I notice that the ldap.conf file is not used with commands ldapsearch, ldapwhoami (ldap tools). An environment variable (LDAPCONF) was set and pointing to the file (/etc/openldap/ldap.conf) but it doesn't work. On the other hand, using the information provided in an ldaprc file works. How to ensure the LDAP.conf file is taken into account because I need it for a mutual authentication connection with the use of LDAPS for SASL EXTERNAL. I'm using an openldap 2.6.6 version on CentOS.
--On Saturday, December 14, 2024 5:48 PM +0000 maudez.eric@neuf.fr wrote:
I notice that the ldap.conf file is not used with commands ldapsearch, ldapwhoami (ldap tools). An environment variable (LDAPCONF) was set and pointing to the file (/etc/openldap/ldap.conf) but it doesn't work. On the other hand, using the information provided in an ldaprc file works. How to ensure the LDAP.conf file is taken into account because I need it for a mutual authentication connection with the use of LDAPS for SASL EXTERNAL. I'm using an openldap 2.6.6 version on CentOS.
We need a better definition of "doesn't work". As per the man page:
"Some options are user-only. Such options are ignored if present in the ldap.conf (or file specified by LDAPCONF)."
--Quanah
When I want to validate a Tls mutual autentication with ldapsearch -H ldaps://…, I have an « peer did not return certificate » error message. However, my /etc/openldap/ldap.conf (with r options) is configured with TLS options (certificate, CA, key, tls_verifyclient=demand,…). I have no .ldaprc, LDAPRC, LDAPCONF environnement variable. When I used Ldapsearch -H ldaps://… with options like -o cert -o key -o cafile is Ok. I don’t understand why my ldap.conf is not read.
--On Thursday, December 19, 2024 9:05 AM +0000 Eric M em.job35@gmail.com wrote:
When I want to validate a Tls mutual autentication with ldapsearch -H ldaps://…, I have an « peer did not return certificate » error message. However, my /etc/openldap/ldap.conf (with r options) is configured with TLS options (certificate, CA, key, tls_verifyclient=demand,…). I have no .ldaprc, LDAPRC, LDAPCONF environnement variable. When I used Ldapsearch -H ldaps://… with options like -o cert -o key -o cafile is Ok. I don't understand why my ldap.conf is not read.
I will again refer you to the ldap.conf man page, which explicilty notes that the TLS mutual auth options (TLS_CERT, TLS_KEY) are USER ONLY options, which means you cannot set them via a global ldap.conf file.
Regards, Quanah
How do I configure my server for TLS mutual authentication to perform a search via ldapsearch ?
--On Thursday, December 19, 2024 9:23 PM +0000 Eric M em.job35@gmail.com wrote:
How do I configure my server for TLS mutual authentication to perform a search via ldapsearch ?
Can you give better background on what you want to do? Generally it's *not* recommended to use the ldap* tools inside of scripts, for example. I usually use python-ldap as an alternative in that case.
--Quanah
I just want to perform a ldapsearch search with TLS mutual authentication. My backend require mutual authentication because the parameter TLS_REQCERT is demanded. On my client server, i configured my LDAP.conf with his TLS parameters. An OpenSSL test is ok when I check and give all the certificate parameters in command line. But, with my search with ldapsearch, i notice an error « peer did not return certificate » with LDAP.conf configured.
--On Friday, December 27, 2024 2:17 PM +0000 Eric M em.job35@gmail.com wrote:
I just want to perform a ldapsearch search with TLS mutual authentication. My backend require mutual authentication because the parameter TLS_REQCERT is demanded. On my client server, i configured my LDAP.conf with his TLS parameters. An OpenSSL test is ok when I check and give all the certificate parameters in command line. But, with my search with ldapsearch, i notice an error « peer did not return certificate » with LDAP.conf configured.
Hi Eric,
You have two options:
a) Use a user specific .ldaprc file to set user specific TLS options
or
b) Use the -o command line switch for the client binaries as documented in the man page. Example also exists in test067-tls in the test suite.
