Hi team,
I am trying to set up the SASL/EXTERNAL bind mechanism.
I performed all the actions from our docs (Administration Guide).
First, I set up SSL/TLS on a clean instance:
1) Cert was created and imported
2) Trusted CA cert was imported too
3) cert8.db, key3.db, secmod.db were copied to /etc/openldap/certs/
4) Config was changed to accept SSL/TLS
5) Setup was tested and everything worked perfectly
Then a client certificate was created and approved by our CA.
openssl x509 -in client_ds.crt -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 16371655739931625967 (0xe333ce279b9c09ef)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CZ, ST=Moravia, L=Brno, O=Default Company Ltd, OU=Dev, CN=Simon
        Validity
            Not Before: Feb 12 13:51:50 2016 GMT
            Not After : Oct 21 13:51:50 2029 GMT
        Subject: C=CZ, L=Default City, O=example.com, CN=simon pichugin/emailAddress=spich...@redhat.com
After that, the certificate was imported into the "userCertificate" attribute of
our user (I've cut the attribute output):
# spichugin, People, example.com
dn: uid=spichugin,ou=People,dc=example,dc=com
mail: spich...@redhat.com
uid: spichugin
givenName: simon
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: pichugin
cn: simon pichugin
userPassword:: e1NTSEF9OVJhbUdER3prOE1JdENObnFJb3
userCertificate:: LS0tLS1CRUdJTiBDRVJUSUZJQ0FU
Next, /etc/dirsrv/slapd-stal/certmap.conf was modified with these contents:
certmap Example o=example.com
Example:DNComps
Example:FilterComps mail,cn
I also tried this:
certmap Example cn=simon pichugin
Example:DNComps
Example:FilterComps mail,cn
I have also added "olcTLSVerifyClient: demand" to
/etc/openldap/slapd.d/cn\=config.ldif
/etc/openldap/ldap.conf contains only "TLS_CACERTDIR /etc/openldap/certs/"; the
rest of the options are the defaults.
Then I tested the setup with this command:
[spichugi@rhel-ws ~]$ ldapsearch -H ldaps://rhel-ws.brq.redhat.com:636 -b "dc=example,dc=com" \
    -Y EXTERNAL -U "dn:uid=spichugin,ou=People,dc=example,dc=com" -w Secret123 -d 1
ldap_url_parse_ext(ldaps://rhel-ws.brq.redhat.com:636)
ldap_create
ldap_url_parse_ext(ldaps://rhel-ws.brq.redhat.com:636/??base)
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP rhel-ws.brq.redhat.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs/' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs/ prefix .
TLS: certificate [CN=rhel-ws.brq.redhat.com,OU=sdfsd,O=qwedasdf,L=VCrno,ST=Alabama,C=US] is valid
TLS certificate verification: subject: CN=rhel-ws.brq.redhat.com,OU=sdfsd,O=qwedasdf,L=VCrno,ST=Alabama,C=US, issuer: CN=Simon,OU=Dev,O=Default Company Ltd,L=Brno,ST=Moravia,C=CZ, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0
ldap_int_sasl_open: host=rhel-ws.brq.redhat.com
SASL/EXTERNAL authentication started
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
Please, if someone has an idea what could be wrong, share it. :)
Thanks,
Simon
--
389-devel mailing list
389-devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/389-devel@lists.fedoraproject.org
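As an added example (not code from the post above or from 389 Directory Server itself), the following Python script models how a certmap.conf section turns a client certificate's subject into the LDAP search the server would run to find the matching entry: the second field of the `certmap` line is compared against the certificate's issuer DN to pick the section, an absent `DNComps` line makes the subject DN itself the entry DN, an empty one searches the whole directory, and `FilterComps` attributes are ANDed into an equality filter. The certmap.conf text, subject and issuer are constructed from the values shown in the post; the mapping of the subject's emailAddress component to the `mail` attribute, the `(objectClass=*)` fallback when no FilterComps are given, and the order-insensitive issuer comparison are assumptions of this model, not documented 389 DS behaviour.

```python
"""Model of 389 DS certmap.conf DNComps/FilterComps/issuer handling.
Added example, not 389 DS code; see the assumptions marked below."""
import re

# Certificate subject attribute -> LDAP attribute used in the filter/DN.
# Assumption: 'mail' in FilterComps refers to the subject's emailAddress (E).
SUBJECT_TO_LDAP = {"emailaddress": "mail", "e": "mail"}

# Split an openssl-style DN on ', ' or '/' only where an 'attr=' follows,
# so values containing those characters are not broken apart.
_SEP = re.compile(r"\s*,\s*(?=[A-Za-z]+=)|/(?=[A-Za-z]+=)")


def parse_dn(text):
    """'C=CZ, L=Default City, CN=x/emailAddress=y' -> [('c','CZ'), ...]."""
    pairs = []
    for part in _SEP.split(text.strip()):
        if not part:
            continue
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def parse_certmap(text):
    """Parse certmap.conf lines into {name: {issuer, dncomps, filtercomps}}.
    dncomps is None when the directive is absent (entry DN = subject DN)
    and [] when present but empty (search the whole directory)."""
    sections = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            sections[name] = {"issuer": issuer, "dncomps": None, "filtercomps": []}
            continue
        name, _, rest = line.partition(":")
        directive, _, value = rest.partition(" ")
        comps = [c.strip().lower() for c in value.split(",") if c.strip()]
        if directive.lower() == "dncomps":
            sections[name]["dncomps"] = comps
        elif directive.lower() == "filtercomps":
            sections[name]["filtercomps"] = comps
    return sections


def select_section(sections, issuer_dn):
    """Pick the section whose issuer equals the certificate's issuer DN
    (assumption: compared case-insensitively, ignoring RDN order), else
    fall back to the 'default' section."""
    want = sorted(parse_dn(issuer_dn))
    for name, sec in sections.items():
        if name != "default" and sorted(parse_dn(sec["issuer"])) == want:
            return name
    return "default"


def build_search(section, subject_dn):
    """Return (base, filter) for the entry lookup implied by the section."""
    subject = parse_dn(subject_dn)
    dncomps = section["dncomps"]
    if dncomps is None:
        chosen = subject  # no DNComps line: the subject DN is the entry DN
    else:
        chosen = [p for p in subject if p[0] in dncomps]
    # Certificate DNs are written most-significant-first; LDAP DNs the reverse.
    base = ",".join(f"{SUBJECT_TO_LDAP.get(a, a)}={v}" for a, v in reversed(chosen))
    terms = []
    for comp in section["filtercomps"]:
        for attr, value in subject:
            if SUBJECT_TO_LDAP.get(attr, attr) == comp:
                terms.append(f"({comp}={value})")
    if not terms:
        flt = "(objectClass=*)"  # assumption: no FilterComps -> match anything
    elif len(terms) == 1:
        flt = terms[0]
    else:
        flt = "(&" + "".join(terms) + ")"
    return base, flt


# Constructed from the values shown in the post.
CERTMAP_CONF = """\
certmap default default
certmap Example o=example.com
Example:DNComps
Example:FilterComps mail,cn
"""
SUBJECT = "C=CZ, L=Default City, O=example.com, CN=simon pichugin/emailAddress=spich...@redhat.com"
ISSUER = "C=CZ, ST=Moravia, L=Brno, O=Default Company Ltd, OU=Dev, CN=Simon"


def demo():
    """Which section the posted certificate selects, and the search that the
    'Example' section would produce for it."""
    sections = parse_certmap(CERTMAP_CONF)
    name = select_section(sections, ISSUER)
    base, flt = build_search(sections["Example"], SUBJECT)
    return name, base, flt


if __name__ == "__main__":
    name, base, flt = demo()
    print("section selected by issuer DN:", name)
    print("search from 'Example': base=%r filter=%s" % (base, flt))
```

Running it with the posted values shows that `Example` would search the whole directory for `(&(mail=spich...@redhat.com)(cn=simon pichugin))`, while the certificate's issuer DN selects `default` rather than `Example`, because the second field of a `certmap` line is matched against the issuer, not the subject.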