Thanks, Dieter and Dirk! :-)
Actually, late yesterday afternoon, I finally discovered what the problem
was. I was using "-ZZ -Y EXTERNAL" and I did verify all the Cyrus
packages. You probably wouldn't believe how far "down the rabbit hole" I
went on some of that stuff. It's very interesting what can be done with
Cyrus for example. LOL
My problem was that I didn't RTFM! Well, not *enough* of the manual. I
neglected the ldap.conf man page. I didn't realize that variables like
TLS_CERT and TLS_KEY cannot be specified in the global ldap.conf. So the
user-side certs were never being offered up. Once I created a ~/.ldaprc
with the proper variables and valid cert, presto it worked.
The thing that was throwing me off is that, unless you bind with a cert,
the DSE does not give the EXTERNAL value of the supportedSASLMechanisms
attribute. It seems as though I should be able to do a simple bind (if
otherwise allowed, which it is on my DIT) and see all the mechanisms
available. Turns out that's not the case.
Also, the local4.debug (from the server) and the "-d -1" (from the command
line utilities) are not very helpful. Things like "End of file" or "Is a
directory", etc, etc, are not the actual problem but are the only related
things reported.
Anyway, with the help of a coworker, I did finally RTFM and figured that
out. So I just wanted to thank you guys for your assistance and report
back that I'm good with this issue now.
Thanks,
Frank
On Wed, Sep 2, 2015 at 5:04 AM, Dirk Kastens <dirk.kastens(a)uni-osnabrueck.de> wrote:
> Hi Frank,
> if you want SASL to work, you need to have the cyrus-sasl libraries
> installed. And slapd has to be compiled with sasl support:
> # rpm -qa | grep sasl
> cyrus-sasl-lib-2.1.23-8.el6.x86_64
> cyrus-sasl-2.1.23-8.el6.x86_64
> cyrus-sasl-plain-2.1.23-8.el6.x86_64
> # ldd /usr/sbin/slapd
> ...
> libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f8152dbb000)
> ...
> > I'm trying to configure OpenLDAP 2.4.23 (running on RHEL6.5) to use
> > client-side certificates via the SASL/EXTERNAL mechanism. I have
> > successfully configured server-side certs with TLS and was wanting to
> > expand my configuration on the client-side.
> >
> > If I set the TLSClientVerify to "allow" or "try" and attempt to use
> > "-Y EXTERNAL", I get the following message:
> >
> > SASL/EXTERNAL authentication started
> > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> > additional info: SASL (-4): no mechaism available:
> >
> > If I do a search on the DSE, I get the following available methods:
> >
> > dn:
> > supportedSASLMechanisms: GSSAPI
> > supportedSASLMechanisms: LOGIN
> > supportedSASLMechanisms: CRAM-MD5
> > supportedSASLMechanisms: DIGEST-MD5
> > supportedSASLMechanisms: PLAIN
> >
> > I know that other people are using this but nobody (here at work) knows
> > why my particular configuration is getting this error. Can anyone help
> > me figure this out?
> >
> Regards,
> Dirk Kastens
--
Frank
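A small lint for the client-side mistake Frank describes above (TLS_CERT/TLS_KEY placed in the global ldap.conf instead of ~/.ldaprc), added here as an example; it is not code from the thread or from the OpenLDAP project. The file paths and configuration contents it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: lint the OpenLDAP client configuration
# for the mistake described above. ldap.conf(5) documents TLS_CERT and TLS_KEY
# as user-only options: they are ignored in the system-wide ldap.conf and only
# take effect from ~/.ldaprc (or the file named by $LDAPRC), so a cert that is
# only configured globally is never sent in the TLS handshake and slapd then
# neither advertises nor accepts SASL/EXTERNAL. Paths and contents are constructed.

USER_ONLY="TLS_CERT TLS_KEY"

# Print the user-only keywords set in FILE, uppercased, one per line.
# Keywords are case-insensitive; comment lines never match the anchored regex.
user_only_opts_in() {
    grep -Ei "^[[:space:]]*(TLS_CERT|TLS_KEY)[[:space:]]+" "$1" 2>/dev/null \
        | awk '{print toupper($1)}' | sort -u
}

# Check GLOBAL (ldap.conf) against USERRC (~/.ldaprc). Returns 0 when the
# client will present its certificate, 1 when EXTERNAL cannot work.
check_external_setup() {
    global="$1" userrc="$2" status=0
    for kw in $(user_only_opts_in "$global"); do
        echo "WARN: $kw in $global is ignored (user-only option); put it in $userrc"
        status=1
    done
    for kw in $USER_ONLY; do
        if ! user_only_opts_in "$userrc" | grep -qx "$kw"; then
            echo "MISSING: $kw is not set in $userrc; no client cert will be sent"
            status=1
        fi
    done
    return $status
}

# Demo: the failing layout (certs in the global file, empty ~/.ldaprc), then
# the working one (certs moved to ~/.ldaprc). Files are written to a tempdir.
demo() {
    d=$(mktemp -d)
    certs='TLS_CERT /home/frank/frank.pem\nTLS_KEY /home/frank/frank.key\n'
    printf 'URI ldaps://ldap.example.test\nBASE dc=example,dc=test\n' >"$d/ldap.conf"
    printf "$certs" >>"$d/ldap.conf"; : >"$d/ldaprc"
    echo "--- certs in global ldap.conf:"
    check_external_setup "$d/ldap.conf" "$d/ldaprc" || echo "-> ldapwhoami -ZZ -Y EXTERNAL would fail"
    printf 'URI ldaps://ldap.example.test\nBASE dc=example,dc=test\n' >"$d/ldap.conf"
    printf "$certs" >"$d/ldaprc"
    echo "--- certs in ~/.ldaprc:"
    check_external_setup "$d/ldap.conf" "$d/ldaprc" && echo "-> client cert will be offered"
    rm -rf "$d"
}
demo
```

Run it against the real files with `check_external_setup /etc/openldap/ldap.conf ~/.ldaprc` to see which of the two layouts a host is in.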