Hi,
I am using RHEL7 and the OpenLDAP build from the LTB project (to test out SSHA password hashing). Currently I am having trouble configuring SASL EXTERNAL authentication over ldapi:///. Maybe I am missing something; any pointers would be appreciated.
[root@oldp4-dk-vm ~]# /usr/local/openldap/libexec/slapd -V @(#) $OpenLDAP: slapd 2.4.44 (Feb 15 2016 11:14:35) $ clement@centos7.unix.example.com:/home/clement/build/BUILD/openldap-2.4.44/servers/slapd
[root@oldp4-dk-vm ~]#
After adding the ldapi:/// listener to the startup script, I verified that it is listening (the unix socket is at /usr/local/openldap/var/run/ldapi) using lsof:
[root@oldp4-dk-vm ~]# lsof | grep ldap | grep -e '(unix|LISTEN)' slapd 7988 ldap 3u unix 0xffff880077fc23c0 0t0 603136 socket slapd 7988 ldap 7u IPv4 603140 0t0 TCP *:ldap (LISTEN) slapd 7988 ldap 8u IPv6 603141 0t0 TCP *:ldap (LISTEN) slapd 7988 ldap 9u IPv4 603144 0t0 TCP *:ldaps (LISTEN) slapd 7988 ldap 10u IPv6 603145 0t0 TCP *:ldaps (LISTEN) slapd 7988 ldap 11u unix 0xffff880077fc2000 0t0 603146 /usr/local/openldap/var/run/ldapi slapd 7988 7989 ldap 3u unix 0xffff880077fc23c0 0t0 603136 socket slapd 7988 7989 ldap 7u IPv4 603140 0t0 TCP *:ldap (LISTEN) slapd 7988 7989 ldap 8u IPv6 603141 0t0 TCP *:ldap (LISTEN) slapd 7988 7989 ldap 9u IPv4 603144 0t0 TCP *:ldaps (LISTEN) slapd 7988 7989 ldap 10u IPv6 603145 0t0 TCP *:ldaps (LISTEN) slapd 7988 7989 ldap 11u unix 0xffff880077fc2000 0t0 603146 /usr/local/openldap/var/run/ldapi slapd 7988 7991 ldap 3u unix 0xffff880077fc23c0 0t0 603136 socket slapd 7988 7991 ldap 7u IPv4 603140 0t0 TCP *:ldap (LISTEN) slapd 7988 7991 ldap 8u IPv6 603141 0t0 TCP *:ldap (LISTEN) slapd 7988 7991 ldap 9u IPv4 603144 0t0 TCP *:ldaps (LISTEN) slapd 7988 7991 ldap 10u IPv6 603145 0t0 TCP *:ldaps (LISTEN) slapd 7988 7991 ldap 11u unix 0xffff880077fc2000 0t0 603146 /usr/local/openldap/var/run/ldapi [root@oldp4-dk-vm ~]#
Checking for supported sasl methods:
[root@oldp4-dk-vm ~]# ldapsearch -x -H ldapi:/// -b "" -LLL -s base supportedSASLMechanisms dn: supportedSASLMechanisms: EXTERNAL supportedSASLMechanisms: LOGIN supportedSASLMechanisms: PLAIN
[root@oldp4-dk-vm ~]#
Attempting to bind using sasl
[root@oldp4-dk-vm ~]# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b dn -vv -d 5 ldap_url_parse_ext(ldapi:///) ldap_initialize( ldapi:///??base ) ldap_create ldap_url_parse_ext(ldapi:///??base) ldap_sasl_interactive_bind: user selected: EXTERNAL ldap_int_sasl_bind: EXTERNAL ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_path ldap_new_socket: 3 ldap_connect_to_path: Trying /usr/local/openldap/var/run/ldapi ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_ndelay_on: 3 ldap_ndelay_off: 3 ldap_msgfree ldap_err2string ldap_sasl_interactive_bind_s: Local error (-2) ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 3 ldap_free_connection: actually freed [root@oldp4-dk-vm ~]#
Configuration (note: the olcRootPW values below are real SSHA hashes, and the same hash is used for both the cn=config database and the hdb database — once posted to a public list they should be treated as compromised and rotated, since SSHA is salted SHA-1 and cheap to brute-force offline):
[root@oldp4-dk-vm ~]# cat config.ldif dn: cn=config objectClass: olcGlobal cn: config olcConfigFile: /usr/local/openldap/etc/openldap/slapd.conf.bak olcConfigDir: /usr/local/openldap/etc/openldap/slapd.d olcAllows: bind_v2 olcArgsFile: /usr/local/openldap/var/run/slapd.args olcAttributeOptions: x-hidden lang- olcAuthzPolicy: none olcConcurrency: 0 olcConnMaxPending: 100 olcConnMaxPendingAuth: 1000 olcGentleHUP: FALSE olcIdleTimeout: 0 olcIndexSubstrIfMaxLen: 4 olcIndexSubstrIfMinLen: 2 olcIndexSubstrAnyLen: 4 olcIndexSubstrAnyStep: 2 olcIndexIntLen: 4 olcLocalSSF: 71 olcPidFile: /usr/local/openldap/var/run/slapd.pid olcReadOnly: FALSE olcReverseLookup: FALSE olcSaslSecProps: noplain,noanonymous olcSockbufMaxIncoming: 262143 olcSockbufMaxIncomingAuth: 16777215 olcThreads: 16 olcTLSCACertificateFile: /usr/local/openldap/etc/openldap/certs/ca-chain.cert.pem olcTLSCertificateFile: /usr/local/openldap/etc/openldap/certs/server.pem olcTLSCertificateKeyFile: /usr/local/openldap/etc/openldap/certs/server.key.pem olcTLSVerifyClient: never olcToolThreads: 1 olcWriteTimeout: 0 structuralObjectClass: olcGlobal
dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema
include: file:///usr/local/openldap/etc/openldap/schema/core.ldif include: file:///usr/local/openldap/etc/openldap/schema/cosine.ldif include: file:///usr/local/openldap/etc/openldap/schema/inetorgperson.ldif include: file:///usr/local/openldap/etc/openldap/schema/nis.ldif
## We serve small clients that do not handle referrals, ## so handle remote lookups on their behalf. #dn: olcDatabase=ldap,cn=config #objectClass: olcDatabaseConfig #objectClass: olcLdapConfig #olcDatabase: ldap #olcSuffix: "" #olcDbUri: ldap://ldap.some-server.com/
dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAddContentAcl: TRUE olcAccess: to attrs=name;x-hidden by * =cs olcAccess: to attrs=userPassword by * auth olcAccess: to * by * read olcLastMod: TRUE olcMaxDerefDepth: 0 olcReadOnly: FALSE olcSchemaDN: cn=Subschema olcSyncUseSubentry: FALSE olcMonitoring: FALSE structuralObjectClass: olcDatabaseConfig
dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none olcAddContentAcl: TRUE olcRootPW: {SSHA}dWIRB+xNhhBABixGgVrRKv7/J93NrgW7 olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: cn=config olcSyncUseSubentry: FALSE olcMonitoring: FALSE structuralObjectClass: olcDatabaseConfig
dn: olcDatabase={1}monitor,cn=config objectClass: olcDatabaseConfig olcDatabase: {1}monitor olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=manager,dc=myds,dc=example,dc=com" read by * none olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcSyncUseSubentry: FALSE olcMonitoring: FALSE structuralObjectClass: olcDatabaseConfig
dn: olcDatabase={2}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcAccess: {0} to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=manager,dc=myds,dc=example,dc=com" write by * none olcAccess: {1} to dn.base="" by * read olcAccess: {2} to * by self write by dn="cn=manager,dc=myds,dc=example,dc=com" write by * read olcAddContentAcl: FALSE olcDatabase: {2}hdb olcDbCacheFree: 1 olcDbCacheSize: 1000 olcDbCheckpoint: 512 15 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 3000 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbDirectory: /usr/local/openldap/var/openldap-data olcDbDirtyRead: FALSE olcDbDNcacheSize: 0 olcDbIDLcacheSize: 3000 olcDbIndex: cn,sn,mail pres,eq,approx,sub olcDbIndex: objectClass eq olcDbLinearIndex: FALSE olcDbMode: 0600 olcDbNoSync: FALSE olcDbSearchStack: 16 olcDbShmKey: 0 olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: cn=manager,dc=myds,dc=example,dc=com olcRootPW: {SSHA}dWIRB+xNhhBABixGgVrRKv7/J93NrgW7 olcSuffix: dc=myds,dc=example,dc=com structuralObjectClass: olcHdbConfig [root@oldp4-dk-vm ~]#
Regards Kenneth
Penza Kenneth at MITA wrote:
I am using RHEL7 and openldap from LTB project(to test out SSHA password hashing). Currently I am having issues to configure SASL EXTERNAL auth. Maybe I am missing something, any pointers would be appreciated.
First of all, you should always test with the ldapwhoami command-line tool. It shows you the authc-DN (the identity SASL authenticated you as) and the authz-DN (the identity you are authorized as, after any mapping).
For really using SASL/EXTERNAL you need authz-regexp statement(s) in slapd.conf, or the attribute olcAuthzRegexp in cn=config, to map the authc-DN (on ldapi:/// this is the gidNumber=...+uidNumber=...,cn=peercred,cn=external,cn=auth form derived from the peer credentials) to the DN of a real entry. Without a mapping the raw authc-DN is still usable in ACLs — your cn=config ACL already grants it manage — but it does not correspond to any entry in the directory.
See the man pages for details.
Example on my system:
$ ldapwhoami SASL/EXTERNAL authentication started SASL username: gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn:cn=michael ströder+mail=michael@stroeder.com,ou=private,dc=stroeder,dc=de
Based on this mapping (the search URL must resolve to exactly one entry for the bind to succeed; restricting it to objectClass=posixAccount and matching both uidNumber and gidNumber ensures only a genuine account entry can be selected for a given local user):
dn: cn=config [..] olcAuthzRegexp: {1}"gidnumber=([0-9]+)+uidnumber=([0-9]+),cn=peercred,cn=ex ternal,cn=auth" "ldap:///dc=stroeder,dc=de??sub?(&(objectClass=posixAccount )(uidNumber=$2)(gidNumber=$1))"
Ciao, Michael.
