Hello,
every time I try
ldapmodify -Y EXTERNAL -H ldapi:///
I get the following
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
and that's all; the same with a password (-W): it stops there and there are no log messages.
Thanks
Andreas
On Mon, 03 Oct 2011 16:27:39 +0200, Andreas Rudat wrote:
> ldapmodify -Y EXTERNAL -H ldapi:///
> I get the following
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> and that's all; the same with a password (-W): it stops there and there are no log messages.
Yes, and...? What did you expect? This is expected behaviour, since you're not supplying LDIF input (either on STDIN or '-f file').
On 03/10/11 16:27 +0200, Andreas Rudat wrote:
> Hello,
> every time I try
> ldapmodify -Y EXTERNAL -H ldapi:///
> I get the following
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> and that's all; the same with a password (-W): it stops there and there are no log messages.
The output indicates that you successfully authenticated your connection to the server. ldapmodify is waiting for you to tell it something to do (from standard input).
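As an added example (not code from the thread or from OpenLDAP), this is the shape of the command Dan describes: the same bind over ldapi:/// with SASL EXTERNAL, but with the LDIF that ldapmodify is waiting for actually supplied on stdin, preceded by an ldapwhoami check that the peer-credential identity is what slapd will see. The socket path /var/run/slapd/ldapi and the sample entry under dc=foo,dc=intern (the suffix from the poster's ldap.conf) are assumptions. The identity gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth is the kernel-reported uid/gid of the local client process, which is why this bind needs neither a password nor TLS; on Debian/Ubuntu the packaged cn=config grants exactly that DN manage access to the config database.

```shell
#!/bin/sh
# Added example (not from the thread): drive ldapmodify over ldapi:/// with
# SASL EXTERNAL and supply the LDIF it reads from stdin.
# Assumptions (not in the original post): socket at /var/run/slapd/ldapi and a
# sample entry cn=admin,dc=foo,dc=intern to modify.

LDAPI_URI="${LDAPI_URI:-ldapi:///}"
LDAPI_SOCK="${LDAPI_SOCK:-/var/run/slapd/ldapi}"

# Extract the uidNumber from the peercred identity slapd reports for an
# ldapi + SASL EXTERNAL bind, e.g.
#   gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth  ->  0
# Prints nothing for a DN that is not a peercred identity.
peercred_uid() {
    printf '%s\n' "$1" | sed -n 's/^gidNumber=[0-9]*+uidNumber=\([0-9]*\),cn=peercred,cn=external,cn=auth$/\1/p'
}

# Is the SASL username an ldapi peercred identity at all?  Exit 0 = yes, 1 = no.
is_peercred() {
    case "$1" in
        gidNumber=*+uidNumber=*,cn=peercred,cn=external,cn=auth) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the LDIF ldapmodify was waiting for: one 'replace' of one attribute on
# one entry.  Written to stdout so it can be piped in or saved and passed with -f.
ldif_replace() {
    dn=$1; attr=$2; value=$3
    printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n' "$dn" "$attr" "$attr" "$value"
}

# Run ldapmodify with the LDIF on stdin.  Without this pipe (or -f file) the
# tool just sits reading the terminal, which is what the poster saw.
# -Q silences the SASL banner; drop it while debugging.
modify_via_ldapi() {
    ldif_replace "$@" | ldapmodify -Q -Y EXTERNAL -H "$LDAPI_URI"
}

main() {
    if ! command -v ldapwhoami >/dev/null 2>&1 || [ ! -S "$LDAPI_SOCK" ]; then
        echo "ldap client tools or $LDAPI_SOCK not present; nothing to run" >&2
        return 0
    fi
    # Step 1: confirm who slapd thinks we are (must be a peercred identity).
    me=$(ldapwhoami -Q -Y EXTERNAL -H "$LDAPI_URI") || return 1
    me=${me#dn:}
    if ! is_peercred "$me"; then
        echo "unexpected identity: $me" >&2
        return 1
    fi
    echo "bound as uid $(peercred_uid "$me") via ldapi peer credentials"
    # Step 2: the modify, with LDIF actually supplied this time.
    modify_via_ldapi "cn=admin,dc=foo,dc=intern" description "updated over ldapi"
}

main "$@"
```

Run it as root (or as the user whose uid/gid the ACLs in cn=config grant access to); the first line of output names the peercred uid the bind was mapped to, and the modify only proceeds once that identity has been confirmed.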
On 03.10.2011 16:43, Dan White wrote:
> On 03/10/11 16:27 +0200, Andreas Rudat wrote:
>> Hello,
>> every time I try
>> ldapmodify -Y EXTERNAL -H ldapi:///
>> I get the following
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> and that's all; the same with a password (-W): it stops there and there are no log messages.
> The output indicates that you successfully authenticated your connection to the server. ldapmodify is waiting for you to tell it something to do (from standard input).
Ah ok, then I misunderstood the tutorial I read.
I'm trying to get SASL+TLS running, but I still have some problems.
ldapsearch -x -LLL -s base -b "" supportedSASLMechanisms
says
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
so TLS isn't allowed in my configuration? I added TLS in ldap.conf and /etc/default/slapd.
Debug says: TLS: can't connect: A TLS packet with unexpected length was received..
Thanks
Andreas
On 03/10/11 17:43 +0200, Andreas Rudat wrote:
> On 03.10.2011 16:43, Dan White wrote:
>> On 03/10/11 16:27 +0200, Andreas Rudat wrote:
>>> ldapmodify -Y EXTERNAL -H ldapi:///
>>> SASL/EXTERNAL authentication started
>>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>>> SASL SSF: 0
>> The output indicates that you successfully authenticated your connection to the server. ldapmodify is waiting for you to tell it something to do (from standard input).
> Ah ok, then I misunderstood the tutorial I read.
> I'm trying to get SASL+TLS running, but I still have some problems.
> ldapsearch -x -LLL -s base -b "" supportedSASLMechanisms
> says
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: DIGEST-MD5
> supportedSASLMechanisms: NTLM
> so TLS isn't allowed in my configuration? I added TLS in ldap.conf and /etc/default/slapd.
> Debug says: TLS: can't connect: A TLS packet with unexpected length was received..
What are the contents of your ldap.conf, and your /etc/default/slapd?
What is your TLS configuration on the server? In particular, your TLSVerifyClient/olcTLSVerifyClient setting (which should be something other than the default).
On 03.10.2011 18:04, Dan White wrote:
> On 03/10/11 17:43 +0200, Andreas Rudat wrote:
>> On 03.10.2011 16:43, Dan White wrote:
>>> On 03/10/11 16:27 +0200, Andreas Rudat wrote:
>>>> ldapmodify -Y EXTERNAL -H ldapi:///
>>>> SASL/EXTERNAL authentication started
>>>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>>>> SASL SSF: 0
>>> The output indicates that you successfully authenticated your connection to the server. ldapmodify is waiting for you to tell it something to do (from standard input).
>> Ah ok, then I misunderstood the tutorial I read.
>> I'm trying to get SASL+TLS running, but I still have some problems.
>> ldapsearch -x -LLL -s base -b "" supportedSASLMechanisms
>> says
>> supportedSASLMechanisms: CRAM-MD5
>> supportedSASLMechanisms: DIGEST-MD5
>> supportedSASLMechanisms: NTLM
>> so TLS isn't allowed in my configuration? I added TLS in ldap.conf and /etc/default/slapd.
>> Debug says: TLS: can't connect: A TLS packet with unexpected length was received..
> What are the contents of your ldap.conf, and your /etc/default/slapd?
> What is your TLS configuration on the server? In particular, your TLSVerifyClient/olcTLSVerifyClient setting (which should be something other than the default).
What do you mean with TLS config? Of /etc/ssl? I worked with this tutorial for TLS: https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html

ldap.conf
##########################################
# host fs.foo.intern

# The distinguished name of the search base.
base dc=foo,dc=intern

# Another way to specify your LDAP server is to provide an
uri ldaps://127.0.0.1/
uri ldap://127.0.0.1/

rootbinddn cn=admin,dc=foo,dc=intern

ssl start_tls
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ldap_cert.pem
tls_cacertdir /etc/ssl/certs
tls_cert
tls_key
sasl_secprops maxssf=0
#
############################################

default/slapd
############################################
# SLAPD_CONF=
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_SERVICES="ldap:/// ldaps:///"
#
############################################

Thanks
Andreas
On 03/10/11 19:41 +0200, Andreas Rudat wrote:
> On 03.10.2011 18:04, Dan White wrote:
>> On 03/10/11 17:43 +0200, Andreas Rudat wrote:
>>> so TLS isn't allowed in my configuration? I added TLS in ldap.conf and /etc/default/slapd.
>>> Debug says: TLS: can't connect: A TLS packet with unexpected length was received..
>> What are the contents of your ldap.conf, and your /etc/default/slapd?
>> What is your TLS configuration on the server? In particular, your TLSVerifyClient/olcTLSVerifyClient setting (which should be something other than the default).
> What do you mean with TLS config? Of /etc/ssl? I worked with this tutorial for TLS: https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html
>
> ldap.conf
> ##########################################
> # host fs.foo.intern
>
> # The distinguished name of the search base.
> base dc=foo,dc=intern
>
> # Another way to specify your LDAP server is to provide an
> uri ldaps://127.0.0.1/
> uri ldap://127.0.0.1/
If you really want the ldap utilities to try multiple servers this way, you should do:
uri ldaps://127.0.0.1/ ldap://127.0.0.1/
but I'm guessing what you really want is:
uri ldap://<fqdn>/
in which case the server will attempt to authenticate your TLS client certificate based on its TLSVerifyClient configuration. FQDN should be the server name (cn) corresponding to the certificate you created.
> rootbinddn cn=admin,dc=foo,dc=intern
>
> ssl start_tls
> ssl on
> tls_checkpeer yes
Be aware these are not valid (openldap) ldap.conf config items, as specified in ldap.conf(5). They may be used by some other software you have installed.
> tls_cacertfile /etc/ssl/certs/ldap_cert.pem
> tls_cacertdir /etc/ssl/certs
> tls_cert
> tls_key
My mail client may have corrupted this part of your configuration. You'll of course need valid entries here.
> sasl_secprops maxssf=0
> #
> ############################################
>
> default/slapd
> ############################################
> # SLAPD_CONF=
> SLAPD_USER="openldap"
> SLAPD_GROUP="openldap"
> SLAPD_SERVICES="ldap:/// ldaps:///"
> #
> ############################################
ldaps:// is unnecessary (here, and in your uri statement) unless you have some software which requires it.
And again, you'll need to properly configure TLSVerifyClient/olcTLSVerifyClient in your OpenLDAP server config.
When properly configured, your list of supportedSASLMechanisms should include 'EXTERNAL'.
For reference, see the manpages for ldap.conf and slapd-config (or slapd.conf), and see the OpenLDAP Administrator's Guide.
On 03.10.2011 20:51, Dan White wrote:
> On 03/10/11 19:41 +0200, Andreas Rudat wrote:
>> On 03.10.2011 18:04, Dan White wrote:
>>> On 03/10/11 17:43 +0200, Andreas Rudat wrote:
>>>> so TLS isn't allowed in my configuration? I added TLS in ldap.conf and /etc/default/slapd.
>>>> Debug says: TLS: can't connect: A TLS packet with unexpected length was received..
>>> What are the contents of your ldap.conf, and your /etc/default/slapd?
>>> What is your TLS configuration on the server? In particular, your TLSVerifyClient/olcTLSVerifyClient setting (which should be something other than the default).
>> What do you mean with TLS config? Of /etc/ssl? I worked with this tutorial for TLS: https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html
>>
>> ldap.conf
>> ##########################################
>> # host fs.foo.intern
>>
>> # The distinguished name of the search base.
>> base dc=foo,dc=intern
>>
>> # Another way to specify your LDAP server is to provide an
>> uri ldaps://127.0.0.1/
>> uri ldap://127.0.0.1/
> If you really want the ldap utilities to try multiple servers this way, you should do:
> uri ldaps://127.0.0.1/ ldap://127.0.0.1/
> but I'm guessing what you really want is:
> uri ldap://<fqdn>/
> in which case the server will attempt to authenticate your TLS client certificate based on its TLSVerifyClient configuration. FQDN should be the server name (cn) corresponding to the certificate you created.
>> rootbinddn cn=admin,dc=foo,dc=intern
>>
>> ssl start_tls
>> ssl on
>> tls_checkpeer yes
> Be aware these are not valid (openldap) ldap.conf config items, as specified in ldap.conf(5). They may be used by some other software you have installed.
>> tls_cacertfile /etc/ssl/certs/ldap_cert.pem
>> tls_cacertdir /etc/ssl/certs
>> tls_cert
>> tls_key
> My mail client may have corrupted this part of your configuration. You'll of course need valid entries here.
These options are defaults in my conf, with some comments, after installing the slapd package.
>> sasl_secprops maxssf=0
>> #
>> ############################################
>>
>> default/slapd
>> ############################################
>> # SLAPD_CONF=
>> SLAPD_USER="openldap"
>> SLAPD_GROUP="openldap"
>> SLAPD_SERVICES="ldap:/// ldaps:///"
>> #
>> ############################################
> ldaps:// is unnecessary (here, and in your uri statement) unless you have some software which requires it.
> And again, you'll need to properly configure TLSVerifyClient/olcTLSVerifyClient in your OpenLDAP server config.
So I added this to cn=config:
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
I think that's what you meant?
> When properly configured, your list of supportedSASLMechanisms should
> include 'EXTERNAL'.
> For reference, see the manpages for ldap.conf and slapd-config (or slapd.conf), and see the OpenLDAP Administrator's Guide.
On 03/10/11 21:43 +0200, Andreas Rudat wrote:
> On 03.10.2011 20:51, Dan White wrote:
>> On 03/10/11 19:41 +0200, Andreas Rudat wrote:
>>> tls_cert
>>> tls_key
>> My mail client may have corrupted this part of your configuration. You'll of course need valid entries here.
> These options are defaults in my conf, with some comments, after installing the slapd package.
You'll need to create a (client) certificate and populate those two values, or otherwise find a way to specify them while performing your ldapsearch command.
I don't see how you will be able to obtain SASL EXTERNAL over STARTTLS otherwise.
>> And again, you'll need to properly configure TLSVerifyClient/olcTLSVerifyClient in your OpenLDAP server config.
> So I added this to cn=config:
> add: olcTLSCACertificateFile
> olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
> -
> add: olcTLSCertificateFile
> olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
> -
> add: olcTLSCertificateKeyFile
> olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
> I think that's what you meant?
... and olcTLSVerifyClient.
>> When properly configured, your list of supportedSASLMechanisms should
>> include 'EXTERNAL'.
>> For reference, see the manpages for ldap.conf and slapd-config (or slapd.conf), and see the OpenLDAP Administrator's Guide.
I'd recommend depending a lot less on the howto you are reading, and a lot more on the above documentation.
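An added example (not code from the thread or from the OpenLDAP project) that puts together the server-side pieces Dan keeps asking for and the point Howard makes further down: the cn=config change, including olcTLSVerifyClient (which defaults to never, so slapd never asks for a client certificate and no EXTERNAL identity can exist on a TCP connection), is applied over ldapi with SASL EXTERNAL, which needs no TLS at all; afterwards the client queries the root DSE over STARTTLS while presenting a certificate to confirm that EXTERNAL is now advertised. The host name fs.foo.intern, the client certificate and key paths, and cacert.pem as the CA of both the server and the client certificate are assumptions; the three server-side file paths are the ones the poster added. A minimal client ldap.conf in ldap.conf(5) syntax is included too, since the lowercase ssl/tls_checkpeer/tls_cacertfile lines in the thread are pam_ldap/nss_ldap options (/etc/ldap.conf on Debian/Ubuntu), not options of libldap's /etc/ldap/ldap.conf. The script is hypothetical glue, not a tool from either project.

```shell
#!/bin/sh
# Added example (not from the thread): enable client-certificate verification on
# slapd so SASL EXTERNAL is offered over STARTTLS, then verify from the client.
# Assumed (not in the original post): LDAP_HOST, CLIENT_CERT, CLIENT_KEY, and
# that cacert.pem also signed the client certificate.

LDAP_HOST="${LDAP_HOST:-fs.foo.intern}"                   # must match the server cert CN/SAN
CLIENT_CERT="${CLIENT_CERT:-/etc/ssl/certs/client.pem}"   # assumed client cert
CLIENT_KEY="${CLIENT_KEY:-/etc/ssl/private/client.key}"   # assumed client key
CA_CERT="${CA_CERT:-/etc/ssl/certs/cacert.pem}"           # CA from the poster's cn=config

# LDIF for cn=config.  'replace' instead of the poster's 'add' so re-running is
# idempotent.  olcTLSVerifyClient: 'never' (the default) means no certificate is
# ever requested; 'demand' rejects every client without one, including plain
# 'ldapsearch -x' tests, so 'try' is the usual choice.
ldif_server_tls() {
    verify=${1:-try}
    case "$verify" in
        try|demand|allow) ;;
        *) echo "olcTLSVerifyClient must be try, demand or allow, not '$verify'" >&2; return 1 ;;
    esac
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: olcTLSCACertificateFile\nolcTLSCACertificateFile: %s\n-\n' "$CA_CERT"
    printf 'replace: olcTLSCertificateFile\nolcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem\n-\n'
    printf 'replace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem\n-\n'
    printf 'replace: olcTLSVerifyClient\nolcTLSVerifyClient: %s\n' "$verify"
}

# Client ldap.conf in libldap's own syntax (ldap.conf(5)): one URI with the
# FQDN of the server certificate, the CA to verify it against, and the client
# cert/key that make SASL EXTERNAL possible over STARTTLS.
ldap_conf_client() {
    printf 'URI ldap://%s/\nBASE dc=foo,dc=intern\nTLS_CACERT %s\nTLS_REQCERT demand\nTLS_CERT %s\nTLS_KEY %s\n' \
        "$LDAP_HOST" "$CA_CERT" "$CLIENT_CERT" "$CLIENT_KEY"
}

# Read 'ldapsearch -x -LLL -s base -b "" supportedSASLMechanisms' output on
# stdin and report whether a mechanism is advertised.  Exit 0 = yes, 1 = no.
has_mech() {
    grep -qx "supportedSASLMechanisms: $1"
}

# Root DSE query over STARTTLS (-ZZ: require TLS, fail otherwise) with the
# client certificate.  LDAPTLS_* are the environment forms of the TLS_*
# options from ldap.conf(5), so this works without touching the file.
mechs_with_client_cert() {
    LDAPTLS_CACERT="$CA_CERT" LDAPTLS_CERT="$CLIENT_CERT" LDAPTLS_KEY="$CLIENT_KEY" \
    ldapsearch -x -LLL -ZZ -H "ldap://$LDAP_HOST/" -s base -b '' supportedSASLMechanisms
}

main() {
    if ! command -v ldapmodify >/dev/null 2>&1 || [ ! -S /var/run/slapd/ldapi ]; then
        echo "no local slapd or ldap tools; printing the LDIF that would be applied:" >&2
        ldif_server_tls try
        return 0
    fi
    # The config change goes in over ldapi + EXTERNAL: peer credentials, no TLS.
    ldif_server_tls try | ldapmodify -Q -Y EXTERNAL -H ldapi:/// || return 1
    if mechs_with_client_cert | has_mech EXTERNAL; then
        echo "EXTERNAL advertised over STARTTLS with client certificate: OK"
        # The identity slapd derives from the certificate subject:
        LDAPTLS_CACERT="$CA_CERT" LDAPTLS_CERT="$CLIENT_CERT" LDAPTLS_KEY="$CLIENT_KEY" \
        ldapwhoami -Q -ZZ -Y EXTERNAL -H "ldap://$LDAP_HOST/"
    else
        echo "EXTERNAL still missing: check olcTLSVerifyClient and that $CLIENT_CERT chains to $CA_CERT" >&2
        return 1
    fi
}

main "$@"
```

Once EXTERNAL shows up, ldapwhoami prints the certificate subject as the bound identity; that DN is not an entry in the directory, so either map it with olcAuthzRegexp or grant it rights directly in olcAccess before expecting it to modify anything. Querying the root DSE over plain ldap:// without a certificate will keep listing only CRAM-MD5, DIGEST-MD5 and NTLM, exactly as in the thread, because EXTERNAL is only offered on a connection that already carries an external identity (a verified client certificate or ldapi peer credentials).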
Dan White wrote:
> On 03/10/11 21:43 +0200, Andreas Rudat wrote:
>> On 03.10.2011 20:51, Dan White wrote:
>>> On 03/10/11 19:41 +0200, Andreas Rudat wrote:
>>>> tls_cert
>>>> tls_key
>>> My mail client may have corrupted this part of your configuration. You'll of course need valid entries here.
>> These options are defaults in my conf, with some comments, after installing the slapd package.
> You'll need to create a (client) certificate and populate those two values, or otherwise find a way to specify them while performing your ldapsearch command.
> I don't see how you will be able to obtain SASL EXTERNAL over STARTTLS otherwise.
How did this conversation get to STARTTLS? The Subject is asking about SASL EXTERNAL over ldapi, which does not need TLS.
On 04/10/11 09:22 -0700, Howard Chu wrote:
> Dan White wrote:
>> On 03/10/11 21:43 +0200, Andreas Rudat wrote:
>>> On 03.10.2011 20:51, Dan White wrote:
>>>> On 03/10/11 19:41 +0200, Andreas Rudat wrote:
>>>>> tls_cert
>>>>> tls_key
>>>> My mail client may have corrupted this part of your configuration. You'll of course need valid entries here.
>>> These options are defaults in my conf, with some comments, after installing the slapd package.
>> You'll need to create a (client) certificate and populate those two values, or otherwise find a way to specify them while performing your ldapsearch command.
>> I don't see how you will be able to obtain SASL EXTERNAL over STARTTLS otherwise.
> How did this conversation get to STARTTLS? The Subject is asking about SASL EXTERNAL over ldapi, which does not need TLS.
I was led down that path via the howto referenced in the original post, and made several, possibly incorrect, assumptions about what the end goal is.
On 04.10.2011 18:59, Dan White wrote:
> On 04/10/11 09:22 -0700, Howard Chu wrote:
>> Dan White wrote:
>>> On 03/10/11 21:43 +0200, Andreas Rudat wrote:
>>>> On 03.10.2011 20:51, Dan White wrote:
>>>>> On 03/10/11 19:41 +0200, Andreas Rudat wrote:
>>>>>> tls_cert
>>>>>> tls_key
>>>>> My mail client may have corrupted this part of your configuration. You'll of course need valid entries here.
>>>> These options are defaults in my conf, with some comments, after installing the slapd package.
>>> You'll need to create a (client) certificate and populate those two values, or otherwise find a way to specify them while performing your ldapsearch command.
>>> I don't see how you will be able to obtain SASL EXTERNAL over STARTTLS otherwise.
>> How did this conversation get to STARTTLS? The Subject is asking about SASL EXTERNAL over ldapi, which does not need TLS.
> I was led down that path via the howto referenced in the original post, and made several, possibly incorrect, assumptions about what the end goal is.
Sorry for the confusion, Howard, and thanks for your help, Dan. I will work with the man page now and will create a new, better topic if needed.
Andreas
openldap-technical@openldap.org