Replication with SSLCLIENTAUTH: server sent no certificate
by Eugen Lamers
I'm trying to set up a replication with certificate-based authentication between supplier and consumer. The certificates in the certdb at /etc/dirsrv/slapd-XXX contain the very same CA with which the respective server certificates in the certdbs have been signed. The certificates all have the 'u' flag, and the CA has the C and T flags.
The replication (on the supplier) has been set up such that TLS and certificate-based authentication are used, see the extract from the replication agreement object:
objectclass: nsds5ReplicationAgreement
nsds5replicahost: <consumer-hostname>
nsds5replicaport: 389
nsds5replicatransportinfo: TLS
nsds5replicabindmethod: SSLCLIENTAUTH
Trying to initialize the consumer raises this error in the error-log of the supplier (the host sending the starttls connection request):
Replication bind with EXTERNAL auth failed: LDAP error 48 (Inappropriate authentication) (missing client certificate)
The certificate that the server should have sent can, however, be used with the LDAP command-line tools such as ldapsearch. In this case a Wireshark trace clearly shows that the client sends the certificate during the TLS handshake, while in the above case it doesn't.
The TLS handshake defines that the client has to send an "empty certificate" if it does not have a certificate that has been issued by a CA offered by the server during the handshake. I can't see a reason for the client to think the condition isn't met. The certificate with which the server (supplier) is setup is the only one available.
Is it possible that the server does not know which certificate it has to use for authentication with the consumer server? And if so, how do I make the server know?
The 389-ds in use is version 1.4.1.6~git0.5ac5a8aad. The problem was the same with 1.4.0.3.
Thanks,
Eugen
2 years, 7 months
ERR - slapi_ldap_bind - Could not send bind request for id [(anon)] authentication mechanism [EXTERNAL]: error -1 (Can't contact LDAP server), system error 0 (no error), network error 0
by Graham Leggett
Hi all,
We have a long-standing 389ds master LDAP server that was found to be unable to contact its slaves. More specifically, the slaves show nothing in their logs about any kind of connection, while the master is logging this:
[12/Nov/2019:21:39:47.212715697 +0000] - ERR - slapi_ldap_bind - Could not send bind request for id [(anon)] authentication mechanism [EXTERNAL]: error -1 (Can't contact LDAP server), system error 0 (no error), network error 0 (Unknown error, host “ldap01:636”)
Key is "system error 0 (no error)", which leaves us stumped. The error is obviously "success".
Has anyone seen this kind of thing before?
This is 389ds running on CentOS7 as follows:
389-ds-base-1.3.9.1-10.el7.x86_64
Regards,
Graham
2 years, 10 months
LDAP Error Code 21- Invalid Syntax
by Thad
I am working with rh 9.1/389 1.2.11.15 and getting a syntax error. I am still in the newbie phase of working with directory server, so I'm not sure how to determine the syntax error and where to look to determine what the user did wrong. Any help figuring it out (and links to tutorials) would be appreciated.
Output from log file:
[27/Aug/2020:16:14:49 -0400] conn=1969 TLS1.0 128-bit AES
[27/Aug/2020:16:14:49 -0400] conn=1969 op=0 BIND dn="uid=mboone1,o=OUR Employees,o=OUR.com" method=128 version=3
[27/Aug/2020:16:14:49 -0400] conn=1969 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mboone1,o=our employees,o=OUR.com"
[27/Aug/2020:16:14:49 -0400] conn=1969 op=1 ADD dn="uid=eboone,o=OUR Employees,o=OUR.com"
[27/Aug/2020:16:14:49 -0400] conn=1969 op=1 RESULT err=21 tag=105 nentries=0 etime=0 - c: value #0 invalid per syntax
[27/Aug/2020:16:14:49 -0400] conn=1969 op=2 UNBIND
[27/Aug/2020:16:14:49 -0400] conn=1969 op=2 fd=67 closed - U1
3 years
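The err=21 result above names the rejected attribute before "value #0 invalid per syntax": here it is c (countryName), whose standard syntax (Country String, RFC 4517) is exactly two printable characters, an ISO 3166 code, so that is the value in the user's ADD to inspect. As an added example, not from the post, this Python snippet pairs each 389-ds access-log request with its RESULT line by (conn, op) and extracts the failing attribute; the sample input is the log excerpt quoted above.

```python
import re

# The access-log lines quoted in the post, embedded here as the sample input.
SAMPLE_ACCESS_LOG = """\
[27/Aug/2020:16:14:49 -0400] conn=1969 TLS1.0 128-bit AES
[27/Aug/2020:16:14:49 -0400] conn=1969 op=0 BIND dn="uid=mboone1,o=OUR Employees,o=OUR.com" method=128 version=3
[27/Aug/2020:16:14:49 -0400] conn=1969 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mboone1,o=our employees,o=OUR.com"
[27/Aug/2020:16:14:49 -0400] conn=1969 op=1 ADD dn="uid=eboone,o=OUR Employees,o=OUR.com"
[27/Aug/2020:16:14:49 -0400] conn=1969 op=1 RESULT err=21 tag=105 nentries=0 etime=0 - c: value #0 invalid per syntax
[27/Aug/2020:16:14:49 -0400] conn=1969 op=2 UNBIND
[27/Aug/2020:16:14:49 -0400] conn=1969 op=2 fd=67 closed - U1
"""

# Every access-log line carries a timestamp and conn=; operation lines add op=.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
REQUEST_RE = re.compile(r'^(?P<kind>BIND|UNBIND|ADD|MOD|MODRDN|DEL|SRCH|CMP|EXT|ABANDON)\b(?P<args>.*)$')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+) etime=(?P<etime>\S+)(?P<tail>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
# Server message appended to an err=21 RESULT: "<attribute>: value #<n> invalid per syntax"
SYNTAX_MSG_RE = re.compile(r'^(?P<attr>[A-Za-z][\w;-]*): value #(?P<index>\d+) invalid per syntax$')


def parse_access_log(text):
    """Pair each request with its RESULT line by (conn, op); return one record per operation."""
    ops = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group('op') is None:
            continue  # connection open/close and TLS lines carry no op number
        key = (int(m.group('conn')), int(m.group('op')))
        rec = ops.setdefault(key, {'conn': key[0], 'op': key[1], 'kind': None,
                                   'dn': None, 'err': None, 'msg': None})
        rest = m.group('rest')
        req, res = REQUEST_RE.match(rest), RESULT_RE.match(rest)
        if req:
            rec['kind'] = req.group('kind')
            dn = DN_RE.search(req.group('args'))
            rec['dn'] = dn.group('dn') if dn else None
        elif res:
            rec['err'] = int(res.group('err'))
            tail = res.group('tail')
            rec['msg'] = tail[3:] if tail.startswith(' - ') else None
    return [ops[k] for k in sorted(ops)]


def failed_operations(text):
    """Operations whose RESULT reported a non-zero LDAP result code."""
    return [r for r in parse_access_log(text) if r['err'] not in (None, 0)]


def explain_syntax_error(record):
    """For err=21 (Invalid Syntax), name the attribute and value index the server rejected."""
    if record['err'] != 21 or not record['msg']:
        return None
    m = SYNTAX_MSG_RE.match(record['msg'])
    if not m:
        return None
    return {'attribute': m.group('attr'), 'value_index': int(m.group('index'))}
```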
Creating extra backend database for sub-sub-suffix
by Jan Tomasek
Hi,
I've this directory structure:
dc=example,dc=cz
+ o=apps,dc=example,dc=cz
+ o=TCS2,o=apps,dc=example,dc=cz
I would like to store o=TCS2,o=apps,dc=example,dc=cz in its own database, to be able to create custom indexes only for entries under o=TCS2,o=apps,dc=example,dc=cz.
When I create it this way:
dsconf -D "cn=Directory Manager" -w "$pswd" \
ldap://localhost backend create \
--be-name "example_cz" --suffix="dc=example,dc=cz"
dsconf -D "cn=Directory Manager" -w "$pswd" \
ldap://localhost backend create \
--be-name "TCS2_apps_example_cz" \
--suffix="o=TCS2,o=apps,dc=example,dc=cz" \
--parent-suffix="o=apps,dc=example,dc=cz"
Then I'm unable to find o=TCS2 under o=apps,dc=example,dc=cz:
semik@doma:~$ ldapsearch -LLL -H ldaps://ldap.example.cz -D "cn=directory manager" -W -x -b o=apps,dc=example,dc=cz '(o=TCS2)'
Enter LDAP Password:
semik@doma:~$
But it is there:
semik@doma:~$ ldapsearch -LLL -H ldaps://ldap.example.cz -D "cn=directory manager" -W -x -b o=TCS2,o=apps,dc=example,dc=cz '(o=TCS2)'
Enter LDAP Password:
dn: o=TCS2,o=apps,dc=example,dc=cz
objectClass: top
objectClass: organization
o: TCS2
It is very likely because 389DS doesn't understand what I want to do.
semik@doma:~$ ldapsearch -LLL -H ldaps://ldap.example.cz -D "cn=directory manager" -W -x -s base -b '' '(objectClass=*)' namingContexts nsBackendSuffix
Enter LDAP Password:
dn:
namingContexts: o=TCS2,o=apps,dc=example,dc=cz
namingContexts: dc=example,dc=cz
nsBackendSuffix: example_cz:dc=example,dc=cz
nsBackendSuffix: TCS2_apps_example_cz:o=TCS2,o=apps,dc=example,dc=cz
When I create another database for o=apps,dc=example,dc=cz this way:
dsconf -D "cn=Directory Manager" -w "$pswd" \
ldap://localhost backend create \
--be-name "example_cz" --suffix="dc=example,dc=cz"
dsconf -D "cn=Directory Manager" -w "$pswd" \
ldap://localhost backend create \
--be-name "apps_example_cz" \
--suffix="o=apps,dc=example,dc=cz" \
--parent-suffix="dc=example,dc=cz"
dsconf -D "cn=Directory Manager" -w "$pswd" \
ldap://localhost backend create \
--be-name "TCS2_apps_example_cz" \
--suffix="o=TCS2,o=apps,dc=example,dc=cz" \
--parent-suffix="o=apps,dc=example,dc=cz"
It works:
semik@doma:~$ ldapsearch -LLL -H ldaps://ldap.example.cz -D "cn=directory manager" -W -x -b o=apps,dc=example,dc=cz '(o=TCS2)'
Enter LDAP Password:
dn: o=TCS2,o=apps,dc=example,dc=cz
objectClass: top
objectClass: organization
o: TCS2
semik@doma:~$ ldapsearch -LLL -H ldaps://ldap.example.cz -D "cn=directory manager" -W -x -s base -b '' '(objectClass=*)' namingContexts nsBackendSuffix
Enter LDAP Password:
dn:
namingContexts: dc=example,dc=cz
nsBackendSuffix: example_cz:dc=example,dc=cz
nsBackendSuffix: apps_example_cz:o=apps,dc=example,dc=cz
nsBackendSuffix: TCS2_apps_example_cz:o=TCS2,o=apps,dc=example,dc=cz
In the first scenario, there are two separate namingContexts, o=TCS2,o=apps,dc=example,dc=cz and dc=example,dc=cz.
I want to get rid of the extra apps_example_cz backend database if possible.
Is there a way to NOT create a database for o=apps,dc=example,dc=cz?
Thanks
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
3 years, 1 month
inconsistent results & FAILs with dsconf/dsctl cert imports & queries
by PGNet Dev
with installed
/usr/sbin/ns-slapd -v
389 Project
389-Directory/1.4.3.12 B2020.213.0000
running instancename == 'sso'
systemctl status dirsrv@sso.service -ln0
● dirsrv@sso.service - 389 Directory Server sso.
Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/dirsrv@.service.d
└─custom.conf
/etc/systemd/system/dirsrv@sso.service.d
└─override.conf
Active: active (running) since Thu 2020-08-27 16:11:16 PDT; 6min ago
Process: 24861 ExecStartPre=/usr/libexec/dirsrv/ds_systemd_ask_password_acl /etc/dirsrv/slapd-sso/dse.ldif (code=exited, status=0/SUCCESS)
Main PID: 24866 (ns-slapd)
Status: "slapd started: Ready to process requests"
Tasks: 25 (limit: 9500)
Memory: 50.7M
CPU: 2.832s
CGroup: /system.slice/system-dirsrv.slice/dirsrv@sso.service
└─24866 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-sso -i /run/dirsrv/slapd-sso.pid
dsctl sso status
Instance "sso" is running
checking _supported_ ciphers
dsconf -D "cn=ds" sso security ciphers list --supported | grep -i cha
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
setting initial security
dsconf -D "cn=ds" sso security set \
--security on \
--listen-host ldap.example.com \
--secure-port 636 \
--tls-protocol-min 1.2 \
--allow-insecure-ciphers off \
--allow-weak-dh-param off \
--cipher-pref "+TLS_CHACHA20_POLY1305_SHA256,+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
stopping server
dsctl sso stop
importing CA, OK
dsctl sso tls import-ca \
/src/ssl/myCA.CHAIN.crt.pem \
ldap.sso.CA.crt
importing cert/key, OK
dsctl sso tls import-server-key-cert \
/src/ssl/ldap.server.EC.crt \
/src/ssl/ldap.server.EC.key
importing client-CA, **FAILS**
dsctl sso tls import-client-ca \
/src/ssl/myCA.CHAIN.crt.pem \
ldap.sso.clientCA.crt
Error: Command '['/usr/bin/certutil', '-M', '-d', '/etc/dirsrv/slapd-sso', '-n', 'ldap.sso.clientCA.crt', '-t', 'T,,', '-f', '/etc/dirsrv/slapd-sso/pwdfile.txt']' returned non-zero exit status 255.
restarting server
dsctl sso start
checking _enabled_ ciphers
dsconf -D "cn=ds" sso security ciphers list --enabled
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
*2* certs are listed,
dsconf -D "cn=ds" sso security certificate list
Certificate Name: ldap.sso.CA.crt
Subject DN: E=ssl@example.com,CN=myCA_INTERMEDIATE,OU=myCA,O=example.com,ST=CA,C=US
Issuer DN: CN=myCA_ROOT,E=ssl@example.com,C=US,ST=CA,L=city,OU=myCA,O=example.com
Expires: 2027-06-02 21:41:51
Trust Flags: ,,
Certificate Name: Server-Cert
Subject DN: E=ssl@example.com,CN=ldap.example.com,OU=myCA,O=example.com,L=city,ST=CA,C=US
Issuer DN: E=ssl@example.com,CN=myCA_INTERMEDIATE,OU=myCA,O=example.com,ST=CA,C=US
Expires: 2030-08-25 00:50:38
Trust Flags: u,u,u
only one should be listed 'just' as a cert,
dsctl sso tls show-server-cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4666 (0x123a)
Signature Algorithm: X9.62 ECDSA signature with SHA256
Issuer: "E=ssl@example.com,CN=myCA_INTERMEDIATE,OU=myCA,O=example.com,ST=CA,C=US"
Validity:
Not Before: Thu Aug 27 00:50:38 2020
Not After : Sun Aug 25 00:50:38 2030
Subject: "E=ssl@example.com,CN=ldap.example.com,OU=presence-group.net_CA,O=example.com,L=city,ST=CA,C=US"
Subject Public Key Info:
Public Key Algorithm: X9.62 elliptic curve public key
Args:
06:05:2b:81:04:00:22
EC Public Key:
PublicValue:
04:...:3c
Curve: SECG elliptic curve secp384r1 (aka NIST P-384)
Signed Extensions:
Name: Certificate Basic Constraints
Data: Is not a CA.
Name: Certificate Type
Data: <SSL Server>
Name: Certificate Comment
Comment: "example.com SERVER Certificate"
Name: Certificate Subject Key ID
Data:
ea:...:78
Name: Certificate Authority Key Identifier
Key ID:
d0:...:cd
Issuer:
Directory Name: "CN=myCA_ROOT,E=ssl@example.com,C=US,ST=CA,L=city,OU=myCA,O=example.com"
Serial Number: 4096 (0x1000)
Name: Certificate Key Usage
Critical: True
Usages: Digital Signature
Name: Extended Key Usage
TLS Web Server Authentication Certificate
Name: Certificate Subject Alt Name
DNS name: "ldap.example.com"
DNS name: "www.ldap.example.com"
DNS name: "localhost"
Signature Algorithm: X9.62 ECDSA signature with SHA256
Signature:
30:...:67
Fingerprint (SHA-256):
22:...:18
Fingerprint (SHA1):
52:...:E3
Mozilla-CA-Policy: false (attribute missing)
Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User
the other is the ca cert. but ca list reports empty with dsconf
dsconf -D "cn=ds" sso security ca-certificate list
(empty)
as do both of dsctl tls queries
dsctl sso tls list-ca
(empty)
dsctl sso tls list-client-ca
(empty)
3 years, 1 month
dsconf errors on exec of "Updating the List of Enabled Ciphers" with "-all," included
by PGNet Dev
@
Updating the List of Enabled Ciphers
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11...
exec
dsconf -D "cn=Directory Manager" testinst security ciphers set "-all,+TLS_CHACHA20_POLY1305_SHA256,+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
returns
usage: dsconf instance security ciphers set [-h] cipher-string
dsconf instance security ciphers set: error: the following arguments are required: cipher-string
checking
dsconf instance security ciphers set -h
usage: dsconf instance security ciphers set [-h] cipher-string
Use this command to directly set nsSSL3Ciphers attribute. It is a comma separated list of cipher names (prefixed with + or
-), optionally including +all or -all. The attribute may optionally be prefixed by keyword default. Please refer to
documentation of the attribute for a more detailed description.
positional arguments:
cipher-string
optional arguments:
-h, --help show this help message and exit
re-attempt, rm'ing "-all"
dsconf -D "cn=Directory Manager" testinst security ciphers set "+TLS_CHACHA20_POLY1305_SHA256,+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
Remeber to restart the server to apply the new cipher set.
(^^^^ fyi, typo)
Some ciphers may be disabled anyway due to allowWeakCipher attribute.
but, here
grep -i weak /etc/dirsrv/slapd-testinst/dse.ldif
allowWeakCipher: off
allowWeakDHParam: off
3 years, 1 month
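The "the following arguments are required: cipher-string" message is standard argparse output: dsconf is a Python tool whose command line is parsed with argparse, which treats any argument beginning with "-" as an option name, so "-all,+..." is never matched to the cipher-string positional, while everything after a bare "--" is taken as positional (dsconf ... ciphers set -- "-all,+..."). As an added example, not dsconf's own code, this reproduces the behaviour with a one-positional stand-in parser and checks the +/- token rule quoted in the help text above.

```python
import argparse

# Cipher string from the post: "-all" first, then the two ChaCha20 suites.
CIPHER_STRING = ("-all,+TLS_CHACHA20_POLY1305_SHA256,"
                 "+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256")


class NonExitingParser(argparse.ArgumentParser):
    """argparse normally prints usage and exits on error; raise instead so callers can inspect it."""

    def error(self, message):
        raise ValueError(message)


def build_parser():
    # Minimal stand-in for the real sub-command: one required positional named cipher-string.
    parser = NonExitingParser(prog="dsconf instance security ciphers set")
    parser.add_argument("cipher_string", metavar="cipher-string",
                        help="comma separated list of cipher names, each prefixed with + or -")
    return parser


def parse_argv(argv):
    """Return ('ok', cipher_string) or ('error', argparse message) for a command-line tail."""
    try:
        ns = build_parser().parse_args(argv)
    except ValueError as exc:
        return ("error", str(exc))
    return ("ok", ns.cipher_string)


def validate_cipher_string(value):
    """Split an nsSSL3Ciphers value into (sign, name) pairs per the help text:
    comma separated, each token prefixed with + or -, optional leading keyword 'default'."""
    tokens = value.split(",")
    if tokens and tokens[0] == "default":
        tokens = tokens[1:]
    parsed = []
    for tok in tokens:
        if len(tok) < 2 or tok[0] not in "+-":
            raise ValueError(f"cipher token {tok!r} must start with + or -")
        parsed.append((tok[0], tok[1:]))
    return parsed


if __name__ == "__main__":
    print(parse_argv([CIPHER_STRING]))          # argparse takes "-all,..." for an option: error
    print(parse_argv(["--", CIPHER_STRING]))    # "--" ends option parsing: the value goes through
    print(validate_cipher_string(CIPHER_STRING))
```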
dsconf-adding pkcs12 cert to 389ds/1.4.3.12 fails : "could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error." ?
by PGNet Dev
i've installed
ns-slapd -v
389 Project
389-Directory/1.4.3.12 B2020.213.0000
on
grep PRETTY /etc/os-release
PRETTY_NAME="Fedora 32 (Server Edition)"
a server instance is up
dsctl testinst status
Instance "testinst" is running
i check for cipher support
dsconf -D "cn=Directory Manager" testinst security ciphers list --supported | grep -i cha
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set up security, enabling those ciphers
dsconf -D "cn=Directory Manager" testinst security set \
--security on \
--listen-host ldap.testinst.example.com \
--secure-port 636 \
--tls-protocol-min 3.3 \
--allow-insecure-ciphers off \
--allow-weak-dh-param off \
--cipher-pref +TLS_CHACHA20_POLY1305_SHA256,+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
dsconf -D "cn=Directory Manager" testinst security ciphers list
+TLS_CHACHA20_POLY1305_SHA256
+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
bundle my EC cert & key into a pkcs12
openssl pkcs12 -export \
-in testinst.server.EC.crt \
-inkey testinst.server.EC.key \
-out testinst.server.EC.p12 \
-name Server-Cert
verify it
openssl pkcs12 -info -in testinst.server.EC.p12
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 52 ... E3
friendlyName: Server-Cert
subject=...
-----BEGIN CERTIFICATE-----
MII...dBn
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
localKeyID: 52 ... E3
friendlyName: Server-Cert
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MII...6Fa
-----END ENCRYPTED PRIVATE KEY-----
add my CA cert
dsconf -D "cn=Directory Manager" testinst security ca-certificate add \
--file /src/ssl/myCA.chain.crt \
--name myCA.chain.crt
and, finally, attempt to add my just-created .p12
dsconf -D "cn=Directory Manager" testinst security certificate add \
--file /src/ssl/testinst.server.EC.p12 \
--name ldap.testinst.server.p12 \
--primary-cert
the attempt FAILs,
Error: Command '['/usr/bin/certutil', '-A', '-d', '/etc/dirsrv/slapd-testinst/certs', '-n', 'ldap.testinst.server.p12', '-t', ',,', '-i', '/src/ssl/testinst.server.EC.p12', '-a', '-f', '/etc/dirsrv/slapd-testinst/certs/pwdfile.txt']' returned non-zero exit status 255.
manually exec'ing that^ failed cmd
/usr/bin/certutil \
-A \
-d /etc/dirsrv/slapd-testinst/certs \
-n ldap.testinst.server.p12 \
-t,, \
-i /src/ssl/testinst.server.EC.p12 \
-a \
-f /etc/dirsrv/slapd-testinst/certs/pwdfile.txt
returns
certutil: could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error.
my cert/key are good, .p12 verification passes ... I'm not sure which 'security library' is being referenced here.
what's the cause of the problem here?
my usage? 389ds capabilities/support?
3 years, 1 month
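certutil -A adds a single X.509 certificate to the NSS database, and its -a switch tells it to expect ASCII (PEM) input; a PKCS#12 bundle such as the .p12 built above is a different, binary DER structure that NSS imports with pk12util instead. As an added example, not from the post or from 389-ds, this Python pre-check tells the two formats apart from their leading bytes before a file is handed to either tool; the sample headers are constructed, the tool names are the real NSS utilities, and <certdb> is a placeholder for the instance's certificate directory.

```python
# Constructed minimal headers standing in for real files (only the leading bytes matter to the check).
PEM_CERT_SAMPLE = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
DER_CERT_SAMPLE = bytes.fromhex("3004" "3002" "0500")     # SEQUENCE { SEQUENCE tbsCertificate ... }
PKCS12_SAMPLE = bytes.fromhex("3006" "020103" "300100")   # SEQUENCE { INTEGER 3, SEQUENCE authSafe ... }


def _der_tlv(buf, pos):
    """Decode tag and definite length of the DER element at pos; return (tag, content_start, length) or None."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, first
    nbytes = first & 0x7F
    if nbytes == 0 or pos + 2 + nbytes > len(buf):
        return None
    return tag, pos + 2 + nbytes, int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")


def classify(data):
    """Return 'pem-certificate', 'pem-other', 'der-certificate', 'pkcs12' or 'unknown' (a header heuristic)."""
    head = data.lstrip()
    if head.startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem-certificate"
    if head.startswith(b"-----BEGIN "):
        return "pem-other"
    outer = _der_tlv(data, 0)
    if outer is None or outer[0] != 0x30:
        return "unknown"
    inner = _der_tlv(data, outer[1])
    if inner is None:
        return "unknown"
    tag, start, length = inner
    if tag == 0x02 and length == 1 and start < len(data) and data[start] == 3:
        return "pkcs12"           # PFX ::= SEQUENCE { version INTEGER (always 3), authSafe, ... } (RFC 7292)
    if tag == 0x30:
        return "der-certificate"  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    return "unknown"


def import_command(kind, nickname, path):
    """Which NSS tool accepts this file: pk12util -i for PKCS#12, certutil -A for certificates (-a when PEM)."""
    if kind == "pkcs12":
        return ["pk12util", "-i", path, "-d", "<certdb>"]
    if kind == "pem-certificate":
        return ["certutil", "-A", "-n", nickname, "-t", ",,", "-a", "-i", path, "-d", "<certdb>"]
    if kind == "der-certificate":
        return ["certutil", "-A", "-n", nickname, "-t", ",,", "-i", path, "-d", "<certdb>"]
    return None
```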
Installing an instance of 389ds from scratch - how?
by Graham Leggett
Hi all,
I am struggling with automating the install of 389ds.
In the world of RHEL7 and below, there was a script called setup-ds.pl which did a bare-bones configuration of a 389ds instance, allowing you to then connect to the instance and configure the instance appropriately. The script was painful to automate, but it was possible to work around most of the issues in it.
In the world of RHEL8 and above, there is a replacement tool called dscreate, which appears to try and configure more of the server. The dscreate tool however does not appear to be able to install a server without starting that server (https://bugzilla.redhat.com/show_bug.cgi?id=1872910), cannot install a server without binding that server to all ports and enabling a self-signed certificate, nor can it configure a server to bind to localhost (https://bugzilla.redhat.com/show_bug.cgi?id=1872915), nor can dscreate make me a server bound to a unix domain socket (https://bugzilla.redhat.com/show_bug.cgi?id=1872930).
Is there a documented method of installing an instance from scratch without setup-ds.pl or dscreate?
In other words, create directory X, create config file from template in Y, etc? Obviously I can reverse engineer the process from first principles, but I would like some confirmation I am on the right track.
Regards,
Graham
3 years, 1 month
Problem browsing LDAP with Outlook
by Chris Bryant
When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
Thanks,
Chris
USA.NET
3 years, 1 month