Regards, Quanah
--On Friday, December 27, 2024 7:30 PM +0000 Eric M em.job35@gmail.com wrote:
Hi, This is a client server connection. Why I can't use the file LDAP.conf
I've no clue what you're trying to do, so it's difficult to assist. By client, I assume you mean a client tool like ldapsearch. In that case, you must provide to it the appropriate options to do TLS cert authentication. If you mean something other than ldapsearch or similar tool, then you need to explain what you're doing.
--Quanah
Hi Eric
You need to be very careful with this. I ran into a similar problem some time ago and did not find an adequate solution.
As it stands, slapd does not check the server name on a client certificate, or client certificate chain. It only exposes the name to the access control rules. slapd will accept a connection from a client with ANY certificate signed by ANY CA in it's list. As such, the safest way to operate is to have a single dedicated CA, probably slapo-autoca, that exclusively signs certificates for valid clients, and use the access control rules to limit what the client can see.
If you want something more generic than autoca, like client certificates signed by public CA's, I would HIGHLY recommend putting a proxy in front of slapd and using the proxy (I used haproxy) to validate certificates. Yes this is ugly and cumbersome, but I believe (controversially) it is necessary.
I did start work on a plugin to better handle this but ran out of time. It won't be happening now. In any case, SOME modification to the slapd core would be needed to be able to drop connections from clients that fail certificate validation. At the time, there was ferocious resistance to any suggestion of changing the core, so I wasn't terribly motivated.
As to WHY the certificates are user-only configuration options, I never found an explanation, but always assumed it was so unprivileged system users could not assume the identity of any system daemons or root. This COULD have been implemented in other ways but it is what it is, and not such a big deal.
Regards
Sean.
On 28/12/2024 3:18 am, Quanah Gibson-Mount wrote:
--On Friday, December 27, 2024 2:17 PM +0000 Eric M em.job35@gmail.com wrote:
I just want to perform a ldapsearch search with TLS mutual authentication. My backend require mutual authentication because the parameter TLS_REQCERT is demanded. On my client server, i configured my LDAP.conf with his TLS parameters. An OpenSSL test is ok when I check and give all the certificate parameters in command line. But, with my search with ldapsearch, i notice an error « peer did not return certificate » with LDAP.conf configured.
Hi Eric,
You have two options:
a) Use a user specific .ldaprc file to set user specific TLS options
or
b) Use the -o command line switch for the client binaries as documented in the man page. Example also exists in test067-tls in the test suite.
Regards, Quanah
On 1/9/2025 8:00 PM, Sean Gallagher wrote:
As it stands, slapd does not check the server name on a client certificate, or client certificate chain. It only exposes the name to the access control rules. slapd will accept a connection from a client with ANY certificate signed by ANY CA in it's list.
Certificates are designed to provide authentication, not authorization. They let you prove who you are, but that says nothing about whether you should be allowed to perform a particular action.
On Fri, Jan 10, 2025 at 03:00:07PM +1100, Sean Gallagher wrote:
As it stands, slapd does not check the server name on a client certificate, or client certificate chain. It only exposes the name to the access control rules. slapd will accept a connection from a client with ANY certificate signed by ANY CA in it's list. As such, the safest way to operate is to have a single dedicated CA, probably slapo-autoca, that exclusively signs certificates for valid clients, and use the access control rules to limit what the client can see.
Hi Sean, there is something you omitted since it's obvious to you, but for the sake of clarity I feel I should make it clear for others' sake: with slapd you always configure a different set of CAs for the client (trusted to issue certificates of the servers you connect to) and the server side of the TLS auth (trusted to issue certificates of clients that connect to you).
Any certificates issued by a CA thus trusted will be accepted unless found to be revoked, you are spot on with the rest.
As to WHY the certificates are user-only configuration options, I never found an explanation, but always assumed it was so unprivileged system users could not assume the identity of any system daemons or root. This COULD have been implemented in other ways but it is what it is, and not such a big deal.
Yes, these are considered credentials, you generally do not trust system-wide configuration to store your credentials and as such, these options are ignored.
Regards,
Hi!
