Old 04-08-2011, 09:08 AM
Bob McKay
 
StartTLS with F14, 389-console and system-config-authentication

I'm trying to set up authentication between a Fedora 14 client and server using ldap passwords. I seem to be having a problem getting the server to accept startTLS. It has all been set up with 389-console and system-config-authentication.


In more detail, I set up the client using system-config-authentication to use LDAP for the user account authentication, TLS to encrypt connections, and LDAP passwords. I set the LDAP server to ldap://<server name>. All this seems to be working OK; on the server (Wireshark) I can see the initial LDAP handshake on port 389, as expected. The problem seems to start at the next stage. I see a TCP packet to port 389 from the client, protocol LDAP, Info extendedReq(1) LDAP_START_TLS_OID, which I assume is the request packet from the client to start the TLS handshake. I see a TCP ack from the server, but this is immediately followed by a protocol LDAP message from the server to the client, extendedResp(1) (unsupported extended operation). I assume this is a failure message. However the client replies with an SSLv2 Client Hello. There is never an SSL response,


On the client, I see in the logs
ssd[be[LDAP]]: Could not start TLS encryption. unsupported extended operation
which I assume confirms that the attempt to start up TLS failed.

In the server dirsrv access log, I see:


[08/Apr/2011:16:40:46 +0900] conn=12 fd=64 slot=64 connection from 192.168.1.7 to 192.168.1.192
[08/Apr/2011:16:40:46 +0900] conn=12 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[08/Apr/2011:16:40:46 +0900] conn=12 op=0 RESULT err=2 tag=120 nentries=0 etime=0

[08/Apr/2011:16:40:46 +0900] conn=12 op=-1 fd=64 closed error 71 (Protocol error) - B1

and in the error log (logging verbosity turned up a bit) I see

[08/Apr/2011:17:13:22 +0900] - new connection on 64
[08/Apr/2011:17:13:22 +0900] - activity on 64r

[08/Apr/2011:17:13:22 +0900] - read activity on 64
[08/Apr/2011:17:13:22 +0900] - conn 16 activity level = 0
[08/Apr/2011:17:13:22 +0900] - listener got signaled
[08/Apr/2011:17:13:22 +0900] - flush_ber() wrote 44 bytes to socket 64

[08/Apr/2011:17:13:22 +0900] - activity on 64r
[08/Apr/2011:17:13:22 +0900] - read activity on 64
[08/Apr/2011:17:13:22 +0900] - conn=16 received a non-LDAP message (tag 0x80, expected 0x30)
[08/Apr/2011:17:13:22 +0900] - conn 16 leaving turbo mode due to 3

[08/Apr/2011:17:13:22 +0900] - listener got signaled


All this seems to suggest that either I don't have startTLS built into my installation of 389, or I'm somehow failing to enable it. However I can't see any plugin in yum that would help, and the only place I can see (at least in 389-console) that looks like it could affect this is the Domain name "Secure connection" checkbox. However I've tried toggling this and I see exactly the same behaviour either way (I'm guessing that the checkbox actually enables SSL support on port 636, but the documentation isn't too clear on this).


One possibility, that I'm not too sure how to check, is that the (self-signed) CA certificate or the server certificate might be bad. However they look fine on dumping, and both appear to be installed in the server. And hopefully, I would have got rather more informative log messages in this case. I'm not too sure how to test this locally on the server, any pointers on how to do this would be great.


Any help anyone can give on this would be _hugely_ appreciated - I am now three days in on what looked like it was supposed to be a straightforward install, with no real progress, and getting further behind on other urgent stuff. Urrgggg.


System:
Client and server:
F14, 2.6.35.11-83.fc14.x86_64 kernel

Server:
slapd 2.4.23

Client:
sssd 64-bit 1.5.4-1.fc14


Best Wishes
Bob

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 04-08-2011, 06:10 PM
Rich Megginson
 
StartTLS with F14, 389-console and system-config-authentication

On 04/08/2011 03:08 AM, Bob McKay wrote:
I'm trying to set up authentication between a Fedora
14 client and server using ldap passwords. I seem to be having a
problem getting the server to accept startTLS. It has all been set
up with 389-console and system-config-authentication.



In more detail, I set up the client using
system-config-authentication, to use LDAP for the user account
authentication, TLS to encrypt connections, and LDAP passwords. I
set the LDAP server to ldap://<server name>. All this seems
to be working OK, on the server (wireshark) I can see the initial
ldap handshake on port 389, as expected. The problem seems to
start at the next stage. I see a tcp packet to port 389 from the
client, protocol LDAP, Info extendedReq(1) LDAP_START_TLS_OID,
which I assume is the request packet from the client to start the
TLS handshake. I see a TCP ack from the server, but this is
immediately followed by a protocol LDAP message from the server to
the client, extendedResp(1) (unsupported extended operation). I
assume this is a failure message. However the client replies with
an SSLv2 Client Hello. There is never an SSL response,



On the client, I see in the logs

ssd[be[LDAP]]: Could not start TLS encryption. unsupported
extended operation

which I assume confirms that the attempt to start up TLS failed.



In the server dirsrv access log, I see:



[08/Apr/2011:16:40:46 +0900] conn=12 fd=64 slot=64 connection from
192.168.1.7 to 192.168.1.192

[08/Apr/2011:16:40:46 +0900] conn=12 op=0 EXT
oid="1.3.6.1.4.1.1466.20037"

[08/Apr/2011:16:40:46 +0900] conn=12 op=0 RESULT err=2 tag=120
nentries=0 etime=0

[08/Apr/2011:16:40:46 +0900] conn=12 op=-1 fd=64 closed error 71
(Protocol error) - B1



and in the error log (logging verbosity turned up a bit) I see



[08/Apr/2011:17:13:22 +0900] - new connection on 64

[08/Apr/2011:17:13:22 +0900] - activity on 64r

[08/Apr/2011:17:13:22 +0900] - read activity on 64

[08/Apr/2011:17:13:22 +0900] - conn 16 activity level = 0

[08/Apr/2011:17:13:22 +0900] - listener got signaled

[08/Apr/2011:17:13:22 +0900] - flush_ber() wrote 44 bytes to
socket 64

[08/Apr/2011:17:13:22 +0900] - activity on 64r

[08/Apr/2011:17:13:22 +0900] - read activity on 64

[08/Apr/2011:17:13:22 +0900] - conn=16 received a non-LDAP message
(tag 0x80, expected 0x30)

[08/Apr/2011:17:13:22 +0900] - conn 16 leaving turbo mode due to 3

[08/Apr/2011:17:13:22 +0900] - listener got signaled





All this seems to suggest that either I don't have startTLS built
into my installation of 389,
That's not it.

or I'm somehow failing to enable it.
That's it.

However I can't see any plugin in yum that would help,
and the only place I can see (at least in 389-console) that looks
like it could affect this is the Domain name "Secure connection"
checkbox. However I've tried toggling this and I see exactly the
same behaviour either way (I'm guessing that the checkbox actually
enables SSL support on port 636, but the documentation isn't too
clear on this).



One possibility, that I'm not too sure how to check, is that the
(self-signed) CA certificate or the server certificate might be
bad. However they look fine on dumping, and both appear to be
installed in the server.
How are you checking? How did you enable security for 389?



Did you read
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#SecureConnections
?

And hopefully, I would have got rather more
informative log messages in this case. I'm not too sure how to
test this locally on the server, any pointers on how to do this
would be great.



Any help anyone can give on this would be _hugely_ appreciated - I
am now three days in on what looked like it was supposed to be a
straightforward install, with no real progress, and getting
further behind on other urgent stuff. Urrgggg.



System:

Client and server:

F14, 2.6.35.11-83.fc14.x86_64 kernel



Server:

slapd 2.4.23


This is the openldap version - try

rpm -qi 389-ds-base



Client:

sssd 64-bit 1.5.4-1.fc14





Best Wishes

Bob




--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
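Two things in this exchange lend themselves to a stand-alone check: Bob's question of how to test StartTLS locally on the server, and Rich's question of how security was enabled and how the certificates were checked. The following is an added example, not code from either poster, from sssd, or from the 389 project. Using only the Python standard library it sends the StartTLS extended request that the access log records as `EXT oid="1.3.6.1.4.1.1466.20037"`, decodes the server's ExtendedResponse (application tag 0x78, which the access log prints as `tag=120`; `err=2` is LDAP resultCode protocolError), and, only if the server accepted the request, completes the TLS handshake while verifying the server certificate against a CA file. The `build_extended_response` helper exists solely to construct a sample reply for offline use, the `classify_first_byte` helper explains the "tag 0x80, expected 0x30" line from the error log, and the server name and CA file path are placeholders you supply.

```python
"""Stand-alone StartTLS probe and LDAP ExtendedResponse decoder (standard library only)."""
import socket
import ssl
import sys

START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # the OID in the access log line 'EXT oid=...'
RESULT_CODES = {0: "success", 2: "protocolError", 53: "unwillingToPerform"}  # RFC 4511

def ber_len(n):
    """BER length: short form below 128, long form (0x80|N followed by N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag, payload):
    """Wrap payload in a BER tag / length / value triple."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_read(buf, pos=0):
    """Decode one TLV at buf[pos]; return (tag, value, position just after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, START_TLS_OID.encode("ascii")))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ext_req)

def build_extended_response(msg_id, result_code, diagnostic):
    """ExtendedResponse [APPLICATION 24] = tag 0x78 = the 'tag=120' of the access log.
    Only used here to construct sample input that mirrors the server's refusal."""
    ext_resp = ber_tlv(0x78, ber_tlv(0x0A, bytes([result_code]))      # ENUMERATED resultCode
                       + ber_tlv(0x04, b"")                           # matchedDN (empty)
                       + ber_tlv(0x04, diagnostic.encode("utf-8")))   # diagnosticMessage
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ext_resp)

def parse_extended_response(msg):
    """Decode the server's reply to the StartTLS request into a small dict."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not an LDAP message: tag 0x%02x, expected 0x30" % tag)
    _, mid, pos = ber_read(body)
    op_tag, op, _ = ber_read(body, pos)
    if op_tag != 0x78:
        raise ValueError("protocolOp tag 0x%02x is not an ExtendedResponse" % op_tag)
    _, code, pos = ber_read(op)          # resultCode
    _, _matched_dn, pos = ber_read(op, pos)
    _, diag, _ = ber_read(op, pos)       # diagnosticMessage, e.g. "unsupported extended operation"
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": rc,
            "result_name": RESULT_CODES.get(rc, "other"),
            "diagnostic": diag.decode("utf-8", "replace")}

def classify_first_byte(b):
    """What a client's first byte on port 389 is (cf. 'tag 0x80, expected 0x30' in the error log)."""
    if b == 0x30:
        return "LDAP message (BER SEQUENCE)"
    if b == 0x16:
        return "TLS handshake record (TLS started without a StartTLS exchange)"
    if b & 0x80:
        return "SSLv2-style record header (client hello sent although StartTLS was refused)"
    return "unknown"

def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
    return data

def recv_ldap_message(sock):
    """Read exactly one BER-framed LDAPMessage: tag, length, then the body."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + recv_exact(sock, length)

def probe_starttls(host, port=389, cafile=None, timeout=5):
    """Send StartTLS; if the server accepts, finish the TLS handshake and verify the chain."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        result = parse_extended_response(recv_ldap_message(sock))
        if result["result_code"] != 0:
            return result                 # e.g. {'result_name': 'protocolError', ...}
        ctx = ssl.create_default_context(cafile=cafile)   # cafile: your own CA cert (PEM)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["tls_version"] = tls.version()
            result["peer_subject"] = tls.getpeercert().get("subject")
    return result

if __name__ == "__main__":
    # python starttls_probe.py <server> [ca.pem]  -- placeholders, substitute your own values
    print(probe_starttls(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it as `python starttls_probe.py <server> /path/to/ca.pem`: a refusal comes back as a dict with `result_name` set to `protocolError` and the server's diagnostic text, while a server with security enabled returns the negotiated TLS version and the certificate subject, which also exercises the CA and server certificates Bob was unsure about. A constructed refusal with the diagnostic "unsupported extended operation" encodes to 44 bytes, consistent with the `flush_ber() wrote 44 bytes` line in the error log, which is a cheap sanity check that the decoder is reading the right frame. The OpenLDAP client equivalent is `ldapsearch -x -ZZ -H ldap://<server> -b "" -s base`, where `-ZZ` makes the search fail unless StartTLS succeeds.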
 
