Hello list,

Using openldap 2.4.39 on Centos 7, I've been trying to set up a metadirectory 
which proxies "my" current AD server, "my" future AD server, and my FreeIPA 
server (note: I only have control over the FreeIPA server). I have configured 
idassert-bind with my AD credentials so web apps can search for users. I want 
binds against my proxy as users in one of the proxied databases to work (for 
authentication). Anonymous binds to my proxy are working fine:

ldapsearch -x -H ldap://localhost \
    -b ou=ds.fs.fed.us,ou=users,ou=remapped,dc=usfs-i2,dc=umt,dc=edu \
    '(uid=bnordgren)'

What is not working fine is providing credentials via the client, and the 
breaking point is TLS between my proxy and AD. Specifically, wireshark tells me 
there is an Encrypted Alert #21, which is a decryption error. For instance, 
this:

ldapsearch -x -H ldap://localhost:390/ \
    -b ou=users,ou=remapped,dc=usfs-i2,dc=umt,dc=edu \
    -D cn=bnordgren,ou=RMRS,ou=RESEARCH,ou=ds.fs.fed.us,ou=users,ou=remapped,dc=usfs-i2,dc=umt,dc=edu \
    -W '(uid=bnordgren)'

Results in:
...
Frame 20: 91 bytes on wire (728 bits), 91 bytes captured (728 bits) on 
interface 0
Ethernet II, Src: CadmusCo_99:90:db (08:00:27:99:90:db), Dst: RealtekU_12:35:02 
(52:54:00:12:35:02)
Internet Protocol Version 4, Src: 10.0.2.15 (10.0.2.15), Dst: 166.7.3.102 
(166.7.3.102)
Transmission Control Protocol, Src Port: 37058 (37058), Dst Port: ldap (389), 
Seq: 394, Ack: 5716, Len: 37
Secure Sockets Layer
    TLSv1 Record Layer: Encrypted Alert
        Content Type: Alert (21)
        Version: TLS 1.0 (0x0301)
        Length: 32
        Alert Message: Encrypted Alert

Where 166.7.3.102 is AD, and 10.0.2.15 is my proxy. This failure is reported by 
the client as "ldap_bind: Server is unavailable (52)". Once this failure 
occurs, anonymous binds fail with "ldap_bind: Invalid DN Syntax (34)". To 
fix things, I need to restart my proxy server. The relevant portion of my proxy 
config file is:

database meta
suffix ou=users,ou=remapped,dc=usfs-i2,dc=umt,dc=edu
uri ldap://166.7.3.102/ou=ds.fs.fed.us,ou=users,ou=remapped,dc=usfs-i2,dc=umt,dc=edu

idle-timeout 600
tls ldaps
idassert-authzFrom dn.regex:.*
idassert-bind bindmethod=simple
    binddn=cn=bnordgren,ou=RMRS,ou=RESEARCH,ou=ENDUSERS,ou=_FOREST_SERVICE,dc=ds,dc=fs,dc=fed,dc=us
    credentials=secret
    mode=none
    tls_reqcert=never
    flags=override

suffixmassage "ou=ds.fs.fed.us,ou=users,ou=remapped,dc=usfs-i2,dc=umt,dc=edu"
    "OU=ENDUSERS,OU=_FOREST_SERVICE,DC=ds,DC=fs,DC=fed,DC=us"

Wireshark confirms that in spite of my efforts to turn TLS off, TLS is used 
successfully for the anonymous binds. Yet TLS fails for the case where 
credentials are provided by the client. And once it's failed once, the proxy is 
broken until restart. What is different between how the proxy uses TLS when it 
is id-asserting and when it isn't?

I'd really appreciate your advice on this.

Thanks,
Bryce