>sigh< It's amazing what you see as you hit the Send button...

Here is my ldap.conf file:

TLS_CACERTDIR   /opt/issinc/local/certs/nssdb
TLS_KEY         /opt/issinc/local/certs/.nss_tmp_pwd
TLS_REQCERT     allow

It did have TLS_REQCERT=demand, which was apparently causing the attempt to
load the private key, etc. Setting it to allow got rid of the TLS messages,
but didn't change the result.

Here's what the debug output looks like now:

55fb193d ==> translucent_search: <dc=acme,dc=com>
(&(objectClass=organizationalPerson)(|(givenName=john.doe)(sn=john.doe)(sAMAccountName=john.doe)(userPrincipalName=john.doe)))
55fb193d =>ldap_back_getconn: conn 0x7f1a041a9960 fetched refcnt=1.
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
55fb193d send_ldap_result: conn=1009 op=1 p=3
55fb193d send_ldap_result: err=52 matched="" text="Proxy operation retry failed"
55fb193d send_ldap_result: conn=1009 op=1 p=3
55fb193d send_ldap_result: err=52 matched="" text=""


On Thu, Sep 17, 2015 at 1:43 PM, Ernie Kovak <[email protected]> wrote:

> Hello -
>
> I'm running openldap 2.4.39 on centos 7, using the translucent overlay and
> moznss for connections to the backend Active Directory server. When I issue
> a search request for users in the backend directory I get no results and a
> "server not available" error - see the debug output below.
>
> The same slapd.conf configuration, but on centos 5.10 and using OpenSSL,
> works correctly. So, I imagine it's related to moznss.
>
> I've verified (firewall logs) that openldap successfully connects to the
> backend on startup, but not when the search request is submitted. It looks
> like it's trying to use client-authenticated TLS, even though the backend
> is not set up for that??
>
> Any ideas?
>
> Thanks!
> Ernie
>
>
> ===============================================================================================
> slapd.conf
>
> ===============================================================================================
> include   /etc/openldap/schema/core.schema
> include   /etc/openldap/schema/cosine.schema
> include   /etc/openldap/schema/inetorgperson.schema
> include   /etc/openldap/schema/ppolicy.schema
> include   /etc/openldap/schema/we_person_and_npe.schema
>
> pidfile   /var/run/openldap/slapd.pid
>
> loglevel    stats
> #loglevel   -1
> #loglevel   trace conns filter stats
>
> # Path to dynamic modules:
> modulepath /usr/lib64/openldap
> moduleload back_mdb
> moduleload back_ldap
> moduleload translucent
> moduleload accesslog
> moduleload auditlog
> moduleload valsort
> moduleload ppolicy
> moduleload memberof
>
> # TLS server certs (TLS client config is in ldap.conf)
> #TLSCACertificateFile    /opt/acme/global/certs/ca/ca.pem
> #TLSCertificateFile      /opt/acme/global/certs/server-cert.pem
> #TLSCertificateKeyFile   /opt/acme/global/certs/server-key.pem
>
> # not working in our docker container since openldap is linked against NSS and not OpenSSL
> #TLSCipherSuite          TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL:!SSLv2
>
> # path of the directory containing the NSS certificate and key database files
> TLSCACertificatePath /opt/acme/local/certs/nssdb/
>
> # specifies the name of the certificate to use
> TLSCertificateFile server
>
> # name of a file that contains the password for the key for the certificate specified with TLSCertificateFile
> TLSCertificateKeyFile /opt/acme/local/certs/.nss_tmp_pwd  (contains clear text password for keystore and server cert private key)
>
> access to dn.base="" by * read
> access to dn.base="cn=Subschema" by * read
> access to attrs=clearance,citizenship,sciControl
>   by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
>   by dn="cn=npe-sts,ou=NPEs,ou=Native,dc=acme,dc=com" read
> access to attrs=gimmeeOrg,gimmeeRegion,gimmeeTopic,gimmeeIsAICP,gimmeeGroup,gimmeeProject,gimmeeProjectGroup
>   by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
>   by dn="cn=npe-sts,ou=NPEs,ou=Native,dc=acme,dc=com" read
> access to attrs=UUID
>   by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
>     by users read
> access to attrs=userPassword
>   by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
>     by self write
>     by anonymous auth
> access to attrs=currentLoginDate,lastLoginDate,lastFailedLoginDate,currentLoginIpAddr,lastLoginIpAddr,lastFailedLoginIpAddr
>   by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
>   by dn="cn=npe-openid,ou=NPEs,ou=Native,dc=acme,dc=com" write
>   by users read
> access to *
>   by dn="cn=npe-user-mgmt,ou=NPEs,ou=Native,dc=acme,dc=com" write
>     by users read
>     by anonymous auth
>
> #######################################################################
> # Database for Native accounts (NPEs and users)
> #######################################################################
>
> database    mdb
> suffix      "ou=Native,dc=acme,dc=com"
> rootdn      "cn=weAdmin,dc=acme,dc=com"
> directory   "/opt/acme/global/data/openldap/db/native-user-db"
> subordinate
> index       objectClass                 eq,pres
> index       ou,cn,mail,surname          eq,pres,sub
> index       clearance,scicontrol        eq,pres,sub
> index       citizenship                 eq,pres,sub
> password-hash   {SSHA}
>
> # Apply password policy overlay to Native accounts, with a default policy.
> overlay         ppolicy
> ppolicy_default "cn=default,ou=Policies,ou=Native,dc=acme,dc=com"
> ppolicy_use_lockout
> ppolicy_hash_cleartext
>
> #######################################################################
> # Database for additional attributes for enterprise accounts.
> #######################################################################
>
> database    mdb
> suffix      "dc=acme,dc=com"
> rootdn      "cn=weAdmin,dc=acme,dc=com"
> rootpw      {SSHA}73M5MnfH97O8KAN8anAbneD2wf0C6VSg
> directory   "/opt/acme/global/data/openldap/db/enterprise-user-db"
> index       objectClass             eq,pres
> index       ou,cn,mail,surname      eq,pres,sub
> index       clearance,scicontrol    eq,pres,sub
> index       citizenship             eq,pres,sub
>
> #######################################################################
> # Translucent LDAP proxy to Active Directory
> #######################################################################
> overlay       translucent
> uri           "ldaps://atlas.acme.com:636"
> chase-referrals no
> idassert-bind   bindmethod=simple
>   binddn="cn=devadmin,ou=Users,ou=System Accounts,ou=Acme,dc=acme,dc=com"
>   credentials="******"
>   mode=none
>   tls_cacert=/opt/acme/global/certs/ca/gd-class2-root-2.pem
>   tls_reqcert=demand
>
> # Attributes to be searched for in local database. Only the classes that
> # apply to proxied accounts are candidates for translucent_local:
> # local wePerson attributes:
> translucent_local       objectClass
> translucent_local       UUID,accountStatus
> translucent_local       rank,grade,position,command,agency
> translucent_local       DSN
> translucent_local       weGrp,weOrg
> translucent_local       clearance,citizenship,scicontrol
>
> # wePerson attributes pulled from remote directory:
> translucent_remote      objectClass
> translucent_remote      cn,givenName,sn,mail,o,mobile
> translucent_remote      displayName,sAMAccountName,userPrincipalName
>
>
> ===============================================================================================
> From output when setting SLAPD_OPTIONS="-d 65535"
>
> ===============================================================================================
>
> <snip>  loads slapd.conf
>
> 55f854a6 config_build_entry: "olcDatabase={2}mdb"
> 55f854a6 config_build_entry: "olcOverlay={0}translucent"
> 55f854a6 ==> translucent_cfadd
> 55f854a6 config_build_entry: "olcDatabase={0}ldap"
> 55f854a6 config_build_entry: "olcOverlay={1}glue"
> 55f854a6 backend_startup_one: starting "ou=Native,dc=acme,dc=com"
> 55f854a6 mdb_db_open: "ou=Native,dc=acme,dc=com"
> 55f854a6 mdb_db_open: database "ou=Native,dc=acme,dc=com": dbenv_open(/opt/acme/global/data/openldap/db/native-user-db).
> 55f854a6 mdb_monitor_db_open: monitoring disabled; configure monitor database to enable
> 55f854a6 backend_startup_one: starting "dc=acme,dc=com"
> 55f854a6 mdb_db_open: "dc=acme,dc=com"
> 55f854a6 mdb_db_open: database "dc=acme,dc=com": dbenv_open(/opt/acme/global/data/openldap/db/enterprise-user-db).
> 55f854a6 ==> translucent_db_open
> 55f854a6 backend_startup_one: starting "dc=acme,dc=com"
> 55f854a6 ldap_back_db_open: URI=ldaps://atlas.acme.com:636
> 55f854a6 ldap_back_monitor_db_open: monitoring disabled; configure monitor database to enable
> 55f854a6 slapd starting
>
> <snip>
>
> 55f876ea ==> translucent_search: <dc=acme,dc=com> (sAMAccountName=admin)
> ldap_create
> ldap_url_parse_ext(ldaps://atlas.acme.com:636)
> 55f876ea =>ldap_back_getconn: conn=1000 op=1: lc=0x7f3e581a9950 inserted refcnt=1 rc=0
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP atlas.acme.com:636
> 55f876ea daemon: activity on 1 descriptor
> 55f876ea daemon: activity on:55f876ea
> 55f876ea daemon: epoll: listen=6 active_threads=0 tvp=NULL
> 55f876ea daemon: epoll: listen=7 active_threads=0 tvp=NULL
> ldap_new_socket: 17
> ldap_prepare_socket: 17
> ldap_connect_to_host: Trying 172.12.3.45:636
> ldap_pvt_connect: fd: 17 tm: -1 async: 0
> attempting to connect:
> connect success
> TLS: certdb config: configDir='/opt/acme/local/certs/nssdb/' tokenDescription='ldap(1)' certPrefix='' keyPrefix='' flags=readOnly
> TLS: using moznss security dir /opt/acme/local/certs/nssdb/ prefix .
> TLS: loaded CA certificate file /opt/acme/global/certs/ca/gd-class2-root-2.pem.
> TLS: certificate 'server' successfully loaded from moznss database.
> TLS: no unlocked certificate for certificate 'CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US'.
> TLS: cannot find private key for certificate 'CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US' (error -12285: Unable to find the certificate or key necessary for authentication.)
> TLS: error: unable to set up client certificate authentication for certificate named CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US
> TLS: error: unable to set up client certificate authentication using 'CN=mv22.acme.com,OU=Development,O=Acme,L=Denver,ST=Colorado,C=US'
> TLS: error: could not initialize moznss security context - error -12285:Unable to find the certificate or key necessary for authentication.
> TLS: can't create ssl handle.
> 55f876ea send_ldap_result: conn=1000 op=1 p=3
> 55f876ea send_ldap_result: err=52 matched="" text="Proxy operation retry failed"
>
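An added example, not code from either message in this thread: a small Python linter that parses the TLS_REQCERT directive of an ldap.conf-style file and the tls_reqcert= option of a slapd.conf idassert-bind block, and reports whether the proxy will actually reject an invalid or missing certificate from the backend server. It illustrates the trade-off in the reply above: switching TLS_REQCERT from demand to allow makes the moznss client-certificate errors go away, but per ldap.conf(5) it also means a bad or missing server certificate on the ldaps:// connection to Active Directory is silently accepted. The sample configs inside it are constructed from the files quoted in the thread, and all function and constant names are this example's own.

```python
import re

# TLS_REQCERT levels per ldap.conf(5). True means a missing or invalid
# server certificate terminates the session; the default level is demand.
REQCERT_VERIFIES = {
    "never": False,   # no certificate is requested at all
    "allow": False,   # requested, but a bad or missing cert is ignored
    "try": False,     # missing cert ignored; only a bad cert terminates
    "demand": True,   # cert required and must validate
    "hard": True,     # synonym for demand
}


def parse_ldap_conf(text):
    """Parse ldap.conf-style 'DIRECTIVE value' lines into a dict.

    Directive names are upper-cased; comments and blank lines are skipped.
    """
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_idassert_bind(text):
    """Collect key=value options of the first idassert-bind directive in a
    slapd.conf fragment; continuation lines start with whitespace."""
    block, in_block = [], False
    for line in text.splitlines():
        if not in_block and line.lower().startswith("idassert-bind"):
            in_block = True
            parts = line.split(None, 1)
            block.append(parts[1] if len(parts) > 1 else "")
        elif in_block:
            if line[:1].isspace():
                block.append(line.strip())
            else:
                break
    # Values may be quoted (the binddn contains spaces and '=' signs).
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', " ".join(block))
    return {key.lower(): value.strip('"') for key, value in pairs}


def check_reqcert(level, where):
    """Return a finding for a TLS_REQCERT level, or None when it verifies."""
    level = level.lower()
    if level not in REQCERT_VERIFIES:
        return f"{where}: unknown TLS_REQCERT level {level!r}"
    if not REQCERT_VERIFIES[level]:
        return (f"{where}: TLS_REQCERT={level} does not verify the backend "
                "server certificate; use 'demand'")
    return None


def audit(ldap_conf_text, slapd_conf_text):
    """Return findings for the client defaults in ldap.conf and for the
    per-backend tls_* options on the idassert-bind line in slapd.conf."""
    findings = []
    client = parse_ldap_conf(ldap_conf_text)
    finding = check_reqcert(client.get("TLS_REQCERT", "demand"), "ldap.conf")
    if finding:
        findings.append(finding)
    if "TLS_CACERT" not in client and "TLS_CACERTDIR" not in client:
        findings.append("ldap.conf: no TLS_CACERT or TLS_CACERTDIR, so no CA "
                        "is available to validate the backend certificate")
    backend = parse_idassert_bind(slapd_conf_text)
    if "tls_reqcert" in backend:
        finding = check_reqcert(backend["tls_reqcert"], "slapd.conf idassert-bind")
        if finding:
            findings.append(finding)
    return findings


# Constructed samples modelled on the files quoted in this thread.
LDAP_CONF_ALLOW = """\
TLS_CACERTDIR   /opt/issinc/local/certs/nssdb
TLS_KEY         /opt/issinc/local/certs/.nss_tmp_pwd
TLS_REQCERT     allow
"""
LDAP_CONF_DEMAND = LDAP_CONF_ALLOW.replace("allow", "demand")

SLAPD_CONF = """\
overlay       translucent
uri           "ldaps://atlas.acme.com:636"
chase-referrals no
idassert-bind   bindmethod=simple
  binddn="cn=devadmin,ou=Users,ou=System Accounts,ou=Acme,dc=acme,dc=com"
  credentials="******"
  mode=none
  tls_cacert=/opt/acme/global/certs/ca/gd-class2-root-2.pem
  tls_reqcert=demand
"""

if __name__ == "__main__":
    for name, conf in (("allow", LDAP_CONF_ALLOW), ("demand", LDAP_CONF_DEMAND)):
        print(f"ldap.conf with TLS_REQCERT {name}:")
        for line in audit(conf, SLAPD_CONF) or ["no findings"]:
            print(" ", line)
```

Run stand-alone, the script reports one finding for the allow variant and none for the demand variant. The linter reports both files rather than assuming which setting wins, because which TLS_REQCERT value governs a given back-ldap connection depends on whether the connection is an idassert one; the defender's check is simply that neither place is weaker than demand.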