AFAIK ldapsearch does not use ldap.conf (and it seems you cannot specify certificates to authenticate as client using ldapsearch). Maybe you need to write a tool (or extend ldapsearch to accept additional options for certificates)
Kind regards, Ulrich
-----Original Message----- From: Eric M em.job35@gmail.com Sent: Friday, December 27, 2024 3:17 PM To: openldap-technical@openldap.org Subject: [EXT] Re: LDAP Tools don't use LDAP.conf
I just want to perform a ldapsearch search with TLS mutual authentication. My backend require mutual authentication because the parameter TLS_REQCERT is demanded. On my client server, i configured my LDAP.conf with his TLS parameters. An OpenSSL test is ok when I check and give all the certificate parameters in command line. But, with my search with ldapsearch, i notice an error « peer did not return certificate » with LDAP.conf configured.
Windl, Ulrich wrote:
Hi!
AFAIK ldapsearch does not use ldap.conf
(and it seems you cannot specify certificates to authenticate as client using ldapsearch).
Wrong. Re-read the ldap.conf(5) manpage. You must use an ldaprc file, not ldap.conf.
Maybe you need to write a tool (or extend ldapsearch to accept additional options for certificates)
Kind regards, Ulrich
-----Original Message----- From: Eric M em.job35@gmail.com Sent: Friday, December 27, 2024 3:17 PM To: openldap-technical@openldap.org Subject: [EXT] Re: LDAP Tools don't use LDAP.conf
I just want to perform a ldapsearch search with TLS mutual authentication. My backend require mutual authentication because the parameter TLS_REQCERT is demanded. On my client server, i configured my LDAP.conf with his TLS parameters. An OpenSSL test is ok when I check and give all the certificate parameters in command line. But, with my search with ldapsearch, i notice an error « peer did not return certificate » with LDAP.conf configured.
--On Friday, January 3, 2025 4:59 PM +0000 Howard Chu hyc@symas.com wrote:
Windl, Ulrich wrote:
Hi!
AFAIK ldapsearch does not use ldap.conf
(and it seems you cannot specify certificates to authenticate as client using ldapsearch).
Wrong. Re-read the ldap.conf(5) manpage. You must use an ldaprc file, not ldap.conf.
Yeah, I already noted this in this thread previously. And that you can use the -o options as documented in the ldapsearch man page. And provided the literal test in the test suite that shows how to use those options.
--Quanah
-----Original Message----- From: Quanah Gibson-Mount quanah@fast-mail.org Sent: Friday, December 20, 2024 7:39 PM To: Eric M em.job35@gmail.com; openldap-technical@openldap.org Subject: [EXT] Re: LDAP Tools don't use LDAP.conf
--On Thursday, December 19, 2024 9:23 PM +0000 Eric M em.job35@gmail.com wrote:
How do I configure my server for TLS mutual authentication to perform a search via ldapsearch ?
Can you give better background on what you want to do? Generally it's *not* recommended to use the ldap* tools inside of scripts, for example. I usually use python-ldap as an alternative in that case.
If the tools are not fit to be used in scripts, those tools should be fixed IMHO. The philosophy of UNIX was that any command can be used in a script...
Ulrich
On Fri, Jan 03, 2025 at 08:55:32AM +0000, Windl, Ulrich wrote:
Can you give better background on what you want to do? Generally it's *not* recommended to use the ldap* tools inside of scripts, for example. I usually use python-ldap as an alternative in that case.
If the tools are not fit to be used in scripts, those tools should be fixed IMHO. The philosophy of UNIX was that any command can be used in a script...
In the context of this discussion: - one shouldn't rely on system config files in scripts - -o tls_something=value settings exist, Eric even mentions them yet they do not want to use them, same with LDAPTLS_* environment variables - $CWD/ldaprc is available and these options we are discussing are honoured if set there
As for use in scripts, a lot of them tend to use the ldap* tools the way they would use "ls", and that's definitely not recommended. Anything from quoting issues to localisation can and will eventually break such scripts.
