Hardy slapd server is not supporting sasl/external authentication
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openldap (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Hardy |
Invalid
|
Medium
|
Unassigned | ||
openldap2.3 (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Hardy |
Invalid
|
Medium
|
Unassigned |
Bug Description
On our dapper machines, we use the sasl external mechanism for authentication on slapd, the ldap server.
On hardy this doesn't work any more. Running an ldapsearch for example produces errors messages.
hardy ldapsearch against hardy slapd:
$ ldapsearch -H ldaps://ldap
SASL/EXTERNAL authentication started
ldap_sasl_
and slapd (-d 256) says
conn=6 fd=16 ACCEPT from IP=100.
conn=6 fd=16 TLS established tls_ssf=16 ssf=16
conn=6 fd=16 closed (connection lost)
Here, the client fails
fedora core 3 ldapsearch (ldap utils are linked against openssl) against hardy slapd:
$ ldapsearch -H ldaps://ldap
SASL/EXTERNAL authentication started
ldap_sasl_
additional info: SASL(-4): no mechanism available:
and slapd (-d 256) says
conn=5 fd=16 ACCEPT from IP=100.9.11.1:38962 (IP=0.0.0.0:636)
conn=5 fd=16 TLS established tls_ssf=16 ssf=16
conn=5 op=0 BIND dn="" method=163
conn=5 op=0 RESULT tag=97 err=7 text=SASL(-4): no mechanism available:
conn=5 fd=16 closed (connection lost)
This shows that the server actually doesn't support the mechanism.
Installed packages:
root@system:~# dpkg -l '*slapd*' '*ldap*' '*gnutls*' '*openssl*' '*sasl*' | grep ^ii | awk '{print $2"_"$3}'
gnutls-
gnutls-
ldap-auth-
ldap-auth-
ldap-utils_
libcurl3-
libgnutls13_
libldap-
libnss-
libpam-
libsasl2_
libsasl2-
libsasl2-
openssl_
openssl-
php5-ldap_
postfix-
sasl2-bin_
slapd_2.
Configuration:
/etc/default/slapd
# Default location of the slapd.conf file
SLAPD_CONF=
# System account to run the slapd server under. If empty the server
# will run as root.
SLAPD_USER=openldap
# System group to run the slapd server under. If empty the server will
# run in the primary group of its user.
SLAPD_GROUP=
# Path to the pid file of the slapd server. If not set the init.d script
# will try to figure it out from $SLAPD_CONF (/etc/ldap/
SLAPD_PIDFILE=
# Configure if db_recover should be called before starting slapd
TRY_BDB_
# Configure if the slurpd daemon should be started. Possible values:
# - yes: Always start slurpd
# - no: Never start slurpd
# - auto: Start slurpd if a replica option is found in slapd.conf (default)
SLURPD_START=auto
# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
SLAPD_SERVICES=
# Additional options to pass to slapd and slurpd
SLAPD_OPTIONS=""
SLURPD_OPTIONS=""
/etc/openldap/
TLSCACertificat
TLSCertificateFile /etc/ssl/
TLSCertificateK
TLSVerifyClient try
example .ldaprc
TLS_CACERT /home/max/
TLS_CERT /home/max/
TLS_KEY /home/max/
SASL_MECH EXTERNAL
First it was suspected gnutls might not like certificates/keys generated with openssl. But playing around with gnutls-serv and gnutls-cli using the same files shows that gnutls works.
The search shows external is not supported by server:
$ ldapsearch -x -H ldaps://ldap -b "" -LLL -s base supportedSASLMe
dn:
supportedSASLMe
supportedSASLMe
supportedSASLMe
supportedSASLMe
supportedSASLMe
apparmor is not running on the server.
The authentication is not working with neither when openldap user is a member of ssl-cert group or not, i.e. has read permission on /etc/ssl/private
Changed in openldap: | |
status: | New → Incomplete |
Changed in openldap2.3: | |
status: | New → Invalid |
importance: | Undecided → Medium |
status: | New → Confirmed |
Changed in openldap: | |
status: | Confirmed → Invalid |
Changed in openldap: | |
status: | Incomplete → Invalid |
Changed in openldap2.3: | |
status: | Confirmed → Invalid |
Confirming as a regression in hardy.
Strangely, I see EXTERNAL as an option if I connect using ldapi:///, but not when using ldap://; I'm not sure why that would be, but it may have to do with the use of gnutls vs. openssl.