Michael,
Please excuse the broken threading; your reply e-mail was rejected because the sender IP was not in the domain's SPF record, though that is fixed now.
Thanks for your feedback. I tried to use ldapwhoami, however it returned the same error "ldap_sasl_interactive_bind_s: Local error (-2)".
Output with debug enabled:
[root@oldp4-dk-vm ~]# ldapwhoami -H ldapi:/// -Y EXTERNAL -d 3 ldap_url_parse_ext(ldapi:///) ldap_create ldap_url_parse_ext(ldapi:///??base) ldap_sasl_interactive_bind: user selected: EXTERNAL ldap_int_sasl_bind: EXTERNAL ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_path ldap_new_socket: 3 ldap_connect_to_path: Trying /usr/local/openldap/var/run/ldapi ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_ndelay_on: 3 ldap_ndelay_off: 3 ldap_msgfree ldap_err2string ldap_sasl_interactive_bind_s: Local error (-2) ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 3 ldap_write: want=7, written=7 0000: 30 05 02 01 01 42 00 0....B. ldap_free_connection: actually freed [root@oldp4-dk-vm ~]#
Regards Kenneth
Penza Kenneth at MITA wrote:
Michael,
Please excuse broken threading, your reply email got rejected cause sender IP was not in SPF record of the domain, though now its ok.
Thanks for your feedback. I tried to use ldapwhoami, however it returned the same error "ldap_sasl_interactive_bind_s: Local error (-2)".
Output with debug enabled:
[root@oldp4-dk-vm ~]# ldapwhoami -H ldapi:/// -Y EXTERNAL -d 3 ldap_url_parse_ext(ldapi:///) ldap_create ldap_url_parse_ext(ldapi:///??base) ldap_sasl_interactive_bind: user selected: EXTERNAL ldap_int_sasl_bind: EXTERNAL ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_path ldap_new_socket: 3 ldap_connect_to_path: Trying /usr/local/openldap/var/run/ldapi
It seems you're using a local OpenLDAP build.
So I'd try first: /usr/local/openldap/bin/ldapwhoami -H ldapi:/// -Y EXTERNAL -d 3
Ciao, Michael.
Michael,
Please excuse broken threading, your reply email got rejected cause
sender IP was not in SPF record of the domain, though now its ok.
Thanks for your feedback. I tried to use ldapwhoami, however it
returned the same error "ldap_sasl_interactive_bind_s: Local error (-2)".
Output with debug enabled:
[root@oldp4-dk-vm ~]# ldapwhoami -H ldapi:/// -Y EXTERNAL -d 3 ldap_url_parse_ext(ldapi:///) ldap_create ldap_url_parse_ext(ldapi:///??base) ldap_sasl_interactive_bind: user selected: EXTERNAL ldap_int_sasl_bind: EXTERNAL ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_path ldap_new_socket: 3 ldap_connect_to_path: Trying /usr/local/openldap/var/run/ldapi
It seems you're using a local OpenLDAP build.
So I'd try first: /usr/local/openldap/bin/ldapwhoami -H ldapi:/// -Y EXTERNAL -d 3
Ciao, Michael.
Michael,
I am using the openldap from ltb (ltb-project.org), which installs under /usr/local/openldap.
[root@oldp4-dk-vm openldap]# /usr/local/openldap/bin/ldapwhoami -H ldapi:/// -Y EXTERNAL -d 3 ldap_url_parse_ext(ldapi:///) ldap_create ldap_url_parse_ext(ldapi:///??base) ldap_sasl_interactive_bind: user selected: EXTERNAL ldap_int_sasl_bind: EXTERNAL ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_path ldap_new_socket: 3 ldap_connect_to_path: Trying /usr/local/openldap/var/run/ldapi ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_ndelay_on: 3 ldap_ndelay_off: 3 ldap_msgfree ldap_err2string ldap_sasl_interactive_bind_s: Local error (-2) ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 3 ldap_write: want=7, written=7 0000: 30 05 02 01 01 42 00 0....B. ldap_free_connection: actually freed [root@oldp4-dk-vm openldap]#
I noticed that in /usr/local/openldap/etc/openldap/ldap.conf I had SASL_NOCANON set to on (the file had been copied over from the RHEL7 openldap package's /etc/openldap/ldap.conf). After removing that line, SASL EXTERNAL over ldapi:/// works fine. Note that the LTB build reads its own ldap.conf under /usr/local/openldap/etc/openldap, not the system-wide /etc/openldap/ldap.conf, so that is the file to check.
[root@oldp4-dk-vm openldap]# /usr/local/openldap/bin/ldapwhoami -H ldapi:/// -Y EXTERNAL SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth [root@oldp4-dk-vm openldap]#
Thanks a lot for all your help.
Kenneth