Re: [nssldap] Using tls_cert/key without rootbinddn

[Howard Chu <hyc [at] highlandsun.com>]

Iain Morgan wrote:
> Hello,
>
> I'm attempting to configure nss_ldap/pam_ldap to use a client SSL cert
> when binding to Sun's Directory Server. The intent is to avoid using
> rootbinddn and binddn altogether.
>
> While I can successfully bind to the server using the client cert, the
> client immediately attempts to rebind using simple authentication:
>
> [21/Feb/2007:10:45:03 -0800] conn=3829 op=-1 msgId=-1 - fd=17 slot=17
> LDAPS connection from 10.2.9.13:31250 to 10.2.9.209
> [21/Feb/2007:10:45:03 -0800] conn=3829 op=-1 msgId=-1 - SSL 56-bit
> RC4-56; client CN=HEC Proxy,OU=Proxy,O=NASA Advanced Supercomputing 
> Division; issuer CN=Temporary CA,O=NASA Advanced Supercomputing 
> Division
> [21/Feb/2007:10:45:03 -0800] conn=3829 op=-1 msgId=-1 - SSL client bound
> as cn=HEC Proxy,ou=Proxy,dc=nas,dc=nasa,dc=gov
> [21/Feb/2007:10:45:03 -0800] conn=3829 op=0 msgId=1 - BIND dn=""
> method=128 version=3
> [21/Feb/2007:10:45:03 -0800] conn=3829 op=0 msgId=1 - RESULT err=0
> tag=97 nentries=0 etime=0 dn=""
>
> The /etc/ldap.conf is simply:
>
> uri ldaps://linux09.nas.nasa.gov
> base dc=nas,dc=nasa,dc=gov
> ldap_version 3
>
> pam_password clear
>
> ssl on
> tls_cert /etc/ssl/private/HEC_client.pem
> tls_key /etc/ssl/private/HEC_client.key
>
> Is there any way to avoid this apparent rebinding?
>   
You need to configure nss_ldap to use SASL binds. But in the version I'm 
looking at (248, pretty old) it only supports SASL/GSSAPI, and you want 
it to use SASL/EXTERNAL. Patching "GSSAPI" to "EXTERNAL" would be 
sufficient in ldap-nss.c:do_bind(). Really the mechanism ought to be a 
config keyword.

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 Chief Architect, OpenLDAP     http://www.openldap.org/project/