Hello experts,
I set up an OpenLDAP server some time ago and am now setting up a newer server for TLS 1.3 support. I am using a fully patched CentOS 7 server with OpenLDAP 2.4.44 and am seeing 'invalid DN' when authenticating to the server from my Linux client. I will supply all the configuration and the tests I have done so far:
######################################## ldap.conf:
# # LDAP Defaults #
# See ldap.conf(5) for details # This file should be world readable but not world writable.
BASE dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net URI ldap://openldapsec.brm.acslab.wokyourdog.net
#SIZELIMIT 12 #TIMELIMIT 15 #DEREF never
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3 TLS_CACERTDIR /etc/openldap/certs TLS_CACERT /etc/openldap/certs/RootCA.pem TLSCACertificateFile /etc/openldap/certs/RootCA.pem TLSCertificateFile /etc/openldap/certs/Identity.pem TLSCertificateKeyFile /etc/openldap/certs/Identity.key TLSVerifyClient never
# Turning this off breaks GSSAPI used with krb5 when rdns = false SASL_NOCANON on
######################################## slapd.conf
# See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema
# Added for policy include /etc/openldap/schema/ppolicy.schema
# Allow LDAPv2 client connections. This is NOT the default. allow bind_v2
pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args
moduleload ppolicy.la
# The next three lines allow use of TLS for encrypting connections using a # dummy test certificate which you can generate by changing to # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on # slapd.pem so that the ldap user or group can read it. Your client software # may balk at self-signed certificates, however. TLSCACertificateFile /etc/openldap/certs/RootCA.pem TLSCertificateFile /etc/openldap/certs/Identity.pem TLSCertificateKeyFile /etc/openldap/certs/Identity.key
database bdb suffix "dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net" rootdn "cn=root,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net" rootpw {SSHA}C6RcppHr0rweEVCQW6pio6tnPCIHCGnt
# PPolicy Configuration overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net" ppolicy_use_lockout ppolicy_hash_cleartext
# The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap
# Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub
######################################## ldapsearch output:
[root@OpenLDAP_Server openldap]# ldapsearch -H ldap:// openldapsec.brm.acslab.wokyourdog.net -D "cn=root,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net" -w Siladmin123 -ZZ # extended LDIF # # LDAPv3 # base <dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net> (default) with scope subtree # filter: (objectclass=*) # requesting: ALL #
# openldapsec.brm.acslab.wokyourdog.net dn: dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net dc: openldapsec objectClass: top objectClass: domain
# people, openldapsec.brm.acslab.wokyourdog.net dn: ou=people,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net objectClass: top objectClass: organizationalUnit ou: people
# swadmin3, openldapsec.brm.acslab.wokyourdog.net dn: cn=swadmin3,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net objectClass: person objectClass: uidObject cn: swadmin3 sn: admin user uid: swadmin3 userPassword:: e1NTSEF9WDdRQ2xzallYUDUvWU9sZnJyc3ZWVXhnS0xkbXB2U1o=
# search result search: 3 result: 0 Success
# numResponses: 4 # numEntries: 3
######################################## ldapwhoami
[root@OpenLDAP_Server openldap]# ldapwhoami -vvv -h openldapsec.brm.acslab.wokyourdog.net -p 389 -D "cn=swadmin3,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net" -x -w Siladmin123 ldap_initialize( ldap://openldapsec.brm.acslab.wokyourdog.net:389 ) dn:cn=swadmin3,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net Result: Success (0)
######################################## client authentication failure logs
ber_dump: buf=0x7fe684117870 ptr=0x7fe684117870 end=0x7fe68411788d len=29 0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4 0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .1.1466.20037
ber_dump: buf=0x7fe684117870 ptr=0x7fe684117873 end=0x7fe68411788d len=26 0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1. 0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ber_dump: buf=0x7fe684115be0 ptr=0x7fe684115be0 end=0x7fe684115c23 len=67 0000: 02 01 02 60 3e 02 01 03 04 2c 73 77 61 64 6d 69 ...`>....,swadmi 0010: 6e 33 40 6f 70 65 6e 6c 64 61 70 73 65 63 2e 62 n3@openldapsec.b
0020: 72 6d 2e 62 73 6e 6c 61 62 2e 62 72 6f 61 64 63 rm.acslab.wokyou 0030: 6f 6d 2e 6e 65 74 80 0b 53 69 6c 61 64 6d 69 6e rdog.net..Siladmin 0040: 31 32 33 123
ber_dump: buf=0x7fe684115be0 ptr=0x7fe684115be3 end=0x7fe684115c23 len=64 0000: 60 3e 02 01 03 04 2c 73 77 61 64 6d 69 6e 33 40 `>....,swadmin3@
0010: 6f 70 65 6e 6c 64 61 70 73 65 63 2e 62 72 6d 2e openldapsec.brm. 0020: 62 73 6e 6c 61 62 2e 62 72 6f 61 64 63 6f 6d 2e acslab.wokyourdog. 0030: 6e 65 74 80 0b 53 69 6c 61 64 6d 69 6e 31 32 33 net..Siladmin123 ber_dump: buf=0x7fe684115be0 ptr=0x7fe684115c16 end=0x7fe684115c23 len=13 0000: 00 0b 53 69 6c 61 64 6d 69 6e 31 32 33 ..Siladmin123
5d10d347 conn=1048 op=1 do_bind: invalid dn ( swadmin3@openldapsec.brm.acslab.wokyourdog.net) 0000: 30 16 02 01 02 61 11 0a 01 22 04 00 04 0a 69 6e 0....a..."....in 0010: 76 61 6c 69 64 20 44 4e valid DN
ber_dump: buf=0x7fe6841171a0 ptr=0x7fe6841171a0 end=0x7fe6841171a5 len=5 0000: 02 01 03 42 00 ...B.
