 20 72 65 71 75 65 73 74 20 61 63 63 65 70   LS request accep
  0020:  74 65 64 2e 53 65 72 76 65 72 20 77 69 6c 6c 69   ted.Server willi
  0030:  6e 67 20 74 6f 20 6e 65 67 6f 74 69 61 74 65 20   ng to negotiate
  0040:  53 53 4c 2e 8a 16 31 2e 33 2e 36 2e 31 2e 34 2e   SSL...1.3.6.1.4.
  0050:  31 2e 31 34 36 36 2e 32 30 30 33 37               1.1466.20037
ber_scanf fmt (x) ber:
ber_dump: buf=0x004044b0 ptr=0x004044f7 end=0x0040450f len=24
  0000:  8a 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34   ..1.3.6.1.4.1.14
  0010:  36 36 2e 32 30 30 33 37                           66.20037
ber_scanf fmt (}) ber:
ber_dump: buf=0x004044b0 ptr=0x0040450f end=0x0040450f len=0
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=US/ST=IL/L=Chicago/O=helpme.com/OU=development/CN=ldapca/emailAddress=ldapca@helpme.com, issuer: /C=US/ST=IL/L=Chicago/O=helpme.com/OU=development/CN=ldapca/emailAddress=ldapca@helpme.com
TLS certificate verification: depth: 0, err: 0, subject: /C=US/ST=IL/L=Chicago/O=helpme.com/OU=development/CN=bebop, issuer: /C=US/ST=IL/L=Chicago/O=helpme.com/OU=development/CN=ldapca/emailAddress=ldapca@helpme.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_sasl_interactive_bind_s: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_int_sasl_open: host=bebop
=> ldap_dn2bv(16)
ldap_err2string
<= ldap_dn2bv(O=helpme.com,OU=Development,CN=bilbo)=0 Success
SASL/EXTERNAL authentication started
[shell just hangs here]
==========================================================

==========================================================
ds access logs after hanging ldapsearch from mac os x:
==========================================================
...
[07/Dec/2008:16:04:48 +0000] conn=45 fd=49 slot=49 connection from 10.0.0.9 to 10.0.0.8
[07/Dec/2008:16:04:48 +0000] conn=45 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[07/Dec/2008:16:04:48 +0000] conn=45 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[07/Dec/2008:16:04:49 +0000] conn=45 SSL 128-bit RC4; client O=helpme.com, OU=Development, CN=bilbo; issuer E=ldapca@helpme.com, CN=ldapca, OU=development, O=helpme.com, L=Chicago, ST=IL, C=US
[07/Dec/2008:16:04:49 +0000] conn=45 SSL client bound as cn=bilbo,ou=development,o=helpme.com
[end of file]
==========================================================
ldap.conf file:
==========================================================
HOST bebop
BASE dc=bebop,dc=helpme,dc=net
TLS_REQCERT demand
TLS_CACERT /Users/bilbo/development/projects/tutorials/ldap/conf/.security/take5/bebopCACert.pem

==========================================================
.ldaprc file:
==========================================================
URI ldaps://bebop:636
HOST bebop
BASE ""
TLS_REQCERT demand
TLS_CACERT /Users/bilbo/development/projects/tutorials/ldap/conf/.security/take5/bebopCACert.pem
TLS_CERT /Users/bilbo/development/projects/tutorials/ldap/conf/.security/take5/bilboClientCert.pem
TLS_KEY /Users/bilbo/development/projects/tutorials/ldap/conf/.security/take5/bilboClientKey.pem
SASL_MECH EXTERNAL
==========================================================
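An added example, not part of the original post: a small Python parser for the Sun/iPlanet DS access-log format quoted above. It groups lines by conn= and reports, per connection, whether the server merely mapped the client certificate to a DN at the TLS layer ("SSL client bound as ...") or also received and answered a SASL/EXTERNAL BIND, which is exactly the difference between the two logs in the post: conn=0 on the solaris box shows BIND mech=EXTERNAL followed by RESULT err=0, while conn=45 from the mac shows the StartTLS extended operation and the certificate mapping but no BIND at all. The sample log text is re-typed from the post's logs; the function and constant names are mine, and the regexes only cover the line shapes seen on this page.

```python
"""Correlate Sun/iPlanet DS access-log lines per connection and tell apart
"certificate mapped but no SASL/EXTERNAL BIND" from "EXTERNAL bind completed".

Added example, not the poster's or Sun's code. Only the line shapes visible in
the post are handled (conn=N op=M EXT/BIND/RESULT, "SSL client bound as ...").
"""
import re

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, as in the post's log

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
EXT_RE = re.compile(r'^op=(?P<op>\d+) EXT oid="(?P<oid>[^"]+)"')
SSL_BOUND_RE = re.compile(r'^SSL client bound as (?P<dn>\S.*)$')
BIND_RE = re.compile(
    r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)'
    r'(?: version=\d+)?(?: mech=(?P<mech>\S+))?')
RESULT_RE = re.compile(r'^op=(?P<op>\d+) RESULT err=(?P<err>\d+)')
RESULT_DN_RE = re.compile(r' dn="(?P<dn>[^"]*)"')  # authorization DN on a BIND RESULT

# Sample input re-typed from the two access logs quoted in the post.
SOLARIS_LOG = """\
[07/Dec/2008:04:29:38 +0000] conn=0 fd=49 slot=49 SSL connection from 127.0.0.1 to 127.0.0.1
[07/Dec/2008:04:29:38 +0000] conn=0 SSL client bound as cn=bilbo,ou=development,o=helpme.com
[07/Dec/2008:04:29:38 +0000] conn=0 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[07/Dec/2008:04:29:38 +0000] conn=0 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=bilbo,ou=development,o=helpme.com"
[07/Dec/2008:04:29:38 +0000] conn=0 op=1 SRCH base="ou=development,o=helpme.com" scope=2 filter="(cn=bilbo)" attrs=ALL
[07/Dec/2008:04:29:38 +0000] conn=0 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[07/Dec/2008:04:29:38 +0000] conn=0 op=2 UNBIND
"""
MAC_LOG = """\
[07/Dec/2008:16:04:48 +0000] conn=45 fd=49 slot=49 connection from 10.0.0.9 to 10.0.0.8
[07/Dec/2008:16:04:48 +0000] conn=45 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[07/Dec/2008:16:04:48 +0000] conn=45 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[07/Dec/2008:16:04:49 +0000] conn=45 SSL client bound as cn=bilbo,ou=development,o=helpme.com
[end of file]
"""


def new_record():
    return {"starttls": False, "ssl_client_dn": None, "binds": {}, "results": {}}


def parse_access_log(text):
    """Return {conn: record}; a record tracks StartTLS, the TLS-mapped DN,
    BIND operations (op -> (method, mech)) and RESULTs (op -> (err, authz_dn))."""
    conns = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # "...", "[end of file]" and anything without conn=
        rec = conns.setdefault(int(m.group("conn")), new_record())
        rest = m.group("rest")
        e = EXT_RE.match(rest)
        if e:
            if e.group("oid") == STARTTLS_OID:
                rec["starttls"] = True
            continue
        s = SSL_BOUND_RE.match(rest)
        if s:
            rec["ssl_client_dn"] = s.group("dn")
            continue
        b = BIND_RE.match(rest)
        if b:
            rec["binds"][int(b.group("op"))] = (b.group("method"), b.group("mech"))
            continue
        r = RESULT_RE.match(rest)
        if r:
            d = RESULT_DN_RE.search(rest)
            rec["results"][int(r.group("op"))] = (int(r.group("err")), d.group("dn") if d else None)
    return conns


def classify(rec):
    """Describe what the server saw on one connection."""
    if rec["ssl_client_dn"] is None:
        return "no client certificate mapped"
    ext_ops = [op for op, (method, mech) in rec["binds"].items()
               if method == "sasl" and mech == "EXTERNAL"]
    if not ext_ops:
        return "client cert accepted, but no SASL/EXTERNAL BIND ever arrived"
    for op in sorted(ext_ops):
        if op not in rec["results"]:
            return "SASL/EXTERNAL BIND sent, no RESULT yet"
        err, authz_dn = rec["results"][op]
        if err != 0:
            return "SASL/EXTERNAL BIND failed with err=%d" % err
        if authz_dn and authz_dn.lower() != rec["ssl_client_dn"].lower():
            return "bound, but authorization DN differs from certificate mapping"
    return "SASL/EXTERNAL bind completed as " + rec["ssl_client_dn"]


def summarize(text):
    """{conn: human-readable verdict} for every connection in the log text."""
    return {conn: classify(rec) for conn, rec in parse_access_log(text).items()}


if __name__ == "__main__":
    for name, log in (("solaris", SOLARIS_LOG), ("mac", MAC_LOG)):
        for conn, verdict in summarize(log).items():
            print("%s conn=%d: %s" % (name, conn, verdict))
```

Run against a whole access log, the verdicts separate three failure modes that look alike from the client side: a connection where the TLS client certificate was never mapped, one where it was mapped but the client never sent the BIND (the mac case on this page), and one where the BIND arrived but returned a non-zero err. The comparison of the RESULT dn= against the "SSL client bound as" DN is a cheap consistency check that the identity the directory authorized is the one the certificate was mapped to.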