You have been subscribed to a public bug:

On our dapper machines, we use the SASL EXTERNAL mechanism for
authentication on slapd, the LDAP server. On hardy this doesn't work any
more. Running an ldapsearch, for example, produces error messages.

hardy ldapsearch against hardy slapd:

  $ ldapsearch -H ldaps://ldap
  SASL/EXTERNAL authentication started
  ldap_sasl_interactive_bind_s: Unknown authentication method (-6)

and slapd (-d 256) says:

  conn=6 fd=16 ACCEPT from IP=100.9.0.234:45017 (IP=0.0.0.0:636)
  conn=6 fd=16 TLS established tls_ssf=16 ssf=16
  conn=6 fd=16 closed (connection lost)

Here, the client fails.

Fedora Core 3 ldapsearch (ldap utils are linked against openssl) against
hardy slapd:

  $ ldapsearch -H ldaps://ldap
  SASL/EXTERNAL authentication started
  ldap_sasl_interactive_bind_s: Authentication method not supported (7)
          additional info: SASL(-4): no mechanism available:

and slapd (-d 256) says:

  conn=5 fd=16 ACCEPT from IP=100.9.11.1:38962 (IP=0.0.0.0:636)
  conn=5 fd=16 TLS established tls_ssf=16 ssf=16
  conn=5 op=0 BIND dn="" method=163
  conn=5 op=0 RESULT tag=97 err=7 text=SASL(-4): no mechanism available:
  conn=5 fd=16 closed (connection lost)

This shows that the server actually doesn't support the mechanism.

Installed packages:

  [EMAIL PROTECTED]:~# dpkg -l '*slapd*' '*ldap*' '*gnutls*' '*openssl*' '*sasl*' | grep ^ii | awk '{print $2"_"$3}'
  gnutls-bin_2.0.4-1ubuntu2.1
  gnutls-doc_2.0.4-1ubuntu2.1
  ldap-auth-client_0.5
  ldap-auth-config_0.5
  ldap-utils_2.4.7-6ubuntu4.2
  libcurl3-gnutls_7.18.0-1ubuntu2
  libgnutls13_2.0.4-1ubuntu2.1
  libldap-2.4-2_2.4.7-6ubuntu4.2
  libnss-ldap_258-1ubuntu3
  libpam-ldap_184-2ubuntu2
  libsasl2_2.1.22.dfsg1-18ubuntu2
  libsasl2-2_2.1.22.dfsg1-18ubuntu2
  libsasl2-modules_2.1.22.dfsg1-18ubuntu2
  openssl_0.9.8g-4ubuntu3.1
  openssl-blacklist_0.1-0ubuntu0.8.04.4
  php5-ldap_5.2.4-2ubuntu5.1
  postfix-ldap_2.5.1-2ubuntu1
  sasl2-bin_2.1.22.dfsg1-18ubuntu2
  slapd_2.4.7-6ubuntu4.2

Configuration:

/etc/default/slapd:

  # Default location of the slapd.conf file
  SLAPD_CONF=/etc/openldap/slapd.conf

  # System account to run the slapd server under. If empty the server
  # will run as root.
  SLAPD_USER=openldap

  # System group to run the slapd server under. If empty the server will
  # run in the primary group of its user.
  SLAPD_GROUP=openldap

  # Path to the pid file of the slapd server. If not set the init.d script
  # will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf)
  SLAPD_PIDFILE=

  # Configure if db_recover should be called before starting slapd
  TRY_BDB_RECOVERY=yes

  # Configure if the slurpd daemon should be started. Possible values:
  # - yes: Always start slurpd
  # - no: Never start slurpd
  # - auto: Start slurpd if a replica option is found in slapd.conf (default)
  SLURPD_START=auto

  # slapd normally serves ldap only on all TCP-ports 389. slapd can also
  # service requests on TCP-port 636 (ldaps) and requests via unix
  # sockets.
  # Example usage:
  SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"

  # Additional options to pass to slapd and slurpd
  SLAPD_OPTIONS=""
  SLURPD_OPTIONS=""

/etc/openldap/slapd.conf (relevant lines only):

  TLSCACertificateFile   /etc/ssl/cacert.pem
  TLSCertificateFile     /etc/ssl/ldap/ldap-CERT.pem
  TLSCertificateKeyFile  /etc/ssl/ldap/ldap-KEY.pem
  TLSVerifyClient        try

example .ldaprc:

  TLS_CACERT /home/max/.ssl/cacert.pem
  TLS_CERT   /home/max/.ssl/usercert.pem
  TLS_KEY    /home/max/.ssl/user.key
  SASL_MECH  EXTERNAL

First it was suspected that gnutls might not like certificates/keys
generated with openssl. But playing around with gnutls-serv and
gnutls-cli using the same files shows that gnutls works.

The search shows EXTERNAL is not supported by the server:

  $ ldapsearch -x -H ldaps://ldap -b "" -LLL -s base supportedSASLMechanisms
  dn:
  supportedSASLMechanisms: DIGEST-MD5
  supportedSASLMechanisms: CRAM-MD5
  supportedSASLMechanisms: NTLM
  supportedSASLMechanisms: PLAIN
  supportedSASLMechanisms: LOGIN

apparmor is not running on the server.

Authentication does not work regardless of whether the openldap user is
a member of the ssl-cert group or not, i.e. whether it has read
permission on /etc/ssl/private.

** Affects: openldap (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Hardy slapd server is not supporting sasl/external authentication
https://bugs.launchpad.net/bugs/249881
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
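The report contains the two artefacts a practitioner needs to triage a SASL/EXTERNAL-over-TLS failure by hand: the per-connection slapd -d 256 log and the rootDSE supportedSASLMechanisms list. The script below is an added example for this page, not code from the bug report, from OpenLDAP or from Ubuntu. It groups the slapd connection log by conn=N, records whether TLS came up, whether a SASL bind (method=163, which is LDAP_AUTH_SASL, 0xa3) was attempted and with what result code (err=7 is authMethodNotSupported), and combines that with the mechanism list from the rootDSE to separate "the server never offered EXTERNAL" from "the client gave up before sending a BIND" (the hardy client case above, where the -6 is a client-side result and no BIND reaches the server). The sample log lines and LDIF are constructed from the lines quoted in the report; the function names and verdict strings are my own choices.

```python
"""Triage helper for SASL/EXTERNAL bind failures over ldaps.

Added example, not part of the bug report or of OpenLDAP.  It parses the
connection/operation lines that slapd prints with -d 256 and the LDIF that
`ldapsearch -x -b "" -s base supportedSASLMechanisms` prints for the rootDSE,
and classifies each connection.  Sample data below is constructed from the
lines quoted in the report; verdict strings and function names are assumptions.
"""
import re
from collections import defaultdict

LDAP_AUTH_SASL = 163                 # BIND method=163 (0xa3) is a SASL bind
ERR_AUTH_METHOD_NOT_SUPPORTED = 7    # LDAP result code authMethodNotSupported

CONN_RE = re.compile(r'^conn=(\d+)\s+(.*)$')
TLS_RE = re.compile(r'TLS established tls_ssf=(?P<ssf>\d+)')
BIND_RE = re.compile(r'op=\d+ BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r'op=\d+ RESULT tag=\d+ err=(?P<err>\d+)(?: text=(?P<text>.*))?')


def parse_conn_log(lines):
    """Group slapd -d 256 lines by conn=N and record what each connection did."""
    conns = defaultdict(lambda: {"tls": False, "tls_ssf": 0, "binds": [],
                                 "results": [], "closed": False})
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue                      # not a connection-level line
        conn, rest = conns[int(m.group(1))], m.group(2)
        if (t := TLS_RE.search(rest)):
            conn["tls"], conn["tls_ssf"] = True, int(t.group("ssf"))
        elif (b := BIND_RE.search(rest)):
            conn["binds"].append((b.group("dn"), int(b.group("method"))))
        elif (r := RESULT_RE.search(rest)):
            conn["results"].append((int(r.group("err")), (r.group("text") or "").strip()))
        elif "closed" in rest:
            conn["closed"] = True
    return dict(conns)


def parse_sasl_mechs(ldif):
    """Collect supportedSASLMechanisms values from ldapsearch -LLL rootDSE output."""
    mechs = []
    for line in ldif.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "supportedSASLMechanisms" and value.strip():
            mechs.append(value.strip())
    return mechs


def diagnose(conn, mechs):
    """Classify one connection's SASL/EXTERNAL attempt (verdict strings are my own)."""
    if not conn["tls"]:
        return "no-tls"                   # EXTERNAL needs a TLS identity to authenticate with
    if not any(method == LDAP_AUTH_SASL for _, method in conn["binds"]):
        return "client-aborted-before-bind"   # nothing reached the server (hardy client case)
    errs = [err for err, _ in conn["results"]]
    if ERR_AUTH_METHOD_NOT_SUPPORTED in errs:
        if "EXTERNAL" not in mechs:
            return "server-does-not-offer-external"   # matches the rootDSE check in the report
        return "bind-rejected-but-external-advertised"
    return "ok" if errs and all(err == 0 for err in errs) else "other-failure"


# Constructed from the two slapd excerpts quoted in the report.
SAMPLE_LOG = """\
conn=6 fd=16 ACCEPT from IP=100.9.0.234:45017 (IP=0.0.0.0:636)
conn=6 fd=16 TLS established tls_ssf=16 ssf=16
conn=6 fd=16 closed (connection lost)
conn=5 fd=16 ACCEPT from IP=100.9.11.1:38962 (IP=0.0.0.0:636)
conn=5 fd=16 TLS established tls_ssf=16 ssf=16
conn=5 op=0 BIND dn="" method=163
conn=5 op=0 RESULT tag=97 err=7 text=SASL(-4): no mechanism available:
conn=5 fd=16 closed (connection lost)
""".splitlines()

# Constructed from the rootDSE query output quoted in the report.
SAMPLE_ROOTDSE = """\
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
"""


def triage(log_lines=SAMPLE_LOG, rootdse_ldif=SAMPLE_ROOTDSE):
    """Return {conn_id: verdict} for every connection seen in the log."""
    mechs = parse_sasl_mechs(rootdse_ldif)
    return {cid: diagnose(conn, mechs) for cid, conn in parse_conn_log(log_lines).items()}


if __name__ == "__main__":
    for cid, verdict in sorted(triage().items()):
        print(f"conn={cid}: {verdict}")
```

To use it on a live system, feed `triage()` the stderr of `slapd -d 256` and the output of the `ldapsearch -x ... supportedSASLMechanisms` query from the report. One caveat when reading the verdicts: in OpenLDAP the rootDSE mechanism list is connection-specific, and EXTERNAL is only listed once the connection already carries an external identity (a verified TLS client certificate, or peer credentials over ldapi), so the rootDSE query has to be made from a client that presents the same certificate as the failing bind, as the reporter's .ldaprc does.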