ber_dump: buf=0x7fe684107eb0 ptr=0x7fe684107eb0 end=0x7fe684107ecd len=29 0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4 0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .1.1466.20037
ber_dump: buf=0x7fe684107eb0 ptr=0x7fe684107eb3 end=0x7fe684107ecd len=26 0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1. 0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ber_dump: buf=0x7fe684002250 ptr=0x7fe684002250 end=0x7fe6840022ae len=94 0000: 02 01 02 60 59 02 01 03 04 47 63 6e 3d 73 77 61 ...`Y....Gcn=swa 0010: 64 6d 69 6e 33 2c 63 6e 3d 75 73 65 72 73 2c 64 dmin3,cn=users,d 0020: 63 3d 6f 70 65 6e 6c 64 61 70 73 65 63 2c 64 63 c=openldapsec,dc 0030: 3d 62 72 6d 2c 64 63 3d 62 73 6e 6c 61 62 2c 64 =brm,dc=acslab,d 0040: 63 3d 62 72 6f 61 64 63 6f 6d 2c 64 63 3d 6e 65 c=wokyourdog,dc=ne 0050: 74 80 0b 53 69 6c 61 64 6d 69 6e 31 32 33 t..Siladmin123
ber_dump: buf=0x7fe684002250 ptr=0x7fe684002253 end=0x7fe6840022ae len=91 0000: 60 59 02 01 03 04 47 63 6e 3d 73 77 61 64 6d 69 `Y....Gcn=swadmi 0010: 6e 33 2c 63 6e 3d 75 73 65 72 73 2c 64 63 3d 6f n3,cn=users,dc=o 0020: 70 65 6e 6c 64 61 70 73 65 63 2c 64 63 3d 62 72 penldapsec,dc=br 0030: 6d 2c 64 63 3d 62 73 6e 6c 61 62 2c 64 63 3d 62 m,dc=acslab,dc=w 0040: 72 6f 61 64 63 6f 6d 2c 64 63 3d 6e 65 74 80 0b kyourdog,dc=net.. 0050: 53 69 6c 61 64 6d 69 6e 31 32 33 Siladmin123
ber_dump: buf=0x7fe684002250 ptr=0x7fe6840022a1 end=0x7fe6840022ae len=13 0000: 00 0b 53 69 6c 61 64 6d 69 6e 31 32 33 ..Siladmin123
0000: 30 0c 02 01 02 61 07 0a 01 31 04 00 04 00 0....a...1....
ber_dump: buf=0x7fe684118dd0 ptr=0x7fe684118dd0 end=0x7fe684118dd5 len=5 0000: 02 01 03 42 00 ...B.
Please let me know if you can see my mis-configuration or if you have any questions about my setup.
Thanks, Chris
Le 24/06/2019 à 15:57, Chris K a écrit :
Hello experts,
Hello,
5d10d347 conn=1048 op=1 do_bind: invalid dn (swadmin3@openldapsec.brm.acslab.wokyourdog.net)
Your LDAP client is sending the invalid DN: the bind name in that log line is a plain `user@domain` string, not an `attribute=value,...` distinguished name, so slapd rejects it before it even looks the user up. The issue is therefore not on the server side; check your LDAP client configuration.
openldap-technical@openldap.org