Can’t use EXTERNAL authentication after enabling TLS in ldap-2.4

openldap, sasl

I used the following LDIF file to activate the TLS support for the LDAP server:

dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/CA.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/key.pem

and force the TLS usage for the client connections with the following LDIF:

dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1

After this I can't use "-Y EXTERNAL" any more to read or modify the configuration schema. For example, I get a SASL error if I run:

$ sudo ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b "" -LLL -s base -Z supportedSASLMechanisms
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
    additional info: SASL(-4): no mechanism available: 

and if I check for supported SASL mechanisms:

$ sudo ldapsearch -x -H ldapi:/// -b "" -LLL -s base -Z supportedSASLMechanisms
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN

I really can't see the EXTERNAL included in the list. What am I missing here?

This is on Ubuntu-12.04 and slapd-2.4.31.

Best Answer

Without access to the running config, you'll have to stop slapd and edit the configuration offline.

  1. stop slapd: service slapd stop
  2. dump the config database to a text file: slapcat -F /etc/ldap/slapd.d -b cn=config -l config.ldif
  3. move the existing config database out of the way: mv /etc/ldap/slapd.d{,.old}
  4. make a new, empty config database:

    mkdir /etc/ldap/slapd.d
    chown --reference=/etc/ldap/slapd.d.old /etc/ldap/slapd.d
    chmod --reference=/etc/ldap/slapd.d.old /etc/ldap/slapd.d

  5. edit the dumped config.ldif to remove your olcSecurity setting (or add olcRootDN and olcRootPW to cn=config, or any other changes you like)
  6. load the edited LDIF into the new empty database: slapadd -F /etc/ldap/slapd.d -b cn=config -l config.ldif

(The above assumes your configuration lives at /etc/ldap/slapd.d, which is the default in Debian and Ubuntu.)

Note that slapadd of a complete LDIF should always be done into an empty database; so if you make a mistake and slapadd fails, make sure to clear out the partial database before trying again.

You can find more information in the OpenLDAP Admin Guide as well as the relevant man pages.
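The six offline steps from the answer, collected into one shell script as an added example (this is not the answerer's own code). It assumes the Debian/Ubuntu default config directory /etc/ldap/slapd.d (overridable through the CONFDIR variable) and the service, slapcat and slapadd commands the answer uses; only the constructed sample dump and the awk filter that performs step 5 run without a slapd installation. The filter removes olcSecurity, including LDIF folded continuation lines, from the cn=config entry only, so a database-level olcSecurity directive is left untouched.

```shell
#!/bin/sh
# Added example: offline removal of the olcSecurity directive from cn=config,
# following the six steps in the answer above. Not the answerer's own script.
set -eu

# Assumption: Debian/Ubuntu default location of the cn=config database.
CONFDIR=${CONFDIR:-/etc/ldap/slapd.d}

# Step 5 as a filter: read a slapcat dump on stdin, write it to stdout with
# every olcSecurity attribute removed from the "dn: cn=config" entry only.
# LDIF folds long values onto following lines that start with a space, so
# continuation lines of a removed attribute are dropped too; entries are
# separated by blank lines, which end the "inside cn=config" state.
strip_olcsecurity() {
  awk '
    /^dn: cn=config$/          { in_root = 1 }
    /^$/                       { in_root = 0; skip = 0 }
    in_root && /^olcSecurity:/ { skip = 1; next }   # matches "olcSecurity:" and "olcSecurity::"
    skip && /^ /               { next }             # folded continuation of the removed value
                               { skip = 0; print }
  '
}

# Steps 1-6 end to end. Needs root and a slapd installation; NOT run by the
# demo at the bottom.
rebuild_config() {
  dump=$1
  service slapd stop                                         # 1
  slapcat -F "$CONFDIR" -b cn=config -l "$dump"              # 2
  mv "$CONFDIR" "$CONFDIR.old"                               # 3
  mkdir "$CONFDIR"                                           # 4
  chown --reference="$CONFDIR.old" "$CONFDIR"
  chmod --reference="$CONFDIR.old" "$CONFDIR"
  strip_olcsecurity < "$dump" > "$dump.edited"               # 5
  slapadd -F "$CONFDIR" -b cn=config -l "$dump.edited"       # 6, into the empty directory
  # Added caveat (not from the answer): slapadd run as root leaves root-owned
  # files, while Debian's slapd runs as the openldap user, so copy the
  # ownership of the old tree onto the new one before starting the daemon.
  chown -R --reference="$CONFDIR.old" "$CONFDIR"
  service slapd start
}

# Constructed sample dump (not real slapcat output): the global entry carries
# a folded olcSecurity value, a database entry carries its own olcSecurity.
sample_dump() {
  cat <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config
olcSecurity: tls=1 simple_bind=
 64
olcTLSCertificateFile: /etc/ssl/certs/server.pem

dn: olcDatabase={1}hdb,cn=config
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSecurity: ssf=128
EOF
}

# Demo: print the edited LDIF for the constructed dump.
sample_dump | strip_olcsecurity
```

Run the demo as an unprivileged user to see what step 5 produces; the real rebuild is `rebuild_config /root/config.ldif` as root. Because slapadd must load into an empty directory, the script creates the new tree only after the old one has been moved aside, and if slapadd fails the new directory can be removed and the command repeated against the same edited dump.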
