Sorry if this is long and naive, I'm making my way with OpenLDAP.
I have this annoying problem of local access over ldapi:/// of a configured
mdb database using its rootDN.
Some details:
(I typically use ldapvi to access/modify/edit config as I'm an old wolf with vi
hard-wired in my brain!)
(Same could be done using native OpenLDAP utilities ldapadd/search/delete/etc:
just replace the ldapvi '-h' option with '-H' to specify the
protocol/host/port).
Binding using EXTERNAL mech over local ldapi:/// works correctly for 'cn=config'.
For example, here I made a mod to olcLogLevel for 'cn=config':
~# ldapvi -Y EXTERNAL -h ldapi:/// -b 'cn=config'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
24 entries read
add: 0, rename: 0, modify: 1, delete: 0
Action? [yYqQvVebB*rsf+?] y
Done.
Server logs for slapd show the binding with ssf=71:
Sep 6 11:40:52 slapd[677]: conn=48667 fd=17 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Sep 6 11:40:52 slapd[677]: conn=48667 op=0 BIND dn="" method=163
Sep 6 11:40:52 slapd[677]: conn=48667 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Sep 6 11:40:52 slapd[677]: conn=48667 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
However for the configured mdb database 'olcDatabase={1}mdb,cn=config' I have set
olcSecurity: tls=1
to force binding with StartTLS. Here is the relevant config piece for it
('--out' makes ldapvi behave like ldapsearch):
~# ldapvi --out -Y EXTERNAL -h ldapi:/// -b 'olcDatabase={1}mdb,cn=config'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXX
olcSecurity: tls=1
...
However this setting prohibits me from binding to it using ldapi:/// with
EXTERNAL mech with its rootDN 'cn=admin,dc=example,dc=com' as I then get the
message:
~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -D 'cn=admin,dc=example,dc=com' -b 'dc=example,dc=com'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
Confidentiality required (13)
Additional information: TLS confidentiality required
I can however do a simple bind over StartTLS with the rootDN of the database
either over localhost or a remote client:
~# ldapsearch -LLL -Z -x -w xxxxxxxx -H ldap://localhost -D 'cn=admin,dc=example,dc=com' -b 'dc=example,dc=com'
slapd logs show:
Sep 6 11:54:40 slapd[677]: conn=48699 fd=17 ACCEPT from IP=127.0.0.1:53542 (IP=0.0.0.0:389)
Sep 6 11:54:40 slapd[677]: conn=48699 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 6 11:54:40 slapd[677]: conn=48699 op=0 STARTTLS
Sep 6 11:54:40 slapd[677]: conn=48699 op=0 RESULT oid= err=0 text=
Sep 6 11:54:40 slapd[677]: conn=48699 fd=17 TLS established tls_ssf=256 ssf=256
Sep 6 11:54:40 slapd[677]: conn=48699 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
Sep 6 11:54:40 slapd[677]: conn=48699 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
So ssf=256...
I guess I need to modify either 'olcSecurity: tls=1' in the database config or
add/insert the proper value for 'olcLocalSSF=' in the cn=config. What value
should I use in order to still force StartTLS over simple binding and allow
read/write/modify local access on the ldapi:/// listener?
Regards!
jf
--On Thursday, September 06, 2018 1:40 PM -0400 Jean-Francois Malouin
<Jean-Francois.Malouin(a)bic.mni.mcgill.ca> wrote:
> I guess I need to modify either 'olcSecurity: tls=1' in the database
> config or add/insert the proper value for 'olcLocalSSF=' in the
> cn=config. What value should I use in order to still force StartTLS over
> simple binding and allow read/write/modify local access on the ldapi:///
> listener?
Hello,
Just set:
olcSecurity: ssf=1
that will allow either to work as *some* SSF level is then required.
As long as you have tls=X, then it will always require TLS, regardless of
what the LocalSSF setting is configured to be.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
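To see why 'tls=1' rejects the ldapi:/// EXTERNAL bind while 'ssf=1' accepts it (and still rejects a plaintext simple bind), here is a small model of the check, written for this thread. It is an added example, not code from the thread or from OpenLDAP, and it assumes a simplified version of slapd's rule: the connection's effective ssf is the strongest of its TLS strength, SASL strength and (for ldapi:/// only) the local SSF, while the 'tls=' factor looks only at the TLS strength. It models only the ssf and tls factors of olcSecurity; the local SSF default of 71 and the TLS ssf of 256 are the values the logs above show.

```python
"""Toy model of how slapd applies an olcSecurity directive to a bind.

Added example for this thread; not OpenLDAP's code. Models only the
'ssf=' and 'tls=' factors of olcSecurity (assumption: other factors such
as sasl= or update_ssf= are left out).
"""
from dataclasses import dataclass

LDAP_CONFIDENTIALITY_REQUIRED = 13  # result code seen in the thread


@dataclass
class Connection:
    """Strength factors tracked for one connection (constructed inputs)."""
    transport: str          # "ldapi" or "ldap"
    tls_ssf: int = 0        # set once StartTLS completes
    sasl_ssf: int = 0       # set by a SASL mechanism with a security layer
    local_ssf: int = 71     # olcLocalSSF default, credited to ldapi:/// only

    @property
    def ssf(self) -> int:
        """Effective ssf: the strongest protection the connection has
        (assumption: slapd takes the maximum of the three)."""
        local = self.local_ssf if self.transport == "ldapi" else 0
        return max(self.tls_ssf, self.sasl_ssf, local)


def parse_security(directive: str) -> dict:
    """Parse 'olcSecurity: ssf=1 tls=256' into {factor: minimum strength}."""
    policy = {}
    for token in directive.replace("olcSecurity:", "").split():
        key, sep, value = token.partition("=")
        if sep != "=" or key not in ("ssf", "tls") or not value.isdigit():
            raise ValueError(f"unsupported olcSecurity factor: {token!r}")
        policy[key] = int(value)
    return policy


def check_security(policy: dict, conn: Connection):
    """Return (allowed, error_text) for a bind attempted on conn.

    'ssf=' is compared against the effective ssf, 'tls=' only against
    the TLS ssf, so a 'tls=' minimum can never be met by the local SSF.
    """
    checks = (
        ("ssf", conn.ssf, "confidentiality required"),
        ("tls", conn.tls_ssf, "TLS confidentiality required"),
    )
    for key, strength, text in checks:
        if strength < policy.get(key, 0):
            return False, f"Confidentiality required ({LDAP_CONFIDENTIALITY_REQUIRED}): {text}"
    return True, ""


# The three client situations from the thread (constructed):
LDAPI = Connection("ldapi")                 # -Y EXTERNAL -H ldapi:///
STARTTLS = Connection("ldap", tls_ssf=256)  # -Z -x -H ldap://localhost
PLAIN = Connection("ldap")                  # -x -H ldap://localhost, no -Z


def compare_policies() -> dict:
    """Evaluate the original 'tls=1' and the suggested 'ssf=1' against each client."""
    clients = {"ldapi": LDAPI, "starttls": STARTTLS, "plain": PLAIN}
    results = {}
    for name in ("tls=1", "ssf=1"):
        policy = parse_security(f"olcSecurity: {name}")
        results[name] = {label: check_security(policy, c)[0] for label, c in clients.items()}
    return results


if __name__ == "__main__":
    for name, outcome in compare_policies().items():
        print(f"olcSecurity: {name}")
        for label, ok in outcome.items():
            print(f"  {label:9s} -> {'allowed' if ok else 'rejected'}")
```

Under 'tls=1' the ldapi:/// client is rejected with "TLS confidentiality required" because its TLS ssf is 0 even though its effective ssf is 71; under 'ssf=1' both the ldapi:/// client (ssf 71) and the StartTLS client (ssf 256) pass, while the plaintext ldap:// client (ssf 0) is still rejected. Changing the directive on a live server is a replace of olcSecurity on 'olcDatabase={1}mdb,cn=config' over the ldapi:/// listener, the same path shown working for cn=config above.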
Hi,
* Quanah Gibson-Mount <quanah(a)symas.com> [20180906 14:36]:
> --On Thursday, September 06, 2018 1:40 PM -0400 Jean-Francois
> Malouin <Jean-Francois.Malouin(a)bic.mni.mcgill.ca> wrote:
> > I guess I need to modify either 'olcSecurity: tls=1' in the database
> > config or add/insert the proper value for 'olcLocalSSF=' in the
> > cn=config. What value should I use in order to still force StartTLS over
> > simple binding and allow read/write/modify local access on the ldapi:///
> > listener.
> Hello,
> Just set:
> olcSecurity: ssf=1
> that will allow either to work as *some* SSF level is then required.
> As long as you have tls=X, then it will always require TLS,
> regardless of what the LocalSSF setting is configured to be.
Thank you for the pointer!
jf
> --Quanah
> --
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>