The first attempt fails:

ldapwhoami -v -ZZ -Y EXTERNAL
ldap_initialize( <DEFAULT> )
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate
This also fails:

ldapsearch -LLL -Y EXTERNAL -H ldaps:/// -b "" -s base +
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
Tim
On Thu, Jan 21, 2016 at 7:43 PM, Sergio NNX sfhacker@hotmail.com wrote:
My scenario is relatively simple.
Simple, but it doesn't work, right?
Are you after something similar to the output below?
ldapwhoami -v -ZZ -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: 2.5.4.13=End User Certificate (OpenLDAP 2.4.43),2.5.4.5=1234-2015-UK,title=Mr,ou=Finance Department,o=MateAR.eu IT Solutions,l=Westminster,st=London,c=GB,email=info@matear.eu,0.9.2342.19200300.100.1.1=Administrator,dc=EU,cn=Administrator
SASL SSF: 0
dn:description=end user certificate (openldap 2.4.43),serialNumber=1234-2015-uk,title=mr,ou=finance department,o=matear.eu it solutions,l=westminster,st=london,c=gb,email=info@matear.eu,uid=administrator,dc=eu,cn=administrator
Result: Success (0)
ldapsearch -LLL -Y EXTERNAL -H ldaps:/// -b "" -s base +
SASL/EXTERNAL authentication started
SASL username: 2.5.4.13=End User Certificate (OpenLDAP 2.4.43),2.5.4.5=1234-2015-UK,title=Mr,ou=Finance Department,o=MateAR.eu IT Solutions,l=Westminster,st=London,c=GB,email=info@matear.eu,0.9.2342.19200300.100.1.1=Administrator,dc=EU,cn=Administrator
SASL SSF: 0
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
monitorContext: cn=Monitor
namingContexts: dc=my-domain,dc=com
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.3.6.1.1.22
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: SRP
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
entryDN:
subschemaSubentry: cn=Subschema
--On Friday, January 22, 2016 9:38 AM -0600 Timothy Keith timothy.g.keith@gmail.com wrote:
The first attempt fails:

ldapwhoami -v -ZZ -Y EXTERNAL
ldap_initialize( <DEFAULT> )
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate
Why do you expect this to work? You failed to supply -H with a valid ldap:// URI.
This also fails:

ldapsearch -LLL -Y EXTERNAL -H ldaps:/// -b "" -s base +
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
Why do you expect this to work? You passed -H without providing a host.
--Quanah
Tim
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
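Quanah's two objections come down to checks libldap makes on the client before any bind happens: the URI has to name a host (`ldaps:///` has none, and with no -H at all the tools fall back to the URI configured in ldap.conf, which the trace shows as `<DEFAULT>`), and that host has to match the server certificate's CN or subjectAltName, otherwise TLS is refused with exactly the "hostname does not match CN in peer certificate" error above. The Python below is an added illustration of those two checks; it is not code from the thread or from OpenLDAP. `ldap_uri_host`, `hostname_matches` and `explain_failure` are this example's own names, and the certificate names are passed in as a plain list rather than read from a real certificate.

```python
"""Added example (not from the thread): the two client-side checks behind
Tim's failures, modelled on what libldap does with -H and the peer cert."""
import ipaddress
from urllib.parse import urlsplit


def ldap_uri_host(uri):
    """Return the host named by an ldap://, ldaps:// or ldapi:// URI, or
    None when the URI names no host at all (e.g. "ldaps:///")."""
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError(f"not an LDAP URI: {uri!r}")
    if parts.scheme == "ldapi":
        return None          # Unix-domain socket: nothing to match a cert against
    return parts.hostname or None


def hostname_matches(host, cert_names):
    """RFC 6125-style reference identity check: an exact (case-insensitive)
    match, or a wildcard whose single leftmost '*' label covers exactly one
    label of the host.  IP literals only ever match exactly, and a wildcard
    never matches a bare registrable name like "example.com"."""
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    for name in cert_names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        if is_ip or not name.startswith("*."):
            continue
        suffix = name[1:]                    # "*.example.com" -> ".example.com"
        prefix = host[:-len(suffix)] if host.endswith(suffix) else None
        # the wildcard must stand in for exactly one non-empty label,
        # and the host must have at least three labels
        if prefix and "." not in prefix and host.count(".") >= 2:
            return True
    return False


def explain_failure(uri, cert_names):
    """Tell the operator which of the two checks a connection would fail."""
    host = ldap_uri_host(uri)
    if host is None:
        return "no host in URI (supply -H ldap://<host> or -H ldaps://<host>)"
    if not hostname_matches(host, cert_names):
        return "hostname does not match CN in peer certificate"
    return "ok"


if __name__ == "__main__":
    # constructed cases: the two URIs from the thread plus a fixed one
    names = ["ldap.example.com", "*.example.com"]       # CN + a SAN, constructed
    for uri in ("ldaps:///", "ldaps://ldap.example.com", "ldaps://192.0.2.10"):
        print(f"{uri:28} -> {explain_failure(uri, names)}")
```

The fix on the client side is therefore to pass a URI whose host is exactly what the certificate was issued for (or to reissue the certificate with that name in its SAN), not to turn verification off.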
I am new at LDAP, that is obvious I guess. But I've been around Unix for 30 years.
The first attempt fails:

ldapwhoami -v -ZZ -Y EXTERNAL
ldap_initialize( <DEFAULT> )
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate
Why do you expect this to work? You failed to supply -H with a valid ldap:// URI.
There seems to be a lack of knowledge and/or understanding of the basics here! There are dozens of good tutorials online about how to set up pass-through authentication using OpenLDAP. This issue shouldn't take more than a couple of days to fix and test. It is over a month now and it hasn't been fixed.
Can you seek advice from a colleague in your office? Can you describe your configuration in more detail?
Cheers.
Ser.
Can you recommend a pass-through tutorial?
Tim
On Fri, Jan 22, 2016 at 2:22 PM, Sergio NNX sfhacker@hotmail.com wrote:
I am new at LDAP, that is obvious I guess. But I've been around Unix for 30 years.
The first attempt fails:

ldapwhoami -v -ZZ -Y EXTERNAL
ldap_initialize( <DEFAULT> )
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate
Why do you expect this to work? You failed to supply -H with a valid ldap:// URI.
There seems to be a lack of knowledge and/or understanding of the basics here! There are dozens of good tutorials online about how to set up pass-through authentication using OpenLDAP. This issue shouldn't take more than a couple of days to fix and test. It is over a month now and it hasn't been fixed.
Can you seek advice from a colleague in your office? Can you describe your configuration in more detail?
Cheers.
Ser.
I am using this tutorial: Pass-Through authentication with SASL, http://ltb-project.org/wiki/documentation/general/sasl_delegation
Tim
On Fri, Jan 22, 2016 at 2:38 PM, Timothy Keith timothy.g.keith@gmail.com wrote:
Can you recommend a pass-through tutorial?
Tim
Try editing your system-wide ldap.conf(5) file to have:
TLS_REQCERT never
“allow” should also work. Also make sure you have a valid setting for TLS_CACERT (and that the file actually exists and has some contents): if you tell LDAP software not to check validity, the cert path has to be there to be ignored.
On Jan 27, 2016, at 15:18, Timothy Keith timothy.g.keith@gmail.com wrote:
I am using this tutorial: Pass-Through authentication with SASL, http://ltb-project.org/wiki/documentation/general/sasl_delegation
Tim
Also, if you're authenticating against AD, there are a few other things that can be simplified in that tutorial. First, add the "-r" option to the list of saslauthd(8) options so the username becomes foo@REALM.
After that you can have the following settings in your saslauthd.conf(5) file:
ldap_servers: ldaps://adldap1.ad.example.com ldaps://adldap2.ad.example.com
ldap_tls_check_peer: no
ldap_use_sasl: no
ldap_auth_method: fastbind
ldap_filter: %u
The "fastbind" skips the search of the directory, and simply tries to bind as username@REALM (which should map to users' AD principal because of "-r"). This also removes the need for a service account to do the initial bind-and-search.
On Sun, January 31, 2016 22:14, David Magda wrote:
Try editing your system-wide ldap.conf(5) file to have:
TLS_REQCERT never
“allow” should also work. Also make sure you have a valid setting for TLS_CACERT (and that the file actually exists and has some contents): if you tell LDAP software not to check validity, the cert path has to be there to be ignored.
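David's two messages above touch two files, and both suggestions trade certificate verification for a working bind: `TLS_REQCERT never` (or `allow`) in ldap.conf(5) and `ldap_tls_check_peer: no` in saslauthd.conf(5) each make the client accept whatever certificate is presented, so a pass-through setup that only "works" that way also works against anyone who can sit between slapd and the AD controllers. The Python below is an added audit script, not code from the thread or from the LTB tutorial: it parses both file formats, reports those settings, and performs the TLS_CACERT check David describes (set, exists, non-empty). `check_ldap_conf`, `check_saslauthd_conf` and the sample configs are this example's own; the filesystem lookups are injectable so the check can run on the constructed samples.

```python
"""Added example (not from the thread): audit ldap.conf(5) and
saslauthd.conf(5) for settings that disable server certificate checks."""
import os


def parse_ldap_conf(text):
    """ldap.conf(5): 'KEY value' lines, keys case-insensitive, '#' comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def parse_saslauthd_conf(text):
    """saslauthd.conf(5): 'key: value' lines, '#' comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def check_ldap_conf(text, exists=os.path.isfile, size=os.path.getsize):
    """Return a list of findings; an empty list means the TLS settings are
    sound.  exists/size default to the real filesystem and are injectable."""
    findings = []
    opts = parse_ldap_conf(text)
    reqcert = opts.get("TLS_REQCERT", "demand").lower()   # libldap default: demand
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified")
    cacert = opts.get("TLS_CACERT")
    if not cacert:
        findings.append("TLS_CACERT not set")
    elif not exists(cacert):
        findings.append(f"TLS_CACERT {cacert}: file does not exist")
    elif size(cacert) == 0:
        findings.append(f"TLS_CACERT {cacert}: file is empty")
    return findings


def check_saslauthd_conf(text):
    """Findings for the LDAP auth mechanism of saslauthd(8)."""
    findings = []
    opts = parse_saslauthd_conf(text)
    servers = opts.get("ldap_servers", "").split()
    if any(s.startswith("ldap://") for s in servers) and \
            opts.get("ldap_start_tls", "no").lower() != "yes":
        findings.append("ldap:// server without ldap_start_tls: yes; "
                        "the user's password crosses the wire in clear")
    # saslauthd's LDAP documentation gives the default as 'no'
    if opts.get("ldap_tls_check_peer", "no").lower() != "yes":
        findings.append("ldap_tls_check_peer is not yes: AD certificate is not verified")
    elif not (opts.get("ldap_tls_cacert_file") or opts.get("ldap_tls_cacert_dir")):
        findings.append("ldap_tls_check_peer: yes needs ldap_tls_cacert_file or ldap_tls_cacert_dir")
    return findings


# Constructed samples: the workaround from the thread beside the hardened form.
WEAK_LDAP_CONF = """# constructed: verification switched off, no CA file named
URI ldaps://ldap.example.com
TLS_REQCERT never
"""
FIXED_LDAP_CONF = """# constructed: verify the server against a CA file that exists
URI ldaps://ldap.example.com
TLS_CACERT /etc/openldap/certs/ca.pem
TLS_REQCERT demand
"""
WEAK_SASLAUTHD_CONF = """ldap_servers: ldaps://adldap1.ad.example.com ldaps://adldap2.ad.example.com
ldap_tls_check_peer: no
ldap_use_sasl: no
ldap_auth_method: fastbind
ldap_filter: %u
"""
FIXED_SASLAUTHD_CONF = """ldap_servers: ldaps://adldap1.ad.example.com ldaps://adldap2.ad.example.com
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/openldap/certs/ca.pem
ldap_use_sasl: no
ldap_auth_method: fastbind
ldap_filter: %u
"""

if __name__ == "__main__":
    fake_fs = {"/etc/openldap/certs/ca.pem": 1200}       # constructed, path -> size
    for label, conf in (("weak", WEAK_LDAP_CONF), ("fixed", FIXED_LDAP_CONF)):
        print(label, "ldap.conf:", check_ldap_conf(
            conf, exists=lambda p: p in fake_fs, size=fake_fs.__getitem__) or "ok")
    for label, conf in (("weak", WEAK_SASLAUTHD_CONF), ("fixed", FIXED_SASLAUTHD_CONF)):
        print(label, "saslauthd.conf:", check_saslauthd_conf(conf) or "ok")
```

Run against the real files (`check_ldap_conf(open("/etc/openldap/ldap.conf").read())`) the defaults consult the real filesystem, so a TLS_CACERT that points at a missing or empty file, the case David warns about, is reported as such.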
I found this comment in the documentation: "The server must be built with the --enable-spasswd configuration option to enable pass-through authentication."
I ran slapd with this option; it listed:

slapd -VVV
@(#) $OpenLDAP: slapd 2.4.40 (Sep 30 2015 06:51:51) $
        mockbuild@x86-028.build.eng.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd

Included static backends:
    config
    ldif
    monitor
    bdb
    hdb
    ldap
    mdb
    meta
    null
    passwd
    relay
    shell
    sock

How can I know that slapd was built with --enable-spasswd?
Tim
On Mon, Feb 1, 2016 at 2:02 PM, David Magda dmagda@ee.ryerson.ca wrote:
Also, if you're authenticating against AD, there are a few other things that can be simplified in that tutorial. First, add the "-r" option to the list of saslauthd(8) options so the username becomes foo@REALM.
After that you can have the following settings in your saslauthd.conf(5) file:
ldap_servers: ldaps://adldap1.ad.example.com ldaps://adldap2.ad.example.com
ldap_tls_check_peer: no
ldap_use_sasl: no
ldap_auth_method: fastbind
ldap_filter: %u
The "fastbind" skips the search of the directory, and simply tries to bind as username@REALM (which should map to users' AD principal because of "-r"). This also removes the need for a service account to do the initial bind-and-search.
Timothy Keith wrote:
How can I know that slapd was built with --enable-spasswd?
By looking at the configure command in the build script, spec file in source RPM or whatever produced the binary builds you're using.
Ciao, Michael.
On Sun, Feb 7, 2016 at 6:55 AM, Michael Ströder michael@stroeder.com wrote:
Timothy Keith wrote:
How can I know that slapd was built with --enable-spasswd?
By looking at the configure command in the build script, spec file in source RPM or whatever produced the binary builds you're using.
Ciao, Michael.
I extracted the files from the yum binary packages. It is 2.4.40-7. I don't think there is a way to determine what the configure options were at build time.
Tim
--On Monday, February 08, 2016 6:04 PM -0600 Timothy Keith timothy.g.keith@gmail.com wrote:
I extracted the files from the yum binary packages. It is 2.4.40-7. I don't think there is a way to determine what the configure options were at build time.
You need to download the *source* RPM not the *binary* RPM, as the source RPM includes the SPEC file used to build OpenLDAP.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
openldap-technical@openldap.org
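Michael's and Quanah's answer to Tim's question is the same: `slapd -VVV` lists backends and overlays but never the configure flags, so the only record of whether `--enable-spasswd` was given is the build recipe, which for an RPM-based distribution is the `%build` section of the spec file inside the source RPM. The Python below is an added illustration, not code from the thread: it pulls the configure invocation out of a spec file, honouring backslash line continuations, and reports the resulting state of the spasswd feature (off by default in OpenLDAP's configure, so only an explicit `--enable-spasswd` turns it on, and a later `--disable-spasswd` or `--enable-spasswd=no` turns it back off). The spec fragment is constructed for illustration and is not the Red Hat spec; `configure_flags` and `spasswd_enabled` are this example's own names.

```python
"""Added example (not from the thread): read the configure flags out of an
RPM spec file to learn how the packaged slapd was built."""
import re

SECTION_END = re.compile(r"^%(prep|install|check|clean|files|changelog|pre|post|preun|postun)\b")
CONFIGURE_LINE = re.compile(r"^(%configure|\./configure|configure)\b")
FEATURE_FLAG = re.compile(r"^--(enable|disable|with|without)-")


def configure_flags(spec_text):
    """Return the --enable/--disable/--with/--without flags passed to
    %configure or ./configure inside the spec's %build section."""
    # A trailing backslash continues the command on the next line.
    joined = re.sub(r"\\\n[ \t]*", " ", spec_text)
    flags = []
    in_build = False
    for line in joined.splitlines():
        stripped = line.strip()
        if stripped.startswith("%build"):
            in_build = True
            continue
        if in_build and SECTION_END.match(stripped):
            in_build = False
        if in_build and CONFIGURE_LINE.match(stripped):
            flags.extend(t for t in stripped.split() if FEATURE_FLAG.match(t))
    return flags


def spasswd_enabled(spec_text):
    """Resolve the flags the way autoconf does: the last word wins."""
    state = False                              # configure's default for spasswd
    for flag in configure_flags(spec_text):
        name, _, value = flag.partition("=")
        if name == "--enable-spasswd":
            state = value.lower() != "no"
        elif name == "--disable-spasswd":
            state = False
    return state


# Constructed sample spec fragment (NOT the Red Hat openldap spec).
SAMPLE_SPEC = """\
Name: openldap
Version: 2.4.40
Release: 7%{?dist}

%prep
%setup -q

%build
%configure \\
    --enable-debug --enable-dynamic --enable-syslog \\
    --enable-ipv6 --enable-local --enable-spasswd \\
    --enable-modules --enable-rlookups --with-tls=openssl
make %{?_smp_mflags}

%install
make DESTDIR=%{buildroot} install
"""

if __name__ == "__main__":
    print("flags:", configure_flags(SAMPLE_SPEC))
    print("spasswd enabled:", spasswd_enabled(SAMPLE_SPEC))
```

To get at the real spec, fetch the source RPM for the installed version and unpack it with `rpm2cpio openldap-<version>.src.rpm | cpio -idm` (the file name is a placeholder; use the one your distribution ships), then point `configure_flags` at the extracted `openldap.spec`.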