What do you want to achieve? Do you want to do client authentication via a certificate? You have to provide configuration info in ldap.conf or .ldaprc or environment variables, so that the OpenLDAP libs built with NSS can access the client certificate; it has to be in an NSS database.

With env it is something like this:

export LDAPTLS_CERT=Client-Cert
export LDAPTLS_KEY=/etc/dirsrv/slapd-EXAMPLE.COM/pwdfile.txt
export LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-EXAMPLE.COM

LDAPTLS_CERT is the nickname of a certificate in the certificate database
LDAPTLS_KEY is a file containing the password for the key database

In a config file, omit the "LDAP" part of the option name.

And are you running your search against a 389 server? I think the file /etc/openldap/slapd.d/cn\=config.ldif is only relevant for the OpenLDAP server.


On 02/15/2016 05:12 PM, Simon Pichugin wrote:
Hi team,

I am trying to set up SASL/EXTERNAL binding mechanism.
I performed all actions from our docs (Administration Guide).

First, I've set up SSL/TLS on the clean instance:
1) Cert was created and imported
2) Trusted CA cert was imported too
3) cert8.db, key3.db, secmod.db were copied to /etc/openldap/certs/
4) Config was changed to accept SSL/TLS
5) Setup was tested and everything worked perfectly

Then a client certificate was created and approved by our CA.

openssl x509 -in client_ds.crt -text
         Version: 1 (0x0)
         Serial Number: 16371655739931625967 (0xe333ce279b9c09ef)
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=CZ, ST=Moravia, L=Brno, O=Default Company Ltd, OU=Dev, 
             Not Before: Feb 12 13:51:50 2016 GMT
             Not After : Oct 21 13:51:50 2029 GMT
         Subject: C=CZ, L=Default City, O=example.com, CN=simon 

After that, the certificate was imported into the "userCertificate" attr of
our user (I've cut the attr output):

# spichugin, People, example.com
dn: uid=spichugin,ou=People,dc=example,dc=com
mail: spich...@redhat.com
uid: spichugin
givenName: simon
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: pichugin
cn: simon pichugin
userPassword:: e1NTSEF9OVJhbUdER3prOE1JdENObnFJb3
userCertificate:: LS0tLS1CRUdJTiBDRVJUSUZJQ0FU
Next, /etc/dirsrv/slapd-stal/certmap.conf was modified with these contents:
certmap Example o=example.com
Example:FilterComps mail,cn
Also tried with this:
certmap Example cn=simon pichugin
Example:FilterComps mail,cn

Also I have added "olcTLSVerifyClient: demand" to 

/etc/openldap/ldap.conf contains only "TLS_CACERTDIR /etc/openldap/certs/"; the
rest of the options are at their defaults.

Then I tested the setup with this command:

[spichugi@rhel-ws ~]$ ldapsearch -H ldaps://rhel-ws.brq.redhat.com:636 -b 
"dc=example,dc=com" \
-Y EXTERNAL -U "dn:uid=spichugin,ou=People,dc=example,dc=com" -w Secret123 -d 1
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_connect_to_host: TCP rhel-ws.brq.redhat.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs/' tokenDescription='ldap(0)' 
certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs/ prefix .
TLS: certificate 
[CN=rhel-ws.brq.redhat.com,OU=sdfsd,O=qwedasdf,L=VCrno,ST=Alabama,C=US] is valid
TLS certificate verification: subject: 
CN=rhel-ws.brq.redhat.com,OU=sdfsd,O=qwedasdf,L=VCrno,ST=Alabama,C=US, issuer: 
CN=Simon,OU=Dev,O=Default Company Ltd,L=Brno,ST=Moravia,C=CZ, cipher: AES-256, 
security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, 
cache misses: 0, cache not reusable: 0
ldap_int_sasl_open: host=rhel-ws.brq.redhat.com
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
         additional info: SASL(-4): no mechanism available:
ldap_free_connection 1 1
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

Please, if someone has an idea what can be wrong, share it. :)

389-devel mailing list