
Bug#861212: nslcd: certificate authentication fails with Unknown authentication method: SASL(-4)


Matt Weatherford

Apr 25, 2017, 8:40:03 PM
Package: nslcd
Version: 0.9.7-2
Severity: important

Dear Maintainer,


debian 7 install works fine with certificate auth.
Debian 9 install with same config files appears to not work and throws these errors:

Apr 25 16:41:08 nori nslcd[1376]: [52255a] <passwd(all)> failed to bind to LDAP server ldap://ldi.s.uw.edu: Unknown authentication method: SASL(-4): no mechanism available:
Apr 25 16:41:08 nori nslcd[1376]: [52255a] <passwd(all)> no available LDAP server found: Unknown authentication method: Bad file descriptor
Apr 25 16:41:13 nori nslcd[1376]: [9cf92e] <group(all)> no available LDAP server found: Server is unavailable: Bad file descriptor
Apr 25 16:41:18 nori nslcd[1376]: [ed7263] <passwd="*"> request denied by validnames option

contents of /etc/nslcd.conf:

uid nslcd
gid nslcd

uri ldap://ldi.s.uw.edu
ssl start_tls

tls_cacertfile /etc/ssl/ldi/InCommonCA.crt
tls_cert /etc/ssl/ldi/ldi-client.crt
tls_key /etc/ssl/ldi/ldi-client.key


sasl_mech EXTERNAL


pagesize 250
nss_min_uid 1000
nss_initgroups_ignoreusers ALLLOCAL



Certificate I'm using:

> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 12603 (0x313b)
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: C = US, ST = WA, O = University of Washington, OU = UW Services, CN = UW Services CA, emailAddress = he...@cac.washington.edu
> Validity
> Not Before: Apr 5 00:15:01 2017 GMT
> Not After : Apr 6 00:15:01 2020 GMT
> Subject: C = US, ST = Washington, O = University of Washington, OU = Center for Studies in Demography and Ecology, CN = ldap-client.csde.washington.edu
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (4096 bit)
> Modulus:
> 00:c9:8a:c2:3c:fc:f5:2d:51:9b:45:57:19:35:a6:
> 77:a4:6c:b5:98:bf:6b:38:8a:b2:6c:19:24:86:d7:
> 41:20:38:ce:1a:01:a7:53:ae:6d:4d:89:1b:0e:49:
> 1b:d4:7d:c8:74:55:d8:2d:81:b9:aa:78:6f:5d:2f:
> 7b:6d:48:35:7c:c8:37:d7:c0:ec:8b:df:eb:b5:12:
> d1:d9:72:16:c9:b4:f0:41:7c:e1:a3:d2:cf:ee:c9:
> 44:44:c3:61:08:d6:36:74:18:ad:e8:a2:9c:f4:79:
> dd:f9:b7:84:49:18:ce:4f:00:de:e8:ff:b3:10:6f:
> dc:41:22:ff:2d:b7:34:5e:a1:5e:c2:a9:c4:4c:4a:
> 6d:d8:be:6d:0c:2d:26:bf:f6:8b:4c:fa:eb:6a:a2:
> 41:2b:65:a2:8b:8c:7d:4a:4e:fb:6a:55:81:bb:33:
> 99:9f:59:fd:78:da:d8:74:45:61:a9:87:59:f6:09:
> e9:6b:83:8c:d9:30:0e:7b:20:c6:96:c1:49:d2:76:
> a1:3f:bb:cf:6c:f8:34:a1:fb:d5:0c:26:06:65:57:
> 57:bb:50:cb:a0:9c:c5:74:c1:81:cd:1b:72:83:2c:
> 3d:9d:4a:87:72:b6:f1:29:93:63:81:24:f2:6e:1a:
> 2f:8d:6a:e8:a2:48:92:d1:c1:d7:40:b8:6e:f2:4b:
> 30:b6:a0:8d:c6:a5:c6:51:ba:67:6a:7b:e4:47:e5:
> 95:25:d3:5d:bb:04:50:97:2e:a8:fc:6c:92:03:20:
> 04:22:11:b8:af:c7:5b:ac:eb:5a:89:d2:77:b8:18:
> 5f:ff:ad:74:d2:7f:e2:5c:8c:98:2e:9d:e1:a1:3a:
> 93:4f:6d:9d:d0:e2:ee:57:21:1a:0b:08:7d:e9:6d:
> af:3f:3c:d7:75:f7:83:2a:7a:44:5b:83:96:b6:61:
> d6:ad:ab:58:e7:03:12:c2:bc:1a:a2:73:9a:34:a8:
> f5:84:9b:3d:6b:7a:a8:a2:cd:a1:c3:ea:9c:2f:1d:
> 45:7c:47:aa:12:67:d8:f0:18:89:1e:48:83:0c:ad:
> b5:19:45:e2:31:cb:ff:17:e3:24:85:e9:51:d2:2d:
> 5a:bc:99:73:68:85:05:10:06:eb:06:dd:62:cc:ff:
> ee:10:a5:49:f8:4e:19:d1:3b:f3:91:9d:cb:ed:3f:
> 40:ad:8d:90:bf:2a:54:58:00:a6:04:7d:a3:9a:ac:
> f6:fd:d3:8b:a0:dc:2e:56:7f:91:51:07:a1:a0:22:
> 91:ec:04:48:95:c3:de:77:ea:50:61:6b:b0:6b:48:
> 56:02:c4:7d:23:a7:4f:d7:e1:6a:0f:2d:0e:33:f4:
> e8:be:d6:dc:0c:22:76:db:ec:47:08:a0:0a:42:1e:
> 79:25:53
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:FALSE
> X509v3 Extended Key Usage:
> TLS Web Client Authentication, TLS Web Server Authentication
> X509v3 Subject Key Identifier:
> 68:2F:05:ED:33:1A:C2:60:57:0D:FF:87:E6:C6:3B:C1:60:3E:AD:96
> X509v3 Subject Alternative Name:
> DNS:ldap-client.csde.washington.edu
> X509v3 Authority Key Identifier:
> keyid:55:D7:C1:33:C6:FA:93:F8:27:3D:CB:20:4B:F5:5A:8E:58:97:7D:74
> DirName:/C=US/ST=WA/O=University of Washington/OU=UW Services/CN=UW Services CA/emailAddress=he...@cac.washington.edu
> serial:00
>
> X509v3 CRL Distribution Points:
>
> Full Name:
> URI:http://certs.cac.washington.edu/UWServicesCA.crl
>
> Signature Algorithm: sha256WithRSAEncryption
> a0:0b:58:27:ec:d5:b1:d3:76:e7:cc:b7:26:2c:5b:23:08:4f:
> 71:2a:de:16:9d:ec:7a:b2:f6:25:65:1c:c4:ea:e5:b6:d0:43:
> e0:1f:f3:22:79:d8:29:6b:f4:5c:a4:e9:48:b6:c8:93:a0:cd:
> e3:fe:3b:5a:93:ec:03:db:13:55:9a:5e:69:2f:8d:4c:82:f0:
> b1:41:33:2e:9d:81:9f:3f:52:f2:06:ee:2d:a0:93:80:d8:1d:
> 24:05:8a:b1:93:91:8e:16:32:c7:ca:f6:02:9b:5c:76:cd:dc:
> c9:51:81:74:c5:4d:fc:d1:d6:c4:08:ad:08:78:60:62:83:8a:
> 93:17
> -----BEGIN CERTIFICATE-----
> MIIFvDCCBSWgAwIBAgICMTswDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVT
> MQswCQYDVQQIEwJXQTEhMB8GA1UEChMYVW5pdmVyc2l0eSBvZiBXYXNoaW5ndG9u
> MRQwEgYDVQQLEwtVVyBTZXJ2aWNlczEXMBUGA1UEAxMOVVcgU2VydmljZXMgQ0Ex
> JjAkBgkqhkiG9w0BCQEWF2hlbHBAY2FjLndhc2hpbmd0b24uZWR1MB4XDTE3MDQw
> NTAwMTUwMVoXDTIwMDQwNjAwMTUwMVowgaYxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
> DApXYXNoaW5ndG9uMSEwHwYDVQQKDBhVbml2ZXJzaXR5IG9mIFdhc2hpbmd0b24x
> NTAzBgNVBAsMLENlbnRlciBmb3IgU3R1ZGllcyBpbiBEZW1vZ3JhcGh5IGFuZCBF
> Y29sb2d5MSgwJgYDVQQDDB9sZGFwLWNsaWVudC5jc2RlLndhc2hpbmd0b24uZWR1
> MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyYrCPPz1LVGbRVcZNaZ3
> pGy1mL9rOIqybBkkhtdBIDjOGgGnU65tTYkbDkkb1H3IdFXYLYG5qnhvXS97bUg1
> fMg318Dsi9/rtRLR2XIWybTwQXzho9LP7slERMNhCNY2dBit6KKc9Hnd+beESRjO
> TwDe6P+zEG/cQSL/Lbc0XqFewqnETEpt2L5tDC0mv/aLTPrraqJBK2Wii4x9Sk77
> alWBuzOZn1n9eNrYdEVhqYdZ9gnpa4OM2TAOeyDGlsFJ0nahP7vPbPg0ofvVDCYG
> ZVdXu1DLoJzFdMGBzRtygyw9nUqHcrbxKZNjgSTybhovjWrookiS0cHXQLhu8ksw
> tqCNxqXGUbpnanvkR+WVJdNduwRQly6o/GySAyAEIhG4r8dbrOtaidJ3uBhf/610
> 0n/iXIyYLp3hoTqTT22d0OLuVyEaCwh96W2vPzzXdfeDKnpEW4OWtmHWratY5wMS
> wrwaonOaNKj1hJs9a3qoos2hw+qcLx1FfEeqEmfY8BiJHkiDDK21GUXiMcv/F+Mk
> helR0i1avJlzaIUFEAbrBt1izP/uEKVJ+E4Z0TvzkZ3L7T9ArY2QvypUWACmBH2j
> mqz2/dOLoNwuVn+RUQehoCKR7ARIlcPed+pQYWuwa0hWAsR9I6dP1+FqDy0OM/To
> vtbcDCJ22+xHCKAKQh55JVMCAwEAAaOCAYMwggF/MAwGA1UdEwEB/wQCMAAwHQYD
> VR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQWBBRoLwXtMxrCYFcN
> /4fmxjvBYD6tljAqBgNVHREEIzAhgh9sZGFwLWNsaWVudC5jc2RlLndhc2hpbmd0
> b24uZWR1MIHBBgNVHSMEgbkwgbaAFFXXwTPG+pP4Jz3LIEv1Wo5Yl310oYGapIGX
> MIGUMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExITAfBgNVBAoTGFVuaXZlcnNp
> dHkgb2YgV2FzaGluZ3RvbjEUMBIGA1UECxMLVVcgU2VydmljZXMxFzAVBgNVBAMT
> DlVXIFNlcnZpY2VzIENBMSYwJAYJKoZIhvcNAQkBFhdoZWxwQGNhYy53YXNoaW5n
> dG9uLmVkdYIBADBBBgNVHR8EOjA4MDagNKAyhjBodHRwOi8vY2VydHMuY2FjLndh
> c2hpbmd0b24uZWR1L1VXU2VydmljZXNDQS5jcmwwDQYJKoZIhvcNAQELBQADgYEA
> oAtYJ+zVsdN258y3JixbIwhPcSreFp3serL2JWUcxOrlttBD4B/zInnYKWv0XKTp
> SLbIk6DN4/47WpPsA9sTVZpeaS+NTILwsUEzLp2Bnz9S8gbuLaCTgNgdJAWKsZOR
> jhYyx8r2Aptcds3cyVGBdMVN/NHWxAitCHhgYoOKkxc=
> -----END CERTIFICATE-----
> Issuing: openssl x509 -in ldap-client.csde.washington.edu.pem -noout -enddate
> notAfter=Apr 6 00:15:01 2020 GMT





-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nslcd depends on:
ii adduser 3.115
ii debconf [debconf-2.0] 1.5.60
ii libc6 2.24-10
ii libgssapi-krb5-2 1.15-1
ii libldap-2.4-2 2.4.44+dfsg-4+b1
ii lsb-base 9.20161125

Versions of packages nslcd recommends:
ii bind9-host [host] 1:9.10.3.dfsg.P4-12.1
ii ca-certificates 20161130
ii host 1:9.10.3.dfsg.P4-12.1
ii ldap-utils 2.4.44+dfsg-4+b1
ii libnss-ldapd [libnss-ldap] 0.9.7-2
ii libpam-ldapd [libpam-ldap] 0.9.7-2
pn nscd <none>
ii nslcd-utils 0.9.7-2

Versions of packages nslcd suggests:
pn kstart <none>

-- debconf information:
nslcd/ldap-bindpw: (password omitted)
nslcd/xdm-needs-restart:
nslcd/restart-failed:
nslcd/ldap-sasl-authcid:
nslcd/ldap-auth-type: none
nslcd/ldap-reqcert:
nslcd/ldap-binddn:
nslcd/ldap-sasl-mech:
nslcd/ldap-sasl-authzid:
nslcd/restart-services:
* nslcd/ldap-base: dc=ldi,dc=uw,dc=edu
nslcd/ldap-starttls: false
nslcd/ldap-sasl-realm:
nslcd/ldap-sasl-secprops:
nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt
nslcd/disable-screensaver:
libraries/restart-without-asking: false
* nslcd/ldap-uris: ldap://ldi.s.uw.edu
nslcd/ldap-cacertfile: /etc/ssl/certs/ca-certificates.crt
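The configuration above uses `sasl_mech EXTERNAL`, so the bind identity comes from the TLS client certificate presented during the STARTTLS handshake: libldap only makes EXTERNAL available to the SASL library once the TLS layer has established such an identity, which is why a client-certificate problem surfaces as "SASL(-4): no mechanism available" rather than as a TLS error. The script below is an added example (not code from the bug report or from nss-pam-ldapd) of the checks a practitioner would run on the tls_cacertfile/tls_cert/tls_key trio before blaming nslcd: key and certificate match, clientAuth in the Extended Key Usage, validity, chain to the CA file, and key permissions. Run with no arguments it builds a throwaway CA and client certificate with the openssl CLI (constructed test data; the hostname and paths it generates are assumptions, not the reporter's files), so it runs offline; the real paths from nslcd.conf can be passed as three arguments.

```shell
#!/bin/sh
# Pre-flight checks for the client certificate behind nslcd's
# "ssl start_tls" + "sasl_mech EXTERNAL" (tls_cacertfile/tls_cert/tls_key).
# Added example, not code from the bug report or from nss-pam-ldapd.
# With no arguments it builds a throwaway CA and client certificate with
# the openssl CLI (constructed test data, so it runs offline); pass the
# real paths to check a live setup:
#   sh cert-preflight.sh /etc/ssl/ldi/InCommonCA.crt \
#       /etc/ssl/ldi/ldi-client.crt /etc/ssl/ldi/ldi-client.key

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed CA, a client key, a CA-signed
# client cert with EKU=clientAuth, and an unrelated key that must fail
# the key/cert match check. Names here are assumptions for the example.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap-client.example.test" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' >"$WORK/ext.cnf"
  openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/ext.cnf" \
    -out "$WORK/client.crt" >/dev/null 2>&1 || return 1
  openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1 || return 1
  chmod 600 "$WORK/client.key" "$WORK/other.key"
}

# 1. tls_key must be the private half of the public key in tls_cert.
#    Both sides are printed as SubjectPublicKeyInfo PEM, so the comparison
#    works for RSA and EC keys alike.
check_key_matches() {  # <cert> <key>
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 2. SASL EXTERNAL needs a cert acceptable for client authentication: if
#    an Extended Key Usage extension is present it must include clientAuth.
check_client_auth_eku() {  # <cert>
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
  if printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
    printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' \
      | grep -q 'TLS Web Client Authentication'
  fi
}

# 3. Not expired (the thread used -enddate; -checkend does the comparison).
check_not_expired() {  # <cert>
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# 4. The cert chains to the CA bundle given as tls_cacertfile.
check_chain() {  # <cafile> <cert>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 5. nslcd reads the key as "uid nslcd"; it must not be world-readable.
#    (Readability by that particular user is not checked here.)
check_key_not_world_readable() {  # <key>
  others=$(ls -ld "$1" 2>/dev/null | cut -c8-10)
  [ "$others" = "---" ]
}

report() {  # <label> <exit status>
  if [ "$2" -eq 0 ]; then echo "PASS: $1"; else echo "FAIL: $1"; failed=$((failed + 1)); fi
}

# Run all checks; the return value is the number of failed checks.
preflight() {  # <cafile> <cert> <key>
  failed=0
  check_key_matches "$2" "$3";        report "tls_key matches tls_cert" $?
  check_client_auth_eku "$2";         report "tls_cert allows clientAuth" $?
  check_not_expired "$2";             report "tls_cert not expired" $?
  check_chain "$1" "$2";              report "tls_cert chains to tls_cacertfile" $?
  check_key_not_world_readable "$3";  report "tls_key not world-readable" $?
  return "$failed"
}

if [ $# -eq 3 ]; then
  CA=$1 CERT=$2 KEY=$3
else
  make_test_material || { echo "could not build test material (is openssl installed?)"; exit 1; }
  CA=$WORK/ca.crt CERT=$WORK/client.crt KEY=$WORK/client.key
fi
preflight "$CA" "$CERT" "$KEY"
```

None of these checks talks to the server. What the server asks for during the handshake only shows on the wire: with OpenSSL 1.1.1 or later, `openssl s_client -connect ldi.s.uw.edu:389 -starttls ldap -CAfile <cacert> -cert <cert> -key <key>` prints whether a client certificate was requested and the "Acceptable client certificate CA names" the server sent, which is the next thing to compare between a working Debian 7 host and a failing Debian 9 one.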

Arthur de Jong

Apr 26, 2017, 5:20:02 AM
On Tue, 2017-04-25 at 16:53 -0700, Matt Weatherford wrote:
> debian 7 install works fine with certificate auth.
> Debian 9 install with same config files appears to not work and
> throws these errors:
>
> Apr 25 16:41:08 nori nslcd[1376]: [52255a] <passwd(all)> failed to
> bind to LDAP server ldap://ldi.s.uw.edu: Unknown authentication
> method: SASL(-4): no mechanism available:
> Apr 25 16:41:08 nori nslcd[1376]: [52255a] <passwd(all)> no available
> LDAP server found: Unknown authentication method: Bad file descriptor
> Apr 25 16:41:13 nori nslcd[1376]: [9cf92e] <group(all)> no available
> LDAP server found: Server is unavailable: Bad file descriptor

Does running nslcd in debug mode provide more information?

> contents of /etc/nslcd.conf:
>
> uri             ldap://ldi.s.uw.edu
> ssl             start_tls
>
> tls_cacertfile  /etc/ssl/ldi/InCommonCA.crt
> tls_cert        /etc/ssl/ldi/ldi-client.crt
> tls_key         /etc/ssl/ldi/ldi-client.key
>
> sasl_mech       EXTERNAL

So the client-side certificate is used for authentication and that is
where it appears to fail.

Can you make the connection using the ldapsearch command-line tool? The
nslcd daemon does not do any TLS handling itself and only passes
configuration options to libldap but there are differences between TLS
libraries used.

Kind regards,

--
-- arthur - ade...@debian.org - https://people.debian.org/~adejong --

Matthew B. Weatherford

Apr 26, 2017, 4:10:03 PM
Arthur,

Thank you for your quick response - I really appreciate that

> Does running nslcd in debug mode provide more information?

Here's the debug output:

nslcd: [8b4567] DEBUG: connection from pid=9817 uid=0 gid=0
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [8b4567] <group/member="root"> DEBUG: ignored group member
nslcd: [7b23c6] DEBUG: connection from pid=9823 uid=0 gid=0
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [7b23c6] <group/member="root"> DEBUG: ignored group member
nslcd: [3c9869] DEBUG: connection from pid=9829 uid=0 gid=0
nslcd: [3c9869] <passwd(all)> DEBUG:
myldap_search(base="ou=accounts,ou=csde,dc=ldi,dc=uw,dc=edu",
filter="(objectClass=posixAccount)")
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_initialize(ldap://ldi.s.uw.edu)
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_start_tls_s()
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_sasl_interactive_bind_s(NULL,"EXTERNAL") (uri="ldap://ldi.s.uw.edu")
nslcd: [3c9869] <passwd(all)> failed to bind to LDAP server
ldap://ldi.s.uw.edu: Unknown authentication method: SASL(-4): no
mechanism available: : No such file or directory
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_unbind()
nslcd: [3c9869] <passwd(all)> no available LDAP server found, sleeping 1
seconds
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_initialize(ldap://ldi.s.uw.edu)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_start_tls_s()
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_sasl_interactive_bind_s(NULL,"EXTERNAL") (uri="ldap://ldi.s.uw.edu")
nslcd: [3c9869] <passwd(all)> failed to bind to LDAP server
ldap://ldi.s.uw.edu: Unknown authentication method: SASL(-4): no
mechanism available:
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_unbind()
nslcd: [3c9869] <passwd(all)> no available LDAP server found, sleeping 1
seconds
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_initialize(ldap://ldi.s.uw.edu)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_start_tls_s()
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_sasl_interactive_bind_s(NULL,"EXTERNAL") (uri="ldap://ldi.s.uw.edu")
nslcd: [3c9869] <passwd(all)> failed to bind to LDAP server
ldap://ldi.s.uw.edu: Unknown authentication method: SASL(-4): no
mechanism available:
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_unbind()
nslcd: [3c9869] <passwd(all)> no available LDAP server found, sleeping 1
seconds
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_initialize(ldap://ldi.s.uw.edu)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_start_tls_s()
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_sasl_interactive_bind_s(NULL,"EXTERNAL") (uri="ldap://ldi.s.uw.edu")
nslcd: [3c9869] <passwd(all)> failed to bind to LDAP server
ldap://ldi.s.uw.edu: Unknown authentication method: SASL(-4): no
mechanism available:
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_unbind()
nslcd: [3c9869] <passwd(all)> no available LDAP server found, sleeping 1
seconds
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_initialize(ldap://ldi.s.uw.edu)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_start_tls_s()
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_sasl_interactive_bind_s(NULL,"EXTERNAL") (uri="ldap://ldi.s.uw.edu")
nslcd: [3c9869] <passwd(all)> failed to bind to LDAP server
ldap://ldi.s.uw.edu: Unknown authentication method: SASL(-4): no
mechanism available:
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_unbind()
nslcd: [3c9869] <passwd(all)> no available LDAP server found, sleeping 1
seconds
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_initialize(ldap://ldi.s.uw.edu)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_start_tls_s()
nslcd: [3c9869] <passwd(all)> DEBUG:
ldap_sasl_interactive_bind_s(NULL,"EXTERNAL") (uri="ldap://ldi.s.uw.edu")
nslcd: [3c9869] <passwd(all)> failed to bind to LDAP server
ldap://ldi.s.uw.edu: Unknown authentication method: SASL(-4): no
mechanism available:
nslcd: [3c9869] <passwd(all)> DEBUG: ldap_unbind()
nslcd: [3c9869] <passwd(all)> no available LDAP server found: Unknown
authentication method: Bad file descriptor

nslcd: [334873] DEBUG: connection from pid=9823 uid=0 gid=0
nslcd: [334873] <passwd="*"> request denied by validnames option


I did a ssh login as root, and a "getent passwd" and got the above output.



>> contents of /etc/nslcd.conf:
>>
>> uri ldap://ldi.s.uw.edu
>> ssl start_tls
>>
>> tls_cacertfile /etc/ssl/ldi/InCommonCA.crt
>> tls_cert /etc/ssl/ldi/ldi-client.crt
>> tls_key /etc/ssl/ldi/ldi-client.key
>>
>> sasl_mech EXTERNAL
> So the client-side certificate is used for authentication and that is
> where it appears to fail.
>
> Can you make the connection using the ldapsearch command-line tool? The
> nslcd daemon does not do any TLS handling itself and only passes
> configuration options to libldap but there are differences between TLS
> libraries used.
>
ldapsearch does not work either, see:

root@nori:~/UW-LDI# ./ldiauth
+ UNIT=csde
+ UNIT_ADMIN_CERT=./ldap-admin.csde.washington.edu.pem
+ UNIT_ADMIN_KEY=./ldap-admin.csde.washington.edu.key
+ LDI_SERVER=ldap://ldi.s.uw.edu
+ [ -f ./ldap-admin.csde.washington.edu.pem -a -f
./ldap-admin.csde.washington.edu.key ]
+ export LDAPTLS_CERT=./ldap-admin.csde.washington.edu.pem
+ export LDAPTLS_KEY=./ldap-admin.csde.washington.edu.key
+ AUTH=-QY EXTERNAL
+ [ 0 -eq 0 ]
+ ldapsearch -ZH ldap://ldi.s.uw.edu -QY EXTERNAL -LLL -s base -b
cn=unitAdmin,ou=auth,ou=csde,dc=ldi,dc=uw,dc=edu
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
+ ldapsearch -ZH ldap://ldi.s.uw.edu -QY EXTERNAL -LLL -s base -b
cn=AdminAccess,ou=auth,ou=csde,dc=ldi,dc=uw,dc=edu
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
+ ldapsearch -ZH ldap://ldi.s.uw.edu -QY EXTERNAL -LLL -s base -b
cn=BasicAccess,ou=auth,ou=csde,dc=ldi,dc=uw,dc=edu
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
+ exit 0
root@nori:~/UW-LDI#

Matthew B. Weatherford

Apr 26, 2017, 4:20:03 PM
One other thought here...

I generated the certificate signing request (CSR) for the certs using
openssl, like this:

openssl req -new -nodes -newkey rsa:4096 -keyout hostname.key -out hostname.csr

I thought I read somewhere that openssl was no longer recommended for
debian certs and we are to use gnutils or something now?


And I don't have these certs in the "Debian Standard" cert locations;
they are instead inside a directory I created called /etc/ssl/ldi/

Matt Weatherford

Apr 27, 2017, 11:40:02 PM
Arthur,

I'm sure you have many, many other projects going but I am motivated to
solve this problem - is there anything else I can try on my side? I've
sent you nslcd debug info ... anything else I can do?

do you know of anyone who has a working cert-based auth on debian 9?

thanks,

Matt

Arthur de Jong

May 2, 2017, 3:10:03 PM
On Thu, 2017-04-27 at 20:25 -0700, Matt Weatherford wrote:
> I'm sure you have many, many other projects going but I am motivated
> to solve this problem - is there anything else I can try on my
> side?  I've sent you nslcd debug info ...  anything else I can do?

Sorry for not replying sooner. Your ldapsearch output shows that at
least the problem is not per se in nss-pam-ldapd ;)

To get more debugging info from nslcd you could specify -d twice when
running nslcd. This also enables extra debugging in libldap which
produces a lot of output but I don't think it will include extra debug
output of the TLS library (GnuTLS on Debian).

For ldapsearch you could try passing -d1 to get debug output. I assume
the ldapsearch in your script works on older versions? From my
experience I think the certificates and keys can only be configured in
a configuration file (e.g. ldaprc in the current directory).

Maybe comparing the debug output from Debian 7 and 9 will provide some
more insights?

One thing that you could try is add the DN to bind as as binddn instead
of leaving it empty. You should probably be able to get the DN from an
ldapwhoami query on older versions of Debian.

Another thing that could help is looking in the server logs to see if
any problem is logged there (it could be a TLS version or cipher-suite
mismatch).

I don't think there should be many issues with how the key, CSR and CRT
are generated. GnuTLS should be able to handle files generated by
OpenSSL as far as I know. Location of the files should also not be
an issue.

I have not done client certificate authentication recently and not on
Debian.

Matthew B. Weatherford

May 2, 2017, 9:10:03 PM
Arthur,

Thanks for the tips

I put several hours in to this problem today and am still stumped.

Now I am simply trying to connect to our university's openLDAP server
with PASSWORD auth, and that fails.
It fails on Debian 8 and Debian 9 but works on a colleague's Debian 7
Raspberry PI.

Here is a diff of the two debug outputs from ldapsearch when providing
my admin password: one for Debian 8 and one for Raspbian (deb7)

http://www.mergely.com/DDFOIIQR/



I also was able to find a debian 9 tool to dump the cipher suites that
the LDI server allows, but haven't figured out how to tell what the
debian 8/9 clients are using... but if I can't even password auth then
something is really broken here.


> root@ldi-deb9-test:~/UW-LDI# gnutls-cli-debug -V --app-proto ldap -p
> 389 ldi.s.uw.edu
> GnuTLS debug client 3.5.8
> Checking ldi.s.uw.edu:389
> for SSL 3.0 (RFC6101) support... no
> whether we need to disable TLS 1.2... no
> whether we need to disable TLS 1.1... no
> whether we need to disable TLS 1.0... no
> whether %NO_EXTENSIONS is required... no
> whether %COMPAT is required... no
> for TLS 1.0 (RFC2246) support... yes
> for TLS 1.1 (RFC4346) support... yes
> for TLS 1.2 (RFC5246) support... yes
> fallback from TLS 1.6 to... TLS1.2
> for inappropriate fallback (RFC7507) support... yes
> for certificate chain order... sorted
>
> for trusted CAs...
> for safe renegotiation (RFC5746) support... yes
> for encrypt-then-MAC (RFC7366) support... no
> for ext master secret (RFC7627) support... no
> for heartbeat (RFC6520) support... no
> for version rollback bug in RSA PMS... dunno
> for version rollback bug in Client Hello... no
> whether the server ignores the RSA PMS version... yes
> whether small records (512 bytes) are tolerated on handshake... yes
> whether cipher suites not in SSL 3.0 spec are accepted... yes
> whether a bogus TLS record version in the client hello is accepted... yes
> whether the server understands TLS closure alerts... partially
> whether the server supports session resumption... no
> for anonymous authentication support... no
> for ephemeral Diffie-Hellman support... yes
> ephemeral Diffie-Hellman group info... saved in
> debug-dh.out
> for ephemeral EC Diffie-Hellman support... yes
> for curve SECP256r1 (RFC4492)... yes
> for curve SECP384r1 (RFC4492)... no
> for curve SECP521r1 (RFC4492)... no
> for curve X25519 (draft-ietf-tls-rfc4492bis-07)... no
> for AES-128-GCM cipher (RFC5288) support... yes
> for AES-128-CCM cipher (RFC6655) support... no
> for AES-128-CCM-8 cipher (RFC6655) support... no
> for AES-128-CBC cipher (RFC3268) support... yes
> for CAMELLIA-128-GCM cipher (RFC6367) support... no
> for CAMELLIA-128-CBC cipher (RFC5932) support... no
> for 3DES-CBC cipher (RFC2246) support... yes
> for ARCFOUR 128 cipher (RFC2246) support... yes
> for CHACHA20-POLY1305 cipher (RFC7905) support... no
> for MD5 MAC support... yes
> for SHA1 MAC support... yes
> for SHA256 MAC support... yes
> for ZLIB compression support... no
> for max record size (RFC6066) support... no
> for OCSP status response (RFC6066) support... no
> for OpenPGP authentication (RFC6091) support... no
> root@ldi-deb9-test:~/UW-LDI#

Matt

Matt Weatherford

May 5, 2017, 2:10:03 AM
Update: I logged this bug further down the stack, as it was also
affecting the "ldap-utils" package (ldapsearch and ldapwhoami also)

I got some feedback that led us to determine that our LDAP server on
CentOS was offering up a LOT of certificate options... scaling those
back made the system including nslcd work again.

the other bug is Bug#861838

Thanks Arthur for the help in getting started on the debugging process
for this.

Matt

Arthur de Jong

May 6, 2017, 2:30:03 PM
On Thu, 2017-05-04 at 23:01 -0700, Matt Weatherford wrote:
> Update:  I logged this bug further down the stack, as it was also 
> affecting the "ldap-utils" package (ldapsearch and ldapwhoami also)
>
> I got some feedback that led us to determine that our LDAP server on 
> CentOS was offering up a LOT of certificate options... scaling those 
> back made the system including nslcd work again.
>
> the other bug is Bug#861838

Thanks for following up. Since the bug is not in nss-pam-ldapd I am
inclined to close this bug report. Any progress on this can be tracked
in #861838 further.

Thanks,

Matt Weatherford

May 6, 2017, 3:10:03 PM
Makes sense to me! Thank you for all your work supporting debian ;)
Matt