Hi all,

I'm using openldap/slapd as an LDAP server (using libsasl2-2 & related modules 
for SASL auth) on Ubuntu and trying to get a client to authenticate/bind using 
an external/client certificate.

I'm using two clients - one is a native C client using the Windows winldap native 
library and one is based on a different client LDAP library (i.e. not using 
winldap or openldap native libraries). The client based on winldap works fine, 
but the other one does not.

This is what I can see in the slapd logs for the two cases:

- the one which works fine via winldap
5fe876d4 conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
5fe876d4 >>> dnPrettyNormal: <>
5fe876d4 <<< dnPrettyNormal: <>, <>
5fe876d4 do_bind: dn () SASL mech EXTERNAL
5fe876d4 ==>slap_sasl2dn: converting SASL name 
[email protected],cn=example,ou=example,o=example,st=anystate,c=us to a DN
5fe876d4 ==> rewrite_context_apply [depth=1] 
string='[email protected],cn=example,ou=example,o=example,st=anystate,c=us'
5fe876d4 ==> rewrite_rule_apply 
rule='[email protected],cn=example,ou=example,o=example,st=anystate,c=us' 
string='[email protected],cn=example,ou=example,o=example,st=anystate,c=us' 
[1 pass(es)]
5fe876d4 ==> rewrite_context_apply [depth=1] res={0,'cn=test,dc=example,dc=com'}
5fe876d4 slap_parseURI: parsing cn=test,dc=example,dc=com
ldap_url_parse_ext(cn=test,dc=example,dc=com)
5fe876d4 >>> dnNormalize: <cn=test,dc=example,dc=com>
5fe876d4 <<< dnNormalize: <cn=test,dc=example,dc=com>
5fe876d4 <==slap_sasl2dn: Converted SASL name to cn=test,dc=example,dc=com
5fe876d4 slap_sasl_getdn: dn:id converted to cn=test,dc=example,dc=com
5fe876d4 SASL Authorize [conn=1000]:  proxy authorization allowed authzDN=""
5fe876d4 send_ldap_sasl: err=0 len=-1
5fe876d4 do_bind: SASL/EXTERNAL bind: dn="cn=test,dc=example,dc=com" sasl_ssf=0
5fe876d4 send_ldap_response: msgid=1 tag=97 err=0

- the one which doesn't work
5fe87b50 conn=1001 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
5fe87b50 >>> dnPrettyNormal: <>
5fe87b50 <<< dnPrettyNormal: <>, <>
5fe87b50 do_bind: dn () SASL mech EXTERNAL
5fe87b50 send_ldap_sasl: err=14 len=0
5fe87b50 send_ldap_response: msgid=1 tag=97 err=14

As can be seen, the second one stops at "do_bind: dn () SASL mech EXTERNAL" and 
slapd just returns the bind-in-progress result code. 
Of course, the same client certificate is used in both cases. The fact that one 
client works fine suggests that the slapd configuration is correct.

Any idea what is wrong? Can I enable any additional logs (sasl one?) to be able 
to see more?

Thanks,
Dumitru
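Added example, not part of Dumitru's message: the two traces differ only in the ber_scanf lines, where the working bind has a third `(m)` field inside the SASL choice and the failing one does not. Per RFC 4511 that field is the OPTIONAL `credentials OCTET STRING` of `SaslCredentials`; this Python encodes a SASL EXTERNAL BindRequest both with and without it and decodes the result, so the two PDU shapes can be compared byte for byte (message id and mechanism are assumed values).

```python
from typing import Optional

# RFC 4511: BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
#   authentication CHOICE { simple [0] OCTET STRING, sasl [3] SaslCredentials } }
# SaslCredentials ::= SEQUENCE { mechanism LDAPString, credentials OCTET STRING OPTIONAL }

def ber_len(n: int) -> bytes:
    """Encode a BER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def sasl_bind_request(msgid: int, mech: str, creds: Optional[bytes]) -> bytes:
    """LDAPMessage carrying a SASL BindRequest; creds=None omits the OPTIONAL field,
    creds=b"" sends an empty credentials octet string (the '(m)' slapd scans)."""
    sasl = tlv(0x04, mech.encode())                  # mechanism LDAPString
    if creds is not None:
        sasl += tlv(0x04, creds)                     # credentials OCTET STRING
    bind = tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0xA3, sasl)  # version 3, empty name, [3] sasl
    return tlv(0x30, tlv(0x02, bytes([msgid])) + tlv(0x60, bind))  # [APPLICATION 0]

def parse_sasl_bind(pdu: bytes) -> dict:
    """Minimal decoder: report mechanism and whether the credentials field was sent."""
    def read(buf: bytes, pos: int):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                                 # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        return tag, buf[pos:pos + n], pos + n
    _, msg, _ = read(pdu, 0)                         # outer LDAPMessage SEQUENCE
    _, _, p = read(msg, 0)                           # messageID
    tag, bind, _ = read(msg, p)
    assert tag == 0x60, "not a BindRequest"
    _, ver, p = read(bind, 0)
    _, name, p = read(bind, p)
    tag, sasl, _ = read(bind, p)
    assert tag == 0xA3, "not the sasl [3] authentication choice"
    _, mech, p = read(sasl, 0)
    return {"version": ver[0], "name": name.decode(), "mechanism": mech.decode(),
            "has_credentials": p < len(sasl)}       # anything after mechanism is credentials

if __name__ == "__main__":
    for creds in (b"", None):                        # constructed: both request shapes
        pdu = sasl_bind_request(1, "EXTERNAL", creds)
        print(pdu.hex(), parse_sasl_bind(pdu))
```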
