That should be impossible. Bind DLZ is compiled to use the same
openldap libraries that your openldap server is using. If you configure
the query URL as ldapi then the same thing is being sent to
the libraries that ldapsearch is sending. That is why you do not have
to do anything special other than change the query string to ldap: or
ldapi: or ldaps: in the dlz config.
Are you using the examples on
http://bind-dlz.sourceforge.net/ldap_driver.html?
Is dlz possibly dynamically linked and can't find the openldap libraries?
Ted
On 2/12/2021 4:09 AM, Dario García Díaz-Miguel wrote:
Hi Ted,
The values related with the issue configured on the slapd configuration are on
my original message:
- olcSecurity: ssf=256
- olcLocalSSF: 256
- olcRequires: authc
- olcDisallow: bind_anon
- olcTLSVerifyClient: try
Exactly, using LDAPI with my olcLocalSSF configuration is not using SSL and
that's required due to some implementations.
The problem is that BIND DLZ is NOT using LDAPI nor LDAPS and I don't know how
to configure it.
ldapsearch -H ldapi:/// -D "cn=Administrator,dc=example,dc=com" -W --> works
ldapsearch -H ldaps://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W --> works
ldapsearch -H ldap://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W --> does not work
ldapsearch -H ldap://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W -Z --> works
This is the expected behavior and not related at all with my original question.
I just asked how we should configure BIND DLZ to use LDAPS (636) or LDAPI
instead of LDAP (389), since DLZ queries do not support port specifications.
Thank you so much.
Kind Regards.
-----Original Message-----
If the programs are both on the same machine and you are using ldapi
with olcLocalSSF then you are NOT using SSL.
For starters on this machine if you simply run a LDAP query with
the command line tools against the OpenLDAP server does it work?
Like ldapsearch -LLL -H ldapi://blardy blardy blar
What is in your slapd.ldif? Usually there should be an
olcSecurity: ssf=something and this should match the
value you are using in the olcLocalSSF. The command line ldap program
should pump out an error message if this mechanism is broken.
If you are not familiar with stunnel you should have looked up what it
was before responding. It's not going to be applicable here and I
would not have suggested it if I had known both programs were on the
same machine.
Ted
Dario Garcia
Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com
From: Dario García Díaz-Miguel
Sent: Friday, 12 February 2021 12:15
To: bind-users@lists.isc.org
CC: skmf_support <skmf_supp...@gmv.com>
Subject: RE: Can't use Bind DLZ through LDAPS SSL
Hi Ted,
Thank you for your answer.
Both servers (OpenLDAP and BIND DLZ) are on the same machine.
LDAPI:/// socket has been configured to not require SSL with olcLocalSSF
If BIND DLZ is not supporting LDAPS, does it support any way to bind against
LDAP using LDAPI?
I've tried to use the ldapi:/// as well as the ldaps:// on the queries and it
does not work.
I also have tried adding the port to the hostnames on the connection parameters
from named.conf and it also does not work.
About stunnel, I'm not sure since I'm not familiar with it, and including new
software would require an approval request explaining good enough reasons to
use it.
Thank you so much.
Regards.
Dario Garcia
Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com
-----Original Message-----
Date: Fri, 12 Feb 2021 01:29:17 -0800
From: Ted Mittelstaedt <t...@ipinc.net>
To: bind-users@lists.isc.org
Subject: Re: Can't use Bind DLZ through LDAPS SSL
Message-ID: <60264a6d.1090...@ipinc.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Instead of beating your head against DLZ can't you simply put the DLZ query
into stunnel and connect to the openldap server that way?
Ted
On 2/11/2021 10:39 PM, Dario García Díaz-Miguel wrote:
Hi there,
I really don't know if this is the correct place to ask about Bind DLZ, but I'm afraid
that I could not have any responses from the BIND DLZ mail list and, since this seems to
be an "official" plugin and it's compiled on the bind9 package from the SuSE15
SP2 repository I will try to ask it over here.
I've deployed an OpenLDAP using the security options recommended by my
cybersecurity team:
- olcSecurity: ssf=256
- olcLocalSSF: 256
- olcRequires: authc
- olcDisallow: bind_anon
- olcTLSVerifyClient: try
So essentially right now it is required to use certificates and LDAPS in order to
bind to the OpenLDAP server. Otherwise a "Confidentiality required" error will appear since
a TLS/SSL handshake is not possible. Well, this is the expected behavior.
All the software of the environment works flawlessly using the SSL Certificates
through LDAPS SSL except Bind DLZ. I could not find the way to configure it to
use SSL.
The Bind DLZ used is the one compiled with the BIND 9.16.6 (Stable Release)
from the SUSE 15 SP2 repository.
Could anybody help me?
Thank you so much.
Regards.
Dario Garcia
Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
http://www.gmv.com
Please consider the environment before printing this e-mail.
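The four ldapsearch results in the thread all follow from how slapd assigns a security strength factor (SSF) to each connection and then compares it with olcSecurity. The following model is an added example written for this thread, not OpenLDAP or BIND DLZ code: it reproduces that SSF arithmetic for the configuration Dario posted (olcSecurity ssf=256, olcLocalSSF 256, olcDisallow bind_anon) and shows why a plain ldap:// connection on 389, which is what a DLZ driver built without TLS support opens, is refused with "Confidentiality required" before any credentials are examined. It goes beyond the thread in one respect: it also shows that a TLS session negotiating a 128-bit cipher would fail the same check, because the TLS SSF slapd assigns is the cipher's key length. The hostname, DN and scenario labels are taken from the thread; the ordering of slapd's checks is simplified.

```python
"""Model of slapd's per-connection SSF policy (constructed example, not OpenLDAP code)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Outcomes, named after the LDAP result codes slapd reports in these cases.
OK = "ok"
CONFIDENTIALITY_REQUIRED = "confidentialityRequired (13)"
INAPPROPRIATE_AUTH = "inappropriateAuthentication (48)"


@dataclass(frozen=True)
class SlapdSecurity:
    security_ssf: int         # olcSecurity: ssf=N, minimum SSF for every operation
    local_ssf: int            # olcLocalSSF: N, SSF granted to ldapi:// (Unix socket) sessions
    disallow_bind_anon: bool  # olcDisallow: bind_anon


# The settings quoted in the thread (olcRequires: authc and olcTLSVerifyClient: try
# do not change the SSF arithmetic, so they are not modelled here).
THREAD_CONFIG = SlapdSecurity(security_ssf=256, local_ssf=256, disallow_bind_anon=True)


@dataclass(frozen=True)
class Connection:
    scheme: str                    # "ldap", "ldaps" or "ldapi"
    starttls: bool = False         # StartTLS negotiated on an ldap:// session (ldapsearch -Z)
    cipher_bits: int = 256         # key length of the negotiated TLS cipher (assumed AES-256)
    bind_dn: Optional[str] = None  # None models an anonymous simple bind


def effective_ssf(conn: Connection, cfg: SlapdSecurity) -> int:
    """SSF slapd attaches to a session: olcLocalSSF for ldapi://, the cipher's
    key length for any TLS session (ldaps:// or StartTLS), 0 for plaintext TCP."""
    if conn.scheme == "ldapi":
        return cfg.local_ssf
    if conn.scheme == "ldaps" or conn.starttls:
        return conn.cipher_bits
    return 0


def simple_bind_result(conn: Connection, cfg: SlapdSecurity) -> str:
    """Outcome of a simple bind on the session.

    olcSecurity is enforced before the bind is processed, so a plaintext ldap://
    session is refused no matter which credentials it carries. The StartTLS
    extended operation itself is exempt from the check (otherwise an ldap://
    session could never reach the required SSF), which is why ldapsearch -Z works.
    """
    if effective_ssf(conn, cfg) < cfg.security_ssf:
        return CONFIDENTIALITY_REQUIRED
    if conn.bind_dn is None and cfg.disallow_bind_anon:
        return INAPPROPRIATE_AUTH
    return OK


def thread_scenarios(cfg: SlapdSecurity = THREAD_CONFIG) -> Dict[str, str]:
    """The ldapsearch runs from the thread plus two extra cases, evaluated under cfg."""
    admin = "cn=Administrator,dc=example,dc=com"
    cases = {
        "ldapsearch -H ldapi:///": Connection("ldapi", bind_dn=admin),
        "ldapsearch -H ldaps://machine1.example.com": Connection("ldaps", bind_dn=admin),
        "ldapsearch -H ldap://machine1.example.com": Connection("ldap", bind_dn=admin),
        "ldapsearch -H ldap://machine1.example.com -Z": Connection("ldap", starttls=True, bind_dn=admin),
        # What a DLZ driver that only opens host:389 without StartTLS looks like to slapd.
        "named DLZ driver, plain ldap:// on 389": Connection("ldap", bind_dn=admin),
        # Extra: TLS alone is not enough; ssf=256 needs a 256-bit cipher.
        "ldaps://, but AES-128 negotiated": Connection("ldaps", cipher_bits=128, bind_dn=admin),
        # Extra: ldapi satisfies the SSF, but bind_anon is still disallowed.
        "ldapi:///, anonymous bind": Connection("ldapi"),
    }
    return {name: simple_bind_result(conn, cfg) for name, conn in cases.items()}


if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(f"{name:48} -> {result}")
```

The practical reading for the thread: LDAPI succeeds only because olcLocalSSF hands the socket an SSF of 256 without any TLS, so if the DLZ driver cannot be pointed at ldapi:/// or ldaps://, the connection it opens on 389 will always land in the "confidentialityRequired" row, whatever bind DN and password it is given.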
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users