Re: [nssldap] Using tls_cert/key without rootbinddn
- From: Howard Chu <hyc [at] highlandsun.com>
- To: Iain Morgan <imorgan [at] nas.nasa.gov>
- Cc: nssldap [at] padl.com
- Subject: Re: [nssldap] Using tls_cert/key without rootbinddn
- Date: Wed, 21 Feb 2007 13:04:20 -0800
Iain Morgan wrote:
Hello,
I'm attempting to configure nss_ldap/pam_ldap to use a client SSL cert
when binding to Sun's Directory Server. The intent is to avoid using
rootbinddn and binddn altogether.
While I can successfully bind to the server using the client cert, the
client immediately attempts to rebind using simple authentication:
[21/Feb/2007:10:45:03 -0800] conn=3829 op=-1 msgId=-1 - fd=17 slot=17 LDAPS connection from 10.2.9.13:31250 to 10.2.9.209
[21/Feb/2007:10:45:03 -0800] conn=3829 op=-1 msgId=-1 - SSL 56-bit RC4-56; client CN=HEC Proxy,OU=Proxy,O=NASA Advanced Supercomputing Division; issuer CN=Temporary CA,O=NASA Advanced Supercomputing Division
[21/Feb/2007:10:45:03 -0800] conn=3829 op=-1 msgId=-1 - SSL client bound as cn=HEC Proxy,ou=Proxy,dc=nas,dc=nasa,dc=gov
[21/Feb/2007:10:45:03 -0800] conn=3829 op=0 msgId=1 - BIND dn="" method=128 version=3
[21/Feb/2007:10:45:03 -0800] conn=3829 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
The /etc/ldap.conf is simply:
uri ldaps://linux09.nas.nasa.gov
base dc=nas,dc=nasa,dc=gov
ldap_version 3
pam_password clear
ssl on
tls_cert /etc/ssl/private/HEC_client.pem
tls_key /etc/ssl/private/HEC_client.key
Is there any way to avoid this apparent rebinding?
You need to configure nss_ldap to use SASL binds. But in the version I'm
looking at (248, pretty old) it only supports SASL/GSSAPI, and you want
it to use SASL/EXTERNAL. Patching "GSSAPI" to "EXTERNAL" would be
sufficient in ldap-nss.c:do_bind(). Really the mechanism ought to be a
config keyword.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
Chief Architect, OpenLDAP http://www.openldap.org/project/
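The rebind in the log above is recorded as method=128, which is the BER tag value (0x80) of the simple choice in an LDAPv3 BindRequest; a SASL bind carries choice [3] (tag 0xA3) with the mechanism name inside, and that is what the fix Howard describes would make the client send. Added example, not code from this thread or from nss_ldap: a small C encoder/decoder (assumes short-form DER lengths, which these messages satisfy) that builds the anonymous simple bind from the log beside a SASL/EXTERNAL bind and reads the choice tag and mechanism back, so the two can be told apart in a packet capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 4511: BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
 *   authentication CHOICE { simple [0] OCTET STRING, sasl [3] SEQUENCE { mechanism, creds? } } }
 * Assumption: every length fits the one-byte short form (< 128 bytes). */
static size_t put_tlv(uint8_t *out, uint8_t tag, const uint8_t *val, size_t len) {
    out[0] = tag; out[1] = (uint8_t)len;
    if (len) memcpy(out + 2, val, len);
    return 2 + len;
}

/* Encode a version-3 bind for dn; mech == NULL gives a simple bind with an empty
 * password (the "BIND dn=\"\" method=128" from the log), otherwise a SASL bind. */
size_t encode_bind(uint8_t *out, const char *dn, const char *mech) {
    uint8_t body[128], ver = 3; size_t n = 0;
    n += put_tlv(body + n, 0x02, &ver, 1);                              /* version INTEGER */
    n += put_tlv(body + n, 0x04, (const uint8_t *)dn, strlen(dn));      /* name */
    if (mech == NULL) {
        n += put_tlv(body + n, 0x80, NULL, 0);                           /* simple [0], empty */
    } else {
        uint8_t sasl[64]; size_t m = 0;
        m += put_tlv(sasl + m, 0x04, (const uint8_t *)mech, strlen(mech)); /* mechanism */
        n += put_tlv(body + n, 0xA3, sasl, m);                           /* sasl [3] */
    }
    return put_tlv(out, 0x60, body, n);                                  /* [APPLICATION 0] */
}

/* Return the authentication choice tag (0x80 simple, 0xA3 SASL) or 0 if malformed. */
int bind_auth_tag(const uint8_t *msg, size_t len) {
    size_t p = 2;
    if (len < 2 || msg[0] != 0x60) return 0;
    if (p + 2 > len || msg[p] != 0x02) return 0; p += 2 + msg[p + 1];  /* skip version */
    if (p + 2 > len || msg[p] != 0x04) return 0; p += 2 + msg[p + 1];  /* skip name */
    return p < len ? msg[p] : 0;
}

/* Copy the SASL mechanism name into buf; returns its length or -1 if not a SASL bind. */
int bind_sasl_mech(const uint8_t *msg, size_t len, char *buf, size_t bufsz) {
    size_t p = 2; int l;
    if (bind_auth_tag(msg, len) != 0xA3) return -1;
    p += 2 + msg[p + 1]; p += 2 + msg[p + 1];                           /* version, name */
    p += 2;                                                             /* into SASL SEQUENCE */
    if (p + 2 > len || msg[p] != 0x04) return -1;
    l = msg[p + 1];
    if (p + 2 + l > len || (size_t)l + 1 > bufsz) return -1;
    memcpy(buf, msg + p + 2, l); buf[l] = 0;
    return l;
}
```

Feed the function the first message a client sends after the TLS handshake and the tag tells you whether the client is still falling back to a simple bind.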