Bug#861212: the certificates file for the LDAP server that causes this bug

2017-05-05 Thread Matthew B. Weatherford


This is the large CA-bundle.crt file that, when configured as the 
certificate bundle for the LDAP server, causes ldap-utils to fail with 
tls_read want/got mismatches early in the negotiation.


https://csde.washington.edu/~mbw/hide/ca-bundle.crt

I'll leave this link up for at least 1 year

Matt



Bug#861838: About the LDAP *server* we are connecting to....

2017-05-04 Thread Matthew B. Weatherford


The LDAP server we are connecting to is openldap 2.4.40 and sasl 
2.1.26 provided by CentOS7.


All the centos 7 clients work perfectly connecting to it.



Bug#861838: more information

2017-05-04 Thread Matthew B. Weatherford

ldapsearch and ldapwhoami return "Can't contact LDAP server (-1)".
At a higher debug level (-d2), it looks like there is a tls_read want/got 
mismatch.

Debug output below.

This is also broken in Debian 8, but the same commands work properly in 
Debian 7, and the tls_read want/got mismatch does not occur on Debian 7.



The key piece here, no matter whether I use password auth or CERT auth 
on debian 8/9 is that I always see an early debug (-d2 flag) message 
like this:


   tls_read: want=16384, got=14475

So there is a mismatch in the tls_read. I'll paste the whole debug output 
after the fold.


On Debian 7 there is no such mismatch in the debug output and everything 
works.


Should this be reported as a broken-SASL bug instead? nslcd and sssd 
are also non-functional.


Matt



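A decoder for what those tls_read lines refer to, added here as an example that is not part of the thread or of OpenLDAP: the five record-header bytes and the first 96 bytes of the record behind them are copied from the ldapsearch -d2 trace Matt posted, and the functions show that want=16384 is exactly the body length that record header announced (0x4000, the largest record TLS allows) while got=14475 is a partial read of it. The same bytes also show what the ServerHello in that record selected; all function names are chosen here.

```python
import struct

# Sample input copied from the ldapsearch -d2 trace posted in this thread: the
# 5-byte record header tls_read fetched first, then the first 96 bytes of the
# 16384-byte record that followed it (constructed sample for this example).
RECORD_HEADER = bytes.fromhex("16 03 03 40 00")
RECORD_START = bytes.fromhex(
    "02 00 00 53 03 03 41 2d 92 aa 79 c5 6a 80 42 8c"
    "f4 e2 60 75 bc 4f 01 a8 4f 6d 7c 32 27 08 ed 70"
    "45 92 e6 4b 40 d9 20 34 85 bd 62 41 05 e5 81 c7"
    "a1 36 b4 6d bf 20 01 c8 49 70 40 0d c2 e7 19 23"
    "88 4f d4 57 0a 6d a8 c0 30 00 00 0b ff 01 00 01"
    "00 00 0b 00 02 01 00 0b 00 15 57 00 15 54 00 05")
CONTENT_TYPES = {0x15: "alert", 0x16: "handshake", 0x17: "application_data"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate"}
CIPHER_SUITES = {0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
EXTENSIONS = {0xFF01: "renegotiation_info", 0x000B: "ec_point_formats"}

def parse_record_header(hdr):
    """TLS record header: content type, version, and the body length libldap then asks for."""
    ctype, major, minor, length = struct.unpack("!BBBH", hdr[:5])
    return {"type": CONTENT_TYPES.get(ctype, ctype),
            "version": (major, minor), "length": length}

def classify_read(hdr, want, got):
    """Relate a 'tls_read: want=W, got=G' line to the record header read before it."""
    length = parse_record_header(hdr)["length"]
    return {"want_is_record_length": want == length,
            "short_read": got < want, "bytes_outstanding": max(want - got, 0)}

def parse_server_hello(data):
    """Decode the ServerHello at the start of a record body; peek at the next message too."""
    htype, hlen = data[0], int.from_bytes(data[1:4], "big")
    if htype != 2: raise ValueError("record does not start with a ServerHello")
    body = data[4:4 + hlen]
    pos = 2 + 32                                  # legacy_version + 32-byte random
    sid_len = body[pos]; pos += 1 + sid_len       # skip session_id
    suite = int.from_bytes(body[pos:pos + 2], "big")
    compression = body[pos + 2]
    ext_len = int.from_bytes(body[pos + 3:pos + 5], "big")
    pos, end, exts = pos + 5, pos + 5 + ext_len, []
    while pos < end:                              # extension: type, length, data
        exts.append(EXTENSIONS.get(int.from_bytes(body[pos:pos + 2], "big")))
        pos += 4 + int.from_bytes(body[pos + 2:pos + 4], "big")
    nxt = 4 + hlen                                # next handshake msg, same record
    return {"version": tuple(body[:2]), "session_id_len": sid_len,
            "cipher_suite": CIPHER_SUITES.get(suite, suite), "compression": compression,
            "extensions": exts, "next_message": HANDSHAKE_TYPES.get(data[nxt], data[nxt]),
            "next_length": int.from_bytes(data[nxt + 1:nxt + 4], "big")}
```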

Bug#861212: nslcd: certificate authentication fails with Unknown authentication method: SASL(-4)

2017-05-02 Thread Matthew B. Weatherford

Arthur,

Thanks for the tips

I put several hours into this problem today and am still stumped.

Now I am simply trying to connect to our university's openLDAP server 
with PASSWORD auth, and that fails.
It fails on Debian 8 and Debian 9 but works on a colleague's Debian 7 
Raspberry Pi.


Here is a diff of the two debug outputs from ldapsearch when providing 
my admin password: one for Debian 8 and one for Raspbian (deb7)


http://www.mergely.com/DDFOIIQR/



I also was able to find a Debian 9 tool to dump the cipher suites that 
the LDI server allows, but haven't figured out how to tell what the 
Debian 8/9 clients are using... but if I can't even password auth then 
something is really broken here.



root@ldi-deb9-test:~/UW-LDI# gnutls-cli-debug -V --app-proto ldap -p 389 ldi.s.uw.edu

GnuTLS debug client 3.5.8
Checking ldi.s.uw.edu:389
  for SSL 3.0 (RFC6101) support... no
  whether we need to disable TLS 1.2... no
  whether we need to disable TLS 1.1... no
  whether we need to disable TLS 1.0... no
  whether %NO_EXTENSIONS is required... no
  whether %COMPAT is required... no
  for TLS 1.0 (RFC2246) support... yes
  for TLS 1.1 (RFC4346) support... yes
  for TLS 1.2 (RFC5246) support... yes
  fallback from TLS 1.6 to... TLS1.2
  for inappropriate fallback (RFC7507) support... yes
  for certificate chain order... sorted
  for trusted CAs...
  for safe renegotiation (RFC5746) support... yes
  for encrypt-then-MAC (RFC7366) support... no
  for ext master secret (RFC7627) support... no
  for heartbeat (RFC6520) support... no
  for version rollback bug in RSA PMS... dunno
  for version rollback bug in Client Hello... no
  whether the server ignores the RSA PMS version... yes
  whether small records (512 bytes) are tolerated on handshake... yes
  whether cipher suites not in SSL 3.0 spec are accepted... yes
  whether a bogus TLS record version in the client hello is accepted... yes
  whether the server understands TLS closure alerts... partially
  whether the server supports session resumption... no
  for anonymous authentication support... no
  for ephemeral Diffie-Hellman support... yes
  ephemeral Diffie-Hellman group info... saved in debug-dh.out
  for ephemeral EC Diffie-Hellman support... yes
  for curve SECP256r1 (RFC4492)... yes
  for curve SECP384r1 (RFC4492)... no
  for curve SECP521r1 (RFC4492)... no
  for curve X25519 (draft-ietf-tls-rfc4492bis-07)... no
  for AES-128-GCM cipher (RFC5288) support... yes
  for AES-128-CCM cipher (RFC6655) support... no
  for AES-128-CCM-8 cipher (RFC6655) support... no
  for AES-128-CBC cipher (RFC3268) support... yes
  for CAMELLIA-128-GCM cipher (RFC6367) support... no
  for CAMELLIA-128-CBC cipher (RFC5932) support... no
  for 3DES-CBC cipher (RFC2246) support... yes
  for ARCFOUR 128 cipher (RFC2246) support... yes
  for CHACHA20-POLY1305 cipher (RFC7905) support... no
  for MD5 MAC support... yes
  for SHA1 MAC support... yes
  for SHA256 MAC support... yes
  for ZLIB compression support... no
  for max record size (RFC6066) support... no
  for OCSP status response (RFC6066) support... no
  for OpenPGP authentication (RFC6091) support... no
root@ldi-deb9-test:~/UW-LDI# 


Matt



Bug#861212: nslcd: certificate authentication fails with Unknown authentication method: SASL(-4)

2017-04-26 Thread Matthew B. Weatherford

one other thought here

I generated the certificate signing request (CSR) for the certs using 
openssl like this:


openssl req -new -nodes -newkey rsa:4096 -keyout hostname.key -out hostname.csr


I thought I read somewhere that openssl was no longer recommended for 
debian certs and we are to use gnutils or something now?



And I don't have these certs in the "Debian Standard" cert locations - 
they are instead inside of a directory I created called: /etc/ssl/ldi/





On 4/26/2017 2:08 AM, Arthur de Jong wrote:

On Tue, 2017-04-25 at 16:53 -0700, Matt Weatherford wrote:

Debian 7 install works fine with certificate auth.
Debian 9 install with same config files appears to not work and
throws these errors:

Apr 25 16:41:08 nori nslcd[1376]: [52255a]  failed to bind to LDAP server ldap://ldi.s.uw.edu: Unknown authentication method: SASL(-4): no mechanism available:
Apr 25 16:41:08 nori nslcd[1376]: [52255a]  no available LDAP server found: Unknown authentication method: Bad file descriptor
Apr 25 16:41:13 nori nslcd[1376]: [9cf92e]  no available LDAP server found: Server is unavailable: Bad file descriptor

Does running nslcd in debug mode provide more information?


contents of /etc/nslcd.conf:

uri ldap://ldi.s.uw.edu
ssl start_tls

tls_cacertfile  /etc/ssl/ldi/InCommonCA.crt
tls_cert        /etc/ssl/ldi/ldi-client.crt
tls_key         /etc/ssl/ldi/ldi-client.key

sasl_mech   EXTERNAL

So the client-side certificate is used for authentication and that is
where it appears to fail.

Can you make the connection using the ldapsearch command-line tool? The
nslcd daemon does not do any TLS handling itself and only passes
configuration options to libldap but there are differences between TLS
libraries used.

Kind regards,
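One way to follow the suggestion above and reproduce the bind outside nslcd, added here as an example that is not part of the thread or of nss-pam-ldapd: it reads the nslcd.conf keys shown in the quoted configuration and builds the equivalent ldapwhoami invocation (StartTLS, SASL EXTERNAL, the libldap -d trace), passing the certificate paths through the LDAPTLS_* environment variables that ldap.conf(5) documents. The key mapping covers only the keys in that configuration, and the function names are chosen here.

```python
import os
import shlex
import shutil
import subprocess
# Constructed sample input: the nslcd.conf excerpt posted in this thread.
SAMPLE_NSLCD_CONF = """\
uri ldap://ldi.s.uw.edu
ssl start_tls
tls_cacertfile  /etc/ssl/ldi/InCommonCA.crt
tls_cert        /etc/ssl/ldi/ldi-client.crt
tls_key         /etc/ssl/ldi/ldi-client.key
sasl_mech   EXTERNAL
"""
# nslcd hands these to libldap; the LDAPTLS_* variables documented in
# ldap.conf(5) set the same options for one process without editing ldap.conf.
TLS_ENV = {"tls_cacertfile": "LDAPTLS_CACERT", "tls_cert": "LDAPTLS_CERT",
           "tls_key": "LDAPTLS_KEY", "tls_reqcert": "LDAPTLS_REQCERT"}

def parse_nslcd_conf(text):
    """Return {key: value} from 'key value' lines; comments and blanks skipped."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def ldapwhoami_command(conf, debug_level=2):
    """Build (env_overrides, argv) performing the same bind nslcd attempts."""
    env = {var: conf[key] for key, var in TLS_ENV.items() if key in conf}
    argv = ["ldapwhoami", "-H", conf["uri"]]
    if conf.get("ssl") == "start_tls":
        argv.append("-ZZ")                  # StartTLS, and abort if it fails
    if conf.get("sasl_mech"):
        argv += ["-Y", conf["sasl_mech"]]   # EXTERNAL: identity from client cert
    else:
        argv.append("-x")                   # simple bind otherwise
    if debug_level:
        argv += ["-d", str(debug_level)]    # libldap trace: tls_read/tls_write
    return env, argv

def run_check(conf_text):
    """Run the bind when ldapwhoami is installed; return (rc, output) or None."""
    env, argv = ldapwhoami_command(parse_nslcd_conf(conf_text))
    if shutil.which(argv[0]) is None:
        print("ldapwhoami not installed; would run:",
              " ".join(f"{k}={shlex.quote(v)}" for k, v in env.items()), shlex.join(argv))
        return None
    proc = subprocess.run(argv, env={**os.environ, **env},
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr
```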





Bug#861212: nslcd: certificate authentication fails with Unknown authentication method: SASL(-4)

2017-04-26 Thread Matthew B. Weatherford

Arthur,

Thank you for your quick response - I really appreciate that


Does running nslcd in debug mode provide more information?


Here's the debug output:

nslcd: [8b4567] DEBUG: connection from pid=9817 uid=0 gid=0
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [8b4567]  DEBUG: ignored group member
nslcd: [7b23c6] DEBUG: connection from pid=9823 uid=0 gid=0
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [7b23c6]  DEBUG: ignored group member
nslcd: [3c9869] DEBUG: connection from pid=9829 uid=0 gid=0
nslcd: [3c9869]  DEBUG: myldap_search(base="ou=accounts,ou=csde,dc=ldi,dc=uw,dc=edu", filter="(objectClass=posixAccount)")
nslcd: [3c9869]  DEBUG: ldap_initialize(ldap://ldi.s.uw.edu)
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [3c9869]  DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869]  DEBUG: ldap_start_tls_s()
nslcd: [3c9869]  DEBUG: ldap_sasl_interactive_bind_s(NULL,"EXTERNAL") (uri="ldap://ldi.s.uw.edu")
nslcd: [3c9869]  failed to bind to LDAP server ldap://ldi.s.uw.edu: Unknown authentication method: SASL(-4): no mechanism available: : No such file or directory
nslcd: [3c9869]  DEBUG: ldap_unbind()
nslcd: [3c9869]  no available LDAP server found, sleeping 1 seconds
nslcd: [3c9869]  DEBUG: ldap_initialize(ldap://ldi.s.uw.edu)
nslcd: [3c9869]  DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869]  DEBUG: ldap_start_tls_s()
nslcd: [3c9869]  DEBUG: ldap_sasl_interactive_bind_s(NULL,"EXTERNAL") (uri="ldap://ldi.s.uw.edu")
nslcd: [3c9869]  failed to bind to LDAP server ldap://ldi.s.uw.edu: Unknown authentication method: SASL(-4): no mechanism available:
nslcd: [3c9869]  DEBUG: ldap_unbind()
nslcd: [3c9869]  no available LDAP server found, sleeping 1 seconds
nslcd: [3c9869]  DEBUG: ldap_initialize(ldap://ldi.s.uw.edu)
nslcd: [3c9869]  DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869]  DEBUG: ldap_start_tls_s()
nslcd: [3c9869]  DEBUG: ldap_sasl_interactive_bind_s(NULL,"EXTERNAL") (uri="ldap://ldi.s.uw.edu")
nslcd: [3c9869]  failed to bind to LDAP server ldap://ldi.s.uw.edu: Unknown authentication method: SASL(-4): no mechanism available:
nslcd: [3c9869]  DEBUG: ldap_unbind()
nslcd: [3c9869]  no available LDAP server found, sleeping 1 seconds
nslcd: [3c9869]  DEBUG: ldap_initialize(ldap://ldi.s.uw.edu)
nslcd: [3c9869]  DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869]  DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869]