Bug#861212: the certificates file for the LDAP server that causes this bug
This is the large CA-bundle.crt file that, when configured as the certificate bundle for the LDAP server, causes ldap-utils to fail with tls_read want/got mismatches early in the negotiation:

https://csde.washington.edu/~mbw/hide/ca-bundle.crt

I'll leave this link up for at least 1 year.

Matt
Bug#861838: About the LDAP *server* we are connecting to....
The LDAP server we are connecting to is openldap 2.4.40 and sasl 2.1.26, provided by CentOS 7. All the CentOS 7 clients work perfectly connecting to it.
Bug#861838: more information
ldapsearch and ldapwhoami return "Can't contact LDAP server (-1)". On a higher debug level (-d2), it looks like there is a tls_read want/got mismatch. Debug output below.

This is also broken in Debian 8, but the same commands work properly in Debian 7, and the tls_read want/got mismatch does not occur on Debian 7.

The key piece here, no matter whether I use password auth or CERT auth on Debian 8/9, is that I always see an early debug (-d2 flag) message like this:

tls_read: want=16384, got=14475

so there is a mismatch in the tls_read. I'll paste the whole debug after the fold. On Debian 7 there is no such mismatch in the debug output and everything works.

Should this be reported as a SASL broken bug instead? nslcd and sssd are also non-functional.

Matt

root@ldi-deb9-test:~/UW-LDI# ./ldiauth
ldap_write: want=31, written=31
  0000:  30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31   0w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 78 07 0a   0x..
ldap_read: want=6, got=6
  0000:  01 00 04 00 04 00   ..
tls_write: want=238, written=238
  0000:  16 03 01 00 e9 01 00 00 e5 03 03 59 0b 70 61 ad   ...Y.pa.
  0010:  a4 10 d9 f9 90 b2 b1 55 03 7f dc 9c d4 df 23 29   ...U..#)
  0020:  c3 48 0e 97 67 5e 43 12 08 bf 49 00 00 72 c0 2c   .H..g^C...I..r.,
  0030:  c0 87 cc a9 c0 ad c0 0a c0 24 c0 73 c0 2b c0 86   .$.s.+..
  0040:  c0 ac c0 09 c0 23 c0 72 c0 08 c0 30 c0 8b cc a8   .#.r...0
  0050:  c0 14 c0 28 c0 77 c0 2f c0 8a c0 13 c0 27 c0 76   ...(.w./.'.v
  0060:  c0 12 00 9d c0 7b c0 9d 00 35 00 3d 00 84 00 c0   .{...5.=
  0070:  00 9c c0 7a c0 9c 00 2f 00 3c 00 41 00 ba 00 0a   ...z.../.<.A
  0080:  00 9f c0 7d cc aa c0 9f 00 39 00 6b 00 88 00 c4   ...}.9.k
  0090:  00 9e c0 7c c0 9e 00 33 00 67 00 45 00 be 00 16   ...|...3.g.E
  00a0:  01 00 00 4a 00 17 00 00 00 16 00 00 00 05 00 05   ...J
  00b0:  01 00 00 00 00 ff 01 00 01 00 00 23 00 00 00 0a   ...#
  00c0:  00 0c 00 0a 00 17 00 18 00 19 00 15 00 13 00 0b
  00d0:  00 02 01 00 00 0d 00 16 00 14 04 01 04 03 05 01
  00e0:  05 03 06 01 06 03 03 01 03 03 02 01 02 03         ..
tls_read: want=5, got=5
  0000:  16 03 03 40 00   ...@.
tls_read: want=16384, got=14475
  0000:  02 00 00 53 03 03 41 2d 92 aa 79 c5 6a 80 42 8c   ...S..A-..y.j.B.
  0010:  f4 e2 60 75 bc 4f 01 a8 4f 6d 7c 32 27 08 ed 70   ..`u.O..Om|2'..p
  0020:  45 92 e6 4b 40 d9 20 34 85 bd 62 41 05 e5 81 c7   E..K@. 4..bA
  0030:  a1 36 b4 6d bf 20 01 c8 49 70 40 0d c2 e7 19 23   .6.m. ..Ip@#
  0040:  88 4f d4 57 0a 6d a8 c0 30 00 00 0b ff 01 00 01   .O.W.m..0...
  0050:  00 00 0b 00 02 01 00 0b 00 15 57 00 15 54 00 05   ..W..T..
  0060:  96 30 82 05 92 30 82 04 7a a0 03 02 01 02 02 11   .0...0..z...
  0070:  00 93 4f 82 f2 2d 6d cc 64 0f ce a1 57 97 a1 35   ..O..-m.d...W..5
  0080:  90 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00   .0...*.H
  0090:  30 76 31 0b 30 09 06 03 55 04 06 13 02 55 53 31   0v1.0...UUS1
  00a0:  0b 30 09 06 03 55 04 08 13 02 4d 49 31 12 30 10   .0...UMI1.0.
  00b0:  06 03 55 04 07 13 09 41 6e 6e 20 41 72 62 6f 72   ..UAnn Arbor
  00c0:  31 12 30 10 06 03 55 04 0a 13 09 49 6e 74 65 72   1.0...UInter
  00d0:  6e 65 74 32 31 11 30 0f 06 03 55 04 0b 13 08 49   net21.0...UI
  00e0:  6e 43 6f 6d 6d 6f 6e 31 1f 30 1d 06 03 55 04 03   nCommon1.0...U..
  00f0:  13 16 49 6e 43 6f 6d 6d 6f 6e 20 52 53 41 20 53   ..InCommon RSA S
  0100:  65 72 76 65 72 20 43 41 30 1e 17 0d 31 37 30 34   erver CA0...1704
  0110:  31 31 30 30 30 30 30 30 5a 17 0d 32 30 30 34 31   1100Z..20041
  0120:  30 32 33 35 39 35 39 5a 30 81 a1 31 0b 30 09 06   0235959Z0..1.0..
  0130:  03 55 04 06 13 02 55 53 31 0e 30 0c 06 03 55 04   .UUS1.0...U.
  0140:  11 13 05 39 38 31 39 35 31 0b 30 09 06 03 55 04   ...981951.0...U.
  0150:  08 13 02 57 41 31 10 30 0e 06 03 55 04 07 13 07   ...WA1.0...U
  0160:  53 65 61 74 74 6c 65 31 19 30 17 06 03 55 04 09   Seattle1.0...U..
  0170:  13 10 34 35 34 35 20 31 35 74 68 20 41 76 65 20   ..4545 15th Ave
  0180:  4e 45 31 21 30 1f 06 03 55 04 0a 13 18 55 6e 69   NE1!0...UUni
  0190:  76 65 72 73 69 74 79 20 6f 66 20 57 61 73 68 69   versity of Washi
  01a0:  6e 67 74 6f 6e 31 0e 30 0c 06 03 55 04 0b 13 05   ngton1.0...U
  01b0:  55 57 2d 49 54 31 15 30 13 06 03 55 04 03 13 0c   UW-IT1.0...U
  01c0:  6c 64 69 2e 73 2e 75 77 2e 65 64 75 30 82 01 22   ldi.s.uw.edu0.."
  01d0:  30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03   0...*.H.
  01e0:  82 01 0f 00 30 82 01 0a 02 82 01 01 00 c1 67 6e   0.gn
  01f0:  bf 31 34 05 5c fd 8f 6a 03 0c 19 4d ef e3 4f 40   .14.\..j...M..O@
  0200:  f3 4d f0 25 b0 aa fc 29 a2 c0 db 8d d5 3d 53 f8   .M.%...).=S.
  0210:  e8 80 d4 18 c0 5b 5d a3 8b e4 63 57 49 c6 b5 3b   .[]...cWI..;
  0220:  c7 94 9b 21 9f
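Reading a dump like the one above by eye is slow once the ASCII column has been mangled, so here is an added example for this thread (not code from ldap-utils, libldap or nslcd) that decodes it. It groups an OpenLDAP client trace (ldapsearch or ldapwhoami with -d 2) into read/write operations, decodes each 5-byte TLS record header, and walks the handshake messages inside a handshake record. Its input is constructed to mirror the trace above (same offsets and leading bytes), with the hex dump under each operation deliberately cut short so the partial-message path is exercised. Run on that input it shows that the 5-byte read 16 03 03 40 00 is a handshake record header announcing a 0x4000 = 16384-byte record, which is why the next tls_read asks for exactly 16384, and that the record body starts with a ServerHello selecting TLS 1.2 and cipher suite 0xc030 (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) followed by a 5463-byte Certificate message. A read that returns fewer bytes than requested is reported as a short transfer, nothing more; the trace alone does not say whether that is the failure being chased.

```python
# Added example for this thread, not ldap-utils, libldap or nslcd code.
import re

IO_LINE = re.compile(r"^(tls|ldap)_(read|write): want=(\d+), (?:got|written)=(\d+)")
HEX_LINE = re.compile(r"^\s*[0-9a-f]{4}:\s*(.*)$")          # "  0010:  f4 e2 ...   ..`u.O"
HEX_BYTES = re.compile(r"[0-9a-f]{2}( [0-9a-f]{2})*")
RECORD_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone"}
VERSIONS = {(3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}

# Constructed input modelled on the report's trace (same offsets and leading bytes); the
# dump under each operation is cut short on purpose to exercise the partial-message path.
SAMPLE_TRACE = """\
tls_write: want=238, written=238
  0000:  16 03 01 00 e9 01 00 00 e5 03 03 59 0b 70 61 ad   ...........Y.pa.
tls_read: want=5, got=5
  0000:  16 03 03 40 00                                    ...@.
tls_read: want=16384, got=14475
  0000:  02 00 00 53 03 03 41 2d 92 aa 79 c5 6a 80 42 8c   ...S..A-..y.j.B.
  0010:  f4 e2 60 75 bc 4f 01 a8 4f 6d 7c 32 27 08 ed 70   ..`u.O..Om|2'..p
  0020:  45 92 e6 4b 40 d9 20 34 85 bd 62 41 05 e5 81 c7   E..K@. 4..bA....
  0030:  a1 36 b4 6d bf 20 01 c8 49 70 40 0d c2 e7 19 23   .6.m. ..Ip@....#
  0040:  88 4f d4 57 0a 6d a8 c0 30 00 00 0b ff 01 00 01   .O.W.m..0.......
  0050:  00 00 0b 00 02 01 00 0b 00 15 57 00 15 54 00 05   ..........W..T..
"""

def parse_trace(text):
    """Group the trace into I/O operations, each with the bytes dumped beneath it."""
    ops = []
    for line in text.splitlines():
        if m := IO_LINE.match(line):
            ops.append({"op": f"{m[1]}_{m[2]}", "want": int(m[3]), "done": int(m[4]),
                        "data": bytearray()})
        elif (m := HEX_LINE.match(line)) and ops:
            hexpart = re.split(r"\s{2,}", m[1].strip())[0]   # hex column precedes the ASCII column
            if HEX_BYTES.fullmatch(hexpart):
                ops[-1]["data"] += bytes.fromhex(hexpart)
    return ops

def record_header(data):
    """Decode a 5-byte TLS record header (content type, version, length) if plausible."""
    if len(data) < 5 or data[0] not in RECORD_TYPES or data[1] != 3:
        return None
    return {"type": RECORD_TYPES[data[0]], "length": int.from_bytes(data[3:5], "big"),
            "version": VERSIONS.get((data[1], data[2]), f"0x{data[1]:02x}{data[2]:02x}")}

def handshake_messages(body):
    """Walk the handshake messages in a record body; stop at the first one the dump cuts off."""
    msgs, pos = [], 0
    while pos + 4 <= len(body):
        htype, hlen = body[pos], int.from_bytes(body[pos + 1:pos + 4], "big")
        payload = body[pos + 4:pos + 4 + hlen]
        msg = {"type": HANDSHAKE_TYPES.get(htype, f"type{htype}"), "length": hlen,
               "complete": len(payload) == hlen}
        if htype == 2 and len(payload) >= 35:    # ServerHello: version, 32-byte random,
            suite_at = 35 + payload[34]          # length-prefixed session id, cipher suite
            if len(payload) >= suite_at + 2:
                msg["version"] = VERSIONS.get((payload[0], payload[1]), "?")
                msg["cipher_suite"] = "0x%02x%02x" % (payload[suite_at], payload[suite_at + 1])
        msgs.append(msg)
        if not msg["complete"]:
            break
        pos += 4 + hlen
    return msgs

def analyze(text):
    """One finding per tls_read/tls_write: short transfer, record header, handshake contents."""
    findings, pending = [], None      # pending: header from a 5-byte read whose body comes next
    for op in parse_trace(text):
        if not op["op"].startswith("tls_"):
            continue
        data = bytes(op["data"])
        f = {**op, "data": data, "short_by": op["want"] - op["done"], "record": None, "messages": []}
        if pending is not None:       # this read is the body the previous header announced
            f["record"], f["want_matches_header"] = pending, op["want"] == pending["length"]
            if pending["type"] == "Handshake":
                f["messages"] = handshake_messages(data)
            pending = None
        elif (hdr := record_header(data)) is not None:
            f["record"] = hdr
            if len(data) == 5:        # header-only read: libldap asks for the body next
                pending = hdr
            elif hdr["type"] == "Handshake":
                f["messages"] = handshake_messages(data[5:])
        findings.append(f)
    return findings

def describe(f):
    """Render one finding the way you would read the trace by eye."""
    s = f"{f['op']} want={f['want']} done={f['done']}" + (f" SHORT by {f['short_by']}" if f["short_by"] else "")
    if f["record"]:
        s += "; {type} {version} record, length {length}".format(**f["record"])
    for m in f["messages"]:
        extra = f", {m['version']} suite {m['cipher_suite']}" if "cipher_suite" in m else ""
        s += f"; {m['type']} ({m['length']} bytes{extra}{'' if m['complete'] else ', cut off in dump'})"
    return s

if __name__ == "__main__":
    for finding in analyze(SAMPLE_TRACE):
        print(describe(finding))
```

To use it on a real trace, save the -d 2 output to a file and pass its contents to analyze(); the ldap_read/ldap_write operations (the LDAP-layer BER messages such as the StartTLS extended request at the top of the dump) are collected but left undecoded, since the question here is what the TLS layer saw.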
Bug#861212: nslcd: certificate authentication fails with Unknown authentication method: SASL(-4)
Arthur,

Thanks for the tips. I put several hours into this problem today and am still stumped.

Now I am simply trying to connect to our university's openLDAP server with PASSWORD auth, and that fails. It fails on Debian 8 and Debian 9 but works on a colleague's Debian 7 Raspberry Pi. Here is a diff of the two debug outputs from ldapsearch when providing my admin password: one for Debian 8 and one for Raspbian (deb7): http://www.mergely.com/DDFOIIQR/

I also was able to find a Debian 9 tool to dump the cipher suites that the LDI server allows, but haven't figured out how to tell what the Debian 8/9 clients are using... but if I can't even password auth then something is really broken here.

root@ldi-deb9-test:~/UW-LDI# gnutls-cli-debug -V --app-proto ldap -p 389 ldi.s.uw.edu
GnuTLS debug client 3.5.8
Checking ldi.s.uw.edu:389
        for SSL 3.0 (RFC6101) support... no
        whether we need to disable TLS 1.2... no
        whether we need to disable TLS 1.1... no
        whether we need to disable TLS 1.0... no
        whether %NO_EXTENSIONS is required... no
        whether %COMPAT is required... no
        for TLS 1.0 (RFC2246) support... yes
        for TLS 1.1 (RFC4346) support... yes
        for TLS 1.2 (RFC5246) support... yes
        fallback from TLS 1.6 to... TLS1.2
        for inappropriate fallback (RFC7507) support... yes
        for certificate chain order... sorted
        for trusted CAs...
        for safe renegotiation (RFC5746) support... yes
        for encrypt-then-MAC (RFC7366) support... no
        for ext master secret (RFC7627) support... no
        for heartbeat (RFC6520) support... no
        for version rollback bug in RSA PMS... dunno
        for version rollback bug in Client Hello... no
        whether the server ignores the RSA PMS version... yes
        whether small records (512 bytes) are tolerated on handshake... yes
        whether cipher suites not in SSL 3.0 spec are accepted... yes
        whether a bogus TLS record version in the client hello is accepted... yes
        whether the server understands TLS closure alerts... partially
        whether the server supports session resumption... no
        for anonymous authentication support... no
        for ephemeral Diffie-Hellman support... yes
        ephemeral Diffie-Hellman group info... saved in debug-dh.out
        for ephemeral EC Diffie-Hellman support... yes
        for curve SECP256r1 (RFC4492)... yes
        for curve SECP384r1 (RFC4492)... no
        for curve SECP521r1 (RFC4492)... no
        for curve X25519 (draft-ietf-tls-rfc4492bis-07)... no
        for AES-128-GCM cipher (RFC5288) support... yes
        for AES-128-CCM cipher (RFC6655) support... no
        for AES-128-CCM-8 cipher (RFC6655) support... no
        for AES-128-CBC cipher (RFC3268) support... yes
        for CAMELLIA-128-GCM cipher (RFC6367) support... no
        for CAMELLIA-128-CBC cipher (RFC5932) support... no
        for 3DES-CBC cipher (RFC2246) support... yes
        for ARCFOUR 128 cipher (RFC2246) support... yes
        for CHACHA20-POLY1305 cipher (RFC7905) support... no
        for MD5 MAC support... yes
        for SHA1 MAC support... yes
        for SHA256 MAC support... yes
        for ZLIB compression support... no
        for max record size (RFC6066) support... no
        for OCSP status response (RFC6066) support... no
        for OpenPGP authentication (RFC6091) support... no
root@ldi-deb9-test:~/UW-LDI#

Matt
Bug#861212: nslcd: certificate authentication fails with Unknown authentication method: SASL(-4)
One other thought here: I generated the certificate signing request (CSR) for the certs using openssl like this:

openssl req -new -nodes -newkey rsa:4096 -keyout hostname.key -out hostname.csr

I thought I read somewhere that openssl was no longer recommended for Debian certs and we are to use gnutls or something now? And I don't have these certs in the "Debian Standard" cert locations - they are instead inside of a directory I created called: /etc/ssl/ldi/

On 4/26/2017 2:08 AM, Arthur de Jong wrote:
> On Tue, 2017-04-25 at 16:53 -0700, Matt Weatherford wrote:
>> debian 7 install works fine with certificate auth. Debian 9 install with same config files appears to not work and throws these errors:
>>
>> Apr 25 16:41:08 nori nslcd[1376]: [52255a] failed to bind to LDAP server ldap://ldi.s.uw.edu: Unknown authentication method: SASL(-4): no mechanism available:
>> Apr 25 16:41:08 nori nslcd[1376]: [52255a] no available LDAP server found: Unknown authentication method: Bad file descriptor
>> Apr 25 16:41:13 nori nslcd[1376]: [9cf92e] no available LDAP server found: Server is unavailable: Bad file descriptor
>
> Does running nslcd in debug mode provide more information?
>
>> contents of /etc/nslcd.conf:
>>
>> uri ldap://ldi.s.uw.edu
>> ssl start_tls
>> tls_cacertfile /etc/ssl/ldi/InCommonCA.crt
>> tls_cert /etc/ssl/ldi/ldi-client.crt
>> tls_key /etc/ssl/ldi/ldi-client.key
>> sasl_mech EXTERNAL
>
> So the client-side certificate is used for authentication and that is where it appears to fail. Can you make the connection using the ldapsearch command-line tool?
>
> The nslcd daemon does not do any TLS handling itself and only passes configuration options to libldap but there are differences between TLS libraries used.
>
> Kind regards,
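The suggestion in the quoted reply is to take nslcd out of the loop and make the same connection with the ldap-utils tools. The script below is an added example for this thread, not nslcd's or OpenLDAP's own code: it maps the uri, ssl, tls_* and sasl_mech lines of an nslcd.conf onto the LDAPTLS_* environment variables that libldap reads (see ldap.conf(5)) and an ldapwhoami invocation with -ZZ (StartTLS, and fail if it cannot be negotiated), -Y EXTERNAL and -d 2, so the resulting trace comes from the same libldap and TLS library nslcd uses, without nslcd in between. The configuration embedded in it is a constructed copy of the one quoted above. Two things in it are this script's assumptions rather than documented nslcd behaviour: rewriting an ldap:// URI to ldaps:// for "ssl on", and reporting a keyword that has no value (a path glued to the keyword, for instance) as a problem instead of ignoring the line.

```python
# Added example for this thread, not nslcd or OpenLDAP code.
import shlex

# Constructed copy of the nslcd.conf quoted in the report (paths are the report's own).
SAMPLE_NSLCD_CONF = """\
uri ldap://ldi.s.uw.edu
ssl start_tls
tls_cacertfile /etc/ssl/ldi/InCommonCA.crt
tls_cert /etc/ssl/ldi/ldi-client.crt
tls_key /etc/ssl/ldi/ldi-client.key
sasl_mech EXTERNAL
"""

# nslcd.conf option -> environment variable libldap reads (ldap.conf(5), LDAPTLS_*)
TLS_ENV = {"tls_cacertfile": "LDAPTLS_CACERT", "tls_cacertdir": "LDAPTLS_CACERTDIR",
           "tls_cert": "LDAPTLS_CERT", "tls_key": "LDAPTLS_KEY", "tls_reqcert": "LDAPTLS_REQCERT"}


def parse_nslcd_conf(text):
    """Return (options, problems). A keyword with no value is reported, not silently dropped
    (assumption of this script: such a line is a configuration mistake worth flagging)."""
    opts, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 1:
            problems.append(f"line {n}: {parts[0]!r} has no value")
        else:
            opts[parts[0].lower()] = parts[1].strip()
    return opts, problems


def ldap_utils_repro(opts):
    """Environment and ldapwhoami argv that follow the same TLS and bind settings."""
    env = {TLS_ENV[k]: v for k, v in opts.items() if k in TLS_ENV}
    uri = opts.get("uri", "ldap://localhost")
    ssl = opts.get("ssl", "off").lower()
    if ssl == "on" and uri.startswith("ldap://"):
        uri = "ldaps://" + uri[len("ldap://"):]     # assumption: raw LDAP over SSL = ldaps://
    argv = ["ldapwhoami", "-H", uri, "-d", "2"]     # -d 2 prints the tls_read/tls_write trace
    if ssl == "start_tls":
        argv.append("-ZZ")                          # StartTLS, and fail if it does not succeed
    if "sasl_mech" in opts:
        argv += ["-Y", opts["sasl_mech"]]           # EXTERNAL: identity comes from the client cert
    elif "binddn" in opts:
        argv += ["-x", "-D", opts["binddn"], "-W"]  # simple bind, prompt for the password
    else:
        argv.append("-x")                           # anonymous simple bind
    return env, argv


def shell_line(env, argv):
    """One copy-pasteable shell line: VAR=value ... ldapwhoami ..."""
    prefix = " ".join(f"{k}={shlex.quote(v)}" for k, v in sorted(env.items()))
    return (prefix + " " if prefix else "") + shlex.join(argv)


if __name__ == "__main__":
    options, issues = parse_nslcd_conf(SAMPLE_NSLCD_CONF)
    for issue in issues:
        print("config problem:", issue)
    print(shell_line(*ldap_utils_repro(options)))
```

Running the printed line on the Debian 8/9 client and on the Debian 7 one yields two traces produced without nslcd, which can be diffed the same way the ldapsearch outputs were diffed earlier in the thread; if ldapwhoami fails the same way, the problem is below nslcd, in libldap or the TLS library it is linked against.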
Bug#861212: nslcd: certificate authentication fails with Unknown authentication method: SASL(-4)
Arthur,

Thank you for your quick response - I really appreciate that.

> Does running nslcd in debug mode provide more information?

Here's the debug output:

nslcd: [8b4567] DEBUG: connection from pid=9817 uid=0 gid=0
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [8b4567] DEBUG: ignored group member
nslcd: [7b23c6] DEBUG: connection from pid=9823 uid=0 gid=0
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [7b23c6] DEBUG: ignored group member
nslcd: [3c9869] DEBUG: connection from pid=9829 uid=0 gid=0
nslcd: [3c9869] DEBUG: myldap_search(base="ou=accounts,ou=csde,dc=ldi,dc=uw,dc=edu", filter="(objectClass=posixAccount)")
nslcd: [3c9869] DEBUG: ldap_initialize(ldap://ldi.s.uw.edu)
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_start_tls_s()
nslcd: [3c9869] DEBUG: ldap_sasl_interactive_bind_s(NULL,"EXTERNAL") (uri="ldap://ldi.s.uw.edu")
nslcd: [3c9869] failed to bind to LDAP server ldap://ldi.s.uw.edu: Unknown authentication method: SASL(-4): no mechanism available: : No such file or directory
nslcd: [3c9869] DEBUG: ldap_unbind()
nslcd: [3c9869] no available LDAP server found, sleeping 1 seconds
nslcd: [3c9869] DEBUG: ldap_initialize(ldap://ldi.s.uw.edu)
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_start_tls_s()
nslcd: [3c9869] DEBUG: ldap_sasl_interactive_bind_s(NULL,"EXTERNAL") (uri="ldap://ldi.s.uw.edu")
nslcd: [3c9869] failed to bind to LDAP server ldap://ldi.s.uw.edu: Unknown authentication method: SASL(-4): no mechanism available:
nslcd: [3c9869] DEBUG: ldap_unbind()
nslcd: [3c9869] no available LDAP server found, sleeping 1 seconds
nslcd: [3c9869] DEBUG: ldap_initialize(ldap://ldi.s.uw.edu)
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_start_tls_s()
nslcd: [3c9869] DEBUG: ldap_sasl_interactive_bind_s(NULL,"EXTERNAL") (uri="ldap://ldi.s.uw.edu")
nslcd: [3c9869] failed to bind to LDAP server ldap://ldi.s.uw.edu: Unknown authentication method: SASL(-4): no mechanism available:
nslcd: [3c9869] DEBUG: ldap_unbind()
nslcd: [3c9869] no available LDAP server found, sleeping 1 seconds
nslcd: [3c9869] DEBUG: ldap_initialize(ldap://ldi.s.uw.edu)
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869]