You have been subscribed to a public bug:

On our dapper machines, we use the sasl external mechanism for authentication 
on slapd, the ldap server.
On hardy this doesn't work any more. Running an ldapsearch, for example, produces
error messages.

hardy ldapsearch against hardy slapd:
$ ldapsearch -H ldaps://ldap
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)

and slapd (-d 256) says
conn=6 fd=16 ACCEPT from IP=100.9.0.234:45017 (IP=0.0.0.0:636)
conn=6 fd=16 TLS established tls_ssf=16 ssf=16
conn=6 fd=16 closed (connection lost)

Here, the client fails

Fedora Core 3 ldapsearch (ldap utils are linked against openssl) against hardy
slapd:
$ ldapsearch -H ldaps://ldap
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
additional info: SASL(-4): no mechanism available:

and slapd (-d 256) says
conn=5 fd=16 ACCEPT from IP=100.9.11.1:38962 (IP=0.0.0.0:636)
conn=5 fd=16 TLS established tls_ssf=16 ssf=16
conn=5 op=0 BIND dn="" method=163
conn=5 op=0 RESULT tag=97 err=7 text=SASL(-4): no mechanism available:
conn=5 fd=16 closed (connection lost)

This shows that the server actually doesn't support the mechanism.

Installed packages:
[EMAIL PROTECTED]:~# dpkg -l '*slapd*' '*ldap*' '*gnutls*' '*openssl*' '*sasl*' | grep ^ii | awk '{print $2"_"$3}'
gnutls-bin_2.0.4-1ubuntu2.1
gnutls-doc_2.0.4-1ubuntu2.1
ldap-auth-client_0.5
ldap-auth-config_0.5
ldap-utils_2.4.7-6ubuntu4.2
libcurl3-gnutls_7.18.0-1ubuntu2
libgnutls13_2.0.4-1ubuntu2.1
libldap-2.4-2_2.4.7-6ubuntu4.2
libnss-ldap_258-1ubuntu3
libpam-ldap_184-2ubuntu2
libsasl2_2.1.22.dfsg1-18ubuntu2
libsasl2-2_2.1.22.dfsg1-18ubuntu2
libsasl2-modules_2.1.22.dfsg1-18ubuntu2
openssl_0.9.8g-4ubuntu3.1
openssl-blacklist_0.1-0ubuntu0.8.04.4
php5-ldap_5.2.4-2ubuntu5.1
postfix-ldap_2.5.1-2ubuntu1
sasl2-bin_2.1.22.dfsg1-18ubuntu2
slapd_2.4.7-6ubuntu4.2

Configuration:
/etc/default/slapd

# Default location of the slapd.conf file
SLAPD_CONF=/etc/openldap/slapd.conf

# System account to run the slapd server under. If empty the server
# will run as root.
SLAPD_USER=openldap

# System group to run the slapd server under. If empty the server will
# run in the primary group of its user.
SLAPD_GROUP=openldap

# Path to the pid file of the slapd server. If not set the init.d script
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf)
SLAPD_PIDFILE=

# Configure if db_recover should be called before starting slapd
TRY_BDB_RECOVERY=yes

# Configure if the slurpd daemon should be started. Possible values:
# - yes: Always start slurpd
# - no: Never start slurpd
# - auto: Start slurpd if a replica option is found in slapd.conf (default)
SLURPD_START=auto

# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"

# Additional options to pass to slapd and slurpd
SLAPD_OPTIONS=""
SLURPD_OPTIONS=""

/etc/openldap/slapd.conf (relevant lines only)
TLSCACertificateFile /etc/ssl/cacert.pem
TLSCertificateFile /etc/ssl/ldap/ldap-CERT.pem
TLSCertificateKeyFile /etc/ssl/ldap/ldap-KEY.pem
TLSVerifyClient try

example .ldaprc
TLS_CACERT /home/max/.ssl/cacert.pem
TLS_CERT /home/max/.ssl/usercert.pem
TLS_KEY /home/max/.ssl/user.key
SASL_MECH EXTERNAL 

First it was suspected gnutls might not like certificates/keys generated
with openssl. But playing around with gnutls-serv and gnutls-cli using
the same files shows that gnutls works.

The search shows EXTERNAL is not supported by the server:
$ ldapsearch -x -H ldaps://ldap -b "" -LLL -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN 

apparmor is not running on the server.

The authentication is not working whether the openldap user is a member of
the ssl-cert group or not, i.e. whether or not it has read permission on
/etc/ssl/private.

** Affects: openldap (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Hardy slapd server is not supporting sasl/external authentication
https://bugs.launchpad.net/bugs/249881
You received this bug notification because you are a member of Ubuntu Server 
Team, which is subscribed to openldap in ubuntu.
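The supportedSASLMechanisms query quoted in the report is the decisive check here: the root DSE shows what the server actually advertises, so a client can test for EXTERNAL before attempting a SASL/EXTERNAL bind that would otherwise fail with err=7. The script below is an added example, not part of the bug report or of the openldap packages; it parses the LDIF that ldapsearch prints (including folded continuation lines) with a constructed sample mirroring the report's output, and the function and URI names are this example's own.

```shell
#!/bin/sh
# Added example: check whether a slapd root DSE advertises a given SASL
# mechanism. Input is the LDIF produced by
#   ldapsearch -x -H ldaps://ldap -b "" -LLL -s base supportedSASLMechanisms

# Unfold LDIF: a line starting with a single space continues the previous line.
ldif_unfold() {
    awk 'NR>1 && /^ / { printf "%s", substr($0, 2); next }
         NR>1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# Print the advertised SASL mechanisms from root DSE LDIF on stdin, one per
# line, with CR and trailing whitespace (as in "LOGIN ") stripped.
ldif_sasl_mechs() {
    ldif_unfold | tr -d '\r' | sed -n 's/^supportedSASLMechanisms: *//p' \
        | sed 's/[[:space:]]*$//'
}

# has_sasl_mech MECH  (LDIF on stdin): exit 0 if advertised, 1 otherwise.
has_sasl_mech() {
    ldif_sasl_mechs | grep -qx -- "$1"
}

# Live probe against a real server (needs ldap-utils); not used by the test.
# Usage: probe_sasl_mech ldaps://ldap EXTERNAL
probe_sasl_mech() {
    ldapsearch -x -H "$1" -b "" -LLL -s base supportedSASLMechanisms \
        | has_sasl_mech "$2"
}

# Constructed sample mirroring the root DSE output quoted in the report.
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN '

if [ "${1:-}" = "--demo" ]; then
    for m in EXTERNAL PLAIN; do
        if printf '%s\n' "$SAMPLE_ROOTDSE" | has_sasl_mech "$m"; then
            echo "$m: advertised"
        else
            echo "$m: NOT advertised; a SASL/$m bind will fail with err=7"
        fi
    done
fi
```

Run with `--demo` to see the sample evaluated; against a live server, `probe_sasl_mech ldaps://ldap EXTERNAL` returns non-zero exactly in the state the report describes.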

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
