Hi,
I'm trying to configure OpenLDAP 2.4.23 (running on RHEL6.5) to use client-side certificates via the SASL/EXTERNAL mechanism. I have successfully configured server-side certs with TLS and was wanting to expand my configuration on the client-side.
If I set the TLSClientVerify to "allow" or "try" and attempt to use "-Y EXTERNAL", I get the following message:
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    additional info: SASL (-4): no mechaism available:
If I do a search on the DSE, I get the following available methods:
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: PLAIN
I know that other people are using this but nobody (here at work) knows why my particular configuration is getting this error. Can anyone help me figure this out?
Thanks,
On Mon, 31 Aug 2015 19:43:39 -0400, Frank Crow fjcrow2008@gmail.com wrote:
It seems you have not initialised a TLS session, that is, either StartTLS on port 389 or, without StartTLS, on the secure port 636.
ldapsearch -LLL -Y EXTERNAL -ZZ -H ldap://localhost -b "" -s base supportedSASLMechanisms
SASL/EXTERNAL authentication started
SASL username: xxxxx
SASL SSF: 0
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
-Dieter
Hi Frank,
If you want SASL to work, you need to have the cyrus-sasl libraries installed, and slapd has to be compiled with SASL support:
# rpm -qa | grep sasl
cyrus-sasl-lib-2.1.23-8.el6.x86_64
cyrus-sasl-2.1.23-8.el6.x86_64
cyrus-sasl-plain-2.1.23-8.el6.x86_64

# ldd /usr/sbin/slapd
...
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f8152dbb000)
...
Regards,
Dirk Kastens
Danke Dieter und Dirk! :-)
Actually, late yesterday afternoon, I finally discovered what the problem was. I was using "-ZZ -Y EXTERNAL" and I did verify all the Cyrus packages. You probably wouldn't believe how far "down the rabbit hole" I went on some of that stuff. It's very interesting what can be done with Cyrus for example. LOL
My problem was that I didn't RTFM! Well, not *enough* of the manual. I neglected the ldap.conf man page. I didn't realize that variables like TLS_CERT and TLS_KEY cannot be specified in the global ldap.conf. So the user-side certs were never being offered up. Once I created a ~/.ldaprc with the proper variables and valid cert, presto it worked.
The thing that was throwing me off is that, unless you bind with a cert, the DSE does not give the EXTERNAL value of the supportedSASLMechanisms attribute. It seems as though I should be able to do a simple bind (if otherwise allowed, which it is on my DIT) and see all the mechanisms available. Turns out that's not the case.
Also, the local4.debug (from the server) and the "-d -1" (from the command line utilities) are not very helpful. Things like "End of file" or "Is a directory", etc, etc, are not the actual problem but are the only related things reported.
Anyway, with the help of a coworker, I did finally RTFM and figured that out. So I just wanted to thank you guys for your assistance and report back that I'm good with this issue now.
Thanks, Frank
On Wed, Sep 2, 2015 at 5:04 AM, Dirk Kastens <dirk.kastens@uni-osnabrueck.de> wrote:
On 08/31/15 19:43 -0400, Frank Crow wrote:
> If set the TLSClientVerify to "allow" or "try" and attempt to use "-Y EXTERNAL", I get the following message:
>
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>     additional info: SASL (-4): no mechaism available:
>
> If I do a search on the DSE, I get the following available methods:
>
> dn:
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: LOGIN
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: DIGEST-MD5
> supportedSASLMechanisms: PLAIN
If you have an olcSaslAuxprops configured, verify it includes EXTERNAL.
Enable debugging on your client (e.g. -d -1), or enable logging on the server, to verify you're properly authenticating with your client certificate.
On 09/02/15 11:04 +0200, Dirk Kastens wrote:
> Hi Frank,
> if you want SASL to work, you need to have the cyrus-sasl libraries installed. And slapd has to be compiled with sasl support:
>
> # rpm -qa | grep sasl
> cyrus-sasl-lib-2.1.23-8.el6.x86_64
> cyrus-sasl-2.1.23-8.el6.x86_64
> cyrus-sasl-plain-2.1.23-8.el6.x86_64
>
> # ldd /usr/sbin/slapd
> ...
> libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f8152dbb000)
> ...
Based on his output, it's clear he has those listed mechanisms properly installed. The EXTERNAL mechanism requires no additional shared libraries, other than the libsasl2 glue library.
On 09/02/15 08:25 -0500, Dan White wrote:
> dn:
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: LOGIN
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: DIGEST-MD5
> supportedSASLMechanisms: PLAIN
>
> If you have an olcSaslAuxprops configured, verify it includes EXTERNAL.
That's a mistake. Check your SASL slapd.conf file for mech_list. If it exists, add EXTERNAL to it.
olcSaslAuxprops is something totally unrelated.
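The two client-side causes the thread settles on (Frank's: TLS_CERT/TLS_KEY are user-only options that the global ldap.conf ignores, so they belong in ~/.ldaprc; Howard's: a mech_list in the SASL application config must include EXTERNAL) can be checked before binding. The script below is an added example written for this thread, not code from any of the posters or from OpenLDAP; the file paths in the usage comment are the RHEL defaults and are passed as arguments so the checks can run against any file.

```shell
#!/bin/sh
# Added example: pre-flight checks for SASL/EXTERNAL with a client certificate.
#  1. TLS_CERT/TLS_KEY are user-only options (ldap.conf(5)): ldap.conf ignores
#     them, they must be in ~/.ldaprc (or the file named by LDAPRC).
#  2. If the SASL app config for slapd (e.g. /etc/sasl2/slapd.conf) sets
#     mech_list, EXTERNAL must appear in it or slapd will not advertise it.

# Print the value of an ldap.conf-style option (key is case-insensitive).
conf_get() {  # $1=file  $2=KEY (upper case)
    [ -r "$1" ] || return 0
    awk -v k="$2" 'toupper($1) == k { print $2; exit }' "$1"
}

# Returns 0 when the user config names a readable cert and key, 1 otherwise.
check_client_certs() {  # $1=global ldap.conf  $2=user ldaprc
    rc=0
    for key in TLS_CERT TLS_KEY; do
        if [ -n "$(conf_get "$1" "$key")" ]; then
            echo "WARN: $key in $1 is ignored (user-only option); put it in $2"
        fi
        val=$(conf_get "$2" "$key")
        if [ -z "$val" ]; then
            echo "FAIL: $key not set in $2; no client certificate will be offered"
            rc=1
        elif [ ! -r "$val" ]; then
            echo "FAIL: $key file $val is not readable"
            rc=1
        fi
    done
    return $rc
}

# Returns 0 when mech_list is absent or lists EXTERNAL, 1 when it excludes it.
check_mech_list() {  # $1=SASL application config for slapd
    [ -r "$1" ] || return 0     # no SASL config: nothing restricts the list
    list=$(awk -F: 'tolower($1) ~ /^[ \t]*mech_list[ \t]*$/ { print $2 }' "$1" \
           | tr 'a-z' 'A-Z')
    [ -z "$list" ] && return 0  # mech_list not set: all mechanisms allowed
    case " $list " in
        *" EXTERNAL "*) return 0 ;;
        *) echo "FAIL: mech_list in $1 does not include EXTERNAL"; return 1 ;;
    esac
}

# Typical use on the client, then the bind itself (StartTLS, as in the thread):
#   check_client_certs /etc/openldap/ldap.conf "$HOME/.ldaprc" \
#     && check_mech_list /etc/sasl2/slapd.conf \
#     && ldapwhoami -Y EXTERNAL -ZZ -H ldap://localhost
```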
openldap-technical@openldap.org