Regards,
What are the solutions? Client/server or server/server exchanges use their own certificate to enable the TLS connection. LDAP.conf would provide this information but it is not used.
the ldap.conf(5) manpage specifies :
The ldap.conf configuration file is used to set system-wide defaults to be applied when running ldap clients.
Users may create an optional configuration file, ldaprc or .ldaprc, in their home directory which will be used to override the system-wide defaults file. The file ldaprc in the current working directory is also used.
--On Monday, January 6, 2025 6:20 PM +0000 Eric M em.job35@gmail.com wrote:
the ldap.conf(5) manpage specifies :
The ldap.conf configuration file is used to set system-wide defaults to be applied when running ldap clients.
Users may create an optional configuration file, ldaprc or.ldaprc, in their home directory which will be used to override the system-wide defaults file. The file ldaprc in the current working directory is also used.
I've already quoted this to you previously, but you've left it out here, so I'll quote it again:
" Some options are user-only. Such options are ignored if present in the ldap.conf (or file specified by LDAPCONF)."
You've been told multiple different ways to configure client cert auth, you've failed to demonstrate you've paid attention to any of it, repeatedly.
You've generally failed to specify how your server<->server TLS client auth would be occurring. For example, with syncrepl, the syncrepl configuration EXPLICITLY has the bits for configuring cert auth. Same for things like back-ldap and back-meta.
For client<->server TLS auth, it depends on what the client is. For the LDAP client tools (such as ldapsearch), you've been repeatedly told all the different options you have at your disposal. Again, with ZERO indication from you that you've followed any of the options.
--Quanah
I do not completely agree with your answer. What I want to achieve is a client server connection with ldapsearch with mutual TLS auhentification. These are two servers, one of which is considered a client with the ldap tools (ldapsearch) installed. As indicated in my answers, this works when using an ldaprc file in the $CWD or when specifying the TLS options of the client server with -O options but I can't understand why the information from the LDAP.conf file is not taken into account in this case. My server is a client. You specify that the certificate information in the LDAP.conf file is user-only options. Yes, this is specified in the ldap.conf manpage. This doesn't simplify the processing.
On Jan 7, 2025, at 4:37 AM, Eric M em.job35@gmail.com wrote:
I do not completely agree with your answer. What I want to achieve is a client server connection with ldapsearch with mutual TLS auhentification.
``` # Begin test: env LDAPTLS_CERT=/etc/ldap/foo1.crt LDAPTLS_KEY=/etc/ldap/foo1.pem LDAPTLS_CACERT=/etc/ldap/ca.crt ldapsearch -Y EXTERNAL -H ldap://hostname -b dc=example,dc=com '(objectclass=*)' -ZZ ``` — Shawn
These are two servers, one of which is considered a client with the ldap tools (ldapsearch) installed. As indicated in my answers, this works when using an ldaprc file in the $CWD or when specifying the TLS options of the client server with -O options but I can't understand why the information from the LDAP.conf file is not taken into account in this case. My server is a client. You specify that the certificate information in the LDAP.conf file is user-only options. Yes, this is specified in the ldap.conf manpage. This doesn't simplify the processing.
Eric M wrote:
I do not completely agree with your answer. What I want to achieve is a client server connection with ldapsearch with mutual TLS auhentification. These are two servers, one of which is considered a client with the ldap tools (ldapsearch) installed. As indicated in my answers, this works when using an ldaprc file in the $CWD or when specifying the TLS options of the client server with -O options but I can't understand why the information from the LDAP.conf file is not taken into account in this case. My server is a client. You specify that the certificate information in the LDAP.conf file is user-only options. Yes, this is specified in the ldap.conf manpage. This doesn't simplify the processing.
ldap.conf is for system-wide configuration. Security credentials should not be system-wide.
You've been told how to achieve the configuration you want, using ldaprc. That should be enough. This thread has wasted enough time.
openldap-technical@openldap.org
-
Eric M -
Howard Chu -
Jordan Brown -
maudez.eric@neuf.fr -
Ondřej Kuzník -
Quanah Gibson-Mount -
Sean Gallagher -
Shawn McKinney -
Windl, Ulrich