Hi,
I want to force SSL on my OpenLDAP server (2.4.21-0ubuntu5.7, Ubuntu 10.04 LTS), but then the SASL authentication breaks.
I did this to enable tls-only:
# feed to ldapmodify
dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
But, then I can't use "-Y EXTERNAL" anymore, because it then demands a TLS connection. When I enable TLS (-ZZ) on tools like ldapmodify and use ldap://hostname/ and bind with my rootDN (admin user), it doesn't work (insufficient access (50)). I guess it needs the socket to know I'm root.
Inspecting all DBs with "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config", it appears the config DBs have an olcAccess rule like:
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
gid and uid = 0, so I guess it's the system's root account.
I tried adding an olcRootDN and olcRootPW to olcDatabase={0}config,cn=config so that I could modify the cn=config, but adding them gave an error: "<olcRootPW> can only be set when rootdn is under suffix". When I tried adding olcSuffix to "dc=domain,dc=tld", it said: "<olcSuffix> handler exited with 1". I also tried specifying an olcRootDN only (no olcRootPW) (like cn=admin,dc=domain,dc=tld) and then adding that user to "dc=domain,dc=tld", but it didn't work. Unfortunately, I don't remember what went wrong.
So, is there a way to enforce TLS but still use the SASL authentication?
Any help is appreciated.
Thanks in advance,
Wiebe Cazemier
On 12/31/12 15:57 +0100, Wiebe Cazemier wrote:
I want to force SSL on my OpenLDAP server (2.4.21-0ubuntu5.7, Ubuntu 10.04 LTS), but then the SASL authentication breaks.
I did this to enable tls-only:
# feed to ldapmodify
dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
But, then I can't use "-Y EXTERNAL" anymore, because it then demands a TLS connection. When I enable TLS (-ZZ) on tools like ldapmodify and use ldap://hostname/ and bind with my rootDN (admin user), it doesn't work (insufficient access (50)). I guess it needs the socket to know I'm root.
You can apply olcSecurity to a specific database as well (see man slapd-config). Configuring olcSecurity: tls=0 on olcDatabase={0}config,cn=config should have the intended behavior, if you only ever modify your config via ldapi:///.
Inspecting all DBs with "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config", it appears the config DBs have an olcAccess rule like:
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
Consider creating an authz-regexp to map:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
to your olcRootDN below. Your above ACL is not necessary in that case, since your root dn will bypass any ACL restrictions.
gid and uid = 0, so I guess it's the system's root account.
I tried adding an olcRootDN and olcRootPW to olcDatabase={0}config,cn=config so that I could modify the cn=config, but adding them gave an error: "<olcRootPW> can only be set when rootdn is under suffix". When I tried adding olcSuffix to "dc=domain,dc=tld", it said: "<olcSuffix> handler exited with 1". I also tried specifying an olcRootDN only (no olcRootPW) (like cn=admin,dc=domain,dc=tld) and then adding that user to "dc=domain,dc=tld", but it didn't work. Unfortunately, I don't remember what went wrong.
If you're performing EXTERNAL SASL authentication over ldapi:///, you won't need an olcRootPW, but you will need an authz-regexp.
I don't believe olcRootDN will need to exist underneath dc=domain,dc=tld in that case.
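The authz-regexp Dan describes, written out as LDIF for ldapmodify over ldapi:/// (an added example, not from this thread; the rootDN value cn=admin,dc=domain,dc=tld is assumed from Wiebe's message, and the config DB is assumed to have no olcRootDN yet):

```ldif
# 1) Give the config DB a rootDN. No olcRootPW is set, so the DN does not
#    have to sit under cn=config. Assumed value: the same admin DN that is
#    the rootDN of the data DB. Use "replace:" instead of "add:" if an
#    olcRootDN already exists here.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,dc=domain,dc=tld

# 2) Map the peer-credential identity slapd derives for the local root user
#    (uid 0 / gid 0 on the ldapi:/// socket) to that rootDN. The match side
#    is a regular expression, so the literal '+' must be escaped as '\+'.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=admin,dc=domain,dc=tld
```

After this, "ldapwhoami -Y EXTERNAL -H ldapi:///" run as root should print dn:cn=admin,dc=domain,dc=tld, and because that DN is the rootDN it bypasses the olcAccess rules of the database(s) it is rootDN for. Note the mapping changes the authorization DN everywhere, so any ACL that names the raw peercred DN (like the {0}config rule above) stops matching for root and is only redundant where root is now the rootDN.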
----- Original Message -----
From: "Dan White" dwhite@olp.net
To: "Wiebe Cazemier" wiebe@halfgaar.net
Cc: openldap-technical@openldap.org
Sent: Monday, 31 December, 2012 6:21:28 PM
Subject: Re: Forcing TLS, but keep working SASL authentication
So even if you set tls=0 on olcDatabase={0}config,cn=config, you need that authz-regexp? Because I just set tls=0, and "-Y EXTERNAL" over ldapi:/// is now complaining about requiring TLS again.
Unfortunately, I'm pretty new to LDAP, so I don't know how to define that authz-regexp. I do know what a regex is, of course, I just don't know what to tell the LDAP server...
----- Original Message -----
From: "Wiebe Cazemier" wiebe@halfgaar.net
To: "Dan White" dwhite@olp.net
Cc: openldap-technical@openldap.org
Sent: Friday, 4 January, 2013 1:22:23 PM
Subject: Re: Forcing TLS, but keep working SASL authentication
As an addendum, I just did this:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
And that seems to have the desired effect. I can still run commands like:
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
But trying to bind with "ldapsearch -xLLL -b ..." without SSL says: "TLS confidentiality required"